How do we deal with offensive Web sites?
Remember that the Internet is voluntary. There is no law that forces an ISP to serve people they don’t like.
As the spam kings Jeff Slayton, Crazy Kevin, and, oh, yes, the original spam artists Cantor and Siegal have
learned, life as a spammer is life on the run. The same holds for Web sites that go over the edge.
The reason I bring this up is that a Happy Hacker list member has told me he would like to vandalize kiddie
porn sites. I think that is a really, really kewl idea -- except for one problem. You can get thrown in jail! I
don’t want the hacker tools you can pick up from public Web and ftp sites to lure anyone into getting
busted. It is easy to use them to vandalize Web sites. But it is hard to use them without getting caught!
*****************
YOU CAN GO TO JAIL NOTE: Getting into a part of a computer that is not open to the public is illegal. In
addition, if you use the phone lines or Internet across a US state line to break into a non-public part of a
computer, you have committed a Federal felony. You don’t have to cause any harm at all -- it’s still illegal.
Even if you just gain root access and immediately break off your connection -- it’s still illegal. Even if you
are doing what you see as your civic duty by vandalizing kiddie porn -- it’s still illegal.
***************
Here’s another problem. It took just two grouchy hacker guys to get the DC-stuff list turned off . Yes, it
*will* be back, eventually. But what if the Internet were limited to carrying only stuff that was totally
inoffensive to everyone? That’s why it is against the law to just nuke ISPs and Web servers you don’t like.
Believe me, as you will soon find out, it is really easy to blow an Internet host off the Internet. It is *so*
easy that doing this kind of stuph is NOT elite!
So what’s the legal alternative to fighting kiddie porn? Trying to throw Web kiddie porn guys in jail doesn’t
always work. While there are laws against it in the US, the problem is that the Internet is global. Many
countries have no laws against kiddie porn on the Internet. Even if it were illegal everywhere, in lots of
countries the police only bust people in exchange for you paying a bigger bribe than the criminal pays.
*******************
They can go to jail note: In the US and many other countries, kiddie porn is illegal. If the imagery is hosted
on a physical storage device within the juris diction of a country with laws against it, the person who puts
this imagery on the storage device can go to jail. So if you know enough to help the authorities get a search
warrant, by all means contact them. In the US, this would be the FBI.
*******************
But the kind of mass outrage that keeps spammers on the run can also drive kiddie porn off the Web. *We*
have the power.
The key is that no one can force an ISP to carry kiddie porn -- or anything else. In fact, most human beings
are so disgusted at kiddie porn that they will jump at the chance to shut it down. If the ISP is run by some
pervert who wants to make money by offering kiddie porn, then you go to the next level up, to the ISP that
provides connectivity for the kiddie porn ISP. There someone will be delighted to cut off the b*****ds.
So, how do you find the people who can put a Web site on the run? We start with the URL.
I am going to use a real URL. But please keep in mind that I am not saying this actually is a web address with
kiddie porn. This is being used for purposes of illustration only because this URL is carried by a host with
so many hackable features. It also, by at least some standards, carries X-rated material. So visit it at your
own risk.
http://www.phreak.org
Now let’s say someone just told you this was a kiddie porn site. Do you just launch an attack? No.
This is how hacker wars start. What if phreak.org is actually a nice guy place? Even if they did once display
kiddie porn, perhaps they have repented. Not wanting to get caught acting on a stupid rumor, I go to the
Web and find the message “no DNS entry.” So this Web site doesn’t look like it’s there just now.
But it could just be the that the machine that runs the disk that holds this Web site is temporarily down.
