Over the past several days, we've been deluged with responses to our story on Professor Packetslinger and his assignment. The number of lawyer-wannabes among the infosec community appears to be at an all-time high, and so I've decided to step into the fray and offer a little unsolicited, yet sage advice:
If you think being a geek drives away chicks, being a lawyer is, if anything, worse.
That being said, I'd also like to toss out one more tidbit of wisdom that I've accumulated over time, like mold, within this lump of goo situated between my ears:
The legality of port scanning is an unsettled matter. The legality of breaking someone else's machine or causing monetary damage isn't. The problem is this: there's no difference between the two when it happens... and then it's too late.
(Note: I'll tempt fate. Honey... please don't leave me 'cause of this.. OK?)
The case that the budding Perry Mason's keep tossing at us is Moulton v. VC3:
Ask any infosec professional who has been around the block a time or three, and they'll be able to tell you stories about systems they've popped with nothing but a port scan. I've been there, I've done that, and I've got the "I tipped over a system using Nmap" t-shirt to prove it. Stepping beyond simple port scans to vulnerability scans is fraught with even more peril.
The point is this. If you're learning to be a professional, you need to act like a professional. If I fired off an on-site or remote test of a client without a signed "get out of jail free" document, my employer should, by rights, discharge me immediately. While the liability is, perhaps, low and there might be a decent argument that exposing machines that can tip over at the drop of a hat on any network is negligence, it doesn't change the fact that I am acting unprofessionally in this circumstance.
Professionals get permission, in writing, in advance. If you're not doing that, you're an attacker doing recon, despite how much you might want to convince yourself to the contrary. And while your actions by themselves may or may not be illegal, you certainly are tempting the law of unintended consequences to place your butt squarely within a sling.
So... unless and until you have authorization, take this Dad's advice: We look with our eyes, not with our hands... keep your packets in your pockets.
Tom Liston - Intelguardians
Mar 2nd 2006
Mar 2nd 2006
1 decade ago