This is a faq file for comp.security.misc and comp.security.unix.  It is
cross-posted to alt.security because I think it will also be useful there.
Yes, I know that syntactically, these are not all "questions".

Please check whether your question is in this file before posting.
Also, unix-specific questions should be posted to comp.security.unix, not
comp.security.misc; so if they're in here, there are now TWO reasons not to
post them to comp.security.misc.

New for August: the "what should I read" question.

------------------------------

Subject: Table of contents

- This faq

- Can anyone here tell me how to exploit the [whatever] bug?
  or Can anyone here tell me how to break in to my ISP?

- What do the "identd" lines in my syslog mean?  Is this a security
  exposure?  Can I turn off identd?

- I just noticed that [something].  Has my machine been compromised?

- What does port number [whatever] mean?

- Here's new, unbreakable encryption software.

- What should I read to learn how to secure my computers?  What should I read
  to learn about computer security?

- Is there a newer version of cops?

- Tripwire fails the self-test, dumps core when building the database, and
  dumps core when verifying.

- Cops won't "make" in some versions of linux (GNU).

- What's that weird URL with SATAN/SAINT?  I'm not running a web server!
  or SATAN says "Can't find my own hostname".

- SATAN doesn't display right in my web browser; it asks me to save the file.

- How do I find all setuid and setgid files?

- I can't get .rhosts/.shosts to work with ssh.
(Note: there is a newsgroup comp.security.ssh)

- Should I block all ICMP at my firewall/router?

- How do I prevent my machine from announcing OS version, daemon version,
  etc in the banner message?

- Is a portscan of a machine malicious/illegal/unfriendly?

- Can my ISP/employer monitor [various things I'm doing]?

------------------------------

Subject: This faq

This is not supposed to be a statement of group consensus.  This is simply
supposed to be a few VERY frequently asked questions and their answers, so
that we can snidely say "see the faq" when people ask them.  The answers
supplied are supposed to be completely uncontroversial amongst people who
know what they're talking about.  (My first answer might be a bit borderline
in this respect but I don't recall ever having seen a contrary opinion here.)
Except for the portscan question, in which I've attempted to present ALL of
the major views.

Contributions of questions are welcome (with or without answers); however,
the idea is that they are supposed to be things which have straightforward
answers and which we see very frequently (at least prior to their inclusion
in this document).  If your answer is long, it might not belong in this
document, at least as I see the purpose of this document.  For example, it is
intentional that this document doesn't contain firewall recommendations, even
though that's a frequently-asked question here.  (But see the firewall faq at
http://www.clark.net/pub/mjr/pubs/fwfaq/)

Thanks to Juan Gallego, Lamont Granquist, and Martin Ouwehand for additional
suggestions re finding setuid files on different systems.  Thanks to Dan Niles
and Jyrki Havia for tripwire bug details as posted to the newsgroup.
Thanks to Dan Farmer for making me aware of cops 1.04+ (cf 1.04).
Also taken from the newsgroup are some words from Olaf Schreck about
correctly editing the SATAN perl file (responding to a newbie error).
Thanks to Scott Barman for a Windows NT security book reference.

Disclaimer: The posting of this file is not to be construed as a commitment
to provide free consulting to people I don't know.  Post your questions to
the newsgroup and I might answer them there, or someone else might do it
better.  (Although if you say "please send e-mail copies", I'm going to
ignore your message.)

Disclaimer 2: There ARE errors in this file, but at the time of writing, I
didn't know what they were.  (If I knew, I would have fixed them.)  This
document is offered on an "as-is" basis, no warranty is implied, blah blah blah.

The metafaqs say you should choose a random day of the month to post monthly
faqs on, so I just used random() and got the number 22 (I don't think it's
necessary for it to be a cryptographic random number).

------------------------------

Subject: Can anyone here tell me how to exploit the [whatever] bug?
	or Can anyone here tell me how to break in to my ISP?

No.  We're security professionals.  We try to secure systems.  We think that
securing systems and fixing bugs are more intellectual activities than running
a program which someone else wrote which you don't understand.

