
Battle Creek, Michigan Settles Dispute with ORBZ

Peter Sachs, Esq. writes: "According to a press release that now appears on its official website, the City of Battle Creek, Michigan has 'settled' its dispute with ORBZ.ORG. The City concluded that ORBZ.ORG had no criminal intent to cause the City harm by testing the 'open relay' status its server. In fact, the Assistant to the City Manager said, '...we recognize that [ORBZ.ORG] has done us a service. We are going to be taking a close look at our policies regarding Lotus security updates and how we can avoid the issue in general'"
  • by nurightshu ( 517038 ) <rightshu@cox.net> on Friday March 22, 2002 @12:56AM (#3205831) Homepage Journal

    A government entity thinking clearly and levelly, and actually thanking geeks for trying to help them? Astounding.

    Okay, everyone, it's time to pack up and go. Would the last one out of the server room please hit the BRS?

    • No, I think this is still scary. They launched an investigation because *someone sent an email that locked up their server*. Not flooded the server, not spammed ... just sent an email.

      They should be investigating the marklars at lotus who apparently are not great programmers. No email should *ever* be able to bring down an e-mail server.
      • It was just an investigation.

        Uh, there is no such thing as "just an investigation."

        I worked for a government agency. It was absurd because all of the policies would go through these weird legal distortions. If they wanted a simple policy, say changing from a 15 to 20 minute break, they would pass a law, and it would be illegal to take a 15 minute break. They lost the ability for people to communicate with people as people.

        ORBZ may have been a bit cavalier in its testing of security holes in servers, but was altruistically trying to perform a service. Instead of trying to communicate, however, the legal system immediately jumps into litigation confrontation and threats. It is really a screwed up system.
        • They weren't making laws. They were making rules. Congress makes laws, agencies enforce them.
          • by treat ( 84622 )
            They weren't making laws. They were making rules. Congress makes laws, agencies enforce them.

            The rules/regulations that agencies make have the force of law, however. That is, you can be imprisoned for not following them, with the full force of the US government behind them.

      • It's not so much a problem that they launched an investigation. Investigating an action that brought your server down for a day is probably a good thing.

        The problem was that their 'investigation' was a bit on the "shoot first and question the cadaver later" nature. Their first step should have been to spend some time figuring out what happened and the nature of the apparent 'attack'. Had they done that, I think that they would have realized that the 'attack' was quite possibly a mistake and/or the result of a problem with the configuration of their box.

        In this case, it appears that one of the first things they did was to issue a search warrant. As far as I'm concerned, a search warrant should not be issued lightly. I think that both the police department and the judge who signed the warrant should get a (virtual) public flogging over their actions under these conditions.

        As for analogies, I think that a closer one is someone going around the neighbourhood checking for unlocked doors and informing the owner of the insecure box...
        then one day, you find a house where the door is unlocked, and the house is armed.

        • then one day, you find a house where the door is unlocked, and the house is armed.

          Er, um.. that should have been "and the house (door) is alarmed." This actually happened to me once, when I was trying to find my way out of a place where I was doing some late night admin work.. I tried a door that turned out to be an entrance to a neighbor's space. The door was unlocked, but had a chain on it and an alarm (which was set up).

          It was kinda half-amusing the conversation I had with the police when they arrived...

          • Are you authorized to be in there?
          • yes.
          • then can you come out and talk to us for a while?
          • no.
          • why not?
          • I don't have a key.
          • are you sure you're authorized to be there?
          • Yes. I've called the owner, he's on his way. . . . .
    • Unfortunately when we could no longer use Orbz we switched to using another database. I wonder how many other people switched and will not switch back. Quite a few I should imagine.
    • by caferace ( 442 )
      Would the last one out of the server room please hit the BRS?

      Not so fast there Bucko... From the press release: "Spam refers to a computer prank that causes multiple duplicate emails, sometimes several hundred at once, to clog up the recipient's mail server."

      Seems to me like they still have a few things to learn...

  • by asackett ( 161377 ) on Friday March 22, 2002 @12:57AM (#3205834) Homepage
    My personal boycott of Kellogg's products continues at least until they repay Ian for his legal expenses incurred as a result of the need to defend against the city's stupidity.

    I understand that Kellogg's has nothing to do with the stupidity of the city, but they're the biggest taxpayer/employer in Battle Creek, and that's close enough for me. As an American, collateral damage means nothing to me!
    • Wait, is this a joke? What legal expense? Dude took down his site almost immediately.

      He rolled over like a puppy getting patted on the belly precisely *because* he wanted to avoid legal expenses.

      Of course, kelloggs does make Smacks [kellogs.de]. Maybe that's what I'm smelling.
    • I understand that Kellogg's has nothing to do with the stupidity of the city,

      HAH!! I grew up in the town! You have NO idea how wrong you are about that. They ran the town so effectively that they blackmailed a surrounding township to merge with the city and then had the city tear down several blocks of downtown for a research center and a high class hotel that wouldn't make visiting VIPs feel like they were in No-Tell Motel Hell. Millions in taxpayer money went to this while the surrounding neighborhoods turned into run down rat infested crack houses. Eventually, Kellogg's laid off so many people that they've lost some of their influence.

      but they're the biggest taxpayer/employer in Battle Creek, and that's close enough for me.

      Actually, Nippondenso and Battle Creek Health Systems are bigger nowadays. Also, you should know that Post and Ralston Purina have factories there.

      As far as a boycott goes, I've been doing that ever since the day I saw how corn flakes were actually made ... And you've no idea what it's like when the sickly sweet smell of Sugar Frosted Flakes or Sugar Pops floats over the city like the sugar hangover from hell. Sour, sweet and totally nauseating.

      The Battle Creek Police would be ill equipped to investigate a case like this. They have more trouble than they can handle in that town as it is.

      Don't be too tough on BC - hell, they JUST got cable modem service two months ago and the geek population is just about zero as the few who grew up there either moved out or got buried under a football field somewhere by the team ...

      Do you know how pathetic the place is? They have an army base named after Gen. Custer. Need I say more?

      I love living in Kalamazoo ...
  • by Bonker ( 243350 )
    "...we recognize that [ORBZ.ORG] has done us a service."

    It's about fucking time that someone pulled their heads out of their asses and realized that it wasn't necessary to start filing lawsuits and criminal charges to punish *smart* tech behavior!

    Unfortunately, it may already be too late for ORBZ. Here's hoping that ORBZ comes back up in light of this statement.
  • by Nethead ( 1563 ) <joe@nethead.com> on Friday March 22, 2002 @12:58AM (#3205837) Homepage Journal
    First the boss makes a stink about ORBZ and then they get slashdotted. Glad I don't work there.
  • by Astral Jung ( 450195 ) on Friday March 22, 2002 @01:01AM (#3205846) Homepage
    The good news: For once, a government entity came to communicate with someone who wasn't really doing it harm, but actually good, and managed to realize that.

    The bad news: They still haven't quite understood the situation yet, based on the article taken from the City of Battle Creek page:

    Spam refers to a computer prank that causes multiple duplicate emails, sometimes several hundred at once, to clog up the recipient's mail server.

    They are getting better, though.
  • Pity that their first reply was to sue, before even considering the case. It's a pity that ORBZ let itself be SLAPP [google.com]ed out of existence first.

    Unfortunately, there really isn't any way to stop this sort of behaviour apart from instituting very harsh penalties for threatening to sue and not following through with the threat or reaching an adequate mediated position with all affected parties.

    A$#*holes I say - even if they have recanted now, it's too late to fix the damage. For example the mail-filters plugin for Squirrelmail [squirrelmail.org] has had orbz removed - even if it comes back up, people running that code won't be using it.
    • by legLess ( 127550 ) on Friday March 22, 2002 @01:18AM (#3205896) Journal
      Breathe into a paper bag for a minute before you hyperventilate. First, this wasn't a SLAPP, it was a court order. It wasn't even a criminal charge yet. More to the point, it was justified. Here's what the press release (which you obviously didn't read) says:
      "The purpose of the search warrant was to determine the identity of the person who sent the email that caused our system to fail so we could then determine whether further investigation would be necessary."
      Think for a second: you're a government agency, and you notice someone sending bits to your server that make it crash. What's your first response? What's anyone's first response? Find out who did it, and search warrants are very good at that.

      Second, this all could have been avoided if Ian Gulliver hadn't freaked when he got the order. If he'd waited a bleeding 24 hours this would have been resolved and ORBZ could have gone on its merry way.

      I'm going to resist drawing any parallels between your hysterical and incorrect assessment of the situation and Ian's similar reaction, except to say: pay attention. Life is hard enough without going off half-cocked on incomplete information.
      • by flamingcow ( 153884 ) on Friday March 22, 2002 @08:16AM (#3206648) Homepage
        "The purpose of the search warrant was to determine the identity of the person who sent the email that caused our system to fail so we could then determine whether further investigation would be necessary."
        The search warrant cited our domain no less than 7 times. Had the detective taken the time to read the website, the situation would have been quite clear to him.
        Second, this all could have been avoided if Ian Gulliver hadn't freaked when he got the order. If he'd waited a bleeding 24 hours this would have been resolved and ORBZ could have gone on its merry way.
        Having more knowledge here of what went on than you, please trust me. In my opinion, this 'settlement' wouldn't have been nearly as forthcoming if a certain Wired.com article didn't cause major embarrassment. I believe that this 'settlement' is much more public relations damage control than an actual realization that a mistake was made.
      • by FreeUser ( 11483 ) on Friday March 22, 2002 @09:33AM (#3206908)
        Second, this all could have been avoided if Ian Gulliver hadn't freaked when he got the order. If he'd waited a bleeding 24 hours this would have been resolved and ORBZ could have gone on its merry way.

        It's very easy to be an armchair general from the peanut gallery, especially since you have nothing at risk.

        This was a (relatively rare) instance of a government exercising some common sense. There was no guarantee that this would be the outcome.

        Imagine if it had gone the other way (they pressed charges) and he had continued operating as before. Going in front of a judge and being forced to admit that "yes, I engaged in the same activity for which I was being prosecuted after having been served notice," is the kind of thing that results in penalties that tend toward the harsh, rather than lenient, if convicted.

        ORBZ was a service being provided for our benefit, for the "greater good" if you will (yes, I know how alien that phrase sounds in our Money Ueber Alles culture, but there do still exist people who spend their energy trying to better all of humankind, rather than merely themselves. They may be endangered, but they aren't extinct just yet). It is not at all reasonable to expect someone to risk fines, seizure of equipment, and possibly even jail time simply so they can go on doing everyone else a favor.

        The government body in question may be contrite now, but the damage is done, and they are, ultimately, the cause of that damage. Whitewashing their responsibility now behind the argument that "that's just how investigations are done" does nothing to alleviate their responsibility, though it does underscore just how aggressive, flawed, and Orwellian many of our "standard investigative procedures" have become. Not that we needed any more examples, we seem to have been getting hit in the face with that fact every day lately.
      • Think for a second: you're a government agency, and you notice someone sending bits to your server that make it crash. What's your first response? What's anyone's first response? Find out who did it, and search warrants are very good at that.

        Think for a second: You're anybody on the face of the planet who is actually sane and rational. Your first response in the same situation: Block the bits, figure out why those bits crashed your shit, and then fix the fucking problem.

        If your box explodes, then you are at fault. Period. Unless you are running M$ products. ;-)
  • Also
    by NiftyNews ( 537829 ) on Friday March 22, 2002 @01:10AM (#3205873) Homepage
    "The City concluded that ORBZ.ORG had no criminal intent to cause the City harm by testing the 'open relay' status its server."

    The City also announced that it really likes to be capitalized when referred to. It also notes that the word "of" is still banned when referring to stories about The City.
    • by hawk ( 1151 ) <hawk@eyry.org> on Friday March 22, 2002 @08:40AM (#3206725) Journal
      "The City" is known to mean San Francisco by all educated persons. The *real* question is why SF is involved in this. Was it infiltrating Battle Creek? Having dealt with California agencies while practicing law in Nevada, and being aware of their imperial pretensions, I want to know (and so should the residents of Battle Creek!).

      :)

      hawk, watching for californians under his bed . . .

  • by Russ Nelson ( 33911 ) <slashdot@russnelson.com> on Friday March 22, 2002 @01:16AM (#3205889) Homepage
    I told Ian, time and time again, that he shouldn't be testing innocent servers. Test servers that have sent spam, yes, by all means. But you can't go around invading innocent servers.
    -russ
    • Russ, you're still wrong.

      There's no reason to believe that a server that has NOT sent any spam is MORE likely to have defects in design, coding, or configuration, when compared to a server that has sent spam. In fact, if a server HAS sent spam, THAT is the server that should not be tested. The server that has sent spam is more likely to be afflicted by at least one of bad design, bad coding, or bad configuration.

      There is no reason for any properly designed and managed server to crash and burn as a result of any piece of mail delivery. That some do is not a valid reason to devalue an important tool in the effort against spam. It could be of value if it is possible to identify from the SMTP banner if some server is a defective one, such as an older version of Lotus Notes. If that can be determined, then ORBZ should simply add the server to the list and not send anything there at all (except maybe a notice of why they are being listed). I suggest they be added because I do not want them to be sending my servers any mail because that mail has a risk of being spam, due to an obvious situation of inadequate or incompetent administration of that server.

    • ...stay very current on his Lotus Notes patches. Indeed, from now on, whenever news of a Lotus Notes security hole pops up on Securityfocus or elsewhere, guess who the script kiddies will try it out against first?
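The reply above suggests that ORBZ could recognise a defective server release from its SMTP greeting banner and list it without sending any test message at all. As an added example (not ORBZ code, nor the poster's), here is that pre-check in Python: it parses 220 greetings, including the GroupWise banner Skapare quotes later in this thread, against a constructed table of product names and version thresholds; the thresholds are illustrative placeholders, not vendor-published fix versions.

```python
import re
from dataclasses import dataclass
from typing import Optional, Tuple

Version = Tuple[int, ...]

# Constructed lookup of mail-server products the thread describes as prone to
# falling over on a plain relay test. Keys are lowercase substrings searched for
# in the banner text; values are the first release treated as safe to test.
# These thresholds are placeholders for illustration, not vendor advisories.
FRAGILE_BEFORE = {
    "lotus domino": (5, 0, 9),
    "groupwise": (6, 0, 0),
}

# "220 <host> <free text>" as sent on connect; a multi-line greeting uses "220-".
BANNER_RE = re.compile(r"^220[ -](?P<host>\S+)\s*(?P<text>.*)$")
# First dotted numeric token such as 5.5.3.1 or 5.0.5; bare years and
# colon-separated times in the banner do not match.
VERSION_RE = re.compile(r"(?<![\d.])(\d+(?:\.\d+)+)(?![\d.])")

SAMPLE_BANNERS = [
    # Quoted elsewhere in this thread (Skapare's later post):
    "220 battlecreek.org GroupWise Internet Agent 5.5.3.1 Ready (C)1993, 1999 Novell, Inc.",
    # Constructed for this example:
    "220 mail.example.test ESMTP Service (Lotus Domino Release 5.0.5) ready at Fri, 22 Mar 2002 01:57:00 -0500",
    "220 mail2.example.test ESMTP Service (Lotus Domino Release 5.0.12) ready at Fri, 22 Mar 2002 01:58:00 -0500",
    "220 mx.example.test ESMTP Postfix",
    "554 mx.example.test no service here",
]


@dataclass(frozen=True)
class Banner:
    host: str
    software: Optional[str]    # matching FRAGILE_BEFORE key, or None
    version: Optional[Version]  # parsed dotted version, or None


def parse_version(token: str) -> Version:
    """'5.5.3.1' -> (5, 5, 3, 1); tuples compare component-wise."""
    return tuple(int(part) for part in token.split("."))


def parse_banner(line: str) -> Optional[Banner]:
    """Pick host, product and version out of an SMTP 220 greeting line."""
    m = BANNER_RE.match(line.strip())
    if not m:
        return None
    text = m.group("text")
    lowered = text.lower()
    software = next((key for key in FRAGILE_BEFORE if key in lowered), None)
    vm = VERSION_RE.search(text)
    version = parse_version(vm.group(1)) if vm else None
    return Banner(m.group("host"), software, version)


def decide(line: str) -> Tuple[str, str]:
    """Return (action, reason).

    'list'   - add to the relay list and send nothing further (the thread's suggestion)
    'test'   - the normal relay check may proceed
    'reject' - the line is not a 220 greeting at all
    """
    banner = parse_banner(line)
    if banner is None:
        return "reject", "not a 220 greeting"
    if banner.software is None:
        return "test", f"{banner.host}: software not on the fragile list"
    if banner.version is None:
        return "list", f"{banner.host}: {banner.software} with no version in banner; assumed old"
    if banner.version < FRAGILE_BEFORE[banner.software]:
        shown = ".".join(map(str, banner.version))
        return "list", f"{banner.host}: {banner.software} {shown} predates the safe release"
    return "test", f"{banner.host}: {banner.software} is a current release"


if __name__ == "__main__":
    for sample in SAMPLE_BANNERS:
        action, reason = decide(sample)
        print(f"{action:6} {reason}")
```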
  • by Anonymous Coward on Friday March 22, 2002 @01:17AM (#3205892)
    What this boils down to is the city's system administrator saw the system go down, and didn't know how to fix it. It took her 24 hours to get the system back up, and to protect her job she cried wolf to the police, shifting the blame from her incompetence to an evil "hacker".

    Note to Battle Creek city managers: hire competent IT professionals, and this won't happen.

    • Blockquoth the parent:

      What this boils down to is the city's system administrator saw the system go down, and didn't know how to fix it. It took her 24 hours to get the system back up, and to protect her job she cried wolf to the police, shifting the blame from her incompetence to an evil "hacker".

      Note to Battle Creek city managers: hire competent IT professionals, and this won't happen.

      Parent was modded flamebait, but I agree with it. There really isn't an acceptable excuse for the email server being down for as long as it was. I can just imagine the sysadmin panicking after bouncing the box for the third time and *still* not having the problem "fix itself".

      Even a lazy/incompetent Domino admin should know how to clear the mail queue and reboot.
    • they can't... The city of Battle Creek is just like the city of Muskegon.. They hire incompetence. why?? well for first, the TOP pay is $35,000.00 starting pay is $28,000.00 and the Water Filtration plant operators, people who have the lives and health of the entire residents and have the most important job in the entire city get paid a maximum of $41,000.00

      Anyone that wants to be able to eat, live will never work for a City gov position. Then you are stuck working inside a ruleset that is made by the biggest pool of retards possible (City management and the City council/mayor.).

      I have yet to meet an IT person from a small/medium sized city that isn't a complete moron. Granted I only met them here in Michigan, and I am sure that there are some smart ones out there, but they usually don't work for cities... they find jobs with a real pay-scale.
    • Note to Battle Creek city managers: hire competent IT professionals, and this won't happen.

      Sensible enough, but when I worked in BC, we had a heck of a time finding people. The few that we found either relocated or commuted more than an hour each way. Apparently it's not an IT talent rich area.

      • Sensible enough, but when I worked in BC, we had a heck of a time finding people.

        Kalamazoo and Grand Rapids are much more desirable places to live. The school systems in Battle Creek are mediocre at best, and the people, for the most part are depressing drones, and the employers, for the most part, treat them as such. There's little culture to speak of - I don't call the BC Symphony Orchestra great culture, not to mention all those nice little fetuses in jars in the Kingman Museum ... There's something wrong with a town where the hottest spot on Friday night is Green's Tavern ... (country & western bar).
  • This is a very good development. It is refreshing to see people admit their mistake and back down. It is even more refreshing to see them confess that they realize that ORBZ has actually done them a service, the problem was theirs in the first place and they will try and do better in future.

    All is forgiven Michigan IMHO.
  • by buff_pilot ( 221119 ) on Friday March 22, 2002 @01:52AM (#3205981) Homepage
    for a better link... [battle-creek.mi.us]

    The email test triggered a weakness in the version of Lotus Domino software used by the City and caused a major slowdown of the City's email network for about a day on February 25, 2002.

    The ./test triggered a weakness in the version of Lotus Domino software used by the City and caused a major slowdown of the City's network for about a day on March 22, 2002.

    -jim
  • by Skapare ( 16644 ) on Friday March 22, 2002 @01:57AM (#3205991) Homepage

    From the press release by Michelle Reen, Assistant to the City Manager, Battle Creek, Michigan:

    "But, if I can draw the analogy that just because everyone should wear a computerized bulletproof vest doesn't mean that shooting people to find out who isn't wearing one is the best answer. If Mr. Gulliver chooses to do this, he perhaps shouldn't be surprised that he will occasionally be confused with the type of individual he is fighting against."

    This analogy is flawed. Here's why:

    Shooting people is something where, if a vest is not worn, can be expected to cause serious injury or death. Even if a vest is worn, the outcome can be injury, and death has been known to happen.

    A more accurate analogy would be tapping someone on the shoulder to see if they are alive. But you don't expect that one in tens of thousands happens to have a very sore shoulder, and this tapping causes great pain.

    My analogy is more correct because the kinds of tests ORBZ does is not one where a reasonable person doing this kind of activity (reasonable in this case meaning someone who understands the SMTP protocol, and related standards like RFC822, TCP, etc) would expect to cause serious problems. At most, this should trigger an alarm in more secure servers, which can then be filtered for this known testing source. ORBZ is not including codes intended to damage or destroy computer systems in these tests just to see if they would be destroyed (as Ms. Reen's analogy would suggest).

    It seems to me that the city of Battle Creek perhaps acted a bit hastily in the way they reacted. I'm not saying that they shouldn't have the police involved in the investigation, and I'm not saying they shouldn't pursue acquiring information to further that investigation. However, such an investigation should be tempered by the understanding that defective software, especially that which has not been properly maintained, or properly configured, can, and very frequently does, fail on account of that defect simply as the result of a properly formed standards defined computer or network activity. We all know PC systems (especially, but not exclusively, Windows) can fail at times even though only normal activity is taking place. Just because an activity can come from outside, from the internet, does not mean that it can only be malicious.

    I recommend the City of Battle Creek Michigan, and any other government or business in like circumstances, operate under the following suggestions:

    • Whenever something causes a system to fail, include in any investigation of the cause an analysis of why it failed, including the protocols and software codes involved. Don't just hand it over to the police after the first jump to conclusion. Gain an understanding of exactly why the system failed, especially if the failure repeats.
    • Whenever a problem is tracked to some source, don't jump into threatening mode on initial contact, unless you have a reason to believe the communication would fail any other way. Serious intent to investigate and followup on real crimes does not mean aggression in legal procedures gains anything. Were this a real internet cracker, there wouldn't have been any useful information from this first step, anyway.
    • Place stronger protection between office LANs and city WANs and the internet itself. But do more than just a simple firewall that allows raw TCP streams to pass. Use a strong secure server with proxying where possible. Systems like Lotus Notes or Microsoft Exchange are too likely to be vulnerable, and too mission critical for staff operations, to be expected to also serve as the shield facing the internet. Run an OpenBSD server with something like Postfix to forward mail, and Squid to cache web accesses both in and out.
    • Institute new procedures that outline standard timeframes for keeping computer systems up to date, especially with the latest security alerts. All security patches should be installed within 7 days of availability or a report made to the top official regarding why that patch cannot be applied, describing alternative steps to deal with the risk. All other systems should be upgraded to the latest version within 90 days, if free. If not free, an analysis of the benefits (if any) of purchasing such an upgrade should be provided to the person in charge of making system software purchasing decisions, within 90 days.

    Also, get the reverse DNS fixed on your mail server.

    • As the person responsible for email at a small ISP, and a volunteer for our local Emergency Services, the thing I find amazing and disconcerting is that government agency computer departments have some of the worst security you can imagine. And a lot of it is because they won't spend the money to hire competent people... because that can't be "justified".

      Recently, my mail server stopped accepting messages from my "boss" at the courthouse, because they'd managed to get listed in SpamCop, ORBZ, and ORDB, with MAPS listing them with "we have spam on file from this site".

      When I pointed this out to the IT department, and gave them pointers to where to find at least a partial fix for GroupWise, I was told that they KNEW they were running an open relay for more than 6 months before the RBLs found out, but had no idea where to look to find the "cure". (Getting rid of GroupWise wasn't an option, apparently, even though this is the only way to secure a GroupWise installation... B-)

      They still haven't addressed the fact that they run the only non-encrypted wireless networks in town...

      • by Skapare ( 16644 ) on Friday March 22, 2002 @03:17AM (#3206129) Homepage

        Interesting that the latest banner I get is....
        220 battlecreek.org GroupWise Internet Agent 5.5.3.1 Ready (C)1993, 1999 Novell, Inc.

        I had a run in that went a slightly different way with a member of the school board for the Spencer Wisconsin school district. I got spam from them. I reported the problem to them, noting also that this was an inappropriate way for tax dollars to be spent. I got this response:

        Dear Phil,
        We have talented people working hard to keep our system clean. Somehow
        it seems that criminals and crackers are better funded than public school
        systems. Figure that out. Meanwhile, if you would spend less time
        criticizing honest hard working people and more time helping put a stop to
        this sort of thing, we'd all be better off.
        You sir, are a Prick.

        Sincerely,
        Jeff Darga [mailto]
        VP-Spencer Board of Education [k12.wi.us]

        What I'd like to know is why honest hard working people are incompetent and leave a mail server open to spamming abuses. Of course Mr. Darga doesn't really seem to care.

        • When I was first reading that letter, I was expecting it to be a (badly written) lead-in to a request for volunteer support. This could have been a good thing.

          The "you are a prick" part caught me off guard. If Mr. Darga needs some help, he is NEVER going to get it with that kind of attitude (even from his co-workers and underlings).

          I think that Mr. Darga needs a vacation, a good course in stress management and another course in dealing with the public.

          • > I think that Mr. Darga needs a vacation,

            Nah. The local paper needs a copy of the letter. It does wonders for political careers when the paper has to note that it cannot include the entire letter sent from a school board member to a citizen because "he wrote things that can't be printed in a family newspaper" . . .

            hawk

        • by Anonymous Coward on Friday March 22, 2002 @06:25AM (#3206449)
          So why didn't you send this information to the local newspaper? Seems to me the voters would love to see what a foul-mouth guy this "Jeff Darga" allegedly is.
        • When I find a school or church organization that is relaying for spammers, I include words like these in the message to whomever:

          This time it was just a stock scam; who's to say that the next time won't be a child pornographer? Until you fix this, YOU can't!

          I don't remember any such relay that wasn't fixed within a couple of days...

        • Wow. Read your original letter, and I must admit - you ARE a prick. Your letter was condescending, self-aggrandizing (what was up with your bragging about the number of mail servers you block - does that get you chicks or something?), and rude.

          As the IT Director for the Bishop Union Elementary school district, I'd probably send you a similar response if you sent a bitchy message as yours to Spencer, WI.

          The bottom line - you were whiny, you didn't actually help (or offer to help) him, and you were rude. Just precisely how did you *expect* him to react? School administrators have enough work to do without having to deal with annoying strangers.

          Sheesh.

          Joe Griego
          Dir., I.T.
          Bishop Union Elementary, and Bishop Joint Union High School Districts
          Bishop Elementary [k12.ca.us]
          Bishop High [k12.ca.us]
  • "But, if I can draw the analogy that just because everyone should wear a computerized bulletproof vest doesn't mean that shooting people to find out who isn't wearing one is the best answer. ..."

    Oh, no, you can't. People who don't wear bulletproof vests (unlike badly configured mail-servers) harm only themselves, not others.

  • One of the main issues here is whether ORBZ should be punished for checking a domain for SPAMing with authorization from that domain. There are several pros/cons for doing it this way:

    PROS:
    -SPAMing domain administrators aren't likely to respond to an email asking if they can be
    -Incompetent administrators who will refuse and/or just not know what the check is so not want it to be done.
    -Some administrators will simply delete it by mistake, not ever finding out they have an open relay.
    -Also more reasons which I haven't thought of because I'm dead tired.

    CONS:
    -Lotus Domino and other servers with problems might either crash, or report false positives. This is a big problem for companies, but...they should really upgrade anyway.
    -Probably some that I haven't thought of here too.

    I think the positives far outweigh the
    We were using their service for about 12,000 customers, and it worked quite well. Ah well.

    ---

    It's my personal opinion that if someone sends one of these emails and it crashes your server, yes, it is your fault. Better to find out now, when you can fix it, before you lose more productivity later on when it is combined with all of the other
    Maybe it will act as a reality check for all those managements out there who think security isn't a big issue. It is.
  • by billstewart ( 78916 ) on Friday March 22, 2002 @04:26AM (#3206274) Journal
    I've been thinking about the spam problem and how to discourage attacks from open relays. Are there mail systems that don't do loop detection, or aren't good at detecting if mail is really addressed to their machine? For instance, what do the popular mailers do if they get mail for spambait.example.com and dns resolves the name to 127.0.0.1 or 127.0.0.2 or 255.255.255.255? Do they decide it's for them, or do they think it's for somebody else and send it back to themselves? Or if you set your DNS to tell spam-relay-1.com.kr that spambait.example.com's IP address is the address of spam-relay-2.com.kr and vice versa - will they end up in an endless mail loop the next time somebody sends mail to harvestme@spambait.example.com, or will they decide (at least after one or two iterations) that they've seen the message twice so they'll drop it or try to send bouncemail to the original (presumably fake) spammer's address?

    Of course, even if you can't get the spammers in a strict loop, telling relay1 to that your machine's ip address is that of relay 2, relay2 that it's relay3, relay3 that it's relay4, ..., should at least leave the Korean Spam Relays talk to each other and slowing down the number of messages they can send to real people.
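
    The loop-detection question raised in the comment above is usually answered by the hop-count rule: every relay prepends a Received: header, and an MTA refuses to forward a message once that count passes a limit (RFC 5321 section 6.3 recommends exactly this). The following is an added example, not code from the thread or from any of the MTAs mentioned; it simulates two relays whose DNS views point the "spambait" host at each other, and shows that with no hop limit the message bounces until the simulation's own cap, while with a limit it stops. The addresses (RFC 5737 TEST-NET), host names, the FAKE_DNS-style tables and the MAX_HOPS value of 25 are all constructed for the example.

```python
"""Added example: SMTP relay loop detection by Received: hop counting,
plus a sanity check on where a recipient domain resolves to.
All hosts, addresses and DNS data below are constructed for the example."""
import email
import ipaddress

MAX_HOPS = 25  # hypothetical cap; real MTAs make this configurable


def hop_count(raw_message: str) -> int:
    """Each relay prepends a Received: line, so their number is the hop count."""
    msg = email.message_from_string(raw_message)
    return len(msg.get_all("Received", []))


def classify_target(ip_text: str, my_addresses) -> str:
    """Loopback, broadcast/reserved, multicast or unspecified targets are
    never legitimate remote relays; our own address means local delivery."""
    addr = ipaddress.ip_address(ip_text)
    if addr.is_loopback or addr.is_unspecified or addr.is_multicast or addr.is_reserved:
        return "reject"
    if ip_text in my_addresses:
        return "local"
    return "relay"


def relay_decision(raw_message, rcpt_domain, my_addresses, dns, max_hops=MAX_HOPS):
    """Decide whether to deliver locally, relay, or reject.
    `dns` is a constructed name->IP table standing in for the resolver."""
    if max_hops is not None and hop_count(raw_message) >= max_hops:
        return "reject: too many hops"
    ip_text = dns.get(rcpt_domain)
    if ip_text is None:
        return "reject: no such host"
    verdict = classify_target(ip_text, my_addresses)
    if verdict == "reject":
        return f"reject: {rcpt_domain} resolves to unroutable {ip_text}"
    if verdict == "local":
        return "local"
    return f"relay:{ip_text}"


def add_received(raw_message: str, by_host: str) -> str:
    """What a relay does before handing the message on (constructed header)."""
    return f"Received: from upstream.example by {by_host}; constructed\n" + raw_message


# Constructed message: no Received: lines yet.
BASE_MESSAGE = (
    "From: sender@example.org\n"
    "To: harvestme@spambait.example.com\n"
    "Subject: constructed test message\n"
    "\n"
    "body\n"
)

# Two relays; each one's DNS view says spambait.example.com is the *other* relay.
RELAYS = {
    "192.0.2.10": {"name": "spam-relay-1.example.net",
                   "dns": {"spambait.example.com": "192.0.2.20"}},
    "192.0.2.20": {"name": "spam-relay-2.example.net",
                   "dns": {"spambait.example.com": "192.0.2.10"}},
}


def simulate_loop(max_hops=MAX_HOPS, limit=1000):
    """Bounce the message between the two relays.
    Returns (hand-offs made, final decision). `limit` only caps the
    no-detection case so the simulation terminates."""
    msg = BASE_MESSAGE
    current = "192.0.2.10"
    handoffs = 0
    while handoffs < limit:
        decision = relay_decision(msg, "spambait.example.com", {current},
                                  RELAYS[current]["dns"], max_hops)
        if not decision.startswith("relay:"):
            return handoffs, decision
        msg = add_received(msg, RELAYS[current]["name"])
        current = decision.split(":", 1)[1]
        handoffs += 1
    return handoffs, "still looping"


if __name__ == "__main__":
    print("with hop limit:", simulate_loop(MAX_HOPS))
    print("without hop limit:", simulate_loop(None, limit=200))
    print("loopback target:", relay_decision(
        BASE_MESSAGE, "spambait.example.com", {"192.0.2.10"},
        {"spambait.example.com": "127.0.0.2"}))
```

    The loopback and 255.255.255.255 cases from the comment are caught by classify_target before any relaying happens; the mutual-pointer case is only stopped by the hop limit, which is why a spammer's relay chain slows down but does not run forever on a sane MTA.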

  • It's nice to see a government body finally get a general idea of reality. But this press release is littered with examples of continued ignorance. One specific nugget reminds me of my time working for NASA.

    The Detective had no reason not to believe he was pursuing a hacker when he issued a search warrant.

    ...

    ...we have also sent a message to hackers that we will pursue online activity that we feel may be maliciously intended.

    The various parts of the US Government tend to be oblivious to Information Security issues. But they do know prosecution. And that they pursue with gusto.

    We were constantly told that there was no budget to support infosec activity. But when the inevitable compromise was discovered, in came the big investigation. Infosec meetings included management's gleeful discussion of FBI involvement, followed by an FBI agent's discussion of "lessons learned" (rarely touching on real issues and always tech-light) and what equipment had been taken as evidence. Of course, the lab losing the IT resource rarely had the budget to replace the missing hardware. Everyone paid.

    Of course, a bit of money up front to secure the environment from the beginning would probably avoid the whole investigation and enable the lab to continue using its hard-fought-for resources.

    Back to Battle Creek. Sudden revisions on updating their infrastructure. Lots of grave concern over people running around doing damage to them, indistinguishable from all those Evil hackers. And prosecution talk.

    Looks like the City of Battle Creek will be paying the high cost of ignoring infosec too.

  • Must be something in the air in Battle Creek. I don't know what Kellogg's is belching out of their smokestacks these days, but I wish the RIAA and MPAA assholes would get a whiff of it.

    ~Philly
  • by mgkimsal2 ( 200677 ) on Friday March 22, 2002 @08:17AM (#3206649) Homepage
    In turn, however, we have asked him to reconsider his policy of making unannounced tests on servers.

    But if sending a mail to a server could cause it to crash, how else could you contact someone to get permission to test? Phone calling?
  • by dcavanaugh ( 248349 ) on Friday March 22, 2002 @09:27AM (#3206875) Homepage
    First, the writer [of the press release] describes spam as a "computer prank" instead of unsolicited commercial e-mail. The comment proves they don't know what spam is! Then we have the unmentioned IT person who somehow traced back the activity to ORBZ without realizing their Lotus server was a sitting duck for a DOS attack (intentional or not).

    Let me guess (based on pure speculation):
    • Lotus server set up by the "consultant du jour", who handles support on a pay-as-you-go basis
    • City calls for support, consultant quickly scans the log & points finger to ORBZ
    • City mgmt. goes berserk; legal dept. goes to DEFCON 1; unleashes nastygrams vs. ORBZ
    • ORBZ explains cluelessness involved in having unpatched Lotus server; makes consultant look like idiot
    • City finds new consultant; recommends upgrade to Linux+Sendmail+Amavis+Sophos

    There are always exceptions, but the average municipality is not stealing the top minds from NASA to run their IT operations. Every once in a while, I peruse IT job listings. When I see a huge list of unrelated requirements combined with a pitiful salary, it's usually (a) municipal gov't, (b) school systems (same thing), or (c) retail. Before I get flamed by an army of municipal IT workers, I will clarify this sweeping generality: Municipalities hire too few people, they overcommit their resources, and the salaries encourage turnover. Surely, any reasonably qualified sysadmin (certified or not) would have detected & fixed the Lotus vulnerability (even if after-the-fact). The press release tells a story that makes it look like they have no dedicated IT staff whatsoever. I could be wrong on this, but if they spent less on lawyers and more on IT, this problem would have been prevented or quickly resolved.

    According to Netcraft, the website at ci.battle-creek.mi.us is running "Microsoft-IIS/5.0 on Windows 2000." The prosecution rests. This Battle Creek operation must have been a real bundle of joy when they discovered the "Code Red" worm.
  • My one and only printed Slashdot story was an item at Slashback: 640K, Pioneer, Payback [slashdot.org] that tells about a site that already has a list of the 800 numbers used by SPAMMERS.
  • Does anyone know if it's possible to get the last snapshot of the reverse DNS database Ian had?

    I think if ORBZ was run on a patching basis we could choose to upgrade our databases on a daily basis.

    Or better yet, use a P2P protocol among build a distributed network so that we don't have to suffer with the "READY-FIRE!-AIM" mentality of the technologically challenged ;)
  • I'm glad to hear this, even if Ian doesn't bring back ORBZ. Kudos to the Battle Creek people for recognizing the truth and doing the right thing.
