Security Incidents mailing list archives

Re: RPAT - Realtime Proxy Abuse Triangulation


From: Greg Barnes <greg () ins com>
Date: Mon, 30 Dec 2002 14:05:54 -0600

And so I learn!!

BTW - HUGE thanks for the clarification on ethics.

More comments inline.


Monday, December 30, 2002, 1:45:35 PM, you wrote:
JDD> -----BEGIN PGP SIGNED MESSAGE-----
JDD> Hash: SHA1

JDD> On Mon, 30 Dec 2002, Greg Barnes wrote: 

JDD> Such a practice strikes me as teleologically ethical[1].  A system

Technologically Ethical?  Is that like 'technically honest' but not
honest by any other definition? 

JDD>         No.  There are two primary camps in ethics: deontological and
JDD> teleological.  Deontological holds that all ethical constructs are
JDD> absolute and unwavering, regardless of circumstance.  These rules are
JDD> typically given to humanity by a deity or some other authority. 
JDD> Teleological ethics holds that all ethical proscriptions arise from value
JDD> assessments of undesirable consequences that come from unethical actions.
JDD> Teleological ethics also holds that the quality of an otherwise seeming
JDD> transgression is mitigated by both intent and outcome. 

JDD>         To bust it down in the simplest terms for an example: it is wrong
JDD> to lie.  But if I was harboring Jews from the Nazis during WWII and the
JDD> Nazis asked me if I had seen any Jews and I told them I hadn't, then I
JDD> would have lied.  That lie, while deontologically unethical, was
JDD> teleologically ethical.

Again, thanks for the clarification.  And now that I understand the
difference between the two ethical camps, I know enough to know
that I will be more careful when answering questions regarding
the ethics of an action/inaction in the future.

JDD> is being abused and we recipient systems are paying the canonical
JDD> price for it.  And since we bear the cost of someone else's
JDD> irresponsibility, we have both the right and the responsibility to
JDD> pick up the slack created by the other party so that other systems
JDD> do not receive the same net.abuse ours have.

This would be true if you represented an extension of law enforcement. 

JDD>         Actually, your assessment is inaccurate.  Law enforcement is far
JDD> more constrained in their sanctioned actions than the laity.  I, for
JDD> example, can engage in dumpster diving at will to find information I need. 
JDD> Law enforcement cannot do so without the blessing of the courts.

And this is precisely because it is illegal.  I'm not a lawyer
(or an ethics expert !clearly!) but perusing other people's
property appears to fall into one of the camps you describe
earlier...So, I have to ask myself, by what standard, and by
whom will I be judged?

And that's the standard I will apply (I'm assuming only one
will apply here, and if more than one applies, I have to make
a value judgement right?).

JDD> The only thing that would color such a practice as even remotely 
JDD> unethical would be later utilization of such findings for the
JDD> purpose of further spamming or other nefarious conduct.

Who defines nefarious?

JDD>         Simple.  Anything you'd do that would not make your mother proud.
JDD> ;)  But seriously, we don't need to define what 'is' is here.  Nefarious is
JDD> simply a cute word I use to entail further net.abuse.

The rule of law defines it.  And there are agencies established for the
purpose of enforcing the law.

JDD>         And while many an agent in said agencies are good people doing
JDD> good work, the reality is that agencies are bureaucracies.  And as
JDD> bureaucracies, they move at a positively glacial pace...and with the rapid
JDD> pace of the 'net, their involvement is not simply impractical, it's
JDD> counterproductive.  The net.realities of today have simply outpaced the
JDD> laws provided by the legislature.  Thus, relying on old (and increasingly
JDD> archaic) laws and agencies for definition and handling of genuine
JDD> net.realities is kludgy at best, silly at worst. 

JDD> As a rule, when my systems are spammed via an open relay, I do
JDD> indeed perform open relay tests on the offending system to confirm
JDD> that the relayed spam is genuine or trivially spoofed[2].  With
JDD> those findings,

So how does one justify any scanning beyond that which is required to
determine the source of a problem in the course of one's day-to-day
duties

JDD>         All scanning is done from a "rule out" standpoint.  I rule out
JDD> other possible explanations [spoofing, forgery, misconfigured MTA data] as
JDD> it pertains to the spam that appears to have come from an open relay or
JDD> proxy and then gather the data.  Once that's done, a fairly clear picture
JDD> of what's what has emerged.

Ahh, so we're on the same page.  We're not talking about
scanning 65k ports then (for example)...I guess I misunderstood.

and furthermore with the end goal of notifying the cognizant authority
of the offense? 

JDD>         Whenever my systems are attacked, I take it upon myself to
JDD> accumulate all evidence necessary to present to the cognizant admin of the
JDD> offending system.  My reasons are twofold: first, they can use the
JDD> information to compare to their own logs (rather than go on a large
JDD> fishing expedition), and that saves time; second, I've met more than my
JDD> fair share of "admins" who couldn't find their butt with both hands.
JDD> Those folks need a *lot* of hand-holding in order to bring the net.abuse
JDD> to a conclusion.

JDD> I file my reports with the cognizant admins and/or upstream
JDD> providers so that an end may be put to that nonsense.

All well and good, but again - to what end, the additional scanning?

JDD>         I'm not sure what you mean.  I don't keep on scanning every system
JDD> that's poked, prodded or spammed mine after I've gathered the information
JDD> I require.  Hell, if I did that, I wouldn't have time to do anything else. 

heheheh.  So let it be written then.  Thanks for the response!!

JDD> - -Jay

JDD>    (    (                                                         _______
JDD>    ))   ))   .-"There's always time for a good cup of coffee."-.   >====<--.
JDD>  C|~~|C|~~| (>------ Jay D. Dyson - jdyson () treachery net ------<) |    = |-'
JDD>   `--' `--'  `How about a 10-day waiting period on YOUR rights?'  `------'

JDD> -----BEGIN PGP SIGNATURE-----
JDD> Version: GnuPG v1.0.7 (TreacherOS)
JDD> Comment: See http://www.treachery.net/~jdyson/ for current keys.

JDD> iD8DBQE+EKJkTqL/+mXtpucRAkMHAJ9roysRFsNI0t2z874ID5xjIfgSZgCeM7vY
JDD> m5AmsjNb4QAmxoKOg71SKOA=
JDD> =TL7v
JDD> -----END PGP SIGNATURE-----


-

Regards,

Greg

PGP Fingerprint:
723E 7CAD 4EF5 D904 1EE8  5279 71A5 A594 E6A7 C48E
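The "rule out" procedure Jay describes above (confirm which host actually handed the spam to your MTA, then check whether that host relays for strangers, and stop there) is easy to get wrong in ways that either relay real mail or misread a temporary rejection as a verdict. The following is an added example, not code from either poster: a minimal open-relay probe that never sends DATA, reads the only Received header you can trust (the one your own MTA wrote), and treats anything other than an explicit 250 or 5xx on RCPT TO as inconclusive. The FakeMTA class, the sample headers, and all hostnames and addresses (example.net, example.org, *.invalid, 192.0.2.x, 198.51.100.x) are constructed for illustration; SocketConn shows how the same probe is pointed at a real host.

```python
"""Open-relay 'rule out' probe (added example; addresses and hosts are constructed)."""
import re
import socket

PROBE_SENDER = "relaytest@example.net"     # assumed: a domain the target does not serve
PROBE_RECIPIENT = "relaytest@example.org"  # assumed: a third domain, also foreign to the target


def last_hop_ip(raw_headers):
    """Return the IP in the topmost Received header: the one added by *our* MTA.

    Every Received line below it was written by someone else and can be forged,
    so this is the only hop worth probing when ruling out spoofing."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", raw_headers)   # join folded header lines
    for line in unfolded.splitlines():
        if line.lower().startswith("received:"):
            m = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", line)
            return m.group(1) if m else None
    return None


def smtp_reply(conn):
    """Read one SMTP reply, handling multi-line '250-...' continuations; return (code, text)."""
    lines = []
    while True:
        line = conn.readline()
        if not line:
            raise ConnectionError("connection closed mid-reply")
        line = line.decode("ascii", "replace").rstrip("\r\n")
        lines.append(line)
        if len(line) < 4 or line[3] != "-":    # "250-foo" continues, "250 foo" ends
            break
    return int(lines[-1][:3]), "\n".join(lines)


def probe_open_relay(conn, helo="relaytest.example.net"):
    """Return ('open' | 'closed' | 'unknown', transcript). Never sends DATA."""
    transcript = []
    code, text = smtp_reply(conn)                 # banner
    transcript.append(text)
    if code != 220:
        return "unknown", transcript
    for cmd in (f"EHLO {helo}", f"MAIL FROM:<{PROBE_SENDER}>"):
        conn.sendall((cmd + "\r\n").encode())
        code, text = smtp_reply(conn)
        transcript.append(f"> {cmd}\n{text}")
        if code != 250:
            conn.sendall(b"QUIT\r\n")
            return "unknown", transcript
    cmd = f"RCPT TO:<{PROBE_RECIPIENT}>"
    conn.sendall((cmd + "\r\n").encode())
    code, text = smtp_reply(conn)
    transcript.append(f"> {cmd}\n{text}")
    conn.sendall(b"QUIT\r\n")                     # we only wanted the RCPT verdict
    if code == 250:
        return "open", transcript                 # it accepted a foreign recipient: relay
    if 500 <= code <= 599:
        return "closed", transcript               # explicit relay denial
    return "unknown", transcript                  # 4xx greylisting etc.: not a verdict


class SocketConn:
    """Adapter so probe_open_relay() can run against a real host on port 25."""
    def __init__(self, host, port=25, timeout=10):
        self.sock = socket.create_connection((host, port), timeout=timeout)
        self.rfile = self.sock.makefile("rb")
    def readline(self):
        return self.rfile.readline()
    def sendall(self, data):
        self.sock.sendall(data)


class FakeMTA:
    """Scripted stand-in for a connection (constructed for this example)."""
    def __init__(self, relays):
        self.relays = relays
        self.out = [b"220 mx.fake.invalid ESMTP\r\n"]
    def readline(self):
        return self.out.pop(0) if self.out else b""
    def sendall(self, data):
        verb = data.decode().strip().split(":")[0].split(" ")[0].upper()
        if verb == "EHLO":
            self.out += [b"250-mx.fake.invalid\r\n", b"250 SIZE 10240000\r\n"]
        elif verb == "MAIL":
            self.out.append(b"250 2.1.0 Ok\r\n")
        elif verb == "RCPT":
            self.out.append(b"250 2.1.5 Ok\r\n" if self.relays
                            else b"554 5.7.1 Relay access denied\r\n")
        elif verb == "QUIT":
            self.out.append(b"221 Bye\r\n")


SAMPLE_HEADERS = (  # constructed: our MTA's line on top, a forgeable hop beneath it
    "Received: from mail.fake.invalid (mail.fake.invalid [192.0.2.10])\n"
    "\tby mx.ours.invalid (Postfix) with ESMTP id 1A2B3C\n"
    "\tfor <victim@ours.invalid>; Mon, 30 Dec 2002 12:00:00 -0600\n"
    "Received: from [198.51.100.7] (helo=whatever)\n"
    "\tby mail.fake.invalid with SMTP; Mon, 30 Dec 2002 11:59:00 -0600\n"
    "From: bogus@example.com\n"
)

if __name__ == "__main__":
    print("last trusted hop:", last_hop_ip(SAMPLE_HEADERS))
    for relays in (True, False):
        verdict, log = probe_open_relay(FakeMTA(relays))
        print(verdict, "\n".join(log), sep="\n")
```

Against a live host you would replace FakeMTA with `SocketConn(last_hop_ip(headers))`; the probe stops at the RCPT TO reply, so no message is ever relayed through a host that turns out to be open, and a 4xx answer is reported as "unknown" rather than guessed either way.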


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com