RE: application for an employment

["Craddock, Larry" <l_craddock () wfec com>]

Well ... *double sigh*

Since other various people have a shown a gross willingness to obfuscate the
obvious intent of port scanning, I'll respond. When is the last time you ran
a port scan just to make sure someone had a webserver running instead of just
pointing a browser to it?  The legitimate way to find whether or not someone
is running a service is to give it a try with a client application. If you
don't have a client app that needs to connect to a server implementing that
port then why do you need to connect in the first place?

Larry Craddock


-----Original Message-----
From: Ansgar -59cobalt- Wiechers [mailto:bugtraq () planetcobalt net] 
Sent: Wednesday, March 29, 2006 6:38 PM
To: security-basics () securityfocus com
Subject: Re: application for an employment

On 2006-03-29 Craddock, Larry wrote:
> That may be how you interpret it but I think they're very analogous.
> The point is simple ... no one has any legitimate business checking 
> the status of the doors and windows on my property and no one has any 
> legitimate business port scanning someone else's network. What 
> legitimate reason would I have in port scanning your network? Let me 
> answer that for you ... absolutely none. At best, my answer would be 
> curiosity and that doesn't qualify as legitimate.

*sigh*

I'd rather stayed out of this discussion, but since various people have shown
a gross ignorance of the technial realities of the 'net I'll throw my 2 cent
in.

The legitimate reason you have is the simple fact that you don't have any
other option of determining what services are available on a given host or
range of hosts. It's absolutely ridiculous to think that one would need
express permission to find out whether a shop is open or not.
Or if there is a shop in the first place.

Of course if your scan breaks something you may (or may not) be held liable
for that, but that's a different story.

FWIW

Regards
Ansgar Wiechers
--
"All vulnerabilities deserve a public fear period prior to patches becoming
available."
--Jason Coombs on Bugtraq

---------------------------------------------------------------------------
EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE The Norwich
University program offers unparalleled Infosec management education and the
case study affords you unmatched consulting experience. 
Tailor your education to your own professional goals with degree
customizations including Emergency Management, Business Continuity Planning,
Computer Emergency Response Teams, and Digital Investigations. 

http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------


---------------------------------------------------------------------------
EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The Norwich University program offers unparalleled Infosec management
education and the case study affords you unmatched consulting experience.
Tailor your education to your own professional goals with degree
customizations including Emergency Management, Business Continuity Planning,
Computer Emergency Response Teams, and Digital Investigations.

http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------