ISC entry this morning

Tom Liston of the Internet Storm Center posted a follow-up to their earlier 'packetslinger' article. It would seem that the previous article was one of their top articles in terms of controversy sparked. And Liston takes time to point out where the controversy lay.

If you look at the Slashdot article it is clear that the top thread is "is port-scanning illegal?". And in the words of Liston:
"The legality of port scanning is an unsettled matter. The legality of breaking someone else's machine or causing monetary damage isn't. The problem is this: there's no difference between the two when it happens... and then it's too late."
So, port scanning by itself isn't illegal, but it becomes so when the port-scan actually does damage. Again:
"I've been there, I've done that, and I've got the "I tipped over a system using Nmap" t-shirt to prove it."
And I have that shirt too, as it happens; it was an nmap service-scan and it knocked over something on a NetWare server. Today's article is much less sensationalist than the original article, which is a nice thing. This addresses the issues involved without raising the specter of jack-booted fascists knocking on your door in the depth of night for having the temerity to port-scan a friend's PC without them knowing it.

The original assignment told students to perform their scans over the internet. I've since learned that in class the professor said that they should not do the scans from inside the WWU perimeter in order to keep things fair. This is a good policy. Our stuff gets scanned from the internet multiple times an hour, and with stuff more probing than a simple Nmap scan with service-scanning turned on. By originating the scans on that side, the incoming traffic looks like the normal crud we deal with on a daily basis and is therefore much less likely to crash systems. So in our case simple port-scans from the outside have a very low chance of causing damage.

But that doesn't change the notification requirement. All this setup does is minimize the chance of damage (and, coincidentally, the chances of outright detection). Port-scanning in general is risky, though it is a lower-risk activity than an outright vulnerability scan. Even so, before such actions are commenced it is required that you gain permission in order to mitigate any potential civil penalties that might ensue in the case of an unfortunate crash.

The professor has now limited his students to specific ranges of IPs that the professor has pre-cleared. This is all to the good. And as this comment points out, the student hadn't started scanning. The situation is handled.

1 Comment

If your systems are so unstable as to be tipped over by any sort of nmap scan at all, you are in deep shizzle. What's more, you should be grateful you were tipped over by a student doing a project for school, and not a blackhat looking for fun. Even better, how about a student NOT in a security class looking to change grades? Examine the attack vectors: the people with the motive to attack your servers are people INSIDE your network. As such, saying "It's unfair to scan from outside!" is not going to hold water. I am disgusted that you ran to SANS and I am even more disgusted with the way they handled it. The legality of the issue is not what's in question; it's the morality of your actions. You should have the sense to recognize that scans by students are not a threat. If your point was to make students aware that scans can be interpreted as an attack, you would have done well to email Dr. Bover with a request that A) you be allowed to speak to the class, or B) he bring up these issues. You have managed to besmirch the name of Western, besmirch Dr. Bover's good name, and make yourself look like a raving paranoid lunatic all at once. There are even rumblings that whoever was so afraid of an nmap scan as to run to ISC about it might have some awfully insecure systems...