Nmap Author Receives FBI Subpoenas
spafbnerf writes "Fyodor, author of the open-source network scanning tool Nmap, posted a story to the nmap-hackers list about having received a number of subpoenas from the FBI this year, demanding webserver log data, none of which produced anything, either because they sought old information that had already been deleted from his logs, or because the subpoenas were improperly served. In every case the request was narrowly crafted, usually directed at finding out who visited the site in a very short window of time, such as a five minute period. Fyodor writes: "If they see that an attacker ran the command "wget http://download.insecure.org/nmap/dist/nmap-3.77.tgz" from a compromised host, they assume that she might have obtained that URL by visiting the Nmap download page from her home computer"."
Update: 11/25 20:21 GMT by T :
Reader kv9 adds a link to Kevin Poulsen's story at SecurityFocus.
Do you know that Google searches are subpoenable?
So Googling your victim, for example, before committing the crime is not very smart.
Unless of course you can randomly change your ip
in a pretty large range of course, heh heh.
I wish more webmasters put such letters on their websites. More people would become aware that surfing the net leaves traces, and all of us would have a clearer picture of how many subpoenas are served to webmasters.
I'm not a script kiddie or a cracker, but I have done some interesting things out there. It sends chills up my back to think of the number of times I'd have been caught if a third party download site like this had had a five minute window opened in their logs. I'm impressed by the FBI's request, it's a technique that has a negligible chance of walking over someone's privacy (he even states that there were no results), yet has a good shot of working. I'm surprised that they didn't get anybody. But then again, the FBI aren't in the habit of tracking down small fry.
Hmmm...
Perhaps they might catch the odd Script Kiddie (provided their "press button to h4X0r" tool doesn't download Nmap automatically, and if they do know that Nmap exists).
But by and large, they won't catch any serious hacker - first of all, they're gonna run through anonymous proxies, secondly they already know the URL (probably in a txt file or something), and thirdly, if they use some kind of tool to help them, self-made or not, it will have a "get Nmap or similar" button.
All in all, nice try, no cigar though.
+++ MELON MELON MELON +++ Out of Cheese Error +++ redo from start +++
Personally I would like to encourage everyone, especially ISPs, to not maintain logs. That way they can answer every subpoena as unable to comply. But that is just me.
In a language without a pronoun for a person of unknown gender, she is as good as he.
They're looking for these chicks!
Assume I was drunk when I posted this.
Please. I'm not sure that I would call it a "stereotype," even though it probably could be defined as one. It's a legitimate assumption based on experience. Let's face it: On average, as a whole, "hackers" and people knowledgeable about computers are male. I can count the number of females I know who realize that Windows != computers on one hand. This trend is apparent in other science and engineering fields, albeit to a lesser degree. Why is this? I can't really say, and that's beyond the scope of this article. I'm just saying that I don't think it's fair to say that someone is not thinking clearly and being influenced by stereotypes when they refer to an unknown hacker as male. He is probably saying that because all of the hackers he knows are male.
Sleep is futile.
From the "One of the Slashdot Posts Worth Saving" Department:
* --All right, I'm only going to say this once: 'He' is the singular indefinite pronoun in English ("if a person drinks too much, he will likely experience a hangover"). 'He' also happens to be the masculine personal pronoun.
'She' is the singular pronoun of personification in English ("if England fails to advance America's foreign-policy ambitions, she will suffer terrible consequences"). 'She' also happens to be the feminine personal pronoun.
Confusing the two exhibits not a warm-and-fuzzy concern for the inclusion of women so much as a writer's or speaker's ignorance. Using the feminine personal pronoun as an indefinite article is as moronic as using the masculine personal pronoun for personification. Thus the captain greets us: "Welcome to my ship. Isn't he splendid?"
Give it up, people. It's not thoughtful; it's just illiterate. ®
Actually, if enough people manage to read this then it won't ever be a problem again....
Honestly, if you really wanted to make this work and just get left alone by the FBI and the kiddies...
Download links could be generated at request with a unique identifier embedded.
Thusly, if someone generates a dynamic link and pastes that into their term for wget... bam... you have an identifiable link with both addresses.
just make sure everything is logged quite properly.
It would certain ease the issue of tracking.
"You should always go to other people's funerals; otherwise, they won't come to yours." -- Yogi Berra
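The commenter's idea above, as an added example (not code from insecure.org or from the original thread): each page view mints a download URL carrying a random token, the server records which address asked for it, and a later fetch of that URL from a different address is matched back to the page view. The host name, log format and addresses are constructed for the example.

```python
import re
import secrets
from datetime import datetime, timedelta, timezone

# Placeholder download host; the real site is not modelled here.
BASE_PATH = "/nmap/dist/nmap-3.77.tgz"
BASE_URL = "http://download.example.invalid" + BASE_PATH

# Minimal Apache-style access log line: ip [time] "GET path HTTP/1.x" status
LOG_RE = re.compile(r'^(\S+) \[([^\]]+)\] "GET (\S+) HTTP/1\.[01]" (\d{3})')
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"


class LinkIssuer:
    """Mints one-off download URLs and records who asked for each one."""

    def __init__(self, ttl=timedelta(hours=24)):
        self.issued = {}  # token -> (browser_ip, issue_time); would be a DB in practice
        self.ttl = ttl

    def mint(self, browser_ip, now):
        # 64 random bits: a token seen in the log cannot have been guessed,
        # so it really was handed out by a page view we recorded.
        token = secrets.token_hex(8)
        self.issued[token] = (browser_ip, now)
        return f"{BASE_URL}?t={token}"

    def correlate(self, access_log):
        """Return (browser_ip, download_ip, lag_seconds) for each tokenised fetch."""
        pairs = []
        for line in access_log.splitlines():
            m = LOG_RE.match(line)
            if not m or m.group(4) != "200" or "?t=" not in m.group(3):
                continue  # parse failure, failed fetch, or plain untokenised URL
            download_ip, stamp, path = m.group(1), m.group(2), m.group(3)
            token = path.split("?t=", 1)[1]
            if token not in self.issued:
                continue  # unknown token: never issued, or already purged
            browser_ip, issued_at = self.issued[token]
            lag = (datetime.strptime(stamp, TIME_FMT) - issued_at).total_seconds()
            if 0 <= lag <= self.ttl.total_seconds():
                pairs.append((browser_ip, download_ip, int(lag)))
        return pairs


def demo():
    """Constructed scenario: page viewed from one address, file fetched from another."""
    issuer = LinkIssuer()
    t0 = datetime(2004, 11, 25, 20, 0, 0, tzinfo=timezone.utc)
    token = issuer.mint("198.51.100.7", t0).rsplit("?t=", 1)[1]
    log = (
        f'203.0.113.9 [25/Nov/2004:20:03:15 +0000] "GET {BASE_PATH}?t={token} HTTP/1.0" 200\n'
        f'203.0.113.9 [25/Nov/2004:20:03:16 +0000] "GET {BASE_PATH}?t=deadbeefdeadbeef HTTP/1.0" 200\n'
        f'192.0.2.4 [25/Nov/2004:20:04:00 +0000] "GET {BASE_PATH} HTTP/1.1" 200\n'
    )
    return issuer.correlate(log)
```

The forged token and the untokenised fetch in the constructed log are ignored; only the fetch carrying a token the issuer actually handed out is paired with the page view, which is exactly the record a narrowly scoped subpoena like the ones described would then cover.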
not be saving our web logs. At least not the ones that keep track of visitors. They can't see what doesn't exist. But I wonder if they could force us to keep web logs?
FBI == Fucking Ballbusting Imbeciles
How many FBI agents do you know?
http://tinyurl.com/3t236
This is I think the perfect type of narrowly targeted investigative technique that I would support. The FBI KNOWS a crime has been committed, and is following and building an evidence trail.
The problem is, the FBI has squandered a lot of their social capital in the IT space by pulling all sorts of ugly stunts in trolling the net to harass or intimidate folks or prosecute crimes that folks don't consider serious enough to merit such strong pursuit.
Now, when they take an appropriate approach, folks are still skeptical.
Why? What's wrong with a narrowly tailored subpoena in regards to a specific, discrete illegal act?
No, the question is "What's wrong with getting a valid subpoena *before* asking for the logs?" The issue is not the worthiness of the cause, but relying on general security paranoia and flag waving to bypass due process. Fyodor is right to demand a valid subpoena -- if the FBI is such a bumbling set of wankers as to not be able to come up with a subpoena, why trust them to accurately identify the suspect, or to not abuse the information they get?
When in doubt, have a man come through a door with a gun in his hand.
Out of curiosity, how does one verify that a subpoena is served properly? I assume that you read such very carefully, and call it a day.
Zapman
By convention, Eve is a passive attacker; the active attacker is named Mallory, which is usually regarded as a male persona.
So I'm sorry, but that's not the reason Fyodor used "she."
I touch computers in naughty places
If you give government power - and money is economic power - that power will be abused.
So don't give 'em any!
Why? What's wrong with a narrowly tailored subpoena in regards to a specific, discrete illegal act?
Er. how about this: the FBI should worry about crimes that *shock* actually matter *shock*, like serial killers, for instance. Maybe someday in the distant future when there are no more serious crimes, the FBI should get itself involved in utter trivialities like computer "crime".
One major point to pay attention to here is that if you have a data retention policy that is written that says for example, "I don't keep logs older than 1 hour" and you follow it, you can't respond to subpoenas for any data that falls outside your retention period.
A very, very good point. I work at two competing ISPs. One logs everything and keeps logs for months, the other (on my advice) keeps them for as short as reasonable. (30 days)
You can guess which one got caught up in a nasty discovery distraction during a client lawsuit....
Better just to clear the log, and get it out of the way. What's the point in keeping old email or RADIUS logs? Parse them for the statistical numbers, and then dump 'em!
I have no problem with your religion until you decide it's reason to deprive others of the truth.
Kevin Poulsen: The author of the popular freeware hacking tool Nmap warned users this week that FBI agents are increasingly seeking access to information from the server logs of his download site, insecure.org.
I'd like to know exactly when nmap was officially dubbed a "hack tool." It is merely a port scanner! Port scanning != hacking. One might argue the article is written in layman's terms -- as most news is. However, I think in the case of nmap, a politically technologically correct phrase would be "a tool commonly used by 'hackers.'" Negative connotations bother me.
but some of my friends got busted for smoking pot in their dorm... except they weren't - they had smoked off campus hours before. anyway, the cops "smell" it from the hallway after being notified by an RA and then push open the door to the room to see 4 people passed out around a tv and a half empty forty. so now the cops are in the room to stay - half an hour later there's a warrant, and I was doing my best to advise my friends so I told them to read it to me. the cops close the door. so I shout for them to yell it; the cops say we're being too loud after midnight. so my friend calls me on the phone - and we see the warrant is dated for the NEXT day. blah blah, another warrant comes in, things get confiscated, papers are filled out and such.
end of the story? no charges were ever filed, not only due to the whole debacle of a post-dated warrant, but also because they failed to knock and announce themselves before opening the door.
just know your rights and read the paperwork - don't let them drown you in it. and if you're too bored to, hire a lawyer