On 27 Jul 99, at 10:22, Randall, Mark wrote:
> > The fact that the technology doesn't allow us to "stand across the street
> > and count the windows" does NOT, I think, constitute an implicit permission
> > to determine the number of windows by more aggressive/intimate means.
>
> I think this is the very point. Technology DOES allow us to "stand across
> the street and count windows". That's exactly what a port scan does. Not
> just from across the street, but from across the planet...to anything that
> is connected to the PUBLIC internets.
>
> I don't grasp why you perceive a simple port scan as a "more
> aggressive/intimate means", since it is the least intrusive way to view a
> host across the net. I wouldn't even classify connection attempts to the
> various running services via telnet as aggressive or intimate. Connections
> are harmless.

You've failed to grasp the critical point of the analogy. I'll try to
explain it a bit more simply.

My server does not broadcast, to the whole world, at every instant, "I am
listening on ports 21, 23, 25, 79, 80, 110, 143, etc." THAT would allow you
to "stand across the street" and count the windows.

No, in order to find out whether my server listens to port 80, you have to
more-or-less try to connect to port 80, and see what happens. You cannot
just "stand across the street" -- you have to hurl a baseball and judge
whether it bounces off glass (a window) or brick (no window).[*]

[To extend the analogy to the case of the hospital equipment, the argument
is that (a) if a building has a window, it *will* be hit by baseballs; if
the glass breaks, it's the window manufacturer's fault, and if there's no
metal grate over the window, it's the security admin's fault, but it's
(apparently) never the fault of the person who threw the ball -- they were
just innocently "counting windows" and never meant to break one.]

The distinction is between "passive" sensors (examining the ambient
radiation reflected off of or emitted by the target) and "active" methods
(bouncing your own probes off the target). Locating a sniffer where you can
watch other people's connections to my server is much harder than picking a
place across the street to stand -- THIS is where the technology diverges
from the analogy.

People don't generally do hard time for breaking windows with baseballs --
possibly because they tend to adopt less risky behaviour after the first time
one breaks or, often, after they're asked to go play somewhere else. I would
say that my position is that owners of servers/hosts/nodes are within their
rights to request that port-scanners desist or go elsewhere, and have other
recourse if such requests are ignored.

Some people have painted this as "scan my ports -- go to jail", the "zero
tolerance" position. There are organizations out there that might, for
reasons such as "national security", adopt that stance, but I don't consider
that reasonable for most .com/.edu/.org sites; I'm not prepared to defend
that stance as a general recommendation.

Some people have denied that owners have any such right. It has been
interesting to consider this possibility, but at this point I don't think
many minds are going to be changed -- which is why I'm limiting my own
further contributions to this thread. [If you believe you have something
really truly NEW to say on this point, I wouldn't mind a private email to
that effect.]

David G
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
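The post's point that a port scan is active (every "baseball" is a connection attempt the target sees) is also what lets a server owner notice a scan and ask the scanner to desist. The following is an added example, not code from the post or the list: it parses constructed firewall-style log lines (the line format, addresses, 60-second window and five-port threshold are all assumptions) and reports sources that probe many distinct ports on one host in a short time.

```python
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed sample lines in a simplified firewall-log format (an assumption,
# not a real product's format). The first source probes the ports the post
# lists; the other sources make ordinary single-port connections.
SAMPLE_LOG = """\
1999-07-27T10:22:01 SYN src=198.51.100.7 dst=192.0.2.10 dport=21
1999-07-27T10:22:01 SYN src=198.51.100.7 dst=192.0.2.10 dport=23
1999-07-27T10:22:02 SYN src=198.51.100.7 dst=192.0.2.10 dport=25
1999-07-27T10:22:02 SYN src=198.51.100.7 dst=192.0.2.10 dport=79
1999-07-27T10:22:03 SYN src=198.51.100.7 dst=192.0.2.10 dport=80
1999-07-27T10:22:03 SYN src=198.51.100.7 dst=192.0.2.10 dport=110
1999-07-27T10:22:04 SYN src=198.51.100.7 dst=192.0.2.10 dport=143
1999-07-27T10:22:05 SYN src=203.0.113.4 dst=192.0.2.10 dport=80
1999-07-27T10:23:10 SYN src=203.0.113.4 dst=192.0.2.10 dport=80
1999-07-27T10:30:00 SYN src=203.0.113.9 dst=192.0.2.10 dport=25
"""

LINE_RE = re.compile(r"^(\S+) SYN src=(\S+) dst=(\S+) dport=(\d+)$")

def parse(log_text):
    """Turn log lines into (timestamp, src, dst, dport) tuples; skip malformed lines."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.fromisoformat(m.group(1))
        events.append((ts, m.group(2), m.group(3), int(m.group(4))))
    return events

def find_scanners(events, window=timedelta(seconds=60), min_ports=5):
    """Map (src, dst) -> sorted ports for sources that hit >= min_ports
    distinct ports on one host within `window` (thresholds are assumptions)."""
    by_pair = defaultdict(list)
    for ts, src, dst, port in sorted(events):
        by_pair[(src, dst)].append((ts, port))
    flagged = defaultdict(set)
    for pair, probes in by_pair.items():
        start = 0  # sliding window over time-ordered probes
        for end in range(len(probes)):
            while probes[end][0] - probes[start][0] > window:
                start += 1
            ports = {p for _, p in probes[start:end + 1]}
            if len(ports) >= min_ports:
                flagged[pair].update(ports)
    return {pair: sorted(ports) for pair, ports in flagged.items()}
```

Running `find_scanners(parse(SAMPLE_LOG))` flags only the source that touched seven ports in four seconds; a host repeatedly connecting to port 80 is never flagged, which is the distinction between a scan and ordinary use.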