Security Basics mailing list archives
RE: application for an employment
From: "David Gillett" <gillettdavid () fhda edu>
Date: Thu, 30 Mar 2006 15:29:30 -0800
-----Original Message----- From: Ansgar -59cobalt- Wiechers [mailto:bugtraq () planetcobalt net] Sent: Thursday, March 30, 2006 10:35 AM To: security-basics () securityfocus com Subject: Re: application for an employment On 2006-03-30 David Gillett wrote:The legitimate reason you have is the simple fact that youdon't haveany other option of determining what services are available on a given host or range of hosts.Yes you do.No, I don't. There are some exceptions, where I don't have to, but in general there is no way of finding out other than actually connecting to the service.Suppose you want to send me an email. By your argument,your onlyoption is to scan our whole address block(s!) looking for machines that will answer on port 25. Bzzzt! WRONG! Do a DNS lookup for the MX records for our domain.So, how do I do a DNS lookup without somehow accessing port 53/udp of a DNS server that I do not own? How do I get permission to do that?
You don't. You send your DNS query to a server you *do* have permission to access, and it queries servers that *it* has permission to, and so on. By registering our domain, we've given the root servers permission to refer queries *about our domain* to the servers we've registered.
Suppose you want to register online to take courses here.By yourargument, your only option is to scan our address space forhosts thatanswer on ports 80 and 443. Bzzzt! WRONG! Point your browser at the college homepage (you could Google for it) and follow the links to "Registration".So, how does Google get the address of your webserver? Or permission to access/index it? How do I get permission to access Google? And how does a listing of $something in Google give me the permission to access it?
AFAIK, Google still supports a mechanism for telling them about specific pages to be indexed. And their spider plays by the robots.txt rules, which your port scanner probably does not.
Suppose you want to compromise one of our hosts to set up a warez server. By your argument, your only option is to scan our address space looking for a host running a service for which you have an exploit available. Uh, wait. You just lost the qualifier "legitimate".I was by no means talking about exploits. In fact I expressly stated that one may be held liable when breaking something (which you obviously chose to ignore for whatever reason).
Oh, okay, let's exclude all non-legitimate examples. Then give me a legitimate one, please, that I *can't* knock down.
If I want you to be able to use a service X on host Y, Iwill findsome way to advertise that service. If I don't advertisethe service,it may be something that I don't even know is there -- perhaps installed silently by the OS or some legitimate application, or perhaps by some cracker. In neither case is there apresumption thatI'm inviting you to use it, if only you can find it.That's ridiculous and you know it. The Internet does not have advertisement mechanisms for services. The network is public and so is every service on it. It was your decision to put the box into a public network and there are ways to know what services it provides (and to disable those services you don't want to provide). I cannot know if you made a service available on purpose, and I do not have to assume that you didn't. If I had to, the Internet would have to be shut down right this second.
I've already listed two "advertising" mechanisms, without going into silly proprietary endeavors like SLP.
Bottom line: If you don't want your property trespassed, don't put it into public places.
Our data center is not, by any stretch, a public place. By your analogy, my lawn becomes a public parking lot because a driveway connects it to the street. Once again, "Bzzzt! Wrong."
Regards Ansgar Wiechers -- "All vulnerabilities deserve a public fear period prior to patches becoming available." --Jason Coombs on Bugtraq
David Gillett --------------------------------------------------------------------------- EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE The Norwich University program offers unparalleled Infosec management education and the case study affords you unmatched consulting experience. Tailor your education to your own professional goals with degree customizations including Emergency Management, Business Continuity Planning, Computer Emergency Response Teams, and Digital Investigations. http://www.msia.norwich.edu/secfocus ---------------------------------------------------------------------------
Current thread:
- Re: application for an employment, (continued)
- Re: application for an employment Cesc (Mar 29)
- RE: application for an employment Craig Wright (Mar 29)
- RE: Spam:RE: application for an employment Mark Gorman (Mar 29)
- Re: Spam:RE: application for an employment Ian Scott (Mar 30)
- RE: Spam:RE: application for an employment Mark Gorman (Mar 29)
- RE: application for an employment Craig Wright (Mar 29)
- RE: application for an employment Murad Talukdar (Mar 29)
- RE: application for an employment Craddock, Larry (Mar 29)
- Re: application for an employment Ansgar -59cobalt- Wiechers (Mar 30)
- RE: application for an employment David Gillett (Mar 30)
- Re: application for an employment Ansgar -59cobalt- Wiechers (Mar 30)
- RE: application for an employment David Gillett (Mar 31)
- Re: application for an employment Ansgar -59cobalt- Wiechers (Mar 31)
- Re: application for an employment Ansgar -59cobalt- Wiechers (Mar 30)
- Re: application for an employment Ansgar -59cobalt- Wiechers (Mar 31)
- Re: application for an employment Ansgar -59cobalt- Wiechers (Mar 31)