[NTLUG:Discuss] crackers
MadHat
madhat at unspecific.com
Fri Aug 27 10:57:06 CDT 1999
Greg E wrote:
>
> The 4 reasons I suggested a fee:
>
> 1. if you advertise this service on the NTLUG web site the number of
> people wanting the service could be huge and if they need to cough
> over a couple of bucks, maybe $10 or something on that order, it'll
> weed out the not so serious, doing a onesy twosy isn't a load but
> if 200 people ask in the span of 2 or 3 days:)
>
> 2. everyone's time and knowledge is worth something even MadHat's,
> although some may argue about that:)
I'm not sure how to take that...
>
> 3. FUND RAISER, call it a donation not a fee if you want
>
> 4. putting NTLUG behind it ensures that not just anybody is being asked
> to attack your system, the requester is guaranteed that no harm will
> be done if the system is compromised
>
Good points. I wasn't saying that it could not be done on a "donation"
type thing, but making people pay, just seems bad... I could easily
write a script that you could put in your IP and email in a web page and
it would do all this automagically, but then "script kiddies" would be
using it to find holes in other systems and not have ties back to the
victim, the victim just sees my system or whatever.
> All you'd need to make a request is provide your domain, i.e. nutlug.org, and
> an email address to return the results to. NTLUG sends an email to a member
> of the test team on a round robin with the domain name. The tester sends
> a report back to NTLUG and NTLUG forwards the report to the requester along
> with a bill and mailing address. A few days later NTLUG gets a check in the
> mail. Everything on the NTLUG side can be automated except the bank deposits
> and writing the checks to the testers.
How do you know that the domain is of the real person that requested?
What if it is a dialup or DHCP, you can't tell if you are scanning the
owner, or their neighbor they want to get back for something. It is a
sticky situation. Think of the legal issues. There would need to be a
contract to keep NTLUG free of prosecution.

What if I offered a page that would check the IP that you are coming
from. Look for common holes and display them on the screen? You go to
the site and it reports right there about the requesting host. No
email, no taking IP or domains.
hmmmmmm.....
--
MadHat
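
The "check only the IP you are coming from" idea in the message above depends on how the service picks its target. The sketch below is an added example, not part of the original post or any NTLUG code; `select_target`, `Refused` and the header and parameter names are assumptions made for illustration. It shows target selection only and does no probing.

```python
import ipaddress

# Headers that indicate the TCP peer is an intermediary, not the end host.
PROXY_HEADERS = {"x-forwarded-for", "forwarded", "via", "x-real-ip"}
# Parameter names a caller might use to aim the check elsewhere (assumed names).
TARGET_PARAMS = {"ip", "host", "domain", "target"}


class Refused(Exception):
    """Raised when the request cannot be tied to a single checkable host."""


def select_target(peer_addr, headers, params):
    """Return the only address the service may check: the TCP peer itself.

    peer_addr: source address of the accepted socket (not client-supplied).
    headers:   request headers as a dict.
    params:    query/form parameters as a dict.
    """
    # No IP or domain field is honoured, so a visitor cannot point the
    # check at a third party.
    if {key.lower() for key in params} & TARGET_PARAMS:
        raise Refused("target parameters are not accepted")

    # A proxy header means the peer is a proxy; checking it would test
    # the proxy operator's machine, not the visitor's.
    if {name.lower() for name in headers} & PROXY_HEADERS:
        raise Refused("request arrived through a proxy")

    addr = ipaddress.ip_address(peer_addr)
    # Unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d) seen on dual-stack listeners.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    # A loopback, private or link-local peer means the service sits behind
    # its own reverse proxy or on a LAN; the real client address is unknown.
    if addr.is_loopback or addr.is_private or addr.is_link_local:
        raise Refused("peer address is not a routable client address")
    return str(addr)
```

A NAT gateway adds no header, so a visitor behind one still causes the gateway's address to be checked; the dialup/DHCP concern raised in the message remains for that case.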