
I was wondering if you know how to portscan the internet and be compliant with the law. I mean a SYN scan and a little UDP one. Such a database would be very useful, and should be public anyway. I think this would be a great push for internet security, if everyone received their free annual report.

I am not joking: the Chinese are scanning everything all the time, so for defence I think I should do the same, for the legal purpose of defence. This way I will be able to isolate myself from vulnerable networks.

Andrew Smith
  • I disagree with making it public. Possibly allow public submissions of found vulnerabilities, but you should not announce live vulnerabilities before giving the site owners adequate time to fix. What if a service you use is vulnerable, would you be ok if information used to attack your accounts was made public? You could possibly announce after say a year's worth of time not being fixed, but even then I'd hesitate (even with a vague announcement). Don't make the black hats' jobs any easier. – dr jimbob Jul 09 '12 at 20:55
  • http://www.shodanhq.com/ does it in some fashion. I am not sure how they address the legal part, but you could likely research how they have addressed it. – Tate Hansen Jul 09 '12 at 23:05
  • But if I publish it, surely it will get fixed next day ;-) – Andrew Smith Jul 09 '12 at 23:11
  • @AndrewSmith You clearly have no idea how long it takes to push a fix. Have a look through the bugtraq mailing list and see how long it usually is between reporting the bug to a vendor and having it fixed. –  Jul 10 '12 at 01:50
  • OK, thanks, now I know what I am going to do. I will scan only myself, like mobiles, routers and networks, so this way I can see what the Chinese scanner can see, so when I open a port by mistake on some new device I get alerted. Same as arpwatch, portwatch would do the same, and the IP numbers are taken from the authentication server. Slashdot does the same: they check for HTTP proxies on your source IP. – Andrew Smith Jul 10 '12 at 06:54
  • Fyodor already scanned the whole Internet in 2008 - http://nmap.org/presentations/BHDC08/bhdc08-slides-fyodor.pdf - but since the Internet is many times bigger (4 years later) maybe it's worth a review ;-) – Mark Hillick Jul 10 '12 at 08:32
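The "portwatch" idea from the comments above (scan only hosts you own, keep the first result as a baseline, alert when a later scan shows a port that was not open before) can be implemented as a diff over nmap's grepable (`-oG`) output. The following is an added example, not code from the question or the answer; the host addresses, hostnames and both scan outputs are constructed sample data in the `-oG` line format, not real scan results, and the `ALERT`/`info` wording is an arbitrary choice.

```python
"""Baseline-and-diff check over nmap "grepable" (-oG) output.

Added example for the "portwatch" idea: scan only the hosts you own, keep the
first result as a baseline, and alert when a later scan shows a port that was
not open before. Both scan outputs below are constructed sample lines in
nmap's -oG format (assumed addresses in the 192.0.2.0/24 documentation range).
"""
import re
from typing import Dict, List, Set, Tuple

# Constructed sample: baseline scan of two hosts we own.
BASELINE_OG = """\
# Nmap scan initiated (constructed sample)
Host: 192.0.2.1 (router.example)\tStatus: Up
Host: 192.0.2.1 (router.example)\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///\tIgnored State: closed (998)
Host: 192.0.2.10 (nas.example)\tStatus: Up
Host: 192.0.2.10 (nas.example)\tPorts: 445/open/tcp//microsoft-ds///\tIgnored State: filtered (999)
# Nmap done (constructed sample)
"""

# Constructed sample: a later scan. The NAS now exposes telnet (the mistake we
# want to catch) and the router no longer shows port 80.
CURRENT_OG = """\
Host: 192.0.2.1 (router.example)\tPorts: 22/open/tcp//ssh///\tIgnored State: closed (999)
Host: 192.0.2.10 (nas.example)\tPorts: 445/open/tcp//microsoft-ds///, 23/open/tcp//telnet///\tIgnored State: filtered (998)
"""

PortKey = Tuple[int, str]  # (port number, protocol), e.g. (22, "tcp")

# Matches "<port>/open/<proto>/" only. UDP entries reported as
# "open|filtered" deliberately do not match: they are not confirmed open.
_PORT_RE = re.compile(r"(\d+)/(open)/(tcp|udp)/")


def parse_grepable(text: str) -> Dict[str, Set[PortKey]]:
    """Return {host_ip: {(port, proto), ...}} for ports reported as open.

    Only tab-separated "Ports:" fields are used; "Status:" lines and '#'
    comment lines are skipped. A host whose Ports field lists no open
    entries maps to an empty set, so that a host dropping off the scan is
    distinguishable from one with nothing open.
    """
    result: Dict[str, Set[PortKey]] = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        fields = line.split("\t")
        ip = fields[0].split()[1]  # "Host: <ip> (<name>)" -> <ip>
        for field in fields[1:]:
            if field.startswith("Ports:"):
                ports = {(int(num), proto) for num, _state, proto in _PORT_RE.findall(field)}
                result.setdefault(ip, set()).update(ports)
    return result


def diff_scans(baseline: Dict[str, Set[PortKey]],
               current: Dict[str, Set[PortKey]]) -> Dict[str, Dict[str, Set[PortKey]]]:
    """Per host, report ports newly open ("opened") and no longer open ("closed").

    A host present only in the current scan has every open port reported as
    opened: a new device appearing on your own network is exactly the case
    this check exists for.
    """
    report: Dict[str, Dict[str, Set[PortKey]]] = {}
    for ip in sorted(set(baseline) | set(current)):
        before = baseline.get(ip, set())
        after = current.get(ip, set())
        opened, closed = after - before, before - after
        if opened or closed:
            report[ip] = {"opened": opened, "closed": closed}
    return report


def format_alerts(report: Dict[str, Dict[str, Set[PortKey]]]) -> List[str]:
    """Render the diff as one line per change, per host, newly opened ports first."""
    lines: List[str] = []
    for ip, changes in report.items():
        for port, proto in sorted(changes["opened"]):
            lines.append(f"ALERT {ip}: {port}/{proto} newly open")
        for port, proto in sorted(changes["closed"]):
            lines.append(f"info  {ip}: {port}/{proto} no longer open")
    return lines


if __name__ == "__main__":
    # In practice: nmap -sS -oG baseline.gnmap <your own hosts>, then re-run
    # periodically into current.gnmap and feed both files to parse_grepable().
    report = diff_scans(parse_grepable(BASELINE_OG), parse_grepable(CURRENT_OG))
    for line in format_alerts(report):
        print(line)
```

Ports that nmap reports as `open|filtered` (typical for UDP without a response) are intentionally not treated as open, so a UDP-only change is not alerted on until it is confirmed; if that is too conservative for your network, widen `_PORT_RE`. Run it only against addresses you own or have written permission to scan, which is the point the answer below makes at length.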

1 Answer

The question cannot be answered (but my bet is on "No way!"): "the Internet" is a transnational entity. So two adjacent IPs might be on the opposite sides of a border, and what is legal (or at least not forbidden by law) for one might be a crime for the other.

In some South European countries (chuckle), a portscan can be construed as "suspicious behaviour" -- in those same countries, if you walked by wearing a mask and carrying a prybar, you could be detained and, lacking a convincing explanation, arrested. So-called "abstract danger of criminal conduct", allowing the inversion of the burden of proof.

In such a case, you would be required to demonstrate that your portscan is NOT a preliminary to an attack; it is not the portscanned party that has to prove you ARE reconnoitering for an attack.

In many other countries (France, Germany and Denmark, but probably most of Europe), any "unforeseen" usage of network resources has to be cleared with the owner of same. It is of no importance that the "usage" is limited to a packet of a few bytes, nor that every day spammers and worms perform much greater abuse.

Also because, if you were to be permitted a slow portscan, why should everyone else be excluded? And if everyone were to run a portscan, however slow...

So, you might be onto something if you:

  • offered the service to interested third parties,
  • cleared it with them (obtaining probably a written permission)

...and then most of them would require that you keep their vulnerabilities confidential, of course. No public DB of open relays, Jurassic SQL servers or DBs open to a default password.

Update/expansion on comment by Mark
Disclaimer: I Am Not A Lawyer (and I'm pretty fast approaching the limits of my knowledge)

The breadth of interpretation is generally mainly targeted at allowing prosecution "in case of need" (there is a well-known quote attributed to an Italian PM of the 19th century, "Laws are applied to enemies, but interpreted for friends").

In Italy, portscanning a system is likened to a "look at a door" - it may be a passing gaze or a deep, expert stare capable of assessing the lock's strengths and weaknesses [ http://www.civile.it/internet/visual.php?num=44650 ]. The hardliners hold that while a "gaze" is a passive action whence no intent may be gleaned, a portscan implies affirmative action to be undertaken, and is therefore more alike to looking with binoculars - you need the equipment, the knowledge and the intention to use it.

A legal analysis of the portscanner's position may be found here, but it is written in Italian legalese: http://www.ordineavvocati.roma.it/Documenti/TemiRomana/GiurisprudenzaDottrinaDirittodellInformatica_2.pdf - the long and the short of it is: a guy ran a portscan and got his DSL account pulled; he went to trial claiming that a portscan isn't a crime -- and lost. The commenting lawyers are more doubtful, but they admit that the contract prohibited "any improper use of the service", and portscanning wasn't listed in the "proper uses" (for that matter VoIP wasn't -- and still isn't!), so.

The key point is that "intent" can be "assumed", "proved", or "disproved", and due to the lack of certified telepaths it's all in the hands of the lawyers.

In Germany the regulations instituting the Cyber-Abwehrzentrum coordination speak vaguely of "suspicious activities", which I take to mean that if a Polizeioffizier has a bad hair day, sending an email to a mistyped address might earn you an audit (it could be an "act preparatory to data espionage").

Again, a good lawyer may get you out scot-free. But if a judge gets convinced you were up to no good (e.g. you did that before, are a notorious hacker, etc.), then laws exist allowing you to be locked in for some years.

(The NCAZ actually deals with threats to the State, but since they may come from individual ISPs and terminals, they have jurisdiction on individual (i.e. not a firm's) accounts too).

Simple possession of tools such as nmap or hping MAY lead to a sentence of up to one year (I'm not kidding you. Google 'Section 202c' of the German Strafgesetzbuch on IT). So things like this may and do happen: http://news.techeye.net/security/security-expert-acidgen-sued-for-vulnerability-warning .

Laws not too different (albeit differently worded and held in different regard by local magistrates and lawyers [this last is my opinion, of course]) are in effect throughout the European Union due to EU law uniformity, so I'm pretty confident that the situation, at least potentially, is probably not so different in countries of which I know nothing, such as Belgium or Spain.

Of late, the "early bird" interpretations of EU directives on cracking down on hackers adopted by Germany have made their way into an EU law proposal (the difference being, AFAIK, that EU directives "may" be transmogrified into individual countries' law corpus, while EU laws must -- actually, they automatically are): http://www.europarl.europa.eu/news/en/pressroom/content/20120326IPR41843/html/Hacking-IT-systems-to-become-a-criminal-offence . The problem being, who says what is hacking software and what is not?

LSerni
  • It's interesting to learn that some countries require "unforeseen usage" to be pre-approved. I'm sure it is intentionally so broad. Can you provide any links to more detail? – Mark Jul 09 '12 at 22:38
  • Some. Editing the answer... – LSerni Jul 10 '12 at 05:57