Nmap Announce mailing list archives

RE: legality of port-mapping


From: "Dragos Ruiu" <dr () v-wave com>
Date: Tue, 23 Feb 1999 22:10:34 -0800

I'm afraid I have to take serious issue with anyone who tells me a port
scan is illegal. Or who wants it to be.

Let me describe a real world scenario that I was in yesterday:

We build distributed traffic measurement systems and router
control front ends.  As a part of testing this product
we are sprinkling probes in many locations, some of which are
at 3rd party test sites.  Some of these probes are DHCP addressed.

The other day one of our unmanned probes was accidentally rebooted
by local people, and for one reason or another didn't re-establish
contact with the rest of the distributed test system.  There are no
humans (computer savvy ones anyway) to contact at the remote site.
Trying to re-establish links failed. We correctly surmised that the
ISP that served the probe had assigned a different DHCP address to it.

Our probe was lost out there on a /23.  The only recourse was to run
nmap (thanks again Fyodor) on the entire public /23 and then look for
a profile that matched our probe.  In that scan three hosts with
matching port profiles turned up.  Each had to be tried with ssh
to identify which was the real probe.

In this scenario, even if we turn up nasty banners, I don't think that
there should be any grounds to call that wrong or illegal in any manner.
Yet on the log files it could look like we port-mapped and then tried to
break into three machines.

I'll tell ya, if some overzealous sysadmin phoned "computer savvy" cops
and wasted my time with them, they would have to get through our lawyers.
And they -are- mean.

My common sense says that any time you make typing in the wrong IP address
and mistakenly scanning someone with "restrictive" system usage policy a
crime, something is not right. As far as the Steve Jackson Games history,
I think we all have to agree that was one of the most idiotic examples
of miscarriages of law-enforcement and computer myopia.

Anyway, though I haven't read the c.unix.security thread, I don't want to
beat a dead horse. So I'll shut up about this now. Thanks.

--dr

p.s.
Our average port mapping incidence on our public probes is about 2 portmaps
per day.
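As an added illustration of the "look for a profile that matched our probe" step above (example code, not from the thread): parse nmap grepable output (-oG) for the whole /23 and rank hosts by how closely their open TCP ports match the probe's known profile. The sample -oG lines, the 10.20.0.0/23 range and the 22/161/8443 profile are constructed.

```python
"""Rank hosts in nmap -oG output by similarity to a known device's port profile."""
import re
from typing import Dict, List, Set, Tuple

# Hypothetical profile of the lost probe: TCP ports it is known to expose.
PROBE_PROFILE: Set[int] = {22, 161, 8443}

# Constructed -oG output; real output has the same tab-separated
# "Host: ...  Ports: ...  Ignored State: ..." shape.
SAMPLE_GNMAP = """\
# Nmap scan initiated as: nmap -oG probe-hunt.gnmap 10.20.0.0/23 (constructed)
Host: 10.20.0.14 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///\tIgnored State: closed (998)
Host: 10.20.0.37 ()\tPorts: 22/open/tcp//ssh///, 161/open/tcp//snmp///, 8443/open/tcp//https-alt///\tIgnored State: closed (997)
Host: 10.20.1.102 ()\tPorts: 22/open/tcp//ssh///, 161/open/tcp//snmp///, 8443/open/tcp//https-alt///\tIgnored State: filtered (997)
Host: 10.20.1.200 ()\tPorts: 22/open/tcp//ssh///, 25/open/tcp//smtp///, 161/open/tcp//snmp///\tIgnored State: closed (997)
Host: 10.20.1.250 ()\tStatus: Down
"""

# Each port entry is port/state/protocol/owner/service/rpcinfo/version/
PORT_RE = re.compile(r"(\d+)/open/tcp/")


def parse_gnmap(text: str) -> Dict[str, Set[int]]:
    """Map each host that has a Ports field to its set of open TCP ports."""
    hosts: Dict[str, Set[int]] = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue  # skip the leading comment and anything else
        fields = dict(f.split(": ", 1) for f in line.split("\t") if ": " in f)
        if "Ports" not in fields:
            continue  # "Status: Down" lines carry no port data
        addr = fields["Host"].split()[0]
        hosts[addr] = {int(p) for p in PORT_RE.findall(fields["Ports"])}
    return hosts


def rank_candidates(hosts: Dict[str, Set[int]], profile: Set[int]) -> List[Tuple[str, float]]:
    """Score hosts by Jaccard similarity of open ports to the profile, best first.
    Hosts sharing no port with the profile are dropped."""
    scored = []
    for addr, ports in hosts.items():
        common = ports & profile
        if common:
            scored.append((addr, len(common) / len(ports | profile)))
    return sorted(scored, key=lambda t: (-t[1], t[0]))


if __name__ == "__main__":
    for addr, score in rank_candidates(parse_gnmap(SAMPLE_GNMAP), PROBE_PROFILE):
        print(f"{addr:15} match={score:.2f}")
```

Exact matches (score 1.00) are the hosts worth confirming by logging in; partial scores show which other machines merely resemble the probe.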


-----Original Message-----
From: Lamont Granquist [mailto:lamontg () raven genome washington edu]
Sent: Tuesday, February 23, 1999 2:09 PM
To: Technical Incursion Countermeasures
Cc: HD Moore; nmap-hackers () insecure org
Subject: Re: publicly available resources and the law



Alright, we just went through all this on comp.unix.security.  You can go
read that thread if you're interested in other opinions I have about it.

However, I think it is *very*, *very* sketchy legal grounds to say that
this is legal.  In the first place the door-rattling, etc analogies have
been done _to_death_ on comp.security.unix.  They're not useful.  For
every analogy there is a counter-analogy ad nauseam.

The fact, however, is that you are contacting services which you don't
have authorization for.  You *are* connecting to those services, and you
will cause the CPU in question to consume cycles dealing with you and
possibly even fork().  Under "normal" "bug-free" circumstances this does
not cause any harm, *however* you are using a resource on that machine.  I
think that legally the argument could very easily be made that you are
*using* resources that you have no rights to.

The "an open port is an invitation" argument has also been beat to death
on comp.security.unix.  It doesn't hold water, because some sites don't
have an option of putting up a firewall and some sites don't have an
option of what O/Ses they run.  We wind up having to deal with the reality
of having open services hanging out in the wind with no way to access
control and no way to packet filter.

As to intent, that is probably very easy to prove.  All they have to do is
find a bunch of phrack articles in your possession/on your account and
they'll have a good ways towards intent.  Having exploit code, even if it's
not exploit code for what you're scanning for, will look even worse.  Sure
*IF* you have a good lawyer, and have the money for a good lawyer you can
probably beat the charge.  I personally would not bet my liberty on this,
though.  People are very fond of getting into abstract arguments about the
letter of the law on the net, and I'm sure that anyone here could put up a
pretty convincing case in front of the already-converted that possession
does not equal intent.  However, I think that reality, where judges
"interpret" the laws, has a decent chance of being a little more arbitrary
and cruel.

And three words:  Steve Jackson Games.

They got off in the end, but they were put through hell and the abuses in
that case were really egregious.  Don't bet on being treated this well.

So, my advice really is to treat portscanning random machines as being
illegal.  All this discussion about putting nmap up on websites kind of
makes me kind of nervous, I think it's probably a huge legal risk.  I
personally don't care about portscans.  I simply log them and send logs
off to our internal "CERT" which collects reports from all the
security-aware admins on campus.  Usually for the persistent ones there
are a few break-in attempts and they're tracked back down to the script
kiddie who did them and the person gets busted -- for breaking into the
machines.  I doubt that most security people have the resources to care
about portscans that aren't used to root machines, or launched from rooted
machines.  However, I am quite sure that once you've scanned enough of the
net you will come across the admin who hates his job and life and has
nothing better to do than try to fuck with people -- and a webserver
offering a scanning service is going to be a nice fat stationary target to
unload abuse, hostility and lawyers at.

Legally I actually do think that portscans 'should' be illegal.  I think
that there's no damn question about intent when my class C gets hit by SYN
scans for imapd or mountd.  Ethically, however, I have no problems with
people accepting their own level of risk and illegal behavior.  I also
have no ethical problems with helping Fyodor out with porting nmap.
Perhaps this is inconsistent or hypocritical, but I really don't think so
(and I gave up on not being a hypocrite awhile back, that's a long
philosophical discussion though).  My basic take is personal in that if
I'm going to scan a machine that isn't mine that I really do expect it to
be perceived as a hostile act both by the admins of that box and the
authorities, and will take responsibility for that and won't try to claim
that I have the 'right' to scan a box.

Anyway, that's my say, and I am going to bow the hell out of the rest of
this discussion because I'm totally sick of the one that is currently on
comp.security.unix.  Feel free to trash me, but I'm really tired of this
flamewar...

On Tue, 23 Feb 1999, Technical Incursion Countermeasures wrote:
ahh a good fun topic :}..

ok AFAIK this is how it is interpreted normally..

Port scanning is quite rightly not a crime - it equates to rattling door
knobs and trying windows.. not a felony in itself - however it is
suspicious activity. This is the key...

Now if during our port scanning we happen to find a wide open NFS port and
access it - then we have committed a crime - because by port scanning we
have shown intent - it is no longer an accident that we just happened to
push on the door and fall in.

Now I know US law is different to Aust law - but I'm guessing that the
intent provision is still there - i.e. that to be convicted of a deliberate
act - the prosecution must show that you intended to commit the act.

Cheers,
Bret

PS and just in case someone is stupid enough to take what I said as legal
advice - it's not :}
Technical Incursion Countermeasures
consulting () TICM COM                      http://www.ticm.com/
ph: (+61)(041) 4411 149(UTC+8 hrs)      fax: (+61)(08) 9454 6042

The Insider - an e'zine on Computer security
http://www.ticm.com/info/insider/index.html


--
Lamont Granquist                       lamontg () raven genome washington edu
Dept. of Molecular Biotechnology       (206)616-5735  fax: (206)685-7344
Box 352145 / University of Washington / Seattle, WA 98195
PGP pubkey: finger lamontg () raven genome washington edu | pgp -fka


