Though port scanning can be (and maybe even frequently is) done with malicious intent by looking for misconfigured/bugged servers, I disagree that it's inherently malicious. Port scanning is just about checking to see what services a host is offering you. It's like going to a random shop at a mall and asking what services they provide. Would asking about their services be malicious?
It feels like the reason asking about services is considered malicious is because shops frequently give out info to the public that they shouldn't have. It's like:
client: What services do you provide?
shop owner: Well, I can provide you with a list of all my clients along with their personal information they entrusted to me.
So, is the client being malicious for asking or is the shop owner the one that was in the wrong for mistakenly providing that info to the public?
I feel the only reason we don't blame the shop owner is because even though he's the one that mistakenly discloses private info, sometimes he's just following a script written by a random programmer unassociated with him. Maybe the response was a mistake on the programmers part, maybe it was a mistake in how the shop owner used the script (a configuration error). In the end, it's simpler to blame the client for asking out-of-the-box questions (after all, most clients just come in to ask if you're giving out flyers/pamphlets because that's what everybody does) and so they don't feel responsible for the response that results.
I can provide a shop that also offers things different than http(s) with open access to the public. It shouldn't be a crime/violation to ask me if I offer them.
I think the dynamics of the Internet have shifted from the early days. Basically, HTTPS on port 443 is pretty much the only service that anyone intends to make publicly available. This is different from 30 years ago, when those same sites had HTTP, FTP, Gopher, a public Telnet server, a public NTP server, etc. and they wanted you to use them. It was very reasonable to look around back then, but nowadays anything that is available publicly is probably an accident.
Exactly! And do we want to continue on that trend? Personally, I don't.
I dislike the growing idea that HTTP is a core part of the internet, and not just the most popular part. The difference lies in if we're going to see legislation that dictates proper use of the lower networking layers like TCP/IP by stuff of the upper layers like HTTP. I'd really hate to see something along the lines of "it's illegal to use a TCP port unless it was specified as available to the public in some (possibly js-rendered) part of an HTTP response."
I don't think it's worth getting caught up on which data framing protocol everyone is using. Everything that Gopher, IRC, FTP, etc. did are perfectly expressible as any other RPC protocol; these things were just RPCs before we invented the term RPC. Now we have protocols that can generically transport any RPC, and so we don't need to think about these things in terms of port numbers or running services.
True, as if the browser is the only tool to access the Internet. Today with the much bigger security awareness it would be thinkable to allow file sharing over Internet or to fail-over to the neighbour's Internet uplink when the own DSL provider has a problem. All these things become increasingly difficult. (Actually Bruce Schneier was once writing on his blog that he has an open Wifi at home)
I don't think port scanning and computer intrusions are comparable. As always, I believe, in both state (like CA 502) and federal law (like CFAA), state of mind is what matters. You have to intend to gain unauthorized access (or, in California, the resources of that computer). A port scan by itself can't do that; on the flip side, randomly accessing URLs can do that, so even though you don't need special "malicious" tooling to hit a URL, you can charged with a felony for (say) dumping lots of private information from a URL you simply type into your browser bar.
Even in California, the resources that you can access and consume from a port scan of a browser visiting your site are essentially the same as you'd get from running Javascript on your page. A legal claim based on those scans seems very far-fetched.
Message board nerds seem totally convinced of the idea that computer crime law tracks the state of the art in offensive computer security, but the two concepts aren't directly connected at all.
I speak both for myself and, I think, for a lot of security researchers both academic and professional when I say that I am very, very nervous poking at a website that hasn't given me permission to, say, check if an input that generated a crazy error is, say, letting me inject SQL, while at the same time I am never scared about port scanning things. There are companies, well-respected companies, that do nothing but port scan everything on the whole Internet.
In this case, eBay is the shop, and I'm the customer. It's like walking into eBay and when I walk in I have to empty out all of my pockets and open my phone screen to show them that no one is telling me what to shop for (VNC).
No, because of the existence of client-side scripting with javascript, it's actually eBay that's running on your computer acting as the customer toward the shop that's your computer. You're right that the end effect is similar to having to empty out your pockets, but the underlying issue of why they're able to do that is a whole 'nother can of worms.
That's a bad analogy. It wrong because you can see what doors, cupboards and drawers are available for the public. Doors that are in-reach but that shouldn't be used by the public have signs like "restricted access" or "employees only". You can't do that with the internet. You can't see that a port is not available to you until you try it.
If you want to continue using that analogy, then you have to consider that everybody is blind and deaf, and checking to see what's locked is the only way to know if something is available.
