Re: Yet another thread on the legality of port scanning

From: Barry Fitzgerald (bkfsec_at_sdf.lonestar.org)
Date: 03/19/04

    Date: Fri, 19 Mar 2004 14:06:06 -0500
    To: Charley Hamilton <chamilto@uci.edu>
    
    

    Charley Hamilton wrote:

    > > Perhaps I'm not aware of it, but is there an "authorized
    > > user/service" database on the internet? I must have missed that.
    >
    > So portscanning is the generally accepted method of discovering what
    > services any given machine offers? And this is the way that everyone
    > should determine whether or not there is a service being offered to them?
    >
    No - I never said that it was the way that everyone should determine
    whether or not there is a service being offered. I said that there were
    valid reasons to do portscanning in a limited fashion. However, there
    is no place to declare your service public or private. If you believe
    there is a place where you can declare the services on your system as
    public, I'd like to know where it is.

    > I was under the impression that resources (not just 'net, in general)
    > were private unless declared public.

    Sure, unless you allow everyone to use services on your system, they are
    effectively private. By placing yourself on the network, you accept the
    responsibility of receiving/sending unsolicited traffic. That's the
    reality of networking. Nothing you or I can do will change that.

    If you want to block things, put up a firewall.

    Port scans just aren't specifically attacks. They aren't people looking
    into your system. They're not even people using your services. So,
    yes, unless you explicitly allow people to use a service on your system,
    then it might as well be public. The act of putting the system on the
    net and not taking the time to secure it is your statement that it may
    as well be public.

    > Has something drastically changed
    > since I was last taught about these matters? Authorized users of the
    > supercomputing center at UCSD are notified of their authority when they
    > successfully apply for an account there. The fact that some moron leaves
    > a port open accepting unencrypted telnet connections and otherwise
    > fails to properly secure the system is not an invitation for a visit.
    > Why would you be port scanning to see if the SCC offers unencrypted
    > telnet unless you are:
    >
    > - tasked by the SCC (or their security group) with identifying
    > vulnerabilities
    > - the university performing routine security screening
    > - an intruder seeking access
    >
    I'm sorry, I didn't know that we were talking about a specific case. It
    was my impression that we were speaking about the concept of the
    legality of port scanning in general and whether or not there may be a
    legitimate reason to port scan a system. My bad.

    > I get that a port scan is not an attack. I don't get why a generic user
    > should be portscanning. I get that it's possible, even that it's
    > probably legal short of explicit notice to the contrary.
    >

    Good. Then, why are you arguing with me the points that you are?

    >
    > The particular choice of FTP was a poor one. I agree that anonymous FTP
    > is quite common. However, how did you find out about the anonymous FTP
    > sites you use (e.g. kernel.org)? By portscanning for them? I was able to
    > find gnu's ftp site without a port scan. I looked at their "front
    > door" (website) and found out about it. It seems that if a service is
    > intended to be public, it will be *published*. How it is published is
    > up to the *owner*, not the self-declared potential user.

    Actually, believe it or not, I have port scanned a system to find out if
    it contained a service. I required an encrypted method of getting the
    file and it was not published. I had a username and a legitimate
    account on the system and the system was using that service on a
    non-standard port. I legitimately port scanned the system to find out
    if the service was available.

    And no - I didn't do this with kernel.org, but it has been done in the past.

    >
    > > Actually, I'm not the original poster, but I'd have to say that
    > > unsolicited e-mail is just fine. I don't have a problem with people
    > > just sending me e-mail. What I have a problem with is people hacking
    > > into systems and converting them into SPAM relays.
    >
    > So you support unsolicited bulk email as long as no hacking was committed
    > in generating it? Are you defining the act of hacking the system as
    > creating the difference between SPAM and acceptable unsolicited bulk
    > email? Different people, different opinions.

    Agreed. Different people, different opinions. The act of requiring all
    e-mail to be solicited would be devastating.

    >
    > I will grant unsolicited email is okay. However, unsolicited bulk
    > email is the electronic equivalent of unsolicited physical mail. It is
    > a drag on the mail system (physical or electronic).
    >
    Yep, and all the advertisements I get in my mail take up my time and
    space in my trash bin. Unfortunately, there's nothing I can do to stop
    that either.

    >
    > I certainly agree this discussion has drifted quite far
    > afield. I don't debate the potential for *legitimate* uses of
    > port scans. I just debate whether a legitimate use of
    > port scans as a means of generally profiling a box. Why do you
    > as a random stranger need to know what services a given box offers?
    >
    >
    Because sometimes there are legitimate services that use ephemeral ports
    to make their connections. I have seen software packages that scan for
    a particular port to see if its required service is running. Often,
    the service gains the port within a specific range (say, 10000-11000)
    and just scans in there. Said given box is expected of running that
    service, then the person needs to query for it. Sometimes there are
    other ways of publishing that service, like locator services, sometimes
    there aren't. I happen to think programs written like this are poorly
    written, but they do exist and their existence really isn't a threat.

                 -Barry
