jjones@cs.uiuc.edu (Joel Jones) (06/25/91)
I am posting this to start a new thread on the use of networking facilities. Please post your comments to this group.

Joel Jones
jjones@uiuc.edu
---------------------------------------------------------------------------
While I was getting my MS in CS at Arizona State University, I ran into a bit of trouble with the Engineering Computing facilities people. Over Memorial Day weekend in 1989, I ran a shell script that went through a list of internet sites ending in ".com" to see if those sites allowed anonymous FTP. In my shell script, so as to not load the networks over-much, I inserted a sleep 30 between each attempt. I also deliberately chose a holiday weekend so as to avoid overloading this way also.

During the weekend, I logged in several times to check the progress of my script. Every time the script was no longer running. Fixing what I thought was a problem in my understanding of the built-in nohup in csh, I set the script running again.

On Tuesday morning, when I attempted to login, I was not given a shell prompt, but a message saying my account had been suspended. I called an operator and was told that I needed to make an appointment to see the assistant head of the engineering computing facilities. I made an appointment and went to his office at the appointed time. When I arrived there, he handed me a copy of my shell script and asked "What is this?" I replied that it was a shell script for checking for anonymous ftp sites. He seemed taken aback that I would be so forthright and polite. He then told me that he didn't appreciate getting calls from Colorado asking what was going on at his facility. (apparently the network administration center for WestNet gave him a call) He told me not to do this again and I said I wouldn't and he restored my account on the spot.

Here's where the questions arise. Would it have been better if he had sent me email to stop doing this rather than suspending my account? Should I have been using the network facilities at all? At the time there had been no announcement from engineering computing services that off-site links were available, but the general computing services people had. Was this particular use an abuse of my privileges? The written policy statement was not very specific about what constituted an overuse or abuse of computing resources. I knew from a friend that our link to the outside world (thru University of Arizona) was a leased line and there would be no incremental increase in costs due to my use of the network. Does this make a difference?

Joel Jones (much happier at the University of Illinois)
jjones@uiuc.edu
this after stopping my script?
--
Joel Jones         As the advertisement for an exhibition on Leonardo da Vinci said,
jjones@uiuc.edu    "They called him a genius, a botanist, a demon, a philosopher, a practical joker, an eccentric, and a visionary. No wonder he was such a great engineer."
rickert@mp.cs.niu.edu (Neil Rickert) (06/26/91)
In article <1991Jun25.154257.7452@m.cs.uiuc.edu> jjones@uiuc.edu writes:
> While I was getting my MS in CS at Arizona State University, I ran into a
>bit of trouble with the Engineering Computing facilities people. Over
>Memorial Day weekend in 1989, I ran a shell script that went through a list
>of internet sites ending in ".com" to see if those sites allowed anonymous
>FTP. In my shell script, so as to not load the networks over-much, I inserted
>a sleep 30 between each attempt. I also deliberately chose a holiday weekend

Do you ever walk down the street, and as you do so, walk up to each house and test the front door to see if they left it open?

I suspect if you ever did this, the local police would not have been as nice to you as your computer administrator.

Yet, in effect, this is exactly what you did on the net. Only, worse still you didn't walk down the street to do this. You drove down the street in a car that had been provided to you for totally different purposes, thereby making the owner of the car (that is, the computer center and the university) unwitting accomplices in your activity.

--
=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=
Neil W. Rickert, Computer Science <rickert@cs.niu.edu>
Northern Illinois Univ.
DeKalb, IL 60115 +1-815-753-6940
seward@CCVAX1.NCSU.EDU (Bill Seward) (06/26/91)
In article <1991Jun25.154257.7452@m.cs.uiuc.edu>, jjones@cs.uiuc.edu (Joel Jones) writes:

... details about testing for anonymous FTP sites deleted ...

> Here's where the questions arise. Would it have been better if he had sent
>me email to stop doing this rather than suspending my account? Should I have
>been using the network facilities at all? At the time there had been no
>announcement from engineering computing services that off-site links were
>available, but the general computing services people had. Was this particular
>use an abuse of my privileges? The written policy statement was not very
>specific about what constituted an overuse or abuse of computing resources. I
>knew from a friend that our link to the outside world (thru University of
>Arizona) was a leased line and there would be no incremental increase in costs
>due to my use of the network. Does this make a difference?

Of course, this is all personal opinion.

Not having seen the written, public policies at your site, I would say that you made a fair effort not to overly tie up resources and to minimize costs to your institution. However, I would say that you showed questionable judgement in running this script. Given how "hacker conscious" sites are these days, to me it seems obvious that some site security folks would get upset by this. I really think it would have been a good idea to check with some one in systems for a) a ready-made list of sites and b) is this a bright idea or what?

As far as the email vs. suspension of the account, I'd say that it is a judgement call. However, I am curious about why they didn't suspend it the first time. If I deemed it a serious enough offense to suspend an account, I'd do it the first time I noticed something "funny" not the Nth time.

Did your actions in terms of complete explanation etc. make a difference? Probably so. I imagine that it made the impression that you weren't out to break anyone's security, just curious and a bit lacking in judgment.

------------------------------------------------------------------------------
Bill Seward
Cutaneous Pharmacology & Toxicology Center, NC State University
SEWARD@NCSUVAX.BITNET
SEWARD@CCVAX1.CC.NCSU.EDU
------------------------------------------------------------------------------
de5@ornl.gov (Dave Sill) (06/26/91)
In article <1991Jun25.173013.3784@mp.cs.niu.edu>, rickert@mp.cs.niu.edu (Neil Rickert) writes:
>
> Do you ever walk down the street, and as you do so, walk up to each house
>and test the front door to see if they left it open?

Aaarrgghh! If I *never* see another use of analogy in computer security it'll be too soon. It's very, very rare that one discovers an analogy that's truly appropriate and complete. This one certainly isn't.

Attempting to anonymous ftp to random sites is, in my opinion, rude at worst. But any site admin that freaks out over the occasional attempt hasn't got a firm grasp on reality.

> Yet, in effect, this is exactly what you did on the net. Only, worse still
>you didn't walk down the street to do this. You drove down the street in
>a car that had been provided to you for totally different purposes, thereby
>making the owner of the car (that is, the computer center and the university)
>unwitting accomplices in your activity.

What he did wasn't illegal, and wasn't "totally different" from the expected usage of the net: communicating and sharing information.

--
Dave Sill (de5@ornl.gov)          Tug on anything in nature and you will find
Martin Marietta Energy Systems    it connected to everything else.
Workstation Support                                           --John Muir
rickert@mp.cs.niu.edu (Neil Rickert) (06/26/91)
In article <1991Jun25.192914.23335@cs.utk.edu> Dave Sill <de5@ornl.gov> writes:
>Attempting to anonymous ftp to random sites is, in my opinion, rude at
>worst. But any site admin that freaks out over the occasional attempt
>hasn't got a firm grasp on reality.

Attempting to anonymous ftp to my site is rude at worst. Using my site to do something rude to another site is an abuse of privileges. If he wants to pay for his own computer and connection, the rudeness is his problem.

Put it another way. I am pretty tolerant of users doing a lot of experimentation including some pretty dumb things, providing they have respect for other users. But when a user puts me in the position of having to explain to the administrator of some other site that he "was only experimenting and doing dumb things" he has gone too far.

Yet, even then, if a user on my system tries to manually ftp to one or two other sites, and the administrator of those sites complains, I will defend my user to the hilt, even though he may have shown poor judgement. But when my user repeatedly makes a nuisance of himself or, worse still, automates the process his actions become indefensible.

>What he did wasn't illegal, and wasn't "totally different" from the
>expected usage of the net: communicating and sharing information.

There are a lot of rude and offensive things people can do which are not illegal. And as far as I am concerned, they can do them as much as they like in their own house or on their own computer. If they do them in someone else's house or on someone else's computer they should expect to be kicked out.

--
=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=
Neil W. Rickert, Computer Science <rickert@cs.niu.edu>
Northern Illinois Univ.
DeKalb, IL 60115 +1-815-753-6940
koreth@twitterpater.Eng.Sun.COM (Steven Grimm) (06/26/91)
In <1991Jun25.173013.3784@mp.cs.niu.edu> rickert@mp.cs.niu.edu (Neil Rickert) writes:
> Do you ever walk down the street, and as you do so, walk up to each house
>and test the front door to see if they left it open?
....
> Yet, in effect, this is exactly what you did on the net.

I'd say it was more like walking down the street and knocking on each front door to see if anyone inside wants to talk to you. Slightly annoying to the residents, perhaps, but hardly morally bankrupt -- especially if you know that there are a large number of people on the street who ARE willing to talk to you, but you don't know which ones they are.

---
Steven Grimm
koreth@eng.sun.com
Moderator, comp.{sources,binaries}.atari.st
"We must be brave, and not let them know how frightened we really are."
-- OPEN LOOK Graphical User Interface Functional Specification
sean@ms.uky.edu (Sean Casey) (06/26/91)
rickert@mp.cs.niu.edu (Neil Rickert) writes:

|In article <1991Jun25.154257.7452@m.cs.uiuc.edu> jjones@uiuc.edu writes:
|> While I was getting my MS in CS at Arizona State University, I ran into a
|>bit of trouble with the Engineering Computing facilities people. Over
|>Memorial Day weekend in 1989, I ran a shell script that went through a list
|>of internet sites ending in ".com" to see if those sites allowed anonymous
|>FTP. In my shell script, so as to not load the networks over-much, I inserted
|>a sleep 30 between each attempt. I also deliberately chose a holiday weekend

| Do you ever walk down the street, and as you do so, walk up to each house
|and test the front door to see if they left it open?

| Yet, in effect, this is exactly what you did on the net.

Ahem. Bullshit.

What he did was analogous to using a company phone to call up people and ask if they offer any free software. That's what the "anonymous" FTP login is for. On most systems, it must be explicitly enabled, and on no system I have ever heard of does it give free roam of the system as an unlocked front door would[1].

Anyone getting upset because someone tried anonymous FTP is either network ignorant (in which case what are they doing on the Internet), or unreasonably paranoid.

It appears the local sysadmin involved was network ignorant. It makes me wonder what he was doing administrating Internet systems.

Sean

[1] Anonymous FTP can be set up to have free roam of the system. But one has to do it explicitly.

--
** Sean Casey <sean@s.ms.uky.edu>
** Recent subject line in comp.sys.handhelds: Printing BIG GROBS
bagchi@eecs.umich.edu (Ranjan Bagchi) (06/26/91)
In article <1991Jun25.173013.3784@mp.cs.niu.edu> rickert@mp.cs.niu.edu (Neil Rickert) writes:
>In article <1991Jun25.154257.7452@m.cs.uiuc.edu> jjones@uiuc.edu writes:
>> While I was getting my MS in CS at Arizona State University, I ran into a
>>bit of trouble with the Engineering Computing facilities people. Over
>>Memorial Day weekend in 1989, I ran a shell script that went through a list
>>of internet sites ending in ".com" to see if those sites allowed anonymous
>>FTP. In my shell script, so as to not load the networks over-much, I inserted
>>a sleep 30 between each attempt. I also deliberately chose a holiday weekend
>
>Do you ever walk down the street, and as you do so, walk up to each house
>and test the front door to see if they left it open?
>
>I suspect if you ever did this, the local police would not have been as
>nice to you as your computer administrator.
>
>Yet, in effect, this is exactly what you did on the net. Only, worse still
>you didn't walk down the street to do this. You drove down the street in
>a car that had been provided to you for totally different purposes, thereby
>making the owner of the car (that is, the computer center and the university)
>unwitting accomplices in your activity.
>

On the other hand, if you want to go into a McDonalds, do you ask Ronald? Anonymous ftp is a lot more like a corner store (or more to the point a booth giving away free samples) than a private residence. Do you contact the sysadmins of the sites on the anonymous ftp list on comp.misc before attempting to use them? Just because everyone else uses prep.ai.mit.edu for GNU software, have you ever contacted the sysadmins there to ask if they KNOW that "hackers have been putting their warez there"?

I don't think anything was wrong with attempting an anonymous ftp to a list of sites. Is anyone being hurt? Compared to NNTP and Mail traffic, ftp has minuscule effect upon the net speed. If security can be compromised, then the sysadmin's got some problems.

Frankly, I'm curious that there was any backlash. If all the script did was ftp to a site, and attempt to login once as anonymous with some password, nothing is being tied up, in fact the transaction should take less than a minute. And only happen once per site. Why anyone would be upset by that is weird.

-rj
--
--------------------------------------------------------------------------------
Ranjan Bagchi - asleep......   | v,i,j,k,l,s,a[99];
bagchi@eecs.umich.edu          | main() {
-------------------------------  for(scanf("%d",&s);*a-s;v=a[j*=v]-a[i],k=i<s,j+=(v=j<s&&(!k&&!!printf(2+"\n\n%c"-(!l<<!j)," #Q"[l^v?(l^j)&1:2])&&++l||a[i]<s&&v&&v-i+j&&v+i-j))&&!(l%=s),v||(i==j?a[i+=k]=0:++a[i])>=s*k&&++a[--i])
                                 ; } /* Osovlanski and Nissenbaum */
--------------------------------------------------------------------------------
nyet@nntp-server.caltech.edu (n liu) (06/26/91)
rickert@mp.cs.niu.edu (Neil Rickert) writes:

>In article <1991Jun25.154257.7452@m.cs.uiuc.edu> jjones@uiuc.edu writes:
>>[stuff about looking for anonymous accounts, etc]

> Do you ever walk down the street, and as you do so, walk up to each house
>and test the front door to see if they left it open?

> I suspect if you ever did this, the local police would not have been as
>nice to you as your computer administrator.

> Yet, in effect, this is exactly what you did on the net. Only, worse still
>you didn't walk down the street to do this. You drove down the street in
>a car that had been provided to you for totally different purposes, thereby
>making the owner of the car (that is, the computer center and the university)
>unwitting accomplices in your activity.

I thought we all agreed that these "house" analogies were misleading.

See, what he was really looking for was the sign that says "we are open" on the front doors of buildings that allow public access... and was using the publicly subsidized transportation system provided by the city by taxes and for a small fee dependent on the individual's usage. $1 per cpu unit, mile, hour, etc.

I can make a huge number of these real world "this is my house, it's mine, go away" analogies to backup ANY position I feel like taking. In fact, nothing substantial about "ownership" in "c-space" has been agreed upon at all, while everyone does agree that breaking and entering is a felony here in California.

So to make another analogy, it's not even like comparing apples and oranges. More like apples and love/reality/color (pick your favorite abstraction).

nye
jmcarli@PacBell.COM (Jerry M. Carlin) (06/26/91)
In article <1991Jun25.201915.1434@ms.uky.edu> sean@ms.uky.edu (Sean Casey) writes:
>What he did was analogous to using a company phone to call up people
>and ask if they offer any free software. That's what the "anonymous"
>FTP login is for...

The key difference is what someone does when they get on. I've seen unfriendly uses of anonymous ftp such as attempting to delete files and snarf ~ftp/etc/passwd (hoping that ftp had been set up wrong).

Of course, the same script could be used to try telnet with such things as 'root' as the ID which is something almost completely different.

--
Jerry M. Carlin (415) 823-2441 jmcarli@srv.pacbell.com
To dream the impossible dream. To fight the unbeatable foe.
jrm@stegosaur.cis.ohio-state.edu (John R. Mudd) (06/26/91)
In article <1991Jun25.154257.7452@m.cs.uiuc.edu> jjones@uiuc.edu writes:
> Here's where the questions arise. Would it have been better if he had sent
>me email to stop doing this rather than suspending my account? Should I have
>been using the network facilities at all?

Please ask yourself what would have had a greater effect--getting email asking you to cease and desist, or having to go talk to someone about your actions? I'll argue that in nine cases out of ten, the latter has more effect.

Now, whether your actions violated some policy or not is another issue.

... John
jona@iscp.Bellcore.COM (Jon Alperin) (06/26/91)
Hey..these were .com not .edu sites.....with all the proprietary and sensitive information which may be contained therein, some sites take security to extremes. Furthermore (if I read the original post correctly) every time the script was restarted it would break in again. I for one would be concerned if I saw more than 1 attempt to get into my private commercial system.

--
Jon Alperin
Bell Communications Research
---> Internet: jona@iscp.bellcore.com
---> Voicenet: (908) 699-8674
---> UUNET: uunet!bcr!jona
* All opinions and stupid questions are my own *
wjb@cogsci.cog.jhu.edu (06/26/91)
In article <1991Jun25.213406.18977@cis.ohio-state.edu> jrm@stegosaur.cis.ohio-state.edu (John R. Mudd) writes:
>In article <1991Jun25.154257.7452@m.cs.uiuc.edu> jjones@uiuc.edu writes:
>> Here's where the questions arise. Would it have been better if he had sent
>>me email to stop doing this rather than suspending my account? Should I have
>>been using the network facilities at all?
>
>Please ask yourself what would have had a greater effect--getting email
>asking you to cease and desist, or having to go talk to someone about
>your actions? I'll argue that in nine cases out of ten, the latter has
>more effect.

John's original posting stated that he restarted his script several(?) times after it "died". He seemed to be uncertain whether or not it had actually died or it had been killed. If his administrator did in fact kill it, then it would also have been appropriate at that time to inform John via email that such activities were inappropriate. Now, if John had continued his activities after being warned that would have been a different situation and would have obviously warranted a face to face meeting.

At the worst, the way this situation could be interpreted is that you are allowed N mistakes, but you aren't told when you've done something wrong and when you reach N you get nailed to the wall. If so, I don't think it is fair to the user, nor do I think it is an efficient use of the sys admin's time. By not sending John mail, his sys admin ended up having to deal with administrators at other sites and have a face to face meeting with John.

Bill Bogstad
jgreely@morganucodon.cis.ohio-state.edu (J Greely) (06/26/91)
In article <1991Jun25.192914.23335@cs.utk.edu> de5@ornl.gov (Dave Sill) writes:
>Attempting to anonymous ftp to random sites is, in my opinion, rude at
>worst. But any site admin that freaks out over the occasional attempt
>hasn't got a firm grasp on reality.

Actually, they may have a firmer grip than you. Older versions of ftpd had holes big enough to drive a truck through. If I spotted someone out at bfe.edu attempting to connect to each of our machines in turn, I'd be more than a little suspicious, and would probably send mail to the admins there asking them to check it out.

If you were running a site, and you got mail from an administrator on the other side of the country (or the world) saying "someone at your site is trying to get into *all* of our machines", what would you do?

It sounds like the actions taken by the original sysadmins were quite reasonable.

--
J Greely (jgreely@cis.ohio-state.edu; osu-cis!jgreely)
smoot@woodstock.berkeley.edu (Stephen [Steve] R Smoot) (06/26/91)
This seems to be partially the same issue as whether randomly trying "guest" accounts is abuse.

The problem is that some people offer services to the rest of the community, and there must be a way to get to them. Thus guest and anonymous ftp were created (Necessity being the mother of invention and all that.).

There seem to be three kinds of sites:
1) ones with *publicly* available stuff they want *anyone* to use.
2) ones which want to export to *certain known users*.
3) ones with no interest in others contacting them/using their resources.

The only way to serve group 1 is to have well known ways for the resources to be requested. Thus guest and anonymous. The way to serve group 2 is to alert the intended audience and either supply them with a password for guest, or some such. The problem with group 3 is they view being contacted as if they were in group 1 as an invasion, not as an inquiry.

IMHO, the guest/anonymous access must be maintained to support group 1.
IMHO, people in group 3 should chill about the whole thing.
IMHO, people in group 2 should use mechanisms other than guest/anonymous (in a recent thread people from group 2 complained about users using their sites as if in group 1, when they were *intended to be group 2*, though the group 2 people used just the guest/anonymous (group 1 mechanisms) instead of *bothering* to do something more complex.)

The complication, of course, is "the evil hackers" who pretend to look for sites of type 1, but actually want to maliciously steal information/processing power/"just to do it" or etc. reasons. Stopping them yet permitting group 1 sites, is left as an exercise for the reader.

-s

PS. Returning to the orig. issue. It seems that John was searching for sites of group 1, and was accosted by a group 3 site. This was then complicated by his admin. not dealing with the situation in a straightforward manner (such as emailing a request to stop), but instead by assuming malicious intent and taking unwarranted action.

Personally I'm more interested in the deeper question of how to support group 1 and yet keep group 3 happy.
mickelp@prism.cs.orst.edu (Paul M. Mickel ) (06/26/91)
In article <JGREELY.91Jun25172338@morganucodon.cis.ohio-state.edu> J Greely <jgreely@cis.ohio-state.edu> writes:
>In article <1991Jun25.192914.23335@cs.utk.edu> de5@ornl.gov (Dave Sill) writes:
>>Attempting to anonymous ftp to random sites is, in my opinion, rude at
>>worst. But any site admin that freaks out over the occasional attempt
>>hasn't got a firm grasp on reality.
>
>Actually, they may have a firmer grip than you. Older versions of
>ftpd had holes big enough to drive a truck through. If I spotted
>someone out at bfe.edu attempting to connect to each of our machines
>in turn, I'd be more than a little suspicious, and would probably send
>mail to the admins there asking them to check it out.
[some deleted for brevity]
>
> It sounds like the actions taken by the original sysadmins were
>quite reasonable.
>--
>J Greely (jgreely@cis.ohio-state.edu; osu-cis!jgreely)

In reading all of the articles on this subject, I have reached some conclusions:

1. That the justification for this action really depends on the site. As this poster pointed out, if there are some problems with security via anonymous ftp, then maybe the sysadmin at that site is justified in making a ruckus.

2. As far as I understand it, that anonymous ftp is provided as a courtesy to others. If only one user is causing the problem, then an email request to that person is in order requesting a discontinuance of the action. However, this person should not lose their account for trying to access an ftp site that is public. If the sysadmin *really* doesn't like it, then maybe he should consider removing the anonymous ftp from his site, but not ask for the offending user's head on a platter, so to speak.

I guess that the moral to this story is that the sysadmin at the anonymous ftp site should consider his policy toward anonymous ftp, and act accordingly. He should also remember that there are always unforeseen problems associated with anonymous ftp and use his judgement before acting.

#include <stddisclaimer.h>
Paul M. Mickel
mickelp@prism.cs.orst.edu
Oregon State University
Corvallis, OR 97331
--------------------------------------------------------------------
"Where there's life and food, there is hope." - own saying
ben@wri.com (Ben Cox) (06/26/91)
jgreely@morganucodon.cis.ohio-state.edu (J Greely) writes:
>>worst. But any site admin that freaks out over the occasional attempt
>>hasn't got a firm grasp on reality.

>Actually, they may have a firmer grip than you. Older versions of
>ftpd had holes big enough to drive a truck through. If I spotted
>someone out at bfe.edu attempting to connect to each of our machines
>in turn, I'd be more than a little suspicious, and would probably send
>mail to the admins there asking them to check it out.

Once, I had to install a UUCP connection. I tried to test it out. I got mail from Rick Adams (!) telling me that my attempts at "testing" security of UUNET were not considered friendly.

It turns out that the thing I used to test our UUCP connection used to be a bug and would have, in the olden days, allowed me access, but had since been fixed. UUNET had assumed I was testing for the presence of this bug, when in fact, I was totally unaware of the bug, and was simply trying to test our connection (I had been expecting a message back telling me my uux failed, but never got it).

The moral of the story: sometimes your actions look much more suspicious than you think they do.

--
Ben Cox
ben@wri.com
sean@ms.uky.edu (Sean Casey) (06/26/91)
jona@iscp.Bellcore.COM (Jon Alperin) writes:

|Hey..these were .com not .edu sites.....with all the proprietary
|and sensitive information which may be contained therein, some
|sites take security to extremes. Furthermore (if I read the
|original post correctly) every time the script was restarted
|it would break in again. I for one would be concerned if I saw
|more than 1 attempt to get into my private commercial system.

Yes, and all the public info that might be contained therein. Which is the *only* thing an anonymous FTP access would gain. Anonymous FTP doesn't "break in". You either let them in or they don't get in.

Many .COM sites have public offerings that aren't available elsewhere, and of those that are duplicated by edu sites, they may be more recent.

Sean
--
** Sean Casey <sean@s.ms.uky.edu>
** Recent subject line in comp.sys.handhelds: Printing BIG GROBS
sean@ms.uky.edu (Sean Casey) (06/26/91)
wjb@cogsci.cog.jhu.edu writes:

| At the worst, the way this situation could be interpreted is that
|you are allowed N mistakes, but you aren't told when you've done something wrong
|and when you reach N you get nailed to the wall.

Exactly. I don't think that the user was making a mistake, but if I were, I'd use email or "write" to say "Uh, what are you doing?". If (a) the script restarted itself and (b) I got no answer within a reasonable amount of time, I'd have then taken stronger action.

This <BANG> "Stop or I'll shoot." mentality isn't very mental.

Sean
--
** Sean Casey <sean@s.ms.uky.edu>
** Recent subject line in comp.sys.handhelds: Printing BIG GROBS
rickert@mp.cs.niu.edu (Neil Rickert) (06/26/91)
In article <1991Jun26.043640.19539@ms.uky.edu> sean@ms.uky.edu (Sean Casey) writes:
>
>This <BANG> "Stop or I'll shoot." mentality isn't very mental.

Where did you get this "stop or I'll shoot" business. It certainly was nowhere stated.

What was stated was that initially the automated attempts were killed. No other action is reported until they were started up again. We don't know whether the administrator sent email. From the report it is quite possible that he did send email, but this student is not in the habit of reading his mail. We don't know that.

We do know that on the restart the student account was suspended in such a way that he saw the message when he logged on. You apparently treat this as punishment. I don't. It is a very effective way of getting the user's attention. If I have a user causing problems who has ignored email messages, my next step is to do exactly that. (I give a restricted shell which prints the message.)

From the report it seems that the administrator reinstated the account after the student had been in to discuss the matter. This would seem to confirm my view that the admin wanted to get the student's attention, but was not punishing him provided he agreed not to resume this activity.

--
=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=
Neil W. Rickert, Computer Science <rickert@cs.niu.edu>
Northern Illinois Univ.
DeKalb, IL 60115 +1-815-753-6940
sean@ms.uky.edu (Sean Casey) (06/26/91)
rickert@mp.cs.niu.edu (Neil Rickert) writes:

|In article <1991Jun26.043640.19539@ms.uky.edu> sean@ms.uky.edu (Sean Casey) writes:
|>
|>This <BANG> "Stop or I'll shoot." mentality isn't very mental.

| Where did you get this "stop or I'll shoot" business. It certainly was
|nowhere stated.

They turned off his account! In computer terms, that's the same as shooting someone.

There are plenty of ways of getting a user's attention. How about a phone call? Or email. Or "talk", or "write"? Or how about renaming the script to "call_us__please_before_you_run_this...the_staff"? (Remember Monty Python's "The Meaning of Life" ? "How about a kiss, boy?")

Hair trigger reactions to remote administrations are uncalled for, unprofessional, counterproductive, and inflammatory. Be thoughtful. Investigate. Understand. Take reasonable action.

Maybe we need a guide for handling things like this. "DON'T PANIC: The Internet Administrator's Guide"

Sean
--
** Sean Casey <sean@s.ms.uky.edu>
** Recent subject line in comp.sys.handhelds: Printing BIG GROBS
jb3o+@andrew.cmu.edu (Jon Allen Boone) (06/26/91)
rickert@mp.cs.niu.edu (Neil Rickert) writes:
> What was stated was that initially the automated attempts were killed.

What was stated was that the automated attempts died. Not that they were killed. It wasn't explicitly stated whether they died from some sort of system limitation or an intentional kill by the sys admin. Stop jumping to conclusions. Ask if you really want to know if they were intentionally killed or if it was a system-resource limitation which caused them to die. (Hell, maybe the ethernet was flaky and THAT's why it died!).

----------------------------------|++++++++++++++++++++++++++++++++++++++++
| "He divines remedies against injuries;   | "Words are drugs."           |
|  he knows how to turn serious accidents  |         -Antero Alli         |
|  to his own advantage; whatever does not |                              |
|  kill him makes him stronger."           | "Culture is for bacteria."   |
|                  - Friedrich Nietzsche   |         - Christopher Hyatt  |
-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
dpassage@soda.berkeley.edu (David G. Paschich) (06/27/91)
In article <1991Jun26.134621.15275@ms.uky.edu> sean@ms.uky.edu (Sean Casey) writes:

   In article <mumble>, rickert@mp.cs.niu.edu (Neil Rickert) writes:
   |In article <1991Jun26.043640.19539@ms.uky.edu> sean@ms.uky.edu (Sean Casey) writes:
   |>
   |>This <BANG> "Stop or I'll shoot." mentality isn't very mental.
   | Where did you get this "stop or I'll shoot" business. It certainly was
   |nowhere stated.

   They turned off his account! In computer terms, that's the same as
   shooting someone.

No, in computer terms, that's the same as turning off his account. Let's remember that there's more to real life than the net.

The only thing I disagree with about the administrator's actions in the original post is that he didn't send mail first. (Or, at least, the user never read mail.) That to me is crucial: make sure that the person knows that what he's doing isn't kosher before you zorch him. Pulling something and stopping when you're told it's bad is one thing. Continuing on is quite another.

BTW, at my site, whenever I'm forced to turn off a user's account, I always do it by changing their shell to a program that tells them why their account has been turned off, and I always make them able to extract their files via FTP, or some other solution if they don't have other net access. I consider that information their property and I don't have the right to keep them from accessing it.

--
David G. Paschich    Open Computing Facility    UC Berkeley
dpassage@ocf.berkeley.edu
Go Colorado Rockies -- Opening Day, Mile High Stadium, April 1993
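The account-suspension approach described in the post above, sketched as an added example that is not part of the thread or any poster's own code: a login shell that states why the account is off and runs nothing else. The install name `suspended-shell`, the `/etc/suspended` reason directory and the message wording are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): login shell for a suspended account.
# Assumed install name: suspended-shell. Many ftpd implementations refuse
# users whose shell is not listed in /etc/shells, so the installed path has
# to be listed there for the FTP file access described in the post to work.
REASON_DIR=${REASON_DIR:-/etc/suspended}   # assumed: one reason file per user

# Print the notice for user $1, with the reason from $REASON_DIR/$1 if present.
suspension_notice() {
    user=$1
    case $user in
        ''|*/*|.*) user=unknown ;;   # a name must never escape REASON_DIR
    esac
    echo "The account '$user' has been suspended."
    if [ -f "$REASON_DIR/$user" ] && [ -r "$REASON_DIR/$user" ]; then
        echo "Reason given by the system staff:"
        cat "$REASON_DIR/$user"
    else
        echo "No reason is on file."
    fi
    echo "Your files are untouched and can still be retrieved over FTP."
    echo "Contact the system staff to have the account reviewed."
}

# Record the attempt in syslog when logger is available (tag is an assumption).
log_attempt() {
    if command -v logger >/dev/null 2>&1; then
        logger -t suspended-shell -p auth.notice \
            "login attempt by suspended user $1" || true
    fi
}

main() {
    trap '' INT QUIT HUP             # the notice cannot be interrupted
    user=$(id -un 2>/dev/null) || user=unknown
    log_attempt "$user"
    suspension_notice "$user"
    exit 1                           # arguments such as "-c cmd" are ignored
}

# Run only under the installed name, so the functions can be sourced and tested.
case ${0##*/} in
    suspended-shell) main ;;
esac
```

Because the reason lives in a per-user file, the same record serves the user at login and the staff member who later reviews the suspension.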
dhesi@cirrus.com (Rahul Dhesi) (06/27/91)
Disabling the account in this case was probably overkill. An email message or phone call would have been better.

However, in the past I have had occasion to disable a student account, and the reason then was not malice: It was to preserve evidence until the student's side of the story was heard and everything could be investigated.

This seems about as fair as you can get. As soon as the student gets in touch with the sysadmin, they can both consider what he was actually doing, and if it proves to be innocuous, the account can be re-enabled with (hopefully) no lasting negative effect on anybody.

If the student *was* doing something truly malicious, and if serious action is needed, then it is important that the state of the student's account be preserved, so that any incriminating evidence isn't lost before the investigation is complete.

But to disable an account for some ftp attempts over one quiet weekend seems excessively paranoid to me.

--
Rahul Dhesi <dhesi@cirrus.COM>
UUCP: oliveb!cirrusl!dhesi
emv@msen.com (Ed Vielmetti) (06/28/91)
> script to find anonymous FTP sites in 1989 got jjones@cs.uiuc.edu in
> trouble; it FTP'd to a list of internet sites ending in ".com" to
> see if those sites allowed anonymous FTP.

As I remember, the state of the art in 1989 of finding anonymous FTP sites was pretty bad. There was no "archie", comp.archives was not running up to speed, and what was left was a couple of attempts at compiling an anonymous FTP site list (doomed to failure because there was no effective verification). x.500 stuff was just not there (not that they're much of any use now). Brute force was an appropriate technology, and I'd almost argue that it's not completely inappropriate now, I'd say that if you ran a script now that walked down the nameservers for *.com and looked for A and CNAME records for sites like "ftp.mighty.com", you'd be doing a reasonable bit of network research. You'd catch cisco, solbourne, tcs, apple, vitalink, and cayman, that I'm aware of. There might be others. You wouldn't actually have to do any FTP'ing at all, just name server traffic.

(in fact, banging around a little bit, I find an "ftp.mips.com" which has reasonable stuff, so I think you'd find a lot of these.)

"abuse" means you didn't write a proposal and get grant money, otherwise it's "research".

--
Edward Vielmetti, MSEN Inc. moderator, comp.archives emv@msen.com
"often those with the power to appoint will be on one side of a controversial issue and find it convenient to use their opponent's momentary stridency as a pretext to squelch them"
levy@Daisy.EE.UND.AC.ZA (David Levy) (06/28/91)
In <ben.677904030@dragonfly.wri.com> ben@wri.com (Ben Cox) writes:

>jgreely@morganucodon.cis.ohio-state.edu (J Greely) writes:
>>Actually, they may have a firmer grip than you. Older versions of
>>ftpd had holes big enough to drive a truck through. If I spotted
>>someone out at bfe.edu attempting to connect to each of our machines
>>in turn, I'd be more than a little suspicious, and would probably send
>>mail to the admins there asking them to check it out.
>Once, I had to install a UUCP connection. I tried to test it out. I got
>mail from Rick Adams (!) telling me that my attempts at "testing" security
>of UUNET were not considered friendly. It turns out that the thing I used to
>test our UUCP connection used to be a bug and would have, in the olden days,
>allowed me access, but had since been fixed. UUNET had assumed I was testing
>for the presence of this bug, when in fact, I was totally unaware of the bug,
>and was simply trying to test our connection (I had been expecting a message
>back telling me my uux failed, but never got it).
>The moral of the story: sometimes your actions look much more suspicious than
>you think they do

The network software is horribly full of holes, bugs and other problems, but is in heavy use by a wide variety of people, which has led to well-known disasters, so administrators become paranoid, and dump on users who try to do reasonable things because the network goes wrong. Examples abound of things like 50 (or 500) copies of a file being shipped by a mail server for no obvious reason (to the user), etc etc.

The moral - fix the software, don't nail users, and take a tranquilliser if your paranoia gets out of control!

Dave Levy
--
David C Levy, Dept of Electronic Eng, Univ of Natal, King George V Ave, Durban, South Africa,
levy@ee.und.ac.za, levy%ee.und.ac.za@saqqara.cis.ohio-state.edu
m2xenix!quagga!levy%undee@uunet.uu.net, levy.undee@f4.n7104.z5.fidonet.org
emv@msen.com (Ed Vielmetti) (06/29/91)
In article <EMV.91Jun27180850@bronte.aa.ox.com> emv@msen.com (Ed Vielmetti) writes:
I'd say that if you ran a script now that walked down the nameservers
for *.com and looked for A and CNAME records for sites like
"ftp.mighty.com", you'd be doing a reasonable bit of network research.
The results of this network research:
ftp.3Com.COM. 120 CNAME gatekeeper.3Com.COM.
ftp.APPLE.COM. 93918 CNAME bric-a-brac.apple.com.
ftp.CAYMAN.COM. 14400 A 143.137.50.5
ftp.CISCO.COM. 43200 CNAME dirt.cisco.com.
ftp.FTP.COM. 120 CNAME vax.ftp.com.
ftp.LGC.COM. 21600 CNAME guest.lgc.com.
ftp.MIPS.COM. 78084 CNAME spim.mips.com.
ftp.MMMG.COM. 43200 CNAME web.mmc.mmmg.com.
ftp.PACBELL.COM. 172800 CNAME ns.PacBell.COM.
ftp.POWERMINDS.COM. 86400 CNAME powerminds.com.
ftp.PSI.COM. 86400 CNAME uu.psi.com.
ftp.SOLBOURNE.COM. 172800 CNAME solbourne.Solbourne.COM.
ftp.SOPHIA.COM. 172800 CNAME java.SOPHIA.COM.
ftp.SPRINT.COM. 14400 A 35.1.1.62
ftp.STD.COM. 86400 CNAME world.std.com.
ftp.TCS.COM. 144546 CNAME titan.tcs.com.
ftp.TELEBIT.COM. 33250 CNAME apache.telebit.com.
ftp.VITALINK.COM. 120 CNAME iggy.gw.vitalink.com.
ftp.XYLOGICS.COM. 86400 CNAME xylogics.com.
Looks pretty fruitful -- several of these are new to me.
--
Edward Vielmetti, MSEN Inc. moderator, comp.archives emv@msen.com
"abuse" means you didn't write a proposal and get grant money,
otherwise it's "research".
dave@jato.jpl.nasa.gov (Dave Hayes) (07/01/91)
de5@ornl.gov (Dave Sill) writes:
>In article <1991Jun25.173013.3784@mp.cs.niu.edu>, rickert@mp.cs.niu.edu (Neil Rickert) writes:
>>
>> Do you ever walk down the street, and as you do so, walk up to each house
>>and test the front door to see if they left it open?
>Aaarrgghh! If I *never* see another use of analogy in computer
>security it'll be too soon. It's very, very rare that one discovers
>an analogy that's truly appropriate and complete. This one certainly
>isn't.

I'll say. It would be more appropriate to have him driving the car, knocking on every door asking for a handout. I think only certain over-zealous policemen or extremely touchy citizens would be the problem.

Personally, I don't know why someone so touchy about anon FTP just doesn't disable it and log the attempt.

--
Dave Hayes - Network & Communications Engineering - JPL / NASA - Pasadena CA
dave@elxr.jpl.nasa.gov dave@jato.jpl.nasa.gov ames!elroy!dxh
"It is a dragon, destroyer of all," cried the ants. Then a cat caught the lizard.
dave@jato.jpl.nasa.gov (Dave Hayes) (07/01/91)
rickert@mp.cs.niu.edu (Neil Rickert) writes:
> There are a lot of rude and offensive things people can do which are not
>illegal. And as far as I am concerned, they can do them as much as they like
>in their own house or on their own computer. If they do them in someone
>else's house or on someone else's computer they should expect to be kicked out.

Now if your site was owned by YOU, I could get to that.

If you are running a university installation, however, I'd say that even though it's a service provided by you and your group...to the students those are public computers.

IS the notion of "public access" (even if the public space is small) dead?

--
Dave Hayes - Network & Communications Engineering - JPL / NASA - Pasadena CA
dave@elxr.jpl.nasa.gov dave@jato.jpl.nasa.gov ames!elroy!dxh
"It is a dragon, destroyer of all," cried the ants. Then a cat caught the lizard.
dave@jato.jpl.nasa.gov (Dave Hayes) (07/01/91)
jgreely@morganucodon.cis.ohio-state.edu (J Greely) writes:
> It sounds like the actions taken by the original sysadmins were
>quite reasonable.

Your points are well taken except for the last quoted one.

If it had been me, I would have sent mail after I found the *first* script running. Further, having investigated what it was doing, I would have removed it from my system. Finally, I would have given the guy the "anon_ftp" list that comes over alt.sources every so often. That way, no "negation with no replacement". 8)

Calling "Foul" after you let the guy continue to foul you is pretty bogus.

--
Dave Hayes - Network & Communications Engineering - JPL / NASA - Pasadena CA
dave@elxr.jpl.nasa.gov dave@jato.jpl.nasa.gov ames!elroy!dxh
"It is a dragon, destroyer of all," cried the ants. Then a cat caught the lizard.
rickert@mp.cs.niu.edu (Neil Rickert) (07/01/91)
In article <1991Jul1.014426.5808@jato.jpl.nasa.gov> dave@jato.jpl.nasa.gov writes:
>rickert@mp.cs.niu.edu (Neil Rickert) writes:
>
>> There are a lot of rude and offensive things people can do which are not
>>illegal. And as far as I am concerned, they can do them as much as they like
>>in their own house or on their own computer. If they do them in someone
>>else's house or on someone else's computer they should expect to be kicked out.
>
>Now if your site was owned by YOU, I could get to that.
>
>If you are running a university installation, however, I'd say that even
>though it's a service provided by you and your group...to the students
>those are public computers.

I suppose it is alright for a student to make annoying 'phone calls too, as long as he makes them from a university owned phone?

Now before you rush and say that the analogy is bad, let me point out that there are organizations on Internet who send strongly worded complaints when someone on my host makes an unsuccessful attempt to login. And they don't always send the complaints to me or to anyone else on this host. In at least one case the complaints were sent to someone who controls our network connection, and could prevent ALL attempts at anonymous ftp. To serve the best interest of all users of this system, I will do what is necessary to prevent such a shut off.

>Dave Hayes - Network & Communications Engineering - JPL / NASA - Pasadena CA
>dave@elxr.jpl.nasa.gov dave@jato.jpl.nasa.gov ames!elroy!dxh

You're from nasa.gov. Yep. That is the organization which has been so quick to complain. If you want me to completely ignore users on my system who make unwelcomed attempts at ftp, telnet, rlogin, etc, to other sites, you should start by persuading your organization to ignore those attempts. Then start persuading the other government labs that are so highly sensitive.

--
=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=
Neil W. Rickert, Computer Science <rickert@cs.niu.edu>
Northern Illinois Univ.
DeKalb, IL 60115 +1-815-753-6940