Home page logo
/

basics logo Security Basics mailing list archives

RE: FW: Legal? Road Runner proactive scanning.[Scanned]
From: "Shawn Jackson" <sjackson () horizonusa com>
Date: Fri, 19 Mar 2004 10:49:56 -0800

I happen to scan houses all the time, I am trying to buy one. I also
scan cars. 
However if I throw a rock at the house or car, I am no longer scanning,
I am attacking.

I think were a little off topic with analogies, I also think we have
confused
the less technical among us. First we pretty much all agree that a
portscan itself
is not an attack, good. Now lets drill down some arguments so we can end
this.

1.) Just because a port is open doesn't mean it's public

Then secure the port via software controls, ACL's, firewalls, etc. We
all acknowledge
that the Internet is not secure-by-default and it's a defacto standard
to have
firewalls or other security measures in place to protect your 'private'
stuff. We also
all acknowledge that the Internet is a public realm, this is not beyond
reason. But
you are all confusing services and ports. You want to protect the
'service' from being
accessed, but port is just the translation between the host systems
TCP/IP stack and
the underlying service, thread or process that is using that port. I can
run telnet on
any port I want, 80, 25, 110, etc. Port 80 doesn't automatically mean a
httpd service,
that's just the standard.

What do we say when people get hacked? "Shoulda installed a firewall",
well don't want
your system scanned....

2.) It's privacy issue.

The port is just the hosts implementation of the TCP stack. It's not
indicative of the 
service that uses that port, thus accessing the port does not
necessarily imply accessing
the underlying service.

3.) They need to be a authorized user.

...Of the service that you are hosting. If you want to limit interaction
with the TCP/IP
stack itself you need setup security to protect the stack, firewall etc.
Also the whole
'reasonable man' stuff is a little off target. If you setup
www.server.org, (WWW) implies
website, you have just given authorization for people to access that
site. Now if you want
to restrict access you need to setup security and/or post your 'do not
enter message'. You
can't open up a shop on a busy street and keep the door unlocked and not
expect people to
come in, that's beyond reasonable. If anyone who has worked for the USG
will know they HAVE
to port the normal disclaimer on ALL services that people can access.
That is how you alert
people using the service of the T&C's.

4.) FTP is not a reasonable resource.

AND SMTP is, HTTP is? They are all members of the TCP stack, and are all
there for use. I
check if a site uses anon FTP if I'm going to be doing some heavy
downloading, that's 
reasonable seaming FTP is a (FILE transfer protocol). 

5.) Port scanning is an attack.

Then protect yourself if you feel that way. Numerous programs that use
dynamically assigned
ports will conduct a limited portscan to find their service on the host
system, that's not
wrong. A postscan is a quick way of finding out what ports are open, not
what services they
run.

6.) It's illegal.

Show me common international law that states that portscanning is
illegal. Trespassing or
any other non-digital law may not apply. I've look at all the cyber
crime laws I could get my
hands on, and they don't state that accessing another hosts TCP stack is
against the law. 
Even the USG won't trace people for that, it's just not a cause for
concern. It is cause 
for concern when they start trying to hack your services, but a port
sweep is below the 
radar. If you don't want people accessing your telnet service, add
security and put up a message
telling them that, same with all the other services.

7.) The End....

Now I still don't know how this thread started, but I can assume someone
didn't like that
their provider was postscanning their box. I'm sure it's well within the
hosts T&C's and
if you don't like it get a firewall. Personally I would want to see more
providers taking
care of what's on their network. If more providers took a proactive
stance like this then
the amount of spam, zombie DDoS systems, and hacked grannies would
decrease.

Face it, it's for the better good. If you can't take care of your own
backyard, then
someone will do it for you, usually be cutting your connection to the
Internet. How's that
for private.

....Off the soapbox back to work....

Shawn Jackson
Systems Administrator
Horizon USA
1190 Trademark Dr #107
Reno NV 89521

www.horizonusa.com
Email: sjackson () horizonusa com
Phone: (775) 858-2338
       (800) 325-1199 x338

---------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off
any course! All of our class sizes are guaranteed to be 10 students or less
to facilitate one-on-one interaction with one of our expert instructors.
Attend a course taught by an expert instructor with years of in-the-field
pen testing experience in our state of the art hacking lab. Master the skills
of an Ethical Hacker to better assess the security of your organization.
Visit us at:
http://www.infosecinstitute.com/courses/ethical_hacking_training.html
----------------------------------------------------------------------------


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]