Re: Computer Misuse Act
- From: Mike Ross <mike@xxxxxxxxxxxxx>
- Date: Thu, 20 Oct 2005 18:03:42 -0400
On Thu, 20 Oct 2005 20:46:44 +0100, Cynic <cynic_999@xxxxxxxxxxx>
wrote:
>On Thu, 20 Oct 2005 08:44:37 GMT, Mike Scott
><usenet.9@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx> wrote:
>
>>Alex Heney wrote:
>>...
>>> It is NOT reasonable to assume access is authorised to every IP
>>> address you can find.
>>
>>True.
>>
>>But it *is* reasonable to assume you can ask at that address whether you
>>are allowed access to something. Practically speaking, there's no
>>alternative, and it's how the system is designed to operate.
>
>Hmmm. Assume there is an ordinary person, with about average knowledge
>of computers and the 'net. Let's call him Fred. He gets broadband,
>and buys himself an ADSL router, and follows the "idiot guide" on the
>box. After a few hours, his computer bursts into life on the
>Internet, and he congratulates himself for figuring out how to get
>such a complex setup working. Now that it's working, he does not
>consider fiddling further with the settings, so everything he has not
>had to change is set to their defaults.
>
>Somewhere else in the World is a nerdy computer hacker

Bzzzzz.

Stand in the corner, and repeat the following mantra until I say
'enough':

Hackers build, crackers break
Hackers build, crackers break
....

>, I'll call Mal.
>Mal has figured out that a particular range of IP addresses is used by
>a particular ISP for its ADSL customers. So he goes through all the
>addresses in the range, looking for open ports.

And that's where things start to go wrong. That's called a 'port scan'
and has no legitimate purpose(1). It's akin (since you're so fond of
analogy) to trying car doors, looking for one to break into. Simple
possession of the tools to do this isn't illegal, they have legitimate
uses, but using them on systems you don't control is a no-no.

>Mal quickly looks up the
>instruction manual for that make of router (conveniently available on
>their web site in PDF format), and finds the default login password.
>He tries it and it works.

Password guessing. He's found an interesting car, and is now trying to
pick the lock, if you prefer. Cracker behaviour number 2.

>So now he uses the router's web
>configuration pages to find out the local NAT address of the connected
>PC and sets up a few port-forwarding rules to that address.

Now he's *altering* data that doesn't belong to him; he's in big
trouble. He's started the car and is driving it away. Cracker
behaviour number 3.

(1) A port scan could be legitimate in a couple of cases - if the
administrator of the system requests it, as a security test, or if
carried out by an ISP, trying to find customer systems infected with
worms or trojans.

A slightly similar scanning technique is used by search engines
looking for websites to index. That's considered legitimate because
they only scan port 80, and honour a file called 'robots.txt' which
you place on your webserver to control the behaviour of these search
engine robot scans - if you tell them to piss off, they will.

Mike, who has been called a hacker.
--
http://www.corestore.org
'As I walk along these shores
I am the history within'