[GabeIsko]

You give up consent for a device to not be scanned the second it is connected to the public internet. There are botnets that are continuously scanning all allocated IP blocks for potentially vulnerable devices - try logging requests to an open 22 port and take a look at the kinds of requests you get. That's the price you pay for connecting to an open world wide network.

Now the conduct and what the operators of a massive scanning operation intend to do with the data they have collected should be regulated, and punishments should be instilled by those who use this data to facilitate attacks on others. But the ship has sailed for consent to connections from other devices over the internet.

[EricMausler]

The Ship has not sailed. The ship is still on its way to port. Complete internet surveillance is arguably an unstoppable force on the way to shore.

I think when it gets here there is going to be a lot more trouble for cybersecurity experts due to a lack of clear understanding around what is considered legal activity or not from them. Right now the obscurity is something they hide in - they can choose whether or not to reveal they found a vulnerability.

But what if that's not always the case? What if you get "caught" before you are able to show you had no intentions of doing anything malicious?

We can have the trial by fire we usually do, and let a round of innocent people face unjust consequences and use them as martyrs to create new laws - or we can use some foresight and build some legal frameworks in advance that enable researchers to be "by the book" and not worry at all about legal repercussions

[GabeIsko]

I just don't think that sending port scans to random internet addresses is a big violation of privacy, or undue conduct for a government to participate in. Having your connection details public is the price you pay for connecting to the internet. If you don't like it, than run a private network and firewall the ports on your gateway - the default behavior of all consumer routers.

Quite simply, you will absolutely get portscanned if you have a port open to the public internet today. Try it. No doubt CIA has access to at least some of those botnets. We need policy protections that face the reality of the world we live in today, and harden devices that would like to communicate over the internet in an automated fashion. That includes punishments for operating massive, systemic botnets, but also some auditing of critical infrastructure that is publicly accessible.

For all their problems, certificate authorities have largely let us figure this stuff out on the internet browser side, and I would argue that has had a positive effect on privacy and security. Now it is time to do something similar for devices that connect to the internet in an automated way. For all it's

[EricMausler]

I agree on the subject, but I think we can leave port scans out of the discussion because they are not an issue as you suggest and still apply everything I am saying to other issues.

There would still be upside of potentially addressing the scan spam as well, though