
I discovered shodan.io recently when I was tailing the logs of a VPN server and saw a connection attempt from an IP I did not recognize. The IP was registered to shodan.io and tried to connect without authentication credentials. I looked up the IP of my box on Shodan and sure enough, there it was, right on the wall of sheep.

Of course I blame myself for not whitelisting IP addresses, but I did not appreciate the connection attempt. Passive port scanning is one thing, but actively trying to establish a VPN session is another.

I was under the impression that port scanning IP addresses on the open internet without prior authorization was illegal under the CFAA. Obviously that's a provision commonly ignored by researchers, but at least they disclose any port scanning activity with some discretion and acknowledgement of its potential illegality. I'm surprised how blatantly upfront Shodan is about its operation.

Does anyone know the deal with this company/website? Why are they not worried about prosecution for their mass port scanning?
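The situation in the post above, as an added example (not code from the poster or from Shodan): a small log review that applies the source-IP allowlist the poster wished they had and flags unauthenticated connection attempts from any source outside it. The log format, allowlist and addresses are constructed for illustration (documentation ranges, not real scanner hosts).

```python
import ipaddress
import re

# Constructed, simplified VPN-server log lines (not from any real product).
# Source addresses are documentation-range IPs, not real hosts.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z 203.0.113.10:51234 TLS handshake complete, user=alice
2024-05-01T10:00:09Z 198.51.100.77:40022 connection attempt, no credentials presented
2024-05-01T10:00:10Z 198.51.100.77:40022 session rejected
2024-05-01T10:01:44Z 203.0.113.25:60001 TLS handshake complete, user=bob
2024-05-01T10:02:30Z 192.0.2.200:44000 connection attempt, no credentials presented
"""

# Hypothetical allowlist: only these client networks are expected to open sessions.
ALLOWED_CLIENTS = [ipaddress.ip_network(n) for n in ("203.0.113.0/24",)]

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<ip>[\d.]+):(?P<port>\d+) (?P<msg>.*)$")


def is_allowed(ip: str) -> bool:
    """True if the source address falls inside an allowlisted client network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ALLOWED_CLIENTS)


def review_log(text: str) -> list[dict]:
    """Return one alert per unauthenticated attempt from a non-allowlisted source."""
    alerts = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not carry a source address
        ip, msg = m["ip"], m["msg"]
        if is_allowed(ip) or "no credentials" not in msg:
            continue
        alerts.append({"ts": m["ts"], "ip": ip, "reason": "unauthenticated attempt outside allowlist"})
    return alerts


def block_candidates(text: str) -> list[str]:
    """Distinct offending sources, in first-seen order, for a firewall deny list."""
    return list(dict.fromkeys(a["ip"] for a in review_log(text)))


if __name__ == "__main__":
    for a in review_log(SAMPLE_LOG):
        print(f"{a['ts']} {a['ip']} {a['reason']}")
    print("deny:", ", ".join(block_candidates(SAMPLE_LOG)))
```

With the allowlist enforced at the firewall, the same sources never reach the VPN daemon; the review is still useful for confirming that the rule holds and for noticing new scanner ranges.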




You have the wrong impression. No United States law criminalizes port scanning. This is a legal and useful service.

See for yourself: https://nmap.org/book/legal-issues.html

Even if it were illegal, wouldn't the answer simply be to rent servers in a country where it isn't illegal (or is even condoned by the government) and scan away? I'd imagine most government responses to this would be IDGAF.


> Why are they not worried about prosecution for their mass port scanning?

In his talks the founder says he provides law enforcement with all the crawled data for free and that he has regular contact with the US CERT. So there doesn't seem to be any legal problem.

My opinion: Shodan doesn't try to exploit any known backdoors or common user/password combinations. Testing for anonymous/guest logins is fine in my view.


> In his talks the founder says he provides law enforcement with all the crawled data for free

Why is this a good thing?

Isn't it like trying every door in a neighbourhood and handing the FBI a list of all the properties that have been left unlocked?

Oh - and there's that very useful exploit dictionary too.

I ban all the Shodan IPs I can find as a matter of policy.


It's not necessarily a good thing, but it's a good indicator that it isn't obviously illegal (because otherwise law enforcement would try to hide that connection better).


I mean this in the nicest possible way, but...

You are bizarrely off base as to US law, ethical norms, and general customs. Shodan is doing nothing illegal or immoral; the fact that you think they might be suggests that you should step back and rethink your mental model of the internet, because that may not be the only mistake you've made.

(A couple of prosecutions have been attempted under the CFAA; they were thrown out as being completely groundless. On the other hand, other countries have other laws.)


Seems like a net positive to notice some attempt that likely has little/less/no malice, since it may aid you in increasing your security so you are more prepared for when someone who actually has malice does the same thing.



