Home page logo
/

basics logo Security Basics mailing list archives

RE: application for an employment
From: "Soderland, Craig" <craig.soderland () sap com>
Date: Fri, 24 Mar 2006 15:00:08 -0500

I believe the correct analogy is that Mathias walked down the street knocking on doors, and came to one when he knocked 
swung wide open (as it was never closed properly) as long as he does not cross the threshold no BNE has occurred. If he 
left a note telling his neighbor to push the door completely closed, so that it latches, he is basically a good 
Samaritan. 

And in the US this should keep him legally in the clear, though to may not preclude the neighbor form going after him 
civilly since people over here can sue for any darn reason that they want. 

However when we are talking about a computer system/network, at what point is he knocking on the Door, and what point 
is he  stepping over the threshold. 

Running Nessus to map a system is akin, to a knock trying to connect is akin to jiggling the door and if it opens 
stepping over the threshold. Running a Sploit, is well kicking the door in and walking in. It all boils down to intent. 
If he is freely offering up his findings, from merely knocking. It can be argued that no trespass has occurred, as he 
has not yet crossed that threshold. And since he is freely given his findings, well there is not a case of extortion. 
At any other level, a trespass has occurred and well the laws are pretty clear about that. 

 

-----Original Message-----
From: L G [mailto:nitziya74 () hotmail com] 
Sent: Wednesday, March 22, 2006 7:23 PM
To: security-basics () securityfocus com
Subject: Re: application for an employment

This is a good thread which begs further discussion.

My question is, at what point is it illegal?  Do we have correspondents on this list better versed in the law?  
Obviously, based Randal's experience, you need to be careful in Oregon, but at what point is port scanning illegal?  
And what are the precedents?

Is dig-ing illegal?  Are not dns entries, domain names and associated ip ranges, and net block owners all public 
knowledge?

I guess the crudest part of my question is, was Mathias picking a lock, or did he see a door hanging wide open?
And at what point is someone going through an open door versus looking in a window versus admiring someone's 
architecture from the street?

lg

----- Original Message -----
From: "Al Gettier" <agettier () tealeaf com>
To: <security-basics () securityfocus com>
Sent: Tuesday, March 21, 2006 1:57 PM
Subject: RE: application for an employment


What you did might be illegal without their permission.  Take a look at the
Randal Schwartz situation over 10 years ago:

http://www.lightlink.com/spacenka/fors/



-----Original Message-----
From: Steveb () tshore com [mailto:Steveb () tshore com]
Sent: Tuesday, March 21, 2006 7:14 AM
To: MatzeGuentert () gmx de; security-basics () securityfocus com
Subject: RE: application for an employment

Not if you want them to employ you.  It's not good practice to probe their
network without their permission.  There may be a serious lack of trust if
you reveal to them that you where doing so without going through proper
channels.

-----Original Message-----
From: Matthias Güntert [mailto:MatzeGuentert () gmx de]
Sent: Monday, March 20, 2006 7:46 AM
To: security-basics () securityfocus com
Subject: application for an employment

Dear listmembers,

i am seeking for a new job as a Unix/Linux systemadministrator. There has
been an advertisement at a well known university. So I started to prepare my
self for the application. While collecting some information about the
network, using nmap, dig, etc... I was able to read the whole namespace from
the ip range (255.255.0.0)

My question is should I use some of the information I have found out to push
my application forward? What do you think how a director would react?

--
Mit freundlichen Grüßen

                Matthias Güntert


---------------------------------------------------------------------------
EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The Norwich University program offers unparalleled Infosec management
education and the case study affords you unmatched consulting experience.
Tailor your education to your own professional goals with degree
customizations including Emergency Management, Business Continuity Planning,
Computer Emergency Response Teams, and Digital Investigations.

http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------


---------------------------------------------------------------------------
EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The Norwich University program offers unparalleled Infosec management
education and the case study affords you unmatched consulting experience.
Tailor your education to your own professional goals with degree
customizations including Emergency Management, Business Continuity Planning,
Computer Emergency Response Teams, and Digital Investigations.

http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------


---------------------------------------------------------------------------
EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The Norwich University program offers unparalleled Infosec management 
education and the case study affords you unmatched consulting experience. 
Tailor your education to your own professional goals with degree 
customizations including Emergency Management, Business Continuity Planning, 
Computer Emergency Response Teams, and Digital Investigations. 

http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------


---------------------------------------------------------------------------
EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The Norwich University program offers unparalleled Infosec management
education and the case study affords you unmatched consulting experience.
Tailor your education to your own professional goals with degree
customizations including Emergency Management, Business Continuity Planning,
Computer Emergency Response Teams, and Digital Investigations.

http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault