July 6th - Website Defacement Day?
pabl0 writes "According to an article from SFGate.com (San Francisco Chronicle), a challenge has been posted, inviting web-site defacers to alter the content of as many web sites as possible on July 6th, with an apparent limit of 6,000 websites per contestant. Looks like this would be a good time to make sure all those web-server security patches are applied!"
Alternate Link for Article: http://www.msnbc.com/news/934055.asp?vts=070220031125
Yes, let's put this article on Slashdot, so a few million would-be hackers can go ahead and deface a couple of hundred websites apiece.
What the hell is wrong with you? This kind of coverage only causes trouble.
Hacking into servers and defacing websites is illegal, whether you like it or not. Doing things like this costs PEOPLE money.
And don't argue back with that "well Microsoft deserves to be defaced" bullshit argument, or anything of the sort. They don't deserve it anymore than you do.
Now watch me get modded down by all the haxx0r n00bz0rz with mod points.
wonder how many millions Homeland Security is going to spend "preparing" America for this one.
. SLASHDOT: Home of the vicious nerd.
I notice the 6th is a Sunday. It would have to be, so all the children can do it without missing school.
July 7th was announced as national handcluffing day when hordes of hackers would be paraded around the streets in major cities.
Siggy Say, Siggy Do
Slashdot has little to do with the defacement. Slashdot is simply reporting this.
This is just really awful. A huge call out for Script Kiddies of the world to unite. Terrible.
*shakes head*
*looks around*
*starts researching latest exploits*
*runs*
Canadian Cynic, canadian politics is less boring than you
Government Warns of Mass Hacker Attacks
I will bring out my honeypot then!
One is reminded of the perpetual debate in security: Whether to post an exploit to a group, in order for the vendor to have incentive to patch it, or wait and hope the vendor listens to you. There are excellent arguments on both sides.
This seems to be little different than that example. The challenge is unethical, as far as I am concerned. July 6 is a Sunday, for one thing--in general businesses do not hold normal shifts on a weekend, so this is going to surely cause more grief than an attack on, say, a Tuesday. Moreover, if successful, this could seriously halt a lot of legitimate business, personal, and other transactions across the Internet.
Is this a call to deface Web sites, or generally screw over sysadmins who oftentimes are paid beans to begin with? Shameful.
Page deface!
Challenge - July 6
Please stay away
From the AP article:
"The purported "prize" for participating hackers was 500-megabytes of online storage space, which made little sense to computer experts. They said hackers capable of breaking into thousands of computers could easily steal that amount of storage on corporate networks."
Given that you're going to do it anyway, why not start with the RIAA, MPAA, and SCO sites. After that, any spammers anyone happens to know.
"It's the height of ridiculousness to say for those 9 lines you get hundreds of millions."
The purported "prize" for participating hackers was 500-megabytes of online storage space
WOOHOO! After all that hacking into thousands of web-sites with who knows how many terabytes of storage, I can now get almost a FULL CD of free web-storage!!!! WOOHOO!!!
Wait, can I still use that in prison?
YOU SUCK BALLS!
It's just a massive slashdotting!
(someone had to say it)
I use Macs to up my productivity, so up yours Microsoft!
Please don't feed the trolls.
But don't quote me on that.
"The holiday weekend affords us an opportunity to get away from our workplace, relax and enjoy the summer weather. However, not everyone will be outside in the sunshine. Hackers will be in front of their computer screens trying to get into all of those computers"
I think the thing that pisses me off the most is that they assume that everyone gets to take the holiday weekend. I'm a grad student, I'll be inside working. They're such insensitive jerks sometimes.
New York officials urged companies to change default computer passwords, begin monitoring Web site activities more aggressively, remove unnecessary functions from server computers and apply the latest software repairs from vendors such as Microsoft Corp.
