[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: probe my ports from internet server

There's a few items that I feel I have to bring up.  If you're testing a
firewall, you need to be paranoid, so this is a paranoid email.  Also These
Are General Comments, Not Trying To Pick On Any Individual Or Group, Even
If Named In This Email.

1) How much do you trust an external project to scan you and then
responsibly use the data?  Lets say you request "joehacker.org" to scan
you.  How do you know that they are doing a "good" job, how do you know
they aren't filing the results for later use / abuse?  How do you know they
are testing against the "latest" exploits?

Frankly, using a free scanning / cracking service (or for that matter, a
paying scanning / cracking service) is kind of like putting an add in the
newspaper asking unknown people to walk around the company car pool, trying
to break into cars.  Anyone doing that who is in charge of a car pool would
rightly be fired, and the analogy is pretty clear.

2) Why pay for questionable service or trust an unknown service when you
can do a better job for "free"?  Get a laptop running Linux with modem and
ethernet, a dialup internet account, and a telephone line, and scan heck
out of yourself.  If you don't know how to scan yourself, you aren't really
a security professional.  Kind of like someone who claims to be a
"locksmith" but doesn't actually know how locks work.

I'm surprised not to hear reports of "poisoned" internet security products.
It would be very easy to setup a site claiming to "scan you for free", then
save all open problems, then pass them along to a hacker group.  No-one
really checks on who owns and runs "free scanning" sites anyway.  Then when
the hackers eventually are uncovered and caught, there's the weird legal
difficulties, "but, your honor, the plaintiff explicitly requested that we
try to break through his firewall, we were only following the plaintiff's
clearly defined wishes" and then your case gets thrown out.

3) Never buy, or utilize for free, a security service of any sort, not
armed guards, not P.I., not an internet firewall, unless you both sign a
binding legal contract and have some form of insurance bond.  Otherwise the
legal situation can get Very Dicey Very Quickly when something inevitably
goes wrong, especially if you are the consultant in the middle.  You have
to have some documentation.  Admittedly no internet firewall companies that
I am aware of will sign a contract that binds them to your damages if their
product fails, so GPL products are just as good, but realize that when you
are sued, you will need to back that up, by showing that, for example,
Microsoft's end user license provides no more responsibility for the
producer than the GPL does, or at least you need to cite previous legal
decisions agreeing with that.

Probably, the most important project someone in the free software community
could pursue, would be to generate a site or document showing how most if
not all commercial software vendor's end user licenses provide no legal
recourse in the event of failure, thus GPLed software is no different and
is equally good from a legal standpoint.  And then someone needs to make a
Debian package of it.

Finally, despite all my negative comments, I'm sure most if not all
scanning services are run by the "good guys".  But all you need is one bad
apple out there and its all over.  And what makes you sure you aren't
dealing with that one bad apple?  Its not like open source where you know
whats happening on the inside.

                    <mikpolniak@ade        To:     <debian-firewall@lists.debian.org> archive/latest/992              
                    lphia.net>             cc:     (bcc: Vince Mulhollon/Norlight)                                    
                                           Fax to:                                                                    
                    11/09/2000             Subject:     Re: probe my ports from internet server                       
                    07:59 AM                                                                                          
                    Please respond                                                                                    
                    to mike                                                                                           

On Thu, 9 Nov 2000 00:47:06 -0600 (CST), Jonathan Hankins said:

> Look in the "Nmap related projects" section of
>  http://www.insecure.org/nmap, it mentions some sites that offer various
>  "scan-yourself" services based on nmap. I haven't checked any of them to
>  see if they let you dictate the details of the scan, ie, port range.
>  On 8 Nov 2000, mike wrote:
>  >            I am testing my firewall and had the 'probe my ports' test
>  > from the server at SheildsUp (grc.com). This only probes a dozen
>  > popular ports. Is there a similar net-based server i can run to probe
>  > all 65535 ports.
>  >            I know about nmap, netstat and lsof, but am looking for a
>  > probe from an outside source.
           Thanks! Checked out hackerwhacker which does a free scan on
about 2000 ports using         'nmap' and charges for an all-ports
scan.This is
just what i was looking for.
gEEk||dOOd^Deb+iaN&&XFce$aaZZ goes<Pronto>(-_-)

To UNSUBSCRIBE, email to debian-firewall-request@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact

Reply to: