On Mon, Oct 06, 1997 at 09:30:11PM -0500, Phil Howard wrote:
Steve Mansfield writes...
[snip snip snip]
S'okay. Have the feds subpoena UUNET for the connect logs for these max'es. UUNET keeps the logs and is capable, given the exact time of the attack(s), of going through the logs, identifying exactly who it was, and if it's one of their customers, giving the personal info to the feds. If it's a reseller's customer, they can get the user info and forward it to the reseller and inform the feds who they need to talk to for the personal info. Whoever it was is as good as nailed.
Unless it was a stolen account. With more and more "naive" users coming online, the chance of this kind of thing happening is greater and greater. You can shut off the account. Feds can visit the home of whoever owns the account. They can even be blocked from ever getting any account at any ISP for life. But if this possibility is fact, you won't have the perp and they can attack again.
Now if the telco has records of all the phone calls you can find out where the calls actually came from. Maybe that's the perp. Maybe not.
What is ultimately needed is some better real time detection of this kind of thing sufficiently deployed so that it is present on all routers where the exposure exists. You may not catch the perp, but you might reduce the damage it causes.
How to encourage this to be done is left as an exercise for the reader.
Uh, the other side of this is that if it was done over ISDN, then the ANI of the caller *IS* in the logs on the ISP side. Even if the account is stolen, the access point is known. -- -- Karl Denninger (karl@MCS.Net)| MCSNet - Serving Chicagoland and Wisconsin http://www.mcs.net/~karl | T1's from $600 monthly to FULL DS-3 Service | NEW! K56Flex modem support is now available Voice: [+1 312 803-MCS1 x219]| 56kbps DIGITAL ISDN DOV on analog lines! Fax: [+1 312 803-4929] | 2 FULL DS-3 Internet links; 400Mbps B/W Internal