On Fri, 23 Jul 1999, Dave Gillett wrote:


[ Much snipped for brevity's sake]

I agree with most of the things that you say before this point, I just
don't see that they help your argument any.  Basically we both said that
there's neither a clear definition of what is acceptable nor what is not
acceptable.  Agreed.  That only makes it easier for someone charged with a
crime to get off.

Or at least it would, except the media and law enforcement have portrayed
system crackers as the ultimate evil force in the universe, which is
simply silly.  Most crackers, even ones that do gain access, don't do any
real damage and are relatively harmless. Most are curious teenagers.
Curiosity is a good thing, and in-and-of-itself should not be punishable,
it should be encouraged.  BUT, that doesn't mean they shouldn't be
punished if harm is done. As I continue to say, let the punishment fit the
crime.

What's the punishment for simple trespass?  I occasionally watch COPS and
see them escort the trespasser off the property, and that's the end of it,
so long as that's their only offense.  When they do damage to the
people, that's when they get hauled off to jail.  My sense of what happens
to system crackers from the stories and news reports that I've seen/heard
is that their punishment is often much more severe for what amounts to the
same thing.

Their homes are raided, their equipment is confiscated, and they are
incarcerated for long, long periods of time. From what I understand, Kevin
Mitnick was imprisoned for YEARS before he even had a trial date (I know
he pleaded guilty, doesn't matter -- it isn't supposed to work that way). 
Some of them probably deserve it, but from what I've seen, most don't.
This is why I take such an extreme perspective on what would seemingly be
a rather small issue.

[I realize that Mitnick is only one case, and probably doesn't represent
the norm, but IMO even one case of serious injustice is far too many.]

To continue with your post:

> > Therefore, the only practical way for me to find out what services are
> > running and hence what services I have permission to connect to on your
> > server, is to connect to it and see.  
> 
> Therefore, if you have not been told that server X is hosting service Y, it 
> is entirely possible that service Y is only provided for customers on list Z, 
> who would have been informed of its availability.  

That isn't true.  There are literally millions of web sites out there
that I have not been told about, but that doesn't make them any less
public, nor does it mean that I don't have permission to connect to them.

>   [Your axiom seems (to me) to be:  "What is permitted to ANY is permitted to 
> ALL".  Essentially, you're rejecting the whole notion of private property, and 
> regarding all of cyberspace as Commons.

Not precisely, but you had me until you said that I reject private
property. Whether you, or any other private entity, like it, the internet
is a PUBLIC network.  If you put a machine on it, you should expect that
people will try to connect to it. Again, that doesn't mean you should
expect to have it vandalized. 

Don't want the public at large connecting to your private server?  Use a
VPN solution or other direct connect such as a leased line directly to the
party you want to connect to.

You don't have to like it, but you do have to deal with it. The ARPANet,
and subsequently the Internet, was intended from the start to be a public
network.  The whole idea was to make it easy to share stuff.  All this
commercial crap came later, when the greedy capitalists (which I have
nothing against, by the way) moved in and tried to make it theirs.  It was
never designed or intended to do the kinds of things people are doing with
it. Frankly I think this is why there is so much trouble with security. 
Before that happened, the amount of trouble on the internet was pretty
small. 

It's exactly this kind of attitude that had many people who were already a
part of the internet community (before the advent of graphical http
browsers) concerned... It was VERY public before, and now everyone's
trying to run around and privatize it, and commercialize it, and tax it.
I'm not saying that the recent changes are all for the bad, I just think
that you (in the general sense) need to realize that you can't have your
cake and eat it too. 

The benefits of the internet are that so many people have access to it.
The drawbacks of the internet are that so many people have access to it.
Crackers are here to stay. I don't want my system broken into 
 
>   As an Ideal, I think this is commendable.  [I think Proudhon made the case 

Me too.  Deal sternly with the abusers, and there won't be much abuse.
Just be careful not to step on those who haven't done anything injurious.
Like port scanning.  Does no one harm.  (Again, note that this discounts
those using it as a DoS attack.)

> pretty convincingly.]  As a practical matter, I see this as the basis for a 
> great deal of abuse, including the famous Green Card Lottery spam of a few 
> years back.  [The argument of the lawyers who perpetrated that incident 
> seemed to me to amount to a claim that if there was no billboard already on 
> the side of my house, it was fair game for them to erect one there....]

I'm not familiar with this case. I never said there weren't absurdities on
the other side of the argument. But as Thomas Jefferson said, better 100
guilty men go free than one innocent man lose his liberty.  I don't like
to see guilty men go free any more than anyone else, but I really believe
that.

>   If we reject the notion that servers are property, with owners who are 
> entitled to determine what uses to permit and what to deny, AND TO WHOM, then 
> of course we have no longer any basis for Computer Security as a field; we 
> should pack up this mailing list and all go find USEFUL things to do instead.]
> 
> > This is why people use the analogy of the store front.  It really is a very
> > good analogy.  The idea is here that you have a store, and the store has a
> > front door, and in order for you to see if the store is open for business
> > you have to try to open the door...  No? 
> 
>   Do you walk up to the door of the local Ford plant when you want to buy a 
> car?  Do you knock on every door on your block, looking for someone who has a 
> car to sell?  Does every building, by virtue of having a street address, 
> invite your inquiry as to whether perhaps they have a car to sell?
>   NO.  You notice (or look for) an advertisement, on TV or in the Yellow 
> Pages or in the newspaper, for someone who tells the world that they have the 
> kind of car you want *offered for sale*.
> 

This doesn't really apply to the Net.  In the physical world, we have the
concept of zones.  Some areas are zoned for business and some are not.  We
don't have this with the internet. The whole thing is publicly accessible,
by design.

>   Simple analogies to the material world break down when applied to port-
> scanning.  

Agreed.  But when making logical arguments, they're about all we have, no?
:)

> In the material world, we can stand across the street and count 
> the windows on a building without approaching.  With a port scan, we 
> *effectively* have to take a pole and tap on the wall, looking for spaces or 
> places that sound like glass when tapped (or perhaps toss a baseball at the 
> wall), and then try to insist to the owner that we were not trying to *break* 
> any of the windows, just count them.

Which, as I said, is technically the same action as what one does when one
connects to what you think of as a public service.  The problem is that
TCP/IP doesn't care what you think is public, it thinks everything is.
Again, by design.

>   The fact that the technology doesn't allow us to "stand across the street 
> and count the windows" does NOT, I think, constitute an implicit permission 
> to determine the number of windows by more aggressive/intimate means.  It may 
> mean that we have to live with not always knowing how many windows every 
> building has, especially when we cannot demonstrate any compelling need to 
> know that.  I'm afraid I don't grasp why some people find that idea so 
> intolerable.

I would agree with you if you could clearly and precisely define what is
acceptable use and what is non-permissible use when referring to the act of
connecting to ports. But I don't think that can be done.  Or more
specifically, I don't think they can be distinguished, except maybe in the
mind of the procurer. Since virtually no Internet user has access to the
mind of the procurer, and since such a wide variety of LEGITIMATE services
exists on different ports on different servers on this very public
network, effectively there is no way to define what is permissive and what
isn't. Therefore I do not see how you can call it "just" to punish someone
for doing it.  Especially since the cost to the scanee is nil. There needs
to be more. That's the bottom line to my argument. 


--
Derek D. Martin           |  UNIX System Administrator
[EMAIL PROTECTED] |  [EMAIL PROTECTED]

-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]

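The thread above turns on a technical claim: that a port scan and a connection to a "public" service are the same action on the wire, and that the only way to learn what a host offers is to connect and see. The following is an added example illustrating that point; it is not code from the original thread or from either correspondent. It is a minimal TCP connect() scanner exercised against a constructed loopback fixture (one listening socket and one released port). The function names probe, scan, start_listener, unused_port and demo are assumptions of this example.

```python
"""TCP connect() scanner, added as a worked example for the thread above.

Each probe is an ordinary connect(): the same SYN / SYN-ACK / ACK
handshake a browser performs against a web server. The remote stack
answers a SYN the same way whether or not the owner regards the port
as public: SYN-ACK if something listens, RST if nothing does, silence
if a packet filter drops it. Those three outcomes are the classic
open / closed / filtered states.
"""
import errno
import socket
from typing import Dict, Iterable


def probe(host: str, port: int, timeout: float = 1.0) -> str:
    """Connect to one port and classify it as 'open', 'closed' or 'filtered'."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "open"                 # handshake completed: a listener exists
    except socket.timeout:
        return "filtered"             # neither SYN-ACK nor RST within the timeout
    except ConnectionRefusedError:
        return "closed"               # RST came back: host reachable, nothing listening
    except OSError as exc:
        if exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return "filtered"         # ICMP unreachable: treat like a dropped SYN
        raise
    finally:
        sock.close()


def scan(host: str, ports: Iterable[int], timeout: float = 1.0) -> Dict[int, str]:
    """Probe each port in turn and return {port: state}."""
    return {port: probe(host, port, timeout) for port in ports}


def start_listener(host: str = "127.0.0.1") -> socket.socket:
    """Bind a listening socket on an OS-chosen port (constructed fixture).

    The kernel completes handshakes into the accept queue on its own,
    so no accept() loop is needed for connect() probes to succeed.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(5)
    return srv


def unused_port(host: str = "127.0.0.1") -> int:
    """Ask the OS for a free port and release it, so a probe gets an RST."""
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind((host, 0))
    port = tmp.getsockname()[1]
    tmp.close()
    return port


def demo(host: str = "127.0.0.1") -> Dict[int, str]:
    """Scan one locally opened port and one closed port; only loopback is touched."""
    srv = start_listener(host)
    try:
        open_port = srv.getsockname()[1]
        closed_port = unused_port(host)
        return scan(host, [open_port, closed_port], timeout=2.0)
    finally:
        srv.close()


if __name__ == "__main__":
    for port, state in sorted(demo().items()):
        print(f"127.0.0.1:{port} {state}")
```

Pointing scan() at a remote host is the same code with a different first argument, which is exactly the point being argued: the host's stack cannot tell a probe from a client. The loopback fixture cannot produce the "filtered" state, since nothing on loopback drops SYNs; that branch only fires against a host behind a packet filter, and the timeout is the only signal you get.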