[Owasp-Mumbai] Fwd: Legality of Port Scans

r4y secureas at gmail.com
Mon Oct 20 15:45:32 EDT 2008


Hahaha ! xkcd rocks ! :)

http://xkcd.com/488/

2008/10/20 TecCoder <teccoder at gmail.com>

> Hi MuNNA,
>
> I will reply in a full in a bit, Monday morning madness.
>
> I just wanted to say in-regards to SQL Injections, I do not think they are
> legal. However, I do-not think that inserting a quote somewhere should be
> considered illegal. Lets just consider Dinesh's last name while filling out
> a form, O'Bareja. I bet he has seen a lot of unintentional SQL errors.
> However a real attack retrieving data is definitely illegal, no arguments
> there. Unless ofcourse your last-name is: ' UNION SELECT * user,pass FROM
> admin WHERE user='admin'--
>
> Reminds me of an xkcd comic.
>
> --
> Yash Kadakia
>
>
> 2008/10/20 MuNNa <sant.jadhav at gmail.com>
>
>> Hi Yash
>>
>> I guess if you are scanning a single IP for ports 25 and 80 which you can
>> try even by simple telnet instead of a port scanner, then that would not be
>> considered as suspicious act. But if you are scanning a pool of IPs for port
>> 80 and 25 then that would surely be considered as suspicious act. Why would
>> any person scan a range of IPs even for port 80. Normal human beings connect
>> to port 80 using domain name instead of IP address ( until and unless you
>> have not registered any domain name. Then too you would be providing a
>> single IP to end users to connect and would never expect the user to scan
>> the IP pool for connecting to port 80). similarly for pop3 and smtp relays,
>> you would either be given certain IPs or simple sub-domain names like say
>> pop.gmail.com and smtp.gmail.com. Even here scanning a pool of IPs for
>> port 110 or 25 looks suspicious.
>>
>> Some may argue that SQL injection is not illegal but why would normal user
>> enter SQL queries in fileds which requires simple username and password or
>> simple page number.
>>
>> At some places law might not consider these things illegal but its surely
>> is. It is similar to some strange guy always checking the locks of your
>> house door without actually trying to break in. You would surely feel it
>> suspicious and think its illegal.
>>
>>
>> Regards;
>> Santosh J.
>>
>>
>> On Sun, Oct 19, 2008 at 10:49 PM, TecCoder <teccoder at gmail.com> wrote:
>>
>>> Dear Dipak,
>>>
>>> Thank you for your response.
>>>
>>> I just want to clarify a few things since you seem to have a strong legal
>>> understanding.
>>>
>>> How does the law define a port-scan to be illegal? If I am carrying out a
>>> very simplistic port-scan, I would simply connect to the port, retrieve the
>>> banner and close the connection. The banner will then be analyzed on my
>>> system to determine what is running.
>>>
>>> I personally don't see much of a difference between this and what my
>>> browser is doing as I open gmail.com.
>>>
>>> My browser connects to gmail.com on port 80, sends information, receives
>>> information and ends communication. In-fact, in this case I am going a step
>>> further as I am actually sending data to the server.
>>>
>>> In no-way does Google or Gmail state anywhere that I have the rights to
>>> connect to their system, so based on this am I breaking the law by checking
>>> my e-mail on a 3rd party server?
>>>
>>> If not, what differentiates a port-scan from regular surfing, sending an
>>> e-mail via smtp, retrieving e-mail via pop3, downloading files via ftp etc?
>>>
>>> What if I only port scan port 25 and port 80? Since obviously
>>> communicating to POP3 or a Web-site is not illegal?
>>>
>>> I am really just trying to understand how a Port-Scan is considered
>>> illegal and differentiated from regular net activity.
>>>
>>> People have used an argument similar to this to say  that "SQL
>>> Injections" are not illegal, however in that case you are sending out
>>> malicious data with malicious intent to make a system behave in a way it is
>>> not supposed to. However in-this case you are sending a simple RFC compliant
>>> SYN and/or SYN/ACK packet to the server.
>>>
>>> Once again, thanks for your time. Would love to sit down and really
>>> discuss these issues at the next OWASP meet.
>>> --
>>> Yash Kadakia
>>>
>>>
>>>
>>>
>>> 2008/10/19 Dipak Parmar <dipak at lawyer.com>
>>>
>>>  Dear Yogesh/Yash
>>>>
>>>>
>>>>
>>>> As to usage of Port scanning…
>>>>
>>>>
>>>>
>>>> Section 43 of the IT Act, 2000 starts with "If any person without permission of the owner or any other person who is incharge of a computer, computer system or computer network…
>>>>
>>>>
>>>>
>>>> So, if you are using it as security personnel (certainly with appropriate authority - either as part of your employment or service contract)then it is legal not otherwise…
>>>>
>>>>
>>>>
>>>> What you are scanning is question of fact… your client is owner of that network or just another user?
>>>>
>>>>
>>>>
>>>> I trust I had answered your query…
>>>>
>>>>
>>>>
>>>> With regards
>>>>
>>>>
>>>>
>>>> Dipak Parmar
>>>>
>>>> 022 -22093564
>>>>
>>>> 09820196971
>>>>
>>>>
>>>>
>>>> ---------- Forwarded message ----------
>>>> From: Dinesh O'Bareja <dineshbareja at gmail.com>
>>>> Date: Sun, Oct 19, 2008 at 11:11 AM
