Notifying user of open Internet access

I was using some IP discovery tools, and found an IP addres on my providers
subnet with multiple open shares. This person is definitely open to
problems. It took no effort to map a share, and see all their files.
Ethically, it is wrong, but feel bad this person is exposed. How would YOU
handle this situtaion. If I send an anonymous email, then that person could
search the ISP log, and trace back. It is like watching someone in a car
crash bleeding to death, and not helping. Should I inform the user of their
vulnerabilities? Contact the ISP??

What would you do.

Ready for the "FLAME" war...but I am seriious...I would want to know, if I
was that vulnerabile.

 

I would report you to the local ISP for scanning my computer and hope
they yank your service.

What you did is a direct violation of most ISP's terms of service and
AUP.

As noble as you think your action are/were, you are no different than
the countless number of hackers in your actions. Since you have no
permission to scan the ISP's network, no permission to access the users
shares, you are in violation of many ethics rules and possibly could
loose your service.

 

##########################
That wasn't his question. He asked if he should inform them about the
hole. I don't think he should. They might try to blame him for the
problem which is the usual response. Don't try to be a hero. Pretend
you never even saw it.
donnie.

 

An analogy I've heard ... it's perfectly legal to walk around in an
apartment building, just not legal to walk into someone's apartment, even if
the door is open. I once did basically the same as you ... I was amazed at
the information available ... I stopped. My recommendation ...do nothing ...
it's their property, their responsibility. And stay off other peoples PCs.

 

In answer to what you did, the answer is would you "tell" someone you
downloaded a FTP file? HTTP?

Some have criticized your activity. If the share was open and you
retrieved files, not even sure to the illegality (not talking ethics) of
the question. If the computer had services exposed, without even
minimal security in place, I am not sure of a legal issue. The patriot
act defines the law as being broken when the threshold of damage exceeds
$500. If I remember right the telecommunications act threshold is
2500$. If the user was on a current WinX system they had to bypass many
warnings not to to expose the share.

If the browser of data did not use the information to personal or
detrimental gain, didn't transfer pornography, didn't upload data files,
didn't damage the remote system, didn't download copy write materials,
I suspect it would be difficult to be prosecuted. If this were a
commercial server doing interstate commerce there are other laws that
might come into play. If the user was on a Win9x system, well, they are
pretty much exposed with no firewall.

Scanning of systems is not a violation of law nor of many ISP rules,
unless it causes a denial of service condition, shaking a door handle is
not a violation, though entering a door might be an issue if the user
could prove the damage threshold.

There are several reasons this might occur:

1. User is an idiot. Possible and no amount of informing will
persuade/fix this user because the light bulb probably isn't on. It may
be some sort of malware has exposed his system so and the user wouldn't
understand the issue. Any file you retrieved could not be trusted, and
you prolly have better stuff on your own computer.

2. The hole is a honey pot. Good reason not to play.

3. The individual is purposely and deliberately sharing the shares
openly for a number of legitimate reasons. Sharing LDAP to host Net
meeting session(example).

4. Several p2p tools will do the behavior described if the user does
not constrain them properly, in fact they share the entire computer to
the world. This is probably the highest probability. The user is
probably a KAZZA user who installed the program with defaults sharing
c:\. I have seen this with several popular music file sharing programs.
This user probably already has more issues than he can handle and
probably belongs to paragraph 1.

Many applications will tell you the OS, computer name, every account on
the computer and whether or no a password is required to access the
account on the system, what shares are available, and other information
about the system (I didn't say properly configured systems). Exposed
NETBIOS is always informative. This is a common functionality of many
legitimate tools (Microsoft Visio for example). This is done by just
checking the door handle and never entering the system. This, in
itself, is not illegal.

As I write this I keep coming up with more reasons so I'll just stop let
y'all come with more reasons of your own.

