Security Incidents mailing list archives

Re: Korea (was RE: ?)


From: james.drissel () CMET AF MIL (Drissel, James W.)
Date: Mon, 31 Jan 2000 11:33:07 -0600


If you don't have any info on the machine, how could you know that the
socket that you connected to is connected to a root shell?  Are you
responsible for the hack if you telnet to port 80 and get a root shell
instead of a login?  Does it matter what port it is on?  Can you be sure it
really is a root shell and not a sandbox or honeypot program?

I say if you are under attack, you are entitled to look in the windows of
your attacker's house, so to speak.  If you are just being scanned, I don't
think you should do anything except log and report it.

Given the difficulty of getting some machine owners to fix wide open holes,
I might even be tempted to load a clean compiler and sources and re-build
the system's executables, patch everything and re-boot it!  Yes that would
be very intrusive, but it may be the only way to stop the attack.  I make
the analogy of having a thief trying to run you over in your neighbor's
stolen car.  You know that the car is stolen, but you can still legally get
in and take it over to stop the thief!  Why doesn't/shouldn't this principle
apply in cyberspace?

Under Texas law, if a person is entitled under law to use force to defend
self or property, but does not, cannot, or fails to effectively defend self
or property, anyone who comes along can defend them or their property to the
same extent as the owner can.  You can find the law in Vernon's Texas Code,
sections 9-41 and 9-42.  Would this justify taking a look around in a
machine that is compromised?  Is not a root shell on a port prima facie
evidence of a break-in?  Is it any different than seeing that your
neighbor's door has been kicked in and going in to see if they are OK?  If
it is different, why is it different?

How would re-building the system and kicking out the intruder differ,
morally or legally, from going in through the smashed door, escorting the
intruder out at gun-point and fixing the door?

Just a few thoughts on cyber self-defense.

James Drissel

-----Original Message-----
From: Brooke, O'Neil [mailto:o'neil.brooke () LMCO COM]
Sent: Friday, January 28, 2000 9:26 AM
To: INCIDENTS () SECURITYFOCUS COM
Subject: Re: Korea (was RE: ?)

I do not know Robert either, and maybe I am a bit more sensitive to this
than others. The point remains, though.

And if I stumbled upon a root shell bound to a port on any machine that
had recently been used to attack me, I sure would use it to investigate.
I don't see *any* harm in that whatsoever. The most likely reason for the

Here's a what-if for you. The admins of that server did not detect the
person that had installed the backdoor. They do detect you, though. Now
you have been accused of cracking this machine. Depending on where in
the world you live, the police could show up at your door, seize all of
your computer equipment and put you in jail. Sure, you didn't crack this
machine, but there is a clear audit trail of you accessing the backdoor
and you have the joy of trying to prove you are NOT responsible for the
exploitation of this machine. The harm is in your own personal
liability. You have no right to 'investigate', if by that you mean using
any unauthorized access to a machine that is not legally yours to
administrate.

As for Robert's comments: several nations are in the process of building
offensive information warfare groups. I do not think that Robert's
comments reflect an official government position, but as an individual
within the government he has suggested an activity that could be
illegal. As an Internet Technologist, will he be involved with the
discussions that develop official policy? His statement can give fuel to
a lot of negative conjecture. I am just suggesting a little discretion.

We run the risk of supporting an IO arms race here. One government
agency supports 'hack-back' and will let the lawful admins of a machine
know about the activity. Will that spur another agency to support
'hack-back' and take it to another level? Perhaps the next step is to
install another backdoor so that the machine can be monitored and
crackers that visit it in the future can be detected, like a remote
honeypot. After all, these crackers attack local computers as well.

If a nation that you consider to be an adversary supports 'hack-back'
with remote honey pots, you would probably feel threatened. Crackers
exploit your computers and then this adversary feels authorized to
install trojans to use for their own purposes. What IO policies does
your nation take to counter this threat? You see the potential for
escalation here?

Official statements are not required to kick off this escalation. The
personal ramblings of individuals within government agencies speak
volumes.

----------
From:  Kim Robert Blix[SMTP:kim () nhi no]
Sent:  Friday, January 28, 2000 4:30 AM
To:    Brooke, O'Neil
Cc:    INCIDENTS () SECURITYFOCUS COM
Subject:       Re: Korea (was RE: ?)


Robert G. Ferrell
National Business Center, US DoI

This is not a very ethical statement. Especially when you consider the
email address you have used to send this message. Does the National
Business Center condone 'cracking', when it is useful?

"Brooke, O'Neil"

Although I don't know the first thing about Robert G. Ferrell, I'd like to
point out that it is standard list/usenet policy to assume that a person
speaks for himself and no one else unless so noted.

And if I stumbled upon a root shell bound to a port on any machine that
had recently been used to attack me, I sure would use it to investigate.
I don't see *any* harm in that whatsoever. The most likely reason for the
shell being there is that the machine has been compromised and is used to
launch attacks elsewhere. So by checking it out and then placing a
phone call you are doing them a favor.

What you seem to be saying is that if your neighbour's house and their
door is wide open in the middle of the night, you should just move along.
I'd sure stick my head in and ask if everything is all right.

K
