Re: A question for the list...

From: Chip Mefford (cmeffordat_private)
Date: Tue May 20 2003 - 14:23:44 PDT


    Steven wrote:
    > In-Reply-To: <3EC6C60E.1070706at_private>
    > 
    > A fun thread, indeed.
    Indeed
    > 
    > Some elements to consider -
    > 
    > a) Current inter-network is based on the assumption of competence.
    > If you offer a service on an external NIC,
    snip for space (sfs)
    
    > You telnet to some.com. No tricks, no hacks, no nada.  Username: Guest.  
    > Password: [blank].  You get a shell.
    > 
    > Should you be there?
    
    With you so far
    
    > b) (Yep, this one's bounds check, but...) Admin of a machine had ample 
    > time and opportunity to mitigate an exploit vector, but didn't. His box 
    > gets exploited. The competence element implies that he intended that an 
    > exploit using that vector should occur,
    
    I don't think this is fair.
    To wit;
    I engage in social interaction every day.
    Meeting strangers at the counter at the local
    convenience store does not imply that I accept
    a violent mugging, robbery, et al even though
    I was aware that the potential for this exploit
    existed and I was in a common area.
    (sfs)
    > any usage of that vector (and anything
    > resulting from it) to be acceptable,
    
    I don't think this is so. I think the logic
    fails. Just because my wallet is in my pocket
    doesn't make it okay for "guest" to take, even though
    the pocket is pretty much accessible to anyone
    in the physical "net" of my immediate space.
    
    
    > On the other hand, if the admin claims no responsibility for the exploited 
    > behavior, then he has implicitly denied having any authority over it.
    
    I concur here.
    Overall, as you said, interesting thread.
    
    -- 
    |"Reality must take precedence over public relations,
    |for nature cannot be fooled."
    | --Richard P. Feynman
    
    Chip Mefford, generalist
    cmeffordat_private
    
    AVWashington
    1 Export Drive
    Sterling, VA 20164-4421
    
    tel 703.404.8900
    fax 703 404.8940
    
    www.avwashington.com
    
    Our fourth decade.
    avitecture (sm): audiovisual systems for architecture
    
    
    



    This archive was generated by hypermail 2b30 : Wed May 21 2003 - 09:25:34 PDT