There is a way to tell if the computer that serves a domain name is running: the ping command:
/usr/etc/ping phreak.org
The answer is:
/usr/etc/ping: unknown host phreak.org
Now if this Web site had been up, it would have responded like my Web site does:
/usr/etc/ping techbroker.com
This gives the answer:
techbroker.com is alive
*************************
Evil Genius Note: Ping is a powerful network diagnostic tool. This example is from BSD Unix. Quarterdeck
Internet Suite and many other software packages also offer this wimpy version of the ping command. But in
its most powerful form -- which you can get by installing Linux on your computer -- the ping-f command will
send out packets as fast as the target host can respond for an indefinite length of time. This can keep the
target extremely busy and may be enough to put the computer out of action. If several people do this
simultaneously, the target host will almost certainly be unable to maintain its network connection. So --
*now* do you want to install Linux?
*************************
*************************
Netiquette warning: “Pinging down” a host is incredibly easy. It’s way too easy to be regarded as elite, so
don’t do it to impress your friends. If you do it anyhow, be ready to be sued by the owner of your target and
kicked off your ISP-- or much worse! If you should accidentally get the ping command running in assault
mode, you can quickly turn it off by holding down the control key while pressing the “c” key.
*************************
*************************
You can go to jail warning: If it can be shown that you ran the ping-f command on purpose to take out the
host computer you targeted, this is a denial of service attack and hence illegal.
************************
OK, now we have established that at least right now, http://phreak.com either does not exist, or else that the
computer hosting it is not connected to the Internet.
But is this temporary or is it gone, gone, gone? We can get some idea whether it has been up and around
and widely read from the search engine at http://altavista.digital.com. It is able to search for links embedded
in Web pages. Are there many Web sites with links to phreak.org? I put in the search commands:
link: http://www.phreak.org
host: http://www.phreak.org
But they turn up nothing. So it looks like the phreak.org site is not real popular.
Well, does phreak.org have a record at Internic? Let’s try whois:
whois phreak.org
Phreaks, Inc. (PHREAK-DOM)
Phreaks, Inc.
1313 Mockingbird Lane
San Jose, CA 95132 US
Domain Name: PHREAK.ORG
Administrative Contact, Billing Contact:
Connor, Patrick (PC61) pc@PHREAK.ORG
(408) 262-4142
Technical Contact, Zone Contact:
Hall, Barbara (BH340) rain@PHREAK.ORG
408.262.4142
Record last updated on 06-Feb-96.
Record created on 30-Apr-95.
Domain servers in listed order:
PC.PPP.ABLECOM.NET 204.75.33.33
ASYLUM.ASYLUM.ORG 205.217.4.17
NS.NEXCHI.NET 204.95.8.2
Next I wait a few hours and ping phreak.org again. I discover it is now alive. So now we have learned that
the computer hosting phreak.org is sometimes connected to the Internet and sometimes not. (In fact, later
probing shows that it is often down.)
I try telnetting to their login sequence:
telnet phreak.org
Trying 204.75.33.33 ...
Connected to phreak.org.
Escape character is '^]'.
______________ _______________________________ __
___ __ \__ / / /__ __ \__ ____/__ |__ //_/____________________ _
__ /_/ /_ /_/ /__ /_/ /_ __/ __ /| |_ ,< _ __ \_ ___/_ __ `/
_ ____/_ __ / _ _, _/_ /___ _ ___ | /| |__/ /_/ / / _ /_/ /
/_/ /_/ /_/ /_/ |_| /_____/ /_/ |_/_/ |_|(_)____//_/ _\__, /
/____/
;
Connection closed by foreign host.
Aha! Someone has connected the computer hosting phreak.org to the Internet!
The fact that this gives just ASCII art and no login prompt suggests that this host computer does not
exactly welcome the casual visitor. It may well have a firewall that rejects attempted logins from anyone who
telnets in from a host that is not on its approved list.
Next I finger their technical contact:
finger rain@phreak.org
Its response is:
[phreak.org]
It then scrolled out some embarrassing ASCII art. Finger it yourself if you really want to see it. I’d only rate
it PG-13, however.
The fact that phreak.org runs a finger service is interesting. Since finger is one of the best ways to crack into
a system, we can conclude that either:
1) The phreak.org sysadmin is not very security-conscious, or
2) It is so important to phreak.org to send out insulting messages that the sysadmin doesn’t care about the
security risk of running finger.
