Security Basics mailing list archives
RE: application for an employment
From: "Craig Wright" <cwright () bdosyd com au>
Date: Thu, 6 Apr 2006 11:55:57 +1000
Hello, What a lot of this argument comes down to is personal philosophy. Ansgar is of the side of the fence who believe that the Internet is a open public community, a commons with no restrictions. This is a fallacy. An ideal that many hold that has never been true. Unfortunately, for him and others like him, they do not realise that the Internet was never free or open. Arpanet was a US (and Australian - let us not forget) project aimed at the creation of a resilient network for then use of the military and government. Darpa (with the help of the Uni of Melbourne staff) started a project to formulate a network with built in survivability. [not nuclear attacks - just general switching failures]. The issue comes to property again. Even in the early days when the Internet was "open" and ideas where shared - access was not actually free. Way back, in a time long ago, I had access to an account on a PDP-11 that used a 75 baud modem connection. I did not have to pay - that is what family was for, but it was not free. It was access charged per cycle. There have been other listed posts "Death of the security community" for instance that reflect this perspective. Unfortunately, all of this has never really been the case. There has never been and never will be a glorified hacker utopia. A decade ago I was fairly active on the other side of the fence in view if not action. Post a brief stint in the military and in part to rebel against this I participated in lists such as Cypherpunks (using names like doshai etc) and others back then and like some of the people wanted to have an open world where all information is free and we can do anything we like. I grew up. We argued than like now that this firewall is better than that and thought that we where better than everyone else as we could code a C library and they could not. The "The great source code debate" was strong than as now and there seems to be no end. I used to issue 128 bit crypto patches to all of the Microsoft products in defiance of the US crypto laws. All offered free (and the act is now well past the limitations). Than, I too was foolish and had the belief that I could do what I like as many have touted. Luckily for me the world was a different place and most prosecutors could not email let alone hope to understand the complexities of a crypto algorithm. Seeing some of the effects when in the mid to late 90's I was the security manager for the ASX I came to see the effects of my views. That they where not valid. If you happen to be too busy to read and care as to what is written, this is no skin off my back. When I was coming up the ranks I also thought that I knew it all. The difference is that I have come to understand that I was wrong back than and that rights in a free country come with obligations. There is a duty not to interfere with the rights of others. The law recognises this, your belief in the fact does not alter it. So choose not to read the law, ignore the cases and state that you are right. Protest, complain and ignore the facts of the matter. This is your right (in a "free" country at least). If you think that I am a bit of a bastard, you should listen to somebody like Marcus Ranum - even better an after drinks at a conference version (no offence meant). He actually tries to get corporations to sue people who transgress their policy. I just spout civil rights. When somebody finally takes action against you, do not come crying to me for help. Regards, Craig -----Original Message----- From: Ansgar -59cobalt- Wiechers [mailto:bugtraq () planetcobalt net] Sent: 5 April 2006 5:57 To: security-basics () securityfocus com Subject: Re: application for an employment On 2006-04-03 Ramsdell, Scott wrote:
Craig Wright has tried exhaustively to clear this issue up.
I'm not sure *what* Craig tried, but I proved every single of his arguments wrong. I have also shown that every law he referenced to support his claims did not apply at all to the discussed matter.
David Gillett provided an excellent "throw a rock at a window to see if it's open" analogy.
I have my issues with this analogy since a rock is much more likely to break a window than a portscan is likely to break a computer, but I'll agree that it's one of the more fitting analogies. [...]
The points I would like to address are that (1) IP addresses are public (the point was inferred then that the public can do with them as they will), and (2) how does Google get permission to visit my site?
[...]
The following will get you arrested at my family's businesses: 1) coming in through the back door, locked or not, even during business hours (analogous to coming in on an admin port) 2) coming in through the window, locked or not, even during
business
hours (analogous to coming in on an unknowingly improperly configured service's port)
This analogy doesn't really fit, because (almost) each of the 2x 65535 doors (ports) of a computer is a shop of its own. A customer cannot know which shop was opened purposely and which wasn't. At least not before entering the shop.
