Re: Yet another thread on the legality of port scanning

["Murad Talukdar" <talukdar_m () subway com>]

Thanks guys! That was a great bit of friday afternoon entertainment for me
and thought provoking too.
Murad Talukdar


----- Original Message -----
From: "Barry Fitzgerald" <bkfsec () sdf lonestar org>
To: "Charley Hamilton" <chamilto () uci edu>
Cc: <security-basics () securityfocus com>
Sent: Friday, March 19, 2004 2:33 AM
Subject: Re: Yet another thread on the legality of port scanning


> Charley Hamilton wrote:
>
> > > The normal means of communicating on the internet is via IP
> > > packets.
> >
> >
> > On that basis, electron transport is the standard method of
> > information transfer on the internet.  If I connect a power cord
> > to your router's ethernet jack, is that okay?  Obviously not.
> These anologies don't work together.  The normal means of connecting an
> ethernet card to a network is not via a power cord.  The normal means of
> connecting to a server *IS* sending IP packets to that server and
> recieving them back.  Which port(s) the packets are sent to is
> irrelivent.  Whether the content is an attack or not depends on the
> content of the packets.  Just because some (very poorly designed)
> hardware/software can't survive a port scan, doesn't mean that port
> scans are attacks nor does it mean that they represent anomolous traffic.
>
> There are legitimate reasons for running a port scan on a computer in a
> limited fashion, such as service discovery.
>
>
> > Authorized users are told they are authorized users.
>
> Where?!?
>
> Perhaps I'm not aware of it, but is there an "authorized user/service"
> database on the internet?  I must have missed that.
>
>
> >   The "reasonable man"
> > hypothesis applies to connecting to a system to which authorization is
> > in doubt.
>
> The reasonable man hypothesis also dictates that a person would only
> reasonably leave a system exposed with a service running and without
> warnings if it weren't meant to be viewed.  If the content says
> "classified" or "you're not supposed to be here", or if the person knows
> they shouldn't be there - that's one thing.
>
>
> > Would a reasonable man conclude that http://www.cnn.com is an
> > acceptable connection in the absence of explicit permission?  I would
> > say yes, he would.  Would a reasonable man conclude that
> > ftp://www.cnn.com
> > is an acceptable connection in the absence of explicit permission?
> > I would argue no, he would not.
>
> I would argue that you're wrong.  Anonymous FTP is a very frequent
> occurrance on the internet and it's not unreasonable to expect that CNN
> might have an anonymous FTP site for content.  What, exactly, makes you
> think that it's an unreasonable service to use?
>
>
> > What's the difference?  HTTP is
> > generally accepted to be a public connection, in the sense that it
> > is intended as a shared resource, to be accessible to all.  FTP is
> > not generally accepted as such, regardless of what electronic storefront
> > happens to be offering the service.
>
> I don't know what universe you're in, but FTP is a public connection if
> it's configured that way.  HTTP is also a public connection if it's
> configured to be.  Both are also private connections if they're
> configured to be.  The key here is in configuration, not in the service.
>
> So, all these times I've been downloading things off of
> ftp://mirrors.kernel.org, I've been being unreasonable?  That's the
> first time I've ever heard anyone argue anything of the sort.
>
>
> > > The act of plugging a device into a public [@1] IP address
> > > is your way of giving people permission to send packets to
> > > it.
> >
> >
> > I disagree strongly on this.  I have a public street address.
> > It is appropriate for a caller to knock on my door/ring my
> > doorbell, because that is the "reasonable man" thing to do.
> > It is not acceptable for the caller to come around the side
> > of my house just because he sees my side door open.
> > What makes an IP address any different from a physical address
> > in terms of the "reasonable man" hypothesis?  That is the typical
> > legal test to which such arguments must be put.
>
> Because an IP address isn't a physical door and the internet isn't your
> street.  Everyone's talking about this as if the rules are the same, but
> they aren't.  Frankly, this argument is getting completely absurd.
>
> > > Anyone on the internet can send an IP packet to anyone else.
> > > That's kind of the whole point.
> >
> >
> > I disagree. The whole point of the internet is to permit
> > effective communication of ideas, not random unsolicited
> > contact between individuals.  If I solicit contact by offering
