Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Privacy Security United States Your Rights Online

Nmap Author Receives FBI Subpoenas 390

spafbnerf writes "Fyodor, author of the open-source network scanning tool Nmap, posted a story to the nmap-hackers list about having received a number of subpoenas from the FBI this year, demanding webserver log data, none of which produced anything, either because they sought old information that had already been deleted from his logs, or because the subpoenas were improperly served. In every case the request was narrowly crafted, usually directed at finding out who visited the site in a very short window of time, such as a five minute period. Fyodor writes: "If they see that an attacker ran the command "wget http://download.insecure.org/nmap/dist/nmap-3.77.t gz" from a compromised host, they assume that she might have obtained that URL by visiting the Nmap download page from her home computer"." Update: 11/25 20:21 GMT by T : Reader kv9 adds a link to Kevin Poulson's story at SecurityFocus.
This discussion has been archived. No new comments can be posted.

Nmap Author Receives FBI Subpoenas

Comments Filter:
  • Seems reasonable (Score:5, Insightful)

    by Anonymous Coward on Thursday November 25, 2004 @02:31PM (#10919655)
    That seems like a legitimate investigative technique. They're probably trying to match up different pieces of evidence to find the person behind things.
    • by RonnyJ ( 651856 ) on Thursday November 25, 2004 @03:37PM (#10920066)
      That seems like a legitimate investigative technique.

      Yes, though the main concern of mine is that he says the FBI were using subpoenas that were improperly served - how many people wouldn't bother checking, and just give up information straightaway?

      • Re:Seems reasonable (Score:5, Interesting)

        by Zapman ( 2662 ) on Thursday November 25, 2004 @06:01PM (#10920757)
        Out of curriosity, how does one verify that a subpoena is served properly? I assume that you read such very carefully, and call it a day.
    • Who are they trying to catch by getting insecure.org web logs?

      Nmap can be get by a number of other sources (mirrors, linux/bsd distributions, CDs, etc). What am I missing here?
      • by Gordonjcp ( 186804 ) on Thursday November 25, 2004 @04:34PM (#10920379) Homepage
        Well, the suggestion is that they are trying to find out who downloaded the source onto a compromised machine. So - someone has cracked root on an unknown machine, visits insecure.org with the browser on their own machine, pastes the URL for the tarball into the shell on the compromised machine, and makes nmap. What it sounds like they are looking for is the IP address of the browser used to get the URL for the source.


        Personally I don't see the problem with this. They are not just sniffing around looking for "suspicious" things, they know what they are looking for and where it's likely to be. This is not randomly searching people on the street, this is going directly to the CCTV tapes.

        • by KarmaPolice ( 212543 ) on Thursday November 25, 2004 @05:33PM (#10920634) Homepage
          Well, the suggestion is that they are trying to find out who downloaded the source onto a compromised machine. So - someone has cracked root on an unknown machine, visits insecure.org with the browser on their own machine, pastes the URL for the tarball into the shell on the compromised machine, and makes nmap. What it sounds like they are looking for is the IP address of the browser used to get the URL for the source.

          Well, now they can visit slashdot instead...
    • Re:Seems reasonable (Score:5, Interesting)

      by Cylix ( 55374 ) * on Thursday November 25, 2004 @04:44PM (#10920416) Homepage Journal
      Actually, if enough people manage to read this then it won't ever be a problem again....

      Honestly, if you really wanted to make this work and just get left alone by the FBI and the kiddies...

      Download links could be generated at request with a unique identifier embedded.

      Thusly, if someone generates a dynamic link and pastes that into their term for wget... bam... you have an identifiable link with both addresses.

      just make sure everything is logged quite properly.

      It would certain ease the issue of tracking.
  • by Anonymous Coward on Thursday November 25, 2004 @02:32PM (#10919659)
    Up shit creek sans paddle.
  • by Anonymous Coward on Thursday November 25, 2004 @02:32PM (#10919668)
    the text is here

    Dear Nmap hackers,

    Let me first wish you Americans a happy Thanksgiving. Meanwhile, I'm
    hard at work on a holiday Nmap version which should be available by
    Christmas.

    But enough pleasantries -- I want to discuss a sobering topic. With
    increasing regularity this year, FBI agents from all over the country
    have contacted me demanding webserver log data from Insecure.Org.
    They don't give me reasons, but they generally seem to be
    investigating a specific attacker who they think may have visited the
    Nmap page at a certain time. If they see that an attacker ran the
    command "wget http://download.insecure.org/nmap/dist/nmap-3.77.t gz"
    from a compromised host, they assume that she might have obtained that
    URL by visiting the Nmap download page from her home computer. So
    far, I have never given them anything. In some cases, they asked too
    late and data had already been purged through our data retention
    policy. In other cases, they failed to serve the subpoena properly.
    Sometimes they try asking without a subpoena and give up when I demand
    one.

