Hacking tool 'draws FBI subpoenas'

R.A. Hettinga rah at shipwright.com
Fri Nov 26 09:12:00 EST 2004


The Register

 Biting the hand that feeds IT

The Register » Security » Network Security »

 Original URL:

Hacking tool 'draws FBI subpoenas'
By Kevin Poulsen, SecurityFocus (klp at securityfocus.com)
Published Thursday 25th November 2004 10:42 GMT

The author of the popular freeware hacking tool Nmap warned users this week
that FBI agents are increasingly seeking access to information from the
server logs of his download site, insecure.org.

"I may be forced by law to comply with legal, properly served subpoenas,"
wrote "Fyodor," the 27-year-old Silicon Valley coder responsible for the
post scanning tool, in a mailing list message. "At the same time, I'll try
to fight anything too broad... Protecting your privacy is important to me,
but Nmap users should be savvy enough to know that all of your network
activity leave traces."

Probably the most widely-used freeware hacking tool, Nmap is a
sophisticated port scanner that sends packets to a machine, or a network of
machines, in an attempt to discern what services are running and to make an
educated guess about the operating system. An Nmap port scan is a common
prelude to an intrusion attempt, and the tool is popular both with security
professionals performing penetration tests, and genuine intruders with
mischief in their hearts.

Last year Nmap crept into popular culture when the movie the Matrix
Reloaded depicted Carrie-Anne Moss's leather-clad superhacker Trinity
performing an Nmap portscan
(http://www.theregister.co.uk/2003/05/16/matrix_sequel_has_hacker_cred/) on
a power grid computer prior to hacking in.

But success comes with a price, and on Tuesday Fyodor felt the need to
broach the "sobering topic" of FBI subpoenas with his users. He advised his
most privacy conscious users to use proxy servers or other techniques when
downloading the latest version of Nmap if they want to ensure their

In a telephone interview, Fyodor said the disclaimer wasn't prompted by any
particular incident, and that he'd received "less than half-a-dozen"
subpoenas this year. "It's not a huge number, but I hadn't received any
before 2004, and so it's a striking new issue," he said.

None of the subpoenas produced anything, Fyodor says, either because they
sought old information that had already been deleted from his logs, or
because the subpoenas were improperly served. In every case the request has
been narrowly crafted, usually directed at finding out who visited the site
(http://www.insecure.org/) in a very short window of time, such as a five
minute period. "They have not made any broad requests like, 'Give me anyone
who's visited insecure.org for a certain day,'" he says.

Fyodor theorizes the FBI is investigating cases in which an intruder
downloaded Nmap directly onto a compromised machine. "They assume that she
might have obtained that URL by visiting the Nmap download page from her
home computer," he wrote.

He confesses mixed feelings over the issue. "The side of me that questions
authority is skeptical of these subpoenas," he told SecurityFocus. "The
other side says, this may be a very serious crime committed ... and if I
were the victim of such a crime I would probably want people to cooperate"

R. A. Hettinga <mailto: rah at ibuc.com>
The Internet Bearer Underwriting Corporation <http://www.ibuc.com/>
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'

The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com

More information about the cryptography mailing list