[Owasp-Mumbai] Fwd: Legality of Port Scans

Dinesh O'Bareja dineshbareja at gmail.com
Mon Oct 20 00:39:55 EDT 2008


Yash - my statement that Port 80 is public is my own interpretation and not
from the law. I said that as an argument since anyone talking about this
port will say that the owner keeps this port open to public and accepts
connections to serve documents (webpages etc) to visitors (known and
unknown) - hence it has a public identity.

If you note my comments, I also mentioned that as the law matures we (may /
can) hope that terminology will be defined and included in relevant
provisions to make things more clear.

Now to come to your intention - you say you do not have malicious intent but
that's your word. You know, as well as I do, how difficult it is going to
be to explain that to the law enforcement officer and to convince him/her
that you were conducting a study.

It may be good to have an organization working with you rather than doing
this in an individual capacity. Considering the current fragile mindset
(because of the terrorist acts) it will be advisable to make sure that there
is "official" sanction to any such study.

I guess it will be nice to meet to discuss such issues in greater detail.

regards
Dinesh





On Mon, Oct 20, 2008 at 9:32 AM, TecCoder <teccoder at gmail.com> wrote:

> Dinesh,
>
> I'll be the first to admit it, I know absolutely nothing about law; so
> pardon my view if it's completely insane and radical :p
>
> But, who ever said Port 80 was public? I see absolutely no mention of this
> in the law, and if not stated it should and can definitely not be assumed.
> Can it?
>
> Although the office analogy is a great one, it is valid because the law
> states that you specifically cannot walk into private areas, aka
> trespassing. Also, in your analogy, I would say that in my opinion Port
> Scanning would be the equivalent of looking at the door. Identifying the
> version of the port would be like seeing what kind of security is used. Is
> it an RFID door? Card door? Lock and key? etc. However, again this is just
> opinion and mine could mean absolutely nothing.
>
> In-regards to malicious intent, that is the reason I am pushing this so
> much. I have absolutely no malicious intent. I am looking at, collecting
> large sums of anonymous data about the security and services running on a
> large section of computers running within the Indian IP Space to carry out
> statistical analysis on and obtain a decent set of results to use in
> board-rooms, media etc to create awareness about the real IT Security
> Scenario in the country.
>
> Every other day, I read random numbers in the Indian newspapers from
> Security Experts talking about how 70% of the web is vulnerable, 90% on some
> other days, etc. My intention was to create this raw data and use it to
> carry out a large amount of statistical analysis.
>
> Some of the questions I was looking at answering with numbers were:
> 1) How many high, medium, low vulnerabilities per server?
> 2) How many machines can be compromised completely as a result of these?
> 3) What is the average patch cycle of machines (judged by the age of
> services running)?
> 4) What are the most common flaws? How could they have been prevented?
> 5) What were the most commonly vulnerable services?
> 6) What is the most commonly used software in the country?
> 7) How many devices face the internet that should not do so?
> 8) How many machines are behind firewalls, ids, ips as opposed to not?
> 9) etc.. this is just from the top of my head before my morning coffee..
> :)
>
> Anyway, I will pull in a legal consultant on this. I am definitely not
> interested in breaking the law. I want to push the boundaries to their
> limit, but not be on the other side :p.
>
> Also, on the bright side, at least we have this mailing list talking again.
>
> --
> Yash Kadakia
>
>
> 2008/10/20 Dinesh O'Bareja <dineshbareja at gmail.com>
>
>> Yash
>>
>> Port 80 is a "public" port and when you visit a website it is a document