You should only attempt "penetration testing" of a system with the consent
of its administrators and/or owners.  They will only be interested in your
services if you know something.  You can start your education by learning
some general computer science and computer programming, and by reading
computer security textbooks and/or newsgroups.

------------------------------

Subject: What do the "identd" lines in my syslog mean?  Is this a security
	exposure?  Can I turn off identd?

Discarding the timestamp and hostname, the lines look something like this:

    identd[10362]: from: 205.238.143.33 ( mail.dejanews.com ) for: 20546, 25
    identd[10362]: Successful lookup: 20546 , 25 : flaps.users

This states that the machine 205.238.143.33 asked your machine who was
connecting from port 20546 on your machine to port 25 on 205.238.143.33.
And your machine responded that the user was "flaps", and that flaps's group
is "users".  (10362 is the process id number of this particular invocation of
identd; for example, if two identd requests happened at about the same time
and the two lines were interleaved, it would help you sort them out.)

Theoretically, this is a security-sensitive data exposure, although the
practical effect of this is arguably nil.  And it can be very helpful to the
admin of a machine which often has more than a few simultaneous users.  When
one of your users does something untoward, this allows the remote machine to
log the username, and then the remote sysadmin's complaint to you will
contain information useful to you.  A linux machine at home connected to the
internet via ppp and with only one user should not be running identd because
it does not contribute to this process.  Very few things on the net REQUIRE
the sender to be running identd, because many machines don't have it and
because many people turn it off.

Your identd program probably has various options to configure what
information it discloses; see the man page.  You might want to run it with
options to minimize data OTHER than the above (-o and -e in the common
implementation), and/or perhaps run it with the option to report numeric uids
rather than lognames (-n), which is just as useful for tracking down
offenders from your point of view.  On the other hand, if you report numeric
uids, then in some cases the remote people will be able to gain logname<->uid
translation info (e.g. the outgoing connection is a mail message bearing
'from' information), so it's hard to say which discloses less data.

If you feel that this data is sensitive but still want to run identd, there
are some identd servers out there which report the data encrypted, so that
all the target sysadmins can do with the information they get is to send the
token back to you for your own use.  This facility might be available as -C.

You specify these options on the identd command-line, wherever it appears,
which is usually in /etc/inetd.conf.

The identd protocol is documented in RFC 1413.  It is the same as "auth".
The query specifies the port numbers only; the two IP addresses are the sender
and target of the identd query.  Thus you cannot query about IP connections to
other machines, although you can query about connections which don't concern
you but are to a machine you have an account on.

RFC 1413 states, "If you wouldn't run a 'finger' server due to privacy
considerations you may not want to run this protocol."  I agree with this but
suggest that it might not apply to a cryptographic identd (e.g. -C).

------------------------------

Subject: I just noticed that [something].  Has my machine been compromised?

Maybe.  You probably don't know whether it always was like this.  You should
look around your system enough of the time that you get used to how things
look BEFORE you get broken into.  And you should make a practice of following
up oddities you find, so that your judgement as to what is and is not weird
improves with experience.

If it's too late for that, before posting to comp.security.* ask at least
one local expert in the OS you're running, or in the case of unix, one local
unix expert.  There may be a straightforward, happy explanation for the
behaviour you observe.  Or there may not.  Not all anomalies are the result
of an intrusion; to some extent "My machine has been broken into!" has
replaced the "I have a virus!" default explanation of a few years ago.
On the other hand, machine breakins are very common these days, too.

------------------------------

Subject: What does port number [whatever] mean?

The basic reference is RFC 1700, or
ftp://ftp.isi.edu/in-notes/iana/assignments/port-numbers

However, you can write a program which uses any port number, whether it has a
standard meaning or not; and similarly you can write a program which uses a
port number in a way contrary to its standard meaning.

If you notice an attempted connection to a weird port number on your machine,
the connection might have been meant for some other machine running an
idiosyncratic service (perhaps someone typoed the IP address or hostname), it
might be a probe for a widely-spread trojan horse program, it might be part
of some kind of portscan, or plenty of other possibilities.

