A Bunch Of Bull in a China Shop

Published: 2006-03-02
Last Updated: 2006-03-02 16:55:36 UTC
by Tom Liston (Version: 1)
Over the past several days, we've been deluged with responses to our story on Professor Packetslinger and his assignment.  The number of lawyer-wannabes among the infosec community appears to be at an all-time high, and so I've decided to step into the fray and offer a little unsolicited, yet sage advice:

If you think being a geek drives away chicks, being a lawyer is, if anything, worse.

That being said, I'd also like to toss out one more tidbit of wisdom that I've accumulated over time, like mold, within this lump of goo situated between my ears:

The legality of port scanning is an unsettled matter.  The legality of breaking someone else's machine or causing monetary damage isn't.  The problem is this: there's no difference between the two when it happens... and then it's too late.

(Note: I'll tempt fate.  Honey... please don't leave me 'cause of this.. OK?) 

The case that the budding Perry Masons keep tossing at us is Moulton v. VC3:
  1. This is a civil, not a criminal case.  For those of you who keep claiming that this case proves that port scanning is legal, here is a dime. Take it, call your mother, and tell her there is serious doubt about you ever becoming a lawyer. (...with apologies to Prof. Charles Kingsfield.)
  2. While there was a criminal investigation that preceded the whole Moulton v VC3 (and VC3 v Moulton) hoopla, all it spoke to was that the costs of investigating a port scan could not be used to push the case beyond the damage limit for criminal prosecution.  The judge stated that the statute required "that the damage must be an impairment to the integrity and availability of the network", and that this particular case did not meet that criterion.
  3. Remember: Most computer crime cases are about damages, and damages are all about interpretation.  This particular damage interpretation took place in the year 2000.  The "cost" of a security incident is a very slippery subject.  Care to be a 2006 test case?
When I take my kids out shopping, and we wander through a store chock full o' purty yet breakable things, a strange compulsion comes over me and I pop out with the typical "Dad" mantra: "We look with our eyes, not with our hands... keep 'em in your pockets."  And while they're all getting to the age now where they just look at me and roll their eyes, the advice is still solid.  In my own way, I'm teaching them an important rule that all adults know, believe, and put into practice in their daily lives: Don't take unnecessary risks.  While it's fun to look at the pretty glass unicorns and that bone china vase is awfully nice... picking them up and playing around with them can only lead to problems.

Ask any infosec professional who has been around the block a time or three, and they'll be able to tell you stories about systems they've popped with nothing but a port scan.  I've been there, I've done that, and I've got the "I tipped over a system using Nmap" t-shirt to prove it.  Stepping beyond simple port scans to vulnerability scans is fraught with even more peril.

The point is this.  If you're learning to be a professional, you need to act like a professional.  If I fired off an on-site or remote test of a client without a signed "get out of jail free" document, my employer should, by rights, discharge me immediately.  While the liability is, perhaps, low and there might be a decent argument that exposing machines that can tip over at the drop of a hat on any network is negligence, it doesn't change the fact that I am acting unprofessionally in this circumstance.

Professionals get permission, in writing, in advance.  If you're not doing that, you're an attacker doing recon, despite how much you might want to convince yourself to the contrary.  And while your actions by themselves may or may not be illegal, you certainly are tempting the law of unintended consequences to place your butt squarely within a sling.
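The "permission, in writing, in advance" rule translates into tooling rather neatly: a scanner front end should refuse any target the signed authorization does not cover, and should refuse everything when the engagement window is not open. The following is an added illustration, not code from this diary or from Intelguardians; the client name, address ranges, exclusion and dates in the authorization record are constructed and hypothetical.

```python
"""Scope gate for a scan run: refuse targets not covered by the written
authorization. Added example, not part of the original diary."""
import ipaddress
from datetime import datetime, timezone

# Constructed sample of what the signed document grants (all values hypothetical).
AUTHORIZATION = {
    "client": "Example Client, Inc.",
    "in_scope": ["192.0.2.0/24", "198.51.100.10", "2001:db8:1::/64"],
    "excluded": ["192.0.2.1"],  # a fragile device the client fenced off
    "window_start": "2006-03-06T08:00:00+00:00",
    "window_end": "2006-03-10T18:00:00+00:00",
}


def _nets(entries):
    # Single addresses become /32 or /128 networks; strict=False tolerates host bits.
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def in_window(auth, when):
    """True only while the authorized engagement window is open."""
    start = datetime.fromisoformat(auth["window_start"])
    end = datetime.fromisoformat(auth["window_end"])
    return start <= when <= end


def target_status(auth, target):
    """Classify one IP as 'excluded', 'authorized' or 'out-of-scope'.
    Exclusions win over in-scope ranges; an address of the wrong IP
    version never matches a network, so v6 targets need v6 ranges."""
    addr = ipaddress.ip_address(target)
    if any(addr in n for n in _nets(auth["excluded"])):
        return "excluded"
    if any(addr in n for n in _nets(auth["in_scope"])):
        return "authorized"
    return "out-of-scope"


def gate(auth, targets, when=None):
    """Split targets into (go, refused). `when` is a datetime or ISO-8601
    string; default is now (UTC). Outside the window nothing goes: a valid
    scope with no valid time is still no permission."""
    if when is None:
        when = datetime.now(timezone.utc)
    elif isinstance(when, str):
        when = datetime.fromisoformat(when)
    if not in_window(auth, when):
        return [], [(t, "outside-window") for t in targets]
    go, refused = [], []
    for t in targets:
        status = target_status(auth, t)
        if status == "authorized":
            go.append(t)
        else:
            refused.append((t, status))
    return go, refused


if __name__ == "__main__":
    # Constructed target list: one excluded, one out of scope, three authorized.
    targets = ["192.0.2.1", "192.0.2.50", "198.51.100.10",
               "203.0.113.7", "2001:db8:1::beef"]
    go, refused = gate(AUTHORIZATION, targets, "2006-03-07T10:00:00+00:00")
    print("scan:", go)
    print("refuse:", refused)
```

Feed `go` to the scanner and log `refused` alongside the authorization record; the point is that the decision is made by the document, not by the operator's memory of what was agreed.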

So... unless and until you have authorization, take this Dad's advice: We look with our eyes, not with our hands... keep your packets in your pockets.

Tom Liston - Intelguardians