Kuro5hin.org: technology and culture, from the trenches

Portscanning legal in USA

By Signal 11 in MLP
Mon Dec 18, 2000 at 08:26:18 PM EST
Tags: Freedom

A district court judge has ruled portscans are legal. Many hackers and computer security professionals have been debating the legality of portscans, many on the side that it is OK - little more than a knock on the door. Good news for "white hat" hackers, bad news for overzealous corporations and ISPs.


Portscanning legal in USA | 10 comments (7 topical, 3 editorial, 0 hidden)
Of course it should be (3.38 / 13) (#1)
by jann on Mon Dec 18, 2000 at 06:43:59 PM EST

Portscanning is somewhat analogous to ringing a doorbell.

You ring a bell to see if someone is home to talk to ... you attempt to gain a response from a port to see if someone is home ... like an HTTP service, FTP service, Chargen service etc. If people do not want their servers / computers / network devices to respond to these they only need to turn them off or place appropriate access lists on their routers.

If you can't do this you probably shouldn't be running a box which allows external connections to ports on the computer.

Tell it to Mediaone (3.66 / 12) (#2)
by Signal 11 on Mon Dec 18, 2000 at 06:53:08 PM EST

My service provider, Mediaone, nearly revoked my access for running a portscan on my friend's computer to test his firewall (with his permission, even!) - and they claimed it was "hacking". After I called the manager of the callcenter up and explained things to him, that person talked to their legal department, and the problem vanished without a trace.

People don't understand security, hence they overreact when it is brought up. I could tell them that a virus that affects *only* their computers, steals their proprietary information and passes it on to competitors was on their system, and that it had control over their HVAC systems as well, and they would believe me - how realistic is it? Not very.

We've all BS'd to laypeople before, and we all know how easy it is to completely baffle them, get them upset, or make them buy stuff they don't need, etcetera. All it takes is one person pointing fingers and anyone they talk to who isn't knowledgeable about security will happily do their bidding.

This is a way of responding to those ill-advised people by saying, not only is it legal, but somebody was sued for reporting something stupid like that as a crime. It's total CYA (Cover Your Ass) material for us out in the field.


--
Society needs therapy. It's having
trouble accepting itself.

Legality (2.66 / 6) (#5)
by CyberQuog on Mon Dec 18, 2000 at 07:21:58 PM EST

Hasn't port scanning always technically been legal? I was under the impression that most ISPs and servers don't appreciate it.


-...-
Port Scanning (3.33 / 3) (#6)
by xrayspx on Mon Dec 18, 2000 at 10:32:42 PM EST

I've personally never discouraged portscanning on any of the networks I've controlled. The way I see it, as long as I've secured the machines with patches and kept up on exploits, I've held up my end of the bargain. If anyone can learn anything by scanning the networks to try and figure out how we did things, so much the better for them.

They shouldn't get anything from it, but if they do, more power to them. The only time I've ever even contacted an ISP was when we were portscanned, then the kid tried 4500 different logins with null passwords in 3 minutes. Even then though, we watched the attack, he didn't get anywhere, no harm done. There's no reason to call the feds (wouldn't have helped, it was a Belgian dialup anyway).

However, scanning and false attacks can serve a good purpose, maybe your upstream internet provider is full of shit, and you pay them >$1000/month, you want to know how secure their networks are.
"I see one maggot, it all gets thrown away" -- My Wife
Work != Damages (4.00 / 5) (#7)
by MrSpey on Mon Dec 18, 2000 at 11:13:54 PM EST

What the decision basically says is that if my server gets port scanned, the time I spend figuring out who scanned me and what they're up to is not 'damage' caused by the scan. This is important to realize. It means that if I'm doing something legal, regardless of what, then if it happens to bother someone, or inspire them to poke around my system or their own, then it's not my fault. This is a very good ruling from a principle point of view. What I read out of the ruling is that if you have a box on the internet, it's your own responsibility to secure it. Sure, if someone hacks your box then you have every right to go after them (leaving your front door unlocked doesn't mean that it's okay for someone to walk in off the street and take your stuff), but you still have a certain obligation to spend some of your time making sure you aren't full of holes.

Mr. Spey
Cover your butt. Bernard is watching.

Just for a laugh (1.00 / 1) (#9)
by jann on Tue Dec 19, 2000 at 05:11:48 PM EST

K5 had this BEFORE slashdot ... kinda humorous

So what? (none / 0) (#10)
by elemental on Wed Dec 20, 2000 at 02:03:20 AM EST

Legal or not, persistent scans of any system I control (persistent, meaning one scan never to be heard from again doesn't count) will still be logged and reported to the originating ISP. Why? Because it's my system. If you're here without my explicit permission, you're trespassing, IMHO.


--
I love my country but I fear my government.
--> Contact info on my web site --

