Re: Yet another thread on the legality of port scanning

• Previous message: Aditya, ALD [Aditya Lalit Deshmukh]: "RE: Encryption on Laptops?"
• In reply to: Barry Fitzgerald: "Re: Yet another thread on the legality of port scanning"
• Next in thread: Shawn Jackson: "RE: Yet another thread on the legality of port scanning"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

To: "Barry Fitzgerald" <bkfsec@sdf.lonestar.org>, "Charley Hamilton" <chamilto@uci.edu>
Date: Fri, 19 Mar 2004 14:28:03 +1000

Thanks guys! That was a great bit of friday afternoon entertainment for me
and thought provoking too.
Murad Talukdar

----- Original Message -----
From: "Barry Fitzgerald" <bkfsec@sdf.lonestar.org>
To: "Charley Hamilton" <chamilto@uci.edu>
Cc: <security-basics@securityfocus.com>
Sent: Friday, March 19, 2004 2:33 AM
Subject: Re: Yet another thread on the legality of port scanning

> Charley Hamilton wrote:
>
> >>
> >> The normal means of communicating on the internet is via IP
> >> packets.
> >
> >
> > On that basis, electron transport is the standard method of
> > information transfer on the internet. If I connect a power cord
> > to your router's ethernet jack, is that okay? Obviously not.
> >
> These anologies don't work together. The normal means of connecting an
> ethernet card to a network is not via a power cord. The normal means of
> connecting to a server *IS* sending IP packets to that server and
> recieving them back. Which port(s) the packets are sent to is
> irrelivent. Whether the content is an attack or not depends on the
> content of the packets. Just because some (very poorly designed)
> hardware/software can't survive a port scan, doesn't mean that port
> scans are attacks nor does it mean that they represent anomolous traffic.
>
> There are legitimate reasons for running a port scan on a computer in a
> limited fashion, such as service discovery.
>
>
> >
> > Authorized users are told they are authorized users.
>
> Where?!?
>
> Perhaps I'm not aware of it, but is there an "authorized user/service"
> database on the internet? I must have missed that.
>
>
> > The "reasonable man"
> > hypothesis applies to connecting to a system to which authorization is
> > in doubt.
>
> The reasonable man hypothesis also dictates that a person would only
> reasonably leave a system exposed with a service running and without
> warnings if it weren't meant to be viewed. If the content says
> "classified" or "you're not supposed to be here", or if the person knows
> they shouldn't be there - that's one thing.
>
>
> > Would a reasonable man conclude that http://www.cnn.com is an
> > acceptable connection in the absence of explicit permission? I would
> > say yes, he would. Would a reasonable man conclude that
> > ftp://www.cnn.com
> > is an acceptable connection in the absence of explicit permission?
> > I would argue no, he would not.
>
> I would argue that you're wrong. Anonymous FTP is a very frequent
> occurrance on the internet and it's not unreasonable to expect that CNN
> might have an anonymous FTP site for content. What, exactly, makes you
> think that it's an unreasonable service to use?
>
>
> > What's the difference? HTTP is
> > generally accepted to be a public connection, in the sense that it
> > is intended as a shared resource, to be accessible to all. FTP is
> > not generally accepted as such, regardless of what electronic storefront
> > happens to be offering the service.
>
> I don't know what universe you're in, but FTP is a public connection if
> it's configured that way. HTTP is also a public connection if it's
> configured to be. Both are also private connections if they're
> configured to be. The key here is in configuration, not in the service.
>
> So, all these times I've been downloading things off of
> ftp://mirrors.kernel.org, I've been being unreasonable? That's the
> first time I've ever heard anyone argue anything of the sort.
>
>
> >>
> >> The act of plugging a device into a public [@1] IP address
> >> is your way of giving people permission to send packets to
> >> it.
> >
> >
> > I disagree strongly on this. I have a public street address.
> > It is appropriate for a caller to knock on my door/ring my
> > doorbell, because that is the "reasonable man" thing to do.
> > It is not acceptable for the caller to come around the side
> > of my house just because he sees my side door open.
> > What makes an IP address any different from a physical address
> > in terms of the "reasonable man" hypothesis? That is the typical
> > legal test to which such arguments must be put.
>
> Because an IP address isn't a physical door and the internet isn't your
> street. Everyone's talking about this as if the rules are the same, but
> they aren't. Frankly, this argument is getting completely absurd.
>
> >
> >> Anyone on the internet can send an IP packet to anyone else.
> >> That's kind of the whole point.
> >
> >
> > I disagree. The whole point of the internet is to permit
> > effective communication of ideas, not random unsolicited
