Security Incidents mailing list archives

Re: A question for the list...
From: Chip Mefford <cmefford () avwashington com>
Date: Tue, 20 May 2003 17:23:44 -0400

Steven wrote:
In-Reply-To: <3EC6C60E.1070706 () pclocals com>

A fun thread, indeed.
Indeed

Some elements to consider -

a) Current inter-network is based on the assumption of competence.
If you offer a service on an external NIC,
snip for space (sfs)

You telnet to some.com. No tricks, no hacks, no nada. Username: Guest. Password: [blank]. You get a shell.

Should you be there?

With you so far

b) (Yep, this one's bounds check, but...) Admin of a machine had ample time and opportunity to mitigate an exploit vector, but didn't. His box gets exploited. The competence element implies that he intended that an exploit using that vector should occur,

I don't think this is fair.
To wit;
I engage in social interaction every day.
Meeting strangers at the counter at the local
convenience store does not imply that I accept
a violent mugging, robbery, et al even though
I was aware that the potential for this exploit
existed and I was in a common area.
(sfs)
> any usage of that vector (and anything resulting from it) to be acceptable,

I don't think this is so. I think the logic
fails. Just because my wallet is in my pocket
doesn't make it okay for "guest" to take, even though
the pocket is pretty much accessible to anyone
in the physical "net" of my immediate space.


On the other hand, if the admin claims no responsibility for the exploited behavior, then he has implicitly denied having any authority over it.

I concur here.
Overall, as you said, interesting thread.

--
|"Reality must take precedence over public relations,
|for nature cannot be fooled."
| --Richard P. Feynman

Chip Mefford, generalist
cmefford () avwashington com

AVWashington
1 Export Drive
Sterling, VA 20164-4421

tel 703.404.8900
fax 703 404.8940

www.avwashington.com

Our fourth decade.
avitecture (sm): audiovisual systems for architecture

