Notifying user of open Internet access

Discussion in 'Computer Security' started by EDOOD, Dec 11, 2004.

  1. EDOOD

    EDOOD Guest

    I was using some IP discovery tools, and found an IP addres on my providers
    subnet with multiple open shares. This person is definitely open to
    problems. It took no effort to map a share, and see all their files.
    Ethically, it is wrong, but feel bad this person is exposed. How would YOU
    handle this situtaion. If I send an anonymous email, then that person could
    search the ISP log, and trace back. It is like watching someone in a car
    crash bleeding to death, and not helping. Should I inform the user of their
    vulnerabilities? Contact the ISP??

    What would you do.

    Ready for the "FLAME" war...but I am seriious...I would want to know, if I
    was that vulnerabile.
    EDOOD, Dec 11, 2004
    1. Advertisements

  2. EDOOD

    Leythos Guest

    I would report you to the local ISP for scanning my computer and hope
    they yank your service.

    What you did is a direct violation of most ISP's terms of service and

    As noble as you think your action are/were, you are no different than
    the countless number of hackers in your actions. Since you have no
    permission to scan the ISP's network, no permission to access the users
    shares, you are in violation of many ethics rules and possibly could
    loose your service.
    Leythos, Dec 11, 2004
    1. Advertisements

  3. EDOOD

    donnie Guest

    That wasn't his question. He asked if he should inform them about the
    hole. I don't think he should. They might try to blame him for the
    problem which is the usual response. Don't try to be a hero. Pretend
    you never even saw it.
    donnie, Dec 11, 2004
  4. EDOOD

    bowgus Guest

    An analogy I've heard ... it's perfectly legal to walk around in an
    apartment building, just not legal to walk into someone's apartment, even if
    the door is open. I once did basically the same as you ... I was amazed at
    the information available ... I stopped. My recommendation nothing ...
    it's their property, their responsibility. And stay off other peoples PCs.
    bowgus, Dec 11, 2004
  5. EDOOD

    winged Guest

    In answer to what you did, the answer is would you "tell" someone you
    downloaded a FTP file? HTTP?

    Some have criticized your activity. If the share was open and you
    retrieved files, not even sure to the illegality (not talking ethics) of
    the question. If the computer had services exposed, without even
    minimal security in place, I am not sure of a legal issue. The patriot
    act defines the law as being broken when the threshold of damage exceeds
    $500. If I remember right the telecommunications act threshold is
    2500$. If the user was on a current WinX system they had to bypass many
    warnings not to to expose the share.

    If the browser of data did not use the information to personal or
    detrimental gain, didn't transfer pornography, didn't upload data files,
    didn't damage the remote system, didn't download copy write materials,
    I suspect it would be difficult to be prosecuted. If this were a
    commercial server doing interstate commerce there are other laws that
    might come into play. If the user was on a Win9x system, well, they are
    pretty much exposed with no firewall.

    Scanning of systems is not a violation of law nor of many ISP rules,
    unless it causes a denial of service condition, shaking a door handle is
    not a violation, though entering a door might be an issue if the user
    could prove the damage threshold.

    There are several reasons this might occur:

    1. User is an idiot. Possible and no amount of informing will
    persuade/fix this user because the light bulb probably isn't on. It may
    be some sort of malware has exposed his system so and the user wouldn't
    understand the issue. Any file you retrieved could not be trusted, and
    you prolly have better stuff on your own computer.

    2. The hole is a honey pot. Good reason not to play.

    3. The individual is purposely and deliberately sharing the shares
    openly for a number of legitimate reasons. Sharing LDAP to host Net
    meeting session(example).

    4. Several p2p tools will do the behavior described if the user does
    not constrain them properly, in fact they share the entire computer to
    the world. This is probably the highest probability. The user is
    probably a KAZZA user who installed the program with defaults sharing
    c:\. I have seen this with several popular music file sharing programs.
    This user probably already has more issues than he can handle and
    probably belongs to paragraph 1.

    Many applications will tell you the OS, computer name, every account on
    the computer and whether or no a password is required to access the
    account on the system, what shares are available, and other information
    about the system (I didn't say properly configured systems). Exposed
    NETBIOS is always informative. This is a common functionality of many
    legitimate tools (Microsoft Visio for example). This is done by just
    checking the door handle and never entering the system. This, in
    itself, is not illegal.

    As I write this I keep coming up with more reasons so I'll just stop let
    y'all come with more reasons of your own.

