
Opinions on Zero Tolerance -- Richard Johnson



This material is Copyright © by Richard Johnson <Richard.Johnson@colorado.edu>.


In "TBTF for 1996-04-14: All Greek to me <http://www.atria.com/People/dawson/tbtf/archive/1996-04-14.html>"
dawson@world.std.com (Keith Dawson) wrote:

>||| Anatomy of a protracted Net attack |||
>
>Fred Cohen <fc@all.net> is president of Management Analytics in Hudson,
>Ohio, a consulting firm specializing in Net security. The firm operates
>the Info-Sec Heaven site at <http://all.net/> and publishes a monthly
>series of essays called "Internet Holes" [1] on information-security
>topics. The March essay [2] espoused a policy of "zero tolerance" for
>Net attacks:
>...


I find it almost amusing how Cohen has taken you in.

Cohen went overboard with his "zero tolerance" stance.  Like other
absolutists, he soon discovered that the world really was against him, but
only because of his absolutism.

Many systems and security administrators (myself included) find Cohen's
attitude very disturbing.  He was originally automatically sending 'your
user so-and-so is attempting to crack my system' messages to systems
administrators.  These messages far overstated the case.

After all, telnetting to a system is the easy way to see if it offers some
kind of responder service, and is common practice.  Also, many new Internet
users simply don't know the difference between telnet and lynx and...  To
top it off, Cohen's complaints weren't even sent by a human who had
reviewed the situation and found them necessary--they were generated
automatically for every "incident".  Cohen's alarmist messages had the
potential to cause harm (loss of accounts, financial losses, disciplinary
actions) to innocent people.  This was incredibly irresponsible of him.

It was also hypocritical of Cohen to send the complaints.  Before sending
his alarmism, he would attack the machine the connection was coming from in
an attempt to discover the identity of the user responsible.  This is
actually a serious security violation at one of my sites.  Finger service
is disabled because it offers, among other things, a way of determining
valid user names for password guessing attempts.  Of course, we log such
violations, but because finger (like telnet) is a common protocol, we don't
send alarming messages to the sysadmin at the originating site unless we
have harder info of a break-in attempt.  Unlike Cohen, we are responsible.

[However, note that we are seriously considering sending alarming messages
to the administrator (and CERT) if we receive any kind of connection from
any host in the "all.net" domain...]

As a direct result of Cohen's bombastic irresponsibility, a number of
civic-minded admins and users tried out Cohen's system.  I did so because:
1) I wanted to see what kind of lies he'd be telling about my users--I
didn't want to be blind-sided by a baseless complaint, and 2), more
importantly, I was required to see what kind of "attack" signature his
system generated so I could factor it out when deciding whether I was under
a real attack.

I thus triggered his irresponsible system from a number of the machines I
control.  Others who were irritated with Cohen's irresponsibility, in a
wonderfully done melding of protocols, set up web pages to increase the
load on Cohen's system.  Still others sent email to the humor mailing lists
and newsgroups they were on, saying 'after you've read about this kook's
response to telnets, you might want to try it out.'

Perhaps they were attempting to show Cohen how his irresponsibility could
be met with distributed social control.  Perhaps they were attempting to
show Cohen that automatic "telnet/finger" complaint wars were, like Canter
and Siegel's spam, a lose-lose proposition.  Cohen, in his absolutism, of
course appears to have misinterpreted this.  He began squalling about
hackers trying to hide their break-in attempts by duping innocents into
telnetting to his site.  You seem to have fallen for it all, just as the
mainstream press at first fell for Canter and Siegel's whining.

Basically, Cohen needs to get a clue.  He needs to realize that if someone
attempts to talk to a machine via telnet or finger or..., it's most likely an
innocent hello, not a "hey, kid, hop into my car" situation.  He should
certainly watch, but not make unfounded alarmist accusations until he
actually has something more solid.  He should especially not
_automatically_ make unfounded alarmist accusations.

In the end, it is only Cohen's irresponsibility and overreactions that have
caused his woes.  Any siege he was under was of his own making, brought on
by his absolutist and bombastic attitude.  A little reasonableness and
moderation on his part would have gone a long way towards enhancing his
reputation as a security practitioner, rather than enhancing his reputation
as a self-promoting net.kook.

Enough for now, I have to go 'telnet all.net' to see how Cohen has changed
his attack system.  I have an obligation to my clients and employers to
ignore such Cohen-crap while still detecting and stopping real attacks.
Having to periodically recalibrate my warnings to handle the fallout from
net.kooks like Cohen really sucks.


Richard Johnson


--
Disclaimer: This message has been carefully scrutinized and found to
contain not a whit of indecent material.  If you disagree, SCREW THE
CDA.  See <http://www.cdt.org/cda.html>.
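The policy Johnson argues for above (log every stray telnet or finger connection, escalate only on something more solid, and recalibrate to factor out a known noisy source rather than alarming on it) can be expressed as a small log-triage routine. The following is an added example written for this page; it is not code from Johnson, from the TBTF newsletter, or from all.net. It assumes a constructed log format of one `<epoch-seconds> <source-ip> <service>` record per line, and the thresholds, window length and addresses are assumptions chosen for illustration, not values from the message.

```python
"""Connection-log triage: watch everything, escalate only on a pattern.

Added example (not from the original message or any project it names).
Log format is an assumption: "<epoch> <src-ip> <service>" per line.
"""
from collections import defaultdict

# Escalation thresholds: assumptions chosen for the example. A single
# connection to a common protocol is treated as an "innocent hello".
DISTINCT_SERVICE_THRESHOLD = 3   # >= 3 distinct services inside one window
REPEAT_THRESHOLD = 10            # or >= 10 hits on one service inside a window
WINDOW_SECONDS = 600             # sliding window width


def parse_line(line):
    """Split one constructed log record into (timestamp, src, service)."""
    ts, src, service = line.split()
    return int(ts), src, service


def _window_stats(evs):
    """Worst-case (max distinct services, max repeats of one service)
    over any WINDOW_SECONDS-wide window of a source's sorted events."""
    best_distinct, best_repeat = 0, 0
    counts = defaultdict(int)
    left = 0
    for ts, svc in evs:
        counts[svc] += 1
        # Drop events that fell out of the window ending at ts.
        while evs[left][0] < ts - WINDOW_SECONDS:
            old_svc = evs[left][1]
            counts[old_svc] -= 1
            if counts[old_svc] == 0:
                del counts[old_svc]
            left += 1
        best_distinct = max(best_distinct, len(counts))
        best_repeat = max(best_repeat, max(counts.values()))
    return best_distinct, best_repeat


def triage(lines, known_noise=frozenset()):
    """Return {src: verdict} where verdict is "ignore", "log" or "escalate".

    known_noise lists sources whose traffic has been recalibrated out
    (e.g. a site known to probe back automatically); they are never
    escalated, so they cannot mask or inflate a real alert.
    """
    events = defaultdict(list)
    for line in lines:
        ts, src, service = parse_line(line)
        events[src].append((ts, service))

    verdicts = {}
    for src, evs in events.items():
        if src in known_noise:
            verdicts[src] = "ignore"
            continue
        evs.sort()
        distinct, repeat = _window_stats(evs)
        if distinct >= DISTINCT_SERVICE_THRESHOLD or repeat >= REPEAT_THRESHOLD:
            verdicts[src] = "escalate"   # harder evidence: a sweep or hammering
        else:
            verdicts[src] = "log"        # recorded, no message to anyone
    return verdicts


# Constructed sample log (all addresses and times are made up).
SAMPLE_LOG = (
    ["1000 10.0.0.5 telnet"]                                   # lone telnet
    + ["1000 10.0.0.6 finger", "1030 10.0.0.6 telnet"]         # two common hits
    + [f"{1000 + 20 * i} 10.0.0.7 {s}"                          # service sweep
       for i, s in enumerate(["telnet", "finger", "smtp", "pop3"])]
    + [f"{1000 + 5 * i} 10.0.0.8 finger" for i in range(12)]    # hammering finger
    + [f"{1000 + 720 * i} 10.0.0.10 finger" for i in range(12)] # 12 hits, 12 min apart
    + [f"{1000 + i} 192.0.2.9 telnet" for i in range(5)]        # known noisy source
)

if __name__ == "__main__":
    for src, verdict in sorted(triage(SAMPLE_LOG, frozenset({"192.0.2.9"})).items()):
        print(f"{src:12} {verdict}")
```

The point of the sliding window is the 10.0.0.10 case: the same twelve finger connections that escalate when packed into a minute stay at "log" when spread over two hours, because no 600-second window ever holds more than one of them. The `known_noise` set is the recalibration step Johnson describes, applied as an explicit suppression that is visible in the verdicts rather than a silent drop.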

[ TBTF for 1996-04-21 ]