Slashdot Mirror


Nmap Author Receives FBI Subpoenas

spafbnerf writes "Fyodor, author of the open-source network scanning tool Nmap, posted a story to the nmap-hackers list about having received a number of subpoenas from the FBI this year, demanding webserver log data, none of which produced anything, either because they sought old information that had already been deleted from his logs, or because the subpoenas were improperly served. In every case the request was narrowly crafted, usually directed at finding out who visited the site in a very short window of time, such as a five minute period. Fyodor writes: "If they see that an attacker ran the command "wget http://download.insecure.org/nmap/dist/nmap-3.77.tgz" from a compromised host, they assume that she might have obtained that URL by visiting the Nmap download page from her home computer"." Update: 11/25 20:21 GMT by T : Reader kv9 adds a link to Kevin Poulsen's story at SecurityFocus.

20 of 390 comments

  1. Seems reasonable by Anonymous Coward · · Score: 5, Insightful

    That seems like a legitimate investigative technique. They're probably trying to match up different pieces of evidence to find the person behind things.

    1. Re:Seems reasonable by RonnyJ · · Score: 5, Insightful
      That seems like a legitimate investigative technique.

      Yes, though the main concern of mine is that he says the FBI were using subpoenas that were improperly served - how many people wouldn't bother checking, and just give up information straightaway?

    2. Re:Seems reasonable by Gordonjcp · · Score: 4, Insightful
      Well, the suggestion is that they are trying to find out who downloaded the source onto a compromised machine. So - someone has cracked root on an unknown machine, visits insecure.org with the browser on their own machine, pastes the URL for the tarball into the shell on the compromised machine, and makes nmap. What it sounds like they are looking for is the IP address of the browser used to get the URL for the source.


      Personally I don't see the problem with this. They are not just sniffing around looking for "suspicious" things, they know what they are looking for and where it's likely to be. This is not randomly searching people on the street, this is going directly to the CCTV tapes.

    3. Re:Seems reasonable by kimmo · · Score: 4, Insightful

      Doh!

      Okay, now they only have to check the server does have its clock in sync, otherwise those 5 minute clips of logs won't be very useful.. :)

    4. Re:Seems reasonable by Frizzle+Fry · · Score: 4, Insightful

      You ask a good lawyer to look at it for you. Even if you read it "very carefully", you aren't an expert on what is required for it to be proper (I assume, based on the fact that you are asking this question), so you might draw the wrong conclusions.

      --
      I'd rather be lucky than good.
  2. Seems valid by Staplerh · · Score: 5, Insightful

    Even the Nmap Author seems to agree that it could help in the fight against these undesirable script kiddies, etc. However, I think it is great that this author has brought this to public attention, and will hopefully increase oversight of these cyber-investigations.

    Of course, we do need law enforcement and this is a legitimate field to investigate so that we can have protected web commerce. With eyes on their activities, we can hopefully keep the Internet free and safe. Thoughts?

    --
    "There's no success like failure, and failure's no success at all."
    - Bob Dylan
    1. Re:Seems valid by Chundra · · Score: 4, Insightful

      Hopefully the internet will continue to be unsafe, filthy, and represent all that is wrong with our species as a whole. It makes things more interesting and certainly more entertaining. Thoughts?

    2. Re:Seems valid by hunterx11 · · Score: 3, Insightful

      Perhaps you were trolling, but I think there is some validity in what you say, but only partially. The internet does often represent all things human, and this includes both the good and the bad. In polite society you censor the bad, but on the internet there is no such censorship.

      --
      English is easier said than done.
  3. Reasonable by SorcererX · · Score: 3, Insightful

    Well, I'm pretty sure that if a person downloaded nmap to a compromised host that person most likely visited the nmap website some time. The problem is that a lot of people visit that site, and it is nearly impossible to weed out the false positives from the person they are seeking. Furthermore, the FBI approach would only work if the person visited the site recently, which might not be the case. It'd be impossible to figure it out if the person last visited the nmap website several months ago, for example.

    --
    Any sufficiently advanced technology is indistinguishable from magic.
    1. Re:Reasonable by Pete+(big-pete) · · Score: 4, Insightful

      SorcererX (818515)
      Well, I'm pretty sure that if a person downloaded nmap to a compromised host that person most likely visited the nmap website some time.

      kfg (145172)
      Why?

      The easiest way of getting the exact url to download is to check it directly on the site yourself. Even if the link was found from elsewhere on the net, the person doing the download would have probably checked that the link was valid in advance.

      The key word here is "most" - sure if someone is really really really careful to cover every track they could possibly leave, then maybe they won't have directly visited the site. Most people would have done though. Of course the difficult part is determining when.

      -- Pete.

  4. Valid investigation techniques? by Dogun · · Score: 4, Insightful

    Seriously, that is the dumbest thing I ever heard.

    Nmap is popular as hell - unless they already have a suspect, this isn't going to be useful for them, all it will do is give them a scapegoat 9 times out of 10 - let's say they do get Fyodor's webserver log - which I doubt he'll be keeping in the future, assuming he does now - all that would give them is the IP addresses of a few dozen nmap users - one or two of which may be script kiddies of some sort.

    And if they can verify that a script kiddy A downloaded nmap in their window of interest, what are they going to do? Assume they're responsible for the wrong crime and charge him or her. It's stupid and it's a witch hunt and it's a shot in the dark.

    Of course, if the FBI has already got a suspect, they might be able to strengthen their case, but that's still pretty circumstantial evidence. Not exactly a smoking gun.

    Just my $0.02US

    1. Re:Valid investigation techniques? by Restil · · Score: 4, Insightful

      In any large investigation, law enforcement typically questions hundreds of people, some of whom may be suspects, some potential witnesses, and some who are just shots in the dark. Yes, having 50 different IP addresses, only one of which MIGHT be a potential suspect might seem like a long shot, but if the IP address they're looking for IS in there, they might be able to match it up with other evidence. Considering the fact that Fyodor has yet to actually submit requested logs to an agent, in spite of numerous requests, means that this IS a long shot, a time consuming one to acquire, with a very short lifespan, and likely not really worth the effort to acquire. But it's still a legitimate source of evidence, and if it shuts down a spammer or script kiddy, I'm not going to fault them for trying.

      -Restil

      --
      Play with my webcams and lights here
    2. Re:Valid investigation techniques? by nomadic · · Score: 5, Insightful

      Since when are fishing expeditions effective?

      Ask anyone who's ever caught a fish.

      Seriously, if they don't have any concrete leads, what are they supposed to do? Just stop investigating?

  5. Re:She?! by SWroclawski · · Score: 4, Insightful

    I think this is purposeful, and, frankly, smart.

    The assumption here is that the person the FBI is looking for is breaking the law, and is cracking boxes and other unsavory things.

    Why do we assume that the person is a he?
    It is possible that it's a she.

    People seem to be more sympathetic to women, and so I'd think this would be a good way to combat the stereotype of male "hackers".

  6. Re:if the server goes down... by ralphus · · Score: 4, Insightful

    One major point to pay attention to here is that if you have a data retention policy that is written that says for example, "I don't keep logs older than 1 hour" and you follow it, you can't respond to subpoenas for any data that falls outside your retention period.

    --
    Revolutions are never about freedom or justice. They're about who's going to be top dog. -- Kilgore Trout
  7. Re:if the server goes down... by nomadic · · Score: 4, Insightful

    Way to go, FBI! [/sarcasm] I can't imagine many acts more calculated to alienate infosec geeks from the FBI in particular, and the US govt / law enforcement forces in general.

    Why? What's wrong with a narrowly tailored subpoena in regards to a specific, discrete illegal act?

    This is exactly what everyone here's been asking for for years. Some of you obviously won't be happy until the FBI refrains from prosecuting every single computer-based crime.

  8. Fyodor is lucky... by nusratt · · Score: 4, Insightful

    ...that it wasn't a Patriot Act subpoena:
    he could be prosecuted merely for revealing that he'd RECEIVED it, even AFTER it became defunct.
    Welcome to John Ashcroft's post-Constitution USA.

    (and why in God's name has he continued preserving logs, after having received even ONE approach from the government?!)

  9. How they use this by ca1v1n · · Score: 3, Insightful

    Some people here seem to think that they'd have to be snooping lots and lots of net traffic in order for this to be any good to them. Not so. If you strongly suspect that the perpetrator comes from some small set, like, say, employees of a certain corporation, students at a certain school, etc., then a 5-minute window of logs will likely show only one hit from that IP range. That, along with what they have that leads them to suspect that IP range in the first place could be enough to execute a warrant.
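    The three practical points raised in this thread (kimmo's note that the server clock must be in sync for a 5-minute slice of logs to mean anything, ralphus's point that a written retention policy applied mechanically means older entries simply do not exist, and ca1v1n's observation that a short window filtered against a suspected IP range may contain only one hit) can be shown together with a small log-query helper. The Python below is an added example written for this page; it is not code from the thread, from Nmap or from insecure.org. The log lines are constructed in Apache combined format using documentation addresses, and the window, skew allowance, IP range and retention values are assumed.

```python
"""Added example (not from the Slashdot thread, Nmap or insecure.org).

Parses Apache "combined" log lines, normalises their timestamps to UTC,
and answers a narrowly scoped question of the kind the thread discusses:
which entries fall in a short window, optionally from a suspected IP
range, after a retention policy has been applied.
"""
import ipaddress
import re
from datetime import datetime, timedelta, timezone

# Constructed sample log lines; addresses are from documentation ranges.
# Note the differing zone offsets: a naive comparison of the wall-clock
# fields would put these hits in the wrong window.
SAMPLE_LOG = """\
192.0.2.10 - - [24/Nov/2004:14:03:12 -0800] "GET /nmap/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [24/Nov/2004:22:04:40 +0000] "GET /nmap/download.html HTTP/1.1" 200 8000 "-" "Mozilla/5.0"
192.0.2.77 - - [24/Nov/2004:23:04:59 +0100] "GET /nmap/download.html HTTP/1.1" 200 8000 "-" "Lynx/2.8"
203.0.113.5 - - [24/Nov/2004:22:30:00 +0000] "GET /nmap/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.11 - - [20/Oct/2004:09:00:00 +0000] "GET /nmap/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)


def utc(year, month, day, hour=0, minute=0, second=0):
    """Build a timezone-aware UTC datetime (convenience for callers)."""
    return datetime(year, month, day, hour, minute, second, tzinfo=timezone.utc)


def parse_line(line):
    """Parse one combined-format line; return None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # %z accepts the "+0000" / "-0800" form used in Apache logs; the result
    # is converted to UTC so that entries with different offsets compare.
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {
        "ip": m.group("ip"),
        "ts": ts.astimezone(timezone.utc),
        "req": m.group("req"),
        "status": int(m.group("status")),
    }


def parse_log(text):
    """Parse every well-formed line of a log, keeping file order."""
    return [e for e in (parse_line(l) for l in text.splitlines()) if e is not None]


def hits_in_window(entries, start, end, skew_seconds=0, ip_range=None):
    """Entries with UTC timestamp in [start - skew, end + skew).

    skew_seconds widens the window to allow for a server clock that was not
    perfectly synchronised; ip_range (CIDR string) restricts the result to a
    suspected address range.
    """
    skew = timedelta(seconds=skew_seconds)
    lo, hi = start - skew, end + skew
    net = ipaddress.ip_network(ip_range) if ip_range else None
    out = []
    for e in entries:
        if not (lo <= e["ts"] < hi):
            continue
        if net is not None and ipaddress.ip_address(e["ip"]) not in net:
            continue
        out.append(e)
    return out


def apply_retention(entries, now, max_age_seconds):
    """Keep only entries younger than the retention period.

    Applied mechanically, this is what makes a written policy such as
    "no logs older than 1 hour" true: older entries are simply gone.
    """
    cutoff = now - timedelta(seconds=max_age_seconds)
    return [e for e in entries if e["ts"] >= cutoff]


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    start = utc(2004, 11, 24, 22, 0)
    end = start + timedelta(minutes=5)
    for e in hits_in_window(entries, start, end, ip_range="192.0.2.0/24"):
        print(e["ts"].isoformat(), e["ip"], e["req"])
    kept = apply_retention(entries, utc(2004, 11, 25), 3600)
    print(f"entries surviving a 1-hour retention policy: {len(kept)}")
```

    Run as a script it prints the two hits from the assumed range inside the 22:00-22:05 UTC window, and shows that a one-hour retention policy leaves nothing to hand over for a request made the next day. The skew parameter is the practical answer to the clock-sync point: a window should be padded by the server's known drift, not trusted to the second.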

  10. Re:She?! by dvdeug · · Score: 4, Insightful

    'He' is the singular indefinite pronoun in English [...] 'He' also happens to be the masculine personal pronoun.

    You say that as if it just "happened". It's also not true; if you wrote "when a nurse comes, she will start by ...", no one would blink.

    'She' is the singular pronoun of personification in English

    Ships are usually she. That doesn't mean it's the only pronoun of personification; if you wish to personify an object as male, it's entirely correct.

    Confusing the two exhibits not a warm-and-fuzzy concern for the inclusion of women so much as a writer's or speaker's ignorance.

    A speaker's ignorance for what, some grammarian's rigid idea of what English should be? It's clear, whatever English was a hundred years ago or even 20 years ago, that using she is appropriate in today's English.

    This overbearing post about some rigid rules of someone's conception of what English's rules should be is worth trashing, not saving.

  11. Re:my 2 cents by bani · · Score: 4, Insightful

    If law enforcement doesn't want the public to get away with violating the law, then law enforcement shouldn't be surprised if the public requires law enforcement to follow the law as well. Thus law enforcement can get a subpoena or search warrant, or they can go pound sand.

    No hypocrisy in that.