Home page logo
/

basics logo Security Basics mailing list archives

Re: Yet another thread on the legality of port scanning
From: Charles Otstot <charles.otstot () ncmail net>
Date: Fri, 19 Mar 2004 13:13:11 -0500



Derek Schaible wrote:

<snip>

A normal, default, friendly ICMP sweep or TCP connect is doing none of
these. It has no effect whatsoever on the strength of your APPLICATION
security.

<snip>

Derek,

This is where you and I disagree.
Whether the scan actually causes "harm" (e.g causing a poorly designed application to crash) is really irrelevant. All of the technical descriptions and comparisons are likewise irrelevant.

The simple fact is that whether port scanning a host that does not belong to you is alright is in no way a technical question. It is a simple matter of right and wrong. I can think of no legitimate reason for someone to perform a scan against any host on someone else's network without their explicit permission. Stating that one could simply be looking for available services is a technical red herring. The argument may have been valid twenty (and perhaps even ten) years ago when publicly available resources were, at best, poorly published; this is NOT the case today. With (seemingly) virtually every major organization and company having a presence on the Internet, publicly allowable resources are widely published and easily found without ever interrogating the organization's network (e.g Google searches). If one is unsure of what resources an organization intends to be publicly availabale, one has the *moral obligation* to contact the organization through *published* available resources (e.g. email or telephone) requesting such information. One does NOT have the right to access the organization's resources in any other fashion (including scans) without the organization's consent.

Charlie





---------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off any course! All of our class sizes are guaranteed to be 10 students or less to facilitate one-on-one interaction with one of our expert instructors. Attend a course taught by an expert instructor with years of in-the-field pen testing experience in our state of the art hacking lab. Master the skills of an Ethical Hacker to better assess the security of your organization. Visit us at: http://www.infosecinstitute.com/courses/ethical_hacking_training.html
----------------------------------------------------------------------------


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]