Security Incidents mailing list archives
Re: RPAT - Realtime Proxy Abuse Triangulation
From: "Jay D. Dyson" <jdyson () treachery net>
Date: Mon, 30 Dec 2002 11:45:35 -0800 (PST)
On Mon, 30 Dec 2002, Greg Barnes wrote:
> JDD> Such a practice strikes me as teleologically ethical[1]. A system
>
> Technologically Ethical? Is that like 'technically honest' but not honest by any other definition?
No. There are two primary camps in ethics: deontological and teleological. Deontological holds that all ethical constructs are absolute and unwavering, regardless of circumstance. These rules are typically given to humanity by a deity or some other authority. Teleological ethics holds that all ethical proscriptions arise from value assessments of undesirable consequences that come from unethical actions. Teleological ethics also hold that the quality of an otherwise seeming transgression is mitigated by both intent and outcome. To bust it down in the simplest terms for an example: it is wrong to lie. But if I was harboring Jews from the Nazis during WWII and the Nazis asked me if I had seen any Jews and I told them I hadn't, then I would have lied. That lie, while deontologically unethical, was teleologically ethical.
> JDD> is being abused and we recipient systems are paying the canonical
> JDD> price for it. And since we bear the cost of someone else's
> JDD> irresponsibility, we have both the right and the responsibility to
> JDD> pick up the slack created by the other party so that other systems
> JDD> do not receive the same net.abuse ours have.
>
> This would be true if you represented an extension of law enforcement.
Actually, your assessment is inaccurate. Law enforcement is far more constrained in their sanctioned actions than the laity. I, for example, can engage in dumpster diving at will to find information I need. Law enforcement cannot do so without the blessing of the courts.
> JDD> The only thing that would color such a practice as even remotely
> JDD> unethical would be later utilization of such findings for the
> JDD> purpose of further spamming or other nefarious conduct.
>
> Who defines nefarious?
Simple. Anything you'd do that would not make your mother proud. ;) But seriously, we don't need to define what 'is' is here. Nefarious is simply a cute word I use to entail further net.abuse.
> The rule of law defines it. And there are agencies established for the purpose of enforcing the law.
And while many an agent in said agencies is a good person doing good work, the reality is that agencies are bureaucracies. And as bureaucracies, they move at a positively glacial pace...and with the rapid pace of the 'net, their involvement is not simply impractical, it's counterproductive. The net.realities of today have simply outpaced the laws provided by the legislature. Thus, relying on old (and increasingly archaic) laws and agencies for definition and handling of genuine net.realities is kludgy at best, silly at worst.
> JDD> As a rule, when my systems are spammed via an open relay, I do
> JDD> indeed perform open relay tests on the offending system to confirm
> JDD> that the relayed spam is genuine or trivially spoofed[2]. With
> JDD> those findings,
>
> So how does one justify any scanning beyond that which is required to determine the source of a problem in the course of one's day to day duties
All scanning is done from a "rule out" standpoint. I rule out other possible explanations [spoofing, forgery, misconfigured MTA data] as it pertains to the spam that appears to have come from an open relay or proxy and then gather the data. Once that's done, a fairly clear picture of what's what has emerged.
> and furthermore with the end goal of notifying the cognizant authority of the offense?
Whenever my systems are attacked, I take it upon myself to accumulate all evidence necessary to present to the cognizant admin of the offending system. My reasons are twofold: first, they can use the information to compare to their own logs (rather than go on a large fishing expedition), and that saves time; second, I've met more than my fair share of "admins" who couldn't find their butt with both hands. Those folks need a *lot* of hand-holding in order to bring the net.abuse to a conclusion.
> JDD> I file my reports with the cognizant admins and/or upstream
> JDD> providers so that an end may be put to that nonsense.
>
> All well and good, but again - to what end, the additional scanning?
I'm not sure what you mean. I don't keep on scanning every system that's poked, prodded or spammed mine after I've gathered the information I require. Hell, if I did that, I wouldn't have time to do anything else.

- -Jay

"There's always time for a good cup of coffee."
Jay D. Dyson - jdyson () treachery net
`How about a 10-day waiting period on YOUR rights?'