"[...] the cyberterrorist threat at this time is too great to ignore,"
Amazing. Beyond having their privacy trampled by these "cyberterrorists," Australians will lose privacy to their self-proclaimed benevolent government, and time in jail for anyone who dares keep a suspicious shell script on their private hard drive -- hell, the hard drive really isn't your property anymore if they can demand all the information off of it.
Wake up, Australia, these swings at your liberties do not deliver their promised safety. Don't let them live your life, or deny you your basic human dignities.
You've never been responsible for administering a secure system have you? If you have, then you're miserable at it.
So far, so good, no one has managed to break into any of my systems. I've also discovered a vulnerability in some software and have done code audits. You?
[...]
Both of these books describe one of the primary security principles: "least privilege". In short, it says: don't allow anything that you don't have to.
Least privilege is wonderful, yes. But as I pointed out before, you are already publishing your DNS information to the world, but you keep your TCP port 53 closed. That's fine, but you want to keep it closed and cause trouble to anyone who dares to connect. That has nothing to do with least privilege and is uncalled for.
[W]hen people come poking at my alarm system to see what happens, especially when they have no reason for doing it, I can't help but assume that they're trying to figure out my weaknesses for some other reason.
TCP/IP is a well defined, simple system designed to facilitate access to resources. An alarm is a system, maybe obscure, designed to restrict access to resources. A TCP connection does not amount to fiddling with an alarm.
Your analogy is colossally bad. It assumes that you can look at my computer without it impacting my computer. In the store analogy, you are of course correct; simply looking at the store to see if it's closed is not criminal. But looking at my computer requires that you actively use bandwidth that I PAID FOR, and make use of computing equipment that I PAID FOR.
My analogy still stands. For one thing, you do not pay for the entire Internet. For another thing, think of the store owner who owns the sidewalk in front of his store (as is the case in some jurisdictions I'm sure). Though the owner owns it, it effectively becomes sort of a public right of way, and the owner has no recourse when people come onto his bit of the sidewalk to find his store closed. Your TCP/IP stack is effectively a store front and part of the sidewalk. Short of someone blocking your sidewalk (DoS attack), you should relax. Their behavior is harmless, maybe beneficial, and I'm sure you do the same.
You should have *no* expectation that I'm providing DNS zone transfers, therefore you should not go looking.
I have every expectation that if you aren't providing DNS zone transfers, you will refuse the connection. Ditto for connecting to port 80. If you have public information on either port there is no problem, if you deny connections there is also no problem. A few packets isn't worth breaking a sweat over. If it is, get off the Internet. You are like the person in the subway car who screams bloody murder when someone bumps into them.
You are an id10t. 31337 is the TCP connect port for Back Orifice. 27374 is the TCP connect port for SubSeven. These are remote controllable trojan horses that have been widely spread through email virii. Anyone connecting on those ports should by default be seen as hostile.
According to my copy of /etc/services, port 31337 is unassigned and port 27374 belongs to "asp." But in any event, I've seen HTTP and FTP servers running on 31337, and I'm sure there is nothing magical about port 27374.
Leave shooting first and asking questions later to the movies.
The original intention of the Internet also included the idea that no for-profit organizations should be on the Internet. The original intention of the Internet included bugs. So, according to you, we should simply drop all prudence because someone 30 years ago couldn't foresee everything that would be happening today?
I was talking about protocol intentions, not philosophy, and a few bugs do not demand jail sentences for Internet users.
I think the deal here is that you want to continue running your port scans and justify it under the heading of "well it's just the way the Internet is sposed to work".
It is better than causing Internet users much grief over nothing.
But do that to my machines and I will make trouble for you. Don't like it? I don't care.
In order to avoid gaining your ire I would have to avoid ever connecting to your hosts. This is rather difficult since 1. I don't know who you are ("mjh?"), 2. I'm only human, I could accidentally connect to your host while doing something else, 3. Hell, someone could do <img src="http://yourhost:53/"> in a web page I'm loading. To be safe from persecution I and everyone else would have to stop using the Internet. No thanks. I think it would be much better if you would relax.
You are already publicly publishing that information.
The only people who should be looking for a zone transfer are your secondaries. Either they are already allowed, or you have none. No one else should be requesting a zone transfer. Allowing them is stupid because you now allow in any bugs that are associated with DNS zone transfers.
There are also bugs associated with straight DNS queries. Go, now, and shut down BIND.
