
Scan the Internet and Screenshot All the Things - ssclafani
http://w00tsec.blogspot.com/2014/08/scan-internet-screenshot-all-things.html
======
tptacek
Wow.

I read Tentler's follow-up post on this, where he abruptly declares that what
they're doing isn't unlawful. Presumably, he's saying that because a competent
lawyer told him that. If that's not the case, he should retain one.

There are a number of problems with his logic:

* The fact that AV vendors have done things like this in the past (or even do them today) almost definitely won't inoculate _this particular team_ from civil or criminal actions which will cost them a fortune to defend.

* There is no provision in CFAA, or in any unauthorized access statute I've ever read, that has a safe-harbor provision for scanners that do "opt-out". Providing a block-list is good, and neighborly, but it probably doesn't protect them.

* "But the server never asked for a password" is not going to be an effective defense. It's actually even less compelling in this case than it was in the Auernheimer case, because a web server normally exists to publish documents to the world, but virtually all VNC servers do not.

* Most importantly: what they're doing is so non-minimal. They appear to really be pushing the boundaries of what it means to do an Internet survey. If they wanted to map open VNC servers, they could do that without _screenshotting people's open servers_.

This team starts that scanner process knowing that they're going to reap
hundreds of screenshots that the owners of those systems don't want them to
have. If you can describe your project reasonably in a sentence that includes
the words "knowing" and "unauthorized", get a lawyer to sign off on it first.

Hopefully, they already did, and I'm just being noisy!

~~~
chatmasta
This is such head-in-the-sand logic.

In his post, he also mentions all the open VNC servers he found that he didn't
publish. Emails, checks, prescriptions, industrial control servers, etc.

We should be much more worried about what a more malicious attacker might do,
armed with nothing but a trivial port scanning script. This guy should be
lauded for exposing how dangerous this is, not sued or imprisoned.

~~~
tptacek
[http://en.wikipedia.org/wiki/Is%E2%80%93ought_problem](http://en.wikipedia.org/wiki/Is%E2%80%93ought_problem)

~~~
chatmasta
What?

~~~
teddyh
Tptacek is arguing that Tentler _is_ probably going to get into a lot of legal
trouble.

You are arguing that he _ought not_ to get in trouble.

These are _two separate arguments_. Tptacek is _not_ arguing that Tentler
_ought_ to get in trouble, but you responded as though that was the case.

