ch13.htm

来自「Maximum Security (First Edition) 网络安全 英文」· HTM 代码 · 共 1,153 行 · 第 1/5 页

   US
   Domain Name: NETCOM.COM
   Administrative Contact:
      NETCOM Network Management  (NETCOM-NM)  dns-mgr@NETCOM.COM
      (408) 983-5970
   Technical Contact, Zone Contact:
      NETCOM DNS Administration  (NETCOM-DNS)  dns-tech@NETCOM.COM
      (408) 983-5970
   Record last updated on 03-Jan-97.
   Record created on 01-Feb-91.
   Domain servers in listed order:
   NETCOMSV.NETCOM.COM          192.100.81.101
   NS.NETCOM.COM                192.100.81.105
   AS3.NETCOM.COM               199.183.9.4
</FONT></PRE>
<P>Here, the snooping party has discovered that the provider is in the state of California.
(Note the location at the top of the WHOIS return listing, as well as the telephone
points of contact for the technical personnel.) This information will help tremendously;
the snooping party now proceeds to <A HREF="http://www.worldpages.com/"><TT>http://www.worldpages.com/</TT></A><TT>.</TT>
WorldPages is a massive database with a design very similar to the average White
Pages. It holds the names, e-mail addresses, and telephone numbers of several million
Internet users. (See Figure 13.8 for a screenshot of the top-level page of WorldPages.)</P>
<P><A NAME="08"></A><A HREF="08.htm"><B>Figure 13.8.</B></A><B><BR>
</B><I>The top-level page of WorldPages.</I></P>
<P>At WorldPages, the snooping party funnels your real name through a search engine,
specifying the state as California. Momentarily, he is confronted with a list of
matches that provide name, address, and telephone number. Here, he may run into some
trouble, depending on how common your name is. If your name is John Smith, the snooping
party will have to do further research. However, let us assume that your name is
not John Smith. Let's assume that your name is common, but not that common. So the
snooping party uncovers three addresses, each in a different California city: One
is in Sacramento, one is in Los Angeles, and one is in San Diego. How does he determine
which one is really you? He proceeds to the host utility.</P>
<P>The host utility (discussed briefly in Chapter 9, &quot;Scanners&quot;) will list
all the machines on a given network and their relative locations. With large networks,
it is common for a provider to have machines sprinkled at various locations throughout
a state. The <TT>host</TT> command can identify which workstations are located where.
In other words, it is generally trivial to obtain a listing of workstations by city.
These workstations are sometimes even named for the cities in which they are deposited.
Therefore, you may see an entry such as</P>
<PRE><FONT COLOR="#0066FF">chatsworth1.target_provider.com
</FONT></PRE>
<P>Chatsworth is a city in southern California. From this entry, we can assume that
<TT>chatsworth1.target_provider.com</TT> is located within the city of Chatsworth.
What remains for the snooper is to reexamine your Usenet post.</P>
<P>By examining the source code of your Usenet post, he can view the path the message
took. That path will look something like this:</P>
<PRE><FONT COLOR="#0066FF">news2.cais.com!in1.nntp.cais.net!feed1.news.erols.com!howland.erols.net! &#194;ix.netcom.com!news
</FONT></PRE>
<P>By examining this path, the snooping party can determine which server was used
to post the article. This information is then coupled with the value for the NNTP
posting host:</P>
<PRE><FONT COLOR="#0066FF">grc-ny4-20.ix.netcom.com
</FONT></PRE>
<P>The snooping party extracts the name of the posting server (the first entry along
the path). This is almost always expressed in its name state and not by its IP address.
For the snooping party to complete the process, however, the IP address is needed.
Therefore, he next Telnets to the posting host. When the Telnet session is initiated,
the hard, numeric IP is retrieved from DNS and printed to <TT>STDOUT</TT>. The snooping
party now has the IP address of the machine that accepted the original posting. This
IP address is then run against the outfile obtained by the <TT>host</TT> query. This
operation reveals the city in which the machine resides.


