Secretive Company Scanning the Net
Zarf writes: "A start-up called Quova is pinging and tracerouting the entire Internet, causing firewalls and Intrusion Detection Systems to go crazy, and some security-types to get mad, according to this story at Security Focus. What's interesting is that the company won't say what they're doing with the information they're gathering, but records with the Patent and Trademark Office suggest it has something to do with selling "psychographic" information, i.e., matching advertisements to particular lifestyles and beliefs."
If you're so afraid then lock your system down to the point where they can't get in. Encrypt your sensitive data, etc.
--- Justin Dearing http://www.justaprogrammer.net/ We're just programmers.
Many folks have dismissed the concerns about Quova with comments along the lines of "It's just some paranoid sysadmins getting in a knot..." but it isn't paranoia. The usual precursor to an attack on any system is a ping sweep or portscan of your subnet looking for places there might be sploits, therefore it's usual for these probes to set off alarms and usual for sysadmins to block them and bitch about them whenever they catch 'em.
I'm not paranoid, but I know that by the time a vulnerability is analysed and patched it's usually been in the hands of a couple of script kiddies for a while, so as well as keeping up to date with my patches I make damn sure that my network gives out as little info as possible - I may have patched my bind but it is still configured not to tell anyone its version, just in case. If somebody is walking down the street jiggling doorknobs to see if they are unlocked, peering over every garden fence and through any windows they can reach, how long do you let them do it before calling the cops? So what do you do if there ain't no cops? At the very least if you lived on that street you'd want a decent door lock, heavy curtains and you'd warn your neighbors when you saw a total stranger wandering down the road like that. In some parts of town those neighbors might well grab that stranger and try to convince him not to come back...
# human firmware exploit
# Word will insert into your optic buffer
# without bounds checking
I had a
>>DU teaching you anything besides engineering?
Please, don't insult me in such a disgusting way.
I'm a physics major, and for all I care, the engineering dept. can get blown off the face of the earth by aliens;)
btw, secrecy is legal, protected under the constitution. they have the *right* to hide their intentions. as long as they don't break the law, it's none of our business. if that bothers you, stop using the net, it's one big anonymous underground
http://www.arin.net/whois/
Quova Inc. (NETBLK-UU-63-109-88-104) UU-63-109-88-104
63.109.88.104 - 63.109.88.111
Quova, Inc (NETBLK-UU-63-102-181) UU-63-102-181 63.102.181.0 - 63.102.181.255
and I put this in my linux 2.2 firewall script:
$IPCHAINS -A output -d 63.109.88.104/29 -j REJECT
$IPCHAINS -A output -d 63.102.181.0/24 -j REJECT
Have a nice day!
I consider pinging my system to be the electronic equivalent of jiggling my front doorknob to see if the door will open: Is it "fair use" of my front door?
It is not even comparable. Someone pinging your system isn't going to open any door, regardless of your security. You're probably one of those people that compares downloading mp3s to stealing cars, aren't you?
BTW: I used to do Internet security consulting and computer forensics work, as well as sysadmin. Hopefully that means I know what I'm talking about.
I've dealt with some of this before. I used to run a web hosting company's network. As a result of us hosting 100s of websites (we were small - I hate to see what the big guys deal with), we would daily get pings, traceroutes, port scans, attempted attacks, DOS attacks, VRFY/EXPNs, telnets, etc. Now, note that we only provided four services: WWW, FrontPage, FTP, and mail.
If I even looked at all the logs for these "attacks", I would not be doing my job! I can hear it now, "He wasn't doing his job; he wasn't being alert about his systems." No, I disagree. I would get literally hundreds of these "attacks" daily, and only a couple DOS attacks a month would be "serious" enough to disrupt things (and very mildly, I'll add). Yes, I noticed things that affected our customers. But, I didn't care about the rest of the $#@^! After all, if they got in, the logs would no longer exist. If they didn't, it is kind of pointless to look at logs for attacks that failed.
I have to wonder what the people complaining about this do for a living. Obviously, they can't be complaining about a ping scan of a significant network, for they wouldn't have time to do that!
As for the "ping is dangerous" theory, yes it is used sometimes by crackers. But, I bet that I could send your system an IP fragment and determine if it existed or not. I could even traceroute with it. Chances are, even if your system is behind a packet filter (vs. a real firewall), I would *STILL* be able to map your topography! It wouldn't show up on your filters, either. Do we really believe that our network design is so unusual and important that we need to protect it using "closed source" methods?
Personally, I don't care if you look at my network. $#@^ with it, however, by causing DOS or breaking in, and you can bet that I'll call the FBI. Before then, though, because of the state of the Internet, I'm going to ignore you. I have no time to investigate every hacker coming through a chain of 10 trojaned Windoze boxes.
According to Yahoo! People Search:
There is one R. Bhargava listed in the state of CA and he lives in San Jose:
408-985-0603
One Andrew Sack in Redlands, CA:
909-335-9574 and 909-792-0080 (Modem or Fax on 2nd number???)
Stop talking about who's to blame when all that counts is how to change --"Born of Frustration" - James
I'd suggest that the tens of thousands of affected sysadmins return the favor by periodically pinging Quova's systems.
Slashdot: come for the pedantry, stay for the condescension.
nmap Jerry-in-the-cubicle-next-to-me
hmmm... let's see...
Looks like the well-known vulnerability "mouth" is open. This port should be blocked or bacteria, viruses and "poison" trojan horses may enter, denying service to such vital daemons as "heart", "brain", and "liver".
The "nose" port is open - this port should usually be left open for oxygen filtering purposes. If "nose" becomes blocked or firewalled, "mouth" may be used as a substitute.
"ear" is open. This port is necessary for audial input. If an overload of audio is expected, the common firewalling solution "earplugs" may be utilized to block DOS attacks which can result in disruption of services like "eardrum".
Hmmm - I think I should let Jerry know he should install a firewall.
In post-9/11 America, the CIA interrogates YOU!
> Secondly, there are 2^8*2^8*2^8*2^8=2^32
> possible IP addresses [...] 34 years of scanning
34 years with 1 machine. 17 with 2. 0.68 years with 50 machines, which I'm sure this company can afford, seeing as a perfectly suitable x86 clone goes for about $400 now.
The problem is that if Quova can do it, the hax0rs can. For that matter, if you're a hax0r, or the US government, which wants to be able to read everyone's data (don't worry, though, it's "for the children"), what a cool scam it would be to set up a company so that you can get paid to crack everyone's system?</conspiracy>
"Not setting off alarms" in this case means hacking through firewalls and scanning the machines within. They explicitly stated this. THAT is a gross violation of privacy, and possibly even illegal. A firewall should be just as much a sign that 'you are not welcome' as a banner statement on your login, and just as defensible (if not more so, as it's a physical deterrent rather than just a statement) in court.
"People who do stupid things with hazardous materials often die." -- Jim Davidson on alt.folklore.urban
why on earth would you use ping for performance monitoring?
ICMP packets can be reprioritized or dumped entirely, so what real data can you expect to get?
only data you can honestly get is: machine xxx.xxx.xxx.xxx is alive and responds to pings.
Also:
Running MacOS - Can sell them anything, as long as it has bright pretty colours
Disclaimer: Typed on an iMac
-Dead Lesbian Witches! Think about it!
Unless they're actually intruding, i.e. busting through firewalls or cracking in some way, it seems that this falls well within "fair use" of TCP/IP. When I was larval, I would scan any network I could find just to see how it was put together.
If you don't want companies like this to see it, lock it down. It's not hard.
-carl
. We've got computers, we're tapping phone lines, you know that ain't allowed - Talking Heads, "Life During Wartime"
Let's ping them back...it's gonna be fun.
OK, using your analogy about mapping a non-gated community, this isn't about simply driving down the street snapping pictures of the houses. A ping is a test to see if a host is "alive" - so the analogy would have to be extended to the mapper knocking on the door to see which houses are actually occupied. Just because an address block is registered does not mean that every address is being utilized. If all they were doing was "taking photographs of the neighborhood", then they simply need to find out who has which address blocks registered. Knocking on every door to see who's home is far more invasive than you imply.
I AM, therefore I THINK!
To make it worse this guy's cell phone/pager goes off EVERY time this happens; he's on the phone talking to me like, "Yeah, we've had xx,xxx attempts on this machine and no one's gotten through" (I could just envision the lil grin on his face). I was like, hmmn, yes, I can see why, as soon as someone port scans you rip out the cat5 cable.
Because, if this can be done without setting off alarms, what else can be done without setting off alarms? Maybe nothing, but are you going to risk valuable data on that assumption?
Hmm, would that have anything to do with the strange dreams I've been having, or was that just from listening to Pink Floyd too much?
I Don't Work Here
There are some non-secretive companies doing the same thing. Netcraft and Google come to mind. What's the big deal? Remember, all this data was explicitly made public by the respective owners--there is no privacy issue here.
--
Linux MAPI Server!
http://www.openone.com/software/MailOne/
(Exchange Migration HOWTO coming soon)
a ping is like looking to see if your house is even there, it won't report any potential vulnerabilities.
a portscan is a thorough examination.
the house and system security metaphor is way overused and simply not relevant though.
Computers and houses have an entirely different mode of operation and set of security problems.
Don't be mean or my friend Oog will smash your head
Here is my little contribution:
www.quova.com [205.177.226.233]
Port State Service
23/tcp open telnet
80/tcp open http
111/tcp open sunrpc
514/tcp open shell
2049/tcp open nfs
The information is out there, free, public, to be had. I would say that most of us would be hypocrites if we were to get mad about this...
Washington, DC: It's like Hollywood for ugly people.
"but records with the Patent and Trademark Office suggest it has something to do with selling "psychographic" information, i.e., matching advertisements to particular lifestyles and beliefs." - Okay, first thing that rises to mind - how in the world can you get to know what lifestyle a certain IP or host has got, and what belief? This looks more like a group of grown up script kiddies really - "wh0a, w3 gotta scan the whole internet and find as many exploits as possible". Anyone who scans subnets/whole nets with pings for no official and very good reason should be shot really. There's no use for this but annoying ISPs and sysadmins world over.
-Stskeeps, http://unrealircd.com
I don't really think that those two are comparable. Ping tells you almost nothing. It gives no information about level of security (except "not blocking ping packets"), and there is no implication that someone would "come in" if the door was unlocked. Ping checks if something exists or is alive; it's information that anyone could get by a lot of methods, and this is probably the most "polite" one. It isn't someone jiggling a door, by telnetting into another port and playing patty-cake with your daemons; it's someone looking at the sign on the door that says "The doctor is not dead".
No harm, no foul.
"Sweet creeping zombie Jesus!"
"Is the information superhighway system any different than the automobile superhighway system? IMHO, it shouldn't be!"
;)
.|` Clouds cross the black moonlight,
Would you object if someone came along and started rubbing your windscreen, out of nowhere? *Precisely* the same analogy. You got no business touching my car, you get lost off my front-facing webservers too, thank you very much
~Tim
--
Rushing on down to the circle of the turn
What's it secreting? Puss? Goo? Yellow foam? Inquiring minds want to know.
Couldn't they just buy this info from all the script kiddies on IRC? Just ask for their databases of IP numbers and offer cash...
But after six months of constant probing, Quova says it's received only 100 complaints. A 1998 Internet mapping project by Bell Labs researcher Bill Cheswick drew 30 complaints after six months of scanning.
Yes, but it's possible many others didn't detect it and would have complained if they knew about it. Look at the last quote:
"...To that end, the company is working to refine its technique, so as to fly stealthily beneath the radar of firewalls and intrusion detection systems. "It's a goal we have," says Muniz. "Someday I'd like to get the system to the point where we don't set off anybody's alarms."
They don't care about the people or their complaints; they just care about getting caught.
Being with you, it's just one epiphany after another
For anyone that wants to block these guys at your routers/firewalls.
63.109.88.104 - 63.109.88.111
63.102.181.0 - 63.102.181.255
And On the Other Other Hand.. Don't forget that people at Quova like myself can read. If there are any issues that any of you are facing you can send an e-mail to abuse@quova.com or even concerns@quova.com. Remember, a DoS attack is illegal.
Quitters Never Win, Winners Never Quit, But Those Who Never Win AND Never Quit Are Idiots. F#@cK tHe BoZoS!
Hooray! Hooray! Good points. I think people that freak over non-abusive portscans are *way* too anal. If you set up a good firewall (or any security system for that matter) you should be laughing at the people that are portscanning you. In addition, people that freak over portscans are usually just doing the blowfish thing. Pretending they are a really big fish when really they are scrawny and weak. So in conclusion, pissed about portscans? Get the hell off the net!
:)
JOhn
P.S. If you can give me valid reasons to be pissed about portscans and prove your point I would be all ears. Don't just say "cuz someone formatted my drive". Give details!
Campaign for Liberty
A ping and traceroute would be the first step at automating a more detailed investigation. If you're trying to get accurate information, in a timely manner (like a business would want to do), you'd want to target any further probing at active IP addresses. I believe the article mentioned that they were looking for more "stealthy" methods to continue their probing. This implies that they are not done yet, and may initiate more intrusive probes in the future. I believe this is what is so concerning to people - it is to me!
I AM, therefore I THINK!
They didn't say they wanted to hack through firewalls, just not be detected by them. There is a big difference. If you are reaching out and touching tcp port 80 on a webserver, to see if it is there, you probably won't get noticed by a firewall, it is when you do it to 254 different addresses that you might raise an eyebrow (though unlikely with current network security skillsets). He wants to be able to do just that, reach out and verify that there is something there without anyone knowing (this can be extended to include traceroutes and other mapping techniques). Not exactly cracking into a site if you ask me.
Casca
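The "254 different addresses might raise an eyebrow" threshold above is exactly what a sweep detector checks. As an added example that is not from the thread, the Python below parses constructed ipchains-style kernel log lines (the format, the year and the thresholds are assumptions), counts the distinct hosts each source sends ICMP echo requests to inside a time window, and marks sources inside the two netblocks quoted from ARIN earlier in the thread.

```python
import re
import ipaddress
from collections import defaultdict
from datetime import datetime

# Netblocks quoted from the ARIN whois output earlier in the thread.
KNOWN_SCANNER_NETS = [
    ipaddress.ip_network("63.109.88.104/29"),
    ipaddress.ip_network("63.102.181.0/24"),
]

# ipchains (Linux 2.2) kernel log line as syslog writes it (assumed format).
# For PROTO=1 (ICMP) the two "port" fields carry ICMP type and code instead.
LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ kernel: Packet log: "
    r"(?P<chain>\w+) (?P<action>\w+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sfield>\d+) (?P<dst>[\d.]+):(?P<dfield>\d+)"
)

# Constructed sample log: an eight-host sweep from inside the /29 above,
# repeated pings of one host from elsewhere, a three-host probe below the
# threshold, and an unrelated TCP SYN that the detector must ignore.
SAMPLE_LOG = """\
Jul 17 10:15:01 gw kernel: Packet log: input DENY eth0 PROTO=1 63.109.88.105:8 10.0.0.1:0 L=84 S=0x00 I=0 F=0x0000 T=64
Jul 17 10:15:02 gw kernel: Packet log: input DENY eth0 PROTO=1 63.109.88.105:8 10.0.0.2:0 L=84 S=0x00 I=0 F=0x0000 T=64
Jul 17 10:15:03 gw kernel: Packet log: input DENY eth0 PROTO=1 63.109.88.105:8 10.0.0.3:0 L=84 S=0x00 I=0 F=0x0000 T=64
Jul 17 10:15:04 gw kernel: Packet log: input DENY eth0 PROTO=1 63.109.88.105:8 10.0.0.4:0 L=84 S=0x00 I=0 F=0x0000 T=64
Jul 17 10:15:05 gw kernel: Packet log: input DENY eth0 PROTO=1 63.109.88.105:8 10.0.0.5:0 L=84 S=0x00 I=0 F=0x0000 T=64
Jul 17 10:15:06 gw kernel: Packet log: input DENY eth0 PROTO=1 63.109.88.105:8 10.0.0.6:0 L=84 S=0x00 I=0 F=0x0000 T=64
Jul 17 10:15:07 gw kernel: Packet log: input DENY eth0 PROTO=1 63.109.88.105:8 10.0.0.7:0 L=84 S=0x00 I=0 F=0x0000 T=64
Jul 17 10:15:08 gw kernel: Packet log: input DENY eth0 PROTO=1 63.109.88.105:8 10.0.0.8:0 L=84 S=0x00 I=0 F=0x0000 T=64
Jul 17 10:15:09 gw kernel: Packet log: input DENY eth0 PROTO=1 192.0.2.7:8 10.0.0.1:0 L=84 S=0x00 I=0 F=0x0000 T=64
Jul 17 10:15:10 gw kernel: Packet log: input DENY eth0 PROTO=1 192.0.2.7:8 10.0.0.1:0 L=84 S=0x00 I=0 F=0x0000 T=64
Jul 17 10:15:11 gw kernel: Packet log: input DENY eth0 PROTO=1 192.0.2.7:8 10.0.0.1:0 L=84 S=0x00 I=0 F=0x0000 T=64
Jul 17 10:15:12 gw kernel: Packet log: input DENY eth0 PROTO=1 63.102.181.9:8 10.0.0.1:0 L=84 S=0x00 I=0 F=0x0000 T=64
Jul 17 10:15:13 gw kernel: Packet log: input DENY eth0 PROTO=1 63.102.181.9:8 10.0.0.2:0 L=84 S=0x00 I=0 F=0x0000 T=64
Jul 17 10:15:14 gw kernel: Packet log: input DENY eth0 PROTO=1 63.102.181.9:8 10.0.0.3:0 L=84 S=0x00 I=0 F=0x0000 T=64
Jul 17 10:15:20 gw kernel: Packet log: input DENY eth0 PROTO=6 198.51.100.4:40001 10.0.0.1:80 L=60 S=0x00 I=0 F=0x4000 T=64
"""


def parse_line(line, year=2000):
    """Return a dict for a recognised ipchains log line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # syslog omits the year, so one is assumed purely for ordering
    rec["time"] = datetime.strptime(f"{year} {rec['ts']}", "%Y %b %d %H:%M:%S")
    for key in ("proto", "sfield", "dfield"):
        rec[key] = int(rec[key])
    return rec


def is_echo_request(rec):
    # ICMP (protocol 1) with type 8 = echo request, i.e. a plain ping
    return rec["proto"] == 1 and rec["sfield"] == 8


def in_known_scanner_nets(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in KNOWN_SCANNER_NETS)


def detect_sweeps(lines, window_seconds=60, min_hosts=5):
    """Flag each source that pings at least min_hosts distinct hosts within the window."""
    pings = [r for r in map(parse_line, lines) if r and is_echo_request(r)]
    by_src = defaultdict(list)
    for rec in pings:
        by_src[rec["src"]].append(rec)
    alerts = []
    for src, recs in by_src.items():
        recs.sort(key=lambda r: r["time"])
        best, start = None, 0
        for end in range(len(recs)):
            # advance the window start until the span fits in window_seconds
            while (recs[end]["time"] - recs[start]["time"]).total_seconds() > window_seconds:
                start += 1
            targets = {r["dst"] for r in recs[start:end + 1]}
            if best is None or len(targets) > best["distinct_hosts"]:
                best = {"src": src, "distinct_hosts": len(targets),
                        "known_scanner_block": in_known_scanner_nets(src),
                        "first": recs[start]["time"], "last": recs[end]["time"]}
        if best["distinct_hosts"] >= min_hosts:
            alerts.append(best)
    return alerts


if __name__ == "__main__":
    for alert in detect_sweeps(SAMPLE_LOG.splitlines()):
        print(alert)
```

Tune window_seconds and min_hosts to the size of the subnet behind the firewall; a slow scanner that spaces probes further apart than the window will not trip it, which is the "below the radar" goal the article quotes.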
Babykong dun said:
Actually, this can vary from not only state to state but from county to county and even city to city or township to township.
Most notably, here in Kentucky if anyone goes knocking on all the doors in an area where it is marked "POSTED NO TRESPASSING" (yes, there is actually a legal status to a "posted" No Trespassing sign--you actually register it with the county courthouse) or in areas with "No Soliciting" ordinances, they can quickly find themselves taken to the county jail and charged with trespassing. Yes, this even applies to Girl Scouts/Girl Guides, Jehovah's Witnesses, those annoying folks selling magazines, etc. Literally the ONLY things that "No Soliciting" ordinances don't cover are census workers and police with warrants; I'm not entirely sure that even census workers are allowed on posted property (I think they may have to actually get police escort or a warrant to perform census to legally go on the land without permission of the landowner).
For the record, yes, I not only am part owner of property that is "posted" but live in an apartment complex with a "No Soliciting" rule. Yes, I do have people removed who are trespassing and/or soliciting without my permission (as it is, in my area the Girl Scouts generally don't go door-to-door both out of safety concerns and because a lot of apartments and even entire communities have "No Soliciting" ordinances--they sell outside grocery stores and to family members and friends of family). :)=
-Windigo The Feral (NYAR!)
The funniest thing is that I interviewed with them prior to posting to that site (in fact, I suggested that site!) and warned them that what they were proposing could be misinterpreted as an attack. I pointed them to the then-recently completed Internet Security Scan.
I don't think they believed me.
I passed on the job for other reasons, and unless they've gone off into a wildly different direction in the past 6 months or so they really do need a lot of data and they really are attempting to extract innocuous information. But I can't talk about it, sorry!
For every complex problem there is an answer that is clear, simple, and wrong. -- H L Mencken
Just a note,
I've been in contact with Digiweb (an Interliant company).
Just FYI, the scans are not coming from them. Their website is simply hosted there. But in response and to avoid security "problems", the site has been taken down. Gotta love security precautions
So for now, at least they can't spread anymore of their corporate mumbo jumbo
Also it appears the DNS is in the process of changing. We're seeing odd IP changes here (I'm right off the Digiweb network) so it appears they are moving the site.
Any info on the source of the IP scans would be appreciated.
I may be a little out of date here--been a while since I did any networking--but most people are surprisingly ignorant about SNMP. On your own network, you should be able to use SNMP queries to retrieve the routing tables from routers. In addition many people forget to lock down this protocol on their network, so you can poll them as well. The amount of information you can get this way is astounding. Applications like Cabletron's Spectrum and HP Openview use this protocol to manage networks. There's even a couple of good free tcl/tk based solutions out there. As far as the ethics go, routers have to share routing information or the Internet doesn't work, so what's the problem with collecting this information? The only practical problem with trying to map the Internet is memory and disk space.
Gack! The comparisons to real life are killing me.
-legolas
i've looked at love from both sides now. from win and lose, and still somehow...
You had the same idea as I did but you posted it before I could. When I ran nmap on them I got the response that the site 'appears to be down'. Would adding '127.0.0.1 www.quova.com' to the hosts file stop them from getting the response they are looking for? At some point in the future Quova will have to sell the data that they are collecting. How are they going to keep what they have a secret after they start that activity?
zenray
ICBM address n.
(Also `missile address') The form used to register a site with the Usenet mapping project, back before the day of pervasive Internet, included a blank for longitude and latitude, preferably to seconds-of-arc accuracy. This was actually used for generating geographically-correct maps of Usenet links on a plotter; however, it became traditional to refer to this as one's `ICBM address' or `missile address', and some people include it in their sig block with that name. (A real missile address would include target elevation.)
Borrowed from the Jargon File: hopefully attributing it will stop ESR shooting me...
--
Cheers
Jon
... about how long it'll take until 205.177.226.233 becomes a DeCSS mirror? Or worse: until sysadmins will actually have a very good reason for getting their panties in a knot about packets from 205.177.226.233 . Oh gawd, and to make matters even worse, it's Friday!
Say no to software patents.
Yeah, so how many millions of people are coming from Dulles,VA (home of AOL)?
I like your analogy.
But it leaves me wondering about those roads with no gate, but the sign, "Private Road - no trespassing" on them. They don't receive town snowplowing, and are usually (though not always) unpaved.
What's the net analog to Private Roads?
This discussion makes me wonder if their "No Trespassing" is as toothy as a pre-UCITA shrink-wrap license.
The living have better things to do than to continue hating the dead.
Something I thought of when I was reading the original article is this... Often when I do a traceroute I notice the ISP routers will often be named with geographic names.. perhaps they are gathering a database that will allow banner ads with regional flavor and maybe even different languages. It won't be a perfect system but it will be 'better' to advertisers than the data they have now. IMHO I don't think it's a big deal. They are running ping and traceroute only, which is not at all invasive and quite easy to block, and not very intrusive from a security standpoint. If they were port scanning then I might be worried about it, but this really seems like a lot of hype over nothing.. I bet it wouldn't have made it to slashdot if they weren't associated with marketing technology..
my god that is scary. To think that the freaks that idly entertain me are somewhat important.
ack!
And damnit, I really want them to make FudgeBunny.
"A good programmer is someone who looks both ways before crossing a one-way street." - Doug Linder
just add them into your firewall and they won't bother you......
-- http://electronicintifada.net --
they're pissing off sysadmins to draw sysadmins (looking for a place to complain) to their website which will be a sysadmin portal....
I consider pinging my system to be the electronic equivalent of looking at my house to see if it is still there.
Portscanning though...that's jiggling your front doorknob and all of your windows.
0x or or snor perron?!
.. they have only innocent intentions?
Really, the company has obviously gone to great pains, and spent quite a lot of money (e.g. the part about "our attorneys carefully crafted" a generic service category). Why would somebody spend so much money, time and effort on something that is, as they claim, completely innocent?
If it's so innocent why is nobody allowed to know?
What's more likely, I think, that some company (or a group of companies) organized this to conduct research into viability of something. As an arbitrary example :), a company like Microsoft would probably find this data immensely useful for their .NET intentions - it would effectively tell them how viable .NET is at this point in time. By repeating the survey every year or two, they can determine when the best time would be to start shovelling .NET down everyone's throats.
This is just one example though. Telecommunications providers like MCI etc would probably also find data like this very useful, as it would tell them where good growth markets are and where to focus development and marketing. This sounds valid, but then keeping it secret would have no benefit.
They're pinging everything to see what's out there? Well. I think we should show them. Make it easier for them and all that.
:)
Everybody ping them back and run traceroutes to their systems.
Go on, ping www.quova.com today.
Government of the people, by corporate executives, for corporate profits.
perhaps we should submit this comment to f2k and then they will make the SOMAD?
No. That will make DNS lookups for that hostname return 127.0.0.1, but your system will identify them by IP address rather than hostname, and they probably wouldn't be scanning from the Web server anyway. Remember, the hosts file is not a firewall; merely a way to locally override your DNS server.
--
$x='S24;r)>63/* h@<5+oZ)32"5cz';$me='phroggy'x$];
$x=~y+ -xz+\0-Tx+;print$_^chop$me for split'',$x;
It is perfectly legal to go through a neighborhood and knock on doors to see who answers. In fact, it's called market research. Most state laws consider this a right of easement.
:)
As long as the ICMP packets are normal and not maliciously malformed so as to either do a DOS or get more information than ICMP was designed to give. Then I don't have a problem with it.
That is why I have a network inside my firewall which you can't ping, and a network outside my firewall, provided by my company for public access, which you can ping.
Hosts on the Internet are there for public access; the internet is a public place. Use of these tools is designed to improve that access, which is apparently what this company is trying to do.
ON THE OTHER HAND.
Might be fun to play with a gentle (not a DOS, throttle it back a little) Nmap scan on THEIR network. Since they are in stealth mode, they can't complain very loud
Question Reality
The post to which this is replying has the proper links. Our friendly karma whore's /. reference is good, but the link to the paper isn't. The AC's posted great links. Modding 'em up would help.
Okay, bad form following up to my own post, but...
Got more info from the Service Metrics pages:
The difference appears to be that Service Metrics pitches its data collection services to contracted customers, then monitors those clients. Quova is mapping the space now, and will probably use the traceroutes to figure out the best virtual places to put similar agents for a similar service.
thankfully, the great rosie_bhjp has spoken.
--
Wooden armaments to battle your imaginary foes!
I'm not sure it even gives you that information.
Well, if you get a ping back, you know they're "not blocking ping packets" ; )
But your point is definitely valid; from the standpoint of ping (or traceroute), there's no difference between a system that is blocking certain packets and one that has bought the farm. You're probably right that that information can be extracted somehow, but it would take more work. And it reinforces the idea that the threat posed by these guys pinging and tracerouting random systems poses roughly as much danger as a wrong number on the telephone ("Some stranger knows my phone number works! Run!").
"Sweet creeping zombie Jesus!"
Your tragic misspelling of "please" has tainted the Matrix. Your question is therefore REJECTED!
Yes, but this is the info everyone wants!
Too bad they don't seem to know how to secure their DNS server!!
(It's also too bad <pre> tags don't work)
> ls -d quova.com
[ns1.quova.com]
$ORIGIN quova.com.
@ 1D IN SOA ns1 hostmaster (
2000062901 ; serial
1H ; refresh
15M ; retry
2W ; expiry
1D ) ; minimum
1D IN NS ns1
1D IN A 208.37.145.34
1D IN MX 10 mailhost
1D IN MX 20 imail
1D IN MX 30 mail.DIGIWEB.com.
pophost 1D IN A 208.37.145.37
cgi 1D IN A 206.161.225.46
fw 1D IN CNAME @
mailhost 1D IN A 208.37.145.36
mail 1D IN CNAME mailhost
www 1D IN A 205.177.226.233
chat 1D IN A 206.161.237.88
imail 1D IN A 207.226.255.43
ns1 1D IN A 208.37.145.35
ftp 1D IN A 64.41.164.58
@ 1D IN SOA ns1 hostmaster (
2000062901 ; serial
1H ; refresh
15M ; retry
2W ; expiry
1D ) ; minimum
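The listing above came out of a plain zone transfer (nslookup's ls command issues an AXFR), which only works because the server hands its whole zone to any client that asks. As an added example that is not from the thread or from Quova's own setup, here is a BIND named.conf fragment with the permissive default beside the restricted form; the zone file name and the secondary's address 192.0.2.2 are placeholders, and the two options blocks are alternatives, not meant to coexist in one file.

```conf
// EITHER: permissive. With no allow-transfer statement, BIND 8 and early
// BIND 9 answer AXFR from any host, which is what the listing above shows.
options {
    directory "/var/named";
};

zone "quova.com" {
    type master;
    file "db.quova.com";              // placeholder file name
};

// OR: restricted. Refuse transfers globally, then allow only the secondary
// (192.0.2.2 is a placeholder) for this zone. Ordinary lookups still work.
options {
    directory "/var/named";
    allow-transfer { none; };
};

zone "quova.com" {
    type master;
    file "db.quova.com";
    allow-transfer { 192.0.2.2; };
};

// Check from a host that is not the secondary:
//   dig @your-nameserver quova.com AXFR
// should now report "Transfer failed." instead of listing every record.
```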
Very few script kiddies are stupid enough to run port scans off their own machines (I'm going out on a limb here). I've found that most scans originate from compromised hosts. By calling/emailing the owners I let them know their site has been hacked. About a quarter of replies thank me for discovering a script kiddie.
Ryan
People are saying that all this can be used to get surfers' habits, well I thought that most of the people that use the internet are either surfers that are on Dialup accounts where their IP address changes each time they login or they are behind a firewall/masquerade that will give incorrect information.
Wouldn't that mean quite a lot of their research is incorrect?
For instance I use my dial up account, I get given an IP, I go do a bit of browsing, at Amazon, PCBware.co.uk etc. A person logs on after I have logged off and is using the same IP addr. but he goes and looks at porn. This means that their info they may have gathered is definitely incorrect. The same is applicable if you are on a large network that employs masquerading.
Personally what I think they could be using this for is to see which parts of the Internet are fastest and slowest; they can then use this to sell to ISPs, large companies etc. I mean why would they traceroute/ping things, because you can't get information about my habits (this is what some people seem to be suggesting here).
-
As cunning as a fox, which has just been appointed professor of cunning at Oxford University. http://www.kinlan.co
This little publicity stunt (which seemingly has little to do with their focus .. maybe I'm wrong) is a good garnerer of attention in that tight marketplace of Silicon Valley.
I wonder exactly how well this is going to translate into future earnings potential?
Perhaps in a short while when their VC funding dries up we will all be reporting them to fsckedcompany.com instead of /.
Here's the link:
http://www.forum2000.org/matrix/forum_std_answers?cookie=numbered&lm=962917762
check out the recent questions.
it's a true story, too. I have some weird friends.
"A good programmer is someone who looks both ways before crossing a one-way street." - Doug Linder
Very interesting -- cause I randomly tried an FTP to the box and it turned up as an NT workstation.
However, one of them was an ADSL connection from pacbell -- I wonder how this puppy works and why we haven't heard from CERT yet...--
Wooden armaments to battle your imaginary foes!
Never knock on Death's door:
The Anti-Blog
My bad...read rosie's post. 911 worm...
--
Wooden armaments to battle your imaginary foes!
TCP packets are at least 40 bytes. :)
So that's a whopping 40k
Where'd you get 32 bits from?
---
I am the dot in slashdot.org
I'm by no means an expert, but I seem to recall, having blocked ICMP packets, that this does not affect traceroute, which I have also previously been told does not use ICMP.
Are you sure?
Thanks!
Yeah, I'm replying to myself, but to clarify, all this information is incorrect in my post.
Unfortunately, the correct information is not as highly moderated, so no one will see it. This should be moderated down to like a 1, and the correct post in this thread moderate up.
It's hard to believe that this would get so highly moderated, but I guess the moderators don't bother to read half the crap they moderate.
No sig is worth reading.
All he was saying was that conducting massive scans on other peoples networks without providing a reason is considered bad practice.
Well, no. I was under the impression that he was making a stronger point. I understood him to mean that portscanning is a BAD THING, that people shouldn't be doing it, and those who do and are caught should be punished in some way. In other words, he was basically arguing for making portscanning illegal in some way.
And my point, spelled out in simple words, is that people in positions of authority and responsibility (e.g. sysadmins) dislike stuff which makes their life more complicated (e.g. portscanning) and often are inclined to make this stuff forbidden/illegal -- just to make their life easier. I don't think this is a good reason. I don't think that poking at a network is a harmful action that should be punished. Granted, it is a frequent prelude to an attack, but that by itself is not a good enough reason to outlaw it. And the increase in the sysadmins' stress level is not a good reason, either.
Kaa
Kaa
Kaa's Law: In any sufficiently large group of people most are idiots.
People are blowing this way out of proportion. So they are ping scanning the internet. Who cares. They are not hurting anyone by finding out if a machine is up or not.
The fears of malicious intent are also blown way out of proportion. People have said if they don't have any ill intent, why are they doing it so secretly. Read these posts, it's fairly obvious: because you get lots of idiots that get all paranoid about people portscanning them. Doing it secretly possibly reduces the number of people who go crazy because they think they are under attack.
There are a lot of legitimate uses for this data. For one, internet topology maps. There are multiple internet mapping websites that scan the internet and create graphs and maps of the data they find. Statistics are very valuable, and it helps governments and companies to make decisions based on internet usage in certain areas. Two, like mentioned before, they could possibly be using the information to find geographic locations with high latency. With this information companies can best locate servers to provide the fastest speed to their customers.
Basically everyone needs to loosen up. IF they were running a vulnerability scan on your network, that is one thing to get upset about. That is still perfectly legal, and they could do that if they wish. But they are not; they are tracerouting and portscanning.
Jeff Knox
They won't be scanning EVERYONE
i just added their IP address range as a DROP rule to my company's ipchains configuration. we can no longer view their web page, and they can no longer ping or traceroute us. we will appear dead to them.
i encourage the rest of you to do the same until we know what happens to this information. remember, the human genome is patented (by the company across the street from me, celera!) so i'm pretty sure the "web genome" or "web topology" could be patented too... think about it...
--
What happens when you outlaw guns
Hi to the user at 141.204.214.xx (last digits removed for security) who had a glance around my websites from my page link in this thread about half an hour ago ...
.. just have some sort of logging for unknown hosts and know what part of your system is available to the public and what isn't.
.. now that's what marketing people REALLY want to do .. not ping and traceroute networks. As many people pointed out, that's pretty worthless information.
.. in the right hands it's just interesting.. in the wrong hands it's scary.
No that's not meant to intimidate people, I think that's just a case in point for people that like to know what's going on
Of course this works both ways... I was able to see which pages this particular (very welcome in this case) visitor was looking at and in what order
Fortunately I am not one of them and I maintain a fairly comprehensive website logging just because:
a) I felt like it
b) I wanted to play with PHP and MySQL
c) I love knowing how people find my pages and what they actually find of interest about what I like to put on the web
Of course c is closest to what the 'marketroids' want
--
Delphis
My guess is they are building a database of all information they can get their hands on. If you check the web site, they are looking for database developers with experience. From the web page:
;)
"You must be a professional and able to communicate on all levels of business. Technical skills are Internet and RDBMS technologies, including XML, C++, UNIX, client-server applications, RDBMS applications, middleware applications, and 3-tiered architectures. Experience with schema design and deployment, application development, and database tuning desired, in an Oracle 8 and Oracle 8i environment. "
I don't like the sound of them operating in "stealth mode". There could be some privacy issues that they might be violating. I wonder what they do when they don't find a firewall or other security protection. I think they need to come clean sooner rather than later.
Another possibility is they may be trying to map the most efficient ways to get from point a to point b at certain times. The way it is described, it seems that this could be used to build a map of the web itself. I don't know what they would use it for. If you put all the information you'd get from this into a database, you can easily start to analyse the patterns.
Either way, I don't like it. I won't like it until they come clean. Maybe this is another Microsoft company trying to get info on us.
At the next eco-hypocrisy-meeting, count the private jets used to get to the meeting. Should be interesting to see that
I got different information from ARIN.
For Mountainview, CA I got the range 63.102.181.0-63.102.181.255, and for Westminster, CO I got 63.109.88.104-63.109.88.111. These are both through UUNet.
A dig at their secondary nameserver yielded 8 distinct IPs of presumably colocated machines:
208.37.145.34-208.37.145.37
206.161.255.46
206.161.237.88
207.226.255.43
61.41.164.58
The four contiguous IPs in the above list do come from Concentric, as wholesomegrits noted. However, the range in that comment is the entire range of IPs that Concentric owns; as far as I can tell, only the above four out of Concentric's range are being used for Quova servers.
The next three IPs (206. and 207.) belong to CAIS.
The last one belongs to APNIC.
Happy firewalling.
If you change the phrase 'comparatively few' to 'effectively zero,' your statement was correct. Battling the 'it's difficult to determine and update lat/long and not worth it' problem, as well as the 'it's proprietary information where our boxes are at' problem means that DNS LOC is doubtful to be useful.
This is just the market evolving. Back in the Phrack days hackers had to get arrested first, then when they got out a company would offer them a sweet job. A couple of years ago a bunch of hackers began calling themselves 'white hat' and started their own security consulting firms. This latest stage allows the lowly script kiddies a shot at going legit.
Icebox
When I get portscanned, I usually take notice, but presuming they wander off after finding no ports open they can sploit using their rootkit of the day, I ignore it. If, when reading logs, I see patterns of attempts, I usually rDNS them back, see if it's my ISP scanning me, or some kiddie, and deal with it as appropriate. A portscan is a portscan, and if your system's well configured and proactively patched, nothing to worry about. Repeated activity and explicit port-specific probes are something to investigate.
Returned Peace Corps IT Volunteer
Think fool, Think.
Quova.com != Quova.net
---
--
Insert Witty Sig Here
The point is they don't *have* to tell us. It's much like a person calling on your phone and then, when you answer, hanging up, with that nice "No Data Sent" ID.
Sure it's rude, but there's nothing bad about it. At least we know where it's coming from, and you can take steps to make sure it doesn't happen anymore.
Javascript is a security hole you idiot, cookies are just a privacy violation. Try here and here for more info.
I setup something like this once, to see if I could measure the size of the internet.
What I did was generate IP addresses randomly .. then ping them. By calculating the ratio of valid responses against attempted IP's I could see what proportion of the IP space was in use.
I did get some irate responses .. so I abandoned the whole thing, but it was interesting; one of the statistics I found was that 57% of IPs, in my test, were running a web server.
Steve
---
A Forum2000 reference on /.... Wow. I'm feeling happy. And with a MST3k reference just a few weeks back, this is just that much more special. Besides, I had some spare mod points laying around. =)
For those of you not in the know, check out www.forum2000.org. It's great.
"A good programmer is someone who looks both ways before crossing a one-way street." - Doug Linder
Yeah, and I consider that a bug. Every time a telespammer hits me, I call the phone company and ask to order a phone that only allows authorized numbers to call it -- i.e., an "opt-in" phone line. They tell me there's no such thing. I tell them to make one, and while they're at it, start charging to LIST your number in the phone book instead of charging you to NOT list it.
Fuck Slashdot
All the people that replied to the above comment failed to notice that the 0.5 second timing is for a single thread to ping a host and has nothing to do with available bandwidth.
A single host with several thousand simultaneous threads scanning hosts in "parallel" would easily manage the entire address range.
My goodness, aren't we all so dumb not to have thought of this?
--
Jon.
http://www.jonmasters.org/
Something like a year or two ago something really similar was done. A group of people had gotten together and decided to survey the 'net on security. They did this, as I recall, by doing your standard ping/traceroute/portscan for just about anything. IIRC, they also 'tested' to see if the then 10 most common exploits were vulnerable.
Two interesting things came about from this. One, of course, was the results. Only something in the vicinity of 12% of their search space was 'secure' by their tests. .com's and .gov's were the most vulnerable, as well.
The second was the people they pissed off. Scr1pt K1dd13s DoS'd once or twice. Some network admins sent an e-mail asking why portscans had come from that domain. Others threatened legal action and had 'sent logs to the FBI.' And then there was this one guy... I can't even do him justice, but in .7 seconds he'd fscked their systems like you wouldn't believe.
Anyway, it wouldn't surprise me to find that something similar was happening again. I've got no problems with my box being probed. Honestly, if you freak at a portscan, you're a little paranoid.
Oh, and hey... some karma whore go dig that link up. May very well have been from this site ;)
I consider pinging my system to be the electronic equivalent of jiggling my front doorknob to see if the door will open: Is it "fair use" of my front door?
Are they jiggling your doorknob, or your gate? These analogies are not always good.
ICMP is a network service: it could be argued that as a network service, it is common, across-the-board infrastructure, and it's like the road that comes up to your front gate. Anything above the network layer (transport layer, session layer, application layer, etc.) is the analogy to your doorknob. TCP and UDP ports are private property to your system, but IP is your contract with the rest of the network. No one else on the network needs to run TCP or UDP, but everyone must run IP or you can't communicate. Therefore, IP is on the boundary of public/private property and is a gray area.
If they started scanning your TCP or UDP ports, then it's time to get annoyed. I still see a valid concern about touching your IP, but I think that is a similar concern to the problem we have with direct junk mail. Perhaps the solution is to eventually have any of these IP scanners abide by some kind of fair use agreement (like web spiders), so that you can deny them access.
-- Matthew - matthew.gream@pobox.com, http://matthewgream.net
This could be some effort to make some performance maps for the internet. There were quite a few academic projects that tracerouted quite a lot of hosts, to get some performance data.
...
...
In fact I am writing my master's thesis about something similar right now, but active network probes (like traceroute) consume too much bandwidth to be useful in performance monitoring.
A strange thing is that they only traceroute from their hosts. IIRC I read some paper (about 2-3 years old) that stated that they used about 120 public traceroute servers.
Samba Information HQ
So they want to be able to run their scans and not look like attacks...
Conceivably, isn't that *also* the same goal any well educated cracker/hacker has? Not that I know, since I am neither, but being able to observe without arousing suspicion is pretty important, isn't it?
In which case, wouldn't the goal of security experts be to be better able to discriminate between a dangerous scan and a harmless inquiry? So unless Quova has a clearly nondangerous fingerprint, won't they always be triggering alarms as hacks/cracks start using similar techniques?
-AS
-AS
*Pikachu*
I find it disturbing that this is one of Quova's goals, coupled with the fact that they won't reveal what their service is. Does he mean that his goal is to hit servers across the Internet without being detected?
Scary.
Attention all planets of the Solar Federation! We have assumed control! - Neil Peart
It seems to me that comparing computers to houses and network interfaces to doors on Slashdot is just totally stupid. OK, maybe if you're a reporter writing for the general public, it can be helpful in giving non-technical readers some vague idea of what terms like 'ping' and 'portscan' mean, but for people who already understand how networks work, it doesn't help. It doesn't clarify anything and it exaggerates the seriousness of the situation.
--
Fuck the system? Nah, you might catch something.
I don't take offense to someone (quova or someone else) pinging my machines/network. It's a public network. How many of us, upon setting up a new machine on a network, type 'ping www.yahoo.com' to see if everything is cool?
Now...if you do anything besides a ping (and/or) traceroute, or you do it repeatedly, I'm going to get suspicious.
Karma only matters to me now and zen.
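The triage rule in the two posts above (a one-off ping or traceroute is ignored; repeated activity and probes aimed at specific ports get investigated) applied to firewall logs. This is an added example, not code from any poster; the log lines are constructed in ipchains "Packet log:" style, and the thresholds and the traceroute port range are assumptions.

```python
import re
from collections import defaultdict

# Thresholds are assumptions; tune them to your own traffic.
REPEAT_THRESHOLD = 20                   # pings/traceroutes from one source before "repeated"
PORT_SCAN_MIN_PORTS = 5                 # distinct TCP/UDP ports hit before "port scan"
TRACEROUTE_PORTS = range(33434, 33535)  # UDP ports used by classic Unix traceroute
ICMP_ECHO_REQUEST = 8

# ipchains logs ICMP packets with the type in the source "port" field and the
# code in the destination "port" field; TCP/UDP entries carry real ports there.
_PKT = re.compile(
    r"Packet log: (?P<chain>\w+) (?P<verdict>\w+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) (?P<src>\d+(?:\.\d+){3}):(?P<sport>\d+) "
    r"(?P<dst>\d+(?:\.\d+){3}):(?P<dport>\d+)"
)


def classify_packet(line):
    """Return (src, kind, dport) for one log line, or None if it is not a packet
    log entry. kind is 'ping', 'traceroute', 'icmp-other' or 'probe'; dport is
    only set for 'probe'."""
    m = _PKT.search(line)
    if m is None:
        return None
    proto, src, dport = int(m["proto"]), m["src"], int(m["dport"])
    if proto == 1:
        icmp_type = int(m["sport"])
        return src, ("ping" if icmp_type == ICMP_ECHO_REQUEST else "icmp-other"), None
    if proto == 17 and dport in TRACEROUTE_PORTS:
        return src, "traceroute", None
    return src, "probe", dport


def summarize(lines):
    """Aggregate per source address and apply the triage rule: ping/traceroute
    only -> ignore unless repeated; anything aimed at a specific port ->
    investigate; many distinct ports -> port scan. (Reverse DNS of the flagged
    sources, as the post suggests, is the natural next step.)"""
    per_src = defaultdict(lambda: {"ping": 0, "traceroute": 0,
                                   "icmp-other": 0, "probe": 0, "ports": set()})
    for line in lines:
        hit = classify_packet(line)
        if hit is None:
            continue
        src, kind, dport = hit
        per_src[src][kind] += 1
        if dport is not None:
            per_src[src]["ports"].add(dport)

    verdicts = {}
    for src, s in per_src.items():
        recon = s["ping"] + s["traceroute"] + s["icmp-other"]
        if len(s["ports"]) >= PORT_SCAN_MIN_PORTS:
            verdicts[src] = "port scan: investigate"
        elif s["probe"]:
            verdicts[src] = "port-specific probe: investigate"
        elif recon >= REPEAT_THRESHOLD:
            verdicts[src] = "repeated ping/traceroute: investigate"
        else:
            verdicts[src] = "ping/traceroute only: ignore"
    return verdicts


def _line(proto, src, sport, dst, dport, flags=""):
    """Build one constructed ipchains-style log line (sample data, not a real log)."""
    return (f"Jul  7 02:13:01 gw kernel: Packet log: input DENY eth0 PROTO={proto} "
            f"{src}:{sport} {dst}:{dport} L=60 S=0x00 I=1 F=0x0000 T=60 {flags}(#1)")


TARGET = "198.51.100.10"   # constructed address from the documentation range
SAMPLE_LOG = (
    # one ping and one traceroute probe from the same host
    [_line(1, "203.0.113.7", 8, TARGET, 0),
     _line(17, "203.0.113.7", 40125, TARGET, 33437)]
    # SYNs to seven different ports from one host
    + [_line(6, "192.0.2.66", 3210 + i, TARGET, p, "SYN ")
       for i, p in enumerate((21, 22, 23, 25, 80, 110, 143))]
    # three UDP packets aimed at port 53 only
    + [_line(17, "192.0.2.99", 5000 + i, TARGET, 53) for i in range(3)]
    # 25 echo requests from one host
    + [_line(1, "203.0.113.200", 8, TARGET, 0) for _ in range(25)]
    # an unrelated syslog line that must be skipped
    + ["Jul  7 02:20:00 gw sshd[311]: Accepted publickey for ops from 192.0.2.5"]
)

if __name__ == "__main__":
    for src, verdict in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{src:16} {verdict}")
```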
If the portscan is successful (they find an exploitable port) and they use it, then that is similar to someone finding an open window on your ground level and entering rather than warning you or walking by. Though the reason for anger is more of the "how could I be so dumb!" sort, it is still an anger. So - when I see people sneaking around in my backyard, I tend to ask them to leave.
Stop the brainwash
They should have just done a search on Google for their data... here are some interesting resources for people interested in the layout of the internet, in no particular order:
http://www.mids.org/mmq/603/big/intrworld.html
M.I.D.S. = Matrix Information and Directory Services
http://www.cs.bell-labs.com/who/ches/map/gallery/index.html
Internet Mapping Project
I remember there was this java map of traceroutes completed from various hosts, can't seem to find it though.
witty sig goes here
SecurityFocus notes that the Quova service mark is registered at the USPTO for "providing demographic, geographic and psychographic information to others."
SecurityFocus also paraphrases Quova CEO Bhargava as asserting that the "service mark description is a broad category crafted by company attorneys, and has little to do with Quova's business plan."
Registering a mark whose service description exceeds the actual services provided can result in that mark being invalidated by the PTO. In other words, it's illegal.
Sounds to me like Quova is being disingenuous here, at best, and trying to pass it off as an inevitable result of their secrecy or their lawyers' overreaching. I'm not buying it.
There is absolutely nothing wrong with that. Nothing creepy about it at all, IMHO.
...unless of course they can make money by doing that;)
It's a free country, internet, whatever. Of course people will find bigger and better ways to do "market research". It's all part of the game. I'm a lot less worried about some advert company spying on me than the FBI, Uncle Sam, etc. Companies are more concerned with making money from you than censoring and oppressing you...
Hey,
And it reinforces the idea that the threat posed by these guys pinging and tracerouting random systems poses roughly as much danger as a wrong number on the telephone ("Some stranger knows my phone number works! Run!").
Yeah, but if a company set a machine up to phone up random numbers and, if someone answers, add them to an advertising database correlated by time, for instance, and they woke you up at 5am with a computerized message and automatically hung up, that would be considerably bad etiquette. Most victims would consider it 'annoying', or even 'very annoying'.
I don't think we can pass judgement, or for that matter think up a valid analogy, until we know what the company does. As far as I'm concerned, if they won't tell me what they are doing, I'm going to assume they're doing something bad. The IP ranges they have registered are blocked at my router computer.
Just my $0.02
Michael Tandy
"Goodness me, how unlike the FBI to abuse the trust of the American public." -- The Onion
Btw, does anybody know Quova's IP address range, so that we know what to block?
Say no to software patents.
Nessus Scan Report
Number of hosts which were alive during the test : 1
Number of security holes found : 5
Number of security warnings found : 1
Number of security notes found : 2
List of the tested hosts :
205.177.226.233 :
List of open ports :
Vulnerability found on port www (80/tcp)
- The 'perl' cgi is installed and can be launched as a CGI. This is like giving a free shell to anyone, with the http server privileges (root or nobody).
Solution : remove it from /cgi-bin
Risk factor : Serious
CVE : CAN-1999-0509
Vulnerability found on port www (80/tcp)
- The 'jj' cgi is installed. This CGI has a well known security flaw that lets anyone execute arbitrary commands with the privileges of the http daemon (root or nobody).
Solution : remove it from /cgi-bin.
Risk factor : Serious
CVE : CVE-1999-0260
Vulnerability found on port www (80/tcp)
- The 'glimpse' cgi is installed. This CGI has a well known security flaw that lets anyone execute arbitrary commands with the privileges of the http daemon (root or nobody).
Note that we could not actually check for the presence of this vulnerability, so you may be using a patched version.
Solution : remove it from /cgi-bin.
Risk factor : Serious
CVE : CVE-1999-0147
Vulnerability found on port www (80/tcp)
- The 'Count.cgi' cgi is installed. This CGI has a well known security flaw that lets anyone execute arbitrary commands with the privileges of the http daemon (root or nobody).
Solution : remove it from /cgi-bin.
Risk factor : Serious
CVE : CVE-1999-0021
Vulnerability found on port www (80/tcp)
- 'cgiwrap' is installed. This CGI has a well known security flaw that lets anyone execute arbitrary commands with the privileges of the http daemon (root or nobody).
Solution : remove it from /cgi-bin.
Risk factor : Serious
Warning found on port www (80/tcp)
The 'finger' cgi is installed. It is usually not a good idea to have such a service installed, since it usually gives more troubles than anything else. Double check that you really want to have this service installed.
Solution : remove it from /cgi-bin.
Risk factor : Serious
CVE : CAN-1999-0197
Information found on port www (80/tcp)
The remote web server type is :
Apache/1.3.12 (Unix) PHP/4.0.0 FrontPage/4.0.4.3
We recommend that you configure your web server to return bogus versions, so that it makes the cracker job more difficult
Information found on port general/udp
For your information, here is the traceroute to 205.177.226.233 :
This file was generated by Nessus, the open-sourced security scanner.
Gotta love our ultra-paranoid online culture, eh?
My point: what do pings and traceroutes have to do with psychographics or even demographics for that matter -- Let them draw their network maps and conclusions. Whatever.
On a side note, my firewall has been blocking some NetBIOS attempts over the last few days...
--
Wooden armaments to battle your imaginary foes!
Extending that large egocentric American personal bubble onto the internet I suppose.
cp -R
Howdy
A little more info (at this stage) on 'Quova' from the description of an opening they had for a Senior Network Developer :
http://www.e-oasis.com/rmiug-jobs/1223.html
cheers
front
If this bothers you, there is a way to protect yourself from such things in Linux. At a command line log in as root and type the following line:
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
Now add this line to your rc.local file, so whenever you have to reboot your system you won't have to remember to do it. This line makes it so your system will not respond to ICMP packets, meaning ping and traceroute. I don't know if Windows has a similar feature or not.
---------------------------------------------
Jesus died for somebodies sins, but not mine
"Our products just aren't engineered for security,"
-Brian Valentine,VP in charge of MS Windows Development
Oh, I agree that it would be irritating as hell. But what I was trying to talk about was the security aspect of it; by pinging, they aren't getting any information that isn't publicly available somewhere else. I have no doubt that people are being bothered by it; I don't like it when people call my house (not just sales calls; anyone ; ), but I don't unplug my phone either. The issue (or at least the one I was directing my comment at) was the security and "fair use", as the person I originally replied to put it. I agree that their methods are irritating, but getting pinged or tracerouted is something that happens daily to a lot of systems; I know I've been known to throw a few packets at a host that catches my attention. I don't see a reason why this is more of a cause for concern than those regular Internet events.
"Sweet creeping zombie Jesus!"
As for the stealth part, though, I don't quite see how they'll ``fly stealthily beneath the radar of firewalls and intrusion detection systems'' unless they have some truly `1337 TCP/IP h4x0rs at their site. :-)
-pf
Make affiliate bucks
But then 8 gazillion dollars wouldn't be put into trying to get a chip up to a gigahertz.
You could be still using that 386/33 with a 2400 baud modem.
Then again, I miss those days. But, man, downloading porn at 2400 was a pain. - Justin
- Justin
This is VERY different from the sorts of freedoms technophiles, hobbyist security gurus, geeks and Random Users expect, where the emphasis is on learning, experimenting and developing, not profiling and advertising.
But how to prohibit one and not the other?
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
They're just a cover company for the script kiddies.
Census workers, by federal law, are given the right to canvass all residences, including those that are officially "posted". Their Census ID badge serves as their warrant for that purpose. This law is authorized by the Constitution, which provides that a census shall be taken of all residences every 10 years. It's one of the few laws passed over the past 200 years which does abide by the Constitution :-}.
However, you are correct that there are some residences where census workers will not go without a police escort. Specifically, those where the resident's reaction to the census worker was to poke the barrel of a gun out the door! Our instructions when such things happened was to get the bleep out of there, and turn it over to a supervisor, who would probably give it to a cop who would go out there and give the guy a nice little talking-to about the inadvisability of brandishing guns at census workers. If we could talk to a neighbor and get the information, great. If not, then the next step was the supervisor and a cop going to the guy's house to politely question him about who was living in his house on Census day.
-E
Send mail here if you want to reach me.
For example, my ISP is Bell Atlantic (*spit*), which means that I'm in northeastern United States. Add to that my IP address, and you get:
hal-port$ whois -h whois.radb.net 151.201.X.Y
route: 151.201.0.0/16
descr: Bell Atlantic Internet Solutions (hah!)
Pittsburgh, PA
[snip]
It's pretty difficult to hide where I am. Of course, YMMV. If you have your own address range, then it's likely the DNS system will give your exact identity.
Don't be silly. Sysadmins react to this kind of thing because they are afraid they will be cracked or DoS'd. Quova may have strange and sinister goals, but I don't think they've received VC money based on DoS attacks and cracking. They are mapping the net, and want to do it in such a way that they don't bother anyone.
Rajat Bhargava wasn't a co-founder of Interliant. Interliant was originally WorldCom (before those LDDS-guys started doing business in the US), and was started by Eric Carmichael, Eric Sachs and Mathew Wolf. I knew half their senior staff.
When they started, they were the only successful public Lotus Notes network in existence (nobody but the two Erics could figure out how to run one.) They branched into more web and private networking stuff with the advent of Lotus' Domino, and eventually merged with some other company.
*sigh* I can't stand it when people lie on their resume.
Unless they're target-marketing to network admins, this sort of study doesn't make very much psychographic sense whatsoever.
Oh well. At least now they have lots and lots of data on what to expect when you ping the fsck out of your customers.
Instead of thinking of a car trolling your neighborhood with its lights low at 3 AM, try this. Think of a guy who walks down the street, stopping in front of each house to jot a few notes down on a notepad. Now, do you have any right to know what he is writing? No. Is he under any obligation, legal or ethical, to tell you what he is writing? No and no. He is simply taking notes based on information that is available to the public and is being acquired through perfectly legal means. If you don't like the idea of anybody being able to walk past your house and take notes on it, you move into a gated community (set up a firewall, turn off services, etc., etc.). Even if you do this, though, what's to keep people from walking up to the gate and taking notes on it? Nothing.
If you are connected to the Internet, there will invariably be some part of your network which anybody will be able to look at (i.e. ping), and there is nothing you can do to stop it. Period. You can build a massive, opaque cube all around your house to keep people from looking at your house, but there is absolutely nothing you can do to keep people from looking at your cube. The only way to keep your network truly and completely secret is to disconnect it from the Internet entirely.
On a related note, this strikes me as an excellent example of the Catch-22 nature of privacy and anonymity as discussed here on Slashdot. Is this company not entitled to the same right to exercise both their anonymity and privacy (of both the data they're collecting and their intentions)? We'd be raising holy hell if this article were about a law or corporate policy that required users to disclose the purpose behind their actions when using the Internet; why, then, do we expect a private company doing private research on public information to do the same?
Remember, kids, it's only premarital if you plan on getting married.
Wait a few more months and their VC will probably dry up. End of problem.
Akamai's DNS servers recognize your source IP and resolve akamaitech.net to an IP close to your ISP (or preferably an Akamai cache server colocated at your ISP).
cpeterso
I think we would end up with proxying instead of routing, so that servers don't receive any extra information about the client.
As I've no reason to assume otherwise, I'm guessing you fall into the category of "clever people who know how to selectively filter ICMP packets." Good for you. Deny everything you don't need.
Unfortunately, a great number of people on the Internet seem inclined to block all ICMP packets in fear of ping and traceroute, and your message might accidentally encourage more users to do so. As you probably know (but others reading this might not), this goes against RFC1191 and breaks Path MTU (PMTU) discovery. To all those frightened admins out there: please reconfigure your firewalls to allow ICMP Destination Unreachable messages marked "Fragmentation Needed and 'Don't Fragment' Set".
Who knows? It might even fix the mysterious web and email problems your users keep complaining about. (See: http://www.worldgate.com/~marcs/mtu/)
"Be Happy or Die." -- AoN
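The sysctl post earlier in the thread silences echo requests; the post above warns that a filter which drops every ICMP message also discards the "Fragmentation Needed" messages Path MTU discovery depends on (RFC 1191). This added example, not code from any poster, builds constructed ICMP messages, parses them, and shows what a "drop all ICMP" filter and a "drop echo, keep fragmentation-needed" filter each do with them; the policy names are assumptions.

```python
import struct

ICMP_ECHO_REQUEST = 8
ICMP_DEST_UNREACH = 3
CODE_FRAG_NEEDED = 4   # "Fragmentation Needed and DF Set"; carries the next-hop MTU (RFC 1191)

# Two filter policies (names assumed): what the frightened admin does, and what the post asks for.
POLICIES = {
    "drop_all_icmp": set(),                                            # nothing ICMP gets through
    "drop_echo_keep_pmtud": {(ICMP_DEST_UNREACH, CODE_FRAG_NEEDED)},   # only what PMTUD needs
}


def icmp_checksum(data):
    """RFC 1071 one's-complement sum over 16-bit words; yields 0 when run over an intact message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _finish(msg):
    """Fill in the checksum field (bytes 2-3) of a message built with it zeroed."""
    return msg[:2] + struct.pack("!H", icmp_checksum(msg)) + msg[4:]


def build_echo_request(ident, seq, payload):
    """What ping sends: type 8, code 0, identifier, sequence, payload."""
    return _finish(struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, 0, ident, seq) + payload)


def build_frag_needed(next_hop_mtu, original_datagram_head):
    """Type 3 / code 4: unused(16), next-hop MTU(16), then the quoted IP header + 8 bytes."""
    hdr = struct.pack("!BBHHH", ICMP_DEST_UNREACH, CODE_FRAG_NEEDED, 0, 0, next_hop_mtu)
    return _finish(hdr + original_datagram_head)


def constructed_original_head():
    """A made-up IPv4 header (DF set, 1500-byte TCP segment) plus 8 bytes of TCP header,
    as a router would quote it back. The IP checksum is left zero; it is never validated here."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 1500, 0x1234, 0x4000, 64, 6, 0,
                     bytes([198, 51, 100, 10]), bytes([203, 0, 113, 7]))
    return ip + struct.pack("!HHI", 443, 40000, 0)


def parse_icmp(packet):
    """Decode type/code, verify the checksum, and pull the next-hop MTU out of a
    Fragmentation Needed message (the size the sender must shrink its packets to)."""
    if len(packet) < 8:
        raise ValueError("ICMP message shorter than 8 bytes")
    icmp_type, code, _csum, _word1, word2 = struct.unpack("!BBHHH", packet[:8])
    info = {"type": icmp_type, "code": code,
            "checksum_ok": icmp_checksum(packet) == 0, "next_hop_mtu": None}
    if (icmp_type, code) == (ICMP_DEST_UNREACH, CODE_FRAG_NEEDED):
        info["next_hop_mtu"] = word2
    return info


def filter_decision(packet, policy):
    """Return ('ACCEPT' | 'DROP', reason) for one inbound ICMP message under a policy."""
    info = parse_icmp(packet)
    if not info["checksum_ok"]:
        return "DROP", "bad checksum"
    key = (info["type"], info["code"])
    if key in POLICIES[policy]:
        detail = "" if info["next_hop_mtu"] is None else ", next-hop MTU %d" % info["next_hop_mtu"]
        return "ACCEPT", "on the allow list (needed for Path MTU discovery)" + detail
    if info["type"] == ICMP_ECHO_REQUEST:
        return "DROP", "echo request (same effect as icmp_echo_ignore_all=1)"
    return "DROP", "ICMP type %d code %d not on the allow list" % key


if __name__ == "__main__":
    frag = build_frag_needed(1492, constructed_original_head())
    echo = build_echo_request(0x1234, 1, b"constructed payload")
    for name in POLICIES:
        print(name, "frag-needed ->", filter_decision(frag, name))
        print(name, "echo        ->", filter_decision(echo, name))
```

Under "drop_all_icmp" the router's 1492-byte MTU notice never reaches the sender, which keeps retransmitting 1500-byte DF packets into a black hole; under the second policy the ping is still ignored but the MTU notice gets through.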
come on guys, is a little basing of Altavista (OK, Raging) really so beyond us?
Taken from an internal memo from Quova(they really should encrypt this stuff)
From: Rajat Bhargava
To: Rajat Bhargava
Subject: Memo to self
Well, sold my last startup for 280 mil. What to do next? Hmm, I think I'll start another business and secretly ping and traceroute all the servers I can find. Venture capital groups will be happy to finance me as long as I give them some lame story about "providing demographic information for advertising."
Actually I have no intentions for this information at all. I'll ping and traceroute people until they notice me and start discussing me on sites like SecurityFocus and Slashdot. I'll go public telling people that what we're doing with this data is secret and then I'll sit back and watch the speculation fly. Once someone comes up with a really good idea of what could be done with such information, I'll "accidentally" leak a little of my business plans, which will of course be that I intended to use this information like the good idea suggested, to the big businesses. HA! They'll buy me out immediately!
Dreaming of the Billions I'll make off this one,
your friend,
Rajat
-- I have marked myself unwilling to moderate-- I don't have other accounts to artificially inflate the karma of
Wishing for the day Slashdot allows <U>
--
I can't believe the number of posters who are worrying that this company is somehow scanning their networks or invading their privacy. Numerous posts refer to port scanning, despite the fact that the article neither states nor implies that they are doing any such thing. Numerous comparisons are made to walking down a street trying all the doorknobs looking for unlocked doors. This is a completely unfounded comparison.
Yes, running a portscan of a host is a lot like checking to see if any windows or doors are unlocked. However, pinging hosts is not like trying doors. It's not even like knocking on doors. It like driving down a street and taking note of which lots have houses on them. Having somebody ping your host has zero negative impact on your performance, and the only security related information it reveals is whether or not the address is in use at all.
Traceroute is the same way. It's not revealing anything personal, private, or security related to the person running traceroute. It's most akin to somebody driving around your neighborhood building a map of the streets. Thank god the paranoids around here aren't making up the laws in meat space. They would make it illegal to drive into a neighborhood and even look at the houses without being escorted by a resident. After all, if a person doesn't live in your neighborhood, they don't have any business there, right? And everyone knows that criminals drive around looking at the houses trying to figure out which one to rob, right? So let's make it illegal to drive thru any neighborhood without the permission of the residents. Never mind that on the Internet, there is no zoning and there is no way to distinguish "residential" addresses from "business" addresses.
And I could care less if some of you get paged when these folks ping your network. That's your problem, that you let something this innocuous interrupt your life. You could have your pager go off every time time_t takes on a prime value, also. That doesn't make prime numbers evil.
Mapping the net is probably only second to their main business goal. I would speculate that they may be doing what Amazon is doing with Purchase Circles - building demographic information about originators of ecommerce transactions. There'd be a lot of value in information of this type, even if they only make 'fuzzy' correlations.
Maybe there needs to be an 'internet metric protocol' that is a more refined version of traceroute: even if just a designated name, such as 'XYZ.metric.WHATEVER.NAME.DOMAIN'; where XYZ could be any sort of subqualifier. Just an off the wall thought.
-- Matthew - matthew.gream@pobox.com, http://matthewgream.net
"Where ping fits in, I dunno, other than perhaps it provides the IP addresses for traceroute to digest. And there is useful information in being able to ping a machine and identify that it's still online in the dead of night: that implies it's a full-time connection, which means you're a cut above the average dial-up user."
The ping time also provides a way to target advertisements based on the user's available bandwidth. If a fast ping time exists, they can sell more interactive advertisements; while slow ping time could default to a standard banner ad.
Ping Is Not GNU!
There are 10 types of people in the world. Those who know binary, and those who do not.
After the recent court decision, which determined that spidering Ebay's website to populate a metasearch engine is illegal use of Ebay's system resources, couldn't the affected networks file the same charges against Quova? Quova intends to profit from information that it gathers using techniques which: cause unwanted logs to be appended to the logfile, ping (contact) the affected company's network, and cause incidental damages relating to responding to "false alarms."
<offtopic>It is odd that a company officer would so completely contradict the statement concerning the company's mission. If the company is causing all of these problems without even being certain of its own function, let alone business plan, then how the f*** were they able to get funded?</offtopic>
ByteMyCode.com: A Web 2.0 code sharing community.
"Isn't it a bit more like someone knocking on your door?"
Well I guess then that this would be a case of somebody going round from door to door, and knocking to gather statistics on when people are home.
This is information that is generally useful *only* to a housebreaker (and maybe some Jehovah's Witnesses or something)... in other words, either way you don't want those people to have information on when you're home.
Of course, I don't see how this analogy extends to computers any more :) Ping doesn't say anything about whether or not somebody is behind their computer anyway. Also you don't "hear" pings like you hear door knocks (unless you're ultra paranoid and run software to analyze every bit of traffic on your computer.)
It was not really the issue of privacy being invaded. Yes, it was done on a large scale. But the main point made was this:
So yeah, it was done on a large scale. Yes, we're right to be uneasy about a company acting in stealth mode. But it's our responsibility to guard our resources. The mature decision of the security community is not to thwap Quova, but to regard it cautiously and not to give an inch.
"It gives no information about level of security (except "not blocking ping packets")"
I'm not sure it even gives you that information. What's the difference between pinging an existing host and getting nothing in return, and pinging an IP for which there is no host currently?
There may be other ways though. I'm not sure if it would work, but traceroute doesn't use ping packets (for example) .. it sends UDP datagrams with increasing TTL to each host along the route to elicit ICMP time exceeded replies ..
Here's a thought about what they're doing. They're pinging and tracerouting to record latencies and packet loss broken down by geographical area and service provider. I know, I know this changes day by day if not hour by hour, but there are persistent trends. So, they might be compiling quality metrics for Internet service in your neighborhood. That would be a very valuable dataset to businesses of all sizes.
Pinging and tracerouting?!
Evil h4x0rZ!
Before you get your panties in a bunch, you should read the article. Before you compare pings and traceroutes to real world property examples, you should take a deep breath and visualize a computer network as a bunch of beeps and boops or ones and zeros or whatever it takes to remind you that computer invasion, while potentially destructive to information, is not the same as home invasion. For the record, no, I don't think I'd like to have my systems hacked or my credit card number stolen any more than I'd like you to come into my house and pummel me with rotten fruit, but thanks for thinking of me!
Now, they say they are pinging and tracerouting. According to the article no one is complaining that Quova is portscanning or attempting connections. They haven't even started trying for reasonable connections like having a web browser attempt to get index.html via port 80 from IP addresses they've verified. So, at most what they have is a semi-accurate picture of which addresses have working machines connected to them (successful pings) and which IPs are wired to which other IPs (traceroute)--and based on ping times they might get a sense of where small pipes and/or congestion occur. The only thing that's annoying about this so far is that they are keeping this publicly available information to themselves in its compiled form. Any one of us could write simple Perl scripts that hook into a SQL db to record the same or similar information. Why I would care or who I could possibly sell this information to is beyond me, though.
If they were portscanning machines, they would be stretching the boundaries of courtesy, but they have still done little more than add information to their map of the network. Whether you've advertised the existence of your "private" ftp or apache server is irrelevant, especially since these guys don't appear to be planning anything harmful, perhaps immoral, but not harmful. If you are concerned about regular, non-damaging network traffic to your machine, either build different firewall rules or pull the plug.
Disclaimer: IANAPornStar or RealGeek and if I actually know what I'm talking about it's coincidence. These opinions are for entertainment purposes only.
I do not have a signature
"All pr0n would be free ;-) "
Dude, people were charging for pr0n online LONG before most geeks even had access thru work, much less home. I remember back when people used to use net enabled BBS's to sell pr0n to all us 2400 BPS modem users, and it was nothing new then.
But this sort of thing just really creeps me out. I don't like the idea of people actively trying to hunt me down to give me ads.. Of course, it could be the diablo 2 talking...
I know it's bad, but it sounds so good.
-------
Oh shit! I forgot to click "Post Anonymously"...
I can see both sides of this as a security/network admin... but I think the doorknob metaphor is a bit incorrect.
If your door and lock is your security, then a ping isn't going to see if it's in place (locked) or missing (unlocked). Unless it's a Ping of Death, but nobody sends those these days, as far as I've seen.
I think a better metaphor would be perhaps driving by the lots in a subdivision to see which have houses built.
Now, an actual -portscan- is a different beastie. And a Nessus run would be completely unacceptable.
Also, while you may know your system is outbound only, there's no way for anyone to know that just based off the IP. And there's a lot of handy things out there we all like to refer to that require a little ping or similar (WWW server software surveys, for instance).
It's certainly a matter of personal comfort though, and I'd never tell you your opinion is wrong. Just your metaphor. ;-)
Is this company not entitled to the same right to exercise both their anonymity and privacy (of both the data they're collecting and their intentions?) We'd be raising holy hell if this article were about a law or corporate policy that required users to disclose the purpose behind their actions when using the Internet; why, then, do we expect a private company doing private research on public information to do the same?
;)
uh, sorry silly rabbit, but rights are for human beings, NOT corporations
Sorry to sound like a Katzista, but that's how I see it. Rights are for peeps, not corps.
--
Freeper Logic
This reminds me a bit of the dichotomy some writers make between data and information -- data is essentially entropy, and information is something that helps you make a decision or plan an action. Of course this distinction isn't perfectly hard and fast, but the way you increase the information value of a datum is you juxtapose it with other data, e.g. three potatoes; three potatoes for five people; three potatoes for five people for seven days.
It appears that somebody thinks they have found a way to juxtapose relatively innocuous data about network topology with some other data to create what for them is useful information, such as: Joe likes to look at pr0n; Joe likes to look at pr0n at work; Joe likes to look at pr0n at work through the company firewall.
Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
I dunno about anyone else but this doesn't really bother me much. I mean, I run snort to look for port scans and exploit attempts...but just to know who is looking.
I always think it's funny when some loser admin sends us an email saying a host on our network "Attacked" his box and to prove it shows a log saying he was port scanned.
Oh the horrors, a port scan! My god! What will they do next? Traceroute? telnet to it and read the banners to see what it's running?
Of course...many of these people run chocolate^H^H^H^H^H^H^H^H^HFire Walls, so I can see why they might have some pretty silly notions of what an attack is....
"I opened my eyes, and everything went dark again"
It had to be destiny that I arrived at this site. Why ??? Not bright enough, but I will answer in respect to this magnificent site. I really do enjoy and learn from it. Thanks. In reply, I see I really am off the overt theme of "secretive etc" but in my way I will answer covert... All of it, not just this topic, is about gathering data. The internet will of two things save or control the world re enter www.com-Advertising, yes that too, you know that with the cookies and the double click etc etc. that zip code demographics rich neighborhood poor, how one answers surveys do you pick all entertainment data? no investments? Daily Sign and fortune telling or learning? reading only People not Forbes? This is about Domination. At this time it's an inspection, a survey gathering data, the cataloging not of things, cataloging people. Different people classified for their talent, creativity, brains, or enormous strength on the physical side. Don't have the space to go much more, it's way toooo long. Rent an old movie Fahrenheit 451 with Julie Christie and you will see a part of the future. Or look up "Bee Colony" see how they live, function and for what??? It's all about control. -- I will add, in no way do I have the intellect of this group, they are intelligent, a prodigy here a wizard there, in a class of genius, I stand corrected, just by reading some of their work there is more than one genius in this group. Well just look at their addy's --..I adore them and others who say different are jealous. But this group is enlightened, they walk in the light and are a part of the light as long as they're about scrutinizing this internet, possibly we will not end up with totalitarianism. But for many of their tricks for following me around the net when I shop, and see banners with items they knew I would like from past buying style.
The word here is CONTROL CONTROL, so before they get enough information on every aspect of your life and likes, and that is what it's all about all the free stuff, all of it just look at some of those pages the word greed??? like the IRS etc. If you want your freedom as you know it, fight for privacy on this internet, it's the perfect tool for their plan. Pass the word, make a colossal effort in getting this new way to censor "WE THE PEOPLE"
>>uh, sorry silly rabbit, but rights are for human beings, NOT corporations ;)
>>Sorry to sound like a Katzista, but that's how I see it. Rights are for peeps, not corps.
Well, that might be how you see it, but I think a lot of judges, corporate lawyers and corporations would disagree. If I can sue a corporation as a single entity, which I can, then that entity has rights. Now, they might have more limited rights than, say, a person, but they still have rights. In fact, they have specific rights regarding privacy, especially if they're not a "public" corporation. IOW, if my company isn't traded publicly, I can hide all kinds of stuff from the general public and other companies.
I'm not a lawyer, so, no, I don't know all the details, but I've been in business long enough to see some of this in action. In fact, I've survived a bankruptcy where there were numerous lawsuits filed back and forth between individuals and corporate entities.
Sorry to ruin your world-view,
RyuMaou
Oh, the trials and tribulations of a network geek! Read about them at: http://www.ryumaou.com/hoffman/netgeek/
Thus it is plain, the dumbest thing we ever did was to tell the idiots about the internet !!!
"Semper in excretum set alta variant"
I don't know their purpose or goals, but of course, using your (optimistic) numbers, 34 machines could do it in one year. Add more machines (properly spread around the internet) and you can do this every month or two.
Of course I still do not "get" what a traceroute tells people about my personal likes/dislikes/preferences etc...
My name is not spam, it's patrick
Home Automation & Linux -- now I know I'm a geek
Check out the stuff at Security Focus for the IP that they are doing the scanning from.
-------
Oh shit! I forgot to click "Post Anonymously"...
That is the problem. However, even if you are 100% vigilant on reading up on all security exploits, patching all applicable daemons, there is still a variable time-frame between a malicious hacker finding an exploit, and a developer finding an exploit. So - portscans can still lead to a compromise of your system - even if you're patched to hell and back.
Stop the brainwash
They are using CPM/86. Obviously it's Caldera, at it again.
Everyone seems fairly concerned about the activities of Quova. Bugtraq has been heavy with traffic about Quova scans for a while, and it seems to have annoyed a lot of people, not least because nobody's so very sure about what they're doing with the information that is gathered.
But on a different note: how should one go about network mapping? Try using UDP or ICMP traceroute to anywhere and you can look forward to a flood of complaints to your ISP about 'hack attempts' as people interpret your actions as inbound scans (and UDP traceroute can look a lot like a straight scan of high UDP ports).
It isn't practical to contact every sys/network admin along the route -- remember you don't know what the routes are until you've mapped them. Even if you could, there are two problems: it's just your word you aren't doing anything nefarious; it's still going to set off a lot of intrusion detection systems, and why should anyone switch an IDS off just to avoid false alarms from your network mapping?
Some network maps are available, but they aren't necessarily useful (they don't typically include BGP parameter and ACLs or equivalent for all boxes en route).
So my question is: is it possible to map the network in an 'ethical' fashion that's still practical?
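The two posts above make a point that matters for anyone running an IDS: traceroute is not ping, it is a run of UDP datagrams with climbing TTLs aimed at high ports starting at 33434, and at a sensor that sees only the datagrams, it can look like a sweep of high UDP ports. The classifier below is an added example (mine, not from the thread or from any tool mentioned in it) that tells the two apart from the shape of the traffic alone: traceroute probes stay in the 33434+ port range and arrive with a TTL that walks upward a few probes at a time, while a port sweep scatters across ports with a flat TTL. The sensor log is constructed with RFC 5737 documentation addresses, and the thresholds are my own assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass

# Classic traceroute starts at UDP port 33434 and increments the port per probe;
# the span below allows 64 hops x 3 probes (assumed generous upper bound).
TRACEROUTE_BASE_PORT = 33434
TRACEROUTE_PORT_SPAN = 64 * 3
PORTSCAN_MIN_PORTS = 10  # assumed: distinct ports from one source before calling it a sweep


@dataclass(frozen=True)
class UdpProbe:
    """One inbound UDP datagram as an edge sensor would log it.
    ttl is the *remaining* TTL seen at the sensor, not the value the sender set."""
    src: str
    dst: str
    dport: int
    ttl: int


def classify_udp_probes(probes):
    """Label each (src, dst) pair as 'traceroute', 'udp-portscan' or 'unclassified'."""
    groups = defaultdict(list)
    for p in probes:  # dict keeps insertion order, so arrival order survives grouping
        groups[(p.src, p.dst)].append(p)

    labels = {}
    for key, group in groups.items():
        ports = {p.dport for p in group}
        ttls = [p.ttl for p in group]
        in_traceroute_range = all(
            TRACEROUTE_BASE_PORT <= d < TRACEROUTE_BASE_PORT + TRACEROUTE_PORT_SPAN
            for d in ports
        )
        # traceroute sends a few probes per TTL, then bumps the TTL by exactly one
        ttl_walks_upward = len(set(ttls)) > 1 and all(
            later - earlier in (0, 1) for earlier, later in zip(ttls, ttls[1:])
        )
        if in_traceroute_range and ttl_walks_upward:
            labels[key] = "traceroute"
        elif len(ports) >= PORTSCAN_MIN_PORTS and len(set(ttls)) == 1:
            labels[key] = "udp-portscan"  # many ports, flat TTL: a sweep, not a path probe
        else:
            labels[key] = "unclassified"
    return labels


def sample_probes():
    """Constructed sensor log (RFC 5737 addresses), not captured traffic."""
    probes = []
    # A traceroute toward 192.0.2.10: three probes per TTL, ports climbing from 33434.
    port = TRACEROUTE_BASE_PORT
    for ttl in (1, 2, 3):
        for _ in range(3):
            probes.append(UdpProbe("198.51.100.7", "192.0.2.10", port, ttl))
            port += 1
    # A UDP sweep of the same host: scattered ports, constant remaining TTL.
    for dport in (53, 69, 123, 161, 500, 1900, 5060, 33434, 33435, 40000, 50000):
        probes.append(UdpProbe("203.0.113.5", "192.0.2.10", dport, 51))
    # Ordinary DNS traffic: two datagrams to port 53 from one resolver.
    probes.append(UdpProbe("192.0.2.53", "192.0.2.10", 53, 60))
    probes.append(UdpProbe("192.0.2.53", "192.0.2.10", 53, 60))
    return probes


if __name__ == "__main__":
    for (src, dst), label in classify_udp_probes(sample_probes()).items():
        print(f"{src} -> {dst}: {label}")
```

The point of labelling rather than dropping is the one the post raises: nobody should have to switch an IDS off to avoid false alarms, but an alert that says "traceroute" instead of "UDP scan" lets the on-call person decide how much to care.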
neither replies to pings nor traceroutes...
hmm, i just happen to think of all those Petabytes of Logs in the world, where all those IP addresses are related to your personal likes/dislikes/preferences....
Surfers leave traces. For years.
The only real problem was to relate these traces to individuals, or at least to workstations.
Now imagine combining the logs of sites like yahoo or altavista or ebay with the database gathered by this company, and you can figure out yourself what value they build up.
I just have to figure out the NETBLK's they own/use and install block-rules on all my border routers.
They won't scan my nets...
Jor
...someone just typed by accident:
root@quova:~$ ping *.*.*.*
root@quova:~$ traceroute *.*.*.*
--
This space left intentionally blank.
They rent rackspace from Exodus (according to messages (index of week's messages) on INCIDENTS). Exodus is doing nothing it seems and condones their activities. They don't seem to be doing anything more than getting some REALLY paranoid sysadmins' underwear in a knot, but I really don't like being batch scanned for no real reason. So here's my info I've scoped on them. ...
... good.
E )
whois -h whois.networksolutions.com quova.net
Registrant:
David Naffziger (QUOVA2-DOM)
333 W Evelyn
Mountain View, CA 94043
US
Domain Name: QUOVA.NET
Administrative Contact, Technical Contact, Zone Contact:
hostmaster (HO8675-ORG) hostmaster@QUOVA.COM
Quova, Inc.
333 W. Evelyn Ave.
Mountain View , CA 94043
US
(650) 962-2933
Fax- (650) 962-2025
Billing Contact:
billing (BI4691-ORG) billing@QUOVA.COM
Quova, Inc.
333 W. Evelyn Ave.
Mountain View , CA 94043
US
(650) 962-2933
Fax- (650) 962-2025
Record last updated on 23-May-2000.
Record expires on 16-Nov-2001.
Record created on 16-Nov-1999.
Database last updated on 6-Jul-2000 18:55:18 EDT.
Domain servers in listed order:
NS1.QUOVA.COM 208.37.145.35
AUTH50.NS.UU.NET 198.6.1.161
www.quova.net is running Apache/1.3.12 (Unix) PHP/4.0.0 FrontPage/4.0.4.3 on Solaris netcraft
AND SINCE THEY shouldn't mind!!!
cherrycoke:~$ sudo nmap -sX -vv -O www.quova.net
Starting nmap V. 2.54BETA1 by fyodor@insecure.org ( www.insecure.org/nmap/ )
Host (205.177.226.233) appears to be up
Initiating FIN,NULL, UDP, or Xmas stealth scan against (205.177.226.233)
The UDP or stealth FIN/NULL/XMAS scan took 69 seconds to scan 1525 ports.
For OSScan assuming that port 23 is open and port 1 is closed and neither are firewalled
Interesting ports on (205.177.226.233):
(The 1520 ports scanned but not shown below are in state: closed)
Port State Service
23/tcp open telnet
80/tcp open http
111/tcp open sunrpc
514/tcp open shell
2049/tcp open nfs
TCP Sequence Prediction: Class=random positive increments
Difficulty=132682 (Good luck!)
Sequence numbers: 6A1BA7D9 6A255F59 6A2A5515 6A2F4624 6A37B2F6 6A3CE0D6
Remote OS guesses: Solaris 2.6 - 2.7, Solaris 7
OS Fingerprint:
TSeq(Class=RI%gcd=1%SI=2064A)
T1(Resp=Y%DF=Y%W=2297%ACK=S++%Flags=AS%Ops=NNTNWM
T2(Resp=N)
T3(Resp=N)
T4(Resp=Y%DF=Y%W=0%ACK=O%Flags=R%Ops=)
T5(Resp=Y%DF=Y%W=0%ACK=S++%Flags=AR%Ops=)
T6(Resp=Y%DF=Y%W=0%ACK=O%Flags=R%Ops=)
T7(Resp=Y%DF=Y%W=0%ACK=S%Flags=AR%Ops=)
PU(Resp=N)
Nmap run completed -- 1 IP address (1 host up) scanned in 83 seconds
Some "security company," with all those notoriously insecure services running on their webserver (NFS, telnet, shell, RPC). Oh well. It looks like their webserver is colocated with some company.
cherrycoke:~$ traceroute www.quova.net
traceroute to www.quova.net (205.177.226.233), 30 hops max, 40 byte packets
1 orangecrush (192.168.0.1) 2.638 ms 2.239 ms 2.238 ms
2 quincy-asx-2.ziplink.net (206.15.185.18) 509.732 ms 203.12 ms 219.374 ms
3 206.15.185.17 (206.15.185.17) 209.86 ms 215.767 ms 199.762 ms
4 * zl-qnz-cisco2bcn.ziplink.net (206.15.158.150) 205.427 ms 214.611 ms
5 zl-pru-h20-1z172h209.ziplink.net (206.15.172.209) 219.845 ms 214.564 ms 219.459 ms
6 206.15.185.217 (206.15.185.217) 219.572 ms 216.462 ms 199.567 ms
7 bay4-322.quincy.ziplink.net (208.196.109.82) 279.498 ms 274.794 ms 259.6 ms
8 zl-sf-e20-2sf7k.ziplink.net (206.15.172.6) 279.477 ms 265.691 ms 279.473 ms
9 pacbell-1.globalcenter.net (198.32.128.32) 279.597 ms 272.632 ms 279.56 ms
10 pos4-2-155M.cr1.SNV.gblx.net (206.132.150.25) 269.622 ms 272.892 ms 299.483 ms
11 pos2-0-622M.cr1.IAD3.gblx.net (206.132.113.102) 337.01 ms 333.853 ms 339.512 ms
12 pos0-0-0-155M.br2.IAD3.gblx.net (206.132.253.26) 339.529 ms 343.903 ms 349.513 ms
13 digiweb.s2-1-1.br2.IAD.gblx.net (204.152.166.190) 349.878 ms 273.863 ms 299.393 ms
14 209.143.145.194 (209.143.145.194) 309.769 ms 277.821 ms 299.558 ms
15 ucla.digiweb.com (206.161.225.11) 299.497 ms 292.234 ms *
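Output like the trace above is the raw material for the "latency and packet loss by area and provider" idea raised earlier in the thread. Below is an added example (my code, not from the thread) that parses classic traceroute output into per-hop records and summarises mean RTT and loss per hop, including the awkward cases: a `*` that precedes the hostname because the first probe timed out, a hop that never answered at all, and a final hop with one lost probe. The input is constructed with RFC 5737 addresses and `.invalid` names; only the format matches the post's trace.

```python
import re

# Constructed traceroute output in the classic BSD/Linux format (RFC 5737
# documentation addresses, reserved .invalid TLD); not a real trace.
SAMPLE_TRACEROUTE = """\
traceroute to target.example.invalid (192.0.2.10), 30 hops max, 40 byte packets
 1  gw.example.invalid (198.51.100.1)  2.638 ms  2.239 ms  2.238 ms
 2  203.0.113.17 (203.0.113.17)  209.86 ms  215.767 ms  199.762 ms
 3  * core2.example.invalid (203.0.113.150)  205.427 ms  214.611 ms
 4  * * *
 5  target.example.invalid (192.0.2.10)  299.497 ms  292.234 ms  *
"""

HOP_LINE = re.compile(r"^\s*(\d+)\s+(.*)$")                      # "<hop>  <rest>"
HOST_FIELD = re.compile(r"(\S+)\s+\((\d{1,3}(?:\.\d{1,3}){3})\)")  # "name (a.b.c.d)"
RTT_FIELD = re.compile(r"(\d+(?:\.\d+)?)\s+ms")                   # "12.345 ms"


def parse_traceroute(text):
    """Return one dict per hop: number, name/ip (None if silent), RTTs, lost probes."""
    hops = []
    for line in text.splitlines():
        m = HOP_LINE.match(line)
        if not m:
            continue  # the "traceroute to ..." header does not start with a hop number
        hop_no, rest = int(m.group(1)), m.group(2)
        host = HOST_FIELD.search(rest)          # may sit after a leading "*"
        rtts = [float(v) for v in RTT_FIELD.findall(rest)]
        lost = rest.split().count("*")          # each "*" is one probe with no reply
        hops.append({
            "hop": hop_no,
            "name": host.group(1) if host else None,
            "ip": host.group(2) if host else None,
            "rtts": rtts,
            "lost": lost,
        })
    return hops


def summarize_path(hops):
    """Per-hop mean RTT and loss fraction, plus the path-level figures a
    quality-of-service dataset would keep per measurement."""
    per_hop = []
    for h in hops:
        probes = len(h["rtts"]) + h["lost"]
        mean = sum(h["rtts"]) / len(h["rtts"]) if h["rtts"] else None
        per_hop.append({
            "hop": h["hop"],
            "ip": h["ip"],
            "mean_ms": mean,
            "loss": h["lost"] / probes if probes else None,
        })
    answered = [h for h in per_hop if h["mean_ms"] is not None]
    return {
        "hops": per_hop,
        "hop_count": len(hops),
        "silent_hops": [h["hop"] for h in per_hop if h["mean_ms"] is None],
        "lossy_hops": [h["hop"] for h in per_hop if h["loss"]],
        # last responding hop stands in for end-to-end latency
        "end_to_end_ms": answered[-1]["mean_ms"] if answered else None,
    }


if __name__ == "__main__":
    summary = summarize_path(parse_traceroute(SAMPLE_TRACEROUTE))
    for h in summary["hops"]:
        print(h)
    print("silent:", summary["silent_hops"], "lossy:", summary["lossy_hops"])
```

A silent hop (all `*`) is not necessarily a bad link; many routers rate-limit or drop ICMP time-exceeded replies, which is exactly why a single trace is noise and only repeated measurements over time show the "persistent trends" the earlier post talks about.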
This is a non-issue. Remember people, watch out for paranoia!
Make you a deal, Sebastard: Post your physical address, and I'll come over and jiggle your front door some evening. Hey, if it's locked, it's not a problem, is it?
I think you'd be a little disturbed were this to happen, and I think you'd have a problem with it. If not, then you are far too trusting a soul for the world we find ourselves in.
I would offer to give you my physical address, but I find cleaning blood off my wooden front porch to be rather difficult....
www.eFax.com are spammers
They should be hacked so that all of their packets ping their own routers. ;>
-MunKy_v2
Jay
I disagree with random pinging being "fair use", consider:
My computer is connected to the Internet 24/7 via DSL. However, I do not provide any services to the Internet, and in fact have my firewall configured to deny (do not accept, do not respond) any inbound connections. There is no good reason anybody should be pinging my system: you ping to test connectivity, and since you cannot connect to my system, you have no reason to be testing if you can connect.
I consider pinging my system to be the electronic equivalent of jiggling my front doorknob to see if the door will open: Is it "fair use" of my front door?
It's one thing to ping a public site ("Hello? Slashdot? You alive?") but randomly pinging hosts is wrong!
www.eFax.com are spammers
As to their last comment on their goals: To get to the point that they don't set off anyone's alarms - For some reason, I would be more comfortable if my alarms DID go off, rather than a company possibly looking for something on my system (Or any one else's for that matter) and me not knowing about it. As has been said before, it sounds like they are just Grown-Up Script-Kiddies.
You're tracerouting their web server(s). Those are probably not the same systems used to do the network mapping. Thus, not the same IP addresses.
-------
Oh shit! I forgot to click "Post Anonymously"...
When the "Internet Operating System Counter" scan reached the .il (israel) domain it caused some concern! At least they did give a plausible explanation, publish their results, and stop querying areas where people complained (like all of .il!).
When people start measuring your neighbourhood in great detail, and refuse to explain just what it is for, I think you have a right to be suspicious and uncooperative. I hope those who have the right tools in place will just set themselves to ignore (i.e. fail to respond to) traffic from these people. If they get no answer to their pings, it will serve them right for being so secretive.
maybe they're trying to keep the spam scam promised land going with Internet technobabble - "We offer you 250 million email address for $150, PLUS! New psychographic network topography data gathered by our state of the art analysts completely insures that YOUR MESSAGE is precisely timed and targeted to the audience primed for purchasing!! Act now!!!"
try { do() || do_not(); } catch (JediException err) { yoda(err); }
As I've said before, it is not relevant for these purposes to scan inside the perimeter (public IPs or not) of a private network, corporate or not. There are few good reasons for mapping a network that you don't own, and they aren't very profitable. Grown up script kiddies sounds about right.
-------
Oh shit! I forgot to click "Post Anonymously"...
CERT published an advisory not too long ago regarding scans on port 137 (netbios)
the advisory
rosie_bhjp
A radio maverick jumps to internet only. The Future of Rock n Roll
Anyone have some indication they were scanned by this company on their home or work PC?
Their homepage carries some (vague) information: here.
You can apply for a job (mostly in sales though), if you want to know even more.
I was having a really hard time trying to understand what they might use this information for. Then at least one thought (this does not happen often, so I took notice) occurred to me. One possible use would be to try and map IP to region with a reasonable granularity in a database that could be sold. With a reasonable amount of detective work and the existing location data in the DNS system this could probably be accomplished (with a high, but reasonable error level).
Many brick and mortars like to know your zip code so they can target advertising. If a banner ad company was able to get a quick (and generally, but certainly not always) correct zip/region lookup based upon your IP address, then they could better match an ad to your income/region/etc. A large number of (high bandwidth) users are now on (semi) static ip addresses, adding to the value of this information. If this was their goal, it would not be the worst idea for an internet startup that I had heard :-)
My name is not spam, it's patrick
Home Automation & Linux -- now I know I'm a geek
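The IP-to-region database the post describes is, at the lookup end, a longest-prefix match: the narrowest block that contains the address wins, and how narrow it is doubles as a confidence hint. The example below is added here (my code, not the poster's or any vendor's) and shows that lookup plus a coverage figure, since the post is right that the error level is part of the product. The table uses RFC 5737 documentation prefixes with invented region labels; a real one would be assembled from registry records, DNS location hints and measurements, none of which this example performs.

```python
import ipaddress

# Constructed lookup table: RFC 5737 documentation prefixes, invented region labels.
REGION_TABLE = [
    ("192.0.2.0/24", "US-CA-Mountain View"),
    ("192.0.2.128/25", "US-CA-Sunnyvale"),   # more specific than its parent above
    ("198.51.100.0/24", "US-MA-Quincy"),
    ("203.0.113.0/24", "GB-London"),
]


def build_region_index(entries):
    """Parse prefixes once and order them longest-prefix-first, so the first
    containing network is the most specific (and most trustworthy) match."""
    nets = [(ipaddress.ip_network(prefix, strict=True), region) for prefix, region in entries]
    return sorted(nets, key=lambda item: item[0].prefixlen, reverse=True)


def lookup_region(address, index):
    """Return (region, prefix_length) or None when no block covers the address.
    Callers can treat prefix length as confidence: a /25 hit is a narrower guess
    than a /8 hit. Garbage input raises ValueError from ip_address()."""
    ip = ipaddress.ip_address(address)
    for net, region in index:
        if ip.version == net.version and ip in net:
            return region, net.prefixlen
    return None


def coverage(addresses, index):
    """Fraction of a sample of client addresses that resolves to any region,
    i.e. the part of the error level you can measure before selling anything."""
    if not addresses:
        return 0.0
    hits = sum(1 for a in addresses if lookup_region(a, index) is not None)
    return hits / len(addresses)


if __name__ == "__main__":
    index = build_region_index(REGION_TABLE)
    # Constructed client sample: two covered, two (RFC 1918) not covered.
    sample = ["192.0.2.200", "10.1.2.3", "198.51.100.9", "172.16.0.1"]
    for a in sample:
        print(a, "->", lookup_region(a, index))
    print("coverage:", coverage(sample, index))
```

Note that the lookup says nothing about the person behind the address, only about where the block is registered or measured to be, which is the gap between "region" and the "lifestyle" data several posts in this thread worry about.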
The link in my post is correct, so mod it up ;)
To be honest I find all this a little disturbing. If Quova's purposes were truly 100% legit why would they feel the need to conceal them? and why would they seek to attain the ability of commencing their "security tests" without tripping anyone's alarms? Maybe I'm paranoid, but the idea of a startup "company" officially declaring that they are trying to get around people's security measures is unnerving to me. I am also befuddled as to how running a portscan is going to tell you all kinds of personal information about someone's lifestyle..do they make special firewalls for lesbians or something? Run a port scan and you can immediately tell someone is Jewish and they like to play tennis? The only way I can see this being relevant is that if they truly wish to advertise they'll know who to throw sales pitches for better security at.
"that which does not kill me makes me bitter" -anon
I can't read the actual story (it's not responding) but I have the feeling that nobody believes this company's rationale for scanning the net--demographics simply are not retrieved by traceroutes, unless you're trying to get a map organized by available bandwidth growth over time.
I don't think people trust that these guys aren't looking to distribute vulnerability profiles of major companies--what if the psychographics are regarding the IT staffs of major companies?
The Internet Auditing Project detected bugs, but did not identify those who were specifically vulnerable. If this startup goes under, who buys their *ahem* Customer Database?
That being said, they're in a nasty situation. They probably have something innocuous and cool and can't explain what they're doing or why because it'll spark off competition. They should NDA Mudge and let him say whether or not we should be worried.
Yours Truly,
Dan Kaminsky
DoxPara Research
http://www.doxpara.com
"Little Caesars? You do pizza?"
What if the demographics bit is a coverup?
They come right out and say that they want to get past alarms. Could it be that they really want to come up with a new security model? Maybe they really want to see how we (sysadmins) respond and what security we have.
Also, mapping networks could help to strategically (sp?) place some kind of security servers that they might be developing....
...And being secretive about developing security will help keep the script kiddies away until release.
LINK : LNK6004: Sig not found or not built by the last incremental link; performing full link
Is the information superhighway system any different than the automobile superhighway system? IMHO, it shouldn't be!
If it's NOT any different, then anyone should be able to drive down that highway as long as they aren't hurting anyone. Driving relatively within the speed limit is OK on a highway, but breaking that speed limit is thought to increase the acceptable level of danger and therefore shouldn't be done. If done, it will be punished.
The same should be said for internet traffic. Internet traffic that doesn't harm anyone shouldn't be bothered about. Port scans and pings don't hurt anyone, so why should we care? DOS attacks are like speeding and should be punished.
On the automobile infrastructure we have roads to our house and driveways. Driveways belong to us, and roads belong to everyone.
The difference between the highway and the road on our information superstructure should be delineated by routers and firewalls. If you don't have a firewall or a filtering router, or both, then it's like building your house on the curb of an interstate. Most days, you will go outside and avoid the traffic, but one of these days, an 18 wheeler with a load full of squealing pigs will drive right through your living room.
cp -R
Hey, they might have a good reason to fear such things as pings, traceroutes, portscans, and telnet connections. They might be running NT servers and are afraid that the ping will overload them... :-)
Little Brother, watching the watchers
bloodwhore:~$ nmap quova.com
Starting nmap V. 2.3BETA6 by Fyodor (fyodor@dhp.com, www.insecure.org/nmap/)
Nmap run completed -- 1 IP address (0 hosts up) scanned in 60 seconds
Their pinging and tracerouting itself doesn't bother me a great deal. My firewalls can deal with that. The fact that they apparently want to get underneath my detection software so they can do this without setting off my alarms, however, bothers me a great deal. There's no legitimate reason to do that. So, time to track down their netblocks and drop everything from or to them into a black hole at the edge of my network.
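Several posts in this thread land on the same remedy: find the scanner's netblocks and drop everything from or to them at the edge. The example below is added here (my code, not the poster's) and does the two parts of that job: merge a list of blocks into a minimal set and decide per packet with "from or to" semantics, then render the same policy as an nftables table. The netblocks are RFC 5737 placeholders, not the ranges of any real scanner; the ranges you would actually use come from your own logs and the registry. The nftables syntax is as I know it from the nft documentation, and the rendered text is what `nft -f` would load.

```python
import ipaddress

# Constructed placeholder netblocks (RFC 5737 documentation ranges), deliberately
# overlapping to show that compile_blackhole() merges them. Not a real scanner's ranges.
BLACKHOLE_NETBLOCKS = ["203.0.113.0/24", "203.0.113.64/26", "198.51.100.64/26"]


def compile_blackhole(netblocks):
    """Parse IPv4 blocks and merge overlapping/adjacent ones so the rule set stays minimal."""
    nets = [ipaddress.ip_network(n, strict=False) for n in netblocks]
    if any(n.version != 4 for n in nets):
        raise ValueError("this example renders an ipv4_addr set only")
    return list(ipaddress.collapse_addresses(nets))  # sorted, non-overlapping


def should_drop(src, dst, nets):
    """'From or to' semantics: drop when either endpoint is in a blackholed block.
    This is the reference decision the rendered firewall rules must agree with."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in n or d in n for n in nets)


def render_nft_rules(nets):
    """Emit an nftables table implementing should_drop() at the edge.
    'counter' keeps hit statistics so you can see the scanner still knocking."""
    elements = ", ".join(str(n) for n in nets)
    return "\n".join([
        "table inet blackhole {",
        "    set scanners {",
        "        type ipv4_addr",
        "        flags interval",
        f"        elements = {{ {elements} }}",
        "    }",
        "    chain input {",
        "        type filter hook input priority 0; policy accept;",
        "        ip saddr @scanners counter drop",
        "    }",
        "    chain output {",
        "        type filter hook output priority 0; policy accept;",
        "        ip daddr @scanners counter drop",
        "    }",
        "}",
    ])


if __name__ == "__main__":
    nets = compile_blackhole(BLACKHOLE_NETBLOCKS)
    print(render_nft_rules(nets))
    # Constructed packets against our own host 192.0.2.10
    for src, dst in [("203.0.113.9", "192.0.2.10"), ("192.0.2.10", "198.51.100.100"),
                     ("192.0.2.10", "198.51.100.9")]:
        print(src, "->", dst, "drop" if should_drop(src, dst, nets) else "pass")
```

On a box that forwards for a network rather than just protecting itself, the same set would also be matched in a `forward` chain; the input/output pair above covers the host the poster is describing.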
Common sense says "my network is my property, and mine alone to allow visitors".
However, the IP address space is a public resource, documented and available to any who are willing to participate. You can look up any address block and find out who owns it if you want (like a Registry of Deeds here in most US states). And in order to get a block, you have to agree to the "rules".
The question I'd ask here is "where is the boundary between public and private property?" Obviously, if a system is accessible over the Internet and a service is available, then that service, at least, probably meets the requirements of "public", even if the owner doesn't realize that the service is accessible. Using that service may be public, even though it's not polite.
I'd say if it's behind a firewall that blocks the pings, or not accessible through a NAT export, then it's private. Kind of like the difference between a gated community and a regular old subdivision, to use an imperfect analogy. I can drive into a subdivision, map and photograph every street and house I see, and then use the information for whatever legal purpose I want (I could legally sell it to people wanting, for instance, to publish guides to preferred neighborhoods). I'm free to look at the houses so long as I don't actually trespass on the private property that they rest on.
If I want to map and document a gated community, though, the street is private and blocked off, with restricted access. I need the permission of whoever runs the gatehouse to go inside and map the streets and houses within. If I can see all the houses without having to go through the gatehouse I can still take my photographs, though.
And there's the conundrum. If I block all inbound access to my network (except for exported hosts), then the scans will be stopped at my gatehouse (firewall), and only the things I have chosen to make visible will be mapped. Those systems are public, though my network is private.
Where this company is being unethical is in trying to do this activity as stealthily as possible. If a surveyor wants to try and map my neighborhood, fine. Let them show me their credentials and announce their presence. If I see someone skulking around in the middle of the night in a car with the lights dimmed, who pauses in front of each house for a while, I just may think they're up to no good. And someone else may think that and either call the cops (the offending visitor's ISP) or just shoot 'em.
If I don't want to be mapped (and I, for one, don't), I'll erect my own gate and cordon off my address space that way. If someone sneaks in anyway then I may shoot the varmint myself.
- -Josh Turiel
-- Josh Turiel
"2. Do not eat iPod Shuffle."
Indeed...
.. So yes, the website could well be under some hosting company somewhere and nowhere near their actual 'HQ'.
nslookup www.quova.com returns 205.177.226.233
and
nslookup quova.com returns 208.37.145.34, a completely different network by the looks of it.
www.quova.com is running apache in a name virtual host setup that doesn't appear to be configured that well.. if you do a raw HTTP request with specifying the Host: header, you get a 404
--
Delphis
but my machine does not provide any public services, so nobody has any business connecting to it. If it did, I wouldn't mind this crowd connecting to it to use those public services, but attempting to connect to anything else is an abuse. Frankly, I hope more sysadmins install portsentry or its equivalent and stop these people cold.
Any sufficiently advanced technology is indistinguishable from a rigged demo
--Andy Finkel (J. Klass?)