[Dshield] Question on appropriate university research

Stasiniewicz, Adam stasinia at msoe.edu
Tue Sep 18 12:14:03 GMT 2007

Interestingly enough, the simple act of port scanning is not illegal in the
US (in 2001 a federal court case, Moulton v. VC3, decided this).  But DoS
attacks (say by flooding a network with port 22 SYNs) and using exploits (to
gain unauthorized access to SSH servers) are illegal.  In addition I can see
a crafty lawyer being able to make arguments for the following two
scenarios: First, that you explicitly tell CMU not to port scan you, but
they still do (trespassing laws).  Second, that if CMU were to publish their
results, those results would specify your organization and all their SSH
servers (privacy laws).

But legality aside, I agree there is a strong ethical issue here.  I think
it is only reasonable to ask IP block owners for their permission before
scanning their networks.  Not that I think IP block owners have something to
hide or that by being notified there is some sort of security gain; rather,
out of simple courtesy IP block owners should be advised that their network
is going to be the subject of research.

I would be interested to hear more about what exactly this research project
is attempting to do.  Does anyone have any more specific information about

My $0.02,
Adam Stasiniewicz

-----Original Message-----
From: list-bounces at lists.dshield.org [mailto:list-bounces at lists.dshield.org]
On Behalf Of Tom
Sent: Monday, September 17, 2007 8:39 PM
To: General DShield Discussion List
Subject: [Dshield] Question on appropriate university research

We were probed by a machine on CMU's network weekly on port 22. We 
reported this to CMU abuse and received the following response:

"The machine cited in your notification is running a research project 
involving SSH scanning.  I have cc'd the network manager of the 
department so that this message can be forwarded to the researcher 
for a response.

Thank you,

John K. Lerchey
Information Security Office"

Now, this "SSH scanning" project looks just like a botnet searching 
for hosts to attack later from my machine's viewpoint.

Don't you think that this is at best ill-advised without contacting 
the IP block owners? Further, what they're trying to sample is not 
what they are sampling, but that's another story.

Your comments and inputs are appreciated because I think this guy's PhD 
advisor is way out of line to condone this activity.



Tom Shaw - Chief Engineer, OITC
<tshaw at oitc.com>, http://www.oitc.com/
US Phone Numbers: 321-984-3714, 321-729-6258(fax), 
321-258-2475(cell/voice mail,pager)
Text Paging: http://www.oitc.com/Pager/sendmessage.html
AIM/iChat: trshaw at mac.com
Google Talk: trshaw at gmail.com
