Security Basics mailing list archives
RE: application for an employment
From: "Craig Wright" <cwright () bdosyd com au>
Date: Tue, 28 Mar 2006 10:07:34 +1100
Assuming again that all points are public. An Internet connected host may not be public. An example of this world include a VPN server or a OWA system even. These could be on a separate non-private VPN making them private and not public. How do you know what is "public" and what is "private". Further if private and public services are on the same host but using differently ports you may just be asking for trouble. Still it is a little risky for me. I have do a lot of valid tests where taking all precautions a system had rebooted. Criminally charged because of an accident is not a case I would like to be in. Being that the action is going to be held as negligent than you are still likely to be found guilty if damage was proved from the outage (a fair possibility dependant on the system). Again, A simple SYN scan is not likely to get you into trouble - but why take the risk. A Nessus scan does far more than this and checking vulnerabilities requires that a connection is made in most instances. At the end of the day much of this will depend on the ability of the lawyers on each side and if the prosecutor has a point to make.
From a point of hiring the person, the risk is above the limit I would
accept and this means that they would not have a hope of getting my sign-off. Being that I work for a professional services firm (Chartered), the acts and standards that apply to the profession would not allow this type of action, so how could we take a risk to the firm (different to a Uni of course) that the prospect would amend his/her ways? Regards Craig -----Original Message----- From: Soderland, Craig [mailto:craig.soderland () sap com] Sent: 28 March 2006 9:54 To: Craig Wright Subject: RE: application for an employment Craig, All valid points. But, One point to contend with is that, if he is crossing the public network to conduct a port scan on the public segment, then in effect he is not crossing private property. this would be analogous to you walking down the street and knocking on the doors to shops. If I know and see that the door is open when I believe it should be closed, there can be no trespass as I have of yet not crossed into the private arena. This would be analogous to scanning a public web site and seeing that the server was listening on 135/139 TCP. Unless the server Reboots, there is no harm, and since it is a public facing system, there can be no trespass, unless I attempt to establish a connection. If I do a Syn scan there is no possible chance of a connection, only a confirmation of what the server is listening to and responding on. At this point I believe a prosecutor would be hard pressed to prove trespass, and providing a reboot did not occur at this time prove harm. Though like you said companies like Sony who have deep pockets may not try to throw money at the situation to prove otherwise. Cheers! Liability limited by a scheme approved under Professional Standards Legislation in respect of matters arising within those States and Territories of Australia where such legislation exists. DISCLAIMER The information contained in this email and any attachments is confidential. If you are not the intended recipient, you must not use or disclose the information. If you have received this email in error, please inform us promptly by reply email or by telephoning +61 2 9286 5555. Please delete the email and destroy any printed copy. Any views expressed in this message are those of the individual sender. You may not rely on this message as advice unless it has been electronically signed by a Partner of BDO or it is subsequently confirmed by letter or fax signed by a Partner of BDO. BDO accepts no liability for any damage caused by this email or its attachments due to viruses, interference, interception, corruption or unauthorised access. --------------------------------------------------------------------------- EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE The Norwich University program offers unparalleled Infosec management education and the case study affords you unmatched consulting experience. Tailor your education to your own professional goals with degree customizations including Emergency Management, Business Continuity Planning, Computer Emergency Response Teams, and Digital Investigations. http://www.msia.norwich.edu/secfocus ---------------------------------------------------------------------------
Current thread:
- RE: application for an employment, (continued)
- RE: application for an employment Craddock, Larry (Mar 27)
- RE: application for an employment Woods_Beau (Mar 27)
- RE: application for an employment David Gillett (Mar 27)
- RE: application for an employment Murad Talukdar (Mar 28)
- RE: application for an employment Soderland, Craig (Mar 27)
- RE: application for an employment Craig Wright (Mar 27)
- RE: application for an employment David Gillett (Mar 27)
- RE: application for an employment Craig Wright (Mar 27)
- RE: application for an employment Andrew Williams (Mar 27)
- RE: application for an employment Craig Wright (Mar 28)
- RE: application for an employment Craig Wright (Mar 28)
- RE: application for an employment Craig Wright (Mar 28)
- RE: application for an employment Craig Wright (Mar 28)
- Re: application for an employment Cesc (Mar 29)
- RE: application for an employment Craig Wright (Mar 29)
- RE: Spam:RE: application for an employment Mark Gorman (Mar 29)
- Re: Spam:RE: application for an employment Ian Scott (Mar 30)
- RE: Spam:RE: application for an employment Mark Gorman (Mar 29)
- RE: application for an employment Craig Wright (Mar 29)
- RE: application for an employment Murad Talukdar (Mar 29)
- RE: application for an employment Craddock, Larry (Mar 29)
- Re: application for an employment Ansgar -59cobalt- Wiechers (Mar 30)
(Thread continues...)
- RE: application for an employment Craddock, Larry (Mar 27)