Re: Scanning the Internet for Vulnerabilities
Yeah that's another thing, "research" cause you need to learn it let's have them do it too, multiply that by every university \o/
-- J. Hellenthal
The fact that there's a highway to Hell but only a stairway to Heaven says a lot about anticipated traffic volume.
On Jun 20, 2022, at 06:22, Carsten Bormann <cabo@tzi.org> wrote:
On 2022-06-20, at 04:18, Mel Beckman <mel@beckman.org> wrote:
When researchers, or whoever, claim their scanning is an altruistic service, I ask them if they would mind someone coming to their home and trying to open all the doors and windows every night.
Well, it is more like the guy who comes once a year and checks that your central heating is not going to blow up.
(Disclaimer: I have supervised students who designed and executed benign mass-scans of the IPv4 Internet in order to validate hypotheses about market penetration of certain security updates, and I definitely would do that again if there is a good reason to perform such a scan.)
Grüße, Carsten
J.,
On 2022-06-20, at 14:14, J. Hellenthal <jhellenthal@dataix.net> wrote:
Yeah that's another thing, "research" cause you need to learn it let's have them do it too, multiply that by every university \o/
there was some actual research involved.
I agree that there should be a very good reason to expend a tiny bit of everyone’s resources on this.
I do not agree that this externality makes any research in this space unethical.
You signed up for this when you joined the Internet (er, stuck with the IPv4 Internet, I should probably say).
Grüße, Carsten
On Mon, Jun 20, 2022 at 02:47:27PM +0200, Carsten Bormann wrote:
J.,
On 2022-06-20, at 14:14, J. Hellenthal <jhellenthal@dataix.net> wrote:
Yeah that's another thing, "research" cause you need to learn it let's have them do it too, multiply that by every university \o/
No no, not saying there wasn't. Research is needed for sure and education is very important. But the fact of most matters stands in that area where some code may not exactly be up to par from "some students" and still exhaust itself on the public internet of things where little real oversight actually happens from its origin until it has already impacted multiple destinations that did not ask for it. Definitely did sign up for it! And with all the proper checks and balances, can handle them appropriately at 2am when N students have been asleep letting their code run wild. Sorry, not picking on "you/this" in particular on your part. It's just not all of them are exactly up to par while following what they believe are best practices governed by an instructor (not you) that deems it benign, where I have found some instructors/educators have very little knowledge in the field whatsoever beyond a textbook and a home computer/lab.
I look forward to the school years to begin; it brings a challenge where traffic from skids drops between certain hours in different countries and the detection begins for advertisement scanners and real threats. Noise is cool, it gives pretty results where the ugly of the networks typically just annoy you. Not cool when it's amplified by N number of whatever (advertising/company/students) like a UDP amplification attack but initiated by india.edu, america.edu, X.edu all at the wrong time.
Anyway I retract. Happy Father's Day yesterday, and hope all your weekends have been great.
there was some actual research involved.
I agree that there should be a very good reason to expend a tiny bit of everyone’s resources on this.
I do not agree that this externality makes any research in this space unethical.
You signed up for this when you joined the Internet (er, stuck with the IPv4 Internet, I should probably say).
Grüße, Carsten
-- The fact that there's a Highway to Hell but only a Stairway to Heaven says a lot about anticipated traffic volume.
On Mon, 20 Jun 2022, Carsten Bormann wrote:
On 2022-06-20, at 14:14, J. Hellenthal <jhellenthal@dataix.net> wrote:
Yeah that's another thing, "research" cause you need to learn it let's have them do it too, multiply that by every university \o/
there was some actual research involved.
I agree that there should be a very good reason to expend a tiny bit of everyone’s resources on this.
I do not agree that this externality makes any research in this space unethical.
Consent is what makes it unethical.
You signed up for this when you joined the Internet (er, stuck with the IPv4 Internet, I should probably say).
"If you don't like the unsolicited email, just hit delete"? How about ... NO.
-Dan
On 2022-06-20, at 19:36, goemon--- via NANOG <nanog@nanog.org> wrote:
On Mon, 20 Jun 2022, Carsten Bormann wrote:
On 2022-06-20, at 14:14, J. Hellenthal <jhellenthal@dataix.net> wrote:
Yeah that's another thing, "research" cause you need to learn it let's have them do it too, multiply that by every university \o/
there was some actual research involved.
I agree that there should be a very good reason to expend a tiny bit of everyone’s resources on this.
I do not agree that this externality makes any research in this space unethical.
Consent is what makes it unethical.
