HELP - moral dilemma

Post by stringer » Tue, 21 Jul 1998 04:00:00



Hey all,

    Recently I discovered a major security hole in the web server of a big
American ISP, which was meant to contain the user pages of all its 9000
users. It did this, but also contained the passwd file, world readable, at
www.foo.net/etc/passwd. Later, when I travelled to their main page and read
all their pro-privacy claims, I couldn't believe that a sysadmin could be so
stupid.
    It was obvious the ISP didn't even bother running a cracker on their
password file, because I ran Crack with a minimal dictionary and discovered a
plethora of passwords, which all seemed to be valid. These passwords provide
access to the users' mail and web files, also allowing one to change and view
their account payment method.

Anyway nuff said....

I need some advice on what action, if any, I should take to notify the
sysadmin. Or should I just let him learn from his mistakes....

thanx,
s.t.r.i.n.g.e.r.s

 
 
 

HELP - moral dilemma

Post by voi » Tue, 21 Jul 1998 04:00:00


Just mail the sysadmin -- you might want to do it anonymously, in case
s/he gets pissed.


>Hey all,

>    Recently I discovered a major security hole in the web server of a big
>American ISP, which was meant to contain the user pages of all its 9000
>users. It did this, but also contained the passwd file, world readable, at
>www.foo.net/etc/passwd. Later, when I travelled to their main page and read
>all their pro-privacy claims, I couldn't believe that a sysadmin could be so
>stupid.
>    It was obvious the ISP didn't even bother running a cracker on their
>password file, because I ran Crack with a minimal dictionary and discovered a
>plethora of passwords, which all seemed to be valid. These passwords provide
>access to the users' mail and web files, also allowing one to change and view
>their account payment method.

>Anyway nuff said....

>I need some advice on what action, if any, I should take to notify the
>sysadmin. Or should I just let him learn from his mistakes....

>thanx,
>s.t.r.i.n.g.e.r.s

--

 Ben



 
 
 

HELP - moral dilemma

Post by elxs » Tue, 21 Jul 1998 04:00:00


I'd say mail the sysadmin and tell them specifically what you did and
didn't do, but don't do it too anonymously, because you want a reply from
them to find out what actions they took. Basically there are two types of
admins in a situation like this: one that learns from their mistakes and
will thank you for pointing it out and patch it, or the type that feels
violated by something like this, and they'll do whatever they can to
track you down.

Good luck,
elxsi


> Hey all,
>     Recently I discovered a major security hole in the web server of a big
> American ISP, which was meant to contain the user pages of all its 9000
> users. It did this, but also contained the passwd file, world readable, at
> www.foo.net/etc/passwd. Later, when I travelled to their main page and read
> all their pro-privacy claims, I couldn't believe that a sysadmin could be so
> stupid.
>     It was obvious the ISP didn't even bother running a cracker on their
> password file, because I ran Crack with a minimal dictionary and discovered a
> plethora of passwords, which all seemed to be valid. These passwords provide
> access to the users' mail and web files, also allowing one to change and view
> their account payment method.
> Anyway nuff said....
> I need some advice on what action, if any, I should take to notify the
> sysadmin. Or should I just let him learn from his mistakes....
> thanx,
> s.t.r.i.n.g.e.r.s

 
 
 

HELP - moral dilemma

Post by Bill Unr » Wed, 22 Jul 1998 04:00:00



>I'd say mail the sysadmin and tell them specifically what you did and
>didn't do, but don't do it too anonymously, because you want a reply from
>them to find out what actions they took. Basically there are two types of
>admins in a situation like this: one that learns from their mistakes and
>will thank you for pointing it out and patch it, or the type that feels
>violated by something like this, and they'll do whatever they can to
>track you down.

And if they are in Oregon (and probably other states), you could open
yourself up to a criminal charge.
Some people don't like you pointing out their stupidity to them. They
would rather shoot the messenger than listen to them.
 
 
 

HELP - moral dilemma

Post by Christian Trembla » Wed, 22 Jul 1998 04:00:00


Be careful, be *very careful*. Kevin Mitnick has been rotting in jail for
three years without a trial for doing exactly that.

If I were you, I would erase everything concerning this from my system
and would not tell anybody about it.

OK, the sysadmin for that ISP is incompetent, but if you start pointing
fingers at incompetent people around you, you won't have enough of the 24 hours
in a day to pursue your crusade and you will make a lot of enemies.

Incompetent people don't want their incompetence exposed to everybody and
they will try everything to get back at you if you expose them, even
calling the cops on you.

Just don't do any business with that particular ISP.

Chris


> I'd say mail the sysadmin and tell them specifically what you did and
> didn't do, but don't do it too anonymously, because you want a reply from
> them to find out what actions they took. Basically there are two types of
> admins in a situation like this: one that learns from their mistakes and
> will thank you for pointing it out and patch it, or the type that feels
> violated by something like this, and they'll do whatever they can to
> track you down.


> >     Recently I discovered a major security hole in the web server of a big
> > American ISP, which was meant to contain the user pages of all its 9000
> > users. It did this, but also contained the passwd file, world readable, at
> > www.foo.net/etc/passwd. Later, when I travelled to their main page and read
> > all their pro-privacy claims, I couldn't believe that a sysadmin could be so
> > stupid.
> >     It was obvious the ISP didn't even bother running a cracker on their
> > password file, because I ran Crack with a minimal dictionary and discovered a
> > plethora of passwords, which all seemed to be valid. These passwords provide
> > access to the users' mail and web files, also allowing one to change and view
> > their account payment method.

> > Anyway nuff said....

> > I need some advice on what action, if any, I should take to notify the
> > sysadmin. Or should I just let him learn from his mistakes....

 
 
 

HELP - moral dilemma

Post by Urie » Wed, 22 Jul 1998 04:00:00


I've already found some holes on web servers, mostly the
old phf hole. One time I even found a link which provided
the passwd file of a web server. In all cases I mailed
the webmaster, and they were quite happy to hear of this
misconfiguration. I did it because I would appreciate it if
an anonymous user mailed me such things. No one is error-proof!

  But maybe I was lucky to find such friendly admins :-)
--
    Uriel

 
 
 

HELP - moral dilemma

Post by Randy M Bowi » Wed, 22 Jul 1998 04:00:00


I think the golden rule applies here.  Would you want someone to tell
you if you were the sysadmin of this site?  

If I were you I would tell him.  If he doesn't heed your warning then he
deserves what he gets.

Hope this is helpful.

Randy Bowie

 
 
 

HELP - moral dilemma

Post by Ian Stirlin » Thu, 23 Jul 1998 04:00:00



: I think the golden rule applies here.  Would you want someone to tell
: you if you were the sysadmin of this site?  

"and do you trust them not to be *enough to report you to the police,
and take you to court over it"

: If I were you I would tell him.  If he doesn't heed your warning then he
: deserves what he gets.

: Hope this is helpful.

: Randy Bowie

--
See http://www.veryComputer.com/;  |Linux PDA, cheap electronics/PC bits sale.
See_header,_for_UCE_policy___________|_____________________________Ian_Stirling.
He who lives in a glass house should not invite he who is without sin.

 
 
 

HELP - moral dilemma

Post by Ian Stirlin » Thu, 23 Jul 1998 04:00:00



: On Wed, 22 Jul 1998 09:07:11 +0100, in article


:>: I think the golden rule applies here.  Would you want someone to tell
:>: you if you were the sysadmin of this site?  
:>
:>"and do you trust them not to be *enough to report you to the police,
:>and take you to court over it"

: If it's available from their web or ftp site, then ANYONE can find it. Nothing
: to sue or prosecute over in that sense.  Now, if he had to go out of his way
: to get the info, then that MAY be another story.

So, it's all right if I pick a mobile phone off a car seat, because the window
was open?

It's all right if I kill someone, because I only had to push a button...

"It was easy" is rarely a defence in law.

IMO, the person originating this thread is more guilty than mitni[ck]*,
as they had no relation to the company, and they didn't even ask
him to do anything.
Running crack on the resultant file just makes prosecution more likely IMO.

Yes, it sucks, but it's probably an offence; whether it's convictable is
another matter.

--
See http://www.veryComputer.com/;  |Linux PDA, cheap electronics/PC bits sale.
See_header,_for_UCE_policy___________|_____________________________Ian_Stirling.
'Terror is the most effective political instrument.... I shall spread terror by
the surprise employment of all my measures.
The important thing is the sudden shock of an overwhelming fear of death.'
Adolf Hitler.

 
 
 

HELP - moral dilemma

Post by Barry Margoli » Thu, 23 Jul 1998 04:00:00





>: If it's available from their web or ftp site, then ANYONE can find it. Nothing
>: to sue or prosecute over in that sense.  Now, if he had to go out of his way
>: to get the info, then that MAY be another story.

>So, it's all right if I pick a mobile phone off a car seat, because the window
>was open?

The difference is that people are *expected* to visit public web sites.
People install web servers with the intent of allowing people to access
the files they contain.  If they want to restrict the files that should be
accessed, they should make use of the server's mechanisms for this.  In
fact, in many cases you have to go out of your way to allow access to files
outside a special server root directory; default configurations usually
don't permit this.

On the other hand, everyone knows that the contents of a car are private
property, regardless of the state of the window or door locks.  Some people
ignore this and steal from the car anyway, but they know they're doing
something wrong.

Stumbling across some inappropriate files on a public web server is no more
wrong than finding a wallet on the street.  A good person will return the
wallet with the money intact or notify the webmaster of their configuration
problem, but I don't think it's considered stealing or hacking if you
don't.  On the other hand, if you posted the URL for the inappropriate file
to a hacker board, that would be wrong.

--

GTE Internetworking, Powered by BBN, Cambridge, MA
*** DON'T SEND TECHNICAL QUESTIONS DIRECTLY TO ME, post them to newsgroups.

 
 
 

HELP - moral dilemma

Post by Brian Hamps » Thu, 23 Jul 1998 04:00:00


: Stumbling across some inappropriate files on a public web server is no more
: wrong than finding a wallet on the street.  A good person will return the
: wallet with the money intact or notify the webmaster of their configuration
: problem, but I don't think it's considered stealing or hacking if you
: don't.  On the other hand, if you posted the URL for the inappropriate file
: to a hacker board, that would be wrong.

How do people "stumble" across "/etc/passwd"?  They LOOK for it.  I get
requests to our web server for all kinds of things like phf and /etc/passwd
regularly.  I ALSO send mail to the admin of the domain for the system
that made the request.  People don't STUMBLE across files that aren't part
of your regular web hierarchy, as leads from your "front page".

my 0.02 (at current exchange...that should be about .001 <frown>)

--

UNIX *is* user-friendly, just picky about who it chooses for friends!

   Brian P. Hampson                  ASL Analytical Service Laboratories Ltd
   System Administrator,             Vancouver, BC (604)253-4188
   ----------------- http://www.asl-labs.bc.ca/ ----------------------------

These opinions are MINE I tell you ....all mine!!! (nobody else wants them)
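Brian's practice of watching the server log for requests that no link leads to, as an added example that is neither Brian's nor any project's code: it parses Common Log Format lines, flags hosts asking for /etc/passwd, the phf CGI or a ../ path, and tallies them per remote host so the admin of that host's domain can be mailed. The pattern set, the sample hostnames and the log lines are constructed for this example.

```python
import re
from collections import defaultdict
# NCSA/Apache Common Log Format: host ident authuser [date] "request" status bytes
CLF_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<when>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: \S+)?" (?P<status>\d{3}) (?P<size>\S+)$'
)
# Paths no link on a normal site leads to, so a request for one was deliberate.
# The pattern set and its names are this example's assumption, not a standard list.
PROBE_PATTERNS = {
    "passwd-fetch": re.compile(r'(^|/)etc/passwd($|\?)'),
    "phf-cgi": re.compile(r'/cgi-bin/phf($|\?)'),
    "dot-dot": re.compile(r'\.\./|%2e%2e%2f', re.I),
}

def parse_clf(line):
    """Fields of one CLF line as a dict, or None if the line does not parse."""
    m = CLF_RE.match(line.strip())
    return m.groupdict() if m else None

def classify(path):
    """Names of every probe pattern the requested path matches (empty if benign)."""
    return [name for name, rx in PROBE_PATTERNS.items() if rx.search(path)]

def find_probes(lines):
    """Map each probing host to its probe requests and the kinds of probe seen."""
    report = defaultdict(lambda: {"hits": [], "kinds": set()})
    for line in lines:
        rec = parse_clf(line)
        if rec is None:          # unparseable line: skip it, do not crash the scan
            continue
        kinds = classify(rec["path"])
        if kinds:
            report[rec["host"]]["hits"].append((rec["path"], rec["status"]))
            report[rec["host"]]["kinds"].update(kinds)
    return dict(report)

def summarize(log_text):
    """(host, sorted probe kinds, probe count) per host: who to write to about it."""
    report = find_probes(log_text.splitlines())
    return sorted((h, sorted(v["kinds"]), len(v["hits"])) for h, v in report.items())

# Constructed sample log: one ordinary visitor, one probing host, one garbled line.
SAMPLE_LOG = """\
dialup17.example.org - - [22/Jul/1998:09:07:11 +0100] "GET /index.html HTTP/1.0" 200 2341
dialup17.example.org - - [22/Jul/1998:09:07:12 +0100] "GET /images/logo.gif HTTP/1.0" 200 5120
scanner.example.net - - [22/Jul/1998:09:10:02 +0100] "GET /cgi-bin/phf HTTP/1.0" 404 213
scanner.example.net - - [22/Jul/1998:09:10:03 +0100] "GET /etc/passwd HTTP/1.0" 200 4410
scanner.example.net - - [22/Jul/1998:09:10:04 +0100] "GET /../../etc/passwd HTTP/1.0" 400 170
this line is not in CLF at all
"""

if __name__ == "__main__":
    for host, kinds, n in summarize(SAMPLE_LOG):
        print(f"{host}: {n} probe request(s) ({', '.join(kinds)})")
```

The status column is kept alongside each hit because a 200 on /etc/passwd, as in the original post, means the file really was served and the users need new passwords, not just a note to the remote admin.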

 
 
 

HELP - moral dilemma

Post by Bob Bec » Thu, 23 Jul 1998 04:00:00



> >How do people "stumble" across "/etc/passwd"?  They LOOK for it.  I get
> >requests to our web server for all kinds of things like phf and /etc/passwd
> >regularly.  I ALSO send mail to the admin of the domain for the system
> >that made the request.  People don't STUMBLE across files that aren't part
> >of your regular web hierarchy, as leads from your "front page".

> They ARE part of a regular ftp hierarchy so ftp://yoursite/etc  would show the
> passwd file used for ftp. Commonly, it's pared down to near nothing and even
> then doesn't carry passwords.  Sounds like someone simply copied the
> /etc/passwd to the ftp base directory's etc/passwd file without modifying it.

        Commonly yes, but some people also just love putting a bogus
one in there with gobs and gobs of crackable passwords in it.

        -Bob
--
Bob Beck                                   Computing and Network Services

True Evil hides its real intentions in its street address.
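The pared-down ftp passwd file discussed above, as an added example that is not any poster's or project's code: it audits a passwd-format file for entries that have no business under ~ftp/etc, namely real hashes, empty password fields and accounts beyond the few that ls needs to show owner names, and builds the stripped copy that belongs there instead. The sample entries and their hash-looking strings are constructed.

```python
# Traditional seven-field passwd line: name:passwd:uid:gid:gecos:home:shell
FIELDS = ("name", "passwd", "uid", "gid", "gecos", "home", "shell")

def parse_passwd(text):
    """Parse passwd-format text into one dict per entry; malformed lines raise."""
    entries = []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) != len(FIELDS):
            raise ValueError(f"line {n}: expected {len(FIELDS)} fields, got {len(parts)}")
        entries.append(dict(zip(FIELDS, parts)))
    return entries

def is_locked(pw_field):
    """'*' and '!' lock the account; 'x' means the hash lives in the shadow file.
    Anything else is material a password cracker can work on."""
    return pw_field == "*" or pw_field == "x" or pw_field.startswith("!")

def audit(text, needed=("root", "ftp")):
    """Findings for a passwd file placed under ~ftp/etc: (account, problem) pairs."""
    findings = []
    for e in parse_passwd(text):
        if e["passwd"] == "":
            findings.append((e["name"], "empty password field"))
        elif not is_locked(e["passwd"]):
            findings.append((e["name"], "real password hash exposed"))
        if e["name"] not in needed:
            findings.append((e["name"], "account not needed in the ftp area"))
    return findings

def pared_down(text, needed=("root", "ftp")):
    """The copy that belongs under ~ftp/etc: only the names ls needs to show
    owners, every password field '*', no GECOS, no home, no usable shell."""
    lines = []
    for e in parse_passwd(text):
        if e["name"] in needed:
            lines.append(":".join((e["name"], "*", e["uid"], e["gid"], "", "/", "/bin/false")))
    return "\n".join(lines) + "\n"

# Constructed sample: the "hash" strings are made up, not real password hashes.
SAMPLE = """\
root:Npge08pfz4wuk:0:0:root:/root:/bin/sh
ftp:*:14:50:FTP User:/home/ftp:/bin/false
alice::1001:100:Alice Example:/home/alice:/bin/sh
bob:a1B2c3D4e5F6g:1002:100:Bob Example:/home/bob:/bin/sh
"""

if __name__ == "__main__":
    for account, problem in audit(SAMPLE):
        print(f"{account}: {problem}")
    print(pared_down(SAMPLE), end="")
```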

 
 
 

HELP - moral dilemma

Post by chris burge » Fri, 24 Jul 1998 04:00:00




>: Stumbling across some inappropriate files on a public web server is no more
>: wrong than finding a wallet on the street.  A good person will return the
>: wallet with the money intact or notify the webmaster of their configuration
>: problem, but I don't think it's considered stealing or hacking if you
>: don't.  On the other hand, if you posted the URL for the inappropriate file
>: to a hacker board, that would be wrong.

>How do people "stumble" across "/etc/passwd"?  They LOOK for it.  I get
>requests to our web server for all kinds of things like phf and /etc/passwd
>regularly.  I ALSO send mail to the admin of the domain for the system
>that made the request.  People don't STUMBLE across files that aren't part
>of your regular web hierarchy, as leads from your "front page".

There's no moral dilemma here. Mail them, tell them that their password file
(and other files foo bar gazonk) is world-readable. If you want an excuse,
say you clicked on a link from an anonymous mail which you've deleted but

I'd access the file again using a browser which doesn't give a REFERER field
or cookies, or get the address again from an anonymous web gateway. Bear in
mind that they can get /etc/passwd requests from their webserver logs, and
one of those will be you already. By doing this you can claim the second
access only was yours, and deny the first access which will have to be
someone probing for /etc/passwd and which maybe will be trackable to various
other attempted CGI holes etc?

No blame, no culpability. They damn well should be grateful anyway. Brian is
right, though: you didn't stumble across this file, did you? Regardless,
they are broadcasting this information to a public medium, so the onus is on
them to not broadcast their users' personal data.

Don't tell them you ran crack on it and they won't prosecute you for running

Cheers,

Chris
--
chris burgess
http://www.veryComputer.com/

 
 
 

HELP - moral dilemma

Post by Regular Admin log » Fri, 24 Jul 1998 04:00:00


:       Commonly yes, but some people also just love putting a bogus
: one in there with gobs and gobs of crackable passwords in it.

:) There's something I hadn't thought of :)...then put a trace on a dummy
account :)

B.

--
UNIX *is* user-friendly, just picky about who it chooses for friends!

   Brian P. Hampson                  ASL Analytical Service Laboratories Ltd
   System Administrator,             Vancouver, BC (604)253-4188
   ----------------- http://www.asl-labs.bc.ca/ ----------------------------

These opinions are MINE I tell you ....all mine!!! (nobody else wants them)

 
 
 

HELP - moral dilemma

Post by Christian Trembla » Fri, 24 Jul 1998 04:00:00



> On Tue, 21 Jul 1998 10:23:44 -0400, in article


> >Be careful, be *very careful*. Kevin Mitnick has been rotting in jail for
> >three years without a trial for doing exactly that.

> That is NOT why he's rotting in jail without a trial.  He's rotting in jail
> without a trial because of CA's stupid laws. He's IN jail for hacking into
> systems he didn't own.

What I meant by "doing exactly that" was not warning people of the lack of
security in their systems but, as you say, "hacking into systems he
didn't own", and that is what the original poster did when he
retrieved the passwd file from the ISP.

Chris

 
 
 
