On 03/01/2011 11:36 AM, mick wrote:
On Mon, 28 Feb 2011 22:09:56 -0800 Chris Palmer chris@eff.org allegedly wrote:
On Feb 27, 2011, at 8:59 AM, mick wrote:
in some jurisdictions. Section 3 of the UK Computer Misuse Act of 1990, as amended by the Police and Justice Act of 2006 makes such "reckless" activity an offence.
I'm not sure how it counts as "reckless" to connect to a TCP port and then disconnect.
Chris
I used the word "reckless" because that is the wording used in the UK CMA (as amended). See section 3 at:
http://www.legislation.gov.uk/ukpga/1990/18/section/3 which says:
"Unauthorised acts with intent to impair, or with recklessness as to impairing, operation of computer, etc."
I agree that a single full TCP connect does not constitute such "reckless" activity, but an aggressive, rapid portscan, perhaps using (deliberately) badly formed TCP packets, which took no account of the potential impact on the target, might.
Some network devices may not handle such traffic well. Indeed, the scan may cause a DoS.
IANAL, but it seems to me the drafters of the amendments to the UK legislation may have had such activity in mind when using the term "reckless". The term implies to me a "lack of care or due diligence". I suspect that "intent to impair" may sometimes be difficult to prove so lack of care was added.
And the lawyers involved were likely not technologically literate. I'm guessing none of them understand TCP/IP or BGP. There's a big disconnect here and part of it is likely cultural.
Connection to the public internet requires that random people on the internet be able to burn some CPU time on your machine. It takes a bit of energy to process a packet, even if only to discard it, unless the machine is otherwise protected. This is the nature of the internet - everyone with a public and routed IP address signs up for this when they join the network. If they don't like it, they should probably consider a solution that actually scales or works - legislation like this doesn't change the nature of the network.
The kind of research I'm talking about — us, Kaminsky, Bernstein, et al. — involves simply talking to every server once. For example, the SSL Observatory does a "scan" that is very similar to what happens when a user clicks a link and then immediately clicks the Stop button in the browser: SYN, SYN/ACK, ACK, Client Hello, Server Hello + Certificate, goodbye. We do this once per IP every few months. Out of 4 billion IP addresses, we got one complaint that I know of.
This work is not hostile or dangerous. It is clearly beneficial to the internet community. We've convinced CAs to tighten their loose certification standards, convinced them to meet the EV spec when we found they weren't, and provided hard evidence to fuel substantive debate on PKI policy. Nick and Jake are using the results to improve Tor. That's just to start.
I can't see that sort of activity as being deemed reckless - and it is highly unlikely to be spotted anyway.
It depends entirely on how the scan is performed - sequential scans will be discovered by an IDS. Even if it's undiscovered, I wouldn't consider it reckless.
It's also worth noting that the various tricks to hide or evade IDSs that some scanners like Nmap can do tend not to work over Tor, since Tor normalizes TCP streams before exiting.
Port scanning can sometimes be the precursor to hostile activity, but it is not in itself hostile, and it is often either for a good cause or *indistinguishable from normal application activity*.
I disagree. In my view, port scanning in and of itself can be hostile if such activity is aggressive enough to cause difficulties - hence my concern.
A port scan is not aggressive in and of itself. The frequency of packets might overwhelm a system and so the system, or an upstream system should probably drop those packets on the floor.
I am attracted to cmeclax's idea of some form of torrc config option which could limit the potential for deliberate (or accidental but "reckless") scanning. Is there any mileage in pursuing something like that further? And if not, are there any other (current) recommended configurations which could mitigate possible problems?
I don't think such a configuration option makes any sense at all. We have many streams on a given circuit for load balancing. A clever scanner would simply use one circuit per connect attempt and it would generate a lot of load on the network.
I'd suggest that if you're concerned about someone making connections from your computer, it's probably a bad idea to run an Exit node...
All the best, Jaco
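The thread contrasts two traffic patterns: one short TLS probe per host (SYN, SYN/ACK, ACK, Client Hello, Server Hello, close, as the SSL Observatory does) versus a rapid sequential port sweep that an IDS would flag and that an upstream device might rate-limit. The following is an added example, not code from any participant in this thread or from Tor; it shows the kind of detection logic an IDS or exit operator could run over connection logs. The log format, the field order, the thresholds (distinct ports per window, maximum port gap, SYN rate) and the IP addresses are all assumptions constructed for this example.

```python
"""Toy scan detector over constructed connection-log lines (added example).

It flags a source that hits many consecutive destination ports on one
host within a short window (a sequential sweep), and leaves alone a
source that opens one connection per host (the Observatory-style probe).
Log format, thresholds and addresses are assumptions for this example.
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample log: "<epoch_seconds> <src_ip> <dst_ip> <dst_port> <tcp_flags>"
# 203.0.113.5 does one TLS-style connect (SYN ... FIN) per host.
# 192.0.2.77 sweeps ports 21-31 on a single host within one second.
SAMPLE_LOG = """\
1000.0 203.0.113.5 198.51.100.10 443 S
1000.1 203.0.113.5 198.51.100.10 443 F
1000.2 203.0.113.5 198.51.100.11 443 S
1000.3 203.0.113.5 198.51.100.11 443 F
1000.0 192.0.2.77 198.51.100.10 21 S
1000.1 192.0.2.77 198.51.100.10 22 S
1000.2 192.0.2.77 198.51.100.10 23 S
1000.3 192.0.2.77 198.51.100.10 24 S
1000.4 192.0.2.77 198.51.100.10 25 S
1000.5 192.0.2.77 198.51.100.10 26 S
1000.6 192.0.2.77 198.51.100.10 27 S
1000.7 192.0.2.77 198.51.100.10 28 S
1000.8 192.0.2.77 198.51.100.10 29 S
1000.9 192.0.2.77 198.51.100.10 30 S
1001.0 192.0.2.77 198.51.100.10 31 S
"""


@dataclass
class Event:
    ts: float
    src: str
    dst: str
    port: int
    flags: str


def parse_log(text):
    """Parse the assumed whitespace-separated log format into Event records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, flags = line.split()
        events.append(Event(float(ts), src, dst, int(port), flags))
    return events


def _initial_syns(events):
    """Keep only connection-opening SYNs (SYN set, ACK clear)."""
    return [e for e in events if "S" in e.flags and "A" not in e.flags]


def detect_sequential_scans(events, window=5.0, min_ports=10, max_gap=1):
    """Return {src: [(dst, first_port, last_port), ...]} for sources that open
    at least `min_ports` distinct ports on one host within `window` seconds,
    where the sorted ports are never more than `max_gap` apart (a sweep)."""
    per_pair = defaultdict(list)
    for e in _initial_syns(events):
        per_pair[(e.src, e.dst)].append(e)
    alerts = defaultdict(list)
    for (src, dst), evs in per_pair.items():
        evs.sort(key=lambda e: e.ts)
        for i, first in enumerate(evs):
            in_window = [e for e in evs[i:] if e.ts - first.ts <= window]
            ports = sorted({e.port for e in in_window})
            if len(ports) < min_ports:
                continue
            if all(b - a <= max_gap for a, b in zip(ports, ports[1:])):
                alerts[src].append((dst, ports[0], ports[-1]))
                break  # one alert per (src, dst) pair is enough
    return dict(alerts)


def peak_syn_rate(events, window=1.0):
    """Peak number of initial SYNs any source sends within `window` seconds;
    the figure a host or upstream device could use to start dropping packets."""
    by_src = defaultdict(list)
    for e in _initial_syns(events):
        by_src[e.src].append(e.ts)
    peak = {}
    for src, times in by_src.items():
        times.sort()
        best = 0
        for i, t0 in enumerate(times):
            best = max(best, sum(1 for t in times[i:] if t - t0 <= window))
        peak[src] = best
    return peak


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("sequential scans:", detect_sequential_scans(evs))
    print("peak SYNs per second:", peak_syn_rate(evs))
```

Run as-is, it reports the sweep from 192.0.2.77 (ports 21 to 31 on one host) and a peak of 11 SYNs per second from that source, while 203.0.113.5, which touched one port on each of two hosts, produces no alert and a peak of 2. Raising `min_ports` or lowering `window` trades detection sensitivity against false positives on busy but legitimate clients; the "drop on the floor" decision the thread describes belongs to whatever consumes `peak_syn_rate`, not to the detector itself.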