RE: Calcuating Loss

[Scott Taylor <security () 303underground com>]

Do you know how many people have unconfigured and therefore wide open
wireless access points in the same county as me? Well over 2000. The
number of configured though not necessarily secure is over 5000. That is
all less than 20 miles from home. And I didn't even bother to map out
most of the side streets. I doubt any of those are really bothering to
keep or even know what a logfile is. Yeah lets get a good record of who
has their ip address, so that the FBI can come drag them off when
someone parks in their neighborhood and blasts out malware pleasantly
stamped with their ip address. In fact with a good antenna and amplifier
one could do that from over a mile away. You could do that and not even
know where the poor sucker hosting your temporary internet connection
is. Just nailing down a few addresses is not going to solve the problem,
i'm afraid.

On Wed, 2004-05-12 at 09:56, Schmidt, Michael R. wrote:
> Well one of the biggest issues that allows people to remain anonymous is DHCP.  If everyone on the internet was 
> required to get a static IP address, or to log which IP they were using - using a secure technology then everyone 
> could be tracked, sure a few "super" hackers could still manage to escape detection I am sure, but there is nothing 
> that is the equivalent of a drivers license on the internet.
>
> Sure there would still be criminals using stolen credentials, but IPs are handed out based on location or where you 
> dialed in from. Dialing in can be traced using caller ID, wireless by IP and base station proximity, so just like 
> today, people would have a alibi for the time and place the criminal used their identity.
>
> What we need is something that you have to log into (securely) or your DHCP is revoked immediately.  And of course 
> static IPs are well, static and since they are routed, routes can be logged and therefore trackable.
>
> So again it is anonymity that causes most of the grief.  If all code had to be signed, then you'd know who wrote it, 
> and running unsigned code would be your own stupid fault.
>
> If you replace a part on some new cars with a non-manufacturers part, you void the warranty.  But when you run 
> unsigned downloaded for free or sent through email code on your dell, who do you call and expect to fix it when it 
> stops working?  The end user is the moron, we require no test to get on the internet and yet we let more people 
> anonymously sign on the net everyday.
<stuff deleted>
--
Scott Taylor - <security () 303underground com> 

A woman went into a hospital one day to give birth.  Afterwards, the doctor
came to her and said, "I have some... odd news for you."
        "Is my baby all right?" the woman anxiously asked.
        "Yes, he is," the doctor replied, "but we don't know how.  Your son
(we assume) was born with no body.  He only has a head."
        Well, the doctor was correct.  The Head was alive and well, though no
one knew how.  The Head turned out to be fairly normal, ignoring his lack of
a body, and lived for some time as typical a life as could be expected under
the circumstances.
        One day, about twenty years after the fateful birth, the woman got a
phone call from another doctor.  The doctor said, "I have recently perfected
an operation.  Your son can live a normal life now: we can graft a body onto
his head!"
        The woman, practically weeping with joy, thanked the doctor and hung
up.  She ran up the stairs saying, "Johnny, Johnny, I have a *wonderful*
surprise for you!"
        "Oh no," cried The Head, "not another HAT!"

    

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html