Re: application for an employment

[Ansgar -59cobalt- Wiechers <bugtraq () planetcobalt net>]

On 2006-03-31 David Gillett wrote:
> From: Ansgar -59cobalt- Wiechers [mailto:bugtraq () planetcobalt net] 
> > You're contradicting yourself. A root server may refer my query to
> > your server, but it's still my server connecting to your server to do
> > the actual query, thus it must somehow have gotten your permission.
> > Besides, how do I get permission to access the root servers or any
> > other upstream DNS server not owned by myself? 
>
>   Your ISP tells you about a DNS server you may use, either textually
> when you contract for their services, or automatically via DHCP (or
> both).  That server may later inform you of other services for which
> permission has been arranged.

I was expecting this answer. I was also expecting that you'd not say
anything about how I or my ISP get permission to access the root
servers.

> > >   AFAIK, Google still supports a mechanism for telling them about
> > > specific pages to be indexed.  And their spider plays by the
> > > robots.txt rules, which your port scanner probably does not.
> >
> > That doesn't answer the questions. To read a robots.txt the spider
> > must already have connected to your server. How does Google get
> > permission to do that? And how do I get permission to access Google?
>
>   Google pays money to television networks to tell the world:  come
> connect to our servers *VIA HTTP (PORT 80)*.

Maybe they do in the US. They don't do it here (at least I haven't seen
any TV ads). I repeat: how do I get permission to access Google? How do
I get permission to use other public services that don't spend money on
TV ads?

> Goggle doesn't give you permission to portscan them by doing so.

A connect to a port is a connect to a port. It doesnt't matter which way
it is done.

>   Google doesn't port-scan; it follows links on public pages, just as
> a user could.  It has to assume, reasonably, that links on public
> pages are probably to other public pages.  If some miscreant publicly
> posts a link to a page that's not supposed to be public, the poster is
> liable, not people or programs that follow the link *in good faith*.

To follow links they have to connect to port 80 of the web servers. And
they have to get started somewhere. So: how do they get permission to
access the starting point? What makes Google different from me running
my own search engine? And I wouldn't bet on Google not portscanning.

> > >   Oh, okay, let's exclude all non-legitimate examples.  Then give me
> > > a legitimate one, please, that I *can't* knock down.
> >
> > I already gave you some. Up to now you failed to knock them down. In
> > fact you didn't answer a single question of mine.
>
>   I believe I've responded to everything that looked like a sensible
> question.  If you don't agree, we may have reached the bounds of
> rational discourse.

Very clever. But wrong. I repeated some of my questions above. And you
still failed to explain what makes a connect to port 80 different from a
connect to port 81.

> > >   I've already listed two "advertising" mechanisms, without going
> > > into silly proprietary endeavors like SLP.
> >
> > Neither of them would work if you were right, and both of them are
> > very specific in their advertisements. I repeat: there is no general
> > advertisement mechanism for services in the Internet. And I still can
> > neither know nor assume that any service is not provided purposely,
> > unless it requires authentication of some sort.
>
>   Since they *DO* work, millions of times a day, obviously your theory
> that they wouldn't fails to account for reality.

I didn't say they don't work. I said they wouldn't *IF* your claim was
right.

>   You cannot *legally* assume that any service *is* provided
> purposely, unless told so and invited to use it.

Of course I can, unless there is some sort of authentication mechanism.

[...]
> > > > Bottom line: If you don't want your property trespassed, don't put
> > > > it into public places.
> > >
> > > Our data center is not, by any stretch, a public place.
> >
> > Does it have a public IP address? Does it provide services towards
> > the Internet? If so: how can it *not* be a public place?
>
>   Certainly it has a connection to other network facilities.  You know
> what?  THEY are not public places either -- they are OWNED by entities
> who enforce policies of access and behaviour.

Enforced access policies are a different story.

> Is your phone a public place?

Sure enough. It can be called by anyone who dials my number.

> Is your house a public place because it contains your phone?

No. It's a public place because it has a door and a bell. Anyone can
walk up to it and ring the bell.

> Is the public invited to call you, 24-7, to
> find out if you're awake or not, because of course there's no other
> general mechanism to tell whether you're awake or not, ergo your 
> phone number constitutes an invitation to the world to call whenever
> they want to find out.

Of course anyone can call me anytime they want. There is exactly nothing
I can do against it. However, people may find that I refuse to accept
their call depending on the time they call.

> No, I don't think so.

You think wrong. Again.

Regards
Ansgar Wiechers
-- 
"All vulnerabilities deserve a public fear period prior to patches
becoming available."
--Jason Coombs on Bugtraq

---------------------------------------------------------------------------
EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The Norwich University program offers unparalleled Infosec management 
education and the case study affords you unmatched consulting experience. 
Tailor your education to your own professional goals with degree 
customizations including Emergency Management, Business Continuity Planning, 
Computer Emergency Response Teams, and Digital Investigations. 

http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------