Security Basics mailing list archives

Re: FW: Legal? Road Runner proactive scanning.[Scanned]


From: Phil Brammer <security () wjjeep com>
Date: Thu, 18 Mar 2004 12:54:23 -0600

On Thu, Mar 18, 2004 at 06:46:26AM -0500, ~Kevin Davis³ wrote:
I have mail box out front for communication and a phone.  People can
call me.  But them attempting to find other ways into my house is
trespassing.  And such activity can indicate an attempt to break in
is forthcoming.

This analogy was born without legs. A portscan is a means of finding out
what services you are providing to the public. Nothing more. Nothing
less.

No, it's not.  It's a perfectly valid analogy.  While it is incumbent upon
an individual that they should know what windows they have unlocked or ports
they have open by a service to secure themselves, it does not mean that they
always will.

If their window is unlocked that doesn't mean that everyone who knows or
finds out that the window is unlocked is freely invited inside.  Especially
if the person who owns the house doesn't realize that the window is unlocked
at the time.  Similarly, if a port is open on a box, that doesn't mean
everyone is free to use it as they please.  Particularly if the person
doesn't realize that the port is even open.

Oh, stop.  A port scan doesn't test your locks.  

What I fail to see is, where does this analogy of testing the locks on your doors/windows come into play?  Comparing 
this to windows isn't exactly appropriate; I would argue that (for instance) if I found port 23 open on your machine 
via nmap the actual act of telnetting into your system would be testing your locks.

Maybe this would be a better analogy.  Stick a person in said window on the side of the house.  Walking up to this 
window, I hold up a sign that says: "Are you open?"  If the person in the window responds, "Yes!"  Then I respond with, 
"Thank you!"  This window would be considered OPEN in port scanning terms.  If the person responds with "No!" then said 
window would be considered closed.  If there is no person in the window, I won't even get a response, and will consider 
it closed.  This isn't *quite* accurate in TCP/IP speak because the OS will handle the RST of the SYN packet sent by 
the scanner if there is no service listening on the port.

Now, let's assume that the person in the window responded that it was open.  Okay, fine, so I decide to enter through 
the window (perhaps using a ladder, like Telnet).  I climb up to the window and ask again.  "Are you open?"  The person 
responds with, "Yes!"  So, I proceed to start the process of entering the window.  As soon as my foot touches the 
window sill, the person asks for the secret code word needed to enter.  "Bah!  I don't know that!"  At that point, the 
person decides to shut the window.

Do you see where this port scanning analogy fails when comparing to testing locks on your doors & windows? 

And, by the way, for a port to be open, there must be a service listening on it.  If that's the case and you are on a 
public IP address, then the public are allowed to connect.  Otherwise, this is when you'll want to implement your ACLs.

I'm not a TCP/IP guru by any means, but I'd hope everyone gets the gist of what I'm clucking.

Phil
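
The open/closed distinction discussed in the message above, shown at the socket level as an added example that is not part of the original post: a port answers "open" only while a service is listening on it, and otherwise the operating system itself refuses the connection with a RST. The names `probe` and `demo` are hypothetical, and the code only ever connects to 127.0.0.1.

```python
import socket

LOOPBACK = "127.0.0.1"  # assumption: the demo never talks to any other host


def probe(port, timeout=1.0):
    """Attempt one TCP connect to LOOPBACK:port and name the outcome."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((LOOPBACK, port))
        except ConnectionRefusedError:
            # The kernel answered the SYN with a RST: nothing is listening.
            return "closed"
        except socket.timeout:
            # No answer at all, e.g. a filter silently dropped the SYN.
            return "no response"
        # The three-way handshake completed: a service is listening.
        return "open"


def demo():
    """Walk one local port through bound-only, listening and closed states."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind((LOOPBACK, 0))      # port 0: let the kernel pick a free port
    port = listener.getsockname()[1]

    bound_only = probe(port)          # bound but not listening yet

    listener.listen(1)
    listening = probe(port)           # a service is now listening

    listener.close()
    after_close = probe(port)         # the service has gone away again

    return bound_only, listening, after_close


if __name__ == "__main__":
    for state, result in zip(("bound only", "listening", "after close"), demo()):
        print(f"{state:12s} -> {result}")
```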
