Security Basics mailing list archives

RE: application for an employment


From: Kurt Reimer <greimer () fccc edu>
Date: Wed, 5 Apr 2006 18:25:57 -0400 (EDT)


As much as I dislike most of the laws covering these issues, I'm grateful for the discussion of them in this thread. People should know the laws, even the ones they don't agree with.

But I'm no less of the opinion that the laws governing these aspects of cyber-security are biased in favor of large entities with elaborate online presences, and those people (including professionals in the electronic security industry) who serve them.

One day last week, after reading many posters to this thread agree that port-scanning an organization's network was similar to throwing small rocks at the windows of a house, I happened to tune into a Talk-Radio station during my homeward commute, and picked up the Michael Medved show. Michael is one of the more civil and intellectually rigorous rightwing talkshow hosts, and he was interviewing a woman who leads some sort of protest organization against RFID tags, the wafer-thin little radio transmitters that look like ordinary bar-code labels but which can transmit a radio signal several meters when powered by induction. This woman described several imaginative scenarios in which data could be collected in unexpected ways; ex. the RFID tags embedded in your latest pair of shoes, and associated with your identity at their Point-Of-Sale, could be used to determine whether you stopped and admired the display in a storefront, and could perhaps result in targeted junk mail being sent to your mailbox.

Mr Medved's attitude was basically, "So what?" His standard was that this woman had to demonstrate ironclad evidence of inevitable serious harm resulting from this kind of surveillance before he would regard her as anything other than a paranoid, hysterical Kook.

One could easily imagine many people sharing this viewpoint, and certainly no one would expect the organizations that manufacture RFID tags to be overly concerned about the future possibility of this kind of surveillance. Yet this is the exact opposite of the attitude which is being expressed by many people in this thread. The mere examination of the possibility of there being vulnerabilities in an organization's internet presence is virtually equated with the act of maliciously exploiting such a weakness. And once again I can't help noticing that when it's the privacy of an individual that's being compromised, the burden is put on that individual to demonstrate conclusively what harm is being done, while an institution's privacy is sacrosanct.

The informative postings from Craig and others in this thread show that the supposition that a portscan is criminal behavior seems firmly embedded in our legal system. Yet I've seen precious little demonstration of actual harm that comes of it. One poster in this thread said that it makes it more likely that the scanned system will be compromised because a 3rd party may break into the system from which the scanning was done, find the logs of the scans, and attack the vulnerabilities found in the original scanned system. I'd call this a vanishingly small danger in comparison to that of the 3rd party finding and attacking the original vulnerable system! Another poster said that the people who run port scans are likely to brag to their friends about the vulnerabilities that they have found. This tells me that the character assassination of people who run port scans is extensive if not complete.

Further, I believe that it's easy to demonstrate that beyond being strongly biased towards the short-term interests of large organizations that hire electronic security professionals, our present laws and cultural attitudes actually harm the individual user of the internet and society in general, because they basically promote the continuance of an atmosphere in which security weaknesses are allowed to continue to exist.

It's no exaggeration to say that online fraud and identity theft are serious problems and they are getting worse. I've lost track of how many times over the past year I've heard of this or that financial or commercial institution that has exposed the personal, financial, and/or legal information of its customers by the thousands or hundreds of thousands. In an earlier post to this thread I advanced the idea that a person might have a legitimate interest in knowing about the security of the internet presence of a potential employer. Couldn't it also be said that any consumer has a legitimate interest in knowing about the internet security of any organization that they might patronize, or invest in? Indeed, in this country some states have already mandated in law that organizations must publicly acknowledge breaches of their electronic security!

Let's imagine for a moment what is probably the ultimate nightmare scenario for many people on this mailing list: Some individual or group with time and money to spare, a reliable high-bandwidth internet connection, and immunity from prosecution establishes the new website "http://www.OpenPortsAtTheFortune500.com", and reliably keeps it updated in realtime!

Assuming that this site takes off and becomes popular, what would be its short- and long-term effects? Would it result in more or fewer electronic compromises of Fortune 500 companies in the short term? What about the long term? Would it result in a more secure or less secure average internet presence for members of the Fortune 500? Would it result in a greater or lesser degree of security in the average commercial operating system and application software product? Would its effects (whatever they are) be strictly confined to the Fortune 500 or would they have some tendency to spread over the Internet at large?

In an earlier post I noted the limitations of reasoning by analogy, and many people agreed, but it didn't seem to stop anybody. It seems to me that the present legal and cultural attitudes towards the concept of a port-scan would require us to add an additional final paragraph to that old fairy tale, "The Emperor's New Clothes". In this final paragraph the little boy would immediately be surrounded by several large men wearing black suits and sunglasses and be whisked off to a re-education facility, and the populace would once again praise the emperor's sartorial splendor.

Yours,

Kurt Reimer
