Demonstration of Concept

Chiapas, Mexico - January 3rd, 2000 - the Zapatista Air Force "bombarded" the federal barracks of the Mexican Army with hundreds of paper airplanes. Each airplane carried a message for the soldiers monitoring the border. In remembrance of this event the Electronic Disturbance Theater (EDT) releases a digital version of the Zapatista Air Force Action: the Zapatista Tribal Port Scan.

What is a port?

A port is an abstraction for the connection points used for network services, such as e-mail and the WWW. Every computer connected to the Internet has 65536 ports through which other computers on the net might establish socket connections. Common services such as http (the web) and e-mail are implemented as socket connections, using standard ports such as 80 (http), and 25 (smtp).

What is a port scan?

It is possible, actually common, to attempt to make socket connections on a server's multitude of ports in order to determine what services reside on that machine.

Why scan ports?

Port scans should be non-controversial. If your machine is connected to the Internet, you are exposing all of your ports, and you should expect connection attempts on any of them. Because a port scan is sometimes, very rarely, a prelude to hacking attempts, many fascist leaning system administrators mistakenly classify the port scan itself as a hostile act. But just because a port scan may on rare occasions reveal an exploitable weakness, it is not the same as actually exploiting the weakness. It is no different in principle from counting the windows and doors of a secure building from a public sidewalk. If a machine is on the public Internet, the ports are visible from that public sidewalk. It is the responsibility of building security to evaluate any threat, no law can be passed against looking. (Except under fascism, of course.)

Who is paranoid about their ports?

Typically it is the most powerful who can afford the high cost of total paranoia. Some systems utilize sophisticated security software that report on every attempted connection, or warn administrators about large numbers of unusual connection attempts. From this you may draw your own conclusions about exactly whose machines and people are likely to pay attention to the kind of tribal scan that ZTPS performs.

What is Tribal?

Tribal is a term that refers to the use of more than one computer (their different network identities), to distribute the work. The Zapatista Tribal Port Scan uses the Java Virtual Machine available in all standard web browsers to implement the port scan. The participating user simply visits the web site URL of a ZTPS implementation, and the scanning begins. Designed to be opened in a smallish browser window and minimized for all day scanning at home, work, or school, the ZTPS applet will scan a random port on a particular machine (chosen by the implementers posting the ZTPS site), from once per minute to once per hour, selectable by the user. Using both TCP and UDP socket connections, ZTPS may be configured to randomly select from an implementer-selected list of text messages, some of which may be logged by targeted machines. (Messages flying over the fence.) A download button in the applet interface makes it easy for users to download ready-to-implement software, and full source code for their own purposes, (or for modification). ZTPS effectiveness improves with the number of participating user/activists, so collective participation, as always, is very important.

Why a Zapatista Port Scan?

The Zapatistas are winning the war. Their intelligent and calculated application of the responsibility to risk, their creativity and conceptual edge in terms of activism, and their commitment to provocative transgressions that turn the opposition's borders into Zapatista assets, all point toward port scanning as an activist tool, and conceptual art. (Remember that Subcomandante Marcos was a Professor of Digital Media.)

EDT offers ZTPS to the community of net activists and artists with a few requests. Please improve, mutate, grow and spread the code. (Click the download button in the ztps interface for a complete archive.) Please also think of the system administrators who will pick up your packet airplanes when they land in the security logs on the other side of the fence;-)


There are two ways to implement ztps on the client side.
  1. The participant/user enters the URL of a signed ztps implementation their web browser. The ztps then loads into the web browser and begins scanning the domain pre-selected by the implementers of the ztps web site. Code signing is necessary (more info below), because the ztps applet must be granted special permission to make a network socket connection to any server other than the one from which it itself loaded. (see demonstration link below for an unsigned sample)
  2. Participants or users may download ztps, and run it locally as a desktop Java application on any platform/OS that has an available Java Virtual Machine. (Almost all platforms/OS) When running ztps as an application, there are no applet security restrictions, so code signing is unnecessary. When used as an application, the user can choose which site to scan instead of having that choice made by the implementer of a ztps web site. To download a complete archive including source, visit the link below and click the download button in the ztps interface.
Download Here
ztps concept and interface demo
This demo is hosted by Switch, the new media journal of the Computers in Art, Design, Research and Education Digital Media Laboratory at San Jose State University. (CADRE)

Code signing:

If you wish to implement ztps via the web as an applet, you will need to acquire a code signing certificate from a certification authority and sign the applet code. This will enable the mobile code to ask the individual user for permission to make the network connections necessary to scan a third site. If you do not, the applet will not connect to the target server, giving output similar to this:

port 63351: trying TCP="tactical media"; no connection;[]: cannot connect to ""

This is because the applet loaded from (in this case) is trying to connect to another server ( The target server is not being scanned. The only work around for a mass demonstration is to sign the applet code (which may require code modification for some browsers), or to encourage users to download the ztps archive and run it as a local application.

Java Code signing resources:

Excellent educational resource by Roedy Green
Signing Classes with the Netscape Object Signing Tool:
Signing Java Applets with Microsoft's Authenticode

Get a Certificate

Get Java

Users who wish to run ztps as an application can refer to the following resources. You will need to download a Java virtual machine suitable for Java 1.1.x programs.

Sun's Java site:

Java 2 Platform - install the Java runtime environment on your system and you can run ztps as a desktop application:

Related links on port scanning

Wired articles on the Draft Convention on Cyber-crime, a proposed international treaty that could make port scan illegal world wide.

Privacy a Likely Loser in Treaty
Dec 7th 2000,1283,40576,00.html
"[The treaty] could also make it illegal to distribute some kinds of security products used by system administrators to secure their networks against intruders."

Police Treaty a Global Invasion?
October 17th 2000,1283,39519,00.html
"Technical experts have said Article 6 of the measure, titled "Illegal Devices," could ban commonplace network security tools like crack and nmap, which is included with Linux as a standard utility."
(nmap is a sophisticated port scanner)

Draft Convention onCyber-crime (Council of Europe)

Wired article on Norwegian Supreme Court Decision:
Let the Web Server Beware

Dec 23 1998,1283,17024,00.html
"The essence of [the ruling] is that if you want to join the Internet, you have to assure that you're protected," said Gunnel Wullstein, president and CEO of Norman Data Security. "If you don't want to be visited, close your ports."