From jericho@dimensional.com Fri Jun 20 23:17:43 1997
Date: Fri, 20 Jun 1997 23:17:02 -0600 (MDT)
From: jericho@dimensional.com
To: Sean Kelly
Cc: z3ns , root@sekurity.org
Subject: Re: recent publicity about the.art.of.security.org (fwd)

> > I am the owner and primary admin of sekurity.org, and do not appreciate
> > your slander, especially on a public mail list.
>
> The slander being "repository of cracking information", I assume?

Yes. You posted that to a public mail list full of people interested in security. So now, I will have people coming to my site thinking it is full of "cracking code", when it has a very small percentage of it. My site is not here to draw hackers, but to draw security professionals that need utils to do their job.

> Perhaps you'd be more specific---and less insulting at the same time?
> As a representative for the sekurity.org domain (the administrative and
> billing contact, to be specific), a modicum of professionalism will
> smooth our relations greatly.

I will be more than happy to exhibit the same respect you do, which so far has been non-existent. You automatically assumed there was no one here to contact, and that it would do no good to do so. Why is that? What about "sekurity.org" stuck out in your mind as a group of unhelpful people? Whatever it is, I would be more than happy to give you a list of people I have done free security consulting for in my spare time.

> I realize I can complain to you, or to root, or to your ISP/NAP. (I'm
> even familiar with tools like traceroute!) I could even send a letter
> to you in Littleton, or send a fax to Dimensional.

So why your questions and insulting tone that you couldn't do that? Please remember, I have seen only the single post to the list (which I responded to), and no followup.

> The reason I was asking was not to determine to whom I could complain,
> but if such a complaint would be productive---and if so, which would be
> best.

Firing off a single letter saying "hey, what's up with this", or maybe even CCing me in on the original post would have been helpful. It would have given me a chance to prepare for this, and to prepare for the traffic that ensued as a result of it.

> "Slander" is a strong term, here. I made an appraisal of files
> available at the.art.of.sekurity.org which I feel is as accurate as can
> be based on the limited amount of time I could stay connected. If the

On that customer machine. But you did not call it "the.art.of" in that sentence. You called it "sekurity.org" which represents my entire domain. If you "ftp sekurity.org", you go to *my* machine, with more security material than hacker material. Thus my concern.

> files at that server aren't wholly a collection of cracking tools and
> information, then there should be some kind of login banner or READMEs
> provided that state their true intent.

There is no law that says he (or anyone else) has to put banners up. I put banners up where I feel they are appropriate.

> Furthermore, the owner of that system, zen@sekurity.org, said nothing
> about slander. In fact, he AGREES with my appraisal of the files. In
> his own words:

For the last time, you did NOT slander him.. you slandered MY system.

> Let's drop this "slander" terminology since I think it's pretty clear it
> doesn't apply here.

It sure as hell does. Had you been talking about "the.art.of", and been consistent in using that machine name, I would have no problem. But you didn't.. you dropped that name and used my entire domain name.

> > That machine is not the
> > primary FTP server on this network. "obscure.sekurity.org" is.
>
> That I surmised by using (ta-da) nslookup! :-) ftp.sekurity.org is a
> CNAME entry for obscure.sekurity.org.

So why slander MY ftp server? That is the point I am making.

> I'm aware of this argument, and I don't have any qualms against it. For
> the most part. And I too can debate the pros and cons of this approach.

I am glad you agree there.

> I was able to make one successful FTP connection to
> the.art.of.sekurity.org and was able to make some directory listings.

I was talking about *my* server. You apparently did not check out obscure.sekurity.org at all. And to head your reply off, yes, *.gov is banned from the system because of past incidents of abuse from government (and military sites). However, as my banner says, I can make arrangements to let *.gov users in if they request it.

> Furthermore, I have the evidence of the break-in showing a number of
> files transferred from there, all of which were clearly used to
> compromise security.

Looking at the log, it doesn't appear that ANY of those files compromised security. By your own words, you didn't think root had been compromised. That means the intruder gained illegal access to your machine somehow, and THEN transferred those files. From the logs, that is technically what happened. Now, it is true that they MAY have gotten files from that system (or my ftp server) that aided in remotely breaking in to your machine, but that can't be determined from the logs you posted.

> > 2) didn't know how networks operate and catch the fact that
> > ftp.sekurity.org is aliased to "obscure", not "the.art.of",
>
> NOWHERE in my message did I even mention "ftp.sekurity.org".

You DID mention "sekurity.org", which aliases to "ftp.sekurity.org" when a user FTPs here.

> Perhaps you're referring to this part of my message:
>
> | Is anyone aware of
> | "sekurity.org" and what their purpose is? Is there someone there to
> | whom I should complain? (Doubtful, as it appears the reason that ftp
> | site exists is to provide a repository of cracking code.)
>
> Here, when I say "that ftp site" I'm referring to
> the.art.of.sekurity.org, and not the main ftp server at sekurity.org. I

LOOK at it. In that paragraph, you don't say "the.art.of" once. The only thing you say is "sekurity.org", which is MY server. I feel I am being very clear on this.

> can see why there would be confusion. If you wish, I'll offer a public
> clarification in the same forum in which I originally posted this
> message.

If YOU feel that is warranted, feel free. I will not ask you or demand it or anything like that. I simply want it clear that my server is different from the other, and that my server is not a place for hacker tools only. I actually concentrate on classical art in .jpg or .gif format more than security recently. The only time I work on hacker tools is when they are put in my incoming directory.

> > or 3) were an
> > 'idiot' as you call your attacker.
>
> Hmmmm.

I would like to apologize for the repeated insulting. It is just very unnerving to see posts like that which could potentially hurt the image of my system. I am known as a security site, not a hacker site. I wish it to remain that way. Recently I have been working long hours on various contracts and admittedly, my patience is near gone. So once again, I am sorry for the insults.

> > If you have any further questions about ANYTHING on this server, ANY of my
> > customers, or ANYTHING else security related, I will be more than happy to
> > assist you in whatever way I can.
>
> Thank you for your sudden kindness.

Like I said, I am only here to help people. I repay kindness with kindness. That is why I wished you had contacted me first, so that I could assess the situation without having all of the other publicity involved. Your post to the mailing list has generated a considerable amount of traffic to David's box (zen@). In the past two days, my machine has monitored nearly 400 connects to his system, which is roughly 350 more than he has had in the past *3 months together*. I run this system on a 128K connection, so traffic like that drastically affects our bandwidth. Part of him co-locating his system here is that I have root access on his system. Had I been warned as soon as you found out, I could have checked his logs and attempted to track down more of what happened. If the intruder had used that system from other domains, it may help give a clear path of where the intruder went before and/or after your system. If you would like help on this end, I am still more than willing to help in any way I can.

Damien

> Sean Kelly