Security Basics mailing list archives

RE: application for an employment


From: "onowlin" <nowlin.enteract () transitchicago com>
Date: Mon, 3 Apr 2006 14:34:07 -0500


There has been some very interesting discussion going on regarding this topic.  Just thought I'd add another extension 
to this particular analogy.

If you use the analogy of a store then you have to also consider the items that are in the backroom and not available 
for public view/access (stocked items, damaged/defective items, etc.).  These are items not available to the public 
for various reasons (including safety reasons, etc.), so even though they are in the store (on the network) and possibly 
even visible from the 'public' portion of the store, they are not meant for public access.

This could also extend to other areas of the store too, e.g. the employee break room, which are public areas for 'certain' 
people only (a store employee could access it, but not the public), just as a website's registered customers are 
'authorized' to view certain portions of a website.  If I am a customer I am not authorized to go into the employee 
break room, or better yet, the security monitoring room, even if their only security turns out to be just a sign 
saying 'employees only'.  Just because it doesn't have 3 deadbolt locks and an armed guard does not mean that I can 
just walk in because it's in the store.  Most systems include a warning banner of some sort, the equivalent of a sign, 
and that legally is a good enough measure to let me know where the public area stops and the private area begins.

So, just like a 'public' store has the right to declare what areas are actually accessible to the public, a site admin 
can declare what services the 'public' is authorized to use.  Also, I don't recall if the site that was scanned had any 
type of warning banner, but a port scan would most likely be a violation of the university's policies.

Again, just another viewpoint.

OAN




-----Original Message-----
From:   ettinger () gmail com on behalf of Anthony Ettinger
Sent:   Fri 3/31/2006 3:57 PM
To:     Hans Meier (John Doe)
Cc:     security-basics () securityfocus com
Subject:        Re: application for an employment

On 3/31/06, Hans Meier (John Doe) <security.department () tele2 ch> wrote:
Matthias Güntert wrote on Monday, 20 March 2006, 13:45:
Dear listmembers,

I am seeking a new job as a Unix/Linux system administrator. There
has been an advertisement at a well-known university, so I started to
prepare myself for the application. While collecting some information
about the network using nmap, dig, etc., I was able to read the whole
namespace from the IP range (255.255.0.0).

My question is: should I use some of the information I have found out to
push my application forward? How do you think a director would
react?

Hello all, and sorry for my quite bad English (and for not being a lawyer, and not
being an admin of a university network).

This is one of the most interesting discussions I've ever read on this list.

It shows, in my opinion, beside other things:

[] two main perspectives, a legal and a technical one, which lead to rather
different conclusions.
[] that (although I'm not sure) it's also a question of "culture"; it seems
that in US culture a port scan is seen as a bigger problem than in
Europe.
[] that it has an impact on the "public internet usage by the masses" [sorry,
don't know how to say it better] in the future, depending on whether the legal or technical
perspective triumphs.
  (and since the economy, products and property rights tend to go virtual to
circumvent the limitation of real resources and to guarantee constant
economic growth, and laws are most suitable as a means of power, the
former will triumph, I'm sure)

I have another analogy try (sorry for that :-) :

Putting a box with a public IP on a public net offering public services is
like presenting products in a Walmart or an Aldi respectively. I'm neither
obliged to know what I'll buy before visiting the store, nor to only buy
products that have been advertised. I look at different places, and search,
to see what's available, and touch. This is all legal.
  I'm also not obliged to only look for one product, say, a day: I'm allowed
to scan what's available with a quick eye scan. If the store does not want to
sell a certain product, it does not place it in the store. It may close the
store (the ability for others to see what's available) for a certain time.
  Illegality starts when stealing/destroying a product or entering the store
when it's closed.

(Most of) the analogies with the doors and windows miss a main point: My house
is not a *public* building - and I can't take it completely "offline" like a
computer, so the public/private context is completely different.

If I were Matthias Güntert, I would present the collected information (in
Europe) to demonstrate my skills, although it may be a risk. A better
alternative could be to offer a live network examination and repeat the steps
already done (without mentioning the preparation, and thus appear even more
capable ;-)

But hey, to minimize risks, be mainstream, present certifications, say what
they want to hear, don't show any individual profile...

Asking a European list would be an idea too...

Hans

That brings to mind another idea I was thinking about at lunch...when
you walk through the WalMart store, you can see the items in the store
and pick up the package, look at it, and put it back down, that is
just like doing a port scan and querying what service is running on
that port.

In my previous analogy, it would be like you getting upset as the
owner of the house when someone simply "looked" at your front door
from the sidewalk or rang your doorbell.

The ethical boundary is reached when someone comes up to ring your
doorbell, and then checks the lock, but then starts picking the lock
(exploiting known holes in the service running on that public port).

Port scans are like people on a busy sidewalk. They will occasionally
look in your direction, maybe even ring the doorbell :-)

I suspect the analogy could be continued by getting a pitbull or
rottweiler in your fenced front yard (lawyers).

---------------------------------------------------------------------------
EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The Norwich University program offers unparalleled Infosec management 
education and the case study affords you unmatched consulting experience. 
Tailor your education to your own professional goals with degree 
customizations including Emergency Management, Business Continuity Planning, 
Computer Emergency Response Teams, and Digital Investigations. 

http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------




