At 07:32 PM 00/04/05 -0400, you wrote:
>> Not to mention the fact that you don't actually have to utilize a
>> vulnerability to know that it is there. Vulnerabilities all
>> have signatures or characteristics that make them visible without
>> doing anything illegal at all, unless you want to argue that having
>> your router route traffic to the machine in question constitutes
>> improper use of your private property. Anyway, there are numerous
>> tools out there that will not only scan a machine for vulnerabilities
>> and report back what they are, but also how they work, and how they
>> can be fixed. In my opinion, this is like driving by a house with
>> all the doors wide open and then leaving a note saying, "Hey, <silly
>> person>! You left your doors wide open." As long as they don't take
>> your TV or tell their friend to do so, nothing has changed. I feel
>> that a lot of the anger and rant following this sort of thing stems
>> from pure embarrassment. Get over it and learn to tighten up the ship.
>> If it's that critical it shouldn't be scannable to begin with.
>
>This is one of the rare times I have to disagree with you. Not all
>vulnerabilities are simply a matter of scanning, and scanning itself,
>carried to its extreme, is an intrusion. Following your analogy, a complete
>system scan (say all ports from 1-65k, attempts to communicate with IPC
>listeners, OS/service identification, etc) wouldn't be like someone driving
>by my house, but more like someone walking through my house and looking in
>the clothes hamper! Even if they didn't touch anything, they've gone where
>they shouldn't. I'm not the only one who feels this way: do some complete,
>non-subtle port scans on federal or state government networks, and see how
>long it takes for the hostmaster for your IP address range to get an email
>(The answer: less than 10 minutes).
>
I disagree. Your open ports are your "interface" to the world. Is it wrong
for me to test one port? That's essentially what I'd do if I tried typing
http://yoursite.com/ in my browser. Two, what if I fingered your box
when I found we were[n't] running a webserver. If one or two ports are
legit, why not three, four, ... or 65k?

Slippery slope, yes. But you could make the argument that it's unethical
to try to connect to a machine on port 80 if it hasn't been "advertised" as
a web server.

I guess the best real-world analogy is walking through an office and
turning door knobs to see which are or aren't locked. Of course, real-world
analogies are pretty flawed, but this one isn't too bad. To qualify for
"looking in the clothes hamper" status, I think you'd have to actually
compromise the system to some degree. You can't look in a hamper just
by trying the doorknob and seeing what happens.

Oh, and about the locksmith scenario, let's rephrase it so he doesn't enter
and leave a note. He picks the lock, opens the door (maybe not even),
closes it, locks it, leaves, and calls later to leave voicemail.

One more thing, that probably should be its own message, but seeing as this
has gone pretty far OT....

In my original post, I neglected the "post publicly" clause. I agree that
it's wrong to do that. Locksmith putting up a sign in the yard is a good
analogy. The proper thing to do (regardless of whether the initial survey
is proper or not) would be to contact a sysadmin discreetly.

I once discovered a CF site (see, on topic! almost) that was vulnerable to
the ::$DATA IIS problem. I took his index.cfm and emailed it to him, with
some explanation and a couple of links. I received a nice thank you note,
which I thought was appropriate. Your attitude makes me feel like I should
have kept my mouth shut for fear of p[ros|ers]ecution.
------------------------------------------------------------------------------
Archives: http://www.eGroups.com/list/cf-talk