I request zone transfers all the time, usually to keep track of what is going on under ma.us. If a given host, for whatever reason, doesn't want to allow zone transfers, then it simply declines the request. Otherwise, it accepts it. This is like a store with a "closed, come back later" sign vs. an "open" sign. Are people made criminals for looking at a closed store in your world?
There are FAR FAR too many known attacks against both BIND and RPC to assume that either of these are accidents! Should I assume that some luser is not trying to attack when I see ports 31337, 27374, 12345?
Again, see my open vs. closed store analogy. People normally walk into open stores without seeking explicit permission. If there is nothing there they leave, and if they bust up the store then that is a crime.
The Internet is public. People use it. People see what a host has to offer publicly, as far as accepting email, anonymous FTP, or public web pages. There are facilities in TCP/IP and various upper level protocols to indicate that certain resources are unavailable to the requesting user, if available at all. The average Internet user has no idea that you are offended when they connect to port 31337 because they were trying to get to some high-port FTP site, but they can infer from the connection refusal that there is nothing there for them.
If security for you includes worrying about incoming TCP SYN packets, fine. But don't make trouble for users because they had the nerve to use the Internet as it was intended, because I'm sure you use the Internet too.
A single connection request often indicates an automated scanner. Particularly with the Linux worms, I will get a single packet every few days to a different address in our range.
It could also be someone mistyping an IP or port, or some lemur doing <img src="http://somehost:53/foo">, or any number of things.
Whether I chase it up depends on the port. Current favourites are 53, 111, 515, 21 etc.
A TCP connection to port 53 could be someone looking for a zone transfer. That isn't anything to hide, you are publishing it to the world anyway.
I trust your RPC service (port 111) has suitable access controls that decline unauthorized access attempts. But it is not good to consider such connections "attacks": what if some new whizbang Internet P2P application uses RPC (ignoring the merits of using it)? Are those users all of a sudden criminals because they had the nerve to ask your host if it could talk a particular protocol?
I do send an email to obvious scanners; mostly the owner hasn't a clue what is going on, and hopefully they will learn a bit about security and close the more targeted holes. In this case notification helps the user and (very slightly) reduces the easy meat for crackers.
Not having them lynched sets you apart from other admins apparently.
Like on a crowded subway car, people bump into each other on the Internet. Connection refused? Pardon me.
Ideally the person at the receiving end should understand and get over it. After all, they have sent their share of bad connection requests too.
Now we have paranoid admins who cry foul whenever someone sends one lousy connection request, or sends one strange packet, or whatever. If you can't handle a crowded subway car, don't get on it. Likewise, if you can't handle sharing the Internet, don't get on it.
In that vein, port scanning isn't too horrible. If you don't want people to see what you are running, get off the Internet. Otherwise, you just have a storefront on a busy street where people can see if the store is open or closed.
Retarded administration causes more problems than port scanning ever will.
Asylum in Canada is an embarrassment to the US if it is granted. Canada is America's closest neighbor and closest ally (except for burning that building which had to be repainted and is now called "The White House").
That debt was settled with Canada after we accidentally blew up Halifax, Nova Scotia, back in World War I. Whoops.
The body charged with enforcing this particular code can't distribute copies of the code to its employees without paying extra fees to the copyright holder. Ignorance may not be an excuse, but it helps if the cops are just as clueless as you are.
I think that most hackers who are savvy about the kernel know better than to download one from a mirror. Especially after all the virus problems with RedHat, now is not the time to risk downloading a tainted version of the kernel [...]
That's a bad argument, kernel releases are PGP signed.
... It would produce a crater the width of a football field and up to 100 feet (30 meters) deep.' They say that using copper will help get more accurate readings."
Funny, I claimed that blowing things up would obtain more accurate readings for my high school physics labs, but the teacher didn't give me extra credit. :(
THE ROMANIAN HACKER IS SYSOP aka METAL: Valcu Ghita Gheorghe aka Sysop -- 19 years old Str Brandusei nr2 sc.b ap.14 et. 3 Timisoara. cod 1900 Romania Phone: 4093462828 cellular: 4093738043 This is the HACKER CAUSING all the problems on Undernet.
Confirmed. From wallops earlier Thursday (timestamps are EST):
[15:20:53] -Run/Wallops- <-- Knows someone who is going to pay $2000 out of his own pocket for every day he has been attacking servers:)). Its the little things that make life worthwhile don't you think?:)
[15:21:34] -mregit/Wallops- I hope he is going to be paying all the users who lost ops.
[15:27:36] -Run/Wallops- No no no - people, calm down... They don't have him YET. Well, perhaps sysop- (thats his nick) wants to tell you himself what he thinks. Sysop-: msg me, then you'll get ONE free wallops:).
