Bad raps for non-hacks
Some recent (and not so recent) cases illustrate how computer security professionals and well intentioned whistle-blowers face a genuine risk of running afoul of computer crime statutes simply for forgetting to ask the right person, "May I?," before doing a computer security assessment.
Take the case of Scott Moulten, a computer security professional in Georgia. He was the principal person responsible for computer security (through a private company) for a county in Georgia. The county worked with various cities coordinating and providing 911 Emergency Response Services. When one city wanted to hook up to the county's 911 network, Moulten performed a port scan and throughput test on that city's network to see if the computers were vulnerable to exploit.
Of course, they were. Moulten wisely went no further, and never attempted to penetrate any of the computers he scanned, and the city eventually plugged the holes.
Did the city award him a medal? A raise? A new contract? No... they promptly contacted the Georgia Bureau of Investigation, which searched and seized his computer and arrested him for violating the Georgia computer crime laws.
[ Read more ]