Security Basics mailing list archives

RE: application for an employment


From: "David Gillett" <gillettdavid () fhda edu>
Date: Fri, 31 Mar 2006 13:17:17 -0800

-----Original Message-----
From: Ansgar -59cobalt- Wiechers [mailto:bugtraq () planetcobalt net] 

You're contradicting yourself. A root server may refer my 
query to your server, but it's still my server connecting to 
your server to do the actual query, thus it must somehow have 
gotten your permission. Besides, how do I get permission to 
access the root servers or any other upstream DNS server not 
owned by myself? 

  Your ISP tells you about a DNS server you may use, either textually
when you contract for their services, or automatically via DHCP (or
both).  That server may later inform you of other services for which
permission has been arranged.
 
  AFAIK, Google still supports a mechanism for telling them about 
specific pages to be indexed.  And their spider plays by the 
robots.txt rules, which your port scanner probably does not.

That doesn't answer the questions. To read a robots.txt the 
spider must already have connected to your server. How does 
Google get permission to do that? And how do I get permission 
to access Google?

  Google pays money to television networks to tell the world:  come
connect to our servers *VIA HTTP (PORT 80)*.  Google doesn't give
you permission to portscan them by doing so.

  Google doesn't port-scan; it follows links on public pages, just as
a user could.  It has to assume, reasonably, that links on public pages
are probably to other public pages.  If some miscreant publicly posts 
a link to a page that's not supposed to be public, the poster is liable,
not people or programs that follow the link *in good faith*.

  Oh, okay, let's exclude all non-legitimate examples.  Then give me a
legitimate one, please, that I *can't* knock down.

I already gave you some. Up to now you failed to knock them 
down. In fact you didn't answer a single question of mine.

  I believe I've responded to everything that looked like a 
sensible question.  If you don't agree, we may have reached the
bounds of rational discourse.
 
  I've already listed two "advertising" mechanisms, without going into
silly proprietary endeavors like SLP.

Neither of them would work if you were right, and both of 
them are very specific in their advertisements. I repeat: 
there is no general advertisement mechanism for services in 
the Internet. And I still can neither know nor assume that 
any service is not provided purposely, unless it requires 
authentication of some sort.

  Since they *DO* work, millions of times a day, obviously your
theory that they wouldn't fails to account for reality.
  You cannot *legally* assume that any service *is* provided 
purposely, unless told so and invited to use it.  Luckily,
enough services are provided purposely that this is rarely 
an issue for people who do not go hunting for unadvertised
services.
 
Bottom line: If you don't want your property trespassed, don't put it
into public places.

  Our data center is not, by any stretch, a public place.

Does it have a public IP address? Does it provide services 
towards the Internet? If so: how can it *not* be a public place?

  Certainly it has a connection to other network facilities.  You
know what?  THEY are not public places either -- they are OWNED by
entities who enforce policies of access and behaviour.
  Is your phone a public place?  Is your house a public place because
it contains your phone?  Is the public invited to call you, 24-7, to
find out if you're awake or not, because of course there's no other
general mechanism to tell whether you're awake or not, ergo your 
phone number constitutes an invitation to the world to call whenever
they want to find out.  No, I don't think so.

David Gillett


