Security Basics mailing list archives

Re: Yet another thread on the legality of port scanning


From: Barry Fitzgerald <bkfsec () sdf lonestar org>
Date: Thu, 18 Mar 2004 11:33:58 -0500

Charley Hamilton wrote:
>> The normal means of communicating on the internet is via IP
>> packets.
>
> On that basis, electron transport is the standard method of
> information transfer on the internet.  If I connect a power cord
> to your router's ethernet jack, is that okay?  Obviously not.

These analogies don't work together. The normal means of connecting an ethernet card to a network is not via a power cord. The normal means of connecting to a server *IS* sending IP packets to that server and receiving them back. Which port(s) the packets are sent to is irrelevant. Whether the content is an attack or not depends on the content of the packets. Just because some (very poorly designed) hardware/software can't survive a port scan doesn't mean that port scans are attacks, nor does it mean that they represent anomalous traffic.

There are legitimate reasons for running a port scan on a computer in a limited fashion, such as service discovery.

> Authorized users are told they are authorized users.

Where?!?

Perhaps I'm not aware of it, but is there an "authorized user/service" database on the internet? I must have missed that.

> The "reasonable man"
> hypothesis applies to connecting to a system to which authorization is
> in doubt.

The reasonable man hypothesis also dictates that a person would only reasonably leave a system exposed with a service running and without warnings if it weren't meant to be viewed. If the content says "classified" or "you're not supposed to be here", or if the person knows they shouldn't be there - that's one thing.

> Would a reasonable man conclude that http://www.cnn.com is an acceptable
> connection in the absence of explicit permission? I would say yes, he
> would. Would a reasonable man conclude that ftp://www.cnn.com
> is an acceptable connection in the absence of explicit permission?
> I would argue no, he would not.

I would argue that you're wrong. Anonymous FTP is a very frequent occurrence on the internet and it's not unreasonable to expect that CNN might have an anonymous FTP site for content. What, exactly, makes you think that it's an unreasonable service to use?

> What's the difference?  HTTP is
> generally accepted to be a public connection, in the sense that it
> is intended as a shared resource, to be accessible to all.  FTP is
> not generally accepted as such, regardless of what electronic storefront
> happens to be offering the service.

I don't know what universe you're in, but FTP is a public connection if it's configured that way. HTTP is also a public connection if it's configured to be. Both are also private connections if they're configured to be. The key here is in configuration, not in the service.

So, all these times I've been downloading things off of ftp://mirrors.kernel.org, I've been being unreasonable? That's the first time I've ever heard anyone argue anything of the sort.

>> The act of plugging a device into a public [@1] IP address
>> is your way of giving people permission to send packets to
>> it.
>
> I disagree strongly on this.  I have a public street address.
> It is appropriate for a caller to knock on my door/ring my
> doorbell, because that is the "reasonable man" thing to do.
> It is not acceptable for the caller to come around the side
> of my house just because he sees my side door open.
> What makes an IP address any different from a physical address
> in terms of the "reasonable man" hypothesis?  That is the typical
> legal test to which such arguments must be put.

Because an IP address isn't a physical door and the internet isn't your street. Everyone's talking about this as if the rules are the same, but they aren't. Frankly, this argument is getting completely absurd.

>> Anyone on the internet can send an IP packet to anyone else.
>> That's kind of the whole point.
>
> I disagree. The whole point of the internet is to permit
> effective communication of ideas, not random unsolicited
> contact between individuals.  If I solicit contact by offering
> "reasonable man" permission for contact, then it is part of
> effective communication.  If I do not, it is annoyance potentially
> rising to criminal action.

The whole point of the internet is whatever you can do with the networking technology within an ethical framework. Internet traffic need not be solicited. However, some would say that you solicit the receipt of non-disruptive generic TCP/IP traffic just by putting your computer on the internet.

> *blink blink*  I can't argue with the last sentence, but
> just what constitutes a "private" service by your definition?

I, personally, would identify a private service as being one that you want no one or limited numbers of people to access.

> Something that is accessible only to someone from an internal
> net?  Are you arguing that any service offered over the
> internet is tacit approval for *everyone* to use that service?
> Or is it only tacit approval if the service is not properly
> secured?

I think his point was that if you don't want people to be able to see the service (we're not even talking about logging in and using. Port scans don't log in and use services, they just detect them) then don't put the service up for the net to see. It's that simple. :)

> Assuming that my interpretation of your writing is correct,
> you would support unsolicited bulk email.  After all, you have
> an email address and your mail server (or the firewall through
> which it passes) has a public IP address, right?  After all, I
> got your email and I'm not on your private network.

Actually, I'm not the original poster, but I'd have to say that unsolicited e-mail is just fine. I don't have a problem with people just sending me e-mail. What I have a problem with is people hacking into systems and converting them into SPAM relays.

Unsolicited e-mail isn't the problem, system abuse is -- that's what makes filters fail and causes havoc.

> Same source, definition of access:
>
> 2 a : permission, liberty, or ability to enter, approach,
> communicate with, or pass to and from b : freedom or ability to
> obtain or make use of c : a way or means of access d : the act or
> an instance of accessing
>
> It is clear from 2a and 2b that the intent of "access" is
> "permitted access", not simply the physical limitation of
> availability.


I don't think anyone's arguing that it's OK for someone to access a system without permission or liberty. The question is does being on the internet open you up to generalized detection and discovery traffic? I'd say yeah, it does. I'm not advocating that people just port scan everyone, and I do believe that most port scans are precursors to attack...

But, by the same token, my looking at someone funny COULD be a precursor to attack -- so, should we then consider people looking at others in a funny way an attack?

I just happen to think that this whole argument is getting ridiculous. Are port scans questionable? Sure. Are there legitimate reasons to do them? Sure. Are they often precursors to attacks? Often, yes. Do the packets sent by them constitute legitimate IP traffic? Yes, unless they're malformed, which is a different issue entirely. Are they going away anytime soon? No.

There, problem solved.  :)

            -Barry
