Security Incidents mailing list archives

Re: Korea (was RE: ?)


From: o'neil.brooke () LMCO COM (Brooke, O'Neil)
Date: Fri, 28 Jan 2000 10:25:38 -0500


I do not know Robert either, and maybe I am a bit more sensitive to this
than others. The point remains though.

And if I stumbled upon a rootshell bound to a port on any machine that
had recently been used to attack me, I sure would use it to investigate.
I don't see *any* harm in that whatsoever. The most likely reason for the

Here's a whatif for you. The admins of that server did not detect the
person that had installed the backdoor. They do detect you though. Now
you have been accused of cracking this machine. Depending on where in
the world you live, the police could show up at your door seize all of
your computer equipment and put you in jail. Sure you didn't crack this
machine, but there is a clear audit trail of you accessing the backdoor
and you have the joy of trying to prove you are NOT responsible for the
exploitation of this machine. The harm is in your own personal
liability. You have no right to 'investigate', if by that you mean using
any unauthorized access to a machine that is not legally yours to
administrate.

As for Robert's comments. Several nations are in the process of building
offensive information warfare groups. I do not think that Robert's
comments reflect an official government position, but as an individual
within the government he has suggested an activity that could be
illegal. As an Internet Technologist will he be involved with the
discussions that develop official policy? His statement can give fuel to
a lot of negative conjecture. I am just suggesting a little discretion.

We run the risk of supporting an IO arms race here. One government
agency supports 'hack-back' and will let the lawful admins of a machine
know about the activity. Will that spur another agency to support
'hack-back' and take it to another level? Perhaps the next step is to
install another backdoor so that the machine can be monitored and
crackers that visit it in the future can be detected, like a remote
honeypot. After all, these crackers attack local computers as well.

If a nation that you consider to be an adversary supports 'hack-back'
with remote honey pots, you would probably feel threatened. Crackers
exploit your computers and then this adversary feels authorized to
install trojans to use for their own purposes. What IO policies does
your nation take to counter this threat? You see the potential for
escalation here?

Official statements are not required to kick off this escalation. The
personal ramblings of individuals within government agencies speak
volumes.

----------
From:  Kim Robert Blix[SMTP:kim () nhi no]
Sent:  Friday, January 28, 2000 4:30 AM
To:    Brooke, O'Neil
Cc:    INCIDENTS () SECURITYFOCUS COM
Subject:       Re: Korea (was RE: ?)


Robert G. Ferrell
National Business Center, US DoI

This is not a very ethical statement. Especially when you consider the
email address you have used to send this message. Does the National
Business Center condone 'cracking', when it is useful?

"Brooke, O'Neil"

Although I don't know the first thing about Robert G. Ferrell, I'd like to
point out that it is standard list/usenet policy to assume that a person
speaks for himself and no one else unless so noted.

And if I stumbled upon a rootshell bound to a port on any machine that
had recently been used to attack me, I sure would use it to investigate.
I don't see *any* harm in that whatsoever. The most likely reason for the
shell being there is that the machine has been compromised and is used to
launch attacks elsewhere. So by checking it out and then placing a
phone call you are doing them a favor.

What you seem to be saying is that if your neighbour's house and their
door is wide open in the middle of the night, you should just move along.
I'd sure stick my head in and ask if everything is all right.

K



