Hello,

I'm administering some Linux machines permanently connected to the internet which I'm trying to protect reasonably. Therefore I disable unneeded services, keep software up-to-date, run a packet filtering firewall and use an intrusion detection and protection tool (snort).

But the number of ping-, version- and portscans increases every day, which makes me want to react more actively. Of course it'd be stupid to attack the attacker myself but I'd like to at least notify the administrators of the malicious users/customers of what's going on so that they (can) stop it.

No problem so far but unfortunately a lot of sysadmins don't seem to feel responsible until someone sues them. Therefore I'd like to send out a carefully researched mail filled with some paragraphs to make 'em think. But since I'm a complete idiot at legal issues I don't want to do it myself and prefer some already better done work of someone who knows what she is speaking about. :)

So my (frequently asked, I fear) question is: Can someone help me out with such a text, some facts or a starting point for a search? I'd especially be interested in German and American law since I and the machines in question are situated in Germany and most attacks come from American networks.

Thanks for your help and sorry if it's really an FAQ and already answered elsewhere.

--
bye, Michael
Elephants don't play chess!
Moin Michael!

One strategy you could employ is to use portsentry (http://www.psionic.com/abacus/portsentry/). It includes several 'active' defense methods (rerouting the attacker's IP / modifying access control via hosts.deny). Perhaps not much help to you, but worth looking at.

--
michael

Michael Weiser wrote on Tuesday, 17 October 2000:
Hello,
I'm administering some Linux machines permanently connected to the internet which I'm trying to protect reasonably. Therefore I disable unneeded services, keep software up-to-date, run a packet filtering firewall and use an intrusion detection and protection tool (snort).
But the number of ping-, version- and portscans increases every day, which makes me want to react more actively. Of course it'd be stupid to attack the attacker myself but I'd like to at least notify the administrators of the malicious users/customers of what's going on so that they (can) stop it.
No problem so far but unfortunately a lot of sysadmins don't seem to feel responsible until someone sues them. Therefore I'd like to send out a carefully researched mail filled with some paragraphs to make 'em think. But since I'm a complete idiot at legal issues I don't want to do it myself and prefer some already better done work of someone who knows what she is speaking about. :)
So my (frequently asked, I fear) question is: Can someone help me out with such a text, some facts or a starting point for a search? I'd especially be interested in German and American law since I and the machines in question are situated in Germany and most attacks come from American networks.
Thanks for your help and sorry if it's really an FAQ and already answered elsewhere.

--
bye, Michael
Elephants don't play chess!
--------------------------------------------------------------------- To unsubscribe, e-mail: suse-security-unsubscribe@suse.com For additional commands, e-mail: suse-security-help@suse.com
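A small added illustration of the portsentry-style logic mentioned above (this is my own example code, not portsentry itself and not from the original thread): it reads constructed iptables-style LOG lines for probes against closed ports, flags sources that touch several distinct ports, emits the matching tcp_wrappers `hosts.deny` entries, and drafts the plain-text summary one would send to the source network's abuse contact. The log format, addresses, the `NEVER_BLOCK` prefix and the threshold are all assumptions made up for the example.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample: iptables-style LOG lines for packets that hit closed ports.
# Addresses are documentation ranges; nothing here comes from the original thread.
SAMPLE_LOG = """\
Oct 17 23:01:02 host kernel: IN=eth0 SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=4001 DPT=21
Oct 17 23:01:02 host kernel: IN=eth0 SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=4002 DPT=22
Oct 17 23:01:03 host kernel: IN=eth0 SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=4003 DPT=23
Oct 17 23:01:03 host kernel: IN=eth0 SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=4004 DPT=25
Oct 17 23:02:10 host kernel: IN=eth0 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=5000 DPT=22
Oct 17 23:02:11 host kernel: IN=eth0 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=5001 DPT=22
Oct 17 23:03:00 host kernel: IN=eth0 SRC=192.0.2.53 DST=192.0.2.10 PROTO=TCP SPT=6000 DPT=1
Oct 17 23:03:00 host kernel: IN=eth0 SRC=192.0.2.53 DST=192.0.2.10 PROTO=TCP SPT=6001 DPT=2
Oct 17 23:03:00 host kernel: IN=eth0 SRC=192.0.2.53 DST=192.0.2.10 PROTO=TCP SPT=6002 DPT=3
Oct 17 23:03:00 host kernel: IN=eth0 SRC=192.0.2.53 DST=192.0.2.10 PROTO=TCP SPT=6003 DPT=4
"""

LINE_RE = re.compile(r"SRC=(\S+) DST=(\S+) PROTO=(\S+) SPT=\d+ DPT=(\d+)")

# Assumed: our own prefix. Never block it automatically, because a probe with a
# spoofed source "from" your resolver or router would otherwise cut you off.
NEVER_BLOCK = [ip_network("192.0.2.0/24")]


def find_scanners(log_text, min_ports=4):
    """Map source -> sorted destination ports for sources hitting >= min_ports ports."""
    ports = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            src, _dst, _proto, dpt = m.groups()
            ports[src].add(int(dpt))
    return {src: sorted(p) for src, p in ports.items() if len(p) >= min_ports}


def hosts_deny_entries(scanners):
    """tcp_wrappers hosts.deny lines for scanners outside the never-block list."""
    out = []
    for src in sorted(scanners):
        if any(ip_address(src) in net for net in NEVER_BLOCK):
            continue  # skip; a blocked own host is the self-inflicted DoS to avoid
        out.append(f"ALL: {src}")
    return out


def abuse_report(src, ports, target="192.0.2.10"):
    """Plain-text summary for the abuse contact of the source network."""
    return (f"Host {src} probed {len(ports)} closed TCP ports on {target}: "
            + ", ".join(str(p) for p in ports))


if __name__ == "__main__":
    found = find_scanners(SAMPLE_LOG)
    print("\n".join(hosts_deny_entries(found)))
    for src, ports in found.items():
        print(abuse_report(src, ports))
```

The repeated hits on a single port from 198.51.100.7 stay below the distinct-port threshold, and the 192.0.2.53 scan is reported but never written to hosts.deny because it falls inside the protected prefix.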
Oftentimes the attacks are launched from compromised machines that the admin is not aware of. Most admins are way too overworked keeping things working to have time to proactively fix security problems, so they end up being reactive, if they are lucky. A nice note notifying them is more than enough, no need to sue. Generally speaking it is exceedingly rare for a professional admin to attack others. I would spend my time on securing my network and possibly helping others to secure theirs.
Hello,
I'm administering some Linux machines permanently connected to the internet which I'm trying to protect reasonably. Therefore I disable unneeded services, keep software up-to-date, run a packet filtering firewall and use an intrusion detection and protection tool (snort).
But the number of ping-, version- and portscans increases every day, which makes me want to react more actively. Of course it'd be stupid to attack the attacker myself but I'd like to at least notify the administrators of the malicious users/customers of what's going on so that they (can) stop it.
No problem so far but unfortunately a lot of sysadmins don't seem to feel responsible until someone sues them. Therefore I'd like to send out a carefully researched mail filled with some paragraphs to make 'em think. But since I'm a complete idiot at legal issues I don't want to do it myself and prefer some already better done work of someone who knows what she is speaking about. :)
So my (frequently asked, I fear) question is: Can someone help me out with such a text, some facts or a starting point for a search? I'd especially be interested in German and American law since I and the machines in question are situated in Germany and most attacks come from American networks.
Thanks for your help and sorry if it's really an FAQ and already answered elsewhere.

--
bye, Michael
Elephants don't play chess!
Hi Kurt,

I adhere.

But our friend Michael can do a <as he sees fit> search on CERT.org or your place SecurityPortal.com, just to obtain some docs on _legal_ twisted issues.

Do you have any of them there?? (Just wondering)

Bring us some carefully selected _url's_ if you wish.

Cheers. =8`)

----
Kurt Seifried wrote:
Oftentimes the attacks are launched from compromised machines that the admin is not aware of. Most admins are way too overworked keeping things working to have time to proactively fix security problems, so they end up being reactive, if they are lucky. A nice note notifying them is more than enough, no need to sue. Generally speaking it is exceedingly rare for a professional admin to attack others. I would spend my time on securing my network and possibly helping others to secure theirs.
[snip...]
--
HTH
Best regards,
Eduardo Carriles
[-- Better a smile than a flame --]
(Long time SuSE-Linux [preferred distro] user).
[-- Se me nota mucho? -- Notices me much?]
[-- Have a lot of fun...]
Hi Kurt,
I adhere.
But our friend Michael can do a <as he sees fit> search on CERT.org or your place SecurityPortal.com, just to obtain some docs on _legal_ twisted issues.
Do you have any of them there?? (Just wondering)
Bring us some carefully selected _url's_ if you wish.
I'm pretty sure we don't have, and pretty sure we won't write anything too definitive. Why? Legal liability issues. We are not going to give what can be construed as legal advice, since we could end up getting sued all to heck and back. If you are unsure whether an action is possibly illegal, it probably is; consult your legal counsel or lawyer first before taking action. I am not a lawyer and this is not legal advice =). I am now planning an article on it, as it is something that needs to be covered, but it'll be a while since I don't want to end up in potential legal trouble.
Cheers. =8`)
Kurt Seifried - seifried@securityportal.com
SecurityPortal, your focal point for security on the net
http://www.securityportal.com/
Hi,

I had the same problem with reporting hack-, DoS- or spam attempts to sysadmins of offending networks - most of them didn't even reply, so in most cases I had to stop all network activity from/to the corresponding networks in order to protect our users and my mind from going crazy; this just cures the immediate attacks but it's useless against the real black hats.

This may lead to the conclusion that some admins just don't know (and don't *want* to know) anything about network security in general. Often there are ambitious employees with autodidactic knowledge who are going to be assigned to manage huge networks. In this process they are so deeply covered with problems that they just do not have the nerve to care about security; they just hope that nobody attacks their systems and carry on solving their petty problems.

I once had a chat with a bunch of lawyers about this problem where we discussed certain ways of proper reaction against "immutable" sysadmins, but soon we agreed that suing these people or threatening them with mails filled with excerpts from certain laws wouldn't do any good; a slightly mistyped or misinterpreted paragraph of such a mail may lead to more legal trouble for yourself than your mail to the sysadmin could provoke in his company, even more if the offending network is based in another country than you are; legislation and the law is quite a complex thing to deal with.

In this context I thought about some kind of early warning system for responsible sysadmins like the bugtraq list for security vulnerabilities; what do you folks think, is it possible to set up some kind of mailing list or newsgroup where data about insecure/offensive networks can be posted and/or commented?

Boris
---
On 17-Oct-00 Michael Weiser wrote:
Hello,
I'm administering some Linux machines permanently connected to the internet which I'm trying to protect reasonably. Therefore I disable unneeded services, keep software up-to-date, run a packet filtering firewall and use an intrusion detection and protection tool (snort).
But the number of ping-, version- and portscans increases every day, which makes me want to react more actively. Of course it'd be stupid to attack the attacker myself but I'd like to at least notify the administrators of the malicious users/customers of what's going on so that they (can) stop it.
No problem so far but unfortunately a lot of sysadmins don't seem to feel responsible until someone sues them. Therefore I'd like to send out a carefully researched mail filled with some paragraphs to make 'em think. But since I'm a complete idiot at legal issues I don't want to do it myself and prefer some already better done work of someone who knows what she is speaking about. :)
So my (frequently asked, I fear) question is: Can someone help me out with such a text, some facts or a starting point for a search? I'd especially be interested in German and American law since I and the machines in question are situated in Germany and most attacks come from American networks. [...]
In this context I thought about some kind of early warning system for responsible sysadmins like the bugtraq list for security vulnerabilities; what do you folks think, is it possible to set up some kind of mailing list or newsgroup where data about insecure/offensive networks can be posted and/or commented?

Boris
---

Great idea! I also had some problems with attacks from other networks and the sysad there did not seem to be interested in that his servers are being abused for attacking other systems. But instead of a mailing list I'd propose some kind of a public index of those networks (like those open relay databases). How about that??
Jochen
Great idea! I also had some problems with attacks from other networks and the sysad there did not seem to be interested in that his servers are being abused for attacking other systems. But instead of a mailing list I'd propose some kind of a public index of those networks (like those open relay databases). How about that??
Negative. If people/network admins really use this database, then it can be easily used as a DoS against someone an attacker doesn't like. In addition, it violates the victim's right for privacy (would you like to be listed there if someone broke into your mailserver and started hacking from it?). Another problem: Even if you don't relay spam through the world, you might end up on the ORBS blacklist, just because you might happen to not meet all criteria that they impose (happened to me several times). In this case, the problem might even get out of control: "Message suppression" is a serious crime in Germany, and with methods like this you're walking along a very thin line...
Jochen
Thanks,
Roman.
--
- -
| Roman Drahtmüller
Great idea! I also had some problems with attacks from other networks and the sysad there did not seem to be interested in that his servers are being abused for attacking other systems. But instead of a mailing list I'd propose some kind of a public index of those networks (like those open relay databases). How about that??
Negative. If people/network admins really use this database, then it can be easily used as a DoS against someone an attacker doesn't like.
In a slightly different way, mailing lists like suse-security or bugtraq could (and definitely will be) (ab)used not only by responsible admins but also by black hats of all flavours. Most admins write their mails to this security list from their own systems, therefore a collection of domains running SuSE distros with probably vulnerable subsystems would be a piece of cake.
In addition, it violates the victim's right for privacy (would you like to be listed there if someone broke into your mailserver and started hacking from it?).
You are right if you say that some kind of inadequately set up hack incident list would probably violate the right for privacy. But consider this: If you run a mailserver which gets hacked, what do you do? Keep the rooted machine online, like some fools do? No, you probably would back up important data, save the log files for forensic examination and reinstall cleanly, so you may fix the problem days before someone puts your IP into some databases or even notices that something is wrong, respectively. I consider it a mere problem of proper techniques and responsible procedures to set up a mailing list or website for reporting insecure networks/hosts; you don't necessarily have to be as aggressive as ORBS.
Another problem: Even if you don't relay spam through the world, you might end up on the ORBS blacklist, just because you might happen to not meet all criteria that they impose (happened to me several times). In this case, the problem might even get out of control: "Message suppression" is a serious crime in Germany, and with methods like this you're walking along a very thin line...
I'm getting used to being a tightrope walker ;-) But seriously: I mentioned that some proposed list of insecure networks should be carefully and responsibly constructed and should *NOT* be a black hole, just a basis for further information and discussion for admins. It's illegal to pay back violence with violence, but IMHO it's OK to pay back trickiness with trickiness. And if there were some informal network of sysadmins working together to actively fix security problems in insecure networks (thus cooperating with admins often too tired/unskilled to properly react to certain security issues) I would be a part of it. Share what you know, learn what you don't.

Boris
---
Jochen
Thanks,
Roman.
--
- -
| Roman Drahtmüller
// "Caution: Cape does     | SuSE GmbH - Security    Phone:
// not enable user to fly." | Nürnberg, Germany        +49-911-740530
// (Batman Costume warning label) | [...]
On Wed, Oct 18, 2000 at 12:28 +0200, bolo@lupa.de wrote:
Hi,
In this context I thought about some kind of early warning system for responsible sysadmins like the bugtraq list for security vulnerabilities; what do you folks think, is it possible to set up some kind of mailing list or newsgroup where data about insecure/offensive networks can be posted and/or commented?

I don't think that's a possible thing. Not that I'd say it's not useful, but you may run into legal trouble with such a list. Imagine someone tells "the public" your network is malicious/insecure/offensive, would you like that? Or wouldn't you sue the author? (no offence meant!) I think a bug in some software is a thing you can verify; an attack is not possible to verify in a similar manner. If you aren't the victim you usually don't even recognize an attack. But such a list would be useful though. IMHO

Greetings
Volker
Boris ---
On 17-Oct-00 Michael Weiser wrote:
Hello,
I'm administering some Linux machines permanently connected to the internet which I'm trying to protect reasonably. Therefore I disable unneeded services, keep software up-to-date, run a packet filtering firewall and use an intrusion detection and protection tool (snort).
But the number of ping-, version- and portscans increases every day, which makes me want to react more actively. Of course it'd be stupid to attack the attacker myself but I'd like to at least notify the administrators of the malicious users/customers of what's going on so that they (can) stop it.
No problem so far but unfortunately a lot of sysadmins don't seem to feel responsible until someone sues them. Therefore I'd like to send out a carefully researched mail filled with some paragraphs to make 'em think. But since I'm a complete idiot at legal issues I don't want to do it myself and prefer some already better done work of someone who knows what she is speaking about. :)
So my (frequently asked, I fear) question is: Can someone help me out with such a text, some facts or a starting point for a search? I'd especially be interested in German and American law since I and the machines in question are situated in Germany and most attacks come from American networks. [...]
--
The main failure in computers is usually between keyboard
and chair. (unknown)
Volker Tanner
Hello,
So my (frequently asked, I fear) question is: Can someone help me out with such a text, some facts or a starting point for a search? I'd

Many thanks for all your responses and discussion. I have a bit more of a sense for the benefits and disadvantages now and will try to find a middle way after checking all the resources. Thanks very much!

--
bye, Michael
participants (8)
- bolo@lupa.de
- Eduardo Carriles
- jochen
- Kurt Seifried
- Michael Galloway
- Michael Weiser
- Roman Drahtmueller
- Volker Tanner