> > "reasonable man" permission for contact, then it is part of
> > effective communication.  If I do not, it is annoyance potentially
> > rising to criminal action.
>
> The whole point of the internet is whatever you can do with the
> networking technology within an ethical framework.  Internet traffic
> need not be solicited.  However, some would say that you solicit the
> reciept of non-disruptive generic TCP/IP traffic just by putting your
> computer on the internet.
>
> > *blink blink*  I can't argue with the last sentence, but
> > just what constitutes a "private" service by your definition?
>
> I, personally, would identify a private service as being one that you
> want no one or limited numbers of people to access.
>
> > Something that is accessible only to someone from an internal
> > net?  Are you arguing that any service offered over the
> > internet is tacit approval for *everyone* to use that service?
> > Or is it only tascit approval if the service is not properly
> > secured?
>
> I think his point was that if you don't want people to be able to see
> the service (we're not even talking about logging in and using.  Port
> scans don't log in and use services, they just detect them) then don't
> put the service up for the net to see.  It's that simple.  :)
>
> > Assuming that my interpretation of your writing is correct,
> > you would support unsolicited bulk email.  After all, you have
> > an email address and your mail server (or the firewall through
> > which it passes) has a public IP address, right?  After all, I
> > got your email and I'm not on your private netweork.
>
> Actually, I'm not the original poster, but I'd have to say that
> unsolicited e-mail is just fine.  I don't have a problem with people
> just sending me e-mail.  What I have a problem with is people hacking
> into systems and converting them into SPAM relays.
>
> Unsolicited e-mail isn't the problem, system abuse is -- that's what
> makes filters fail and causes havoc.
>
>
> > Same source, definition of access:
> >
> > 2 a : permission, liberty, or ability to enter, approach,
> > communicate with, or pass to and from b : freedom or ability to
> > obtain or make use of c : a way or means of access d : the act or
> > an instance of accessing
> >
> > It is clear from 2a and 2b that the intent of "access" is
> > "permitted access", not simply the physical limitation of
> > availability.
>
> I don't think anyone's arguing that it's OK for someone to access a
> system without permission or liberty.  The question is does being on the
> internet open you up to generalized detection and discovery traffic?
> I'd say yeah, it does.  I'm not advocating that people just port scan
> everyone, and I do believe that most port scans are precursors to
attack...
> But, by the same token, my looking at someone funny COULD be a precursor
> to attack -- so, should we then consider people looking at others in a
> funny way an attack?
>
> I just happen to think that this whole argument is getting ridiculous.
> Are port scans questionable?  Sure.  Are there legitimate reasons to do
> them?  Sure.  Are they often precursors to attacks?  Often, yes.  Do the
> packets sent by them constitute legitimate IP traffic?  Yes, unless
> they're malformed, which is a different issue entirely.  Are they going
> away anytime soon?  No.
>
> There, problem solved.  :)
>
>              -Barry
>
>
>
> --------------------------------------------------------------------------
-
> Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off
> any course! All of our class sizes are guaranteed to be 10 students or
less
> to facilitate one-on-one interaction with one of our expert instructors.
> Attend a course taught by an expert instructor with years of in-the-field
> pen testing experience in our state of the art hacking lab. Master the
skills
> of an Ethical Hacker to better assess the security of your organization.
> Visit us at:
> http://www.infosecinstitute.com/courses/ethical_hacking_training.html
> --------------------------------------------------------------------------
--
>



---------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off 
any course! All of our class sizes are guaranteed to be 10 students or less 
to facilitate one-on-one interaction with one of our expert instructors. 
Attend a course taught by an expert instructor with years of in-the-field 
pen testing experience in our state of the art hacking lab. Master the skills 
of an Ethical Hacker to better assess the security of your organization. 
Visit us at: 
http://www.infosecinstitute.com/courses/ethical_hacking_training.html
----------------------------------------------------------------------------