Home page logo
/

basics logo Security Basics mailing list archives

Re: Yet another thread on the legality of port scanning
From: "Murad Talukdar" <talukdar_m () subway com>
Date: Fri, 19 Mar 2004 14:28:03 +1000

Thanks guys! That was a great bit of friday afternoon entertainment for me
and thought provoking too.
Murad Talukdar


----- Original Message -----
From: "Barry Fitzgerald" <bkfsec () sdf lonestar org>
To: "Charley Hamilton" <chamilto () uci edu>
Cc: <security-basics () securityfocus com>
Sent: Friday, March 19, 2004 2:33 AM
Subject: Re: Yet another thread on the legality of port scanning


Charley Hamilton wrote:


The normal means of communicating on the internet is via IP
packets.


On that basis, electron transport is the standard method of
information transfer on the internet.  If I connect a power cord
to your router's ethernet jack, is that okay?  Obviously not.

These anologies don't work together.  The normal means of connecting an
ethernet card to a network is not via a power cord.  The normal means of
connecting to a server *IS* sending IP packets to that server and
recieving them back.  Which port(s) the packets are sent to is
irrelivent.  Whether the content is an attack or not depends on the
content of the packets.  Just because some (very poorly designed)
hardware/software can't survive a port scan, doesn't mean that port
scans are attacks nor does it mean that they represent anomolous traffic.

There are legitimate reasons for running a port scan on a computer in a
limited fashion, such as service discovery.



Authorized users are told they are authorized users.

Where?!?

Perhaps I'm not aware of it, but is there an "authorized user/service"
database on the internet?  I must have missed that.


  The "reasonable man"
hypothesis applies to connecting to a system to which authorization is
in doubt.

The reasonable man hypothesis also dictates that a person would only
reasonably leave a system exposed with a service running and without
warnings if it weren't meant to be viewed.  If the content says
"classified" or "you're not supposed to be here", or if the person knows
they shouldn't be there - that's one thing.


Would a reasonable man conclude that http://www.cnn.com is an
acceptable connection in the absence of explicit permission?  I would
say yes, he would.  Would a reasonable man conclude that
ftp://www.cnn.com
is an acceptable connection in the absence of explicit permission?
I would argue no, he would not.

I would argue that you're wrong.  Anonymous FTP is a very frequent
occurrance on the internet and it's not unreasonable to expect that CNN
might have an anonymous FTP site for content.  What, exactly, makes you
think that it's an unreasonable service to use?


What's the difference?  HTTP is
generally accepted to be a public connection, in the sense that it
is intended as a shared resource, to be accessible to all.  FTP is
not generally accepted as such, regardless of what electronic storefront
happens to be offering the service.

I don't know what universe you're in, but FTP is a public connection if
it's configured that way.  HTTP is also a public connection if it's
configured to be.  Both are also private connections if they're
configured to be.  The key here is in configuration, not in the service.

So, all these times I've been downloading things off of
ftp://mirrors.kernel.org, I've been being unreasonable?  That's the
first time I've ever heard anyone argue anything of the sort.



The act of plugging a device into a public [ () 1] IP address
is your way of giving people permission to send packets to
it.


I disagree strongly on this.  I have a public street address.
It is appropriate for a caller to knock on my door/ring my
doorbell, because that is the "reasonable man" thing to do.
It is not acceptable for the caller to come around the side
of my house just because he sees my side door open.
What makes an IP address any different from a physical address
in terms of the "reasonable man" hypothesis?  That is the typical
legal test to which such arguments must be put.

Because an IP address isn't a physical door and the internet isn't your
street.  Everyone's talking about this as if the rules are the same, but
they aren't.  Frankly, this argument is getting completely absurd.


Anyone on the internet can send an IP packet to anyone else.
That's kind of the whole point.


I disagree. The whole point of the internet is to permit
effective communication of ideas, not random unsolicited
contact between individuals.  If I solicit contact by offering
"reasonable man" permission for contact, then it is part of
effective communication.  If I do not, it is annoyance potentially
rising to criminal action.

The whole point of the internet is whatever you can do with the
networking technology within an ethical framework.  Internet traffic
need not be solicited.  However, some would say that you solicit the
reciept of non-disruptive generic TCP/IP traffic just by putting your
computer on the internet.


*blink blink*  I can't argue with the last sentence, but
just what constitutes a "private" service by your definition?

I, personally, would identify a private service as being one that you
want no one or limited numbers of people to access.

Something that is accessible only to someone from an internal
net?  Are you arguing that any service offered over the
internet is tacit approval for *everyone* to use that service?
Or is it only tascit approval if the service is not properly
secured?

I think his point was that if you don't want people to be able to see
the service (we're not even talking about logging in and using.  Port
scans don't log in and use services, they just detect them) then don't
put the service up for the net to see.  It's that simple.  :)


Assuming that my interpretation of your writing is correct,
you would support unsolicited bulk email.  After all, you have
an email address and your mail server (or the firewall through
which it passes) has a public IP address, right?  After all, I
got your email and I'm not on your private netweork.

Actually, I'm not the original poster, but I'd have to say that
unsolicited e-mail is just fine.  I don't have a problem with people
just sending me e-mail.  What I have a problem with is people hacking
into systems and converting them into SPAM relays.

Unsolicited e-mail isn't the problem, system abuse is -- that's what
makes filters fail and causes havoc.



Same source, definition of access:

2 a : permission, liberty, or ability to enter, approach,
communicate with, or pass to and from b : freedom or ability to
obtain or make use of c : a way or means of access d : the act or
an instance of accessing

It is clear from 2a and 2b that the intent of "access" is
"permitted access", not simply the physical limitation of
availability.


I don't think anyone's arguing that it's OK for someone to access a
system without permission or liberty.  The question is does being on the
internet open you up to generalized detection and discovery traffic?
I'd say yeah, it does.  I'm not advocating that people just port scan
everyone, and I do believe that most port scans are precursors to
attack...

But, by the same token, my looking at someone funny COULD be a precursor
to attack -- so, should we then consider people looking at others in a
funny way an attack?

I just happen to think that this whole argument is getting ridiculous.
Are port scans questionable?  Sure.  Are there legitimate reasons to do
them?  Sure.  Are they often precursors to attacks?  Often, yes.  Do the
packets sent by them constitute legitimate IP traffic?  Yes, unless
they're malformed, which is a different issue entirely.  Are they going
away anytime soon?  No.

There, problem solved.  :)

             -Barry



--------------------------------------------------------------------------
-
Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off
any course! All of our class sizes are guaranteed to be 10 students or
less
to facilitate one-on-one interaction with one of our expert instructors.
Attend a course taught by an expert instructor with years of in-the-field
pen testing experience in our state of the art hacking lab. Master the
skills
of an Ethical Hacker to better assess the security of your organization.
Visit us at:
http://www.infosecinstitute.com/courses/ethical_hacking_training.html
--------------------------------------------------------------------------
--





---------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off 
any course! All of our class sizes are guaranteed to be 10 students or less 
to facilitate one-on-one interaction with one of our expert instructors. 
Attend a course taught by an expert instructor with years of in-the-field 
pen testing experience in our state of the art hacking lab. Master the skills 
of an Ethical Hacker to better assess the security of your organization. 
Visit us at: 
http://www.infosecinstitute.com/courses/ethical_hacking_training.html
----------------------------------------------------------------------------


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault