<http://www.theregister.co.uk/2004/11/25/nmap_draws_fbi_subpoenas/print.html> The Register Biting the hand that feeds IT The Register ; Security ; Network Security ; Original URL: http://www.theregister.co.uk/2004/11/25/nmap_draws_fbi_subpoenas/ Hacking tool 'draws FBI subpoenas' By Kevin Poulsen, SecurityFocus (klp at securityfocus.com) Published Thursday 25th November 2004 10:42 GMT The author of the popular freeware hacking tool Nmap warned users this week that FBI agents are increasingly seeking access to information from the server logs of his download site, insecure.org. "I may be forced by law to comply with legal, properly served subpoenas," wrote "Fyodor," the 27-year-old Silicon Valley coder responsible for the post scanning tool, in a mailing list message. "At the same time, I'll try to fight anything too broad... Protecting your privacy is important to me, but Nmap users should be savvy enough to know that all of your network activity leave traces." Probably the most widely-used freeware hacking tool, Nmap is a sophisticated port scanner that sends packets to a machine, or a network of machines, in an attempt to discern what services are running and to make an educated guess about the operating system. An Nmap port scan is a common prelude to an intrusion attempt, and the tool is popular both with security professionals performing penetration tests, and genuine intruders with mischief in their hearts. Last year Nmap crept into popular culture when the movie the Matrix Reloaded depicted Carrie-Anne Moss's leather-clad superhacker Trinity performing an Nmap portscan (http://www.theregister.co.uk/2003/05/16/matrix_sequel_has_hacker_cred/) on a power grid computer prior to hacking in. But success comes with a price, and on Tuesday Fyodor felt the need to broach the "sobering topic" of FBI subpoenas with his users. He advised his most privacy conscious users to use proxy servers or other techniques when downloading the latest version of Nmap if they want to ensure their anonymity. In a telephone interview, Fyodor said the disclaimer wasn't prompted by any particular incident, and that he'd received "less than half-a-dozen" subpoenas this year. "It's not a huge number, but I hadn't received any before 2004, and so it's a striking new issue," he said. None of the subpoenas produced anything, Fyodor says, either because they sought old information that had already been deleted from his logs, or because the subpoenas were improperly served. In every case the request has been narrowly crafted, usually directed at finding out who visited the site (http://www.insecure.org/) in a very short window of time, such as a five minute period. "They have not made any broad requests like, 'Give me anyone who's visited insecure.org for a certain day,'" he says. Fyodor theorizes the FBI is investigating cases in which an intruder downloaded Nmap directly onto a compromised machine. "They assume that she might have obtained that URL by visiting the Nmap download page from her home computer," he wrote. He confesses mixed feelings over the issue. "The side of me that questions authority is skeptical of these subpoenas," he told SecurityFocus. "The other side says, this may be a very serious crime committed ... and if I were the victim of such a crime I would probably want people to cooperate" -- ----------------- R. A. Hettinga <mailto: rah@ibuc.com> The Internet Bearer Underwriting Corporation <http://www.ibuc.com/> 44 Farquhar Street, Boston, MA 02131 USA "... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'