From: Mark Aldrich <maldrich@grctechs.va.grci.com>
Date: Sat, 16 Mar 1996 01:47:54 +0800
To: cypherpunks@toad.com
Subject: [NOISE] The all.net controversy continues
Message-ID: <Pine.SCO.3.91.960315101330.22528A-100000@grctechs.va.grci.com>
MIME-Version: 1.0
Content-Type: text/plain


Here's some info from all.net and a host of players IRT the "telnet" 
fiasco and assorted activities related to it.

Crypto relevance is oblique, but some people on this list have implied 
"knob twidling" intentions.  It would appear any number of sites are 
trying more than twidling.

One interesting notion that surfaces in this is what's a "normal" 
automated inquiry for information versus an "attack."  Do I commit 
computer trespass when I finger someone?  Or do I have to try to telnet?  
Is attempting a telnet into a "guest" account OK if I just want to see if 
the machine's policy is to welcome visitors?  Do they have to post "do 
not trespass" signs?

If all.net's policy is really "nobody's allowed to telnet in," they why 
don't they just shutdown the damn telnetd, and be done with it?  Or, if 
they want only "authorized" personnel, why not add sufficient crypto to 
secure the channel?

Anyway, it makes for an interesting read....

**BEGIN FORWARDED MATERIAL**

--------------------------------------------- 
Date: Wed, 13 Mar 1996 
21:25:03 -0500 (EST) >From: Sick Puppy <sikpuppy@maestro.com> Subject: 
Re: IW Mailing List iw/960313

> [Moderator's Note: I believe that the federal computer abuse statutes
> don't require a warning banner.  If they did, than any denial of 
service > attack that ignored responses would be legal.]

In our discussions with the FBI about how we could meet the legal 
requirements for a successful prosecution that would not be thrown out on 
technicalities, the need for a warning statement or warning banner was 
stressed by the FBI.  I don't remember the specifics but the need to have 
a warning banner is related to the freedoms guaranteed by the US 
Constitution and its Amendments.  The FBI mentioned a couple of 
prosecutions by the Secret Service where part of the case was thrown out 
and the whole case was significantly weakened, because there was no 
warning banner. 

I believe that CERT also covers this point in its annual 
conference/seminar for incident response teams.  They usually get a FBI 
agent with experience in the rules of evidence to speak during the lunch 
breaks. 

Maybe there is someone on the list whose recollection on this point is 
more precise than mine.
---------------------------------------------
Date: Wed, 13 Mar 1996 
18:46:52 -0600
>From: Walt Auch <waltauch@hiwaay.net> 
Subject: Re: IW Mailing List iw/960313

Quote:
[Moderator's Note: I believe that the federal computer abuse statutes 
don't require a warning banner.  If they did, than any denial of service 
attack that ignored responses would be legal.]
Unquote

Banners are not REQUIRED, but DOJ has indicated in many conversations 
that they are "looked upon favorably" by the Court.  You do NOT have to 
prove that they were read - much like you don't have to prove a speed 
limit sign was read in order to prove speeding - you should just be able 
to show it was posted.  (Scott Charney is the DOJ person - not sure that 
should be posted.)
--------------------------------------------- 
>From: fc (Fred Cohen)
Subject: More progress
Date: Wed, 13 Mar 1996 23:59:56 -0500 (EST)

So far, we have traced down:

	A breakin at a community college in Pennsylnavia where the
attacker rigged the University computer to automatically telnet to our 
site every 5 minutes. 

	A port scan followed by a series of scores of attempts to telnet 
into our site for over an hour from a University site in Arizona.  The 
attacker has been caught.

	Several IP spoofing attempts that we are tracing down to the 
specific dial-in accounts used to launch the attack.

	An intentional insider corruption of a Web page designed to
turn innocent browsers into launchpads for their attack.  This one was 
tracked down yesterday and has been stopped after recurrences by 
contacting this ISPs ISP and the FBI.

	A web site which is misleading people into telnetting into
our site under the auspices of getting a letter from a self-proclaimed 
computer security expert.

	What appeared to be a systems administrator at a prominant 
university who did a port scan followed by numerous telnets.  It now
looks like this person may not have been authorized by the university to 
do any of this and it has been raised to another level in the University.

