Security Basics mailing list archives

What is property and thus why are some things illegal.


From: "Craig Wright" <cwright () bdosyd com au>
Date: Wed, 5 Apr 2006 15:24:12 +1000


Hello,
(Caveat) First, I am neither a Marxist nor an Anarchist, nor do I live in a
country that is. Each of these philosophies has a different view on
property rights, but neither is one that I care about.

Property (as defined in legal terms), as it is associated with servers,
routers and information systems in general, is known in the law as
consisting of "chattels". Servers are chattels. The data are
Intellectual Property.

There is a standard bundle of rights associated with property:
1. The right to control use of the property,
2. The right to receive benefit from the property,
3. The right to assign, transfer or sell the property,
4. and the right to exclude others from the property.

In the case of port scans we are looking at point 4, the right to
exclude, and point 1, the right to control. Rights as defined and used in
this email are based on the Anglo-Saxon idea of exclusive right. This
right is equivalent to the Civil law (Roman) idea of Dominus (see
Dominus enim dicit, for those who like Latin). The dominus is more
restrictive than common law property rights, and Civil law (or codified
law) rights of property are absolute rather than distributable as in the
English common law.

For this reason I shall confine this to the common law view of rights as
much as possible. This view is one that is more commonly held in the
"West" and Civil codified laws are more restrictive and more likely to
enforce the rights of a property holder.

The rights we need to look at as was noted are the right of control and
the right of exclusion.

The "right of control" is the right to determine how the property is
used. "Uses" were originally the equitable or beneficial interests in
the property. The right of control allows the system owner to determine
how the system is to operate according to law. The system owner has the
right to state that they do not allow ping (or any ICMP for example). To
enforce this they could filter any ICMP traffic.

If in this example the system owner had determined that they would stop
all ICMP traffic to/from the server, they could state this and then any
access via ICMP would be a violation of the property rights. If the
system owner had not taken steps to notify the public through some means
(e.g. a terms notice on the primary web site) then the rights still exist
but are not enforceable in law. This means that the act of trying to
ping this server is illegal but there is no way to enforce this right.

To enforce the right the system owner has to do something to bring the
right of control to the notice of the person who seeks to violate this
right. An example here is a banner on a telnet login. The action is
still illegal as stated, but there is not an action to enforce the right
without the notification. The notification does not need to be ongoing.
It just needs to occur. It does not even need to be particularly verbose
or even grammatically correct. The notification does not even need to be
sent using the same protocol. Sending an email off to the attacker would
satisfy the requirement.

A simple manner of transmitting intent is to have ICMP responses
allowed: allow this traffic, use ingress and egress filters, and send
ICMP type 3 replies. In particular type 3/13 replies could be sent
(Communication Administratively Prohibited). Upon receiving this
response, the person scanning has effectively received notification (e.g.
like a banner). There is no legal requirement that they take notice of
the packet, just that it is delivered.

Other ICMP types that would effect this include:
3/9     The destination network is administratively prohibited.
3/10    The destination host is administratively prohibited.
3/11    The network is unreachable for Type Of Service.
3/12    The host is unreachable for Type Of Service.

Sending ICMP 3/9 is the most effective solution. (This is easy to
configure on Cisco routers; other routers may or may not be able to
achieve this.) On receipt of the first packet, the person scanning is
effectively notified. If they then "scan" or "test" any port on the
network, they are effectively breaching the conditions, as they have been
notified (similar to trespass on real property when you have asked
the trespasser to leave and you have rights to the land).

If the person port scans the site and ingress filters are configured to
send ICMP 3/9 replies as soon as a packet is received to any port on any
server other than the validly allowed ports, there is a breach. In this
case, continued scanning becomes a breach of rights with an attached
enforceable action. In this case you have the ability to litigate the
person scanning the site civilly for a port scan and nothing more (i.e.
no real damage).

Why do some people wait till you see a banner and log till then? When
you see the banner this becomes a course of action. If you keep scanning
after seeing the banner, then you have an action in criminal terms and
you do not need to have damage to be able to seek action.

The right of exclusion is the right to dictate what others can do. This
means that the property owner has the right to exercise control and to
dictate what level of access (if any) another has to the property. In
respect to the Internet, access from your gateway to another server is
completed under an effect of easement. There are both public and private
easements. A public easement is one that grants the right to a large
group of individuals or to the public in general. This in the terms of
the Internet is analogous to the backbone routers.

A DoS or DDoS attack against DNS or the backbone routers is in effect
the same as blocking access to someone who has an easement. It is a
trespass upon the right of easement and creates a cause of action for
civil suit. In most jurisdictions this is also not codified or in
statute as a criminal offence. It is still illegal as a civil breach
when not directly excluded.

Exclusion allows the property owner (in our case the system owner) to
designate what actions are acceptable. They only need to state that an
action is against the policy of the site for this to become an
enforceable action. Further, where the system is a state owned system
(take US Federal government for example) all access is considered to be
expressly controlled unless access is expressly allowed.

What does this mean? A port scan, if the system owner does not welcome
them, is a violation of the property rights of the system owner. They
breach the rights of exclusivity. Whether we see the system and its
data as a "chose in possession" or a "chose in action", the act has to
be one that is acceptable to the system owner. If we look to the Civil
law, we have an analogous system with respect to movable property or
movables.

Breach of an owner's or possessor's rights is a transgression in the nature
of property law. There are actions for recovery or tort, but these
generally require that there has been damage. Nonetheless, a
transgression of either the right to control or the right to exclude is
still a violation of the fundamental rights of the owner of the
property. A property law violation is not (generally) a criminal act
without damage. This does not stop it from being illegal.

It is illegal in that it also can act to void a contract. If for example
party A contracts party B to scan the systems of party C using a port
scanner, party A could after receiving the report decide not to pay B
for the services as the action is considered illegal and an illegal
contract is not enforceable. There would be no punitive effect from
this, but this does not change the action into a legal act.

Clear as mud? Well I hope that this has created a little more
understanding of the law, rights and why they apply. To complicate this
we could also look at equitable rights, but this would only lose more
readers.

Damage the property or actually get access to the system and then we get
into a whole new area. This is where the criminal offences come into play.

Regards,
Craig

Further reading

"Ancient Law" by Henry Maine Chapter 8 (The Early History of Property)
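The ICMP notification mechanism the post describes (type 3 destination-unreachable replies carrying codes 9, 10, 11, 12 or 13), worked through as an added Python example that is not part of the original post or any vendor's implementation: it builds the reply an ingress filter would return for a refused probe, verifies and decodes such a reply, and produces the log line a defender would keep as a record that the notice was delivered and to whom. The sample probe (a TCP SYN from 198.51.100.7 to port 23 on 192.0.2.10) is constructed here from documentation address ranges, and all function names are my own.

```python
import ipaddress
import struct

# ICMP Destination Unreachable (type 3) codes named in the post; names per RFC 1812.
ICMP_DEST_UNREACH = 3
UNREACH_CODES = {
    9: "Destination network administratively prohibited",
    10: "Destination host administratively prohibited",
    11: "Network unreachable for Type of Service",
    12: "Host unreachable for Type of Service",
    13: "Communication administratively prohibited",
}


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit words.
    Over a message whose checksum field is already correct it returns 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def make_ipv4_probe(src: str, dst: str, proto: int, sport: int, dport: int) -> bytes:
    """Constructed sample input: a minimal IPv4 header plus the first 8 bytes of a
    TCP/UDP segment, i.e. what a filter sees of one port-scan probe (no IP options)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0x1234, 0x4000, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    hdr = hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]  # fill IP checksum
    return hdr + struct.pack("!HHI", sport, dport, 0)  # ports + 4 more transport bytes


def build_unreachable(code: int, refused: bytes) -> bytes:
    """The reply an ingress filter sends to the probe's source: ICMP type 3, the chosen
    code, and (per RFC 792) the refused packet's IP header plus 8 bytes, so the
    receiver can match the notice to the exact probe it answers."""
    if code not in UNREACH_CODES:
        raise ValueError("code %d is not one of the administrative/TOS codes" % code)
    ihl = (refused[0] & 0x0F) * 4          # IP header length from the IHL field
    quoted = refused[: ihl + 8]
    unchecked = struct.pack("!BBHI", ICMP_DEST_UNREACH, code, 0, 0) + quoted
    csum = inet_checksum(unchecked)
    return struct.pack("!BBHI", ICMP_DEST_UNREACH, code, csum, 0) + quoted


def parse_unreachable(msg: bytes):
    """Decode a received ICMP message. Returns a dict describing the notice and the
    probe it answers, or None when it is not a well-formed type 3 message with one of
    the codes above (wrong type, unknown code, bad checksum, truncated quote)."""
    if len(msg) < 8 + 20:                   # ICMP header + at least a full IP header
        return None
    icmp_type, code, _csum, _unused = struct.unpack("!BBHI", msg[:8])
    if icmp_type != ICMP_DEST_UNREACH or code not in UNREACH_CODES:
        return None
    if inet_checksum(msg) != 0:             # a valid checksum folds the whole message to 0
        return None
    inner = msg[8:]
    ihl = (inner[0] & 0x0F) * 4
    proto = inner[9]
    info = {
        "code": code,
        "name": UNREACH_CODES[code],
        "probe_src": str(ipaddress.IPv4Address(inner[12:16])),
        "probe_dst": str(ipaddress.IPv4Address(inner[16:20])),
        "probe_proto": proto,
        "probe_dport": None,
    }
    if proto in (6, 17) and len(inner) >= ihl + 4:   # TCP/UDP: ports are the first 4 bytes
        _sport, dport = struct.unpack("!HH", inner[ihl: ihl + 4])
        info["probe_dport"] = dport
    return info


def notice_line(msg: bytes) -> str:
    """One log line for the defender's record of which notice went to whom and why."""
    info = parse_unreachable(msg)
    if info is None:
        return "ignored: not a type 3 administrative/TOS notice"
    return "ICMP 3/%d (%s) sent to %s for probe of %s port %s" % (
        info["code"], info["name"], info["probe_src"], info["probe_dst"], info["probe_dport"])


if __name__ == "__main__":
    probe = make_ipv4_probe("198.51.100.7", "192.0.2.10", 6, 40000, 23)
    print(notice_line(build_unreachable(13, probe)))
```

The post mentions Cisco configuration; on Linux netfilter the same notices come from the iptables REJECT target with `--reject-with icmp-admin-prohibited` (3/13), `icmp-net-prohibited` (3/9) or `icmp-host-prohibited` (3/10), and the parser above is what a collector would use to confirm from a packet capture that the notice actually carried the refused probe's header, which is the part that ties the notification to a specific sender.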

