Well scanning has some useful security research applications. The part about scanning the whole internet is useful if you want to do larger scale research (like how many % of the internet run telnet).
In addition masscan is really interesting from a software engineering perspective. They do kernel bypass to talk to network drivers directly, have a custom TCP stack, custom mutexes, etc. All of that to be able to reach ~1.5M packets per second (from the README), allowing someone to scan the whole IPv4 range in 6 minutes. Really impressive work.
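From the receiving end, a whole-internet SYN sweep like the one described above shows up in a network's firewall logs as one source touching the same port on many hosts in a few seconds, while a targeted probe shows up as one source touching many ports on one host. The following is an added example (not part of this thread and not masscan's own code) of how a defender could flag both shapes from connection logs; the log line format, the thresholds and the sample addresses (documentation ranges) are all assumptions constructed for the example.

```python
"""Flag port-sweep patterns in firewall connection logs.

Added example: detects the two shapes a SYN scanner leaves in a defender's
logs -- a horizontal sweep (one port, many hosts) and a vertical scan (many
ports, one host) -- by counting distinct targets per source inside a time
window. The log format and the thresholds are assumptions, not any vendor's.
"""
import re
from collections import defaultdict
from datetime import datetime, timezone

# Assumed log format: "<iso-ts> src=<ip> dst=<ip> dport=<n> proto=tcp flags=<tcp flags>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
    r"dport=(?P<dport>\d+) proto=tcp flags=(?P<flags>\S+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts.timestamp(), "src": m["src"], "dst": m["dst"],
            "dport": int(m["dport"]), "flags": m["flags"]}


def classify_sources(lines, window_s=60, host_threshold=10, port_threshold=10):
    """Return {src: label}, label being 'horizontal_sweep', 'vertical_scan' or 'benign'.

    Only initial SYNs (flags=S) are counted: an established flow produces many
    packets but only one connection attempt, so data packets must not inflate
    the counts.
    """
    per_src = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev and ev["flags"] == "S":
            per_src[ev["src"]].append(ev)

    verdict = {}
    for src, events in per_src.items():
        events.sort(key=lambda e: e["ts"])
        label = "benign"
        j = 0
        for i in range(len(events)):
            # Slide the window end forward so events[i:j] spans at most window_s seconds.
            while j < len(events) and events[j]["ts"] - events[i]["ts"] <= window_s:
                j += 1
            window = events[i:j]
            hosts = {e["dst"] for e in window}
            ports = {e["dport"] for e in window}
            if len(hosts) >= host_threshold and len(ports) == 1:
                label = "horizontal_sweep"
                break
            if len(ports) >= port_threshold and len(hosts) == 1:
                label = "vertical_scan"
                break
        verdict[src] = label
    return verdict


def _constructed_log():
    """Constructed sample log (documentation-range addresses), not captured traffic."""
    base = "2024-05-01T10:00:{:02d}Z"
    lines = []
    # Source A: telnet sweep, port 23 on 12 hosts within 3 seconds.
    for n in range(12):
        lines.append(f"{base.format(n // 4)} src=203.0.113.5 "
                     f"dst=198.51.100.{10 + n} dport=23 proto=tcp flags=S")
    # Source B: vertical scan, 12 ports on one host.
    for n, port in enumerate([21, 22, 23, 25, 80, 110, 143, 443, 445, 3306, 3389, 8080]):
        lines.append(f"{base.format(n)} src=203.0.113.77 "
                     f"dst=198.51.100.20 dport={port} proto=tcp flags=S")
    # Source C: ordinary client, three HTTPS connections each followed by data.
    for n in range(3):
        lines.append(f"{base.format(n * 10)} src=192.0.2.40 "
                     f"dst=198.51.100.30 dport=443 proto=tcp flags=S")
        lines.append(f"{base.format(n * 10 + 1)} src=192.0.2.40 "
                     f"dst=198.51.100.30 dport=443 proto=tcp flags=PA")
    return lines


SAMPLE_LOG = _constructed_log()

if __name__ == "__main__":
    for src, label in sorted(classify_sources(SAMPLE_LOG).items()):
        print(f"{src:15} {label}")
```

The thresholds are deliberately loose; in practice a single probe from a whole-internet survey touches each network only once per port, so the horizontal pattern is what such surveys look like from inside a /24, and tuning `host_threshold` against the size of the monitored range matters more than the window length.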
There's an argument to be made that if your system accepts a connection, then that's permission to connect.
If it then accepts an HTTP request, as these folks have, then that's permission to continue with the request.
If they didn't want to accept any connections, they should've closed the port.
If they only wanted authorised users to connect, they should put an authorisation requirement on the connection.
As for your statement that there's no valid research purpose, that's your assertion, a lot of people will disagree.
What a machine does in response to a network packet does not prove the intent of the owner of the system. Otherwise RCEs and local privilege escalations would be permission to do as you will to any system which is susceptible to them.
Is it valid to research untreated syphilis in black men? Yes. Is it valid to research untreated syphilis in black men without their permission and informed consent? No.
That's pretty much a text-book straw-man argument. Two of them, actually.
We're not discussing the morals of human research, we're discussing IT security, and specifically in scenarios that are unlikely in the extreme to lead to any physical harm to people.
We're also not talking about trying to sabotage or attack a system.
Standard, well-formed web requests on standard HTTP sockets, made infrequently are very unlikely to cause problems on any system that's not outright deliberately misconfigured.
> Is it valid to research untreated syphilis in black men without their permission and informed consent? No.
The Tuskegee Syphilis Study was inappropriate because they purposely withheld information about the diagnosis and lied about the efficacy of the treatments they were giving.
The problem wasn't that they conducted the research without telling the patients. Obviously the patients were aware that they were part of a research effort, since they directly interacted with the clinicians conducting it.
This isn't exploiting a vulnerability. If I knock on your door and you open it and invite me in, you don't get to complain about how I'm trespassing. If your server responds to traffic on a port, then it's completely fair to conclude that you're okay with that.
Then upon them discovering that it's open to the world, their first response shouldn't be to blame the people connecting, but themselves for leaving it open.
Huge numbers of people have done this, I've certainly done it in the past when I knew less.
Discovering that the webserver logfiles were rather larger than I expected, or that HTTP Traffic was through the roof... oh, right, I left something open, better close that and remember it for next time.
Just chiming in from the other sub-thread to say that I actually agree with you on this point. A misconfigured access control policy isn't grounds to assume that you have access.
However I don't think it's a reasonable assumption that the open status of TCP ports is supposed to be private information.
It's valid to perform research on Earth by taking satellite photos and examining them for land cover use. It's valid to use a laser range finder to map the land elevation of the entire planet. Among the various governments which have done this, Airbus has as well. Presumably to ensure nobody flies a plane into a mountain.
If it's valid to shine a laser pulse from space/the sky onto the entire surface of the Earth (private property included) to determine the elevation of everything, it's valid to send TCP SYNs out to the entire surface of the internet.
That's a poor analogy. The outside colors of the majority of the homes in your neighborhood effectively broadcast that information into the public sphere. A more analogous question is "Is it valid to conduct research about all the homes in the world by around and attempting to peer into all their windows to see if there are any interior bedrooms with pink walls and fluffy animals?"
Alternately, you could ask me "If a computer is broadcasting packets to my computer which is connected to a network port that I'm allowed to connect to, is it ok for me to note that?" In which case I'd say yes.
Scanning through windows to find fluffy animals is certainly getting closer to crossing an ethical boundary but it's not strictly illegal.
I also think that moves the analogy too far in the other direction. While it may not be the case that servers are actively "broadcasting" their port open status to all internet users, that's only because it would not be feasible to do so. It is not because port open status is supposed to be private or secret information, like the inside of my bedroom for example.
In fact TCP/IP is designed with the intention that anyone can check the port open status without authentication. It is part of the intended usage of the protocol, so presumably it is safe to assume that anyone using it is probably using it with that intention.
Wut? It's like saying that going around in a google car taking pictures of all doors has "no valid research purpose". (And yes, checking if the doors are opened or closed, or cataloguing their locks, would be fairly legitimate too; as long as one does not step into an actual property, at which point it's trespass.)