	Several other individuals have been tracked down as well.

19:52

> From: "Matthew G. Devost" <mdevost@chelsea.ios.com> ...
> I am concerned over the all.net statement that it will pursue criminal
> conspiracy charges against all those that telnet to their site.  I 
asked > what sort of warning banner was in place and hadn't gotten a 
reply yet
> so I checked to see.  Well, there is NO warning banner.  You simply get 
> a connection refused by foreign host (and I imagine, a email to root at 
> my ISP saying I am an evil hacker!).

The message changed as incidents occured.  Contrary to what previous 
postings indicated, we haven't historically claimed these events as 
attacks.  We simply state that (current form):

	A user at your site has just attempted to telnet into our site. 	
No users from your site are authorized to telnet into this site. 	
We thought you would like to know so you could investigate 	further.  
If more telnets come from your site, this may indicate 	a more 
substantial attempted entry originating from your site, 	and 
should be followed up in more depth and more quickly. 

> Here is my point.  It is obvious that someone (an individual) has a > 
gripe with you or just wants to target your machine, but I would not > 
call the other attempts a conspiracy.  I could post the following
> message to a cancer survivor newsgroup or list:

At this point in time [see above] several different individuals have been 
identified as having intentionally attacked this site during the 
incident.  About 5 individuals are responsible for over 90% of all of the 
attempted entries. 

> 	"Hello all! Just wanted you to know that I have set up a Cancer > 	
Survivors network on my host machine.  It requires telnet access > 	
for now, but we are hoping to find an easier way to access the
> 	computer in the near future.  Please give it a try by telneting > 	
to all.net."

Excellent example.  This would not be a criminal conspiracy unless some 
of the participants became accomplices after the fact by lying about the 
source of the message and actively creating their own similar messages. 
Then they would become co-conspirators.  That's what appears to have 
happened here. 

...
> My point, and I realize I am taking a long time getting there, is that 
> at the very least you should provide a warning banner when folks telnet 
> to you site telling them that an unauthorized telnet attempt will be
> considered an intrusion. 

We express this in our finger daemon: 		No users are allowed on 
this system

In the case of telnet, we don't want people getting that far into our 
system because we believe that such mechanisms may be breakable by high 
volume attacks.  We prefer to stop things at the earliest possible phase 
and to have layered defenses after that. 
---------------------------------------------
Subject: Re: IW Mailing List iw/960313 
Date: Thu, 14 Mar 1996 10:02:56 -0500
>From: "Michael G. Reed" <reed@itd.nrl.navy.mil>

|> Well congrats for sparking the list back to life! I think it is
|> definitely an IW attack at the Class I level, but I would agree with
|> most of the comments from the list that perhaps [all.net is] 
overreacting. 

	Over reacting, no, inflaming the situation, yes.  It is well 
within the rights of all.net to treat attempted telnets to their machine 
as attempted break-ins if the proper notification has been given; but 
personally, I think their handling of the situation is
quite silly.  One does not get up on a soap box and scream and shout to 
the world like this -- it just invites (no, begs) more attacks. Instead, 
you deal with it in the professional manner that system administrators 
have used for years -- contact other admins and deal with the problem 
directly.

	The big problem is *ARE YOU SURE* you have the right people?
IP spoofing is trivial these days (a problem that won't be solved until 
IPv6, if even then) and it would be very easy to mount a concerted attack 
that *NO ONE* would be able to track down unless you start looking at 
backbone router logs (which I seriously doubt are being generated or 
kept) or placing sniffers all over the Internet.

[Moderator's Note:  Apparently all.net has this well covered because of 
their previous efforts in automated vulnerability testing.]

...
	Actually, there are both CERT and DoD bulletins on appropriate 
warning banners.  These banners should (ideally) be displayed *PRIOR* to 
login (ie, before the login prompt), but most OS's today don't allow for 
this and as such the banners are normally displayed in the motd.  For us 
(DoD/USN), the message is as follows (at least this is what is showing up 
on all of our machines):

* * *   WARNING!   * * *

This is a U.S. Government/Department of the Navy
Automated Information System.
This system may be used only for unclassified official business.
Unauthorized use of this system is prohibited by
Title 18, Section 1030, United States Code.

