Automated Witchhunt: I've been slandered by a script.
On checking my mail early this morning I found this:
Received: from access4.digex.net by nfs1.digex.net with SMTP id AA24362
  (5.67b8/IDA-1.5); Sun, 18 Dec 1994 02:10:05 -0500
Received: from nfs2.digex.net by access4.digex.net with SMTP id AA23077
  (5.67b8/IDA-1.5); Sun, 18 Dec 1994 02:10:03 -0500
Received: from netcom17.netcom.com by nfs2.digex.net with SMTP id AA06122
  (5.67b8/IDA-1.5); Sun, 18 Dec 1994 02:10:02 -0500
Received: by netcom17.netcom.com (8.6.9/Netcom) id XAA04015;
  Sat, 17 Dec 1994 23:09:54 -0800
Date: Sat, 17 Dec 1994 23:09:54 -0800
Message-Id: <199412180709.XAA04015@netcom17.netcom.com>
To: unicorn@access.digex.net, cert@cert.org, emmanuel@well.sf.ca.us, postmaster@access.digex.net, postmaster@access.digex.net
Subject: Re: Police & BBS...Sundevil revisited in Florida
From: unicorn (Black Unicorn)
If you are not aware of the nature of the group alt.2600, I will explain it. It is a hacker/cracker newsgroup, containing many illegal messages. A great deal of its posters ask questions about or give advice on compromising system security, even that of the system they are on. Phone "phreaking" is freely discussed, and they explain to each other how to cheat the long distance telephone carriers. Pirate ftp and fsp sites are often traded by these people, and you should verify that one has not been set up on your system, and that the user does not have pirated software in his directory. Such could get your entire site shut down. Other verified topics that people explain how to do and admit to doing are disrupting irc, spamming, mailbombing, shoplifting, disrupting public transportation, and similar dangerous and illegal mischief.
This automated message is sent for two reasons:
1) To alert you of a potential threat to your system's security, in the cases of users asking about or being told how to attempt to exploit security vulnerabilities. Also, the poster may be using a stolen account.
2) To alert you that there are crackers on your machine. The account used to post from may not be legitimate, or may be stolen (it is _extremely_ common with alt.2600 posters to use fraudulently obtained accounts). Or, a post of its nature may likely be a violation of terms of a membership agreement. And, the user making this post may be preparing to break into yours or another system, if they have not done so already. It is suggested that you keep a close eye on users who have posted to alt.2600, and to inspect their files and email if the posting warrants such and you can legally do so.
All headers and complete text of original message follow:
***************************************************************************
Xref: netcom.com comp.org.eff.talk:42937 alt.cyberpunk:43019 alt.cyberspace:8271 alt.wired:15428 alt.2600:40781 can.infohighway:2284 alt.pagan:82507 alt.bbs:37526
Path: netcom.com!ix.netcom.com!howland.reston.ans.net!news1.digex.net!access4!unicorn
From: unicorn@access4.digex.net (Black Unicorn)
Newsgroups: comp.org.eff.talk,alt.cyberpunk,alt.cyberspace,alt.wired,alt.2600,can.infohighway,alt.pagan,alt.bbs
Subject: Re: Police & BBS...Sundevil revisited in Florida
Followup-To: comp.org.eff.talk,alt.cyberpunk,alt.cyberspace,alt.wired,alt.2600,can.infohighway,alt.pagan,alt.bbs
Date: 12 Dec 1994 20:56:36 GMT
Organization: Express Access Online Communications, Greenbelt, MD USA
Lines: 42
Distribution: inet
Message-ID: <3cide4$e5n@news1.digex.net>
References: <D0FFII.BM4@freenet.carleton.ca> <gradyD0G6xu.A13@netcom.com> <3c94ll$p9t@potogold.rmii.com>
NNTP-Posting-Host: access4.digex.net
X-Newsreader: TIN [version 1.2 PL2]
Tommy Watt - G.W. Technologies (gwtek@rmii.com) wrote:
: Damn.. . all this reminds me of the bust the local police department did
: on my BBS system..

: Under allegations of hacking, they took ALL my computer equipment,
: anything that looked like a computer, anything that couldda been turned
: into a computer, and misc. stuff..

: The warrant is pretty much invalid, on the blank where it says "things
: that if found may be seized" is "-- SEE ATTACHMENT 'B'" . . I didn't even
: SEE attachment B, and when I asked for it, they said they don't even have
: to show me this.
It's typical to seal this document.
Unfortunately it's also a tool used for harassment, as you have to go to a hearing to get the document opened, or looked at by a judge who will make a determination as to the legitimacy of the sealed materials and their seizure.
Guess what the result in your case will be. (Left as an exercise to the reader.)
: This bullshit pisses me off. . . And now they are saying that if
: anything is damaged I can't do shit because my computer equipment was
: "laying out unprotected"..

Also typical of the type of computer seizures I have seen in the past.
The common practice is to keep the equipment long enough that it's obsolete when you get it back. Easy to do now-a-days.
: Andy Goodwin
-uni- (Dark)
--
073BB885A786F666 nemo repente fuit turpissimus - potestas scientiae in usu est
6E6D4506F6EDBC17 quaere verum ad infinitum, loquitur sub rosa - wichtig!
** end quotation. **

Obviously, I did not post the portion claiming to be an "automated message" and a warning to whomever will listen. Yet, the post claims to be from me.

It seems then that someone is running a process which looks for posts to alt.2600, and then automates the above response, original post attached, to warn off system admins, fight crime, save the day, etc. etc. Either that or Lance is bored again.

Does this disturb anyone besides me?

Most obviously, the misattribution is concerning. Clearly the threat of misattributed automated posting is merely one more argument for digitally signing each and every message and post.

Less obvious, but perhaps more ominous is the concept itself of automated postings that amount to censorship chain letters. "System Administrator A didn't pay attention to this message and refused to snoop into his users' directories and three weeks later his system was shut down. System Administrator B heeded this letter's warning, and saved his access provider from certain doom!"

Look carefully at what this letter says, what it urges system operators to do.

1> Because alt.2600 is occasionally used to trade pirate ftp sites, those who post to alt.2600 are probably pirates. ergo, System Admins. should check the directory of any users who post to alt.2600. If you don't snoop, your system will be shut down.

2> alt.2600 is used to promote shoplifting, and irc disruption. (No relevance is even attempted by the message on this point.)

And the purpose of the letter?

1> To alert you that this user is probably posting from a stolen account. That the named user is probably a security risk, a troublemaker, a political dissident, or whatever else comes to mind.

2> "To alert you that there are crackers on your machine." Not that there MAY BE crackers, not that crackers are known to be on alt.2600, and therefore may be on your system, but that crackers ARE ON YOUR MACHINE. If the bald misrepresentation of this statement evades anyone who reads this, I simply give up all hope.

3> That the post may be a violation of the access provider's membership agreement. (As if the automated or manual sender of the message has any idea what the membership agreement of my particular provider might be)

4> The user making this post may be preparing to break into [your machine] or another system, if they have not done so already.

5> To suggest that system admins. "...keep a close eye on users who have posted to alt.2600, and to inspect their files and email [if it's legal]."

For those recipients of this message that do not know me, I am an attorney, a member of the D.C. bar, and a law abiding person. The allegation that I, by replying to a message crossposted to alt.2600, am a hacker, a cracker, a shoplifter, a vandal, or whatever other villain of the week you might choose to insert is absurd. The above message constitutes slander, defamation of character, and is entirely untrue in any regard to me other than in so far as it indicates my words might have reached alt.2600 at some time or another.

The content of my original quoted message alone should indicate to any reader how absurd the "automated posting"'s allegations are, and demonstrate the pure uselessness of such an approach as a means of accomplishing anything more than to annoy, accuse, threaten, and waste bandwidth. The fact that the automated posting purports to be sent from me almost makes whatever hacking I am supposed to have done seem tame.

From a legal standpoint, the automated posting is entirely lacking in any basis whatsoever for increased scrutiny of my, or any other account address which it slanders. Directing scrutiny to accounts posting at one time or another to "questionable" newsgroups should prompt one to ask one's self about the state of free speech in cyberspace, and increasingly, in this country.

What has become of our system that discussion forums, be they on "questionable" topics or not, become probable cause for investigating system users, or rummaging through accounts?

I hereby inform the system administrators on my provider, as well as others, that I would consider increased attention to my account, or any other based on this sham of an "automated posting," harassment, invasion without cause, a violation of several electronic privacy acts, and simple witch hunting. Should I come by any indication that such attention is directed to my account, I shall immediately terminate my account with Express Access, and pursue what legal action is available to me to the full extent possible.

System administrators would do well to inform themselves of the requirements for intrusion into users' accounts, the protections provided those accounts both by statute, and constitution.

While anonymous writings, political speech and literary products have a long and sacred history in the United States, baseless accusations leveled by anonymous finger pointers do not. I find the tactic and tone of this automated posting distasteful and offensive in the extreme. I urge system admins at my, and other providers, to discourage the use of such automated witchhunts, and expose the party/parties responsible for the distribution. I, for one, would be very interested in talking to the individual/s responsible.

-uni- (Dark)
[unicorn@access.digex.net]

073BB885A786F666 nemo repente fuit turpissimus - potestas scientiae in usu est
6E6D4506F6EDBC17 quaere verum ad infinitum, loquitur sub rosa - wichtig!
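The forged notice's own headers record where it entered the recipient's mail system, whatever its From: line says. As an added example (not part of the original thread), this Python code reads the Received chain newest-first, believes only the hops stamped by the recipient's own relays, and reports the first outside host; `entry_point`, `audit` and the trusted-domain argument are names chosen here, and the headers are copied from the notice quoted above.

```python
import re
from email import message_from_string

# Headers of the forged notice, copied from the message quoted above.
RAW = """\
Received: from access4.digex.net by nfs1.digex.net with SMTP id AA24362
  (5.67b8/IDA-1.5); Sun, 18 Dec 1994 02:10:05 -0500
Received: from nfs2.digex.net by access4.digex.net with SMTP id AA23077
  (5.67b8/IDA-1.5); Sun, 18 Dec 1994 02:10:03 -0500
Received: from netcom17.netcom.com by nfs2.digex.net with SMTP id AA06122
  (5.67b8/IDA-1.5); Sun, 18 Dec 1994 02:10:02 -0500
Received: by netcom17.netcom.com (8.6.9/Netcom) id XAA04015;
  Sat, 17 Dec 1994 23:09:54 -0800
Message-Id: <199412180709.XAA04015@netcom17.netcom.com>
From: unicorn (Black Unicorn)

"""

HOP = re.compile(r"(?:from\s+(?P<src>\S+)\s+)?by\s+(?P<dst>\S+)", re.I)

def in_domain(host, domain):
    host = (host or "").lower().rstrip(".")
    return host == domain or host.endswith("." + domain)

def entry_point(raw, trusted_domain):
    """Return the first host outside trusted_domain that handed the message
    to one of our own relays. Hops are read newest-first and only lines
    stamped by trusted relays are believed; older ones can be forged."""
    msg = message_from_string(raw)
    for hop in msg.get_all("Received", []):
        m = HOP.search(hop)
        if not m or not in_domain(m.group("dst"), trusted_domain):
            return None  # chain left our relays without a recorded handoff
        if m.group("src") and not in_domain(m.group("src"), trusted_domain):
            return m.group("src").lower()
    return None

def audit(raw, claimed_home):
    """Compare where the message entered with where the claimed sender lives."""
    msg = message_from_string(raw)
    entry = entry_point(raw, claimed_home)
    msgid_host = msg.get("Message-Id", "").strip("<>").rpartition("@")[2].lower()
    findings = []
    if entry:
        findings.append(f"entered {claimed_home} from external host {entry}")
    if msgid_host and not in_domain(msgid_host, claimed_home):
        findings.append(f"Message-Id minted at {msgid_host}")
    return findings
```

Calling `audit(RAW, "digex.net")` reports both mismatches for a message that claims to come from a digex.net user.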
> Obviously, I did not post the portion claiming to be an "automated message" and a warning to whomever will listen. Yet, the post claims to be from me.

I have received a pair of similar messages; I found it quite irritating. The message is apparently from rcalasso@netcom.com, with pointers to ghoast@gnu.ai.mit.edu.

> Does this disturb anyone besides me?

Yes. It irritates the shit out of me, to put it bluntly. I didn't post anything remotely insecure, but how am I to know that my admins will even read the text of my message? I don't want my account-space searched, even though I'm not worried about anything being found - it's a matter of principle.

> very interested in talking to the individual/s responsible.

Addresses are above.

-jon
( --------[ Jonathan D. Cooper ]--------[ entropy@intnet.net ]-------- )
( PGP 2.6.2 keyprint: 31 50 8F 82 B9 79 ED C4 5B 12 A0 35 E0 9B C0 01 )
Perhaps this is a prime time to sign all messages, and use hpack to protect those unix files and directories from prying eyes. I am still trying to figure out how to set up PGPsendmail or AutoPGP or connect PGP to some mail program so this can be done automatically. I would appreciate any help offered.

Meanwhile, what can you do other than swamp their sysadmin with complaints, forward their antics to CERT, as they have done?

Regards,
Dave

On Sun, 18 Dec 1994, Jonathan Cooper wrote:

> Yes. It irritates the shit out of me, to put it bluntly. I didn't post anything remotely insecure, but how am I to know that my admins will even read the text of my message? I don't want my account-space searched, even though I'm not worried about anything being found - it's a matter of principle.
>
> -jon
> ( --------[ Jonathan D. Cooper ]--------[ entropy@intnet.net ]-------- )
> ( PGP 2.6.2 keyprint: 31 50 8F 82 B9 79 ED C4 5B 12 A0 35 E0 9B C0 01 )

___
/\ PGP the Cutting Edge of Privacy
/vvvvvvvvvvvv \-------------------------------------\
| WARRIOR ( |PGP Key Id 0X71FADEAD > Veritas Vincit
`^^^^^^^^^^^^ /=====================================/
\/ Finger for PGP 2.6.2 public Key.
PGP Fingerprint 59 BB DD BC BA E6 C7 77 34 81 09 92 62 6C 74
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
| Dave M. Harvey warrior@infinet.com|
| PO Box 151311 dharvey@freenet.columbus.oh.us|
| Columbus, OH 43215-8311 fm063@cleveland.freenet.edu|
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
-----BEGIN PGP SIGNED MESSAGE-----

In article <Pine.SUN.3.91.941218033513.23234C-100000@access3.digex.net>, you wrote:

> It seems then that someone is running a process which looks for posts to alt.2600, and then automates the above response, original post attached, to warn off system admins, fight crime, save the day, etc. etc. Either that or Lance is bored again.

Hi Uni,

I found this in alt.revenge and it may have something to do with your problem. I didn't follow all of it, but then again I don't subscribe to alt.2600.

Sam

Path: skypoint.com!winternet.com!interactive.net!news.sprintlink.net!howland.reston.ans.net!gatech!n
From: crk_test@guiness.ucns.uga.edu (Danhiel "Deviant?" Baker)
Newsgroups: alt.2600,alt.revenge
Subject: Thanks Cracker Buster!
Date: 17 Dec 1994 17:16:24 GMT
Organization: Beyond the Mists
Lines: 27
Sender: crk_test@guiness.ucns.uga.edu
Message-ID: <3cv6d8$mos@hobbes.cc.uga.edu>
NNTP-Posting-Host: sb.dcs.uga.edu
Approved-By: Derkhil CatSpawn
Originator: dbaker@sb.dcs.uga.edu
Xref: skypoint.com alt.2600:41189 alt.revenge:4501

It's surprising to me that no one else has touched on this before; it'd seem the natural thing for those that read 2600. While the automated messages are rather annoying when you are making a "legit" post, you can use this 'service' that Cracker Buster is providing for a bit of net-revenge.

News is easy to forge - the spammer demonstrated that quite handily - and providing a new 'From:' line to a post that points to your favorite net-nemesis. Some on alt.2600 are pro'ly already doing a similar switch in order to mis-direct the autoresponses and save themself a headache. With a little thought I'm sure that you could generate quite an interesting post that will have their sysadmin suspicious quite quickly.

Just a thought... For all of his hypocritical "goods intentions", Cracker Buster has provided another method to cause all of that damage/destruction/evil/traffic stoppage that he accuses us of. *grin*

No, I wouldn't actually suggest that you mis-direct the auto-replies in a malicious way; a couple of "legit" ideas along this line would be to screw-up your 'From:' line so that Cracker Buster gets a mailbox full of returned-mail-bad-address (this I *do* suggest, naturlich!) and to add your own 'Really-From: realme@real.address.com' line with your correct address so that ppl that _really_ want to get in touch with you can. Some variation on the line would be advised -- no need to make it easy for his responder to handle. Take a look at the headers on CB's apology post for more ideas and suggestions.

Pro'ly need a "Sender:" line as well; I'll know exactly after this post goes thru.

Danhiel

==============================================================================
Doctors are just the same as lawyers; the only difference is that lawyers
merely rob you, whereas doctors rob you and kill you too. --Anton Chekhov--
==============================================================================
skaplin@skypoint.com                 | "...vidi vici veni" - Overheard
                                     | outside a Roman brothel.
PGP encrypted mail is accepted and   |
preferred.                           | Change is the only constant in the
                                     | Universe..."Four quarters, please."
E-mail key@four11.com for PGP Key or |
Finger skaplin@mirage.skypoint.com   | Smile!! Big brother is watching.
==============================================================================

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2
Comment: This message digitally signed to verify the identity of the sender
-----END PGP SIGNATURE-----
Participants (4): Black Unicorn, Jonathan Cooper, skaplin@skypoint.com, warrior