[Dshield] Question on appropriate university research

Tom dshield at oitc.com
Tue Sep 18 13:48:56 GMT 2007


What they told me is that they are doing research in an "effort to 
offer improved mechanisms for SSH clients to authenticate servers"

I gotta believe that their attempt to obtain statistics is fatally 
flawed and that there are better ways to reach their goal.


At 7:14 AM -0500 9/18/07, Stasiniewicz, Adam wrote:
>Content-Language: en-us
>Content-Type: multipart/signed;
>	boundary="----=_NextPart_000_0060_01C7F9C3.7B35A280";
>	micalg=2.16.840.;
>	protocol="application/x-pkcs7-signature"
>Interestingly enough, the simple act of port scanning is not illegal in the
>US (in 2001 a federal court case, Moulton v. VC3, decided this).  But DOS
>attacks (say by flooding a network with port 22 SYNs) and using exploits (to
>gain unauthorized access to SSH servers) are illegal.  In addition I can see
>a crafty lawyer being able to make arguments for the following two
>scenarios: First, that you explicitly tell CMU not to port scan you, but
>they still do (trespassing laws).  Second, that if CMU were to publish their
>results and those results specify your organization and all their SSH server
>(privacy laws).
>But legality aside.  I agree there is a strong ethical issue here.  I think
>it is only reasonable to ask IP block owners for their permission before
>scanning their networks.  Not that I think IP block owners have something to
>hide or that by being notified there is some sort of security gain, rather,
>out of simple curtsey IP block owners should be advised that their network
>is going to be the subject of research.
>I would be interested to hear more about what exactly this research project
>is attempting to do.  Does anyone have any more specific information about
>My $0.02,
>Adam Stasiniewicz
>-----Original Message-----
>From: list-bounces at lists.dshield.org [mailto:list-bounces at lists.dshield.org]
>On Behalf Of Tom
>Sent: Monday, September 17, 2007 8:39 PM
>To: General DShield Discussion List
>Subject: [Dshield] Question on appropriate university research
>We were probed by a machine on CMU's network weekly on port 22. We
>reported this to CMU abuse and received the following response:
>The machine cited in your notification is running a research project
>involving SSH scanning.  I have cc'd the network manager of the
>department so that this message can be forwarded to the researcher
>for a response.
>Thank you,
>John K. Lerchey
>Information Security Office"
>Now, this "SSH scanning" project looks just like a bot net searching
>for hosts to attack later from my machines viewpoint.
>Don't you think that this is at best ill advised without contacting
>the IP block owners? Further what they're trying to sample is not
>what they are sampling but thats another story.
>Your comments and inputs are appreciate because I think this guys PHD
>Advisor is way out of line to condone this activity.
>Tom Shaw - Chief Engineer, OITC
><tshaw at oitc.com>, http://www.oitc.com/
>US Phone Numbers: 321-984-3714, 321-729-6258(fax),
>321-258-2475(cell/voice mail,pager)
>Text Paging: http://www.oitc.com/Pager/sendmessage.html
>AIM/iChat: trshaw at mac.com
>Google Talk: trshaw at gmail.com
>SANS Network Security 2007 in Las Vegas September 22-30. 39 courses,
>SANS top instructors.  http://www.sans.org/info/9346
>SANS Network Security 2007 in Las Vegas September 22-30. 39 courses,
>SANS top instructors.  http://www.sans.org/info/9346


Tom Shaw - Chief Engineer, OITC
<tshaw at oitc.com>, http://www.oitc.com/
US Phone Numbers: 321-984-3714, 321-729-6258(fax), 
321-258-2475(cell/voice mail,pager)
Text Paging: http://www.oitc.com/Pager/sendmessage.html
AIM/iChat: trshaw at mac.com
Google Talk: trshaw at gmail.com

More information about the list mailing list