On 23 Jul 99, at 12:30, Derek Martin wrote:

> On Thu, 22 Jul 1999, Bill Joynt wrote:
> 
> > So your argument is that port scanning is considered permissible use?
> > That's what this really comes down to. The analogy of ringing a doorbell is
> > inaccurate. To use your example, connecting for email is exactly the same as
> > port scanning. Therefore, port scanning is making use of a website. And
> > clearly, it should not be considered permissible use.
> 
> NO NO NO NO NO.  My argument is that port scanning, from a technical
> standpoint, is indistinguishable from "acceptable use" and that there is
> no real, clearly defined, practical definition of acceptable use. Er,
> permissible use.  

NO NO NO NO NO.  *MY* argument is that port scanning, from a technical
standpoint, is indistinguishable from "UNacceptable use" and that there is
no real, clearly defined, practical definition of unacceptable use THAT DOES 
NOT INCLUDE port scanning.
  
> The whole permission thing is a giant grey area.  If you put a server on
> the net, anyone can connect to it, which actually is the point.  I'm sure
> the guys who designed the ARPANet in the first place would agree. If you
> don't want to give people permission to connect to your server, DON'T
> CONNECT IT TO THE INTERNET.

If you put a server on the net, OTHER MACHINES can connect to it, which 
actually is the point.  If you only want to give SOME people permission to 
connect to your server, GIVE THEM PERMISSION TO CONNECT.  On what basis do 
you claim that there is an obligation to extend permission to the world?

> If you don't want people accessing particular ports on your server, DON'T
> RUN SERVICES ON THEM.  You can't connect to a port that isn't listening
> and therefore you can't break in through it.  This is why port scanning is
> harmless, and why it shouldn't be specifically illegal.

If you want SOME PEOPLE accessing particular ports on your server, YOU MUST
RUN SERVICES ON THEM.  They can connect to a port that is listening, and/but
others may try to break in through it.

> My contention simply is, that if you have a server on the internet, and
> you have services running on its ports, you have implicitly given people
> "permission" to connect to it, since in most cases, it is impossible
> and/or impractical to ask permission.

My contention simply is, that if you have a server on the internet, and you 
have services running on its ports, you have apparently given SOME people 
"permission" to connect to it.  In most cases you will advertise those 
services to the people whom you intend to use them.

> Therefore, the only practical way for me to find out what services are
> running and hence what services I have permission to connect to on your
> server, is to connect to it and see.  

Therefore, if you have not been told that server X is hosting service Y, it 
is entirely possible that service Y is only provided for customers on list Z, 
who would have been informed of its availability.  

  [Your axiom seems (to me) to be:  "What is permitted to ANY is permitted to 
ALL".  Essentially, you're rejecting the whole notion of private property, and 
regarding all of cyberspace as Commons.
  As an Ideal, I think this is commendable.  [I think Proudhon made the case 
pretty convincingly.]  As a practical matter, I see this as the basis for a 
great deal of abuse, including the famous Green Card Lottery spam of a few 
years back.  [The argument of the lawyers who perpetrated that incident 
seemed to me to amount to a claim that if there was no billboard already on 
the side of my house, it was fair game for them to erect one there....]
  If we reject the notion that servers are property, with owners who are 
entitled to determine what uses to permit and what to deny, AND TO WHOM, then 
of course we have no longer any basis for Computer Security as a field; we 
should pack up this mailing list and all go find USEFUL things to do instead.]

> This is why people use the analogy of the store front.  It really is a very
> good analogy.  The idea is here that you have a store, and the store has a
> front door, and in order for you to see if the store is open for business
> you have to try to open the door...  No? 

  Do you walk up to the door of the local Ford plant when you want to buy a 
car?  Do you knock on every door on your block, looking for someone who has a 
car to sell?  Does every building, by virtue of having a street address, 
invite your inquiry as to whether perhaps they have a car to sell?
  NO.  You notice (or look for) an advertisement, on TV or in the Yellow 
Pages or in the newspaper, for someone who tells the world that they have the 
kind of car you want *offered for sale*.

  Simple analogies to the material world break down when applied to port-
scanning.  In the material world, we can stand across the street and count 
the windows on a building without approaching.  With a port scan, we 
*effectively* have to take a pole and tap on the wall, looking for spaces or 
places that sound like glass when tapped (or perhaps toss a baseball at the 
wall), and then try to insist to the owner that we were not trying to *break* 
any of the windows, just count them.
  The fact that the technology doesn't allow us to "stand across the street 
and count the windows" does NOT, I think, constitute an implicit permission 
to determine the number of windows by more aggressive/intimate means.  It may 
mean that we have to live with not always knowing how many windows every 
building has, especially when we cannot demonstrate any compelling need to 
know that.  I'm afraid I don't grasp why some people find that idea so 
intolerable.


David G