If you notice your machine listening on an unexpected port, you may
have been broken into, or it may be a "feature" of your OS distribution
or some third-party software you're running.  In unix, most ports your
OS distribution will use will be listed in /etc/services, along with
MANY you don't use.  /etc/inetd.conf lists services whose daemons are
started on demand by inetd, the internet "super-server" (see the man page).
In different ways depending on OS version, /etc/rc* specifies some standalone
daemons to be started up on boot (or initlevel change); see man pages
(including man init).  These are conventional ways to start services but
any program can listen on a port (unprivileged processes can only listen
on port numbers >=1024 in most multiuser OSes).

Some port numbers are not fixed.  There are several possibilities here, but
in unix these most notably include port numbers bearing services registered
under the "portmapper", which listens on port 111.  Type "rpcinfo -p
yourmachine" for a list of services for which the portmapper is serving as a
directory.  (Some of these port numbers may in fact be fixed, in which case
client programs have two different ways to find the port number (hardcode the
port number or use the portmapper).)

To see what listeners you have running (open ports), the canonical
incantation is "netstat -an".  But doing a portscan from a remote machine
might be more reliable if you suspect your machine has been compromised,
because the netstat program could have been replaced.  To find out what
process is doing the listening, try something like lsof.  Again, once
your machine has been compromised, this might report the wrong answer;
the purpose of using lsof would be to investigate the normal behaviour of
your machine, not to check whether it's been compromised.

------------------------------

Subject: Here's new, unbreakable encryption software.

It's probably not substantially new, and I'm sure it's not unbreakable.
Read the snake oil FAQ at
http://www.interhack.net/people/cmcurtin/snake-oil-faq.html

------------------------------

Subject: What should I read to learn how to secure my computers?  What should
	I read to learn about computer security?

The number one thing to do is to install all of your vendor's security
patches and to disable unused services (in unix, comment things out of
/etc/inetd.conf, and remove daemon invocations from /etc/rc* (details
depend on OS version)).  See some other basic information in
ftp://ftp.cert.org/pub/tech_tips/UNIX_configuration_guidelines
Subscribe to the CERT advisory list and to your vendor's security alert list
to keep current in future.

If you're trying to learn your way around unix and internet security in
general, I suggest you want to start with a good grasp of unix basics, e.g.
from the Kernighan & Pike book.  You'll also want to be strong in C, which
education you can begin with the Kernighan & Ritchie book.  (Of course
there are alternatives to both.)

If you're feeling strong after that and want to go for the details, read
Farmer & Venema's "Improving the Security of Your Site by Breaking Into
it" at http://www.fish.com/security/admin-guide-to-cracking.html , and
the Cheswick & Bellovin firewalls book.  For a gentler approach covering
a broader range of security issues, read Spafford & Garfinkel's "Practical
Unix and Internet Security".  A more hands-on-oriented book about firewalls
is Chapman & Zwicky.

If you're interested in cryptography, the canonical book is Schneier's
"Applied Cryptography", and you might be interested in RFC 1750.

I've received a recommendation for "Windows NT Security" by Rutstein.

Some URLs with security notes for particular systems (in addition to those
above, and don't forget your vendor's security patch list):

Linux security:
	http://metalab.unc.edu/LDP/HOWTO/Security-HOWTO.html

Irix (out of date but contains notes which are still important):
	ftp://rtfm.mit.edu/pub/faqs/sgi/faq/security

Improve assorted file permissions for solaris 2.2 through 2.6, changing
the pkg database to match:
	ftp://ftp.fwi.uva.nl/pub/solaris/fix-modes.tar.gz

Solaris security:
	http://www.sunworld.com/common/security-faq.html

Unix versus Windows NT:
	http://www.unix-vs-nt.org

(Canonical URLs for additional platforms solicited!  Non-vendor URLs preferred.)

------------------------------

Subject: Is there a newer version of cops?

No.  Version 1.04+ is a bit old but performs some functions which are still as
useful as they ever were.  (And the message "/usr/lib/sendmail could have a
hole/bug!" is still right although the cert advisory quoted could be changed.)

