Home page logo
/

basics logo Security Basics mailing list archives

RE: FW: Legal? Road Runner proactive scanning.[Scanned]
From: "David Gillett" <gillettdavid () fhda edu>
Date: Thu, 18 Mar 2004 09:27:57 -0800

-----Original Message-----
From: Ansgar -59cobalt- Wiechers [mailto:bugtraq () planetcobalt net]
Subject: Re: FW: Legal? Road Runner proactive scanning.[Scanned]

Ansgar -59cobalt- Wiechers said:

Your are going to explain how you are going to do that, e.g. for
publically available services on ports that are not well-known,
aren't you? And even if so, what's it hurt if someone goes finding
out for himself? I still don't get your point.

Which word exactly of "ports that are not well-known" didn't you
understand?

A portscan is a method of taking a wide-angle snapshot of my system.
Not quite the same thing.  Hope that explains it.

No. I still fail to see how you are going to provide arbitrary users
with the information I mentioned above.

  In what way does the discovery that some unknown -- and, in the Internet
of 2004 as opposed to 1994 or even earlier, quite possibly UNAUTHORISED --
service on my box is listening to port 12345 provide to you the information
that a service you want and believe (why? ESP?) that I provide via my box
is, in fact, the service on that port?  Answer:  It doesn't.
  If I want a service to be *publically* available, that doesn't mean 
"available to anyone who portscans my box and then reads my mind to find
out what's on those ports".  It means that I'm either going to put the
services on well-known ports, or I'm going to find some way to advertise
the service -- not just its port number, but enough information so that
the wider public can actually make use of it.  My failure to do so is
not anybody else's problem to try and solve.

David Gillett



---------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off 
any course! All of our class sizes are guaranteed to be 10 students or less 
to facilitate one-on-one interaction with one of our expert instructors. 
Attend a course taught by an expert instructor with years of in-the-field 
pen testing experience in our state of the art hacking lab. Master the skills 
of an Ethical Hacker to better assess the security of your organization. 
Visit us at: 
http://www.infosecinstitute.com/courses/ethical_hacking_training.html
----------------------------------------------------------------------------


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]