Re: Recent Attacks

[David LeBlanc <dleblanc () mindspring com>]

At 08:10 PM 2/19/00 -0800, Ryan Russell wrote:

> Mixter says he didn't mean for anyone to use his tool like that.

Quite frankly, I call bullshit.  What else can it be used for?  Maybe he
didn't mean for it to cost people huge amounts of money, and make CNN, but
what else can you do with it?  It is _designed_ to avoid detection.

> And for the moment, I'm not talking about use,
> I'm talking about production.  

I'm not concerned about production.  I'm concerned about use.  I can fondle
my gun all day long, and nothing is illegal.  As soon as I hurt someone
with it, I've violated the law.  If I give it to a bunch of children, and
encourage them to go shoot up the playground, I've also violated laws.
That's where Mixter is on very, very thin ice.

> Internet Scanner is as close to antitank
> weaponry as you're going to get for security tools.

Please.  I wrote nearly all the NT checks, and ported a lot of the UNIX
checks.  It's a good tool, but not in that class.  It comes close to
leveling the playing field between the admins and the script kiddies.  Two
main points - it will always take ISS weeks to come up with the newer
exploits (sometimes months), and the scanner is noisier than hell.  Plus, I
don't think anything other than the NT version has ever hit the warez sites
- this means that it is almost certainly being run from the machine the
hacker is sitting in front of.  It is INCREDIBLY, and INTENTIONALLY noisy.
You'd be hex editing all day long to get that out of it, and even so, it
will leave HUGE tracks, especially against UNIX boxes.  No sane hacker is
going to use it.  Using the scanner against an unauthorized network is a
really good way to end up in jail quickly.  Even the initial ping sweeps
have information in them.  If running it doesn't sound alarms, then
something is wrong. _I_ do not use it if I wish to be stealthy even when I
have a get out of jail free card.  Plus, it is really slow, and is getting
slower.  Takes a long time to run.  You scan the wrong network, and the
cops will be at the door before it finishes.

> And once you outlawing tools, you eventually outlaw all security tools.
> Start with TFN, since it's 95% evil.  Next, get L0phtcrack since it's 80%.
> Then COPS, it's 60%.  Internet Scanner is about 40-50%, so it won't be
> long for that tool.  We'll be left with MS' c2config.  Whee.

I think this is an overreaction.

> > I'm going to stand over here with the people who
> > are sick of it, won't tolerate it, and are trying to be part of the
> > solution.

> Either that, or it will swing my way, and apologists for law enforcement's
> abuses of hackers will be the minority.  (I know, not likely, but I can
> hope.)

Considering that computer crime largely goes unprosecuted, and that people
are running around blaming the victim, I think we're going to have to swing
a long way towards law enforcment before we've gone too far.  If you spray
painted someone's physical storefront, there would be no question that you
were a vandal and a criminal.  If hackers could have stuck to just cruising
around, not tampering with things, and learning, 'hacker' wouldn't be a
dirty word.  Instead, we've got a bunch of juvenile dumbasses going around
screwing up people's business, costing them real money, and surprise,
surprise, surprise, now there is going to be a crackdown.  What did you
expect?

Also consider that getting in the way of legitimate business tends to give
people problems - the fact that a legitimate security tool business exists
means that the laws won't come down too hard on making the tools - just
using them illegally will get you nailed.  Consider that Sen. Sam Nunn
works closely with ISS, and Tom Noonan went to the White House - ISS is
extremely well politically connected (due largely to some very astute moves
on Noonan's part).  I don't think that making tools to check your own
network with are going to be illegal any time soon.


David LeBlanc
dleblanc () mindspring com