Judge Says Port Scanning Is Legal

cvbear0 writes: "SecurityFocus has an article explaining a ruling from a U.S. district court ruling in Georgia about port scanning. The judge ruled that that port scanning tools neither "impair the integrity nor availability of the network." Both parties agreed not to appeal the judge's ruling."

Honeynet project

[wiredog]

Trying to submit this, but the slashdot server keeps barfing out error messages:

The HoneyNet Project, a network of honeypots!

The Honeynet project is a group of 30 security professionals dedicated to learning the tools, tactics, and motives of the blackhat community and sharing those lessons learned.

ZDnet report

Nice Wording

[max99ted]

If someone came by in the middle of the night to check my knob...

Do I need to elaborate?

Re:The legal system still doesn't get it...

[bfree]

If you connect your computer by to the Internet and it is assigned an IP address, then it is potentially offering an infinite (or is it 65536 or ....) number of ports to the public internet. Each and every port you connect to the internet becomes part of the shared public network, just as you assume that people who you have never met, dealt with or heard of will route your packets you are offering these connected ports. If someone port scans your computer, they are portscanning a public IP address (or else you are behind a firewall and should be asking questions of the provider). TCP/IP does not (that I know of) provide a DNS like system to say which ports are useful on each IP so using a port-scanner is the only way to find out what you are usefully offering. How am I meant to know what services you are providing on your public part of the public internet (lets make a public and private net addressing system to say that your system is different if you don't accept this)?

bad analogies.

[ruin]

Port scanning is not like walking by someone's house and looking at the windows. Port scanning is not like testing all the doors on someone's house for an unlocked one. Port scanning is not like wandering through someone's house poking at their stuff. Port scanning is like... sending a request to commonly used ports of a computer to see what software is replying.

Simply choosing whatever real-world analogy best supports the position of port scanning is good/bad is a faulty argument. Why not discuss the topic in terms of the actual result of the actual action we are talking about? Port scanning does no real harm right off the bat. On the other hand, it is impolite to do, because now the admins of the box you scanned have to worry about what your intentions are. So going around portscanning strangers just for fun is kind of a bad thing, but not so bad that no one should ever use such a piece of software, especially since it is so educational.

And that's my take. Sure, if I put on my security admin hat, I don't want anyone ever doing any port scanning, because it makes my job a lot easier: anyone scanning my box is an enemy. On the other hand, if I put on my student hat, how am I ever going to learn things if the most educational tools are seen as dangerous and disallowed?

-- "Just the superficial sort of [analogy] someone grounded too far in 'reality' would think up. TURN UP THE FEED, YOU WIGGLY MEAT THINGS! THIS IS THE NET! NOTHING'S REAL!" --Rache Bartmoss

--

Intelligence Finally.

[--delphi--]

Finally we see a little intelligence from our court systems. I mean, I do not do any sort of cracking, but I love to know what people are doing with their boxes. I have port scanned many of the servers around my university just to see what they're running. Port scanning does not hurt the network at all, it just throws a few packets at each port trying to establish a connection and then moves on. When can we schedule this judge to hear the decss case??

Re:Intelligence Finally.

[ethereal]

No, but on the other hand if you're "in public", there's a certain understanding that people will see you, and they may even talk to you or bump into you on the street. None of those things constitute criminal actions.

Likewise, if you're hooked up to the public network, you can expect to sometimes get packets from other machines. If you don't like the packets, drop them on the floor. If you don't want to waste time doing so, get a firewall (public street example: a Popemobile) and let the firewall drop unwanted packets on the floor.

There's a difference between attacking your machine, and just port scanning it. I could see allowing prosecution for sending you a virus, or trying to crack one of the services you're running, but a port scan is not the same thing. I don't think you can really complain until your computing resources have actually been misappropriated. If you've just been port scanned (and not flooded) then that hasn't happened yet.

Re:Intelligence Finally.

[Chris+Burke]

And while you're at it, rattling all the doors and windows to see if everything's locked. Oh yeah - and let's not forget to check those common hiding places for a spare key. You use a Schlage lock? Cool - I've got a Schlage master key.

This would be a little more than just a port scan. There's a big difference between seeing if you have Telnet open and trying to brute-force some user accounts. As you say:

Mostly harmless, but some real jerks in there.

You need to be paying attention to the jerks, then, not having a fit whenever a packet hits your server. You're on the net -- it's fine to be mad when someone tries to get into your house, but not when they look at your house as they drive by.

Re:Intelligence Finally.

[osgeek]

Yeah, let me know when I can wonder around your house or apartment looking at stuff.

