Comments on: Bright future for counter-attacks

By: Nate Lawson

Nate Lawson — Thu, 12 Apr 2007 17:20:04 +0000

Bob, nice thoughts. I didn't notice that this was a 7 year+ battle. The biggest hole in the case for the electronic/physical search being necessary to protect the email server is that the admin demonstrated he had the ability and means to block the attack. Changing IP addresses within a class C is still well within the range of IP filtering. The attacker could then just log into a middle box outside the school to get around it. So patching the hole(s) would be a smart parallel activity. The nice thing about it being an email (and not shell) server is it's likely the permitted services would only be SMTP and POP/IMAP (maybe +SSL, but not likely). This gives a lot of flexibility in filtering and patching to keep the system running while locking out an ongoing attack. UW-Madison staff should be sentenced to play CTF at Defcon every year.

By: Bob Plankers

Bob Plankers — Thu, 12 Apr 2007 02:18:47 +0000

One thing to remember is that this was quite a while ago. I am certainly not defending anybody’s actions (not at all, don’t even think that I am), but network security has come quite far since this whole thing started. Firewalls? Yeah, a reality now, not as common then. The server itself was AIX, and AIX didn’t have host-based firewalling until last year (2006). There were certainly other methods available, though, like blackhole routes, ACLs, wait for the FBI, etc.

Another thing to consider is common carrier law. The UW-Madison, as with many institutions, walks a narrow line between the pressures of keeping an orderly, useful network and losing their defense as a “common carrier” for policing their network. The UW-Madison is doing some good anti-RIAA work in this regard (despite what the Wired article implies), and the policy is a lot more clear now. When Heckenkamp was terrorizing servers at the UW the policy was a lot less clear. Even law enforcement was relatively clueless about electronic issues back then, as compared to now. Getting them to do something was very, very hard, because they just didn’t understand.

In this particular case both sides are equally dumb, for the lack of a better word. Heckenkamp couldn’t be bothered to use common sense, like any of the points you outline above. Jeff Savoy gave Heckenkamp’s defense attorneys enough ammunition for years of appeals. I don’t like the idea that anybody was lucky with this judge. Justice isn’t about luck, it is about proof (yeah, yeah, I know how it goes sometimes). Heckenkamp left a massive trail of electronic destruction, though, and it isn’t hard to imagine that there was enough of it to point to him definitively. It was the collection of some of it that was in question, and almost ruined it.

I can imagine that there are a lot of folks, law enforcement and others, that breathed a sigh of relief at this ruling. Many people put a lot of time into collecting evidence only to have it jeopardized by a vigilante. That’s why I have a hard time believing this will be a precedent. It worked this time, barely, but when you work hard on something you don’t want your time to be wasted. I can envision future situations where the vigilante finds themselves fighting both the hacker and the law enforcement, with the vigilantes ending up in jail, too. Vigilantism will certainly not be a corporate policy, either. People want convictions, not eight year protracted legal battles.

By: Pete Rittwage

Pete Rittwage — Wed, 11 Apr 2007 13:15:57 +0000

They obviously have a “good” lawyer and were very lucky with this judge. If they logged onto his computer remotely instead of just blocking the port when it could be proven that they can, then their argument does not stand up. He should have a chance at a civil case against the University.

Now, if they can prove they have no way to block the port or the traffic with any manner of security measures, then they should be held partially responsible for the intrusion as well.

Now the other problem is… This is now a precident.