Security Basics mailing list archives

RE: Port scanning/illegalities


From: "Ramsdell, Scott" <sramsdell () stinsonmoheck com>
Date: Wed, 5 Apr 2006 22:56:32 -0500

Ansgar,
 
I accept that you have successfully replied to each challenge to your original premise, but I also believe in several 
cases you have assumed a rebuttal is a refutation, which it is not.
 
You write below "Again, there is no such violation, otherwise walking through a mall and
looking at the shops in it would be the exact same type of violation."
 
Additionally, in your rebuttal to my previous example you stated that each available port of an IP address is analogous 
to a separate shop.
 
I disagree with both of those assertions.
 
My IP address is mine, each and every port, and by extension all sockets you are able to perform a connect() to too.  
All possible sockets at my address are mine, not shops owned by different individuals.  Just because the sockets are 
available from the Internet does not in any way mean they are free to use.  A good analogy here would be that 
peeping-toms perform an illegal act.  Peeping-toms are those people who look in windows of private residences.  Port 
scans do not look *at* windows, they look *in* them.  You don't make a connect() to a port, you make a connect() to a 
socket.
 
Your analogy of walking through a mall being equivalent to being on the Internet indicates you are not grasping the 
point many of us are trying to make regarding what is "public" and what is "open to the public, yet private".  A mall 
is private, at least in the states.  You are already in the mall in your above example, so you have already been 
permitted to a private location, with the owner's consent, as you presumably entered through the front doors.  Go ahead 
and window shop.
 
You also stated earlier that accidentally breaking an item in a store is illegal.  This is not the case.  Purposefully 
breaking an item in a store is illegal.  It is either vandalism or malicious destruction of property.  Accidentally 
broken items are a risk the retailer takes, and writes off as a cost of doing business.  The distinction is intent.  I 
bring this up to exemplify the importance of intent.  The intent behind a port scan is what makes it legal or not.  Is 
your intent legitimate and benign when port scanning an IP address you have not been contracted to scan is the question 
we are debating.
 
You have also asserted that necessitating a reboot of a server may not constitute grievous harm (again, I'm 
paraphrasing) with regard to the EU law.  Port scans can cause some boxes to lock up and require a reboot.  Having to 
bounce a box is a big deal to management.  Sure, you and I would see this as trivial, but to management the cause is 
unknown and therefore induces uncertainty.  This uncertainty may cause management to require a rebuild, which costs 
money.  In any event, rebuild or not, the server was unavailable between the lockup and the reboot, which may be 
detrimental, certainly if the server was not redundant.
 
Back to your mall analogy, in the states a better analogy would be the street to the mall is public, but the mall 
itself is private.  (The Internet is the street ((although it's privately funded, we've skipped that in this thread)) 
and the mall is my IP ((which you've stated earlier is comprised of ports analogous to shops))).  I am assuming we both 
understand that a mall is an enclosed space for shopping in this case, rather than the other definition of "mall" which 
is a space for walking among distinct areas outside.  Outside versus inside is an obvious allusion to networks here.  A 
mall itself is financed by private individuals.  You would be arrested for performing reconnaissance ("casing", port 
scanning) if you rattled the doors of the stores in the mall from outside.  (Each store, of course, has a door leading 
outside for fire regulations.)
 
The point here is a distinction between what is public and what is private, and I think you are failing to make it.  
This is the interesting part of the thread to me, and the only reason I am asserting my opinions into this thread again.
 
I believe you have also made this same misstep with regard to properly differentiating between public and private when 
you quoted an EU law which stated something to the effect of, "public servers must allow access to the public".  (My 
verbiage is not even close to verbatim there.)  You stated that you could read the law, and therefore you could 
understand the law, and that the law meant you could port scan.
 
First, being able to read and understand the words and sentences that comprise a law in no way guarantees an 
understanding of the law itself and how that law is applied.  There's a subtlety there you can accept or debate.
 
