Battle Creek, Michigan Settles Dispute with ORBZ 259
Peter Sachs, Esq. writes: "According to a press release that now appears on its official website, the City of Battle Creek, Michigan has 'settled' its dispute with ORBZ.ORG. The City concluded that ORBZ.ORG had no criminal intent to cause the City harm by testing the 'open relay' status of its server. In fact, the Assistant to the City Manager said, '...we recognize that [ORBZ.ORG] has done us a service. We are going to be taking a close look at our policies regarding Lotus security updates and how we can avoid the issue in general.'"
Absolutely amazing. (Score:3, Funny)
A government entity thinking clearly and levelly, and actually thanking geeks for trying to help them? Astounding.
Okay, everyone, it's time to pack up and go. Would the last one out of the server room please hit the BRS?
Re:Absolutely amazing. (Score:3, Insightful)
They should be investigating the marklars at lotus who apparently are not great programmers. No email should *ever* be able to bring down an e-mail server.
Re:Absolutely amazing. (Score:3, Insightful)
Uh, there is no such thing as "just an investigation."
I worked for a government agency. It was absurd because all of the policies would go through these weird legal distortions. If they wanted a simple policy, say changing from a 15 to 20 minute break, they would pass a law, and it would be illegal to take an 15 minute break. They lost the ability for people to communicate with people as people.
ORBZ may have been a bit cavalier in its testing of security holes in servers, but was altruistically trying to perform a service. Instead of trying to communicate, however, the legal system immediately jumps into litigation confrontation and threats. It is really a screwed up system.
Re:Absolutely amazing. (Score:2)
Re:Absolutely amazing. (Score:3, Insightful)
The rules/regulations that agencies make have the force of law, however. That is, you can be imprisoned for not following them, with the full force of the US government behind them.
Re:Absolutely amazing. (Score:2)
The problem was that their 'investigation' was a bit on the "shoot first and question the cadaver later" nature. Their first step should have been to spend some time figuring out what happened and the nature of the apparent 'attack'. Had they done that, I think that they would have realized that the 'attack' was quite possibly a mistake and/or the result of a problem with the configuration of their box.
In this case, it appears that one of the first things they did was to issue a search warrant. As far as I'm concerned, a search warrant should not be issued lightly. I think that both the police department and the judge who signed the warrant should get a (virtual) public flogging over their actions under these conditions.
As for analogies, I think that a closer one is of someone going around the neighbourhood checking for unlocked doors and informing the owner of the insecure box...
then one day, you find a house where the door is unlocked, and the house is armed.
Re:Absolutely amazing. (Score:3, Funny)
Er, um.. that should have been "and the house (door) is alarmed." This actually happened to me once, when I was trying to find my way out of a place where I was doing some late night admin work.. I tried a door that turned out to be an entrance to a neighbor's space. The door was unlocked, but had a chain on it and an alarm (which was set up).
It was kinda half-amusing the conversation I had with the police when they arrived...
Re:Absolutely amazing. (Score:2, Insightful)
Hmmm. I'll tell you what. Do something, anything, even a bit mildly innocuous and find yourself the subject of an investigation. A search warrant is issued and people enter your home, without your consent. You're interrogated and have to spend big bucks on a lawyer even though legally, you did nothing wrong.
If you don't think that's "scary", you're either one bad-ass mofo or just trolling.
Re:Absolutely amazing. (Score:2, Insightful)
Re:Absolutely amazing. (Score:3, Informative)
Not so fast there Bucko... From the press release: "Spam refers to a computer prank that causes multiple duplicate emails, sometimes several hundred at once, to clog up the recipient's mail server."
Seems to me like they still have a few things to learn...
Battle Creek and Kellogg's (Score:4, Funny)
I understand that Kellogg's has nothing to do with the stupidity of the city, but they're the biggest taxpayer/employer in Battle Creek, and that's close enough for me. As an American, collateral damage means nothing to me!
Re:Battle Creek and Kellogg's (Score:3, Funny)
He rolled over like a puppy getting patted on the belly precisely *because* he wanted to avoid legal expenses.
Of course, kelloggs does make Smacks [kellogs.de]. Maybe that's what I'm smelling.
Re:Battle Creek and Kellogg's (Score:2)
Wait, is this a joke? What legal expense?
Read the article, the guy got a lawyer..
Re:Battle Creek and Kellogg's (Score:3, Informative)
HAH!! I grew up in the town! You have NO idea how wrong you are about that. They ran the town so effectively that they blackmailed a surrounding township to merge with the city and then had the city tear down several blocks of downtown for a research center and a high class hotel that wouldn't make visiting VIPs feel like they were in No-Tell Motel Hell. Millions in taxpayer money went to this while the surrounding neighborhoods turned into run down rat infested crack houses. Eventually, Kellogg's laid off so many people that they've lost some of their influence.
but they're the biggest taxpayer/employer in Battle Creek, and that's close enough for me.
Actually, Nippondenso and Battle Creek Health Systems are bigger nowadays. Also, you should know that Post and Ralston Purina have factories there.
As far as a boycott goes, I've been doing that ever since the day I saw how corn flakes were actually made
The Battle Creek Police would be ill equipped to investigate a case like this. They have more trouble than they can handle in that town as it is.
Don't be too tough on BC - hell, they JUST got cable modem service two months ago and the geek population is just about zero as the few who grew up there either moved out or got buried under a football field somewhere by the team
Do you know how pathetic the place is? They have an army base named after Gen. Custer. Need I say more?
I love living in Kalamazoo
Re:Battle Creek and Kellogg's (Score:2)
The press release referred to Mr. Gulliver's attorney. Apparently he has an attorney. That attorney should be paid for his services. Mr. Gulliver should not be the one to pay that.
That's what you get ... (Score:2)
Re:Antiboycotting Kellogg's (Score:2)
Please do, and enjoy those delicious genetically modified products every morning until your colon grows eyeballs. Then you'll be able to comb your hair without need of a mirror. :D
About fucking time... (Score:2, Insightful)
It's about fucking time that someone pulled their heads out of their asses and realized that it wasn't necessary to start filing lawsuits and criminal charges to punish *smart* tech behavior!
Unfortunately, it may already be too late for ORBZ. Here's hoping that ORBZ comes back up in light of this statement.
Bad day in IT (Score:3, Funny)
Good News, Bad News (Score:4, Insightful)
The bad news: They still haven't quite understood the situation yet, based on the article taken from the City of Battle Creek page:
Spam refers to a computer prank that causes multiple duplicate emails, sometimes several hundred at once, to clog up the recipient's mail server.
They are getting better, though.
Re: (Score:3, Interesting)
Spam originally meant "buffer overflow" (Score:2)
No, the fact that they used the word "duplicate" shows that they do not, in fact, "get it".
The definition of "spam" in the Jargon File [tuxedo.org] lists duplication as the primary criterion under senses 3 and 4. Junk E-mail (UBE) enters the picture only in sense 5.
Funny: The first listed sense of "spam" refers to a buffer overflow.
Better late than never? (Score:2, Insightful)
Unfortunately, there really isn't any way to stop this sort of behaviour apart from instituting very harsh penalties for threatening to sue and not following through with the threat or reaching an adequate mediated position with all affected parties.
A$#*holes I say - even if they have recanted now, it's too late to fix the damage. For example the mail-filters plugin for Squirrelmail [squirrelmail.org] has had orbz removed - even if it comes back up, people running that code won't be using it.
Re:Better late than never? (Score:4, Insightful)
Second, this all could have been avoided if Ian Gulliver hadn't freaked when he got the order. If he'd waited a bleeding 24 hours this would have been resolved and ORBZ could have gone on its merry way.
I'm going to resist drawing any parallels between your hysterical and incorrect assessment of the situation and Ian's similar reaction, except to say: pay attention. Life is hard enough without going off half-cocked on incomplete information.
Re:Better late than never? (Score:5, Informative)
Having more knowledge here of what went on than you, please trust me. In my opinion, this 'settlement' wouldn't have been nearly as forthcoming if a certain Wired.com article didn't cause major embarrassment. I believe that this 'settlement' is much more public relations damage control than an actual realization that a mistake was made.
Re:Better late than never? (Score:2)
If we have juries composed of individuals such as yourself, we might as well allow Herr Ashcroft to act as Judge, Jury and Executioner.
How about zipping down to your hospital, and getting a full cranial curettage. It should improve your common sense.
Getting a search warrant usually requires a very high probability that a crime occurred. Since they really didn't know what had happened in the first place, it would seem hard to believe that any probability existed at all.
Cheers!
Re:Better late than never? (Score:2, Insightful)
Ian sent a syntax-valid (check RFC2821) mail header to a mail server. Said mail server is attached to the internet. What the hell do you think it is for? Let me give you a clue. Receiving mail. The server should not crash/lockup etc. because it receives valid headers. This is like having a building that collapsed if you knock on the door. You might claim your door was for entering the building, not knocking, but that would not make it my fault the building collapsed.
Re:Better late than never? (Score:3, Interesting)
Sounds like a case of CYA to me.
If I connect to your machine, that you've publicly connected to the internet, and you're offering services on, and send valid packets to request service, and your machine crashes? Well, too bad. Fix it, or learn to live with a server that doesn't work right.
What else is an SMTP server to do, other than accept mail. If your mail server crashes because it can't understand the mail, then it's the mail servers problem. NOT THE PERSON SENDING THE MAIL! Now, if I hacked my way into your internal network, and then used a non-public SMTP server to send mail, you might have a case.
That's like designing software that doesn't account for all types of input. When someone puts something in that you didn't anticipate, and the software crashes, then you blame the person who entered the data? Sheesh! Talk about passing the buck.
Perhaps SillyMe ought to get smacked by the clue stick.
Cheers!
Re:Better late than never? (Score:2, Insightful)
Well, if you interface a mail server to the public Internet you should expect occasional probing, illicit as well as legitimate, to occur. If you were on an intranet you could expect exclusivity but not so on the public Internet.
The apparently inept manager who failed to keep their server current and thus avoid the exploit should be held responsible. She apparently ignored this fact and failed to tell the investigating officer that fact. Let's see 'hmm, I'm too lazy to do this upgrade so go arrest this kid in NY'.
These people acted irresponsibly and abused their power. They should have known better.
Why Should He Risk All to do *US* a Favor? (Score:4, Interesting)
It's very easy to be an armchair general from the peanut gallery, especially since you have nothing at risk.
This was a (relatively rare) instance of a government exercising some common sense. There was no guarantee that this would be the outcome.
Imagine if it had gone the other way (they pressed charges) and he had continued operating as before. Going in front of a judge and being forced to admit that "yes, I engaged in the same activity for which I was being prosecuted after having been served notice," is the kind of thing that results in penalties that tend toward the harsh, rather than lenient, if convicted.
ORBZ was a service being provided for our benefit, for the "greater good" if you will (yes, I know how alien that phrase sounds in our Money Ueber Alles culture, but there do still exist people who spend their energy trying to better all of humankind, rather than merely themselves. They may be endangered, but they aren't extinct just yet). It is not at all reasonable to expect someone to risk fines, seizure of equipment, and possibly even jail time simply so they can go on doing everyone else a favor.
The government body in question may be contrite now, but the damage is done, and they are, ultimately, the cause of that damage. Whitewashing their responsibility now behind the argument that "that's just how investigations are done" does nothing to alleviate their responsibility, though it does underscore just how aggressive, flawed, and Orwellian many of our "standard investigative procedures" have become. Not that we needed any more examples, we seem to have been getting hit in the face with that fact every day lately.
Re: search warrants (Score:2)
Most often, it also includes seizures (supposedly necessary because the authorities can't fully determine the purpose/value of the "suspicious items" they turn up during the search without taking them to their labs and experts). That means ORBZ would lose use of their computer equipment until the investigation was completed. (And don't think they're always quick about it. They can, and usually do, hold onto seized items for years - meaning they'll be of little to no value by the time you get them back, even if they find you completely innocent!)
Thus the problem: (Score:2)
Think for a second: You're anybody on the face of the planet who is actually sane and rational. Your first response in the same situation: Block the bits, figure out why those bits crashed your shit, and then fix the fucking problem.
If your box explodes, then you are at fault. Period. Unless you are running M$ products.
Also (Score:5, Funny)
The City also announced that it really likes to be capitalized when referred to. It also notes that the word "of" is still banned when referring to stories about The City.
Nope, you missed it (Score:4, Funny)
:)
hawk, watching for californians under his bed . . .
Gee, the city manager agrees with me. (Score:4, Insightful)
-russ
Re:Gee, the city manager agrees with me. (Score:3, Interesting)
Russ, you're still wrong.
There's no reason to believe that a server that has NOT sent any spam is MORE likely to have defects in design, coding, or configuration, when compared to a server that has sent spam. In fact, if a server HAS sent spam, THAT is the server that should not be tested. The server that has sent spam is more likely to be afflicted by at least one of bad design, bad coding, or bad configuration.
There is no reason for any properly designed and managed server to crash and burn as a result of any piece of mail delivery. That some do is not a valid reason to devalue an important tool in the effort against spam. It could be of value if it is possible to identify from the SMTP banner if some server is a defective one, such as an older version of Lotus Notes. If that can be determined, then ORBZ should simply add the server to the list and not send anything there at all (except maybe a notice of why they are being listed). I suggest they be added because I do not want them to be sending my servers any mail because that mail has a risk of being spam, due to an obvious situation of inadequate or incompetent administration of that server.
From now on, the city manager will have to... (Score:2)
Re:Gee, the city manager agrees with me. (Score:2)
-russ
p.s. this is typical of the witty repartee which passes for commentary from ORBZ supporters. Honestly, if you wish to convince me that I'm wrong about how anti-spam activists shouldn't be spamming innocent servers in their holy quest to identify open relays, you're going to have to supply more of an argument than "get a life." I already have a life. What I *need* is a way to talk to the Navman iPAQ sleeve from Linux. And I doubt that you're smart enough to help me with that.
Re:Gee, the city manager agrees with me. (Score:2)
Re:Gee, the city manager agrees with me. (Score:2)
Considering that one of the core principles of spam activists used to be "content doesn't matter", it's quite arguable. Unsolicited bulk email is unsolicited bulk email, whether it is sent to make money, promote a political candidate, solicit donations to a charity,[...]
I'd agree with that
[...]or test if an alleged open relay is, in fact, open.
But not that. An open relay test is neither Unsolicited (AFAIK, ORBZ sends the emails to itself), nor Bulk (AFAIK, ORBZ sends only a few emails to test, and sends them one at a time).
The test email is clearly not authorized to be on the server, but the SMTP protocol was designed to give servers many options for handling misrouted and unauthorized emails. Any SMTP server should expect to get a few mails that aren't supposed to be there, and act accordingly. In this case, a commercial vendor sold SMTP server software for a great deal of money that apparently doesn't know what to do with a simple unauthorized email. Battle Creek should be fuming at their vendor, not at the person who sent the email.
I'm glad to see them calling off the dogs; sadly, I fear that ORBZ is mortally wounded from the bites by now.
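The comments above ("a building that collapses if you knock on the door", and this one on how SMTP already gives a server options for misrouted or unauthorized mail) both come down to one property: a public mail server answers every command, including an unwanted relay request or a forged envelope sender, with a reply code and keeps running. The following is an added example, not ORBZ's tester, not Domino's code and not anything posted in this thread: a small in-memory SMTP relay-policy simulator in Python that plays both sides of the single-message relay test described above. The domains, the trusted network prefix and every address in it are constructed assumptions.

```python
"""Added example: a tiny in-memory SMTP relay-policy simulator. Not ORBZ's tester
and not Domino's server; domains, networks and addresses are constructed."""
import re

LOCAL_DOMAINS = {"battlecreek.example"}      # assumption: domains we accept mail for
TRUSTED_NETS = ("10.0.0.",)                  # assumption: internal hosts that may relay outbound

# RFC 2821 path: <local@domain>, or the null reverse-path <>
PATH_RE = re.compile(r"^<([^<>@\s]*)@([^<>@\s]+)>$|^<>$")


def parse_path(arg):
    """Return (local, domain), ("", "") for <>, or None when unparseable."""
    m = PATH_RE.match(arg.strip())
    if m is None:
        return None
    return ("", "") if m.group(2) is None else (m.group(1), m.group(2).lower())


def relay_decision(client_ip, authenticated, rcpt_domain):
    """Policy for one RCPT TO: local recipients are always fine; anything
    else is relaying and only allowed for trusted or authenticated clients."""
    if rcpt_domain in LOCAL_DOMAINS:
        return (250, "OK")
    if authenticated or client_ip.startswith(TRUSTED_NETS):
        return (250, "OK, relaying for trusted client")
    return (550, "Relaying denied")


class SmtpSession:
    """One client connection. Every input line gets a reply code; nothing a
    client sends raises out of this class, which is the property a public
    mail server must have."""

    def __init__(self, client_ip, authenticated=False):
        self.client_ip, self.authenticated = client_ip, authenticated
        self.log = []            # denied relay attempts, i.e. the "alarm"
        self.in_data = False
        self.reset()

    def reset(self):
        self.sender, self.rcpts, self.body = None, [], []

    def line(self, raw):
        """Feed one line; returns the reply, or None while a body is collected."""
        if self.in_data:
            if raw == ".":
                self.in_data, queued = False, len(self.rcpts)
                self.reset()
                return f"250 OK: queued for {queued} recipient(s)"
            self.body.append(raw)
            return None
        return self.command(raw)

    def command(self, raw):
        verb, _, arg = raw.strip().partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            return "250 mail.battlecreek.example"
        if verb == "MAIL":
            path = parse_path(arg[5:]) if arg.upper().startswith("FROM:") else None
            if path is None:
                return "501 Syntax: MAIL FROM:<address>"
            self.reset()
            self.sender = path   # an unusable or forged sender is recorded, not trusted
            return "250 OK"
        if verb == "RCPT":
            if self.sender is None:
                return "503 Need MAIL command first"
            path = parse_path(arg[3:]) if arg.upper().startswith("TO:") else None
            if path is None or path == ("", ""):
                return "501 Syntax: RCPT TO:<address>"
            code, text = relay_decision(self.client_ip, self.authenticated, path[1])
            if code == 250:
                self.rcpts.append(path)
            else:
                self.log.append(f"relay denied: {self.client_ip} {self.sender} -> {path}")
            return f"{code} {text}"
        if verb == "DATA":
            if not self.rcpts:
                return "554 No valid recipients"
            self.in_data = True
            return "354 End data with <CR><LF>.<CR><LF>"
        if verb == "RSET":
            self.reset()
            return "250 OK"
        if verb == "QUIT":
            return "221 Bye"
        return "500 Command not recognized"


def run_probe(session, sender="<probe@localhost>", rcpt="<probe@orbz.example>"):
    """Replay the single-message relay test discussed in the thread and
    return the (client line, server reply) transcript."""
    script = ["EHLO probe.example", f"MAIL FROM:{sender}", f"RCPT TO:{rcpt}",
              "DATA", "Subject: relay test", "", "relay test body", "."]
    transcript = []
    for sent in script:
        reply = session.line(sent)
        if reply is not None:
            transcript.append((sent, reply))
        if sent == "DATA" and reply.startswith("5"):
            break                # a well-behaved client gives up here
    transcript.append(("QUIT", session.line("QUIT")))
    return transcript


if __name__ == "__main__":
    for sent, reply in run_probe(SmtpSession("203.0.113.5")):
        print(f"C: {sent}\nS: {reply}")
```

Run it as is to see the probe from an untrusted address end in `550 Relaying denied` and `554 No valid recipients`; construct the session with an address under `10.0.0.` (or `authenticated=True`) to see the same message accepted and queued. The point of the design is that the relay decision is a separate, total function and that malformed input is answered with 501 or 500, so the only thing the server "does" with an unwanted test message is record it in `session.log`.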
Re:Gee, the city manager agrees with me. (Score:3, Interesting)
No. Ian forged addresses intended to trick the SMTP server into forwarding the email. Ian also used a false envelope sender (blah@localhost) which is unusable for returning a bouncing email.
-russ
Re:Gee, the city manager agrees with me. (Score:2)
maybe deep down it really hits close to home, eh?
No, actually it's because I really *do* want to figure out how to access the UART on the Navman sleeve. Unfortunately, ARM Linux seems to either be caching that section of RAM (which it shouldn't be, given that that memory was allocated using ioremap), or else it's not pointing the memory at the actual hardware address of the UART.
-russ
Re:Gee, the city manager agrees with me. (Score:2)
But as you admitted, you're too stupid to help me with this. BTW, I was only pulling sudog's leg about "stalking" Ian. Man oh man did he ever go ballistic. But he and I have made up. Now if you were only as mature as him....
-russ
Re:Gee, the city manager agrees with me. (Score:2)
By the way, the host which was scanned was one that is listed in the MAPS RSS. That host NEVER contacts anybody under any circumstances except one: because somebody sent email to that server. So even *if* you are correct and that ORBZ tested only because an SMTP client on that host contacted somebody's SMTP server, it could only have been by that person's request. I didn't initiate the contact; they did. They cannot then claim that "[I] initiated contact that led to the scan".
Stopping people from continuing ORBZ abuse is being productive. There are enough fanatics (e.g. you) who think that ORBZ has done no wrong that one of you will likely re-implement it.
-russ
Re:Gee, the city manager agrees with me. (Score:3, Insightful)
This English lesson was brought to you by letters P and Q.
Re:Gee, the city manager agrees with me. (Score:2)
An open relay is more like a syphilis-infected slut. She may be sleeping now, but when she's awakened, she's going to make someone regret being screwed by her. Asking for an STD test before hopping in the sack with someone is now considered an unfortunate but justifiable state of affairs, not an insult.
Incompetent Sysadmin (Score:3, Insightful)
Note to Battle Creek city managers: hire competent IT professionals, and this won't happen.
Re:Incompetent Sysadmin (Score:2)
Parent was modded flamebait, but I agree with it. There really isn't an acceptable excuse for the email server being down for as long as it was. I can just imagine the sysadmin panicking after bouncing the box for the third time and *still* not having the problem "fix itself".
Even a lazy/incompetent Domino admin should know how to clear the mail queue and reboot.
Re:Incompetent Sysadmin (Score:2)
Anyone that wants to be able to eat, live will never work for a City gov position. Then you are stuck working inside a ruleset that is made by the biggest pool of retards possible (City management and the City council/mayor).
I have yet to meet an IT person from a small/medium sized city that isn't a complete moron. Granted I only met them here in Michigan, and I am sure that there are some smart ones out there, but they usually don't work for cities... they find jobs with a real pay-scale.
Re:Incompetent Sysadmin (Score:2)
Sensible enough, but when I worked in BC, we had a heck of a time finding people. The few that we found either relocated or commuted more than an hour each way. Apparently it's not an IT talent rich area.
Re:Incompetent Sysadmin (Score:2)
Kalamazoo and Grand Rapids are much more desirable places to live. The school systems in Battle Creek are mediocre at best, and the people, for the most part are depressing drones, and the employers, for the most part, treat them as such. There's little culture to speak of - I don't call the BC Symphony Orchestra great culture, not to mention all those nice little fetuses in jars in the Kingman Museum
Sanity restored. (Score:2)
All is forgiven Michigan IMHO.
Wait until they get /. 'ed... (Score:3, Funny)
The email test triggered a weakness in the version of Lotus Domino software used by the City and caused a major slowdown of the City's email network for about a day on February 25, 2002.
The
-jim
Shooting people to tests for vests (Score:5, Informative)
From the press release by Michelle Reen, Assistant to the City Manager, Battle Creek, Michigan:
This analogy is flawed. Here's why:
Shooting people is something that, if a vest is not worn, can be expected to cause serious injury or death. Even if a vest is worn, the outcome can be injury, and death has been known to happen.
A more accurate analogy would be tapping someone on the shoulder to see if they are alive. But you don't expect that one in tens of thousands happens to have a very sore shoulder, and this tapping causes great pain.
My analogy is more correct because the kinds of tests ORBZ does are not ones where a reasonable person doing this kind of activity (reasonable in this case meaning someone who understands the SMTP protocol, and related standards like RFC822, TCP, etc) would expect to cause serious problems. At most, this should trigger an alarm in more secure servers, which can then be filtered for this known testing source. ORBZ is not including codes intended to damage or destroy computer systems in these tests just to see if they would be destroyed (as Ms. Reen's analogy would suggest).
It seems to me that the city of Battle Creek perhaps acted a bit hastily in the way they reacted. I'm not saying that they shouldn't have the police involved in the investigation, and I'm not saying they shouldn't pursue acquiring information to further that investigation. However, such an investigation should be tempered by the understanding that defective software, especially that which has not been properly maintained, or properly configured, can, and very frequently does, fail on account of that defect simply as the result of a properly formed standards defined computer or network activity. We all know PC systems (especially, but not exclusively, Windows) can fail at times even though only normal activity is taking place. Just because an activity can come from outside, from the internet, does not mean that it can only be malicious.
I recommend the City of Battle Creek Michigan, and any other government or business in like circumstances, operate under the following suggestions:
Also, get the reverse DNS fixed on your mail server.
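The post above says a relay test should at most raise an alarm on a well-run server, and that the alarm can then be filtered for a known testing source. One way to do that on the defender's side is a periodic log check. The example below is added here and is not part of the original post or of any real Battle Creek system: it parses constructed Postfix-style "Relay access denied" lines, summarises denied relay attempts per client, labels a recognised tester differently from a multi-recipient relay attempt, and returns only the sources worth a human look. The IP addresses, domains, the `KNOWN_TESTERS` set and the `BULK_THRESHOLD` value are all assumptions.

```python
"""Added example: summarise denied relay attempts from mail logs so a known
relay tester is filtered while real relay abuse still raises an alert.
Log lines, addresses and thresholds are constructed assumptions."""
import re

# Constructed Postfix-style smtpd lines (not logs from any real system).
SAMPLE_LOG = """\
Feb 25 08:01:12 mx postfix/smtpd[2101]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 554 5.7.1 <probe@orbz.example>: Relay access denied; from=<probe@localhost> to=<probe@orbz.example> proto=ESMTP helo=<probe.example>
Feb 25 08:01:13 mx postfix/smtpd[2101]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 554 5.7.1 <probe@orbz.example>: Relay access denied; from=<> to=<probe@orbz.example> proto=ESMTP helo=<probe.example>
Feb 25 08:01:14 mx postfix/smtpd[2101]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 554 5.7.1 <probe@orbz.example>: Relay access denied; from=<probe@[198.51.100.9]> to=<probe@orbz.example> proto=ESMTP helo=<probe.example>
Feb 25 08:02:40 mx postfix/smtpd[2102]: 1A2B3C: client=mail.partner.example[198.51.100.20]
Feb 25 08:02:41 mx postfix/smtpd[2102]: NOQUEUE: reject: RCPT from mail.partner.example[198.51.100.20]: 550 5.1.1 <nobody@battlecreek.example>: Recipient address rejected: User unknown in local recipient table; from=<x@partner.example> to=<nobody@battlecreek.example> proto=ESMTP helo=<mail.partner.example>
Feb 25 08:03:05 mx postfix/smtpd[2103]: NOQUEUE: reject: RCPT from spammer.example[192.0.2.77]: 554 5.7.1 <victim1@elsewhere.example>: Relay access denied; from=<deals@cheap.example> to=<victim1@elsewhere.example> proto=SMTP helo=<spammer.example>
Feb 25 08:03:05 mx postfix/smtpd[2103]: NOQUEUE: reject: RCPT from spammer.example[192.0.2.77]: 554 5.7.1 <victim2@another.example>: Relay access denied; from=<deals@cheap.example> to=<victim2@another.example> proto=SMTP helo=<spammer.example>
Feb 25 08:03:06 mx postfix/smtpd[2103]: NOQUEUE: reject: RCPT from spammer.example[192.0.2.77]: 554 5.7.1 <victim3@elsewhere.example>: Relay access denied; from=<deals@cheap.example> to=<victim3@elsewhere.example> proto=SMTP helo=<spammer.example>
Feb 25 08:03:06 mx postfix/smtpd[2103]: NOQUEUE: reject: RCPT from spammer.example[192.0.2.77]: 554 5.7.1 <victim4@yetanother.example>: Relay access denied; from=<deals@cheap.example> to=<victim4@yetanother.example> proto=SMTP helo=<spammer.example>
Feb 25 08:09:51 mx postfix/smtpd[2104]: NOQUEUE: reject: RCPT from unknown[198.51.100.33]: 554 5.7.1 <c@d.example>: Relay access denied; from=<a@b.example> to=<c@d.example> proto=SMTP helo=<localhost>
"""

# Only relay denials; a 550 "User unknown" for a local address is not one.
RELAY_REJECT_RE = re.compile(
    r"reject: RCPT from (?P<host>\S+)\[(?P<ip>[\d.]+)\]: \d{3} \S+ <[^>]*>: "
    r"Relay access denied; from=<(?P<sender>[^>]*)> to=<(?P<rcpt>[^>]*)>")

KNOWN_TESTERS = {"203.0.113.5"}   # assumption: addresses of relay-testing services you recognise
BULK_THRESHOLD = 3                # assumption: distinct recipients before we call it abuse


def parse_relay_rejects(log_text):
    """Extract 'Relay access denied' events as dicts; other lines are ignored."""
    return [m.groupdict() for m in map(RELAY_REJECT_RE.search, log_text.splitlines()) if m]


def summarize(events):
    """Group denied relay attempts by client IP and classify each source."""
    summary = {}
    for e in events:
        s = summary.setdefault(e["ip"], {"denied": 0, "recipients": set(), "senders": set()})
        s["denied"] += 1
        s["recipients"].add(e["rcpt"])
        s["senders"].add(e["sender"])
    for ip, s in summary.items():
        s["distinct_recipients"] = len(s["recipients"])
        if ip in KNOWN_TESTERS:
            s["kind"] = "known relay tester"     # expected: keep the log line, page nobody
        elif s["distinct_recipients"] >= BULK_THRESHOLD:
            s["kind"] = "bulk relay attempt"     # many third-party recipients: a spam run
        else:
            s["kind"] = "single-target probe"
    return summary


def analyze(log_text):
    return summarize(parse_relay_rejects(log_text))


def alerts(summary):
    """Sources worth a human look, most active first; known testers filtered out."""
    worth = [(ip, s["kind"], s["denied"], s["distinct_recipients"])
             for ip, s in summary.items() if s["kind"] != "known relay tester"]
    return sorted(worth, key=lambda a: (-a[2], a[0]))


if __name__ == "__main__":
    for ip, kind, denied, rcpts in alerts(analyze(SAMPLE_LOG)):
        print(f"{ip}: {kind} ({denied} denied, {rcpts} distinct recipients)")
```

The tester's three attempts (one of them with the `<>` null sender, one with an address-literal sender) all target the same recipient and are tagged as expected traffic, while the four denials from `192.0.2.77` to four different recipients surface as the thing that actually needs attention. The "User unknown" rejection from the partner host is deliberately not a relay event and never appears in the summary.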
Re:Shooting people to tests for vests (Score:3, Interesting)
Recently, my mail server stopped accepting messages from my "boss" at the courthouse, because they'd managed to get listed in SpamCop, ORBZ, and ORDB, with MAPS listing them with "we have spam on file from this site".
When I pointed this out to the IT department, and gave them pointers to where to find at least a partial fix for GroupWise, I was told that they KNEW they were running an open relay for more than 6 months before the RBLs found out, but had no idea where to look to find the "cure". (Getting rid of GroupWise wasn't an option, apparently, even though this is the only way to secure a GroupWise installation... B-)
They still haven't addressed the fact that they run the only non-encrypted wireless networks in town...
Re:Shooting people to tests for vests (Score:5, Interesting)
Interesting that the latest banner I get is....
220 battlecreek.org GroupWise Internet Agent 5.5.3.1 Ready (C)1993, 1999 Novell, Inc.
I had a run in that went a slightly different way with a member of the school board for the Spencer Wisconsin school district. I got spam from them. I reported the problem to them, noting also that this was an inappropriate way for tax dollars to be spent. I got this response:
Dear Phil,
We have talented people working hard to keep our system clean. Somehow
it seems that criminals and crackers are better funded than public school
systems. Figure that out. Meanwhile, if you would spend less time
criticizing honest hard working people and more time helping put a stop to
this sort of thing, we'd all be better off.
You sir, are a Prick.
Sincerely,
Jeff Darga [mailto]
VP-Spencer Board of Education [k12.wi.us]
What I'd like to know is why honest hard working people are incompetent and leave a mail server open to spamming abuses. Of course Mr. Darga doesn't really seem to care.
Re:Shooting people to tests for vests (Score:3, Insightful)
The "you are a prick" part caught me off guard. If Mr. Darga needs some help, he is NEVER going to get it with that kind of attitude (even from his co-workers and underlings).
I think that Mr. Darge needs a vacation, a good course in stress management and another course in dealing with the public.
Re:Shooting people to tests for vests (Score:3, Insightful)
Nah. The local paper needs a copy of the letter. It does wonders for political careers when the paper has to note that it cannot include the entire letter sent from a school board member to a citizen because "he wrote things that can't be printed in a family newspaper" . .
hawk
Re:Shooting people to tests for vests (Score:2)
Re:Shooting people to tests for vests (Score:4, Insightful)
Re:Shooting people to tests for vests (Score:3, Interesting)
verbal moderation: +1 interesting.
Re: (Score:2)
Re:Shooting people to tests for vests (Score:2, Insightful)
I don't remember any such relay that wasn't fixed within a couple of days...
Re:Shooting people to tests for vests (Score:2, Interesting)
As the IT Director for the Bishop Union Elementary school district, I'd probably send you a similar response if you sent a bitchy message as yours to Spencer, WI.
The bottom line - you were whiny, you didn't actually help (or offer to help) him, and you were rude. Just precisely how did you *expect* him to react? School administrators have enough work to do without having to deal with annoying strangers.
Sheesh.
Joe Griego
Dir., I.T.
Bishop Union Elementary, and Bishop Joint Union High School Districts
Bishop Elementary [k12.ca.us]
Bishop High [k12.ca.us]
Re:Shooting people to tests for vests (Score:3, Informative)
Here is the letter I sent, sans the spam itself (typical relayed spam). As you can see, I didn't focus on the spam, and I didn't subject them to my usual "block first, ask questions later" approach (else how would I have gotten his response).
The following is a complaint regarding SPAM from the Spencer
Public Schools.
Spam is bad enough when some company on the internet sends it
out to you. But it can be stopped easily by recording the
location it comes from in a list of places to reject mail from.
Thousands of Internet Service Providers and other companies
are now doing this.
Now spam is coming from the Spencer Public Schools. I don't
think this is what the tax dollars of your community are for.
Yet it is paying for helping some spammer on the internet to
send his junk mail to millions of people. It not only costs
you money, but it also costs other people money.
I have been seeing this kind of thing happen in many many
places throughout the Internet. Mail servers are set up on
the Internet, and they are either set up incorrectly, or they
are set up with bad software. One or the other of these did
happen at Spencer Public Schools. That's how the spam came
through.
When a mail server is set up, if the person who sets it up is
not specifically thinking about making sure others cannot relay
their spam through it, they might as well accept the fact that
it is going to happen. The same thing applies to security.
Can you be sure that your servers (all of them) are really so
secure if the person who sets them up is so careless as to let
spam come through a mail server? Do you know that when they
set up the other servers they thought carefully about all the
security issues when they did it to make sure no one can access
things like confidential records? Have you audited the security
of the Spencer Public Schools computers?
So you're running Windows 2000. That doesn't make it secure.
Obviously it doesn't if a simple thing like using your computer
to send spam throughout the world for some con artist can be
done. Setting up ANY computer requires that the person who
sets it up realizes that it is NOT secure until they do all the
steps necessary to make it secure.
You are sure to get many complaints due to this spam. The first
thing that will happen is someone will quickly go make changes
to the mail server to prevent this one security leak. That may
seem fine at first. But what about all the other security holes?
Will they also be plugged up? Do you even know what they are?
And what about your computer operating procedures and policies?
Did they cover this kind of situation? They obviously failed
to prevent it. But were they even written to prevent it or did
they just not even address the issue at all?
You clearly need to get some competent computer help involved
in making sure your computers are secured. Perhaps you can get
this help from WiscNet. But you definitely need to get that
help, and get it soon. And don't ask one of the students who
might seem to be very bright with computers. They might be
good at cracking into computers or writing nifty programs, but
what you need is a professional analysis of your procedures and
security policy. And you need to get it done before the fall
school term begins. If not, you are almost certain to become
a victim again, and again; if not from spammers, then maybe
even from one of your own students.
As for this spam incident, normally my very first action after
sending a formal complaint is to totally cut off the offender's
network from our network. If I did that here, you'd have to
make a request to me to restore that access by some means other
than through your own mail server. It's usually inconvenient,
but it gets a serious message across to Internet scofflaws.
In this case, I'm not going to do this. I won't be blocking
your network. If the problem repeats, I'll change my mind.
I have over 21,000 networks blocked right now (over 3,000 of
them are in China). And those are the ones where the people
running them just don't care.
Normal spam complaints include a copy of the spam that caused the
complaint to be made. So I'm including that below. Each line
of the original is indented with a "|" character at the left
side of each line. Here it is:
Re:Shooting people to tests for vests (Score:2)
In addition, by using all caps for the word "spam", you are abusing Hormel's very reasonable and good-natured policy [spam.com] regarding the use of the term "spam" for junk email.
They ask that you use all lowercase for spam. All uppercase is a Hormel trademark for the meat product.
Re:Shooting people to tests for vests (Score:2)
It is capitalized for emphasis, not for being an acronym (which it isn't). If there was a way to do bold text in plain ascii, I would have used that. I prefer not to send HTML mail.
Re:Shooting people to tests for vests (Score:2)
It was actually running Windows 2000 at the time. I checked through the site back then. This was 9 months ago. They apparently have changed things.
Re:Shooting people to tests for vests (Score:2, Funny)
Is that something you do with your boyfriend?
Re:Shooting people to tests for vests (Score:2)
I'm so .... scared!
That's very unlikely to happen in normal circumstances. Perhaps it would have been prudent for ORBZ to suspend testing for a few days after 9/11, as that was an abnormal time.
Re:Shooting people to tests for vests (Score:2)
This is a very good question. Of course, IANAL (and I'd wish that more L's would offer hypothetical opinions here, not to be construed as legal advice), so don't construe this as legal advice... that said, my understanding is as follows.
There is a principle that you have to accept people as they come. This means that, if you sneak up behind someone, shout "Boo!" and they drop dead of a heart attack, you are responsible for their death. You may or may not be criminally negligent or liable as well.
If the victim was participating in an activity, where sneaking up on people and shouting "Boo!" was expected, you are generally in the clear, even if they had a weak heart. The organizers of such an activity do have a responsibility to explain the potential risks though, lest they be found negligent.
But, if unexpectedly, and for no other reason than to frighten, you cause someone to die this way, you are in a heap of trouble. The reasoning is that you had no justification, other than your amusement, for the action, and so must bear the consequences for the results.
In the case of tapping someone on the shoulder to see if they're alive there's good reason for the action: you're looking for survivors of some tragedy (for example). If anything, you are trying to be helpful, and while this sometimes results in unfortunate accidents, helping others is an activity that is generally encouraged. Many jurisdictions have "good samaritan" laws for this reason: if you injure someone in a good-faith effort to help them, you can't be found legally liable (though, I'd limit that to criminal charges only because you are still responsible: "Judge: you paralyzed them while saving their life -- they're entitled to $1,000,000 compensation if they're willing to die for it (as they otherwise would)").
In this case, ORBZ was performing a social service, albeit taking the "law" into its own hands in policing servers. So the situation is unclear. Their "victims" certainly weren't in dire need of this "assistance". However, was what they were doing reasonable? They were simply sending standards-compliant mail to servers that clearly were set up to accept it. An analogy would be sending a letter to someone to see if they send nasty, annoying mail back. Is it your fault if they go into fits of apoplexy instead because they have an epileptic seizure due to the particular shade of blue of the envelope of your letter? When they provide the mailbox?
The clincher, though, is that the mail server software was probably licensed without warranty from Lotus. So, here you have an organization taking on the risk of potentially buggy software and then trying to foist that responsibility on people who accept their invitation (I'd consider an MX publication an invitation) to use it.
I think that prosecution was dropped in this case, not because the city had a change of heart, but because legal counsel advised them that they had a weak case. That would explain the flip-flopping tone of their press-release: "we don't have a case against you but you caused us grief because we used buggy code".
Wrong analogy? (Score:2, Funny)
Oh, no, you can't. People who don't wear bulletproof vests (unlike badly configured mail-servers) harm only themselves, not others.
Service checking vs. collateral damage (Score:2, Interesting)
PROS:
-SPAMing domain administrators aren't likely to respond to an email asking if they can be
-Incompetent administrators who will refuse and/or just not know what the check is so not want it to be done.
-Some administrators will simply delete it by mistake, not ever finding out they have an open relay.
-Also more reasons which I haven't thought of because I'm dead tired.
CONS:
-Lotus Domino and other servers with problems might either crash, or report false positives. This is a big problem for companies, but...they should really upgrade anyway.
-Probably some that I haven't thought of here too.
I think the positives far outweigh the
We were using their service for about 12,000 customers, and it worked quite well. Ah well.
---
It's my personal opinion that if someone sends one of these emails and it crashes your server, yes, it is your fault. Better to find out now, when you can fix it, before you lose more productivity later on when it is combined with all of the other
Maybe it will act as a reality check for all those managements out there who think security isn't a big issue. It is.
Do other mail servers have similar flaws? (Score:4, Interesting)
Of course, even if you can't get the spammers in a strict loop, telling relay1 that your machine's IP address is that of relay2, relay2 that it's relay3, relay3 that it's relay4, ..., should at least leave the Korean spam relays talking to each other and slow down the number of messages they can send to real people.
Prosecution - the Gov't Game (Score:2)
The various parts of the US Government tend to be oblivious to Information Security issues. But they do know prosecution. And that they pursue with gusto.
We were constantly told that there was no budget to support infosec activity. But when the inevitable compromise was discovered, in came the big investigation. Infosec meetings included management's gleeful discussion of FBI involvement, followed by an FBI agent's discussion of "lessons learned" (rarely touching on real issues and always tech-light) and what equipment had been taken as evidence. Of course, the lab losing the IT resource rarely had the budget to replace the missing hardware. Everyone paid.
Of course, a bit of money up front to secure the environment from the beginning would probably avoid the whole investigation and enable the lab to continue using its hard-fought-for resources.
Back to Battle Creek. Sudden revisions on updating their infrastructure. Lots of grave concern over people running around doing damage to them, indistinguishable from all those Evil hackers. And prosecution talk.
Looks like the City of Battle Creek will be paying the high cost of ignoring infosec too.
Score one for common sense, for a change. (Score:4, Funny)
~Philly
Re:Score one for common sense, for a change. (Score:2)
Better yet, send them to the Kellogg Sanitarium. Getting 5 gallon oatmeal enemas daily might give them an inkling of how their customers will feel if $MEDIA_WHORE laws are passed.
No "unannounced" tests? (Score:3, Interesting)
But if sending a mail to a server could cause it to crash, how else could you contact someone to get permission to test? Phone calling?
What an embarrassment! (Score:4, Funny)
Let me guess (based on pure speculation):
There are always exceptions, but the average municipality is not stealing the top minds from NASA to run their IT operations. Every once in a while, I peruse IT job listings. When I see a huge list of unrelated requirements combined with a pitiful salary, it's usually (a) municipal gov't, (b) school systems (same thing), or (c) retail. Before I get flamed by an army of municipal IT workers, I will clarify this sweeping generality: Municipalities hire too few people, they overcommit their resources, and the salaries encourage turnover. Surely, any reasonably qualified sysadmin (certified or not) would have detected & fixed the Lotus vulnerability (even if after-the-fact). The press release tells a story that makes it look like they have no dedicated IT staff whatsoever. I could be wrong on this, but if they spent less on lawyers and more on IT, this problem would have been prevented or quickly resolved.
According to Netcraft, the website at ci.battle-creek.mi.us is running "Microsoft-IIS/5.0 on Windows 2000." The prosecution rests. This Battle Creek operation must have been a real bundle of joy when they discovered the "Code Red" worm.
Page listing 800 numbers of SPAMMERS (Score:2)
Can we get the database? Let's go P2P! (Score:2)
I think if ORBZ was run on a patching basis we could choose to upgrade our databases on a daily basis.
Or better yet, use a P2P protocol to build a distributed network so that we don't have to suffer with the "READY-FIRE!-AIM" mentality of the technologically challenged
Great! (Score:2)
Re:more info? (Score:3, Insightful)
One of the known exploits for spammers to use open relays also happens to overlap with an old flaw in Lotus Notes, causing it to go into an infinite loop.
Battle Creek got whammied by ORBZ, unintentionally, and filed criminal charges.
Re:more info? (Score:5, Informative)
The defect was fixed in version 5.0.9 and Lotus has moved on with version 5.0.10 being released soon. Many people as of yet have not upgraded their servers, leaving ORBZ open to similar actions if they stumble across other Domino servers that are running older software and whose owners might be more litigious.
So ORBZ isn't out of the woods yet.
Re:more info? (Score:2)
Then what needs to be done is to recognize the versions of Lotus that are defective, and just don't send any tests to those. Do go ahead and list them as a "spam risk due to incompetent administration" (e.g. because they have not yet been upgraded).
Re:more info? (Score:2)
Re:more info? (Score:2)
It's a config setting, and Domino Administrators are (or bloody should be) prepared to tweak these settings.
I don't know if you're aware of this, but every Domino server, by default, installs as an open relay. Unless you lock it down with a setting in the server's configuration document (Router/SMTP - Restrictions and Controls - SMTP Inbound Controls - Inbound relay controls), you are going to have problems anyway.
It's a configuration issue.
Lotus are famous for leaving configurations wide open, and leaving it for the Administrator to tweak. I admit that they completely missed this issue coming, but fixing it is a 20 second job. I suppose now their problem is letting admins know....
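Whether a relay is already being abused shows up in the server's own mail log before any outside tester notices. The following is an added example (not code from the thread, and not Domino-specific) that flags outside-to-outside transactions; the log line format, the local networks and domains, and the sample lines are all constructed for the example.

```python
# Added example (not from the thread): flag third-party relay attempts in an
# SMTP transaction log. Log format and sample lines are constructed; adapt LINE_RE.
import ipaddress
import re
from collections import Counter

# Constructed: networks and domains this server is allowed to relay for.
LOCAL_NETS = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "2001:db8::/32")]
LOCAL_DOMAINS = {"example.org", "mail.example.org"}

# Constructed log format: client=<ip> from=<addr> to=<addr> auth=<yes|no>
LINE_RE = re.compile(
    r"client=(?P<ip>\S+) from=<(?P<from>[^>]*)> to=<(?P<to>[^>]+)> auth=(?P<auth>yes|no)"
)

def is_local_ip(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LOCAL_NETS)

def domain_of(addr: str) -> str:
    return addr.rpartition("@")[2].lower()

def is_relay_attempt(line: str):
    """Return the client IP if the line is an outside-to-outside relay, else None."""
    m = LINE_RE.search(line)
    if not m:
        return None  # unparseable line: skip rather than guess
    if m["auth"] == "yes" or is_local_ip(m["ip"]):
        return None  # our own users and hosts may send anywhere
    if domain_of(m["to"]) in LOCAL_DOMAINS:
        return None  # inbound mail for a domain we host is legitimate
    return m["ip"]  # outside client, outside recipient: relay attempt

def relay_report(lines) -> Counter:
    """Count relay attempts per client IP across a log excerpt."""
    return Counter(ip for ip in map(is_relay_attempt, lines) if ip)

# Constructed sample: outbound, inbound, two relay attempts, an authenticated submission, junk.
SAMPLE_LOG = [
    "client=192.0.2.10 from=<alice@example.org> to=<bob@remote.test> auth=no",
    "client=203.0.113.5 from=<x@anywhere.test> to=<joe@example.org> auth=no",
    "client=203.0.113.5 from=<x@anywhere.test> to=<victim1@elsewhere.test> auth=no",
    "client=203.0.113.5 from=<x@anywhere.test> to=<victim2@elsewhere.test> auth=no",
    "client=198.51.100.7 from=<alice@example.org> to=<bob@remote.test> auth=yes",
    "garbage line the parser should skip",
]

if __name__ == "__main__":
    for ip, n in relay_report(SAMPLE_LOG).most_common():
        print(f"{ip}: {n} third-party relay attempt(s)")
```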
Re:more info? (Score:2)
Re:more info? (Score:2)
Actually, it's now running....
220 battlecreek.org GroupWise Internet Agent 5.5.3.1 Ready (C)1993, 1999 Novell, Inc.
Nope. (Score:4, Informative)
-russ
Latest News Story - Battle Creek Enquirer (Score:2, Funny)
Oh, my. These folks need Tech Help in just the worst way - won't someone write them with a set of correct definitions?
Re:A day too late? (Score:2, Informative)
Re:Spam? (Score:2)
Re:Spam? (Score:2)
This is more of a "crash the server exploit", or as many have already said, "DoS attack".
Re:A better analogy... (Score:4, Insightful)
I'm not into reasoning by analogy but if you feel the need in future here are some alternatives you might try, at the very least they betray your disgusting attempts to impugn ORBZ:
ORBZ is squeezing the fruit in the supermarket to see if it's ripe.
Another:
ORBZ is playing a tune to see if they approve of the melody.
Now go scurry under your rock and stop implying that what ORBZ did is anything other than a public service, or worse; equating it to selling coke to kids. These things are not morally equivalent you dolt.
Re:But what about Slashdot's intent (Score:2)
No. But they might get a court order to turn over all the account information. Maybe then we can find out who the real Anonymous Coward is :-)
Re:Hey! Its 'Made You Look Day' (Score:2)
Why wait? (Score:2)
I for one could care less about an open relay getting a grace period to fix their problem.
It was only when a bunch of them were blacklisted did it get their attention to fix the problem.
Have you ever tried getting a response from a "postmaster" account?
The fact is until their users are impacted, it won't matter.
Now that ORBZ is offline, we have noticed a SIGNIFICANT increase in the amount of crap flowing into our systems.
Re:ORBZ bears some responsibility (Score:2)
Re:Is it just me or..... (Score:2)
No, Battle Creek's been looking for a new police chief for quite some time - it's a thankless job