(1.04+ contains an assortment of minor fixes and enhancements to 1.04,
and was released in 1993 by the original author (Dan Farmer).)

------------------------------

Subject: Tripwire fails the self-test, dumps core when building the database,
	and dumps core when verifying.

Fails the self-test (on fast machines):

You have to slow it down (just the self-test scripts, not the tripwire binary
itself).  The test scripts create and then update a file, and then fail to
detect that the timestamp has changed.  But this is ok, because the timestamp
has indeed not changed, because this all happens within a second on some
modern machines.  This occurs in a few places in the test scripts.  If a
second-boundary happens to be crossed during this brief interval, then that
particular test will succeed, but another one might fail soon.

In the tests directory, edit 3 of the 4 files named test.*.sh:
in test.escape.sh, add "sleep 1" on line 46 (in the cert version), just before
running tripwire; in inter and update, un-comment-out the "sleep 1".
If this isn't good enough (obscure but can happen), use "sleep 2".  See
ftp://coast.cs.purdue.edu/pub/COAST/Tripwire/README-third


Dumps core when building the database (if you have 8-bit chars in filenames):

Tripwire 1.2 contains a bug relating to octal printing of 8-bit chars in file
names.  The bug occurs in filename_escape() in src/utils.c.  Double the size
of the "octal_array" to contain all 256 possible entries, and change
octal_array[(int)(*pcin)] to octal_array[*pcin & 255] farther down.
(This only works if you have eight-bit bytes, of course, but most of us do.)


Dumps core when verifying (this bug surfaces on some systems only):

In config.parse.c just before the end of configfile_read(), on line 356 in
the tripwire 1.2 distribution, there is a "rewind(fpout);".  It should be
conditional on "specified_configmode" as in the previous 'if' statement:
at this point the values "fpin" and "fpout" are the same (see line 184), so
it is actually rewinding the fp it might have closed in the previous line.
So simply add the word "else" before the "rewind".  (Perhaps change "fpout"
to "fpin" for clarity, although this won't affect its behaviour.)

------------------------------

Subject: Cops won't "make" in some versions of linux (GNU).

Remove the '#' from "BRAINDEADFLAGS" in the makefile.
(This adds a "-lcrypt" to the compilation of pass.c.)

------------------------------

Subject: What's that weird URL with SATAN/SAINT?  I'm not running a web server!
	or SATAN says "Can't find my own hostname".

SATAN acts as a web server so that it can use HTML conveniently.  The main
thing it gets out of HTML is its hypertext capabilities (you can click on
stuff).

The web browser communicates with it using the HTTP protocol.  This allows
it to generate responses to queries dynamically, rather than having to
generate a huge number of static files (to be accessed via file://).  It
includes a cryptographic random number at the beginning of the URL so that
others can't contact your copy of SATAN and retrieve the information it's
supplying.

If SATAN claims it "can't find my own hostname" or if the web browser can't
resolve your hostname in the URL, try adding your hostname to /etc/hosts.
You can list multiple hostnames for a given IP address in /etc/hosts; among
them should be the output from the "hostname" command and also your
fully-qualified domain name ("myname.dept.organization.org" rather than
"myname" or "myname.dept").

------------------------------

Subject: SATAN doesn't display right in my web browser; it asks me to save
	the file.

Newer web browsers seem to use different algorithms in guessing mime types
when the web server doesn't supply them.  Anyway, web servers are supposed to
supply the correct mime type and it's easy to fix SATAN to do so.

Add, in perl/html.pl, in process_html_request before it sends anything
(actually I see I put it just before the "Make sure they gave us the right
magic number"):

	#
	# ajr addition
	#
	print CLIENT <<EOF
HTTP/1.0 200 Document follows
Content-Type: text/html

EOF
;

Make sure you include the blank line; this separates the headers (just one,
here) from the content, and make sure it's really blank (no spaces etc).
Note similarly that the "HTTP", "Content-Type", and "EOF" words *MUST* start
at the beginning of the line.  In particular, if you get a syntax error from
perl, check that the "EOF" is at the beginning of the line, with no white
space before or after.

