As we venture further into ethical hacking and network scanning, I think we begin to enter the gray area where ethical and non-ethical hacking meet. Port scanning, I believe, is right in the middle of this gray area, as tools like nmap do not cause any damage to a system but are very revealing of how someone “could” cause damage. The comparison I have seen people make to explain the ethics of port scanning is that it’s like going up to someone’s house and checking which windows and doors are unlocked. Could you necessarily go to jail for this? Maybe in some county in some state. Would the homeowner be happy you came onto their property and started opening doors? Definitely not. Port scanning may technically not be illegal, but it’s probably not ethical. There have been numerous court cases in which scanning was not found to be illegal. The article references Moulton v. VC3 to highlight this. The article also references the Computer Code of Conduct at Rochester Institute of Technology, which makes no mention of scanning. As Professor Mackey stressed in the beginning of the course, it is best to get permission before any scanning/hacking activities!
https://www.sans.org/reading-room/whitepapers/legal/ethics-legality-port-scanning-71
Jon Whitehurst says
Port scanning may vary country to country. In the US I don’t think it’s illegal, nor do I think it should be. Universities get scanned constantly by IP addresses in other countries. In those cases, since we can’t go to the ISP in that country to tell them to stop, we simply place them on the blacklist. If you are a hospital, or a company that has government contracts, or anyone else that has strict business guidelines, you would want to whitelist only what you want to talk to and blacklist the rest to protect yourself from being scanned.
Mauchel Barthelemy says
I agree with you, Jon. I don’t believe port scanning either should be illegal or would otherwise be one of the best solutions against hacking. In the above example, Ryan explained that homeowners would not be happy that a stranger shows up at their doorsteps to check whether doors are properly locked. One way to combat that is to install security cameras outside their houses in case something occurs. This is the same way companies can apply firewalls, IDS, IPS and other security tools to protect themselves from port scanning. Also, pen testers getting permission is a good approach, but it’s important to remember that it should be a written consent from top executives and reviewed by you or your company’s lawyer.