Nmap Author Receives FBI Subpoenas
spafbnerf writes "Fyodor, author of the open-source network scanning tool Nmap, posted a story to the nmap-hackers list about having received a number of subpoenas from the FBI this year, demanding webserver log data, none of which produced anything, either because they sought old information that had already been deleted from his logs, or because the subpoenas were improperly served. In every case the request was narrowly crafted, usually directed at finding out who visited the site in a very short window of time, such as a five minute period. Fyodor writes: "If they see that an attacker ran the command "wget http://download.insecure.org/nmap/dist/nmap-3.77.tgz" from a compromised host, they assume that she might have obtained that URL by visiting the Nmap download page from her home computer"."
Update: 11/25 20:21 GMT by T :
Reader kv9 adds a link to Kevin Poulsen's story at SecurityFocus.
the text is here
Dear Nmap hackers,
Let me first wish you Americans a happy Thanksgiving. Meanwhile, I'm
hard at work on a holiday Nmap version which should be available by
Christmas.
But enough pleasantries -- I want to discuss a sobering topic. With
increasing regularity this year, FBI agents from all over the country
have contacted me demanding webserver log data from Insecure.Org.
They don't give me reasons, but they generally seem to be
investigating a specific attacker who they think may have visited the
Nmap page at a certain time. If they see that an attacker ran the
command "wget http://download.insecure.org/nmap/dist/nmap-3.77.tgz"
from a compromised host, they assume that she might have obtained that
URL by visiting the Nmap download page from her home computer. So
far, I have never given them anything. In some cases, they asked too
late and data had already been purged through our data retention
policy. In other cases, they failed to serve the subpoena properly.
Sometimes they try asking without a subpoena and give up when I demand
one.
One can argue whether helping the FBI is good or bad. Remember that
they might be going after spammers, cyber-extortionists, DDOS kiddies,
etc. In this, I wish them the best. Nmap was designed to help
security -- the criminals and spammers put my work to shame! But the
desirability of helping the FBI is immaterial -- I may be forced by
law to comply with legal, properly served subpoenas. At the same
time, I'll try to fight anything too broad (like if they ask for
weblogs for a whole month). Protecting your privacy is important to
me, but Nmap users should be savvy enough to know that all of your
network activity leaves traces. I'm not the only one who gets these
subpoenas -- large ISPs and webmail providers receive them daily.
Most other major security sites probably do too. Most of you probably
don't care if someone finds out that you downloaded Nmap, Nessus,
Hping2, John the Ripper, etc. Nothing on Insecure.Org is illegal.
But for those of you who do care, there are plenty of mechanisms
available to preserve your anonymity. Remember this security mantra:
defense in depth.
Cheers,
Fyodor
If they used Tor, subpoenas wouldn't really have given any useful information away. Then again, it's so sloooow perhaps they'd still be downloading ;).
"Oversight" is not the noun from "oversee". In fact, "oversight" means ignoring something. You want to decrease oversight by increasing the degree of overseeing.
From the Oxford English Dictionary:
oversight (ˈəʊvərsaɪt), sb. [OVER- 7, 5.] The action of overseeing
or overlooking.
1 a Supervision, superintendence, inspection; charge, care, management,
control.
Fyodor's black hat ways exposed in a diary written a while ago. This man is not to be trusted at all.
I'm all for public access points but I do think that you should know what you're getting yourself into when you run a public AP. Most businesses especially should make sure they are covered.
A little off topic of the FBI but related to public APs. Something I like to do is run a public AP that doesn't have access to the Internet. It just acts as something of a localized BBS system. Anyone within reach can message each other, trade files, participate in the forums, or check out the wiki. It's not hard to make it so that someone connecting will get your entrance page anytime they try to connect to something other than your system. With a decent antenna you can reach a fairly large group of people in a crowded metro area. An interesting way to meet your neighbors.
At what price learning? At what cost wisdom? The price is a man's peace of mind, and the cost is his life.
Perhaps you don't understand the point behind nmap, but that is exactly why it was created. The idea was to provide a general purpose tool that gave intelligent admins the ability to scan and "attack" their own network with the exact same tools and techniques used by attackers. Nmap provides a centralized tool for all of these techniques that does not involve combing warez sites looking for each individual tool.
Out of all the options that you listed above, the only one I haven't personally used is the decoy scanning as I don't have a use for it. Combinations of the other settings are very useful for checking the setup of both network monitoring tools as well as verifying configurations very quickly across multiple servers or desktop systems. In addition, I have found nmap to be very useful in tracking down certain virus infections. When I know that a virus opens a specific port on a compromised box, I can do a network wide scan and quickly return all hosts that are potentially compromised (as we are talking student computers at a college, we are not directly responsible for the machines themselves).
True, nmap does put this same power in the hands of potentially malicious users, but given that they would have these same tools whether or not nmap existed, I much prefer being able to access them easily myself.
To get a subpoena you need to send an application to a judge specifying precisely why you want it and what you want, then convince the judge to say "yes". The long part of this is handing the paper to the Judge and convincing him/her to sign it.
In theory there should never be a full automating of this process, since that would also imply that the requests get rubber-stamped.
Besides, you're gonna be spending way more time in the initial investigation (to get enough evidence to convince the judge) and in the subsequent analysis of the resulting data (presuming that you get any) than you will typing the details of the subpoena into the boilerplate for the application.
Free Software: Like love, it grows best when given away.
Okay, now they only have to check the server does have its clock in sync, otherwise those 5 minute clips of logs won't be very useful. :)
Incorrect. Fyodor's clock can read 1988, and the logs would still be useful. The spooks can sync his logs up with the 'real time' by comparing his network activities with other servers, and what THEIR clocks said in THEIR logs. For instance, the probes that THEY were doing to his server would be logged, as well as when they did the probes.
Mod down people who tell people how to mod in their sigs
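As an added example (not from the original post, the comments, or the Nmap project), a Python sketch of the log correlation the comment above describes: a request whose real time is known from another system's logs fixes the server's clock offset, and the corrected timestamps yield the five-minute window the subpoenas ask about. All log lines, addresses, paths and times below are constructed.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed Apache "combined" log lines; the server clock is set to 1988
# and also runs a few minutes slow, so raw timestamps are useless as-is.
CONSTRUCTED_LOG = """\
10.0.0.5 - - [14/Nov/1988:03:10:02 +0000] "GET /nmap/ HTTP/1.1" 200 5120 "-" "Mozilla"
10.0.0.9 - - [14/Nov/1988:03:12:40 +0000] "GET /nmap/download.html HTTP/1.1" 200 8192 "-" "Mozilla"
10.0.0.7 - - [14/Nov/1988:03:13:15 +0000] "GET /probe-marker HTTP/1.1" 404 210 "-" "investigator"
10.0.0.9 - - [14/Nov/1988:03:14:01 +0000] "GET /nmap/dist/nmap-3.77.tgz HTTP/1.1" 200 1900000 "-" "Wget/1.9"
10.0.0.2 - - [14/Nov/1988:03:30:00 +0000] "GET /nmap/download.html HTTP/1.1" 200 8192 "-" "Mozilla"
"""

# client, ident, user, [timestamp], "METHOD PATH PROTO", status
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

def parse_log(text):
    """Yield (client_ip, logged_time, method, path, status) per well-formed line."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the whole parse
        ip, ts, method, path, status = m.groups()
        logged = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        yield ip, logged, method, path, int(status)

def clock_offset(entries, marker_path, true_time):
    """Offset to add to server timestamps so they line up with real time.
    marker_path is a request whose real time the requester recorded elsewhere."""
    for _ip, logged, _method, path, _status in entries:
        if path == marker_path:
            return true_time - logged
    raise ValueError("marker request not found in log")

def requests_in_window(entries, offset, start, minutes=5):
    """Client IPs with any request in [start, start+minutes) of corrected time."""
    end = start + timedelta(minutes=minutes)
    return sorted({ip for ip, logged, _m, _p, _s in entries
                   if start <= logged + offset < end})

# Constructed: real time of the probe, taken from the investigator's own logs.
PROBE_REAL_TIME = datetime(2004, 11, 14, 3, 20, 15, tzinfo=timezone.utc)

def investigate():
    """Return (computed offset, IPs active in a 5-minute window of real time)."""
    entries = list(parse_log(CONSTRUCTED_LOG))
    offset = clock_offset(entries, "/probe-marker", PROBE_REAL_TIME)
    window_start = datetime(2004, 11, 14, 3, 19, 0, tzinfo=timezone.utc)
    return offset, requests_in_window(entries, offset, window_start)
```

The 03:10:02 hit falls outside the window once the seven-minute skew is corrected, which is exactly the mistake an uncorrected five-minute clip would make.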
IANAL, but a warrant != subpoena.
A subpoena is an order demanding compliance with a legal proceeding, more usually in terms of attendance or provision of evidence. It doesn't require immediate action. You've got time to talk to your legal guy about it before acting on it, and to challenge it if you think it's wrong.
A warrant to search or seize, however, gives them permission to do just that, right there and then. You can call your lawyer or whatever, but that's not going to stop them doing exactly what it says on the papers. You can still challenge it, but it's going to be after the fact.