<BLOCKQUOTE>
	<P>
<HR>
<FONT COLOR="#000077"><B>TIP:</B></FONT><B> </B>If this information does not exactly
	match, the snooping party can employ other methods to get the location of the posting
	machine. One such technique is to issue a Traceroute request. When tracing the route
	to a machine that exists in another city, the route must invariably take a path through
	certain gateways. These are main switching points through which all traffic passes
	when going in or out of a city. Usually, these are high-level points, operated by
	telecommunication companies like MCI, Sprint, and so forth. Most have city names
	within their address. Bloomington and Los Angeles are two well-known points. Thus,
	even if the reconciliation of the posting machine's name fails against the host outfile,
	a Traceroute will reveal the approximate location of the machine. 
<HR>


</BLOCKQUOTE>

<P>Having obtained this information (and having now differentiated you from the other
names), he returns to WorldPages and chooses your name. Within seconds, a graphical
map of your neighborhood appears. The exact location of your home is marked on the
map by a circle. The snooping party now knows exactly where you live and how to get
there. From this point, he can begin to gather more interesting information about
you. For example:

<UL>
	<LI>The snooping party can determine your status as a registered voter and your political
	affiliations. He obtains this information at <A HREF="http://www.wdia.com/lycos/voter-records.htm"><TT>http://www.wdia.com/lycos/voter-records.htm</TT></A>.<BR>
	<BR>
	
	<LI>From federal election records online, he can determine which candidates you support
	and how much you have contributed. He gets this information from <A HREF="http://www.tray.com/fecinfo/zip.htm"><TT>http://www.tray.com/fecinfo/zip.htm</TT></A>.<BR>
	<BR>
	
	<LI>He can also get your Social Security number and date of birth. This information
	is available at <A HREF="http://kadima.com/"><TT>http://kadima.com/</TT></A>.
</UL>

<P>Many users are not bothered by this. Among those people, the prevailing attitude
is that all such information is available through sources other than the Internet.
The problem is that the Internet brings these sources of information together. Integration
of such information allows this activity to be conducted on a wholesale basis, and
that's where the trouble begins.</P>
<P>It is now possible (using the techniques described here) to build models of human
networks--that is, it is now possible to identify all members of a particular class.
It is also possible to analyze the relationships between them. This changes the perspective
for intelligence agencies.</P>
<P>Years ago, gathering domestic intelligence was a laborious process. It required
some element, however slim, of human intelligence. (<I>Human intelligence</I> here
refers to the use of human beings to gather information as opposed to machines or
other, automated processes.) Thus, to get the low-down on the Students for a Democratic
Society, for example, intelligence agencies had to send agents on foot. These agents
had to mix with the crowd, record license plate numbers, or gather names at a rally.
Today, those methods are no longer necessary.</P>
<P>Today, the Internet provides a superb tool to monitor the public sentiment (and
perhaps to identify those who conspire to take up arms). In some respects, one might
concede that this is good. Certainly, if individuals are discussing violence or crime,
and they contemplate these issues online, it seems suitable that law-enforcement
agencies can take advantage of this emerging technology. However, it should be recognized
here that the practice of building models of human networks via the Internet violates
no law. It amounts to free spying, without a warrant. Put more bluntly, we Americans
do often have big mouths. Some of us would do better to keep quiet.</P>
<P>Before I continue, I want to make one point clear: Complete anonymity on the Internet
is possible, but not legally. Given enough time, for example, authorities could trace
a message posted via anonymous remailer (although, if that message were chained through
several remailers, the task would be far more complex). The problem is in the design
of the Internet itself. As Ralf Hauser and Gene Tsudik note in their article &quot;On
Shopping Incognito&quot;:

<DL>
	<DD>From the outset the nature of current network protocols and applications runs
	counter to privacy. The vast majority have one thing in common: they faithfully communicate
	end-point identification information. `End-point' in this context can denote a user
	(with a unique ID), a network address or an organization name. For example, electronic
	mail routinely communicates sender's address in the header. File transfer (e.g.,
	FTP), remote login (e.g. Telnet), and hypertext browsers (e.g. WWW) expose addresses,
	host names and IDs of their users.
</DL>

