Here's some info from all.net and a host of players IRT the "telnet" fiasco and assorted activities related to it. Crypto relevance is oblique, but some people on this list have implied "knob twidling" intentions. It would appear any number of sites are trying more than twidling. One interesting notion that surfaces in this is what's a "normal" automated inquiry for information versus an "attack." Do I commit computer trespass when I finger someone? Or do I have to try to telnet? Is attempting a telnet into a "guest" account OK if I just want to see if the machine's policy is to welcome visitors? Do they have to post "do not trespass" signs? If all.net's policy is really "nobody's allowed to telnet in," they why don't they just shutdown the damn telnetd, and be done with it? Or, if they want only "authorized" personnel, why not add sufficient crypto to secure the channel? Anyway, it makes for an interesting read.... **BEGIN FORWARDED MATERIAL** --------------------------------------------- Date: Wed, 13 Mar 1996 21:25:03 -0500 (EST) >From: Sick Puppy <sikpuppy@maestro.com> Subject: Re: IW Mailing List iw/960313

[Moderator's Note: I believe that the federal computer abuse statutes don't require a warning banner. If they did, than any denial of service > attack that ignored responses would be legal.]

In our discussions with the FBI about how we could meet the legal requirements for a successful prosecution that would not be thrown out on technicalities, the need for a warning statement or warning banner was stressed by the FBI. I don't remember the specifics but the need to have a warning banner is related to the freedoms guaranteed by the US Constitution and its Amendments. The FBI mentioned a couple of prosecutions by the Secret Service where part of the case was thrown out and the whole case was significantly weakened, because there was no warning banner. I believe that CERT also covers this point in its annual conference/seminar for incident response teams. They usually get a FBI agent with experience in the rules of evidence to speak during the lunch breaks. Maybe there is someone on the list whose recollection on this point is more precise than mine. --------------------------------------------- Date: Wed, 13 Mar 1996 18:46:52 -0600

From: Walt Auch <waltauch@hiwaay.net> Subject: Re: IW Mailing List iw/960313

Quote: [Moderator's Note: I believe that the federal computer abuse statutes don't require a warning banner. If they did, than any denial of service attack that ignored responses would be legal.] Unquote Banners are not REQUIRED, but DOJ has indicated in many conversations that they are "looked upon favorably" by the Court. You do NOT have to prove that they were read - much like you don't have to prove a speed limit sign was read in order to prove speeding - you should just be able to show it was posted. (Scott Charney is the DOJ person - not sure that should be posted.) ---------------------------------------------

From: fc (Fred Cohen) Subject: More progress Date: Wed, 13 Mar 1996 23:59:56 -0500 (EST)

So far, we have traced down: A breakin at a community college in Pennsylnavia where the attacker rigged the University computer to automatically telnet to our site every 5 minutes. A port scan followed by a series of scores of attempts to telnet into our site for over an hour from a University site in Arizona. The attacker has been caught. Several IP spoofing attempts that we are tracing down to the specific dial-in accounts used to launch the attack. An intentional insider corruption of a Web page designed to turn innocent browsers into launchpads for their attack. This one was tracked down yesterday and has been stopped after recurrences by contacting this ISPs ISP and the FBI. A web site which is misleading people into telnetting into our site under the auspices of getting a letter from a self-proclaimed computer security expert. What appeared to be a systems administrator at a prominant university who did a port scan followed by numerous telnets. It now looks like this person may not have been authorized by the university to do any of this and it has been raised to another level in the University. Several other individuals have been tracked down as well. 19:52

From: "Matthew G. Devost" <mdevost@chelsea.ios.com> ... I am concerned over the all.net statement that it will pursue criminal conspiracy charges against all those that telnet to their site. I asked > what sort of warning banner was in place and hadn't gotten a reply yet so I checked to see. Well, there is NO warning banner. You simply get a connection refused by foreign host (and I imagine, a email to root at my ISP saying I am an evil hacker!).

The message changed as incidents occured. Contrary to what previous postings indicated, we haven't historically claimed these events as attacks. We simply state that (current form): A user at your site has just attempted to telnet into our site. No users from your site are authorized to telnet into this site. We thought you would like to know so you could investigate further. If more telnets come from your site, this may indicate a more substantial attempted entry originating from your site, and should be followed up in more depth and more quickly.

Here is my point. It is obvious that someone (an individual) has a > gripe with you or just wants to target your machine, but I would not > call the other attempts a conspiracy. I could post the following message to a cancer survivor newsgroup or list:

At this point in time [see above] several different individuals have been identified as having intentionally attacked this site during the incident. About 5 individuals are responsible for over 90% of all of the attempted entries.

"Hello all! Just wanted you to know that I have set up a Cancer > Survivors network on my host machine. It requires telnet access > for now, but we are hoping to find an easier way to access the computer in the near future. Please give it a try by telneting > to all.net."

Excellent example. This would not be a criminal conspiracy unless some of the participants became accomplices after the fact by lying about the source of the message and actively creating their own similar messages. Then they would become co-conspirators. That's what appears to have happened here. ...

My point, and I realize I am taking a long time getting there, is that at the very least you should provide a warning banner when folks telnet to you site telling them that an unauthorized telnet attempt will be considered an intrusion.

