Re: Malicious use of grc.com

From: H C (keydet89at_private)
Date: Wed Nov 28 2001 - 10:54:28 PST

Next message: B.K. DeLong: "Black Hat Windows Sec. Briefings CFP - Deadline 12/15"

Previous message: Ryan Permeh: "Re: xor encoding / decoding of shellcode"
In reply to: Aussie: "Re: Malicious use of grc.com"
Next in thread: Chris: "Re: Malicious use of grc.com"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

> Is it my ignorance, or does Gibson seem to not
> really understand that the 
> port scans in question HAVE a valid IP...his systems
> and therefore are 
> being returned, via his systems, to the attacker who
> has just effectively 
> hidden his (her?) real IP by using Gibson's IP range
> instead. Is this not 
> a form of spoofing?

I think Gibson fully understands this...and he also
understands that in the US, port scanning is not
illegal.  Therefore, no one can come to him and take
an legal action against him if someone else scans his
site.  After all, even if someone does use the
information returned from a port scan to then attack
and compromise a site, once they start to do so, they
no longer can use Gibson's site (at this point,
anyway).  Once they get the port scan data back, they
have to either attack the target site directly, or
launch their attacks through some other proxy or
port-redirection mechanism.

> Is Gibson suggesting that his unauthorised (by me)
> and unwanted (by me) 
> checks of certain ports on MY system should not be
> defined by me as attacks or intrusion attempts? 

They aren't.  Regardless of what you may think or feel
about the subject, the US legal system (and several
European ones that I'm aware of) do not consider port
scanning illegal.

> Further, by what right does Gibson 
> determine that MY firewall/IDS is faulty because it
> deliberately 
> generates reports to indicate that someone port
> scanned me without my 
> authorisation? If someone scans the 10 ports or so
> that Gibson's Shield-
> Up product scans, I like to think that I have every
> right to determine 
> that the person has attacked and possibly attempted
> an intrusion on my 
> private systems. Maybe I'm completely wrong, after
> all, IANAL.

To be completely honest, your above statement doesn't
make any sense to me...but maybe it's just me.  I've
handled "abuse@" emails for a large telecomm/ISP, and
I've seen threats of legal action for single ICMP
packets.

"I like to think that I have every right to determine 
that the person has attacked and possibly attempted
an intrusion on my private systems."

Well, of course you do.  You have every right to NOT
believe what Gibson says.  But I fail to see how a
couple of SYN packets, most of which are most likely
dropped by the firewall or responded to as closed
ports anyway, constitutes an "attack" or "possible
attempted intrusion".


__________________________________________________
Do You Yahoo!?
Yahoo! GeoCities - quick and easy web site hosting, just $8.95/month.
http://geocities.yahoo.com/ps/info1

Next message: B.K. DeLong: "Black Hat Windows Sec. Briefings CFP - Deadline 12/15"
Previous message: Ryan Permeh: "Re: xor encoding / decoding of shellcode"
In reply to: Aussie: "Re: Malicious use of grc.com"
Next in thread: Chris: "Re: Malicious use of grc.com"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Wed Nov 28 2001 - 11:53:40 PST