    One can argue whether helping the FBI is good or bad. Remember that
    they might be going after spammers, cyber-extortionists, DDOS kiddies,
    etc. In this, I wish them the best. Nmap was designed to help
    security -- the criminals and spammers put my work to shame! But the
    desirability of helping the FBI is immaterial -- I may be forced by
    law to comply with legal, properly served subpoenas. At the same
    time, I'll try to fight anything too broad (like if they ask for
    weblogs for a whole month). Protecting your privacy is important to
    me, but Nmap users should be savvy enough to know that all of your
    network activity leave traces. I'm not the only one who gets these
    subpoenas -- large ISPs and webmail providers receive them daily.
    Most other major security sites probably do too. Most of you probably
    don't care if someone finds out that you downloaded Nmap, Nessus,
    Hping2, John the Ripper, etc. Nothing on Insecure.Org is illegal.
    But for those of you who do care, there are plenty of mechanisms
    available to preserve your anonymity. Remember this security mantra:
    defense in depth.

    Cheers,
    Fyodor
    • by ralphus ( 577885 ) on Thursday November 25, 2004 @03:06PM (#10919870)
      One major point to pay attention to here is that if you have a data retention policy that is written that says for example, "I don't keep logs older than 1 hour" and you follow it, you can't respond to subpoenas for any data that falls outside your retention period.
      • One major point to pay attention to here is that if you have a data retention policy that is written that says for example, "I don't keep logs older than 1 hour" and you follow it, you can't respond to subpoenas for any data that falls outside your retention period.

        A very, very good point. I work at two competing ISPs. Once logs everything and keeps logs for months, the other (on my advice) keeps them for as short as reasonable. (30 days)

        You can guess which one got caught up in a nasty discovery distract
  • Seems valid (Score:5, Insightful)

    by Staplerh ( 806722 ) on Thursday November 25, 2004 @02:35PM (#10919686) Homepage
    Even the Nmap Author seems to agree that it could help in the fight against these undesirable script kiddies, etc. However, I think it is great that this author has brought this to public attention, and will hopefully increase oversight of these cyber-investigations.

    Of course, we do need law enforcement and this is a legitimate field to investigate so that we can have protected web commerce. With eyes on their activities, we can hopefully keep the Internet free and safe. Thoughts?
  • She? (Score:4, Funny)

    by product byproduct ( 628318 ) on Thursday November 25, 2004 @02:35PM (#10919687)
    Are we talking about Trinity?
    • Re:She? (Score:4, Funny)

      by ravenspear ( 756059 ) on Thursday November 25, 2004 @02:41PM (#10919727)
      Could be, but only if someone was using Nmap to try to get her out of the Matrix and ran afoul of phone phreaking laws.

      What with all the new Gov. VoIP regulations being debated about, it's only reasonable that the FBI would want to prevent unauthorized access to the Matrix.
  • Reasonable (Score:3, Insightful)

    by SorcererX ( 818515 ) on Thursday November 25, 2004 @02:35PM (#10919691) Homepage
    Well, I'm pretty sure that if a person downloaded nmap to a compromised host that person most likely visited the nmap website some time. The problem is that a lot of people visit that site, and it is nearly impossible to weed out the false positives from the person they are seeking. Furthermore, the FBI approach would only work if the person visisted the site recently, which might not be the case. It'd be impossible to figure it out if the person last visisted the namp website several months ago forexample.
    • Re:Reasonable (Score:2, Insightful)

      by tomhudson ( 43916 )
      So whats next - subpoenas for all the linux distros that include a copy of nmap? It's not like you have to even do an install to extract nmap from an iso.
    • Re:Reasonable (Score:3, Insightful)

      by Leebert ( 1694 )
      The problem is that a lot of people visit that site, and it is nearly impossible to weed out the false positives from the person they are seeking.

      Suppose that the FBI is investigating a largeish case that involves multiple sites, but they have a reasonable idea it's all the same guy.

      Now, request the nmap logs for the time window that nmap was downloaded at each site. Presto, if you're lucky there will be a correlating netblock (or IP) prior to the download for each event.
  • FBI spies (Score:5, Interesting)

    by Anonymous Coward on Thursday November 25, 2004 @02:36PM (#10919697)
    Do you know that Google searches are subpoenable?