3) standing in the front doors and not letting others in (analogous to a DoS)
Undisputedly illegal and not subject to this discussion.
4) continuously entering and leaving the front doors, preventing others from coming or going (analogous to a half-open syn attack)
This is a DoS as well.
5) entering the premises through the publicly available front door and shoplifting (analogous to coming in over port 80 and stealing my documents you weren't supposed to have)
Undisputedly illegal and not subject to this discussion.
6) standing out front of my family's publicly available store with
no
intent to enter talking to customers (gathering reconnaissance, perhaps to have an adult purchase alcohol or cigarettes (MitM attack),
loosely analogous to port scanning)
Undisputedly illegal, not subject to this discussion, and in no way analogous to port scanning.
7) standing across the street and staring at the store for an extended period of time (gathering reconnaissance , perhaps to find social engineering possibilities, again loosely analogous to a port scan)
Of arguable legality, but still not analogous to port scanning and not subject to this discussion.
8) posing as a vendor/supplier/etc. (analogous to impersonation)
Undisputedly illegal and not subject to this discussion.
Each of the above real world possibilities would be precipitated with "casing". "Casing" is illegal, because of the intent. My family's stores are "public". That in no way implies the public has
any say over how the resources of the store are used. Abuses will be punished.
This is also undisputed.
How does the public get approval to enter the stores? By using the front door and obeying commonly understood and accepted social practices.
But on the Internet "using the front door" is "connecting to an open port". If anything, then "using an exploit" would be similar to "using the back door". Regards Ansgar Wiechers -- "All vulnerabilities deserve a public fear period prior to patches becoming available." --Jason Coombs on Bugtraq ------------------------------------------------------------------------ --- EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE The Norwich University program offers unparalleled Infosec management education and the case study affords you unmatched consulting experience. Tailor your education to your own professional goals with degree customizations including Emergency Management, Business Continuity Planning, Computer Emergency Response Teams, and Digital Investigations. http://www.msia.norwich.edu/secfocus ------------------------------------------------------------------------ --- Liability limited by a scheme approved under Professional Standards Legislation in respect of matters arising within those States and Territories of Australia where such legislation exists. DISCLAIMER The information contained in this email and any attachments is confidential. If you are not the intended recipient, you must not use or disclose the information. If you have received this email in error, please inform us promptly by reply email or by telephoning +61 2 9286 5555. Please delete the email and destroy any printed copy. Any views expressed in this message are those of the individual sender. You may not rely on this message as advice unless it has been electronically signed by a Partner of BDO or it is subsequently confirmed by letter or fax signed by a Partner of BDO. BDO accepts no liability for any damage caused by this email or its attachments due to viruses, interference, interception, corruption or unauthorised access. --------------------------------------------------------------------------- EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE The Norwich University program offers unparalleled Infosec management education and the case study affords you unmatched consulting experience. Tailor your education to your own professional goals with degree customizations including Emergency Management, Business Continuity Planning, Computer Emergency Response Teams, and Digital Investigations. http://www.msia.norwich.edu/secfocus ---------------------------------------------------------------------------
Current thread:
- Re: Port scanning/illegalities, (continued)
- Message not available
- Re: Port scanning/illegalities Ansgar -59cobalt- Wiechers (Apr 05)
- RE: Port scanning/illegalities Ramsdell, Scott (Apr 06)
- Re: Port scanning/illegalities Ansgar -59cobalt- Wiechers (Apr 06)
- Re: Port scanning/illegalities Jeffrey F. Bloss (Apr 07)
- RE: application for an employment Kurt Reimer (Apr 06)
- RE: application for an employment David Gillett (Apr 06)
- RE: application for an employment Kurt Reimer (Apr 07)