Around 08:14 AM 1/8/2000 -0800, rumor has it that Owen DeLong said:
However, I must question whether the activity Dean discusses is actually criminal. He does not accuse them of carrying out the attacks, he accuses them of transporting information published by a third party which notifies the world that his site is vulnerable to these attacks.
Umm, for the record, I do make such an accusation. When they probe a non-public government computer, they are violating 18 USC 1030 Sections 2(b), 2(c), and 3. Those are criminal violations. You simply may not probe government computers. Doing so is immediately a crime. The $5000 limit is only for non-government computers. Then they do other things, some of which are criminal (fraud is criminal), and some of which may not be.
Since Dean has published information to NANOG and other public forums stating that:
1. His sites _ARE_ vulnerable.
My customer shell servers' telnet sessions are vulnerable to password theft, and password guessing. So are yours. So what?
2. He has no willingness to fix these vulnerabilities.
There isn't any way to fix them. There may be a protocol extension in the future, but it's not here yet. I've been through this with 50 people in the last 6 months. That doesn't permit others to exploit them.
3. He intends to make the internet at large responsible for his negligence WRT these sites.
We have no negligence. And we do not hold the internet at large responsible. Just those that exploit protocol vulnerabilities, and those who assist with the exploitation. If your customer commits crimes, and you don't do anything about it after complaints are made, I expect that you bear responsibility and liability.
I seriously doubt that publishing a list of known public-nuisances is genuinely illegal. Further, unless Dean has presented netgate with a court-order showing that the court has indeed found said activity to be illegal, I think they would be negligent in turning off said service.
So publishing a list of sites which have vulnerabilities detected by SATAN scans wouldn't be illegal? That's what you are saying. As far as court orders go, the point of this discussion is to make sure we have exhausted all non-litigious options.
How would you like it if your ISP shut you down because I complained to them that you were sending out messages that contained information that was publicly available, but which I didn't want published? That's what Dean's really saying.
No, it's not what I'm saying. Would you object if I published a list of your servers which could be broken into, and said that it was OK with you to break into those systems? I think you would. But if you wouldn't mind, I'll be happy to have your permission to scan your net with SATAN and publish a web page for the script kiddies. What was that? You don't give me permission? I didn't think so.

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Plain Aviation, Inc          dean@av8.com
LAN/WAN/UNIX/NT/TCPIP        http://www.av8.com
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++