Re: Relays, Blacklists, and Laws
- Date: Tue, 19 Jun 2001 01:18:29 +0200 (MET DST)
Roland Perry roland@localhost wrote:
>There is an argument floated by Law Enforcement in the UK which asks if
>port scanning is an activity which "no-one would do unless of malicious
>intent". It is likened to going down a row of parked cars, trying the
>doors [to see if they are unlocked]. The problem is: if there are good
>guys doing this as well as bad guys, how can you tell them apart?
Ok, but as long as Law Enforcement themselves seem unclear on
whether this is really illegal, and UK ISPs haven't invoked the
law to protect themselves against unwanted relay testing, I see
no reason to list all UK networks. You can still mail me. ;-)
With respect to the question posed by Law Enforcement, I would
begin by separating systematic scanning from occasional probing.
You can't tell by any simple, automatic means whether a probe is
part of a systematic scan or not, but you need to analyze logs
and the like, looking for behavioural patterns. A systematic
scan may be spread out over a long period of time in order not
to attract attention, and a well-intentioned test may have
drastic effects which the offender neither intended nor became
aware of until the police knocked on his door.
It's easy to come up with a reasonable justification for a single
probe (let's say I was spammed by that host and wanted to know
whether it was a dynamically assigned address or a mail gateway).
With one probe justified, you may extend the same reasoning to a
few more, or maybe several magnitudes more, depending on the exact
circumstances ("no, I wasn't spammed by every IP address in that
Class C network" - "yes, I wanted to know whether every host on
that Class C network would relay spam just like the first five
ones that actually spammed me, and the next five I tried that
also turned out to be open relays").
Thus, the validity of the argument that "no-one would do it unless
of malicious intent" becomes dependant on a large number of fuzzy
factors plus your own imagination, to the point that I'd consider
the argument useless. You simply can't determine intent from your
computer log files alone.
The problem with the car analogy is not that it's flawed, but that
it's far from the only analogy. What about likening the network
probe to going down a public library shelf, paging through every
book to see if either a) someone has forgotten a 10-pound bill as a
bookmark, or b) the book is out of copyright so that you can scan
its contents and submit it to Project Gutenberg? Normally, people
don't do these things, and it would be difficult to show malicious
intent (except that the librarians may complain about the books
being worn out too fast), but I think it's a reasonable analogy,
just like the one about the cars. Now, who gets to decide which
analogy to pick for the legal precedent?
If cars in parking lots were just as likely to magically unlock
themselves as computers are to relay third-party e-mail, parking
lot owners would hire teenagers to systematically check the locks
of every parked car, and friends would check each other's cars
without ever asking for permission to do so.
Analogies are good for explaining computer technology to beginner
users (such as lawyers), but not to set legal precedent for which
uses of a computer are legal and which are not. As we have seen,
likening e-mail to paper mail may result in the senders being able
to shun all responsibility for the resources they consume; "just
press DELETE if you aren't interested". The fax analogy is better?
Of course, but please convince your average judge who has never
been able to fax an audio or video recording.
Now, is relay-testing your mail server similar to trying to reach
your apartment door lock from the inside via your letter slit, or
to dropping a misaddressed envelope into that same letter slit just
to see if you will return it to the post office the next day? :-)
Anders Andersson, Dept. of Computer Systems, Uppsala University
Paper Mail: Box 325, S-751 05 UPPSALA, Sweden
Phone: +46 18 4713170 EMail: andersa@localhost