B. James Phillippe wrote:
> Greetings all,
>
> I'm forwarding a copy of an email I sent reporting attempted
> break-ins on my main server, earth.terran.org. I am forwarding this
[... deleted ... ]
> Web server logs showing attempted breakin:
>
> pmnac1-4.inu.net - - [18/Jun/1998:23:49:57 -0700] "GET /cgi-bin/phf" 302 -
> pmnac1-4.inu.net - - [18/Jun/1998:23:49:58 -0700] "GET /cgi-bin/test-cgi" 403 -
> pmnac1-4.inu.net - - [18/Jun/1998:23:49:59 -0700] "GET /cgi-bin/handler" 404 -
> [... deleted ...]

It is nice being paranoid, but what that person did is *not* illegal and would not hold any water in a court of law.

He caused no loss of money, no denial of service, nothing.

How can you deduce that the attacks were made by root user? ident is easily spoofable.

How do you know that inu.net was not in fact 0wned first and he was using that host for some sort of diversion mechanism?

How do you know that he is not reading your e-mail right now and laughing at you because he knows nothing happened?

There are so many variables in situations like this you have to take into effect, and it seems that you haven't.

It is nice being paranoid, but really. What this person did is not illegal, and you should just forget about it. This happens to me every day, if I really wanted to threaten them then I would send email to their admins, but there is no use.

They would rather have people doing bad stuff and paying money, than have no money at all.

Regards.
Greetings all,

I'm forwarding a copy of an email I sent reporting attempted break-ins on my main server, earth.terran.org. I am forwarding this because I think it is relevant that folks watch for this kind of activity in their logs to catch people who "try doorknobs" in the middle of the night.

After sending this email, I sent a talk request to the user, who was still logged onto a RedHat 4.2 system via dialup. Though he did not respond, within minutes he had downed his link. No damage was done to my system (I have all up-to-date security mechanisms in place). I believe this user is a Joe-random Linux user who just found some pre-packaged linux security exploits.

cheers,
-bp

--
B. James Phillippe <bryan@terran.org>
Linux Software Engineer, WGT Inc.
http://earth.terran.org/~bryan

[mod: Normally "I got hacked" messages are rejected, but this is an "I didn't get hacked" report OK? -- REW ;-]

---------- Forwarded message ----------
Subject: BREAK-IN ATTEMPT!
Date: Fri, 19 Jun 1998 01:09:55 -0700 (PDT)
From: "B. James Phillippe" <bryan@terran.org>
To: webmaster@inu.net, root@inu.net, postmaster@inu.net

Greetings,

As administrator of terran.org (TERRAN3-DOM), I am writing to inform you that I have significant log data to confirm that several attempts to break into my main server earth.terran.org were made from a host on your network. The host in question is pmnac1-4.inu.net and the attacks were made from the superuser (root). Before I go further, let me present the evidence:

Attempt on IMAP server:

Jun 18 23:49:49 earth imapd[25125]: command stream end of file, while reading line user=??? host=pmnac1-4.inu.net
Jun 18 23:49:49 earth ipop3d[25126]: Connection broken while reading line user=??? host=pmnac1-4.inu.net

IP Firewall logs showing attempt on portmapper and X server:

Jun 18 23:49:47 earth kernel: IP acct in ppp0 TCP 208.164.139.14:3624 208.152.24.33:6000 L=44 S=0x00 I=36775 F=0x0000 T=54
Jun 18 23:49:55 earth kernel: IP acct in ppp0 TCP 208.164.139.14:741 208.152.24.33:111 L=44 S=0x00 I=37060 F=0x0000 T=54
Jun 18 23:49:59 earth kernel: IP acct in ppp0 UDP 208.164.139.14:766 208.152.24.33:111 L=84 S=0x00 I=37187 F=0x0000 T=54
Jun 18 23:50:00 earth kernel: IP acct in ppp0 UDP 208.164.139.14:767 208.152.24.33:111 L=84 S=0x00 I=37203 F=0x0000 T=54

System logs showing attempt on telnet and portmapper:

Jun 18 23:49:48 earth in.telnetd[25124]: refused connect from root@pmnac1-4.inu.net
Jun 18 23:49:49 earth in.telnetd[25127]: refused connect from root@pmnac1-4.inu.net
Jun 18 23:49:56 earth portmap[25132]: connect from 208.164.139.14 to dump(): request from unauthorized host
Jun 18 23:49:59 earth portmap[25133]: connect from 208.164.139.14 to getport(mountd): request from unauthorized host
Jun 18 23:50:00 earth portmap[25134]: connect from 208.164.139.14 to getport(mountd): request from unauthorized host

Access log showing more of same:

Jun 18 23:49:48 earth logger[25129]: remote mail poll from root@208.164.139.14
Jun 18 23:49:49 earth logger[25131]: remote mail poll from root@208.164.139.14

More:

Jun 18 23:19:39 earth ipop3d[25105]: connect from 209.20.133.158
Jun 18 23:21:01 earth ipop3d[25108]: connect from 209.20.133.158
Jun 18 23:49:48 earth in.telnetd[25124]: refused connect from root@pmnac1-4.inu.net
Jun 18 23:49:48 earth imapd[25125]: connect from root@208.164.139.14
Jun 18 23:49:49 earth in.telnetd[25127]: refused connect from root@pmnac1-4.inu.net
Jun 18 23:49:49 earth ipop3d[25126]: connect from root@208.164.139.14

More:

Jun 18 23:49:59 earth portmap[25133]: connect from 208.164.139.14 to getport(mountd): request from unauthorized host
Jun 18 23:50:00 earth portmap[25134]: connect from 208.164.139.14 to getport(mountd): request from unauthorized host

Web server logs showing attempted breakin:

pmnac1-4.inu.net - - [18/Jun/1998:23:49:57 -0700] "GET /cgi-bin/phf" 302 -
pmnac1-4.inu.net - - [18/Jun/1998:23:49:58 -0700] "GET /cgi-bin/test-cgi" 403 -
pmnac1-4.inu.net - - [18/Jun/1998:23:49:59 -0700] "GET /cgi-bin/handler" 404 -

I have taken measures to block all further access attempts from your systems, and will be watching my logs very closely. If I do not receive a formal explanation of events within the next few hours (I see root is logged in on your system now), I will be forwarding this information to CERT and to the security lists of which I am a member. If I determine that any breach of information has occurred, I may prosecute.

Your response is anticipated,
-bp

--
B. James Phillippe <bryan@terran.org>
Linux Software Engineer, WGT Inc.
http://earth.terran.org/~bryan
On Thu, 18 Jun 1998, Shaun Hedges wrote:

> It is nice being paranoid, but what that person did is *not* illegal and would
> not hold any water in a court of law.
>
> He caused no loss of money, no denial of service, nothing.

No, being paranoid is not nice. Being paranoid sucks, however, it's a necessary foundation to having good security policies. Warning against intrusion with the threat of legal recourse is also a prudent measure of warding off low-class tech criminals.

> How can you deduce that the attacks were made by root user? ident is easily
> spoofable.

Because the user was logged into his system as root and several of the attacks originated on well-known ports. Well-known ports can only be opened by privileged processes (privileged means root).

> How do you know that inu.net was not in fact 0wned first and he was using
> that host for some sort of diversion mechanism?

Who could? Who cares? The only relevant information is that a dialup-host was probing a critical system. If attacks were originating from additional hosts, I'd be suspicious of them, too.

> How do you know that he is not reading your e-mail right now and laughing at
> you because he knows nothing happened?

There are several types of crackers in this world. Most of them are "little guys". "Little guys" are newbies. They've just downloaded Satan or LRK and are playing with it. They have prebuilt copies of nestea, bonk, teardrop, et al. They don't know what it does, just how to run it. These novices are by far one of the greatest threats simply because of the number of other novices (innocent ones) available to be preyed on. Launching an awkward, ill-planned and easily identifiable attack against those of us that are not novices, is not a laughing matter.

> There are so many variables in situations like this you have to take into
> effect, and it seems that you haven't.

This amusing comment doesn't need a response. ;)

> It is nice being paranoid, but really. What this person did is not illegal,
> and you should just forget about it. This happens to me every day, if I really
> wanted to threaten them then I would send email to their admins, but there is
> no use.
>
> They would rather have people doing bad stuff and paying money, than have no
> money at all.

Some of them would. Most of them however realize that time spent handling complaints and repairing damage done to their systems due to retribution is more than the amount they make on a single user.

But in any case, those of us who are concerned about security appreciate (at least) the following guidelines:

1.) Log all suspicious behavior.
2.) Investigate/monitor logs.
3.) Respond to the authoritative figures regarding all suspicious activity.

-bp

--
B. James Phillippe <bryan@terran.org>
Linux Software Engineer, WGT Inc.
http://earth.terran.org/~bryan
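An added example (my code, not from any poster): a small correlator that parses the three log formats quoted in the report (tcp_wrappers/portmap syslog lines, kernel IP accounting, and the web server's Common Log Format), folds the dialup's hostname and address into one source, and counts how many distinct services that source touched inside one minute, while keeping the two kinds of "root" evidence argued about above apart: the ident-supplied "root@" is only recorded, whereas a source port below 1024 is a reserved port that a Unix client can only bind as root. The year, the 60-second window, the three-service threshold and the alias table are assumptions, and the sample lines are constructed from the report's own entries.

```python
"""Correlate doorknob-rattling across syslog, kernel IP accounting and web logs."""
import re
from collections import defaultdict, namedtuple
from datetime import datetime

LOG_YEAR = 1998          # assumption: syslog lines carry no year; the report is from 1998
WINDOW_SECONDS = 60      # assumption: hits within one minute belong to the same sweep
SWEEP_THRESHOLD = 3      # assumption: distinct services touched before we call it a sweep
# CGI names probed in the report; a client asking for all three is running a script.
CGI_PROBES = {"/cgi-bin/phf", "/cgi-bin/test-cgi", "/cgi-bin/handler"}
# The report shows the same client under both names, so fold them into one source.
ALIASES = {"pmnac1-4.inu.net": "208.164.139.14"}

Event = namedtuple("Event", "ts source service ident_root reserved_port")

SYSLOG_RE = re.compile(r"^(?P<mon>\w{3}) +(?P<day>\d+) (?P<time>\d\d:\d\d:\d\d) \S+ "
                       r"(?P<prog>[\w.-]+)(?:\[\d+\])?: (?P<msg>.*)$")
ACCT_RE = re.compile(r"IP acct in \S+ (?P<proto>TCP|UDP) (?P<src>[\d.]+):(?P<sport>\d+) "
                     r"[\d.]+:(?P<dport>\d+)")
PORTMAP_RE = re.compile(r"connect from (?P<host>[\d.]+) to (?P<call>\S+): request from unauthorized host")
WRAPPER_RE = re.compile(r"connect from (?:(?P<user>\w+)@)?(?P<host>[\w.-]+)")
CLF_RE = re.compile(r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<path>[^\s"]+)[^"]*" \d+')


def parse_line(line):
    """Turn one log line into an Event, or None if the line is not one we understand."""
    m = SYSLOG_RE.match(line)
    if m:
        ts = datetime.strptime(f"{m['mon']} {m['day']} {m['time']} {LOG_YEAR}", "%b %d %H:%M:%S %Y")
        prog, msg = m["prog"], m["msg"]
        if prog == "kernel":
            a = ACCT_RE.search(msg)
            if not a:
                return None
            # A source port below 1024 is reserved: on a Unix client only a root-owned
            # process can bind it. Unlike ident, this is not something the remote user
            # can simply type in, which is why it carries more weight as evidence.
            return Event(ts, a["src"], f"{a['proto']}/{a['dport']}", False, int(a["sport"]) < 1024)
        if prog == "portmap":
            p = PORTMAP_RE.search(msg)
            return Event(ts, p["host"], f"portmap:{p['call']}", False, False) if p else None
        w = WRAPPER_RE.search(msg)
        if w:
            # "root@host" is whatever the remote ident daemon answered: record it, don't trust it.
            return Event(ts, w["host"], prog, w["user"] == "root", False)
        return None
    m = CLF_RE.match(line)
    if m:
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z").replace(tzinfo=None)
        return Event(ts, m["host"], f"http:{m['path']}", False, False)
    return None


def summarize(lines, aliases=ALIASES):
    """Group events by source and measure how many distinct services each hit per window."""
    by_source = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev:
            src = aliases.get(ev.source, ev.source)
            by_source[src].append(ev._replace(source=src))
    report = {}
    for src, events in by_source.items():
        events.sort(key=lambda e: e.ts)
        best = 0
        for i, first in enumerate(events):
            window = [e for e in events[i:] if (e.ts - first.ts).total_seconds() <= WINDOW_SECONDS]
            best = max(best, len({e.service for e in window}))
        report[src] = {
            "events": len(events),
            "max_services_per_window": best,
            "cgi_probes": sorted(e.service[5:] for e in events
                                 if e.service.startswith("http:") and e.service[5:] in CGI_PROBES),
            "ident_root": any(e.ident_root for e in events),
            "reserved_source_port": any(e.reserved_port for e in events),
            "verdict": "sweep" if best >= SWEEP_THRESHOLD else "noise",
        }
    return report


# Constructed sample, modelled on the lines quoted in the report above.
SAMPLE_LOGS = """\
Jun 18 23:19:39 earth ipop3d[25105]: connect from 209.20.133.158
Jun 18 23:49:47 earth kernel: IP acct in ppp0 TCP 208.164.139.14:3624 208.152.24.33:6000 L=44 S=0x00 I=36775 F=0x0000 T=54
Jun 18 23:49:48 earth in.telnetd[25124]: refused connect from root@pmnac1-4.inu.net
Jun 18 23:49:48 earth imapd[25125]: connect from root@208.164.139.14
Jun 18 23:49:49 earth ipop3d[25126]: connect from root@208.164.139.14
Jun 18 23:49:55 earth kernel: IP acct in ppp0 TCP 208.164.139.14:741 208.152.24.33:111 L=44 S=0x00 I=37060 F=0x0000 T=54
Jun 18 23:49:56 earth portmap[25132]: connect from 208.164.139.14 to dump(): request from unauthorized host
pmnac1-4.inu.net - - [18/Jun/1998:23:49:57 -0700] "GET /cgi-bin/phf" 302 -
pmnac1-4.inu.net - - [18/Jun/1998:23:49:58 -0700] "GET /cgi-bin/test-cgi" 403 -
pmnac1-4.inu.net - - [18/Jun/1998:23:49:59 -0700] "GET /cgi-bin/handler" 404 -
Jun 18 23:49:59 earth kernel: IP acct in ppp0 UDP 208.164.139.14:766 208.152.24.33:111 L=84 S=0x00 I=37187 F=0x0000 T=54
Jun 18 23:49:59 earth portmap[25133]: connect from 208.164.139.14 to getport(mountd): request from unauthorized host
"""

if __name__ == "__main__":
    for src, info in summarize(SAMPLE_LOGS.splitlines()).items():
        print(src, info)
```

The lone POP3 connection from the other address stays "noise", while the dialup host lands on eleven distinct services in twelve seconds with both root indicators set.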
Shaun Hedges wrote:
>
> It is nice being paranoid, but what that person did is *not* illegal and would
> not hold any water in a court of law.
>
> He caused no loss of money, no denial of service, nothing.

He modified the systems he attacked without consent or approval of the owner.

The modification consists of getting stuff into the log files.

Moreover the attacks on the web server clearly show his intent of breaking into the machine, not just "what's this machine?" prodding.

As far as I'm told, this would be enough to get a conviction in the state of Oregon, and possibly many more.

I agree with you that this SHOULD NOT be punishable. Those laws are so "strict" that everybody who uses a computer breaks them (without knowing that they are breaking the law), and if someone gets it in their stubborn head that you are a bad guy, they can always prove you're guilty because everybody is breaking the law on a daily basis.

It happened to Randal Schwartz, read about it at http://www.lightlink.com/spacenka/fors/

Americans, it could happen to you next time, do something about it!

Roger.

--
Actor asks a colleague: "To what do you owe your success in acting?"
Answer: "Honesty. Once you've learned how to fake that, you've got it made."
-------- Custom Linux device drivers for sale! Call for a quote. ----------
Email: R.E.Wolff@BitWizard.nl || Tel: +31-15-2137555 || FAX: +31-15-2138217
On Thu, 18 Jun 1998, Shaun Hedges wrote:

> It is nice being paranoid, but what that person did is *not* illegal and would
> not hold any water in a court of law.

I don't know the laws in .ca, but here in the US, it would be possible under a number of circumstances to gain a conviction from the evidence presented. One doesn't have to be successful in breaking in for it to be illegal in this country. In general, it would be difficult to get a prosecutor to handle the criminal case, but could be done in some circumstances, depending on the machine, prosecutor, and jurisdiction in question. Any attack crossing a state boundary in the US, by default is an attack on a "federal interest computer", and whilst the DOJ has guidelines of loss, it's no less legal than attempting to break into Dockmaster.

> He caused no loss of money, no denial of service, nothing.

Not relevant, at least in a number of US jurisdictions. Attempted murder doesn't always produce a victim either BTW, but you're not allowed to keep shooting until your aim improves.

> How can you deduce that the attacks were made by root user? ident is easily
> spoofable.
> How do you know that inu.net was not in fact 0wned first and he was using
> that host for some sort of diversion mechanism?
> How do you know that he is not reading your e-mail right now and laughing at
> you because he knows nothing happened?

So, you'd ignore all incidents until the person had successfully compromised a machine, but since the packets could maybe possibly be spoofed, perhaps you'd ignore that too? This accomplishes what exactly?

> It is nice being paranoid, but really. What this person did is not illegal,

I'm no more of a lawyer than you, but I'd say that this statement is pure hogwash. If you need a fair parallel, Intel vs. Schwartz would be a good starting point for an instance where this is completely untrue. Did no harm by admission of both parties, caused no loss of services, caused no loss of money, gained a felony conviction.

> and you should just forget about it. This happens to me every day, if I really
> wanted to threaten them then I would send email to their admins, but there is
> no use.

If you ignore them, they will keep at it until (a) they get your system, or (b) they get someone else's system. This serves *nobody* other than the attacker.

> They would rather have people doing bad stuff and paying money, than have no
> money at all.

That's not true of a number of ISPs, who are good "citizens", or who would rather not be liable for the actions of their users, especially once warned of a potential bad user. IANAL, but if warned of an abusive user, and that's ignored, the ISP stands to lose some defenses (the "bad apple" defense, disassociating itself from the actions of its user, for one), especially in civil cases (again in the US depending on jurisdiction). ISPs in this country have yet, that I'm aware of, to successfully employ a "common carrier" defense which might offer them some protections from their users' actions, but even in that case, a common carrier who ignores reports of an abusive customer stands to lose in court.

Having no idea what the attacker's motives are, complacency seems to be rather silly.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts@clark.net      which may have no basis whatsoever in fact."
                                                                     PSB#9280
On Sun, 21 Jun 1998, Rogier Wolff wrote:

> He modified the systems he attacked without consent or approval of the
> owner.
>
> The modification consists of getting stuff into the log files.

If you mean probing the system remotely "modified" it by appending the log files....I'd say that's one hell of a stretch. Opening connections to a few ports is not necessarily a breakin.

> As far as I'm told, this would be enough to get a conviction in the
> state of Oregon, and possibly many more.

I doubt that. Having recently dealt with the FBI in a case where real damage was done, I was quite surprised to find just how hard it is to get the FBI to take an interest and how hard it is for them to get the US Attorney to give them the go ahead to investigate a case. You need to be able to show that thousands of dollars of damage has been done. An unsuccessful breakin attempt doesn't cause a whole lot of financial damage. Then, even if you can show sufficient damage was done, you have a good chance of finding the person responsible is a minor (under 18 in the US), and the FBI can do nothing to them. I guess I was unfortunate that neither the compromised system nor the person who compromised it, nor any of the other systems he was traced to were in Oregon.

> It happened to Randal Schwartz, read about it at
> http://www.lightlink.com/spacenka/fors/
>
> Americans, it could happen to you next time, do something about it!

Has anyone seriously looked into challenging the constitutionality of Oregon's computer crimes law?

------------------------------------------------------------------
 Jon Lewis <jlewis@fdt.net>  |  Spammers will be winnuked or
 Network Administrator       |  drawn and quartered...whichever
 Florida Digital Turnpike    |  is more convenient.
______http://inorganic5.fdt.net/~jlewis/pgp for PGP public key____
*you know the thread*

It really bothers me how easy it is to frame someone for something, when people trust in logs. Just as easily as an intruder can erase his tracks from the log files, he can put another one's address there.. This is a *big* concern since at least where I live the police have no knowledge at all about such matters, and there are plenty of not-so-competent admins.

Picture a portscan.. People get their accounts 'n connections closed because of such things!.. So even the ISPs blindly believe in it. A simple SYN-scan is no evidence for anything else but the fact that the person with that IP *somehow* is involved.. It's bothering that not even the ISPs realize that packets don't even have to originate from the computer with that IP assigned.

Another issue that I want to push forward with this is syslog remote logging, and in fact syslog at all. UDP packets are easily forgeable.. If someone wants to frame another one for it, he doesn't even have to crack the computer to do it.

imap[...]: Crack attempt from 1.1.1.1 ..

Of course.. the pid can show that it's not 100% reliable then. But there are still dangers (more than just that) with remote syslogging.. If it is to be used, then use secure syslog or something.. (look at http://www.core-sdi.com/)

There is another fact about syslog.. *ANY* user on the system can put things like above in syslog *WITH* a suitable PID.

What I'm saying is, DON'T TRUST YOUR LOGS!.. And please make the police and every silly admin realize that. If something suspicious turns up in the logs, then don't freak out 'n think "HE DID IT!". What you *should* do is sniff your own computer pretty good and look for suspicious packets. When you find those packets containing things like "cat /st00pid/tcp.log", and it's not from a dialup, then *call* the owner of the computer/network and talk to him, or if he's had his system compromised too.

Backtracing such as this should finally get you to a dialup-source, where you probably won't get any further. What to do from there - up to you.
On Sun, 21 Jun 1998, The Nolander wrote:

> What I'm saying is, DON'T TRUST YOUR LOGS!.. And please make the police
> and every silly admin realize that. If something suspicious turns up in
> the logs, then don't freak out 'n think "HE DID IT!". What you *should* do

Yes and no. Logs should always be taken with a grain of salt, yes. In the case of intelligent crackers, there will be false logs or no logs at all. However, the majority of the time your logs serve as a vital source of information to detect signs of an attempted break-in. Most of the time, they are your *only* source of information. Yes, there are varying degrees of log integrity; some logs are harder to screw over than others.

In the case of the break-in attempt I reported, every log on my box had consistent and accurate information that pointed to the same source. Naturally, I followed up on the log data by investigating the host that was apparently generating them, and cross-indexing my logs with those of the administrator of the remote site. And, it panned out. This crack attempt was from a novice (as most are) who knew nothing about log falsification, or probably even that he was being logged at all.

So yes, don't put your logs on a pedestal. But don't be ignorant of their existence, either. Read them, frequently.

-bp

--
B. James Phillippe <bryan@terran.org>
Linux Software Engineer, WGT Inc.
http://earth.terran.org/~bryan
On Fri, 19 Jun 1998, B. James Phillippe wrote:

> I'm forwarding a copy of an email I sent reporting attempted
> break-ins on my main server, earth.terran.org. I am forwarding this
> because I think it is relevant that folks watch for this kind of
> activity in their logs to catch people who "try doorknobs" in the
> middle of the night.

James,

If your system was really under attack, then don't rely too much on your local log files.

Second, why don't you implement a "black box" log system? That is, all logs generated by all hosts on your network are forwarded to a separate log machine called black box. Such computer grants no access to anybody whatsoever except for user "root" logging in on the console.

-M.
On Sun, 21 Jun 1998, Jon Lewis wrote:

> On Sun, 21 Jun 1998, Rogier Wolff wrote:
>
> > He modified the systems he attacked without consent or approval of the
> > owner.
> >
> > The modification consists of getting stuff into the log files.
>
> If you mean probing the system remotely "modified" it by appending the log
> files....I'd say that's one hell of a stretch. Opening connections to a
> few ports is not necessarily a breakin.

Stretch in logic, yes, stretch in the Oregon statute? Please read it and draw your own conclusions. Both the 1993 and 1995 revisions are available at the lightlink site. The gist is that if there is intent to access without authorization then it's illegal.

> > As far as I'm told, this would be enough to get a conviction in the
> > state of Oregon, and possibly many more.
>
> I doubt that. Having recently dealt with the FBI in a case where real
> damage was done, I was quite surprised to find just how hard it is to get
> the FBI to take an interest and how hard it is for them to get the US
> Attorney to give them the go ahead to investigate a case. You need to be

In the case of the state of Oregon, obviously you don't *need* the FBI, since it's a _state_ law. Just a zealous local prosecutor, and you're set. Federal law is very *easy* to break in computer cases, since an attack which happens across state lines is automatically an attack against a "Federal Interest Computer." Because of this, the DOJ has set _guidelines_ for both the FBI's investigation, as well as federal prosecutors. It's important to note that they are guidelines, which can be totally ignored by all the involved parties. Local jurisdictions don't have the same high watermarks for their guidelines, which is why it's almost always easier to prosecute under local statutes.

> able to show that thousands of dollars of damage has been done. An
> unsuccessful breakin attempt doesn't cause a whole lot of financial
> damage. Then, even if you can show sufficient damage was done, you have a
> good chance of finding the person responsible is a minor (under 18 in the
> US), and the FBI can do nothing to them. I guess I was unfortunate that
> neither the compromised system nor the person who compromised it, nor any
> of the other systems he was traced to were in Oregon.

Yes, it would appear that you were. Once again though, the point of legality/illegality isn't always the same as the point of prosecution. I would suggest that all administrators who may have to deal with breakin attempts spend some time with their general counsel, and learn about the relevant laws. It's not certain that the investigating authorities will know what is and isn't germane. If that fails, then there's always civil court, which doesn't have the same burdens of proof, nor the same burdens of federal prosecutor guidelines.

> > It happened to Randal Schwartz, read about it at
> > http://www.lightlink.com/spacenka/fors/
> >
> > Americans, it could happen to you next time, do something about it!
>
> Has anyone seriously looked into challenging the constitutionality of
> Oregon's computer crimes law?

Exactly which part of the US Constitution do you think is being violated? Now, IANAL, nor is Constitutional law in my sphere of interest outside of being a US Citizen, but I honestly don't see a conflict with the Constitution, common sense, perhaps, but not the Constitution.

Here's the "everything else" clause from the Oregon law:

    (4) Any person who knowingly and without authorization uses,
    accesses or attempts to access any computer, computer system,
    computer network, or any computer software, program,
    documentation or data contained in such computer, computer
    system or computer network, commits computer crime.

Paragraph 4 is the misdemeanor section, rm'ing a file maliciously can be felonious in Oregon.

If we expect broadly encompassing local laws to continue, and in the case of Oregon, I'd certainly never work there without doing so, I'd advise anyone working in the computer field in such jurisdictions to look seriously into getting a signed statement from a company officer giving them the permission to access any and all systems or network components. It's time that administrators started protecting themselves from such laws. Having seen that cases like the AA BBS where a California Adult BBS sysop was successfully prosecuted in Tennessee for violating their community standards sets some very interesting precedents about cross-jurisdictional enforcement in the US.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts@clark.net      which may have no basis whatsoever in fact."
                                                                     PSB#9280
(to mod: I know this is off-topic for the list, use your judgement, I won't be offended :))

> and you should just forget about it. This happens to me every day, if I really
> wanted to threaten them then I would send email to their admins, but there is
> no use.
>
> They would rather have people doing bad stuff and paying money, than have no
> money at all.

This is untrue. My first SA job was with a startup ISP. We would have terminated this user under our "We reserve the right to be as*holes with no apparent reason" clause, if we had to.

Consider for a moment. A user is worth (here) 24.95/month. If said user (and undoubtedly he would eventually) pisses someone else off enough to cause them to DOS us, we lose, big time. Why would we risk that on a user who had clearly shown him or herself to be actively attempting to gain entrance to another person's system? And if he's trying to get into your system, undoubtedly he's trying ours too. No thanks.

We also nuked several users for massmails. We tried to be good net-citizens.

Anyway, I think you underestimate how much some ISP SA's care about this sort of garbage.

Dale Babiy, Network & Integration Specialist
Yukon Territorial Govt Department of Education
Jacob A. Langford
1998-Jun-22 15:40 UTC
Re: [linux-security] Re: WARNING: Break-in attempts
All the discussion of legal issues reminds me of a comment in the O'Reilly book on security: Prosecution may actually jeopardize the security of your system, as equipment that has been seized as evidence won't be very useful. I would guess that conflicts of jurisdiction and misunderstanding of the law (all apparent from this thread) would only enhance the bureaucratic hoops that must be jumped through to regain seized equipment.

Has anyone here had experience with seizure or other negative impacts of investigation/prosecution?

Jacob (langford@uiuc.edu)
The reason that Randal Schwartz was prosecuted is that Intel has a lot of money, and that gives them privileges the rest of us do not have. I run an ISP in the same metropolitan area where Randal lives and was prosecuted, and have taken break-ins to the authorities, including ones where confidential information was taken from the system, and got the same response that the rest of you seem to be reporting.

The computer crimes law in Oregon is not available to those of us who are not in positions of power. The purpose of the law seems to be to give corporations more control over their employees, and to make it appear to the general public that the government is concerned about computer security in general. Given that, your constitutional rights disappear at the corporate door step, and so a constitutional challenge of the law is unlikely.

Meanwhile, the rest of us in the "real world" are on our own in this, and our only option is increased watchfulness, coupled with greater knowledge of security.

Sean

[mod: Context removed with authors permission. We can discuss bad Oregon laws for ages, but lets get back to linux-security soon OK? --REW]
On Mon, 22 Jun 1998, Paul D. Robertson wrote:

> Stretch in logic, yes, stretch in the Oregon statute? Please read it and
> draw your own conclusions. Both the 1993 and 1995 revisions are
> available at the lightlink site. The gist is that if there is intent to
> access without authorization then it's illegal.

This "authorization" issue is far too vague. If I send a broadcast icmp echo request into some remote network because I'm scanning the net to make a list of possible smurf amp networks, is that unauthorized access? If they don't want me sending icmp echo requests, they should filter them. If I run my copy of Word for Windows under WABI, is that unauthorized use of a licensed program? Word was certainly not intended to be used under other operating systems. If I run Crack on a system that I maintain, but my employer didn't specifically tell me to, is that unauthorized access?

> > Has anyone seriously looked into challenging the constitutionality of
> > Oregon's computer crimes law?
>
> Exactly which part of the US Constitution do you think is being violated?

Ok...bad choice of words. The law is stupid...but the constitution doesn't forbid stupid laws. I had a quick rereading of the amendments and a bit of the articles, and did find one interesting part in article 1, section 10.

    No state shall enter into any treaty, alliance, or confederation; grant
    letters of marque and reprisal; coin money; emit bills of credit; make
    anything but gold and silver coin a tender in payment of debts; pass any
    bill of attainder, ex post facto law, or law impairing the obligation of
    contracts, or grant any title of nobility.

I don't have any law degrees, but you might be able to argue that such a vague law makes working on a network (especially in an administrative position) impossible, impairing the obligation of your employment contract. Maybe that's a huge stretch.

> (4) Any person who knowingly and without authorization uses,
> accesses or attempts to access any computer, computer system,
> computer network, or any computer software, program,
> documentation or data contained in such computer, computer
> system or computer network, commits computer crime.

This part is just too vague. Is it a crime to ping a system in Oregon? Nobody's given me authorization to do so. The silver lining though is that this makes it pretty clearly a crime to relay spam through computers located in Oregon.

------------------------------------------------------------------
 Jon Lewis <jlewis@fdt.net>  |  Spammers will be winnuked or
 Network Administrator       |  drawn and quartered...whichever
 Florida Digital Turnpike    |  is more convenient.
______http://inorganic5.fdt.net/~jlewis/pgp for PGP public key____
On Mon, 22 Jun 1998, Jon Lewis wrote:

> This "authorization" issue is far too vague. If I send a broadcast icmp
> echo request into some remote network because I'm scanning the net to make
> a list of possible smurf amp networks, is that unauthorized access? If
> they don't want me sending icmp echo requests, they should filter them. If
> I run my copy of Word for Windows under WABI, is that unauthorized use of
> a licensed program? Word was certainly not intended to be used under
> other operating systems. If I run Crack on a system that I maintain, but
> my employer didn't specifically tell me to, is that unauthorized access?

Well, the last one at least has been at least partially answered.

> contract. Maybe that's a huge stretch.

Grand Canyonish methinks. I doubt you'd get the contracts part upheld anywhere anyway, it's too easy to put fun stuff in a contract ;)

> > (4) Any person who knowingly and without authorization uses,
> > accesses or attempts to access any computer, computer system,
> > computer network, or any computer software, program,
> > documentation or data contained in such computer, computer
> > system or computer network, commits computer crime.
>
> This part is just too vague. Is it a crime to ping a system in Oregon?
> Nobody's given me authorization to do so. The silver lining though is
> that this makes it pretty clearly a crime to relay spam through computers
> located in Oregon.

It would seem that a broad interpretation would make it illegal to visit a Web site in Oregon without prior notice. It was certainly eye-opening when I first read it. It's all bets off when the lawyers come to play.

One of the things I think fairly critical in the whole notification argument comes from administrator liability. If I *don't* report a break-in, and my company suffers harm, will the shareholders be able to file suit for negligence? Some of the lawgeeks I've spoken to say this is inevitable. I spent a lot of time going over this with some of our corporate counsel, who was of the opinion that "best common practice" was all that was necessary. In the intervening time, it's been pointed out to me that BCP failed the legal test of time in about 1938 in a case of lifejackets and barges in the Great Lakes or something. The Trade Secrets Act also looked pretty worrying to me, and I'm glad the AG has made a crusade of approving every case, but political times change, and while we have laws like these on the books, it's more important to look at *what* behaviour is acceptable than the likelihood of currently getting a prosecution (from both sides of the fence). I won't even run portscans for known friendlies anymore without permission in writing, but then I'm paranoid.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts@clark.net      which may have no basis whatsoever in fact."
                                                                     PSB#9280
> Second, why don't you implement a "black box" log system? That is, all
> logs generated by all hosts on your network are forwarded to a separate
> log machine called black box. Such computer grants no access to anybody
> whatsoever except for user "root" logging in on the console.

How to set up a secure "black box"? AFAIK, syslogd communication is not authenticated/encrypted, so it is vulnerable to spoofing/forging/eavesdropping/etc. Could IPsec be used for protecting syslogd communication? What other means for protection are there? Are any of these means usable for all UNIX hosts?

--
Radovan Semancik (semancik@alert.sk)
http://storm.alert.sk
On Tue, 23 Jun 1998, Radovan Semancik wrote:

> > Second, why don't you implement a "black box" log system? That is, all
> > logs generated by all hosts on your network are forwarded to a separate
> > log machine called black box. Such computer grants no access to anybody
> > whatsoever except for user "root" logging in on the console.
>
> How to set up a secure "black box"? AFAIK, syslogd communication is not
> authenticated/encrypted, so it is vulnerable to
> spoofing/forging/eavesdropping/etc. Could IPsec be used for protecting
> syslogd communication? What other means for protection are there? Are
> any of these means usable for all UNIX hosts?

Log to a serial line ("*.* /dev/ttyS0" in /etc/syslog.conf), and stick an old 386 with no networking at all on the other end, with a program that just puts the serial data into files by date. If you want to be really paranoid then put the log files on a loopback-encryption partition and require the password at bootup.

There was a "syslogng" project out there to write a syslog equivalent with all the features that syslog is missing, one of which included encryption and authentication. Unfortunately, I've heard nary a peep about it on BugTraq since the project was first announced there.

--
Elliot
When I die, I want to die peacefully in my sleep like my grandfather...
...not yelling and screaming like the people in the back of the plane he was flying.
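As an added example (my code, not from any poster and not core-sdi's secure syslog), here is one way to write the receiving end of the "black box" that -M. proposes, Radovan asks about and Elliot sketches, with the tamper-evidence The Nolander's post argues for: every record carries an HMAC chained to the previous record under a key that is ratcheted after each write, so a verifier holding the day's seed key detects later modification, forgery or deletion of earlier entries even if the box is compromised afterwards. The LogVault name, the one-file-per-day layout and the sample lines are constructed; the lines may come from any iterable of strings, such as the serial port opened as a file.

```python
"""Tamper-evident store for an isolated log host: each record is chained to the one before."""
import hashlib
import hmac
import os
import tempfile
from datetime import date


def _ratchet(key):
    """Derive the key for the next record; the previous key is not recoverable from it."""
    return hashlib.sha256(b"ratchet|" + key).digest()


def _tag(key, seq, prev_tag, line):
    """Integrity tag over the sequence number, the previous tag and the line itself."""
    return hmac.new(key, f"{seq}|{prev_tag}|{line}".encode(), hashlib.sha256).hexdigest()


class LogVault:
    """Appends chained records to one file per day (hypothetical name, not a real tool)."""

    def __init__(self, root, day_key, today=None):
        self.root, self.key, self.seq = root, day_key, 0
        self.prev = "0" * 64              # chain anchor for the first record of the day
        self.day = today or date.today()
        os.makedirs(root, exist_ok=True)

    def path(self):
        return os.path.join(self.root, f"{self.day.isoformat()}.log")

    def append(self, line):
        line = line.rstrip("\r\n").replace("\n", "\\n")   # exactly one record per physical line
        tag = _tag(self.key, self.seq, self.prev, line)
        with open(self.path(), "a", encoding="utf-8") as f:
            f.write(f"{self.seq} {tag} {line}\n")
        self.seq, self.prev = self.seq + 1, tag
        self.key = _ratchet(self.key)     # only the ratcheted key stays in memory
        return tag

    def ingest(self, stream):
        """Feed lines from the serial port (or any iterable of lines); returns the last tag."""
        for line in stream:
            self.append(line)
        return self.prev


def verify(path, day_key):
    """Recompute the chain from the day's seed key.

    Returns (True, record_count, last_tag) or (False, record_index, reason). Silent
    truncation of the tail is the one thing this cannot see on its own: compare
    last_tag with the tag the vault reported when the day was closed.
    """
    key, prev, expected = day_key, "0" * 64, 0
    with open(path, encoding="utf-8") as f:
        for n, rec in enumerate(f):
            parts = rec.rstrip("\n").split(" ", 2)
            if len(parts) != 3:
                return (False, n, "malformed record")
            seq_s, tag, line = parts
            if not seq_s.isdigit() or int(seq_s) != expected:
                return (False, n, "sequence gap (record deleted or inserted)")
            if not hmac.compare_digest(tag, _tag(key, expected, prev, line)):
                return (False, n, "tag mismatch (record modified or forged)")
            key, prev, expected = _ratchet(key), tag, expected + 1
    return (True, expected, prev)


def demo():
    """Constructed walk-through: chain three lines, verify, then detect an edit and a deletion."""
    root = tempfile.mkdtemp(prefix="blackbox-")
    seed = b"constructed day key: use 32 random bytes, kept off the log host"
    vault = LogVault(root, seed, date(1998, 6, 18))
    sample = [  # constructed, modelled on lines quoted earlier in this thread
        "Jun 18 23:49:48 earth in.telnetd[25124]: refused connect from root@pmnac1-4.inu.net",
        "Jun 18 23:49:56 earth portmap[25132]: connect from 208.164.139.14 to dump(): request from unauthorized host",
        "Jun 18 23:49:59 earth portmap[25133]: connect from 208.164.139.14 to getport(mountd): request from unauthorized host",
    ]
    last_tag = vault.ingest(sample)
    path = vault.path()
    with open(path, encoding="utf-8") as f:
        records = f.read().splitlines()
    intact = verify(path, seed)
    with open(path, "w", encoding="utf-8") as f:    # someone rewrites the source address
        f.write("\n".join(records).replace("208.164.139.14", "10.0.0.1", 1) + "\n")
    after_edit = verify(path, seed)
    with open(path, "w", encoding="utf-8") as f:    # someone removes the second record
        f.write("\n".join(records[:1] + records[2:]) + "\n")
    after_delete = verify(path, seed)
    return {"intact": intact, "last_tag": last_tag, "after_edit": after_edit, "after_delete": after_delete}


if __name__ == "__main__":
    print(demo())
```

The seed key must live with the verifier, not on the log host: once the box has ratcheted past a record, nothing on it can recompute that record's tag, which is what makes after-the-fact rewriting detectable.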