Security Basics mailing list archives
Re: application for an employment
From: Ansgar -59cobalt- Wiechers <bugtraq () planetcobalt net>
Date: Fri, 31 Mar 2006 23:41:55 +0200
On 2006-03-31 David Gillett wrote:
> From: Ansgar -59cobalt- Wiechers [mailto:bugtraq () planetcobalt net]
>> You're contradicting yourself. A root server may refer my query to your server, but it's still my server connecting to your server to do the actual query, thus it must somehow have gotten your permission. Besides, how do I get permission to access the root servers or any other upstream DNS server not owned by myself?
> Your ISP tells you about a DNS server you may use, either textually when you contract for their services, or automatically via DHCP (or both). That server may later inform you of other services for which permission has been arranged.
I was expecting this answer. I was also expecting that you'd not say anything about how I or my ISP get permission to access the root servers.
>>> AFAIK, Google still supports a mechanism for telling them about specific pages to be indexed. And their spider plays by the robots.txt rules, which your port scanner probably does not.
>> That doesn't answer the questions. To read a robots.txt the spider must already have connected to your server. How does Google get permission to do that? And how do I get permission to access Google?
> Google pays money to television networks to tell the world: come connect to our servers *VIA HTTP (PORT 80)*.
Maybe they do in the US. They don't do it here (at least I haven't seen any TV ads). I repeat: how do I get permission to access Google? How do I get permission to use other public services that don't spend money on TV ads?
> Google doesn't give you permission to portscan them by doing so.
A connect to a port is a connect to a port. It doesn't matter which way it is done.
> Google doesn't port-scan; it follows links on public pages, just as a user could. It has to assume, reasonably, that links on public pages are probably to other public pages. If some miscreant publicly posts a link to a page that's not supposed to be public, the poster is liable, not people or programs that follow the link *in good faith*.
To follow links they have to connect to port 80 of the web servers. And they have to get started somewhere. So: how do they get permission to access the starting point? What makes Google different from me running my own search engine? And I wouldn't bet on Google not portscanning.
>>> Oh, okay, let's exclude all non-legitimate examples. Then give me a legitimate one, please, that I *can't* knock down.
>> I already gave you some. Up to now you failed to knock them down. In fact you didn't answer a single question of mine.
> I believe I've responded to everything that looked like a sensible question. If you don't agree, we may have reached the bounds of rational discourse.
Very clever. But wrong. I repeated some of my questions above. And you still failed to explain what makes a connect to port 80 different from a connect to port 81.
>>> I've already listed two "advertising" mechanisms, without going into silly proprietary endeavors like SLP.
>> Neither of them would work if you were right, and both of them are very specific in their advertisements. I repeat: there is no general advertisement mechanism for services in the Internet. And I still can neither know nor assume that any service is not provided purposely, unless it requires authentication of some sort.
> Since they *DO* work, millions of times a day, obviously your theory that they wouldn't fails to account for reality.
I didn't say they don't work. I said they wouldn't *IF* your claim was right.
> You cannot *legally* assume that any service *is* provided purposely, unless told so and invited to use it.
Of course I can, unless there is some sort of authentication mechanism. [...]
>>>> Bottom line: If you don't want your property trespassed, don't put it into public places.
>>> Our data center is not, by any stretch, a public place.
>> Does it have a public IP address? Does it provide services towards the Internet? If so: how can it *not* be a public place?
> Certainly it has a connection to other network facilities. You know what? THEY are not public places either -- they are OWNED by entities who enforce policies of access and behaviour.
Enforced access policies are a different story.
> Is your phone a public place?
Sure enough. It can be called by anyone who dials my number.
> Is your house a public place because it contains your phone?
No. It's a public place because it has a door and a bell. Anyone can walk up to it and ring the bell.
> Is the public invited to call you, 24-7, to find out if you're awake or not, because of course there's no other general mechanism to tell whether you're awake or not, ergo your phone number constitutes an invitation to the world to call whenever they want to find out.
Of course anyone can call me anytime they want. There is exactly nothing I can do against it. However, people may find that I refuse to accept their call depending on the time they call.
> No, I don't think so.
You think wrong. Again.

Regards
Ansgar Wiechers
--
"All vulnerabilities deserve a public fear period prior to patches becoming available."
--Jason Coombs on Bugtraq