Scanning the Internet for Vulnerabilities

Mel Beckman mel at beckman.org
Mon Jun 20 21:02:47 UTC 2022


Carsten,

The discussion is not getting far afield: it’s on point. And it’s a hugely germane topic for network operators. 

Regarding your claim “You consented to receiving packets when connecting to the Internet“, I counter with what is in virtually every ISP’s AUP for customers: Unauthorized port scanning is expressly prohibited. 

In fact, when I Google that precise phrase along with “Acceptable Use Policy” I get thousands of hits. 

I strongly suspect that this is probably also a violation of the U.S. Computer Abuse and Fraud Act, which criminalizes anyone who “Intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains … information from any protected computer.” A great many VA plug-ins attempt to — and often do — extract information they’re not authorized to. 

-mel

> On Jun 20, 2022, at 1:11 PM, Carsten Bormann <cabo at tzi.org> wrote:
> 
> On 2022-06-20, at 19:36, goemon--- via NANOG <nanog at nanog.org> wrote:
>> 
>> On Mon, 20 Jun 2022, Carsten Bormann wrote:
>>>>> On 2022-06-20, at 14:14, J. Hellenthal <jhellenthal at dataix.net> wrote:
>>>>> Yeah that's another thing, "research" cause you need to learn it let's have them do it too, multiply that by every university \o/
>>> there was some actual research involved.
>>> 
>>> I agree that there should be a very good reason to expend a tiny bit of everyone’s resources on this.
>>> 
>>> I do not agree that this externality makes any research in this space unethical.
>> 
>> Consent is what makes it unethical.
> 
> You consented to receiving packets by connecting to the Internet.
> 
> Now there is a limit to that consent (e.g., when these packets have an actual material negative effect), and here we enter an area where all simple schematic approaches fail — you really have to think about outcomes instead of expounding fundamentalist stances.
> 
>>> You signed up for this when you joined the Internet (er, stuck with the IPv4 Internet, I should probably say).
>> 
>> "If you don't like the unsolicited email, just hit delete" ?
>> 
>> How about ... NO.
> 
> How about: It’s really hard to properly apply analogies.
> 
> Unsolicited email wastes people’s time, and actually a lot of that.
> (Responsibly performed) packet probes waste machine time, and very little so.
> (If you are wasting human time on packet probes, you are holding it wrong.)
> Totally different outcome, and hence totally different ethics.
> 
> This “discussion” is getting a bit off-topic.
> 
> Greetings, Carsten
> 