nanog mailing list archives

Re: Scanning the Internet for Vulnerabilities


From: Carsten Bormann <cabo () tzi org>
Date: Mon, 20 Jun 2022 23:27:31 +0200

On 2022-06-20, at 23:02, Mel Beckman <mel () beckman org> wrote:

> Carsten,
>
> The discussion is not getting far afield: it’s on point. And it’s a hugely germane topic for network operators.
>
> Regarding your claim “You consented to receiving packets when connecting to the Internet“, I counter with what is in
> virtually every ISP’s AUP for customers: Unauthorized port scanning is expressly prohibited.

Of course they don’t want their customers to do that.
(They might find out that the ISP is cooking with water…)
I’m not your customer, though.

> I strongly suspect that this is probably also a violation of the U.S. Computer Abuse and Fraud Act, which
> criminalizes anyone who “Intentionally accesses a computer without authorization or exceeds authorized access, and
> thereby obtains … information from any protected computer.” A great many VA plug-ins attempt to — and often do —
> extract information they’re not authorized to.

You would think so, but then it turns out the CFAA is not actually being policed in the way you think it should be.

(The whole thing is a bit of a “soviet law” situation, where everyone is routinely doing things that could 
theoretically be criminalized, but aren’t, except when some thug is exceptionally interested in doing so and can thus 
abuse the law to exert unreasonable power over you.)

So CFAA is more a case of us logical people trying to interpret a law that clearly is not subject to applying logic.

In any case, I’d argue I’m concludently authorized by you having opened to my access that port I’m probing — the 
computer simply isn’t “protected”.

                .oOo.

I can understand very well that everyone here is allergic to the large-scale scanners (most of which are done in a 
spectacularly stupid way) that are loading our servers.  That problem is not being solved by banning well-thought-out 
academic research; you wouldn’t be able to note the difference if that stopped.

(Oh, and, as a service, our ISP scans our ports and looks for vulns, which is a good service so we don’t have to do 
this as much for systems set up by our students.)

Grüße, Carsten

