Re: Scanning the Internet for Vulnerabilities Re: 202207272146.AYC

2022-07-27 Thread Abraham Y. Chen

Hi, John:

0) Thanks for sharing your thoughts. The IoT identification (IP address) 
versus privacy is a rather convoluted topic. It can quickly get 
distracted and diluted if we look at it piecemeal. Allow me to go 
through an overview to convey my logic.


1) It is true that a dynamic IoT identification is harder to track down 
than a static one, thus providing some sense of privacy or security, 
theoretically. This went well with the need for dynamic practice due to 
the limited IPv4 address pool. So, this idea sank deep into most 
people's minds as inherent to the Internet.


2) It turned out that there were many ways (as you alluded to) to track 
down an IoT even with a dynamic address. There was a classical research 
paper that outlined various techniques to do so:


https://www.ccsl.carleton.ca/paper-archive/muir-computingsurveys-09.pdf

To save your time, I extracted part of its conclusions as below:

"6 Concluding Remarks ... while some commercial organizations have 
claimed that they can do it with 99% accuracy. … It’s meant for the 99 
percent of the general public who are just at home surfing. … We note 
that even if accurate IP geolocation is possible for 99% of IP 
addresses, if the remaining 1% is fixed and predictable by an adversary, 
and such that the adversary can place themselves within this subspace, 
then they can evade geolocation 100% of the time. …"


We do not need to check its validity quantitatively today, because 
technology has advanced a lot. However, it is probably still pretty 
accurate qualitatively, judging by how successful "targeted marketing" 
is, and by how hard it is to identify various perpetrators, not to 
mention physically locating one.


3) As long as the general public embraces the Internet technologists' 
promise of privacy by dynamic addressing, however, the LE (Law 
Enforcement) agencies have the excuse for exercising mass surveillance 
that scoops up everything possible from the Internet for offline 
analysis. Big businesses have been doing the same under the same cover. 
So, most people end up without privacy anyway. (Remember the news that 
the German Chancellor's phone call was somehow picked up by the NSA of 
the US? For anyone with a little imagination, it was a clear hint of the 
tip of an iceberg.)


4) Static communication terminal (IoT) identification practice will 
remove a significant number of entities (the 99%) from LE's monitoring 
operation, enabling them to focus on the 1%, as well as requiring them to 
submit justification for a court order before doing so. The last part has 
disappeared under the Internet environment. See the URL below for an 
example. The static IP address practice will simplify the whole game. 
That is, the LEs can do their job more easily, while the general public 
will get the legally protected privacy back.


 
https://www.usatoday.com/story/news/2021/12/08/federal-court-upholds-terrorism-conviction-mass-surveillance-case/6440325001/


Regards,



Abe (2022-07-27 23:28 EDT)







On 2022-07-24 13:57, John Curran wrote:

On 24 Jul 2022, at 10:20 AM, Abraham Y. Chen  wrote:

Hi, John:

1) "...  dynamically assigned IP address space can still be tracked back to a given 
system ... ": I fully agree with this statement. However,
A. You overlooked the critical consideration of the response time. If this 
can not be done in real time for law enforcement purposes, it is meaningless.

Abe -

That’s correct - but that does not require having static addresses to 
accomplish (as you postulated earlier), rather it just requires having 
appropriately functioning logging apparatus.


B. Also, the goal is to spot the specific perpetrator, not the "system" which is too 
general to be meaningful. In fact, this would penalize the innocent users who happen to be on the 
same implied "system".

Yes, it is quite obvious that a degree of care is necessary.


C. In addition, for your “whack-a-mole” metaphor, the party in charge is 
the mole, not the party with the mallet. It is a losing game for the mallet 
right from the beginning.

As with all enforcement, it is a question of changing the breakeven-point 
calculation on incentives & risks for the would-be perpetrators, and 
presently there’s almost no risk involved.


So, the current Internet practices put us way behind the starting line even 
before the game. Overall, this environment is favored by multi-national 
businesses with perpetrators riding along in the background. When security is 
breached, there are more than enough excuses to point the finger to. No wonder 
the outcome has always been disappointing for the general public.

Indeed.


2) What we need to do is to reverse the roles in every one of the above 
situations, if we hope for any meaningful result, at all. The starting point is 
to review the root differences between the Internet and the traditional 
communication systems. With near half a century of the Internet experience, we 
should be ready to study each issue 

Re: Scanning the Internet for Vulnerabilities Re: 202207240927.AYC

2022-07-24 Thread Jay Hennigan

On 7/24/22 07:20, Abraham Y. Chen wrote:

Hi, John:

1) "...  dynamically assigned IP address space can still be tracked back 
to a given system ... ": I fully agree with this statement. However,
    A. You overlooked the critical consideration of the response time. 
If this can not be done in real time for law enforcement purposes, it is 
meaningless.


The same is true for statically assigned addresses, unless you're 
proposing that ISPs be forced to preemptively divulge all customer data 
to law enforcement and keep that data updated in real time. At least in 
the US, this would almost certainly be ruled an unconstitutional search.


It also fails to address the CGNAT scenarios often required to provide 
IPv4 Internet access at all.


    B. Also, the goal is to spot the specific perpetrator, not the 
"system" which is too general to be meaningful. In fact, this would 
penalize the innocent users who happen to be on the same implied "system".


"System" isn't implied. It would be the AS and assigned CIDR block from 
the RIR.


    C. In addition, for your “whack-a-mole” metaphor, the party in 
charge is the mole, not the party with the mallet. It is a losing game 
for the mallet right from the beginning.


The party in charge (ISP) is the programmer of the game that also holds 
the records of where the mole has been historically. With the proper 
warrant, law enforcement can get those records. It matters not whether 
the IP is static, dynamic, or part of a CGNAT pool.


    So, the current Internet practices put us way behind the starting 
line even before the game. Overall, this environment is favored by 
multi-national businesses with perpetrators riding along in the 
background. When security is breached, there are more than enough 
excuses to point the finger to.


Overall, this environment is favored by most users of the Internet that 
don't want law enforcement to be handed yet another virtual wiretap by 
their ISP. It's also required in many cases to provide IPv4 Internet 
access at all, as there aren't enough static addresses to go around.



No wonder the outcome has always been disappointing for the general public.


I disagree that the general public is disappointed. No one I know wants 
yet more agencies tracking them on the Internet, particularly agencies 
employing people with guns and the ability to throw them in jail.


--
Jay Hennigan - j...@west.net
Network Engineering - CCIE #7880
503 897-8550 - WB6RDV


Re: Scanning the Internet for Vulnerabilities Re: 202207240927.AYC

2022-07-24 Thread John Curran



> On 24 Jul 2022, at 10:20 AM, Abraham Y. Chen  wrote:
> 
> Hi, John:
> 
> 1) "...  dynamically assigned IP address space can still be tracked back to a 
> given system ... ": I fully agree with this statement. However,
>A. You overlooked the critical consideration of the response time. If this 
> can not be done in real time for law enforcement purposes, it is meaningless.

Abe - 

That’s correct - but that does not require having static addresses to 
accomplish (as you postulated earlier), rather it just requires having 
appropriately functioning logging apparatus. 

>B. Also, the goal is to spot the specific perpetrator, not the "system" 
> which is too general to be meaningful. In fact, this would penalize the 
> innocent users who happen to be on the same implied "system".

Yes, it is quite obvious that a degree of care is necessary.

>C. In addition, for your “whack-a-mole” metaphor, the party in charge is 
> the mole, not the party with the mallet. It is a losing game for the mallet 
> right from the beginning.

As with all enforcement, it is a question of changing the breakeven-point 
calculation on incentives & risks for the would-be perpetrators, and 
presently there’s almost no risk involved. 

>So, the current Internet practices put us way behind the starting line 
> even before the game. Overall, this environment is favored by multi-national 
> businesses with perpetrators riding along in the background. When security is 
> breached, there are more than enough excuses to point the finger to. No 
> wonder the outcome has always been disappointing for the general public.

Indeed.

> 2) What we need to do is to reverse the roles in every one of the above 
> situations, if we hope for any meaningful result, at all. The starting point 
> is to review the root differences between the Internet and the traditional 
> communication systems. With near half a century of the Internet experience, 
> we should be ready to study each issue from its source, not by perpetuating 
> its misleading manifestations.

That’s one possible approach, although before becoming too enamored with 
it, it is probably worth remembering that the “traditional communication 
systems” have also suffered from similar exploits on occasion (they’ve 
been fewer in number, but then again, the number of connected devices was 
also several orders of magnitude smaller.)

Thanks,
/John

Disclaimer:  my views alone – use caution - contents may be hot!

> ...
> 
> On 2022-07-24 07:27, John Curran wrote:
>> Abe -
>> 
>> Static versus dynamic address assignment isn’t the problem - dynamically 
>> assigned IP address space can
>> still be tracked back to a given system (reference: RFC6302/BCP162 & RFC6269 
>> for discussion of the
>> requirements and various related issues.)
>> 
>> Tracking back to a particular server doesn’t really matter if all that 
>> happens is that the service is terminated
>> (as the culprit will simply appear elsewhere in the Internet with a new 
>> connection/server and start over.)
>> 
>> Alas, the situation doesn’t change unless/until there’s a willingness to 
>> engage law enforcement and pursue
>> the attackers to prevent recurrence.  This is non-trivial, both because of 
>> the skills necessary, the volume of
>> attacks, the various jurisdictions involved, etc. – but the greatest 
>> obstacle is simply the attitude of “Why bother,
>> that’s just the way it is…”
>> 
>> With zero effective back pressure, we shouldn’t be surprised as frequency of 
>> attempts grows without bound.
>> 
>> Thanks,
>> /John
>> 
>> Disclaimers: my views alone – no one else would claim them.  Feel free to 
>> use/reuse/discard as you see fit.
>> 
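
John's point above that attribution behind dynamic addressing "just requires having appropriately functioning logging apparatus" (his reference is RFC 6302/BCP 162 and RFC 6269), and Jay's point in the previous message that the ISP's session records answer the question whether the address is static, dynamic or part of a CGNAT pool, can be shown concretely. The Python below is an added example written for this page; it is not code from either poster or from the RFCs. The web-server access-log line and the CGNAT session log are constructed, and their formats, the subscriber identifiers (cust-1001 and so on), the shared address 203.0.113.45 and the helper names are assumptions made for the illustration. It shows three things: a server log that carries the client's source port and a UTC timestamp, as RFC 6302 recommends, resolves to exactly one subscriber behind CGNAT; the same line without the source port matches every subscriber sharing that public address at that instant (the "innocent users on the same system" problem Abe raises); and clock error between the two logs re-introduces ambiguity once a port has been reused.

```python
"""Correlate a server-side access-log entry with an ISP's CGNAT session log.

Added example for this thread; not code from any poster or from RFC 6302.
Every log line below is constructed for the illustration.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass(frozen=True)
class NatSession:
    subscriber: str          # ISP-internal account/CPE identifier (assumed format)
    outside_addr: str        # shared public IPv4 address
    outside_port: int        # translated source port as seen by the server
    start: datetime
    end: Optional[datetime]  # None: still open when the log was exported


# Constructed CGNAT session log: one line per translation open/close, UTC.
# Two subscribers share 203.0.113.45; port 40001 is reused by cust-1003
# after cust-1001 closes its session.
NAT_LOG = """\
2022-07-24T14:00:00Z open  cust-1001 10.64.3.17:51234 -> 203.0.113.45:40001
2022-07-24T14:00:05Z open  cust-1002 10.64.3.18:51888 -> 203.0.113.45:40002
2022-07-24T14:02:00Z close cust-1001 10.64.3.17:51234 -> 203.0.113.45:40001
2022-07-24T14:02:30Z open  cust-1003 10.64.3.19:50001 -> 203.0.113.45:40001
"""

# Constructed web-server access-log line. The ":40001" after the client
# address and the explicit "+0000" offset are what RFC 6302 asks servers
# to record; the rest is ordinary common-log-format content.
ACCESS_LINE = ('203.0.113.45:40001 - - [24/Jul/2022:14:01:30 +0000] '
               '"POST /login HTTP/1.1" 401 512')

NAT_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<ev>open|close)\s+(?P<sub>\S+)\s+\S+\s+->\s+"
    r"(?P<oaddr>[\d.]+):(?P<oport>\d+)$"
)
ACCESS_RE = re.compile(r"^(?P<addr>[\d.]+)(?::(?P<port>\d+))? - - \[(?P<ts>[^\]]+)\]")


def parse_iso_utc(text: str) -> datetime:
    """Parse '2022-07-24T14:00:00Z' into an aware UTC datetime."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_nat_log(text: str) -> list[NatSession]:
    """Pair open/close events into sessions; unmatched opens stay open."""
    pending: dict[tuple[str, str, int], datetime] = {}
    sessions: list[NatSession] = []
    for line in text.splitlines():
        m = NAT_RE.match(line.strip())
        if not m:
            raise ValueError(f"unparseable NAT log line: {line!r}")
        key = (m["sub"], m["oaddr"], int(m["oport"]))
        ts = parse_iso_utc(m["ts"])
        if m["ev"] == "open":
            pending[key] = ts
        else:
            sessions.append(NatSession(*key, pending.pop(key), ts))
    sessions.extend(NatSession(*key, start, None) for key, start in pending.items())
    return sessions


def parse_access_line(line: str) -> tuple[str, Optional[int], datetime]:
    """Return (client address, source port or None if not logged, UTC time)."""
    m = ACCESS_RE.match(line)
    if not m:
        raise ValueError(f"unparseable access-log line: {line!r}")
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z").astimezone(timezone.utc)
    port = int(m["port"]) if m["port"] else None
    return m["addr"], port, ts


def attribute(addr: str, port: Optional[int], ts: datetime,
              sessions: list[NatSession], skew_seconds: int = 0) -> set[str]:
    """Subscribers whose NAT session covers (addr, port) at time ts.

    port=None models a server that logged only the address: every
    subscriber behind that address at that instant matches. skew_seconds
    widens each session by the assumed clock error between the two logs.
    """
    skew = timedelta(seconds=skew_seconds)
    hits: set[str] = set()
    for s in sessions:
        if s.outside_addr != addr:
            continue
        if port is not None and s.outside_port != port:
            continue
        if s.start - skew <= ts and (s.end is None or ts < s.end + skew):
            hits.add(s.subscriber)
    return hits


if __name__ == "__main__":
    sessions = parse_nat_log(NAT_LOG)
    addr, port, ts = parse_access_line(ACCESS_LINE)
    print("with source port:   ", attribute(addr, port, ts, sessions))
    print("without source port:", attribute(addr, None, ts, sessions))
    later = parse_iso_utc("2022-07-24T14:03:00Z")
    print("after port reuse:   ", attribute(addr, 40001, later, sessions))
    edge = parse_iso_utc("2022-07-24T14:02:30Z")
    print("60 s clock skew:    ", attribute(addr, 40001, edge, sessions, skew_seconds=60))
```

Run as a script to see the four lookups. The skew_seconds parameter is the caveat a practitioner cares about: RFC 6302 recommends UTC timestamps from a synchronized clock precisely because, once a port has been reused, a few seconds of drift between the server and the CGNAT logger is enough to make two subscribers' sessions overlap in the correlation, and a request for records that ignores this will name the wrong customer.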



Re: Scanning the Internet for Vulnerabilities Re: 202207240927.AYC

2022-07-24 Thread Abraham Y. Chen

Hi, John:

1) "...  dynamically assigned IP address space can still be tracked back 
to a given system ... ": I fully agree with this statement. However,
   A. You overlooked the critical consideration of the response time. 
If this can not be done in real time for law enforcement purposes, it is 
meaningless.


   B. Also, the goal is to spot the specific perpetrator, not the 
"system" which is too general to be meaningful. In fact, this would 
penalize the innocent users who happen to be on the same implied "system".


   C. In addition, for your “whack-a-mole” metaphor, the party in 
charge is the mole, not the party with the mallet. It is a losing game 
for the mallet right from the beginning.


   So, the current Internet practices put us way behind the starting 
line even before the game. Overall, this environment is favored by 
multi-national businesses with perpetrators riding along in the 
background. When security is breached, there are more than enough 
excuses to point the finger to. No wonder the outcome has always been 
disappointing for the general public.


2) What we need to do is to reverse the roles in every one of the above 
situations, if we hope for any meaningful result, at all. The starting 
point is to review the root differences between the Internet and the 
traditional communication systems. With near half a century of the 
Internet experience, we should be ready to study each issue from its 
source, not by perpetuating its misleading manifestations.


Regards,


Abe (2022-07-24 10:19 EDT)


On 2022-07-24 07:27, John Curran wrote:

Abe -

Static versus dynamic address assignment isn’t the problem - 
dynamically assigned IP address space can still be tracked back to a 
given system (reference: RFC6302/BCP162 & RFC6269 for discussion of the 
requirements and various related issues.)

Tracking back to a particular server doesn’t really matter if all that 
happens is that the service is terminated (as the culprit will simply 
appear elsewhere in the Internet with a new connection/server and start 
over.)

Alas, the situation doesn’t change unless/until there’s a willingness 
to engage law enforcement and pursue the attackers to prevent 
recurrence.  This is non-trivial, both because of the skills necessary, 
the volume of attacks, the various jurisdictions involved, etc. – but 
the greatest obstacle is simply the attitude of “Why bother, that’s just 
the way it is…”

With zero effective back pressure, we shouldn’t be surprised as 
frequency of attempts grows without bound.


Thanks,
/John

Disclaimers: my views alone – no one else would claim them.  Feel free 
to use/reuse/discard as you see fit.



On 23 Jul 2022, at 10:28 PM, Abraham Y. Chen  wrote:

Hi, John:

1) "... i.e. we’re instead going to engage in the world’s longest 
running game of “whack-a-mole” by just blocking their last known 
website/mail server/botnet and the wishing for the best… ":


Perhaps it is time for us to consider the "Back to the Future" 
strategy, i.e., the Internet should practice static IP addresses like 
all traditional communication systems did?


Regards,

Abe (2022-07-23 22:27 EDT)


On 2022-06-22 10:35, John Curran wrote:

Barry -

There is indeed a metaphor to your “rattling doorknobs", but it’s
not pretty when it comes to the Internet…

If you call the police because someone is creeping around your
property checking doors and windows for
possible entry, then they will indeed come out and attempt to
arrest the perpetrator (I am most certainly
not a lawyer, but as I understand it even the act of opening an
unlocked window or door is sufficient in many
jurisdictions to satisfy the “breaking the seal of the property”
premise and warrant charging under breaking
and entering statutes.)

Now welcome to the Internet… paint all your windows black, remove
all lighting save for one small bulb
over your front entry. Sit back and enjoy the continuous sounds
of rattling doorknobs and scratching at
the windows.

If/when you find a digital culprit creeping around inside the
home, your best option is burn down the place
and start anew with the copies you keep offsite in storage
elsewhere. Similarly if you find a “trap” (e.g.,
a phishing email) placed on your patio or amongst your mail…
discard such cautiously and hope your
kids use equal care.

“Best practice” for handling these situations on the Internet is
effectively to cope as best you can despite
being inundated with attempts – i.e. most Internet security
professionals and law enforcement will tell you
that the idea of actually trying to identify and stop any of the
culprits involved is considered rather quaint
at best – i.e. we’re instead going to engage in the world’s longest
running game of “whack-a-mole” by just
blocking their last known website/mail server/botnet and the
wishing for the best…


Enjoy your Internet!
/John

Disclaimers: My views alone - use, reuse, or discard as desired.
This message made of 100% recycled electrons.


On 22 Jun 2022, at 12:04 

Re: Scanning the Internet for Vulnerabilities Re: 202207232217.AYC

2022-07-24 Thread John Curran
Abe - 

Static versus dynamic address assignment isn’t the problem - dynamically 
assigned IP address space can still be tracked back to a given system 
(reference: RFC6302/BCP162 & RFC6269 for discussion of the requirements 
and various related issues.) 

Tracking back to a particular server doesn’t really matter if all that 
happens is that the service is terminated (as the culprit will simply 
appear elsewhere in the Internet with a new connection/server and start 
over.)

Alas, the situation doesn’t change unless/until there’s a willingness to 
engage law enforcement and pursue the attackers to prevent recurrence.  
This is non-trivial, both because of the skills necessary, the volume of 
attacks, the various jurisdictions involved, etc. – but the greatest 
obstacle is simply the attitude of “Why bother, that’s just the way it 
is…” 

With zero effective back pressure, we shouldn’t be surprised as 
frequency of attempts grows without bound.

Thanks,
/John

Disclaimers: my views alone – no one else would claim them.  Feel free to 
use/reuse/discard as you see fit. 

> On 23 Jul 2022, at 10:28 PM, Abraham Y. Chen  wrote:
> 
> Hi, John:
> 
> 1) "... i.e. we’re instead going to engage in the world’s longest running game 
> of “whack-a-mole” by just blocking their last known website/mail 
> server/botnet and the wishing for the best… ":
> 
> Perhaps it is time for us to consider the "Back to the Future" strategy, 
> i.e., the Internet should practice static IP addresses like all traditional 
> communication systems did?
> 
> Regards,
> 
> Abe (2022-07-23 22:27 EDT)
> 
> 
> On 2022-06-22 10:35, John Curran wrote:
>> Barry -
>> 
>> There is indeed a metaphor to your “rattling doorknobs", but it’s
>> not pretty when it comes to the Internet…
>> 
>> If you call the police because someone is creeping around your
>> property checking doors and windows for
>> possible entry, then they will indeed come out and attempt to
>> arrest the perpetrator (I am most certainly
>> not a lawyer, but as I understand it even the act of opening an
>> unlocked window or door is sufficient in many
>> jurisdictions to satisfy the “breaking the seal of the property”
>> premise and warrant charging under breaking
>> and entering statutes.)
>> 
>> Now welcome to the Internet… paint all your windows black, remove
>> all lighting save for one small bulb
>> over your front entry. Sit back and enjoy the continuous sounds
>> of rattling doorknobs and scratching at
>> the windows.
>> 
>> If/when you find a digital culprit creeping around inside the
>> home, your best option is burn down the place
>> and start anew with the copies you keep offsite in storage
>> elsewhere. Similarly if you find a “trap” (e.g.,
>> a phishing email) placed on your patio or amongst your mail…
>> discard such cautiously and hope your
>> kids use equal care.
>> 
>> “Best practice” for handling these situations on the Internet is
>> effectively to cope as best you can despite
>> being inundated with attempts – i.e. most Internet security
>> professionals and law enforcement will tell you
>> that the idea of actually trying to identify and stop any of the
>> culprits involved is considered rather quaint
>> at best – i.e. we’re instead going to engage in the world’s longest
>> running game of “whack-a-mole” by just
>> blocking their last known website/mail server/botnet and the
>> wishing for the best…
>> 
>> 
>> Enjoy your Internet!
>> /John
>> 
>> Disclaimers: My views alone - use, reuse, or discard as desired.
>> This message made of 100% recycled electrons.
>> 
>>> On 22 Jun 2022, at 12:04 AM, b...@theworld.com wrote:
>>> 
>>> 
>>> When I lock the doors etc to my home I'll often mutter "ya know, if
>>> someone is rattling my door knob I already have a big problem."
>>> 
>>> I suppose when I'm home it might give me a warning if I hear it.
>>> 
>>> There must be a metaphor in there somewhere.
>>> 
>>> I do recall as a teen noticing that the door of one of the closed stores
>>> on the main drag was unlocked late one night walking home (this was in
>>> NYC.)
>>> 
>>> I saw a cop and told him and he scolded me angrily for rattling door
>>> knobs, I could be arrested for that! But verified it, looked around
>>> inside with his flashlight, and called it in.
>>> 
>>> I forget how I noticed but I wasn't in the habit of rattling stores'
>>> door knobs, I think the door was just a bit ajar.
>>> 
>>> There must be a metaphor in there somewhere.
>>> 
>>> On June 21, 2022 at 10:01 mpal...@hezmatt.org (Matt Palmer) wrote:
 On Mon, Jun 20, 2022 at 02:18:30AM +, Mel Beckman wrote:
> When researchers, or whoever, claim their scanning is an altruistic service,
> I ask them if they would mind someone coming to their home and trying to
> open all the doors and windows every night.
 
 If there were a few hundred people with nefarious intent trying to open 
 your
 doors and windows every night, someone doing the same thing with altruistic
 intent might not be 

Re: Scanning the Internet for Vulnerabilities Re: 202207232217.AYC

2022-07-23 Thread Abraham Y. Chen

Hi, John:

1) "... i.e. we’re instead going to engage in the world’s longest running 
game of “whack-a-mole” by just blocking their last known website/mail 
server/botnet and the wishing for the best… ":


Perhaps it is time for us to consider the "Back to the Future" strategy, 
i.e., the Internet should practice static IP addresses like all 
traditional communication systems did?


Regards,

Abe (2022-07-23 22:27 EDT)


On 2022-06-22 10:35, John Curran wrote:

Barry -

There is indeed a metaphor to your “rattling doorknobs", but it’s
not pretty when it comes to the Internet…

If you call the police because someone is creeping around your
property checking doors and windows for
possible entry, then they will indeed come out and attempt to
arrest the perpetrator (I am most certainly
not a lawyer, but as I understand it even the act of opening an
unlocked window or door is sufficient in many
jurisdictions to satisfy the “breaking the seal of the property”
premise and warrant charging under breaking
and entering statutes.)

Now welcome to the Internet…  paint all your windows black, remove
all lighting save for one small bulb
over your front entry.   Sit back and enjoy the continuous sounds
of rattling doorknobs and scratching at
the windows.

If/when you find a digital culprit creeping around inside the
home, your best option is burn down the place
and start anew with the copies you keep offsite in storage
elsewhere.   Similarly if you find a “trap” (e.g.,
a phishing email) placed on your patio or amongst your mail…
discard such cautiously and hope your
kids use equal care.

“Best practice” for handling these situations on the Internet is
effectively to cope as best you can despite
being inundated with attempts – i.e. most Internet security
professionals and law enforcement will tell you
that the idea of actually trying to identify and stop any of the
culprits involved is considered rather quaint
at best – i.e. we’re instead going to engage in the world’s longest
running game of “whack-a-mole” by just
blocking their last known website/mail server/botnet and the
wishing for the best…


Enjoy your Internet!
/John

Disclaimers:  My views alone - use, reuse, or discard as desired.
                      This message made of 100% recycled electrons.


On 22 Jun 2022, at 12:04 AM, b...@theworld.com wrote:


When I lock the doors etc to my home I'll often mutter "ya know, if
someone is rattling my door knob I already have a big problem."

I suppose when I'm home it might give me a warning if I hear it.

There must be a metaphor in there somewhere.

I do recall as a teen noticing that the door of one of the closed stores
on the main drag was unlocked late one night walking home (this was in
NYC.)

I saw a cop and told him and he scolded me angrily for rattling door
knobs, I could be arrested for that! But verified it, looked around
inside with his flashlight, and called it in.

I forget how I noticed but I wasn't in the habit of rattling stores'
door knobs, I think the door was just a bit ajar.

There must be a metaphor in there somewhere.

On June 21, 2022 at 10:01 mpal...@hezmatt.org (Matt Palmer) wrote:

On Mon, Jun 20, 2022 at 02:18:30AM +, Mel Beckman wrote:
When researchers, or whoever, claim their scanning is an altruistic 
service,
I ask them if they would mind someone coming to their home and 
trying to

open all the doors and windows every night.


If there were a few hundred people with nefarious intent trying to 
open your
doors and windows every night, someone doing the same thing with 
altruistic

intent might not be such a bad thing.

- Matt


--
   -Barry Shein

Software Tool & Die    | b...@theworld.com | 
http://www.TheWorld.com 

Purveyors to the Trade | Voice: +1 617-STD-WRLD   | 800-THE-WRLD
The World: Since 1989  | A Public Information Utility | *oo*








Re: Scanning the Internet for Vulnerabilities

2022-06-22 Thread John Curran
Barry -

I did not say “obligation” - enforcement of laws is always modulated by 
local factors (just look at the formal decision not to prosecute “minor” 
crimes in some cities) - but rather said that police will pursue in many 
jurisdictions.   This is particularly true in cases where the perpetrator 
is still on the premises to be taken into custody.

Yes, there are indeed places in the physical world where legal recourse 
against a perpetrator is becoming less likely (just as it is on the 
Internet); this is particularly disappointing given that legal recourse 
is recognized as a basic human right.

Thanks,
/John

Disclaimers: my views alone.  Use/reuse/delete as desired. 
Contents may be hot; use caution when handling.

> On Jun 22, 2022, at 5:45 PM, b...@theworld.com wrote:
> 
> 
>> On June 22, 2022 at 10:35 jcur...@istaff.org (John Curran) wrote:
>> Barry - 
>> 
>> 
>>There is indeed a metaphor to your “rattling doorknobs", but it’s not
>>pretty when it comes to the Internet…   
>> 
>>If you call the police because someone is creeping around your property
>>checking doors and windows for 
>>possible entry, then they will indeed come out and attempt to arrest the
>>perpetrator (I am most certainly 
>>not a lawyer, but as I understand it even the act of opening an unlocked
>>window or door is sufficient in many 
>>jurisdictions to satisfy the “breaking the seal of the property” premise
> 
> One can find a lot of articles and court decisions which amount to no,
> the police have no such obligation despite people's strong belief that
> they do:
> 
>  
> https://mises.org/power-market/police-have-no-duty-protect-you-federal-court-affirms-yet-again
> 
>  https://en.wikipedia.org/wiki/Town_of_Castle_Rock_v._Gonzales
> 
>  (not even if you have a restraining order against the person)
> 
> etc.
> 
> They do have an obligation to protect someone when they are in their
> custody but that's about it.
> 
> The recent behavior of the Uvalde police standing around while
> children were being shot may not have been their proudest moment but
> they violated nothing by doing so.
> 
>  https://www.thenation.com/article/society/uvalde-police-supreme-court/
> 
> So let's try to extrapolate that to the internet and LEOs...good luck!
> 
>>and warrant charging under breaking 
>>and entering statutes.)
>> 
>>Now welcome to the Internet…  paint all your windows black, remove all
>>lighting save for one small bulb
>>over your front entry.   Sit back and enjoy the continuous sounds of
>>rattling doorknobs and scratching at 
>>the windows.
>> 
>>If/when you find a digital culprit creeping around inside the home, your
>>best option is burn down the place 
>>and start anew with the copies you keep offsite in storage elsewhere.  
>>Similarly if you find a “trap” (e.g., 
>>a phishing email) placed on your patio or amongst your mail… discard such
>>cautiously and hope your 
>>kids use equal care. 
>> 
>>“Best practice” for handling these situations on the Internet is
>>effectively to cope as best you can despite
>>being inundated with attempts – i.e. most Internet security professionals
>>and law enforcement will tell you
>>that the idea of actually trying to identify and stop any of the culprits
>>involved is considered rather quaint
>>at best – i.e. we’re instead going to engage in the world’s longest running
>>game of “whack-a-mole” by just
>>blocking their last known website/mail server/botnet and the wishing for
>>the best…  
>> 
>> 
>> Enjoy your Internet! 
>> /John
>> 
>> Disclaimers:  My views alone - use, reuse, or discard as desired.   
>>  This message made of 100% recycled electrons. 
>> 
>> 
>>On 22 Jun 2022, at 12:04 AM, b...@theworld.com wrote:
>> 
>> 
>>When I lock the doors etc to my home I'll often mutter "ya know, if
>>someone is rattling my door knob I already have a big problem."
>> 
>>I suppose when I'm home it might give me a warning if I hear it.
>> 
>>There must be a metaphor in there somewhere.
>> 
>>I do recall as a teen noticing that the door of one of the closed stores
>>on the main drag was unlocked late one night walking home (this was in
>>NYC.)
>> 
>>I saw a cop and told him and he scolded me angrily for rattling door
>>knobs, I could be arrested for that! But verified it, looked around
>>inside with his flashlight, and called it in.
>> 
>>I forget how I noticed but I wasn't in the habit of rattling stores'
>>door knobs, I think the door was just a bit ajar.
>> 
>>There must be a metaphor in there somewhere.
>> 
>>On June 21, 2022 at 10:01 mpal...@hezmatt.org (Matt Palmer) wrote:
>> 
>>On Mon, Jun 20, 2022 at 02:18:30AM +, Mel Beckman wrote:
>> 
>>When researchers, or whoever, claim their scanning is an altruistic
>>service,
>>I 

Re: Scanning the Internet for Vulnerabilities

2022-06-22 Thread bzs


On June 22, 2022 at 10:35 jcur...@istaff.org (John Curran) wrote:
 > Barry - 
 > 
 > 
 > There is indeed a metaphor to your “rattling doorknobs", but it’s not
 > pretty when it comes to the Internet…   
 > 
 > If you call the police because someone is creeping around your property
 > checking doors and windows for 
 > possible entry, then they will indeed come out and attempt to arrest the
 > perpetrator (I am most certainly 
 > not a lawyer, but as I understand it even the act of opening an unlocked
 > window or door is sufficient in many 
 > jurisdictions to satisfy the “breaking the seal of the property” premise

One can find a lot of articles and court decisions which amount to no,
the police have no such obligation despite people's strong belief that
they do:

  
https://mises.org/power-market/police-have-no-duty-protect-you-federal-court-affirms-yet-again

  https://en.wikipedia.org/wiki/Town_of_Castle_Rock_v._Gonzales

  (not even if you have a restraining order against the person)

etc.

They do have an obligation to protect someone when they are in their
custody but that's about it.

The recent behavior of the Uvalde police standing around while
children were being shot may not have been their proudest moment but
they violated nothing by doing so.

  https://www.thenation.com/article/society/uvalde-police-supreme-court/

So let's try to extrapolate that to the internet and LEOs...good luck!

 > and warrant charging under breaking 
 > and entering statutes.)
 > 
 > Now welcome to the Internet…  paint all your windows black, remove all
 > lighting save for one small bulb
 > over your front entry.   Sit back and enjoy the continuous sounds of
 > rattling doorknobs and scratching at 
 > the windows.
 > 
 > If/when you find a digital culprit creeping around inside the home, your
 > best option is burn down the place 
 > and start anew with the copies you keep offsite in storage elsewhere.  
 > Similarly if you find a “trap” (e.g., 
 > a phishing email) placed on your patio or amongst your mail… discard such
 > cautiously and hope your 
 > kids use equal care. 
 > 
 > “Best practice” for handling these situations on the Internet is
 > effectively to cope as best you can despite
 > being inundated with attempts – i.e. most Internet security professionals
 > and law enforcement will tell you
 > that the idea of actually trying to identify and stop any of the culprits
 > involved is considered rather quaint
 > at best – i.e. we’re instead going to engage in the world's longest 
 > running
 > game of “whack-a-mole” by just
 > blocking their last known website/mail server/botnet and then wishing for
 > the best…  
 > 
 > 
 > Enjoy your Internet! 
 > /John
 > 
 > Disclaimers:  My views alone - use, reuse, or discard as desired.   
 >   This message made of 100% recycled electrons. 
 > 
 > 
 > On 22 Jun 2022, at 12:04 AM, b...@theworld.com wrote:
 > 
 > 
 > When I lock the doors etc to my home I'll often mutter "ya know, if
 > someone is rattling my door knob I already have a big problem."
 > 
 > I suppose when I'm home it might give me a warning if I hear it.
 > 
 > There must be a metaphor in there somewhere.
 > 
 > I do recall as a teen noticing that one of the closed stores on the
 > main drag's door was unlocked late one night walking home (this was in
 > NYC.)
 > 
 > I saw a cop and told him and he scolded me angrily for rattling door
 > knobs, I could be arrested for that! But verified it, looked around
 > inside with his flashlight, and called it in.
 > 
 > I forget how I noticed but I wasn't in the habit of rattling stores'
 > door knobs, I think the door was just a bit ajar.
 > 
 > There must be a metaphor in there somewhere.
 > 
 > On June 21, 2022 at 10:01 mpal...@hezmatt.org (Matt Palmer) wrote:
 > 
 > On Mon, Jun 20, 2022 at 02:18:30AM +, Mel Beckman wrote:
 > 
 > When researchers, or whoever, claim their scanning is an altruistic
 > service,
 > I ask them if they would mind someone coming to their home and
 > trying to
 > open all the doors and windows every night.
 > 
 > 
 > If there were a few hundred people with nefarious intent trying to 
 > open
 > your
 > doors and windows every night, someone doing the same thing with
 > altruistic
 > intent might not be such a bad thing.
 > 
 > - Matt
 > 
 > 
 > --
 >-Barry Shein
 > 
 > Software Tool & Die| b...@theworld.com | http://www.TheWorld.com
 > Purveyors to the Trade | Voice: +1 617-STD-WRLD   | 800-THE-WRLD
 > The World: Since 1989  | A Public Information Utility | *oo*
 > 
 > 

-- 
-Barry Shein

Software Tool & Die| b...@theworld.com | 

Re: Scanning the Internet for Vulnerabilities

2022-06-22 Thread Fernando Gont

Hi,

While it's possible to have a discussion on the topic, I think that the 
only safe bet is that, when connected to the Internet, you'll definitely 
be subject to scanning.


I doubt there's much you want to do at a SOC about it unless it's a 
recurring situation involving a somewhat big traffic load -- in which 
case, you'd probably handle it as you'd do with a DoS attack.


Scans of one sort or another happen way too often to bother (or to afford 
to bother, if you wish) -- for instance, just a few days ago I was 
setting up an imap server, and happened to find the service being 
scanned by censys in terms of hours. For regular mass scans, you can 
normally block them proactively, via a number of feeds (abuseipdb, 
dshield, and others), if you find them a nuisance or don't want to 
show up in the scanner's results.


As for targeted scans, the only safe bet is that you *will* be 
targeted.  So... keep the windows and doors locked. And, better, check 
if they actually are locked regularly.


Thanks,
Fernando




On 22/6/22 01:04, b...@theworld.com wrote:


When I lock the doors etc to my home I'll often mutter "ya know, if
someone is rattling my door knob I already have a big problem."

I suppose when I'm home it might give me a warning if I hear it.

There must be a metaphor in there somewhere.

I do recall as a teen noticing that one of the closed stores on the
main drag's door was unlocked late one night walking home (this was in
NYC.)

I saw a cop and told him and he scolded me angrily for rattling door
knobs, I could be arrested for that! But verified it, looked around
inside with his flashlight, and called it in.

I forget how I noticed but I wasn't in the habit of rattling stores'
door knobs, I think the door was just a bit ajar.

There must be a metaphor in there somewhere.

On June 21, 2022 at 10:01 mpal...@hezmatt.org (Matt Palmer) wrote:
  > On Mon, Jun 20, 2022 at 02:18:30AM +, Mel Beckman wrote:
  > > When researchers, or whoever, claim their scanning is an altruistic service,
  > > I ask them if they would mind someone coming to their home and trying to
  > > open all the doors and windows every night.
  >
  > If there were a few hundred people with nefarious intent trying to open your
  > doors and windows every night, someone doing the same thing with altruistic
  > intent might not be such a bad thing.
  >
  > - Matt



--
Fernando Gont
SI6 Networks
e-mail: fg...@si6networks.com
PGP Fingerprint:  31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492


Re: Scanning the Internet for Vulnerabilities

2022-06-22 Thread John Curran
Barry - 

There is indeed a metaphor to your “rattling doorknobs", but it’s not pretty 
when it comes to the Internet…   

If you call the police because someone is creeping around your property 
checking doors and windows for 
possible entry, then they will indeed come out and attempt to arrest the 
perpetrator (I am most certainly 
not a lawyer, but as I understand it even the act of opening an unlocked window 
or door is sufficient in many 
jurisdictions to satisfy the “breaking the seal of the property” premise and 
warrant charging under breaking 
and entering statutes.)

Now welcome to the Internet…  paint all your windows black, remove all lighting 
save for one small bulb
over your front entry.   Sit back and enjoy the continuous sounds of rattling 
doorknobs and scratching at 
the windows.

If/when you find a digital culprit creeping around inside the home, your best 
option is burn down the place 
and start anew with the copies you keep offsite in storage elsewhere.   
Similarly if you find a “trap” (e.g., 
a phishing email) placed on your patio or amongst your mail… discard such 
cautiously and hope your 
kids use equal care. 

“Best practice” for handling these situations on the Internet is effectively to 
cope as best you can despite
being inundated with attempts – i.e. most Internet security professionals and 
law enforcement will tell you
that the idea of actually trying to identify and stop any of the culprits 
involved is considered rather quaint
at best – i.e. we’re instead going to engage in the world's longest running game 
of “whack-a-mole” by just
blocking their last known website/mail server/botnet and then wishing for the 
best…  

Enjoy your Internet! 
/John

Disclaimers:  My views alone - use, reuse, or discard as desired.   
  This message made of 100% recycled electrons. 

> On 22 Jun 2022, at 12:04 AM, b...@theworld.com wrote:
> 
> 
> When I lock the doors etc to my home I'll often mutter "ya know, if
> someone is rattling my door knob I already have a big problem."
> 
> I suppose when I'm home it might give me a warning if I hear it.
> 
> There must be a metaphor in there somewhere.
> 
> I do recall as a teen noticing that one of the closed stores on the
> main drag's door was unlocked late one night walking home (this was in
> NYC.)
> 
> I saw a cop and told him and he scolded me angrily for rattling door
> knobs, I could be arrested for that! But verified it, looked around
> inside with his flashlight, and called it in.
> 
> I forget how I noticed but I wasn't in the habit of rattling stores'
> door knobs, I think the door was just a bit ajar.
> 
> There must be a metaphor in there somewhere.
> 
> On June 21, 2022 at 10:01 mpal...@hezmatt.org (Matt Palmer) wrote:
>> On Mon, Jun 20, 2022 at 02:18:30AM +, Mel Beckman wrote:
>>> When researchers, or whoever, claim their scanning is an altruistic service,
>>> I ask them if they would mind someone coming to their home and trying to
>>> open all the doors and windows every night.
>> 
>> If there were a few hundred people with nefarious intent trying to open your
>> doors and windows every night, someone doing the same thing with altruistic
>> intent might not be such a bad thing.
>> 
>> - Matt
> 
> -- 
>-Barry Shein
> 
> Software Tool & Die| b...@theworld.com | 
> http://www.TheWorld.com
> Purveyors to the Trade | Voice: +1 617-STD-WRLD   | 800-THE-WRLD
> The World: Since 1989  | A Public Information Utility | *oo*



Re: Scanning the Internet for Vulnerabilities

2022-06-21 Thread bzs


When I lock the doors etc to my home I'll often mutter "ya know, if
someone is rattling my door knob I already have a big problem."

I suppose when I'm home it might give me a warning if I hear it.

There must be a metaphor in there somewhere.

I do recall as a teen noticing that one of the closed stores on the
main drag's door was unlocked late one night walking home (this was in
NYC.)

I saw a cop and told him and he scolded me angrily for rattling door
knobs, I could be arrested for that! But verified it, looked around
inside with his flashlight, and called it in.

I forget how I noticed but I wasn't in the habit of rattling stores'
door knobs, I think the door was just a bit ajar.

There must be a metaphor in there somewhere.

On June 21, 2022 at 10:01 mpal...@hezmatt.org (Matt Palmer) wrote:
 > On Mon, Jun 20, 2022 at 02:18:30AM +, Mel Beckman wrote:
 > > When researchers, or whoever, claim their scanning is an altruistic service,
 > > I ask them if they would mind someone coming to their home and trying to
 > > open all the doors and windows every night.
 > 
 > If there were a few hundred people with nefarious intent trying to open your
 > doors and windows every night, someone doing the same thing with altruistic
 > intent might not be such a bad thing.
 > 
 > - Matt

-- 
-Barry Shein

Software Tool & Die| b...@theworld.com | http://www.TheWorld.com
Purveyors to the Trade | Voice: +1 617-STD-WRLD   | 800-THE-WRLD
The World: Since 1989  | A Public Information Utility | *oo*


Re: Scanning the Internet for Vulnerabilities

2022-06-21 Thread bzs


On June 20, 2022 at 18:01 jhellent...@dataix.net (J. Hellenthal) wrote:
 > 
 > To what extent and to whom will you authorize to do that? 100 random college 
 > students? X number of new security firms? At some point it will break.

Define "authorize".

 > 
 > -- 
 >  J. Hellenthal
 > 
 > The fact that there's a highway to Hell but only a stairway to Heaven says a 
 > lot about anticipated traffic volume.
 > 
 > > On Jun 20, 2022, at 17:04, b...@theworld.com wrote:
 > > 
 > > 
 > > It seems to me there's vulnerability testing and there's vulnerability
 > > testing and just lumping them all together motivates disparate
 > > opinions.
 > > 
 > > For example it's one thing to perhaps see if home routers
 > > login/passwords are admin/admin or similar, or if systems seem to be
 > > vuln to easily exploitable bugs and reporting such problems to someone
 > > in charge versus, say, hammering at some network to see when/if DDoS
 > > mitigation kicks in.
 > > 
 > > For example I've gotten email in the past that some of my servers were
 > > running ntp in a way which makes them vuln to being used for DDoS
 > > amplification and, I believe, fixed that. I didn't mind.
 > > 
 > > Anyhow, you all probably get my point without further hypotheticals or
 > > examples.
 > > 
 > > Scanning for known vulns and reporting can be ok, testing to
 > > destruction? Not so much.
 > > 
 > > -- 
 > >-Barry Shein
 > > 
 > > Software Tool & Die| b...@theworld.com | 
 > > http://www.TheWorld.com
 > > Purveyors to the Trade | Voice: +1 617-STD-WRLD   | 800-THE-WRLD
 > > The World: Since 1989  | A Public Information Utility | *oo*

-- 
-Barry Shein

Software Tool & Die| b...@theworld.com | http://www.TheWorld.com
Purveyors to the Trade | Voice: +1 617-STD-WRLD   | 800-THE-WRLD
The World: Since 1989  | A Public Information Utility | *oo*


Re: Scanning the Internet for Vulnerabilities

2022-06-21 Thread Daniel Seagraves


> On Jun 20, 2022, at 10:02 AM, Michael Butler via NANOG  
> wrote:
> 
> I treat these folk with the same respect they afford me. Not once in 30 years 
> of having a connected network (v4 or v6) has any entity asked "is it OK if we 
> .. ?".

Quite the opposite, I once had to endure significant frustration in contacting 
the organization running a system that kept emailing my abuse contacts about a 
historical computer I maintained, advising me that my “Insecure CISCO Router” 
was still accepting “dangerous" telnet connections despite the host’s banner 
including the text “This system is not a router; The availability of telnet 
access to this system is intentional.”

If you are engaging in mass scanning and are not going to listen to the targets 
of your scanning please at least pay attention to your results.




Re: Scanning the Internet for Vulnerabilities

2022-06-21 Thread Fernando Gont

Hi, Ronald,

On 21/6/22 03:53, Ronald F. Guilmette wrote:

In message <7c5f9d80-8686-07bb-b6ed-6e41fa1e1...@si6networks.com>,
Fernando Gont  wrote:


Note: What's most usually done out there is scanning for ports, rather
than for vulnerabilities.


Yes, and at least some of the responses in this thread have not, I think,
noted this rather important distinction.


Agreed.



For my part I intended to ask specifically about attitudes towards scanning
for actual vulnerabilities, e.g. those that have been assigned CVE numbers.


Please note that in most of these cases, "vulnerability scanning" is, 
for the most part, simply banner-grabbing, with some off-line comparison 
against a CVE database -- with banner-grabbing being at times simply the 
result of completing the TCP three-way handshake (i.e., something that 
would happen anyway, unless doing non-connect() scans). IOW, you 
probably cannot even tell if you're being subject to a port-scan or a 
"vulnerability scan" of this type.


Then there are other cases where the scans are way more intrusive, such 
as e.g. scanning for SQL injection in web applications, or, e.g., 
simply scanning for the vulnerability by trying to exploit it. I'd probably 
be concerned about these sorts of "scans", but not about 
port-scans/banner-grabbing.





Depending on who is doing it, and why, my personal feeling is that even
here in 2022 this should still be viewed as being exceptionally anti-social,
and worthy of calling out publicly, but I must allow for the possibility
that my personal views on this may be antiquated and out of step with current
prevailing norms and attitudes.


Aside from what I've noted above, and without really taking a stance on 
whether what you note might or might not make sense, I'd probably argue 
that the folks that one should probably be most concerned about would 
probably run the scans from VMs they probably paid for with cryptocurrency. 
 The attacks would probably be non-trivial to attribute, and if you 
manage to get their provider to take their VMs off-line, they would 
probably simply buy a new one. -- not that I like it, but... "it is what 
it is".


Thanks,
--
Fernando Gont
SI6 Networks
e-mail: fg...@si6networks.com
PGP Fingerprint:  31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492


Re: Scanning the Internet for Vulnerabilities

2022-06-21 Thread Fernando Gont

Hi, Ronald,

On 19/6/22 07:13, Ronald F. Guilmette wrote:

I would like to solicit the opinions of network operators on the practice
of scanning all of, or large chunks of the internet for known vulnerabilities.


Note: What's most usually done out there is scanning for ports, rather 
than for vulnerabilities.


That said, as noted by others, port scans are kind of part of the 
ecosystem.


A vast number of them can be blocked proactively by e.g., feeding 
block-lists (e.g. abuseipdb's) dynamically into your firewalls' rulesets.




In earlier times, this was generally viewed as being distinctly anti-social
behavior, but perhaps attitudes have changed relative to earlier eras.
I would thus like to know how people feel about it now, in 2022.


At the end of the day, the folks you should most likely be concerned 
about are the folks that won't even care about whether this is unsocial 
behavior.


For low-volume traffic, you can probably filter it out as discussed 
above, and, other than the possible noise, the scans shouldn't cause 
harm anyway (and if e.g. an IPv6 host scan is causing you neighbor-cache 
exhaustion problems... that's an issue you need to deal with, anyway).


What's left probably falls into the DoS-like category... but is normally 
more targeted than sent to random networks/whole Internet.


Thanks,
--
Fernando Gont
SI6 Networks
e-mail: fg...@si6networks.com
PGP Fingerprint:  31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492

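Fernando's suggestion, here and in his 2022-06-22 reply, is to feed scanner block-lists (abuseipdb, dshield and the like) into the firewall proactively. The script below is an added example and not code from the thread or from any of those feeds: SAMPLE_FEED is a constructed sample in a made-up one-entry-per-line format, and the nftables table and set names are assumptions (it expects a set declared with `type ipv4_addr; flags interval;` and a rule such as `ip saddr @scanners drop` referencing it). The part worth copying is what it refuses to load: a careless feed line can black-hole your own users faster than any scanner can hurt you.

```python
"""Load a scanner block-list feed into an nftables set, refusing dangerous entries.

Added example, not Fernando's code and not the format of abuseipdb, dshield
or any real feed. SAMPLE_FEED is constructed; table/set names are assumed.
"""
from __future__ import annotations

import ipaddress
import sys

IPv4Net = ipaddress.IPv4Network

# Constructed sample feed: one address or prefix per line, '#' starts a comment.
SAMPLE_FEED = """\
# scanner feed (constructed sample, not real data)
198.51.100.7
198.51.100.7            # duplicate
203.0.113.0/24
203.0.113.5             # already covered by the /24 above
192.0.2.16/28
not-an-address          # junk the fetcher should survive, not die on
10.0.0.1                # RFC 1918: a feed must never push this into an edge filter
0.0.0.0/0               # a careless entry that would black-hole everything
"""

# Ranges a feed must never make us block; any entry overlapping these is rejected.
NEVER_BLOCK = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "255.255.255.255/32",
)]
MIN_PREFIXLEN = 8  # no feed has a legitimate reason to hand us anything shorter than a /8


def parse_feed(text: str) -> tuple[list[IPv4Net], list[str]]:
    """Return (accepted networks, rejected entries); accepted is deduplicated and collapsed."""
    accepted: list[IPv4Net] = []
    rejected: list[str] = []
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].strip()
        if not entry:
            continue
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            rejected.append(entry)
            continue
        if (net.version != 4 or net.prefixlen < MIN_PREFIXLEN
                or any(net.overlaps(nb) for nb in NEVER_BLOCK)):
            rejected.append(entry)
            continue
        accepted.append(net)
    # collapse_addresses drops duplicates and prefixes already covered by a larger one
    return list(ipaddress.collapse_addresses(accepted)), rejected


def render_nft(nets: list[IPv4Net], table: str = "inet filter", set_name: str = "scanners") -> str:
    """Emit an nft script; 'nft -f' applies flush + add as one transaction, so the set is never empty mid-update."""
    elems = ", ".join(str(n.network_address) if n.prefixlen == 32 else str(n) for n in nets)
    script = f"flush set {table} {set_name}\n"
    if elems:
        script += f"add element {table} {set_name} {{ {elems} }}\n"
    return script


if __name__ == "__main__":
    # usage: python feed2nft.py [feed-file] | nft -f -   (no file: uses the constructed sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_FEED
    nets, bad = parse_feed(text)
    for entry in bad:
        print(f"rejected: {entry}", file=sys.stderr)
    sys.stdout.write(render_nft(nets))
```

Run on the sample, the script keeps three entries (192.0.2.16/28, 198.51.100.7, 203.0.113.0/24), merges the duplicate and the covered /32 into the /24, and rejects the junk line, the RFC 1918 address and the /0. Rejected entries go to stderr so a cron job's mail shows you when a feed starts misbehaving.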

Re: Scanning the Internet for Vulnerabilities

2022-06-21 Thread Ronald F. Guilmette
In message <4e6319ba-d332-f25e-d128-1b8abc724...@si6networks.com>, 
Fernando Gont  wrote:

>> Depending on who is doing it, and why, my personal feeling is that even
>> here in 2022 this should still be viewed as being exceptionally anti-social,
>> and worthy of calling out publicly, but I must allow for the possibility
>> that my personal views on this may be antiquated and out of step with current
>> prevailing norms and attitudes.
>
>Aside from what I've noted above, and without really taking a stance on 
>whether what you note might or might not make sense, I'd probably argue 
>that, the folks that one should probably be most concerned about would 
>probably run the scans from VMs they probably paid with cryptocurrency. 
>  The attacks would probably be non-trivial to attribute...

Yes, to all of the above.

But there are always exceptions. :-)


Regards,
rfg


Re: Scanning the Internet for Vulnerabilities

2022-06-21 Thread Ronald F. Guilmette
In message <7c5f9d80-8686-07bb-b6ed-6e41fa1e1...@si6networks.com>, 
Fernando Gont  wrote:

>Note: What's most usually done out there is scanning for ports, rather 
>than for vulnerabilities.

Yes, and at least some of the responses in this thread have not, I think,
noted this rather important distinction.

For my part I intended to ask specifically about attitudes towards scanning
for actual vulnerabilities, e.g. those that have been assigned CVE numbers.

Depending on who is doing it, and why, my personal feeling is that even
here in 2022 this should still be viewed as being exceptionally anti-social,
and worthy of calling out publicly, but I must allow for the possibility
that my personal views on this may be antiquated and out of step with current
prevailing norms and attitudes.


Regards,
rfg


Re: Scanning the Internet for Vulnerabilities

2022-06-20 Thread Randy Bush
> To what extent and to whom will you authorize to do that? 100 random
> college students? X number of new security firms? At some point it
> will break.

definitely not raging nanog vigilantes :)

randy


Re: Scanning the Internet for Vulnerabilities

2022-06-20 Thread Randy Bush
> For example I've gotten email in the past that some of my servers were
> running ntp in a way which makes them vuln to being used for DDoS
> amplification and, I believe, fixed that. I didn't mind.

that was a really well done campaign.  i thanked them profusely.

randy


Re: Scanning the Internet for Vulnerabilities

2022-06-20 Thread Joe Maimon




Matt Palmer wrote:

On Mon, Jun 20, 2022 at 02:18:30AM +, Mel Beckman wrote:

When researchers, or whoever, claim their scanning is an altruistic service,
I ask them if they would mind someone coming to their home and trying to
open all the doors and windows every night.

If there were a few hundred people with nefarious intent trying to open your
doors and windows every night, someone doing the same thing with altruistic
intent might not be such a bad thing.

- Matt



Y'all seem to be saying the same thing.

So long as it blends into the general IPv4 background radiation, all good.

Joe


Re: Scanning the Internet for Vulnerabilities

2022-06-20 Thread Matt Palmer
On Mon, Jun 20, 2022 at 02:18:30AM +, Mel Beckman wrote:
> When researchers, or whoever, claim their scanning is an altruistic service,
> I ask them if they would mind someone coming to their home and trying to
> open all the doors and windows every night.

If there were a few hundred people with nefarious intent trying to open your
doors and windows every night, someone doing the same thing with altruistic
intent might not be such a bad thing.

- Matt



Re: Scanning the Internet for Vulnerabilities

2022-06-20 Thread J. Hellenthal via NANOG


To what extent and to whom will you authorize to do that? 100 random college 
students? X number of new security firms? At some point it will break.

-- 
 J. Hellenthal

The fact that there's a highway to Hell but only a stairway to Heaven says a 
lot about anticipated traffic volume.

> On Jun 20, 2022, at 17:04, b...@theworld.com wrote:
> 
> 
> It seems to me there's vulnerability testing and there's vulnerability
> testing and just lumping them all together motivates disparate
> opinions.
> 
> For example it's one thing to perhaps see if home routers
> login/passwords are admin/admin or similar, or if systems seem to be
> vuln to easily exploitable bugs and reporting such problems to someone
> in charge versus, say, hammering at some network to see when/if DDoS
> mitigation kicks in.
> 
> For example I've gotten email in the past that some of my servers were
> running ntp in a way which makes them vuln to being used for DDoS
> amplification and, I believe, fixed that. I didn't mind.
> 
> Anyhow, you all probably get my point without further hypotheticals or
> examples.
> 
> Scanning for known vulns and reporting can be ok, testing to
> destruction? Not so much.
> 
> -- 
>-Barry Shein
> 
> Software Tool & Die| b...@theworld.com | 
> http://www.TheWorld.com
> Purveyors to the Trade | Voice: +1 617-STD-WRLD   | 800-THE-WRLD
> The World: Since 1989  | A Public Information Utility | *oo*


Re: Scanning the Internet for Vulnerabilities

2022-06-20 Thread Robert L Mathews

On 6/20/22 12:24 PM, Matthew Craig wrote:
The intent behind vulnerability scans is good, however the majority of 
DOS attacks that my networks encounter these days are from cybersecurity 
organizations conducting cybersecurity research.


Yeah. The unwritten rule of this is "if you're going to do it, do it 
gently enough that the person receiving it doesn't notice".


If the load average on my server goes up by 20 because you've opened 20 
simultaneous HTTP connections and you're sending nonstop requests on all 
of them for thousands of random filenames that don't exist (but which 
each cause a PHP script to run), I'm not going to appreciate it.


Same if you send tens of thousands of TCP SYNs a second so you can 
quickly scan all possible ports of hundreds of IP addresses.


If I don't even notice it, though, I'm unlikely to be bothered to object 
to it.


--
Robert L Mathews

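Two points from this thread in one added example (not code from any of the posts): Fernando's note in his 2022-06-21 reply that a banner-grabbing "vulnerability scan" is indistinguishable on the wire from a port scan unless the scanner sends something after the handshake, and Robert's point above that what turns a scan into a problem is rate. The script classifies each remote source from connection records as a half-open (non-connect()) sweep, a connect()/banner-grab sweep, or a payload-bearing probe, and measures its busiest second. The record format, addresses, ports, byte counts and thresholds are all constructed for the example; the thresholds in particular are knobs to tune per network, not recommendations.

```python
"""Tell half-open sweeps, connect()/banner-grab sweeps and payload probes apart
from connection records, and measure how hard each source hits.

Added example, not code from the NANOG thread. The record format and every
address, port and byte count are constructed; thresholds are assumptions.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Conn:
    ts: float          # epoch seconds of the first packet
    src: str           # remote address
    dport: int         # local port touched
    established: bool  # did the three-way handshake complete?
    client_bytes: int  # payload the remote side sent after the handshake
    server_bytes: int  # payload we sent (typically a banner we volunteered)


@dataclass(frozen=True)
class Verdict:
    kind: str             # "no-scan", "syn-scan", "connect-scan" or "payload-probe"
    ports: int            # distinct local ports touched
    established: int      # completed handshakes
    peak_per_second: int  # connections in the busiest one-second bucket
    aggressive: bool      # peak_per_second >= rate_threshold


def parse_line(line: str) -> Conn | None:
    """Parse 'ts src dport est client_bytes server_bytes' (constructed format); None for blank/comment."""
    fields = line.split("#", 1)[0].split()
    if len(fields) != 6:
        return None
    ts, src, dport, est, cbytes, sbytes = fields
    return Conn(float(ts), src, int(dport), est == "1", int(cbytes), int(sbytes))


def classify(conns, port_threshold: int = 10, rate_threshold: int = 1000) -> dict[str, Verdict]:
    by_src = defaultdict(list)
    for c in conns:
        by_src[c.src].append(c)
    verdicts = {}
    for src, recs in by_src.items():
        ports = {c.dport for c in recs}
        done = [c for c in recs if c.established]
        buckets = defaultdict(int)
        for c in recs:
            buckets[int(c.ts)] += 1
        peak = max(buckets.values())
        if len(ports) < port_threshold:
            kind = "no-scan"        # few ports: a client or a targeted probe, not a sweep
        elif not done:
            kind = "syn-scan"       # SYNs only: a non-connect() scan, nothing above layer 4
        elif all(c.client_bytes == 0 for c in done):
            kind = "connect-scan"   # handshakes completed, remote sent nothing: whatever banner
                                    # we volunteered is all a "vulnerability scan" of this kind gets
        else:
            kind = "payload-probe"  # remote pushed data into the service: the intrusive kind
        verdicts[src] = Verdict(kind, len(ports), len(done), peak, peak >= rate_threshold)
    return verdicts


def analyse(text: str, **thresholds) -> dict[str, Verdict]:
    conns = [c for c in (parse_line(line) for line in text.splitlines()) if c]
    return classify(conns, **thresholds)


def make_sample_log(base: float = 1655856000.0) -> str:
    """Constructed records for four sources (addresses from documentation ranges)."""
    lines = ["# ts src dport est client_bytes server_bytes   (constructed sample)"]
    # A: 40 ports in 20 ms, no handshake ever completes: a fast half-open sweep
    for i in range(1, 41):
        lines.append(f"{base + i * 0.0005:.4f} 198.51.100.7 {i} 0 0 0")
    # B: 16 service ports, one every 250 ms, handshake completes, remote stays silent;
    #    we hand over banners on the ports that greet first (sizes made up)
    banner = {21: 42, 22: 39, 25: 56, 110: 27, 143: 83}
    for i, p in enumerate([21, 22, 23, 25, 53, 80, 110, 143, 443, 465, 587, 993, 995, 3306, 5432, 8080]):
        lines.append(f"{base + i * 0.25:.4f} 203.0.113.9 {p} 1 0 {banner.get(p, 0)}")
    # C: 12 web-ish ports, each receives a ~350-byte request: a payload-bearing probe
    for i, p in enumerate([80, 443, 8000, 8008, 8080, 8081, 8443, 8888, 9000, 9090, 9200, 9443]):
        lines.append(f"{base + i * 0.1:.4f} 192.0.2.33 {p} 1 350 512")
    # D: an ordinary client: three HTTPS sessions
    for i in range(3):
        lines.append(f"{base + i:.4f} 192.0.2.200 443 1 1200 9000")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for src, v in analyse(make_sample_log(), rate_threshold=30).items():
        flag = " AGGRESSIVE" if v.aggressive else ""
        print(f"{src:16} {v.kind:14} ports={v.ports:3} est={v.established:3} peak/s={v.peak_per_second}{flag}")
```

Against the sample, only the half-open sweep trips the (deliberately low) rate threshold; the connect-scan source completes every handshake and collects whatever banners the services volunteer without ever sending a byte, which is exactly why it cannot be told apart from a port scan by looking at the remote side's traffic alone. Server-side bytes are kept in the record so you can also see how much each service is giving away unprompted.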

Re: Scanning the Internet for Vulnerabilities

2022-06-20 Thread bzs


It seems to me there's vulnerability testing and there's vulnerability
testing and just lumping them all together motivates disparate
opinions.

For example it's one thing to perhaps see if home routers
login/passwords are admin/admin or similar, or if systems seem to be
vuln to easily exploitable bugs and reporting such problems to someone
in charge versus, say, hammering at some network to see when/if DDoS
mitigation kicks in.

For example I've gotten email in the past that some of my servers were
running ntp in a way which makes them vuln to being used for DDoS
amplification and, I believe, fixed that. I didn't mind.

Anyhow, you all probably get my point without further hypotheticals or
examples.

Scanning for known vulns and reporting can be ok, testing to
destruction? Not so much.

-- 
-Barry Shein

Software Tool & Die| b...@theworld.com | http://www.TheWorld.com
Purveyors to the Trade | Voice: +1 617-STD-WRLD   | 800-THE-WRLD
The World: Since 1989  | A Public Information Utility | *oo*


Re: Scanning the Internet for Vulnerabilities

2022-06-20 Thread Carsten Bormann
On 2022-06-20, at 23:02, Mel Beckman  wrote:
> 
> Carsten,
> 
> The discussion is not getting far afield: it’s on point. And it’s a hugely 
> germane topic for network operators. 
> 
> Regarding your claim “You consented to receiving packets when connecting to 
> the Internet“, I counter with what is in virtually every ISP’s AUP for 
> customers: Unauthorized port scanning is expressly prohibited. 

Of course they don’t want their customers to do that.
(They might find out that the ISP is cooking with water…)
I’m not your customer, though.

> I strongly suspect that this is probably also a violation of the U.S. 
> Computer Abuse and Fraud Act, which criminalizes anyone who “Intentionally 
> accesses a computer without authorization or exceeds authorized access, and 
> thereby obtains … information from any protected computer.” A great many VA 
> plug-ins attempt to — and often do — extract information they’re not 
> authorized to. 

You would think so, but then it turns out the CFAA is not actually being 
policed in the way you think it should be.

(The whole thing is a bit of a “Soviet law" situation, where everyone is 
routinely doing things that could theoretically be criminalized, but aren’t, 
except when some thug is exceptionally interested in doing so and can thus 
abuse the law to exert unreasonable power over you.)

So CFAA is more a case of us logical people trying to interpret a law that 
clearly is not subject to applying logic.

In any case, I’d argue I’m implicitly authorized by your having opened to my 
access the port I’m probing — the computer simply isn’t “protected”.

.oOo.

I can understand very well that everyone here is allergic to the large-scale 
scanners (most of which are done in a spectacularly stupid way) that are 
loading our servers.  That problem is not being solved by banning 
well-thought-out academic research; you wouldn’t be able to note the difference 
if that stopped.

(Oh, and, as a service, our ISP scans our ports and looks for vulns, which is a 
good service so we don’t have to do this as much for systems set up by our 
students.)

Grüße, Carsten



Re: Scanning the Internet for Vulnerabilities

2022-06-20 Thread Mel Beckman
Carsten,

The discussion is not getting far afield: it’s on point. And it’s a hugely 
germane topic for network operators. 

Regarding your claim “You consented to receiving packets when connecting to the 
Internet“, I counter with what is in virtually every ISP’s AUP for customers: 
Unauthorized port scanning is expressly prohibited. 

In fact, when I Google that precise phrase along with “Acceptable Use Policy” I 
get thousands of hits. 

I strongly suspect that this is probably also a violation of the U.S. Computer 
Abuse and Fraud Act, which criminalizes anyone who “Intentionally accesses a 
computer without authorization or exceeds authorized access, and thereby 
obtains … information from any protected computer.” A great many VA plug-ins 
attempt to — and often do — extract information they’re not authorized to. 

-mel

> On Jun 20, 2022, at 1:11 PM, Carsten Bormann  wrote:
> 
> On 2022-06-20, at 19:36, goemon--- via NANOG  wrote:
>> 
>> On Mon, 20 Jun 2022, Carsten Bormann wrote:
> On 2022-06-20, at 14:14, J. Hellenthal  wrote:
> Yeah that's another thing, "research" cause you need to learn it let's 
> have them do it too, multiply that by every university \o/
>>> there was some actual research involved.
>>> 
>>> I agree that there should be a very good reason to expend a tiny bit of 
>>> everyone’s resources on this.
>>> 
>>> I do not agree that this externality makes any research in this space 
>>> unethical.
>> 
>> Consent is what makes it unethical.
> 
> You consented to receiving packets by connecting to the Internet.
> 
> Now there is a limit to that consent (e.g., when these packets have an actual 
> material negative effect), and here we enter an area where all simple 
> schematic approaches fail — you really have to think about outcomes instead 
> of expounding fundamentalist stances.
> 
>>> You signed up for this when you joined the Internet (er, stuck with the 
>>> IPv4 Internet, I should probably say).
>> 
>> "If you don't like the unsolicited email, just hit delete" ?
>> 
>> How about ... NO.
> 
> How about: It’s really hard to properly apply analogies.
> 
> Unsolicited email wastes people’s time, and actually a lot of that.
> (Responsibly performed) packet probes waste machine time, and very little so.
> (If you are wasting human time on packet probes, you are holding it wrong.)
> Totally different outcome, and hence totally different ethics.
> 
> This “discussion" is getting a bit off-topic.
> 
> Grüße, Carsten
> 


Re: Scanning the Internet for Vulnerabilities

2022-06-20 Thread Carsten Bormann
On 2022-06-20, at 19:36, goemon--- via NANOG  wrote:
> 
> On Mon, 20 Jun 2022, Carsten Bormann wrote:
>>> On 2022-06-20, at 14:14, J. Hellenthal  wrote:
>>> Yeah that's another thing, "research" cause you need to learn it let's have 
>>> them do it too, multiply that by every university \o/
>> there was some actual research involved.
>> 
>> I agree that there should be a very good reason to expend a tiny bit of 
>> everyone’s resources on this.
>> 
>> I do not agree that this externality makes any research in this space 
>> unethical.
> 
> Consent is what makes it unethical.

You consented to receiving packets by connecting to the Internet.

Now there is a limit to that consent (e.g., when these packets have an actual 
material negative effect), and here we enter an area where all simple schematic 
approaches fail — you really have to think about outcomes instead of expounding 
fundamentalist stances.

>> You signed up for this when you joined the Internet (er, stuck with the IPv4 
>> Internet, I should probably say).
> 
> "If you don't like the unsolicited email, just hit delete" ?
> 
> How about ... NO.

How about: It’s really hard to properly apply analogies.

Unsolicited email wastes people’s time, and actually a lot of that.
(Responsibly performed) packet probes waste machine time, and very little so.
(If you are wasting human time on packet probes, you are holding it wrong.)
Totally different outcome, and hence totally different ethics.

This “discussion" is getting a bit off-topic.

Grüße, Carsten



Re: Scanning the Internet for Vulnerabilities

2022-06-20 Thread nanog08
Hey - I have a neat new idea...  Let's test the structure of levees by 
flooding the rivers and seeing what levees don't survive.


Geoff


On 6/20/22 07:46, Mel Beckman wrote:

Carsten,

No, it’s more like 50,000 furnace guys who show up several times a 
day to rattle doorknobs, attempt to push slim jims into window 
latches, hack your garage door opener, sneak into your back garden, 
and fly drones around your home to see what valuables you might have. 
Yes, some of them are altruistic, but some are self-righteous 
officious boobs, and the vast majority are career criminals that will 
rob your house, drain your retirement account, and kill your family 
with a spoofed SWAT raid.


-mel beckman


On Jun 20, 2022, at 4:20 AM, Carsten Bormann  wrote:
On 2022-06-20, at 04:18, Mel Beckman  wrote:
When researchers, or whoever, claim their scanning an altruistic 
service, I ask them if they would mind someone coming to their home 
and trying to open all the doors and windows every night.
Well, it is more like the guy who comes once a year and checks that 
your central heating is not going to blow up.


(Disclaimer: I have supervised students who designed and executed 
benign mass-scans of the IPv4 Internet in order to validate 
hypotheses about market penetration of certain security updates, and 
I definitely would do that again if there is a good reason to perform 
such a scan.)


Grüße, Carsten





Re: Scanning the Internet for Vulnerabilities

2022-06-20 Thread Mel Beckman
Randy,

Great idea! And bill the taxpayers!

-mel via cell

> On Jun 20, 2022, at 11:55 AM, Randy Bush  wrote:
> 
> 
>> 
>> I treat these folk with the same respect they afford me. Not once in
>> 30 years of having a connected network (v4 or v6) has any entity asked
>> "is it OK if we .. ?".
> 
> how strange, considering you are replying to a thread doing so.
> 
> fwiw, i appreciate vuln scanners.  i do not have the hubris or tools to
> think i run a flawless network or servers.
> 
> randy


Re: Scanning the Internet for Vulnerabilities

2022-06-20 Thread Matthew Craig

The intent behind vulnerability scans is good, however the majority of DOS 
attacks that my networks encounter these days are from cybersecurity 
organizations conducting cybersecurity research.

Funding requests for DOS mitigation solutions to protect my networks from 
cybersecurity researchers are not taken seriously.




-
Matt


On Jun 20, 2022, at 12:55 PM, Randy Bush wrote:


>> I treat these folk with the same respect they afford me. Not once in
>> 30 years of having a connected network (v4 or v6) has any entity asked
>> "is it OK if we .. ?".
>
> how strange, considering you are replying to a thread doing so.
>
> fwiw, i appreciate vuln scanners.  i do not have the hubris or tools to
> think i run a flawless network or servers.
>
> randy




Re: Scanning the Internet for Vulnerabilities

2022-06-20 Thread Randy Bush
> I treat these folk with the same respect they afford me. Not once in
> 30 years of having a connected network (v4 or v6) has any entity asked
> "is it OK if we .. ?".

how strange, considering you are replying to a thread doing so.

fwiw, i appreciate vuln scanners.  i do not have the hubris or tools to
think i run a flawless network or servers.

randy


Re: Scanning the Internet for Vulnerabilities

2022-06-20 Thread goemon--- via NANOG

On Mon, 20 Jun 2022, Carsten Bormann wrote:

>> On 2022-06-20, at 14:14, J. Hellenthal wrote:
>> Yeah that's another thing, "research" cause you need to learn it let's have
>> them do it too, multiply that by every university \o/
>
> there was some actual research involved.
>
> I agree that there should be a very good reason to expend a tiny bit of
> everyone’s resources on this.
>
> I do not agree that this externality makes any research in this space unethical.

Consent is what makes it unethical.

> You signed up for this when you joined the Internet (er, stuck with the IPv4
> Internet, I should probably say).

"If you don't like the unsolicited email, just hit delete" ?

How about ... NO.

-Dan


Re: Scanning the Internet for Vulnerabilities

2022-06-20 Thread J. Hellenthal via NANOG
On Mon, Jun 20, 2022 at 11:02:25AM -0400, Michael Butler via NANOG wrote:
> I treat these folk with the same respect they afford me. Not once in 30
> years of having a connected network (v4 or v6) has any entity asked "is it
> OK if we .. ?".
> 
> To my mind, it seems rather idiotic and self-defeating to have the plumbing
> congested with packets intended to measure congestion :-(
> 
>   Michael

Well put!

> 
> On 6/20/22 09:46, Mel Beckman wrote:
> > Carsten,
> > 
> > No, it’s more like 50,000 furnace guys who show up several times a day to 
> > rattle doorknobs, attempt to push Slim Jims into window latches, hack your 
> > garage door opener, sneak into your back garden, and fly drones around your 
> > home to see what valuables you might have. Yes, some of them are 
> > altruistic, but some are self-righteous officious boobs, and the vast 
> > majority are career criminals that will rob your house, drain your 
> > retirement account, and kill your family with a spoofed SWAT raid.
> > 
> >   -mel beckman
> > 
> > > On Jun 20, 2022, at 4:20 AM, Carsten Bormann  wrote:
> > > On 2022-06-20, at 04:18, Mel Beckman  wrote:
> > > > 
> > > > When researchers, or whoever, claim their scanning is an altruistic 
> > > > service, I ask them if they would mind someone coming to their home and 
> > > > trying to open all the doors and windows every night.
> > > 
> > > Well, it is more like the guy who comes once a year and checks that your 
> > > central heating is not going to blow up.
> > > 
> > > (Disclaimer: I have supervised students who designed and executed benign 
> > > mass-scans of the IPv4 Internet in order to validate hypotheses about 
> > > market penetration of certain security updates, and I definitely would do 
> > > that again if there is a good reason to perform such a scan.)
> > > 
> > > Grüße, Carsten
> 

-- 
The fact that there's a Highway to Hell but only a Stairway to Heaven says a 
lot about anticipated traffic volume.




Re: Scanning the Internet for Vulnerabilities

2022-06-20 Thread Michael Butler via NANOG
I treat these folk with the same respect they afford me. Not once in 30 
years of having a connected network (v4 or v6) has any entity asked "is 
it OK if we .. ?".


To my mind, it seems rather idiotic and self-defeating to have the 
plumbing congested with packets intended to measure congestion :-(


Michael

On 6/20/22 09:46, Mel Beckman wrote:

> Carsten,
>
> No, it’s more like 50,000 furnace guys who show up several times a day to
> rattle doorknobs, attempt to push Slim Jims into window latches, hack your
> garage door opener, sneak into your back garden, and fly drones around your
> home to see what valuables you might have. Yes, some of them are altruistic,
> but some are self-righteous officious boobs, and the vast majority are career
> criminals that will rob your house, drain your retirement account, and kill
> your family with a spoofed SWAT raid.
>
>   -mel beckman
>
>> On Jun 20, 2022, at 4:20 AM, Carsten Bormann wrote:
>> On 2022-06-20, at 04:18, Mel Beckman wrote:
>>
>>> When researchers, or whoever, claim their scanning is an altruistic service, I ask
>>> them if they would mind someone coming to their home and trying to open all the
>>> doors and windows every night.
>>
>> Well, it is more like the guy who comes once a year and checks that your
>> central heating is not going to blow up.
>>
>> (Disclaimer: I have supervised students who designed and executed benign
>> mass-scans of the IPv4 Internet in order to validate hypotheses about market
>> penetration of certain security updates, and I definitely would do that again
>> if there is a good reason to perform such a scan.)
>>
>> Grüße, Carsten




Re: Scanning the Internet for Vulnerabilities

2022-06-20 Thread J. Hellenthal via NANOG
On Mon, Jun 20, 2022 at 02:47:27PM +0200, Carsten Bormann wrote:
> J.,
> 
> > On 2022-06-20, at 14:14, J. Hellenthal  wrote:
> > 
> > Yeah that's another thing, "research" cause you need to learn it let's have 
> > them do it too, multiply that by every university \o/
> 

No no not saying there wasn't. Research is needed for sure and education
is very important. But the fact of most matters stand in that area where
some code may not exactly be up to par from "some students" and still
exhaust itself on the public internet of things where little real
oversight actually happens from its origin until it has already impacted
multiple destinations that did not ask for it.

Definitely did sign up for it! and with all the proper checks and
balances, can handle them appropriately at 2am when N students have
been asleep letting their code run wild.

Sorry not picking on "you/this" in particular on your part. It's just
not all of them are exactly up to par while following what they believe
are best practices governed by an instructor (not you) that deems it
benign where I have found some instructors/educators have very little
knowledge in the field whatsoever beyond a textbook and a home
computer/lab. I look forward to the school years to begin, it brings a
challenge where traffic from skids drops between certain hours in
different countries and the detection begins for advertisement scanners
and real threats.

Noise is cool, it gives pretty results where the ugly of the networks
typically just annoy you. Not cool when it's amplified by N number of
whatever (advertising/company/students) like a udp amplification attack
but initiated by india.edu, america.edu, X.edu all at the wrong time.

Anyway I retract

Happy Father's Day yesterday and hope all your weekends have been
great.

> there was some actual research involved.
> 
> I agree that there should be a very good reason to expend a tiny bit of 
> everyone’s resources on this.
> 
> I do not agree that this externality makes any research in this space 
> unethical.
> 
> You signed up for this when you joined the Internet (er, stuck with the IPv4 
> Internet, I should probably say).
> 
> Grüße, Carsten
> 

-- 
The fact that there's a Highway to Hell but only a Stairway to Heaven says a 
lot about anticipated traffic volume.




Re: Scanning the Internet for Vulnerabilities

2022-06-20 Thread Mel Beckman
Carsten,

No, it’s more like 50,000 furnace guys who show up several times a day to 
rattle doorknobs, attempt to push Slim Jims into window latches, hack your 
garage door opener, sneak into your back garden, and fly drones around your 
home to see what valuables you might have. Yes, some of them are altruistic, 
but some are self-righteous officious boobs, and the vast majority are career 
criminals that will rob your house, drain your retirement account, and kill 
your family with a spoofed SWAT raid.

 -mel beckman

> On Jun 20, 2022, at 4:20 AM, Carsten Bormann  wrote:
> On 2022-06-20, at 04:18, Mel Beckman  wrote:
>> 
>> When researchers, or whoever, claim their scanning is an altruistic service, I 
>> ask them if they would mind someone coming to their home and trying to open 
>> all the doors and windows every night.
> 
> Well, it is more like the guy who comes once a year and checks that your 
> central heating is not going to blow up.  
> 
> (Disclaimer: I have supervised students who designed and executed benign 
> mass-scans of the IPv4 Internet in order to validate hypotheses about market 
> penetration of certain security updates, and I definitely would do that again 
> if there is a good reason to perform such a scan.)
> 
> Grüße, Carsten


Re: Scanning the Internet for Vulnerabilities

2022-06-20 Thread John Kristoff
On Sun, 19 Jun 2022 08:06:59 -0400
Dovid Bender  wrote:

> I don't know who is doing it. I just know that IL Cert contacted our
> parent company which has an ISP in Israel when things were "hot".

Some national government infrastructure protection organizations will
relay notifications to local provider networks (e.g., abuse@) based
on reputable third party surveyors (aka network scanner operators).  I
think it is safe to assume this is generally done as a public service,
but perhaps with some mandates to measure and minimize risk within a
country's borders.

Most providers will usually convey the notification in fairly strong
language, usually demanding some sort of response and if applicable,
remediation.  The reports can contain false positives (e.g., when
scanners cannot differentiate between vulnerable systems and honeypots).

It isn't always clear based on the relayed reports who is running the
scans, but in my experience Shadowserver is the most widely used and
cited.  There are of course lots of others running scans.  Commercially,
Greynoise tracks many of them.  A research-based tracker is also
available here:

  

John


Re: Scanning the Internet for Vulnerabilities

2022-06-20 Thread Carsten Bormann
J.,

> On 2022-06-20, at 14:14, J. Hellenthal  wrote:
> 
> Yeah that's another thing, "research" cause you need to learn it let's have 
> them do it too, multiply that by every university \o/

there was some actual research involved.

I agree that there should be a very good reason to expend a tiny bit of 
everyone’s resources on this.

I do not agree that this externality makes any research in this space unethical.

You signed up for this when you joined the Internet (er, stuck with the IPv4 
Internet, I should probably say).

Grüße, Carsten



Re: Scanning the Internet for Vulnerabilities

2022-06-20 Thread J. Hellenthal via NANOG


Yeah that's another thing, "research" cause you need to learn it let's have 
them do it too, multiply that by every university \o/

-- 
 J. Hellenthal

The fact that there's a highway to Hell but only a stairway to Heaven says a 
lot about anticipated traffic volume.

> On Jun 20, 2022, at 06:22, Carsten Bormann  wrote:
> 
> On 2022-06-20, at 04:18, Mel Beckman  wrote:
>> 
>> When researchers, or whoever, claim their scanning is an altruistic service, I 
>> ask them if they would mind someone coming to their home and trying to open 
>> all the doors and windows every night. 
> 
> Well, it is more like the guy who comes once a year and checks that your 
> central heating is not going to blow up.  
> 
> (Disclaimer: I have supervised students who designed and executed benign 
> mass-scans of the IPv4 Internet in order to validate hypotheses about market 
> penetration of certain security updates, and I definitely would do that again 
> if there is a good reason to perform such a scan.)
> 
> Grüße, Carsten
> 


Re: Scanning the Internet for Vulnerabilities

2022-06-20 Thread Carsten Bormann
On 2022-06-20, at 04:18, Mel Beckman  wrote:
> 
> When researchers, or whoever, claim their scanning is an altruistic service, I 
> ask them if they would mind someone coming to their home and trying to open 
> all the doors and windows every night. 

Well, it is more like the guy who comes once a year and checks that your 
central heating is not going to blow up.  

(Disclaimer: I have supervised students who designed and executed benign 
mass-scans of the IPv4 Internet in order to validate hypotheses about market 
penetration of certain security updates, and I definitely would do that again 
if there is a good reason to perform such a scan.)

Grüße, Carsten



Re: Scanning the Internet for Vulnerabilities

2022-06-20 Thread J. Hellenthal via NANOG
Wish I still had that email from them where person "possibly not speaking for
the company" stated that "they scan the entire internet for vulns and other
nefarious things." Where I stated "don't care get your unwanted advertisement
scans off my edge, if I want you in the future I know where to find you". And
he kept beating around the bush.

-- 
 J. Hellenthal

The fact that there's a highway to Hell but only a stairway to Heaven says a
lot about anticipated traffic volume.

> On Jun 20, 2022, at 01:09, Owen DeLong via NANOG wrote:
>
> shadow server (to the best of my knowledge) only scans sites that have invited
> them to do so.
>
> Owen
>
>> On Jun 19, 2022, at 10:43 , Forrest Christian (List Account) wrote:
>>
>> See shadowserver.net
>>
>> On Sun, Jun 19, 2022, 4:13 AM Ronald F. Guilmette wrote:
>>> I would like to solicit the opinions of network operators on the practice
>>> of scanning all of, or large chunks of the internet for known vulnerabilities.
>>>
>>> In earlier times, this was generally viewed as being distinctly anti-social
>>> behavior, but perhaps attitudes have changed relative to earlier eras.
>>> I would thus like to know how people feel about it now, in 2022.
>>>
>>> Regards,
>>> rfg
>>>
>>> P.S.  Just to be clear, I personally have neither any desire nor any intent
>>> to undertake such activity myself, nor am I in communication with any party
>>> or parties that have such an intent or desire.  I cannot however say that I
>>> am unaware of any parties that may currently be involved in such activities.



Re: Scanning the Internet for Vulnerabilities

2022-06-20 Thread J. Hellenthal via NANOG
Yep that's exactly what that is. While the intention is good, it's all still
unwarranted.

-- 
 J. Hellenthal

The fact that there's a highway to Hell but only a stairway to Heaven says a
lot about anticipated traffic volume.

> On Jun 19, 2022, at 21:18, Mel Beckman wrote:
>
> When researchers, or whoever, claim their scanning is an altruistic service, I
> ask them if they would mind someone coming to their home and trying to open
> all the doors and windows every night.
>
> -mel beckman
>
>> On Jun 19, 2022, at 6:14 PM, J. Hellenthal via NANOG wrote:
>>
>> Had to send these guys a cease and desist a few years back as they became so
>> noisy it was causing too much of a disconnect between information we were
>> trying to compare.
>>
>> Personally I don't care who you are. Probably not hiring your services (free
>> or not), stay off my edge.
>>
>> -- 
>>  J. Hellenthal
>>
>> The fact that there's a highway to Hell but only a stairway to Heaven says a
>> lot about anticipated traffic volume.
>>
>>> On Jun 19, 2022, at 13:56, Amreesh Phokeer wrote:
>>>
>>> Project Sonar from Rapid7 conducts internet-wide surveys and is kind enough
>>> to share the data with researchers:
>>> https://www.rapid7.com/research/project-sonar/
>>>
>>> On Sun, Jun 19, 2022 at 10:24 PM Mark Seiden wrote:
>>>> btw, if you want to do this yourself, you might consider using something like
>>>>
>>>> https://github.com/opsdisk/scantron
>>>
>>> -- 
>>> Amreesh Phokeer


Re: Scanning the Internet for Vulnerabilities

2022-06-20 Thread Owen DeLong via NANOG
shadow server (to the best of my knowledge) only scans sites that have invited 
them to do so.

Owen


> On Jun 19, 2022, at 10:43 , Forrest Christian (List Account) 
>  wrote:
> 
> See shadowserver.net
> On Sun, Jun 19, 2022, 4:13 AM Ronald F. Guilmette wrote:
> I would like to solicit the opinions of network operators on the practice
> of scanning all of, or large chunks of the internet for known vulnerabilities.
> 
> In earlier times, this was generally viewed as being distinctly anti-social
> behavior, but perhaps attitudes have changed relative to earlier eras.
> I would thus like to know how people feel about it now, in 2022.
> 
> 
> Regards,
> rfg
> 
> 
> P.S.  Just to be clear, I personally have neither any desire nor any intent
> to undertake such activity myself, nor am I in communication with any party
> or parties that have such an intent or desire.  I cannot however say that I
> am unaware of any parties that may currently be involved in such activities.



Re: Scanning the Internet for Vulnerabilities

2022-06-20 Thread Owen DeLong via NANOG
I would still consider an uninvited scan of my network antisocial.

Other operators are, of course, free to make their own choices.


Owen


> On Jun 19, 2022, at 03:13 , Ronald F. Guilmette  
> wrote:
> 
> I would like to solicit the opinions of network operators on the practice
> of scanning all of, or large chunks of the internet for known vulnerabilities.
> 
> In earlier times, this was generally viewed as being distinctly anti-social
> behavior, but perhaps attitudes have changed relative to earlier eras.
> I would thus like to know how people feel about it now, in 2022.
> 
> 
> Regards,
> rfg
> 
> 
> P.S.  Just to be clear, I personally have neither any desire nor any intent
> to undertake such activity myself, nor am I in communication with any party
> or parties that have such an intent or desire.  I cannot however say that I
> am unaware of any parties that may currently be involved in such activities.



Re: Scanning the Internet for Vulnerabilities

2022-06-19 Thread goemon--- via NANOG

On Sun, 19 Jun 2022, Ronald F. Guilmette wrote:

In earlier times, this was generally viewed as being distinctly anti-social
behavior, but perhaps attitudes have changed relative to earlier eras.
I would thus like to know how people feel about it now, in 2022.


This has not changed.

-Dan


Re: Scanning the Internet for Vulnerabilities

2022-06-19 Thread Ronald F. Guilmette
In message , 
Mark Seiden  wrote:

>btw, if you want to do this yourself, you might consider using something like
>
>https://github.com/opsdisk/scantron

Thank you, but as I noted in the post beginning this thread, I personally
have no interest in performing this type of activity at the present time.
I am rather more interested in what others are already doing, and the
parameters of, and the current level of social acceptance thereof.


Regards,
rfg


Re: Scanning the Internet for Vulnerabilities

2022-06-19 Thread Ronald F. Guilmette
In message , 
Mark Seiden  wrote:

>it should be mentioned that shadowserver also notifies those who 
>register as the owners of that address space.

Yes.  That is quite a public spirited endeavor in the best traditions of
the Internet.

>my thinking about this sort of thing, in general, is:
>
>- it depends on who's doing it and why, and what they do with the information

Yes.  And my question was deliberately open-ended with regards to those
two points, specifically.

Shadowserver is an example of a public-interest enterprise.  And unless
I'm mistaken, we can easily know who they are and what they do with the
information they collect.

There are however counter-examples... enterprises that are not quite so
forthright, either in their willingness to be identified or in the disposition
of their results data.

>- it's polite enough for me for the good guys to identify 
>themselves so you (the target) can worry
>less when you notice the activity.

I agree.  But that that raises the question:  How would (or should) a "benign"
scanning enterprise publicly identify itself in a manner so as to mitigate
undue alarm?


Regards,
rfg


Re: Scanning the Internet for Vulnerabilities

2022-06-19 Thread Mel Beckman
When researchers, or whoever, claim their scanning is an altruistic service, I ask 
them if they would mind someone coming to their home and trying to open all the 
doors and windows every night.

 -mel beckman

On Jun 19, 2022, at 6:14 PM, J. Hellenthal via NANOG  wrote:

 Had to send these guys a cease and desist a few years back as they became so 
noisy it was causing too much of a disconnect between information we were trying 
to compare.



Personally I don't care who you are. Probably not hiring your services (free or 
not), stay off my edge.

--
 J. Hellenthal

The fact that there's a highway to Hell but only a stairway to Heaven says a 
lot about anticipated traffic volume.

On Jun 19, 2022, at 13:56, Amreesh Phokeer  wrote:


Project Sonar from Rapid7 conducts internet-wide surveys and is kind enough to 
share the data with researchers:
https://www.rapid7.com/research/project-sonar/

On Sun, Jun 19, 2022 at 10:24 PM Mark Seiden wrote:
btw, if you want to do this yourself, you might consider using something like

https://github.com/opsdisk/scantron

--
Amreesh Phokeer


Re: Scanning the Internet for Vulnerabilities

2022-06-19 Thread J. Hellenthal via NANOG
Had to send these guys a cease and desist a few years back as they became so
noisy it was causing too much of a disconnect between information we were
trying to compare. Can't for for more idiot services to just jump on the wagon
and deploy their own scanners and pollute edges without a just cause.

Personally I don't care who you are. Probably not hiring your services (free or
not), stay off my edge.

-- 
 J. Hellenthal

The fact that there's a highway to Hell but only a stairway to Heaven says a
lot about anticipated traffic volume.

> On Jun 19, 2022, at 13:56, Amreesh Phokeer wrote:
>
> Project Sonar from Rapid7 conducts internet-wide surveys and is kind enough to
> share the data with researchers:
> https://www.rapid7.com/research/project-sonar/
>
> On Sun, Jun 19, 2022 at 10:24 PM Mark Seiden wrote:
>> btw, if you want to do this yourself, you might consider using something like
>>
>> https://github.com/opsdisk/scantron
>
> -- 
> Amreesh Phokeer


Re: Scanning the Internet for Vulnerabilities

2022-06-19 Thread Amreesh Phokeer
Project Sonar from Rapid7 conducts internet-wide surveys and is kind enough
to share the data with researchers:
https://www.rapid7.com/research/project-sonar/

On Sun, Jun 19, 2022 at 10:24 PM Mark Seiden  wrote:

> btw, if you want to do this yourself, you might consider using something
> like
>
> https://github.com/opsdisk/scantron
>

-- 
Amreesh Phokeer


Re: Scanning the Internet for Vulnerabilities

2022-06-19 Thread Mark Seiden
btw, if you want to do this yourself, you might consider using something like

https://github.com/opsdisk/scantron



> On Jun 19, 2022, at 11:17 AM, Mark Seiden  wrote:
> 
> greetings.
> 
> it should be mentioned that shadowserver also notifies those who register as 
> the owners of that address space.
> it’s very useful.  (it would be more useful if they calculated diffs and 
> notified about changes/additions.)
> 
> my thinking about this sort of thing, in general, is:
> 
> - it depends on who’s doing it and why, and what they do with the information
> (so what keeps you from doing it for the benefit of your less clueful 
> downstream customers?)
> 
> - absolutely nothing prevents bad guys from doing it, so discouraging it fits 
> in the category of
> “politeness rules only observed by nice people”.
> 
> - it’s polite enough for me for the good guys to identify themselves so you 
> (the target) can worry 
> less when you notice the activity.
> 
> (btw, this reasoning applies also about crawls of content from the wayback 
> machine.)
> 
> 
> 
>> On Jun 19, 2022, at 10:45 AM, Forrest Christian (List Account) wrote:
>> 
>> Correction... shadowserver.org 
>> 
>> They scan the entire ipv4 internet daily for select potential 
>> vulnerabilities. 
>> 
>> On Sun, Jun 19, 2022, 11:43 AM Forrest Christian (List Account) wrote:
>> See shadowserver.net
>> On Sun, Jun 19, 2022, 4:13 AM Ronald F. Guilmette wrote:
>> I would like to solicit the opinions of network operators on the practice
>> of scanning all of, or large chunks of the internet for known 
>> vulnerabilities.
>> 
>> In earlier times, this was generally viewed as being distinctly anti-social
>> behavior, but perhaps attitudes have changed relative to earlier eras.
>> I would thus like to know how people feel about it now, in 2022.
>> 
>> 
>> Regards,
>> rfg
>> 
>> 
>> P.S.  Just to be clear, I personally have neither any desire nor any intent
>> to undertake such activity myself, nor am I in communication with any party
>> or parties that have such an intent or desire.  I cannot however say that I
>> am unaware of any parties that may currently be involved in such activities.
> 



Re: Scanning the Internet for Vulnerabilities

2022-06-19 Thread Mark Seiden
greetings.

it should be mentioned that shadowserver also notifies those who register as 
the owners of that address space.
it’s very useful.  (it would be more useful if they calculated diffs and 
notified about changes/additions.)

my thinking about this sort of thing, in general, is:

- it depends on who’s doing it and why, and what they do with the information
(so what keeps you from doing it for the benefit of your less clueful 
downstream customers?)

- absolutely nothing prevents bad guys from doing it, so discouraging it fits 
in the category of
“politeness rules only observed by nice people”.

- it’s polite enough for me for the good guys to identify themselves so you 
(the target) can worry 
less when you notice the activity.

(btw, this reasoning applies also about crawls of content from the wayback 
machine.)



> On Jun 19, 2022, at 10:45 AM, Forrest Christian (List Account) 
>  wrote:
> 
> Correction... shadowserver.org 
> 
> They scan the entire ipv4 internet daily for select potential 
> vulnerabilities. 
> 
> On Sun, Jun 19, 2022, 11:43 AM Forrest Christian (List Account) wrote:
> See shadowserver.net
> On Sun, Jun 19, 2022, 4:13 AM Ronald F. Guilmette wrote:
> I would like to solicit the opinions of network operators on the practice
> of scanning all of, or large chunks of the internet for known vulnerabilities.
> 
> In earlier times, this was generally viewed as being distinctly anti-social
> behavior, but perhaps attitudes have changed relative to earlier eras.
> I would thus like to know how people feel about it now, in 2022.
> 
> 
> Regards,
> rfg
> 
> 
> P.S.  Just to be clear, I personally have neither any desire nor any intent
> to undertake such activity myself, nor am I in communication with any party
> or parties that have such an intent or desire.  I cannot however say that I
> am unaware of any parties that may currently be involved in such activities.



Re: Scanning the Internet for Vulnerabilities

2022-06-19 Thread Randy Bush
> Also Germany and Estonia, they scan DE and EE IPs and send emails to
> ISPs every day.

being in EE space, never receiving such a notice, and lacking the hubris
to think that all our systems are squeaky clean, i have my doubts.

i suspect that we will be seeing folk who dress well scanning for vulns
more and more as this poorly tended mess rolls on.

randy


Re: Scanning the Internet for Vulnerabilities

2022-06-19 Thread Forrest Christian (List Account)
Correction... shadowserver.org

They scan the entire ipv4 internet daily for select potential
vulnerabilities.

On Sun, Jun 19, 2022, 11:43 AM Forrest Christian (List Account) <
li...@packetflux.com> wrote:

> See shadowserver.net
>
> On Sun, Jun 19, 2022, 4:13 AM Ronald F. Guilmette 
> wrote:
>
>> I would like to solicit the opinions of network operators on the practice
>> of scanning all of, or large chunks of the internet for known
>> vulnerabilities.
>>
>> In earlier times, this was generally viewed as being distinctly
>> anti-social
>> behavior, but perhaps attitudes have changed relative to earlier eras.
>> I would thus like to know how people feel about it now, in 2022.
>>
>>
>> Regards,
>> rfg
>>
>>
>> P.S.  Just to be clear, I personally have neither any desire nor any
>> intent
>> to undertake such activity myself, nor am I in communication with any
>> party
>> or parties that have such an intent or desire.  I cannot however say that
>> I
>> am unaware of any parties that may currently be involved in such
>> activities.
>>
>


Re: Scanning the Internet for Vulnerabilities

2022-06-19 Thread Forrest Christian (List Account)
See shadowserver.net

On Sun, Jun 19, 2022, 4:13 AM Ronald F. Guilmette 
wrote:

> I would like to solicit the opinions of network operators on the practice
> of scanning all of, or large chunks of the internet for known
> vulnerabilities.
>
> In earlier times, this was generally viewed as being distinctly anti-social
> behavior, but perhaps attitudes have changed relative to earlier eras.
> I would thus like to know how people feel about it now, in 2022.
>
>
> Regards,
> rfg
>
>
> P.S.  Just to be clear, I personally have neither any desire nor any intent
> to undertake such activity myself, nor am I in communication with any
> party
> or parties that have such an intent or desire.  I cannot however say that I
> am unaware of any parties that may currently be involved in such
> activities.
>


RE: Scanning the Internet for Vulnerabilities

2022-06-19 Thread David Guo via NANOG
Also Germany and Estonia, they scan DE and EE IPs and send emails to ISPs every 
day.

From: NANOG  On Behalf Of Dovid Bender
Sent: Sunday, June 19, 2022 19:51
To: Ronald F. Guilmette 
Cc: NANOG 
Subject: Re: Scanning the Internet for Vulnerabilities

I know that in Israel the cyber dept of the government scans IL IP space then 
notifies ISP's to notify their clients. This helps where you have clueless 
people that don't know they have devices that can easily be compromised.


On Sun, Jun 19, 2022 at 6:13 AM Ronald F. Guilmette 
wrote:
I would like to solicit the opinions of network operators on the practice
of scanning all of, or large chunks of the internet for known vulnerabilities.

In earlier times, this was generally viewed as being distinctly anti-social
behavior, but perhaps attitudes have changed relative to earlier eras.
I would thus like to know how people feel about it now, in 2022.


Regards,
rfg


P.S.  Just to be clear, I personally have neither any desire nor any intent
to undertake such activity myself, nor am I in communication with any party
or parties that have such an intent or desire.  I cannot however say that I
am unaware of any parties that may currently be involved in such activities.


Re: Scanning the Internet for Vulnerabilities

2022-06-19 Thread Dovid Bender
On Sun, Jun 19, 2022 at 8:01 AM Ronald F. Guilmette 
wrote:

> In message  udtn6t1o+cv-nh6jbz...@mail.gmail.com>
> Dovid Bender 
> >I know that in Israel the cyber dept of the government scans IL IP space
> >then notifies ISPs to notify their clients. This helps where you have
> >clueless people that don't know they have devices that can easily be
> >compromised.
>
> That's most interesting and I certainly did not know that.
>
> Do you have confidence that such scanning is limited to Israeli IP
> addresses?
>
Not at all. I think it's obvious that every nation state "pokes around"
the internet.

> Are there any private firms that you are aware of in Israel that engage in
> such scanning also?
>
I don't know who is doing it. I just know that IL Cert contacted our parent
company which has an ISP in Israel when things were "hot".


Re: Scanning the Internet for Vulnerabilities

2022-06-19 Thread Ronald F. Guilmette
In message 
Dovid Bender 
>I know that in Israel the cyber dept of the government scans IL IP space
>then notifies ISPs to notify their clients. This helps where you have
>clueless people that don't know they have devices that can easily be
>compromised.

That's most interesting and I certainly did not know that.

Do you have confidence that such scanning is limited to Israeli IP addresses?

Are there any private firms that you are aware of in Israel that engage in
such scanning also?



Re: Scanning the Internet for Vulnerabilities

2022-06-19 Thread Dovid Bender
I know that in Israel the cyber dept of the government scans IL IP space
then notifies ISPs to notify their clients. This helps where you have
clueless people that don't know they have devices that can easily be
compromised.


On Sun, Jun 19, 2022 at 6:13 AM Ronald F. Guilmette 
wrote:

> I would like to solicit the opinions of network operators on the practice
> of scanning all of, or large chunks of the internet for known
> vulnerabilities.
>
> In earlier times, this was generally viewed as being distinctly anti-social
> behavior, but perhaps attitudes have changed relative to earlier eras.
> I would thus like to know how people feel about it now, in 2022.
>
>
> Regards,
> rfg
>
>
> P.S.  Just to be clear, I personally have neither any desire nor any intent
> to undertake such activity myself, nor am I in communication with any
> party
> or parties that have such an intent or desire.  I cannot however say that I
> am unaware of any parties that may currently be involved in such
> activities.
>


Re: Scanning the Internet for Vulnerabilities

2022-06-19 Thread Jorge Amodio
IMHO not good.

-J

On Sun, Jun 19, 2022 at 5:14 AM Ronald F. Guilmette 
wrote:

> I would like to solicit the opinions of network operators on the practice
> of scanning all of, or large chunks of the internet for known
> vulnerabilities.
>
> In earlier times, this was generally viewed as being distinctly anti-social
> behavior, but perhaps attitudes have changed relative to earlier eras.
> I would thus like to know how people feel about it now, in 2022.
>
>
> Regards,
> rfg
>
>
> P.S.  Just to be clear, I personally have neither any desire nor any intent
> to undertake such activity myself, nor am I in communication with any
> party
> or parties that have such an intent or desire.  I cannot however say that I
> am unaware of any parties that may currently be involved in such
> activities.
>


Scanning the Internet for Vulnerabilities

2022-06-19 Thread Ronald F. Guilmette
I would like to solicit the opinions of network operators on the practice
of scanning all of, or large chunks of the internet for known vulnerabilities.

In earlier times, this was generally viewed as being distinctly anti-social
behavior, but perhaps attitudes have changed relative to earlier eras.
I would thus like to know how people feel about it now, in 2022.


Regards,
rfg


P.S.  Just to be clear, I personally have neither any desire nor any intent
to undertake such activity myself, nor am I in communication with any party
or parties that have such an intent or desire.  I cannot however say that I
am unaware of any parties that may currently be involved in such activities.