We express this in our finger daemon: No users are allowed on this system In the case of telnet, we don't want people getting that far into our system because we believe that such mechanisms may be breakable by high volume attacks. We prefer to stop things at the earliest possible phase and to have layered defenses after that. --------------------------------------------- Subject: Re: IW Mailing List iw/960313 Date: Thu, 14 Mar 1996 10:02:56 -0500

From: "Michael G. Reed" <reed@itd.nrl.navy.mil>

|> Well congrats for sparking the list back to life! I think it is |> definitely an IW attack at the Class I level, but I would agree with |> most of the comments from the list that perhaps [all.net is] overreacting. Over reacting, no, inflaming the situation, yes. It is well within the rights of all.net to treat attempted telnets to their machine as attempted break-ins if the proper notification has been given; but personally, I think their handling of the situation is quite silly. One does not get up on a soap box and scream and shout to the world like this -- it just invites (no, begs) more attacks. Instead, you deal with it in the professional manner that system administrators have used for years -- contact other admins and deal with the problem directly. The big problem is *ARE YOU SURE* you have the right people? IP spoofing is trivial these days (a problem that won't be solved until IPv6, if even then) and it would be very easy to mount a concerted attack that *NO ONE* would be able to track down unless you start looking at backbone router logs (which I seriously doubt are being generated or kept) or placing sniffers all over the Internet. [Moderator's Note: Apparently all.net has this well covered because of their previous efforts in automated vulnerability testing.] ... Actually, there are both CERT and DoD bulletins on appropriate warning banners. These banners should (ideally) be displayed *PRIOR* to login (ie, before the login prompt), but most OS's today don't allow for this and as such the banners are normally displayed in the motd. For us (DoD/USN), the message is as follows (at least this is what is showing up on all of our machines): * * * WARNING! * * * This is a U.S. Government/Department of the Navy Automated Information System. This system may be used only for unclassified official business. Unauthorized use of this system is prohibited by Title 18, Section 1030, United States Code. Department of the Navy Automated Information Systems and related equipment are intended for the communication, processing and storage of U.S. Government information, and are subject to monitoring to ensure proper functioning, to protect against improper or unauthorized use or access, to verify the presence or performance of applicable security features or procedures, and for other like purposes. Such monitoring may result in the acquisition, recording, and analysis of all data being communicated, transmitted, processed or stored in this system by a user. If monitoring reveals evidence of possible criminal activity, such evidence may be provided to law enforcement personnel. * * * USE OF THIS SYSTEM CONSTITUTES CONSENT TO SUCH MONITORING. * * * Send questions and/or problem reports to root@foobar.mil |> Let me first start by saying that a telnet attempt is the first and most |> obvious step in any electronic intrusion. ... |> Telnet's only purpose is to establish access. I think this is stretching the law a bit. Let me give you an analogy: Suppose I walk up to a military installation. At the gate they will ask me for my pass, but I don't have one on me. Now, as long as I do not attempt to enter, and leave the grounds at that point, have I done anything wrong? Is my attempt to "break in" illegal? I would contend no. Now, if I had been trying to scale the fence at the time I was detected, that is a COMPLETELY different story, but by following normal protocol I am within my rights. This doesn't preclude handling denial-of-service attacks either. If I continually walk up to the military installation and ask for entry without the proper pass, then I am *POSSIBLY* breaking the law (disturbing the peace or harassment at the minimum) or if there are big signs (which I ignore) stating that unauthorized attempts to enter will result in prosecution, then I *AM* breaking the law. |> As for alerting an administrator, it is extremely likely that a person |> trying to get into one system also tries to get into dozens of others. ... Yes, this is what all system administrators should do. I am not saying that systems should hide the fact that they are (or have been) attacked, but that they should handle it professionally and not throw a tantrum (I'm sorry, but that's what all.net's message looks like to me -- a tantrum -- my personal take on reading it). Security on the Internet is a *MAJOR* problem today, the problem is that few people realize this (or to what extent it is a problem). The one good thing coming out of all of all.net's attention to this "attack" is the quality discussions about security, the handling of threats, and what should be done in the future. [Moderator's Note: The all.net banner is shown above.] --------------------------------------------- Date: Thu, 14 Mar 1996 10:24:03 -0800 (PST) >From: watson@tds.com Subject: Re: hackers and the law

[Moderator's Note: I believe that the federal computer abuse statutes don't require a warning banner. If they did, than any denial of service attack that ignored responses would be legal.]

There was a CERT or CIAC about late 1992, and a sidebar in Cheswick and Bellovin that summarizes the fuzzy state of this assertion. Apparently, the attackee has some risk of prosecution under wiretap laws if actions are taken against an attacker without proper notice. The warning banner is considered necessary defense against the attacker's lawyers when he claims he was "just knocking on the door." I haven't heard of a clear precedent on this. Probably varies by jurisdiction, phase of the moon, etc. I would encourage those who post on this topic to state their legal credentials. [Moderator's Note: I'll bite - what are your legal credentials?] --------------------------------------------- **END FORWARDED MATERIAL** ------------------------------------------------------------------------- | Liberty is truly dead |Mark Aldrich | | when the slaves are willing |GRCI INFOSEC Engineering | | to forge their own chains. |maldrich@grci.com | | STOP THE CDA NOW! |MAldrich@dockmaster.ncsc.mil | |_______________________________________________________________________| |The author is PGP Empowered. Public key at: finger maldrich@grci.com | | The opinions expressed herein are strictly those of the author | | and my employer gets no credit for them whatsoever. | -------------------------------------------------------------------------