Security Basics: RE: application for an employment

RE: application for an employment

From: Kurt Reimer <greimer_at_fccc.edu>
Date: Wed, 5 Apr 2006 18:25:57 -0400 (EDT)

      As much as I dislike most of the laws covering these issues, I'm
grateful for the discussion of them in this thread. People should know the
laws, even the ones they don't agree with.

      But I'm no less of the opinion that the laws governing these aspects
of cyber-security are biased in favor of large entities with elaborate
online presences, and those people (including professionals in the
electronic security industry) who serve them.

         One day last week, after reading many posters to this thread agree
that port-scanning an organization's network was similar to throwing
small rocks at the windows of a house, I happened to tune into a
Talk-Radio station during my homeward commute, and picked up the Michael
Medved show. Michael is one of the more civil and intellectually rigorous
rightwing talkshow hosts, and he was interviewing a woman who leads some
sort of protest organization against RFID tags, which are wafer-thin little
radio transmitters that look like ordinary bar-code labels but which can
transmit a radio signal several meters when powered by induction. This
woman described several imaginative scenarios in which data could be
collected in unexpected ways; e.g. the RFID tags embedded in your latest
pair of shoes, and associated with your identity at their Point-Of-Sale,
could be used to determine whether you stopped and admired the display in
a storefront, and could perhaps result in targeted junk mail being sent
to your mailbox.

         Mr Medved's attitude was basically, "So what?" His standard was
that this woman had to demonstrate ironclad evidence of inevitable serious
harm resulting from this kind of surveillance before he would regard her
as anything other than a paranoid, hysterical Kook.

         One could easily imagine many people sharing this viewpoint, and
certainly no one would expect the organizations that manufacture RFID tags
to be overly concerned about the future possibility of this kind of
surveillance. Yet this is the exact opposite of the attitude which is being
expressed by many people in this thread. The mere examination of the
possibility of there being vulnerabilities in an organization's internet
presence is virtually equated with the act of maliciously exploiting such
a weakness. And once again I can't help noticing that when it's the
privacy of an individual that's being compromised, the burden is put on
that individual to demonstrate conclusively what harm is being done, while
an institution's privacy is sacrosanct.

         The informative postings from Craig and others in this thread
show that the supposition that a portscan is criminal behavior seems
firmly embedded in our legal system. Yet I've seen precious little
demonstration of actual harm that comes of it. One poster in this thread
said that it makes it more likely that the scanned system will be
compromised because a 3rd party may break into the system from which the
scanning was done, find the logs of the scans, and attack the
vulnerabilities found in the original scanned system. I'd call this a
vanishingly small danger in comparison to that of the 3rd party finding
and attacking the original vulnerable system! Another poster said that
the people who run port scans are likely to brag to their friends about
the vulnerabilities that they have found. This tells me that the
character assassination of people who run port scans is extensive
if not complete.

Further, I believe that it's easy to demonstrate that beyond being
strongly biased towards the short-term interests of large organizations
that hire electronic security professionals, our present laws and cultural
attitudes actually harm the individual user of the internet and society in
general, because they basically promote the continuance of an atmosphere
in which security weaknesses are allowed to continue to exist.

         It's no exaggeration to say that online fraud and identity theft
are serious problems and they are getting worse. I've lost track of how
many times over the past year I've heard of this or that financial or
commercial institution that has exposed the personal, financial, and/or
legal information of its customers by the thousands or hundreds of
thousands. In an earlier post to this thread I advanced the idea that a
person might have a legitimate interest in knowing about the security of
the internet presence of a potential employer. Couldn't it also be said
that any consumer has a legitimate interest in knowing about the internet
security of any organization that they might patronize, or invest in?
Indeed, in this country some states have already mandated in law that
organizations must publicly acknowledge breaches of their electronic
security!

         Let's imagine for a moment what is probably the ultimate nightmare
scenario for many people on this mailing list: Some individual or group
with time and money to spare, a reliable high-bandwidth internet
connection, and immunity from prosecution establishes the new website
"http://www.OpenPortsAtTheFortune500.com", and reliably keeps it updated
in realtime!

         Assuming that this site takes off and becomes popular, what
would be its short- and long-term effects? Would it result in more or
fewer electronic compromises of Fortune 500 companies in the short term?
What about the long term? Would it result in a more secure or less secure
average internet presence for members of the Fortune 500? Would it result
in a greater or lesser degree of security in the average commercial
operating system and application software product? Would its effects
(whatever they are) be strictly confined to the Fortune 500 or would they
have some tendency to spread over the Internet at large?

         In an earlier post I noted the limitations of reasoning by
analogy, and many people agreed, but it didn't seem to stop anybody. It
seems to me that the present legal and cultural attitudes towards the
concept of a port-scan would require us to add an additional final
paragraph to that old fairy tale, "The Emperor's New Clothes". In this
final paragraph the little boy would immediately be surrounded by several
large men wearing black suits and sunglasses and be whisked off to a
re-education facility, and the populace would once again praise the
emperor's sartorial splendor.

Yours,

Kurt Reimer

Received on Apr 06 2006
