Slashdot Mirror


Battle Creek, Michigan Settles Dispute with ORBZ

Peter Sachs, Esq. writes: "According to a press release that now appears on its official website, the City of Battle Creek, Michigan has 'settled' its dispute with ORBZ.ORG. The City concluded that ORBZ.ORG had no criminal intent to cause the City harm by testing the 'open relay' status of its server. In fact, the Assistant to the City Manager said, '...we recognize that [ORBZ.ORG] has done us a service. We are going to be taking a close look at our policies regarding Lotus security updates and how we can avoid the issue in general'"

8 of 259 comments

  1. Nope. by Russ+Nelson · · Score: 4, Informative

    Nope. Read Ian's message. He said that he wasn't closing ORBZ because of *this* case. He was closing it because of the subsequent cases.
    -russ

    --
    Don't piss off The Angry Economist
  2. Re:more info? by frank_adrian314159 · · Score: 5, Informative
    There was a defect in releases earlier than 5.0.9. When E-mail was received from an address having a certain form, the system would go into a hung state, consuming 100% of the server's CPU cycles. Here is the reference to the details.

    The defect was fixed in version 5.0.9 and Lotus has moved on with version 5.0.10 being released soon. Many people as of yet have not upgraded their servers, leaving ORBZ open to similar actions if they stumble across other Domino servers that are running older software and whose owners might be more litigious.

    So ORBZ isn't out of the woods yet.

    --
    That is all.
  3. Shooting people to test for vests by Skapare · · Score: 5, Informative

    From the press release by Michelle Reen, Assistant to the City Manager, Battle Creek, Michigan:

    "But, if I can draw the analogy that just because everyone should wear a computerized bulletproof vest doesn't mean that shooting people to find out who isn't wearing one is the best answer. If Mr. Gulliver chooses to do this, he perhaps shouldn't be surprised that he will occasionally be confused with the type of individual he is fighting against."

    This analogy is flawed. Here's why:

    Shooting people is something that, if a vest is not worn, can be expected to cause serious injury or death. Even if a vest is worn, the outcome can be injury, and death has been known to happen.

    A more accurate analogy would be tapping someone on the shoulder to see if they are alive. But you don't expect that one in tens of thousands happens to have a very sore shoulder, and this tapping causes great pain.

    My analogy is more correct because the kind of test ORBZ does is not one where a reasonable person doing this kind of activity (reasonable in this case meaning someone who understands the SMTP protocol, and related standards like RFC822, TCP, etc.) would expect to cause serious problems. At most, this should trigger an alarm in more secure servers, which can then be filtered for this known testing source. ORBZ is not including codes intended to damage or destroy computer systems in these tests just to see if they would be destroyed (as Ms. Reen's analogy would suggest).

    It seems to me that the city of Battle Creek perhaps acted a bit hastily in the way they reacted. I'm not saying that they shouldn't have the police involved in the investigation, and I'm not saying they shouldn't pursue acquiring information to further that investigation. However, such an investigation should be tempered by the understanding that defective software, especially that which has not been properly maintained, or properly configured, can, and very frequently does, fail on account of that defect simply as the result of a properly formed, standards-defined computer or network activity. We all know PC systems (especially, but not exclusively, Windows) can fail at times even though only normal activity is taking place. Just because an activity can come from outside, from the internet, does not mean that it can only be malicious.

    I recommend the City of Battle Creek Michigan, and any other government or business in like circumstances, operate under the following suggestions:

    • Whenever something causes a system to fail, include in any investigation of the cause an analysis of why it failed, including the protocols and software codes involved. Don't just hand it over to the police after the first jump to conclusion. Gain an understanding of exactly why the system failed, especially if the failure repeats.
    • Whenever a problem is tracked to some source, don't jump into threatening mode on initial contact, unless you have a reason to believe the communication would fail any other way. Serious intent to investigate and follow up on real crimes does not mean aggression in legal procedures gains anything. Were this a real internet cracker, there wouldn't have been any useful information from this first step, anyway.
    • Place stronger protection between office LANs and city WANs and the internet itself. But do more than just a simple firewall that allows raw TCP streams to pass. Use a strong secure server with proxying where possible. Systems like Lotus Notes or Microsoft Exchange are too likely to be vulnerable, and too mission critical for staff operations, to be expected to also serve as the shield facing the internet. Run an OpenBSD server with something like Postfix to forward mail, and Squid to cache web accesses both in and out.
    • Institute new procedures that outline standard timeframes for keeping computer systems up to date, especially with the latest security alerts. All security patches should be installed within 7 days of availability or a report made to the top official regarding why that patch cannot be applied, describing alternative steps to deal with the risk. All other systems should be upgraded to the latest version within 90 days, if free. If not free, an analysis of the benefits (if any) of purchasing such an upgrade should be provided to the person in charge of making system software purchasing decisions, within 90 days.

    Also, get the reverse DNS fixed on your mail server.

    --
    now we need to go OSS in diesel cars
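    As an added example in the spirit of the point above that a relay test "should trigger an alarm in more secure servers, which can then be filtered for this known testing source" (this is not code from the post or from ORBZ): a small detector that scans Postfix smtpd reject lines for relay attempts, counts them per client address, and separates a placeholder list of known tester addresses from everything else. The log lines, addresses and the tester list are constructed for the example.

```python
import re
from collections import Counter

# Postfix smtpd reject line, e.g.
# "NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 554 5.7.1 <x@y>: Relay access denied; from=<a@b> to=<x@y> proto=ESMTP helo=<z>"
REJECT_RE = re.compile(
    r"postfix/smtpd\[\d+\]: NOQUEUE: reject: RCPT from (?P<host>\S+)\[(?P<ip>[^\]]+)\]: "
    r"(?P<code>\d{3}) \S+ <(?P<rcpt>[^>]*)>: (?P<reason>[^;]+);"
)

def parse_relay_rejects(lines):
    """Yield (client_ip, client_host, rcpt) for each 'Relay access denied' reject."""
    for line in lines:
        m = REJECT_RE.search(line)
        if m and m.group("reason") == "Relay access denied":
            yield m.group("ip"), m.group("host"), m.group("rcpt")

def relay_probe_report(lines, known_testers=frozenset(), threshold=1):
    """Count relay-denied attempts per client IP.
    Returns (alerts, filtered): alerts holds unknown sources at or above
    threshold, filtered holds sources on the known-tester list."""
    counts = Counter(ip for ip, _, _ in parse_relay_rejects(lines))
    alerts = {ip: n for ip, n in counts.items() if ip not in known_testers and n >= threshold}
    filtered = {ip: n for ip, n in counts.items() if ip in known_testers}
    return alerts, filtered

# Constructed sample log (RFC 5737 documentation addresses), not taken from the page.
SAMPLE_LOG = """\
Mar 20 10:01:02 mx postfix/smtpd[2211]: connect from unknown[192.0.2.10]
Mar 20 10:01:03 mx postfix/smtpd[2211]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 554 5.7.1 <victim@example.net>: Relay access denied; from=<probe@example.org> to=<victim@example.net> proto=ESMTP helo=<tester>
Mar 20 10:01:04 mx postfix/smtpd[2211]: disconnect from unknown[192.0.2.10]
Mar 20 10:05:00 mx postfix/smtpd[2240]: NOQUEUE: reject: RCPT from mail.example.com[198.51.100.7]: 554 5.7.1 <someone@example.net>: Relay access denied; from=<spammer@example.com> to=<someone@example.net> proto=ESMTP helo=<bulk>
Mar 20 10:05:01 mx postfix/smtpd[2240]: NOQUEUE: reject: RCPT from mail.example.com[198.51.100.7]: 554 5.7.1 <other@example.net>: Relay access denied; from=<spammer@example.com> to=<other@example.net> proto=ESMTP helo=<bulk>
Mar 20 10:06:00 mx postfix/smtpd[2250]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 450 4.1.8 <bad@nxdomain.invalid>: Sender address rejected: Domain not found; from=<bad@nxdomain.invalid> to=<user@example.net> proto=ESMTP helo=<x>
"""

# Placeholder: the source addresses a relay-testing service publishes would go here.
KNOWN_TESTERS = frozenset({"192.0.2.10"})

if __name__ == "__main__":
    alerts, filtered = relay_probe_report(SAMPLE_LOG.splitlines(), KNOWN_TESTERS)
    for ip, n in alerts.items():
        print(f"ALERT: {n} relay attempt(s) from {ip}")
    for ip, n in filtered.items():
        print(f"known tester {ip}: {n} attempt(s), filtered")
```

    A server that logs a relay attempt as a reject has done its job; the alert is there so an unknown source can be followed up and a known tester can be ignored rather than reported.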
    1. Re:Shooting people to test for vests by Skapare · · Score: 3, Informative

      Here is the letter I sent, sans the spam itself (typical relayed spam). As you can see, I didn't focus on the spam, and I didn't subject them to my usual "block first, ask questions later" approach (else how would I have gotten his response).

      The following is a complaint regarding SPAM from the Spencer
      Public Schools.

      Spam is bad enough when some company on the internet sends it
      out to you. But it can be stopped easily by recording the
      location it comes from in a list of places to reject mail from.
      Thousands of Internet Service Providers and other companies
      are now doing this.

      Now spam is coming from the Spencer Public Schools. I don't
      think this is what the tax dollars of your community are for.
      Yet it is paying for helping some spammer on the internet to
      send his junk mail to millions of people. It not only costs
      you money, but it also costs other people money.

      I have been seeing this kind of thing happen in many many
      places throughout the Internet. Mail servers are set up on
      the Internet, and they are either set up incorrectly, or they
      are set up with bad software. One or the other of these did
      happen at Spencer Public Schools. That's how the spam came
      through.

      When a mail server is set up, if the person who sets it up is
      not specifically thinking about making sure others cannot relay
      their spam through it, they might as well accept the fact that
      it is going to happen. The same thing applies to security.
      Can you be sure that your servers (all of them) are really so
      secure if the person who sets them up is so careless as to let
      spam come through a mail server? Do you know that when they
      set up the other servers they thought carefully about all the
      security issues when they did it to make sure no one can access
      things like confidential records? Have you audited the security
      of the Spencer Public Schools computers?

      So you're running Windows 2000. That doesn't make it secure.
      Obviously it doesn't if a simple thing like using your computer
      to send spam throughout the world for some con artist can be
      done. Setting up ANY computer requires that the person who
      sets it up realizes that it is NOT secure until they do all the
      steps necessary to make it secure.

      You are sure to get many complaints due to this spam. The first
      thing that will happen is someone will quickly go make changes
      to the mail server to prevent this one security leak. That may
      seem fine at first. But what about all the other security holes?
      Will they also be plugged up? Do you even know what they are?
      And what about your computer operating procedures and policies?
      Did they cover this kind of situation? They obviously failed
      to prevent it. But were they even written to prevent it or did
      they just not even address the issue at all?

      You clearly need to get some competent computer help involved
      in making sure your computers are secured. Perhaps you can get
      this help from WiscNet. But you definitely need to get that
      help, and get it soon. And don't ask one of the students who
      might seem to be very bright with computers. They might be
      good at cracking into computers or writing nifty programs, but
      what you need is a professional analysis of your procedures and
      security policy. And you need to get it done before the fall
      school term begins. If not, you are almost certain to become
      a victim again, and again; if not from spammers, then maybe
      even from one of your own students.

      As for this spam incident, normally my very first action after
      sending a formal complaint is to totally cut off the offender's
      network from our network. If I did that here, you'd have to
      make a request to me to restore that access by some means other
      than through your own mail server. It's usually inconvenient,
      but it gets a serious message across to Internet scofflaws.

      In this case, I'm not going to do this. I won't be blocking
      your network. If the problem repeats, I'll change my mind.
      I have over 21,000 networks blocked right now (over 3,000 of
      them are in China). And those are the ones where the people
      running them just don't care.

      Normal spam complaints include a copy of the spam that caused the
      complaint to be made. So I'm including that below. Each line
      of the original is indented with a "|" character at the left
      side of each line. Here it is:

      --
      now we need to go OSS in diesel cars
  4. Re:Absolutely amazing. by caferace · · Score: 3, Informative
    Would the last one out of the server room please hit the BRS?

    Not so fast there Bucko... From the press release: "Spam refers to a computer prank that causes multiple duplicate emails, sometimes several hundred at once, to clog up the recipient's mail server."

    Seems to me like they still have a few things to learn...

  5. Re:Better late than never? by flamingcow · · Score: 5, Informative
    "The purpose of the search warrant was to determine the identity of the person who sent the email that caused our system to fail so we could then determine whether further investigation would be necessary."

    The search warrant cited our domain no less than 7 times. Had the detective taken the time to read the website, the situation would have been quite clear to him.

    Second, this all could have been avoided if Ian Gulliver hadn't freaked when he got the order. If he'd waited a bleeding 24 hours this would have been resolved and ORBZ could have gone on its merry way.

    Having more knowledge here of what went on than you, please trust me. In my opinion, this 'settlement' wouldn't have been nearly as forthcoming if a certain Wired.com article didn't cause major embarrassment. I believe that this 'settlement' is much more public relations damage control than an actual realization that a mistake was made.
  6. Re:A day too late? by haystd · · Score: 2, Informative

    We used ordb.org and while it did block a significant amount of spam, it also seemed to block a considerable number of our clients (we service healthcare companies and I won't speculate about what this says about their IS/IT groups). The last straw was when it added a major ISP's email server (which probably did need fixing but we nonetheless couldn't afford the downtime). Of late, I've quit using blacklists in favor of simply blocking offending netblocks which has actually yielded better results with less grief. This works because most of the offending netblocks are not something that we'd be expecting legitimate email from.

  7. Re:Battle Creek and Kellogg's by pyramid+termite · · Score: 3, Informative

    I understand that Kellogg's has nothing to do with the stupidity of the city,

    HAH!! I grew up in the town! You have NO idea how wrong you are about that. They ran the town so effectively that they blackmailed a surrounding township to merge with the city and then had the city tear down several blocks of downtown for a research center and a high class hotel that wouldn't make visiting VIPs feel like they were in No-Tell Motel Hell. Millions in taxpayer money went to this while the surrounding neighborhoods turned into run down rat infested crack houses. Eventually, Kellogg's laid off so many people that they've lost some of their influence.

    but they're the biggest taxpayer/employer in Battle Creek, and that's close enough for me.

    Actually, Nippondenso and Battle Creek Health Systems are bigger nowadays. Also, you should know that Post and Ralston Purina have factories there.

    As far as a boycott goes, I've been doing that ever since the day I saw how corn flakes were actually made ... And you've no idea what it's like when the sickly sweet smell of Sugar Frosted Flakes or Sugar Pops floats over the city like the sugar hangover from hell. Sour, sweet and totally nauseating.

    The Battle Creek Police would be ill equipped to investigate a case like this. They have more trouble than they can handle in that town as it is.

    Don't be too tough on BC - hell, they JUST got cable modem service two months ago and the geek population is just about zero as the few who grew up there either moved out or got buried under a football field somewhere by the team ...

    Do you know how pathetic the place is? They have an army base named after Gen. Custer. Need I say more?

    I love living in Kalamazoo ...