The second point I'd like to make regarding the EU law is that I came to a different interpretation of it when I read 
it (as it was presented, I've not read the entire law, nor do I care to).  Rather than your interpretation which I'll 
liberally paraphrase as, "publicly accessible IP addresses are subject to free public usage", I understood the law to 
read, "public resources on the Internet must be robust and withstand likely public usage".  My interpretation was that 
government sites must (not may) be expected, and therefore designed, to withstand likely use and abuse.  I neither 
interpreted nor assumed any inference for a private company's publicly accessible IP address.  Cultural difference, 
perhaps?
 
The fact that a government would require robust public resources can be exemplified by the trash can in my local public 
park.  The trash can has been designed to withstand public use and abuse.  The trash can is made of thick steel so 
no-one can easily dent it.  The trash can has a non-publicly-removable lid so only appropriate items can be placed in 
it.  The trash can has a lock so no-one can steal the liner.  The trash can itself is contained within a cage so no-one 
can steal it.  Finally, the cage is cemented into the ground.  This amount of protection is necessary when a government 
offers public services because we all know what the public will do.  This is what I read into the law for EU government 
offered public resources over the Internet: make it robust because we all know someone will vandalize it or walk off 
with it if they can.
 
Again, I think we are debating the difference between "public" and "publicly available".  If the terms for IP addresses 
were "purchasable" and "private", I wonder if we would still be having this debate?  I would like to think so, 
otherwise we are just bantering semantics simply because we can "read" the word "public".
 
In the states, there is a very clear distinction between what is "public" and what is "private but publicly available". 
 Both are, however, termed "public", so simply reading the word wouldn't grant an understanding of the nuanced meanings.
 
The statement has been made that port scanning is a legitimate way to find a public FTP server.  I would google for 
one.  If you are port scanning to find an FTP server, you are scanning to find a place where dumping files is possible, 
not necessarily permissible.  Permission is not granted by the operating system allowing you to place your files on the 
server, rather permission is granted by the intent of the server owner.  If you choose to debate the word "permission" 
as it's been historically applied to file rights, and to suggest it equivocates to permission from the server owner, so 
be it.  You would be bantering semantics, and you would be wrong.
 
The excuse, "How did I know I wasn't allowed?" is not likely to hold up in court here in the states.  The question is 
whether or not a prudent man would do it too.  "Prudent man" is a legal term, not simply two words.
 
What has not yet been brought up in this thread is what really determines if an act is illegal or not.  In the states, 
it is fourteen strangers that will determine the legality of your actions.  One is a prosecutor who feels you did 
wrong, one is a judge who agrees to hear the case, the others are a jury of your peers.  I wonder, Ansgar, have you 
convinced your peers on this thread?
 
In any event, cheers from the states,
- Scott Ramsdell
 
 

________________________________

From: Ansgar -59cobalt- Wiechers [mailto:bugtraq () planetcobalt net]
Sent: Tue 4/4/2006 6:59 PM
To: security-basics () securityfocus com
Subject: Re: Port scanning/illegalities



On 2006-04-04 c.s.wright () unn ac uk wrote:
> Connecting to a range of ports and closing the connection is nothing
> like sending an email nor using a browser.

Being not like mail or web doesn't make something illegal.

> What makes the act illegal is a violation of property rights.

Again, there is no such violation, otherwise walking through a mall and
looking at the shops in it would be the exact same type of violation.

Regards
Ansgar Wiechers
--
"All vulnerabilities deserve a public fear period prior to patches
becoming available."
--Jason Coombs on Bugtraq

---------------------------------------------------------------------------
EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The Norwich University program offers unparalleled Infosec management
education and the case study affords you unmatched consulting experience.
Tailor your education to your own professional goals with degree
customizations including Emergency Management, Business Continuity Planning,
Computer Emergency Response Teams, and Digital Investigations.

http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------
 
 
This communication is from a law firm and may contain confidential and/or privileged information. If it has been sent 
to you in error, please contact the sender for instructions concerning return or destruction, and do not use or 
disclose the contents to others.