    So Googling your victim, for example, before committing the crime is not very smart.

    Unless of course you can randomly change your ip
    in a pretty large range of course, heh heh.
    • Re:FBI spies (Score:5, Interesting)

      by MikeFM ( 12491 ) on Thursday November 25, 2004 @03:01PM (#10919842) Homepage Journal
      Smart hackers never hack from an IP traceable to them anyway. That's why unprotected WiFi points are so useful. There is no way in heaven or hell to trace the connection back to the source. Of course there are lots of places you can jack in for a unlogged wired connection too. It's just to easy to keep from being traced.

      Fortunately most hackers are dumb and lazy so they aren't that hard to trace.
      • I had a friend bring his computer into the office one day, and to our surprise, when he booted it up, it connected to the network without incident. Only thing is, it wasn't OUR network. He has a wireless connection, and interestingly, someone in the area was running completely unprotected wireless access point. Seems like battening down the hatches is a very smart choice- if the IP belongs to your network, it's you the feds will be talking to.
        • Re:About wireless (Score:5, Informative)

          by MikeFM ( 12491 ) on Thursday November 25, 2004 @04:22PM (#10920324) Homepage Journal
          I'm all for public access points but I do think that you should know what you're getting yourself into when you run a public AP. Most businesses especially should make sure they are covered.

          A little off topic of the FBI but related to public APs.. Something I like to do is run a public AP that doesn't have access to the Internet. It just acts as something of a localized BBS system. Anyone within reach can message each other, trade files, participate in the forums, or check out the wiki. It's not hard to make it so that someone connecting will get you're entrace page anytime they try to connect to something other than your system. With a decent antenea you can reach a fairly large group of people in a crowded metro area. An interesting way to meet your neighbors.
      • Re:FBI spies (Score:3, Insightful)

        by retro128 ( 318602 )
        That's why unprotected WiFi points are so useful. There is no way in heaven or hell to trace the connection back to the source.

        I wouldn't say it's impossible. If I had the investigative resources of the FBI the first thing I would do when I found out an attack happened from a "borrowed" WiFi point is get the MAC addresses of recently connected cards. Then all you have to do is go back to the manufacturers and find out who the cards were sold to and what their serial numbers are, and follow the trail of
  • Of course.... (Score:2, Informative)

    by Anonymous Coward
    If they used Tor [freehaven.net], subpoenas wouldn't really have given any useful information away. Then again, it's so sloooow perhaps they'd still be downloading ;).
  • by oostevo ( 736441 ) on Thursday November 25, 2004 @02:37PM (#10919706) Homepage
    From the posted article ...

    Let me first wish you Americans a happy Thanksgiving. Meanwhile, I'm hard at work on a holiday Nmap version which should be available by Christmas.

    I suppose this new version will give a new meaning to the Xmas scan, no?

  • Bad joke... (Score:5, Funny)

    by gowen ( 141411 ) <gwowen@gmail.com> on Thursday November 25, 2004 @02:37PM (#10919708) Homepage Journal
    No wonder he's reticent about providing information.
    Fyodors are supposed to remain closed at all times.

    (Sorry)
  • by Dogun ( 7502 ) on Thursday November 25, 2004 @02:42PM (#10919730) Homepage
    Seriously, that is the dumbest thing I ever heard.

    Nmap is popular as hell - unless they already have a suspect, this isn't going to be useful for them, all it will do is give them a scapegoat 9 times out of 10 - lets say they do get Fyodor's webserver log - which I doubt he'll be keeping in the future, assuming he does now - all that would give them is the IP addresses of a few dozen nmap users - one or two of which may be script kiddies of some sort.

    And if they can verify that a script kiddy A downloaded nmap in their window of interest, what are they going to do? Assume they're responsible for the wrong crime and charge him or her. It's stupid and its a witchhunt and it's a shot in the dark.

    Of course, if the FBI has already got a suspect, they might be able to strengthen their case, but that's still pretty circumstantial evidence. Not exactly a smoking gun.

    Just my $0.02US
    • by Restil ( 31903 ) on Thursday November 25, 2004 @02:52PM (#10919791) Homepage
      In any large investigation, law enforcement typically questions hundreds of people, some of whom may be suspects, some potential witnesses, and some who are just shots in the dark. Yes, having 50 different ip addresses, only one of which MIGHT be a potential suspect might seem like a long shot, but if the IP address they're looking for IS in there, they might be able to match it up with other evidence. Considering the fact that Fyodor has yet to actually submit requested logs to an agent, in spite of numerous requests, means that this IS a long shot, a time consuming one to aquire, with a very short lifespan, and likely not really worth the effort to aquire. But it's still a legitimate source of evidence, and if it shuts down a spammer or script kiddy, I'm not going to fault them for trying.

