Security Basics mailing list archives
Re: Port scanning/illegalities
From: Ansgar -59cobalt- Wiechers <bugtraq () planetcobalt net>
Date: Thu, 6 Apr 2006 09:49:18 +0200
On 2006-04-05 Ramsdell, Scott wrote:
You write below "Again, there is no such violation, otherwise walking through a mall and looking at the shops in it would be the exact same type of violation." Additionally, in your rebuttal to my previous example you stated that each available port of an IP address is analogous to a separate shop. I disagree with both of those assertions. My IP address is mine,
This assumption is wrong. A public IP address is assigned to you either temporarily by your provider, or fixed because you rented one (e.g. from the owner of a netblock) because you had a reason to have one. Besides, even if you really owned it, it wouldn't matter, because just like with your postal address anyone can walk up to that address and have a look (from the outside).
each and every port, and by extension all sockets you are able to perform a connect() to too. All possible sockets at my address are mine, not shops owned by different individuals.
You didn't get my point. It doesn't matter whether all of the shops are owned by different people or just one. The point is that every port is the front door to a separate shop.
Just because the sockets are available from the Internet does not in any way mean they are free to use.
This assumption is wrong, too, because unless you have established some sort of authentication they are of course free to use. Just like anyone can enter your shop through the front door and look around, take flyers with them or buy stuff.
A good analogy here would be that peeping-toms perform an illegal act. Peeping-toms are those people who look in windows of private residences. Port scans do not look *at* windows, they look *in* them.
This analogy doesn't fit at all, because portscans do by no means look *into* windows (that would be actually using the service bound to the socket) or even *at* windows at all. Portscans look at doors and show whether the door is open or closed.
You don't make a connect() to a port, you make a connect() to a socket.
A port that hasn't a socket bound to it is closed and thus nothing to worry about at all.
Your analogy of walking through a mall being equivalent to being on the Internet indicates you are not grasping the point many of us are trying to make regarding what is "public" and what is "open to the public, yet private". A mall is private, at least in the states. You are already in the mall in your above example, so you have already been permitted to a private location, with the owner's consent, as you presumably entered through the front doors. Go ahead and window shop.
This is the exact situation you have with a host on the Internet. By "public" I always meant "accessible by the public" or "open to the public". The host is - just like the mall or a shop in it - private property, but there is an implicit permission for the public to access it. My point has always been that there is no need for explicit permission to access a host.
You also stated earlier that accidentally breaking an item in a store is illegal. This is not the case. Purposefully breaking an item in a store is illegal.
That's wrong, at least with German law and I doubt that American or Australian law is that different in this respect. Accidentally breaking an item *is* illegal, otherwise you wouldn't be able to charge compensation (this is covered by civil laws). Purposefully breaking an item is *criminal* and covered by criminal laws. [...]
The distinction is intent.
Intent is what makes the latter criminal.
I bring this up to exemplify the importance of intent. The intent behind a port scan is what makes it legal or not.
I doubt that. A portscan in itself is AFAICS never illegal (as there is no law against it), unless it breaks something. Further actions may be, though. [...]
You have also asserted that necessitating a reboot of a server may not constitute grievous harm (again, I'm paraphrasing) with regard to the EU law. Port scans can cause some boxes to lockup and require a reboot. Having to bounce a box is a big deal to management. Sure, you and I would see this as trivial, but to management the cause is unknown and therefore induces uncertainty. This uncertainty may cause management to require a rebuild, which costs money. In any event, rebuild or not, the server was unavailable between the lockup and the reboot, which may be detrimental, certainly if the server was not redundant.
My point there was simply that the article of the cybercrime convention required *serious* hindering of the server operation to be applicable. Whether a single reboot qualifies as such depends on the very case. Costs are subject to civil law and have nothing to do with the cybercrime convention, neither do management issues. The convention is about criminal law, not civil law.
Back to your mall analogy, in the states a better analogy would be the street to the mall is public, but the mall itself is private. (The Internet is the street ((although it's privately funded, we've skipped that in this thread)) and the mall is my IP ((which you've stated earlier is comprised of ports analogous to shops))). I am assuming we both understand that a mall is an enclosed space for shopping in this case, rather than the other definition of "mall" which is a space for walking among distinct areas outside. Outside versus inside is an obvious allusion to networks here. A mall itself is financed by private individuals. You would be arrested for performing reconnaissance ("casing", port scanning) if you rattled the doors of the stores in the mall from outside. (Each store, of course, has a door leading outside for fire regulations.)
You misunderstood me. The mall (host) is of course private property, and so are the stores (ports). There is, however, an implicit permission for the public to enter the mall and also to enter the stores. A portscan is like looking which shops have open doors *inside* the mall. It is *not* like looking which shops have open fire escapes. [...]
I believe you have also made this same misstep with regard to properly differentiating between public and private when you quoted an EU law which stated something to the effect of, "public servers must allow access to the public".
I don't remember having said anything in this respect.
(My verbiage is not even close to verbatim there.) You stated that you could read the law, and therefore you could understand the law, and that the law meant you could port scan.
My statement that I could read the law was because Craig claimed that intent was not required for the articles 2 through 6 of the cybercrime convention to apply. This is plain wrong, because each of these articles EXPRESSLY states that intent is a REQUIRED precondition. No one needs law training to see that. [...]
The second point I'd like to make regarding the EU law is that I came to a different interpretation of it when I read it (as it was presented, I've not read the entire law, nor do I care to). Rather than your interpretation which I'll liberally paraphrase as, "publicly accessible IP addresses are subject to free public usage", I understood the law to read, "public resources on the Internet must be robust and withstand likely public usage". My interpretation was that government sites must (not may) be expected, and therefore designed, to withstand likely use and abuse. I neither interpreted nor assumed any inference for a private company's publicly accessible IP address. Cultural difference, perhaps?
No, I think your interpretation is quite correct, and I don't think I have ever claimed anything different. In fact, none of the European or German laws Craig cited were even remotely applicable in the matter discussed here. I tried to point that out several times. [...]
The statement has been made that port scanning is a legitimate way to find a public FTP server. I would google for one.
I probably would, too. However, Google is www and www is a different service than FTP. You won't necessarily find the FTP server you're looking for on the www. Portscanning is another way of finding an FTP server, and it is in no way less legal than using Google.
If you are port scanning to find an FTP server, you are scanning to find a place where dumping files is possible, not necessarily permissible.
Non sequitur. Besides, FTP allows GET as well as PUT.
Permission is not granted by the operating system allowing you to place your files on the server, rather permission is granted by the intent of the server owner.
This intent is expressed by the presence or absence of authentication mechanisms. [...]
What has not yet been brought up in this thread is what really determines if an act is illegal or not. In the states, it is fourteen strangers that will determine the legality of your actions. One is a prosecutor who feels you did wrong, one is a judge who agrees to hear the case, the others are a jury of your peers. I wonder, Ansgar, have you convinced your peers on this thread?
I don't need to, since I'm not a lawyer and this is not a court. I have tried to point out where and why I think Craig and others were wrong. What everyone makes of it is entirely up to them.
Regards
Ansgar Wiechers
--
"All vulnerabilities deserve a public fear period prior to patches becoming available."
--Jason Coombs on Bugtraq