From: iw@all.net
Subject: IW Mailing List iw/960314
---------------------------------------------
Date: Wed, 13 Mar 1996 21:25:03 -0500 (EST)
From: Sick Puppy 
Subject: Re: IW Mailing List iw/960313

> [Moderator's Note: I believe that the federal computer abuse statutes
> don't require a warning banner.  If they did, than any denial of service
> attack that ignored responses would be legal.]

In our discussions with the FBI about how we could meet the legal
requirements for a successful prosecution that would not be thrown out
on technicalities, the need for a warning statement or warning banner
was stressed by the FBI.  I don't remember the specifics but the need to
have a warning banner is related to the freedoms guaranteed by the US
Constitution and its Amendments.  The FBI mentioned a couple of
prosecutions by the Secret Service where part of the case was thrown out
and the whole case was significantly weakened, because there was no
warning banner. 

I believe that CERT also covers this point in its annual
conference/seminar for incident response teams.  They usually get a FBI
agent with experience in the rules of evidence to speak during the lunch
breaks. 

Maybe there is someone on the list whose recollection on this point is 
more precise than mine.
---------------------------------------------
Date: Wed, 13 Mar 1996 18:46:52 -0600
From: Walt Auch 
Subject: Re: IW Mailing List iw/960313

Quote:
[Moderator's Note: I believe that the federal computer abuse statutes
don't require a warning banner.  If they did, than any denial of service
attack that ignored responses would be legal.]
Unquote

Banners are not REQUIRED, but DOJ has indicated in many conversations
that they are "looked upon favorably" by the Court.  You do NOT have to
prove that they were read - much like you don't have to prove a speed
limit sign was read in order to prove speeding - you should just be able
to show it was posted.  (Scott Charney is the DOJ person - not sure that
should be posted.)
---------------------------------------------
From: fc (Fred Cohen)
Subject: More progress
Date: Wed, 13 Mar 1996 23:59:56 -0500 (EST)

So far, we have traced down:

	A breakin at a community college in Pennsylnavia where the
attacker rigged the University computer to automatically telnet to our
site every 5 minutes. 

	A port scan followed by a series of scores of attempts to
telnet into our site for over an hour from a University site in
Arizona.  The attacker has been caught.

	Several IP spoofing attempts that we are tracing down to
the specific dial-in accounts used to launch the attack.

	An intentional insider corruption of a Web page designed to
turn innocent browsers into launchpads for their attack.  This one
was tracked down yesterday and has been stopped after recurrences
by contacting this ISPs ISP and the FBI.

	A web site which is misleading people into telnetting into
our site under the auspices of getting a letter from a self-proclaimed
computer security expert.

	What appeared to be a systems administrator at a prominant
university who did a port scan followed by numerous telnets.  It now
looks like this person may not have been authorized by the university to
do any of this and it has been raised to another level in the
University.

	Several other individuals have been tracked down as well.

19:52

> From: "Matthew G. Devost" 
...
> I am concerned over the all.net statement that it will pursue criminal
> conspiracy charges against all those that telnet to their site.  I asked
> what sort of warning banner was in place and hadn't gotten a reply yet
> so I checked to see.  Well, there is NO warning banner.  You simply get
> a connection refused by foreign host (and I imagine, a email to root at
> my ISP saying I am an evil hacker!).

The message changed as incidents occured.  Contrary to what previous
postings indicated, we haven't historically claimed these events as
attacks.  We simply state that (current form):

	A user at your site has just attempted to telnet into our site. 
	No users from your site are authorized to telnet into this site. 
	We thought you would like to know so you could investigate
	further.  If more telnets come from your site, this may indicate
	a more substantial attempted entry originating from your site,
	and should be followed up in more depth and more quickly. 

> Here is my point.  It is obvious that someone (an individual) has a
> gripe with you or just wants to target your machine, but I would not
> call the other attempts a conspiracy.  I could post the following
> message to a cancer survivor newsgroup or list:

At this point in time [see above] several different individuals have
been identified as having intentionally attacked this site during the
incident.  About 5 individuals are responsible for over 90% of all of
the attempted entries. 

> 	"Hello all! Just wanted you to know that I have set up a Cancer
> 	Survivors network on my host machine.  It requires telnet access
> 	for now, but we are hoping to find an easier way to access the
> 	computer in the near future.  Please give it a try by telneting
> 	to all.net."

Excellent example.  This would not be a criminal conspiracy unless some
of the participants became accomplices after the fact by lying about the
source of the message and actively creating their own similar messages. 
Then they would become co-conspirators.  That's what appears to have
happened here. 

...
> My point, and I realize I am taking a long time getting there, is that
> at the very least you should provide a warning banner when folks telnet
> to you site telling them that an unauthorized telnet attempt will be
> considered an intrusion. 

We express this in our finger daemon:
		No users are allowed on this system

In the case of telnet, we don't want people getting that far into our
system because we believe that such mechanisms may be breakable by high
volume attacks.  We prefer to stop things at the earliest possible phase
and to have layered defenses after that.
---------------------------------------------
Subject: Re: IW Mailing List iw/960313 
Date: Thu, 14 Mar 1996 10:02:56 -0500
From: "Michael G. Reed" 

|> Well congrats for sparking the list back to life! I think it is
|> definitely an IW attack at the Class I level, but I would agree with
|> most of the comments from the list that perhaps [all.net is] overreacting. 

