
[linux-security] Re: WARNING: Break-in attempts



On Thu, 18 Jun 1998, Shaun Hedges wrote:

> It is nice being paranoid, but what that person did is *not* illegal and would
> not hold any water in a court of law.

I don't know the laws in .ca, but here in the US, it would be possible 
under a number of circumstances to gain a conviction from the evidence 
presented.  One doesn't have to be successful in breaking in for it to be 
illegal in this country.  In general, it would be difficult to get a 
prosecutor to handle the criminal case, but could be done in some 
circumstances, depending on the machine, prosecutor, and jurisdiction in
question.  Any attack crossing a state boundary in the US, by default is
an attack on a "federal interest computer", and whilst the DOJ has
guidelines of loss, it's no less legal than attempting to break into
Dockmaster.

> He caused no loss of money, no denial of service, nothing.

Not relevant, at least in a number of US jurisdictions.  Attempted murder
doesn't always produce a victim either BTW, but you're not allowed to 
keep shooting until your aim improves.

> How can you deduce that the attacks were made by root user?  ident is easily
> spoofable.
> How do you know that inu.net was not in fact 0wned first and he was using
> that host for some sort of diversion mechanism?
> How do you know that he is not reading your e-mail right now and laughing at
> you because he knows nothing happened?

So, you'd ignore all incidents until the person had successfully 
compromised a machine, but since the packets could maybe possibly be 
spoofed, perhaps you'd ignore that too?  This accomplishes what exactly?

> It is nice being paranoid, but really.  What this person did is not illegal,

I'm no more of a lawyer than you, but I'd say that this statement is pure 
hogwash.  If you need a fair parallel, Intel vs. Schwartz would be a good 
starting point for an instance where this is completely untrue.  Did no 
harm by admission of both parties, caused no loss of services, caused no 
loss of money, gained a felony conviction.

> and you should just forget about it.  This happens to me every day, if I really
> wanted to threaten them then I would send email to their admins, but there is
> no use.

If you ignore them, they will keep at it until (a) they get your system,
or (b) they get someone else's system.  This serves *nobody* other than
the attacker.

> They would rather have people doing bad stuff and paying money, than have no
> money at all.

That's not true of a number of ISPs, who are good "citizens", or who would 
rather not be liable for the actions of their users, especially once warned of 
a potential bad user.  

IANAL, but if warned of an abusive user, and that's ignored, the ISP stands 
to lose some defenses (the "bad apple" defense, disassociating itself from
the actions of its user, for one), especially in civil cases (again in the US 
depending on jurisdiction).  ISPs in this country have yet, that I'm 
aware of, to successfully employ a "common carrier" defense which might 
offer them some protections from their users' actions, but even in that
case, a common carrier who ignores reports of an abusive customer stands 
to lose in court.

Having no idea what the attacker's motives are, complacency seems to be 
rather silly.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts clark net      which may have no basis whatsoever in fact."
                                                                     PSB#9280