This Sysop- guy is a regular on #madness, which was involved in at least two takeover attempts of #978. Happy days.
Disable the standard ping reply, and add a daemon in /etc/inetd that does the same, but with flood control, like don't answer more than 5 pings per sec.
Conventional inetd only works on UDP and TCP sockets, not the raw sockets necessary for its own ICMP support. Besides, those rejected inbound pings still take up bandwidth, so you have not thwarted any DoS attack.
But only Undernet had the audacity of putting in an O flag to track if someone /whois'd an Oper... for the purpose of G-lining them.
A quick glance at the Undernet ircd source (available at the Undernet coder committee site) doesn't show any special flags or other state being set on the client record when the client does a /whois on an oper. Could you provide a citation if I'm mistaken?
So let's kill the little twerp involved, and not give any sympathy where it's NOT due.
Some Undernet officials have serious issues. The #zt help channel bans you if you have the audacity to help people, for example. But even if these attacks are directed at those assholes, other groups (#978) are suffering collateral damage.
If someone walks into this open house, takes the gun you have in there and then kills someone with it, you are responsible for letting them obtain the gun.
Firearm ownership is legal (at least in the United States, per the Second Amendment). Taking things that do not belong to you isn't legal.
Likewise, when someone abuses a site you've left unchecked, the site owner is responsible. You can bet your ass that if this was being directed at a business instead of at Undernet, they would be suing the pants off everyone whose systems got rooted, for negligence, aiding and abetting, you name it.
Why not include the little old lady down the street? Sounds like you don't want to put in the effort to find who is really responsible, and choose to settle with fault by proxy.
You have the right to do whatever you want with your system, but if something bad happens with them, they are ultimately your responsibility.
So the victim of the original crime can expect to have the judicial system turned on them? Was the rape victim asking for it?
I've been meaning to install Shockwave on my Linux box to look at all the fancy things everyone else gets, but now I'm glad I haven't done so yet.
One common misconception about Unix security is that if something doesn't run as root, any possible exploit is not important. A Shockwave player compromise can still read your mail, get/alter your files, even ptrace Netscape or ssh and grab your passwords. Doing as many things as possible under a non-root user is good practice, but does not solve all problems.
You can't claim that your act is passive, since you actually have to talk to my network interface in order to gain your information, i.e. you're not just sitting out on the street counting windows. Your act of (maybe) curiosity takes processor cycles from my hardware, and most likely registers as usage on my network. It's flat-out unasked for and intrusive.
That negative externality is similar to the resources you use on other systems on the Internet, thus it cancels out and the analogy still stands.
I don't know about the portscans you see, but the portscans I see are more analogous to someone walking up to your back door in the middle of the night and jiggling the knob to see if it's open.
Not hardly. That's analogous to trying to get into an FTP site without authorization. The mere connection to the FTP port and seeing that it doesn't offer anonymous access is akin to looking at a structure and saying "that is a private residence; I should not enter it as I would with a public store."
Americans are damned arrogant and think the world should learn English to accommodate us, but we shouldn't need to do likewise.
So are the French, but give the Americans credit: we are still a world superpower, and a large part of the developed world does speak English as a first or second language.
No, they will hit the web servers that someone forgot to secure. There is no difference.
And a spider crawl of a web site can be the prelude to an intrusion too. What's your point?
A zone transfer *is* something to hide.
If you leave all of your car doors open, you run more of a risk of something getting stolen. The same goes for computer security.
That is hardly a reasonable analogy. In this case it is more like executing someone just because they glanced at your car while walking by.
Slashdotted already.
One of these days, this is going to happen one time too many. You guys really need to start thinking about how linking sites like this affects them.
If this concerns you so much, perhaps you should use your local caching HTTP proxy or hook up with a cache hierarchy.
Comment out the code between the first set of curly braces, recompile your kernel, and your machine won't answer pings anymore ;-p
Then your host will no longer be compliant with Internet standards, and you have not solved any DoS problem. What's the point?
[...] the creator has plans to build another robot that would be able to search out its own food source.
Wonderful. A famine caused by artificial bugs eating crops.
According to the Academie Francaise and the various defenders of the French language, it is "Le Shuttle", a politic compromise.
Every other culture in the world manages to get by with words from different languages in their vocabulary; the French are acting like crybabies.
I'll call it "Chunnel." I don't care to be Franc-correct.
Yeah, let me know when I can wander around your house or apartment looking at stuff.
More like wandering by your house and counting the number of windows it has.