<P>Indeed, the process starts at the very moment of connection. For example, workstations
connected to a network that is directly wired to the Net all have permanent addressing
schemes. Certainly, an Ethernet spoof will not carry when crossing the bridge to
IP; therefore, fixed stations permanently strung to the Internet will always have
the same IP. And, short of the operator of such a workstation getting root access
(and altering the routing tables), there is little that can be done in this regard.</P>
<P>Similarly, the average user's IP is dependent solely upon his server. Consider
the exchange that occurs in a dial-up account. (See Figure 13.9.)</P>
<P><A NAME="09"></A><A HREF="09.htm"><B>Figure 13.9.</B></A><B><BR>
</B><I>A little case study: dynamic IP allocation.</I></P>
<P>Most servers are now running some form of dynamic IP allocation. This is a very
simple but innovative system. Examine the Ethernet arrangement to the right of Figure
13.9 (a garden-variety rack of headless workstations). Each machine on that network
can allocate a certain number of IP addresses. Let's make it simple and say that
each workstation can allocate 254 of them. Think of each address as a spoke in a
bicycle wheel. Let's also assume that the IP address for one of these boxes is <TT>199.171.180.2</TT>
(this is an imaginary address). If no one is logged on, we say that the available
addresses (on that box) range from <TT>199.171.180.3</TT> to <TT>199.171.180.255</TT>.</P>
<P>As long as only a portion of these address are occupied, additional addresses
will be allocated. However, what if they are all allocated? In that case, the first
one to be disengaged will be the next available IP. That is, suppose they are all
allocated and you currently occupy <TT>199.171.180.210</TT>. As soon as you disconnect
(and if no one else does before the next call), the very next customer will be allocated
the address <TT>199.171.180.210</TT>. It is a free slot (left free because you have
disconnected), and the next caller grabs it. The spokes of the wheel are again fully
occupied.


<BLOCKQUOTE>
	<P>
<HR>
<FONT COLOR="#000077"><B>TIP:</B></FONT><B> </B>In practice, the process is more
	complex, involving more hardware and so forth. However, here we are just concerned
	with the address allocation, so I have greatly simplified the process. 
<HR>


</BLOCKQUOTE>

<P>This demonstrates that in dynamic IP allocation, you will likely have a different
address each time you connect. Many individuals who run illegal BBS systems on the
Internet take advantage of this phenomenon.


<BLOCKQUOTE>
	<P>
<HR>
<FONT COLOR="#000077"><B>NOTE:</B></FONT><B> </B>The term <I>illegal</I> here refers
	to those BBS systems that distribute unlawful software. This does not have to be
	<I>warez</I> (pirated software) either. Certain types of cellular cloning software,
	for example, are unlawful to possess. Distribution of such software will bring the
	authorities to your door. Likewise, &quot;illegal&quot; BBS activity can be where
	the operator and members engage in cracking while logged on. Lastly, those BBS systems
	that distribute child pornography are, quite obviously, illegal. 
<HR>


</BLOCKQUOTE>

<P>The dynamic allocation allows users to perform a little parlor trick of sorts.
Because the IP is different each time, an illegal BBS can be a moving target. That
is, even if law-enforcement officials suspect the activity being undertaken, they
are not sure where it is happening without further research.</P>
<P>Typically, this type of setup involves the perpetrators using a networked operating
system (almost always Linux or FreeBSD) that allows remote logins. (These logins
may include FTP, Telnet, Gopher, and so on. It is also fairly common to see at least
sparse HTTP activity, although it is almost always protected using <TT>htpasswd</TT>.)
It is also common for the operator of such a board to request that users use SSH,
S/Key, or some other, secure remote-login software so that third parties cannot snoop
the activity there.</P>
<P>Typically, the operator connects using the networked operating system and, after
having determined the IP for the night, he mails out the network address to the members
of the group. (This is usually an automated process, run through a Perl script or
some other shell language.) The mailed message need be no more than a blank one,
because all that is important is the source address.</P>
<P>For the brief period that this BBS is connected, it effectively serves as a shadowed
server in the void. No one would know of its existence unless they scanned for it.
Most often, the operator will kill both finger and the <TT>r</TT> services, therefore
blocking the prying eyes of third parties from determining who is logged to the server.
Moreover, the operator has usually gained some privileged access to his provider's
network and, having done so, can obscure his presence in system logs.</P>
<P>For the individuals in these groups, relative anonymity is realized because, even
if an outside party later questions the sysad of the provider, the logs may be very
sparse. Most system administrators are reluctant to kill an account without adequate
proof. True, the logs at any outside network would show some activity and the IP
it originated from, but that is not enough. If the syst