Security Incidents mailing list archives

Scanning. Is it a consumer right?


From: prestone () BULLDOG GEORGETOWN EDU (ethan preston)
Date: Tue, 2 May 2000 22:12:11 -0400


Security is a two-way street and I think the issue of scanning brings
that to the forefront. Our own security (which should be something like
a natural right in computer science) is threatened by the insecurity of
others. If no other machines were ever compromised, crackers would be
less able to disguise their origin in a meaningful way. Therefore we
would be able to focus on tracking crackers down and deterring them,
rather than playing catch-up on plugging the hole in our system that we
haven't found yet.

So you have an interest in keeping others' servers secure. IANAL, but
I'm about a year out from graduation. (This isn't legal advice, you have
not formed a client-attorney relationship, blah, blah, blah.) The idea
that third-party servers that are negligent in securing their system
should be liable (in order to provide incentive to make people take
reasonable steps to secure their system) has been much discussed in
legal circles.

It seems to me that, if the legal system has given us an interest in
third-party security, consumers should have a corresponding right to
ensure that they are not ensuring their credit card number to a server
that has a three-year old vulnerability (that's been patched for almost
as long) in their implementation of Front Page and has 3y3oWnj00 as a
user in their NetBIOS register. The consumer can find this out from a
scan by Nessus, but I think a lot of us would think that a full Nessus
scan crosses the line between mere OS fingerprinting and into invasive
scanning.

We all depend, to some degree, on third party security. Consumers may
place their privacy and their credit card numbers in the hands of
servers that can be negligent. If we decide consumers SHOULDN'T have a
right to scan, then their only recourse is legal. (Which is great for me
and every other lawyer, but would be an overall loss to society, I
think.) Allowing consumers to scan reduces the transaction costs of poor
security; if you have poor security, consumers know it and stay away
from you, rather than trusting you and having to buy lawyers when you
are r00ted seven months later.

Obviously, one way around this is to let consumers request permission to
scan, but somehow I don't think this is going to be a real solution. If
faced with such a request, I wonder how many of you would agree to be
scanned? It's a matter of trust, because who's to say that the consumer
isn't a cracker (or won't become one)?

----- Original Message -----
From: Russell Fulton <r.fulton () AUCKLAND AC NZ>
Date: Monday, May 1, 2000 2:35 pm
Subject: Re: Scanning. Is it dangerous?

On Sat, 29 Apr 2000 17:12:54 +0200 Sarunas Krivickas
<KrivickasS () PASTAS KAM LT> wrote:

Let's go to discuss a little bit about the subject!
My question is how the recognized simple scanning is described in your
IT security policy and why scanning is so dangerous for you?


Our security policy includes scanning under the heading of "security
experiments" and our users are forbidden to perform such experiments
with the exception of Systems and Network Administrators testing their
own security.  If they want to do this from off campus they need my
(Security Officer's) permission otherwise they will likely lose their
ISP account ;-)

We report all inbound scans (providing we can find someone to report
them to without too much trouble).  Inbound scans are not dangerous in
themselves, however the information obtained from scanning may well be
-- why else do crackers do it?

There are two main reasons we report scans:
1/ most come from machines that have already been compromised.  I
believe it behoves us as good net citizens to warn the owners of
systems that have been compromised that they have problems.  It may be
me next time.

2/ Scans originating from dial-up servers at ISPs are likely to be
naive script kiddies.  A warning from an ISP to the kid's parents may
well save him/her from getting into more serious trouble later.

We also see quite a few scans from local ISPs, these I pursue fairly
vigorously.  My guess is that most of these scans are initiated by our
own students from home (they do tend to focus on the machines that
supply student services and control their access to the net ;-)
I want to get the message to our students that if they muck with our
systems then they will get caught and will be dealt with.

My personal belief is that ISPs should have a 3 tier warning system:
1/ First complaint gets an email notice.
2/ Second gets a phone call to the person in whose name the account is
  held warning them that any more complaints will result in
  cancellation of the account.
3/ Third the account is cancelled.

Unfortunately ISPs have to be very careful in this process because it
is very easy to lay false complaints and very difficult for an ISP to
detect that they are in fact false.

Cheers, Russell.
