Firewall Wizards mailing list archives
Re: new topic-professional hacking tecniques
From: "REID FOX" <reidfox () direct ca>
Date: Mon, 8 Nov 1999 12:04:40 -0800
I'm not advocating a standard whois query system for ISPs, just some kind of page you could go to. First of all, how could you write a web page that is able to query all ISPs when there is no standard, and secondly, what ISP would allow the amount of traffic to this list that would occur if this were to happen? Easy to accomplish - have a searchable database only accessible through the ISP's search engine - there are several small search engines available that are able to provide this type of security, even force the one who wishes to make such a query to give an email address to obtain a password just as some web sites do. Now we are able to create a log of who is making queries about the individual. Don't we already have rules about unsolicited e-mail? I don't have it all figured out, just an idea I had. All I'm saying is that half the trouble with Internet ethics is that it is too anonymous.

If you don't think this is going to be a major problem in the future just take a look at some of these script-kiddie tools, they are getting more and more sophisticated. There are real gurus who are writing applications with a user-interface that is designed to attack known vulnerabilities on a system. Or you can get an application that will write viruses, you don't even need to know how a virus works. Why do these guys write these applications? Maybe if there is enough of this going on then they can sneak around less noticed, maybe half these apps are trojans that are used by the programmer, the script kiddie stumbles onto something good and the guy who wrote the app uses the trojan to launch a real attack.

My brother in law plays with these things (against my advice), he showed me this "boot" program designed for use on chat that is able to "get into" the other guy's system as well as "protect you" from this type of attack. I took a look at it, this thing installs with "full authority" over the entire system by way of the unknowing user saying "yes to everything" because he is wanting "security". Can I have control of the registry? "yes" Can I have control of the kernel? "yes" Can I have access to all logfiles? "yes" Can you say TROJAN? I can't remember right now what the name of it was, but I'm sure there are several of them. Here he is giving "all privileges" to this unethical app that promises "protection", so now a resourceful "real hacker" has an army of unaware "script kiddies" who have downloaded and installed this thing from a temporary website.

Privacy is important but this is all completely untraceable. Sound scary? They are getting more sophisticated all the time.

REID

IMHO, Reid's idea is terrible! (no offense). Adding a whois query to people's IP address demolishes privacy. How would you like to AUTOMATICALLY be placed on every web site's mass mailing list just by visiting their site? In fact, you could be going through the 394,423,548 matches on altavista about what you were looking for, knowing full well that 394,423,543 of them are irrelevant (but you need to find those 5 good ones...). Just think how many spam sources you could get from just one day of research/surfing/whatever. Hit a XXX site... forget about it! Now they "know" or at least "believe" you'd visit their site, they'll NEVER leave you alone. (I've often searched for stuff and somehow ended up in XXX sites... for one thing, do a search on any actor/actress). IRC now becomes no longer anonymous, in fact, nothing else does.

Steven Osman
Terratron Technologies Inc.

----- Original Message -----
From: Matt Doughty <doughtym () bsjkk co jp>
To: REID FOX <reidfox () direct ca>
Cc: <firewall-wizards () nfr net>
Sent: Friday, November 05, 1999 1:33 AM
Subject: Re: new topic-professional hacking tecniques

On Wed, Nov 03, 1999 at 10:29:26AM -0800, REID FOX wrote:
> However if say ISPs start to use static IP addresses for their clients
> then perhaps the ISPs could post a directory (a whois) not with any
> sensitive personal info but maybe just an e-mail and a name. That would
> make users more accountable just as Domains are accountable (or known) on
> the net. I can't see any honest client having a big problem with that. Like
> I said before this is no security cure but it is however a step in the
> right direction.
>
> eg. You're getting some degree of attack from a certain IP regularly. You
> trace it back to an ISP, look it up in the ISP's whois list, e-mail the
> person "are you aware of ......? If this continues your ISP will be
> notified ...." The next day you get a reply from a parent of some script
> kid "I use this PC for business ..... don't know what's happening". Send
> reply "If you have portscan, crackers, BO, Netbus etc on your system then
> someone is using your PC unethically, you should uninstall these
> applications otherwise your system has been compromised etc etc.."
> I am sure that an honest person whether they know computers or not would
> promptly deal with it, and if you're lucky and the person does know a
> little bit about these things then now the seasoned hacker is unaware that
> his mask is off.
>
> The advantage of this is
> 1: If it's a teen then the parents are informed without getting into
> trouble with their ISP (ISP don't need to be involved)
> 2: Also the parents do not allow this to continue because they now know
> what certain apps are (cracker, BO, Netbus etc) where before they had no
> idea what their kids were capable of doing with these strange programs.
> 3: The new ISP, when the parents get sucked into thinking that they were
> wrongfully cut off, does not have to deal with it.
> 4: One more future hacker on the road to ethics.
>
> Now the question is who has to deal with this growing problem? The ISPs
> or the Parents?

You assume a relatively high level of knowledge of the parents.... I mean you're basically asking to hold someone's hand through a search of their system for these programs. Kids tend to know a lot more about the computers than the parents. Besides, if you started contacting the people directly then crackers are just going to start filtering the mail first so their parents never get the message.

file://Matt