Re: RPAT - Realtime Proxy Abuse Triangulation

From: Greg Barnes (greg@ins.com)
Date: 12/30/02

    Date: Mon, 30 Dec 2002 14:05:54 -0600
    From: Greg Barnes <greg@ins.com>
    To: "Jay D. Dyson" <jdyson@treachery.net>

    And so I learn!!

    BTW - HUGE thanks for the clarification on ethics.

    More comments inline.

    Monday, December 30, 2002, 1:45:35 PM, you wrote:
    JDD> -----BEGIN PGP SIGNED MESSAGE-----
    JDD> Hash: SHA1

    JDD> On Mon, 30 Dec 2002, Greg Barnes wrote:

    >> JDD> Such a practice strikes me as teleologically ethical[1]. A system
    >>
    >> Technologically Ethical? Is that like 'technically honest' but not
    >> honest by any other definition?

    JDD> No. There are two primary camps in ethics: deontological and
    JDD> teleological. Deontological holds that all ethical constructs are
    JDD> absolute and unwavering, regardless of circumstance. These rules are
    JDD> typically given to humanity by a deity or some other authority.
    JDD> Teleological ethics holds that all ethical proscriptions arise from value
    JDD> assessments of undesirable consequences that come from unethical actions.
    JDD> Teleological ethics also holds that the quality of an otherwise seeming
    JDD> transgression is mitigated by both intent and outcome.

    JDD> To bust it down in the simplest terms for an example: it is wrong
    JDD> to lie. But if I was harboring Jews from the Nazis during WWII and the
    JDD> Nazis asked me if I had seen any Jews and I told them I hadn't, then I
    JDD> would have lied. That lie, while deontologically unethical, was
    JDD> teleologically ethical.

    Again, thanks for the clarification. And now that I understand the
    difference between the two ethical camps, I know enough to know
    that I will be more careful when answering questions regarding
    the ethics of an action/inaction in the future.

    >> JDD> is being abused and we recipient systems are paying the canonical
    >> JDD> price for it. And since we bear the cost of someone else's
    >> JDD> irresponsibility, we have both the right and the responsibility to
    >> JDD> pick up the slack created by the other party so that other systems
    >> JDD> do not receive the same net.abuse ours have.
    >>
    >> This would be true if you represented an extension of law enforcement.

    JDD> Actually, your assessment is inaccurate. Law enforcement is far
    JDD> more constrained in their sanctioned actions than the laity. I, for
    JDD> example, can engage in dumpster diving at will to find information I need.
    JDD> Law enforcement cannot do so without the blessing of the courts.

    And this is precisely because it is illegal. I'm not a lawyer
    (or an ethics expert !clearly!) but perusing other people's
    property appears to fall into one of the camps you describe
    earlier...So, I have to ask myself, by what standard, and by
    whom will I be judged?

    And that's the standard I will apply (I'm assuming only one
    will apply here, and if more than one applies, I have to make
    a value judgement right?).

    >> JDD> The only thing that would color such a practice as even remotely
    >> JDD> unethical would be later utilization of such findings for the
    >> JDD> purpose of further spamming or other nefarious conduct.
    >>
    >> Who defines nefarious?

    JDD> Simple. Anything you'd do that would not make your mother proud.
    JDD> ;) But seriously, we don't need to define what 'is' is here. Nefarious is
    JDD> simply a cute word I use to entail further net.abuse.

    >> The rule of law defines it. And there are agencies established for the
    >> purpose of enforcing the law.

    JDD> And while many an agent in said agencies are good people doing
    JDD> good work, the reality is that agencies are bureaucracies. And as
    JDD> bureaucracies, they move at a positively glacial pace...and with the rapid
    JDD> pace of the 'net, their involvement is not simply impractical, it's
    JDD> counterproductive. The net.realities of today have simply outpaced the
    JDD> laws provided by the legislature. Thus, relying on old (and increasingly
    JDD> archaic) laws and agencies for definition and handling of genuine
    JDD> net.realities is kludgy at best, silly at worst.

    >> JDD> As a rule, when my systems are spammed via an open relay, I do
    >> JDD> indeed perform open relay tests on the offending system to confirm
    >> JDD> that the relayed spam is genuine or trivially spoofed[2]. With
    >> JDD> those findings,
    >>
    >> So how does one justify any scanning beyond that which is required to
    >> determine the source of a problem in the course of one's day to day
    >> duties

    JDD> All scanning is done from a "rule out" standpoint. I rule out
    JDD> other possible explanations [spoofing, forgery, misconfigured MTA data] as
    JDD> it pertains to the spam that appears to have come from an open relay or
    JDD> proxy and then gather the data. Once that's done, a fairly clear picture
    JDD> of what's what has emerged.

    Ahh, so we're on the same page. We're not talking about
    scanning 65k ports then (for example)...I guess I misunderstood.

    >> and furthermore with the end goal of notifying the cognizant authority
    >> of the offense?

    JDD> Whenever my systems are attacked, I take it upon myself to
    JDD> accumulate all evidence necessary to present to the cognizant admin of the
    JDD> offending system. My reasons are twofold: first, they can use the
    JDD> information to compare to their own logs (rather than go on a large
    JDD> fishing expedition), and that saves time; second, I've met more than my
    JDD> fair share of "admins" who couldn't find their *** with both hands.
    JDD> Those folks need a *lot* of hand-holding in order to bring the net.abuse
    JDD> to a conclusion.

    >> JDD> I file my reports with the cognizant admins and/or upstream
    >> JDD> providers so that an end may be put to that nonsense.
    >>
    >> All well and good, but again - to what end, the additional scanning?

    JDD> I'm not sure what you mean. I don't keep on scanning every system
    JDD> that's poked, prodded or spammed mine after I've gathered the information
    JDD> I require. Hell, if I did that, I wouldn't have time to do anything else.

    heheheh. So let it be written then. Thanks for the response!!

    JDD> - -Jay

    JDD> ( ( _______
    JDD> )) )) .-"There's always time for a good cup of coffee."-. >====<--.
    JDD> C|~~|C|~~| (>------ Jay D. Dyson - jdyson@treachery.net ------<) | = |-'
    JDD> `--' `--' `How about a 10-day waiting period on YOUR rights?' `------'


    Regards,

    Greg

    PGP Fingerprint:
    723E 7CAD 4EF5 D904 1EE8 5279 71A5 A594 E6A7 C48E

    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management
    and tracking system please see: http://aris.securityfocus.com
