I don't have legal expertise. I do have security expertise. I've also dealt with legal departments.

Even when working with agreements with vendors, a lawyer sometimes wishes to know the author of the agreements intent for some of the particular statements. That doesn't mean the statement gets changed.

I've seen various research groups (independent and govt sponsored) that gather statistics. I imagine some research groups may wish to gather statistics to determine how much a service offering has grown.. such as determining the growth of FTP servers... just an example not something I've seen specifically. They could then determine that company XYZ seems to have 90% of the market and that the remaining 10% is shared between 3 other companies. That could prompt those 3 minority service holders to figure out why XYZ has an advantage and how they will go forward with their products.

Sometimes a corporate scan of a network may reveal networks it had no knowledge of. They may procede to see if the network has any hosts or if it's just a router to a network no longer used. Low and behold they could then find out they scanned the Acme Scooter company without knowing it. Would it be held illegal? I doubt it, because the intent was not to scan the Acme Scooter company network. As the employee turnover rate within IT continues the way it is, and the project initiatives climb, I'm sure there will be many things left undocumented and forgotten. The last company I worked for had a computer from 1985 that was still running that noone knew what it did, how to log in etc. Sometimes a network scan may be the only way to find out, or the first way before finding physical presence. With everything internetworking, business-to-business relationships, etc... by banning network scanning altogether for networks not belonging to you, it will end up being the equivalent of carrying a concealed weapon. Only the outlaws would do it.

Scott

[ reply ]

Link to this comment: http://www.securityfocus.com/comments/articles/126/4121#4121