I won't hurt anything or take anything, I'll just poke around - I love to know what people are doing. Having sex with your SO? Don't mind me, I was just looking.

Re:Intelligence Finally.

[Alex+Pennace]

Yeah, let me know when I can wonder around your house or apartment looking at stuff.

More like wandering by your house and counting the number of windows it has.

Re:Intelligence Finally.

[glitch_]

I'm sorry, but why on gods good earth would have ports open, if you don't want people to use them. I'm sorry, but going with the doors and windows analogy, it is like having a door open, with a welcome sign on it, flashing, and then bitching when someone walks in.

Re:Intelligence Finally.

[Jawbox]

That analogy works for me. It isn't against the law to look at windows, determine their type and make estimates of their security. It enables you to do things like say, "Wow those are gee-golly neat windows I should get some of those for my house." or "What an idiot, I can't believe that house only is using the XJy9 style of windows, my 10 year old could break into their house and rob them blind."

None of this is a crime! And a homeowner that watches someone scanning their windows can't sue for damages because they suddenly realize that the security of their windows stinks either. All this ruling does is apply some real world sense to a computer security case.

Now the earlier post about walking around inside your apartment and looking at all the cool stuff is a false analogy in my eyes. To me that is the equivalent of breaking into a system(or being invited in depending on circumstances) and scanning the filesystem.

Re:Intelligence Finally.

[drsoran]

I don't know about the portscans you see, but the portscans I see are more analogous to someone walking up to your back door in the middle of the night and jiggling the knob to see if it's open. I personally don't care less what your intentions are in the dead of night jiggling my door handle, I'm going to shoot you first and ask questions later. Don't do it.

Re:Intelligence Finally.

[cprael]

More like finding a house and going to take a look at it. I just want to find a little bit about it. How it was constructed. Are they using brick or stone, gravel driveway or paved, fence or no fence. Same analogy, are they using linux or bsd(or whatever), webserver or no webserver, ssh or not...

And while you're at it, rattling all the doors and windows to see if everything's locked. Oh yeah - and let's not forget to check those common hiding places for a spare key. You use a Schlage lock? Cool - I've got a Schlage master key.

You may think that this is stupid, but as I said in the post above, I'm just interested in what theyre running. I said in my post above that I sometimes scan on my university network. Here's two examples where port scanning has either benefited me or someone else.

No, it isn't stupid. It's blind. You are (deliberately?) ignoring the malicious uses of portscanning, which far outweigh the useful ones simply in magnitude of effect.

Example: In the past 11 days, I've had 30 unique machines scan my laptop (at home). Of that count, 1 was a telnet connect attempt, 5 were TCP port probes, 3 were OS fingerprints, 2 were attempts to connect to the SubSeven trojan horse, one was an attempt by a known remailer to connect to a mailserver I run on another box so he can use me as a relay point, 6 were RPC connect attempts, 1 proxy port probe, 2 PCAnywhere connect attempts, 8 people tried to connect to a non-existent FTP server, and 3 people tried to connect to a non-existent DNS server. Mostly harmless, but some real jerks in there. And that's in an 11 day window.

As you might guess, I don't like deliberate portscanners. My network is MY NETWORK. It's here for my convenience, not yours, and I don't particularly appreciate you poking around on my boxes.

Re:Intelligence Finally.

[brokeninside]

bugg:

I don't know about you, but if I some guy I don't know (and didn't give permission to) walking around my house with a clipboard inspecting the windows, I'm calling the police.

I am not a lawyer, but from what little reading of law I've done, in the US in most jurisdictions, the police problably wouldn't even come out to investigate. Only in situations where "No Trespassing" signs are clearly posted or in situations where you have personally informed an individual that you do not want them on your property would the police even care that someone was looking at your windows.

[I suppose there would be a few other exceptional circumstance such as the property owner having some sort of injunction against the individual doing the inspection or in the case of the person doing the inspection doing it in a manner that attempts to conceal their identity.]

Connecting a computer to the internet is really more akin to parking an automobile on a public street. It is not illegal (or even necessarily immoral) to examine such a car up close. It is, however, illegal and/or immoral to use the information obtained from such an examination in certain circumstances (such as to pick the lock or hotwire the vehicle). There are also many circumstances where the informatin comes in helpful. For example, if I see a car with he headlights left on, I will almost always check to see if the door is locked and if it isn't I will turn off the headlights. You can sue me for doing that to your car if you please, but you will lose the suit and you will be laughed out of court by virtually any judge.

have a day,

-l

The Judge..

[seanmeister]

Gotta love the judge's name 'Thomas Thrash' - clearly, his h0n0r is a l33t h4x0r.
Sean

No it's not the equivalent...