Well it took some doing, but I managed to get that latest Microsoft service pack installed on my web server. It said that it fixed a lot of issues, so I felt it was worth it, even though I run a Slackware 9.0 Linux server. Here's to hoping it reboots alright!
"But I'm sure that some people find a way to make money (or pork) from this "announcement". *sigh*"
That gets me wondering.... do you think this whole thing was set up by some security firm(s) to boost business?
~Berj
Registrant:
;)
of, Day (TPEEWXQFBD)
11 Albert Rd
AMITYVILLE, NY 11701
US
Does that place exist? If so *deface that*
I doubt it will be a real address though, however the idiocy of some people does often surprise me!
Writing viruses is also illegal...the key is not getting caught.
Website defacement -
Illegal and damaging.
Still beats going to church.
~Berj
Flame on, but, I don't think /. should be reporting this kind of story. Aside from all of us story loving, comment posting maniacs, /. does get viewed by our script kiddie "friends." There have been challenges before (as mentioned), this isn't anything new, most of which [however] have not had enough media attention to bother with. Remember the "April Fools Defacement Day" one that a few newspapers picked up on, last April? This is exactly the same thing. The more fuel we give the kiddies, the bigger mess they're going to make...
It's a sad day when replacing index.html is regarded as "hacking". The entire idea that only web servers are worthy of hacking just shows journalistic ignorance worthy of the New York Times.
Shutting down free speech with violence isn't fighting fascism. It IS fascism!
Whether we like it or not, Microsoft _has_ done a better job with security now, and Windows has gotten a lot more secure nowadays. Though in my opinion, sysadmins could do a LOT more to protect their Linux systems than their Windows systems (much more stuff is configurable), it is still fact that good security doesn't mean using Open Source Software like Linux or BSD and stopping there, it requires competent sysadmins and being updated about security, as well as using patches and new versions of software.
Or, you could just use NetBSD :)
or does anyone else think that the Feds are behind this challenge, as part of a massive sting operation?
"Freedom means freedom for everybody" -- Dick Cheney
I've heard of this approach being used for people with outstanding warrants... I'd assume once they become a suspect there'll be a warrant for their arrest.
AFAIK, entrapment is when police are involved in CAUSING someone to perpetrate a crime - for instance, if they were to hold an (illegal) hacking contest, then arrest the entrants.
~Berj
right both of you have said it, please, what the hell is a handcluff?!
Gee, I'd never have known about this small-time hacker stunt if /. hadn't brought it to the attention of millions. Talk about using your powers for mayhem, /. ...
Kevin Fox
First, these activities do not cost people money, they cost corporations money. I know, I know, this is supposed to trickle down to the individual level to where it hurts consumers. I think that the statement should be that "hacked web sites costs people time". Face it, who wants to come in on a Sunday to fix a hacked web page? Most salaried people receive no overtime for this type of work, so it costs them time. If there is any expense here, it is corporations who foot the bill, which relates to the next point...
Fixing web pages does not cost tens of thousands of dollars. A simple restore of an html page should not be perceived as an activity that puts a company into the red on a balance sheet. I still do not understand how corporations say that a cracker cost them $250,000 when someone replaces their corporate logo with Domokun. Perhaps it is because in reality this money is being spent to patch the holes they should have taken care of months ago? The headlines shouldn't say, "Hacker costs company $50,000 for hacked website!" The headline should say, "Company fails to follow basic security guidelines in patching their servers, costing their mismanaged budget $50,000."
Would I be pissed if my company's website was hacked? Yes. Would I be pissed if I had to take care of massive security holes on my Sabbath day? Yes. But would I accept the idea that it monetarily hurt my employer? No. This way of thinking needs to go.
--Chag
Regarding 'Mischief Night' -
:-}>
In America, we call that 'Weekends' and 'Holidays'...
Lodragan Draoidh
The more you explain it, the more I don't understand it. - Mark Twain
if i can replace your index.html..
i can probably replace or delete many other things. Yeah, still hacking.
Hmmm...july 3rd...counting down...