But as far as the law is written I doubt you would have many legal
issues unless it happened to be a commercial or government host (While
they may not prosecute you, they might make life fun for awhile, there
are ways to hurt you even if they can't put you in jail (priced lawyers
lately?)) I don't know of any laws that prohibit foot printing ... yet.

Ethics on the other hand....

Winged

 

Even a ping _could_ be used to give you a hard time.

Just a few state selections.

http://www.capitol.state.tx.us/statutes/pe.toc.htm
Read 33.01. Definitions (1) "Access"
then 33.02. Breach of Computer Security (a)


http://www.umpqua.cc.or.us/policy/oregon-law.htm
Read 1 (a) then (4)

 

Actually, scanning ISP networks is a violation of MOST ISP's acceptable
use policies. The violator can have their service terminated for it.

 

"Effective consent" is a key issue of both the Texas and the Oregon laws
cited. If one has exposed (open access) services be it ftp, http, etc.
one has granted "effective consent" for anyone to access a system. Every
bot on the net has legal right to crawl your system. If one requires a
logon and password to acess a service "effective consent" is not
present. If one has ping services turned on one has granted "effective
consent" under the Oregon and Texas provisions cited. Unless you lock
the door, you provide "effective consent" under both of the laws cited.
If you have ping services turned on and exposed you have provided
"effective consent" for others to use those services.

This is why if you have an exposed computer in a public area one would
not be violation of the law (Texas example) to walk by a computer. If
that computer were secured where aceess would be restricted, walking by
that same computer "could" make you in violation of the law because
"effective consent" was not granted. If a company representative
granted you access to the same area under non fraudulent conditions
(access to the restricted area), you could not be prosecuted for the
same act of walking by the same computer in the same area because they
provided "effective consent" for you to walk by the computer.

Tricky little clause.

Winged

 

##########################
I agree w/ that 100%.
donnie

 

Your right!

Most ISP's don't pursue that clause unless it creates a problem (DOS) or
sufficient complaint. A properly performed scan will probably never be
noticed. In reality, they can deny service for almost no reason if they
choose IAW the agreement. Of course if service is denied, payment for
non-service is usually waived. Most ISPs work on credit and therefore
seldom invoke this clause. If a user is sufficiently worried about
their activities and their ISP reaction they should probably learn how
to do things differently, so not to raise the ire of the ISP
administrators. Afraid I don't worry much about scanners from a security
perspective(as long as they are not on "MY" network assets). Ethically
one should only scan "ones own owned" assets.

Winged

 

Texas escapes the consent with _or defect_ in (c)

Oregon did not even bother with consent.

They did that on purpose. Oregon was tired of the lawyers indicating
the same kind of logic you proposed.

Your "exposed computer in a public area" is not consent just like my
public exposure of my house's front door is not consent for you to
"communicate with the door knob" by twisting it.

 

"Effective Consent" does allow me to knock on the door. If you leave
the door open effective consent is implied. Effective consent may also
apply to a login on the system if it does not have a password, for
example some services may require a login (door closed) depending on the
generally accepted use of the service. A service with a login password
does not have effective consent to use that specific service (door
locked) unless effective consent was given to me by the system owner by
providing a login password. To make matters worse their are "some"
cases where a login password also provides "effective consent"
(anonymous FTP servers that require a mail addy for password comes to mind).

Effective consent does apply to the Oregon law. Effective consent is a
principle in law. It does not "have" to be specifically stated.

If a service is exposed and the service has no warnings on the specific
service, "effective consent" is implied under either states statutes.
If you exploit a service (for example using a buffer overrun) to gain
access that was not otherwise exposed, you are in violation of the
"effective consent" principle.

Under your argument any HTTP server I accessed in Texas or Oregon could
be considered illegal because did not have specific permission to access
the site.

"Effective consent" does not allow me to do any damage the system in
question, but if a service is open and exposed, one has implied consent
to access the system.

Exposed ICMP does provide effective consent under the law. If I pound
the ICMP port enough to impede or significantly impact the devices
normal operation I have lost effective consent because that can not be
considered reasonable use.