[Oestergaard]

I've heard that analogy before, and *plo ease* stop it. No it is not the same as trying if someone forgot to lock their door - that would be the actual exploit, if anything...

When is a port scan a port scan ? If I scan one port ? two ? ten ? If I connect to a machine on port 80, I expect to get the web-server - but it is a one-port "scan" as well. Is that leagal ? What if I follow a link from somewhere that points to http://yourhost.com:81/, but you never had a web server running at port 81 ? Am I a burgler ?

Give up the ghost-hunting, and let's focus on the real issues... If you log a port scan, you're wise to keep an eye on that IP. But nothing happened yet, and maybe nothing will.

If I walk by your house looking at your front door, maybe you'll be wise to keep an eye out for me next time. But if you come after me on those grounds alone, the law is on my side.

It is wise to use logged port-scans to focus your detective work, but attempting to act on them alone is ridiculous. It is very simply *just*not*good*enough*.

backwards

[www.sorehands.com]

You have it backwards! Mattel/MSI/TLC violated the law (FMLA/ADA, etc)and paid a judgment for their violation.

Mattel continued with a baseless libel lawsuit, even though their own attorney admitted that I believed what I published. When a judge asked them what was libelous, Mattel moved to dismiss. Mattel is the one who tried to shake me down, Mattel tried to shake down others. Mattel has over 130 cases in only one of Federal courts; Mattel has 10 pages of cases (1 line per case) in the LA superior court. Are you saying my lawsuit against Mattel is abusing the courts more than Mattel abuses the court?

Why don't you check the facts before you jump to conclusions.

Re:Not law!

[Mignon]

If you try repeated times on the same system ... it will be ruled against you.

Ah, the "three pings and you're out" approach.

Re:I'm not too sure on this ruling

[Flounder]

I think the weakness itself impairs the integrity of the network, and the taking down of the network to be a crime. The use of the port scanner itself doesn't impair the network.

Does possesion of a tool capable for use in a crime make that possession a crime? Of course not. But, if you walk into a bank with a loaded gun and a ski mask, or if you are caught sneaking around people's houses with a crowbar, I think the police will certainly take a suspicious look at you. Same with repeated and targeted port scanning.

We're treading onto some very thin ice with this subject. I personally use port scanners all the time. But if anybody else on my network is caught using one, then I'm gonna get very suspicious.

Re:The legal system still doesn't get it...

[Shotgun]

Port scanning a system is directly analogous to trying the locks on someones home.
It is not free speech, it's a violation of property rights.
You do not have the right to use anyone elses computer hardware for any purpose without permission.

Yes, but you do have the right to walk down the street and peer into windows. You have the right to walk up to their door and even try the lock. You can even carry a crowbar while doing it if you wish. The police don't have anything against you until you enter the premises and leave with something. If you just enter and leave, they still don't have anything on you unless there were no tresspassing signs up. There are 'breaking and entering violations', but no 'entering' violations that I know of.

If a policeman notices you acting suspiciously and want to catch you (as opposed to just stopping you), he will watch you and catch you with the good after you left the premises. Notice, that store security doesn't stop shoplifters until after they've left the store. Until they cross the threshold, they are not shoplifting. They may have the intent, but they haven't yet committed the crime.

Servers on the public network are like window displays. You can't set up a server for everyone to see and then sue people for looking at it, just like you can't sue people for crossing your yard and looking in the window.

Course, I did hear of one case where a man looks through a window from the street and sees a woman dressing. She sues him for being a peeping tom, and he countered sued her for public exposure. They both won...

The contractor was in the wrong and deserved to be fired. If he had recieved permission to scan the network, it would have been another matter entirely, but acting on his own was wrong and should have been illegal.

The man was installing a network component. Are security tests not to be included as part of a system test? If the network was later successfully attacked and it was disclosed that the installation contractor hadn't done the barest minimum security checks, wouln't he be held liable for negligence? In my view, not only were his actions ethical, they were prudent.

Re:Security-firms

[Malc]

My ISPs newsgroup (sympatico.highspeed) is full of people whining about hack attempts. I get the impression that this is the tip of the iceberg and that there are a lot of people living in fear, and also many more who report them to the ISP (wasting their resources). I would suggest that most of the time these are just false alarms and caused by the background noise of the internet.

How often have you typed an IP address incorrectly? My office uses public IP addresses internally. Thie means that if the VPN isn't connected, my Netbios, Visual Source Safe, SQL Server Enterprise Manager, etc, are all attempting to make connections to machines on the internet. All harmless, but will trigger warnings from many people's firewall software.

