Security Basics mailing list archives
RE: FW: Legal? Road Runner proactive scanning.[Scanned]
From: "Jef Feltman" <feltman () pacbell net>
Date: Thu, 18 Mar 2004 18:56:32 -0800
Yes, it is reasonable. You agree to allow others to send packets to your host as soon as you connect it to the internet. By this act you give permission to the world. The port they send to does not make a difference as far as legal or not. Attaching a host to the internet is like opening your business to the public. There is no other way to request info about services available from a host other than a port scan.

jef

-----Original Message-----
From: Charles Otstot [mailto:charles.otstot () ncmail net]
Sent: Tuesday, March 16, 2004 11:02 AM
To: Jef Feltman; security-basics () securityfocus com
Subject: Re: FW: Legal? Road Runner proactive scanning.[Scanned]

Jef Feltman wrote:
So if someone comes and knocks on your door at home you shoot them? Do you consider them a criminal? No, you lock the door and windows.
Jef, I think you are missing my position. It seems to me that this really wasn't a technical question, but rather a question of what a reasonable (as normally used in legal definitions) person would consider proper access. Such a person need not be technical; in fact, imposing a technical definition ignores the more practical concern of property and privacy rights. Knocking on *a* door may be an innocent act; knocking on *all* my doors and windows (or, as others have noted, testing to see whether they are locked) is a deliberately intrusive act. While it certainly doesn't merit shooting, I would, at the least, bar that person from knocking on my door again (absent a very good explanation of why they should not be prohibited from such).
If your host is on the internet I consider it public and knocking on the door to see if the shop is open, is not a problem. If you do not want people coming in the door lock it and give a key to those who need it.
I think you might have trouble convincing others that your actions do not pose a problem. Simply having a host on the Internet does not automatically mean that one has the right to see what might be *technically* available on that host as opposed to what the host's owners intended to be available. To refer to your analogy, the shop owner does not (in general) have the responsibility to lock the door and provide those who need access with a key. Rather, outsiders have the responsibility (both moral and legal) to stay out unless invited in.
Based on your statement, no website should be accessed by anyone other than an employee. Sending E-Mail would be a violation also, as the port must be checked to verify it can be opened to receive.
No, I stated that permission does not necessarily have to be explicit, only that ordinary concepts of reasonableness should dictate what is and isn't proper access. I specifically used the example of a publicly accessible website to illustrate that reasonableness would say accessing such a site would be considered appropriate. If, however, there is a link on the site that says "Employees Only" that is available (from a technical perspective), and a non-employee intentionally clicks on the link to see if he/she can access the page, a reasonable person (IMHO) would consider such access to be improper. As to email, access would be to a specific resource in response to a specific, proper request.
Port scanning is not an attack; it is a probe.
This is merely semantics. The implied *intention* is the important piece of the puzzle, not whether any harm is actually inflicted by this specific act.
I have scanned many machines that have tried to attack my machine trying to verify if it is an attack or the host has been compromised. Unless the attack is currently in progress, the host is almost always taken over by a hacker or virus. Scanning the host allows me to find ports open that prove the host has been attacked and taken over. Then I am able to inform the ISP or user of the problem. And not go after some innocent user.
I agree more with the poster who stated that this is not appropriate behavior. You have the right to identify who is scanning you, blocking the scan and then informing their ISP. Anything beyond that is the purview of their ISP, the system administrator and/or the proper legal authorities.
If a company runs a service on the internet they must place a lock on the door to keep out the unwanted. Otherwise it is open to the public. Remember there are private and public IP addresses. Public means anyone can access them freely unless they harm or steal from the host, just like the store on the corner.
This is simply wrong. The responsibility lies with the person accessing the resource. Personal responsibility and (Western) morality dictate that one should not go where one is not invited. Just because you *can* access something doesn't mean it is alright for you to do so. This is precisely where couching one's arguments in technical terms deflects from the more important (and very real) issues of right and wrong.
A port scan has never hurt any machine and never will. Only a poorly configured host will be hacked. Just as a poorly locked house will be broken into.
There is no such thing as an unhackable host, just as there is no such thing as a house which cannot be broken into. Remember, the perfect hack (like the perfect crime) has already occurred. The perpetrator was good enough that no one will ever know about it.
jef
Charlie

---------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off any course! All of our class sizes are guaranteed to be 10 students or less to facilitate one-on-one interaction with one of our expert instructors. Attend a course taught by an expert instructor with years of in-the-field pen testing experience in our state of the art hacking lab. Master the skills of an Ethical Hacker to better assess the security of your organization. Visit us at: http://www.infosecinstitute.com/courses/ethical_hacking_training.html
----------------------------------------------------------------------------