Nmap Announce mailing list archives
RE: legality of port-mapping
From: "Dragos Ruiu" <dr () v-wave com>
Date: Tue, 23 Feb 1999 22:10:34 -0800
I'm afraid I have to take serious issue with anyone who tells me a port scan is illegal. Or who wants it to be.

Let me describe a real world scenario that I was in yesterday: We build distributed traffic measurement systems and router control front ends. As part of testing this product we are sprinkling probes in many locations, some of which are at 3rd party test sites. Some of these probes are DHCP addressed. The other day one of our unmanned probes was accidentally rebooted by local people, and for one reason or another didn't re-establish contact with the rest of the distributed test system. There are no humans (computer savvy ones anyway) to contact at the remote site. Trying to re-establish links failed. We correctly surmised that the ISP that served the probe had assigned a different DHCP address to it. Our probe was lost out there on a /23.

The only recourse was to run nmap (thanks again Fyodor) on the entire public /23 and then look for a profile that matched our probe. In that scan three hosts with matching port profiles turned up. Each had to be tried with ssh to identify which was the real probe.

In this scenario, even if we turn up nasty banners, I don't think that there should be any grounds to call that wrong or illegal in any manner. Yet on the log files it could look like we port-mapped and then tried to break into three machines. I'll tell ya, if some overzealous sysadmin phoned "computer savvy" cops and wasted my time with them, they would have to get through our lawyers. And they -are- mean.

My common sense says that any time you make typing in the wrong IP address and mistakenly scanning someone with "restrictive" system usage policy a crime, something is not right.

As far as the Steve Jackson Games history, I think we all have to agree that was one of the most idiotic examples of miscarriages of law-enforcement and computer myopia.

Anyway, though I haven't read the c.unix.security thread, I don't want to beat a dead horse.
So I'll shut up about this now. Thanks.

--dr

p.s. Our average port mapping incidence on our public probes is about 2 portmaps per day.

-----Original Message-----
From: Lamont Granquist [mailto:lamontg () raven genome washington edu]
Sent: Tuesday, February 23, 1999 2:09 PM
To: Technical Incursion Countermeasures
Cc: HD Moore; nmap-hackers () insecure org
Subject: Re: publicly available resources and the law

Alright, we just went through all this on comp.unix.security. You can go read that thread if you're interested in other opinions I have about it. However, I think it is *very*, *very* sketchy legal grounds to say that this is legal.

In the first place the door-rattling, etc. analogies have been done _to_death_ on comp.security.unix. They're not useful. For every analogy there is a counter-analogy ad nauseam. The fact, however, is that you are contacting services which you don't have authorization for. You *are* connecting to those services, and you will cause the CPU in question to consume cycles dealing with you and possibly even fork(). Under "normal" "bug-free" circumstances this does not cause any harm, *however* you are using a resource on that machine. I think that legally the argument could very easily be made that you are *using* resources that you have no rights to.

The "an open port is an invitation" argument has also been beat to death on comp.security.unix. It doesn't hold water, because some sites don't have an option of putting up a firewall and some sites don't have an option of what O/Ses they run. We wind up having to deal with the reality of having open services hanging out in the wind with no way to access control and no way to packet filter.

As to intent, that is probably very easy to prove. All they have to do is find a bunch of phrack articles in your possession/on your account and they'll have a good ways towards intent. Having exploit code, even if it's not exploit code for what you're scanning for, will look even worse.
Sure *IF* you have a good lawyer, and have the money for a good lawyer, you can probably beat the charge. I personally would not bet my liberty on this, though. People are very fond of getting into abstract arguments about the letter of the law on the net, and I'm sure that anyone here could put up a pretty convincing case in front of the already-converted that possession does not equal intent. However, I think that reality, where judges "interpret" the laws, has a decent chance of being a little more arbitrary and cruel. And three words: Steve Jackson Games. They got off in the end, but they were put through hell and the abuses in that case were really egregious. Don't bet on being treated this well.

So, my advice really is to treat portscanning random machines as being illegal. All this discussion about putting nmap up on websites kind of makes me nervous; I think it's probably a huge legal risk.

