Security Basics mailing list archives
Re: application for an employment
From: Ansgar -59cobalt- Wiechers <bugtraq () planetcobalt net>
Date: Tue, 4 Apr 2006 21:56:44 +0200
On 2006-04-03 Ramsdell, Scott wrote:
> Craig Wright has tried exhaustively to clear this issue up.

I'm not sure *what* Craig tried, but I proved every single one of his arguments wrong. I have also shown that every law he referenced to support his claims did not apply at all to the discussed matter.

> David Gillett provided an excellent "throw a rock at a window to see if it's open" analogy.

I have my issues with this analogy, since a rock is much more likely to break a window than a portscan is likely to break a computer, but I'll agree that it's one of the more fitting analogies. [...]

> The points I would like to address are that (1) IP addresses are public (the point was inferred then that the public can do with them as they will), and (2) how does Google get permission to visit my site?
> [...]
> The following will get you arrested at my family's businesses:
> 1) coming in through the back door, locked or not, even during business hours (analogous to coming in on an admin port)
> 2) coming in through the window, locked or not, even during business hours (analogous to coming in on an unknowingly improperly configured service's port)

This analogy doesn't really fit, because (almost) each of the 2 x 65535 doors (ports) of a computer is a shop of its own. A customer cannot know which shop was opened purposely and which wasn't. At least not before entering the shop.

> 3) standing in the front doors and not letting others in (analogous to a DoS)

Undisputedly illegal and not subject to this discussion.

> 4) continuously entering and leaving the front doors, preventing others from coming or going (analogous to a half-open SYN attack)

This is a DoS as well.

> 5) entering the premises through the publicly available front door and shoplifting (analogous to coming in over port 80 and stealing my documents you weren't supposed to have)

Undisputedly illegal and not subject to this discussion.

> 6) standing out front of my family's publicly available store with no intent to enter, talking to customers (gathering reconnaissance, perhaps to have an adult purchase alcohol or cigarettes (MitM attack), loosely analogous to port scanning)

Undisputedly illegal, not subject to this discussion, and in no way analogous to port scanning.

> 7) standing across the street and staring at the store for an extended period of time (gathering reconnaissance, perhaps to find social engineering possibilities, again loosely analogous to a port scan)

Of arguable legality, but still not analogous to port scanning and not subject to this discussion.

> 8) posing as a vendor/supplier/etc. (analogous to impersonation)

Undisputedly illegal and not subject to this discussion.

> Each of the above real world possibilities would be precipitated with "casing". "Casing" is illegal, because of the intent. My family's stores are "public". That in no way implies the public has any say over how the resources of the store are used. Abuses will be punished.

This is also undisputed.

> How does the public get approval to enter the stores? By using the front door and obeying commonly understood and accepted social practices.
But on the Internet "using the front door" is "connecting to an open port". If anything, then "using an exploit" would be similar to "using the back door".

Regards
Ansgar Wiechers
--
"All vulnerabilities deserve a public fear period prior to patches becoming available."
--Jason Coombs on Bugtraq