Slashdot Mirror


Battle Creek, Michigan Settles Dispute with ORBZ

Peter Sachs, Esq. writes: "According to a press release that now appears on its official website, the City of Battle Creek, Michigan has 'settled' its dispute with ORBZ.ORG. The City concluded that ORBZ.ORG had no criminal intent to cause the City harm by testing the 'open relay' status its server. In fact, the Assistant to the City Manager said, '...we recognize that [ORBZ.ORG] has done us a service. We are going to be taking a close look at our policies regarding Lotus security updates and how we can avoid the issue in general'"

17 of 259 comments

  1. Battle Creek and Kellogg's by asackett · · Score: 4, Funny

    My personal boycott of Kellogg's products continues at least until they repay Ian for his legal expenses incurred as a result of the need to defend against the city's stupidity.

    I understand that Kellogg's has nothing to do with the stupidity of the city, but they're the biggest taxpayer/employer in Battle Creek, and that's close enough for me. As an American, collateral damage means nothing to me!

    --

    Warning: This signature may offend some viewers.

  2. Good News, Bad News by Astral+Jung · · Score: 4, Insightful

    The good news: For once, a government entity came to communicate with someone who wasn't really doing it harm, but actually good, and managed to realize that.

    The bad news: They still haven't quite understood the situation yet, based on the article taken from the City of Battle Creek page:

    Spam refers to a computer prank that causes multiple duplicate emails, sometimes several hundred at once, to clog up the recipient's mail server.

    They are getting better, though.

    --
    "What's so random about flipping a coin? Ever heard of the I Ching?"
  3. Also by NiftyNews · · Score: 5, Funny

    "The City concluded that ORBZ.ORG had no criminal intent to cause the City harm by testing the 'open relay' status its server."

    The City also announced that it really likes to be capitalized when referred to. It also notes that the word "of" is still banned when referring to stories about The City.

  4. Nope. by Russ+Nelson · · Score: 4, Informative

    Nope. Read Ian's message. He said that he wasn't closing ORBZ because of *this* case. He was closing it because of the subsequent cases.
    -russ

    --
    Don't piss off The Angry Economist
  5. Gee, the city manager agrees with me. by Russ+Nelson · · Score: 4, Insightful

    I told Ian, time and time again, that he shouldn't be testing innocent servers. Test servers that have sent spam, yes, by all means. But you can't go around invading innocent servers.
    -russ

    --
    Don't piss off The Angry Economist
  6. Re:more info? by frank_adrian314159 · · Score: 5, Informative
    There was a defect in releases earlier than 5.0.9. When E-mail was received from an address having a certain form, the system would go into a hung state, consuming 100% of the server's CPU cycles. Here is the reference to the details.

    The defect was fixed in version 5.0.9 and Lotus has moved on with version 5.0.10 being released soon. Many people as of yet have not upgraded their servers, leaving ORBZ open to similar actions if they stumble across other Domino servers that are running older software and whose owners might be more litigious.

    So ORBZ isn't out of the woods yet.

    --
    That is all.
  7. Re:Better late than never? by legLess · · Score: 4, Insightful
    Breathe into a paper bag for a minute before you hyperventilate. First, this wasn't a SLAPP, it was a court order. It wasn't even a criminal charge yet. More to the point, it was justified. Here's what the press release (which you obviously didn't read) says:
    "The purpose of the search warrant was to determine the identity of the person who sent the email that caused our system to fail so we could then determine whether further investigation would be necessary."
    Think for a second: you're a government agency, and you notice someone sending bits to your server that make it crash. What's your first response? What's anyone's first response? Find out who did it, and search warrants are very good at that.

    Second, this all could have been avoided if Ian Gulliver hadn't freaked when he got the order. If he'd waited a bleeding 24 hours this would have been resolved and ORBZ could have gone on its merry way.

    I'm going to resist drawing any parallels between your hysterical and incorrect assessment of the situation and Ian's similar reaction, except to say: pay attention. Life is hard enough without going off half-cocked on incomplete information.
    --
    This isn't as much "normalization" as it is "don't take so many drugs when you're designing tables."
  8. Re:A better analogy... by Performer+Guy · · Score: 4, Insightful

    Ahh, these are both perfect examples of why reasoning by analogy is the exclusive preserve of imbeciles. ORBZ tested mail servers. He did not distribute crack to children and he did not shoot anyone.

    I'm not into reasoning by analogy but if you feel the need in future here are some alternatives you might try, at the very least they betray your disgusting attempts to impugn ORBZ:

    ORBZ is squeezing the fruit in the supermarket to see if it's ripe.

    Another:

    ORBZ is playing a tune to see if they approve of the melody.

    Now go scurry under your rock and stop implying that what ORBZ did is anything other than a public service, or worse; equating it to selling coke to kids. These things are not morally equivalent you dolt.

  9. Shooting people to tests for vests by Skapare · · Score: 5, Informative

    From the press release by Michelle Reen, Assistant to the City Manager, Battle Creek, Michigan:

    "But, if I can draw the analogy that just because everyone should wear a computerized bulletproof vest doesn't mean that shooting people to find out who isn't wearing one is the best answer. If Mr. Gulliver chooses to do this, he perhaps shouldn't be surprised that he will occasionally be confused with the type of individual he is fighting against."

    This analogy is flawed. Here's why:

    Shooting people is something where, if a vest is not worn, can be expected to cause serious injury or death. Even if a vest is worn, the outcome can be injury, and death has been known to happen.

    A more accurate analogy would be tapping someone on the shoulder to see if they are alive. But you don't expect that one in tens of thousands happens to have a very sore shoulder, and this tapping causes great pain.

    My analogy is more correct because the kinds of tests ORBZ does is not one where a reasonable person doing this kind of activity (reasonable in this case meaning someone who understands the SMTP protocol, and related standards like RFC822, TCP, etc) would expect to cause serious problems. At most, this should trigger an alarm in more secure servers, which can then be filtered for this known testing source. ORBZ is not including codes intended to damage or destroy computer systems in these tests just to see if they would be destroyed (as Ms. Reen's analogy would suggest).

    It seems to me that the city of Battle Creek perhaps acted a bit hasty in the way they reacted. I'm not saying that they shouldn't have the police involved in the investigation, and I'm not saying they shouldn't pursue acquiring information to further that investigation. However, such an investigation should be tempered by the understanding that defective software, especially that which has not been properly maintained, or properly configured, can, and very frequently does, fail on account of that defect simply as the result of a properly formed standards defined computer or network activity. We all know PC systems (especially, but not exclusively, Windows) can fail at times even though only normal activity is taking place. Just because an activity can come from outside, from the internet, does not mean that it can only be malicious.

    I recommend the City of Battle Creek Michigan, and any other government or business in like circumstances, operate under the following suggestions:

    • Whenever something causes a system to fail, include in any investigation of the cause an analysis of why it failed, including the protocols and software codes involved. Don't just hand it over to the police after the first jump to conclusion. Gain an understanding of exactly why the system failed, especially if the failure repeats.
    • Whenever a problem is tracked to some source, don't jump into threatening mode on initial contact, unless you have a reason to believe the communication would fail any other way. Serious intent to investigate and followup on real crimes does not mean aggression in legal procedures gains anything. Were this a real internet cracker, there wouldn't have been any useful information from this first step, anyway.
    • Place stronger protection between office LANs and city WANs and the internet itself. But do more than just a simple firewall that allows raw TCP streams to pass. Use a strong secure server with proxying where possible. Systems like Lotus Notes and Microsoft Exchange are too likely to be vulnerable, and too mission critical for staff operations, to be expected to also serve as the shield facing the internet. Run an OpenBSD server with something like Postfix to forward mail, and Squid to cache web accesses both in and out.
    • Institute new procedures that outline standard timeframes for keeping computer systems up to date, especially with the latest security alerts. All security patches should be installed within 7 days of availability or a report made to the top official regarding why that patch cannot be applied, describing alternative steps to deal with the risk. All other systems should be upgraded to the latest version within 90 days, if free. If not free, an analysis of the benefits (if any) of purchasing such an upgrade should be provided to the person in charge of making system software purchasing decisions, within 90 days.

    Also, get the reverse DNS fixed on your mail server.

    --
    now we need to go OSS in diesel cars
    1. Re:Shooting people to tests for vests by Skapare · · Score: 5, Interesting

      Interesting that the latest banner I get is....
      220 battlecreek.org GroupWise Internet Agent 5.5.3.1 Ready (C)1993, 1999 Novell, Inc.

      I had a run in that went a slightly different way with a member of the school board for the Spencer Wisconsin school district. I got spam from them. I reported the problem to them, noting also that this was an inappropriate way for tax dollars to be spent. I got this response:

      Dear Phil,
      We have talented people working hard to keep our system clean. Somehow
      it seems that criminals and crackers are better funded than public school
      systems. Figure that out. Meanwhile, if you would spend less time
      criticizing honest hard working people and more time helping put a stop to
      this sort of thing, we'd all be better off.
      You sir, are a Prick.

      Sincerely,
      Jeff Darga
      VP-Spencer Board of Education

      What I'd like to know is why honest hard working people are incompetent and leave a mail server open to spamming abuses. Of course Mr. Darga doesn't really seem to care.

      --
      now we need to go OSS in diesel cars
    2. Re:Shooting people to tests for vests by Anonymous Coward · · Score: 4, Insightful

      So why didn't you send this information to the local newspaper? Seems to me the voters would love to see what a foul-mouth guy this "Jeff Darga" allegedly is.

  10. Do other mail servers have similar flaws? by billstewart · · Score: 4, Interesting
    I've been thinking about the spam problem and how to discourage attacks from open relays. Are there mail systems that don't do loop detection, or aren't good at detecting if mail is really addressed to their machine? For instance, what do the popular mailers do if they get mail for spambait.example.com and dns resolves the name to 127.0.0.1 or 127.0.0.2 or 255.255.255.255? Do they decide it's for them, or do they think it's for somebody else and send it back to themselves? Or if you set your DNS to tell spam-relay-1.com.kr that spambait.example.com's IP address is the address of spam-relay-2.com.kr and vice versa - will they end up in an endless mail loop the next time somebody sends mail to harvestme@spambait.example.com, or will they decide (at least after one or two iterations) that they've seen the message twice so they'll drop it or try to send bouncemail to the original (presumably fake) spammer's address?

    Of course, even if you can't get the spammers in a strict loop, telling relay1 that your machine's ip address is that of relay 2, relay2 that it's relay3, relay3 that it's relay4, ..., should at least leave the Korean Spam Relays talking to each other and slowing down the number of messages they can send to real people.

    --

    Bill Stewart
    New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
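
Added example, not part of the comment above or of the original page: a Python sketch of the checks a relaying mail server can apply before forwarding, covering the cases the comment asks about (a destination that resolves to 127.0.0.1, 127.0.0.2 or 255.255.255.255, and two relays pointed at each other). The function names, hostnames, addresses and the 25-hop limit are assumptions, and the sample messages are constructed; real MTAs expose the hop limit as a setting (Postfix's `hopcount_limit`, for example).

```python
import ipaddress
import re
from email import message_from_string

MAX_HOPS = 25  # assumed limit for this sketch; real MTAs make it configurable
BY_CLAUSE = re.compile(r"\bby\s+([^\s;()]+)", re.IGNORECASE)


def relay_decision(raw_message, next_hop_ip, my_hostname, my_ips, max_hops=MAX_HOPS):
    """Decide whether to forward a message; returns (action, reason)."""
    received = message_from_string(raw_message).get_all("Received") or []
    addr = ipaddress.ip_address(next_hop_ip)
    own = {ipaddress.ip_address(ip) for ip in my_ips}

    # 1. The destination's address is this host itself (127.0.0.0/8 or one of
    #    our interfaces): connecting would hand the message straight back to us.
    if addr.is_loopback or addr in own:
        return ("bounce", "destination loops back to this host")
    # 2. Broadcast, unspecified or multicast addresses are not mail servers.
    if (addr == ipaddress.ip_address("255.255.255.255")
            or addr.is_unspecified or addr.is_multicast):
        return ("bounce", "destination is not a usable unicast address")
    # 3. Every MTA prepends one Received header, so the count is the hop count.
    #    A loop between two relays grows it until this limit stops the message.
    if len(received) >= max_hops:
        return ("bounce", "too many hops")
    # 4. Stricter check (assumption of this sketch): our own name in a "by"
    #    clause means we already handled this message once.
    seen_by = {m.group(1).lower() for h in received for m in BY_CLAUSE.finditer(h)}
    if my_hostname.lower() in seen_by:
        return ("bounce", "message already passed through this host")
    return ("relay", "ok")


def make_message(by_hosts):
    """Build a constructed sample message that has passed through by_hosts."""
    headers = [f"Received: from client.example.org by {h} with ESMTP; "
               "Mon, 1 Jan 2001 00:00:00 +0000" for h in reversed(by_hosts)]
    headers += ["From: sender@example.org",
                "To: harvestme@spambait.example.com", "Subject: test"]
    return "\n".join(headers) + "\n\nbody\n"


ME, MY_IPS = "mx1.example.net", ["192.0.2.10"]          # constructed values
FRESH = make_message(["relay-a.example.org"])
LOOPED = make_message(["relay-a.example.org", "mx1.example.net"])
PINGPONG = make_message(["relay-a.example.org", "relay-b.example.org"] * 13)

if __name__ == "__main__":
    for name, msg, ip in [("fresh", FRESH, "198.51.100.25"),
                          ("to loopback", FRESH, "127.0.0.2"),
                          ("to broadcast", FRESH, "255.255.255.255"),
                          ("seen before", LOOPED, "198.51.100.25"),
                          ("ping-pong", PINGPONG, "198.51.100.25")]:
        print(name, "->", relay_decision(msg, ip, ME, MY_IPS))
```

A server that applies checks 1 to 3 bounces the message in each of the scenarios the comment describes; a server that applies none of them is the one that would loop.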
  11. Score one for common sense, for a change. by phillymjs · · Score: 4, Funny

    Must be something in the air in Battle Creek. I don't know what Kellogg's is belching out of their smokestacks these days, but I wish the RIAA and MPAA assholes would get a whiff of it.

    ~Philly

  12. Re:Better late than never? by flamingcow · · Score: 5, Informative
    "The purpose of the search warrant was to determine the identity of the person who sent the email that caused our system to fail so we could then determine whether further investigation would be necessary."
    The search warrant cited our domain no less than 7 times. Had the detective taken the time to read the website, the situation would have been quite clear to him.
    "Second, this all could have been avoided if Ian Gulliver hadn't freaked when he got the order. If he'd waited a bleeding 24 hours this would have been resolved and ORBZ could have gone on its merry way."
    Having more knowledge here of what went on than you, please trust me. In my opinion, this 'settlement' wouldn't have been nearly as forthcoming if a certain Wired.com article didn't cause major embarrassment. I believe that this 'settlement' is much more public relations damage control than an actual realization that a mistake was made.
  13. Nope, you missed it by hawk · · Score: 4, Funny
    "The City" is known to mean San Francisco by all educated persons. The *real* question is why SF is involved in this. Was it infiltrating Battle Creek? Having dealt with California agencies while practicing law in Nevada, and being aware of their imperial pretensions, I want to know (and so should the residents of Battle Creek!).


    :)


    hawk, watching for californians under his bed . . .

  14. What an embarrassment! by dcavanaugh · · Score: 4, Funny
    First, the writer [of the press release] describes spam as a "computer prank" instead of unsolicited commercial e-mail. The comment proves they don't know what spam is! Then we have the unmentioned IT person who somehow traced back the activity to ORBZ without realizing their Lotus server was a sitting duck for a DOS attack (intentional or not).

    Let me guess (based on pure speculation):
    • Lotus server set up by the "consultant du jour", who handles support on a pay-as-you-go basis
    • City calls for support, consultant quickly scans the log & points finger to ORBZ
    • City mgmt. goes berserk; legal dept. goes to DEFCON 1; unleashes nastygrams vs. ORBZ
    • ORBZ explains cluelessness involved in having unpatched Lotus server; makes consultant look like idiot
    • City finds new consultant; recommends upgrade to Linux+Sendmail+Amavis+Sophos

    There are always exceptions, but the average municipality is not stealing the top minds from NASA to run their IT operations. Every once in a while, I peruse IT job listings. When I see a huge list of unrelated requirements combined with a pitiful salary, it's usually (a) municipal gov't, (b) school systems (same thing), or (c) retail. Before I get flamed by an army of municipal IT workers, I will clarify this sweeping generality: Municipalities hire too few people, they overcommit their resources, and the salaries encourage turnover. Surely, any reasonably qualified sysadmin (certified or not) would have detected & fixed the Lotus vulnerability (even if after-the-fact). The press release tells a story that makes it look like they have no dedicated IT staff whatsoever. I could be wrong on this, but if they spent less on lawyers and more on IT, this problem would have been prevented or quickly resolved.

    According to Netcraft, the website at ci.battle-creek.mi.us is running "Microsoft-IIS/5.0 on Windows 2000." The prosecution rests. This Battle Creek operation must have been a real bundle of joy when they discovered the "Code Red" worm.
  15. Why Should He Risk All to do *US* a Favor? by FreeUser · · Score: 4, Interesting

    "Second, this all could have been avoided if Ian Gulliver hadn't freaked when he got the order. If he'd waited a bleeding 24 hours this would have been resolved and ORBZ could have gone on its merry way."

    It's very easy to be an armchair general from the peanut gallery, especially since you have nothing at risk.

    This was a (relatively rare) instance of a government exercising some common sense. There was no guarantee that this would be the outcome.

    Imagine if it had gone the other way (they pressed charges) and he had continued operating as before. Going in front of a judge and being forced to admit that "yes, I engaged in the same activity for which I was being prosecuted after having been served notice," is the kind of thing that results in penalties that tend toward the harsh, rather than lenient, if convicted.

    ORBZ was a service being provided for our benefit, for the "greater good" if you will (yes, I know how alien that phrase sounds in our Money Ueber Alles culture, but there do still exist people who spend their energy trying to better all of humankind, rather than merely themselves. They may be endangered, but they aren't extinct just yet). It is not at all reasonable to expect someone to risk fines, seizure of equipment, and possibly even jail time simply so they can go on doing everyone else a favor.

    The government body in question may be contrite now, but the damage is done, and they are, ultimately, the cause of that damage. Whitewashing their responsibility now behind the argument that "that's just how investigations are done" does nothing to alleviate their responsibility, though it does underscore just how aggressive, flawed, and Orwellian many of our "standard investigative procedures" have become. Not that we needed any more examples, we seem to have been getting hit in the face with that fact every day lately.

    --
    The Future of Human Evolution: Autonomy