Security Basics mailing list archives

Re: application for an employment


From: Ansgar -59cobalt- Wiechers <bugtraq () planetcobalt net>
Date: Tue, 4 Apr 2006 21:56:44 +0200

On 2006-04-03 Ramsdell, Scott wrote:
> Craig Wright has tried exhaustively to clear this issue up.

I'm not sure *what* Craig tried, but I proved every single one of his
arguments wrong. I have also shown that every law he referenced to
support his claims did not apply at all to the discussed matter.

> David Gillett provided an excellent "throw a rock at a window to see
> if it's open" analogy.

I have my issues with this analogy since a rock is much more likely to
break a window than a portscan is likely to break a computer, but I'll
agree that it's one of the more fitting analogies.

> [...]
> The points I would like to address are that (1) IP addresses are
> public (the point was inferred then that the public can do with them
> as they will), and (2) how does Google get permission to visit my
> site?
> [...]
> The following will get you arrested at my family's businesses:
> 
> 1)    coming in through the back door, locked or not, even during
> business hours (analogous to coming in on an admin port)
> 2)    coming in through the window, locked or not, even during business
> hours (analogous to coming in on an unknowingly improperly configured
> service's port)

This analogy doesn't really fit, because (almost) each of the 2x 65535
doors (ports) of a computer is a shop of its own. A customer cannot know
which shop was opened purposely and which wasn't. At least not before
entering the shop.

> 3)    standing in the front doors and not letting others in (analogous
> to a DoS)

Undisputedly illegal and not subject to this discussion.

> 4)    continuously entering and leaving the front doors, preventing
> others from coming or going (analogous to a half-open syn attack)

This is a DoS as well.

> 5)    entering the premises through the publicly available front door
> and shoplifting (analogous to coming in over port 80 and stealing my
> documents you weren't supposed to have)

Undisputedly illegal and not subject to this discussion.

> 6)    standing out front of my family's publicly available store with no
> intent to enter talking to customers (gathering reconnaissance,
> perhaps to have an adult purchase alcohol or cigarettes (MitM attack),
> loosely analogous to port scanning)

Undisputedly illegal, not subject to this discussion, and in no way
analogous to port scanning.

> 7)    standing across the street and staring at the store for an
> extended period of time (gathering reconnaissance, perhaps to find
> social engineering possibilities, again loosely analogous to a port
> scan)

Of arguable legality, but still not analogous to port scanning and not
subject to this discussion.

> 8)    posing as a vendor/supplier/etc. (analogous to impersonation)

Undisputedly illegal and not subject to this discussion.

> Each of the above real world possibilities would be precipitated with
> "casing". "Casing" is illegal, because of the intent.
> 
> My family's stores are "public". That in no way implies the public has
> any say over how the resources of the store are used. Abuses will be
> punished.

This is also undisputed.

> How does the public get approval to enter the stores? By using the
> front door and obeying commonly understood and accepted social
> practices.

But on the Internet "using the front door" is "connecting to an open
port". If anything, then "using an exploit" would be similar to "using
the back door".

Regards
Ansgar Wiechers
-- 
"All vulnerabilities deserve a public fear period prior to patches
becoming available."
--Jason Coombs on Bugtraq
