Mother, May I?
Mark Rasch, 2008-01-23

"Mommy, can I have a cookie?"

Comments
Thanks Mark (Andy S., 2008-01-23)
Mother, May I? (Anonymous, 2008-01-23; 1 reply)
Re: Mother, May I? (Mark D. Rasch, 2008-01-24)
You're overlooking some issues. (Anonymous, 2008-01-23; 2 replies)
Re: You're overlooking some issues. (Mark D. Rasch, 2008-01-24)
Mother, May I? (Erik N, 2008-01-23)
OS utilities and public "keys" (Ole Juul, 2008-01-23; 1 reply)
Re: OS utilities and public "keys" (Mark D. Rasch, 2008-01-28; 1 reply)
Be careful what you ask for (overshoot, 2008-01-23)
Mother, May I? (Thomas Downing, 2008-01-24; 1 reply)
Internet as Commons (Mark D. Rasch, 2008-01-28; 1 reply)
Re: Internet as Commons (Jon Hash, 2008-01-29; 1 reply)
Re: Re: Internet as Commons (Mark D. Rasch, 2008-02-01)
Mother, May I? (stacy, 2008-01-24)

"Is failing to prevent something the same as authorizing it?"

I would look at it from the point of view of did he use or abuse a public interface. Using the host command (regardless of whether or not it is arcane knowledge) is not abusing the interface; exploiting a buffer overflow or SQL injection is abuse.

An analogy I would like to see explored is "dumpster diving". As I understand it, if you throw it in the trash, it is fair game. As long as I don't have to trespass to get at your trash, I am allowed to search through it. That aligns nicely with my "no abuse" rule. The purpose of DNS is to publish a mapping between host names and IP addresses so that people can find your hosts. There is no abuse of the interface to ask a DNS server for information that it has been instructed to publish. If you have hosts that you don't want the general public to know about, you shouldn't publish the information to the public. I think you have your question wrong: it was not a "failure to prevent"; someone configured a DNS server to take a set of data and publish it publicly. That to me implies that access to that information is authorised. They may have been mistaken when they did it, but that does not negate the authorisation.



Link to this comment: http://www.securityfocus.com/comments/columns/463/34884#34884
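The comment above argues that a public zone publishes whatever its operator put into it, so the operator's remedy is not to prevent queries but to audit what the zone publishes before it goes live. The following is an added example illustrating that check; it is not part of the comment or of the SecurityFocus page. It assumes a BIND-style zone file with one record per line and the "IN" class written explicitly; the zone for example.com and every record in it are constructed for this example, and the function names are the example's own.

```python
"""Audit a public DNS zone for records that leak internal addressing.

Added example, not from the comment or SecurityFocus. Assumes a BIND-style
zone file with one resource record per line and an explicit "IN" class field;
multi-line parenthesised records are not handled (assumption of this example).
"""
import ipaddress

# Constructed sample zone. The public-facing hosts use the 203.0.113.0/24
# documentation range; the last three records point at RFC 1918 / RFC 4193
# addresses, which is exactly the kind of data a public zone should not carry.
SAMPLE_ZONE = """\
$ORIGIN example.com.
$TTL 3600
@           IN  SOA   ns1.example.com. hostmaster.example.com. (2008012301 3600 900 604800 86400)
@           IN  NS    ns1.example.com.
www         IN  A     203.0.113.10
mail   3600 IN  A     203.0.113.25
; the next three records describe internal topology, not public services
intranet    IN  A     10.0.0.15
backup-db   IN  A     192.168.1.200
printer     IN  AAAA  fd12:3456:789a::1
vpn         IN  A     203.0.113.40
"""

# Address ranges that never belong in a zone served to the Internet. The list
# is explicit rather than ipaddress's is_global/is_private, because those
# properties also treat the documentation ranges used above as non-global.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16",                    # loopback, link-local
    "fc00::/7", "::1/128", "fe80::/10",                 # ULA, v6 loopback/link-local
)]


def parse_zone(text):
    """Return (owner, rtype, rdata) tuples, skipping directives and comments.

    An optional TTL between owner and "IN" is tolerated; a line whose owner
    field is blank inherits the previous owner, as in BIND.
    """
    records = []
    last_owner = None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()          # drop trailing comments
        if not line or line.startswith("$"):        # blank or $ORIGIN/$TTL
            continue
        fields = line.split()
        if "IN" not in fields:
            continue                                 # class omitted: unsupported
        i = fields.index("IN")
        owner = fields[0] if i > 0 else last_owner   # blank owner inherits
        last_owner = owner
        records.append((owner, fields[i + 1], " ".join(fields[i + 2:])))
    return records


def find_internal(records):
    """Return the A/AAAA records whose address falls in INTERNAL_NETS."""
    leaks = []
    for owner, rtype, rdata in records:
        if rtype not in ("A", "AAAA"):
            continue
        try:
            addr = ipaddress.ip_address(rdata)
        except ValueError:
            continue                                 # malformed rdata: not this check's job
        # "in" is False across address families, so a v4 address is only
        # tested against v4 networks and vice versa.
        if any(addr in net for net in INTERNAL_NETS):
            leaks.append((owner, rtype, rdata))
    return leaks


def report(text):
    """One human-readable line per record that should not be published."""
    return [f"{owner} {rtype} {rdata}" for owner, rtype, rdata in find_internal(parse_zone(text))]


if __name__ == "__main__":
    for line in report(SAMPLE_ZONE):
        print("do not publish:", line)
```

Run against a real zone, the script is a pre-publication gate, not a substitute for deciding which names belong in a public zone at all: a host called "vpn" with a public address is still published on purpose, which is the commenter's point.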
Not much of a cheese shop, is it? (Mitch Smith, 2008-01-24; 2 replies)
Re: Not much of a cheese shop, is it? (Mark D. Rasch, 2008-01-28; 1 reply)
Mother, May I? (Anonymous, 2008-01-27; 1 reply)
Re: Mother, May I? (Mark D. Rasch, 2008-02-01)
Mother, May I browse your public server? (Anonymous, 2008-01-28; 1 reply)
It's Like a Phone Book (danielc, 2008-01-30)
Mother, May I? (Victor, 2008-02-07; 1 reply)
Re: Mother, May I? (Mark D. Rasch, 2008-02-07)

Copyright 2008, SecurityFocus