Security Basics mailing list archives

Re: Yet another thread on the legality of port scanning


From: Charley Hamilton <chamilto () uci edu>
Date: Wed, 17 Mar 2004 10:39:34 -0800

>> Anybody who wishes to communicate to my resources can do so by normal
>> means: web browser, email, etc.


> The normal means of communicating on the internet is via IP
> packets.

On that basis, electron transport is the standard method of
information transfer on the internet.  If I connect a power cord
to your router's ethernet jack, is that okay?  Obviously not.

>> All such services will be published where appropriate.


> There is no place to publish open ports, accepted protocols,
> and authorized users.

Authorized users are told they are authorized users.  If you are not
an authorized user, what difference does it make what protocols are
accepted?  You're not supposed to be using them.  That's the definition
of authorized.  The same argument applies to open ports.  Authorized
users will be told that they are authorized.  The "reasonable man"
hypothesis applies to connecting to a system to which authorization is
in doubt.  Would a reasonable man conclude that http://www.cnn.com is
an acceptable connection in the absence of explicit permission?  I would
say yes, he would.  Would a reasonable man conclude that ftp://www.cnn.com
is an acceptable connection in the absence of explicit permission?
I would argue no, he would not.  What's the difference?  HTTP is
generally accepted to be a public connection, in the sense that it
is intended as a shared resource, to be accessible to all.  FTP is
not generally accepted as such, regardless of what electronic storefront
happens to be offering the service.  Similarly, www.foo.com is generally
expected to be a public http server.  Therefore, making an HTTP connection
to that server is reasonable.  accounts-payable.foo.com is *not* generally
expected to be a public http server.  Therefore, it is not reasonable to
assume that it would be offering public http services.  Any such services
would reasonably be intended for authorized users only.

>> Simply providing one service does not give tacit approval
>> for somebody to probe my resources.


> The act of plugging a device into a public [@1] IP address
> is your way of giving people permission to send packets to
> it.

I disagree strongly on this.  I have a public street address.
It is appropriate for a caller to knock on my door/ring my
doorbell, because that is the "reasonable man" thing to do.
It is not acceptable for the caller to come around the side
of my house just because he sees my side door open.
What makes an IP address any different from a physical address
in terms of the "reasonable man" hypothesis?  That is the typical
legal test to which such arguments must be put.

> Anyone on the internet can send an IP packet to anyone else.
> That's kind of the whole point.

I disagree. The whole point of the internet is to permit
effective communication of ideas, not random unsolicited
contact between individuals.  If I solicit contact by offering
"reasonable man" permission for contact, then it is part of
effective communication.  If I do not, it is annoyance potentially
rising to criminal action.

Packets sent to your computer may be necessary as part of
reasonable communication (e.g. a small network using NetBEUI
could reasonably expect for everyone to get pounded with broadcast
packets).  However, specifically targeted packets are a different
matter.  If I specifically target you with an http connection, then
it is reasonable to expect that *only* your machine (plus the pertinent
intermediate hops) is getting those packets.  If I am making an http
connection attempt to your machine, it should be because I reasonably
expect to have permission to make the connection.

> Search around for the hundreds of reincarnations of this
> thread.  The analogies have been done to death.  Keep
> private services off the net.  Secure public services as
> needed.

*blink blink*  I can't argue with the last sentence, but
just what constitutes a "private" service by your definition?
Something that is accessible only to someone from an internal
net?  Are you arguing that any service offered over the
internet is tacit approval for *everyone* to use that service?
Or is it only tacit approval if the service is not properly
secured?

Assuming that my interpretation of your writing is correct,
you would support unsolicited bulk email.  After all, you have
an email address and your mail server (or the firewall through
which it passes) has a public IP address, right?  After all, I
got your email and I'm not on your private network.

> [@1] http://www.m-w.com/cgi-bin/dictionary?va=public
>      6a accessible to or shared by all members of the community

Same source, definition of access:

2 a : permission, liberty, or ability to enter, approach,
communicate with, or pass to and from b : freedom or ability to
obtain or make use of c : a way or means of access d : the act or
an instance of accessing

It is clear from 2a and 2b that the intent of "access" is
"permitted access", not simply the physical limitation of
availability.

Just my $0.02, IANAL, etc

Charley

--
Charles Hamilton, PhD EIT               Faculty Fellow
Department of Civil and                 Phone: 949.824.3752
    Environmental Engineering           FAX:   949.824.2117
University of California, Irvine        Email: chamilto () uci edu





