--- djahandarie@gmail.com wrote:
From: Darius Jahandarie <djahandarie@gmail.com>

Either way, in the US at least, it's not legal to port scan random machines on the internet, so this was a rather useless exercise. (And
------------------------------------------------------

Want to re-write that section or should I respond now? ;-)

scott
Have a look at the talks done by Fyodor, the creator of Nmap, "Scanning the Internet".

http://nmap.org/presentations/BHDC08/bhdc08-slides-fyodor.pdf
http://www.securitytube.net/video/170
http://blog.thc.org/index.php?/archives/2-Port-Scanning-the-Internet.html

Also, if you are looking for a host, CloudSigma are open to Security Researchers using their VPS system for this kind of work.

http://www.cloudsigma.com/

On 16 Oct 2012 05:59, "Scott Weeks" <surfer@mauigateway.com> wrote:
--- djahandarie@gmail.com wrote: From: Darius Jahandarie <djahandarie@gmail.com>
Either way, in the US at least, it's not legal to port scan random machines on the internet, so this was a rather useless exercise. (And ------------------------------------------------------
Want to re-write that section or should I respond now? ;-)
scott
On Tue, Oct 16, 2012 at 12:57 AM, Scott Weeks <surfer@mauigateway.com> wrote:
Want to re-write that section or should I respond now? ;-)
I always thought it wasn't allowed because of 18 USC § 2701, but IINAL, would be happy to hear otherwise :).

--
Darius Jahandarie
On Tue, 16 Oct 2012 08:48:47 -0400, Darius Jahandarie said:
On Tue, Oct 16, 2012 at 12:57 AM, Scott Weeks <surfer@mauigateway.com> wrote:
Want to re-write that section or should I respond now? ;-)
I always thought it wasn't allowed because of 18 USC 2701, but IINAL, would be happy to hear otherwise :)
If a portscan allows access to stored communications, you have bigger problems.
On Tue, Oct 16, 2012 at 9:46 AM, <Valdis.Kletnieks@vt.edu> wrote:
On Tue, 16 Oct 2012 08:48:47 -0400, Darius Jahandarie said:
On Tue, Oct 16, 2012 at 12:57 AM, Scott Weeks <surfer@mauigateway.com> wrote:
Want to re-write that section or should I respond now? ;-)
I always thought it wasn't allowed because of 18 USC 2701, but IINAL, would be happy to hear otherwise :)
If a portscan allows access to stored communications, you have bigger problems.
In particular, my understanding was that since you're sending a SYN, it could very well initiate access to stored communications (although that may have not been the intent of the SYN).

But maybe I'm wrong -- and even if I'm right, this seems like something that probably wouldn't hold in court very well anyways.

--
Darius Jahandarie
On Tue, 16 Oct 2012 11:38:52 -0400, Darius Jahandarie said:
In particular, my understanding was that since you're sending a SYN, it could very well initiate access to stored communications (although
What 18 USC 2701 actually says, courtesy of www.law.cornell.edu:

"Offense. - Except as provided in subsection (c) of this section whoever:

(1) intentionally accesses without authorization a facility through which an electronic communication service is provided; or

(2) intentionally exceeds an authorization to access that facility;

and thereby obtains, alters, or prevents authorized access to a wire or electronic communication while it is in electronic storage in such system shall be punished as provided in subsection (b) of this section."

First off, I believe (but don't have citation handy) there's actual case law that says that a SYN scan doesn't count as "access" (either without or exceeding authorization). And that's *stored* communications (in other words, your mail spool, not mail in-flight).

You're better off chasing 18 USC 2511 (wiretapping, where the bits are in motion), and of course the 800 pound gorilla would be 18 USC 1030 (Fraud and related activity in connection with computers). And I'm pretty sure that an NMAP scan doesn't rise to the definition of 'accessed' for any of those.

Of course, if the answer actually matters, ask a competent lawyer you've paid for advice. ;)
On 10/16/12, Darius Jahandarie <djahandarie@gmail.com> wrote:
On Tue, Oct 16, 2012 at 12:57 AM, Scott Weeks <surfer@mauigateway.com> wrote:
I always thought it wasn't allowed because of 18 USC § 2701, but IINAL, would be happy to hear otherwise :).

18 USC 2701 is not necessarily the only consideration.
I would rather say that there might be a risk of criminal and civil liability, for all entities intentionally participating in, assisting as accomplices in, or facilitating as service provider, software provider, providers of information or operating instructions, etc, for, anyone conducting or intentionally assisting an unauthorized port scan of a different ISP's address space, that varies with jurisdiction, and you should consult your counsel, to determine if any precautions are appropriate to manage the risk, such as obtaining proper Letters of authorization from IP address assignees in advance, or if the responsible entity determines that you must abstain from the activity entirely, because the risk level is too high.

By definition, a reputable service will not have a policy that you may execute internet-wide port scans of arbitrary ports that include IP networks/addresses that are not either assigned to you, your ISP customer, or that you have specific written permission to scan, as they will want to manage the risks to themselves properly as well.

Port scans are strongly associated with malicious activity. And there are other risks of adverse actions, besides legal ones, such as the service provider's address space becoming widely blacklisted or becoming depeered.

Before a network service provider offers any kind of service that permits the SPs' services to be used for arbitrary port scans of other remote networks, they are likely to have taken steps to protect themselves, by setting some terms of use and policy restrictions on what conditions and parameters must be met, before a scan is allowed.
Darius Jahandarie

--
-JH
----- Original Message -----
From: "Scott Weeks" <surfer@mauigateway.com>
From: Darius Jahandarie <djahandarie@gmail.com>
Either way, in the US at least, it's not legal to port scan random machines on the internet, so this was a rather useless exercise. (And ------------------------------------------------------
Want to re-write that section or should I respond now? ;-)
I was gonna say {{citation-needed}}, myself, but yeah: "Huh?"

Cheers,
-- jra
--
Jay R. Ashworth                  Baylink                       jra@baylink.com
Designer                     The Things I Think                       RFC 2100
Ashworth & Associates     http://baylink.pitas.com         2000 Land Rover DII
St Petersburg FL USA               #natog                      +1 727 647 1274
participants (6)
- Bacon Zombie
- Darius Jahandarie
- Jay Ashworth
- Jimmy Hess
- Scott Weeks
- Valdis.Kletnieks@vt.edu