    But as far as the law is written I doubt you would have many legal
    issues unless it happened to be a commercial or government host (While
    they may not prosecute you, they might make life fun for awhile, there
    are ways to hurt you even if they can't put you in jail (priced lawyers
    lately?)) I don't know of any laws that prohibit foot printing ... yet.

    Ethics on the other hand....

    winged, Dec 11, 2004
  6. EDOOD

    Bit Twister Guest

    Bit Twister, Dec 11, 2004
  7. EDOOD

    Leythos Guest

    Actually, scanning ISP networks is a violation of MOST ISP's acceptable
    use policies. The violator can have their service terminated for it.
    Leythos, Dec 12, 2004
  8. EDOOD

    winged Guest

    "Effective consent" is a key issue of both the Texas and the Oregon laws
    cited. If one has exposed (open access) services be it ftp, http, etc.
    one has granted "effective consent" for anyone to access a system. Every
    bot on the net has legal right to crawl your system. If one requires a
    logon and password to acess a service "effective consent" is not
    present. If one has ping services turned on one has granted "effective
    consent" under the Oregon and Texas provisions cited. Unless you lock
    the door, you provide "effective consent" under both of the laws cited.
    If you have ping services turned on and exposed you have provided
    "effective consent" for others to use those services.

    This is why if you have an exposed computer in a public area one would
    not be violation of the law (Texas example) to walk by a computer. If
    that computer were secured where aceess would be restricted, walking by
    that same computer "could" make you in violation of the law because
    "effective consent" was not granted. If a company representative
    granted you access to the same area under non fraudulent conditions
    (access to the restricted area), you could not be prosecuted for the
    same act of walking by the same computer in the same area because they
    provided "effective consent" for you to walk by the computer.

    Tricky little clause.

    winged, Dec 12, 2004
  9. EDOOD

    donnie Guest

    I agree w/ that 100%.
    donnie, Dec 12, 2004
  10. EDOOD

    winged Guest

    Your right!

    Most ISP's don't pursue that clause unless it creates a problem (DOS) or
    sufficient complaint. A properly performed scan will probably never be
    noticed. In reality, they can deny service for almost no reason if they
    choose IAW the agreement. Of course if service is denied, payment for
    non-service is usually waived. Most ISPs work on credit and therefore
    seldom invoke this clause. If a user is sufficiently worried about
    their activities and their ISP reaction they should probably learn how
    to do things differently, so not to raise the ire of the ISP
    administrators. Afraid I don't worry much about scanners from a security
    perspective(as long as they are not on "MY" network assets). Ethically
    one should only scan "ones own owned" assets.

    winged, Dec 12, 2004
  11. EDOOD

    Bit Twister Guest

    Texas escapes the consent with _or defect_ in (c)
    Oregon did not even bother with consent.

    They did that on purpose. Oregon was tired of the lawyers indicating
    the same kind of logic you proposed.

    Your "exposed computer in a public area" is not consent just like my
    public exposure of my house's front door is not consent for you to
    "communicate with the door knob" by twisting it.
    Bit Twister, Dec 12, 2004
  12. EDOOD

    winged Guest

    "Effective Consent" does allow me to knock on the door. If you leave
    the door open effective consent is implied. Effective consent may also
    apply to a login on the system if it does not have a password, for
    example some services may require a login (door closed) depending on the
    generally accepted use of the service. A service with a login password
    does not have effective consent to use that specific service (door
    locked) unless effective consent was given to me by the system owner by
    providing a login password. To make matters worse their are "some"
    cases where a login password also provides "effective consent"
    (anonymous FTP servers that require a mail addy for password comes to mind).

    Effective consent does apply to the Oregon law. Effective consent is a
    principle in law. It does not "have" to be specifically stated.

    If a service is exposed and the service has no warnings on the specific
    service, "effective consent" is implied under either states statutes.
    If you exploit a service (for example using a buffer overrun) to gain
    access that was not otherwise exposed, you are in violation of the
    "effective consent" principle.

    Under your argument any HTTP server I accessed in Texas or Oregon could
    be considered illegal because did not have specific permission to access
    the site.

    "Effective consent" does not allow me to do any damage the system in
    question, but if a service is open and exposed, one has implied consent
    to access the system.

    Exposed ICMP does provide effective consent under the law. If I pound
    the ICMP port enough to impede or significantly impact the devices
    normal operation I have lost effective consent because that can not be
    considered reasonable use.

