Demonstration of Concept

What is a port?

A port is an abstraction for the connection points used for network services, such as e-mail and the WWW. Every computer connected to the Internet has 65536 ports through which other computers on the net might establish socket connections. Common services such as http (the web) and e-mail are implemented as socket connections, using standard ports such as 80 (http), and 25 (smtp).

What is a port scan?

It is possible, actually common, to attempt to make socket connections on a server's multitude of ports in order to determine what services reside on that machine.

Why scan ports?

Port scans should be non-controversial. If your machine is connected to the Internet, you are exposing all of your ports, and you should expect connection attempts on any of them. Because a port scan is sometimes, very rarely, a prelude to hacking attempts, many fascist leaning system administrators mistakenly classify the port scan itself as a hostile act. But just because a port scan may on rare occasions reveal an exploitable weakness, it is not the same as actually exploiting the weakness. It is no different in principle from counting the windows and doors of a secure building from a public sidewalk. If a machine is on the public Internet, the ports are visible from that public sidewalk. It is the responsibility of building security to evaluate any threat, no law can be passed against looking. (Except under fascism, of course.)

Who is paranoid about their ports?

Typically it is the most powerful who can afford the high cost of total paranoia. Some systems utilize sophisticated security software that report on every attempted connection, or warn administrators about large numbers of unusual connection attempts. From this you may draw your own conclusions about exactly whose machines and people are likely to pay attention to the kind of tribal scan that ZTPS performs.

What is Tribal?

Tribal is a term that refers to the use of more than one computer (their different network identities), to distribute the work. The Zapatista Tribal Port Scan uses the Java Virtual Machine available in all standard web browsers to implement the port scan. The participating user simply visits the web site URL of a ZTPS implementation, and the scanning begins. Designed to be opened in a smallish browser window and minimized for all day scanning at home, work, or school, the ZTPS applet will scan a random port on a particular machine (chosen by the implementers posting the ZTPS site), from once per minute to once per hour, selectable by the user. Using both TCP and UDP socket connections, ZTPS may be configured to randomly select from an implementer-selected list of text messages, some of which may be logged by targeted machines. (Messages flying over the fence.) A download button in the applet interface makes it easy for users to download ready-to-implement software, and full source code for their own purposes, (or for modification). ZTPS effectiveness improves with the number of participating user/activists, so collective participation, as always, is very important.

Why a Zapatista Port Scan?

The Zapatistas are winning the war. Their intelligent and calculated application of the responsibility to risk, their creativity and conceptual edge in terms of activism, and their commitment to provocative transgressions that turn the opposition's borders into Zapatista assets, all point toward port scanning as an activist tool, and conceptual art. (Remember that Subcomandante Marcos was a Professor of Digital Media.)

EDT offers ZTPS to the community of net activists and artists with a few requests. Please improve, mutate, grow and spread the code. (Click the download button in the ztps interface for a complete archive.) Please also think of the system administrators who will pick up your packet airplanes when they land in the security logs on the other side of the fence;-)

Implementation

1. The participant/user enters the URL of a signed ztps implementation their web browser. The ztps then loads into the web browser and begins scanning the domain pre-selected by the implementers of the ztps web site. Code signing is necessary (more info below), because the ztps applet must be granted special permission to make a network socket connection to any server other than the one from which it itself loaded. (see demonstration link below for an unsigned sample)
2. Participants or users may download ztps, and run it locally as a desktop Java application on any platform/OS that has an available Java Virtual Machine. (Almost all platforms/OS) When running ztps as an application, there are no applet security restrictions, so code signing is unnecessary. When used as an application, the user can choose which site to scan instead of having that choice made by the implementer of a ztps web site. To download a complete archive including source, visit the link below and click the download button in the ztps interface.

Code signing:

port 63351: trying TCP="tactical media"; no connection; com.ms.security.SecurityExceptionEx[socketChecker.run]: cannot connect to "www.whitehouse.gov"

This is because the applet loaded from (in this case) switch.sjsu.edu is trying to connect to another server (www.whitehouse.gov). The target server is not being scanned. The only work around for a mass demonstration is to sign the applet code (which may require code modification for some browsers), or to encourage users to download the ztps archive and run it as a local application.

Java Code signing resources:

http://www.securingjava.com
Signing Classes with the Netscape Object Signing Tool:
http://www.securingjava.com/appdx-c/appdx-c-1.html
Signing Java Applets with Microsoft's Authenticode
http://www.securingjava.com/appdx-c/appdx-c-2.html

Get a Certificate
http://www.verisign.com
http://www.thawte.com/

Get Java

Sun's Java site:
http://java.sun.com/

Java 2 Platform - install the Java runtime environment on your system and you can run ztps as a desktop application:
http://java.sun.com/j2se/1.3/

Related links on port scanning

Privacy a Likely Loser in Treaty
Dec 7th 2000
http://www.wired.com/news/politics/0,1283,40576,00.html
"[The treaty] could also make it illegal to distribute some kinds of security products used by system administrators to secure their networks against intruders."

Police Treaty a Global Invasion?
October 17th 2000
http://www.wired.com/news/politics/0,1283,39519,00.html
"Technical experts have said Article 6 of the measure, titled "Illegal Devices," could ban commonplace network security tools like crack and nmap, which is included with Linux as a standard utility."
(nmap is a sophisticated port scanner)

Draft Convention onCyber-crime (Council of Europe)
http://conventions.coe.int/treaty/EN/projets/projets.htm

Wired article on Norwegian Supreme Court Decision:
Let the Web Server Beware

Dec 23 1998 http://www.wired.com/news/politics/0,1283,17024,00.html
"The essence of [the ruling] is that if you want to join the Internet, you have to assure that you're protected," said Gunnel Wullstein, president and CEO of Norman Data Security. "If you don't want to be visited, close your ports."