Home page logo
/

basics logo Security Basics mailing list archives

RE: Yet another thread on the legality of port scanning
From: "Robert M. Newton" <rnewton () hcc net>
Date: Mon, 5 Apr 2004 07:11:40 -0400

Consider this.

When living out in the Northwest I loved just driving and exploring
(scanning) roads for new places.  I drove on the public roads which
interconnected with many other roads private and public.    It didn't matter
what road surface (protocol) I was driving on.  Obvious a four lane asphalt
was probably meant for public use, but sometimes I would find a great
restaurant on a lake at the end of a small gravel road looking for business.
I do not see signs that state "Public Road" or "This is a road, please use
it" because it is usually assume to be so unless there was some indication
it is private road such as signs, gates, or security guards that restricts
its' usage.  As it is with the property owner, I believe it is the
responsibility of the server administrator, to restrict the services of that
server.  If I the ignore the "NO Access" Private Road" signs or circumvent
the gates design to keep me out, then I am the culprit and should be
punished.  My $.02 worth.

Robert M. Newton
IT Director


-----Original Message-----
From: Charley Hamilton [mailto:chamilto () uci edu]
Sent: Wednesday, March 17, 2004 1:40 PM
To: security-basics () securityfocus com
Subject: Re: Yet another thread on the legality of port scanning


Anybody who wishes to communicate to my resources
can do so by normal
means: web browser, email, etc.


The normal means of communicating on the internet is via IP
packets.

On that basis, electron transport is the standard method of
information transfer on the internet.  If I connect a power cord
to your router's ethernet jack, is that okay?  Obviously not.

All such
services will be published where
appropriate.


There is no place to publish open ports, accepted protocols,
and authorized users.

Authorized users are told they are authorized users.  If you are not
an authorized user, what difference does it make what protocols are
accepted?  You're not supposed to be using them.  That's the definition
of authorized.  The same argument applied to open ports.  Authorized
users will be told that they are authorized.  The "reasonable man"
hypothesis applies to connecting to a system to which authorization is
in doubt.  Would a reasonable man conclude that http://www.cnn.com is an
acceptable connection in the absence of explicit permission?  I would
say yes, he would.  Would a reasonable man conclude that ftp://www.cnn.com
is an acceptable connection in the absence of explicit permission?
I would argue no, he would not.  What's the difference?  HTTP is
generally accepted to be a public connection, in the sense that it
is intended as a shared resource, to be accessible to all.  FTP is
not generally accepted as such, regardless of what electronic storefront
happens to be offering the service.  Similarly, www.foo.com is generally
expected to be a public http server.  Therefore, making an HTTP connection
to that server is reasonable.  accounts-payable.foo.com is *not* generally
expected to be a public http server.  Therefore, it is not reasonable to
assume that it would be offering public http services.  Any such services
would reasonably be intended for authorized users only.

Simply providing one service does
not give tacit approval
for somebody to probe my resources.


The act of plugging a device into a public [ () 1] IP address
is your way of giving people permission to send packets to
it.

I disagree strongly on this.  I have a public street address.
It is appropriate for a caller to knock on my door/ring my
doorbell, because that is the "reasonable man" thing to do.
It is not acceptable for the caller to come around the side
of my house just because he sees my side door open.
What makes an IP address any different from a physical address
in terms of the "reasonable man" hypothesis?  That is the typical
legal test to which such arguments must be put.

Anyone on the internet can send an IP packet to anyone else.
That's kind of the whole point.

I disagree. The whole point of the internet is to permit
effective communication of ideas, not random unsolicited
contact between individuals.  If I solicit contact by offering
"reasonable man" permission for contact, then it is part of
effective communication.  If I do not, it is annoyance potentially
rising to criminal action.

If the packets sent to your computer are necessary as part of
reasonable communication (e.g. a small network using NetBEUI
could reasonably expect for everyone to get pounded with broadcast
packets).  However, specifically targeted packets are a different
matter.  If I specifically target you with an http connection, then
it is reasonable to expect that *only* your machine (plus the pertinent
intermediate hops) is getting those packets.  If I am making an http
connection attempt to your machine, it should be because I reasonably
expect to have permission to make the connection.

Search around for the hundreds of reincarnations of this
thread.  The analogies have been done to death.  Keep
private services off the net.  Secure public services as
needed.

*blink blink*  I can't argue with the last sentence, but
just what constitutes a "private" service by your definition?
Something that is accessible only to someone from an internal
net?  Are you arguing that any service offered over the
internet is tacit approval for *everyone* to use that service?
Or is it only tascit approval if the service is not properly
secured?

Assuming that my interpretation of your writing is correct,
you would support unsolicited bulk email.  After all, you have
an email address and your mail server (or the firewall through
which it passes) has a public IP address, right?  After all, I
got your email and I'm not on your private netweork.

[ () 1] http://www.m-w.com/cgi-bin/dictionary?va=public
     6a accessible to or shared by all members of the
community

Same source, definition of access:

2 a : permission, liberty, or ability to enter, approach,
communicate with, or pass to and from b : freedom or ability to
obtain or make use of c : a way or means of access d : the act or
an instance of accessing

It is clear from 2a and 2b that the intent of "access" is
"permitted access", not simply the physical limitation of
availability.

Just my $0.02, IANAL, etc

Charley

--
Charles Hamilton, PhD EIT               Faculty Fellow
Department of Civil and                 Phone: 949.824.3752
     Environmental Engineering           FAX:   949.824.2117
University of California, Irvine        Email: chamilto () uci edu




---------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off
any course! All of our class sizes are guaranteed to be 10 students or less
to facilitate one-on-one interaction with one of our expert instructors.
Attend a course taught by an expert instructor with years of in-the-field
pen testing experience in our state of the art hacking lab. Master the
skills
of an Ethical Hacker to better assess the security of your organization.
Visit us at:
http://www.infosecinstitute.com/courses/ethical_hacking_training.html
----------------------------------------------------------------------------





---------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off 
any course! All of our class sizes are guaranteed to be 10 students or less 
to facilitate one-on-one interaction with one of our expert instructors. 
Attend a course taught by an expert instructor with years of in-the-field 
pen testing experience in our state of the art hacking lab. Master the skills 
of an Ethical Hacker to better assess the security of your organization. 
Visit us at: 
http://www.infosecinstitute.com/courses/ethical_hacking_training.html
----------------------------------------------------------------------------


  By Date           By Thread  

Current thread:
  • RE: Yet another thread on the legality of port scanning Robert M. Newton (Apr 05)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]