Merit Network
Can't find what you're looking for? Search the Mail Archives.
  About Merit   Services   Network   Resources & Support   Network Research   News   Events   Home

Discussion Communities: Merit Network Email List Archives

North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: Netgate.net.nz/ORBS spam colusion

  • From: Alex P. Rudnev
  • Date: Mon Jan 10 00:30:21 2000

Hmm, what does mean _PROBE? If my Unix open TCP connection with You windows, it
does not mean I probe YOUR property; this deal concern this twoi OS only... I do
not think anyone except may be Americal lawers (ORBS are out of their scope) can
accuse them; they only run some anty-relkaying system, not more...


It looks like Y2K problem. Don't be too paranoyed about them; block them if
they bother you, and forget this problem. Even if some lawers can open the
suite, it's 100% useless.



On Sat, 8 Jan 2000, Dean Anderson wrote:

> Date: Sat, 08 Jan 2000 17:30:15 -0500
> From: Dean Anderson <dean@av8.com>
> To: Owen DeLong <owen@dixon.delong.sj.ca.us>, wsimpson@greendragon.com,
     william@dso.net
> Cc: nanog@merit.edu
> Subject: Re: Netgate.net.nz/ORBS spam colusion
> 
> 
> Around 08:14 AM 1/8/2000 -0800, rumor has it that Owen DeLong said:
> >
> >
> >However, I must question whether the activity Dean discusses is actually
> >criminal.  He does not accuse them of carrying out the attacks, he
> >accuses them of transporting information published by a third party
> >which notifies the world that his site is vulnerable to these attacks.
> 
> Umm, for the record, I do make such an accusation. When they probe a
> non-public government computer, they are violating 18 USC 1030 Sections
> 2(b), 2(c), and 3.  Those are criminal violations.  You simply may not
> probe government computers. Doing so is immediately a crime.  The $5000
> limit is only for non-government computers.
> 
> Then they do other things, some of which are criminal (fraud is criminal),
> and some of which may not be.
> 
> >Since Dean has published information to NANOG and other public forums
> >stating that:
> >	1.	His sites _ARE_ vulnerable.
> 
> My customer shell servers' telnet sessions are vulnerable to password
> theft, and password guessing. So are yours. So what?
> 
> >	2.	He has no willingness to fix these vulnerabilities.
> 
> There isn't anyway to fix them.  There may be a protocol extension in the
> future, but its not here yet.  I've been through this with 50 people in the
> last 6 months.  That doesn't permit others to exploit them.
> 
> >	3.	He intends to make the internet at large responsible
> >		for his negligence WRT these sites.
> 
> We have no negligence. And we do not hold the internet at large
> responsible. Just those that exploit protocol vulnerabilites, and those who
> assist with the exploitation.  If your customer commits crimes, and you
> don't do anything about it after complaints are made, I expect that you
> bear responsibility and liability.
> 
> >I seriously doubt that publishing a list of known public-nuissances
> >is genuinely illegal.  Further, unless Dean has presented netgate
> >with a court-order showing that the court has indeed found said
> >activity to be illegal, I think they would be negligent in turning
> >off said service.
> 
> So publishing a list of sites which have vulnerabilities detected by SATAN
> scans wouldn't be illegal?  Thats what you are saying.
> 
> As far as court orders go, the point of this discussion is to make sure we
> have exhausted all non-litiguous options.
> 
> >How would you like it if your ISP shut you down because I
> >complained to them that you were sending out messages that
> >contained information that was publicly available, but which
> >I didn't want published?  That's what Dean's really saying.
> 
> No, its not what I'm saying.  Would you object if I published a list of
> your servers which could be broken into, and said that it was OK with you
> to break into those systems?  I think you would.  
> 
> But if you wouldn't mind, I'll be happy to have your permission to scan
> your net with SATAN and publish a web page for the script kiddies.  What
> was that? You don't give me permission?  I didn't think so.
> 
> 
> 
> ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
>            Plain Aviation, Inc                  dean@av8.com
>            LAN/WAN/UNIX/NT/TCPIP          http://www.av8.com
> ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
> 
> 

Aleksei Roudnev,
(+1 415) 585-3489 /San Francisco CA/






Discussion Communities


About Merit | Services | Network | Resources & Support | Network Research
News | Events | Contact | Site Map | Merit Network Home


Merit Network, Inc.