Security Basics mailing list archives
RE: application for an employment
From: Mike Fetherston <mike_sha () shaw ca>
Date: Thu, 30 Mar 2006 12:19:50 -0500
On 2006-03-29 Craddock, Larry wrote:That may be how you interpret it but I think they're very analogous. The point is simple ... no one has any legitimate business checking the status of the doors and windows on my property and no one has any legitimate business port scanning someone else's network. What legitimate reason would I have in port scanning your network? Let me answer that for you ... absolutely none. At best, my answer would be curiosity and that doesn't qualify as legitimate.*sigh* I'd rather stayed out of this discussion, but since various people have shown a gross ignorance of the technial realities of the 'net I'll throw my 2 cent in. The legitimate reason you have is the simple fact that you don't have any other option of determining what services are available on a given host or range of hosts. It's absolutely ridiculous to think that one would need express permission to find out whether a shop is open or not. Or if there is a shop in the first place. Of course if your scan breaks something you may (or may not) be held liable for that, but that's a different story.
I agree. Pointing a web browser to a server that does not offer any http/https services could be thought of as a "port scan". Same with accidentally pointing anything, whether it be telnet, ssh, ftp, r*, or any kind of network tool, at a server that does not offer those services. A connect has to be made to find out if you can use that service. There is nothing malicious in that. It's easy to make the analogy between real-world private property and trespass, but it simply doesn't equate well to the network world. There's a reason why they're called PUBLIC IP addresses. Anybody that connects a machine to the *public* internet should *expect* to be scanned. This is public information and can be freely used. If scanning were illegal and criminal, what of Netcraft? What of search engine spiders? Back to the OP's topic.. I wouldn't offer that information during the interview or *even on the job*. EDU's can be political and you don't want to get mixed up in that. You could use what information you've learned about the school's network to help raise some awareness about what network security is and what can be done if a network isn't secured. Then go about properly scanning the network both internally and externally with written consent. Sincerely, Mike Fetherston --------------------------------------------------------------------------- EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE The Norwich University program offers unparalleled Infosec management education and the case study affords you unmatched consulting experience. Tailor your education to your own professional goals with degree customizations including Emergency Management, Business Continuity Planning, Computer Emergency Response Teams, and Digital Investigations. http://www.msia.norwich.edu/secfocus ---------------------------------------------------------------------------
Current thread:
- RE: application for an employment, (continued)
- RE: application for an employment Craig Wright (Mar 29)
- RE: application for an employment Murad Talukdar (Mar 29)
- RE: application for an employment Craddock, Larry (Mar 29)
- Re: application for an employment Ansgar -59cobalt- Wiechers (Mar 30)
- RE: application for an employment David Gillett (Mar 30)
- Re: application for an employment Ansgar -59cobalt- Wiechers (Mar 30)
- RE: application for an employment David Gillett (Mar 31)
- Re: application for an employment Ansgar -59cobalt- Wiechers (Mar 31)
- Re: application for an employment Ansgar -59cobalt- Wiechers (Mar 30)
- RE: application for an employment Craig Wright (Mar 29)
- Re: application for an employment Ansgar -59cobalt- Wiechers (Mar 31)
- Re: application for an employment Ansgar -59cobalt- Wiechers (Mar 31)