Security Basics mailing list archives
Re: application for an employment
From: Ansgar -59cobalt- Wiechers <bugtraq () planetcobalt net>
Date: Fri, 31 Mar 2006 14:30:41 +0200
On 2006-03-31 Craig Wright wrote:
The idea that you as a general Internet user have to scan a host to find services is technically wrong and ludicrous in its inception. Never has this been the case. The idea that having to connect to a service could be justification for port scanning is incredulous to state the least.
Please elaborate. Why do you believe this to be technically wrong? What other mechanism than portscanning do you have at hand that will give you an overview of which hosts run which services in a given network range?
Most people who use the Internet in any of its means do not port scan systems.
Entirely besides the point.
This is a simple reasonableness test. If you want to send mail - do you have to scan a site - the answer, No. When going to a web site do you have to check if they have an IPsec VPN to the host, the answer, No.
How do I find out about the mail server? How do I find out about the webserver? How do I get permission to access them?
The idea that completing a DNS request could be in ANY way equated to port scanning is ignorant and negligent as a suggestion given the knowledge of the person who stated it.
Wrong. The only technical differences between a portscanner and dig are:
- A portscan will report that a port is open/closed/filtered, whereas dig will retrieve data after the connect.
- A portscan may be run against a range of ports and/or a range of hosts (giving you an overview of the network), whereas dig will only connect to a single port on a single host.
Google crawls sites. It goes from link to link. This is a valid use of a web spider. This is not port scanning. Google reads the robots.txt file and acts (unlike some search engines) in accordance with the site's policy (if they have one).
How can it do this without actually connecting to the webserver port? And how does Google get started in the first place? How do I get permission to access Google? How is Google different from me running my own search engine?
In response to: Bottom line: "If you don't want your property trespassed, don't put it into public places" Rights (for right or wrong) are rights.
True. But I seriously doubt that some rights claimed in this discussion actually exist. That's what I'm objecting to. [...]
Ansgar stated: "The network is public and so is every service on it". Wrong. The idea that you can argue a secured VPN concentrator is public is foolish.
Of course the concentrator itself (i.e. its external interface) is public. However, everything behind it isn't. That's why it has authentication. The concentrator is a boundary separating private from public.
Nothing is ever 100% (NOTHING) Secure. Not ever, not possible, not achievable. The likelihood may be close to 0 of an attack - but it is NEVER going to be zero.
True. But again entirely besides the point.
Regards
Ansgar Wiechers
--
"All vulnerabilities deserve a public fear period prior to patches becoming available."
--Jason Coombs on Bugtraq