Re: RPAT - Realtime Proxy Abuse Triangulation

[Greg Barnes <greg () ins com>]

Hi Rob,

All true as told IMHO - but I have 2 slight issues with
one of the statements you made here, the last one.

With all due respect, SNMP is not something we
inherited 'from the time when the entire Internet was
a trustable network'.  SNMPv1 had weak control mechanisms
*built into it* because its power 'to do evil' was
foreseen by the IETF working group....

The other issue is that the Internet was never the
type of network you described IMNSHO....it has always
been 'untrustworthy'.

Not picking on you, just feeling cagey today I guess. :-)

Friday, December 27, 2002, 7:00:16 PM, you wrote:
RS> SNMP is used to manage networks.  As it has weak authentication (except
RS> in some implementations, which are not entirely interoperatble with
RS> other such implementations), it is insecure, profoundly so, over
RS> untrusted lines.  It is definitely NOT used to manage the internet, just
RS> certain parts of it, and even then SNMP is not allowed in or out of the
RS> border of those networks, when properly done.  Queries are illegal in
RS> some jurisdictions, as they are both more informational and less casual
RS> than, say, a ping sweep.  Simply put, SNMP is something that we have
RS> inherited from the time when the entire internet was a trustable
RS> network.

> > -----Original Message-----
> > From: Kevin Reardon [mailto:Kevin.Reardon () oracle com] 
> > Sent: Friday, December 27, 2002 1:55 PM
> > To: Incidents List
> > Subject: Re: RPAT - Realtime Proxy Abuse Triangulation
> >
> >
> > Is not SNMP used to manage the Internet?  I would think that 
> > queries on 
> > public would not be illegal at all.  More like a passerby 
> > looking at the 
> >   sign on the door.  Breaking into the system into the read/write 
> > community might land you in the clink (or if somebody got 
> > rambunctious, 
> > in Cuba).
> >
> > ---K
> >
> > Jay D. Dyson wrote:
> >
> > > -----BEGIN PGP SIGNED MESSAGE-----
> > > Hash: SHA1
> > >
> > > On Tue, 24 Dec 2002, Mathias Wegner wrote:
> > >
> > >
> > > > > I would be very nervous about running this, remote SNMP queries of 
> > > > > someone elses system (say a .gov or .mil proxy) may be considered 
> > > > > illegal activity in some jurisdictions.
> > > > Depending on the SNMP daemon, it would/should be as illegal 
> > as opening 
> > > > an ssh investigating the system from the command line.  Most SNMP 
> > > > offers at least some amount of configuration via the read/write 
> > > > community.  I know that when I see SNMP queries on network hardware 
> > > > that I manage, I consider it hostile activity.
> > >
> > >     Color me jaded, but if someone has an open proxy and 
> > spam is spewed 
> > > my way via that avenue, it's a pretty fair bet that the system I'm 
> > > scanning is run by an admin who -- whether through 
> > ignorance or sloth 
> > > -- doesn't know or do jack about securing or monitoring his system. 
> > > Moreover, open is open; whether a relay, proxy or anonymous FTP 
> > > server. It is impossible to be charged with breaking and 
> > entering when 
> > > there's no breaking involved.
> > >
> > >     With that in mind, I would not waste any time or energy 
> > worrying 
> > > about whether or not my scan would be picked up.  Let's face it, a 
> > > spammer just spewed through the idiot's proxy.  Yet we're 
> > supposed to 
> > > believe that this otherwise lazy dope now possesses the 
> > Eagle Eye of 
> > > All Intrusion Detection Systems?  Maybe I'm just cynical, 
> > but I really 
> > > doubt it.
> > >
> > >     All that said, I should point out that I am not a 
> > lawyer.  I prefer 
> > > to make an honest living.
> > >
> > > - -Jay
> > >
> > >    (    (                                                   
> >       _______
> > >    ))   ))   .-"There's always time for a good cup of 
> > coffee."-.   >====<--.
> > >  C|~~|C|~~| (>------ Jay D. Dyson - jdyson () treachery net 
> > ------<) |    = |-'
> > >   `--' `--'  `How about a 10-day waiting period on YOUR rights?'  
> > > `------'
> > >
> > > -----BEGIN PGP SIGNATURE-----
> > > Version: GnuPG v1.0.7 (TreacherOS)
> > > Comment: See http://www.treachery.net/~jdyson/ for current keys.
> > >
> > > iD8DBQE+DJooTqL/+mXtpucRAjy+AKCZ9eiSmvKyuSzZuNX9hbXTF9IDRACg4/gN
> > > 2Gs+0tVYEQqykUc+/AUgFBg=
> > > =/ofa
> > > -----END PGP SIGNATURE-----
> > ----------------------------------------------------------------------
> > > ------
> > > This list is provided by the SecurityFocus ARIS analyzer service.
> > > For more information on this free incident handling, management 
> > > and tracking system please see: http://aris.securityfocus.com
> >
> >
> >
> > --------------------------------------------------------------
> > --------------
> > This list is provided by the SecurityFocus ARIS analyzer 
> > service. For more information on this free incident handling, 
> > management 
> > and tracking system please see: http://aris.securityfocus.com


RS> ----------------------------------------------------------------------------
RS> This list is provided by the SecurityFocus ARIS analyzer service.
RS> For more information on this free incident handling, management 
RS> and tracking system please see: http://aris.securityfocus.com


-

Regards,

Greg

PGP Fingerprint:
723E 7CAD 4EF5 D904 1EE8  5279 71A5 A594 E6A7 C48E


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com