Slashdot Mirror
Battle Creek, Michigan Settles Dispute with ORBZ
Peter Sachs, Esq. writes: "According to a press release that now appears on its official website, the City of Battle Creek, Michigan has 'settled"' its dispute with ORBZ.ORG. The City concluded that ORBZ.ORG had no criminal intent to cause the City harm by testing the 'open relay' status its server. In fact, the Assistant to the City Manager said, '...we recognize that [ORBZ.ORG] has done us a service. We are going to be taking a close look at our policies regarding Lotus security updates and how we can avoid the issue in general'"
A government entity thinking clearly and levelly, and actually thanking geeks for trying to help them? Astounding.
Okay, everyone, it's time to pack up and go. Would the last one out of the server room please hit the BRS?
They that would sacrifice their
My personal boycott of Kellogg's products continues at least until they repay Ian for his legal expenses incurred as a result of the need to defend against the city's stupidity.
I understand that Kellogg's has nothing to do with the stupidity of the city, but they're the biggest taxpayer/employer in Battle Creek, and that's close enough for me. As an American, collateral damage means nothing to me!
Warning: This signature may offend some viewers.
First the boss makes a stink about ORBZ an then they get slashdotted. Glad I don't work there.
-- I have a private email server in my basement.
The good news: For once, a government entity came to communicate with someone who wasn't really doing it harm, but actually good, and managed to realize that.
The bad news: They still haven't quite understood the situation yet, based on the article taken from the City of Battle Creek page:
Spam refers to a computer prank that causes multiple duplicate emails, sometimes several hundred at once, to clog up the recipient's mail server.
They are getting better, though.
"What's so random about flipping a coin? Ever heard of the I Ching?"
Comment removed based on user account deletion
ORBZ was scanning for open relays.
One of the known exploits for spammers to use open relays also happens to overlap with an old flaw in Lotus Notes, causing it to go into an infinite loop.
Battlecreek got whammied by ORBZ, unintentionally, and filed criminal charges.
"The City concluded that ORBZ.ORG had no criminal intent to cause the City harm by testing the 'open relay' status its server.
The City also announced that it really like to be capitalized when referred to. It also notes that the word "of" is still banned when referring to stories about The City.
------
Today's Top Deals
Nope. Read Ian's message. He said that he wasn't closing ORBZ because of *this* case. He was closing it because of the subsequent cases.
-russ
Don't piss off The Angry Economist
I told Ian, time and time again, that he shouldn't be testing innocent servers. Test servers that have sent spam, yes, by all means. But you can't go around invading innocent servers.
-russ
Don't piss off The Angry Economist
The defect was fixed in version 5.0.9 and Lotus has moved on with version 5.0.10 being released soon. Many people as of yet have not upgraded their servers, leaving ORBZ open to similar actions if they stumble accross other Domino servers that are running older software and whose owners might be more litigious.
So ORBZ isn't out of the woods yet.
That is all.
Note to Battle Creek city managers: hire competent IT professionals, and this won't happen.
Second, this all could have been avoided if Ian Gulliver hadn't freaked when he got the order. If he'd waited a bleeding 24 hours this would have been resolved and ORBZ could have gone on its merry way.
I'm going to resist drawing any parallels between your hysterical and incorrect assessment of the situation and Ian's similar reaction, except to say: pay attention. Life is hard enough without going off half-cocked on incomplete information.
This isn't as much "normalization" as it is "don't take so many drugs when you're designing tables."
Ahh, these are both perfect examples of why reasoning by analogy is the exclusive preserve of imbeciles. ORBZ tested mail servers. He did not distribute crack to children and he did not shoot anyone.
I'm not into reasoning by analogy but if you feel the need in future here are some alternatives you might try, at the very least they betray your disgusting attempts to impugn ORBZ:
ORBZ is squeezing the fruit in the supermarket to see if it's ripe.
Another:
ORBZ is playing a tune to see if they approve of the melody.
Now go scurry under your rock and stop implying that what ORBZ did is anything other than a public service, or worse; equating it to selling coke to kids. These things are not morally equivalent you dolt.
for a better link...
./test triggered a weakness in the version of Lotus Domino software used by the City and caused a major slowdown of the City's network for about a day on March 22, 2002.
The email test triggered a weakness in the version of Lotus Domino software used by the City and caused a major slowdown of the City's email network for about a day on February 25, 2002.
The
-jim
From the press release by Michelle Reen, Assistant to the City Manager, Battle Creek, Michigan:
This analogy is flawed. Here's why:
Shooting people is something where, if a vest is not worn, can be expected to cause serious injury or death. Even if a vest is worn, the outcome can be injury, and death has been known to happen.
A more accurate analogy would be tapping someone on the shoulder to see if they are alive. But you don't expect that one in tens of thousands happens to have a very sore shoulder, and this tapping causes great pain.
My analogy is more correct because the kinds of tests ORBZ does is not one where a reasonable person doing this kind of activity (reasonable in this case meaning someone who understands the SMTP protocol, and related standards like RFC822, TCP, etc) would expect to cause serious problems. At most, this should trigger an alarm in more secure servers, which can then be filtered for this known testing source. ORBZ is not including codes intended to damage or destroy computer systems in these tests just to see if they would be destroyed (as Ms. Reen's analogy would suggest).
