Security Incidents mailing list archives

Re: RPAT - Realtime Proxy Abuse Triangulation


From: "Jay D. Dyson" <jdyson () treachery net>
Date: Mon, 30 Dec 2002 11:45:35 -0800 (PST)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Mon, 30 Dec 2002, Greg Barnes wrote: 

JDD> Such a practice strikes me as teleologically ethical[1].  A system

Technologically Ethical?  Is that like 'technically honest' but not
honest by any other definition? 

        No.  There are two primary camps in ethics: deontological and
teleological.  Deontological holds that all ethical constructs are
absolute and unwavering, regardless of circumstance.  These rules are
typically given to humanity by a deity or some other authority. 
Teleological ethics holds that all ethical proscriptions arise from value
assessments of undesirable consequences that come from unethical actions.
Teleological ethics also holds that the quality of an otherwise seeming
transgression is mitigated by both intent and outcome. 

        To bust it down in the simplest terms for an example: it is wrong
to lie.  But if I were harboring Jews from the Nazis during WWII and the
Nazis asked me if I had seen any Jews and I told them I hadn't, then I
would have lied.  That lie, while deontologically unethical, was
teleologically ethical.

JDD> is being abused and we recipient systems are paying the canonical
JDD> price for it.  And since we bear the cost of someone else's
JDD> irresponsibility, we have both the right and the responsibility to
JDD> pick up the slack created by the other party so that other systems
JDD> do not receive the same net.abuse ours have.

This would be true if you represented an extension of law enforcement. 

        Actually, your assessment is inaccurate.  Law enforcement is far
more constrained in their sanctioned actions than the laity.  I, for
example, can engage in dumpster diving at will to find information I need. 
Law enforcement cannot do so without the blessing of the courts.

JDD> The only thing that would color such a practice as even remotely 
JDD> unethical would be later utilization of such findings for the
JDD> purpose of further spamming or other nefarious conduct.

Who defines nefarious?

        Simple.  Anything you'd do that would not make your mother proud.
;)  But seriously, we don't need to define what 'is' is here.  Nefarious is
simply a cute word I use to entail further net.abuse.

The rule of law defines it.  And there are agencies established for the
purpose of enforcing the law.

        And while many agents in said agencies are good people doing
good work, the reality is that agencies are bureaucracies.  And as
bureaucracies, they move at a positively glacial pace...and with the rapid
pace of the 'net, their involvement is not simply impractical, it's
counterproductive.  The net.realities of today have simply outpaced the
laws provided by the legislature.  Thus, relying on old (and increasingly
archaic) laws and agencies for definition and handling of genuine
net.realities is kludgy at best, silly at worst. 

JDD> As a rule, when my systems are spammed via an open relay, I do
JDD> indeed perform open relay tests on the offending system to confirm
JDD> that the relayed spam is genuine or trivially spoofed[2].  With
JDD> those findings,

So how does one justify any scanning beyond that which is required to
determine the source of a problem in the course of one's day to day
duties

        All scanning is done from a "rule out" standpoint.  I rule out
other possible explanations [spoofing, forgery, misconfigured MTA data] as
it pertains to the spam that appears to have come from an open relay or
proxy and then gather the data.  Once that's done, a fairly clear picture
of what's what has emerged.

and furthermore with the end goal of notifying the cognizant authority
of the offense? 

        Whenever my systems are attacked, I take it upon myself to
accumulate all evidence necessary to present to the cognizant admin of the
offending system.  My reasons are twofold: first, they can use the
information to compare to their own logs (rather than go on a large
fishing expedition), and that saves time; second, I've met more than my
fair share of "admins" who couldn't find their butt with both hands.
Those folks need a *lot* of hand-holding in order to bring the net.abuse
to a conclusion.

JDD> I file my reports with the cognizant admins and/or upstream
JDD> providers so that an end may be put to that nonsense.

All well and good, but again - to what end, the additional scanning?

        I'm not sure what you mean.  I don't keep on scanning every system
that's poked, prodded or spammed mine after I've gathered the information
I require.  Hell, if I did that, I wouldn't have time to do anything else. 

- -Jay

   (    (                                                         _______
   ))   ))   .-"There's always time for a good cup of coffee."-.   >====<--.
 C|~~|C|~~| (>------ Jay D. Dyson - jdyson () treachery net ------<) |    = |-'
  `--' `--'  `How about a 10-day waiting period on YOUR rights?'  `------'

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (TreacherOS)
Comment: See http://www.treachery.net/~jdyson/ for current keys.

iD8DBQE+EKJkTqL/+mXtpucRAkMHAJ9roysRFsNI0t2z874ID5xjIfgSZgCeM7vY
m5AmsjNb4QAmxoKOg71SKOA=
=TL7v
-----END PGP SIGNATURE-----
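The "rule out" step Jay describes (spoofing, forgery, and misconfigured MTA data have to be excluded before the apparent open relay or proxy is tested and reported) comes down to walking the Received: headers of the spam. The script below is an added example, not code from the original post or from the RPAT tool; the host names, addresses and the sample message are constructed for illustration, and it assumes the sendmail/Postfix style "from HELO (rDNS [IP]) by HOST" header format. It finds the hop that handed the mail to our own MTA (the only one we can trust, and the candidate for an open relay test), marks everything below it as writable by the remote party, and flags chain inconsistencies that point to forged headers.

```python
import re
from email import message_from_string

# Hosts we operate.  Only a Received: header written "by" one of these is
# trusted; every header below our ingress hop was written by the remote relay
# (or the spammer) and can be forged.  Hypothetical name, not from the post.
OUR_HOSTS = {"mx.treachery.example"}

# Constructed sample (not a real message from the thread).  Hop 0 is ours and
# shows 192.0.2.45 handing us the mail; hops 1-2 are what that relay claims.
# The bottom hop says "by smtp.bigcorp.example" although hop 1 says it came
# from "mail.bigcorp.example", the kind of inconsistency that marks a forgery.
SAMPLE = """\
Received: from relay.example.net (relay.example.net [192.0.2.45])
    by mx.treachery.example (Postfix) with SMTP id 3A1B2C
    for <abuse@treachery.example>; Mon, 30 Dec 2002 10:01:02 -0800 (PST)
Received: from mail.bigcorp.example (unknown [203.0.113.9])
    by relay.example.net (8.9.3/8.9.3) with ESMTP id KAA04567;
    Mon, 30 Dec 2002 10:00:58 -0800 (PST)
Received: from localhost (localhost [127.0.0.1])
    by smtp.bigcorp.example with SMTP; Mon, 30 Dec 2002 09:59:00 -0800 (PST)
From: "Great Offer" <offer@bigcorp.example>
To: abuse@treachery.example
Subject: MAKE MONEY FAST

Body omitted.
"""

# Matches the sendmail/Postfix style "from HELO (rDNS [IP]) by HOST"; the
# "(rDNS [IP])" comment is optional because not every MTA writes it.
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)"
    r"(?:\s+\((?P<rdns>[^\s\[\]]*)\s*\[(?P<ip>[^\]]+)\]\))?"
    r"\s+by\s+(?P<by>\S+)",
    re.IGNORECASE,
)


def parse_received(value):
    """Unfold one Received: header and pull out helo, rdns, ip and by."""
    m = RECEIVED_RE.search(" ".join(value.split()))
    if not m:
        return None
    return {k: m.group(k) for k in ("helo", "rdns", "ip", "by")}


def triangulate(raw_message, our_hosts=OUR_HOSTS):
    """Walk Received: headers top-down and find the host that handed us the spam.

    Returns the ingress relay (what we would open-relay test), the
    trusted/untrusted hop lists and any forgery warnings.
    """
    ours = {h.lower() for h in our_hosts}
    msg = message_from_string(raw_message)
    hops = [parse_received(v) for v in msg.get_all("Received", [])]
    out = {"relay_ip": None, "relay_helo": None,
           "trusted": [], "untrusted": [], "warnings": []}

    ingress_found = False
    for i, hop in enumerate(hops):
        if hop is None:
            out["warnings"].append(f"hop {i}: unparseable Received: header")
            ingress_found = True          # nothing below this can be trusted
            continue
        if (hop["rdns"] or "").lower() == "unknown":
            out["warnings"].append(
                f"hop {i}: HELO {hop['helo']} not confirmed by reverse DNS")
        if not ingress_found and hop["by"].lower() in ours:
            out["trusted"].append(hop)
            names = {hop["helo"].lower(), (hop["rdns"] or "").lower()}
            if not names & ours:          # written by us, received from a foreign host
                out["relay_ip"], out["relay_helo"] = hop["ip"], hop["helo"]
                ingress_found = True
        else:
            ingress_found = True
            out["untrusted"].append(hop)

    # Rule out forgery: each header's "by" host should be the host the header
    # above it says it received from.  Anything else was not written by a
    # cooperating chain of MTAs.
    for i in range(len(hops) - 1):
        upper, lower = hops[i], hops[i + 1]
        if upper is None or lower is None:
            continue
        claimed = {upper["helo"].lower(), (upper["rdns"] or "").lower()}
        if lower["by"].lower() not in claimed:
            out["warnings"].append(
                f"hop {i + 1}: says 'by {lower['by']}' but hop {i} received it from "
                f"{upper['helo']}; chain inconsistent, header likely forged")
    return out


if __name__ == "__main__":
    r = triangulate(SAMPLE)
    print(f"open-relay test candidate: {r['relay_ip']} ({r['relay_helo']})")
    print(f"trusted hops: {len(r['trusted'])}, untrusted hops: {len(r['untrusted'])}")
    for w in r["warnings"]:
        print("warning:", w)
```

Run against the sample, the only address worth an open relay test is 192.0.2.45; the two headers beneath it were written by that relay and the one naming smtp.bigcorp.example is internally inconsistent, so a report blaming bigcorp would be based on forgeable data. The actual relay test (connecting to 192.0.2.45 and attempting to relay to a third-party address) is left out here since it needs the network; this is only the evidence-sorting step that decides what to test.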


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

