On 2006-03-30 David Gillett wrote:
Thursday, March 30, 2006 10:35 AM, Ansgar -59cobalt- Wiechers wrote:
On 2006-03-30 David Gillett wrote:
Suppose you want to send me an email. By your argument, your only
option is to scan our whole address block(s!) looking for machines
that will answer on port 25.
Bzzzt! WRONG! Do a DNS lookup for the MX records for our domain.
So, how do I do a DNS lookup without somehow accessing port 53/udp of
a DNS server that I do not own? How do I get permission to do that?
You don't. You send your DNS query to a server you *do* have
permission to access, and it queries servers that *it* has permission
to, and so on. By registering our domain, we've given the root servers
permission to refer queries *about our domain* to the servers we've
registered.
You're contradicting yourself. A root server may refer my query to your
server, but it's still my server connecting to your server to do the
actual query, thus it must somehow have gotten your permission. Besides,
how do I get permission to access the root servers or any other upstream
DNS server not owned by myself?
Suppose you want to register online to take courses here. By your
argument, your only option is to scan our address space for hosts
that answer on ports 80 and 443.
Bzzzt! WRONG! Point your browser at the college homepage (you
could Google for it) and follow the links to "Registration".
So, how does Google get the address of your webserver? Or permission
to access/index it? How do I get permission to access Google? And how
does a listing of $something in Google give me the permission to
access it?
AFAIK, Google still supports a mechanism for telling them about
specific pages to be indexed. And their spider plays by the
robots.txt rules, which your port scanner probably does not.
That doesn't answer the questions. To read a robots.txt the spider must
already have connected to your server. How does Google get permission to
do that? And how do I get permission to access Google?
Suppose you want to compromise one of our hosts to set up a warez
server. By your argument, your only option is to scan our address
space looking for a host running a service for which you have an
exploit available.
Uh, wait. You just lost the qualifier "legitimate".
I was by no means talking about exploits. In fact I expressly stated
that one may be held liable when breaking something (which you
obviously chose to ignore for whatever reason).
Oh, okay, let's exclude all non-legitimate examples. Then give me a
legitimate one, please, that I *can't* knock down.
I already gave you some. Up to now you failed to knock them down. In
fact you didn't answer a single question of mine.
If I want you to be able to use a service X on host Y, I will find
some way to advertise that service. If I don't advertise the
service, it may be something that I don't even know is there --
perhaps installed silently by the OS or some legitimate application,
or perhaps by some cracker. In neither case is there a presumption
that I'm inviting you to use it, if only you can find it.
That's ridiculous and you know it. The Internet does not have
advertisement mechanisms for services. The network is public and so
is every service on it. It was your decision to put the box into a
public network and there are ways to know what services it provides
(and to disable those services you don't want to provide). I cannot
know if you made a service available on purpose, and I do not have to
assume that you didn't. If I had to, the Internet would have to be
shut down right this second.
I've already listed two "advertising" mechanisms, without going into
silly proprietary endeavors like SLP.
Neither of them would work if you were right, and both of them are very
specific in their advertisements. I repeat: there is no general
advertisement mechanism for services in the Internet. And I still can
neither know nor assume that any service is not provided purposely,
unless it requires authentication of some sort.
Bottom line: If you don't want your property trespassed, don't put it
into public places.
Our data center is not, by any stretch, a public place.
Does it have a public IP address? Does it provide services towards the
Internet? If so: how can it *not* be a public place?
By your analogy, my lawn becomes a public parking lot because a
driveway connects it to the street.
No, my analogy doesn't allow that conclusion. At all.
Once again, "Bzzzt! Wrong."
Yes, you are.
Regards
Ansgar Wiechers
--
"All vulnerabilities deserve a public fear period prior to patches
becoming available."
--Jason Coombs on Bugtraq
---------------------------------------------------------------------------
EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The Norwich University program offers unparalleled Infosec management
education and the case study affords you unmatched consulting experience.
Tailor your education to your own professional goals with degree
customizations including Emergency Management, Business Continuity Planning,
Computer Emergency Response Teams, and Digital Investigations.
http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------
