Security Basics mailing list archives

RE: Is portscanning legal? was Re: application for an employment


From: "c.s.wright" <c.s.wright () unn ac uk>
Date: Tue, 4 Apr 2006 23:02:20 +0100

Hello,

Again - illegal and criminal are not the same. Trying to treat them as 
such is wrong. Criminal is a subset of illegal. Illegal is the superset.

Thanks for the explanation. However, why would port scanning be considered
illegal since it is not a criminal offense?

Most things that end up in court or that you get fined for are not criminal
offences. Port scanning is a property offence. Even if the router being
scanned (as an example) is a gateway router - it is placed on the Internet
as a gateway router. The implied purpose is to route traffic, not to provide
services.

One example that I can think of is when a web site provides a link to 
an email address that doesn't work. A port scan on the relevant server 
could tell me if the mail server is down (and what alternative services 
might be available on the server for contacting whoever I'm looking for)

Port scanning a mail server is not a valid solution. To see if the SMTP port
is up you could "telnet <host> 25". Using nslookup or dig would give a list
of valid mail servers.

The manner in which mail (SMTP) works allows for a system to be down. When I
started (and this was some time back) mail systems commonly used UUCP at
scheduled intervals to receive mail. A message that the mail is spooled will
follow. If the primary server is down you may not be able to send anyway. I
have never seen a valid reason for a port scan of somebody else's mail server
as it may be down.

Here, the port scanning has caused a server reboot and damage... 
but would the exact same danger not also be there if I use a mass 
downloader to download from the web site and cause the server reboot?

If the site has a set of terms and conditions that forbid mass downloaders
and site mirrors then you are violating the policy and if you cause the
damage you are liable.

Port scanning with authorisation is legal, without is illegal. Just as
driving with a licence is legal and without is illegal.

Regards
Craig