    It is key, if one works in the computer security field, to understand
    this concept. You must lock the computer doors with reasonable
    precautions to prevent "effective consent".

    winged, Dec 12, 2004
  13. EDOOD

    Bit Twister Guest

    Was not open, just not locked.
    The law did not say so. That is my main point. The law was made that loose
    because of the same kinds of arguments you have provied.

    Some of the arguments by cracker's lawers were
    How was my client to know the sys op was not giving consent because
    the sys op failed to secure his machine correctly.

    As for what computer industry thinks and what the lawyer provied is
    just word twisting. What comes to mind whas the @home ads showing
    unlimited internet access and the cutomers complaing of
    throttled cablem modems and download quotas. Seems the unlimited
    access meant you did not have to login to access the internet.
    Bit Twister, Dec 12, 2004
  14. EDOOD

    EDOOD Guest

    Holy S..T!!!!!
    I may never use my computer again!!!! Just kidding.
    I guess my only thought is, I have had a hacked Web Site (Chinese hackers,
    by tracing back logs and IP numbers), and had a virus attack, that the ISP
    said that I was sending out Viruses. If I received a note/letter/email
    stating that my firewall was WIDE OPEN, I would first close it, and second,
    thank whomever told me.

    It is hard for me to believe that someone shouldn't do anything....I think
    we are all "CLOSET HACKER". I would bet everyone on this list has used an
    IP discovery tool. So, I will let the FOOL go down into the abyss of hacker

    Thanks for the reply's!!!
    EDOOD, Dec 13, 2004
  15. EDOOD

    Leythos Guest

    At one time or another, before being information of it being against the
    TOS for my ISP at the time (not the current one), I use to look/help
    people that were exposed. When I use to get probed from SQL servers I
    would open a session with them and send a NET SEND to their entire LAN
    from the SQL Server telling everyone that the SQL server was fully
    exposed (without a password) to the internet. In all that time, I never
    saw one SQL server fixed or one computer fixed.

    People that are exposed just don't get it, they don't really care, and
    if they did care they would already have learned something about it.

    What would be great is if the ISP's blocked ports 135~139 and 445
    internally as well as externally, then we would have a lot less problems
    with Windows based systems.
    Leythos, Dec 13, 2004
  16. EDOOD

    EDOOD Guest

    On this idea of "effective consent", the person has no password control,
    allowing anyone to "MAP" effective drives to it. You use the usual FTP, and
    HTTP rule. Are these exclusive to the rule.? Mapping a drive, using a NET
    USE or NET VIEW command, and then viewing the contents, without a password,
    would be considered "effective consent". I don't see the difference. The
    WEB is made up of Clients (Browsers) and Servers (Web Hosts). So, basically
    I can use my "BROWSER" i.e. Windows "Net View" command (Port 139 Scan) to
    look for hosts.
    This idea of Public or Private is confusing, If I set up an FTP Server for
    myself, with "anonymous" as a user, have I given consent? Why is HTTP or
    FTP (protocols) any different than from NET VIEW (Port 139) protocol scans.

    I guess the idea is, if we see a car on fire, with people in it...Don't
    help, because they might blame you for starting the fire!!!
    EDOOD, Dec 13, 2004
  17. EDOOD

    Leythos Guest

    No, there are laws to protect you from civil suites in cases of
    emergency assistance, unless you are a medical type, then you are not

    In the case of probes, looking for exposed systems, the users are
    unaware that their systems are exposed, so no consent was intended or
    Leythos, Dec 13, 2004
  18. EDOOD

    donnie Guest

    Unfortunately, when it comes to computer and telephone systems, that
    is the case. They will blame you for the security holes or at least
    exploiting them. Only once, did I tell someone that their computer
    had files sharing enabled. The reason I notified them (and I say them
    because it was a family network) was because they had wingate running
    and someone was using their PC to post bad thinngs to usenet. I looked
    up their # and called using a pre-paid calling card. The guy was very
    appreciative but that's not always the case.
    As an update to computers w/ file sharing enabled, it's almost down to
    none. There was a time when one could find 40 opened PCs on a class C
    subnet but now if there are 4 opened PCs on a class C subnet, it's a
    lot. People have become a little more savvy either blocking it
    manually or running firewalls.
    donnie, Dec 14, 2004
  19. EDOOD

    winged Guest


    winged, Dec 14, 2004
  20. EDOOD

    donnie Guest

    ISPs can't block those ports. There are people who want to share files
    and they have the right to do that. Passwds are free, let them pick
    one. That could be part of the TOS.
    donnie, Dec 14, 2004
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.