Law Review Article Says Port Scanning Illegal
Anonymous Coward writes: "The Journal of Technology Law and Policy has a good article on computer security and privacy. If you ignore the more metaphorical crap at the beginning of the article, the author marches through some laws that apply to the Internet and shows how they apply and why his way of deciding what kind of access to a computer breaks the law and what kinds don't is better. (It's based on property and expectations of privacy.) It's interesting to see the computer security from a lawyer's point of view. Especially interesting are his claims that using nmap is illegal, despite the VC3 v. Moulton case. I'm not sure I agree with him, but he definitely makes a pretty sobering case." Actually, I think the metaphors throughout this piece (not just at the beginning) are what make it interesting, and a big component of law is dealing with metaphors. This piece also collects in one place a lot of the cases dealing with computer law.
What are the IP addresses of the machines you admin? I'd like to see if you patch them.
- A.P. (I have no sympathy for admins who don't patch their machines and people who don't make backups.)
--
Forget Napster. Why not really break the law?
"Remember when the U.S. had a drug problem, and then we declared a War On Drugs, and now you can't buy drugs anymore?"
Poor analogy. What is nmap stealing when it performs connection attempts? What is it smashing?
- A.P.
This is a big change from how things work now.
I have no problem with companies' own servers being very forcefully protected, or with extreme limits being placed on what I can do to or with THEIR computers- if the SAME LIMITS apply to what they can do with mine! This has often been a concern of mine. I see my hard disks as private property, and just because I run a program does not mean my expectation is to allow the software to run completely amok and cause problems while 'protecting' itself. That would be like saying if you let someone into your house, they are allowed to steal or wreck everything you own. Hey, you let 'em in!
The real world is more complicated than that. And I'm delighted to see the real world beginning to enter into software issues too.
Do you want to be able to say "Trust me" to the RIAA, MPAA etc ad nauseam when they want to get permission to log onto your computer and scan it for copyrighted material? Do you want an ironclad legal defense stating that they have no business snooping around your property? Do you want to be able to run software they might be involved with, and not risk the possibility that they will use it as a trojan to hunt down copyrighted material and delete it or report you to the police?
Do you want to be able to say "Trust me" and be certain that if they then try to spy on you, infiltrate your system, or destroy your data, that THEY will be the criminals in that case?
Or would you like them to be able to do all this and then turn you over to the authorities if they find anything they think is incriminating?
Our 'cyberspace property rights' are way weaker than physical property rights. Having this change is not necessarily a bad thing.
The justice system of the United States Of America already disagrees with you on the last bit. Just because said system also permits appeals doesn't change that. And selling bare machines is _strongly_ discouraged- by Microsoft. You may not want to know what they can do to you if you persist in doing so.
I knew perfectly well I was pushing it with my first example, hence the 'or more plausibly'. It's pretty unlikely that they will ever not be allowed to cease supporting stuff. It is, however, possible that they will not be allowed to gratuitously break stuff that used to work- and this is precisely what they are in the process of doing.
Astroturf much? ;)
It's a bit of a red flag for me simply that you use the term 'the free market' twice. Sounds like a libertarian perspective, and you're not necessarily going to see it backed by the courts. It's pretty well accepted that limitations on this consumer ability to examine are expected- that the legal system tries to strike a balance between the wish of a seller to con the buyer, and the wish of a buyer to 'make a rational choice' (HA!).
By the same token, it's pretty well accepted that 'consumers' can't even voluntarily waive their rights completely- if you say "here's three cents off, and if it kills you we're not liable!" it won't stand up in court if the thing does kill somebody, because people don't go around making rational decisions all the time. For this reason, post-sale control of goods and services has an uphill battle if it wants to get to where the copyright lobby wants it- and in fact book publishers have already lost this battle, which is why there's case law on first sale rights.
The only thing that _can_ affect corporate entities is law and terrorism. But law _does_ affect corporate entities. You're personalising them and that's a mistake. If law says they've gotta do something, they may weasel but it's really not in the interests of the shareholders for them to try to overthrow the law itself- bad PR, poor chances, not a win. It's the legacy of Microsoft that's confused you about this, because Microsoft is an insane corporation and would _much_ rather overthrow law and justice than please the stockholders. MS has control issues. You can't generalise that to all corporations.
This is a _good_ article. Law and justice that doesn't have two sides is no law at all... this article goes a long way towards presenting a concept of digital property rights that is _local_.
There is a lot of money and power behind content creators, copyright holders etc. saying "we own this, it is OUR property, therefore we get to scan your computer, send back information to the mothership, and if you are a criminal we get to delete stolen goods off your hard drive, you pirate you! You miscreant!"
The thing is, _law_ sees this and comes back with "If you're saying that is property, wouldn't the person's hard disk be property too? As in 'not yours', as in 'you are a guest but they bought it and own it and live in it'?"
That's the beauty of law and justice- it balances, in time. The inevitable result of pushing for extensive 'property' law regarding copyright etc. is to also cast light on the subject of what kind of property a person's datasphere is.
I even wrote an essay on this in November 1998: it's at http://www.airwindows.com/fiction/essays/Hotel.html. When you operate a computer it is like you are moving your stuff around on virtual property: you put something somewhere. Does a company have a right to move it to somewhere else? To pile stuff next to it obscuring it? To paint it a different color, or dust it off? To remove, discard it, set it on fire, impound it as evidence?
The fact that all of this seems totally permissible only shows that law hasn't begun thinking about these issues yet.
You can't have it both ways- if I am forbidden even to portscan a company, then the company is forbidden to go over _my_ computer either. It's analogous. If we're tightening the protections for company-owned 'cyberspace' we're also laying a precedent for tighter protections on privately owned cyberspace.
In the future it may be ILLEGAL for Microsoft to shut off the mp3 encoding in its software and force people to migrate to WMA- or more plausibly, it may be ILLEGAL for them to take a WMA file that was once functional and render it nonfunctional arbitrarily if you don't cough up a license fee. It may also be illegal for them to place restrictions on OEM desktops- on the basis that they make the building materials, the OEM builds the house, the customer buys it and moves in. There is no compelling argument that they must be able to prohibit the OEM from decorating the 'house' as they see fit.
Very interesting stuff in this article, and grounds for hope :)
Ok, let's pretend I'm really filthy rich and looking for a bank to put my money.
If I ask to see their security, chances are the bank will be more than willing to do so. If I suggest testing their security for weak points, they may also be willing to work with me if I'm worth a really filthy amount.
If however I do so by attempting to break in to all the banks in town to see which ones have weak security, without asking first.
Would it come as any surprise to end up in jail?
I understand your point, but you need to ask permission. If permission isn't granted, then maybe you should move on to the next provider, until you actually find one who will let you.
Guns don't kill people.
It's the damn bullets!
Did it ever occur to you that maybe the people who post stories don't check k5 every time they post a story? They post stories off the submission queue...if you want to complain, complain to the person who submitted it.
-- Are you an EFF member yet?
I have been known to portscan port 80 on a slow day to see if there are any local webpages on the network. Same with news servers and other interesting ports of communication. Looks like a walk through the neighborhood to visit interesting characters will soon be outlawed.
Shame people don't believe in locks to spoil it for those of us who like to visit those who wish to open up communication ports to be friendly.
Guns can also be used for hunting purposes for us that prefer eating tasty animals that haven't been pumped up with steroids and antibiotics, raised on cruel slaughterfarm camps. What a life for a cow. I prefer wild deer.
Portscanning can also be used for searching sites that haven't been shamelessly advertised through marketing. Such rare gems are often found to be representative of local communities. I prefer folks who take the initiative to put up something personal, but haven't spammed their links everywhere. You'd be surprised at what you can find through portscanning httpd, finger, ntalk, etc...
The policy for specifying what is allowed and not allowed is simply closing the damn port in the first place.
I think yours is a bad analogy. Port scanning is much less intrusive than what you describe.
:)
I like the door knocking analogy... on the scale of 1024 doors
Steve
In a single FTP session, you can end up using any free port on the machine to do the file transfer.
But that conversation is part of the FTP session, and is (or can be) logged as such. You wouldn't connect to a random port without requesting a file transfer from an FTP server, assuming I even have an FTP server running on my computer, which I don't.
The list the guy mentions isn't meant to be an exhaustive list of services which are considered "public". Replace the list with the phrase "commonly provided services". And interpret the names of the services, instead of the ports for the names. If you want to run your telnet port on 23000 instead of 23 to avoid a firewall somewhere, more power to you. And no company would provide a service without also providing a direct way to the service, unless they intend for that service to remain undetected, in which case it's probably not a service that should be running anyway (like the telnet port at 23000 to avoid the firewall).
This space for rent. Call 1-800-STEAK4U
A port scan can be defined as any exploration, brute-force or directed, of the available services on a computer not belonging to you with the intent of utilizing those services in a manner not intended by the provider of those services.
Does that make sense?
This space for rent. Call 1-800-STEAK4U
IANAL.
the "expectation of privacy" doesn't mean shit. There is nothing that actually PROTECTS our privacy. We just assume that laws should... Tough shit for us I suppose.
yep, you cannot do that. If you don't trust them, go somewhere else. You don't own the machines, you cannot scan them.
but no one is looking for the "main" entrance are they? They are looking to see if the "Staff Only" doors are unlocked when no one is around..
This made me laugh. Portscanning and murder are the same thing?
Yep. But your ports aren't property. They aren't even corporeal.
Interesting. Please point me to the legal agreement I signed which states that - you ought to have no difficulty if your assertion is true.
It has nothing to do with a legal agreement. The Internet is a public internetwork by definition. It's like standing on a public highway.
My system is my system, for use by me and those whom I authorise to use it, and NO-ONE ELSE.
I suggest you disconnect your machine from the Internet. Or buy a good firewall, if you want to be more reasonable about things.
If you portscan my system, I wanna know WHY, and you better have a bloody good reason for it.
Red herring. We're talking about a law that forbids port scanning of *any system*, NOT YOUR SYSTEM. And, believe it or not, there are legitimate reasons to check the security of ports on other hosts. Like checking up on your ISP's security claims. Or checking your OWN systems. And if you don't think that would be illegal too, you don't know the government very well. ;-)
I don't know about google but there are commercial companies out there that do portscanning as part of their business model.
Here is one:
May 15 03:32:39 209.211.205.56:37301 -> xxx.xx.65.88:80 SYN ******S*
May 15 03:32:39 209.211.205.56:37278 -> xxx.xx.65.65:80 SYN ******S*
May 15 03:32:39 209.211.205.56:37285 -> xxx.xx.65.72:80 SYN ******S*
May 15 03:32:39 209.211.205.56:37286 -> xxx.xx.65.73:80 SYN ******S*
May 15 03:32:39 209.211.205.56:37287 -> xxx.xx.65.74:80 SYN ******S*
May 15 03:32:39 209.211.205.56:37291 -> xxx.xx.65.78:80 SYN ******S*
May 15 03:32:39 209.211.205.56:37293 -> xxx.xx.65.80:80 SYN ******S*
May 15 03:32:39 209.211.205.56:37294 -> xxx.xx.65.81:80 SYN ******S*
May 15 03:32:39 209.211.205.56:37298 -> xxx.xx.65.85:80 SYN ******S*
May 15 03:32:39 209.211.205.56:37302 -> xxx.xx.65.89:80 SYN ******S*
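The log excerpt in the comment above shows one source sending SYNs to port 80 on a run of neighbouring addresses within a single second. As an added example (not from the thread or from any tool it names), this Python code parses lines in that layout and flags sources that sweep one port across many hosts or many ports on one host inside a time window. The sample lines are constructed with documentation-range addresses; the year, the 60-second window and the threshold of 5 are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the layout of the log excerpt above. Addresses are
# from the RFC 5737 documentation ranges, not taken from the page.
SAMPLE_LOG = """\
May 15 03:32:39 198.51.100.7:37278 -> 192.0.2.65:80 SYN ******S*
May 15 03:32:39 198.51.100.7:37285 -> 192.0.2.66:80 SYN ******S*
May 15 03:32:39 198.51.100.7:37286 -> 192.0.2.67:80 SYN ******S*
-- not a log line (extraction debris is skipped) --
May 15 03:32:39 198.51.100.7:37287 -> 192.0.2.68:80 SYN ******S*
May 15 03:32:39 198.51.100.7:37291 -> 192.0.2.69:80 SYN ******S*
May 15 03:32:39 198.51.100.7:37293 -> 192.0.2.70:80 SYN ******S*
May 15 04:10:01 203.0.113.9:40001 -> 192.0.2.10:21 SYN ******S*
May 15 04:10:02 203.0.113.9:40002 -> 192.0.2.10:22 SYN ******S*
May 15 04:10:03 203.0.113.9:40003 -> 192.0.2.10:23 SYN ******S*
May 15 04:10:04 203.0.113.9:40004 -> 192.0.2.10:25 SYN ******S*
May 15 04:10:05 203.0.113.9:40005 -> 192.0.2.10:80 SYN ******S*
May 15 04:10:06 203.0.113.9:40006 -> 192.0.2.10:110 SYN ******S*
May 15 05:00:00 198.51.100.20:51000 -> 192.0.2.65:80 SYN ******S*
May 15 05:30:00 198.51.100.20:51001 -> 192.0.2.65:80 SYN ******S*
May 15 06:00:00 198.51.100.99:52000 -> 192.0.2.65:80 SYN ******S*
May 15 07:00:00 198.51.100.99:52001 -> 192.0.2.66:80 SYN ******S*
May 15 08:00:00 198.51.100.99:52002 -> 192.0.2.67:80 SYN ******S*
May 15 09:00:00 198.51.100.99:52003 -> 192.0.2.68:80 SYN ******S*
May 15 10:00:00 198.51.100.99:52004 -> 192.0.2.69:80 SYN ******S*
"""

# Addresses are matched as opaque tokens, so masked octets such as
# "xxx.xx.65.88" in the original excerpt still parse.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<src>[\w.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\w.]+):(?P<dport>\d+) SYN\b"
)


def parse(log_text, year=2001):
    """Return sorted (timestamp, src, dst, dport) tuples for each SYN line.

    The log carries no year, so the caller supplies one (assumed here).
    """
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # anything that is not a SYN record is ignored
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["src"], m["dst"], int(m["dport"])))
    return sorted(events)


def detect_scans(events, window=timedelta(seconds=60), threshold=5):
    """Map each flagged source to the scan shapes seen inside any window.

    horizontal: one port probed on >= threshold distinct hosts
    vertical:   >= threshold distinct ports probed on one host
    """
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev[1]].append(ev)

    findings = {}
    for src, evs in by_src.items():
        kinds = set()
        start = 0
        for end in range(len(evs)):
            # Slide the window so it never spans more than `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            hosts_per_port = defaultdict(set)
            ports_per_host = defaultdict(set)
            for _, _, dst, dport in evs[start:end + 1]:
                hosts_per_port[dport].add(dst)
                ports_per_host[dst].add(dport)
            if any(len(h) >= threshold for h in hosts_per_port.values()):
                kinds.add("horizontal")
            if any(len(p) >= threshold for p in ports_per_host.values()):
                kinds.add("vertical")
        if kinds:
            findings[src] = sorted(kinds)
    return findings


if __name__ == "__main__":
    for source, shapes in detect_scans(parse(SAMPLE_LOG)).items():
        print(source, shapes)
```

The last source in the sample touches five hosts but spaces its probes an hour apart, so a 60-second window does not flag it; a fixed short window is blind to slow sweeps.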
Does this mean that Google and company can now be found guilty when searching for open port 80 on networks?
How about search engines that look for open 21 (ftp) port? How about gopher? CIFS (Common Internet filesystem)? Hmmmm, interesting...
I don't want a lot, I just want it all!
Flame away, I have a hose!
Only 'flamers' flame!
The difference is that they force you to use the alpha versions, whether you want to or not.
Caution: Now approaching the (technological) singularity.
I think we've pushed this "anyone can grow up to be president" thing too far.
Analogies:
The third bullet is definitely questionable as far as this lawyer's analysis goes, but nmap is most certainly not illegal, witness bullet points one, two, and four. Five is just stupid.
I like to play children's songs in minor keys.
"We're all sons of bitches now." --J. Robert Oppenheimer
- 1st paragraph, 2nd sentence: Laws made to protect computer security? How do you protect security? Or does he mean computer security is applied unpredictably? What?
- 2nd para., 2nd sent. Either the word 'in' or the phrase 'partially on' need to be deleted.
- 2nd para., 3rd sent. With property rights, computer owners will not be willing to connect to the Internet if their computers can be abused without legal remedy. So what's his point?
/me gives up in disgust and then notices byline, at the very beginning:
Ethan Preston expects to receive his J.D. from the Georgetown University Law Center in 2001.
Right... and I expect to be made emperor in 2001. I'll never hire a Georgetown alumnus if Ethan makes the grade.
I'll begin with this...
The people that insist that port scanning should be legal miss the fact that it should be legal ONLY for the sysadmins of that particular network, not for every idiot that thinks he/she should have the 'freedom' to scan a network that doesn't belong to him/her.
A stated law that makes it clear that port scanning is illegal for those outside of that network's system administrators gives people the tool to go after those who scan networks for holes that they can exploit. For instance, on my dialup connection I regularly get scanned for SubSeven and NetBus. These people are looking specifically for those ports, and the only reason they are scanning those ports is to find a machine that has been compromised that they can get into. Those that advocate being able to run port scans on networks that they don't admin could also use the same argument that it's ok to attempt a robbery as long as the attempt isn't successful.
But, I do expect the whole concept here to fall on deaf ears (or blind eyes as it were), since it seems that Slashdot has become a haven for the script kiddie crowd.
Steve's Computer Service, Hobbs, NM
It's kinda like showing a proof of Godel's Incompleteness Theory to someone not versed in math. Each step of the process is simple and straightforward, but as a whole it's tough for an untrained mind to grasp and follow along.
--
Mod up a post Rob doesn't like and you'll never mod again
A netboot machine? Windos with the "network neighborhood"? Most connections require a userspace program to request a connection. Contrary to Micros~1 propaganda, a web browser isn't really a standard operating system component.
Or were you referring to nmap not using the OS routines to attempt the connect? If so, then you're just wrong since it does use the OS routines.
Secondly, blah blah blah
It's usually considered bad form to change definitions in the middle of a debate.
So you're telling me you've never done an HTTP GET just to determine if the webserver is running? Oh no, port scan! Anyway, next time I portscan you I'll just be sure to send a GET request and you'll consider it not-a-port-scan.
This is similar in attitude to the "admins that don't patch their systems deserve to get cr/hacked", and almost as ridiculous.
Go Straw Man! I'll just ignore this comment.
or implicitly (eg. setting up a website)
"I was just checking to see if that's what you had done!". Or is that a portscan, because I didn't magically know the instant you did so?
The sad fact is that many people don't seem to really understand the Internet. That's why we have parents expecting that the internet should fit their morality even though anyone can publish, governments thinking they can legislate it, and people like you thinking "no! don't even look at me!" is a basic right.
-----
--
perl -e'$_=shift;die eval' '"$^X $0\047\$_=shift;die eval\047 \047$_\047"' at -e line 1.
If you go up and down the street knocking on people's doors in order to find out who is not at home, then you are "casing". And that is a crime.
A Government Is a Body of People, Usually Notably Ungoverned
Absolutely not! Girl Scouts knocking on doors are specifically looking for people at home. Ditto for Jehovah's Witnesses, Mormons and trick-or-treaters. Casing is when you knock on doors (or perform other activities) to find out who is NOT at home. Big difference. Huge difference.
Go around your neighborhood. Knock on all the doors. When someone answers, politely say "Oh! I'm sorry, I didn't expect you to be home. I'll come back later." Within minutes someone's going to call the cops on you.
A Government Is a Body of People, Usually Notably Ungoverned
Port scanning IS passive.
...
In the bank analogy, how do you know if they have a door or a window? Photons from the sun bounce off of it and hit your eye in a recognizable pattern.
How would you do this on a cloudy night? A flashlight perhaps?
There's no way (aside from sending out continual broadcast messages from everyone) for a server to broadcast that it is serving something. You simply have to ask. Portscanning is how you do that. You ask if they are serving files. How about web pages? How about
Now, you could make up some convoluted scenario where the bank had photo-cells in the windows to detect if it was night, and your flashlight, unlawfully shined into their windows, blah blah blah...
This would be like if you were scanning for someone sharing files, you check FTP, HTTP, Windows networking, etc... Now maybe someone has a misconfigured program that instead of saying 'No', crashes when asked.
But that's not your fault, you were just asking a question.
If you exploited this, by asking over and over, it'd be akin to harassment. An otherwise legal action would be forbidden by context.
Similarly, portscanning should be legal. It's the way the network works. But malicious use of portscanning, or portscanning connected to a crime, wouldn't be legal.
"If nmap is illegal, then only criminals will have nmap"
Jesus was all right but his disciples were thick and ordinary. -John Lennon
Perhaps a friendly call to them to get permission first?
"That's Tron. He fights for the Users."
No, I haven't, but you probably haven't either. Don't know until you try and all that. Personally, if someone called me (preferably someone who had already requested info on hosting services from me) and made such a request, I'd probably allow it.
"That's Tron. He fights for the Users."
Well, actually, I'm not sure that's the case. The author lists two references for that one particular sentence:
TIMOTHY PARKER, TEACH YOURSELF TCP/IP IN 14 DAYS Page 1-50 (2nd ed. 1996); Jason Yanowitz, Under the hood of the Internet: An overview of the TCP/IP Protocol Suite at http://info.acm.org/crossroads/xrds1-1/tcpjpy.html (modified Jan. 20, 2000).
Though I would rather he read the Stevens book as opposed to some "teach yourself something in 14 days" the fact remains that he is right. Though separating the process of communications into layers is an academic exercise and not a technical one. The TCP/IP model and the DOD model both have 4 layers. The OSI model has 7 layers, much like that burrito from taco bell.
Check out this link for differences between the three.
Killing people might actually have a useful purpose once in a while. But I still like the idea of keeping it illegal. The fact that the act can be committed from overseas doesn't mean that it shouldn't be a crime. Nor does criminalization mean that you shouldn't defend against port scanners. It is illegal to steal a car; every car sold still has locks and a keyed ignition. You can't count on the law to find and prosecute the one who attacks you; that's not a complaint about the law, just the fact that they are only human. So you defend yourself with firewalls, burglar alarms, and pepper spray, cooperate with the law when you are attacked, and let the law simply reduce the number of jerks willing to attack you.
--The basis of all love is respect
The point was connecting to a public network for *purely* private purposes is inherently retarded, as in: connecting top secret military computers to the internet, connecting your corporate intranet with all of your trade secrets to the internet, connecting your electric power grid controllers to the internet.
Usernames and Passwords are used when a specific subset of the *public* need to connect to publicly accessible computers. Connecting to a public network and expecting *not* to get portscanned or *not* to get connected to is just stupid.
-- iCEBaLM
Like connecting a private driveway to a public road and never expecting anyone to look at it or the occasional stranger using it to turn around.
-- iCEBaLM
Crime, eh?
Okay, suppose someone passes such a law. How the hell is the law going to be enforced?
On the defensive side, you really have no idea whether the host you're being scanned from is really where the packets are coming from, so you could end up throwing your lawyers at host A whilst on host B the "real" scanner is laughing at your expense and looking for someone else to spoof.
On the offensive side, you could outlaw tools like nmap, to prevent people from scanning in the first place. If the lesson from DeCSS means anything, making nmap illegal will not hinder anyone's access to it, except people who have a legitimate need to use such tools.
You could license use of scanning tools, e.g. to "Certified Systems Administrators," but that won't slow down the black hats any (see above), and just make the life of a sysadmin more difficult.
Laws against portscanning would be unenforceable; time better spent securing systems so they don't get cracked in the first place, and leveraging existing laws against the people who *do* break into systems.
Port scanning is like looking at a house from across the street. The equivalent of "crawling around someone's house rattling doorknobs, windows, mailboxes, air ducts, rooftop hatches, basement doors, garage doors, electric panel doors, gas valves, water valves, sewer vent lines, outdoor outlets, chimney openings, stove vents" is sending known exploit code to the port in order to see if you can get unauthorized access. It's not even like looking in the windows. A port scan tells you nothing more about a computer than seeing that a window on the second floor has been left open.
The first could be used in the sense of "casing the joint," but it could also be a case of looking at the architecture of the houses on the block without the owners' permission. It may make some people uncomfortable, but it's hardly illegal. A port scan is the closest thing to a look-but-don't-touch on the Net today.
If port scanning is found to be illegal, would a bare ping to see if a site is up and running be made illegal in the future as well? Beware the slippery-slope. We need to make sure that there is a difference in law between committing a crime and having the potential to commit a crime.
If a script kiddie starts trying known exploits against your box, THAT should be seen as a crime. They are totally trying the vents to see if it's loose so that they can gain access. This is a clear, distinct, and unambiguous step beyond a port scan.
- I don't need to go outside, my CRT tan'll do me just fine.
Too often these days we see those who are empowered in our society, either by money, political or social position, seeking further extensions of that power. The law, it seems, wasn't enough.
The RIAA and MPAA were tremendously well-protected under the Copyright Act, without more. But that was not enough. Dissatisfied with the existing provisions of the Act, carefully negotiated by careful balancing of public policies, they went for the raw power-grab, and obtained rights in gross through the MPAA, making it a crime and actionable to circumvent copyright protection technology, even when the technology circumvention does not give rise to an infringement.
Likewise with trademarks, the AntiCybersquatting Act and trademark dilution.
Likewise here, with the proposed "don't peek" provisions. Again, the Congress carefully drafted (well, it's a mess, but it's what they gave us) the Computer Fraud and Abuse Act and the Electronic Communications Protection Act, with all its powers and limitations, to prevent certain kinds, but not all kinds, of hackery. Congress expressly limited de minimis impositions costing less than $5,000 per year, such as pings, from the CFAA, precisely to protect overreaching machine-owners and, if you will, "to permit the spice to flow" as internet technologies develop.
But the powers that be are always seeking yet another way. We no longer need the CFAA, with all of its policy-balancing limitations and exceptions. Instead, let's just make it illegal to ping, if I'm powerful enough to sue your patents off, and watch you squirm under the power of my legal sledgehammer.
This is, simply put, the wrong thing to do. If we are going to empower people to protect legitimate interests, we must carefully carve out the abuse of that power to protect other interests; and make it cost the nasty plaintiffs when they lose.
I do not condone computer crime, and portscanning is a blight upon mine eyes. But we shouldn't make it criminal or actionable when it doesn't rise to the level of meaningful denial of service, and we should wait until a computer crime is actually committed before we go after someone for a computer crime.
Otherwise, we simply empower the powerful to prey upon the weak. That will always happen, of course as a force of nature -- but we needn't write it into the law.
It is time to STOP changing the law to circumvent public policy, just to appease the few powerful enough to lobby the Congress. Yes, this sounds good, and the argument of the article, while not persuasive, cannot be ignored without reasoned comment. But it is bad for the net, and it is bad for America. We don't need to arrest woeful pingers, just because it would facilitate catching a few real bad guys who are otherwise slipping through the cracks.
That's too much and not enough good law.
Verra dangerous, imho, because it's horridly broad. Building a massive microwave generator and pointing it at your neighbor's house would be legal.
----
Am I the only one who thinks Microsoft is a misnomer? Perhaps Macrosoft would be a better fit?
"Port scanning has nothing to do with breaking in."
You have got to be kidding me. Every hack starts with a portscan. When you say "looking" what you really mean is "casing the joint". You are walking around my house and trying to figure out how best to break in. What possible legitimate reason do YOU have for portscanning? If you want to know if I have FTP services for you ask me, better yet presume that it's not there because I did not tell you about it. If I wanted you to access my computer via FTP I would have let you know.
Also it's one thing to wonder about whether or not I have an FTP server and it's another to scan every single port on my machine. What is your justification for that?
I tell people to use portsentry. That way they can immediately blackhole anybody who does a portscan. Anybody who does a portscan is doing it because they want to hack your system. There is no other reason to do one.
War is necrophilia.
All cracks start with a portscan. Maybe in the one to two percent of the cases a portscan is done for benign reasons but really even you have to admit that most of the people portscanning you want to see if they can break in. Use portsentry and black hole people who portscan you. You'll see how many of them complain that they can't finish their portscan.
War is necrophilia.
Why are you seeing if a port is open? Better yet why do you want to know about the status of every single port on my machine? DO I know you? Did I say I was going to provide some service for you on my computer? Did I tell you about some service and forget to tell you the port?
Be honest. People running portscans are doing it because they want to hack your machine.
War is necrophilia.
If he wanted you to play his game he would have told you about the port.
War is necrophilia.
"Without portscanning, how do you find out what services a host provides to the public?"
Here is a novel idea.
Presume that there is no public services unless you have been told about them by the people who own the server. They are not obligated to provide you with anything. If a service is not advertised or nobody told you about it why are you looking for it?
War is necrophilia.
"Trying doors and windows: Using packaged exploits (parallels: It's easy; if it succeeds you are now able to walk around and do what you want; and any responsible person would have taken the simple measures to prevent its effectiveness)"
Nevertheless this could get you arrested. If you actually walk in then it's breaking and entering. Trying the door is actually trespassing because at that moment you are in my property. It could be argued that the minute you leave the sidewalk you are trespassing in my property. The analog of that might be that the minute you probe a port without an advertised service you are a criminal.
War is necrophilia.
Unfortunately this is a slippery slope argument. What if I lock my door but the lock can be jimmied easily? What if somebody on the internet develops a skeleton key which now opens every lock with that brand? Now what? I locked my door like a responsible citizen but some script kiddie got a hold of a skeleton key and ransacked my house. Is it still my fault?
The problem is that even though you may be a relatively responsible person there are bound to be security hacks that you don't know about. The burden should not be on me. It should be on the person doing the breaking and entering. You can't just say but you should have changed your lock, it was known for three days that this skeleton key was in circulation.
War is necrophilia.
Anybody can DOS you anytime they want. There is nothing you can do about it.
Portsentry listens on ports you tell it to and when it detects a scan it can immediately run an ipchains rule to blackhole your ip address.
War is necrophilia.
99 percent of all port scans being done are a prelude to an attack on your system. If somebody is portscanning your system you can be 99% sure they are looking to break into your system.
"And what about the suggestion that portscans should be used to verify the security claims of ISPs before subscribing."
Simple. Call up the ISP and ask for permission to do a portscan. If they don't let you, move on to another one.
War is necrophilia.
Just because people are ripping off their employees that does not mean the portscanners should get a free ride. People do have the capability to worry about more than one security problem at a time. Some breaches are due to internal employees and some breaches are due to external hackers.
Just as internal employees are punished severely if caught so should the portscanners and the hackers.
Oh BTW are you seriously suggesting that crackers don't start with a nmap first thing? They just let loose with an attack on a random port without first checking to see if that port is available?
War is necrophilia.
Because logs are for after the fact. Logs don't prevent you from being hacked. Sure you can take precautions and you should but tripwire will tell you after the fact that you have been hacked. There is always cause to be afraid.
Hackers will attack your system via exploits that may not be known to you or even to the general public. There is always some delay between a hack being discovered and being published and fixed. So that "necessary" port may be a sitting duck for a buffer exploit and you don't even know it yet. Also any hacker anywhere in the world can DOS you with off the shelf kits and there is nothing you can do about it.
I will restate. Anybody who is doing a portscan of your system is most probably looking to crack it. Maybe one or two percent of portscans are accidents or legitimate but the vast majority of them are people who are looking to take over your machine and commit crimes. If you detect a portscan you can be 99% sure the person who just portscanned you was looking to see if they could break in. They have criminal intent.
War is necrophilia.
Internet started with a small set of highly trusted people and hosts. All of the core internet protocols have this trust presumption built into them. It's not the same world now. Sorry.
The days of leaving your server open to mail relay, rpc etc are long gone and will never come back thanks to the legion of script kiddies who have nothing to do but crack other machines and launch DDOS attacks against anybody they want to.
So no you may NOT presume that I am giving you something. You may NOT presume that any service I have on my machine is for you. Do not try to connect to my machine unless you know there is a service there AND have been told so via advertising, links, email, phone or otherwise that you are welcome to it.
It's my machine and you keep your hands off it.
You have no reason to port scan me. NONE. If you are port scanning me it can only mean you mean to crack it.
War is necrophilia.
What a bunch of crap.
First of all a tool that is used 99% of the time in criminal activity and 1% of the time in non criminal activity will be either illegal or highly regulated. All kinds of chemicals and drugs fall under this classification. You can't go into a drug store and buy heroin but a doctor can prescribe it for you. They are not illegal to have but require licensing, registration etc. In the real world it's not all or nothing.
There is no reason why something like that can not be set up to prevent hackers from portscanning your machine.
War is necrophilia.
I hope and pray that the day will come where the TCP/IP protocol will be in such a condition that I will be instantly able to track down any portscanner. When packets can't be spoofed, when return addresses can't be forged, and when people will be held personally responsible for their acts of vandalism. When such a day comes I will be the first in line to press charges against anybody who portscans my system and make them pay for taking up my bandwidth and my processing power even if it's only ten cents. I will also fight to make these actions criminal, I will lobby my congresspeople and I will tell anybody who listens. Until people end up in jail for cracking systems cracking will go on. Until we fix the protocols which allow people to unleash destruction anonymously we will all be victims of smart aleck 13 year old script kiddies with nothing to do but jerk off to pr0n and destroy other people's property because they can't get laid and have to release their sexual frustration by being destructive.
War is necrophilia.
I would outlaw port scanning without permission. That's all. If you want to portscan me just ask I might let you otherwise it's trespassing. Of course something like this would be hard to enforce given the state of TCP/IP as it is today but one day your ability to spoof will be gone and I will dance in the streets. But then again trespassing is hard to enforce too if you have a 300 acre ranch. Somehow it's still illegal though.
War is necrophilia.
I would agree to disagree except that you keep insisting that a port on my machine, set up by me, for my purposes, using bandwidth I paid for by me is somehow not my property.
War is necrophilia.
It will one day because it's logical and consistent with our current concepts of property. Many people have ranches spanning many acres which are not fenced but it's still illegal for you to step on that land, bike through it, hunt on it etc. You may claim that it causes no harm to walk through their property or that because they have not fenced it you are free to walk about on it but it's still trespassing.
Port scanning is trespassing pure and simple. It matters not what your intention is or whether I have IPchains rules to stop you. BTW even if I do have firewall rules you are still eating up my bandwidth and my CPU cycles and my hard drive space by port scanning me.
In America property rights are very vigorously defended. Using other people's property without permission is illegal in most cases and will one day be illegal in this case too. It's just a matter of time for technology to catch up so it can be enforced. Hopefully IPv6 will take us a huge step in that direction and I can't wait.
War is necrophilia.
False on both accounts.
Even intangible things like ideas, concepts, songs, plans, etc are considered property and have legal status of ownership. Furthermore the port exists only because a machine exists. That machine is mine, the port is on the machine and therefore the port is mine.
Even if you don't do "damage" I can argue that your portscan cost me money. It cost me money because you used my bandwidth, it cost me money because you used my CPU cycles, it cost me money because you used my hard drive space and it cost me money because I had to analyze that log to try and see if you were up to no good. It cost me tangible money and tangible time. Even if each portscan cost me five or ten dollars it adds up over the lifespan of the machine. I suppose I could ignore my logs but that too would cost me even more money in the long run.
War is necrophilia.
No matter what you think of intellectual property the fact remains that it's the law of the land. There are a whole host of "intangible" things like copyright etc that are coded into the law as property.
I really don't think you can actually try and argue that a port does not exist. If it does not exist why are you scanning it? What are you scanning? Even in the one in a billion chance that a judge actually bought that argument you can not argue that the bandwidth you took up didn't exist, that my CPU didn't exist, my hard drive didn't exist or that my time didn't exist. In other words the damage you caused was real no matter how ethereal or "unreal" the port was.
War is necrophilia.
Without portscanning, how do you find out what services a host provides to the public? A website is not the answer, because there's no obligation for a host to set up an HTTP server just because they want to offer IRC. See purple.com for an example of this.
------
There's no reason why I should have to phone 30 WSPs prior to scanning a public interface.
------
------
Maybe what's needed is a `System Policy Information Protocol' with a standard way of specifying what is and is not allowed on a specific host.
------
You would, and so would I, but try calling a Windows-centric tech support line. ("Let me talk to my supervisor... HOLD ... HOLD ... HOLD ... I'm sorry, we don't allow spamming from our networks. Oh. You want to do what, again? ... HOLD ...")
------
THANK YOU! I was hoping someone would say that.
------
The idea behind proposing that protocol was to show how silly it would be to suggest another method of finding out what is allowed when there is already such a method available (namely ICMP destination port unreachable).
What's scary is someone will eventually propose such a system, and be serious about it, and lawmakers will gobble it up.
I think the problem here is a bunch of networking newbies who think suspicious activity equals illegal activity. They're running BlackIce (or some other intrusion detection software), and as soon as they get an alert, they scream "Oh my God! Someone's trying to hack my computer!" They get scared and think that anything picked up by an IDS must be illegal.
Realistically, the only things that should be unarguably illegal are DoS attacks, since there's no technical measure to prevent being attacked by them. All other security breaches are either the programmer's fault, the sysadmin's fault, or the trusted user's fault.
------
This is a faulty analogy that is almost a troll. Port scanning doesn't damage anything, but smashing a window does.
------
Yes, but so does pinging or accessing an HTTP server. That doesn't make them inherently illegal.
------
Port scanning isn't trying to break into a bank. It's pulling on the doors when the bank is closed to see if they're unlocked. There's nothing illegal about that.
------
Maybe, but that gives rise to the false notion that port scanning is passive. That analogy is more like packet sniffing.
------
It helps to remove some of the most blatantly clueless companies from my list.
------
Put that way, it would never hold up in court.
------
Should you be deprived of the right to examine the quality of a service before buying it, especially when it wouldn't fall under "theft of services"? I think not.
------
First, I gather the lawyer involved has never traveled west of the Mississippi River, if he is under the impression that settlement has eliminated open range practices; there is still a considerable area where this applies and is still useful.
Equally he might consider hunting/fishing related common law in much of the USA, which often does not require a sportsman to assume that the mere presence of a fence is meant to prohibit him crossing same; or that in the UK which allows use of private property for casual hikers, indeed prohibits farmers from generally denying access.
Generally I gathered from reading the article that the writer believes invoking the "fence" metaphor would be a valuable way for courts to treat the internet. IMHO this is unsupportable garbage.
Imagine the chaos resulting from the ability of a person to physically fence off his property from that generally open, with a "fence" which was invisible and could cause the invocation of legal sanctions by the mere attempt to detect it - much less cross it - while others allowed and even needed people crossing those fences into their space to maintain their livelihoods. And to arbitrarily invoke those sanctions against specific access by persons left-handed, with long hair (or using nmap, et cetera), with no way for a person to know they were of a forbidden class, and the landowner having no duty to inform them.
This would be a closer analogy to the real dispute over port scanning with nmap and the like, and would cause legal risk for anyone attempting to use any area of the "open range" or those areas which though fenced are not forbidden, or known-fenced areas where their use probably would be accepted, but where it is uncertain.
The fence analogy sucks because in the real world there are only some places and situations where a fence means you are forbidden access, and fences are almost always visible. What exists on the Internet is more like carefully hidden nets of underground sensors designed to detect intruders but invisible to the naked eye.
Even where fences exist, therefore, there is often a requirement that trespassing only occurs if the owner of a property has posted "no trespassing" signs, or those forbidding certain uses (hunting, for instance) conspicuously enough that a person is indeed informed of what the rules are (and other places with different rules, but the internet is effectively too global to allow such divisions).
Therefore, what I propose is this: an access-allowed checking protocol. A method by which an internet-connected node can, if it wishes, indicate that certain uses are forbidden.
Perhaps a TCP port which can be accessed with no fear of liability which could return data indicating "Ports A, B, and D are meant for public use, but port C is private, don't twiddle with it". Maybe add further info about just what use is allowed beyond that, such as allowing HTTP access for browser use but not by data-mining spiders.
This would place a burden on both the public whose programs would have to check the access first, and the owner of the node who would have to put up the "no trespassing" signs. It would not cure the problem, but would at least allow both sides recourse to something which would allow them to know they are acting legally or which would enforce their desired restrictions.
Perhaps there are uses which the assumption would still be "allowed" or "forbidden" despite no check for the "sign" being required or no posting of it needed, but in general with no way to check for or advertise the "fence" one side or the other is going to be screwed.
Guns are inanimate objects. They are neither good nor evil, but can be used for good and evil purposes. See World War II for examples of both.
Both guns and port scanning tools have entirely legitimate and beneficial uses, and neither should be banned.
How to solve most of our problems: 1.Lots of nuclear plants. 2.Cure aging.
If 'unauthorised access' is illegal, then if i run a web server, with an index page that clearly states that i do not wish anyone to request any of the documents from it, and someone requests and transfers a document from it, are they breaking the law?
I gots ta ding a ding dang my dang a long ling long
I'd compare port scanning to wandering across that lawn and checking to see whether the doors and windows are locked. You might just be worried about my security and safety but see how far you get telling it to the police.
The way I look at it, if it's ok for the government to do it, it should be ok for the people to do it also. Is not the government supposed to serve the people in a democracy? Is a slave greater than his master?
How faithful can one be to the private property metaphor without getting into absurd comparisons? If port scanning is illegal, so should looking at someone's house, roof, lawn, doors, windows, etc...
Once you move your computer onto a public network you've changed the rules it operates under. Since the door analogy is so popular, I'd say that doing a port scan is akin to walking through a shopping district and pushing on each of the doors. In this way you can determine which shops are open for business and which are closed. The fact that you might later come back and rob some of these shops is an entirely separate matter.
________________________
I don't want free as in beer. I just want free beer.
Port scanning is the real-world equivalent of going up, testing the door knob, and walking in if it's unlocked.
I'd say that when it comes to real world metaphors, this is probably the most used, abused and stupid one. Port scanning has nothing to do with breaking in. It's looking. How am I supposed to know that you've got a public FTP server running? Or a website? Or a mail address? By checking of course.
I refuse to make a real world analogy for port scanning, because all I've seen so far has been quite stupid (although not at the very same level as this one).
Heh, besides... define "port scanning" please
--
May we live long and die out
And, they're not communicating their game plans in an obvious way. Port scanning is legal because there's no precedent for defining that a particular permanent IP is providing anonymous services for applications that aren't commonplace. With a secure web-application, a user-password attack could probably be argued, since demonstration of malice could be asserted and that server has established that it provides secure web access.
What about rpc, though? The problem with the property assertion is that it establishes the fence metaphor but without a tie-in for those in a certain physical access zone who do have access. So what, then? The trespassing sign would say, you can jump the fence if you live within 2 blocks of me, but, otherwise, not? Clearly, the metaphor needs further definition. ex.: I allow mountd from 192.168.1.0, 10.0.0.0 but, firewall it from anything else. So, a DENY rule triggers an alert, and, I have to go track down the ISP abuse account to let someone know.
Now, the Admin (an NT/2k, sort) and I exchange e-mails about what's port 111 and I don't understand why you're upset about my end-user trying to do file-sharing on your host. Of course an nfs mount doesn't trigger the same pop-up that an attempt to mount an NT/2K share does, so we're talking about different beasts and the implementation hasn't evolved to that point, yet, where we can strategically produce end-users with a NO TRESPASSING sign that suits the situation.
Implementation of such a mechanism would be equally problematic because if we offer a challenge to their request to use our nfs server, we're going to need to connect to a suspect port on their server/proxy/firewall, which will initiate another dubious service request query from their provider. It's not all put together in a way that solves these problems, yet.
The problem with making a scan illegal is that those who've done any research know that if they get a printer/mount/anon-ftp sequence on a server that's running IDS from a particular ip within a reasonably short period of time know they're getting checked on by a vulnerability assessment script. How do you distinguish that from a simple potentially legitimate nfs connect request?
Short answer: You can't. Because that connection request for port 111 might have been initiated by someone who just loaded up the latest RedHat and wanted to do some nfs updates from some server and their dns server was configured to look at where updates.redhat.com was 6 months ago, and, you just happened to get that IP the last time your router initiated a dhcp request. Who knows?
The point is, you can't apply voodoo law when the network is still a lot of voodoo being implemented by newbie witch doctors.
Port scanning is legal. No, I don't like it. But, you can do something about it. You just can't sue anyone if they try it and break into your server. Bummer, huh? >:)
Linux rocks!!! www.dedserius.com
VB != VisualBasic
And if law were more like open source, it would be better?! Don't get me wrong... open source is fine for open source but not necessarily for law.
Imagine a system of law in which each person could set up their own government, a system of rules to which nobody else had to conform or comply. Imagine the few most popular standards were only useable by the legislators and legal pundits for twenty or thirty years while the bugs were worked out. The general public wouldn't have the understanding to try any of the several governing distributions by themselves, so they'd have to rely on more experienced people to set up their systems. Over the years, hot contentions would organize blocs of specialists who fought for only one or two standards, even though the underlying system was still supposedly a free-to-be-an-individual system.
Hm, the more I look at it, the US government resembles open source, too.
Shouldn't slashdot be making original material? This is copied straight out of kuro5hin. At least put a reference to K5 if you're gonna cutnpaste!
You might have some difficulty proving anything if the guy only hit your telnet or FTP port once.
I'm trying to teach myself to set people on fire with my mind... Is it hot in here?
If my friend moves into an apartment, and I do not know what apartment it is, can I not look around at the mailroom for his name?
THERE. I've proven my point by inventing another analogy. Arguments by analogy do not work. Forget it!
RANT: None of you geeks here have any clue about how to make logical arguments. I see nobody attempting to see what port-scanning consists of, and how you can distinguish it from normal traffic on the net.
The fact of the matter is this: port scans don't look very different from normal connect attempts, except by their sheer volume. Even that volume can be controlled by the perpetrator. I can portscan you one port a day, one packet per day if I was patient and want to be undetected. It would make no sense to make laws you can't enforce, and without port-scanning, a lot of the early internet would never have been discovered.
Cracking into computers is already illegal. All I see is people attempting to increase the scope of the law without any knowledge of what is happening.
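The volume point in the comment above, as an added example that is not part of the original thread: a sliding-window detector run over a constructed connection log, showing that raw connection volume flags a busy web client, that a distinct-port count over a short window catches a fast scan, and that the one-port-a-day scan only shows up when the window is stretched to weeks. The log format, addresses (documentation ranges), windows and thresholds are all assumptions made for the illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta


def parse(line):
    """Parse one constructed log line: '<ISO timestamp> <source IP> <dest port>'."""
    ts, src, dport = line.split()
    return datetime.fromisoformat(ts), src, int(dport)


def detect(lines, window, threshold, count_distinct_ports=True):
    """Return the set of sources that cross `threshold` inside any sliding `window`.

    count_distinct_ports=True  -> count distinct destination ports (scan heuristic)
    count_distinct_ports=False -> count raw connection attempts (volume heuristic)
    """
    recent = defaultdict(deque)  # source -> deque of (timestamp, port) inside the window
    flagged = set()
    for ts, src, port in sorted(parse(l) for l in lines):
        q = recent[src]
        q.append((ts, port))
        # Drop events that have aged out of the window for this source.
        while ts - q[0][0] > window:
            q.popleft()
        score = len({p for _, p in q}) if count_distinct_ports else len(q)
        if score >= threshold:
            flagged.add(src)
    return flagged


def build_sample_log():
    """Constructed sample traffic; none of it comes from a real capture."""
    start = datetime(2001, 1, 1, 12, 0, 0)
    lines = []
    # Fast scan: 20 different ports in 20 seconds.
    for i in range(20):
        t = start + timedelta(seconds=i)
        lines.append(f"{t.isoformat()} 192.0.2.10 {20 + i}")
    # Slow scan: one new port per day for 15 days.
    for i in range(15):
        t = start + timedelta(days=i)
        lines.append(f"{t.isoformat()} 198.51.100.7 {100 + i}")
    # Busy but ordinary web client: 500 requests, always port 80.
    for i in range(500):
        t = start + timedelta(seconds=i)
        lines.append(f"{t.isoformat()} 203.0.113.5 80")
    # One stray connection attempt to port 111 (e.g. a misconfigured client).
    t = start + timedelta(hours=3)
    lines.append(f"{t.isoformat()} 203.0.113.99 111")
    return lines


def run_all():
    log = build_sample_log()
    return {
        # Raw volume: 50+ connections in 60 s. Flags the web client, misses both scans.
        "volume_60s": detect(log, timedelta(seconds=60), 50, count_distinct_ports=False),
        # Distinct ports, short window: catches the fast scan only.
        "ports_60s": detect(log, timedelta(seconds=60), 10),
        # Distinct ports, 30-day window: catches the slow scan as well.
        "ports_30d": detect(log, timedelta(days=30), 10),
    }


if __name__ == "__main__":
    for name, sources in run_all().items():
        print(f"{name:>10}: {sorted(sources)}")
```

The single probe to port 111 is never flagged by any of the three settings, which is the ambiguity the thread keeps returning to: one connection attempt carries no information about intent.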
It is a very well known fact that most security breaches are not those that result from the remote exploit. In fact, most breaches are due to user cluelessness or employee abuse of privileges.
All this whining and shouting about portscanning does not address the most important of security flaws - the people. After all, it is just the security aspects about portscanning which bother you, right?
It is true that people running portscans probably have evil intentions. But the reverse does not apply - being portscanned does not therefore imply that you are probably being set up for evil. These are two distinct probabilities, related only by Bayes' Theorem - ever heard of that?
Please learn some elementary logic and probability and stop embarrassing yourself. Impugning dishonesty when there is none is simply irrational.
I had not realized that the difference between evil-intentioned portscanning and innocuous portscanning was one of VOLUME. Thanks for the heads up!
Yeah! Exactly. See that bastard walking up that our driveway like the road belonged to him. Just shoot him sonny, like your Pa tells you to.
I have been hacked too, and I wished the people who I warned had been more responsible. Unfortunately, there are just as many irresponsible SysAd's as there are irresponsible script kiddies.
But these are distinct questions from deciding whether portscanning itself should be outlawed or not.
I predict that this could set the record for the highest percentage of replies from people who didn't read the article.
Can someone point out to me where the article claims that nmap, or port scanning, is currently illegal? (Bonus points if you show evidence contrary to the claim. Hint: Moulton did not hold that port scanning was legal; it held that the claimant didn't show damages to the court's satisfaction, and specifically said that Moulton may be subject to criminal prosecution under the Georgia Computer Systems Protection Act.)
Such a focus on property rights, as opposed to torts, is a characteristic of right-wing interpretations of law. Lawrence Lessig, for example, focuses less on property rights when writing about the same issues.
The article uses the phrase "trusted systems" to describe software which prevents the owner of the computer from doing something with protected content. That's a painful expression. He does, though, raise questions as to how intrusive a copy protection system can be before it violates the property rights of the computer owner. That's a key point for the Linux crowd. Do you have the right to run protected content in a virtual machine which keeps the protected content from crippling the whole system?
We have a server set up at work to be a honeypot. It has one DNS entry, but is not linked to by anything, is not advertised in any way, is not pointed to by any MX, NS or other service type record. In other words, nobody who's not specifically doing blanket scans should ever find it. When somebody tries to interact with a service on it, say, FTP, not only does it keep a full record of the session, it also portscans them, fingers them, WHOISs them, tries to get banners from their FTP, mail, and web servers, and all that good stuff. Why? Because there is NO reason that anybody would ever hit it. So we want to know about the people who are.
Vintage computer games and RPG books available. Email me if you're interested.
"Ringing a doorbell" is a single probe on port 80.
I'd add https port 443 to that list, but I personally know a couple sysadmins who consider one request for connection on port 80 or 443 while the web server is temporarily down to be grounds for banning your IP.
Will I retire or break 10K?
After reading through much of the article, I still fail to see how scanning a host's ports is any different from knocking on that host's various doors and windows, seeing if anybody's home, or giving that host's various telephone lines a ring. If you don't want people coming through a doorway, lock the door.
If the right to portscan is overturned, how will a potential customer be able to discover whether or not the owner of a given host has given permission to connect via HTTP, FTP, SMTP, etc.?
Will I retire or break 10K?
Now I disagree with old Mark that all system administrators are idiots. It's just that those who are worth anything tend to move on fairly quickly these days. This kind of legal stupidity has much to do with that.
--
--
You nah, me nah. Screw you guys, I'm going home.
Hmm, it seems to be the case you already have a counter-measure to stop port scanners that doesn't involve the legal system and the issues that result from that (restriction of freedom, making yet more people into criminals, further burdening the already extremely overburdened police and courts who have MUCH more serious issues to deal with than someone running NMAP, etc).
With that in mind, you don't need to use the law in this case... you already have a better solution. Judicial solutions should be the last resort.
If someone breaks in, you can have them prosecuted in any court with jurisdiction, even if they did no damage.
P.S. If I were to go to the police because of the people trying to connect to various ports on my computer - I'd gather the police would either laugh or be annoyed. Never mind that I'd be spending a few dozen hours each week going to the police station. Or worse... The last attempt (less than 24 hours ago) appears to have come from Asia. I'm not even thinking of calling Interpol.
Just because it CAN be done, doesn't mean it should!
Exactly my point. If the person who wrote the article was your judge, you would have gone free. As for what you did, since it was unlocked, would that properly be prosecuted as Trespassing rather than Breaking and Entering? Still a crime, albeit a lesser one. (not a subtle distinction - B&E is often a felony, Trespass a misdemeanor) Any lawyers care to comment?
Just because it CAN be done, doesn't mean it should!
2 problems:
(1) Lack of security is an excuse to break in. If someone leaves the root password unset on a machine, or leaves off the security on their web server, the above would say it is legal to access whatever you want on that system - whether it is meant to be private or even if one is explicitly told it is private.
Imagine the prosecutor letting someone who robbed you go free because you "didn't take precautions" (e.g. left personal belongings for a second, etc).
(2) It legitimizes making technical measures have the force of law. If I (as a private citizen) have the technical ability to stop you from entering a public park, should you get arrested for going there anyway? Heck no. In fact, I wouldn't be allowed to even use technical measures to stop you. That is why the DMCA is so bad. Copyright is limited by fair use - fair use activities are not trespass, they are more like entering a public easement on a property where such is allowed by law. If I as a property owner in the real world block access to an easement (try to build a wall on a road crossing my property), not only do people not get arrested for breaking down/circumventing/destroying the wall, I'll get arrested for building it.
The DMCA turns that common sense notion upside down - the wall builder is ALWAYS right, the others are ALWAYS criminal.
That article seems to feed that thinking.
I am not a lawyer, but I understand common sense - which puts me above most of Congress.
Just because it CAN be done, doesn't mean it should!
Grc, oh please. the guy is a gimp. I'm sure not crying about the DDos he's suffering.
as for portscanning being an attack, it's not. someone may simply be trying to find out what services are available on your system out of curiosity. it's an information gathering tool, if you wanna outlaw those, you might as well limit yourself to JUST surfing the web. forget all the OTHER stuff there is to do on the internet and the hundreds of valid reasons to portscan an IP.
how you got modded as insightful I'll never know.
If you're hearing rhetoric about Linux, open source, or Mac and everyone's bashing Microsoft, you've found Slashdot.
By saying that others are not allowed to portscan your machine, when you detect a portscan yourself, you are allowed to call in the authorities to try and track down the portscanner. You can take preemptive measure against someone who is trying to break into your system thanks to the portscan.
Not that I'm suggesting that the authorities will be any more effective now than before, but if portscanning others' machines is made illegal, that actually gives you the sysadmin additional tools, not fewer. (Well, in the case of the FBI and their effectiveness against crackers, it's not a very useful tool, but, well, it's something...)
--
You are in a maze of twisty little relative jumps, all alike.
Tell me what makes you so afraid
Of all those people you say you hate
Since they're doing it from Korea, China, and Ghana, the fact that it might be illegal here doesn't help your security much.
Or, to put it another way, since you're going to have to secure your systems anyway, why bother trying to make something illegal that actually might have a useful purpose once in a while?
The internet is a public network, anything you connect to it is exposed for public access. Anything you do not want accessed by the public should not be made accessible on the public interface.
Why should I have to put up with repeated port scans?
Because you choose to put your box on a public network. If you don't want people looking at your box, feel free to pay for a private connection.
Those people aren't trying to connect to ports 111, 161, etc to do me a favour by testing my security. They're trying to break in!
No, they are just looking. If they find a flaw they can exploit, and then make the attempt to exploit it, THEN they are trying to break in. Certainly cruising a neighborhood casing the houses is suspicious, but it's not illegal (in general, depending on where you are. Some communities have such rules).
If you don't want people looking at a public interface, don't put one up.
guns can only be used to harm others
:)
Here's a news flash, Chester... sometimes an individual will need to harm or even kill another person for the greater good. You can say that isn't so all you want but it won't make it true. You can believe it with every fiber of your being, but you would still be wrong. Sometimes, violence isn't just a solution, it's the only solution.
I sincerely hope your delicate worldview is never harmed though. I'd never wish misfortune on another person, but that's probably what it will take to get you to change your mind.
(I've had an unarmed friend killed by armed robbers, despite her compliance with their demands, so please don't tell me that cooperating with a bad guy insures your safety.)
If you want to argue about guns, there are a lot of other better ways to go about it. Weapons aren't evil. They are tools, and like any tool they can be used or abused.
Find me one person who shoots his own house to test its defenses...
Heh, my urban fortress isn't ready for stress-testing yet.
(And thanks for reminding me to finish my concealed weapons permit paperwork. I've been putting it off.)
There is no greater good.
;)
Another point to debate. I think that there is, and that the Common Man can serve it, partially by shooting Bad Guys if forced to. But hey, to each his own.
But as far as guns go, you're statistically much more likely to shoot yourself, family, or a friend, than an attacker.
For each study that concludes that there is another that refutes it. Personally, I have a great deal of faith in my training and judgement. I take it all very seriously and see myself as responsible for the safety of those around me. But it's a personal thing and I don't think that gun ownership is the right choice for everyone.
I'm sure many people have saved themselves against attackers using their guns. I'm willing to bet that a whole lot more people have been killed as a result of provoking an attacker or in an accident at home.
Sure, there are always accidents. But there are not as many as some people would have you think. (there are many sets of contradictory studies, as always in this field.)
As to the viability of resisting -- check into Gary Kleck's research. Here's a summary from a page I found, it should be easy to google for more if you are curious.
"Kleck found that victims who resist with a gun are less likely to be attacked, injured, or suffer property losses, than those who use any other means of self-protection, or who do not resist an attack - even when confronted by an attacker armed with a gun. Furthermore, Kleck concluded from existing data that armed defenders lose their guns to an attacker less than 1% of the time."
An author named Paxton Quigley quotes some other stats that are specifically about the viability of women resisting attackers, and her conclusion is also that it is the better course of action.
I'm just saying that if you're looking to improve your personal safety, there are better choices. Martial arts, for instance. It's much harder for your kid to accidentally pick up your fist and beat himself to death with it.
BIG GUY: Give me your money or I will bleed you.
SMALL GUY: Crap, ok. Please don't hurt m-- OW, DEAR GOD, SOMEONE HELP ME!
I do not believe that fists can beat a gun often enough to go down that road myself. I have done enough martial arts and enough competitive pistol shooting to know which one I would rather rely on!!
The kid thing -- well, I don't have kids. Too bad more people aren't as cautious that way as you seem to be though. Kids and guns don't mix, I can agree with that.
that analogy doesn't work perfectly because computers aren't people. they have different senses.
Our most hands-off sense is sight. It relies on photons bounced off something else. It's passive unless you use a light source. But a computer can't see another computer on a network. A computer is blind, so to speak. It has to walk up to that other computer, in a way, and feel it up to learn anything about it at all.
I don't think portscanning should be illegal, since it's representative of the most basic way to learn about another system.
Would feeling around the outside of a building, looking for a doorway, be illegal if humans were all blind? Probably not. If touch is all you have, the laws would be a little different.
Portscanning should be considered a crime.
...
A long time programming friend of mine mentioned that the most useful courses he took outside of the programming course were a business law course, just to cover the basics of things like this, and a business accounting course, just to get his mind wrapped around modelling what bean counters were doing in the first place.
You would think with all of the legal issues running around, technical types could spend time just to get a toe wet, and get some familiarity with the concepts. It seems very much worth it.
Check out the Vinny the Vampire comic strip
"It is a greater offense to steal men's labor, than their clothes"
I see port scanning as crawling around someone's house rattling doorknobs, windows, mailboxes, air ducts, rooftop hatches, basement doors, garage doors, electric panel doors, gas valves, water valves, sewer vent lines, outdoor outlets, chimney openings, stove vents. Trying all 256 codes on RF X-10 modules, using a frequency counter/scanner to check for and listen in on radio transmissions, ringing phone lines, ringing doorbells, seeing if you can turn on sprinklers/water faucets, etc.
Would you have no problem with someone doing all that? That's a port scan.
"Ringing a doorbell" is a single probe on port 80. "Ring a telephone" is a single probe on port 23. Don't bullshit yourself.
... and as such, it has its uses, both good and bad. In and of itself, it should NOT be made illegal. Only illegal or criminal USES of portscanning should be made illegal.
Example:
I walk into my local computer repair shop. I'm casually looking around, and I notice that they have a security camera, and what appears to be a motion detector. I don't know about you, but seeing that kind of equipment sure makes me feel better about leaving my computer there. What I've just done isn't in any way, shape, or form, illegal.
Now, suppose that a criminal does the same thing; he goes in, scopes that there's a security cam and a motion detector. He makes notes of these, and later that night, comes back, and FOREWARNED about your security measures, breaks into the store, bypasses them (we'll assume he's a clever criminal), and makes off with the goods. What he's done is illegal.
Gaining the knowledge ISN'T illegal! Using it for illegal purposes IS! THIS is what so many people miss when they talk about outlawing portscanning.
My understanding is that portscanning is more akin to the 'door knocking' that other people have mentioned here as well. Does a machine respond on port X, X1, X2, Xn... ?
While that's useful, there are more dangerous exploits to be used against common ports already - there are numerous port 80 exploits against IIS boxes, sendmail and bind exploits against unix boxes, etc. You don't need to 'portscan' (in my understanding of the word) to do damage. You already KNOW the port.
Am I missing something?
creation science book
As a network administrator for a large ISP, I deal with about 4 or 5 major scans in a 24 hour period. On weekends, it can be twice that. The time it takes to track down the IPs mainly with ARIN or APNIC (75% of all scans come from .kr) and cross reference firewall scans with server logs and then e-mail the sysadmins adds up.
It gets old, and little script kiddies who want to be k-rad ub3r 31337 are the cause. They should not get criminal charges, but their ISPs should be required to terminate their (or more likely, mommy and daddy's account).
-DankNinja
@hha.net
P.S. I've had a few beers, sorry for run-on sentences and spellng erors.
One word: HUNTING! Since you seem unfamiliar with the word, let me explain. You pay money to the government (usually the state, which uses it for conservation), get a permit, take the big bad evil gun (a rifle or shotgun in most cases, but sometimes a handgun is used), and shoot some non-human creature (whatever the permit says you can shoot). Then you take your kill home and eat it, if it's something big, like a deer, you have meat for a while.
Sure, it may seem cruel, but I've seen wild animals, and I know how most domesticated livestock is raised, and the agribusiness farms are the cruel part.
Oh, and I don't hunt. I occasionally speak out against the current system of hunting, since I believe the state DNR prefers to keep deer numbers artificially high in order to get more revenue. However, your argument is flawed, and I must point it out. There are plenty of legitimate arguments for gun control, but "guns are evil" is not one of them.
You're quite right. In my experience, however, the desire to possess a gun correlates pretty strongly with the stupidity and instability that make it dangerous.
"Patriotism is your conviction that this country is superior to all other countries because you were born in it." -- GBS
And so? I compared trying doorknobs with trying simple exploits. These are similar because both operations, if successful, actually create a path into the secured area. This is why port scanning is NOT like trying doors. Port scanning just tells you where the doors are, something that can easily be done from the sidewalk.
You go try to have the neighbor kids arrested for stepping off the sidewalk into your grass and let me know how it goes.
What's an "advertised" service? Until (if ever) SRV records are widely deployed, this is meaningless. There is a continuum between plastering your port-80 address on every bus shelter and billboard in town, and telling nobody about the existence of your machine. In between those two points, there's no clear line.
"Patriotism is your conviction that this country is superior to all other countries because you were born in it." -- GBS
Then you need better glasses.
Your list of metaphorical intrusions and indignities doesn't leave anything to analogize for actual attacks.
You're not going to be able to map the full cycle of casing, analysis, attack, and penetration to the burglary story unless you pace yourself a little.
Remember perspective, it's a wonderful thing.
"Patriotism is your conviction that this country is superior to all other countries because you were born in it." -- GBS
It's surely good news to me. Every day I get hundreds of netbios (137/138/139) port scans on my Linux server from Windows boxes within the same domain. I always wish somebody would bash them and jail them.
Yes, those Windows users might not be aware, as the netbios port scanning is being done automatically. However, they must take responsibility for booting up their netbios port scanning OS, which annoys their honest Linux neighbours.
"Say you are a sysadmin. You run a mission-critical webserver. In the status quo, you receive around 40 portscans a minute. Hackers have been successful 3 times on your site. If portscans are outlawed, then the overall security of your site receives additional protection.
Practical benefits like this one should be MUCH more important than simply protecting 'liberty."
Please don't take this as a flame, but this is the same kind of flawed thinking that leads to things like anti-gun laws.
It is an extremely FALSE assumption that merely outlawing portscans will somehow reduce breaking into systems, DOS attacks, etc. Last time I checked, THOSE activities were already illegal.
To have any HOPE of effectiveness, you'd have to outlaw portscanning utilities. And give that law enough teeth to allow the stormtroopers (police) the ability to "find out who has them".
Portscanners have very PRACTICAL and good purposes you know, such as, me, as a sysadmin can use one to make sure the ports I wanted closed ARE closed... To ban portscans and portscanning means more systems will be left open and vulnerable!
Please think about the implications before so quickly giving up a liberty for the (false) promise of government guaranteed safety.
Here is the best quote on this subject:
"They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety."
-- Benjamin Franklin, Historical Review of Pennsylvania, 1759.
=== The price of freedom is eternal vigilance
Well, many programs do types of 'port scans' to look for certain services to connect to. For example, Gnutella clients routinely scan several class C networks looking for other nodes within the same netblock (as these should be closer to localhost). In fact, I think the portscan is a very useful method in IP. Unfortunately, it's misused, and as a result often is abused.
A good metaphor for port scanning would be going up and knocking on every door in the neighborhood to see if people are home. There is nothing illegal about that. It may irritate people if you go do it every 5 minutes, or do it during dinner (prime time), but it isn't illegal at all. If you're offering a service, then you are offering it. It's visible. If you don't have it secured, then that's your own fault -- anyone who can be broken into using a simple nmap and a visit to the local script kiddie exploit page doesn't have security at all, and is just using the pathetic excuse of a portscan as an attack, in which case, unfortunately, it actually is.
It doesn't matter anyway if we make portscans 'illegal', because they will still be done. DoS is technically illegal, but people still do it. All that article was to be was annoying lawyer rhetoric and unsubstantiated arguments.
"I'll just chip in a bit for RedHat: I actually have that installed on my university machine." - Linus, '95
Then there are the "gray" ports, like the non-standard Gnutella ports. Attempting to connect to 6347 after failing to connect to 6346 might be an attempt to ask for permission to speak to a Gnutella client, though it's unlikely.
That still leaves a lot of ports, and attempting to connect to any of them is suspect. If it is only once though, then we're still in the "gray" area. However, attempting to connect to hundreds of ports sequentially, even as slow as once a minute, puts us firmly in the "black" area.
Ok, now let me go back to your questions:
Does a program have to be used? If I send 50 http GET requests to a computer within one second, is that port scanning? What about 50 TCP requests to a computer to 50 different ports in one second? How many TCP ports need to be probed in how much time to be defined as port scanning?
I'm pretty sure it's illegal to go from house to house testing people's doorknobs and windows, even if you claim that you're not up to anything bad. Why should portscanning (or even automated portscanning of larger netblocks) be any different?
Generally the first thing I do after I finish setting up and configuring a box that I believe to be secure is run nmap on it with an order to scan everything. If nmap shows anything that I didn't explicitly decide to allow, that means I wrote the firewall rules wrong and need to do it again. The thing is even if the US outlaws portscanners the script kiddiez will keep using them. They are already looking to break the law (by breaking in to a computer). This is not to mention script kiddiez in other countries where it is legal. So then what do sysadmins do? If we aren't allowed to legally scan our own computers we could be leaving holes open that we don't know about.
information ripping software can be considered illegal and the information used via Gnutella or other peer to peer networks can not be used by anyone either. Under the definition as "poking around", this would easily fit in this category. Hence the MPAA and RIAA will lose big time in the courts should port scanning become illegal.
*Headline News* censorship shuts down the Internet! More at 6PM!
Portscanners have very PRACTICAL and good purposes you know, such as, me, as a sysadmin can use one to make sure the ports I wanted closed ARE closed... To ban portscans and portscanning means more systems will be left open and vulnerable!
My post advocated banning portscans from OTHER PEOPLE without your prior consent. By all means, portscan yourself 24 hours a day. You correctly cite a legitimate use of a portscanner.
To have any HOPE of effectiveness, you'd have to outlaw portscanning utilities. And give that law enough teeth to allow the stormtroopers (police) the ability to "find out who has them".
No, banning portscanning utilities themselves would be a violation of liberty because they have some legitimate purposes. It is the use of a legitimate object in an illegal context which needs to be banned (This is a *fundamental* tenet of legislation). Let's go back to the gun metaphor. If current legislation regarding portscanning applied to the use of guns, shooting things would be unregulated. People would legitimately use guns (hunting, testing bullet proof vests, etc), but many, many people would go around shooting others. Since law-abiding people should be able to walk around without the fear of being shot, there is a violation of liberty in this situation. In the internet world, there is a violation of the sysadmin's liberty because their security can be violated by the use of a portscanner. Because guns have legitimate as well as illegitimate uses, correct law will NOT simply ban guns. This would be a violation of the liberty for law-abiding people. The same thing applies to portscanning: sysadmins legitimately use portscans, so banning the utilities themselves is not the solution.
What is the solution? Banning illegitimate use, of course! The act of shooting another person (illegitimate use) is outlawed. The same thing should happen on the internet. Bad use of a (potentially) good thing should be banned, NOT THE GOOD THING ITSELF.
It is an extremely FALSE assumption that merely outlawing portscans will somehow reduce breaking into systems, DOS attacks, etc. Last time I checked, THOSE activities were already illegal.
Very untrue. Perhaps the gun metaphor is a bit inaccurate - rather, let us relate the use of a portscanner to the action of pointing a gun at an individual. The act of pointing a gun at somebody has NO positive effects whatsoever (Um...I wasn't about to shoot you mr president! I was just testing your bodyguards! Just doing my duty as a citizen to keep vigilant national security! Heh...). Thus, pointing a gun at somebody can be rightfully outlawed. Relate this logic to portscanning: If a 3rd party portscans you without your prior consent, no good can come of it. The white-hat argument is invalid here. Again, back to pointing the gun. The guy about to shoot the president I described above could have been a potential white hat - after all, he said he was just testing the bodyguards. There are two blatant misgivings in the white-hat's cause. If the guy wanted to test the bodyguards, he could have at least asked beforehand. But the much larger problem is the white hat's violation of liberty. IT IS NOT THE DUTY NOR THE RIGHT OF A 3RD PARTY TO "TEST" ANOTHER'S SECURITY BY VIOLATING IT. If somebody wants to walk around with no bodyguards, they should be able to! Back to portscanning: No sysadmin *has* to maintain good security. If his or her system is compromised, so be it. Others don't need to "look out" for somebody's liberty, especially if it involves the compromise (no matter HOW friendly) of that liberty itself! Liberty is a right ensured by one thing: legislation.
Only in the status quo and in the "police state" scenario which you cited are there violations of privacy and liberty. My model of legislation PROTECTS liberty (rather than violating it) and ensures justice.
Just wondering, what constitutes port scanning? How many TCP ports need to be probed in how much time to be defined as port scanning? Does a program have to be used? If I send 50 http GET requests to a computer within one second, is that port scanning? What about 50 TCP requests to a computer to 50 different ports in one second? I want to know!
D/\ Gooberguy
Karma: Meh (Mostly from meh.)
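The two cases asked about above (50 GET requests to one port versus 50 connections to 50 different ports), together with the earlier point about hundreds of ports probed once a minute, are what a threshold-based detector has to tell apart. The sketch below is an added example, not part of any post in this thread; the log format, the documentation-range addresses and the thresholds are constructed assumptions.

```python
from collections import defaultdict, deque


def build_sample():
    """Constructed firewall-style log lines: 'epoch_seconds src dst dst_port'."""
    target = "192.0.2.5"
    lines = []
    for i in range(50):   # 50 HTTP requests to one port within one second
        lines.append(f"{1000 + i * 0.02:.2f} 198.51.100.10 {target} 80")
    for i in range(50):   # 50 attempts to 50 different ports within one second
        lines.append(f"{2000 + i * 0.02:.2f} 198.51.100.20 {target} {i + 1}")
    for i in range(120):  # 120 different ports, one attempt per minute
        lines.append(f"{3000 + i * 60:.2f} 198.51.100.30 {target} {i + 1}")
    return lines


def parse_line(line):
    """Split one log line of the constructed format into typed fields."""
    ts, src, dst, dport = line.split()
    return float(ts), src, dst, int(dport)


def detect_scans(lines, window_s, min_ports):
    """Flag (src, dst) pairs that touch at least min_ports distinct
    destination ports inside any sliding window of window_s seconds.
    Returns {(src, dst): highest distinct-port count observed}."""
    recent = defaultdict(deque)                       # pair -> (ts, port) in window
    in_window = defaultdict(lambda: defaultdict(int)) # pair -> port -> hit count
    flagged = {}
    for ts, src, dst, dport in sorted(parse_line(l) for l in lines if l.strip()):
        pair = (src, dst)
        queue, ports = recent[pair], in_window[pair]
        queue.append((ts, dport))
        ports[dport] += 1
        # Evict events that have fallen out of the window.
        while ts - queue[0][0] > window_s:
            _, old_port = queue.popleft()
            ports[old_port] -= 1
            if ports[old_port] == 0:
                del ports[old_port]
        if len(ports) >= min_ports:
            flagged[pair] = max(flagged.get(pair, 0), len(ports))
    return flagged


if __name__ == "__main__":
    sample = build_sample()
    # Short window: repeated hits on port 80 count as one port, so only
    # the 50-port burst crosses the threshold.
    print("60 s window, 20 ports:", detect_scans(sample, 60, 20))
    # Long window with a higher threshold: the one-port-a-minute sweep
    # becomes visible, at the cost of keeping hours of state per pair.
    print("4 h window, 100 ports:", detect_scans(sample, 4 * 3600, 100))
```

Counting distinct destination ports rather than raw connections is what keeps a busy web client out of the results; the window length decides whether a slow sweep is seen at all.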
I find an interesting similarity between law and shared source. They're both big crufty kluges that don't work very well, are full of bugs, and are hard to fix. Changes are often made for political reasons and have little practical merit. And you can't fix it yourself; you can only ask the vendor to fix it and hope they'll get around to it sooner or later.
I am glad that the public has shown such an interest in my case. It is all about what the future holds for the rights of computer people everywhere. If they outlaw port scanning, what is next? Outlaw Pinging? They tried to say that in this case also. I wish I could talk more about it, but there is a Criminal prosecution case pending and I am forbidden to disclose material that is not already public. All depositions in the FEDERAL case, including the depositions of two Georgia Bureau of Investigation detectives are public, if you can figure out how to get them. Computer specialists should really read the depositions of the GBI Computer guys and see what kind of experience they have and how they investigate a case as well as what they believe constitutes a crime. It may be helpful in the future to know how to defend yourselves. You can also see another report by Kevin Poulsen at: http://www.securityfocus.com/news/126 Kevin called me, but again I could not disclose information on this case even though I would have enjoyed speaking with him. I am proud that I could be of some benefit to the computer society in defending and protecting the rights of specialists in the computer field, however it is EXTREMELY costly to support such an effort, which I am not happy about. But I will continue to fight and prove that there is nothing illegal about port scanning especially when I was just doing my job. Thanks go out to those who have sent messages of support in the past year that my company and I have been dragged through this mess. Thanks again, Scott Moulton