Bad raps for non-hacks
By Mark Rasch
Date: June 16, 2003
A few odd cases show that you don't have be a digital desparado to be accused of a cybercrime... particularly if you embarrass the wrong bureaucrats.
Some recent (and not so recent) cases illustrate how computer security professionals and well intentioned whistle-blowers face a genuine risk of running afoul of computer crime statutes simply for forgetting to ask the right person, "May I?," before doing a computer security assessment.
Take the case of Scott Moulten, a computer security professional in Georgia. He was the principal person responsible for computer security (through a private company) for a county in Georgia. The county worked with various cities coordinating and providing 911 Emergency Response Services. When one city wanted to hook up to the county's 911 network, Moulten performed a port scan and throughput test on that city's network to see if the computers were vulnerable to exploit.
Of course, they were. Moulten wisely went no further, and never attempted to penetrate any of the computers he scanned, and the city eventually plugged the holes. Did the city award him a medal? A raise? A new contract? No... they promptly contacted the Georgia Bureau of Investigation, which searched and seized his computer and arrested him for violating the Georgia computer crime laws. The statue in question made it a felony to use a computer with the intention of "obstructing, interrupting, or in any way interfering with the use of a computer program or data... regardless of how long the alteration, damage, or malfunction persists." Since the port scan infinitesimally slowed the computer, the government supposed, Moulten violated the statute.
Thousands of dollars of legal fees later (and a civil case to defend as well), the government abandoned the criminal prosecution with no charges filed.
Original article: http://www.theregister.co.uk/content/55/31220.html
^macro[showdigestcomments;^uri;Bad raps for non-hacks]