Security Basics mailing list archives
RE: application for an employment
From: "Craig Wright" <cwright () bdosyd com au>
Date: Thu, 6 Apr 2006 07:40:10 +1000
Ansgar, your decision not to read the documents does not make you correct. Proof needs to be taken from authoritative sources. This you have not done. Opinion is never proof.

Craig

-----Original Message-----
From: Ansgar -59cobalt- Wiechers [mailto:bugtraq () planetcobalt net]
Sent: 5 April 2006 5:57
To: security-basics () securityfocus com
Subject: Re: application for an employment

On 2006-04-03 Ramsdell, Scott wrote:
> Craig Wright has tried exhaustively to clear this issue up.
I'm not sure *what* Craig tried, but I proved every single one of his arguments wrong. I have also shown that every law he referenced to support his claims did not apply at all to the discussed matter.
> David Gillett provided an excellent "throw a rock at a window to see if it's open" analogy.
I have my issues with this analogy since a rock is much more likely to break a window than a portscan is likely to break a computer, but I'll agree that it's one of the more fitting analogies. [...]
> The points I would like to address are that (1) IP addresses are public (the point was inferred then that the public can do with them as they will), and (2) how does Google get permission to visit my site?
> [...]
> The following will get you arrested at my family's businesses:
> 1) coming in through the back door, locked or not, even during business hours (analogous to coming in on an admin port)
> 2) coming in through the window, locked or not, even during business hours (analogous to coming in on an unknowingly improperly configured service's port)
This analogy doesn't really fit, because (almost) each of the 2x 65535 doors (ports) of a computer is a shop of its own. A customer cannot know which shop was opened purposely and which wasn't. At least not before entering the shop.
> 3) standing in the front doors and not letting others in (analogous to a DoS)
Undisputedly illegal and not subject to this discussion.
> 4) continuously entering and leaving the front doors, preventing others from coming or going (analogous to a half-open syn attack)
This is a DoS as well.
> 5) entering the premises through the publicly available front door and shoplifting (analogous to coming in over port 80 and stealing my documents you weren't supposed to have)
Undisputedly illegal and not subject to this discussion.
> 6) standing out front of my family's publicly available store with no intent to enter talking to customers (gathering reconnaissance, perhaps to have an adult purchase alcohol or cigarettes (MitM attack), loosely analogous to port scanning)
Undisputedly illegal, not subject to this discussion, and in no way analogous to port scanning.
> 7) standing across the street and staring at the store for an extended period of time (gathering reconnaissance, perhaps to find social engineering possibilities, again loosely analogous to a port scan)
Of arguable legality, but still not analogous to port scanning and not subject to this discussion.
> 8) posing as a vendor/supplier/etc. (analogous to impersonation)
Undisputedly illegal and not subject to this discussion.
> Each of the above real world possibilities would be precipitated with "casing". "Casing" is illegal, because of the intent. My family's stores are "public". That in no way implies the public has any say over how the resources of the store are used. Abuses will be punished.
This is also undisputed.
> How does the public get approval to enter the stores? By using the front door and obeying commonly understood and accepted social practices.
But on the Internet "using the front door" is "connecting to an open port". If anything, then "using an exploit" would be similar to "using the back door".

Regards
Ansgar Wiechers
--
"All vulnerabilities deserve a public fear period prior to patches becoming available." --Jason Coombs on Bugtraq

---------------------------------------------------------------------------
EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The Norwich University program offers unparalleled Infosec management education and the case study affords you unmatched consulting experience. Tailor your education to your own professional goals with degree customizations including Emergency Management, Business Continuity Planning, Computer Emergency Response Teams, and Digital Investigations.
http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------