On 20 Jul 99, at 8:33, Bill Stackpole wrote:
> Just curious what other think about the rattling door knobs question. Is
> it wrong to probe a system for security flaws if you have no evil intent?
> I check my neighbor's doors when they are on vacation to make sure no one
> has broken in, look in the windows to make sure everything is normal. Does
> that make me a criminal? I doubt it.
We often *ask* a neighbor to do just that. We often even lend them a key,
so that they don't have to act like a prowler or a "peeping tom" (and risk
prosecution...) to do it.
> Over the years, I've called many a company to inform them of potential
> security risks I have observed. Some have come to me in the mail, some as
> extraneous packets on my Internet connection and others as the result of
> my testing the effectiveness of certain security tools.
I divide access attempts to our system into three basic categories:
1. Access to the system as intended.
2. Attempts to access the system in unintended ways, either due to
misconfiguration or simply cluelessness.
3. Attempts to access the system in unintended ways, by uncovering or
exploiting a security flaw.
In theory, there's a gray area between #2 and #3 that calls for a
judgement. In practice, this is usually pretty easy. If I see that someone
tried to reach one of our "obvious" servers using TCP ports 110 (POP) and 143
(IMAP) a couple of times, they clearly don't understand quite how to use our
messaging services -- if they keep trying and trying and trying, I'll send
their ISP a note suggesting that they call our Customer Support department
for assistance. If I see them trying 110 and 143 and 635 (mountd) and 79
(finger) and 53 (DNS) against every address in our public block, it's pretty
clear that they're running a script looking for known exploits against
specific OSes, and even if they don't find them here, they're probably doing
the same on adjacent address blocks as well -- who might be more vulnerable.
If you try to hot-wire a neighbor's car in the middle of the night, nobody
is going to care whether you were *really* trying to steal it, or "just
curious about how hard it would be". If you're young and it's a first
offense, a kind-hearted cop might just march you home to face your parents,
but that doesn't mean it wasn't illegal.
David G
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]