      -Restil
      • Since when are fishing expeditions effective? It sounds like a whole lot of wasted effort for something that, most likely, will never return useful results. How many times do these fishing expeditions result in the accusation or conviction of innocent parties? Sorry, but being lazy isn't something that I would want to cooperate with if I could at all prevent it.
      • At what point does it become harrasment of fyodor? If they want logs one a month, once a week, several times a day?

        It seems like there ought to be some limits someplace.

        Also legally can fyodor simply log to /dev/null? Wouldn't that get the FBI off his back? He could simply say "I don't keep webs erver logs.
      • Fair enough.

        What I meant though was that the FBI definitely shouldn't be seeing Fyodor's site logs indicating suspect 56 visited his site about 30 seconds before the compromised host visited the site as an indication of guilt - certainly, they should follow up on it as a lead. But they should attempt to get some sort of hard link between the suspect and the compromised host. And they don't always get it.

        And that doesn't stop people from getting convicted without any hard evidence.

      • Yes, having 50 different ip addresses, only one of which MIGHT be a potential suspect might seem like a long shot

        Compared to the hit rate of spam, that would be pretty bloody good.

        rj

  • Thanks for author (Score:3, Interesting)

    by Mariukenas ( 824757 ) on Thursday November 25, 2004 @02:47PM (#10919754)
    I wish more webmasters put such letters on their websites. More people would get aware of that surfing the net leaves traces and all of us would have more clear picture of how many subpoenas are served to webmasters.
    • Many subpoenas and such of that type have a Thou Shalt Not Tell restriction. It's seriously bad mojo if they leak news of an investigation.

      Meanwhile, those helpful popups do tell people that their computer is broadcasting an IP address.

      • I would guess that the "Do not tell" restriction is on information specifics. To say that you recieved a supoena requestion information on IP addres X in this time window could get you in deap shit. Saying that you have been given a few Subpoenas over the last 6 months is probably no big deal.

        IANAL
  • by pented_rage ( 556061 ) on Thursday November 25, 2004 @02:47PM (#10919767)
    The FBI has tracked down a perpetrated hacker after a slip-of-tongue by Fyodor in a recent nmap-hackers list posting, relating a female hacker using wget command to get nmap. After searching the homes of the 3 females known by Fyodor, they have identified and captured the assailant.
  • Impressive (Score:2, Interesting)

    by Anonymous Coward
    I'm not a script kiddie or a cracker, but I have done some interesting things out there. It sends chills up my back to think of the number of times I'd have been caught if a third party download site like this had had a five minute window opened in their logs. I'm impressed by the FBI's request, it's a technique that has a negligible chance of walking over someone's privacy (he even states that there were no results), yet has a good shot of working. I'm surprised that they didn't get anybody. But then a
  • by severed ( 82501 ) on Thursday November 25, 2004 @02:54PM (#10919799) Homepage
    My first thought when I got that e-mail was that the feds wanted to know who was downloading Nmap pr0n.

    Of course, I'm the one who wrote the script and shot the video, so it's only natural.

    I think Fyodor is doing the right thing, and I think the feds are just using standard intimidation tactics... but then again, I've always been about state powers as opposed to federal powers. At least with state powers, you can always choose to move to a different state...
    • Perhaps you were not paying attention eariler this month. They showed lots of maps of the states on TV. They were all either red states or blue states. Kind of like pick your poison, But there were no green states. Just different types of evil.
  • by man_ls ( 248470 )
    Purely for paranoia's sake, the log-to file on my Apache is nul: (Windows system)
  • by mobiGeek ( 201274 ) on Thursday November 25, 2004 @03:00PM (#10919838)
    Only real webmasters get subpoenaed by the FBI. If you haven't been subpoenaed lately, take a good hard look at your website...it has become meanlingless.

    :-)

    • "Only real webmasters get subpoenaed by the FBI. If you haven't been subpoenaed lately, take a good hard look at your website...it has become meanlingless."

      More like, my website-hosts are hemorrhaging information, and there's no way to find out, nor to delete logs more frequently.

