Re: Yet another thread on the legality of port scanning

From: Charley Hamilton (chamilto_at_uci.edu)
Date: 03/17/04

  • Next message: JTH: "RE: ESTMP Exploits & Security" 
    Date: Wed, 17 Mar 2004 10:39:34 -0800
To: security-basics@securityfocus.com

    > Anybody who wishes to communicate to my resources
    >> can do so by normal
    >> means: web browser, email, etc.
    >
    >
    > The normal means of communicating on the internet is via IP
    > packets.

    On that basis, electron transport is the standard method of
    information transfer on the internet. If I connect a power cord
    to your router's ethernet jack, is that okay? Obviously not.

    >> All such
    >> services will be published where
    >> appropriate.
    >
    >
    > There is no place to publish open ports, accepted protocols,
    > and authorized users.

    Authorized users are told they are authorized users. If you are not
    an authorized user, what difference does it make what protocols are
    accepted? You're not supposed to be using them. That's the definition
    of authorized. The same argument applied to open ports. Authorized
    users will be told that they are authorized. The "reasonable man"
    hypothesis applies to connecting to a system to which authorization is
    in doubt. Would a reasonable man conclude that http://www.cnn.com is an
    acceptable connection in the absence of explicit permission? I would
    say yes, he would. Would a reasonable man conclude that ftp://www.cnn.com
    is an acceptable connection in the absence of explicit permission?
    I would argue no, he would not. What's the difference? HTTP is
    generally accepted to be a public connection, in the sense that it
    is intended as a shared resource, to be accessible to all. FTP is
    not generally accepted as such, regardless of what electronic storefront
    happens to be offering the service. Similarly, www.foo.com is generally
    expected to be a public http server. Therefore, making an HTTP connection
    to that server is reasonable. accounts-payable.foo.com is *not* generally
    expected to be a public http server. Therefore, it is not reasonable to
    assume that it would be offering public http services. Any such services
    would reasonably be intended for authorized users only.

    >> Simply providing one service does
    >> not give tacit approval
    >> for somebody to probe my resources.
    >
    >
    > The act of plugging a device into a public [@1] IP address
    > is your way of giving people permission to send packets to
    > it.

    I disagree strongly on this. I have a public street address.
    It is appropriate for a caller to knock on my door/ring my
    doorbell, because that is the "reasonable man" thing to do.
    It is not acceptable for the caller to come around the side
    of my house just because he sees my side door open.
    What makes an IP address any different from a physical address
    in terms of the "reasonable man" hypothesis? That is the typical
    legal test to which such arguments must be put.

    > Anyone on the internet can send an IP packet to anyone else.
    > That's kind of the whole point.

    I disagree. The whole point of the internet is to permit
    effective communication of ideas, not random unsolicited
    contact between individuals. If I solicit contact by offering
    "reasonable man" permission for contact, then it is part of
    effective communication. If I do not, it is annoyance potentially
    rising to criminal action.

    If the packets sent to your computer are necessary as part of
    reasonable communication (e.g. a small network using NetBEUI
    could reasonably expect for everyone to get pounded with broadcast
    packets). However, specifically targeted packets are a different
    matter. If I specifically target you with an http connection, then
    it is reasonable to expect that *only* your machine (plus the pertinent
    intermediate hops) is getting those packets. If I am making an http
    connection attempt to your machine, it should be because I reasonably
    expect to have permission to make the connection.

    > Search around for the hundreds of reincarnations of this
    > thread. The analogies have been done to death. Keep
    > private services off the net. Secure public services as
    > needed.

    *blink blink* I can't argue with the last sentence, but
    just what constitutes a "private" service by your definition?
    Something that is accessible only to someone from an internal
    net? Are you arguing that any service offered over the
    internet is tacit approval for *everyone* to use that service?
    Or is it only tascit approval if the service is not properly
    secured?

    Assuming that my interpretation of your writing is correct,
    you would support unsolicited bulk email. After all, you have
    an email address and your mail server (or the firewall through
    which it passes) has a public IP address, right? After all, I
    got your email and I'm not on your private netweork.

    > [@1] http://www.m-w.com/cgi-bin/dictionary?va=public
    > 6a accessible to or shared by all members of the
    > community

    Same source, definition of access:

    2 a : permission, liberty, or ability to enter, approach,
    communicate with, or pass to and from b : freedom or ability to
    obtain or make use of c : a way or means of access d : the act or
    an instance of accessing

    It is clear from 2a and 2b that the intent of "access" is
    "permitted access", not simply the physical limitation of
    availability.

    Just my $0.02, IANAL, etc

    Charley 

    -- 
Charles Hamilton, PhD EIT               Faculty Fellow
Department of Civil and                 Phone: 949.824.3752
     Environmental Engineering           FAX:   949.824.2117
University of California, Irvine        Email: chamilto@uci.edu
---------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off 
any course! All of our class sizes are guaranteed to be 10 students or less 
to facilitate one-on-one interaction with one of our expert instructors. 
Attend a course taught by an expert instructor with years of in-the-field 
pen testing experience in our state of the art hacking lab. Master the skills 
of an Ethical Hacker to better assess the security of your organization. 
Visit us at: 
http://www.infosecinstitute.com/courses/ethical_hacking_training.html
----------------------------------------------------------------------------
  • Next message: JTH: "RE: ESTMP Exploits & Security"

    Relevant Pages

    • Re: One internet connection only
      ... > active connection at a time. ... > I connect to the Internet via DSL with D-Link router acts ... Sounds like communication is only one-way at a time, ... Perhaps rebooting the modem will help. ...
      (microsoft.public.windowsxp.network_web)
    • Re: remote assistance; can it connect two computers anywhere, anytime?
      ... You need to know the IP address--that's the whole basis of Internet (or even ... with inbound communication. ... > The expert wants to remotely assist the novice user. ... > novice user and the constant changing way in which connection to the ...
      (microsoft.public.windowsxp.work_remotely)
    • Checkpoint NG question
      ... I want that the HTTP and HTTPs from the pc's go via one ... connection the other communication go via the other internet ...
      (comp.security.firewalls)
    • [Full-disclosure] Stealthier Internet access
      ... Stealthier Internet access ... Nevertheless anonymous and secure communication in the world today is ... (Here are few basic bookmarks to improve Stealthier internet access for windows) ...
      (Full-Disclosure)
    • ebooks share lits 289
      ... Aurignacian Lithic Economy: Ecological Perspectives From Southwestern ... Concept, Design, and Deployment of Internet ... Democratic Institutions Praeger Series in Political Communication, ... A Practical Guide Routledge Education ...
      (sci.med.nutrition)