>> put out by the owner of the IP/domain who has put it up for public viewing.
>> So it is like visiting a company and being in their reception area where you
>> can get to see whatever and more they have put up on display. Up to now you
>> are not "intruding" or "snooping" into any area on the property where you
>> were not supposed to be.
>>
>> Now consider that you are in the reception and picked up the phone and
>> started studying the internal phone list, or making notes of the same; or
>> you started looking at the doors leading out of the reception area into the
>> office (pushing to see if the door opens) and making notes about which door
>> opened or did not open; or you start checking the electric switches - which
>> switch controls which light / fan / a/c.... you get my drift? You are
>> clearly engaged in some sort of intrusive activity!
>>
>> So even if you are scanning port 80 you are straying from the public
>> "open" path specified by the 'owner' which is that you can load the webpage,
>> or crawl the domain as per the directives for bots and such. However,
>> 'unauthorized' scan will surely lead to sticky questions about intent.
>>
>> About the law specifically mentioning port scans, I guess Dipak will
>> confirm that a port scan is yet to be recognized as an activity among others
>> and as the law matures all terms and activities in the realm of Cyber law
>> will be recognized and addressed. However, it will be pretty simple to
>> explain port scanning in the court and if this is not authorized it will be
>> easy to establish that you have been snooping with, possibly, malicious
>> intent to break and enter my network through the port.
>>
>> It will surely be interesting to know other points of view !
>>
>>
>> regards
>> Dinesh
>>
>>
>>
>> On Sun, Oct 19, 2008 at 10:49 PM, TecCoder <teccoder at gmail.com> wrote:
>>
>>> Dear Dipak,
>>>
>>> Thank you for your response.
>>>
>>> I just want to clarify a few things since you seem to have a strong legal
>>> understanding.
>>>
>>> How does the law define a port-scan to be illegal? If I am carrying out a
>>> very simplistic port-scan, I would simply connect to the port, retrieve the
>>> banner and close the connection. The banner will then be analyzed on my
>>> system to determine what is running.
>>>
>>> I personally don't see much of a difference between this and what my
>>> browser is doing as I open gmail.com.
>>>
>>> My browser connects to gmail.com on port 80, sends information, receives
>>> information and ends communication. In fact, in this case I am going a step
>>> further as I am actually sending data to the server.
>>>
>>> In no way does Google or Gmail state anywhere that I have the rights to
>>> connect to their system, so based on this am I breaking the law by checking
>>> my e-mail on a 3rd party server?
>>>
>>> If not, what differentiates a port-scan from regular surfing, sending an
>>> e-mail via smtp, retrieving e-mail via pop3, downloading files via ftp etc?
>>>
>>> What if I only port scan port 25 and port 80? Since obviously
>>> communicating to POP3 or a Web-site is not illegal?
>>>
>>> I am really just trying to understand how a Port-Scan is considered
>>> illegal and differentiated from regular net activity.
>>>
>>> People have used an argument similar to this to say that "SQL
>>> Injections" are not illegal, however in that case you are sending out
>>> malicious data with malicious intent to make a system behave in a way it is
>>> not supposed to. However in this case you are sending a simple RFC compliant
>>> SYN and/or SYN/ACK packet to the server.
>>>
>>> Once again, thanks for your time. Would love to sit down and really
>>> discuss these issues at the next OWASP meet.
>>> --
>>> Yash Kadakia
>>>
>>>
>>>
>>>
>>> 2008/10/19 Dipak Parmar <dipak at lawyer.com>
>>>
>>>> Dear Yogesh/Yash
>>>>
>>>> As to usage of Port scanning…
>>>>
>>>> Section 43 of the IT Act, 2000 starts with "If any person without
>>>> permission of the owner or any other person who is in charge of a
