Security Incidents mailing list archives

Re: Positive response from provider re: incident report

From: Dave Salovesh <salovesh () RAMASSOCIATES COM>
Date: Mon, 12 Feb 2001 16:42:22 -0500

-----Original Message-----
From: Mark Challender [mailto:MarkC () mtbaker wednet edu]
Sent: Monday, February 12, 2001 2:53 PM

 Wow!  You seem to be saying that because someone leaves a
door accidentally
unlocked and then someone comes in and uses your property
that a person
should just clean up and forget about it?


I don't seem to be saying that at all - you did.  If I had wanted to say
that, I would have.  Try and stay with me here...  ;-)

The network itself is -all- doors, and most of them are open without
question to anyone who can reach them.  Dozens of routers, firewalls,
proxies, and servers are a few hops away, and hardly a one will try to
restrict me from using the services that are offered there.  Routers route
me.  Proxies proxy me.  Firewalls, well, they keep me in line while they let
me through, if that's what they're supposed to do...

But please keep clear on this - I'm not talking about someone "jiggling
doorknobs", "coming into my home", or "taking my car out for a drive and not
putting any gas in the tank" - I'm talking about me running a server that's
connected to an accessible network, where there are some services I'd like
to offer to the "public", some I'd like to offer privately, and some I don't
want to offer anyone.  This situation didn't sneak up on me - I didn't bake
a cake and discover an FTP server in it - I set out to do this, and I didn't
get it right.  It is my job to configure all those services correctly, isn't
it?

So how the heck is J. Random Luser supposed to be held accountable for
entering an area I should have locked, when the rest of the network isn't
locked at all and isn't supposed to be?  I can't say I didn't know she was
out there, I can't say she should have known that I meant to lock it, and I
can't say I didn't know she might come jiggling on the doorknob (oops) so
what's my excuse, that I thought she'd play nice?

We can say "it's obvious", or that "they never got permission", but what
does that really mean when we fail to use obvious means to regulate the
permissions in the first place?

--
Dave Salovesh
RAM Associates, Inc.
(202) 543-3635

Current thread:

Positive response from provider re: incident report Sean Brown (Feb 10)
- <Possible follow-ups>
- Re: Positive response from provider re: incident report Mark Challender (Feb 10)
- Re: Positive response from provider re: incident report Dave Salovesh (Feb 12)