On Tue, 27 Jul 1999, David Getchell wrote:

> On  Fri, 23 Jul 1999 14:41:35 -0400 Dave Thompson wrote:
> 
> >>In a place of business, there is a front door, and there is often a private
> >>back door.  The front door is to be used by the public so they can come in
> >>and look around.  They can rattle the doorknob to their hearts' content.
> >>
> >>The private door, however, isn't intended for public use.  It's still
> >>accessible from the street, but just because it accesses the street doesn't
> >>mean it's intended for just anyone to use--nor is it intended for people to
> >>even come rattle the doorknob to see if it's open.  Someone may come to open
> >>the door by mistake because he doesn't realize the door isn't for public
> >>use, but most people have enough sense about them to recognize which door
> >>they are meant to use.
> >>
> >>In this analogy, the front door is the Web site that is open to the
> >>public--and this is the only part of the system that's open to the public.
> >>The private door, however, is ftp, telnet, etc., which aren't meant for
> >>public use.  (I know some sites grant public ftp and telnet--that's not my
> >>point.  Stick to the analogy!)  The private door accesses files and tools
> >>that were never meant to be used or even seen by the public.  Just having a
> >>door doesn't give people permission to try to open it.
> 
> On Mon, 26 Jul 1999 13:32:44 -0400, Dana Nowell wrote:
> 
> >Your analogy does not completely hold.  Since many sites on the net offer
> >many different public access 'doors' it is not as clear cut for a 'member
> >of the public' to tell public from private.  Assume you have a main street
> >that has several store fronts and you have a parking lot at the rear of the
> >stores along the main street.  Now further assume some percentage of the
> >stores on the main street allow public access through the standard unmarked
> >back door as a convenience to the public.  John Q Public walks up to a back
> >door and tries the knob; the door is locked.  Does the cop on the beat even
> >stop and question him?  I doubt it.  Same scenario but no public access via
> >the parking lot, the guy gets questioned.  Why?  Perceived/acceptable public
> >access may be different than publicised or conventional public access.
> >
> >Same is true on the net.  If I FTP/telnet to your host and claim that I
> >thought it had a server or I thought it was a different site, do I get
> >questioned more?  No: perceived legit usage or honest mistake.  If I do it
> >say 20 times in a week the ISP would most certainly cancel my account.  Or
> >suppose I'm an end user and you log BGP route change requests from my
> >machine, do I get booted?  Sure.
> 
> I have an interesting situation and would like to gather your thoughts
> as to the netiquette and legality involved.
> 
> I wish to remotely access a web server on the PC that sits on my
> desk. It is behind a NAT firewall, which in turn is intermittently
> connected to the Internet on a dynamic IP (dialup) address. I am the
> administrator of the firewall, and have directed incoming http
> requests to the PC.
> 
> I have no convenient way of locating the PC from the Internet. I
> cannot use an IP posting type program, since the PC does not know the
> current external IP address of the firewall. I know that if it is
> connected, it will appear on one of four class C networks. I can
> locate it by scanning port 80, and then loading the addresses which
> respond in my browser. In the process, I'm sending attempted
> connections to many machines that aren't running web servers, as well
> as loading the home page of several machines that aren't mine. In
> practice, about half of the latter are servers that have been
> configured to display a public page, and about half are unconfigured
> (Microsoft IIS demo pages are very common).
> 
> In theory, I could be looking for unconfigured servers in an attempt
> to exploit weaknesses in the default configurations. In reality, I'm
> just hunting for my PC.
> 
> Comments? Is this, or should this be, illegal? Is it rude?


If I'm correct and you are doing this from a home site to your employer's
site, then most certainly it all depends upon protocol at your employer.
If you have permission from the boss, then at worst you might show up on
some higher-end user's IDS logging system and be questioned about the scans.
I would see no reason why they should not show any interest in these
connection attempts, nor perhaps even find them mildly rudely intrusive,
but it would ultimately rest with your employer's policies and whether you
have permission to be making the connections you are attempting.

Thanks,

Ron DuFresne
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Cutting the space budget really restores my faith in humanity.  It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation." -- Johnny Hart
        ***testing, only testing, and damn good at it too!***

OK, so you're a Ph.D.  Just don't touch anything.
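As an added example (not part of the thread): the kind of check a firewall administrator's "IDS logging system", as Ron puts it, could run over its own logs to notice a port-80 sweep like the one David describes, where a single source touches many hosts on a class C in a short time. The log format, addresses and thresholds are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample firewall log lines in a generic syslog style (not from the thread).
SAMPLE_LOG = """\
Jul 27 10:01:02 fw kernel: DROP SRC=203.0.113.7 DST=198.51.100.12 PROTO=TCP DPT=80
Jul 27 10:01:02 fw kernel: DROP SRC=203.0.113.7 DST=198.51.100.13 PROTO=TCP DPT=80
Jul 27 10:01:03 fw kernel: ACCEPT SRC=203.0.113.7 DST=198.51.100.14 PROTO=TCP DPT=80
Jul 27 10:01:03 fw kernel: DROP SRC=203.0.113.7 DST=198.51.100.15 PROTO=TCP DPT=80
Jul 27 10:01:04 fw kernel: DROP SRC=203.0.113.7 DST=198.51.100.16 PROTO=TCP DPT=80
Jul 27 10:01:05 fw kernel: ACCEPT SRC=192.0.2.44 DST=198.51.100.20 PROTO=TCP DPT=80
Jul 27 10:02:30 fw kernel: ACCEPT SRC=192.0.2.44 DST=198.51.100.20 PROTO=TCP DPT=443
Jul 27 10:40:00 fw kernel: DROP SRC=203.0.113.7 DST=198.51.100.90 PROTO=TCP DPT=80
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ kernel: (?P<action>\w+) "
    r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) PROTO=TCP DPT=(?P<dpt>\d+)"
)

def parse_line(line, year=1999):
    """Return (timestamp, src, dst, dport) for a matching line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["src"], m["dst"], int(m["dpt"])

def find_sweeps(log_text, port=80, min_hosts=4, window=timedelta(minutes=5)):
    """Map each source that reached at least `min_hosts` distinct destinations
    on `port` inside some `window` to the largest such distinct-host count.
    Accepted and dropped attempts both count: a sweep is about breadth, not success."""
    hits = defaultdict(list)  # src -> [(timestamp, dst), ...]
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec[3] == port:
            ts, src, dst, _ = rec
            hits[src].append((ts, dst))
    sweeps = {}
    for src, events in hits.items():
        events.sort()
        best = 0
        for i, (t0, _) in enumerate(events):
            # distinct destinations seen in the window starting at this event
            seen = {d for t, d in events[i:] if t - t0 <= window}
            best = max(best, len(seen))
        if best >= min_hosts:
            sweeps[src] = best
    return sweeps
```

On the sample log the single late probe at 10:40 falls outside the five-minute window, so the flagged count for 203.0.113.7 is 5, not 6; tune `min_hosts` and `window` to the noise level of the network being watched.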

-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]