nanog mailing list archives

Re: Scanning the Internet for Vulnerabilities


From: Mel Beckman <mel () beckman org>
Date: Mon, 20 Jun 2022 21:02:47 +0000

Carsten,

The discussion is not getting far afield: it’s on point. And it’s a hugely germane topic for network operators. 

Regarding your claim “You consented to receiving packets when connecting to the Internet“, I counter with what is in 
virtually every ISP’s AUP for customers: Unauthorized port scanning is expressly prohibited. 

In fact, when I Google that precise phrase along with “Acceptable Use Policy” I get thousands of hits. 

I strongly suspect that this is probably also a violation of the U.S. Computer Abuse and Fraud Act, which criminalizes 
anyone who “Intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains … 
information from any protected computer.” A great many VA plug-ins attempt to — and often do — extract information 
they’re not authorized to. 

-mel

On Jun 20, 2022, at 1:11 PM, Carsten Bormann <cabo () tzi org> wrote:

On 2022-06-20, at 19:36, goemon--- via NANOG <nanog () nanog org> wrote:

On Mon, 20 Jun 2022, Carsten Bormann wrote:
On 2022-06-20, at 14:14, J. Hellenthal <jhellenthal () dataix net> wrote:
Yeah that's another thing, "research" cause you need to learn it let's have them do it too, multiply that by 
every university \o/
there was some actual research involved.

I agree that there should be a very good reason to expend a tiny bit of everyone’s resources on this.

I do not agree that this externality makes any research in this space unethical.

Consent is what makes it unethical.

You consented to receiving packets by connecting to the Internet.

Now there is a limit to that consent (e.g., when these packets have an actual material negative effect), and here we 
enter an area where all simple schematic approaches fail — you really have to think about outcomes instead of 
expounding fundamentalist stances.

You signed up for this when you joined the Internet (er, stuck with the IPv4 Internet, I should probably say).

"If you don't like the unsolicited email, just hit delete" ?

How about ... NO.

How about: It’s really hard to properly apply analogies.

Unsolicited email wastes people’s time, and actually a lot of that.
(Responsibly performed) packet probes waste machine time, and very little so.
(If you are wasting human time on packet probes, you are holding it wrong.)
Totally different outcome, and hence totally different ethics.

This “discussion” is getting a bit off-topic.

Grüße, Carsten
