So many of you have asked me about what is legal and illegal in hacking/pentesting that I decided it was time to address it directly.
In our discipline, we may WANT to ignore the legal consequences until they slap us upside the head, but that's not a very prudent strategy. To help all my apprentice hackers better understand what is and is not legal in hacking, I dedicate this article.
The Cyber Crime Law Enforcement
In the United States, most hacking is investigated and prosecuted by the federal law enforcement. Surprisingly, the Secret Service is the lead agency, but they primarily are involved in coordinating the response, usually not investigating. They delegate the investigation to one of numerous federal agencies, but the FBI's Cyber Crime Task Force is the agency most often involved.
There are cyber crime task forces in each locality. These local cyber crime task forces generally are assigned the smaller local cases and the local FBI special agents have limited training and background in hacking and forensics. They often rely on good old detective work to solve these cases. I can't tell how many times hackers have been tracked down because they bragged about their exploits. You don't have to be a techno-genius to track down a bragging hacker who suddenly is awash in money.
Although federal law makes it a felony to do more than $5,000 damage, the general rule is the FBI won't even get involved in cases that involve less than $100,000 in damages. Note that the key word here is "damages". This has nothing to do with how much the hacker gets away with, but rather how much damage is done to the individual or business.
As I pointed out in my guide on evading detection while DoSing, a one-minute DoS against Amazon would cause over $100,000 in revenue losses, and that does not even include the cost of lawyers and consultants to resolve the situation. A simple one-minute DoS against Amazon might mean over a $1 million in damages! Good luck paying that back in restitution.
Federal Laws Regarding Cyber Crime
Federal agencies in the U.S. prosecute cases using two primary federal statutes; USC Title 18 Section 1029 and 1030. These two statutes are so broad and ambiguous that many things that are not intended to be hacking, could very well be found to be illegal.
Of these two, USC Title 18 Section 1030 is most often used to prosecute hacking in the United States. That being the case, let's take a look at it. I have reprinted the key section that defines what activity is illegal below. I know there is a lot of legalese here, but let's try to stay focused and examine the critical sections closely.
USC Title 18 Section 1030
Please note the sections I have highlighted above to get your attention that among other things, makes accessing "information from any protected computer". Since the courts have ruled that "protected computer" can be a computer with as little protection as a password, this mean essentially that EVERY computer is covered in this section.
This section is key as well. This section defines ways that a computer might be damaged such as "transmission of a program, information, code or command" or "accesses a protected computer without authorization" which then "causes damage or loss".
As you can see, this is so vaguely worded that even a vulnerability scan might be construed as criminal if the prosecutor and "victim" can show there was damage or loss. Imagine a scenario where you are doing a vulnerability scan on a poorly designed website and it crashes as a result. You may have committed a federal felony!
So, that is the law in its entirety. I left out the section on penalties, but you can imagine that it's not joyful reading.
Be Careful Out There!
My message to all of you is simply, "Be Careful Out There!". Even if you don't have malicious intentions, the knowledge that you now have can be misconstrued as bad intentions. If a website blows up while you are scanning it, no one is going to ask about your intentions before they throw you in prison.
For someone like myself who has danced on both sides of the law, I can tell you first hand that when someone finds out you have Kali or any hacking tools AND the knowledge of how to use them, you are suddenly guilty until proven innocent.
Just a fair warning to all my hacker apprentices.