<div>According to <a href="http://theregister.co.uk">theregister.co.uk</a>:</div>
<div> </div>
<div>"Cuthbert is accused of attempting a directory traversal attack on the <a href="http://donate.bt.com">donate.bt.com</a> site which handles credit card payments on behalf of the Disasters Emergency Committee." (
<a href="http://www.theregister.co.uk/2005/10/05/dec_case/">http://www.theregister.co.uk/2005/10/05/dec_case/</a>) and</div>
<div>"After making a donation, and not seeing a final confirmation or thank-you page, Cuthbert put ../../../ into the address line. If the site had been unprotected this would have allowed him to move up three directories" (
<a href="http://www.theregister.co.uk/2005/10/11/tsunami_hacker_followup/">http://www.theregister.co.uk/2005/10/11/tsunami_hacker_followup/</a>).<br> </div>
<div>This is legal hair-splitting. Yes, you are right. Who knows whether the judges would consider "port scanning" just as bad as "illegally attempt of securing access to a computer" (as defined in the UK "Computer Misuse Act 1990 (
c.18)").</div>
<div> </div>
<div>----- Original Message -----
<div>From: "Drew Masters" <<a href="mailto:drewmasters@gmail.com">drewmasters@gmail.com</a>></div>
<div>To: <<a href="mailto:full-disclosure@lists.grok.org.uk">full-disclosure@lists.grok.org.uk</a>></div>
<div>Sent: Friday, June 02, 2006 9:33 AM</div>
<div>Subject: Re: Fw: [Full-disclosure] scanning</div></div>
<div><br> </div>> It's worth looking into the Daniel Cuthbert case in the UK.<br>> <br>> Drew<br>> <br>> On 02/06/06, Lawrence Tang <<a href="mailto:tang.luong@gmail.com">tang.luong@gmail.com</a>> wrote:
<br>> ><br>> > "Vulnerability test" is not "port scan". It could involve attempt to<br>> > "penetrate" or even penetration of the website through a vulnerable server<br>> > script for instance. In this particular case, we don't know what RA 8792 in
<br>> > the Philippines says and/or what Tridel Technologies, Inc did. But in<br>> > general, "port scan" is supposed to be only checking which TCP/IP ports are<br>> > open for connection without going through the entire process of connection.
<br>> > There is no question of penetration. How could any authority prosecute this<br>> > legitimately? If I, by mistake, attempt a connection to a site, could I be<br>> > in legal trouble? How many ports constitute "port scanning"?