Security Basics mailing list archives
Re: Yet another thread on the legality of port scanning
From: Barry Fitzgerald <bkfsec () sdf lonestar org>
Date: Thu, 18 Mar 2004 11:33:58 -0500
Charley Hamilton wrote:
These analogies don't work together. The normal means of connecting an ethernet card to a network is not via a power cord. The normal means of connecting to a server *IS* sending IP packets to that server and receiving them back. Which port(s) the packets are sent to is irrelevant. Whether the content is an attack or not depends on the content of the packets. Just because some (very poorly designed) hardware/software can't survive a port scan, doesn't mean that port scans are attacks nor does it mean that they represent anomalous traffic. The normal means of communicating on the internet is via IP packets. On that basis, electron transport is the standard method of information transfer on the internet. If I connect a power cord to your router's ethernet jack, is that okay? Obviously not.
There are legitimate reasons for running a port scan on a computer in a limited fashion, such as service discovery.
Authorized users are told they are authorized users.
Where?!? Perhaps I'm not aware of it, but is there an "authorized user/service" database on the internet? I must have missed that.
The "reasonable man" hypothesis applies to connecting to a system to which authorization is in doubt.
The reasonable man hypothesis also dictates that a person would only reasonably leave a system exposed with a service running and without warnings if it weren't meant to be viewed. If the content says "classified" or "you're not supposed to be here", or if the person knows they shouldn't be there - that's one thing.
Would a reasonable man conclude that http://www.cnn.com is an acceptable connection in the absence of explicit permission? I would say yes, he would. Would a reasonable man conclude that ftp://www.cnn.com is an acceptable connection in the absence of explicit permission? I would argue no, he would not.
I would argue that you're wrong. Anonymous FTP is a very frequent occurrence on the internet and it's not unreasonable to expect that CNN might have an anonymous FTP site for content. What, exactly, makes you think that it's an unreasonable service to use?
What's the difference? HTTP is generally accepted to be a public connection, in the sense that it is intended as a shared resource, to be accessible to all. FTP is not generally accepted as such, regardless of what electronic storefront happens to be offering the service.
I don't know what universe you're in, but FTP is a public connection if it's configured that way. HTTP is also a public connection if it's configured to be. Both are also private connections if they're configured to be. The key here is in configuration, not in the service.
So, all these times I've been downloading things off of ftp://mirrors.kernel.org, I've been being unreasonable? That's the first time I've ever heard anyone argue anything of the sort.
The act of plugging a device into a public [@1] IP address is your way of giving people permission to send packets to it. I disagree strongly on this. I have a public street address. It is appropriate for a caller to knock on my door/ring my doorbell, because that is the "reasonable man" thing to do. It is not acceptable for the caller to come around the side of my house just because he sees my side door open. What makes an IP address any different from a physical address in terms of the "reasonable man" hypothesis? That is the typical legal test to which such arguments must be put.
Because an IP address isn't a physical door and the internet isn't your street. Everyone's talking about this as if the rules are the same, but they aren't. Frankly, this argument is getting completely absurd.
Anyone on the internet can send an IP packet to anyone else. That's kind of the whole point. I disagree. The whole point of the internet is to permit effective communication of ideas, not random unsolicited contact between individuals. If I solicit contact by offering "reasonable man" permission for contact, then it is part of effective communication. If I do not, it is annoyance potentially rising to criminal action.
The whole point of the internet is whatever you can do with the networking technology within an ethical framework. Internet traffic need not be solicited. However, some would say that you solicit the receipt of non-disruptive generic TCP/IP traffic just by putting your computer on the internet.
*blink blink* I can't argue with the last sentence, but just what constitutes a "private" service by your definition?
I, personally, would identify a private service as being one that you want no one or limited numbers of people to access.
Something that is accessible only to someone from an internal net? Are you arguing that any service offered over the internet is tacit approval for *everyone* to use that service? Or is it only tacit approval if the service is not properly secured?
I think his point was that if you don't want people to be able to see the service (we're not even talking about logging in and using. Port scans don't log in and use services, they just detect them) then don't put the service up for the net to see. It's that simple. :)
Assuming that my interpretation of your writing is correct, you would support unsolicited bulk email. After all, you have an email address and your mail server (or the firewall through which it passes) has a public IP address, right? After all, I got your email and I'm not on your private network.
Actually, I'm not the original poster, but I'd have to say that unsolicited e-mail is just fine. I don't have a problem with people just sending me e-mail. What I have a problem with is people hacking into systems and converting them into SPAM relays.
Unsolicited e-mail isn't the problem, system abuse is -- that's what makes filters fail and causes havoc.
Same source, definition of access: 2 a : permission, liberty, or ability to enter, approach, communicate with, or pass to and from b : freedom or ability to obtain or make use of c : a way or means of access d : the act or an instance of accessing It is clear from 2a and 2b that the intent of "access" is "permitted access", not simply the physical limitation of availability.
I don't think anyone's arguing that it's OK for someone to access a system without permission or liberty. The question is does being on the internet open you up to generalized detection and discovery traffic? I'd say yeah, it does. I'm not advocating that people just port scan everyone, and I do believe that most port scans are precursors to attack...
But, by the same token, my looking at someone funny COULD be a precursor to attack -- so, should we then consider people looking at others in a funny way an attack?
I just happen to think that this whole argument is getting ridiculous. Are port scans questionable? Sure. Are there legitimate reasons to do them? Sure. Are they often precursors to attacks? Often, yes. Do the packets sent by them constitute legitimate IP traffic? Yes, unless they're malformed, which is a different issue entirely. Are they going away anytime soon? No.
There, problem solved. :)
-Barry