      Now if only an XS4ALL website [xs4all.nl] website didn't cost 9 times as much as the current solution [PHP+MySQL], we might be gettting somewhere...
  • Hmmm...
    Perhaps they might catch the odd Script Kiddie (provided their "press button to h4X0r" tool doesn't download Nmap automatically, and if they do know that Nmap exists).
    But on the large, they won't catch any serious hacker - first of all, they gonna run through anonymous proxies, secondly they already know the URL (probably in a txt file or something), and thirdly, if they use some kind of tool to help them, self-made or not, it will have a "get Nmap or similar" button.
    All in all, nice try, no cigar
  • Log Retention (Score:3, Interesting)

    by mordors9 ( 665662 ) on Thursday November 25, 2004 @03:03PM (#10919857)
    Personally I would like to encourage everyone, escpecially ISPs to not maintain logs. That way they can answer every subpeona as unable to comply. But that is just me.
  • seem to be being fairly reasonable. Short extracts of of logs, apaprently realted to specific offences they are investigating. With a bit of luck they will catch a stupid script kiddie or two. There are plenty of examples of law enforcement agencies abusing there powers, I can not see why anyone thinks this is one of them.
  • by antic ( 29198 ) on Thursday November 25, 2004 @03:19PM (#10919953)

    So, this girl that has been downloading... are there photos of her? Huh? Huh?

  • There must be huge amount of traffic on the Internet - and I guess if the FBI (and ilk) can tie a download to within five minutes of a person downloading a file (albeit a few months later), then it 95% of traffic MUST be 'big brother' monitoring stations [Y'all hear me, FBI guys!!! -> STOP IT!]
  • I would have cooperated with the FBI. Most likely, the person they're going after has done something evil (I'd bet my money they're investigating a spammer..). ..
    And who uses wget to download something from a website, anyway?
    • Re:Personally.. (Score:3, Insightful)

      by benna ( 614220 )
      The problem is that when we start trusting the government like that they can take it to far and then we are screwed. It may well be that they had a legitamate reason to want to see the logs but we can't trust that that is always the case. As for wget, I use it all the time to download things onto my shells.
    • Um... lots of package management systems use wget. And if someone emailed me a link to the latest version, or a site had a link to it, I might perhaps use wget instead of the browser if it is faster (don't have to specify download location, etc...)

  • Uh. Yeah. (Score:2, Insightful)

    by jcuervo ( 715139 )
    There are so many things wrong with this.

    Can you challenge subpoenas?
  • I know who it was! (Score:2, Interesting)

    by jcuervo ( 715139 )
    They're looking for these chicks [haxxxor.com]!
  • Fyodor is lucky... (Score:5, Insightful)

    by nusratt ( 751548 ) on Thursday November 25, 2004 @03:46PM (#10920132) Journal
    ...that it wasn't a Patriot Act subpoena:
    he could be prosecuted merely for revealing that he'd RECEIVED it, even AFTER it became defunct.
    Welcome to John Ashcroft's post-Constitution USA.

    (and why in God's name has he continued preserving logs, after having received even ONE approach from the government?!)
  • How they use this (Score:4, Insightful)

    by ca1v1n ( 135902 ) <snook@noSPam.guanotronic.com> on Thursday November 25, 2004 @03:47PM (#10920138)
    Some people here seem to think that they'd have to be snooping lots and lots of net traffic in order for this to be any good to them. Not so. If you strongly suspect that the perpetrator comes from some small set, like, say, employees of a certain corporation, students at a certain school, etc., then a 5-minute window of logs will likely show only one hit from that IP range. That, along with what they have that leads them to suspect that IP range in the first place could be enough to execute a warrant.
  • by Bob Bitchen ( 147646 ) on Thursday November 25, 2004 @05:28PM (#10920608) Homepage
    not be saving our web logs. At least not the ones that keep track of visitors. They can't see what doesn't exist. But I wonder if they could force us to keep web logs?

    FBI == Fucking Ballbusting Imbeciles
    How many FBI agents do you know?
  • by augustz ( 18082 ) on Thursday November 25, 2004 @05:31PM (#10920620)
    This is I think the perfect type of narrowly targeted investigative technique that I would support. The FBI KNOWS a crime has been committed, and is following and building an evidence trail.

    The problem is, the FBI has squandered a lot of their social capital in the IT space by pulling all sorts of ugly students in trolling the net to harasss or intimidate folks or prosucte crimes that folks don't consider serious to merit such strong persuit.

    Now, when they take an appropriate approach, folks are still skeptical.

"Being against torture ought to be sort of a multipartisan thing." -- Karl Lehenbauer, as amended by Jeff Daiell, a Libertarian

Working...