Security Incidents mailing list archives
Re: Positive response from provider re: incident report
From: Dave Salovesh <salovesh () RAMASSOCIATES COM>
Date: Mon, 12 Feb 2001 16:42:22 -0500
-----Original Message-----
From: Mark Challender [mailto:MarkC () mtbaker wednet edu]
Sent: Monday, February 12, 2001 2:53 PM
Wow! You seem to be saying that because someone leaves a door accidentally unlocked and then someone comes in and uses your property that a person should just clean up and forget about it?
I don't seem to be saying that at all - you did. If I had wanted to say that, I would have. Try and stay with me here... ;-)

The network itself is -all- doors, and most of them are open without question to anyone who can reach them. Dozens of routers, firewalls, proxies, and servers are a few hops away, and hardly a one will try to restrict me from using the services that are offered there. Routers route me. Proxies proxy me. Firewalls, well, they keep me in line while they let me through, if that's what they're supposed to do...

But please keep clear on this - I'm not talking about someone "jiggling doorknobs", "coming into my home", or "taking my car out for a drive and not putting any gas in the tank" - I'm talking about me running a server that's connected to an accessible network, where there are some services I'd like to offer to the "public", some I'd like to offer privately, and some I don't want to offer anyone. This situation didn't sneak up on me - I didn't bake a cake and discover an FTP server in it - I set out to do this, and I didn't get it right. It is my job to configure all those services correctly, isn't it?

So how the heck is J. Random Luser supposed to be held accountable for entering an area I should have locked, when the rest of the network isn't locked at all and isn't supposed to be? I can't say I didn't know she was out there, I can't say she should have known that I meant to lock it, and I can't say I didn't know she might come jiggling on the doorknob (oops) so what's my excuse, that I thought she'd play nice?

We can say "it's obvious", or that "they never got permission", but what does that really mean when we fail to use obvious means to regulate the permissions in the first place?

--
Dave Salovesh
RAM Associates, Inc.
(202) 543-3635