Re: RPAT - Realtime Proxy Abuse Triangulation

From: Greg Barnes <greg(at)ins.com>
Date: Mon Dec 30 2002 - 15:05:54 EST

And so I learn!!

BTW - HUGE thanks for the clarification on ethics.

More comments inline.

Monday, December 30, 2002, 1:45:35 PM, you wrote: JDD> -----BEGIN PGP SIGNED MESSAGE-----
JDD> Hash: SHA1

JDD> On Mon, 30 Dec 2002, Greg Barnes wrote:

>> JDD> Such a practice strikes me as teleologically ethical[1]. A system
>>
>> Technologically Ethical? Is that like 'technically honest' but not
>> honest by any other definition?

JDD>         No.  There are two primary camps in ethics: deontological and
JDD> teleological.  Deontological holds that all ethical constructs are
JDD> absolute and unwavering, regardless of circumstance.  These rules are
JDD> typically given to humanity by a deity or some other authority. 
JDD> Teleological ethics holds that all ethical proscriptions arise from value
JDD> assessments of undesirable consequences that come from unethical actions.
JDD> Teleological ethics also hold that the quality of an otherwise seeming
JDD> transgression is mitigated by both intent and outcome. 

JDD>         To bust it down in the simplest terms for an example: it is wrong
JDD> to lie.  But if I was harboring Jews from the Nazis during WWII and the
JDD> Nazis asked me if I had seen any Jews and I told them I hadn't, then I

JDD> would have lied. That lie, while deontologically unethical, was JDD> teleologically ethical.

Again, thanks for the clarification. And now that I understand the difference between the two ethical camps, I know enough to know that I will be more careful when answering questions regarding the ethics of an action/inaction in the future.

>> JDD> is being abused and we recipient systems are paying the canonical
>> JDD> price for it. And since we bear the cost of someone else's
>> JDD> irresponsibility, we have both the right and the responsibility to
>> JDD> pick up the slack created by the other party so that other systems
>> JDD> do not receive the same net.abuse ours have.
>>
>> This would be true if you represented an extension of law enforcement.

JDD>         Actually, your assessment is inaccurate.  Law enforcement is far
JDD> more constrained in their sanctioned actions than the laity.  I, for
JDD> example, can engage in dumpster diving at will to find information I need. 
JDD> Law enforcement cannot do so without the blessing of the courts.

And this is precisely because it is illegal. I'm not a lawyer (or an ethics expert !clearly!) but perusing other people's property appears to fall into one of the camps you describe earlier...So, I have to ask myself, by what standard, and by whom will I be judged?

And that's the standard I will apply (I'm assuming only one will apply here, and if more than one applies, I have to make a value judgement right?).

>> JDD> The only thing that would color such a practice as even remotely
>> JDD> unethical would be later utilization of such findings for the
>> JDD> purpose of further spamming or other nefarious conduct.
>>
>> Who defines nefarious?

JDD>         Simple.  Anything you'd do that would not make your mother proud.
JDD> ;)  But seriously, we don't need to define was 'is' is here.  Nefarious is
JDD> simply a cute word I use to entail further net.abuse.

>> The rule of law defines it. And there are agencies established for the
>> purpose of enforcing the law.

JDD>         And while many an agent in said agencies are good people doing
JDD> good work, the reality is that agencies are bureaucracies.  And as
JDD> bureaucracies, they move at a positively glacial pace...and with the rapid
JDD> pace of the 'net, their involvement is not simply impractical, it's
JDD> counterproductive.  The net.realities of today have simply outpaced the
JDD> laws provided by the legislature.  Thus, relying on old (and increasingly
Do you need more help?
In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software:
Learn more about Pantek's Technical Support offerings
Place an order for 24/7/365 Technical Support here
Learn more about Pantek, who we are, and what we do
Chat with a Live Operator
Related securityfocus.com Links
bugtraq
certification
focus-bsd
focus-ids
focus-ih
focus-linux
focus-ms
focus-sun
focus-unix-other
focus-virus
forensics
incidents
libnet
linux-secnews
ms-secnews
pen-test
secpapers
secprog
sectools
secureshell
security-basics
securityjobs
sf-news
vuln-dev
webappsec
Request more information about Pantek
JDD> archaic) laws and agencies for definition and handling of genuine
JDD> net.realities is kludgy at best, silly at worst. 

>> JDD> As a rule, when my systems are spammed via an open relay, I do

>> JDD> indeed perform open relay tests on the offending system to confirm

>> JDD> that the relayed spam is genuine or trivially spoofed[2]. With
>> JDD> those findings,
>>
>> So how does one justify any scanning beyond that which is required to

JDD>         All scanning is done from a "rule out" standpoint.  I rule out
JDD> other possible explanations [spoofing, forgery, misconfigured MTA data] as
JDD> it pertains to the spam that appears to have come from an open relay or
JDD> proxy and then gather the data.  Once that's done, a fairly clear picture
JDD> of what's what has emerged.

Ahh, so we're on the same page. We're not talking about scanning 65k ports then (for example)...I guess I misunderstood.

>> and furthermore with the end goal of notifying the cognizant authority
>> of the offense?

JDD>         Whenever my systems are attacked, I take it upon myself to
JDD> accumulate all evidence necessary to present to the cognizant admin of the
JDD> offending system.  My reasons are twofold: first, they can use the
JDD> information to compare to their own logs (rather than go on a large
JDD> fishing expedition), and that saves time; second, I've met more than my
JDD> fair share of "admins" who couldn't find their butt with both hands.
JDD> Those folks need a *lot* of hand-holding in order to bring the net.abuse
JDD> to a conclusion.

>> JDD> I file my reports with the cognizant admins and/or upstream
>> JDD> providers so that an end may be put to that nonsense.
>>
>> All well and good, but again - to what end, the additional scanning?

JDD>         I'm not sure what you mean.  I don't keep on scanning every system
JDD> that's poked, prodded or spammed mine after I've gathered the information
JDD> I require.  Hell, if I did that, I wouldn't have time to do anything else. 

heheheh. So let it be written then. Thanks for the response!!

JDD> - -Jay

JDD>    (    (                                                         _______
JDD>    ))   ))   .-"There's always time for a good cup of coffee."-.   >====<--.

JDD> C|~~|C|~~| (>------ Jay D. Dyson - jdyson@treachery.net ------<) | = |-' JDD> `--' `--' `How about a 10-day waiting period on YOUR rights?' `------'

JDD> -----BEGIN PGP SIGNATURE-----
JDD> Version: GnuPG v1.0.7 (TreacherOS)
JDD> Comment: See 
http://www.treachery.net/~jdyson/ for current keys.

JDD> iD8DBQE+EKJkTqL/+mXtpucRAkMHAJ9roysRFsNI0t2z874ID5xjIfgSZgCeM7vY
JDD> m5AmsjNb4QAmxoKOg71SKOA=

JDD> =TL7v
JDD> -----END PGP SIGNATURE----- -

Regards,

Greg

PGP Fingerprint:
723E 7CAD 4EF5 D904 1EE8 5279 71A5 A594 E6A7 C48E

---

This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com Received on Mon Dec 30 16:06:42 2002