> That's a bad analogy. It wrong because you can see what doors, cupboards and drawers are available for the public. Doors that are in-reach but that shouldn't be used by the public have signs like "restricted access" or "employees only". You can't do that with the internet. You can't see that a port is not available to you until you try it.
But you can see what ports/doors are available. TCP doors are defined in the RFC and they are numbered 0-65535. Those are the ones available.
Port scanning still is analogous to trying all these doors and see which one are open.
Just because it is a lot of doors to choose from doesn't make it very different. That's why guests ask a host where the bathroom is.
When you visit a website, it's not very cool for that site to check which of all your TCP ports are open. It's none of their business.
I made this edit to the post you replied to. You probably missed it:
> If you want to continue using that analogy, then you have to consider that everybody is blind and deaf, and checking to see what's locked is the only way to know if something is available.
About this:
> instead of waiting for the guy to tell you which one to go to?
How does that translate to TCP/IP? What is "the guy" representing? The way I see it, there is no guy.
Port scanning is a brute force, over-reaching probing technique. A better analogy would be like visiting a shopping mall and trying to open every closed door you see, including the ones that say "authorized personnel only", "private", "do not enter" with an excuse like "I was trying to find out which shop was open".
> including the ones that say "authorized personnel only", "private", "do not enter" with an excuse like "I was trying to find out which shop was open".
I don't think this part of the analogy is accurate. There are no "authorized personnel only" ports
Any port that isn’t advertised to you explicitly is an overreach. You don’t run through hosts and ports to “find out services to use”. What’s a legitimate use case for that other than peeping?
I used to think the exact same thing about wardriving.
Nobody should catalog wifi access points and their location!
Of course, now this ethical lapse is a business model and apple, google and everyone else does it. literally anyone with a smartphone is doing this to your wifi access point. And they will do the reverse to find out precise location.
Exactly. There are assumptions in every threat model, and violating them isn't a legitimate use case because someone "forgot to protect" their private resource. "Door wasn't locked" isn't an excuse.
> including the ones that say "authorized personnel only", "private", "do not enter"
Basically, to answer you separately, an analogy like that doesn't represent TCP accurately. In your analogy, you can
1) see from afar for visual cues indicating whether access is being given to you, and
2) try opening it.
Your argument is that doing 2 is invasive, because they can do 1.
However, in TCP, you can only try to make the connection. There is no see from afar. If I give you an IP address, there's no standard way for you to tell me whether FTP is available, without trying to connect to the port! That's your only choice!
So, yes, "I was trying to find out which [service is available]" is a very valid reason.
> Port scanning is a brute force, over-reaching probing technique.
It certainly is brute-force, and that sucks. I think there's a network service / protocol called Portmapper/rpcbind[2] that lists the services available and port numbers they're on. I only know that NFS uses it, but nothing else. If that were standard, then I'd agree port scanning is over-reaching. As it stands, though, I don't consider it over-reaching when it's the only TCP mechanism to see what's available online.
Nope. Ports that you can use are already advertised to you: web links, MX records, registrar records, WSDLs etc. Enumerating all ports that aren’t advertised to you is an overreach.
But when I'm visiting a website, I am not a "store". These ports are on localhost, that's more like asking where is the sign saying that my bedroom door is not for you to try and open. However, I will tell you behind which door the bathroom is.
Though port scanning can be (and maybe even frequently is) done with malicious intent by looking for misconfigured/bugged servers, I disagree that it's inherently malicious. Port scanning is just about checking to see what services a host is offering you. It's like going to a random shop at a mall and asking what services they provide. Would asking about their services be malicious?
It feels like the reason asking about services is considered malicious is because shops frequently give out info to the public that they shouldn't have. It's like:
client: What services do you provide?
shop owner: Well, I can provide you with a list of all my clients along with their personal information they entrusted to me.
So, is the client being malicious for asking or is the shop owner the one that was in the wrong for mistakenly providing that info to the public?
I feel the only reason we don't blame the shop owner is because even though he's the one that mistakenly discloses private info, sometimes he's just following a script written by a random programmer unassociated with him. Maybe the response was a mistake on the programmers part, maybe it was a mistake in how the shop owner used the script (a configuration error). In the end, it's simpler to blame the client for asking out-of-the-box questions (after all, most clients just come in to ask if you're giving out flyers/pamphlets because that's what everybody does) and so they don't feel responsible for the response that results.
I can provide a shop that also offers things different than http(s) with open access to the public. It shouldn't be a crime/violation to ask me if I offer them.