Re: FW: Legal? Road Runner proactive scanning.[Scanned]

[Phil Brammer <security () wjjeep com>]

On Mon, Mar 15, 2004 at 11:41:08AM -0700, Bryan S. Sampsel wrote:
> Jef Feltman said:
> > So if someone comes and knocks on your door at home you shoot them? Do you
> > consider them a criminal? No, you lock the door and windows.
>
> Not quite an accurate comparison.  A portscan is comparable to somebody
> testing those locks and windows.  An action that has legal ramifications. 
> And legally speaking, a tresspasser doesn't have to bypass a locked door
> to tresspass.
>
> A knock is a "service" -- a method of communicating with my house.  As is
> a phone or mail.  Just a tad different than a security probe.

I disagree with this.  A port scan does not test your locks.  Basically, a port scan tells the scanner that there are 
windows/doors available to try.

(This is just my perspective on the matter.)

If I drive down the street and look at your house, I can count the number of openings that I would have access to the 
interior of your home.  Some of those windows might be open.  Some might be closed. 

I think the issue here is that if I walk up to your door and test the lock, wouldn't that be akin to the actual process 
of attempting to log into said service and maybe tying a brute-force attack?  

> > If your host is on the internet I consider it public and knocking on the
> > door to see if the shop is open, is not a problem. If you do not want
> > people
> > coming in the door lock it and give a key to those who need it.
>
> Still not an apples-apples.  There are legit ways of communicating with my
> system.

Like what?  Keep in mind you are on a PUBLIC system.  You don't own your IP address like you do your home property.  
It's a little different.  You might own a name to an address, but you don't own the address.  Your IP address might be 
assigned to you, but it's still not your address.

If I head to our local arena and walk around the facility, I'm entitled to grab the doorknob on any door I walk by.  
Now, if I found a door that was unlocked and had a sign that stated "Employees Only," I can see that I could be 
punished for entering the room.  But, merely checking the doorknob is not punishable.  It's a public place and 
locations that are not public need to have proper safeguards in place to prevent unauthorized access.

> > Based on your statement no website should not be accessed by anyone other
> > than an employee. Sending E-Mail would be a violation also, as the port
> > must
> > be checked to verify it can be opened to receive.
>
> Nope.  Email performs a handshake, it does not probe an entire system to
> communicate.  If it receives no response on its connection attempt, it
> ceases activity.

A gentle port scan on every port it checks also performs a handshake.  It's TCP for god's sake.  In fact, if you have a 
firewall blocking access to a port (DROP) that is not allowing the RST flag to get sent back to me, are you not in 
violation of your handshake scenario?

Attachment: _bin
Description: