Re: A question for the list...
From: Chip Mefford (cmefford_at_avwashington.com)
Date: 05/20/03
- Previous message: Mark Ng: "RE: A question for the list..."
- In reply to: Steven: "Re: A question for the list..."
- Next in thread: Dave Sharp: "RE: A question for the list..."
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Tue, 20 May 2003 17:23:44 -0400
To: Steven <steve@twcny.rr.com>
Steven wrote:
> In-Reply-To: <3EC6C60E.1070706@pclocals.com>
>
> A fun thread, indeed.
Indeed
>
> Some elements to consider -
>
> a) Current inter-network is based on the assumption of competence.
> If you offer a service on an external NIC,
snip for space (sfs)
> You telnet to some.com. No tricks, no hacks, no nada. Username: Guest.
> Password: [blank]. You get a shell.
>
> Should you be there?
With you so far
> b) (Yep, this one's bounds check, but...) Admin of a machine had ample
> time and opportunity to mitigate an exploit vector, but didn't. His box
> gets exploited. The competence element implies that he intended that an
> exploit using that vector should occur,
I don't think this is fair.
To wit;
I engage in social interaction every day.
Meeting strangers at the counter at the local
convenience store does not imply that I accept
a violent mugging, robbery, et al even though
I was aware that the potential for this exploit
existed and I was in a common area.
(sfs)
> any usage of that vector (and anything
> resulting from it) to be acceptable,
I don't think this is so. I think the logic
fails. Just because my wallet is in my pocket
doesn't make it okay for "guest" to take, even though
the pocket is pretty much accessible to anyone
in the physical "net" of my immediate space.
> On the other hand, if the admin claims no responsibility for the exploited
> behavior, then he has implicitly denied having any authority over it.
I concur here.
Overall, as you said, interesting thread.
--
|"Reality must take precedence over public relations,
|for nature cannot be fooled."
| --Richard P. Feynman

Chip Mefford, generalist
cmefford@avwashington.com
AVWashington
1 Export Drive
Sterling, VA 20164-4421
tel 703.404.8900 fax 703 404.8940
www.avwashington.com
Our fourth decade.
avitecture (sm): audiovisual systems for architecture