Battle Creek, Michigan Settles Dispute with ORBZ
Peter Sachs, Esq. writes: "According to a press release that now appears on its official website, the City of Battle Creek, Michigan has 'settled' its dispute with ORBZ.ORG. The City concluded that ORBZ.ORG had no criminal intent to cause the City harm by testing the 'open relay' status of its server. In fact, the Assistant to the City Manager said, '...we recognize that [ORBZ.ORG] has done us a service. We are going to be taking a close look at our policies regarding Lotus security updates and how we can avoid the issue in general'"
A government entity thinking clearly and levelly, and actually thanking geeks for trying to help them? Astounding.
Okay, everyone, it's time to pack up and go. Would the last one out of the server room please hit the BRS?
They that would sacrifice their
My personal boycott of Kellogg's products continues at least until they repay Ian for his legal expenses incurred as a result of the need to defend against the city's stupidity.
I understand that Kellogg's has nothing to do with the stupidity of the city, but they're the biggest taxpayer/employer in Battle Creek, and that's close enough for me. As an American, collateral damage means nothing to me!
Warning: This signature may offend some viewers.
"...we recognize that [ORBZ.ORG] has done us a service."
It's about fucking time that someone pulled their heads out of their asses and realized that it wasn't necessary to start filing lawsuits and criminal charges to punish *smart* tech behavior!
Unfortunately, it may already be too late for ORBZ. Here's hoping that ORBZ comes back up in light of this statement.
First the boss makes a stink about ORBZ and then they get slashdotted. Glad I don't work there.
-- I have a private email server in my basement.
The good news: For once, a government entity came to communicate with someone who wasn't really doing it harm, but actually good, and managed to realize that.
The bad news: They still haven't quite understood the situation yet, based on the article taken from the City of Battle Creek page:
Spam refers to a computer prank that causes multiple duplicate emails, sometimes several hundred at once, to clog up the recipient's mail server.
They are getting better, though.
"What's so random about flipping a coin? Ever heard of the I Ching?"
Pity that their first reply was to sue, before even considering the case. It's a pity that ORBZ let itself be SLAPPed out of existence first.
Unfortunately, there really isn't any way to stop this sort of behaviour apart from instituting very harsh penalties for threatening to sue and not following through with the threat or reaching an adequate mediated position with all affected parties.
A$#*holes I say - even if they have recanted now, it's too late to fix the damage. For example the mail-filters plugin for Squirrelmail has had orbz removed - even if it comes back up, people running that code won't be using it.
ORBZ was scanning for open relays.
One of the known exploits for spammers to use open relays also happens to overlap with an old flaw in Lotus Notes, causing it to go into an infinite loop.
Battlecreek got whammied by ORBZ, unintentionally, and filed criminal charges.
"The City concluded that ORBZ.ORG had no criminal intent to cause the City harm by testing the 'open relay' status its server.
The City also announced that it really likes to be capitalized when referred to. It also notes that the word "of" is still banned when referring to stories about The City.
Nope. Read Ian's message. He said that he wasn't closing ORBZ because of *this* case. He was closing it because of the subsequent cases.
-russ
Don't piss off The Angry Economist
I told Ian, time and time again, that he shouldn't be testing innocent servers. Test servers that have sent spam, yes, by all means. But you can't go around invading innocent servers.
-russ
Don't piss off The Angry Economist
The defect was fixed in version 5.0.9 and Lotus has moved on with version 5.0.10 being released soon. Many people as of yet have not upgraded their servers, leaving ORBZ open to similar actions if they stumble across other Domino servers that are running older software and whose owners might be more litigious.
So ORBZ isn't out of the woods yet.
That is all.
Note to Battle Creek city managers: hire competent IT professionals, and this won't happen.
This is a very good development. It is refreshing to see people admit their mistake and back down. It is even more refreshing to see them confess that they realize that ORBZ has actually done them a service, the problem was theirs in the first place and they will try and do better in future.
All is forgiven Michigan IMHO.
Yea, that would be a mail bomb, but I haven't heard the phrase used in years.
Ahh, these are both perfect examples of why reasoning by analogy is the exclusive preserve of imbeciles. ORBZ tested mail servers. He did not distribute crack to children and he did not shoot anyone.
I'm not into reasoning by analogy, but if you feel the need in future here are some alternatives you might try; at the very least they betray your disgusting attempts to impugn ORBZ:
ORBZ is squeezing the fruit in the supermarket to see if it's ripe.
Another:
ORBZ is playing a tune to see if they approve of the melody.
Now go scurry under your rock and stop implying that what ORBZ did is anything other than a public service, or worse; equating it to selling coke to kids. These things are not morally equivalent you dolt.
for a better link...
./test triggered a weakness in the version of Lotus Domino software used by the City and caused a major slowdown of the City's network for about a day on March 22, 2002.
The email test triggered a weakness in the version of Lotus Domino software used by the City and caused a major slowdown of the City's email network for about a day on February 25, 2002.
The
-jim
From the press release by Michelle Reen, Assistant to the City Manager, Battle Creek, Michigan:
This analogy is flawed. Here's why:
Shooting people is something that, if a vest is not worn, can be expected to cause serious injury or death. Even if a vest is worn, the outcome can be injury, and death has been known to happen.
A more accurate analogy would be tapping someone on the shoulder to see if they are alive. But you don't expect that one in tens of thousands happens to have a very sore shoulder, and this tapping causes great pain.
My analogy is more correct because the kinds of tests ORBZ does are not ones where a reasonable person doing this kind of activity (reasonable in this case meaning someone who understands the SMTP protocol, and related standards like RFC822, TCP, etc) would expect to cause serious problems. At most, this should trigger an alarm in more secure servers, which can then be filtered for this known testing source. ORBZ is not including codes intended to damage or destroy computer systems in these tests just to see if they would be destroyed (as Ms. Reen's analogy would suggest).
It seems to me that the city of Battle Creek perhaps acted a bit hastily in the way they reacted. I'm not saying that they shouldn't have the police involved in the investigation, and I'm not saying they shouldn't pursue acquiring information to further that investigation. However, such an investigation should be tempered by the understanding that defective software, especially that which has not been properly maintained, or properly configured, can, and very frequently does, fail on account of that defect simply as the result of a properly formed, standards-defined computer or network activity. We all know PC systems (especially, but not exclusively, Windows) can fail at times even though only normal activity is taking place. Just because an activity can come from outside, from the internet, does not mean that it can only be malicious.
I recommend the City of Battle Creek Michigan, and any other government or business in like circumstances, operate under the following suggestions:
Also, get the reverse DNS fixed on your mail server.
now we need to go OSS in diesel cars
Oh, no, you can't. People who don't wear bulletproof vests (unlike badly configured mail-servers) harm only themselves, not others.
No. But they might get a court order to turn over all the account information. Maybe then we can find out who the real Anonymous Coward is :-)
now we need to go OSS in diesel cars
Disney's animatronics are much more convincing than Senator Hollings. You'd think that Disney's Imagineers could give him pointers on how to appear more life-like....
Then what needs to be done is to recognize the versions of Lotus that are defective, and just don't send any tests to those. Do go ahead and list them as a "spam risk due to incompetent administration" (e.g. because they have not yet been upgraded).
now we need to go OSS in diesel cars
Actually, it's now running....
220 battlecreek.org GroupWise Internet Agent 5.5.3.1 Ready (C)1993, 1999 Novell, Inc.
now we need to go OSS in diesel cars
One of the main issues here is whether ORBZ should be punished for checking a domain for SPAMing with authorization from that domain. There are several pros/cons for doing it this way:
PROS:
-SPAMing domain administrators aren't likely to respond to an email asking if they can be
-Incompetent administrators who will refuse and/or just not know what the check is, and so not want it to be done.
-Some administrators will simply delete it by mistake, not ever finding out they have an open relay.
-Also more reasons which I haven't thought of because I'm dead tired.
CONS:
-Lotus Domino and other servers with problems might either crash, or report false positives. This is a big problem for companies, but...they should really upgrade anyway.
-Probably some that I haven't thought of here too.
I think the positives far outweigh the
We were using their service for about 12,000 customers, and it worked quite well. Ah well.
---
It's my personal opinion that if someone sends one of these emails and it crashes your server, yes, it is your fault. Better to find out now, when you can fix it, before you lose more productivity later on when it is combined with all of the other
Maybe it will act as a reality check for all those managements out there who think security isn't a big issue. It is.
"Sed Quis Custodiet Ipsos Custodes?" -Juvenal
http://www.battlecreekenquirer.com/news/stories/20020322/localnews/1871053.html
Oh, my. These folks need Tech Help in just the worst way - won't someone write them with a set of correct definitions?
"It is morally wrong to initiate the aggressive use of force.." Of course, defensive force is fair game...
Of course, even if you can't get the spammers in a strict loop, telling relay1 that your machine's IP address is that of relay2, relay2 that it's relay3, relay3 that it's relay4, ..., should at least leave the Korean Spam Relays talking to each other and slow down the number of messages they can send to real people.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
I'm curious.. did they actually provide a security update, or was it a "buy the new version" sort of thing? If the second, I'm willing to give admins a lot more slack when it comes to having an open system - upgrading to a new version of something important like a mail server is not cheap, either in money or in time. Especially not at a government agency where every dollar has to be approved by 5 different committees.
The various parts of the US Government tend to be oblivious to Information Security issues. But they do know prosecution. And that they pursue with gusto.
We were constantly told that there was no budget to support infosec activity. But when the inevitable compromise was discovered, in came the big investigation. Infosec meetings included management's gleeful discussion of FBI involvement, followed by an FBI agent's discussion of "lessons learned" (rarely touching on real issues and always tech-light) and what equipment had been taken as evidence. Of course, the lab losing the IT resource rarely had the budget to replace the missing hardware. Everyone paid.
Of course, a bit of money up front to secure the environment from the beginning would probably avoid the whole investigation and enable the lab to continue using its hard-fought-for resources.
Back to Battle Creek. Sudden revisions on updating their infrastructure. Lots of grave concern over people running around doing damage to them, indistinguishable from all those Evil hackers. And prosecution talk.
Looks like the City of Battle Creek will be paying the high cost of ignoring infosec too.
You don't have to upgrade to get around this problem! I'm still running 5.08, but managed to 'patch' myself through a config setting outlined here before yesterday's story appeared on Slashdot.
It's a config setting, and Domino Administrators are (or bloody should be) prepared to tweak these settings.
I don't know if you're aware of this, but every Domino server, by default, installs as an open relay. Unless you lock it down with a setting in the server's configuration document (Router/SMTP - Restrictions and Controls - SMTP Inbound Controls - Inbound relay controls), you are going to have problems anyway.
It's a configuration issue.
Lotus are famous for leaving configurations wide open, and leaving it for the Administrator to tweak. I admit that they completely missed this issue coming, but fixing it is a 20 second job. I suppose now their problem is letting admins know....
Information wants to be beer.
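The relay test that the thread keeps referring to (ORBZ "testing the 'open relay' status" of a server, and the Domino "Inbound relay controls" setting above that decides whether such a test passes or fails) is short enough to show end to end. The following is an added example, not code from the original thread, from ORBZ or from Lotus: a probe that runs the standard open-relay check (greet, MAIL FROM an outside address, RCPT TO a second outside domain, and read whether the answer is 250 or 5xx) against a toy in-process SMTP server whose `open_relay` flag stands in for relay controls being left at their default. All host names and addresses (`city.example`, `probe.example`, `elsewhere.example`) are made-up placeholders.

```python
"""Open-relay probe plus a toy SMTP server to run it against.

Added example; not part of the original discussion, ORBZ or Lotus Domino.
The probe never sends DATA, so nothing is delivered even to an open relay:
the verdict comes from the server's reply to RCPT TO alone.
"""
import smtplib
import socketserver
import threading

LOCAL_DOMAIN = "city.example"  # domain the toy server "owns" (assumed, made up)


class ToySMTPHandler(socketserver.StreamRequestHandler):
    """Speaks just enough SMTP for a relay probe.

    self.server.open_relay models the Domino inbound relay controls:
    False = only mail for LOCAL_DOMAIN is accepted, True = relay anything.
    """

    def send(self, line):
        self.wfile.write((line + "\r\n").encode())

    def handle(self):
        self.send(f"220 {LOCAL_DOMAIN} toy SMTP ready")
        while True:
            raw = self.rfile.readline()
            if not raw:
                return
            verb, _, arg = raw.decode(errors="replace").strip().partition(" ")
            verb = verb.upper()
            if verb in ("HELO", "EHLO"):
                self.send(f"250 {LOCAL_DOMAIN}")
            elif verb in ("MAIL", "RSET"):
                self.send("250 OK")
            elif verb == "RCPT":
                # arg looks like "TO:<user@domain>"; pull out the domain part
                addr = arg.split(":", 1)[-1].strip().strip("<>")
                domain = addr.rpartition("@")[2].lower()
                if domain == LOCAL_DOMAIN or self.server.open_relay:
                    self.send("250 OK")
                else:
                    self.send("550 Relaying denied")
            elif verb == "QUIT":
                self.send("221 Bye")
                return
            else:
                self.send("502 Command not implemented")


class ToySMTPServer(socketserver.ThreadingTCPServer):
    allow_reuse_address = True

    def __init__(self, open_relay):
        super().__init__(("127.0.0.1", 0), ToySMTPHandler)  # port 0: pick a free one
        self.open_relay = open_relay


def probe_relay(host, port, timeout=5.0):
    """Return True if host:port accepts a recipient in a foreign domain.

    Sender and recipient are both outside the server's own domain, which is
    exactly the combination a spammer needs and a closed relay must refuse.
    """
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo("probe.example")
        smtp.mail("relaytest@probe.example")
        code, _ = smtp.rcpt("nobody@elsewhere.example")
        smtp.rset()  # abandon the envelope; nothing is ever sent
        return code == 250


def run_probe(open_relay):
    """Start a toy server in the given mode, probe it, tear it down."""
    server = ToySMTPServer(open_relay)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return probe_relay(*server.server_address)
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for mode in (False, True):
        verdict = "OPEN RELAY" if run_probe(mode) else "relay refused"
        print(f"relay controls {'off' if mode else 'on'}: {verdict}")
```

`probe_relay` is the only part a practitioner would point at a real host; the toy server exists so the exchange can be exercised offline. Note that the probe stops at RCPT TO and issues RSET, so a server that answers 250 is reported as open without any message being relayed through it.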
Must be something in the air in Battle Creek. I don't know what Kellogg's is belching out of their smokestacks these days, but I wish the RIAA and MPAA assholes would get a whiff of it.
~Philly
...stay very current on his Lotus Notes patches. Indeed, from now on, whenever news of a Lotus Notes security hole pops up on Securityfocus or elsewhere, guess who the script kiddies will try it out against first?
Say no to software patents.
I always thought a mail bomb was doing something like forging a request for the control file (or something huge) from NNTP servers. You post it to a newsgroup, and all the (now considered misconfigured) servers that receive your article would mail megabytes upon megabytes to the forged email address. The victim would get 100MB of mail a day for about a week. Now THAT was a mail bomb!! :)
This is more of a "crash the server exploit", or as many have already said, "DoS attack".
Intelligent Life on Earth
In turn, however, we have asked him to reconsider his policy of making unannounced tests on servers.
But if sending a mail to a server could cause it to crash, how else could you contact someone to get permission to test? Phone calling?
creation science book
:)
hawk, watching for californians under his bed . . .
Let me guess (based on pure speculation):
There are always exceptions, but the average municipality is not stealing the top minds from NASA to run their IT operations. Every once in a while, I peruse IT job listings. When I see a huge list of unrelated requirements combined with a pitiful salary, it's usually (a) municipal gov't, (b) school systems (same thing), or (c) retail. Before I get flamed by an army of municipal IT workers, I will clarify this sweeping generality: Municipalities hire too few people, they overcommit their resources, and the salaries encourage turnover. Surely, any reasonably qualified sysadmin (certified or not) would have detected & fixed the Lotus vulnerability (even if after-the-fact). The press release tells a story that makes it look like they have no dedicated IT staff whatsoever. I could be wrong on this, but if they spent less on lawyers and more on IT, this problem would have been prevented or quickly resolved.
According to Netcraft, the website at ci.battle-creek.mi.us is running "Microsoft-IIS/5.0 on Windows 2000." The prosecution rests. This Battle Creek operation must have been a real bundle of joy when they discovered the "Code Red" worm.
Second, this all could have been avoided if Ian Gulliver hadn't freaked when he got the order. If he'd waited a bleeding 24 hours this would have been resolved and ORBZ could have gone on its merry way.
It's very easy to be an armchair general from the peanut gallery, especially since you have nothing at risk.
This was a (relatively rare) instance of a government exercising some common sense. There was no guarantee that this would be the outcome.
Imagine if it had gone the other way (they pressed charges) and he had continued operating as before. Going in front of a judge and being forced to admit that "yes, I engaged in the same activity for which I was being prosecuted after having been served notice," is the kind of thing that results in penalties that tend toward the harsh, rather than lenient, if convicted.
ORBZ was a service being provided for our benefit, for the "greater good" if you will (yes, I know how alien that phrase sounds in our Money Ueber Alles culture, but there do still exist people who spend their energy trying to better all of humankind, rather than merely themselves. They may be endangered, but they aren't extinct just yet). It is not at all reasonable to expect someone to risk fines, seizure of equipment, and possibly even jail time simply so they can go on doing everyone else a favor.
The government body in question may be contrite now, but the damage is done, and they are, ultimately, the cause of that damage. Whitewashing their responsibility now behind the argument that "that's just how investigations are done" does nothing to alleviate their responsibility, though it does underscore just how aggressive, flawed, and Orwellian many of our "standard investigative procedures" have become. Not that we needed any more examples, we seem to have been getting hit in the face with that fact every day lately.
The Future of Human Evolution: Autonomy
We used ordb.org and while it did block a significant amount of spam, it also seemed to block a considerable number of our clients (we service healthcare companies and I won't speculate about what this says about their IS/IT groups). The last straw was when it added a major ISP's email server (which probably did need fixing but we nonetheless couldn't afford the downtime). Of late, I've quit using blacklists in favor of simply blocking offending netblocks which has actually yielded better results with less grief. This works because most of the offending netblocks are not something that we'd be expecting legitimate email from.
Using services such as orbz is opt in, not mandatory.
I for one could care less about an open relay getting a grace period to fix their problem.
It was only when a bunch of them were blacklisted that it got their attention to fix the problem.
Have you ever tried getting a response from a "postmaster" account?
The fact is until their users are impacted, it won't matter.
Now that ORBZ is offline, we have noticed a SIGNIFICANT increase in the amount of crap flowing into our systems.
Old age and treachery almost always overcome youth and skill.
My one and only printed Slashdot story was an item at Slashback: 640K, Pioneer, Payback that tells about a site that already has a list of the 800 numbers used by SPAMMERS.
"Live Free or Die." Don't like it? Then keep out of the USA
Does anyone know if it's possible to get the last snapshot of the reverse DNS database Ian had?
;)
I think if ORBZ was run on a patching basis we could choose to upgrade our databases on a daily basis.
Or better yet, use a P2P protocol to build a distributed network so that we don't have to suffer with the "READY-FIRE!-AIM" mentality of the technologically challenged
Old age and treachery almost always overcome youth and skill.
No, the fact that they used the word "duplicate" shows that they do not, in fact, "get it".
The definition of "spam" in the Jargon File lists duplication as the primary criterion under senses 3 and 4. Junk E-mail (UBE) enters the picture only in sense 5.
Funny: The first listed sense of "spam" refers to a buffer overflow.
Will I retire or break 10K?
As far as I know (and I may be wrong) it's not a paid upgrade for a sub-minor version.
That is all.
I'm glad to hear this, even if Ian doesn't bring back ORBZ. Kudos to the Battle Creek people for recognizing the truth and doing the right thing.
Manager Renews Search for New Police Chief Are the two events possibly related?
...
No, Battle Creek's been looking for a new police chief for quite some time - it's a thankless job
... for driving by Colors on the Corner on Friday night at 2:30
I would be all for that, except that spammers are not required to wait for any grace period.
funny munging
I disagree! A search warrant most certainly *is* a big deal. Primarily, it's "carte blanche" for authorities to invade your privacy, for the purpose of trying to collect evidence against you for a legal case.
Most often, it also includes seizures (supposedly necessary because the authorities can't fully determine the purpose/value of the "suspicious items" they turn up during the search without taking them to their labs and experts). That means ORBZ would lose use of their computer equipment until the investigation was completed. (And don't think they're always quick about it. They can, and usually do, hold onto seized items for years - meaning they'll be of little to no value by the time you get them back, even if they find you completely innocent!)
Think for a second: you're a government agency, and you notice someone sending bits to your server that make it crash. What's your first response? What's anyone's first response? Find out who did it, and search warrants are very good at that.
;-)
Think for a second: You're anybody on the face of the planet who is actually sane and rational. Your first response in the same situation: Block the bits, figure out why those bits crashed your shit, and then fix the fucking problem.
If your box explodes, then you are at fault. Period. Unless you are running M$ products.
- Give a man a fire and he's warm for a day, but set him on fire and he's warm for the rest of his life.
Please do, and enjoy those delicious genetically modified products every morning until your colon grows eyeballs. Then you'll be able to comb your hair without need of a mirror. :D
Warning: This signature may offend some viewers.