You consented to receiving packets by connecting to the Internet. Now there is a limit to that consent (e.g., when these packets have an actual material negative effect), and here we enter an area where all simple schematic approaches fail — you really have to think about outcomes instead of expounding fundamentalist stances.
You signed up for this when you joined the Internet (er, stuck with the IPv4 Internet, I should probably say).
"If you don't like the unsolicited email, just hit delete"?
How about ... NO.
How about: It’s really hard to properly apply analogies.
Unsolicited email wastes people’s time, and actually a lot of that. (Responsibly performed) packet probes waste machine time, and very little so. (If you are wasting human time on packet probes, you are holding it wrong.) Totally different outcome, and hence totally different ethics.
This “discussion” is getting a bit off-topic.
Grüße, Carsten
Carsten,
The discussion is not getting far afield: it’s on point. And it’s a hugely germane topic for network operators.
Regarding your claim “You consented to receiving packets when connecting to the Internet”, I counter with what is in virtually every ISP’s AUP for customers: Unauthorized port scanning is expressly prohibited. In fact, when I Google that precise phrase along with “Acceptable Use Policy” I get thousands of hits.
I strongly suspect that this is probably also a violation of the U.S. Computer Abuse and Fraud Act, which criminalizes anyone who “Intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains … information from any protected computer.” A great many VA plug-ins attempt to — and often do — extract information they’re not authorized to.
-mel
On Jun 20, 2022, at 1:11 PM, Carsten Bormann <cabo@tzi.org> wrote:
On 2022-06-20, at 19:36, goemon--- via NANOG <nanog@nanog.org> wrote:
On Mon, 20 Jun 2022, Carsten Bormann wrote:
On 2022-06-20, at 14:14, J. Hellenthal <jhellenthal@dataix.net> wrote:
Yeah that's another thing, "research" cause you need to learn it let's have them do it too, multiply that by every university \o/
there was some actual research involved.
I agree that there should be a very good reason to expend a tiny bit of everyone’s resources on this.
I do not agree that this externality makes any research in this space unethical.
Consent is what makes it unethical.
You consented to receiving packets by connecting to the Internet.
Now there is a limit to that consent (e.g., when these packets have an actual material negative effect), and here we enter an area where all simple schematic approaches fail — you really have to think about outcomes instead of expounding fundamentalist stances.
You signed up for this when you joined the Internet (er, stuck with the IPv4 Internet, I should probably say).
"If you don't like the unsolicited email, just hit delete"?
How about ... NO.
How about: It’s really hard to properly apply analogies.
Unsolicited email wastes people’s time, and actually a lot of that. (Responsibly performed) packet probes waste machine time, and very little so. (If you are wasting human time on packet probes, you are holding it wrong.) Totally different outcome, and hence totally different ethics.
This “discussion” is getting a bit off-topic.
Grüße, Carsten
On 2022-06-20, at 23:02, Mel Beckman <mel@beckman.org> wrote:
Carsten,
The discussion is not getting far afield: it’s on point. And it’s a hugely germane topic for network operators.
Regarding your claim “You consented to receiving packets when connecting to the Internet”, I counter with what is in virtually every ISP’s AUP for customers: Unauthorized port scanning is expressly prohibited.
Of course they don’t want their customers to do that. (They might find out that the ISP is cooking with water…) I’m not your customer, though.
I strongly suspect that this is probably also a violation of the U.S. Computer Abuse and Fraud Act, which criminalizes anyone who “Intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains … information from any protected computer.” A great many VA plug-ins attempt to — and often do — extract information they’re not authorized to.
You would think so, but then it turns out the CFAA is not actually being policed in the way you think it should be. (The whole thing is a bit of a “soviet law” situation, where everyone is routinely doing things that could theoretically be criminalized, but aren’t, except when some thug is exceptionally interested in doing so and can thus abuse the law to exert unreasonable power over you.) So CFAA is more a case of us logical people trying to interpret a law that clearly is not subject to applying logic.
In any case, I’d argue I’m concludently authorized by you having opened to my access that port I’m probing — the computer simply isn’t “protected”.
.oOo.
I can understand very well that everyone here is allergic to the large-scale scanners (most of which are done in a spectacularly stupid way) that are loading our servers. That problem is not being solved by banning well-thought-out academic research; you wouldn’t be able to note the difference if that stopped.
(Oh, and, as a service, our ISP scans our ports and looks for vulns, which is a good service so we don’t have to do this as much for systems set up by our students.)
Grüße, Carsten
participants (5)
- Carsten Bormann
- goemon@sasami.anime.net
- J. Hellenthal
- J. Hellenthal
- Mel Beckman