Security Incidents mailing list archives
Re: Korea (was RE: ?)
From: james.drissel () CMET AF MIL (Drissel, James W.)
Date: Mon, 31 Jan 2000 11:33:07 -0600
If you don't have any info on the machine, how could you know that the socket that you connected to is connected to a root shell? Are you responsible for the hack if you telnet to port 80 and get a root shell instead of a login? Does it matter what port it is on? Can you be sure it really is a root shell and not a sandbox or honeypot program?

I say if you are under attack, you are entitled to look in the windows of your attacker's house, so to speak. If you are just being scanned, I don't think you should do anything except log and report it. Given the difficulty of getting some machine owners to fix wide open holes, I might even be tempted to load a clean compiler and sources and re-build the system's executables, patch everything and re-boot it! Yes, that would be very intrusive, but it may be the only way to stop the attack.

I make the analogy of having a thief trying to run you over in your neighbor's stolen car. You know that the car is stolen, but you can still legally get in and take it over to stop the thief! Why doesn't/shouldn't this principle apply in cyberspace?

Under Texas law, if a person is entitled under law to use force to defend self or property, but does not, cannot, or fails to effectively defend self or property, anyone who comes along can defend them or their property to the same extent as the owner can. You can find the law in Vernon's Texas Code, sections 9-41 and 9-42.

Would this justify taking a look around in a machine that is compromised? Is not a root shell on a port prima facie evidence of a break-in? Is it any different than seeing that your neighbor's door has been kicked in and going in to see if they are OK? If it is different, why is it different? How would re-building the system and kicking out the intruder be any different, morally or legally, from going in through the smashed door, escorting the intruder out at gun-point and fixing the door?
Just a few thoughts on cyber self defense,

James Drissel

-----Original Message-----
From: Brooke, O'Neil [mailto:o'neil.brooke () LMCO COM]
Sent: Friday, January 28, 2000 9:26 AM
To: INCIDENTS () SECURITYFOCUS COM
Subject: Re: Korea (was RE: ?)

I do not know Robert either, and maybe I am a bit more sensitive to this than others. The point remains though.
> And if I stumbled upon a rootshell bound to a port on any machine that had recently been used to attack me, I sure would use it to investigate. I don't see *any* harm in that whatsoever. The most likely reason for the
Here's a what-if for you. The admins of that server did not detect the person that had installed the backdoor. They do detect you though. Now you have been accused of cracking this machine. Depending on where in the world you live, the police could show up at your door, seize all of your computer equipment and put you in jail. Sure, you didn't crack this machine, but there is a clear audit trail of you accessing the backdoor and you have the joy of trying to prove you are NOT responsible for the exploitation of this machine. The harm is in your own personal liability. You have no right to 'investigate', if by that you mean using any unauthorized access to a machine that is not legally yours to administrate.

As for Robert's comments: several nations are in the process of building offensive information warfare groups. I do not think that Robert's comments reflect an official government position, but as an individual within the government he has suggested an activity that could be illegal. As an Internet Technologist, will he be involved with the discussions that develop official policy? His statement can give fuel to a lot of negative conjecture. I am just suggesting a little discretion.

We run the risk of supporting an IO arms race here. One government agency supports 'hack-back' and will let the lawful admins of a machine know about the activity. Will that spur another agency to support 'hack-back' and take it to another level? Perhaps the next step is to install another backdoor so that the machine can be monitored and crackers that visit it in the future can be detected, like a remote honeypot. After all, these crackers attack local computers as well. If a nation that you consider to be an adversary supports 'hack-back' with remote honeypots, you would probably feel threatened. Crackers exploit your computers and then this adversary feels authorized to install trojans to use for their own purposes. What IO policies does your nation take to counter this threat?

You see the potential for escalation here? Official statements are not required to kick off this escalation. The personal ramblings of individuals within government agencies speak volumes.
----------
From: Kim Robert Blix [SMTP:kim () nhi no]
Sent: Friday, January 28, 2000 4:30 AM
To: Brooke, O'Neil
Cc: INCIDENTS () SECURITYFOCUS COM
Subject: Re: Korea (was RE: ?)

> Robert G. Ferrell
> National Business Center, US DoI
>
> This is not a very ethical statement. Especially when you consider the email address you have used to send this message. Does the National Business Center condone 'cracking', when it is useful?
>
> "Brooke, O'Neil"

Although I don't know the first thing about Robert G. Ferrell, I'd like to point out that it is standard list/usenet policy to assume that a person speaks for himself and no one else unless so noted.

And if I stumbled upon a rootshell bound to a port on any machine that had recently been used to attack me, I sure would use it to investigate. I don't see *any* harm in that whatsoever. The most likely reason for the shell being there is that the machine has been compromised and is used to launch attacks elsewhere. So by checking it out and then placing a phone call you are doing them a favor.

What you seem to be saying is that if your neighbour's house has its door wide open in the middle of the night, you should just move along. I'd sure stick my head in and ask if everything is all right.

K