Nmap Author Receives FBI Subpoenas
spafbnerf writes "Fyodor, author of the open-source network scanning tool Nmap, posted a story to the nmap-hackers list about having received a number of subpoenas from the FBI this year, demanding webserver log data, none of which produced anything, either because they sought old information that had already been deleted from his logs, or because the subpoenas were improperly served. In every case the request was narrowly crafted, usually directed at finding out who visited the site in a very short window of time, such as a five minute period. Fyodor writes: "If they see that an attacker ran the command "wget http://download.insecure.org/nmap/dist/nmap-3.77.tgz" from a compromised host, they assume that she might have obtained that URL by visiting the Nmap download page from her home computer"."
Update: 11/25 20:21 GMT by T :
Reader kv9 adds a link to Kevin Poulson's story at SecurityFocus.
That seems like a legitimate investigative technique. They're probably trying to match up different pieces of evidence to find the person behind things.
Up shit creek sans paddle.
Dear Nmap hackers,
Let me first wish you Americans a happy Thanksgiving. Meanwhile, I'm
hard at work on a holiday Nmap version which should be available by
Christmas.
But enough pleasantries -- I want to discuss a sobering topic. With
increasing regularity this year, FBI agents from all over the country
have contacted me demanding webserver log data from Insecure.Org.
They don't give me reasons, but they generally seem to be
investigating a specific attacker who they think may have visited the
Nmap page at a certain time. If they see that an attacker ran the
command "wget http://download.insecure.org/nmap/dist/nmap-3.77.tgz"
from a compromised host, they assume that she might have obtained that
URL by visiting the Nmap download page from her home computer. So
far, I have never given them anything. In some cases, they asked too
late and data had already been purged through our data retention
policy. In other cases, they failed to serve the subpoena properly.
Sometimes they try asking without a subpoena and give up when I demand
one.
One can argue whether helping the FBI is good or bad. Remember that
they might be going after spammers, cyber-extortionists, DDOS kiddies,
etc. In this, I wish them the best. Nmap was designed to help
security -- the criminals and spammers put my work to shame! But the
desirability of helping the FBI is immaterial -- I may be forced by
law to comply with legal, properly served subpoenas. At the same
time, I'll try to fight anything too broad (like if they ask for
weblogs for a whole month). Protecting your privacy is important to
me, but Nmap users should be savvy enough to know that all of your
network activity leaves traces. I'm not the only one who gets these
subpoenas -- large ISPs and webmail providers receive them daily.
Most other major security sites probably do too. Most of you probably
don't care if someone finds out that you downloaded Nmap, Nessus,
Hping2, John the Ripper, etc. Nothing on Insecure.Org is illegal.
But for those of you who do care, there are plenty of mechanisms
available to preserve your anonymity. Remember this security mantra:
defense in depth.
Cheers,
Fyodor
Even the Nmap Author seems to agree that it could help in the fight against these undesirable script kiddies, etc. However, I think it is great that this author has brought this to public attention, and will hopefully increase oversight of these cyber-investigations.
Of course, we do need law enforcement and this is a legitimate field to investigate so that we can have protected web commerce. With eyes on their activities, we can hopefully keep the Internet free and safe. Thoughts?
"There's no success like failure, and failure's no success at all."
- Bob Dylan
Are we talking about Trinity?
Well, I'm pretty sure that if a person downloaded nmap to a compromised host that person most likely visited the nmap website some time. The problem is that a lot of people visit that site, and it is nearly impossible to weed out the false positives from the person they are seeking. Furthermore, the FBI approach would only work if the person visited the site recently, which might not be the case. It'd be impossible to figure it out if the person last visited the nmap website several months ago, for example.
Any sufficiently advanced technology is indistinguishable from magic.
Do you know that Google searches are subpoenable?
So Googling your victim, for example, before committing the crime is not very smart.
Unless of course you can randomly change your ip
in a pretty large range of course, heh heh.
If they used Tor, subpoenas wouldn't really have given any useful information away. Then again, it's so sloooow perhaps they'd still be downloading ;).
Let me first wish you Americans a happy Thanksgiving. Meanwhile, I'm hard at work on a holiday Nmap version which should be available by Christmas.
I suppose this new version will give a new meaning to the Xmas scan, no?
In Soviet Russia, you ask not what country do for you, but what you do for country!
Oh wait...
No wonder he's reticent about providing information.
Fyodors are supposed to remain closed at all times.
(Sorry)
Athletic Scholarships to universities make as much sense as academic scholarships to sports teams.
Seriously, that is the dumbest thing I ever heard.
Nmap is popular as hell - unless they already have a suspect, this isn't going to be useful for them, all it will do is give them a scapegoat 9 times out of 10 - lets say they do get Fyodor's webserver log - which I doubt he'll be keeping in the future, assuming he does now - all that would give them is the IP addresses of a few dozen nmap users - one or two of which may be script kiddies of some sort.
And if they can verify that a script kiddy A downloaded nmap in their window of interest, what are they going to do? Assume they're responsible for the wrong crime and charge him or her. It's stupid and it's a witch hunt and it's a shot in the dark.
Of course, if the FBI has already got a suspect, they might be able to strengthen their case, but that's still pretty circumstantial evidence. Not exactly a smoking gun.
Just my $0.02US
I wish more webmasters put such letters on their websites. More people would become aware that surfing the net leaves traces, and all of us would have a clearer picture of how many subpoenas are served to webmasters.
The FBI has tracked down a perpetrated hacker after a slip-of-tongue by Fyodor in a recent nmap-hackers list posting, relating a female hacker using wget command to get nmap. After searching the homes of the 3 females known by Fyodor, they have identified and captured the assailant.
I'm not a script kiddie or a cracker, but I have done some interesting things out there. It sends chills up my back to think of the number of times I'd have been caught if a third party download site like this had had a five minute window opened in their logs. I'm impressed by the FBI's request, it's a technique that has a negligible chance of walking over someone's privacy (he even states that there were no results), yet has a good shot of working. I'm surprised that they didn't get anybody. But then again, the FBI aren't in the habit of tracking down small fry.
My first thought when I got that e-mail was that the feds wanted to know who was downloading Nmap pr0n.
Of course, I'm the one who wrote the script and shot the video, so it's only natural.
I think Fyodor is doing the right thing, and I think the feds are just using standard intimidation tactics... but then again, I've always been about state powers as opposed to federal powers. At least with state powers, you can always choose to move to a different state...
HaXXXor.com - Naked Chicks Teach You How To Ha
I think this is purposeful, and, frankly, smart.
The assumption here is that the person the FBI is looking for is breaking the law, and is cracking boxes and other unsavory things.
Why do we assume that the person is a he?
It is possible that it's a she.
People seem to be more sympathetic to women, and so I'd think this would be a good way to combat the stereotype of male "hackers".
Hmmm...
Perhaps they might catch the odd Script Kiddie (provided their "press button to h4X0r" tool doesn't download Nmap automatically, and if they do know that Nmap exists).
But on the large, they won't catch any serious hacker - first of all, they're going to run through anonymous proxies, secondly they already know the URL (probably in a txt file or something), and thirdly, if they use some kind of tool to help them, self-made or not, it will have a "get Nmap or similar" button.
All in all, nice try, no cigar though.
+++ MELON MELON MELON +++ Out of Cheese Error +++ redo from start +++
Personally I would like to encourage everyone, especially ISPs, to not maintain logs. That way they can answer every subpoena as unable to comply. But that is just me.
In a language without a pronoun for a person of unknown gender, she is as good as he.
So, this girl that has been downloading... are there photos of her? Huh? Huh?
'Thats they exact same thing a banana wrench monkey.'
made for backhats
Are those over by the asshats?
The problem is that when we start trusting the government like that they can take it too far and then we are screwed. It may well be that they had a legitimate reason to want to see the logs but we can't trust that that is always the case. As for wget, I use it all the time to download things onto my shells.
"It is not how things are in the world that is mystical, but that it exists." -Ludwig Wittgenstein
There are so many things wrong with this.
Can you challenge subpoenas?
Assume I was drunk when I posted this.
They're looking for these chicks!
Assume I was drunk when I posted this.
...that it wasn't a Patriot Act subpoena:
he could be prosecuted merely for revealing that he'd RECEIVED it, even AFTER it became defunct.
Welcome to John Ashcroft's post-Constitution USA.
(and why in God's name has he continued preserving logs, after having received even ONE approach from the government?!)
Some people here seem to think that they'd have to be snooping lots and lots of net traffic in order for this to be any good to them. Not so. If you strongly suspect that the perpetrator comes from some small set, like, say, employees of a certain corporation, students at a certain school, etc., then a 5-minute window of logs will likely show only one hit from that IP range. That, along with what they have that leads them to suspect that IP range in the first place could be enough to execute a warrant.
WARNING: there is a trojan on your
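The check described in the comment above (a short time window of webserver hits, narrowed to a suspected IP range) as an added example; this is not Fyodor's code or anything from Insecure.Org. It assumes Apache "combined" log format and uses constructed sample lines with documentation-reserved addresses.

```python
import ipaddress
import re
from datetime import datetime, timedelta, timezone

# Constructed sample lines in Apache combined log format (not real Insecure.Org data).
SAMPLE_LOG = """\
203.0.113.7 - - [25/Nov/2004:23:57:12 -0800] "GET /nmap/ HTTP/1.1" 200 15234 "-" "Mozilla/5.0"
198.51.100.23 - - [25/Nov/2004:23:58:40 -0800] "GET /nmap/dist/nmap-3.77.tgz HTTP/1.1" 200 1048576 "http://www.insecure.org/nmap/" "Wget/1.9"
192.0.2.55 - - [25/Nov/2004:23:59:01 -0800] "GET /nmap/ HTTP/1.1" 200 15234 "-" "Mozilla/5.0"
198.51.100.77 - - [26/Nov/2004:00:06:30 -0800] "GET /nmap/ HTTP/1.1" 200 15234 "-" "Mozilla/5.0"
"""

# client IP, identd, user, [timestamp], "request", status, size ... (referer/agent ignored here)
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+'
)


def parse_line(line):
    """Return (ip_address, timestamp in UTC, request line) for one log line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    # Apache writes the local time with its UTC offset; normalise to UTC so windows compare cleanly.
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z").astimezone(timezone.utc)
    return ipaddress.ip_address(m.group("ip")), ts, m.group("req")


def hits_in_window(log_text, start_iso, minutes, cidr=None):
    """Hits whose timestamp falls in [start, start + minutes) and, if cidr is given,
    whose client address lies inside that network. start_iso is an ISO-8601 UTC time."""
    start = datetime.fromisoformat(start_iso)
    end = start + timedelta(minutes=minutes)
    net = ipaddress.ip_network(cidr) if cidr else None
    hits = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue  # malformed line: skip rather than guess
        ip, ts, req = parsed
        if not (start <= ts < end):
            continue
        if net is not None and ip not in net:
            continue
        hits.append((str(ip), ts.isoformat(), req))
    return hits


if __name__ == "__main__":
    # A five-minute window starting 23:55 Pacific (07:55 UTC), first for everyone, then for one /24.
    for hit in hits_in_window(SAMPLE_LOG, "2004-11-26T07:55:00+00:00", 5):
        print("any source:", hit)
    for hit in hits_in_window(SAMPLE_LOG, "2004-11-26T07:55:00+00:00", 5, "198.51.100.0/24"):
        print("suspect range:", hit)
```

Without the range filter the window already holds several unrelated visitors; with it, only one hit remains, which is why the narrow-window request only helps when there is an independent reason to suspect a particular network.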
I wonder. Why can't they automate the subpoenas?
That way they'd have one ready and well-written in case of a hacker emergency.
Oh well.
If the "translated" site contains any pictures, your browser will download them directly from the server. Unless you're using lynx, or something.
The server logs will contain "2004-11-25 23:59 - 80.70.60.50 GET /wideopenbackside.jpg"
... have feelings too, the proper way to refer to something unknown is he/she/it, to be abbreviated as s/h/it! ;-)
Paul B.
Please. I'm not sure that I would call it a "stereotype," even though it probably could be defined as one. It's a legitimate assumption based on experience. Let's face it: On average, as a whole, "hackers" and people knowledgeable about computers are male. I can count the number of females I know who realize that Windows != computers on one hand. This trend is apparent in other science and engineering fields, albeit to a lesser degree. Why is this? I can't really say, and that's beyond the scope of this article. I'm just saying that I don't think it's fair to say that someone is not thinking clearly and being influenced by stereotypes when they refer to an unknown hacker as male. He is probably saying that because all of the hackers he knows are male.
Sleep is futile.
I'm all for public access points but I do think that you should know what you're getting yourself into when you run a public AP. Most businesses especially should make sure they are covered.
A little off topic of the FBI but related to public APs. Something I like to do is run a public AP that doesn't have access to the Internet. It just acts as something of a localized BBS system. Anyone within reach can message each other, trade files, participate in the forums, or check out the wiki. It's not hard to make it so that someone connecting will get your entrance page anytime they try to connect to something other than your system. With a decent antenna you can reach a fairly large group of people in a crowded metro area. An interesting way to meet your neighbors.
At what price learning? At what cost wisdom? The price is a man's peace of mind, and the cost is his life.
Perhaps you don't understand the point behind nmap, but that is exactly why it was created. The idea was to provide a general purpose tool that gave intelligent admins the ability to scan and "attack" their own network with the exact same tools and techniques used by attackers. Nmap provides a centralized tool for all of these techniques that does not involve combing warez sites looking for each individual tool.
Out of all the options that you listed above, the only one I haven't personally used is the decoy scanning as I don't have a use for it. Combinations of the other settings are very useful for checking the setup of both network monitoring tools as well as verifying configurations very quickly across multiple servers or desktop systems. In addition, I have found nmap to be very useful in tracking down certain virus infections. When I know that a virus opens a specific port on a compromised box, I can do a network wide scan and quickly return all hosts that are potentially compromised (as we are talking student computers at a college, we are not directly responsible for the machines themselves).
True, nmap does put this same power in the hands of potentially malicious users, but given that they would have these same tools whether or not nmap existed, I much prefer being able to access them easily myself.
From the "One of the Slashdot Posts Worth Saving" Department:
* --All right, I'm only going to say this once: 'He' is the singular indefinite pronoun in English ("if a person drinks too much, he will likely experience a hangover"). 'He' also happens to be the masculine personal pronoun.
'She' is the singular pronoun of personification in English ("if England fails to advance America's foreign-policy ambitions, she will suffer terrible consequences"). 'She' also happens to be the feminine personal pronoun.
Confusing the two exhibits not a warm-and-fuzzy concern for the inclusion of women so much as a writer's or speaker's ignorance. Using the feminine personal pronoun as an indefinite article is as moronic as using the masculine personal pronoun for personification. Thus the captain greets us: "Welcome to my ship. Isn't he splendid?"
Give it up, people. It's not thoughtful; it's just illiterate. ®
I think it's just from looking at simple security/crypto convention. The two people who want to to "legit" things with their intarWeb are generally named Bob and Alice. Eve is usually the nasty interloper trying to foil all their plans. So... in crypto at least... your attacker is a chick named Eve.
Oh god, that woman is John Romero!
not be saving our web logs. At least not the ones that keep track of visitors. They can't see what doesn't exist. But I wonder if they could force us to keep web logs?
FBI == Fucking Ballbusting Imbeciles
How many FBI agents do you know?
http://tinyurl.com/3t236
This is I think the perfect type of narrowly targeted investigative technique that I would support. The FBI KNOWS a crime has been committed, and is following and building an evidence trail.
The problem is, the FBI has squandered a lot of their social capital in the IT space by pulling all sorts of ugly stunts in trolling the net to harass or intimidate folks or prosecute crimes that folks don't consider serious enough to merit such strong pursuit.
Now, when they take an appropriate approach, folks are still skeptical.
'He' is the singular indefinite pronoun in English [...] 'He' also happens to be the masculine personal pronoun.
You say that as if it just "happened". It's also not true; if you wrote "when a nurse comes, she will start by ...", no one would blink.
'She' is the singular pronoun of personification in English
Ships are usually she. That doesn't mean it's the only pronoun of personification; if you wish to personify an object as male, it's entirely correct.
Confusing the two exhibits not a warm-and-fuzzy concern for the inclusion of women so much as a writer's or speaker's ignorance.
A speaker's ignorance for what, some grammarian's rigid idea of what English should be? It's clear, whatever English was a hundred years ago or even 20 years ago, that using she is appropriate in today's English.
This overbearing post about some rigid rules of someone's conception of what English's rules should be is worth trashing, not saving.
Fyodor writes: "If they see that an attacker ran the command "wget http://download.insecure.org/nmap/dist/nmap-3.77.tgz" from a compromised host, they assume that she might have obtained that URL by visiting the Nmap download page from her home computer"
How do they assume what time the attacker visited nmap's site in the first place? If I was a well-grounded hacker I'd probably have visited nmap's site so many times I have the URL memorized, only having visited nmap's site in the first place years before.
And what's with accusing a 'she' of being the purported hacker? If anything I think it was they.
Why? What's wrong with a narrowly tailored subpoena in regards to a specific, discrete illegal act?
No, the question is "What's wrong with getting a valid subpoena *before* asking for the logs?" The issue is not the worthiness of the cause, but relying on general security paranoia and flag waving to bypass due process. Fyodor is right to demand a valid subpoena -- if the FBI is such a bumbling set of wankers as to not be able to come up with a subpoena, why trust them to accurately identify the suspect, or to not abuse the information they get?
When in doubt, have a man come through a door with a gun in his hand.
By convention, Eve is a passive attacker, the active attacker is named Mallory, which is usually regarded as a male persona.
So I'm sorry, but that's not the reason Fyodor used "she."
I touch computers in naughty places
There are virtually no female hackers. Pick whichever adverb you want. Don't throw a fscking bitch fit because you perceive, for whatever reason, that the males among us somehow don't "recognize" female hackers (or female geeks for that matter).
The simple truth is that we're such an extreme minority that it is no wonder we are overlooked in most texts. I have stopped being offended by the seemingly exclusionist behavior because I'm smart/mature/whatever enough to realize that isn't really what it is.
So in short, get over yourself. The injured-ego oppressed feminist act gets old real quick, especially among hackers (since you seem to be claiming to be one yourself).
"He does look a bit Oompa like, even if his Loompa is a bit off-kilter."