On Thu, 22 Jul 1999, Dave Gillett wrote:
> >
> > Did you obtain the permission to send mail to this mailing list from the
> > owner of the machine and network that it resides on? NO? YOU MUST BE
> > BREAKING THE LAW by sending your mail then... by your definition.
>
> There are important differences between:
>
> 1. All port scans are legal. [The assertion I believe I've been
> rejecting.][In the passage quoted above, Matthew appears to me to be arguing
> that all port scans must be legal because some are legitimately useful.]
>
> 2. Some accesses are illegal, and in many cases port scans may be construed
> as meeting the criteria for illegality (whether this was the intention of the
> legislators or not).
>
> 3. All accesses are, or should be, illegal. [Which is how I think you've
> misrepresented my position here.]
I agree there are differences between those statements. I'm just not sure
what your point is. I certainly have not intended to misrepresent your
position in that way. I'll explain in a moment...
> One of the criticisms levelled at the Oregon statute is that while it
> criminalizes only "unauthorized" access, it never really defines what
> constitutes "authorization".
Exactly my point. You see, we agree, though we're coming at it from
different ends... My point was (which you failed to address) that the
mechanics of a port scan are NO DIFFERENT from the mechanics of connecting
to *ANY* TCP or UDP port, whether there's a mail server or a web server or
an SSH server or some other server running on the port or not. So how can
one be legal and one not? They are THE SAME. You could argue intent, but
it's very difficult to convict one on that argument alone, since it's easy
for him to argue that his intent was legitimate. And let's face it, if all
one does is scan your ports, there's really no harm done. You're just not
likely to see this become a convictable offense, or should I say you
SHOULDN'T see this become one... I'm all for bagging criminals, let's
just wait until they DO something worth bagging them for, eh?
> The question of whether or not I am authorized to send messages to the list
> presupposes that the list-owner is authorized to run a listserver on the
> host; I believe that would implicitly convey to them the right to authorize
> or deny individuals to post via the list. If you want to get really picky,
You're making assumptions... people break their TOS agreements all the
time. Do you KNOW that they have permission? Also your argument can be
used against you... I can say that the mere fact that Joe Admin put a
server up on the internet implies that I have permission to connect to it.
Isn't that the same thing?
> > Did you obtain the permission to send mail to this mailing list from the
> > owner of the machine and network that it resides on?
>
> must be: I have good faith belief that such permission was extended to me by
> someone authorised by that owner to extend such permission.
People often overlook that LOTS of different network services run on Unix
boxes, not just the common ones that you're accustomed to using from your
Windows PC (using you in the general sense here). I may have a legitimate
reason for trying to connect to a port that is, shall we say, *less*
standard than FTP, WWW and mail, for lack of a better way to put it.

For example:

A business contact of mine has a Unix workstation on his desk. I know
that he is running a web server on it. I also have a Unix workstation,
and I have an urgent need to get in touch with the contact, but he's not
answering his phone for some reason.

I know that Unix offers the "talk" facility, which allows two (or more,
depending on what talk client/server you're using) users on unix
workstations to chat with each other, like IRC.

So I try to connect to his box on UDP port 517 to see if he's got a talk
server running. Have I committed a crime? I also know that there are a
variety of other services that he may or may not be running which might
help me get in contact with him. So I do a port scan to see what's
available. Have I committed a crime? According to you I have.

To me, this is the same as dialing a random phone number and seeing if
someone answers. This isn't illegal, though it may be annoying, and so
long as the person who does it doesn't repeatedly do it when you ask him
not to, no crime is committed (that I know of, or even if one has you're
not going to see the Feds go knocking on the caller's door...) and no real
harm is done. So let it alone. I agree that it COULD be a prelude to an
attack, but it doesn't have to be, and if that's the case, prosecute the
ATTACK, not the scan. Scanning is harmless.

Derek D. Martin | UNIX System Administrator
[EMAIL PROTECTED] | [EMAIL PROTECTED]