There's some bad advice out there about adding a handler with the ".pl"
suffix in your netscape preferences.
1) This is wrong.  What's relevant about the satan response is that it is
indeed html code, not the fact that the requesting URL ends in .pl.  A web cgi
URL might end in .pl but the program might return a gif.  Unlike with e-mail,
mime types are an integral part of the http protocol.
2) This is dangerous (the version of the advice which says to set it to
invoke the perl interpreter).  You don't want to execute arbitrary perl code
off the net.  It also won't work, because the satan response is html code, not
a perl program.

The recommendation to deactivate an existing ".pl" handler is ok, but the
above is better imho; it fixes the real problem, and the fix won't go away
when you switch web browsers or use a different account.

------------------------------

Subject: How do I find all setuid and setgid files?

find / -local -type f \( -perm -4000 -o -perm -2000 \) -print

or to do an "ls -l" of them:

find / -local -type f \( -perm -4000 -o -perm -2000 \) -exec ls -ld '{}' \;

You may want to add the "-u" option to ls to see last-accessed times rather
than last-modified times (esp to help gauge how harmful it would be to
unsetuid the file).

Some versions of "find" don't have the "-local" option.  Its purpose is to
avoid searching nfs volumes.  If you don't have any nfs mounts, you can omit
the "-local".  If you do, here are some other possibilities:
    * On some systems you can do something like
	    find / -fstype nfs -prune -o -type f \( -perm -4000 ...
    * Some systems have "-xdev" or "-mount", which prevent find from
      traversing mounts.  But then you have to run it for each local
      filesystem separately.
    * Do the check with nfs filesystems unmounted (e.g. single-user mode).
    * As an alternative to find, "ncheck -s" will tell you all setuid and
      setgid files, plus all device files (which is something of equal
      interest, although usually much less problematic in OS distributions).
      It too must be run separately for each filesystem.

Please note that this is insufficient if you suspect backdoors have been
installed on your system.  The backdoor installation activity could have
included modifying the "find" command.  The purpose of the above is to find
locally-installed or vendor-supplied security bugs waiting to happen, not to
find backdoors.

Also note that on some systems, "-local" doesn't do what you'd think, because
it still traverses the entire remote filesystem, and rejects all nodes in it
as non-local.  In this case you want "! -local -prune -o", i.e. if not local
prune the search, else ... .

------------------------------

Subject: I can't get .rhosts/.shosts to work with ssh.

If ssh doesn't do what you want, the output of "ssh -v" may be helpful.

For .rhosts or .shosts (or hosts.equiv or shosts.equiv) to take effect with
ssh with the default configuration, a few somewhat unobvious things must be
the case.  These are all good restrictions and the rationale is included here.

    * The request must be coming in from a "privileged port"; thus, the ssh
      client must be setuid.  Without this restriction, any user could
      masquerade (for the purposes of passwordless login) as any other on the
      same source machine.  (Even with it, root can; but there's no way to
      restrict THAT without the user typing something or involving a third
      machine (i.e. some hardware which root doesn't have access to).)  Also,
      the ssh client must be able to read /etc/ssh_host_key (the private one)
      to be able to do the public key authentication thing to prove you're on
      the host whose IP address you're using.  N.B. that the 1.2.25 makefile
      sometimes turns off the setuid bit on ssh when doing a "make install"
      (it's a bug in the makefile, fixed in 1.2.26).

    * .rhosts or .shosts must be owned by the appropriate user and not be
      writable by group or others.  Sshd does not check for the situation of
      single-user groups common on some versions of unix these days (esp some
      versions of GNU/linux); you have to chmod g-w .rhosts/.shosts if your
      umask is 2.  (There is no way for sshd to detect the single-user group
      situation; current membership of size one doesn't tell you its history.)
      Similarly, your home directory should not be writable by group or others.

    * The source host must be in /etc/ssh_known_hosts or
      ~user/.ssh/known_hosts on the target machine.
      This is the difference between "RhostsRSAAuthentication" (allowed by
      default) and "RhostsAuthentication" (disallowed by default).  Without
      this, ssh is not gaining you any login security, although it is still
      gaining you anti-sniffing security.