	Over reacting, no, inflaming the situation, yes.  It is well
within the rights of all.net to treat attempted telnets to their
machine as attempted break-ins if the proper notification has been
given; but personally, I think their handling of the situation is
quite silly.  One does not get up on a soap box and scream and shout
to the world like this -- it just invites (no, begs) more attacks.
Instead, you deal with it in the professional manner that system
administrators have used for years -- contact other admins and deal
with the problem directly.

	The big problem is *ARE YOU SURE* you have the right people?
IP spoofing is trivial these days (a problem that won't be solved
until IPv6, if even then) and it would be very easy to mount a
concerted attack that *NO ONE* would be able to track down unless you
start looking at backbone router logs (which I seriously doubt are
being generated or kept) or placing sniffers all over the Internet.

[Moderator's Note:  Apparently all.net has this well covered because of
their previous efforts in automated vulnerability testing.]

...
	Actually, there are both CERT and DoD bulletins on appropriate
warning banners.  These banners should (ideally) be displayed *PRIOR*
to login (ie, before the login prompt), but most OS's today don't
allow for this and as such the banners are normally displayed in the
motd.  For us (DoD/USN), the message is as follows (at least this is
what is showing up on all of our machines):

                            * * *   WARNING!   * * *
 
                This is a U.S. Government/Department of the Navy
                         Automated Information System.
        This system may be used only for unclassified official business.
                Unauthorized use of this system is prohibited by
                   Title 18, Section 1030, United States Code.
 
   Department of the Navy Automated Information Systems and related equipment
   are intended for the communication, processing and storage of U.S.
   Government information, and are subject to monitoring to ensure proper
   functioning, to protect against improper or unauthorized use or access, to
   verify the presence or performance of applicable security features or
   procedures, and for other like purposes.  Such monitoring may result in
   the acquisition, recording, and analysis of all data being communicated,
   transmitted, processed or stored in this system by a user.  If monitoring
   reveals evidence of possible criminal activity, such evidence may be
   provided to law enforcement personnel.
 
    * * *  USE OF THIS SYSTEM CONSTITUTES CONSENT TO SUCH MONITORING.  * * *
 
     Send questions and/or problem reports to root@foobar.mil

|> Let me first start by saying that a telnet attempt is the first and most
|> obvious step in any electronic intrusion. ...
|> Telnet's only purpose is to establish access. 

	I think this is stretching the law a bit.  Let me give you an
analogy: Suppose I walk up to a military installation.  At the gate
they will ask me for my pass, but I don't have one on me.  Now, as
long as I do not attempt to enter, and leave the grounds at that
point, have I done anything wrong?  Is my attempt to "break in"
illegal?  I would contend no.  Now, if I had been trying to scale the
fence at the time I was detected, that is a COMPLETELY different
story, but by following normal protocol I am within my rights.  This
doesn't preclude handling denial-of-service attacks either.  If I
continually walk up to the military installation and ask for entry
without the proper pass, then I am *POSSIBLY* breaking the law
(disturbing the peace or harassment at the minimum) or if there are
big signs (which I ignore) stating that unauthorized attempts to enter
will result in prosecution, then I *AM* breaking the law.

|> As for alerting an administrator, it is extremely likely that a person
|> trying to get into one system also tries to get into dozens of others. 
...

	Yes, this is what all system administrators should do.  I am
not saying that systems should hide the fact that they are (or have
been) attacked, but that they should handle it professionally and not
throw a tantrum (I'm sorry, but that's what all.net's message looks
like to me -- a tantrum -- my personal take on reading it).

	Security on the Internet is a *MAJOR* problem today, the
problem is that few people realize this (or to what extent it is a
problem).  The one good thing coming out of all of all.net's attention
to this "attack" is the quality discussions about security, the
handling of threats, and what should be done in the future.

[Moderator's Note: The all.net banner is shown above.]

---------------------------------------------
Date: Thu, 14 Mar 1996 10:24:03 -0800 (PST)
From: watson@tds.com
Subject: Re: hackers and the law

>[Moderator's Note: I believe that the federal computer abuse statutes
>don't require a warning banner.  If they did, than any denial of service
>attack that ignored responses would be legal.]

There was a CERT or CIAC about late 1992, and a sidebar in Cheswick and 
Bellovin that summarizes the fuzzy state of this assertion.  Apparently, 
the attackee has some risk of prosecution under wiretap laws if actions 
are taken against an attacker without proper notice.  The warning banner 
is considered necessary defense against the attacker's lawyers when he 
claims he was "just knocking on the door."  I haven't heard of a clear 
precedent on this.  Probably varies by jurisdiction, phase of the moon, 
etc.  I would encourage those who post on this topic to state their legal 
credentials.

[Moderator's Note: I'll bite - what are your legal credentials?]
---------------------------------------------