Security Basics mailing list archives
RE: FW: Legal? Road Runner proactive scanning.[Scanned]
From: "Shawn Jackson" <sjackson () horizonusa com>
Date: Fri, 19 Mar 2004 10:49:56 -0800
> I happen to scan houses all the time, I am trying to buy one. I also
> scan cars.
> However if I throw a rock at the house or car, I am no longer scanning,
> I am attacking.

I think we're a little off topic with analogies, I also think we have confused the less technical among us. First, we pretty much all agree that a portscan itself is not an attack, good. Now let's drill down some arguments so we can end this.

1.) Just because a port is open doesn't mean it's public

Then secure the port via software controls, ACLs, firewalls, etc. We all acknowledge that the Internet is not secure-by-default and it's a de facto standard to have firewalls or other security measures in place to protect your 'private' stuff. We also all acknowledge that the Internet is a public realm, this is not beyond reason. But you are all confusing services and ports. You want to protect the 'service' from being accessed, but the port is just the translation between the host system's TCP/IP stack and the underlying service, thread or process that is using that port. I can run telnet on any port I want, 80, 25, 110, etc. Port 80 doesn't automatically mean an httpd service, that's just the standard. What do we say when people get hacked? "Shoulda installed a firewall", well, don't want your system scanned....

2.) It's a privacy issue.

The port is just the host's implementation of the TCP stack. It's not indicative of the service that uses that port, thus accessing the port does not necessarily imply accessing the underlying service.

3.) They need to be an authorized user.

...Of the service that you are hosting. If you want to limit interaction with the TCP/IP stack itself you need to set up security to protect the stack, firewall etc. Also the whole 'reasonable man' stuff is a little off target. If you set up www.server.org, (WWW) implies website, you have just given authorization for people to access that site. Now if you want to restrict access you need to set up security and/or post your 'do not enter' message. You can't open up a shop on a busy street and keep the door unlocked and not expect people to come in, that's beyond reasonable.
Anyone who has worked for the USG will know they HAVE to post the normal disclaimer on ALL services that people can access. That is how you alert people using the service of the T&Cs.

4.) FTP is not a reasonable resource.

AND SMTP is, HTTP is? They are all members of the TCP stack, and are all there for use. I check if a site uses anon FTP if I'm going to be doing some heavy downloading, that's reasonable seeing as FTP is a (FILE transfer protocol).

5.) Port scanning is an attack.

Then protect yourself if you feel that way. Numerous programs that use dynamically assigned ports will conduct a limited portscan to find their service on the host system, that's not wrong. A portscan is a quick way of finding out what ports are open, not what services they run.

6.) It's illegal.

Show me common international law that states that portscanning is illegal. Trespassing or any other non-digital law may not apply. I've looked at all the cyber crime laws I could get my hands on, and they don't state that accessing another host's TCP stack is against the law. Even the USG won't trace people for that, it's just not a cause for concern. It is cause for concern when they start trying to hack your services, but a port sweep is below the radar. If you don't want people accessing your telnet service, add security and put up a message telling them that, same with all the other services.

7.) The End....

Now I still don't know how this thread started, but I can assume someone didn't like that their provider was portscanning their box. I'm sure it's well within the host's T&Cs and if you don't like it get a firewall. Personally I would want to see more providers taking care of what's on their network. If more providers took a proactive stance like this then the amount of spam, zombie DDoS systems, and hacked grannies would decrease. Face it, it's for the greater good.
If you can't take care of your own backyard, then someone will do it for you, usually by cutting your connection to the Internet. How's that for private.

....Off the soapbox back to work....

Shawn Jackson
Systems Administrator
Horizon USA
1190 Trademark Dr #107
Reno NV 89521
www.horizonusa.com
Email: sjackson () horizonusa com
Phone: (775) 858-2338
(800) 325-1199 x338
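Points 5 and 6 of the post above treat a port sweep as something that sits "below the radar" and note that some programs legitimately probe a handful of dynamically assigned ports to find their own service. From the defender's side, the practical question is how to tell a sweep apart from that kind of ordinary traffic in firewall logs. The following is an added example, not code from the original post or from any vendor product; it assumes a constructed, iptables-style log line format and uses constructed sample addresses and timestamps. It flags a source that hits many distinct ports on one host inside a short window, while a client reconnecting to a single port, or a program probing a few dynamic ports, stays under the threshold.

```python
"""Port-sweep detection over constructed firewall log lines.

Added example, not part of the original mailing-list post or any vendor
tool. It assumes a constructed, iptables-style line format:

    <epoch-seconds> SRC=<ip> DST=<ip> PROTO=TCP DPT=<port> SYN

A source is flagged as sweeping a host when it sends SYNs to at least
THRESHOLD distinct destination ports on that host within WINDOW seconds.
Repeated connections to one port, or a handful of ports probed by a
program locating its own dynamically assigned service, stay below the bar.
"""
import re
from collections import defaultdict, deque

THRESHOLD = 10   # distinct ports per (src, dst) before we call it a sweep
WINDOW = 60      # seconds of history kept per (src, dst)

LINE_RE = re.compile(
    r"^(?P<ts>\d+) SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) "
    r"PROTO=TCP DPT=(?P<dpt>\d+) SYN$"
)

# Constructed sample log (RFC 5737 documentation addresses, epoch ~ March 2004).
SAMPLE_LOG = (
    # 203.0.113.5 touches eleven different ports on 10.0.0.7 in five seconds.
    [f"{1079720000 + i // 2} SRC=203.0.113.5 DST=10.0.0.7 PROTO=TCP DPT={p} SYN"
     for i, p in enumerate([21, 22, 23, 25, 80, 110, 135, 139, 443, 445, 3389])]
    # 198.51.100.9 is an ordinary web client: twenty SYNs, all to port 80.
    + [f"{1079720000 + i} SRC=198.51.100.9 DST=10.0.0.7 PROTO=TCP DPT=80 SYN"
       for i in range(20)]
    # 192.0.2.77 probes four dynamic ports looking for its own service.
    + [f"{1079720030 + i} SRC=192.0.2.77 DST=10.0.0.7 PROTO=TCP DPT={49152 + i} SYN"
       for i in range(4)]
    + ["this line is not a firewall record"]
)


def parse_line(line):
    """Return (ts, src, dst, dpt) for a matching line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return int(m["ts"]), m["src"], m["dst"], int(m["dpt"])


def detect_port_sweeps(lines, threshold=THRESHOLD, window=WINDOW):
    """Map (src, dst) -> sorted list of ports for every pair that crossed threshold."""
    events = [e for e in (parse_line(l) for l in lines) if e is not None]
    events.sort()  # process in time order regardless of log interleaving
    history = defaultdict(deque)  # (src, dst) -> deque of (ts, port) inside window
    flagged = defaultdict(set)
    for ts, src, dst, dpt in events:
        q = history[(src, dst)]
        q.append((ts, dpt))
        while ts - q[0][0] > window:  # drop entries that fell out of the window
            q.popleft()
        ports = {p for _, p in q}
        if len(ports) >= threshold:
            flagged[(src, dst)].update(ports)
    return {k: sorted(v) for k, v in flagged.items()}


if __name__ == "__main__":
    for (src, dst), ports in detect_port_sweeps(SAMPLE_LOG).items():
        print(f"sweep: {src} -> {dst} ports {ports}")
```

Run against the constructed sample, only the eleven-port source is reported; the repeat web client and the four-port dynamic lookup are not. The threshold and window are the tuning knobs: lowering the threshold to 4 would also catch the dynamic-port probe, which is exactly the kind of false positive the post warns about, so a real deployment would pick values from observed baseline traffic rather than from the defaults here.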