Computer Security - Notifying user of open Internet access
#1

I was using some IP discovery tools, and found an IP address on my provider's subnet with multiple open shares. This person is definitely open to problems. It took no effort to map a share, and see all their files. Ethically, it is wrong, but feel bad this person is exposed. How would YOU handle this situation. If I send an anonymous email, then that person could search the ISP log, and trace back. It is like watching someone in a car crash bleeding to death, and not helping. Should I inform the user of their vulnerabilities? Contact the ISP??

What would you do.

Ready for the "FLAME" war...but I am serious...I would want to know, if I was that vulnerable.

EDOOD

#2

In article <Jarud.41139$> , "EDOOD" <info<nospam>@thecomputerdood.com> says...
> I was using some IP discovery tools, and found an IP address on my provider's
> subnet with multiple open shares. This person is definitely open to
> problems. It took no effort to map a share, and see all their files.
> Ethically, it is wrong, but feel bad this person is exposed. How would YOU
> handle this situation. If I send an anonymous email, then that person could
> search the ISP log, and trace back. It is like watching someone in a car
> crash bleeding to death, and not helping. Should I inform the user of their
> vulnerabilities? Contact the ISP??
>
> What would you do.

I would report you to the local ISP for scanning my computer and hope they yank your service.

What you did is a direct violation of most ISP's terms of service and AUP. As noble as you think your actions are/were, you are no different than the countless number of hackers in your actions. Since you have no permission to scan the ISP's network, no permission to access the user's shares, you are in violation of many ethics rules and possibly could lose your service.

--
--
(Remove 999 to reply to me)

Leythos

#3

On Sat, 11 Dec 2004 01:05:33 GMT, Leythos <> wrote:
>I would report you to the local ISP for scanning my computer and hope
>they yank your service.
##########################
That wasn't his question. He asked if he should inform them about the hole. I don't think he should. They might try to blame him for the problem which is the usual response. Don't try to be a hero. Pretend you never even saw it.

donnie.

donnie

#4

An analogy I've heard ... it's perfectly legal to walk around in an apartment building, just not legal to walk into someone's apartment, even if the door is open. I once did basically the same as you ... I was amazed at the information available ... I stopped. My recommendation ... do nothing ... it's their property, their responsibility. And stay off other people's PCs.

"EDOOD @thecomputerdood.com>" <info<nospam> wrote in message news:Jarud.41139$. com...
> I was using some IP discovery tools, and found an IP address on my provider's
> subnet with multiple open shares. This person is definitely open to
> problems. It took no effort to map a share, and see all their files.
> Ethically, it is wrong, but feel bad this person is exposed. How would YOU
> handle this situation. If I send an anonymous email, then that person could
> search the ISP log, and trace back. It is like watching someone in a car
> crash bleeding to death, and not helping. Should I inform the user of their
> vulnerabilities? Contact the ISP??
>
> What would you do.
>
> Ready for the "FLAME" war...but I am serious...I would want to know, if I
> was that vulnerable.

bowgus

#5

EDOOD <info wrote:
> I was using some IP discovery tools, and found an IP address on my provider's
> subnet with multiple open shares. This person is definitely open to
> problems. It took no effort to map a share, and see all their files.
> Ethically, it is wrong, but feel bad this person is exposed. How would YOU
> handle this situation. If I send an anonymous email, then that person could
> search the ISP log, and trace back. It is like watching someone in a car
> crash bleeding to death, and not helping. Should I inform the user of their
> vulnerabilities? Contact the ISP??
>
> What would you do.
>
> Ready for the "FLAME" war...but I am serious...I would want to know, if I
> was that vulnerable.

In answer to what you did, the answer is would you "tell" someone you downloaded a FTP file? HTTP?

Some have criticized your activity. If the share was open and you retrieved files, not even sure to the illegality (not talking ethics) of the question. If the computer had services exposed, without even minimal security in place, I am not sure of a legal issue. The patriot act defines the law as being broken when the threshold of damage exceeds $500. If I remember right the telecommunications act threshold is 2500$. If the user was on a current WinX system they had to bypass many warnings not to expose the share. If the browser of data did not use the information to personal or detrimental gain, didn't transfer pornography, didn't upload data files, didn't damage the remote system, didn't download copyrighted materials, I suspect it would be difficult to be prosecuted. If this were a commercial server doing interstate commerce there are other laws that might come into play. If the user was on a Win9x system, well, they are pretty much exposed with no firewall.

Scanning of systems is not a violation of law nor of many ISP rules, unless it causes a denial of service condition, shaking a door handle is not a violation, though entering a door might be an issue if the user could prove the damage threshold.

There are several reasons this might occur:

1. User is an idiot. Possible and no amount of informing will persuade/fix this user because the light bulb probably isn't on. It may be some sort of malware has exposed his system, and the user wouldn't understand the issue. Any file you retrieved could not be trusted, and you prolly have better stuff on your own computer.

2. The hole is a honey pot. Good reason not to play.

3. The individual is purposely and deliberately sharing the shares openly for a number of legitimate reasons. Sharing LDAP to host Net meeting session (example).

