Security Basics mailing list archives
Re: Yet another thread on the legality of port scanning
From: Charley Hamilton <chamilto () uci edu>
Date: Wed, 17 Mar 2004 10:39:34 -0800
> > Anybody who wishes to communicate to my resources can do so by normal means: web browser, email, etc.
>
> The normal means of communicating on the internet is via IP packets.
On that basis, electron transport is the standard method of information transfer on the internet. If I connect a power cord to your router's ethernet jack, is that okay? Obviously not.
> > All such services will be published where appropriate.
>
> There is no place to publish open ports, accepted protocols, and authorized users.
Authorized users are told they are authorized users. If you are not an authorized user, what difference does it make what protocols are accepted? You're not supposed to be using them. That's the definition of authorized. The same argument applies to open ports. Authorized users will be told that they are authorized. The "reasonable man" hypothesis applies to connecting to a system to which authorization is in doubt. Would a reasonable man conclude that http://www.cnn.com is an acceptable connection in the absence of explicit permission? I would say yes, he would. Would a reasonable man conclude that ftp://www.cnn.com is an acceptable connection in the absence of explicit permission? I would argue no, he would not. What's the difference? HTTP is generally accepted to be a public connection, in the sense that it is intended as a shared resource, to be accessible to all. FTP is not generally accepted as such, regardless of what electronic storefront happens to be offering the service. Similarly, www.foo.com is generally expected to be a public http server. Therefore, making an HTTP connection to that server is reasonable. accounts-payable.foo.com is *not* generally expected to be a public http server. Therefore, it is not reasonable to assume that it would be offering public http services. Any such services would reasonably be intended for authorized users only.
> > Simply providing one service does not give tacit approval for somebody to probe my resources.
>
> The act of plugging a device into a public [@1] IP address is your way of giving people permission to send packets to it.
I disagree strongly on this. I have a public street address. It is appropriate for a caller to knock on my door/ring my doorbell, because that is the "reasonable man" thing to do. It is not acceptable for the caller to come around the side of my house just because he sees my side door open. What makes an IP address any different from a physical address in terms of the "reasonable man" hypothesis? That is the typical legal test to which such arguments must be put.
> Anyone on the internet can send an IP packet to anyone else. That's kind of the whole point.
I disagree. The whole point of the internet is to permit effective communication of ideas, not random unsolicited contact between individuals. If I solicit contact by offering "reasonable man" permission for contact, then it is part of effective communication. If I do not, it is annoyance potentially rising to criminal action. If the packets sent to your computer are necessary as part of reasonable communication (e.g. a small network using NetBEUI could reasonably expect for everyone to get pounded with broadcast packets). However, specifically targeted packets are a different matter. If I specifically target you with an http connection, then it is reasonable to expect that *only* your machine (plus the pertinent intermediate hops) is getting those packets. If I am making an http connection attempt to your machine, it should be because I reasonably expect to have permission to make the connection.
> Search around for the hundreds of reincarnations of this thread. The analogies have been done to death. Keep private services off the net. Secure public services as needed.
*blink blink* I can't argue with the last sentence, but just what constitutes a "private" service by your definition? Something that is accessible only to someone from an internal net? Are you arguing that any service offered over the internet is tacit approval for *everyone* to use that service? Or is it only tacit approval if the service is not properly secured? Assuming that my interpretation of your writing is correct, you would support unsolicited bulk email. After all, you have an email address and your mail server (or the firewall through which it passes) has a public IP address, right? After all, I got your email and I'm not on your private network.
[@1] http://www.m-w.com/cgi-bin/dictionary?va=public
6a: accessible to or shared by all members of the community
Same source, definition of access:
2 a: permission, liberty, or ability to enter, approach, communicate with, or pass to and from
b: freedom or ability to obtain or make use of
c: a way or means of access
d: the act or an instance of accessing

It is clear from 2a and 2b that the intent of "access" is "permitted access", not simply the physical limitation of availability.

Just my $0.02, IANAL, etc.

Charley

--
Charles Hamilton, PhD EIT
Faculty Fellow
Department of Civil and Environmental Engineering
University of California, Irvine
Phone: 949.824.3752
FAX: 949.824.2117
Email: chamilto () uci edu