Department of the Navy Automated Information Systems and related 
equipment are intended for the communication, processing and storage of 
U.S. Government information, and are subject to monitoring to ensure 
proper functioning, to protect against improper or unauthorized use or 
access, to verify the presence or performance of applicable security 
features or procedures, and for other like purposes.  Such monitoring may 
result in the acquisition, recording, and analysis of all data being 
communicated, transmitted, processed or stored in this system by a user.  
If monitoring reveals evidence of possible criminal activity, such 
evidence may be provided to law enforcement personnel.

* * *  USE OF THIS SYSTEM CONSTITUTES CONSENT TO SUCH MONITORING.  * * *

Send questions and/or problem reports to root@foobar.mil

|> Let me first start by saying that a telnet attempt is the first and 
most |> obvious step in any electronic intrusion. ...
|> Telnet's only purpose is to establish access. 

	I think this is stretching the law a bit.  Let me give you an 
analogy: Suppose I walk up to a military installation.  At the gate they 
will ask me for my pass, but I don't have one on me.  Now, as long as I 
do not attempt to enter, and leave the grounds at that point, have I done 
anything wrong?  Is my attempt to "break in" illegal?  I would contend 
no.  Now, if I had been trying to scale the fence at the time I was 
detected, that is a COMPLETELY different story, but by following normal 
protocol I am within my rights.  This doesn't preclude handling 
denial-of-service attacks either.  If I continually walk up to the 
military installation and ask for entry without the proper pass, then I 
am *POSSIBLY* breaking the law (disturbing the peace or harassment at the 
minimum) or if there are big signs (which I ignore) stating that 
unauthorized attempts to enter will result in prosecution, then I *AM* 
breaking the law.

|> As for alerting an administrator, it is extremely likely that a person 
|> trying to get into one system also tries to get into dozens of others. ...

	Yes, this is what all system administrators should do.  I am
not saying that systems should hide the fact that they are (or have been) 
attacked, but that they should handle it professionally and not throw a 
tantrum (I'm sorry, but that's what all.net's message looks like to me -- 
a tantrum -- my personal take on reading it).

	Security on the Internet is a *MAJOR* problem today, the
problem is that few people realize this (or to what extent it is a 
problem).  The one good thing coming out of all of all.net's attention to 
this "attack" is the quality discussions about security, the handling of 
threats, and what should be done in the future.

[Moderator's Note: The all.net banner is shown above.]

--------------------------------------------- Date: Thu, 14 Mar 1996 
10:24:03 -0800 (PST) >From: watson@tds.com
Subject: Re: hackers and the law

>[Moderator's Note: I believe that the federal computer abuse statutes 
>don't require a warning banner.  If they did, than any denial of service 
>attack that ignored responses would be legal.]

There was a CERT or CIAC about late 1992, and a sidebar in Cheswick and 
Bellovin that summarizes the fuzzy state of this assertion.  Apparently, 
the attackee has some risk of prosecution under wiretap laws if actions 
are taken against an attacker without proper notice.  The warning banner 
is considered necessary defense against the attacker's lawyers when he 
claims he was "just knocking on the door."  I haven't heard of a clear 
precedent on this.  Probably varies by jurisdiction, phase of the moon, 
etc.  I would encourage those who post on this topic to state their legal 
credentials.

[Moderator's Note: I'll bite - what are your legal credentials?] 
---------------------------------------------

**END FORWARDED MATERIAL**

------------------------------------------------------------------------- 
|      Liberty is truly dead              |Mark Aldrich                 | 
|    when the slaves are willing          |GRCI INFOSEC Engineering     | 
|     to forge their own chains.          |maldrich@grci.com            | 
|        STOP THE CDA NOW!                |MAldrich@dockmaster.ncsc.mil | 
|_______________________________________________________________________| 
|The author is PGP Empowered.  Public key at:  finger maldrich@grci.com |
|    The opinions expressed herein are strictly those of the author     | 
|         and my employer gets no credit for them whatsoever.           | 
-------------------------------------------------------------------------