Around 08:14 AM 1/8/2000 -0800, rumor has it that Owen DeLong said:
However, I must question whether the activity Dean discusses is actually criminal. He does not accuse them of carrying out the attacks, he accuses them of transporting information published by a third party which notifies the world that his site is vulnerable to these attacks.
Umm, for the record, I do make such an accusation. When they probe a non-public government computer, they are violating 18 USC 1030 Sections 2(b), 2(c), and 3. Those are criminal violations. You simply may not probe government computers. Doing so is immediately a crime. The $5000 limit is only for non-government computers. Then they do other things, some of which are criminal (fraud is criminal), and some of which may not be.
Since Dean has published information to NANOG and other public forums stating that: 1. His sites _ARE_ vulnerable.
My customer shell servers' telnet sessions are vulnerable to password theft, and password guessing. So are yours. So what?
2. He has no willingness to fix these vulnerabilities.
There isn't any way to fix them. There may be a protocol extension in the future, but it's not here yet. I've been through this with 50 people in the last 6 months. That doesn't permit others to exploit them.
3. He intends to make the internet at large responsible for his negligence WRT these sites.
We have no negligence. And we do not hold the internet at large responsible. Just those that exploit protocol vulnerabilities, and those who assist with the exploitation. If your customer commits crimes, and you don't do anything about it after complaints are made, I expect that you bear responsibility and liability.
I seriously doubt that publishing a list of known public-nuisances is genuinely illegal. Further, unless Dean has presented netgate with a court-order showing that the court has indeed found said activity to be illegal, I think they would be negligent in turning off said service.
So publishing a list of sites which have vulnerabilities detected by SATAN scans wouldn't be illegal? That's what you are saying. As far as court orders go, the point of this discussion is to make sure we have exhausted all non-litigious options.
How would you like it if your ISP shut you down because I complained to them that you were sending out messages that contained information that was publicly available, but which I didn't want published? That's what Dean's really saying.
No, it's not what I'm saying. Would you object if I published a list of your servers which could be broken into, and said that it was OK with you to break into those systems? I think you would. But if you wouldn't mind, I'll be happy to have your permission to scan your net with SATAN and publish a web page for the script kiddies. What was that? You don't give me permission? I didn't think so.
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Plain Aviation, Inc dean@av8.com
LAN/WAN/UNIX/NT/TCPIP http://www.av8.com
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
At 5:30 PM -0500 1/8/00, Dean Anderson wrote:
Around 08:14 AM 1/8/2000 -0800, rumor has it that Owen DeLong said:
However, I must question whether the activity Dean discusses is actually criminal. He does not accuse them of carrying out the attacks, he accuses them of transporting information published by a third party which notifies the world that his site is vulnerable to these attacks.
Umm, for the record, I do make such an accusation. When they probe a non-public government computer, they are violating 18 USC 1030 Sections 2(b), 2(c), and 3. Those are criminal violations. You simply may not probe government computers. Doing so is immediately a crime. The $5000 limit is only for non-government computers.
Wait, let me get something clear here...
18 USC 1030... USC == United States Code
netgate.net.nz ... nz == New Zealand
Does the US somehow have jurisdiction over people in another country? Last time I checked, New Zealand was a sovereign country, and its citizens were bound by its OWN laws, and not the laws of the USA.
D
Hmm, what does _PROBE mean? If my Unix opens a TCP connection with your Windows, it does not mean I probe YOUR property; this deal concerns these two OSes only... I do not think anyone except maybe American lawyers (ORBS are out of their scope) can accuse them; they only run some anti-relaying system, not more... It looks like the Y2K problem. Don't be too paranoid about them; block them if they bother you, and forget this problem. Even if some lawyers can open the suit, it's 100% useless.
On Sat, 8 Jan 2000, Dean Anderson wrote:
Date: Sat, 08 Jan 2000 17:30:15 -0500
From: Dean Anderson <dean@av8.com>
To: Owen DeLong <owen@dixon.delong.sj.ca.us>, wsimpson@greendragon.com, william@dso.net
Cc: nanog@merit.edu
Subject: Re: Netgate.net.nz/ORBS spam colusion
Around 08:14 AM 1/8/2000 -0800, rumor has it that Owen DeLong said:
However, I must question whether the activity Dean discusses is actually criminal. He does not accuse them of carrying out the attacks, he accuses them of transporting information published by a third party which notifies the world that his site is vulnerable to these attacks.
Umm, for the record, I do make such an accusation. When they probe a non-public government computer, they are violating 18 USC 1030 Sections 2(b), 2(c), and 3. Those are criminal violations. You simply may not probe government computers. Doing so is immediately a crime. The $5000 limit is only for non-government computers.
Then they do other things, some of which are criminal (fraud is criminal), and some of which may not be.
Since Dean has published information to NANOG and other public forums stating that: 1. His sites _ARE_ vulnerable.
My customer shell servers' telnet sessions are vulnerable to password theft, and password guessing. So are yours. So what?
2. He has no willingness to fix these vulnerabilities.
There isn't any way to fix them. There may be a protocol extension in the future, but it's not here yet. I've been through this with 50 people in the last 6 months. That doesn't permit others to exploit them.
3. He intends to make the internet at large responsible for his negligence WRT these sites.
We have no negligence. And we do not hold the internet at large responsible. Just those that exploit protocol vulnerabilities, and those who assist with the exploitation. If your customer commits crimes, and you don't do anything about it after complaints are made, I expect that you bear responsibility and liability.
I seriously doubt that publishing a list of known public-nuisances is genuinely illegal. Further, unless Dean has presented netgate with a court-order showing that the court has indeed found said activity to be illegal, I think they would be negligent in turning off said service.
So publishing a list of sites which have vulnerabilities detected by SATAN scans wouldn't be illegal? That's what you are saying.
As far as court orders go, the point of this discussion is to make sure we have exhausted all non-litigious options.
How would you like it if your ISP shut you down because I complained to them that you were sending out messages that contained information that was publicly available, but which I didn't want published? That's what Dean's really saying.
No, it's not what I'm saying. Would you object if I published a list of your servers which could be broken into, and said that it was OK with you to break into those systems? I think you would.
But if you wouldn't mind, I'll be happy to have your permission to scan your net with SATAN and publish a web page for the script kiddies. What was that? You don't give me permission? I didn't think so.
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Plain Aviation, Inc dean@av8.com
LAN/WAN/UNIX/NT/TCPIP http://www.av8.com
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Aleksei Roudnev, (+1 415) 585-3489 /San Francisco CA/
The spam issue is serious no doubt, but unless everyone understands the implications of attempting to apply U.S. law to please understand some basic concepts and reality. First the alleged violation has to be according to the letter of the law that is being applied, exactly by the letter of the law. Let's be very realistic, do we really want to seek to apply U.S. law to those outside the U.S.? If this is the case then the end result could be the reverse, perhaps China would seek to apply Chinese law to American ISPs, network administrators, the end result being Americans who have never been to China being sentenced to life in prison or to death for posting matters the Chinese Government considers offensive. The witch hunt I see to address spamming is illogical and futile. Let me be very blunt, until someone is willing to take action all this talk about dealing with spammers is nothing more than saber rattling and is useless. I am an attorney in Massachusetts, and my experience is people get upset about spam and without exception no one is willing to follow through, I used to be willing to deal with spammers pro bono, but having been burned more than enough times by people "getting over it" that has passed. Talk is cheap.
participants (4)
- Alex P. Rudnev
- Charles E. Yow, Esq.
- Dean Anderson
- Derek J. Balling