lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <1101266365.3138.1.camel@anduin.pentest.ae>
From: shash at etisalat-nis.ae (Shashank Rai)
Subject: [Fwd: FBI Subpoenas]

FYI....

cheers
shashank

-----Forwarded Message-----
From: Fyodor <fyodor@...ecure.org>
To: nmap-hackers@...ecure.org
Subject: FBI Subpoenas
Date: Tue, 23 Nov 2004 17:41:49 -0800

Dear Nmap hackers,

Let me first wish you Americans a happy Thanksgiving.  Meanwhile, I'm
hard at work on a holiday Nmap version which should be available by
Christmas.

But enough pleasantries -- I want to discuss a sobering topic.  With
increasing regularity this year, FBI agents from all over the country
have contacted me demanding webserver log data from Insecure.Org.
They don't give me reasons, but they generally seem to be
investigating a specific attacker who they think may have visited the
Nmap page at a certain time.  If they see that an attacker ran the
command "wget http://download.insecure.org/nmap/dist/nmap-3.77.tgz"
from a compromised host, they assume that she might have obtained that
URL by visiting the Nmap download page from her home computer.  So
far, I have never given them anything.  In some cases, they asked too
late and data had already been purged through our data retention
policy.  In other cases, they failed to serve the subpoena properly.
Sometimes they try asking without a subpoena and give up when I demand
one.

One can argue whether helping the FBI is good or bad.  Remember that
they might be going after spammers, cyber-extortionists, DDOS kiddies,
etc.  In this, I wish them the best.  Nmap was designed to help
security -- the criminals and spammers put my work to shame!  But the
desirability of helping the FBI is immaterial -- I may be forced by
law to comply with legal, properly served subpoenas.  At the same
time, I'll try to fight anything too broad (like if they ask for
weblogs for a whole month).  Protecting your privacy is important to
me, but Nmap users should be savvy enough to know that all of your
network activity leave traces.  I'm not the only one who gets these
subpoenas -- large ISPs and webmail providers receive them daily.
Most other major security sites probably do too.  Most of you probably
don't care if someone finds out that you downloaded Nmap, Nessus,
Hping2, John the Ripper, etc.  Nothing on Insecure.Org is illegal.
But for those of you who do care, there are plenty of mechanisms
available to preserve your anonymity.  Remember this security mantra:
defense in depth.

Cheers,
Fyodor

--------------------------------------------------
For help using this (nmap-hackers) mailing list, send a blank email to 
nmap-hackers-help@...ecure.org . List archive: http://seclists.org


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