Nmap Author Receives FBI Subpoenas 390
spafbnerf writes "Fyodor, author of the open-source network scanning tool Nmap, posted a story to the nmap-hackers list about having received a number of subpoenas from the FBI this year, demanding webserver log data, none of which produced anything, either because they sought old information that had already been deleted from his logs, or because the subpoenas were improperly served. In every case the request was narrowly crafted, usually directed at finding out who visited the site in a very short window of time, such as a five minute period. Fyodor writes: "If they see that an attacker ran the command "wget http://download.insecure.org/nmap/dist/nmap-3.77.tgz" from a compromised host, they assume that she might have obtained that URL by visiting the Nmap download page from her home computer"."
Update: 11/25 20:21 GMT by T :
Reader kv9 adds a link to Kevin Poulsen's story at SecurityFocus.
Seems reasonable (Score:5, Insightful)
Re:Seems reasonable (Score:5, Insightful)
Yes, though the main concern of mine is that he says the FBI were using subpoenas that were improperly served - how many people wouldn't bother checking, and just give up information straightaway?
Re:Seems reasonable (Score:5, Interesting)
Re:Seems reasonable (Score:5, Insightful)
Re:Seems reasonable (Score:3, Informative)
A subpoena is an order demanding compliance with a legal proceeding, more usually in terms of attendance or provision of evidence. It doesn't require immediate action. You've got time to talk to your legal guy about it before acting on it, and to challenge it if you think it's wrong.
A warrant to search or seize, however, gives them permission to do just that, right there and then. You can call your lawyer or whatever, but that's not going to stop them doing exactly what it
Re:Seems reasonable (Score:2)
Nmap can be got from a number of other sources (mirrors, linux/bsd distributions, CDs, etc). What am I missing here?
Re:Seems reasonable (Score:5, Insightful)
Personally I don't see the problem with this. They are not just sniffing around looking for "suspicious" things, they know what they are looking for and where it's likely to be. This is not randomly searching people on the street, this is going directly to the CCTV tapes.
Re:Seems reasonable (Score:5, Funny)
Well, now they can visit slashdot instead...
Re:Seems reasonable (Score:5, Insightful)
Okay, now they only have to check the server does have its clock in sync, otherwise those 5 minute clips of logs won't be very useful...
Re:Seems reasonable (Score:4, Informative)
Incorrect. Fyodor's clock can read 1988, and the logs would still be useful. The spooks can sync his logs up with the 'real time' by comparing his network activities with other servers, and what THEIR clocks said in THEIR logs. For instance, the probes that THEY were doing to his server, would be logged, as well as when they did the probes.
Re:Seems reasonable (Score:5, Interesting)
Honestly, if you really wanted to make this work and just get left alone by the FBI and the kiddies...
Download links could be generated at request with a unique identifier embedded.
Thus, if someone generates a dynamic link and pastes that into their term for wget... bam... you have an identifiable link with both addresses.
Just make sure everything is logged quite properly.
It would certainly ease the issue of tracking.
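The per-request download link described in the comment above, worked through as an added example (this is not the commenter's code, nor anything Insecure.Org actually ran). The host name, the key, and the in-memory ISSUED table are all hypothetical: the token is a random nonce plus an HMAC over (nonce, filename), the issuing visitor's address is recorded against it, and a later access-log line fetching that token can then be tied back to the address the page was served to.

```python
import hashlib
import hmac
import re
import secrets
from urllib.parse import parse_qs, urlsplit

# Hypothetical server-side key; a real deployment would load it from config.
SECRET = b"example-key-not-for-production"

# Stand-in for the "issued links" table: token -> address the page was served to.
ISSUED = {}

# Combined-log-format prefix: client, ident, user, [timestamp], "GET target", status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "GET (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

def _mac(nonce, filename):
    msg = f"{nonce}:{filename}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()[:16]

def issue_download_link(visitor_ip, filename, base="http://download.example.org/dist/"):
    """Mint a one-off download URL for the visitor who just loaded the download
    page. The token is a random nonce plus an HMAC over (nonce, filename), so a
    token cannot be guessed or moved to a different file, and it is recorded
    against the visitor's address."""
    nonce = secrets.token_hex(8)
    token = f"{nonce}.{_mac(nonce, filename)}"
    ISSUED[token] = visitor_ip
    return f"{base}{filename}?t={token}"

def valid_token(token, filename):
    """True only if the MAC half of the token matches the nonce and filename."""
    parts = token.split(".", 1)
    if len(parts) != 2:
        return False
    nonce, mac = parts
    return hmac.compare_digest(mac, _mac(nonce, filename))

def correlate(log_line):
    """For an access-log line recording a download, return
    (address that fetched the file, address the link was issued to),
    or None if the line is not a download carrying a genuine token."""
    m = LOG_RE.match(log_line)
    if m is None:
        return None
    target = urlsplit(m.group("target"))
    filename = target.path.rsplit("/", 1)[-1]
    token = parse_qs(target.query).get("t", [None])[0]
    if token is None or not valid_token(token, filename):
        return None
    return m.group("ip"), ISSUED.get(token)

def demo():
    """Constructed walk-through: a browser at 192.0.2.10 loads the download page
    and is handed a link; the same link is then fetched with wget from
    198.51.100.7 (the compromised host). Returns the genuine correlation and
    the result for a token whose MAC has been tampered with."""
    link = issue_download_link("192.0.2.10", "nmap-3.77.tgz")
    u = urlsplit(link)
    target = f"{u.path}?{u.query}"
    genuine = f'198.51.100.7 - - [25/Nov/2004:23:59:00 +0000] "GET {target} HTTP/1.0" 200'
    # Flip the last hex digit of the MAC so the token no longer verifies.
    forged_target = target[:-1] + ("0" if target[-1] != "0" else "1")
    forged = f'198.51.100.7 - - [25/Nov/2004:23:59:30 +0000] "GET {forged_target} HTTP/1.0" 200'
    return correlate(genuine), correlate(forged)

if __name__ == "__main__":
    print(demo())
```

The correlation only exists if the downloader actually pasted a link that was issued to a browser; anyone fetching from a mirror, a distribution package, or a fixed URL they already knew (as other replies in this thread point out) leaves no such pair, and the scheme also turns the download server into a store of visitor addresses that is itself subject to subpoena.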
Trinity used Nmap....look where it got her. (Score:4, Funny)
Re:Trinity used Nmap....look where it got her. (Score:5, Funny)
if the server goes down... (Score:5, Informative)
Dear Nmap hackers,
Let me first wish you Americans a happy Thanksgiving. Meanwhile, I'm
hard at work on a holiday Nmap version which should be available by
Christmas.
But enough pleasantries -- I want to discuss a sobering topic. With
increasing regularity this year, FBI agents from all over the country
have contacted me demanding webserver log data from Insecure.Org.
They don't give me reasons, but they generally seem to be
investigating a specific attacker who they think may have visited the
Nmap page at a certain time. If they see that an attacker ran the
command "wget http://download.insecure.org/nmap/dist/nmap-3.77.
from a compromised host, they assume that she might have obtained that
URL by visiting the Nmap download page from her home computer. So
far, I have never given them anything. In some cases, they asked too
late and data had already been purged through our data retention
policy. In other cases, they failed to serve the subpoena properly.
Sometimes they try asking without a subpoena and give up when I demand
one.
One can argue whether helping the FBI is good or bad. Remember that
they might be going after spammers, cyber-extortionists, DDOS kiddies,
etc. In this, I wish them the best. Nmap was designed to help
security -- the criminals and spammers put my work to shame! But the
desirability of helping the FBI is immaterial -- I may be forced by
law to comply with legal, properly served subpoenas. At the same
time, I'll try to fight anything too broad (like if they ask for
weblogs for a whole month). Protecting your privacy is important to
me, but Nmap users should be savvy enough to know that all of your
network activity leaves traces. I'm not the only one who gets these
subpoenas -- large ISPs and webmail providers receive them daily.
Most other major security sites probably do too. Most of you probably
don't care if someone finds out that you downloaded Nmap, Nessus,
Hping2, John the Ripper, etc. Nothing on Insecure.Org is illegal.
But for those of you who do care, there are plenty of mechanisms
available to preserve your anonymity. Remember this security mantra:
defense in depth.
Cheers,
Fyodor
Re:if the server goes down... (Score:5, Insightful)
Re:if the server goes down... (Score:3, Interesting)
A very, very good point. I work at two competing ISPs. One logs everything and keeps logs for months, the other (on my advice) keeps them for as short as reasonable. (30 days)
You can guess which one got caught up in a nasty discovery distract
Re:if the server goes down... (Score:5, Insightful)
Why? What's wrong with a narrowly tailored subpoena in regards to a specific, discrete illegal act?
This is exactly what everyone here's been asking for for years. Some of you obviously won't be happy until the FBI refrains from prosecuting every single computer-based crime.
Subpoena automation? Hmmm.... (Score:2, Funny)
That way they'd have one ready and well-written in case of a hacker emergency.
Oh well.
Re:Subpoena automation? Hmmm.... (Score:2)
Besides it would be easier to defeat in court if it were automated.
Re:Subpoena automation? Hmmm.... (Score:3, Informative)
To get a subpoena you need to send an application to a judge specifying precisely why you want it and what you want, then convince the judge to say "yes". The long part of this is handing the paper to the Judge and convincing him/her to sign it.
In theory there should never be a full automating of this process, since that would also imply that the requests get rubber-stamped.
Besides, you're gonna be spending way more time in the initial investigation (to
my 2 cents (Score:4, Interesting)
No, the question is "What's wrong with getting a valid subpoena *before* asking for the logs?" The issue is not the worthiness of the cause, but relying on general security paranoia and flag waving to bypass due process. Fyodor is right to demand a valid subpoena -- if the FBI is such a bumbling set of wankers as to not be able to come up with a subpoena, why trust them to accurately identify the suspect, or to not abuse the information they get?
Re:my 2 cents (Score:3, Interesting)
Nothing. It's just that IPs per se are no sacred data and just because you have the right to ask for a subpoena, there are a lot of people who willingly provide such data without subpoena if a request looks genuine (no paranoia or flag waving involved). And so it only sounds reasonable for the FBI to see if more paperwork can be avoided by asking first.*
And while your argument, that the FBI shouldn't be trusted i
Re:my 2 cents (Score:5, Insightful)
No hypocrisy in that.
Re:if the server goes down... (Score:3, Interesting)
Er. how about this: the FBI should worry about crimes that *shock* actually matter *shock*, like serial killers, for instance. Maybe someday in the distant future when there are no more serious crimes, the FBI should get itself involved in utter trivialities like computer "crime".
Re:At last! (Score:2)
Seems valid (Score:5, Insightful)
Of course, we do need law enforcement and this is a legitimate field to investigate so that we can have protected web commerce. With eyes on their activities, we can hopefully keep the Internet free and safe. Thoughts?
Re:Seems valid (Score:4, Insightful)
Re:Seems valid (Score:4, Insightful)
Re:Seems valid (Score:5, Funny)
I think you misspelled "police"?
Re:Seems valid (Score:5, Informative)
oversight (ˈəʊvəsaɪt), sb. [OVER- 7, 5.] The action of overseeing or overlooking.
1 a Supervision, superintendence, inspection; charge, care, management, control.
Re:Seems valid (Score:4, Funny)
Your use of language might need some oversight.
KFG
She? (Score:4, Funny)
Re:She? (Score:4, Funny)
What with all the new Gov. VoIP regulations being debated about, it's only reasonable that the FBI would want to prevent unauthorized access to the Matrix.
Reasonable (Score:3, Insightful)
Re:Reasonable (Score:2, Insightful)
Re:Reasonable (Score:3, Insightful)
Suppose that the FBI is investigating a largeish case that involves multiple sites, but they have a reasonable idea it's all the same guy.
Now, request the nmap logs for the time window that nmap was downloaded at each site. Presto, if you're lucky there will be a correlating netblock (or IP) prior to the download for each event.
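The cross-incident correlation the comment above describes, as an added example (not the commenter's code, and nothing the FBI or Insecure.Org is known to have run). It parses constructed combined-format access-log lines, collects the client addresses seen in a five minute window after each known download time, and intersects the windows at a chosen prefix length, so the same /32 or a shared /24 surfaces; a skew parameter widens each window to allow for the unsynchronised server clock discussed earlier in the thread.

```python
import re
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address, ip_network

# Combined-log-format prefix: client, ident, user, [timestamp], "request", status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    """Return (client ip, timestamp, request line) or None for unparseable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), TS_FMT)
    return ip_address(m.group("ip")), ts, m.group("req")

def visitors_in_window(lines, start, minutes=5, skew=timedelta(0)):
    """Client addresses seen between start and start+minutes, widened by skew
    on both ends to allow for a server clock that is not in sync."""
    lo, hi = start - skew, start + timedelta(minutes=minutes) + skew
    seen = set()
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, _ = parsed
        if lo <= ts <= hi:
            seen.add(ip)
    return seen

def common_visitors(lines, windows, minutes=5, prefix=32, skew=timedelta(0)):
    """Networks of the given prefix length that appear in EVERY window,
    as sorted strings. prefix=32 asks for the exact address, 24 for a shared /24."""
    per_window = []
    for start in windows:
        nets = {ip_network(f"{ip}/{prefix}", strict=False)
                for ip in visitors_in_window(lines, start, minutes, skew)}
        per_window.append(nets)
    if not per_window:
        return []
    return sorted(str(n) for n in set.intersection(*per_window))

# Constructed sample: three incidents, each with a known wget time at the victim.
WINDOWS = [
    datetime(2004, 11, 20, 10, 0, tzinfo=timezone.utc),
    datetime(2004, 11, 22, 14, 30, tzinfo=timezone.utc),
    datetime(2004, 11, 24, 3, 15, tzinfo=timezone.utc),
]

# Constructed access-log lines (documentation address ranges, not real visitors).
SAMPLE_LOG = """\
192.0.2.77 - - [20/Nov/2004:09:50:00 +0000] "GET /nmap/ HTTP/1.1" 200
192.0.2.77 - - [20/Nov/2004:10:01:12 +0000] "GET /nmap/download.html HTTP/1.1" 200
198.51.100.4 - - [20/Nov/2004:10:02:40 +0000] "GET /nmap/ HTTP/1.1" 200
198.51.100.50 - - [20/Nov/2004:10:04:01 +0000] "GET /nmap/download.html HTTP/1.1" 200
10.0.0.1 - - [20/Nov/2004:10:06:30 +0000] "GET /nmap/ HTTP/1.1" 200
192.0.2.77 - - [22/Nov/2004:14:32:05 +0000] "GET /nmap/download.html HTTP/1.1" 200
203.0.113.5 - - [22/Nov/2004:14:31:00 +0000] "GET /nmap/ HTTP/1.1" 200
198.51.100.50 - - [22/Nov/2004:14:34:10 +0000] "GET /nmap/ HTTP/1.1" 200
192.0.2.77 - - [24/Nov/2004:03:18:44 +0000] "GET /nmap/download.html HTTP/1.1" 200
203.0.113.9 - - [24/Nov/2004:03:16:00 +0000] "GET /nmap/ HTTP/1.1" 200
this line is garbage and is skipped
""".splitlines()

if __name__ == "__main__":
    print(common_visitors(SAMPLE_LOG, WINDOWS))
    print(common_visitors(SAMPLE_LOG, WINDOWS, prefix=24))
```

As the rest of the thread notes, this yields a lead rather than evidence: a popular site has many visitors in any five minute window, so an address that recurs across several incidents narrows the field but proves nothing on its own, and the windows are only meaningful if the victim's and the server's timestamps can be reconciled.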
Re:Reasonable (Score:5, Insightful)
The easiest way of getting the exact url to download is to check it directly on the site yourself. Even if the link was found from elsewhere on the net, the person doing the download would have probably checked that the link was valid in advance.
The key word here is "most" - sure if someone is really really really careful to cover every track they could possibly leave, then maybe they won't have directly visited the site. Most people would have done though. Of course the difficult part is determining when.
-- Pete.
FBI spies (Score:5, Interesting)
So Googling your victim, for example, before committing the crime is not very smart.
Unless of course you can randomly change your ip
in a pretty large range of course, heh heh.
Re:FBI spies (Score:5, Interesting)
Fortunately most hackers are dumb and lazy so they aren't that hard to trace.
Re:About wireless (Score:2)
Re:About wireless (Score:5, Informative)
A little off topic of the FBI but related to public APs.. Something I like to do is run a public AP that doesn't have access to the Internet. It just acts as something of a localized BBS system. Anyone within reach can message each other, trade files, participate in the forums, or check out the wiki. It's not hard to make it so that someone connecting will get your entrance page anytime they try to connect to something other than your system. With a decent antenna you can reach a fairly large group of people in a crowded metro area. An interesting way to meet your neighbors.
Re:FBI spies (Score:3, Insightful)
I wouldn't say it's impossible. If I had the investigative resources of the FBI the first thing I would do when I found out an attack happened from a "borrowed" WiFi point is get the MAC addresses of recently connected cards. Then all you have to do is go back to the manufacturers and find out who the cards were sold to and what their serial numbers are, and follow the trail of
Of course.... (Score:2, Informative)
New Christmas Version ... ? (Score:4, Funny)
Let me first wish you Americans a happy Thanksgiving. Meanwhile, I'm hard at work on a holiday Nmap version which should be available by Christmas.
I suppose this new version will give a new meaning to the Xmas scan, no?
Re:New Christmas Version ... ? (Score:5, Funny)
Scanning it twice.
The FBI knows,
Who's naughty or nice...
Bad joke... (Score:5, Funny)
Fyodors are supposed to remain closed at all times.
(Sorry)
Re:Bad joke... (Score:3)
Maybe if you try to sell small chunks of it to multiple bidders, it'll sell faster.
Valid investigation techniques? (Score:4, Insightful)
Nmap is popular as hell - unless they already have a suspect, this isn't going to be useful for them, all it will do is give them a scapegoat 9 times out of 10 - let's say they do get Fyodor's webserver log - which I doubt he'll be keeping in the future, assuming he does now - all that would give them is the IP addresses of a few dozen nmap users - one or two of which may be script kiddies of some sort.
And if they can verify that a script kiddy A downloaded nmap in their window of interest, what are they going to do? Assume they're responsible for the wrong crime and charge him or her. It's stupid and it's a witch hunt and it's a shot in the dark.
Of course, if the FBI has already got a suspect, they might be able to strengthen their case, but that's still pretty circumstantial evidence. Not exactly a smoking gun.
Just my $0.02US
Re:Valid investigation techniques? (Score:5, Insightful)
-Restil
Re:Valid investigation techniques? (Score:2)
Re:Valid investigation techniques? (Score:5, Insightful)
Ask anyone who's ever caught a fish.
Seriously, if they don't have any concrete leads, what are they supposed to do? Just stop investigating?
Re:Valid investigation techniques? (Score:2)
It seems like there ought to be some limits someplace.
Also legally can fyodor simply log to
Re:Valid investigation techniques? (Score:2)
Doesn't work in the UK if you are an ISP though. The RIP Act requires them to keep logs.
Re:Valid investigation techniques? (Score:2)
What I meant though was that the FBI definitely shouldn't be seeing Fyodor's site logs indicating suspect 56 visited his site about 30 seconds before the compromised host visited the site as an indication of guilt - certainly, they should follow up on it as a lead. But they should attempt to get some sort of hard link between the suspect and the compromised host. And they don't always get it.
And that doesn't stop people from getting convicted without any hard evidence.
Re:Valid investigation techniques? (Score:2)
Compared to the hit rate of spam, that would be pretty bloody good.
rj
Thanks for author (Score:3, Interesting)
Re:Thanks for author (Score:2, Interesting)
Meanwhile, those helpful popups do tell people that their computer is broadcasting an IP address.
Re:Thanks for author (Score:3, Insightful)
IANAL
'She'... in related news.. (Score:5, Funny)
Re:'She'... in related news.. (Score:2)
...who turned out to be a Slashdot troll pretending to be a woman [slashdot.org].
Impressive (Score:2, Interesting)
Naked Nmap Chick... (Score:3, Insightful)
Of course, I'm the one who wrote the script and shot the video, so it's only natural.
I think Fyodor is doing the right thing, and I think the feds are just using standard intimidation tactics... but then again, I've always been about state powers as opposed to federal powers. At least with state powers, you can always choose to move to a different state...
no green states (Score:2)
Re:Naked Nmap Chick... (Score:2)
You also start to run in to issues such as nationality, and citizenship, and entitlement.
However, personally, I don't think it's unreasonable to be able to find something appealing with 50 states to choose from. I object to the homogenization of America.
hah. (Score:2)
A *real* webmaster (Score:5, Funny)
Re:A *real* webmaster (Score:2)
More like, my website-hosts are hemorrhaging information, and there's no way to find out, nor to delete logs more frequently.
Now if only an XS4ALL website [xs4all.nl] didn't cost 9 times as much as the current solution [PHP+MySQL], we might be getting somewhere...
Catching Script-Kiddies? Maybe... (Score:2, Interesting)
Perhaps they might catch the odd Script Kiddie (provided their "press button to h4X0r" tool doesn't download Nmap automatically, and if they do know that Nmap exists).
But by and large, they won't catch any serious hacker - first of all, they're going to run through anonymous proxies, secondly they already know the URL (probably in a txt file or something), and thirdly, if they use some kind of tool to help them, self-made or not, it will have a "get Nmap or similar" button.
All in all, nice try, no cigar
Log Retention (Score:3, Interesting)
Re:Log Retention (Score:2)
The FBI (Score:2)
So, about this girl... (Score:3, Funny)
So, this girl that has been downloading... are there photos of her? Huh? Huh?
Too bloody scary (Score:2)
Personally.. (Score:2)
And who uses wget to download something from a website, anyway?
Re:Personally.. (Score:3, Insightful)
Re:Personally.. (Score:2)
Um... lots of package management systems use wget. And if someone emailed me a link to the latest version, or a site had a link to it, I might perhaps use wget instead of the browser if it is faster (don't have to specify download location, etc...)
Uh. Yeah. (Score:2, Insightful)
Can you challenge subpoenas?
I know who it was! (Score:2, Interesting)
Fyodor is lucky... (Score:5, Insightful)
he could be prosecuted merely for revealing that he'd RECEIVED it, even AFTER it became defunct.
Welcome to John Ashcroft's post-Constitution USA.
(and why in God's name has he continued preserving logs, after having received even ONE approach from the government?!)
How they use this (Score:4, Insightful)
What Fyodor is trying to tell us is that we should (Score:3, Interesting)
FBI == Fucking Ballbusting Imbeciles
How many FBI agents do you know?
Perfect, but FBI has shortage of trust (Score:3, Interesting)
The problem is, the FBI has squandered a lot of their social capital in the IT space by pulling all sorts of ugly stunts like trolling the net to harass or intimidate folks, or prosecuting crimes that folks don't consider serious enough to merit such strong pursuit.
Now, when they take an appropriate approach, folks are still skeptical.
Re:Perfect, but FBI has shortage of trust (Score:3, Insightful)
after all, who watches the watchers?
Re:She?! (Score:2)
It's either lazy typists, new English standards, or some sort of feminist brainwashing.
Re:She?! (Score:2)
Using the feminine all the time has its risks; if you wrote "We don't know who plundered the Fund to End World Hunger, but we're trying to identify her," you might have a spo
And of course since our furry and scaly friends... (Score:4, Funny)
Paul B.
Re:She?! (Score:2)
Re:She?! (Score:5, Insightful)
The assumption here is that the person the FBI is looking for is breaking the law, and is cracking boxes and other unsavory things.
Why do we assume that the person is a he?
It is possible that it's a she.
People seem to be more sympathetic to women, and so I'd think this would be a good way to combat the stereotype of male "hackers".
Re:She?! (Score:4, Interesting)
Re:She?! (Score:4, Interesting)
* --All right, I'm only going to say this once: 'He' is the singular indefinite pronoun in English ("if a person drinks too much, he will likely experience a hangover"). 'He' also happens to be the masculine personal pronoun.
'She' is the singular pronoun of personification in English ("if England fails to advance America's foreign-policy ambitions, she will suffer terrible consequences"). 'She' also happens to be the feminine personal pronoun.
Confusing the two exhibits not a warm-and-fuzzy concern for the inclusion of women so much as a writer's or speaker's ignorance. Using the feminine personal pronoun as an indefinite article is as moronic as using the masculine personal pronoun for personification. Thus the captain greets us: "Welcome to my ship. Isn't he splendid?"
Give it up, people. It's not thoughtful; it's just illiterate. ®
Re:She?! (Score:5, Insightful)
You say that as if it just "happened". It's also not true; if you wrote "when a nurse comes, she will start by
'She' is the singular pronoun of personification in English
Ships are usually she. That doesn't mean it's the only pronoun of personification; if you wish to personify an object as male, it's entirely correct.
Confusing the two exhibits not a warm-and-fuzzy concern for the inclusion of women so much as a writer's or speaker's ignorance.
A speaker's ignorance for what, some grammarian's rigid idea of what English should be? It's clear, whatever English was a hundred years ago or even 20 years ago, that using she is appropriate in today's English.
This overbearing post about some rigid rules of someone's conception of what English's rules should be is worth trashing, not saving.
Re:Umm .... (Score:2)
Like it or not, (Score:2)
Re:She?! (Score:3, Insightful)
Re:She?! (Score:3, Interesting)
So I'm sorry, but that's not the reason Fyodor used "she."
Re:She?! (Score:2, Interesting)
Re:waste of money. (Score:2)
Re:time to flame fyodor into reality (Score:3, Funny)
Are those over by the asshats?
Re:time to flame fyodor into reality (Score:2, Informative)
Out of all the options that you listed above, the only one I haven't personally used is the de
Moron! :) (Score:2, Insightful)
The server logs will contain "2004-11-25 23:59 - 80.70.60.50 GET