
Re: Vigilanteism [was: Re: Re: intrusion via ssh]



On Friday 01 April 2005 18:31, Ralph Katz wrote:
>John Hasler wrote:
>> Gene Heskett writes:
>>> Real justice is served more often than not by those limits.
>>
>> I wouldn't bet on it.  The law involved is the Federal "Computer
>> Fraud and Abuse Act" (violation of which is a felony), not local
>> law and violations are investigated by the FBI.  The computers
>> involved are probably zombies under remote-control, and may belong
>> to large organizations of the sort that always press charges.
>> --
>> John Hasler
>
>John gets it; we can't have a community where vigilanteism is
> permitted.
>
>In addition to being illegal, what if your retribution against an
>attacking zombie:
>
>1) disables a US government honey pot?  Maybe you've thwarted a
> federal investigation, and if the box belonged to homeland
> security, now you're liable for charges under one of the many
> over-reaching anti-terrorism laws.
>
>2) destroys critical cancer research, or causes loss of life from
>disrupting a process control system in a chemical manufacturing
> plant?

All are good reasons not to, I agree.  In that case, and if your 
tracks can be covered (they probably cannot) then I'd at least look 
around, and possibly, if the rootkit is identifiable, nuke the 
rootkit.  But the chances of getting away with an access lasting long 
enough to do that are somewhere between point double ought shit and 
zilch & we both know it.  Besides, not knowing what let that 
particular kit in and fixing that too, just means the perp will 
reinstall it 10 minutes after you disconnect.  Murphy's Law you know.

>But more importantly, it's wrong.  Let's set a higher standard.

Well, the only machine I ever logged into with a rootkit, got cleaned 
up via no further reboots after we'd done one as the perp was logged 
in, but before he could cover his tracks.  It was also prior to the 
federal computer crimes thingy being passed.  I logged into the 
machine the attack came from, and like you, came to the conclusion it 
also was an owned zombie.  It deserved to be, it answered to a telnet 
session!

>Regards,
>Ralph

-- 
Cheers, Gene
"There are four boxes to be used in defense of liberty:
 soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
99.34% setiathome rank, not too shabby for a WV hillbilly
Yahoo.com and AOL/TW attorneys please note, additions to the above
message by Gene Heskett are:
Copyright 2005 by Maurice Eugene Heskett, all rights reserved.
