North American Network Operators Group

Re: spam colusion

  • From: Dean Anderson
  • Date: Sat Jan 08 17:40:50 2000

Around 08:14 AM 1/8/2000 -0800, rumor has it that Owen DeLong said:
>However, I must question whether the activity Dean discusses is actually
>criminal.  He does not accuse them of carrying out the attacks, he
>accuses them of transporting information published by a third party
>which notifies the world that his site is vulnerable to these attacks.

Umm, for the record, I do make such an accusation. When they probe a
non-public government computer, they are violating 18 USC 1030 Sections
2(b), 2(c), and 3.  Those are criminal violations.  You simply may not
probe government computers. Doing so is immediately a crime.  The $5000
limit is only for non-government computers.

Then they do other things, some of which are criminal (fraud is criminal),
and some of which may not be.

>Since Dean has published information to NANOG and other public forums
>stating that:
>	1.	His sites _ARE_ vulnerable.

My customer shell servers' telnet sessions are vulnerable to password
theft, and password guessing. So are yours. So what?

>	2.	He has no willingness to fix these vulnerabilities.

There isn't any way to fix them.  There may be a protocol extension in the
future, but it's not here yet.  I've been through this with 50 people in the
last 6 months.  That doesn't permit others to exploit them.

>	3.	He intends to make the internet at large responsible
>		for his negligence WRT these sites.

We have no negligence. And we do not hold the internet at large
responsible. Just those that exploit protocol vulnerabilities, and those who
assist with the exploitation.  If your customer commits crimes, and you
don't do anything about it after complaints are made, I expect that you
bear responsibility and liability.

>I seriously doubt that publishing a list of known public nuisances
>is genuinely illegal.  Further, unless Dean has presented netgate
>with a court-order showing that the court has indeed found said
>activity to be illegal, I think they would be negligent in turning
>off said service.

So publishing a list of sites which have vulnerabilities detected by SATAN
scans wouldn't be illegal?  That's what you are saying.

As far as court orders go, the point of this discussion is to make sure we
have exhausted all non-litigious options.

>How would you like it if your ISP shut you down because I
>complained to them that you were sending out messages that
>contained information that was publicly available, but which
>I didn't want published?  That's what Dean's really saying.

No, it's not what I'm saying.  Would you object if I published a list of
your servers which could be broken into, and said that it was OK with you
to break into those systems?  I think you would.  

But if you wouldn't mind, I'll be happy to have your permission to scan
your net with SATAN and publish a web page for the script kiddies.  What
was that? You don't give me permission?  I didn't think so.

           Plain Aviation, Inc                  [email protected]