It is key, if one works in the computer security field, to understand
this concept. You must lock the computer doors with reasonable
precautions to prevent "effective consent".

Winged

 

Was not open, just not locked.

The law did not say so. That is my main point. The law was made that loose
because of the same kinds of arguments you have provied.

Some of the arguments by cracker's lawers were
How was my client to know the sys op was not giving consent because
the sys op failed to secure his machine correctly.

As for what computer industry thinks and what the lawyer provied is
just word twisting. What comes to mind whas the @home ads showing
unlimited internet access and the cutomers complaing of
throttled cablem modems and download quotas. Seems the unlimited
access meant you did not have to login to access the internet.

 

Holy S..T!!!!!
I may never use my computer again!!!! Just kidding.
I guess my only thought is, I have had a hacked Web Site (Chinese hackers,
by tracing back logs and IP numbers), and had a virus attack, that the ISP
said that I was sending out Viruses. If I received a note/letter/email
stating that my firewall was WIDE OPEN, I would first close it, and second,
thank whomever told me.

It is hard for me to believe that someone shouldn't do anything....I think
we are all "CLOSET HACKER". I would bet everyone on this list has used an
IP discovery tool. So, I will let the FOOL go down into the abyss of hacker
hell!!!

Thanks for the reply's!!!

 

At one time or another, before being information of it being against the
TOS for my ISP at the time (not the current one), I use to look/help
people that were exposed. When I use to get probed from SQL servers I
would open a session with them and send a NET SEND to their entire LAN
from the SQL Server telling everyone that the SQL server was fully
exposed (without a password) to the internet. In all that time, I never
saw one SQL server fixed or one computer fixed.

People that are exposed just don't get it, they don't really care, and
if they did care they would already have learned something about it.

What would be great is if the ISP's blocked ports 135~139 and 445
internally as well as externally, then we would have a lot less problems
with Windows based systems.

 

On this idea of "effective consent", the person has no password control,
allowing anyone to "MAP" effective drives to it. You use the usual FTP, and
HTTP rule. Are these exclusive to the rule.? Mapping a drive, using a NET
USE or NET VIEW command, and then viewing the contents, without a password,
would be considered "effective consent". I don't see the difference. The
WEB is made up of Clients (Browsers) and Servers (Web Hosts). So, basically
I can use my "BROWSER" i.e. Windows "Net View" command (Port 139 Scan) to
look for hosts.
This idea of Public or Private is confusing, If I set up an FTP Server for
myself, with "anonymous" as a user, have I given consent? Why is HTTP or
FTP (protocols) any different than from NET VIEW (Port 139) protocol scans.

I guess the idea is, if we see a car on fire, with people in it...Don't
help, because they might blame you for starting the fire!!!

 

No, there are laws to protect you from civil suites in cases of
emergency assistance, unless you are a medical type, then you are not
protected.

In the case of probes, looking for exposed systems, the users are
unaware that their systems are exposed, so no consent was intended or
provided.

 

############################
Unfortunately, when it comes to computer and telephone systems, that
is the case. They will blame you for the security holes or at least
exploiting them. Only once, did I tell someone that their computer
had files sharing enabled. The reason I notified them (and I say them
because it was a family network) was because they had wingate running
and someone was using their PC to post bad thinngs to usenet. I looked
up their # and called using a pre-paid calling card. The guy was very
appreciative but that's not always the case.
As an update to computers w/ file sharing enabled, it's almost down to
none. There was a time when one could find 40 opened PCs on a class C
subnet but now if there are 4 opened PCs on a class C subnet, it's a
lot. People have become a little more savvy either blocking it
manually or running firewalls.
donnie.

 

AMEN

Winged

 

######################
ISPs can't block those ports. There are people who want to share files
and they have the right to do that. Passwds are free, let them pick
one. That could be part of the TOS.
donnie.