Re: ICMP mapping, questioning legality!!

["Greg A. Woods" <woods () weird com>]

[ On Wednesday, September 13, 2000 at 16:22:15 (-0700), Ryan Russell wrote: ]
> Subject: Re: ICMP mapping, questioning legality!!
>
> lots of problems with laws like this, as you point out.  First one is
> "authorization".  I've got no way to know if I'm authorized to pull a web
> page from someone's web server.

Actually you do.  In systems security circles it is often argued that
anything which is not explicitly denied is implicitly permitted.

While this may not hold for stupid analogies such as not passing through
an unlocked door which has no explicit warning against trespass
(eg. your car door), it's pretty obvious when you consider what the
Internet is for and why people usually connect up to the Internet.

Wiggling door handles to see if they are locked is usually an indication
of suspicious activity, but any over-eager cop who issues anything more
than a stern verbal warning is likely to get just as big a reprimand
from the judge as the perpetrator does.  (And unless the kid's been
doing other suspicious things then I'd bet the case is almost certainly
going to be simply dismissed -- even the maximum fine won't pay the
costs incurred by the over-eager cop and both sides have to learn their
lesson....)

> The problem is, try and get the same people to undertand a SYN scan when
> you're a defendent, and you may be screwed.

On this basis of the above though people with legitimate needs to
discover what services some host do offer would probably best be advised
to use a full TCP conect() port scan rather than any kind of so-called
"stealth scan".

> There's a general expectation that if you put up a web server that people
> will use it, and that is authorized and expected.  Clearly, judging by the
> number of people in this forum who want to punish people who poke at them,
> various scans are neither authorized nor expected.

Common sense suggests that if you don't want your ports to be scanned
then don't connect it to the Internet.  Any other expectations about
what will or will not happen to a host connected to the net for *any*
purpose (even just as a client) are totally unfounded.

If you don't want anyone to even look funny at your computer then you
put it in a physically secure room and you post a guard (armed if
necessary) at the door.  The law only sets expectations for law abiding
people.  Those who don't abide by the law may seek loopholes in it in
order to reduce their risk, but in the end they will simply ignore the
law if their potential for gain exceeds their perception of the risk at
ataining that gain.

--
                                                        Greg A. Woods

+1 416 218-0098      VE3TCP      <gwoods () acm org>      <robohack!woods>
Planix, Inc. <woods () planix com>; Secrets of the Weird <woods () weird com>