On Mon, 26 Jul 1999, Paul D. Robertson wrote:

> As much as you'd like to believe that port scanning does no harm, you
> can't *know* that.

O.k. I can agree with that, but as I already said if a DoS results, that
IS an intrusion and I think that's a case where you should be able to
bring some action against the perpetrator.  I was specifically arguing
cases where the scan had no impact, and was not followed by an attack.

In general a simple port scan is harmless, and does not need to send large
packets that will fragment and cause problems.  The vendor must still bear
some responsibility for having a buggy implementation.  A legitimate user
might still connect to a buggy port and crash the box. And I would also
agree that scans not conducted in this manner are attacks. 

I and others have presented valid reasons for doing port scans (at least
as far as we're concerned), and I can personally name several people that
have done port scans and not attacked the scanned machines, myself
included.  I don't do it on a regular basis but I have done it more than
once.  To the best of my knowledge no damage was done as a result (i.e. the
boxes remained reachable afterward). Do you think I should have a criminal
record now, which could potentially damage my ability to earn a living at
what I'm best at?  Or even at all?  Most employers, especially in
"professional" atmospheres, are very reluctant to hire people with any
sort of criminal record.  For an offense so trivial, I can't see that such
a consequence is warranted.

I think you're still missing the point though... if you want to have a
law about breaking into machines, and have it be a just law, then you need
to clearly define what constitutes an attack.  I personally think that
this is very difficult to do in general, and very much so in the case of a
port scan.  It seems to be in a grey area that I think should be left
alone. In any case, I don't believe that the average legislator has the
expertise to make decisions about this kind of problem.

I want laws to protect people from malicious system crackers as much as
you do, I just don't want to see people prosecuted and incarcerated for
doing things that essentially have no consequence to anyone. There is a
great deal of FUD spread about cracking that frankly, I find disturbing. 
It's almost to the point that in some people's eyes anyone who has any
talent as an IT professional is portrayed as evil.  I'm exaggerating to
make a point, but I have no doubt that you've seen examples of this. 
Especially for people in the computer security business... how many people
have you heard say they believe that virus software companies write new
viruses to stay in business? 

Let me ask you this: what do you think should be the punishment for a port 
scan?  


--
Derek D. Martin           |  UNIX System Administrator
[EMAIL PROTECTED] |  [EMAIL PROTECTED]

-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]