Since we have seen evidence of a fire wall, case 2 is probably true.
One of the Happy Hacker list members who helped me by reviewing this Guide, William Ryan, decided to
further probe phreak.org’s finger port:
“I have been paying close attention to all of the "happy hacker" things that you have posted. When I tried
using the port 79 method on phreak.org, it connects and then displays a hand with its middle finger raised
and the comment "UP YOURS." When I tried using finger, I get logged on and a message is displayed
shortly thereafter "In real life???"”
Oh, this is just *too* tempting...ah, but let’s keep out of trouble and just leave that port 79 alone, OK?
Now how about their HTML port, which would provide access to any Web sites hosted by phreak.org? We
could just bring up a Web surfing program and take a look. But we are hackers and hackers never do stuph
the ordinary way. Besides, I don’t want to view dirty pictures and naughty words. So we check to see if it is
active with, you guessed it, a little port surfing:
telnet phreak.org 80
Here’s what I get:
Trying 204.75.33.33 ...
Connected to phreak.org.
Escape character is '^]'.
HTTP/1.0 400 Bad Request
Server: thttpd/1.00
Content-type: text/html
Last-modified: Thu, 22-Aug-96 18:54:20 GMT
<HTML><HEAD><TITLE>400 Bad Request</TITLE></HEAD>
<BODY><H2>400 Bad Request</H2>
Your request '' has bad syntax or is inherently impossible to satisfy.
<HR>
<ADDRESS><A HREF="http://www.acme.org/software/thttpd/">thttpd/1.00</A></ADDRESS
</BODY></HTML>
Connection closed by foreign host.
Now we know that phreak.org does have a web server on its host computer. This server is called thttpd,
version 1.0. We also may suspect that it is a bit buggy!
What makes me think it is buggy? Look at the version number: 1.0. Also, that’s a pretty weird error message.
If I were the technical administrator for phreak.org, I would get a better program running on port 80 before
someone figures out how to break into root with it. The problem is that buggy code is often a symptom of
code that takes the lazy approach of using calls to root. In the case of a Web server, you want to give readonly
access to remote users in any user’s directories of html files. So there is a huge temptation to use calls
to root.
And a program with calls to root just might crash and dump you out into root.
************************
Newbie note: Root! It is the Valhalla of the hard -core cracker. “Root” is the account on a multi-user
computer which allows you to play god. You become the “superuser”! It is the account from which you can
enter and use any other account, read and modify any file, run any program. With root access, you can
completely destroy all data on boring.ISP.net or any other host on which you gain root. (I am *not*
suggesting that you do so!)
*************************
Oh, this is just too tempting. I do one little experiment:
telnet phreak.org 80
This gives:
Trying 204.75.33.33 ...
Connected to phreak.org.
Escape character is '^]'.
Because the program on port 80 times out on commands in a second or less, I was set up ready to do a paste
to host command, which quickly inserted the following command:
<ADDRESS><A HREF="http://www.phreak.org/thttpd/">thttpd/1.00</A></ADDRESS</BODY></HTML>
This gives information on phreak.org’s port 80 program:
HTTP/1.0 501 Not Implemented
Server: thttpd/1.00
Content-type: text/html
Last-modified: Thu, 22-Aug-96 19:45:15 GMT
<HTML><HEAD><TITLE>501 Not Implemented</TITLE></HEAD>
<BODY><H2>501 Not Implemented</H2>
The requested method '<ADDRESS><A' is not implemented by this server.
<HR>
<ADDRESS><A HREF="http://www.acme.org/software/thttpd/">thttpd/1.00</A></ADDRESS
</BODY></HTML>
Connection closed by foreign host.
All right, what is thttpd? I do a quick search on Altavista and get the answer:
A small, portable, fast, and secure HTTP server. The tiny/turbo/throttling HTTP server does not fork and is
very careful about memory...
