From: Mark Aldrich <maldrich@grctechs.va.grci.com>
To: cypherpunks@toad.com
Message Hash: 74a4cdbba97b1ef8750756bc3534044042644a98ed397143f812e6fb56ced0a8
Message ID: <Pine.SCO.3.91.960315101330.22528A-100000@grctechs.va.grci.com>
Reply To: N/A
UTC Datetime: 1996-03-15 17:47:54 UTC
Raw Date: Sat, 16 Mar 1996 01:47:54 +0800
From: Mark Aldrich <maldrich@grctechs.va.grci.com>
Date: Sat, 16 Mar 1996 01:47:54 +0800
To: cypherpunks@toad.com
Subject: [NOISE] The all.net controversy continues
Message-ID: <Pine.SCO.3.91.960315101330.22528A-100000@grctechs.va.grci.com>
MIME-Version: 1.0
Content-Type: text/plain
Here's some info from all.net and a host of players IRT the "telnet"
fiasco and assorted activities related to it.
Crypto relevance is oblique, but some people on this list have implied
"knob twiddling" intentions. It would appear any number of sites are
trying more than twiddling.
One interesting notion that surfaces in this is what's a "normal"
automated inquiry for information versus an "attack." Do I commit
computer trespass when I finger someone? Or do I have to try to telnet?
Is attempting a telnet into a "guest" account OK if I just want to see if
the machine's policy is to welcome visitors? Do they have to post "do
not trespass" signs?
If all.net's policy is really "nobody's allowed to telnet in," then why
don't they just shut down the damn telnetd, and be done with it? Or, if
they want only "authorized" personnel, why not add sufficient crypto to
secure the channel?
Anyway, it makes for an interesting read....
**BEGIN FORWARDED MATERIAL**
---------------------------------------------
Date: Wed, 13 Mar 1996 21:25:03 -0500 (EST)
From: Sick Puppy <sikpuppy@maestro.com>
Subject: Re: IW Mailing List iw/960313
> [Moderator's Note: I believe that the federal computer abuse statutes
> don't require a warning banner. If they did, then any denial of service
> attack that ignored responses would be legal.]
In our discussions with the FBI about how we could meet the legal
requirements for a successful prosecution that would not be thrown out on
technicalities, the need for a warning statement or warning banner was
stressed by the FBI. I don't remember the specifics but the need to have
a warning banner is related to the freedoms guaranteed by the US
Constitution and its Amendments. The FBI mentioned a couple of
prosecutions by the Secret Service where part of the case was thrown out
and the whole case was significantly weakened, because there was no
warning banner.
I believe that CERT also covers this point in its annual
conference/seminar for incident response teams. They usually get an FBI
agent with experience in the rules of evidence to speak during the lunch
breaks.
Maybe there is someone on the list whose recollection on this point is
more precise than mine.
---------------------------------------------
Date: Wed, 13 Mar 1996 18:46:52 -0600
From: Walt Auch <waltauch@hiwaay.net>
Subject: Re: IW Mailing List iw/960313
Quote:
[Moderator's Note: I believe that the federal computer abuse statutes
don't require a warning banner. If they did, then any denial of service
attack that ignored responses would be legal.]
Unquote
Banners are not REQUIRED, but DOJ has indicated in many conversations
that they are "looked upon favorably" by the Court. You do NOT have to
prove that they were read - much like you don't have to prove a speed
limit sign was read in order to prove speeding - you should just be able
to show it was posted. (Scott Charney is the DOJ person - not sure that
should be posted.)
---------------------------------------------
From: fc (Fred Cohen)
Subject: More progress
Date: Wed, 13 Mar 1996 23:59:56 -0500 (EST)
So far, we have traced down:
A break-in at a community college in Pennsylvania where the
attacker rigged the University computer to automatically telnet to our
site every 5 minutes.
A port scan followed by a series of scores of attempts to telnet
into our site for over an hour from a University site in Arizona. The
attacker has been caught.
Several IP spoofing attempts that we are tracing down to the
specific dial-in accounts used to launch the attack.
An intentional insider corruption of a Web page designed to
turn innocent browsers into launchpads for their attack. This one was
tracked down yesterday and has been stopped after recurrences by
contacting this ISP's ISP and the FBI.
A web site which is misleading people into telnetting into
our site under the auspices of getting a letter from a self-proclaimed
computer security expert.
What appeared to be a systems administrator at a prominent
university who did a port scan followed by numerous telnets. It now
looks like this person may not have been authorized by the university to
do any of this and it has been raised to another level in the University.
Several other individuals have been tracked down as well.
19:52
> From: "Matthew G. Devost" <mdevost@chelsea.ios.com> ...
> I am concerned over the all.net statement that it will pursue criminal
> conspiracy charges against all those that telnet to their site. I
> asked what sort of warning banner was in place and hadn't gotten a
> reply yet so I checked to see. Well, there is NO warning banner. You
> simply get a connection refused by foreign host (and I imagine, an
> email to root at my ISP saying I am an evil hacker!).
The message changed as incidents occurred. Contrary to what previous
postings indicated, we haven't historically claimed these events as
attacks. We simply state that (current form):
A user at your site has just attempted to telnet into our site.
No users from your site are authorized to telnet into this site.
We thought you would like to know so you could investigate further.
If more telnets come from your site, this may indicate a more
substantial attempted entry originating from your site, and
should be followed up in more depth and more quickly.
> Here is my point. It is obvious that someone (an individual) has a
> gripe with you or just wants to target your machine, but I would not
> call the other attempts a conspiracy. I could post the following
> message to a cancer survivor newsgroup or list:
At this point in time [see above] several different individuals have been
identified as having intentionally attacked this site during the
incident. About 5 individuals are responsible for over 90% of all of the
attempted entries.
> "Hello all! Just wanted you to know that I have set up a Cancer
> Survivors network on my host machine. It requires telnet access
> for now, but we are hoping to find an easier way to access the
> computer in the near future. Please give it a try by telneting
> to all.net."
Excellent example. This would not be a criminal conspiracy unless some
of the participants became accomplices after the fact by lying about the
source of the message and actively creating their own similar messages.
Then they would become co-conspirators. That's what appears to have
happened here.
...
> My point, and I realize I am taking a long time getting there, is that
> at the very least you should provide a warning banner when folks telnet
> to your site telling them that an unauthorized telnet attempt will be
> considered an intrusion.
We express this in our finger daemon: No users are allowed on this system
In the case of telnet, we don't want people getting that far into our
system because we believe that such mechanisms may be breakable by high
volume attacks. We prefer to stop things at the earliest possible phase
and to have layered defenses after that.
---------------------------------------------
Subject: Re: IW Mailing List iw/960313
Date: Thu, 14 Mar 1996 10:02:56 -0500
>From: "Michael G. Reed" <reed@itd.nrl.navy.mil>
|> Well congrats for sparking the list back to life! I think it is
|> definitely an IW attack at the Class I level, but I would agree with
|> most of the comments from the list that perhaps [all.net is]
|> overreacting.
Overreacting, no; inflaming the situation, yes. It is well
within the rights of all.net to treat attempted telnets to their machine
as attempted break-ins if the proper notification has been given; but
personally, I think their handling of the situation is
quite silly. One does not get up on a soap box and scream and shout to
the world like this -- it just invites (no, begs) more attacks. Instead,
you deal with it in the professional manner that system administrators
have used for years -- contact other admins and deal with the problem
directly.
The big problem is *ARE YOU SURE* you have the right people?
IP spoofing is trivial these days (a problem that won't be solved until
IPv6, if even then) and it would be very easy to mount a concerted attack
that *NO ONE* would be able to track down unless you start looking at
backbone router logs (which I seriously doubt are being generated or
kept) or placing sniffers all over the Internet.
[Moderator's Note: Apparently all.net has this well covered because of
their previous efforts in automated vulnerability testing.]
...
Actually, there are both CERT and DoD bulletins on appropriate
warning banners. These banners should (ideally) be displayed *PRIOR* to
login (ie, before the login prompt), but most OS's today don't allow for
this and as such the banners are normally displayed in the motd. For us
(DoD/USN), the message is as follows (at least this is what is showing up
on all of our machines):
* * * WARNING! * * *
This is a U.S. Government/Department of the Navy
Automated Information System.
This system may be used only for unclassified official business.
Unauthorized use of this system is prohibited by
Title 18, Section 1030, United States Code.
Department of the Navy Automated Information Systems and related
equipment are intended for the communication, processing and storage of
U.S. Government information, and are subject to monitoring to ensure
proper functioning, to protect against improper or unauthorized use or
access, to verify the presence or performance of applicable security
features or procedures, and for other like purposes. Such monitoring may
result in the acquisition, recording, and analysis of all data being
communicated, transmitted, processed or stored in this system by a user.
If monitoring reveals evidence of possible criminal activity, such
evidence may be provided to law enforcement personnel.
* * * USE OF THIS SYSTEM CONSTITUTES CONSENT TO SUCH MONITORING. * * *
Send questions and/or problem reports to root@foobar.mil
|> Let me first start by saying that a telnet attempt is the first and
|> most obvious step in any electronic intrusion. ...
|> Telnet's only purpose is to establish access.
I think this is stretching the law a bit. Let me give you an
analogy: Suppose I walk up to a military installation. At the gate they
will ask me for my pass, but I don't have one on me. Now, as long as I
do not attempt to enter, and leave the grounds at that point, have I done
anything wrong? Is my attempt to "break in" illegal? I would contend
no. Now, if I had been trying to scale the fence at the time I was
detected, that is a COMPLETELY different story, but by following normal
protocol I am within my rights. This doesn't preclude handling
denial-of-service attacks either. If I continually walk up to the
military installation and ask for entry without the proper pass, then I
am *POSSIBLY* breaking the law (disturbing the peace or harassment at the
minimum) or if there are big signs (which I ignore) stating that
unauthorized attempts to enter will result in prosecution, then I *AM*
breaking the law.
|> As for alerting an administrator, it is extremely likely that a person
|> trying to get into one system also tries to get into dozens of others. ...
Yes, this is what all system administrators should do. I am
not saying that systems should hide the fact that they are (or have been)
attacked, but that they should handle it professionally and not throw a
tantrum (I'm sorry, but that's what all.net's message looks like to me --
a tantrum -- my personal take on reading it).
Security on the Internet is a *MAJOR* problem today, the
problem is that few people realize this (or to what extent it is a
problem). The one good thing coming out of all of all.net's attention to
this "attack" is the quality discussions about security, the handling of
threats, and what should be done in the future.
[Moderator's Note: The all.net banner is shown above.]
---------------------------------------------
Date: Thu, 14 Mar 1996 10:24:03 -0800 (PST)
From: watson@tds.com
Subject: Re: hackers and the law
>[Moderator's Note: I believe that the federal computer abuse statutes
>don't require a warning banner. If they did, then any denial of service
>attack that ignored responses would be legal.]
There was a CERT or CIAC about late 1992, and a sidebar in Cheswick and
Bellovin that summarizes the fuzzy state of this assertion. Apparently,
the attackee has some risk of prosecution under wiretap laws if actions
are taken against an attacker without proper notice. The warning banner
is considered necessary defense against the attacker's lawyers when he
claims he was "just knocking on the door." I haven't heard of a clear
precedent on this. Probably varies by jurisdiction, phase of the moon,
etc. I would encourage those who post on this topic to state their legal
credentials.
[Moderator's Note: I'll bite - what are your legal credentials?]
---------------------------------------------
**END FORWARDED MATERIAL**
-------------------------------------------------------------------------
| Liberty is truly dead |Mark Aldrich |
| when the slaves are willing |GRCI INFOSEC Engineering |
| to forge their own chains. |maldrich@grci.com |
| STOP THE CDA NOW! |MAldrich@dockmaster.ncsc.mil |
|_______________________________________________________________________|
|The author is PGP Empowered. Public key at: finger maldrich@grci.com |
| The opinions expressed herein are strictly those of the author |
| and my employer gets no credit for them whatsoever. |
-------------------------------------------------------------------------
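Two technical points in the forwarded thread are worth seeing in working code: Fred Cohen's description of an automatic notice to the remote site ("A user at your site has just attempted to telnet into our site ... If more telnets come from your site, this may indicate a more substantial attempted entry") and Michael Reed's point that a warning banner should be displayed before the login prompt, not in the motd. The listener below is an added example written for this page; it is not all.net's software and not code from any message above. It sends a constructed banner and closes before any prompt, counts completed connections per source /24 over a sliding one-hour window, and only after a third attempt from the same network produces a notice for that site's administrator. The /24 grouping, the threshold of three, the hour window, port 2323 and the banner wording are all assumptions; how the recipient address is found (reverse DNS or whois for the network) is left to the operator.

```python
"""Added example, not code from all.net or any message in this thread.

Telnet-port listener: warning banner BEFORE any login prompt, then drop;
per-source-network counting so that repeated attempts (not one connect)
generate a notice for the remote site's admin. Threshold, window, /24
grouping, port 2323 and the banner text are assumptions.
"""
import ipaddress
import socket
import time
from collections import defaultdict, deque

# Constructed banner, modelled on the pre-login warning quoted in the thread.
WARNING_BANNER = (
    "*** WARNING ***\r\n"
    "This system is private. No remote users are authorized to log in.\r\n"
    "Connection attempts are logged and may be reported to your site's\r\n"
    "administrator and to law enforcement.\r\n"
)

THRESHOLD = 3          # assumption: attempts per source network ...
WINDOW_SECONDS = 3600  # ... within one hour before that site is notified


def source_network(ip):
    """Group by /24 (assumption) so a handful of dial-in addresses count as one site."""
    return str(ipaddress.ip_network(f"{ip}/24", strict=False))


def build_notification(net, count, window):
    """Notice for the remote site's admin. The recipient address is looked up
    out of band (reverse DNS or whois for the network); none is invented here."""
    body = (
        f"{count} telnet connection attempts from {net} reached this site in the\n"
        f"last {window // 60} minutes. No users from your site are authorized to\n"
        f"telnet into this site. We thought you would like to know so you could\n"
        f"investigate further.\n"
    )
    return {"source_network": net, "count": count, "body": body}


class AttemptTracker:
    """Sliding-window counter of completed connections, keyed by source network."""

    def __init__(self, threshold=THRESHOLD, window=WINDOW_SECONDS):
        self.threshold = threshold
        self.window = window
        self._attempts = defaultdict(deque)   # network -> timestamps in window
        self._notified = {}                   # network -> time of last notice

    def record(self, src_ip, now):
        """Record one attempt; return a notice dict when the threshold is crossed
        (at most once per window for a given network), otherwise None."""
        net = source_network(src_ip)
        times = self._attempts[net]
        times.append(now)
        while times and now - times[0] > self.window:
            times.popleft()                   # age out attempts older than the window
        if len(times) < self.threshold:
            return None
        last = self._notified.get(net)
        if last is not None and now - last < self.window:
            return None                       # that site was already told this window
        self._notified[net] = now
        return build_notification(net, len(times), self.window)


def handle_connection(conn, src_ip, tracker, now=None):
    """Banner first, then close: the client never sees a login prompt.

    accept() returns only after the TCP three-way handshake completed, so
    src_ip is not a blind spoof; a SYN-only scan never reaches this point.
    """
    now = time.time() if now is None else now
    try:
        conn.sendall(WARNING_BANNER.encode("ascii"))
    except OSError:
        pass                                  # peer already went away
    finally:
        conn.close()
    return tracker.record(src_ip, now)


def simulate_connection(src_ip, tracker, now):
    """Drive handle_connection over an in-process socket pair (constructed
    input); returns (bytes the client saw, notice or None)."""
    server_end, client_end = socket.socketpair()
    try:
        note = handle_connection(server_end, src_ip, tracker, now)
        chunks = []
        while True:
            data = client_end.recv(4096)
            if not data:                      # EOF once the server end is closed
                break
            chunks.append(data)
    finally:
        client_end.close()
    return b"".join(chunks), note


def serve(port=2323, tracker=None):
    """Stand-alone listener (port 23 needs root, so 2323 is used by assumption)."""
    tracker = tracker or AttemptTracker()
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind(("0.0.0.0", port))
        srv.listen(16)
        while True:
            conn, (src_ip, _port) = srv.accept()
            note = handle_connection(conn, src_ip, tracker)
            if note:
                print(note["body"])           # a deployment would mail this out


if __name__ == "__main__":
    serve()
```

Run it as `python3 listener.py` and `telnet localhost 2323` three times within an hour from one /24 to see the notice appear; a single connection only gets the banner. The handshake comment in handle_connection is the answer to the "are you sure you have the right people?" question above: a connection that reached accept() came from an address that completed the three-way handshake, which a blind spoof cannot do, whereas the port scans mentioned in the thread can carry any source address and should not be counted by this code at all.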