When all else fails, try "ssh -v".
Take further questions to comp.security.ssh.

------------------------------

Subject: Should I block all ICMP at my firewall/router?

No.  You need to allow the "can't fragment" message through or you will lose
connectivity to some number of sites with wacky packet sizes on their local
nets (notably token ring).  See http://www.worldgate.com/~marcs/mtu/

------------------------------

Subject: How do I prevent my machine from announcing OS version, daemon
	version, etc in the banner message?

In unix, find the daemon in question, possibly by finding its line
in /etc/inetd.conf, and read its man page.  For complex config files
(e.g. sendmail), search in the config file for the constant portions of
the string it's outputting (e.g. in sendmail.cf find the string "Sendmail"
with a capital 'S').  For telnetd, some systems have "-h" to suppress
the greeting and other systems' banners come from a file called something
like /etc/issue.  (Note that in redhat linux, you really want to modify
/etc/rc.d/rc.local rather than (or in addition to) /etc/issue*, because
it regenerates /etc/issue* upon boot.)  For Solaris 2.6 and greater, put
"BANNER=" (without the quotes) in /etc/default/telnetd.  The telnetd included
with Solaris <2.6 and SunOS can't suppress the banner, but there's no need
to use that particular software; you could use GNU telnetd, for example;
or you might edit the binary, as the strings appear in it.

But this might not really be a security issue and it might not be worth
your effort.  Suppressing banners probably doesn't restrict any information
which is genuinely useful to an attacker.  If an attacker has some "exploit"
program for sendmail 1.2.3 only, then rather than checking the banner
to see if your machine is in fact running sendmail 1.2.3, they might as
well just run the exploit program, which is a direct check of whether
you're vulnerable.  Whereas the banner suppression *will* interfere with
some kinds of checking of sendmail versions which you yourself may want
to do occasionally.

------------------------------

Subject: Is a portscan of a machine malicious/illegal/unfriendly?

This is included here because it's a recurring flamefest.  Please avoid
simply repeating the same old basic statements, because we've heard 'em all.

First of all, what a portscan is:  Basically (there are myriad variants),
it's an attempted connection to every single port number on a given machine
or range of machines.  Suppose you want to break in to a particular machine.
First thing you might do is to run a port-scanner to find out what all the
"open ports" are (ports with a listener).  Then you see, aha there's an
imapd, let's try the imapd exploit program.  Rather than just trying all
sorts of programs which wouldn't even connect let alone break in.

Portscanning your own machine is valuable; you may find listeners you didn't
know were there, and then you can close them off and/or check their security.

Since you have to secure each service on its own anyway, some people argue
that there's no need to defend against portscanning itself.  On the other
hand, you might configure your system to page you, or delete all your files,
or perform some such useful action when it detects a port-scanning in
progress.  Some defense systems cease accepting connections of any kind from
that IP address when they detect a portscan, and some sysadmins write to your
ISP and try to get you kicked off.  This leads to "stealth port-scanners"
which try to avoid triggering the alarms by various means.

Some people argue that there's not too much in the way of useful action you
can take automatically when you detect a port-scanning in progress, and
"counterattack" software is unwise and can be used via forgery to launch
attacks from your machine.


Now, the basic portscanning arguments.  (The discussion is only about
machines you don't admin, obviously; there is an additional, finer dispute
about the situation with machines you have some legitimate association with
but not as sysadmin.)  I might be willing to add other statements to this
list if they're similarly terse, and certainly do let me know if you feel
I've inadequately represented a viewpoint, except that I reserve the right to
apply a sense of humour.

