RE: application for an employment

["Craig Wright" <cwright () bdosyd com au>]

Hello,
I am sorry to say I find this change of argument shows more ignorance or
neglect than I had though was in the security community.

The idea that you as a general Internet user have to scan a host to find
services is technically wrong and ludicrous in its inception. Never has
this been the case. The idea that having to connect to a service could
be justification for port scanning is incredulous to state the least.

Most people who use the Internet in any of its means do not port scan
systems. This is a simple reasonableness test. If you want to send mail
- do you have to scan a site - the answer, No. When going to a web site
do you have to check if the have an IPsec VPN to the host, the answer,
No.

The idea that completing a DNS request could be in ANY way equated to
port scanning is ignorant and negligent as a suggestion given the
knowledge of the person who stated it.

Google crawls sites. It goes from link to link. This is a valid use of a
web spyder. This is not port scanning. Google reads the robots.txt file
and acts (unlike some search engines) in accordance with the sites
policy (if they have one).

In response to: Bottom line: "If you don't want your property
trespassed, don't put it into public places"
Rights (for right or wrong) are rights. How do you expect that any
server would be on the Internet? Not securing a system is wrong. It
leaves the owners of the site open to claims of negligence. It means
that they can be held liable by other parties for their failure.

Vigilante action is not a solution. This is what port scanning for "fun
and profit" is. This is what is being advocated. Like it or not, you
have no rights to act as anti-hero and protect the world. Nor does most
of the world want you to do this.

Ansgar stated:"The network is public and so is every service on it".
Wrong. The idea that you can argue a secured VPN concentrator is public
is foolish. Nothing is ever 100% (NOTHING) Secure. Not ever, not
possible, not achievable. The likelihood may be close to 0 of an attack
- but it is NEVER going to be zero.

Regards,
Craig

-----Original Message-----
From: Ansgar -59cobalt- Wiechers [mailto:bugtraq () planetcobalt net]
Sent: 31 March 2006 5:35
To: security-basics () securityfocus com
Subject: Re: application for an employment

On 2006-03-30 David Gillett wrote:
> > The legitimate reason you have is the simple fact that you don't have

> > any other option of determining what services are available on a
> > given host or range of hosts.
>
>   Yes you do.

No, I don't. There are some exceptions, where I don't have to, but in
general there is no way of finding out other than actually connecting to
the service.

>   Suppose you want to send me an email.  By your argument, your only
> option is to scan our whole address block(s!) looking for machines
> that will answer on port 25.
>   Bzzzt!  WRONG!  Do a DNS lookup for the MX records for our domain.

So, how do I do a DNS lookup without somehow accessing port 53/udp of a
DNS server that I do not own? How do I get permission to do that?

>   Suppose you want to register online to take courses here.  By your
> argument, your only option is to scan our address space for hosts that

> answer on ports 80 and 443.
>   Bzzzt!  WRONG!  Point your browser at the college homepage (you
> could Google for it) and follow the links to "Registration".

So, how does Google get the address of your webserver? Or permission to
access/index it? How do I get permission to access Google? And how does
a listing of $something in Google give me the permission to access it?

>   Suppose you want to compromise one of our hosts to set up a warez
> server.  By your argument, your only option is to scan our address
> space looking for a host running a service for which you have an
> exploit available.
>   Uh, wait.  You just lost the qualifier "legitimate".

I was by no means talking about exploits. In fact I expressly stated
that one may be held liable when breaking something (which you obviously
chose to ignore for whatever reason).

>   If I want you to be able to use a service X on host Y, I will find
> some way to advertise that service.  If I don't advertise the service,

> it may be something that I don't even know is there -- perhaps
> installed silently by the OS or some legitimate application, or
> perhaps by some cracker.  In neither case is there a presumption that
> I'm inviting you to use it, if only you can find it.

That's ridiculous and you know it. The Internet does not have
advertisement mechanisms for services. The network is public and so is
every service on it. It was your decision to put the box into a public
network and there are ways to know what services it provides (and to
disable those services you don't want to provide). I cannot know if you
made a service available on purpose, and I do not have to assume that
you didn't. If I had to, the Internet would have to be shut down right
this second.

Bottom line: If you don't want your property trespassed, don't put it
into public places.

Regards
Ansgar Wiechers
--
"All vulnerabilities deserve a public fear period prior to patches
becoming available."
--Jason Coombs on Bugtraq

------------------------------------------------------------------------
---
EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE The Norwich
University program offers unparalleled Infosec management education and
the case study affords you unmatched consulting experience.
Tailor your education to your own professional goals with degree
customizations including Emergency Management, Business Continuity
Planning, Computer Emergency Response Teams, and Digital Investigations.


http://www.msia.norwich.edu/secfocus
------------------------------------------------------------------------
---


Liability limited by a scheme approved under Professional Standards Legislation in respect of matters arising within 
those States and Territories of Australia where such legislation exists.

DISCLAIMER
The information contained in this email and any attachments is confidential. If you are not the intended recipient, you 
must not use or disclose the information. If you have received this email in error, please inform us promptly by reply 
email or by telephoning +61 2 9286 5555. Please delete the email and destroy any printed copy. 

Any views expressed in this message are those of the individual sender. You may not rely on this message as advice 
unless it has been electronically signed by a Partner of BDO or it is subsequently confirmed by letter or fax signed by 
a Partner of BDO.

BDO accepts no liability for any damage caused by this email or its attachments due to viruses, interference, 
interception, corruption or unauthorised access.

---------------------------------------------------------------------------
EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The Norwich University program offers unparalleled Infosec management
education and the case study affords you unmatched consulting experience.
Tailor your education to your own professional goals with degree
customizations including Emergency Management, Business Continuity Planning,
Computer Emergency Response Teams, and Digital Investigations.

http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------