RE: Yet another thread on the legality of port scanning

From: Robert M. Newton (rnewton_at_hcc.net)
Date: 04/05/04

    To: <security-basics@securityfocus.com>
    Date: Mon, 5 Apr 2004 07:11:40 -0400
    
    

    Consider this.

    When living out in the Northwest I loved just driving and exploring
    (scanning) roads for new places. I drove on the public roads which
    interconnected with many other roads, private and public. It didn't matter
    what road surface (protocol) I was driving on. Obviously a four-lane asphalt
    road was probably meant for public use, but sometimes I would find a great
    restaurant on a lake at the end of a small gravel road looking for business.
    I do not see signs that state "Public Road" or "This is a road, please use
    it" because it is usually assumed to be so unless there was some indication
    it is a private road, such as signs, gates, or security guards that restrict
    its usage. As it is with the property owner, I believe it is the
    responsibility of the server administrator to restrict the services of that
    server. If I ignore the "NO Access" or "Private Road" signs or circumvent
    the gates designed to keep me out, then I am the culprit and should be
    punished. My $.02 worth.

    Robert M. Newton
    IT Director

    -----Original Message-----
    From: Charley Hamilton [mailto:chamilto@uci.edu]
    Sent: Wednesday, March 17, 2004 1:40 PM
    To: security-basics@securityfocus.com
    Subject: Re: Yet another thread on the legality of port scanning

    > Anybody who wishes to communicate to my resources
    >> can do so by normal
    >> means: web browser, email, etc.
    >
    >
    > The normal means of communicating on the internet is via IP
    > packets.

    On that basis, electron transport is the standard method of
    information transfer on the internet. If I connect a power cord
    to your router's ethernet jack, is that okay? Obviously not.

    >> All such
    >> services will be published where
    >> appropriate.
    >
    >
    > There is no place to publish open ports, accepted protocols,
    > and authorized users.

    Authorized users are told they are authorized users. If you are not
    an authorized user, what difference does it make what protocols are
    accepted? You're not supposed to be using them. That's the definition
    of authorized. The same argument applies to open ports. Authorized
    users will be told that they are authorized. The "reasonable man"
    hypothesis applies to connecting to a system to which authorization is
    in doubt. Would a reasonable man conclude that http://www.cnn.com is an
    acceptable connection in the absence of explicit permission? I would
    say yes, he would. Would a reasonable man conclude that ftp://www.cnn.com
    is an acceptable connection in the absence of explicit permission?
    I would argue no, he would not. What's the difference? HTTP is
    generally accepted to be a public connection, in the sense that it
    is intended as a shared resource, to be accessible to all. FTP is
    not generally accepted as such, regardless of what electronic storefront
    happens to be offering the service. Similarly, www.foo.com is generally
    expected to be a public http server. Therefore, making an HTTP connection
    to that server is reasonable. accounts-payable.foo.com is *not* generally
    expected to be a public http server. Therefore, it is not reasonable to
    assume that it would be offering public http services. Any such services
    would reasonably be intended for authorized users only.

    >> Simply providing one service does
    >> not give tacit approval
    >> for somebody to probe my resources.
    >
    >
    > The act of plugging a device into a public [@1] IP address
    > is your way of giving people permission to send packets to
    > it.

    I disagree strongly on this. I have a public street address.
    It is appropriate for a caller to knock on my door/ring my
    doorbell, because that is the "reasonable man" thing to do.
    It is not acceptable for the caller to come around the side
    of my house just because he sees my side door open.
    What makes an IP address any different from a physical address
    in terms of the "reasonable man" hypothesis? That is the typical
    legal test to which such arguments must be put.

    > Anyone on the internet can send an IP packet to anyone else.
    > That's kind of the whole point.

    I disagree. The whole point of the internet is to permit
    effective communication of ideas, not random unsolicited
    contact between individuals. If I solicit contact by offering
    "reasonable man" permission for contact, then it is part of
    effective communication. If I do not, it is annoyance potentially
    rising to criminal action.

    Packets sent to your computer may be necessary as part of
    reasonable communication (e.g. a small network using NetBEUI
    could reasonably expect everyone to get pounded with broadcast
    packets). However, specifically targeted packets are a different
    matter. If I specifically target you with an http connection, then
    it is reasonable to expect that *only* your machine (plus the pertinent
    intermediate hops) is getting those packets. If I am making an http
    connection attempt to your machine, it should be because I reasonably
    expect to have permission to make the connection.

    > Search around for the hundreds of reincarnations of this
    > thread. The analogies have been done to death. Keep
    > private services off the net. Secure public services as
    > needed.

    *blink blink* I can't argue with the last sentence, but
    just what constitutes a "private" service by your definition?
    Something that is accessible only to someone from an internal
    net? Are you arguing that any service offered over the
    internet is tacit approval for *everyone* to use that service?
    Or is it only tacit approval if the service is not properly
    secured?

    Assuming that my interpretation of your writing is correct,
    you would support unsolicited bulk email. After all, you have
    an email address and your mail server (or the firewall through
    which it passes) has a public IP address, right? After all, I
    got your email and I'm not on your private network.

    > [@1] http://www.m-w.com/cgi-bin/dictionary?va=public
    > 6a accessible to or shared by all members of the
    > community

    Same source, definition of access:

    2 a : permission, liberty, or ability to enter, approach,
    communicate with, or pass to and from b : freedom or ability to
    obtain or make use of c : a way or means of access d : the act or
    an instance of accessing

    It is clear from 2a and 2b that the intent of "access" is
    "permitted access", not simply the physical limitation of
    availability.

    Just my $0.02, IANAL, etc

    Charley

    --
    Charles Hamilton, PhD EIT               Faculty Fellow
    Department of Civil and                 Phone: 949.824.3752
         Environmental Engineering           FAX:   949.824.2117
    University of California, Irvine        Email: chamilto@uci.edu
    ---------------------------------------------------------------------------
    Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off
    any course! All of our class sizes are guaranteed to be 10 students or less
    to facilitate one-on-one interaction with one of our expert instructors.
    Attend a course taught by an expert instructor with years of in-the-field
    pen testing experience in our state of the art hacking lab. Master the
    skills
    of an Ethical Hacker to better assess the security of your organization.
    Visit us at:
    http://www.infosecinstitute.com/courses/ethical_hacking_training.html
    ----------------------------------------------------------------------------
    
