Security Incidents mailing list archives
Re: RPAT - Realtime Proxy Abuse Triangulation
From: Greg Barnes <greg () ins com>
Date: Mon, 30 Dec 2002 14:05:54 -0600
And so I learn!!  BTW - HUGE thanks for the clarification on ethics.  More
comments inline.

Monday, December 30, 2002, 1:45:35 PM, you wrote:

JDD> -----BEGIN PGP SIGNED MESSAGE-----
JDD> Hash: SHA1
JDD>
JDD> On Mon, 30 Dec 2002, Greg Barnes wrote:
JDD>
JDD> > > Such a practice strikes me as teleologically ethical[1].  A system
JDD> >
JDD> > Technologically Ethical?  Is that like 'technically honest' but not
JDD> > honest by any other definition?
JDD>
JDD>     No.  There are two primary camps in ethics: deontological and
JDD> teleological.  Deontological holds that all ethical constructs are
JDD> absolute and unwavering, regardless of circumstance.  These rules are
JDD> typically given to humanity by a deity or some other authority.
JDD> Teleological ethics holds that all ethical proscriptions arise from
JDD> value assessments of undesirable consequences that come from unethical
JDD> actions.  Teleological ethics also holds that the quality of an
JDD> otherwise seeming transgression is mitigated by both intent and
JDD> outcome.
JDD>
JDD>     To bust it down in the simplest terms for an example: it is wrong
JDD> to lie.  But if I was harboring Jews from the Nazis during WWII and
JDD> the Nazis asked me if I had seen any Jews and I told them I hadn't,
JDD> then I would have lied.  That lie, while deontologically unethical,
JDD> was teleologically ethical.

Again, thanks for the clarification.  And now that I understand the
difference between the two ethical camps, I know enough to know that I
will be more careful when answering questions regarding the ethics of an
action/inaction in the future.

JDD> > > is being abused and we recipient systems are paying the canonical
JDD> > > price for it.  And since we bear the cost of someone else's
JDD> > > irresponsibility, we have both the right and the responsibility
JDD> > > to pick up the slack created by the other party so that other
JDD> > > systems do not receive the same net.abuse ours have.
JDD> >
JDD> > This would be true if you represented an extension of law
JDD> > enforcement.
JDD>
JDD>     Actually, your assessment is inaccurate.  Law enforcement is far
JDD> more constrained in their sanctioned actions than the laity.  I, for
JDD> example, can engage in dumpster diving at will to find information I
JDD> need.  Law enforcement cannot do so without the blessing of the
JDD> courts.

And this is precisely because it is illegal.  I'm not a lawyer (or an
ethics expert !clearly!) but perusing other people's property appears to
fall into one of the camps you describe earlier...  So, I have to ask
myself, by what standard, and by whom, will I be judged?  And that's the
standard I will apply (I'm assuming only one will apply here, and if more
than one applies, I have to make a value judgement, right?).

JDD> > > The only thing that would color such a practice as even remotely
JDD> > > unethical would be later utilization of such findings for the
JDD> > > purpose of further spamming or other nefarious conduct.
JDD> >
JDD> > Who defines nefarious?
JDD>
JDD>     Simple.  Anything you'd do that would not make your mother proud.
JDD> ;)  But seriously, we don't need to define what 'is' is here.
JDD> Nefarious is simply a cute word I use to entail further net.abuse.
JDD>
JDD> > The rule of law defines it.  And there are agencies established for
JDD> > the purpose of enforcing the law.
JDD>
JDD>     And while many an agent in said agencies are good people doing
JDD> good work, the reality is that agencies are bureaucracies.  And as
JDD> bureaucracies, they move at a positively glacial pace...and with the
JDD> rapid pace of the 'net, their involvement is not simply impractical,
JDD> it's counterproductive.  The net.realities of today have simply
JDD> outpaced the laws provided by the legislature.  Thus, relying on old
JDD> (and increasingly archaic) laws and agencies for definition and
JDD> handling of genuine net.realities is kludgy at best, silly at worst.
JDD>
JDD> > > As a rule, when my systems are spammed via an open relay, I do
JDD> > > indeed perform open relay tests on the offending system to
JDD> > > confirm that the relayed spam is genuine or trivially spoofed[2].
JDD> > > With those findings,
JDD> >
JDD> > So how does one justify any scanning beyond that which is required
JDD> > to determine the source of a problem in the course of one's day to
JDD> > day duties
JDD>
JDD>     All scanning is done from a "rule out" standpoint.  I rule out
JDD> other possible explanations [spoofing, forgery, misconfigured MTA
JDD> data] as it pertains to the spam that appears to have come from an
JDD> open relay or proxy and then gather the data.  Once that's done, a
JDD> fairly clear picture of what's what has emerged.

Ahh, so we're on the same page.  We're not talking about scanning 65k
ports then (for example)...  I guess I misunderstood.

JDD> > and furthermore with the end goal of notifying the cognizant
JDD> > authority of the offense?
JDD>
JDD>     Whenever my systems are attacked, I take it upon myself to
JDD> accumulate all evidence necessary to present to the cognizant admin
JDD> of the offending system.  My reasons are twofold: first, they can use
JDD> the information to compare to their own logs (rather than go on a
JDD> large fishing expedition), and that saves time; second, I've met more
JDD> than my fair share of "admins" who couldn't find their butt with both
JDD> hands.  Those folks need a *lot* of hand-holding in order to bring
JDD> the net.abuse to a conclusion.
JDD>
JDD> > > I file my reports with the cognizant admins and/or upstream
JDD> > > providers so that an end may be put to that nonsense.
JDD> >
JDD> > All well and good, but again - to what end, the additional
JDD> > scanning?
JDD>
JDD>     I'm not sure what you mean.  I don't keep on scanning every
JDD> system that's poked, prodded or spammed mine after I've gathered the
JDD> information I require.  Hell, if I did that, I wouldn't have time to
JDD> do anything else.

heheheh.  So let it be written then.  Thanks for the response!!

JDD> - -Jay
JDD>   (    (                                                          _______
JDD>   ))   ))   .-"There's always time for a good cup of coffee."-.   >====<--.
JDD> C|~~|C|~~| (>------ Jay D. Dyson - jdyson () treachery net ------<) |    = |-'
JDD>  `--' `--'  `How about a 10-day waiting period on YOUR rights?'   `------'
JDD>
JDD> -----BEGIN PGP SIGNATURE-----
JDD> Version: GnuPG v1.0.7 (TreacherOS)
JDD> Comment: See http://www.treachery.net/~jdyson/ for current keys.
JDD>
JDD> iD8DBQE+EKJkTqL/+mXtpucRAkMHAJ9roysRFsNI0t2z874ID5xjIfgSZgCeM7vY
JDD> m5AmsjNb4QAmxoKOg71SKOA=
JDD> =TL7v
JDD> -----END PGP SIGNATURE-----

--
Regards,
Greg
PGP Fingerprint: 723E 7CAD 4EF5 D904 1EE8 5279 71A5 A594 E6A7 C48E

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
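The "open relay test" and "rule out" step Jay describes in the quoted message, shown as working code. This is an added example for the archive page, not code from the list, from Jay, or from RPAT. Everything in it is constructed for the demo: the host names, the probe addresses, the canned SMTP replies, and the tiny in-process fake server that exists only so the probe runs offline. The probe sends EHLO, MAIL FROM and RCPT TO for a recipient in a domain the target does not serve, records the whole transcript as evidence, and stops before DATA so nothing is ever relayed.

```python
"""Minimal SMTP open-relay probe with an offline fake server for the demo.
Added example; hosts, addresses and replies below are constructed."""
import socket
import threading
from typing import Dict, List, Tuple

# Constructed canned replies for the fake server, keyed by SMTP verb.
OPEN_RELAY_SCRIPT: Dict[str, str] = {
    "GREETING": "220 relay.example.test ESMTP",
    "EHLO": "250-relay.example.test\r\n250 SIZE 10240000",  # multi-line reply
    "MAIL": "250 2.1.0 Ok",
    "RCPT": "250 2.1.5 Ok",  # accepts a recipient in a foreign domain
    "RSET": "250 2.0.0 Ok",
    "QUIT": "221 2.0.0 Bye",
}
CLOSED_RELAY_SCRIPT: Dict[str, str] = dict(
    OPEN_RELAY_SCRIPT, RCPT="554 5.7.1 <probe@elsewhere.test>: Relay access denied")


def parse_reply_line(line: str) -> Tuple[int, bool, str]:
    """Return (code, is_last_line, text) for one line of an SMTP reply.
    A '-' after the code means more lines follow (RFC 5321 section 4.2.1)."""
    if len(line) < 3 or not line[:3].isdigit():
        raise ValueError(f"malformed SMTP reply: {line!r}")
    return int(line[:3]), line[3:4] != "-", line[4:]


def read_reply(rfile) -> Tuple[int, str]:
    """Read one complete (possibly multi-line) reply from the server."""
    texts: List[str] = []
    while True:
        raw = rfile.readline()
        if not raw:
            raise ConnectionError("peer closed the connection mid-reply")
        code, last, text = parse_reply_line(raw.decode("ascii", "replace").rstrip("\r\n"))
        texts.append(text)
        if last:
            return code, "\n".join(texts)


def relay_test(rfile, wfile, helo: str, mail_from: str, rcpt_to: str) -> Dict[str, object]:
    """Ask the server to accept a recipient in a domain it does not serve.
    Stops after RCPT TO and resets the envelope; DATA is never sent.
    Verdicts: no-smtp, rejected-helo, rejected-sender, relay-denied, open-relay."""
    transcript: List[Tuple[str, int, str]] = []  # (command, code, text) as evidence

    def cmd(line: str) -> int:
        wfile.write((line + "\r\n").encode("ascii"))
        wfile.flush()
        code, text = read_reply(rfile)
        transcript.append((line, code, text))
        return code

    def done(verdict: str) -> Dict[str, object]:
        return {"verdict": verdict, "transcript": transcript}

    code, banner = read_reply(rfile)
    transcript.append(("<banner>", code, banner))
    if code != 220:
        return done("no-smtp")
    if cmd(f"EHLO {helo}") != 250 and cmd(f"HELO {helo}") != 250:
        return done("rejected-helo")
    if cmd(f"MAIL FROM:<{mail_from}>") != 250:
        return done("rejected-sender")
    rcpt = cmd(f"RCPT TO:<{rcpt_to}>")
    cmd("RSET")  # leave no half-built envelope behind on the server
    cmd("QUIT")
    return done("open-relay" if rcpt in (250, 251) else "relay-denied")


def serve_script(conn: socket.socket, script: Dict[str, str]) -> None:
    """Toy SMTP server for the demo: answers each verb from the canned script."""
    with conn, conn.makefile("rb") as r, conn.makefile("wb") as w:
        w.write((script["GREETING"] + "\r\n").encode("ascii"))
        w.flush()
        while True:
            raw = r.readline()
            if not raw:
                break
            parts = raw.decode("ascii", "replace").split()
            verb = parts[0].upper() if parts else ""
            w.write((script.get(verb, "502 5.5.2 Command not implemented") + "\r\n").encode("ascii"))
            w.flush()
            if verb == "QUIT":
                break


def probe_with_script(script: Dict[str, str], helo: str = "probe.example.test",
                      mail_from: str = "postmaster@probe.example.test",
                      rcpt_to: str = "probe@elsewhere.test") -> Dict[str, object]:
    """Run relay_test against the in-process fake server over a socketpair."""
    client, server = socket.socketpair()
    t = threading.Thread(target=serve_script, args=(server, script), daemon=True)
    t.start()
    with client, client.makefile("rb") as r, client.makefile("wb") as w:
        result = relay_test(r, w, helo, mail_from, rcpt_to)
    t.join(5)
    return result


def probe_host(host: str, port: int = 25, helo: str = "probe.example.test",
               mail_from: str = "postmaster@probe.example.test",
               rcpt_to: str = "probe@elsewhere.test") -> Dict[str, object]:
    """The same probe against a real MTA (only hosts you are entitled to test)."""
    with socket.create_connection((host, port), timeout=30) as c, \
            c.makefile("rb") as r, c.makefile("wb") as w:
        return relay_test(r, w, helo, mail_from, rcpt_to)


if __name__ == "__main__":
    for name, script in (("open", OPEN_RELAY_SCRIPT), ("closed", CLOSED_RELAY_SCRIPT)):
        res = probe_with_script(script)
        print(name, res["verdict"])
        for command, code, text in res["transcript"]:
            print(f"  C: {command}\n  S: {code} {text}")
```

Two caveats a practitioner would add. First, "open-relay" here means the server accepted a foreign recipient at RCPT TO; some MTAs accept every recipient and only reject at DATA or bounce later, so a definitive confirmation means relaying one probe message to a mailbox you control and watching it arrive. Second, the transcript is the useful artefact: it is exactly the "information to compare to their own logs" that the quoted message says to hand to the cognizant admin, and it shows the probe did nothing beyond the rule-out step.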
Current thread:
- Re: RPAT - Realtime Proxy Abuse Triangulation, (continued)
- Re: RPAT - Realtime Proxy Abuse Triangulation Kevin Reardon (Dec 27)
- RE: RPAT - Realtime Proxy Abuse Triangulation Rob Shein (Dec 30)
- Re: RPAT - Realtime Proxy Abuse Triangulation Greg Barnes (Dec 30)
- Re: RPAT - Realtime Proxy Abuse Triangulation Gary Flynn (Dec 30)
- RE: RPAT - Realtime Proxy Abuse Triangulation Rob Shein (Dec 30)
- Re: RPAT - Realtime Proxy Abuse Triangulation Syzop (Dec 30)
- Re: RPAT - Realtime Proxy Abuse Triangulation Greg Barnes (Dec 30)
- Re: RPAT - Realtime Proxy Abuse Triangulation Jay D. Dyson (Dec 30)
- Re: RPAT - Realtime Proxy Abuse Triangulation Greg Barnes (Dec 30)
- Virus? Trojan? David Gillett (Dec 30)
- Re: Virus? Trojan? Peter Kruse (Dec 30)