I personally don't care about portscans. I simply log them and send logs off to our internal "CERT" which collects reports from all the security-aware admins on campus. Usually for the persistent ones there are a few break-in attempts and they're tracked back down to the script kiddie who did them and the person gets busted -- for breaking into the machines. I doubt that most security people have the resources to care about portscans that aren't used to root machines, or launched from rooted machines. However, I am quite sure that once you've scanned enough of the net you will come across the admin who hates his job and life and has nothing better to do than try to fuck with people -- and a webserver offering a scanning service is going to be a nice fat stationary target to unload abuse, hostility and lawyers at.

Legally I actually do think that portscans 'should' be illegal. I think that there's no damn question about intent when my class C gets hit by SYN scans for imapd or mountd.

Ethically, however, I have no problems with people accepting their own level of risk and illegal behavior. I also have no ethical problems with helping Fyodor out with porting nmap. Perhaps this is inconsistent or hypocritical, but I really don't think so (and I gave up on not being a hypocrite awhile back; that's a long philosophical discussion though).

My basic take is personal in that if I'm going to scan a machine that isn't mine, I really do expect it to be perceived as a hostile act both by the admins of that box and the authorities, and will take responsibility for that and won't try to claim that I have the 'right' to scan a box.

Anyway, that's my say, and I am going to bow the hell out of the rest of this discussion because I'm totally sick of the one that is currently on comp.security.unix. Feel free to trash me, but I'm really tired of this flamewar...

On Tue, 23 Feb 1999, Technical Incursion Countermeasures wrote:
> ahh a good fun topic :}.. ok AFAIK this is how it is interpreted normally..
>
> Port scanning is quite rightly not a crime - it equates to rattling door knobs and trying windows.. not a felony in itself - however it is suspicious activity. This is the key...
>
> Now if during our port scanning we happen to find a wide open NFS port and access it - then we have committed a crime - because by port scanning we have shown intent - it is no longer an accident that we just happened to push on the door and fall in.
>
> Now I know US law is different to Aust law - but I'm guessing that the intent provision is still there - i.e. that to be convicted of a deliberate act - the prosecution must show that you intended to commit the act.
>
> Cheers,
> Bret
>
> PS and just in case someone is stupid enough to take what I said as legal advice - it's not :}
>
> Technical Incursion Countermeasures
> consulting () TICM COM
> http://www.ticm.com/
> ph: (+61)(041) 4411 149 (UTC+8 hrs)
> fax: (+61)(08) 9454 6042
> The Insider - an e'zine on Computer security
> http://www.ticm.com/info/insider/index.html
--
Lamont Granquist
lamontg () raven genome washington edu
Dept. of Molecular Biotechnology
(206)616-5735 fax: (206)685-7344
Box 352145 / University of Washington / Seattle, WA 98195
PGP pubkey: finger lamontg () raven genome washington edu | pgp -fka
Current thread:
- publicly available resources and the law HD Moore (Feb 23)
- Re: publicly available resources and the law Technical Incursion Countermeasures (Feb 23)
- RE: publicly available resources and the law Frank Miller (Feb 23)
- Re: publicly available resources and the law Bennett Todd (Feb 23)
- Re: publicly available resources and the law Lamont Granquist (Feb 23)
- RE: legality of port-mapping Dragos Ruiu (Feb 23)
- RE: legality of port-mapping Lamont Granquist (Feb 24)
- Re: publicly available resources and the law Daemor (Feb 23)
- Re: publicly available resources and the law Technical Incursion Countermeasures (Feb 23)
- RE: publicly available resources and the law Frank Miller (Feb 23)
- RE: publicly available resources and the law Erik Parker (Feb 23)
- RE: publicly available resources and the law Dragos Ruiu (Feb 23)
- RE: publicly available resources and the law Frank Miller (Feb 23)
- RE: publicly available resources and the law rain.forest.puppy (Feb 23)
- Re: publicly available resources and the law Brian Gosnell (Feb 23)
- RE: publicly available resources and the law Frank Miller (Feb 23)
- <Possible follow-ups>
- RE: publicly available resources and the law Meritt, Jim (Feb 23)
- Re: publicly available resources and the law Benjamin Tomhave (Feb 23)