On Mon, 28 Feb 2011 22:09:56 -0800 Chris Palmer chris@eff.org allegedly wrote:
> On Feb 27, 2011, at 8:59 AM, mick wrote:
>> in some jurisdictions. Section 3 of the UK Computer Misuse Act of 1990, as amended by the Police and Justice Act of 2006 makes such "reckless" activity an offence.
> I'm not sure how it counts as "reckless" to connect to a TCP port and then disconnect.
> Chris
I used the word "reckless" because that is the wording used in the UK CMA (as amended). See section 3 at:
http://www.legislation.gov.uk/ukpga/1990/18/section/3 which says:
"Unauthorised acts with intent to impair, or with recklessness as to impairing, operation of computer, etc."
I agree that a single full TCP connect does not constitute such "reckless" activity, but an aggressive, rapid portscan, perhaps using (deliberately) badly formed TCP packets, which took no account of the potential impact on the target, might.
Some network devices may not handle such traffic well. Indeed, the scan may cause a DoS.
IANAL, but it seems to me the drafters of the amendments to the UK legislation may have had such activity in mind when using the term "reckless". The term implies to me a "lack of care or due diligence". I suspect that "intent to impair" may sometimes be difficult to prove so lack of care was added.
> The kind of research I'm talking about — us, Kaminsky, Bernstein, et al. — involves simply talking to every server once. For example, the SSL Observatory does a "scan" that is very similar to what happens when a user clicks a link and then immediately clicks the Stop button in the browser: SYN, SYN/ACK, ACK, Client Hello, Server Hello + Certificate, goodbye. We do this once per IP every few months. Out of 4 billion IP addresses, we got one complaint that I know of.
> This work is not hostile or dangerous. It is clearly beneficial to the internet community. We've convinced CAs to tighten their loose certification standards, convinced them to meet the EV spec when we found they weren't, and provided hard evidence to fuel substantive debate on PKI policy. Nick and Jake are using the results to improve Tor. That's just to start.
I can't see that sort of activity as being deemed reckless - and it is highly unlikely to be spotted anyway.
It's also worth noting that the various tricks to hide or evade IDSs that some scanners like Nmap can do tend not to work over Tor, since Tor normalizes TCP streams before exiting.
> Port scanning can sometimes be the precursor to hostile activity, but it is not in itself hostile, and it is often either for a good cause or *indistinguishable from normal application activity*.
I disagree. In my view, port scanning in and of itself can be hostile if such activity is aggressive enough to cause difficulties - hence my concern.
I am attracted to cmeclax's idea of some form of torrc config option which could limit the potential for deliberate (or accidental but "reckless") scanning. Is there any mileage in pursuing something like that further? And if not, are there any other (current) recommended configurations which could mitigate possible problems?
Mick
---------------------------------------------------------------------
The text file for RFC 854 contains exactly 854 lines. Do you think there is any cosmic significance in this?
Douglas E Comer - Internetworking with TCP/IP Volume 1
http://www.ietf.org/rfc/rfc854.txt
---------------------------------------------------------------------