>>>> computer, computer system or computer network…
>>>>
>>>> So, if you are using it as security personnel (certainly with appropriate
>>>> authority - either as part of your employment or service contract) then it
>>>> is legal, not otherwise…
>>>>
>>>> What you are scanning is a question of fact… is your client the owner of
>>>> that network or just another user?
>>>>
>>>> I trust I have answered your query…
>>>>
>>>> With regards
>>>>
>>>> Dipak Parmar
>>>>
>>>> 022 -22093564
>>>>
>>>> 09820196971
>>>>
>>>> ---------- Forwarded message ----------
>>>> From: Dinesh O'Bareja <dineshbareja at gmail.com>
>>>> Date: Sun, Oct 19, 2008 at 11:11 AM
>>>> Subject: Re: [Owasp-Mumbai] Legality of Port Scans
>>>> To: Yogesh Badwe <yogeshmb at gmail.com>
>>>> Cc: Yash Kadakia <teccoder at gmail.com>, "owasp-mumbai at lists.owasp.org" <
>>>> owasp-mumbai at lists.owasp.org>
>>>>
>>>>
>>>> Yash - simply put, this is a sticky area. Any scan must be done ONLY
>>>> after obtaining a clearly defined scope from the client. Having said that,
>>>> the investigator must also ensure that he / she is not being asked to scan
>>>> any networks which do not belong to the client.
>>>>
>>>> It will be good for the health :) to keep any such urges under strict
>>>> control which entice you to "go where no man has been before" !!
>>>>
>>>> This is regular common sense advice, and I shall try to get some legal
>>>> stuff out to the group in time.
>>>>
>>>> regards
>>>> Dinesh.
>>>>
>>>>
>>>> On Fri, Oct 17, 2008 at 9:45 AM, Yogesh Badwe <yogeshmb at gmail.com> wrote:
>>>>
>>>>> Yash,
>>>>>
>>>>> *IT Act 2000*
>>>>>
>>>>> *Definitions:*
>>>>>
>>>>> *Access:* "access" with its grammatical variations and cognate
>>>>> expressions means gaining entry into, instructing or communicating with
>>>>> the logical, arithmetical, or memory function resources of a computer,
>>>>> computer system or computer network;
>>>>>
>>>>> *Sections:*
>>>>>
>>>>> *Chapter IX - Penalties and Adjudication*
>>>>>
>>>>> *43: penalty for damage to computer*: Sets the penalty for damage to
>>>>> a computer or network at INR 10 million for any damage or *unauthorized
>>>>> access* to a computer system.
>>>>>
>>>>> Correlating the Definition and the Section --> implies "illegal"
>>>>>
>>>>> I am not a lawyer ...but hope it helps !!
>>>>>
>>>>> -Yogesh Badwe
>>>>>
>>>>>
>>>>> On Thu, Oct 16, 2008 at 8:48 AM, Yash Kadakia <teccoder at gmail.com> wrote:
>>>>>
>>>>>> Hey,
>>>>>>
>>>>>> I was having a discussion with someone the other day and we started
>>>>>> talking about whether Port Scanning is illegal in India or not. We couldn't
>>>>>> really come to any definite answer and even after going through the relevant
>>>>>> Cyber Laws (http://cybercellmumbai.com/cyber-laws/) several times
>>>>>> there is no clear answer for the same.
>>>>>>
>>>>>> In my opinion, I do not think it is illegal since
>>>>>> http://www.cybercellmumbai.com/cyber-laws/chapter-9 really only talks
>>>>>> about post-data theft, network compromise, virus infection etc.
>>>>>>
>>>>>> I just wanted to throw this out there and see if any of you have any
>>>>>> ideas about the same.
>>>>>>
>>>>>> Yash Kadakia
>>>>>>
>>>>>> Co-Founder/ Chief Technology Officer
>>>>>> Security Brigade
>>>>>> Information Security Solutions
>>>>>>
>>>>>> Mobile: +91-09833375290
>>>>>> Fax: +91-651-2444545
>>>>>> E-mail: yash at securitybrigade.com
>>>>>> Web: http://www.securitybrigade.com/
>>>>>> Blog: http://www.yashkadakia.com/
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> _______________________________________________
>>>>>> OWASP-Mumbai mailing list
>>>>>> OWASP-Mumbai at lists.owasp.org
>>>>>> https://lists.owasp.org/mailman/listinfo/owasp-mumbai
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>> --
>>>>> Yogesh . M . Badwe
>>>>>
>>>>>
>>>>
>>>>
>>>>
>>>> With kind regards,
>>>>
>>>> DIPAK G. PARMAR
>>>> 13/A, Nalawala Building,
>>>> Ground Floor,
>>>> Bhaijivanji Lane,
>>>> Thakurdwar Road,
>>>> Mumbai - 400 002
>>>> India
>>>> (9122) 22093564
>>>>
>>>>
>>>
>>>
>>
>