Nmap Author Receives FBI Subpoenas
spafbnerf writes "Fyodor, author of the open-source network scanning tool Nmap, posted a story to the nmap-hackers list about having received a number of subpoenas from the FBI this year, demanding webserver log data, none of which produced anything, either because they sought old information that had already been deleted from his logs, or because the subpoenas were improperly served. In every case the request was narrowly crafted, usually directed at finding out who visited the site in a very short window of time, such as a five minute period. Fyodor writes: "If they see that an attacker ran the command "wget http://download.insecure.org/nmap/dist/nmap-3.77.tgz" from a compromised host, they assume that she might have obtained that URL by visiting the Nmap download page from her home computer"."
Update: 11/25 20:21 GMT by T :
Reader kv9 adds a link to Kevin Poulsen's story at SecurityFocus.
That seems like a legitimate investigative technique. They're probably trying to match up different pieces of evidence to find the person behind things.
Even the Nmap Author seems to agree that it could help in the fight against these undesirable script kiddies, etc. However, I think it is great that this author has brought this to public attention, and will hopefully increase oversight of these cyber-investigations.
Of course, we do need law enforcement and this is a legitimate field to investigate so that we can have protected web commerce. With eyes on their activities, we can hopefully keep the Internet free and safe. Thoughts?
"There's no success like failure, and failure's no success at all."
- Bob Dylan
Well, I'm pretty sure that if a person downloaded nmap to a compromised host that person most likely visited the nmap website some time. The problem is that a lot of people visit that site, and it is nearly impossible to weed out the false positives from the person they are seeking. Furthermore, the FBI approach would only work if the person visited the site recently, which might not be the case. It'd be impossible to figure it out if the person last visited the nmap website several months ago, for example.
Any sufficiently advanced technology is indistinguishable from magic.
Seriously, that is the dumbest thing I ever heard.
Nmap is popular as hell - unless they already have a suspect, this isn't going to be useful for them, all it will do is give them a scapegoat 9 times out of 10 - let's say they do get Fyodor's webserver log - which I doubt he'll be keeping in the future, assuming he does now - all that would give them is the IP addresses of a few dozen nmap users - one or two of which may be script kiddies of some sort.
And if they can verify that a script kiddy A downloaded nmap in their window of interest, what are they going to do? Assume they're responsible for the wrong crime and charge him or her. It's stupid and it's a witch hunt and it's a shot in the dark.
Of course, if the FBI has already got a suspect, they might be able to strengthen their case, but that's still pretty circumstantial evidence. Not exactly a smoking gun.
Just my $0.02US
My first thought when I got that e-mail was that the feds wanted to know who was downloading Nmap pr0n.
Of course, I'm the one who wrote the script and shot the video, so it's only natural.
I think Fyodor is doing the right thing, and I think the feds are just using standard intimidation tactics... but then again, I've always been about state powers as opposed to federal powers. At least with state powers, you can always choose to move to a different state...
HaXXXor.com - Naked Chicks Teach You How To Ha
Not all so-called criminals are really "bad" for society, nor does everything the police do actually help society more than it gives the public a false impression that they are actually doing something useful.
I think this is purposeful, and, frankly, smart.
The assumption here is that the person the FBI is looking for is breaking the law, and is cracking boxes and other unsavory things.
Why do we assume that the person is a he?
It is possible that it's a she.
People seem to be more sympathetic to women, and so I'd think this would be a good way to combat the stereotype of male "hackers".
(Not as OT as it seems: the new head of the CIA, Porter Goss, has said that all CIA officers must support the Bush government's policies. Draw your own conclusions about political control of instruments of the state - extra credit for reference to the early years after the 1917 revolution and Marxist/Leninist thought. Oh and whilst I'm going down tangents, I just read today that a key political ally for the US in Iraq is... the ICP (Iraqi Communist Party)! (No, that's just the first Google result, not where I read it.))
More obviously on-topic - I have worked as a penetration tester, including work for one of the five most significant financial institutions in the world and many large corporates. Naturally Nmap was probably the single most important app I used. I'd just like to thank Fyodor for Nmap and to offer my own, insignificant, support in knocking back spurious and dangerous attempts to institute a surveillance society and remove our freedoms in the name of (ha!) security.
"None are more hopelessly enslaved than those who falsely believe they are free." -- Goethe
One major point to pay attention to here is that if you have a data retention policy that is written that says for example, "I don't keep logs older than 1 hour" and you follow it, you can't respond to subpoenas for any data that falls outside your retention period.
Revolutions are never about freedom or justice. They're about who's going to be top dog. -- Kilgore Trout
Way to go, FBI! [/sarcasm] I can't imagine many acts more calculated to alienate infosec geeks from the FBI in particular, and the US govt / law enforcement forces in general.
Why? What's wrong with a narrowly tailored subpoena in regards to a specific, discrete illegal act?
This is exactly what everyone here's been asking for for years. Some of you obviously won't be happy until the FBI refrains from prosecuting every single computer-based crime.
Nothing; that's exactly the point. From the article, in each case, either the information was too old to have been retained (according to a pre-existing policy), or the subpoena is incorrect, invalid, or far too broad.
The problem is that when we start trusting the government like that they can take it too far and then we are screwed. It may well be that they had a legitimate reason to want to see the logs but we can't trust that that is always the case. As for wget, I use it all the time to download things onto my shells.
"It is not how things are in the world that is mystical, but that it exists." -Ludwig Wittgenstein
There are so many things wrong with this.
Can you challenge subpoenas?
Assume I was drunk when I posted this.
...that it wasn't a Patriot Act subpoena:
he could be prosecuted merely for revealing that he'd RECEIVED it, even AFTER it became defunct.
Welcome to John Ashcroft's post-Constitution USA.
(and why in God's name has he continued preserving logs, after having received even ONE approach from the government?!)
Some people here seem to think that they'd have to be snooping lots and lots of net traffic in order for this to be any good to them. Not so. If you strongly suspect that the perpetrator comes from some small set, like, say, employees of a certain corporation, students at a certain school, etc., then a 5-minute window of logs will likely show only one hit from that IP range. That, along with what they have that leads them to suspect that IP range in the first place could be enough to execute a warrant.
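The narrow-window query the comment above describes, combined with the retention-policy point raised earlier in the thread, as an added example (my own code, not Fyodor's or Nmap's): the log lines, the IP range and the dates are constructed, and the retention cutoff is a hypothetical policy value.

```python
"""Narrow-window web-log query like the one discussed in the thread.
Added example, not Fyodor's or Nmap's code: parse Common Log Format lines, drop
anything older than the retention period, and return hits in a short time
window from a suspected IP range."""
from datetime import datetime, timedelta
import ipaddress
import re

# Constructed sample log lines in Common Log Format (documentation IP ranges).
SAMPLE_LOG = """\
203.0.113.7 - - [25/Nov/2004:23:55:10 +0000] "GET /nmap/ HTTP/1.1" 200 5120
198.51.100.23 - - [25/Nov/2004:23:57:42 +0000] "GET /nmap/dist/nmap-3.77.tgz HTTP/1.1" 200 1960000
192.0.2.9 - - [25/Nov/2004:23:58:01 +0000] "GET /nmap/ HTTP/1.1" 200 5120
198.51.100.23 - - [26/Nov/2004:00:03:15 +0000] "GET /nmap/ HTTP/1.1" 200 5120
"""

CLF_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) (\S+)')

def parse_clf(line):
    """Return (ip, aware datetime, request) or None if the line does not parse."""
    m = CLF_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
    return m.group(1), ts, m.group(3)

def hits_in_window(log_text, window_start, window_minutes, suspect_net, retention_days, now):
    """Hits in [window_start, window_start + window_minutes) from suspect_net.

    window_start and now are ISO 8601 strings with a UTC offset. Lines older than
    retention_days before now are treated as already deleted, so a request for
    them yields nothing: the retention point made in the thread.
    """
    start = datetime.fromisoformat(window_start)
    end = start + timedelta(minutes=window_minutes)
    cutoff = datetime.fromisoformat(now) - timedelta(days=retention_days)
    net = ipaddress.ip_network(suspect_net)
    hits = []
    for line in log_text.splitlines():
        rec = parse_clf(line)
        if rec is None:
            continue
        ip, ts, req = rec
        if ts < cutoff:
            continue  # outside retention: no longer on disk to produce
        if start <= ts < end and ipaddress.ip_address(ip) in net:
            hits.append((ip, ts.isoformat(), req))
    return hits
```

With a 5-minute window and a /24 the constructed log yields a single hit; move `now` past the 30-day retention and the same query returns nothing, which is why a retention policy that is actually followed bounds what a subpoena can produce.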
WARNING: there is a trojan on your
If the "translated" site contains any pictures, your browser will download them directly from the server. Unless you're using lynx, or something.
The server logs will contain "2004-11-25 23:59 - 80.70.60.50 GET /wideopenbackside.jpg"
I think it's just from looking at simple security/crypto convention. The two people who want to do "legit" things with their intarWeb are generally named Bob and Alice. Eve is usually the nasty interloper trying to foil all their plans. So... in crypto at least... your attacker is a chick named Eve.
Oh god, that woman is John Romero!
'He' is the singular indefinite pronoun in English [...] 'He' also happens to be the masculine personal pronoun.
You say that as if it just "happened". It's also not true; if you wrote "when a nurse comes, she will start by ...", no one would blink.
'She' is the singular pronoun of personification in English
Ships are usually she. That doesn't mean it's the only pronoun of personification; if you wish to personify an object as male, it's entirely correct.
Confusing the two exhibits not a warm-and-fuzzy concern for the inclusion of women so much as a writer's or speaker's ignorance.
A speaker's ignorance for what, some grammarian's rigid idea of what English should be? It's clear, whatever English was a hundred years ago or even 20 years ago, that using she is appropriate in today's English.
This overbearing post about some rigid rules of someone's conception of what English's rules should be is worth trashing, not saving.
Fyodor writes: "If they see that an attacker ran the command "wget http://download.insecure.org/nmap/dist/nmap-3.77.tgz" from a compromised host, they assume that she might have obtained that URL by visiting the Nmap download page from her home computer"
How do they assume what time the attacker visited nmap's site in the first place? If I was a well grounded hacker I'd probably have visited nmap's site so many times I have the url memorized, only having visited nmap's site in the first place years before.
And what's with accusing a 'she' of being the purported hacker? If anything, I think it was they.
I would guess that the "Do not tell" restriction is on information specifics. To say that you received a subpoena requesting information on IP address X in this time window could get you in deep shit. Saying that you have been given a few subpoenas over the last 6 months is probably no big deal.
IANAL
Erlang Developer and podcaster
That's why unprotected WiFi points are so useful. There is no way in heaven or hell to trace the connection back to the source.
:)
I wouldn't say it's impossible. If I had the investigative resources of the FBI the first thing I would do when I found out an attack happened from a "borrowed" WiFi point is get the MAC addresses of recently connected cards. Then all you have to do is go back to the manufacturers and find out who the cards were sold to and what their serial numbers are, and follow the trail of vendors all the way to the person who originally bought the card. Even if that person sold it on eBay or something, just keep following the trail.
Of course, the AP has to log the MAC addresses, and not have been reset since the attack, but I wouldn't say it's IMPOSSIBLE to be nabbed if you take over a wifi point. If what you did was bad enough, they'll find you. That is, unless perhaps you went through enough cascaded anonymous proxies.
-R
If law enforcement doesn't want the public to get away with violating the law, then law enforcement shouldn't be surprised if the public requires law enforcement to follow the law as well. Thus law enforcement can get a subpoena or search warrant, or they can go pound sand.
No hypocrisy in that.
Nothing wrong with holding the FBI up to high standards. The FBI are supposed to be the elite of law enforcement.
After all, who watches the watchers?
There are virtually no female hackers. Pick whichever adverb you want. Don't throw a fscking bitch fit because you perceive, for whatever reason, that the males among us somehow don't "recognize" female hackers (or female geeks for that matter).
The simple truth is that we're such an extreme minority that it is no wonder we are overlooked in most texts. I have stopped being offended by the seemingly exclusionist behavior because I'm smart/mature/whatever enough to realize that isn't really what it is.
So in short, get over yourself. The injured-ego oppressed feminist act gets old real quick, especially among hackers (since you seem to be claiming to be one yourself).
"He does look a bit Oompa like, even if his Loompa is a bit off-kilter."