RE: application for an employment

[Mike Fetherston <mike_sha () shaw ca>]

> On 2006-03-29 Craddock, Larry wrote:
> > That may be how you interpret it but I think they're very analogous.
> > The point is simple ... no one has any legitimate business checking
> > the status of the doors and windows on my property and no one has any
> > legitimate business port scanning someone else's network. What
> > legitimate reason would I have in port scanning your network? Let me
> > answer that for you ... absolutely none. At best, my answer would be
> > curiosity and that doesn't qualify as legitimate.
>
> *sigh*
>
> I'd rather stayed out of this discussion, but since various people have
> shown a gross ignorance of the technial realities of the 'net I'll throw
> my 2 cent in.
>
> The legitimate reason you have is the simple fact that you don't have
> any other option of determining what services are available on a given
> host or range of hosts. It's absolutely ridiculous to think that one
> would need express permission to find out whether a shop is open or not.
> Or if there is a shop in the first place.
>
> Of course if your scan breaks something you may (or may not) be held
> liable for that, but that's a different story.

I agree.  Pointing a web browser to a server that does not offer any
http/https services could be thought of as a "port scan".  Same with
accidentally pointing anything, whether it be telnet, ssh, ftp, r*, or any
kind of network tool, at a server that does not offer those services.  A
connect has to be made to find out if you can use that service.  There is
nothing malicious in that.

It's easy to make the analogy between real-world private property and
trespass, but it simply doesn't equate well to the network world.  There's a
reason why they're called PUBLIC IP addresses.  Anybody that connects a
machine to the *public* internet should *expect* to be scanned.  This is
public information and can be freely used.  If scanning were illegal and
criminal, what of Netcraft?  What of search engine spiders?


Back to the OP's topic..  I wouldn't offer that information during the
interview or *even on the job*.  EDU's can be political and you don't want
to get mixed up in that.  You could use what information you've learned
about the school's network to help raise some awareness about what network
security is and what can be done if a network isn't secured.  Then go about
properly scanning the network both internally and externally with written
consent.

Sincerely,

Mike Fetherston




---------------------------------------------------------------------------
EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The Norwich University program offers unparalleled Infosec management
education and the case study affords you unmatched consulting experience.
Tailor your education to your own professional goals with degree
customizations including Emergency Management, Business Continuity Planning,
Computer Emergency Response Teams, and Digital Investigations.

http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------