Portscanning has been argued to be malicious/illegal/satanic because (see
rebuttals in subsequent section):
- a portscan is always/usually a prelude to or part of an attack, like testing
doorknobs to see if they're unlocked
- my pager beeps when I get portscanned, which takes my time unfairly (aka my
machine crashes, sends lots of e-mail, changes the root password to "soup")
- if everyone portscans a few machines for fun, in total there will be a
constant barrage of portscans to all/many/some machines, overloading them
- an attempt to commit a criminal offence is itself a criminal offence
- portscanning someone ELSE's machine is a completely different matter than
portscanning one's own
- a stealth portscan shows criminal intent even if you argue that a
traditional portscan does not
- any connection to a machine you're not explicitly authorized to use
constitutes the criminal offence of unauthorized access to a computer (i.e.
it's already a breakin)
- various lame analogies

Portscanning has been argued to be innocent/salutory/pure because (see
rebuttals in previous section):
- the "hands-on imperative": people should be curious, people should explore,
people should think
- a portscan uses a negligible amount of resources on the target machine
- if a portscan is a prelude to an attack, the ATTACK is what's wrong; the
portscan is not wrong, and is not usually a prelude to an attack anyway
- legally, "mere preparation" does not constitute an attempt
- having a listener on a port solicits connections; you can't complain that
someone makes the connection to the advertised port; port numbers are
"well-known" for a reason
- if a portscan crashes your system, it's crappy anyway; if your pager beeps
when you get portscanned, that's a stupid configuration
- if your machine is connected to the internet, it's your job as sysadmin to
deal with network activity and you shouldn't complain if you don't like it
- various lame analogies

Note re analogies:  Analogies are a good way to express a point of view but
usually the attempt to draw conclusions from them is essentially circular.
I recommend using an analogy to express views but not to argue.  Example of a
useful analogy:  "Looking through someone's protected files without their
permission is like looking through their desk drawers."  Very connotative;
conveys concepts of reasonable expectations of privacy despite organizational
ownership of the infrastructure; shows what the speaker thinks some of the
fundamental issues are; but note it's still not a proof of anything.  Example
of a useless analogy:  "Portscanning isn't like trying to turn the doorknob,
it's like looking at the doorknob while passing by on the street." Conveys no
information other than "I think portscanning is ok".  Neither is an argument,
but one of them gives a wealth of information as to the basic perspective of
the speaker and the other is useless.

------------------------------

Subject: Can my ISP/employer monitor [various things I'm doing]?

Do they have the technical ability?  Yes.  Your packets go through their
equipment.  Your packets are identified with your IP address, and they
contain the IP address of the destination; your ISP's routers need to know
the destination IP addresses to be able to route your packets.

The data you send (e.g. passwords, mail message contents, URLs) is all also
easily available, in the body of the packets.  If you use www.anonymizer.com,
the URL you request is still just as available in the outgoing packets.

If you use some form of encryption, e.g. ssh, they could still at least tell
the destination, even if the contents are unreadable.  In general, encryption
is the only way to render at least the contents unsnoopable, and only then if
the encryption and decryption are both done on machines which the overseers
DON'T control, and plain text not transmitted on any networks on which the
overseers have machines or are able to attach machines.  If you use their
computers (e.g. you run the encryption program on a unix machine run by
them), then everything you do is available to them, theoretically.

But perhaps you were asking "*May* my ISP monitor X": is it allowed, is it
ethical.

I think most sysadmins would feel that once there is reasonable suspicion that
you are acting improperly (breaking into computers, violating the acceptable
use policy, etc), that it is ethical for the admins to take a closer look.

It's unlikely that it's *illegal* for them to look at your stuff or what
you're doing, although there are some exceptions.  Under certain court orders
or subpoenas, it may be illegal for them *not* to look at your files or what
you're doing.

Many believe inquiry not in a case of suspicion and not under a court order
is unethical.  This is a potential topic for discussion in comp.security.misc
and comp.security.unix, but posters should refrain from the argument that
"they paid for it, they can do what they like with it" (which is advanced in
the case of employers or educational institutions).  This is surely false in
general and thus not the basis for a convincing argument.  For example, if
they do something criminal with their equipment, it's a criminal act, they
can be charged criminally, it doesn't matter that they paid for it.
Similarly, if they do something unethical, it's unethical even though they
paid for it.  The whole concept of professional ethics is based on the idea
that ethics transcends legality; the idea that an action can be legal but
unethical.  If "they paid for it" means that all legal acts are ethical, then
you've pretty much defined away the whole idea of professional ethics.
*That* is probably best not attempted on comp.security.misc/unix.