But did the programmer figure out how to do all this without calls to root? Just for kicks I try to access the
acme.org URL and get the message “does not have a DNS entry.” So it’s off-line, too. But whois tells me it is
registered with Internic. Hmm, this sounds even more like brand X software. And it’s running on a port.
Break-in city! What a temptation...arghhh...
Also, once again we see an interesting split personality. The phreak.org sysadmin cares enough about
security to get a Web server advertised as “secure.” But that software shows major symptoms of being a
security risk!
So what may we conclude? It looks like phreak.org does have a Web site. But it is only sporadically
connected to the Internet.
Now suppose that we did find something seriously bad news at phreak.org. Suppose someone wanted to
shut it down. Ah-ah-ah, don’t touch that buggy port 80! Or that tempting port 79! Ping in moderation, only!
********************************
You can go to jail note: Are you are as tempted as I am? These guys have notorious cracker highway port 79
open, AND a buggy port 80! But, once again, I’m telling you, it is against the law to break into non-public
parts of a computer. If you telnet over US state lines, it is a federal felony. Even if you think there is
something illegal on that thttpd server, only someone armed with a search warrant has the right to look it
over from the root account.
********************************
First, if in fact there were a problem with phreak.org (remember, this is just being used as an illustration) I
would email a complaint to the technical and administrative contacts of the ISPs that provide phreak.org’s
connection to the Internet. So I look to see who they are:
whois PC.PPP.ABLECOM.NET
I get the response:
[No name] (PC12-HST)
Hostname: PC.PPP.ABLECOM.NET
Address: 204.75.33.33
System: Sun 4/110 running SunOS 4.1.3
Record last updated on 30-Apr-95
In this case, since there are no listed contacts, I would email postmaster@ABLECOM.NET.
I check out the next ISP:
whois ASYLUM.ASYLUM.ORG
And get:
[No name] (ASYLUM4-HST)
Hostname: ASYLUM.ASYLUM.ORG
Address: 205.217.4.17
System: ? running ?
Record last updated on 30-Apr-96.
Again, I would email postmaster@ASYLUM.ORG
I check out the last ISP:
whois NS.NEXCHI.NET
And get:
NEXUS-Chicago (BUDDH-HST)
1223 W North Shore, Suite 1E
Chicago, IL 60626
Hostname: NS.NEXCHI.NET
Address: 204.95.8.2
System: Sun running Unix
Coordinator:
Torres, Walter (WT51) walter-t@MSN.COM
312-352-1200
Record last updated on 31-Dec-95.
So in this case I would email walter-t@MSN.COM with evidence of the offending material. I would also email
complaints to postmaster@PC.PPP.ABLECOM.NET and postmaster@ ASYLUM.ASYLUM.ORG.
That’s it. Instead of waging escalating hacker wars that can end up getting people thrown in jail, document
your problem with a Web site and ask those who have the power to cut these guys off to do something.
Remember, you can help fight the bad guys of cyberspace much better from your computer than you can
from a jail cell.
*************************
Netiquette alert: If you are just burning with curiosity about whether thttpd can be made to cras h to root,
*DON’T* run experiments on phreak.org’s computer. The sysadmin will probably notice all those weird
accesses to port 80 on the shell log file. He or she will presume you are trying to break in, and will complain
to your ISP. You will probably lose your account.
*************************
*************************
Evil Genius note: The symptoms of being hackable that we see in thttpd are the kind of intellectual challenge
that calls for installing Linux on your PC. Once you get Linux up you could install thttpd. Then you may
experiment with total impunity.
If you should find a bug in thttpd that seriously compromises the security of any computer running it, then
what do you do? Wipe the html files of phreak.org? NO! You contact the Computer Emergency Response
Team (CERT) at http://cert.org with this information. They will send out an alert. You will become a hero and
be able to charge big bucks as a computer security consultant. This is much more phun than going to jail.
Trust me.
************************
No comments:
Post a Comment