Who is here?
69 responses total.
Well, obviously, *I* am. :-)
Well, I wouldn't call myself a "refugee", but here I am. Looks like a nice place here.
I wonder why that particular title was chosen for this item. Has there been some sort of policy change there or something?
I wonder too. Brenner and bubbles are sort of refugees.
The well has been down for two days. Is bubbles still around?
No policy change, just 2 days of downtime for a hardware and security upgrade due to some major system cracking you may have read about in the national press. Kevin Mitnick...are you familiar with this? Made the New York Times. Anyway, I'm Michael Newman, 4.5 year veteran of the WELL, and host of several conferences over there. Nice to be here.
brenner slipped in (so, that happens here too) FYMW ;-)
Nice to have you here jstraw. Have you checked out the other conferences? The cyberpunk conference that I fairwitness has some info on Mitnick's latest activities.
Welcome to Grex Michael. Hope you stick around after the Well comes back up. Hopefully the security measures being taken will do the intended things, and not create any new holes. I hadn't known about Mitnick using the Well.
From what I read, the people who run The Well sat there and watched as Mitnick hacked at them for several weeks, so as not to tip him off that he was being watched. It was by watching him on The Well that the Feds were able to figure out where he was.
Welcome to Grex, everyone. Hope you find Grex to be better than the Well. (it is!)
What is the address of the WELL? Also, I'm very curious about Mitnick. What is the story concerning him?
This response has been erased.
Wow! Welcome to Grex all of you from the Well. I had entered these comments on Monday in our cyberpunk conference (j cyber), but there has been no response there. I don't think too many people are paying attention to that conference. ---copied from cyberpunk--- Has any reader of this conference been following the exploits of Kevin Mitnick? He broke into the Well and netcom.com recently, obtained root, read people's mail, stole the credit card numbers of all the paying accounts, and then used IP spoofing to get past the firewall protecting Tsutomu Shimomura's computers - stealing security programs. Shimomura is a noted internet security expert, and worked with the FBI to track Mitnick down. Mitnick was in Raleigh NC, using a cellular phone system to do all his hacking. The authorities traced the phone usage to the location and arrested him. Mitnick had been underground for two years, as he was wanted for other crimes. A lot of this has been printed in mainstream papers like the New York Times. See Sunday's "News of the week in review" NYT section for an interesting perspective by John Markoff. ---end of copy---- As a staff member here on Grex, I breathe a sigh of relief whenever this type of person is captured. I tip my hat to anyone who helped in the capture. Nevertheless one must recognize that the people running the Well were faced with a difficult ethical problem. They contributed to the capture of Mitnick by not tipping their hand to him, at the expense of the privacy of Well participants. I don't know how I could have handled that choice. I might have done the same, but I wouldn't have slept well. One more thing. I just noted that in today's NY Times Business section (2/22 page C1) there is an article by Peter H. Lewis on this break-in. It contains details of the sequence of events in the IP-spoofing attack of Dec 25, which I haven't had time to digest yet.
Whoa, I hadn't heard about that. I was thinking about joining the well when I first got on line. Too expensive though.
If the well (or any other accessible system for that matter) +keeps+ the credit card numbers and other related data ON LINE - - it's like dangling minnows in front of hungry bass! Glad to know about the well's "policy and procedure!" Won't see my young butt over there - and you can tell them I said so, fwiw. good luck to the rest of you - - and WELCOME to Grex, we do NOT keep such stuff on line (of course we don't collect it either, but that's not the point).
re # 14 Speak for yourself about people paying attention to the cyberpunk conf, considering it's only a couple months old I think it's rather healthy.
set drift=off
TS, I'd agree, I'm very surprised they'd keep CC#'s online! I think one part of security planning on a system like Grex or the Well should be to acknowledge that root will get cracked from time to time, and to avoid unnecessary fallout when it happens. It might be nice to keep some fake "flag" CC#'s online though, that could alert CC companies to a thief's whereabouts.
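The "flag" card-number idea in the post above, worked through as an added example (not code from this conference or from Grex): a few fake but Luhn-valid numbers are kept beside the real records, and a log check reports any line in which one of them appears, which is evidence that the store was read and copied. The prefix, seeds and log lines are constructed for the demonstration.

```python
"""Canary ("flag") card numbers plus a log check that fires when one shows up.
Added example (not the conference's or Grex's code); values are constructed."""
import random
import re

def luhn_check_digit(partial: str) -> str:
    """Digit that makes partial + digit pass the Luhn (mod 10) check."""
    total = 0
    for i, ch in enumerate(reversed(partial)):
        d = int(ch)
        if i % 2 == 0:  # every second digit, counting from the check digit
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return str((10 - total % 10) % 10)

def luhn_valid(number: str) -> bool:
    """True if the digit string passes the Luhn check, as real cards do."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def make_canary(prefix: str = "4000", length: int = 16, seed: int = 0) -> str:
    """Deterministic fake number that looks real enough to be worth stealing."""
    rng = random.Random(seed)
    body = prefix + "".join(str(rng.randrange(10)) for _ in range(length - len(prefix) - 1))
    return body + luhn_check_digit(body)

CANARY = make_canary(seed=7)  # stored beside the real records as bait

# Constructed log lines; line 2 is the members file being copied off-system.
SAMPLE_LOG = (
    "Feb 22 03:14:05 grex db: read members rows 1-40\n"
    f"Feb 22 03:14:09 grex ftp: put /tmp/m.txt ... {CANARY[:4]} {CANARY[4:8]} "
    f"{CANARY[8:12]} {CANARY[12:]}\n"
    "Feb 22 03:15:00 grex db: read members count\n"
)

def find_canary_hits(log_text: str, canaries: set) -> list:
    """(line number, canary) for every canary seen, plain or spaced/dashed."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        for token in re.findall(r"\d[\d -]{13,18}\d", line):
            digits = re.sub(r"\D", "", token)
            if digits in canaries:
                hits.append((lineno, digits))
    return hits
```

A hit on a canary is unambiguous because the number was never issued, so it cannot appear in legitimate traffic.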
Well, the WELL is back up, and yes, here I am. :-) There is much controversy surrounding the WELL's handling of the Mitnick affair. I wish I was more technically oriented, then I could explain. Maybe Anita could take a stab at it. I can't say that I'll ever see that Grex is better, for the simple reason that your pico is so primitive. We have a wizard named Bryan Higgans that has enhanced picospan beyond MW's wildest dreams. No offence intended. Since this place seems to be *free*, I'm sure I'll gradually poke and prod my way about. Incidentally, one of the confs I host on the WELL is the Midwest conf. I live in Topeka, KS, and grew up in Omaha, and Chicago.
Out here on the frontier of the net, we like our pico rough and tough.
:-) :-)
There is a program on the WELL called "post" which is the basis for a lot of pico-enhancing scripts. I like pico a lot, btw. It is better than caucus for brainstorming. As for the WELL, it is not clear what happened. A lot of us understood the need for secrecy before the monitoring of the WELL, but were disappointed that most of what we learned after came from newspapers and not management. It *is* a tough ethical choice --- do you sacrifice the privacy of the users to capture a hacker? But on the WELL, where bounced mail goes in its entirety (not just headers) to the postmaster (sysop), I am not sure what the level of commitment is to user privacy. All of this, plus other issues, are affecting the WELL right now.
Interesting. Maybe on Grex we should poll members for what we'd want staff to do if a similar situation came up, since they can't very well ask how secret to be in the midst of such a hackathon.
The only problem with that is that depending on circumstances, the best thing to do might be the other option. There is *no* ruleset that can be made in advance to deal with vandals. Each occurrence has its own set of problems and opportunities. Ugh. I do understand what the people over on the Well went through in dealing with Mitnick. Fortunately, we've never had to deal with this kind of problem--the only time I actually saw a vandal start reading someone else's mail, I blew him (it?) off the system; it didn't realize that I'd been watching it for half an hour, seeing what it did. But if we had a real, ongoing problem, it might be needed to 'bait' the person to keep them online as tracing commenced. I hope we never are in that position, and have to think about things like this.
Tom Digby (bubbles) used to hang out on Grex a lot. He was a veteran of the Well, and he also extolled the virtues of their enhancements to picospan. I hope our lack of features will not scare others from the Well away. I don't really have any facts about what was stolen. Credit card info was supposed to have been taken, though, but netcom.com was also broken into and involved, somehow. I read this in the newspaper. I would also point out in defense of the Well that it is common internet practice to send complete bounced mail to the postmaster. If you are concerned about email security, you should be using PGP. There is now a legal version, but that's drift. I think it would be an interesting discussion (perhaps in coop) to delve into the ethical questions facing the Grex staff in the hypothetical situation where we are invaded and then law enforcement asks us to keep 'hands off' until the trap is set.
Grex *used* to bounce a whole email message to the postmaster, totally unannounced - happened across it by accident - but I was told later that "there was just too much mail" for that practice to continue. Whatever the reason, I'm glad it's different now. Still that way? I presume so. Notice that headers are sufficient for 99.99% of bounces, and that the UM does bit-flipping on MTS, for their postmasters - and presumably, that posture/practice has continued into the Unix world. bit-flipping for the body-text (not headers ...) <g>
I'm not postmaster here, but this is all news to me. I think bounced mail is sent to postmasters, not bit-flipped, not only here but at most other places. I would welcome being corrected.
That is correct, Steve. It has always been that way here, unless sendmail 8.6.9 (and now .10) are doing something I don't know about.
Different versions of sendmail do different things - and there are a *lot* of different versions out there today. If you're sending mail across the net, you really shouldn't assume it's that secure. In particular, you should pay attention to some of the things the government has been asking of data communications services! Yes, the sendmail that's here (at least in theory) doesn't send the message body to the postmaster. At least, that's what the comment in the source advertises. In most respects, the sendmail that's here is pretty much the virgin "out of the box" distribution; the differences are almost entirely for efficiency reasons. So far as PicoSpan goes - when last I checked in to the well, most of the changes to PicoSpan were in terms of customization. My guess is you could get 80-90% of the changes on the well merely by putting the right magic into .cfrc/.cfonce here on grex, perhaps with the right combination of extra scripts. So far as CC#'s online, yes - that is certainly something I don't think we should be keeping online. And, indeed, we're not; the treasurer keeps all of that sort of financial recordkeeping offline, so that a system cracker can't get into the membership or money records. I can't think of any reason anyone would want to do things differently than that. So far as what staff would do in the case of a vandal, what we could and would do would certainly be guided by ECPA. Most of our vandals today come in over the internet. Not infrequently, we find evidence that suggests they've broken into other systems on the way into grex. In such cases, we make an effort to notify those other systems of the activities of their "users". In these cases, our interest is to be a "good net citizen" and to extend the same courtesy to those other systems that we hope they would extend to us.
In every case, so far, we've not found it necessary to reveal any private information to those other systems - publicly accessible information (such as login times) has been sufficient to allow these other sites to consult their logs, determine if there is a problem at their end, and act from there. So far, our worst problem in dealing with vandals is, very few *other* places are all that sophisticated, technically. Where there's been more than one e-mail message, it has always been with sites or organizations that aren't as savvy as they should be on the technology.
If an organization had multiple people dealing with the membership records or credit card numbers, it might make sense to put it on line somewhere. Still, it would make sense to put it somewhere other than on the system the information pertained to, and not to publicize what computer it was on.
Well, #14 said the hacker penetrated a firewall, which is meant to be a barrier between systems. But still, they could have kept the info on a LAN that wasn't even connected to the internet. But the Well isn't a huge multinational conglomerate, I'm sure they're dealing with a limited budget, and tried to do their best.
According to #14, the firewall was protecting Tsutomu Shimomura's computers, not the well's financial CC# database.
Actually I'm not sure if the CC #s came from the Well or from Netcom. The firewall was definitely protecting Tsutomu Shimomura's computers, not the Well's. They don't have a firewall as they need to be visible on the net. While Mitnick had root on the Well, I believe from what I read in the newspapers, that the folks who run it knew he was reading people's mail. Admittedly, they found out they had been attacked by the same people who had asked them not to stop him, but once they knew what he was doing it seems like a lot to ask of sys admins.
marcus, did you know that every well user sees your name when they logon? And that next to "gopod" your name is invoked in mysterious ways on the well?
steve slipped in... seriously, I am not in a position to second-guess the WELL's decisions as to Mitnick, but do have concerns about the lack of openness *now*.
It was part of my contract with NETI that my name show up there - so yup, I knew. I take it I'm considered some sort of minor devil there? Ah well, I guess that's life... We're in even worse a position to 2nd-guess the well, but I can see or imagine cases where they might have difficulty being open. For instance, if there was a hole in the system that they didn't understand, or couldn't afford to plug up, then they might well not want to publicize it. Even if it was a hole they could plug up, they might not want to for fear some other systems might still have the vulnerability. Holes are most often the result of mistakes--nobody is perfect, after all, and even the most competent person can make mistakes. The well might have felt that kind of pressure on a staff member was not appropriate. If the problem results in a court case, it's very probable that the lawyers or the judge will ask that the case not be discussed in public until after the trial. The well might also not want to discuss details about how they investigated a problem that might make it easier for another person to crack the well's defenses. There are a bunch of interesting problems in that -- how important is the privacy of the victims? Or of the unindicted criminal, who might not be a criminal? How does one balance privacy and security, with openness? Is the goal to stop the incident, to plug the hole, or to catch the bad guy? There's also always the question of how much time and energy can be spent on the problem. To a lot of these kinds of questions, especially in real life, there isn't any one clear & obvious right answer. Different people will often come to different "right" answers, just to make the problem worse.
I am not really trying to heap any criticism on the Well. Like I said, I don't know what I'd do. I feel sorry for them that they actually had to face the choice. Grex is very open, but even here we do not discuss breakins in public in any detail. It makes me wonder. Marcus is right that there are conflicting goals, and there is no clear right thing to do. It is a difficult ethical question, and if we were ever faced with it, we'd have to decide what to do *without* asking our users what they would prefer. Since we are not currently (to my knowledge) in that situation, perhaps this is a good time to poll the folks out there to see what they would prefer to see the Grex Staff do, if faced with a hypothetical situation such as this. I might word the question like this: Suppose that the FBI came to the Grex staff one day and announced, "You have been invaded by a master hacker. We have been trying to catch this guy for several years, and we need you to avoid tipping him off, until we can spring the trap." Suppose further that we verify that it is actually the FBI, and that we actually *have* been invaded. In fact, we can now see that he is logged in as root and looking at other people's mail. The question is, if we have any choice in the matter, should we cooperate with the FBI, or should we resist in any way? Different users will feel differently about this, but is there any clear trend among the users?
re: master hacker scenario, I'd suggest that any real master hacker would be very suspicious of grex if any root fooling around was not snuffed out in short order by staff. That is the norm, and I would suggest to the FIB (er FBI) that we follow our normal routine with hackers or any wise hacker would know that something is up. Also, along the same vein, it is unlikely that the FBI would know we were being hacked before the staff here would: Think of that implication. It's more likely that we would be approached about a *seemingly legitimate* user, and isn't that a can of worms? Even more likely is that they may not ask staff at all before snooping or hacking themselves, and probably on a non-hacking but perhaps suspicious to the FBI person.
(Mike, that first sentence didn't make sense to me. Can you restate it, please?)
(that's with the implication that you might have lost a word or two while typing.)
- Backtalk version 1.3.30 - Copyright 1996-2006, Jan Wolter and Steve Weiss