Re: I got an intruder ...

Julian Assange (proff@suburbia.net)
Fri, 17 Nov 1995 11:13:37 +1100 (EST)

Spaf, thank you for your in-depth reply. I don't agree with all of your
views as you are no doubt already aware, but at least your message was
detailed. 

I am going to make a rather large number of generalizations, because they
happened to fit the vast majority of events and persons involved. I am
in an undiplomatic mood, so I'm going to be fairly harsh. There are exceptions
on both sides of the fence, some of whom I have the greatest respect for
and am proud to have had an involvement with.

> First of all, there are some environments where the security admin is
> required, as a matter of law, to report the incident and cooperate
> with law enforcement personnel.  For instance, computers that are part
> of a government operation (esp. military), or certain forms of
> regulated financial institution may require reporting.

That may sometimes be the case. However, the original post which sparked
this dialog suggested that the computer manager concerned had quite
some discretion over the matter. Indeed he had asked his associate,
who forwarded the question to the IDS list, exactly how he should
proceed, i.e. how that discretion should be exercised. If the manager
was mandated to escalate the penetration into a law enforcement
backed investigation then there would be no question as to how
he should conduct his response.

[...]
> or espionage).  For example, if I discover that hackerX has
> compromised my system and is using it to hack into Bank of America,
> and I do nothing, then I might possibly be the target of a civil suit
> by the bank as it attempts to recoup some losses...or set some
> examples.

I don't believe there is any such precedent for this; though it may be
a theoretical legal attack. Political realities are always more important
than legal ones. Though, be warned. My current opinion of the legal
profession is at an all time low. I have yet to encounter a more rigid and
uncreative set of individuals (with some notable, but unfortunately rare
exceptions).

Now for the flip side of the coin. I am aware of many institutions that
have naively contacted law enforcement investigators about their systems
being used as a "launch pad" or routing point for further penetration
into other systems. In one particular case the police forced the
penetrated institution to allow the intruders to have free rein of
their systems for over three months, in order to conduct extensive
packet logging. The disingenuous `care factor is low' attitude shown to
the hackers by the administrators only served to encourage them. Unfettered
use of the institution's computer systems was a great boon to the hackers.
In other words, the institution knowingly AIDED the hackers' illegal
activities.

After several months, the hackers had penetrated literally thousands of
sites via the institution's machines. They had used those machines to
develop various security penetration programs. The institution developed a
bad reputation among the network community as it was seen as the source
of an increasing number of attacks.

They eventually saw the light and severed their involvement with the
police - who immediately went up to the highest level of management and
applied strong political pressure to force their continued association.

Feed the devil with a short spoon and you just may lose your whole
arm.

Police are like journalists. They want the BIG bust. It gets them
promoted. It gets their section/unit (in this case computer crime)
publicity, status and FUNDING. Why bust a couple of "teenage computer
hobbyists" for penetrating one or two sites, which won't even make the
papers, when you can wait three, four, six months or a year and bust "an
international ring of computer thieves who broke into thousands of sites
around the globe".

If a crime is occurring then it should be stopped immediately. Though
real-world analogies are dangerous in this field, let's look at one for a
moment, concentrating only on the law enforcement aspect. 

I think most people would find this kind of police "logic" obscene:

     Why bust a rapist when you can bust a SERIAL rapist! Normal rapists
     hardly even make the papers these days. Convicting/arresting one
     won't bring you much status or funding. It's not something one can
     brag about to other police, or wear with pride on your lapel.  It
     probably won't even get an operation name. Our suspect raped
     someone in Exhibition park. We will make it a bit easier for him,
     by turning off the overhead lighting. We will force the park
     management to help us. Then we will set up infra-red
     surveillance behind the size 19 green waste bin. We will tap his
     phone and videotape him walking from and to his residence following
     each rape. When he has raped a few hundred women over the course of
     a year, we will bust him big time. It will be a gala event. Our
     evidence will be fantastic!  We will have arrested one of the worst
     serial rapists in the history of this country! The trial will be
     HUGE.

> Given all that, how do you decide what to do?  Well, like anything
> else in computer security, you need to do some cost-benefit analysis
> based on threat, loss, and effect.  Here are some of the things you
> need to take into account with such an analysis:

Exactly.

> + successful investigations and prosecutions help decrease the overall
>   threat by taking some hackers off the wires, and by discouraging
>   others.

I strongly disagree. I believe it only serves to glamorise and stimulate
the potential body of hackers in the wider community.  As for active
hackers, the majority will merely become (and indeed have become) far
more occulted in their behavior. It may look as if the hackery in your
part of the world has decreased, but only because your eyes are not good
enough to see what is under your nose. You can forget trying to talk
unix_junky-unix_junky (etc) with them in any country where there is a
climate of immediate legal retaliation. You can forget wooing them into
telling you what they were doing in your system, or telling you what the
security holes were.

> + successful investigations etc. may cut down on threat to you from 
>   hackers (or at least the wannabes) by making you a more dangerous
>   target to mess with.  (Example: on our campus, it is well known that
>   some departments aggressively investigate and prosecute misuse,
>   including expulsion from the university and arrest.  Those
>   departments have less security incidents than those with a "let it
>   be" attitude.)

I'd rather spend my time on making my network secure than persecuting my
students. Isn't this really just another form of STO? Where the O is
really "Retaliation after the event"? At which department would you rather
be a student? I recall many moons ago being at one like you describe.
I mistyped "du" as "su", only to find my account suspended the next
day. It did not aid my studies or serve to further my respect for the 
computer managers who ran the computing facilities. Incidentally,
over several years, they were involved in major police investigations
at least a dozen times. They continue to have numerous security incidents,
which undoubtedly has more to do with their continued reliance on
unshadowed passwords, YP and NFS than their draconian discipline policy.

> + successful investigations can sometimes be a prelude to recovering
>   losses via a civil judgement

It is extraordinarily unlikely that any such civil judgement for compensation,
years after the event, will cover anything like the costs of such an
entanglement, and even if it did the likelihood is that it will
never be paid by the defendant, who has no doubt spent all his money and
then some on his defence.

> + successful investigations can result in better security.  For
>   instance, I know of several cases where firms found that they had
>   other, undiscovered security problems.  The way they found this was
>   when they had search warrants executed against suspects in security
>   cases and the authorities discovered evidence of other problems.

You are correct in stating this has happened. However I have never heard of
a more idiotic way to secure a network. Relying on evidence obtained
from some individual of dubious qualifications, who in all likelihood
was only interested in a small part of your network for a specific
purpose over a short period, months or years before you receive a copy
of the seized information, is indescribably foolhardy. Hire a professional
and get the job done properly.

> + investigations may result in reduced insurance rates, and certainly
>   in helping reduce your liability profile.

I'm ill informed on how the insurance industry operates. However having
a car accident (and of course learning from the very memorable
experience) tends only to increase your insurance fees.

Get a professional security group to assess your security.
Surely it's more advisable to tell your insurance fund "We have had an
independent expert security professional assess our security
liabilities. He made 38 recommendations and we have implemented 37 of
them", as opposed to "Our security was so bad it was breached. We
suffered some losses. The police were called in.  An international law
enforcement investigation was started; it may be years before the matter
makes it out of the criminal jurisdiction. We have performed an internal
audit, and we now rate ourselves as being A-OK."

> - investigations may be time and labor intensive.

You're not wrong.

[...]

> - investigations may result in negative publicity about the incident 
>   (however, a good PR person can often spin this to a positive)

I'd prefer not to take the risk in the first place. If you have the
choice between an already good reputation, a partially soiled reputation
or a slightly better reputation I'd advise to choose the former (call
me conservative).

[...]

[...some good points about not knowing a penetrators motivations, or
 the depth of their penetration...]

If your computer systems need to be secure, and you find out they are
not secure, then they should be secured. That securing process may take
considerable time and energy. That an intruder was in your systems is to
some extent irrelevant. If you did not have good
security/auditing/intrusion detection/binary signatures at any point in
the past and you were connected to an untrusted network then you must
assume that not only has your network been penetrated but that all
manner of backdoors were installed. This has been a difficult issue
for me and other security people and one that clients certainly
do not want to hear.

I agree that an investigation may be required to ascertain what the
intruder's detailed actions and motivations were; at a level
proportional to the value and confidentiality of the material stored on
the breached network. Police rarely have the expertise or motivation to aid
in this procedure to any significant degree. If you don't have the expertise
in-house then hire someone who does. Once you have analysed what has 
happened, present the information you have to senior management. Let them
decide if it's worth the risk and expense of taking it further.

>   3) The field of computer crime investigation is new.  Law enforcement
> personnel are learning as they go.  They need good cases and
> cooperation to get that experience, though.  Not every case will
> work.  But more will as time goes on.  And more resources will become

I'm sorry to say it, but computer crime police take the easy way out.
They go after kids not professionals. If someone thinks they are a part
time secret agent because they do the digital equivalent of helping the
FBI bust graffiti artists and pranksters they are very deluded.

What's worse is a bizarre vicious circle forms, where the hackers like
to believe they are international data commandos because they are
generally immature, introverted personalities with fragile egos, and the
police and their informants like to believe they are CI operatives on
some mission from God. The hackers want to believe the police line, and
the police want to believe the hacker line. Together they have a pact,
of which neither would be proud.  These self-delusions act in unison to
increase their respective status to themselves and among their peers and
the broader community.

Many people in this industry do not want to hear this sort of thing; it
devalues their work and I'm sure I shall win no friends by stating it.
However I find the current climate of self-hype and lack of rigorous
objectivity altogether unpalatable. It is one thing to create publicity
to recruit clients or garner next year's funding; it's another when you
actually start believing it.

The latest dogmatic neurosis over internet credit card transactions is
very symptomatic. Credit card transactions never were secure. They
didn't suddenly become insecure when people started using them on the
'net.

-- 
+----------------------------------+-----------------------------------------+
|Julian Assange                    | "if you think the United States has     |
|FAX: +61-3-9819-9066              |  stood still, who built the largest     |
|EMAIL: proff@suburbia.net         |  shopping centre in the world?" - Nixon |
+----------------------------------+-----------------------------------------+
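
The message above argues that without an integrity baseline ("binary
signatures") taken before a compromise, an administrator must assume
backdoors were installed, because there is no way to tell afterwards what
an intruder changed. What follows is an added example illustrating that
point in working code; it is not code from the original message or its
author. It records a SHA-256 digest of every regular file under a
directory, saves the baseline as JSON, and later reports which files were
modified, added or removed. The directory tree, the file contents, the
"trojaned login" and the JSON layout are all constructed for illustration.

```python
"""File-integrity baseline: the 'binary signatures' the post refers to.

Added example, not from the original message. It records a SHA-256 digest
of every regular file under a directory, stores that baseline as JSON, and
later reports which files were modified, added or removed. The directory
tree, file contents and tampering in demo() are constructed for illustration.
"""
import hashlib
import json
import os
import tempfile


def sha256_file(path, chunk=1 << 16):
    """Digest a file in chunks so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root):
    """Map each regular file under root (path relative to root) to digest and size.

    Symlinks are skipped: following them would let an intruder point a
    'trusted' path at a harmless file elsewhere and pass the check.
    """
    baseline = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = {"sha256": sha256_file(full),
                             "size": os.path.getsize(full)}
    return baseline


def compare(baseline, current):
    """Return sorted lists of modified, added and removed paths."""
    old, new = set(baseline), set(current)
    return {
        "modified": [p for p in sorted(old & new)
                     if baseline[p]["sha256"] != current[p]["sha256"]],
        "added": sorted(new - old),
        "removed": sorted(old - new),
    }


def save_baseline(baseline, path):
    with open(path, "w") as f:
        json.dump(baseline, f, indent=1, sort_keys=True)


def load_baseline(path):
    with open(path) as f:
        return json.load(f)


def demo():
    """Baseline a constructed tree, tamper with it as an intruder might, and diff.

    The tampering is a same-size trojaned 'login' (size alone would not
    catch it), a new file dropped in bin/, and a deleted log.
    """
    with tempfile.TemporaryDirectory() as root, \
         tempfile.TemporaryDirectory() as store:   # in practice: offline media
        bindir = os.path.join(root, "bin")
        os.makedirs(bindir)
        with open(os.path.join(bindir, "login"), "wb") as f:
            f.write(b"ELF-login-v1.0\n")            # constructed stand-in for a binary
        with open(os.path.join(root, "messages.log"), "wb") as f:
            f.write(b"Nov 17 11:13:37 host login: session opened\n")  # constructed log line

        baseline_file = os.path.join(store, "baseline.json")
        save_baseline(build_baseline(root), baseline_file)

        with open(os.path.join(bindir, "login"), "wb") as f:
            f.write(b"ELF-login-v1.O\n")            # same length, different bytes
        with open(os.path.join(bindir, "sh.bak"), "wb") as f:
            f.write(b"backdoor\n")
        os.remove(os.path.join(root, "messages.log"))

        return compare(load_baseline(baseline_file), build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

The baseline and the checking tool have to live on media the host cannot
write to, and the check has to be run with a binary you trust; a host that
was already compromised can lie about its own files, which is exactly why
the message says to assume backdoors when no such baseline existed before
the intrusion.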