This material is Copyright © by Richard Johnson <Richard.Johnson@colorado.edu>.
In "TBTF for 1996-04-14: All Greek to me <http://www.atria.com/People/dawson/tbtf/archive/1996-04-14.html>" firstname.lastname@example.org (Keith Dawson) wrote:

>||| Anatomy of a protracted Net attack |||
>
>Fred Cohen <email@example.com> is president of Management Analytics in Hudson,
>Ohio, a consulting firm specializing in Net security. The firm operates
>the Info-Sec Heaven site at <http://all.net/> and publishes a monthly
>series of essays called "Internet Holes" on information-security
>topics. The March essay espoused a policy of "zero tolerance" for
>Net attacks:
>...

I find it almost amusing how Cohen has taken you in. Cohen went overboard with his "zero tolerance" stance. Like other absolutists, he soon discovered that the world really was against him, but only because of his absolutism.

Many systems and security administrators (myself included) find Cohen's attitude very disturbing. He was originally automatically sending 'your user so-and-so is attempting to crack my system' messages to systems administrators. These messages far overstated the case. After all, telnetting to a system is the easy way to see if it offers some kind of responder service, and is common practice. Also, many new Internet users simply don't know the difference between telnet and lynx and... To top it off, Cohen's complaints weren't even sent by a human who had reviewed the situation and found them necessary--they were generated automatically for every "incident". Cohen's alarmist messages had the potential to cause harm (loss of accounts, financial losses, disciplinary actions) to innocent people. This was incredibly irresponsible of him.

It was also hypocritical of Cohen to send the complaints. Before sending his alarmism, he would attack the machine the connection was coming from in an attempt to discover the identity of the user responsible. This is actually a serious security violation at one of my sites. Finger service is disabled because it offers, among other things, a way of determining valid user names for password guessing attempts. Of course, we log such violations, but because finger (like telnet) is a common protocol, we don't send alarming messages to the sysadmin at the originating site unless we have harder info of a break-in attempt. Unlike Cohen, we are responsible. [However, note that we are seriously considering sending alarming messages to the administrator (and CERT) if we receive any kind of connection from any host in the "all.net" domain...]

As a direct result of Cohen's bombastic irresponsibility, a number of civic-minded admins and users tried out Cohen's system. I did so because: 1) I wanted to see what kind of lies he'd be telling about my users--I didn't want to be blind-sided by a baseless complaint, and 2), more importantly, I was required to see what kind of "attack" signature his system generated so I could factor it out when deciding whether I was under a real attack. I thus triggered his irresponsible system from a number of the machines I control.

Others who were irritated with Cohen's irresponsibility, in a wonderfully done melding of protocols, set up web pages to increase the load on Cohen's system. Still others sent email to the humor mailing lists and newsgroups they were on, saying 'after you've read about this kook's response to telnets, you might want to try it out.' Perhaps they were attempting to show Cohen how his irresponsibility could be met with distributed social control. Perhaps they were attempting to show Cohen that automatic "telnet/finger" complaint wars were, like Canter and Siegel's spam, a lose-lose proposition. Cohen, in his absolutism, of course appears to have misinterpreted this. He began squalling about hackers trying to hide their break-in attempts by duping innocents into telnetting to his site. You seem to have fallen for it all, just as the mainstream press at first fell for Canter and Siegel's whining.

Basically, Cohen needs to get a clue. He needs to realize that if someone attempts to talk to a machine via telnet or finger or..., it's most likely an innocent hello, not a "hey, kid, hop into my car" situation. He should certainly watch, but not make unfounded alarmist accusations until he actually has something more solid. He should especially not _automatically_ make unfounded alarmist accusations.

In the end, it is only Cohen's irresponsibility and overreactions that have caused his woes. Any siege he was under was of his own making, brought on by his absolutist and bombastic attitude. A little reasonableness and moderation on his part would have gone a long way towards enhancing his reputation as a security practitioner, rather than enhancing his reputation as a self-promoting net.kook.

Enough for now, I have to go 'telnet all.net' to see how Cohen has changed his attack system. I have an obligation to my clients and employers to ignore such Cohen-crap while still detecting and stopping real attacks. Having to periodically recalibrate my warnings to handle the fallout from net.kooks like Cohen really sucks.

Richard Johnson
--
Disclaimer: This message has been carefully scrutinized and found to contain not a whit of indecent material. If you disagree, SCREW THE CDA. See <http://www.cdt.org/cda.html>.
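The distinction the post draws, between a lone telnet or finger connection that should merely be logged and a pattern that justifies alerting an upstream administrator, can be made concrete in a small log-triage routine. The following is an added example and not code from the post or from any system it mentions: the log line format, the thresholds, the time window and the hostname autoresponder.example (standing in for a source whose automated probing is already understood and should be factored out of attack detection, as the post describes doing) are all assumptions constructed for this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample connection log (assumed format, not from the post):
# "<date> <time> connect from <source host> service=<service>"
SAMPLE_LOG = """\
1996-04-10 10:00:00 connect from 192.0.2.99 service=telnet
1996-04-10 10:03:12 connect from 192.0.2.17 service=telnet
1996-04-10 10:05:01 connect from 198.51.100.8 service=finger
1996-04-10 10:05:02 connect from 198.51.100.8 service=finger
1996-04-10 10:05:03 connect from 198.51.100.8 service=finger
1996-04-10 10:05:05 connect from 198.51.100.8 service=finger
1996-04-10 10:05:08 connect from 198.51.100.8 service=finger
1996-04-10 10:05:11 connect from 198.51.100.8 service=finger
1996-04-10 10:10:00 connect from 203.0.113.5 service=telnet
1996-04-10 10:10:30 connect from 203.0.113.5 service=finger
1996-04-10 10:11:00 connect from 203.0.113.5 service=smtp
1996-04-10 10:20:00 connect from autoresponder.example service=finger
1996-04-10 10:20:01 connect from autoresponder.example service=finger
1996-04-10 10:20:02 connect from autoresponder.example service=telnet
1996-04-10 10:30:00 connect from 192.0.2.99 service=finger
1996-04-10 11:00:00 connect from 192.0.2.99 service=telnet
"""

LINE_RE = re.compile(r"^(\S+ \S+) connect from (\S+) service=(\S+)$")

# Hypothetical hostname: a source whose automated probes are a known,
# already-analysed signature, so its connections are not counted as an attack.
KNOWN_NOISE = frozenset({"autoresponder.example"})


def parse_log(text):
    """Parse log text into (timestamp, source, service) tuples, skipping malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        events.append((ts, m.group(2), m.group(3)))
    return events


def classify(events, window=timedelta(minutes=10), finger_threshold=5,
             service_threshold=3, known_noise=KNOWN_NOISE):
    """Return a dict mapping each source host to one verdict:
    'known-noise'               - source is on the factored-out list
    'log-only'                  - isolated connections; record, do not complain
    'alert:finger-enumeration'  - many finger requests in one window
    'alert:service-sweep'       - several distinct services probed in one window
    """
    by_src = defaultdict(list)
    for ts, src, svc in events:
        by_src[src].append((ts, svc))

    verdicts = {}
    for src, evs in by_src.items():
        if src in known_noise:
            verdicts[src] = "known-noise"
            continue
        evs.sort()
        verdict = "log-only"
        # Slide a window over the source's events; a single telnet or finger
        # never crosses either threshold, so it stays at log-only.
        for i, (t0, _) in enumerate(evs):
            in_window = [svc for t, svc in evs[i:] if t - t0 <= window]
            if in_window.count("finger") >= finger_threshold:
                verdict = "alert:finger-enumeration"
                break
            if len(set(in_window)) >= service_threshold:
                verdict = "alert:service-sweep"
                break
        verdicts[src] = verdict
    return verdicts


def run_sample():
    """Triage the constructed sample log with the default thresholds."""
    return classify(parse_log(SAMPLE_LOG))


if __name__ == "__main__":
    for src, verdict in sorted(run_sample().items()):
        print(f"{src:24} {verdict}")
```

With the sample data, the lone telnet from 192.0.2.17 and the three widely spaced connections from 192.0.2.99 are recorded but produce no alert, the burst of finger requests from 198.51.100.8 and the three-service probe from 203.0.113.5 do, and the known automated source is set aside entirely so that its reflexive probing does not skew the thresholds. The window and threshold values are the knobs an administrator would retune when, as the post puts it, warnings have to be recalibrated.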