On Sat, Jan 13, 2001 at 08:25:00PM -0600, Jordan Bettis wrote:
> [snippage]
> > revisions of MacOS 9. The moral of the story? Be careful who you scan, they
> > may care, and be careful what OS you use for critical services.
>
> I see that as a bug in the Operating System. It is /not/ the fault of the
> guy who did the portscan. The only time I can think of a portscan being
> wrong would be if one were scanning somebody with very little bandwidth.

Here's a (possibly poor and misleading :) analogy for you: is it wrong to put salt in people's gas tanks just because they didn't padlock them? I think it is. It would be great if the internet wasn't so cut-throat that you have to lock up everything or else people will smash it, but it is and won't change except by laws and rules.

Laws often suck, since they stop you from doing bad stuff by preventing a whole bunch of things, only some of which are bad. (e.g. jaywalking on the quietest street in the city, when you haven't seen a car for minutes. This isn't likely to cause any trouble, but it's still against the law.) I think the internet is doing ok the way it is, with a wild-west kind of environment. You have to take care of yourself. I'd rather have to spend a bit of time thinking about security than I would like to get jailed for my own curiosity!

Laws never care too much what your intentions were, just what you did. (intentions can affect the penalty, like with murder vs. manslaughter, but I can't think of anything that's legal as long as you do it without ill intent. (I didn't try very hard, though:)) Unless we find a good way to tell whether people are telling the truth when they say they had good intentions, we can't make laws based on intent. Wild West it is, then, unless you want the government all over your computer!

For the record, here's my opinion: I don't think anyone should get in trouble for port scanning because they were curious and wanted to find something out. If they did it because they knew that the other machine couldn't take it and did it to cause damage, then that is Not OK. If you happen to know that a machine is vulnerable, you should, if anything, warn the owner. If you do, and they say you're wrong or don't believe you, then prove _them_ wrong if you want, as long as you don't do any permanent damage or cause any long term harm. (e.g. mac lab admin doesn't believe that anyone on the internet can take down his lab.
If you really really want to win the argument, then freeze one of his Macs with a portscan, and tell him about it. Don't freeze all of them just before some class has a big multimedia assignment due. You'll get in trouble, and rightly so.)

> In that case, it is very easy to discern the fact that they have little
> bandwidth, if they are on a dialup, etc. So one should be responsible
> for the resulting DoS.
>
> But I should not be responsible if I scan someone whose system is so flaky
> that it can't take the scan.

I think the only time you can ever be in the wrong when port scanning is when you are actively trying to cause damage, by DoS or otherwise. If you know, or think there's a good chance, that something will break if you scan, don't scan unless you want it to break.

-- 
#define X(x,y) x##y
Peter Cordes ; e-mail: X([EMAIL PROTECTED] , ns.ca)

"The gods confound the man who first found out how to distinguish the hours!
Confound him, too, who in this place set up a sundial, to cut and hack my day
so wretchedly into small pieces!" -- Plautus, 200 BCE