4. Several p2p tools will do the behavior described if the user does not constrain them properly, in fact they share the entire computer to the world. This is probably the highest probability. The user is probably a Kazaa user who installed the program with defaults sharing c:\. I have seen this with several popular music file sharing programs. This user probably already has more issues than he can handle and probably belongs to paragraph 1.

Many applications will tell you the OS, computer name, every account on the computer and whether or not a password is required to access the account on the system, what shares are available, and other information about the system (I didn't say properly configured systems). Exposed NETBIOS is always informative. This is a common functionality of many legitimate tools (Microsoft Visio for example). This is done by just checking the door handle and never entering the system. This, in itself, is not illegal.

As I write this I keep coming up with more reasons so I'll just stop and let y'all come with more reasons of your own.

But as far as the law is written I doubt you would have many legal issues unless it happened to be a commercial or government host. (While they may not prosecute you, they might make life fun for awhile, there are ways to hurt you even if they can't put you in jail (priced lawyers lately?).)

I don't know of any laws that prohibit footprinting ... yet.

Ethics on the other hand....

Winged

winged

#6

On 11 Dec 2004 18:47:24 EST, winged wrote:
> If the computer had services exposed, without even
> minimal security in place, I am not sure of a legal issue.

Even a ping _could_ be used to give you a hard time.

Just a few state selections.

http://www.capitol.state.tx.us/statutes/pe.toc.htm
Read 33.01. Definitions (1) "Access"
then 33.02. Breach of Computer Security (a)

http://www.umpqua.cc.or.us/policy/oregon-law.htm
Read 1 (a) then (4)

Bit Twister

#7

In article <cpg0uc$>, says...
> Scanning of systems is not a violation of law nor of many ISP rules,
> unless it causes a denial of service condition, shaking a door handle is
> not a violation, though entering a door might be an issue if the user
> could prove the damage threshold.

Actually, scanning ISP networks is a violation of MOST ISP's acceptable use policies. The violator can have their service terminated for it.

--
--
(Remove 999 to reply to me)

Leythos

#8

Bit Twister wrote:
> On 11 Dec 2004 18:47:24 EST, winged wrote:
>
>>If the computer had services exposed, without even
>>minimal security in place, I am not sure of a legal issue.
>
>
> Even a ping _could_ be used to give you a hard time.
>
> Just a few state selections.
>
> http://www.capitol.state.tx.us/statutes/pe.toc.htm
> Read 33.01. Definitions (1) "Access"
> then 33.02. Breach of Computer Security (a)
>
>
> http://www.umpqua.cc.or.us/policy/oregon-law.htm
> Read 1 (a) then (4)

"Effective consent" is a key issue of both the Texas and the Oregon laws cited. If one has exposed (open access) services be it ftp, http, etc. one has granted "effective consent" for anyone to access a system. Every bot on the net has legal right to crawl your system. If one requires a logon and password to access a service "effective consent" is not present. If one has ping services turned on one has granted "effective consent" under the Oregon and Texas provisions cited.

Unless you lock the door, you provide "effective consent" under both of the laws cited. If you have ping services turned on and exposed you have provided "effective consent" for others to use those services.

This is why if you have an exposed computer in a public area one would not be in violation of the law (Texas example) to walk by a computer. If that computer were secured where access would be restricted, walking by that same computer "could" make you in violation of the law because "effective consent" was not granted. If a company representative granted you access to the same area under non fraudulent conditions (access to the restricted area), you could not be prosecuted for the same act of walking by the same computer in the same area because they provided "effective consent" for you to walk by the computer.

Tricky little clause.

Winged

winged

#9

On 11 Dec 2004 21:02:24 EST, winged <> wrote:
>"Effective consent" is a key issue of both the Texas and the Oregon laws
>cited. If one has exposed (open access) services be it ftp, http, etc.
>one has granted "effective consent" for anyone to access a system
##########################
I agree w/ that 100%.

donnie

donnie

#10

Leythos wrote:
> In article <cpg0uc$>,
> says...
>
>>Scanning of systems is not a violation of law nor of many ISP rules,
>>unless it causes a denial of service condition, shaking a door handle is
>>not a violation, though entering a door might be an issue if the user
>>could prove the damage threshold.
>
>
> Actually, scanning ISP networks is a violation of MOST ISP's acceptable
> use policies. The violator can have their service terminated for it.
>

You're right! Most ISPs don't pursue that clause unless it creates a problem (DOS) or sufficient complaint. A properly performed scan will probably never be noticed. In reality, they can deny service for almost no reason if they choose IAW the agreement. Of course if service is denied, payment for non-service is usually waived. Most ISPs work on credit and therefore seldom invoke this clause.

If a user is sufficiently worried about their activities and their ISP reaction they should probably learn how to do things differently, so as not to raise the ire of the ISP administrators.

Afraid I don't worry much about scanners from a security perspective (as long as they are not on "MY" network assets). Ethically one should only scan "one's own owned" assets.

Winged

winged