It seems to me that the city of Battle Creek perhaps acted a bit hasty in the way they reacted. I'm not saying that they shouldn't have the police involved in the investigation, and I'm not saying they shouldn't pursue acquiring information to further that investigation. However, such an investigation should be tempered by the understanding that defective software, especially that which has not been properly maintained, or properly configured, can, and very frequently does, fail on account of that defect simply as the result of a properly formed standards defined computer or network activity. We all know PC systems (especaily, but not exclusively, Windows) can fail at times even though only normal activity is taking place. Just because an activity can come from outside, from the internet, does not mean that it can only be malicious.
I recommend the City of Battle Creek Michigan, and any other government or business in like circumstances, operate under the following suggestions:
Also, get the reverse DNS fixed on your mail server.
now we need to go OSS in diesel cars
Of course, even if you can't get the spammers in a strict loop, telling relay1 to that your machine's ip address is that of relay 2, relay2 that it's relay3, relay3 that it's relay4, ..., should at least leave the Korean Spam Relays talk to each other and slowing down the number of messages they can send to real people.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
Must be something in the air in Battle Creek. I don't know what Kellogg's is belching out of their smokestacks these days, but I wish the RIAA and MPAA assholes would get a whiff of it.
~Philly
Having more knowledge here of what went on than you, please trust me. In my opinion, this 'settlement' wouldn't have been nearly as forthcoming if a certain Wired.com article didn't cause major embarassment. I believe that this 'settlement' is much more public relations damage control than an actual realization that a mistake was made.
In turn, however, we have asked him to reconsider his policy of making unannounced tests on servers.
But if sending a mail to a server could cause it to crash, how else could you contact someone to get permission to test? Phone calling?
creation science book
:)
hawk, watching for californians under his bed . . .
Let me guess (based on pure speculation):
There are always exceptions, but the average municipality is not stealing the top minds from NASA to run their IT operations. Every once in a while, I peruse IT job listings. When I see a huge list of unrelated requirements combined with a pitiful salary, it's usually (a) municipal gov't, (b) school systems (same thing), or (c) retail. Before I get flamed by an army of municipal IT workers, I will clarify this sweeping generality: Municipalities hire too few people, they overcommit their resources, and the salaries encourage turnover. Surely, any reasonably qualified sysadmin (certified or not) would have detected & fixed the Lotus vulnerability (even if after-the-fact). The press release tells a story that makes it look like they have no dedicated IT staff whatsoever. I could be wrong on this, but if they spent less on lawyers and more on IT, this problem would have been prevented or quickly resolved.
According to Netcraft, the website at ci.battle-creek.mi.us is running "Microsoft-IIS/5.0 on Windows 2000." The prosecution rests. This Battle Creek operation must have been a real bundle of joy when they discovered the "Code Red" worm.
Second, this all could have been avoided if Ian Gulliver hadn't freaked when he got the order. If he'd waited a bleeding 24 hours this would have been resolved and ORBZ could have gone on its merry way.
It's very easy to be an armchair general from the peanut gallary, especially since you have nothing at risk.
This was a (relatively rare) instance of a government excersizing some common sense. There was no guarantee that this would be the outcome.
Imagine if it had gone the other way (they pressed charges) and he had continued operating as before. Going in front of a judge and being forced to admint that "yes, I engaged in the same activity for which I was being prosecuted after having been served notice," is the kind of thing that results in penalties that tend toward the harsh, rather than linient, if convicted.
ORBZ was a service being provided for our benefit, for the "greater good" if you will (yes, I know how alien that phrase sounds in our Money Ueber Alles culture, but there do still exist people who spend their energy trying to better all of humankind, rather than merely themselves. They may be endangered, but they aren't extinct just yet). It is not at all reasonable to expect someone to risk fines, seizure of equipment, and possibly even jail time simply so they can go on doing everyone else a favor.
The government body in question may be contrite now, but the damage is done, and they are, ultimately, the cause of that damage. Whitewashing their responsiblity now behind the argument that "that's just how investigations are done" does nothing to alleviate their responsiblity, though it does underscore just how aggressive, flawed, and Orwellian many of our "standard investigative procedures" have become. Not that we needed any more examples, we seem to have been getting hit in the face with that fact every day lately.
The Future of Human Evolution: Autonomy
Even better, it's like me connecting to your web server, and your web server crashing because I used Opera, rather than IE. Then you get the police to obtain a search warrant, because my machine caused yours to crash, and you didn't have any better explaination.
Sounds like a case of CYA to me.
If I connect to your machine, that you've publicly connected to the internet, and you're offering services on, and send valid packets to request service, and your machine crashes? Well, too bad. Fix it, or learn to live with a server that doesn't work right.
What else is an SMTP server to do, other than accept mail. If your mail server crashes because it can't understand the mail, then it's the mail servers problem. NOT THE PERSON SENDING THE MAIL! Now, if I hacked my way into your internal network, and then used a non-public SMTP server to send mail, you might have a case.
That's like designing software that doesn't account for all types of input. When someone puts something in that you didn't anticipate, and the software crashes, then you blame the person who entered the data? Sheesh! Talk about passing hte buck.
Perhaps SillyMe out to get smacked by the clue stick.
Cheers!