>>>> Subject: Re: [Owasp-Mumbai] Legality of Port Scans
>>>> To: Yogesh Badwe <yogeshmb at gmail.com>
>>>> Cc: Yash Kadakia <teccoder at gmail.com>, "owasp-mumbai at lists.owasp.org" <
>>>> owasp-mumbai at lists.owasp.org>
>>>>
>>>>
>>>> Yash - simply put, this is a sticky area. Any scan must be done ONLY
>>>> after obtaining a clearly defined scope from the client. Having said that,
>>>> the investigator must also ensure that he / she is not being asked to scan
>>>> any networks which do not belong to the client.
>>>>
>>>> It will be good for the health :) to keep any such urges under strict
>>>> control which entice you to "go where no man has been nefore" !!
>>>>
>>>> This is regular common sense advice, and I shall try to get some legal
>>>> stuff out to the group in time.
>>>>
>>>> regards
>>>> Dinesh.
>>>>
>>>>
>>>> On Fri, Oct 17, 2008 at 9:45 AM, Yogesh Badwe <yogeshmb at gmail.com>wrote:
>>>>
>>>>> Yash,
>>>>>
>>>>> *IT Act 2000*
>>>>>
>>>>> *                          Definitions:* *
>>>>>
>>>>> Access: *"access" with its grammatical variations and cognate
>>>>> expressions means gaining entry into, instructing *or communicating*with the logical, arithmetical, or memory function resources of a computer,
>>>>> computer system or computer network;*
>>>>>
>>>>>                             Sections:*
>>>>> *
>>>>> Chapter IX - Penalties and Adjudication*
>>>>>
>>>>> *43: penalty for damage to computer* : Sets the penalty for damage to
>>>>> a computer or network at INR 10 million for any damage or *unauthorized
>>>>> access* to a computer system.
>>>>>
>>>>> Correlating the Definition and the Section --> implies "illegal"
>>>>>
>>>>> I am not a lawyer ...but hope it helps !!
>>>>>
>>>>> -Yogesh Badwe
>>>>>
>>>>>
>>>>>   On Thu, Oct 16, 2008 at 8:48 AM, Yash Kadakia <teccoder at gmail.com>wrote:
>>>>>
>>>>>>   Hey,
>>>>>>
>>>>>> I was having a discussion with someone the other day and we started
>>>>>> talking about whether Port Scanning is illegal in India or not. We couldn't
>>>>>> really come to any definite answer and even after going through the relevant
>>>>>> http://cybercellmumbai.com/cyber-laws/ <- Cyber Laws several times
>>>>>> there is no clear answer for the same.
>>>>>>
>>>>>> In my opinion, I do not think it is illegal since
>>>>>> http://www.cybercellmumbai.com/cyber-laws/chapter-9 really only talks
>>>>>> about post-data theft, network compromise, virus infection etc.
>>>>>>
>>>>>> I just wanted to throw this out there and see if any of you have any
>>>>>> ideas about the same.
>>>>>>
>>>>>> Yash Kadakia
>>>>>>
>>>>>> Co-Founder/ Chief Technology Officer
>>>>>> Security Brigade
>>>>>> Information Security Solutions
>>>>>>
>>>>>> Mobile: +91-09833375290
>>>>>> Fax: +91-651-2444545
>>>>>> E-mail: yash at securitybrigade.com
>>>>>> Web: http://www.securitybrigade.com/
>>>>>> Blog: http://www.yashkadakia.com/
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> _______________________________________________
>>>>>> OWASP-Mumbai mailing list
>>>>>> OWASP-Mumbai at lists.owasp.org
>>>>>> https://lists.owasp.org/mailman/listinfo/owasp-mumbai
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>> --
>>>>>  Please consider your environmental responsibility.
>>>>>         Before printing this e-mail, ask yourself: "Do I need a hard
>>>>> copy?"
>>>>>
>>>>>
>>>>>
>>>>> Yogesh . M . Badwe
>>>>> Disclaimer - This email and any files transmitted with it are
>>>>> confidential and contain privileged or copyright information. You must not
>>>>> present this message to another party without gaining permission from the
>>>>> sender. If you are not the intended recipient you must not copy, distribute
>>>>> or use this email or the information contained in it for any purpose other
>>>>> than to notify us.
>>>>>
>>>>> If you have received this message in error, please notify the sender
>>>>> immediately, and delete this email from your system. I do not guarantee that
>>>>> this material is free from viruses or any other defects although due care
>>>>> has been taken to minimise the risk.
>>>>>
>>>>> _______________________________________________
>>>>> OWASP-Mumbai mailing list
>>>>> OWASP-Mumbai at lists.owasp.org
>>>>> https://lists.owasp.org/mailman/listinfo/owasp-mumbai
>>>>>
>>>>>
>>>>
>>>>
>>>>
>>>> With kind regards,
>>>>
>>>> DIPAK G. PARMAR
>>>> 13/A, Nalawala Building,
>>>> Ground Floor,
>>>> Bhaijivanji Lane,
>>>> Thakurdwar Road,
>>>> Mumbai - 400 002
>>>> India
>>>> (9122) 22093564
>>>>
>>>>
>>>> -- Be Yourself @ mail.com!
>>>> Choose From 200+ Email Addresses
>>>> Get a *Free* Account at www.mail.com <http://www.mail.com/Product.aspx>
>>>> !
>>>>
>>>
>>>
>>> _______________________________________________
>>> OWASP-Mumbai mailing list
>>> OWASP-Mumbai at lists.owasp.org
>>> https://lists.owasp.org/mailman/listinfo/owasp-mumbai
>>>
>>>
>>
>
> _______________________________________________
> OWASP-Mumbai mailing list
> OWASP-Mumbai at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-mumbai
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://lists.owasp.org/pipermail/owasp-mumbai/attachments/20081021/e8f2f281/attachment-0001.html 


More information about the OWASP-Mumbai mailing list