Security Basics mailing list archives
Re: application for an employment
From: Ansgar -59cobalt- Wiechers <bugtraq () planetcobalt net>
Date: Tue, 4 Apr 2006 21:18:13 +0200
On 2006-04-03 Raoul Armfield wrote:
> Ansgar -59cobalt- Wiechers wrote:
>> On 2006-03-31 Craig Wright wrote:
>>> The idea that you as a general Internet user have to scan a host to find services is technically wrong and ludicrous in its inception. Never has this been the case. The idea that having to connect to a service could be justification for port scanning is incredulous to state the least.
>> Please elaborate. Why do you believe this to be technically wrong? What other mechanism than portscanning do you have at hand that will give you an overview of which hosts run which services in a given network range?
> DNS. Dig or nslookup is entirely different than a portscan. These two tools simply connect to your approved DNS server and pull down records that I have made publicly available (advertised if you will). There is no portscanning involved. (unless of course you wrote your own version of dig :) )
So your dig or nslookup don't connect to a remote port? Interesting.
>>> This is a simple reasonableness test. If you want to send mail - do you have to scan a site - the answer, No. When going to a web site do you have to check if they have an IPsec VPN to the host, the answer, No.
>> How do I find out about the mail server? How do I find out about the webserver? How do I get permission to access them?
> Why do you need to know if I am running a mailserver?
Why am I supposed not to?
> If you have email then you have a mail server that you have permission to use.
Who says I want to use it? Maybe I'm just curious. Besides, you surely have your mail server configured not to accept unsolicited mail, don't you?
> There is no reason to portscan my systems to see if I am running a mail server. If I want my mail server to be known about there will be a DNS server somewhere who has my MX record registered. This DNS will in turn register it with other DNS servers thus giving permission for others to find out about it.
There are other services than just mail, and DNS is not a mechanism to advertise services.
> It could be said that registering with DNS is advertising these services thus granting permission.
No and no.
> Same applies to webservices. Anything beyond that will be advertised via links on various sites. Why do you need to portscan my IP space to see if I have an FTP server running. If there is something there you need?
Maybe. I'll know when I see it.
What I really don't understand: why are you people so eager to put your private stuff on a public network if you don't want the public to see it? That's like putting a showcase with a sign "DON'T LOOK AT ME!" on it into Main Street.
Regards
Ansgar Wiechers
--
"All vulnerabilities deserve a public fear period prior to patches becoming available."
--Jason Coombs on Bugtraq