These companies producing this firewall software base their marketting on people's fear of the unknown, and in fact increase their fear of being hacked. Just the other day somebody was whining on the newsgroup about a connection attempt on port 7 (ping). He thought he was being hacked and wanted to know where he should report it.

Just to clarify

[Alien54]

Just to clarify the issue slightly:

While VC3 acknowledged that Moulton's port scan did no direct harm, the company argued that the time spent investigating the event was a form of damage. "If somebody does some type of attack, and you are a good service provider, you spend all your time verifying that it did not cause a significant problem," says Hogue. "The time that it takes to do all that searching is the damage that we were claiming."

But it pays to know that while they lost on this particular point, harrassing someone by multiple ports scans probably is not a good idea.

Not Likely to Reduce Investigations

[mellifluous]

It doesn't seem like this will deter many companies from investigating port scans -- it just means that they can't claim damages for the scan itself. But it is a good decision, and I hope Moulton wins the counter suit against VC3.

Admins and their managers are going to have to face up to the fact that if they want to maintain a secure system, they'll have to be vigillant and won't be able to sue everyone for their time.

Not law!

[www.sorehands.com]

Since this case won't be appealed, it means almost nothing.

A trial level court decision does not mean much, except to the parties, until there is an appeals court rules on it (or denies to rule on it, sometimes).

The issue on port scanning will come back again. It will be decided on frequency, and by whom. If you try repeated times on the same system, or using kiddie scripts it will be ruled against you.

I'm not too sure on this ruling

[Flounder]

The judge ruled that that port scanning tools neither "impair the integrity nor availability of the network."

However, if through the use of a port scanner, a script kiddie finds a weakness in one of your web servers and proceeds to take down your network, then I think it does "impair the integrity nor availability of the network."

It's the equivalent of a burglar checking your doors and windows looking for one that's not locked.

I use portscanning tools all the time on my own network. However, I'll be damned if I'm gonna sit back and let some 12 year old with some software downloaded from Tucows identify every machine in my network and what ports they're using.

Never had it happen though, that's what the firewall's for.

Security-firms

[zyklone]

Thank god that the judge did not buy the standard comp-sec firm talk that a scan is the same thing as a hack attempt.

Over here (Sweden) there have been lots of whining lately from the security firms suggesting that all broadband users should buy their firewall to avoid the hundreds of hack attempts every day.
Now how a badly configured firewall would help I do not know.

To me it seems that security firms have some of the worst security of all internet sites.
GO EEYE!

Re:The legal system still doesn't get it...

[BeBoxer]

I would not consider port scanning to be like actually trying locks. It is in fact the least intrusive method possible to determine whether or not a machine is offering services to the public. In this way, it's more like walking down a street looking to see which buildings have open doors and welcome mats.

Here's a real world example I just came across at work. Part of our address range is in use by a high school. It seems that one of their computers decided to scan for FTP ports on a whole lot of addresses. I don't know if it was a student doing it or if the machine was hacked first. But, do you think this is "a violation of property rights"? For someone to go out and ask machines on the internet if they allow anonymous FTP access?

I agree completely that if someone is doing things which can only be viewed as a hacking attempt such as scanning for ports with commonly known vulnerabilities which are not used for public services, that's a problem. But, if someone is just looking for machines which are allowing anonymous FTP, who cares? This isn't like "trying the locks" at all.

It seems like you have a pretty extreme view of what it means to "use" someone elses computer. Is trying to FTP to a machine something which deserves a stiff penalty? What about a ping? What if I happen to get an arp sent down your DSL line? What about when IIS tries to connect back to web clients to get name information? Is this a criminal act on the part of Microsoft to engage in illegal tresspass? Did Cable and Wireless give me implicit authorization to send packets thru their router when they connected it to the internet? Did you give me implicit authorization to send packets to your host when you connected it to the internet? Is it my responsibility to intuit that you don't want FTP sessions? Or is it your responsibility to block FTP packets if they are unwelcome?

Re:Hahahahahahahahhaha

[brokeninside]

Personally, if someone jiggled my doorknob in the middle of the night, I'd ignore them unless they opened the door and came in. If they simply jiggled and walked away, at most I'd call my neighbors to keep an eye out.

Regardless, this analogy doesn't fit portscanning. A portscan jiggles no knobs, it simply reports that a knob exists and perhaps what type of knob it is. If someone came by in the middle of the night to check my knob, I'd be a bit suspicious. Much less so if a person did such during the day. In either case their actions are not likely to be illegal.

have a day,

-l

Excellent

[I+Am+Smarter+Than+U]

[root@box0r root]# nmap -S 208.47.125.33 -e eth0 -P0 -sS slashdot.org

Beautiful...