[Owasp-Mumbai] Fwd: Legality of Port Scans

r4y secureas at gmail.com
Mon Oct 20 16:32:54 EDT 2008


IMO, the law will never ever be able to define what is illegal and legal about
a port scan.

In such situations, judges, lawyers and solicitors everywhere will look for
a precedent (within their jurisdiction or outside) in order to be able to
help them with a decision. As well as intent.

We could argue on the technicalities forever, but let's face it. If we as
security professionals cannot come to a conclusion about it then the
judiciary has no hope in 100 years! They will normally try and come to a
conclusion about intent however. And from your email you have already stated
your intent (purely educational in nature!), and hence I don't see why you
should wait any more to begin your scans ;-)


2008/10/19 TecCoder <teccoder at gmail.com>

> Dear Dipak,
>
> Thank you for your response.
>
> I just want to clarify a few things since you seem to have a strong legal
> understanding.
>
> How does the law define a port-scan to be illegal? If I am carrying out a
> very simplistic port-scan, I would simply connect to the port, retrieve the
> banner and close the connection. The banner will then be analyzed on my
> system to determine what is running.
>
> I personally don't see much of a difference between this and what my
> browser is doing as I open gmail.com.
>
> My browser connects to gmail.com on port 80, sends information, receives
> information and ends communication. In fact, in this case I am going a step
> further as I am actually sending data to the server.
>
> In no way does Google or Gmail state anywhere that I have the rights to
> connect to their system, so based on this am I breaking the law by checking
> my e-mail on a 3rd party server?
>
> If not, what differentiates a port-scan from regular surfing, sending an
> e-mail via smtp, retrieving e-mail via pop3, downloading files via ftp etc?
>
> What if I only port scan port 25 and port 80? Since obviously communicating
> to POP3 or a Web-site is not illegal?
>
> I am really just trying to understand how a Port-Scan is considered illegal
> and differentiated from regular net activity.
>
> People have used an argument similar to this to say that "SQL Injections"
> are not illegal, however in that case you are sending out malicious data
> with malicious intent to make a system behave in a way it is not supposed
> to. However in this case you are sending a simple RFC compliant SYN and/or
> SYN/ACK packet to the server.
>
> Once again, thanks for your time. Would love to sit down and really discuss
> these issues at the next OWASP meet.
> --
> Yash Kadakia
>
>
>
>
> 2008/10/19 Dipak Parmar <dipak at lawyer.com>
>
>> Dear Yogesh/Yash
>>
>> As to usage of Port scanning…
>>
>> Section 43 of the IT Act, 2000 starts with "If any person without permission of the owner or any other person who is in charge of a computer, computer system or computer network…
>>
>> So, if you are using it as security personnel (certainly with appropriate authority - either as part of your employment or service contract) then it is legal, not otherwise…
>>
>> What you are scanning is a question of fact… is your client the owner of that network or just another user?
>>
>> I trust I have answered your query…
>>
>> With regards
>>
>> Dipak Parmar
>>
>> 022 -22093564
>>
>> 09820196971
>>
>> ---------- Forwarded message ----------
>> From: Dinesh O'Bareja <dineshbareja at gmail.com>
>> Date: Sun, Oct 19, 2008 at 11:11 AM
>> Subject: Re: [Owasp-Mumbai] Legality of Port Scans
>> To: Yogesh Badwe <yogeshmb at gmail.com>
>> Cc: Yash Kadakia <teccoder at gmail.com>, "owasp-mumbai at lists.owasp.org" <
>> owasp-mumbai at lists.owasp.org>
>>
>>
>> Yash - simply put, this is a sticky area. Any scan must be done ONLY after
>> obtaining a clearly defined scope from the client. Having said that, the
>> investigator must also ensure that he / she is not being asked to scan any
>> networks which do not belong to the client.
>>
>> It will be good for the health :) to keep any such urges under strict
>> control which entice you to "go where no man has been before" !!
>>
>> This is regular common sense advice, and I shall try to get some legal
>> stuff out to the group in time.
>>
>> regards
>> Dinesh.
>>
>>
>> On Fri, Oct 17, 2008 at 9:45 AM, Yogesh Badwe <yogeshmb at gmail.com> wrote:
>>
>>> Yash,
>>>
>>> IT Act 2000
>>>
>>> Definitions:
>>>
>>> Access: "access" with its grammatical variations and cognate
>>> expressions means gaining entry into, instructing *or communicating* with
>>> the logical, arithmetical, or memory function resources of a computer,
>>> computer system or computer network;
>>>
>>> Sections:
>>>
>>> Chapter IX - Penalties and Adjudication
>>>
>>> 43: penalty for damage to computer: Sets the penalty for damage to a
>>> computer or network at INR 10 million for any damage or *unauthorized
>>> access* to a computer system.
>>>
>>> Correlating the Definition and the Section --> implies "illegal"
>>>
>>> I am not a lawyer ...but hope it helps !!
>>>
>>> -Yogesh Badwe
>>>
>>>
>>> On Thu, Oct 16, 2008 at 8:48 AM, Yash Kadakia <teccoder at gmail.com> wrote:
>>>
>>>> Hey,
>>>>
>>>> I was having a discussion with someone the other day and we started
>>>> talking about whether Port Scanning is illegal in India or not. We couldn't
>>>> really come to any definite answer and even after going through the relevant
>>>> http://cybercellmumbai.com/cyber-laws/ <- Cyber Laws several times
>>>> there is no clear answer for the same.
>>>>
>>>> In my opinion, I do not think it is illegal since
>>>> http://www.cybercellmumbai.com/cyber-laws/chapter-9 really only talks
>>>> about post-data theft, network compromise, virus infection etc.
>>>>
>>>> I just wanted to throw this out there and see if any of you have any
>>>> ideas about the same.
>>>>
>>>> Yash Kadakia
>>>>
>>>> Co-Founder/ Chief Technology Officer
>>>> Security Brigade
>>>> Information Security Solutions
>>>>
>>>> Mobile: +91-09833375290
>>>> Fax: +91-651-2444545
>>>> E-mail: yash at securitybrigade.com
>>>> Web: http://www.securitybrigade.com/
>>>> Blog: http://www.yashkadakia.com/
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> _______________________________________________
>>>> OWASP-Mumbai mailing list
>>>> OWASP-Mumbai at lists.owasp.org
>>>> https://lists.owasp.org/mailman/listinfo/owasp-mumbai
>>>>
>>>>
>>>
>>>
>>> --
>>> Yogesh M. Badwe
>>>
>>
>>
>>
>> With kind regards,
>>
>> DIPAK G. PARMAR
>> 13/A, Nalawala Building,
>> Ground Floor,
>> Bhaijivanji Lane,
>> Thakurdwar Road,
>> Mumbai - 400 002
>> India
>> (9122) 22093564
>>
>>
>
>