[PLUG] The lion in Salem

Cliff Wells logiplex at qwest.net
Fri Aug 29 14:32:02 UTC 2003


On Fri, 2003-08-29 at 12:32, Jeff Schwaber wrote:
> On Fri, 2003-08-29 at 12:02, AthlonRob wrote:
> > On Fri, 2003-08-29 at 10:43, Cliff Wells wrote:
> > 
> > > And it bothers me that running nmap is considered a crime.  It's called
> > > "looking".  Often people use "looking" as preparation for committing a
> > > crime.  More often they don't.  Perhaps next time someone walks past my
> > > house and gives it a twice-over, I should call the police.  They might
> > > be casing the place.
> > 
> > As much as I hate to contribute to the continuation of this thread...
> > 
> > nmap isn't just looking so much.
> > 
> > To make the comparison of somebody on the street 'nmap'ing your house...
> > they don't walk past it, taking two looks at it.
> 
> Okay, I've heard all the analogies before, and I've been disgusted each
> and every time by everyone's fundamental lack of understanding that an
> analogy is only useful so much as it fits.
> 
> A server is not a house. A machine on the network IS NOT YOUR PERSONAL
> HOME.
> 
> It might be a slightly better analogy if you compared a server to a
> business, as a server offers services. I could make another analogy
> suggesting that nmapping is a way of asking a server what services it
> offers, as well as checking out the building, by walking into the store
> and looking around.
> 
> But that, too, would be a FLAWED analogy. Hugely flawed. 
> 
> Rather than trying to use flawed analogies to spin the actuality, can we
> study for a moment the actuality?

The reason analogies, albeit flawed ones, are often applied in these
types of discussions is because the analogies typically have clear-cut
(or at least more obvious) ethical implications.  Running nmap against a
machine does not, at least on the surface, imply right or wrong.  When
you are discussing the ethics of machinery, it often helps to compare it
to a more human domain where ethics at least have a general consensus.

> nmap studies a server, which is a machine intended to be publicly
> accessible in some manner (or highly misconfigured), and it gets a whole
> bunch of data about it. Yes, that data could be used to look up security
> vulnerabilities, but nmap the tool does not itself print those out, nor
> does it have capabilities to search for security vulnerabilities. That
> is left to the user.
> 
> Nmap is a tool, and the information it gathers is publicly available,
> simply because you put the machine on the net with the intent of
> providing services (if you didn't intend to provide services, that's
> what firewalls are there for--allowing a machine to be on the net
> without providing services).
> 
> Running nmap on a publicly available server should not be criminal.
> Whether or not it is will be decided by technophobic judges, but as long
> as techies fail to understand the definition of analogy, they really
> desperately worsen the situation.

Well, I think we at least agree on these points.

-- 
Cliff Wells, Software Engineer
Logiplex Corporation (www.logiplex.net)
(503) 978-6726  (800) 735-0555




