Security Basics mailing list archives

Re: Port scanning/illegalities


From: Ansgar -59cobalt- Wiechers <bugtraq () planetcobalt net>
Date: Thu, 6 Apr 2006 09:49:18 +0200

On 2006-04-05 Ramsdell, Scott wrote:
> You write below "Again, there is no such violation, otherwise walking
> through a mall and looking at the shops in it would be the exact same
> type of violation."
>
> Additionally, in your rebuttal to my previous example you stated that
> each available port of an IP address is analogous to a separate shop.
>
> I disagree with both of those assertions.
>
> My IP address is mine,

This assumption is wrong. A public IP address is assigned to you either
temporarily by your provider, or fixed because you rented one (e.g. from the
owner of a netblock) because you had a reason to have one. Besides, even
if you really owned it, it wouldn't matter, because just like with your
postal address anyone can walk up to that address and have a look (from
the outside).

> each and every port, and by extension all sockets you are able to
> perform a connect() to too.  All possible sockets at my address are
> mine, not shops owned by different individuals.

You didn't get my point. It doesn't matter whether all of the shops are
owned by different people or just one. The point is that every port is
the front door to a separate shop.

> Just because the sockets are available from the Internet does not in
> any way mean they are free to use.

This assumption is wrong, too, because unless you have established some
sort of authentication they are of course free to use. Just like anyone
can enter your shop through the front door and look around, take flyers
with them or buy stuff.

> A good analogy here would be that peeping-toms perform an illegal act.
> Peeping-toms are those people who look in windows of private
> residences.  Port scans do not look *at* windows, they look *in* them.

This analogy doesn't fit at all, because portscans do by no means look
*into* windows (that would be actually using the service bound to the
socket) or even *at* windows at all. Portscans look at doors and show
whether the door is open or closed.

> You don't make a connect() to a port, you make a connect() to a
> socket.

A port that hasn't a socket bound to it is closed and thus nothing to
worry about at all.

> Your analogy of walking through a mall being equivalent to being on
> the Internet indicates you are not grasping the point many of us are
> trying to make regarding what is "public" and what is "open to the
> public, yet private".  A mall is private, at least in the States.  You
> are already in the mall in your above example, so you have already
> been permitted to a private location, with the owner's consent, as you
> presumably entered through the front doors.  Go ahead and window shop.

This is the exact situation you have with a host on the Internet. By
"public" I always meant "accessible by the public" or "open to the
public". The host is - just like the mall or a shop in it - private
property, but there is an implicit permission for the public to access
it. My point has always been that there is no need for explicit
permission to access a host.

> You also stated earlier that accidentally breaking an item in a store
> is illegal.  This is not the case.  Purposefully breaking an item in a
> store is illegal.

That's wrong, at least with German law and I doubt that American or
Australian law is that different in this respect. Accidentally breaking
an item *is* illegal, otherwise you wouldn't be able to charge
compensation (this is covered by civil laws). Purposefully breaking an
item is *criminal* and covered by criminal laws.

> [...]
> The distinction is intent.

Intent is what makes the latter criminal.

> I bring this up to exemplify the importance of intent.  The intent
> behind a port scan is what makes it legal or not.

I doubt that. A portscan in itself is AFAICS never illegal (as there is
no law against it), unless it breaks something. Further actions may be,
though.

> [...]
> You have also asserted that necessitating a reboot of a server may not
> constitute grievous harm (again, I'm paraphrasing) with regard to the
> EU law. Port scans can cause some boxes to lockup and require a
> reboot.  Having to bounce a box is a big deal to management.  Sure,
> you and I would see this as trivial, but to management the cause is
> unknown and therefore induces uncertainty.  This uncertainty may cause
> management to require a rebuild, which costs money.  In any event,
> rebuild or not, the server was unavailable between the lockup and the
> reboot, which may be detrimental, certainly if the server was not
> redundant.

My point there was simply that the article of the cybercrime convention
required *serious* hindering of the server operation to be applicable.
Whether a single reboot qualifies as such depends on the very case.
Costs are subject to civil law and have nothing to do with the cybercrime
convention, neither do management issues. The convention is about
criminal law, not civil law.

> Back to your mall analogy, in the States a better analogy would be the
> street to the mall is public, but the mall itself is private.  (The
> Internet is the street ((although it's privately funded, we've skipped
> that in this thread)) and the mall is my IP ((which you've stated
> earlier is comprised of ports analogous to shops))).  I am assuming we
> both understand that a mall is an enclosed space for shopping in this
> case, rather than the other definition of "mall" which is a space for
> walking among distinct areas outside.  Outside versus inside is an
> obvious allusion to networks here.  A mall itself is financed by
> private individuals.  You would be arrested for performing
> reconnaissance ("casing", port scanning) if you rattled the doors of
> the stores in the mall from outside.  (Each store, of course, has a
> door leading outside for fire regulations.)

You misunderstood me. The mall (host) is of course private property, and
so are the stores (ports). There is, however, an implicit permission for
the public to enter the mall and also to enter the stores. A portscan is
like looking which shops have open doors *inside* the mall. It is *not*
like looking which shops have open fire escapes.

> [...]
> I believe you have also made this same misstep with regard to properly
> differentiating between public and private when you quoted an EU law
> which stated something to the effect of, "public servers must allow
> access to the public".

I don't remember having said anything in this respect.

> (My verbiage is not even close to verbatim there.)  You stated that
> you could read the law, and therefore you could understand the law,
> and that the law meant you could port scan.

My statement that I could read the law was because Craig claimed that
intent was not required for the articles 2 through 6 of the cybercrime
convention to apply. This is plain wrong, because each of these articles
EXPRESSLY states that intent is a REQUIRED precondition. No one needs law
training to see that.

> [...]
> The second point I'd like to make regarding the EU law is that I came
> to a different interpretation of it when I read it (as it was
> presented, I've not read the entire law, nor do I care to).  Rather
> than your interpretation which I'll liberally paraphrase as, "publicly
> accessible IP addresses are subject to free public usage", I
> understood the law to read, "public resources on the Internet must be
> robust and withstand likely public usage".  My interpretation was that
> government sites must (not may) be expected, and therefore designed,
> to withstand likely use and abuse.  I neither interpreted nor assumed
> any inference for a private company's publicly accessible IP address.
> Cultural difference, perhaps?

No, I think your interpretation is quite correct, and I don't think I
have ever claimed anything different. In fact, none of the European or
German laws Craig cited were even remotely applicable in the matter
discussed here. I tried to point that out several times.

> [...]
> The statement has been made that port scanning is a legitimate way to
> find a public FTP server.  I would google for one.

I probably would, too. However, Google is www and www is a different
service than FTP. You won't necessarily find the FTP server you're
looking for on the www. Portscanning is another way of finding an FTP
server, and it is in no way less legal than using Google.

> If you are port scanning to find an FTP server, you are scanning to
> find a place where dumping files is possible, not necessarily
> permissible.

Non sequitur. Besides, FTP allows GET as well as PUT.

> Permission is not granted by the operating system allowing you to
> place your files on the server, rather permission is granted by the
> intent of the server owner.

This intent is expressed by the presence or absence of authentication
mechanisms.

> [...]
> What has not yet been brought up in this thread is what really
> determines if an act is illegal or not.  In the States, it is fourteen
> strangers that will determine the legality of your actions.  One is a
> prosecutor who feels you did wrong, one is a judge who agrees to hear
> the case, the others are a jury of your peers.  I wonder, Ansgar, have
> you convinced your peers on this thread?

I don't need to, since I'm not a lawyer and this is not a court. I have
tried to point out where and why I think Craig and others were wrong.
What everyone makes of it is entirely up to them.

Regards
Ansgar Wiechers
-- 
"All vulnerabilities deserve a public fear period prior to patches
becoming available."
--Jason Coombs on Bugtraq
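The technical claim underneath the door analogy above (a port scan only does a connect() and reports whether the door is open or closed; a port with no socket bound to it answers "closed"; the service behind an open port is never spoken to) can be shown in a few lines. The following is an added example written for this archive page, not code from the thread or from either poster. It assumes a plain TCP connect() scan against 127.0.0.1, spins up its own throwaway listener so it runs offline, and maps the three outcomes a practitioner cares about: the handshake completes (open), the kernel answers with RST, seen as ECONNREFUSED (closed), or nothing comes back before the timeout (filtered, which the loopback demo cannot produce but a firewall on a real target will).

```python
import socket
import threading
from contextlib import closing

# Added example (not from the mailing-list post): a minimal TCP connect() scan.
# It performs exactly the act the post describes: connect() to host:port and
# report whether the "door" is open, closed or filtered. No bytes are ever
# sent to the service behind an open port; the handshake is all that happens.


def scan_port(host: str, port: int, timeout: float = 1.0) -> str:
    """Return 'open', 'closed' or 'filtered' for host:port using connect()."""
    with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
        except ConnectionRefusedError:
            return "closed"      # RST came back: no socket is bound to the port
        except OSError:
            return "filtered"    # timeout / unreachable: nothing answered at all
        return "open"            # three-way handshake done; we say nothing else


def scan_ports(host: str, ports, timeout: float = 1.0) -> dict:
    """Scan several ports sequentially; returns {port: state}."""
    return {p: scan_port(host, p, timeout) for p in ports}


def start_listener(host: str = "127.0.0.1"):
    """Bind a throwaway listener on an ephemeral port (a 'shop with an open door').

    Returns (server_socket, port). The accept loop just closes each connection.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve():
        srv.settimeout(5.0)
        try:
            while True:
                conn, _ = srv.accept()
                conn.close()
        except OSError:          # timeout or srv.close() from the demo: stop
            pass

    threading.Thread(target=serve, daemon=True).start()
    return srv, port


def find_closed_port(host: str = "127.0.0.1") -> int:
    """Let the kernel pick a free ephemeral port, then release it again.

    Nothing is bound there afterwards, so connect() gets an RST ('closed').
    """
    with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as s:
        s.bind((host, 0))
        return s.getsockname()[1]


def demo() -> dict:
    """Scan one listening and one unbound loopback port; returns their states."""
    srv, open_port = start_listener()       # bound first, so the closed port differs
    closed_port = find_closed_port()
    try:
        results = scan_ports("127.0.0.1", [open_port, closed_port])
    finally:
        srv.close()
    return {"listening": results[open_port], "unbound": results[closed_port]}


if __name__ == "__main__":
    for label, state in demo().items():
        print(f"{label}: {state}")
```

Note that the scan never completes a second round trip: an open result means only that a socket was bound and listening, which is exactly the "door is open" observation the post talks about, not a use of whatever service sits behind it.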
