It is a common misconception that a lack of new statues makes all actions over the Internet legal unless expressly prohibited. This is a misconception as old laws do apply to new technology as well. The response to a property right is a general duty on other people not to interfere with the res (thing).

It is a common misconception that a lack of new statues makes all actions over the Internet legal unless expressly prohibited. This is a misconception as old laws do apply to new technology as well. The response to a property right is a general duty on other people not to interfere with the res (thing).

It does not matter that the method of interference is new, the remedy is still available. Unauthorised port scanning is perilous. Both companies and individuals will start to protect their rights as they discover them.

So you have decided out of the blue to port scan a site. Maybe it is your bank and you want to be sure that it is safe. Whatever the reason or the excuse, you have to do this, without express authorisation you may find yourself in trouble as some recent cases have demonstrated.

The law is no different in many ways whether we look at new technologies or old. Property (as defined in legal terms) as is associated with servers, routers and information systems in general is known in the law as consisting of chattels. Servers are chattels. The data are Intellectual Property.

The law on these subjects has existed for hundreds of years. We just do our best to not understand new technology in old terms.

There are a standard bundle of rights associated with property:

• The right to control use of the property,

• The right to receive benefit from the property,

• The right to assign, transfer or sell the property,

• and the right to exclude others from the property.

In the case of port scans we are looking at point 4, the right to exclude and point 1, the right to control. The rights we need to look at as was noted are the right of control and the right of exclusion.

The Rights

The right of control is the right to determine how the property is used. Uses were originally the equitable or beneficial interests in the property. The right of control allows the system owner to determine how the system is to operate according to law.

Trespass is basically a strict liability offence. This means that your intentions are to whether you did the act only. Intentions do not cover whether you intended to do damage of start a malicious action, just did you do it. A system owner has the right to state that they do not allow ping (or any ICMP for example). To enforce this they could filter any ICMP traffic.

This is relevant as this is one of the more innocuous acts. If you can get into trouble for an act as simple as this, that SQL injection test is even more likely to cost you dearly.

If in this example the system owner had determined that they would stop all ICMP traffic to/from the server, they could state this and than any access via ICMP would be a violation of the property rights. If the system owner had not taken steps to notify the public through some means (eg a terms notice on the primary web site) then the rights still exist but are not enforceable in law. This means that the act of trying to ping this server is illegal but there is no way to enforce this right. It could be argued that there is a right of access to standard ports and services. The burden of proof is on you (the defendant) to show this if you are going to rely on it.

First what is misunderstood by some is that the response to a property right is a general duty on other people not to interfere with the res (thing). Some people assume that the law is there to protect the rights of the individual to do whatever they wish unless this act is expressly forbidden. This is a mistake. Illegal means not legal. It does not mean against the law. There is a difference. Not legal can mean that there is not an express right to do the action.

To enforce the right the system owner has to do something to bring the right of control to the notice of the person who seeks to violate this right. An example here is a banner on a telnet login. The action is still illegal as stated, but there is not an action to enforce the right without the notification. The notification does not need to be ongoing. It just needs to occur. It does not even need to be particularly verbose or even grammatically correct. The notification does not even need to be sent using the same protocol. Sending an email off to the attacker would satisfy the requirement.

In a criminal case there needs to be proof that the warning/disclaimer was seen by the attacker. This is not the case in a civil action. The fact that there is a disclaimer on the site is enough to bring an action for trespass. An argument in defence of scanning a server as to implied right to commons will fail. Access to a web server is a license to use the web service. This is the web port and no other ports. Checking what else is running is a rights violation and is actionable.

The ICMP types

The case of Harrison v. Carswell involved defendant arguing that they had a right to protest. This is a right under law for freedom of speech and expression. The Mall owner (and the claimant in the case) stated a property right to exclude. The owner of the mall won. The owners of the shopping mall were able to obtain an equitable injunction to stop the protester from entering the mall property and surrounds (i.e. the areas that customers may go). The case has been criticised of course by people who want to be able to protest anywhere. It is held that though there was a right of protest, the rights of the property owner are superior. You can protest, but somewhere else - easy...

A person is subject to liability to another for trespass, irrespective of whether he thereby causes harm to any legally protected interest of the other, if he intentionally ... enters land in the possession of the other, or causes ... a third person to do so. Trespass as I have previously stated is the wrongful interference with other persons or with their possession of goods or land. To constitute a trespass the interference must be unauthorised, direct and done voluntarily.

The Restatement (Second) of Torts § 217 defines trespass to chattels as intentionally… dispossessing another of the chattel, or using or intermeddling with a chattel in the possession of another. Port scanning is using the resources of the server. This need not be a significant use of the resources, just one that is in any manner measurable. Measurable could be in cycles per second.

A simple manner of transmitting intent of property rights is to have ICMP responses allowed. By allowing this traffic and using ingress and egress filters and sending ICMP type 3 replies. In particular type 3/13 replies could be sent (Communication Administratively Prohibited). Upon receiving this response, the person scanning has effectively received notification (eg like a banner). There is no legal requirement that they take notice of the packet, just that it is delivered.

Other ICMP types that would effect this include: 3/9 – the destination network is administratively prohibited; 3/10 – the destination host is administratively prohibited; 3/11 – the network is unreachable for Type Of Service; 3/12 – the host is unreachable for Type Of Service.

Sending ICMP 3/9 is the most effective solution. (This is easy to configure on Cisco routers, other routers may or may not be able to achieve this). On receipt of the first packet, the person scanning is effectively notified. If they then scan or test any port on the network, they are effectively breaching the conditions as they have been notified to the transgression (similar to trespass on real property when you have asked the trespasser to leave and you have rights to the land).

If the person ports scan’s the site and ingress filters are configured to send ICMP 3/9 replies as soon as a packet is received to any port on any server other than the validly allowed ports, there is a breach. In this case, continued scanning becomes a breach of rights with an attached enforceable action. In this case you have the ability to litigate the person scanning the site civilly for a port scan and nothing more (i.e. no real damage).

Why do some people wait till you see a banner and log till then? When you see the banner this becomes a course of action. If you keep scanning after seeing the banner, then you have an action in criminal terms and you do not need to have damage to be able to seek action.

The right of exclusion is the right to dictate what others can do. This means that the property owner has the right to exercise control and to dictate what level of access (if any) another has to the property. In respect to the Internet, access from your gateway to another server is completed under an effect of easement. There are both public and private easements. A public easement is one that grants the right to a large group of individuals or to the public in general. This in the terms of the Internet is analogous to the backbone routers.

The backbone router

A DOS or DDoS attack against DNS or the backbone routers is in effect the same as blocking access to someone who has an easement. It is a trespass upon the right of easement and creates a cause of action for civil suit. In most jurisdictions this is also not codified or in statute as a criminal offence. It is still illegal as a civil breach when not directly excluded.

Exclusion allows the property owner (in our case the system owner) to designate what actions are acceptable. They only need to state that an action is against the policy of the site for this to become an enforceable action, further, where the system is a state owned system (take US Federal government for example) all access is considered to be expressly controlled unless access is expressly allowed.

A d v e r t i s e m e n t

sum:

0 €