Home page logo
/

basics logo Security Basics mailing list archives

Re: [Silly analogy]
From: Ed Spencer <espencer () usa net>
Date: Sun, 21 Mar 2004 16:35:17 -0900

Silly analogies?  Why not use one that I've used before and from what I can
tell it seems pretty accurate.

Port scanning is like driving down the street making a list of every window,
door or opening on your house.  The problem is that they only list one
window/door/opening every time they drive down your street (showing the
potential increase in traffic over normal from a single host/car).

If you go further and identify the version of the services that are running
it's like making a note of the manufacturer of every one of those openings,
and what type of room is on the other side.

If you search for vulnerabilities based on the manufacturer/type of entrance
it's like making a note of how to bypass the locks on each of those types of
entry points.

Keep in mind that technically you've broken no laws up to this point.  If the
police were notified you'd likely be stopped for questioning, but probably not
arrested.

The reason is that at no time does port scanning make a list of what's inside
the room/the type of data being stored (hence the lack of peeking in the
window type analogies), identify a specific vulnerability (checks to see if
the door/window is locked/if the service can be exploited), or attempt to gain
unauthorized access (push on the door/try to lift the window/try to gain
access to protected data).  All of these type of events would be performed by
security scanning software, hacker/cracker tools, or other similar means. 
These types of checks are also highly suspect and in most cases, illegal.

An additional note I usually add when I discuss this with a class is that if
this is done by knowledgeable security personnel within the company it's like
the police/hired security company doing the same thing, only they you should
get a list of things you should do to prevent someone from kicking in your
door/smashing your window, etc.   This makes you more secure in your own
home/workplace and should be done on a semi-regular basis.

Analogies are a great teaching tool as long as they are effective in
identifying what's actually going on.  Of course, if  you think my analogy is
crazy/silly/whatever, that's your perogative.  Just thought I'd share what
I've used with the students I've had in the past to have them understand more
clearly.

Ed Spencer
MCSE/MCT/MCP/CNA/A+/Security+/Network+
Network Technican
University of Alaska Fairbanks.

"Joe Dumass" <joe_dumass () hotmail com> wrote:



Ok, I'd like to make my silly analogy of port scanning...

It's not the benign peeking in windows thing; I mean, come on, it's not THAT

passive.  I'd liken it to knocking on a door to see if someone's home, and 
then running away if someone answers / opens the door.  Annoying yes.  
Illegal?  I wouldn't think so, unless someone's got a restraining order out

on you.

But if the door's a-knocking, watch out for flaming bags of dog turds.


Would you please stop making up stupid anlogies? Thank you. A port scan
is not telling someone what's inside your house. It tells just which of
the stores in the basement are open.

OK, the analogies are getting really silly.

_________________________________________________________________
Get reliable access on MSN 9 Dial-up. 3 months for the price of 1! 
(Limited-time offer)
http://click.atdmt.com/AVE/go/onm00200361ave/direct/01/


---------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off 
any course! All of our class sizes are guaranteed to be 10 students or less

to facilitate one-on-one interaction with one of our expert instructors. 
Attend a course taught by an expert instructor with years of in-the-field 
pen testing experience in our state of the art hacking lab. Master the
skills 
of an Ethical Hacker to better assess the security of your organization. 
Visit us at: 
http://www.infosecinstitute.com/courses/ethical_hacking_training.html

----------------------------------------------------------------------------






---------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off
any course! All of our class sizes are guaranteed to be 10 students or less
to facilitate one-on-one interaction with one of our expert instructors.
Attend a course taught by an expert instructor with years of in-the-field
pen testing experience in our state of the art hacking lab. Master the skills
of an Ethical Hacker to better assess the security of your organization.
Visit us at:
http://www.infosecinstitute.com/courses/ethical_hacking_training.html
----------------------------------------------------------------------------


  By Date           By Thread  

Current thread:
  • Re: [Silly analogy] Ed Spencer (Mar 23)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]