> > contact between individuals. If I solicit contact by offering
> > "reasonable man" permission for contact, then it is part of
> > effective communication. If I do not, it is annoyance potentially
> > rising to criminal action.
>
> The whole point of the internet is whatever you can do with the
> networking technology within an ethical framework. Internet traffic
> need not be solicited. However, some would say that you solicit the
> reciept of non-disruptive generic TCP/IP traffic just by putting your
> computer on the internet.
>
> >
> > *blink blink* I can't argue with the last sentence, but
> > just what constitutes a "private" service by your definition?
>
> I, personally, would identify a private service as being one that you
> want no one or limited numbers of people to access.
>
> > Something that is accessible only to someone from an internal
> > net? Are you arguing that any service offered over the
> > internet is tacit approval for *everyone* to use that service?
> > Or is it only tascit approval if the service is not properly
> > secured?
>
> I think his point was that if you don't want people to be able to see
> the service (we're not even talking about logging in and using. Port
> scans don't log in and use services, they just detect them) then don't
> put the service up for the net to see. It's that simple. :)
>
> >
> > Assuming that my interpretation of your writing is correct,
> > you would support unsolicited bulk email. After all, you have
> > an email address and your mail server (or the firewall through
> > which it passes) has a public IP address, right? After all, I
> > got your email and I'm not on your private netweork.
>
> Actually, I'm not the original poster, but I'd have to say that
> unsolicited e-mail is just fine. I don't have a problem with people
> just sending me e-mail. What I have a problem with is people hacking
> into systems and converting them into SPAM relays.
>
> Unsolicited e-mail isn't the problem, system abuse is -- that's what
> makes filters fail and causes havoc.
>
>
> >
> > Same source, definition of access:
> >
> > 2 a : permission, liberty, or ability to enter, approach,
> > communicate with, or pass to and from b : freedom or ability to
> > obtain or make use of c : a way or means of access d : the act or
> > an instance of accessing
> >
> > It is clear from 2a and 2b that the intent of "access" is
> > "permitted access", not simply the physical limitation of
> > availability.
> >
>
> I don't think anyone's arguing that it's OK for someone to access a
> system without permission or liberty. The question is does being on the
> internet open you up to generalized detection and discovery traffic?
> I'd say yeah, it does. I'm not advocating that people just port scan
> everyone, and I do believe that most port scans are precursors to
attack...
>
> But, by the same token, my looking at someone funny COULD be a precursor
> to attack -- so, should we then consider people looking at others in a
> funny way an attack?
>
> I just happen to think that this whole argument is getting ridiculous.
> Are port scans questionable? Sure. Are there legitimate reasons to do
> them? Sure. Are they often precursors to attacks? Often, yes. Do the
> packets sent by them constitute legitimate IP traffic? Yes, unless
> they're malformed, which is a different issue entirely. Are they going
> away anytime soon? No.
>
> There, problem solved. :)
>
> -Barry
>
>
>
> --------------------------------------------------------------------------
-
> Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off
> any course! All of our class sizes are guaranteed to be 10 students or
less
> to facilitate one-on-one interaction with one of our expert instructors.
> Attend a course taught by an expert instructor with years of in-the-field
> pen testing experience in our state of the art hacking lab. Master the
skills
> of an Ethical Hacker to better assess the security of your organization.
> Visit us at:
> http://www.infosecinstitute.com/courses/ethical_hacking_training.html
> --------------------------------------------------------------------------

--
>
>
---------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off 
any course! All of our class sizes are guaranteed to be 10 students or less 
to facilitate one-on-one interaction with one of our expert instructors. 
Attend a course taught by an expert instructor with years of in-the-field 
pen testing experience in our state of the art hacking lab. Master the skills 
of an Ethical Hacker to better assess the security of your organization. 
Visit us at: 
http://www.infosecinstitute.com/courses/ethical_hacking_training.html
----------------------------------------------------------------------------

• Previous message: Aditya, ALD [Aditya Lalit Deshmukh]: "RE: Encryption on Laptops?"
• In reply to: Barry Fitzgerald: "Re: Yet another thread on the legality of port scanning"
• Next in thread: Shawn Jackson: "RE: Yet another thread on the legality of port scanning"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]