  • I mean a scan from the router to devices on the customer network. If the IoT device accepts a default password, block it.

    This is illegal.

    You cannot attempt to access a computer you do not have the right to access, and the act of trying a password is to do that.

    Either you prevent the spread of malware to avoid becoming part of a botnet (by blocking inbound traffic to certain ports) or you prevent a machine from doing anything to another once part of a botnet (by blocking outbound traffic to anything that isn't configured to be open by an end user).

    That's it. No other legal or practical solution exists.

    The ISP is the only one who could do either of the above, but unfortunately they have no incentive to do either right now (legal, economic, etc).
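    As an added illustration (not part of the thread), the two options above written as an nftables ruleset for a customer-premises router: unsolicited inbound from the WAN is dropped for every port rather than a chosen few, and outbound from the LAN is limited to a baseline plus an end-user-editable allowlist. Interface names, the baseline ports and the sample user entry are assumptions.

```nftables
# Added example, not from the thread. Interface names and port lists are assumptions;
# a vendor would expose the "user_outbound" set in the router's configuration UI.
define wan = "eth0"
define lan = "br0"

table inet cpe {
    # Outbound ports the end user has explicitly enabled (empty on first boot).
    set user_outbound {
        type inet_service
        flags interval
        elements = { 8883 }   # constructed sample: MQTT over TLS, enabled by the user
    }

    chain forward {
        type filter hook forward priority filter; policy drop;

        # Replies to connections the LAN device opened are always allowed.
        ct state established,related accept
        ct state invalid drop

        # Option 1: no unsolicited inbound to LAN devices. A blanket drop rather
        # than a per-port list, so telnet/23, SSH/22, vendor admin ports and
        # anything exposed later are all covered without per-device updates.
        iifname $wan oifname $lan drop

        # Option 2: outbound allowlist. Baseline services a device needs to
        # function (DNS, NTP, HTTP/HTTPS) plus whatever the user switched on.
        iifname $lan oifname $wan udp dport { 53, 123 } accept
        iifname $lan oifname $wan tcp dport { 53, 80, 443 } accept
        iifname $lan oifname $wan meta l4proto { tcp, udp } th dport @user_outbound accept

        # Everything else is logged (rate-limited) so the owner can see what a
        # device is trying to reach, then dropped by the chain policy above.
        iifname $lan oifname $wan limit rate 10/minute log prefix "cpe-outbound-blocked: "
    }
}
```

    Load with `nft -f` on the router; the log lines are what an end user (or the ISP's support desk) would use to decide whether a blocked destination belongs in `user_outbound`.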

  • Companies do it via vulnerability scans. Doesn't seem to be illegal there?

    But that's a business employing people, with the business either owning the assets or the user agreeing to the scans, not a business-to-consumer relationship.

    There's a whole discussion on The Reg on improving the devices themselves, but as they're made internationally with varying standards that's probably near impossible.

    Well who knows... the EU/USA/UK could pass laws on port blocking.. ;)

  • Companies do it via vulnerability scans. Doesn't seem to be illegal there?

    Anyone can scan and probe, document "this port appears to be accessible, it's port 22 so I'll presume this is SSH". This is legal.

    What you can't do is scan and probe and try lots of username:password pairs; this is covered by the Computer Misuse Act and various EU legislation. This is illegal.

    When companies do it to other companies, via penetration tests and other tests, this is legal because it is not a misuse of a computer if you've gained permission in advance. In this scenario the company would have contracted someone to try and gain access so that they have a list of things to do to then make sure that they are not vulnerable to real attackers. This is the "white hat" (we do it with your permission to keep you safe, and we tell you what we found in a responsible way) vs "black hat" (we don't ask permission, and do it for our own profit).

    Don't mistake the existence of white hat security companies to imply that their activities, if non-sanctioned by the party in question, would be legal. They would not.

    Well who knows... the EU/USA/UK could pass laws on port blocking.. ;)

    This would be naive.

    No law should state which ports should be blocked, as this would inhibit innovation and the evolution of the internet.

    A law should simply state that end user telecommunication services should be configured to provide minimal services at time of purchase, but to retain common carrier status the end user should be able to configure this to allow any service to be available.

    Also, there are privacy implications. Imagine if an application could be identified by its traffic or port numbers; the ISP having a database of which users have enabled that service means that they can be compelled to give up that information. So there are downsides.
