Kind of makes you wonder, if it's legal to shoot someone trespassing on your
property, then what is the electronic equivalent? <g>


-----Original Message-----
From: Dave Watts <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED] <[EMAIL PROTECTED]>
Cc: [EMAIL PROTECTED] <[EMAIL PROTECTED]>
Date: Thursday, April 06, 2000 11:04 AM
Subject: RE: Security holes revisited


> I disagree.  Your open ports are your "interface" to the
> world. Is it wrong for me to test one port?  That's essentially
> what I'd do if I tried typing http://yoursite.com/ in my browser.
> Two, what if I fingered your box when I found we were[n't]
> running a webserver.  If one or two ports are legit, why not
> three, four, ... or 65k?

The difference is one of degree, not of kind, and one of perceived intent.
If you connect to one port, using an HTTP client, you're trying to retrieve
HTML documents from a web server. If you do a port scan, what's your intent?
You're obviously not interested in using a specific service, are you?

The problem is determining intent and malice, but in the "real world" we
solve that problem all the time. We determine intent based on the observed
behavior of the potential bad actor. Why should it be any different for
things we do with computers? If I see someone walking through the
neighborhood rattling all the doorknobs, shouldn't I assume the worst?

> Slippery slope, yes.  But you could make the argument that
> it's unethical to try to connect to a machine on port 80 if
> it hasn't been "advertised" as a web server.

It certainly may be unethical. Again, it goes back to intent. If I use ONE
SINGLE PORT with the intent of penetrating the system, that's unethical -
unless it's my own system. However, no one will be able to tell that I've
got bad intentions if I connect to just one port.

> I guess the best real-world analogy is walking through an office and
> turning door knobs to see which are or aren't locked. Of course,
> real-world analogies are pretty flawed, but this one isn't too bad. To
> qualify for "looking in the clothes hamper" status, I think you'd have
> to actually compromise the system to some degree.  You can't look in a
> hamper just by trying the doorknob, and seeing what happens.

Again, if I see someone walking through the office, trying all the
doorknobs, I'm going to assume bad intent, all other things being equal.

And, why do you say that real-world analogies are flawed? I happen to live
in the real world, and the ideas that we live by all come from the real
world. We've got nothing but real-world analogies to go by, in determining
right and wrong in the computer world. Why should property rights disappear
when it comes to computers?

It's very important that we use real-world analogies; it's also important
that we find the closest analogy. That's how we determine whether an act is
right or wrong. People in our profession need to spend a little more time
doing this, or the legislators will do it themselves, and their analogies
might not be any good.

> Oh, and about the locksmith scenario, let's rephrase it so he
> doesn't enter and leave a note. He picks the lock, opens the
> door (maybe not even), closes it, locks it, leaves, and calls
> later to leave voicemail.

Well, then, I guess that's OK. However, if he was doing this at night, and I
assumed the worst, and when he pushed the door open I let him have both
barrels, that would be OK too. Or, let's suppose I was out, and I came back
and saw him busy at work picking the lock. Should I wait for him to finish,
and write his note?

Picking a lock to show its weaknesses, or compromising a site to show its
weaknesses, is wrong, unless it's your lock or your site. It's as simple as
that. Now, you'd certainly want to differentiate between compromising and
scanning; if the locksmith looked at the lock, and said, "Oh, that's one of
those cheap Taiwanese locks - I could pick that in 30 seconds" that would be
a scan. If he takes his credit card and slips it into the door jamb to open
the door, he's compromised your security. Even if his intent was good, how
would I know at the time he did it? We generally judge perceived intent at
the time of the act - if the police saw him, and he said, "I'm sorry,
officer, but I just wanted to demonstrate the weakness of this lock" I don't
think they'd buy it.

> In my original post, I neglected the "post publicly" clause.
> I agree that it's wrong to do that. Locksmith putting up a
> sign in the yard is a good analogy. The proper thing to do
> (regardless of whether the initial survey is proper or not)
> would be to contact a sysadmin discreetly.
>
> I once discovered a CF site (see, on topic! almost) that was
> vulnerable to the ::$DATA IIS problem. I took his index.cfm
> and emailed it to him, with some explanation and a couple of
> links. I received a nice thank you note, which I thought was
> appropriate. Your attitude makes me feel like I should have
> kept my mouth shut for fear of p[ros|ers]ecution.

No, I don't think there's anything wrong with what you did, based on my
appreciation of your intent. The person who you informed also judged your
intent to be good, and he thanked you. If you'd used that as a marketing
lead, both he and I would likely question your intent. If you followed this
scan (which is, at most, all you really did) by taking his source code,
figuring out some other vulnerability, then exploiting that, again, your
intent would be questionable.

A few months back, someone posted the same problem about someone else's site
on this list. Some people applauded the poster, others said it wasn't a good
idea to post that kind of information. Obviously, our professional ethics
aren't very definitive about this kind of thing yet, which isn't surprising
for such a young industry. But we'd better start thinking through these
sorts of things, or they'll be thought through for us by people who don't
understand the issues, or don't care to understand.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
voice: (202) 797-5496
fax: (202) 797-5444

------------------------------------------------------------------------------
Archives: http://www.eGroups.com/list/cf-talk
To Unsubscribe visit
http://www.houseoffusion.com/index.cfm?sidebar=lists&body=lists/cf_talk or
send a message to [EMAIL PROTECTED] with 'unsubscribe' in
the body.