;)
;) Those are surely bill-able hours right?
/.'s troll ratio will drop, and IRC will become a pleasant experience....NOT! :^D
But...let's look on the positive side:
Let's say thousands of websites DO get de-faced (w00t - how very unlikely
A) Thousands of extra hours of work created to clean up the mess. (or not - y'all make backups right
And it's on the weekend, wahey! Double rates!
B) All the administrators of web-servers that WERE defaced will HAVE to examine the security of their web-servers. Improvements will HAVE to be made. If 'thousands' of web-servers are forced to improve their security...is that a bad thing?
C) Perhaps a lot of administrators (and PHB's) will notice that the most commonly defaced web-servers were (or are likely to be) those that run M$ software of some sort. Would that make them more likely to switch to OTHER software?
D) Hundreds of lamo script-kiddies prosecuted, jailed and/or permanently disallowed from using the internet. Excellent. Perhaps
I don't think your average web-site defacer has ever been too concerned about the positive repercussions of his or her actions before, and I find it highly unlikely that a competition with their peers is going to jump start their sense of ethical responsibility.
A lot of people in this thread will say that a benefit of roving defacement groups is that it helps to highlight poor security. Sure - In the same way that setting peoples houses alight helps to highlight the importance of changing your smoke detector batteries.
I call shenanigans. This might be a happy side-effect, but if your happy haquer was really concerned with improving security, how hard would it be to find the hole, and then mail the site admin from inside the network boundary, or leave a message somewhere apart from the frontpage and then tip off the administrator?
They could do this. But there's no bragging rights there - and that's what this is all about when you get right down to it:
- Bragging rights and a sense of importance within their peer group ( look at the 'shout outs' that accompany many defacements ).
- Mean spirited embarrassment for the victim
and in some rare cases
To answer your question, and echo a sentiment that will probably be seen in numerous other posts in this thread nothing positive will come from this that could not have been achieved by less disruptive, upsetting or destructive means.
As to those who said "Great, MS will bear the brunt of it", grow up. Your mean spirited and childish attitude does you zero credit. Cracker attacks are a menace that have to be faced by all sectors of the computer community, and wishing them upon your rivals smacks of extreme poor taste ( not to mention the fact that most of the actual victims are likely to be non-technical clients of hosting companies who do not understand, wish to understand, or control their hosting solution ).
One god, one market, one truth, one consumer.
Is this a call to deface Web sites, or generally screw over sysadmins who oftentimes are paid beans to begin with? Shameful.
Maybe if hundreds of corporate websites get defaced so easily, they'll actually wake up and START hiring more qualified sys admins for a decent salary, and STOP overworking those they have now.
Sometimes what a problem needs is a good exposing in order for someone to start fixing it. If everything's going along AOK where's the incentive for a business to change the status quo?
Coincidence? I think not!
~S
About 2 weeks ago I was running RedHat. I would have been running around frantically trying to track down any patches I might have missed, version-checking my RPM's...etc etc.
Once I read this I was like "crap crap crap, a whole lotta patching to do"
Then I SSH'ed to my server...
And remembered I was running debian...
apt-get update && apt-get upgrade...
I suddenly feel a lot better about the few hours it took me to make the switchover.
If I were running an MS server I would probably have had a near heart-attack by now. I've never needed the "newest-most-spectacular-greatest-ever-super-duper-new-version" of any of my daemons, so there's no problem at all with Deb, despite the arguments of many.
The domain was registered on June 21st. As of now, the official DNS servers don't know that domain and I think they never have in the past one and a half weeks. Maybe it's about to come up (a bit close then). It's certainly not /.ed, slashdotting doesn't remove domains from name servers (yet :)).
Of course it runs NetBSD. BTC: 1NT7QvbetmANwaMzhpVL6
1. Most everyday people have no idea how much 500mb of storage is. Saying something like that is an insult to the real hackers online.
2. The more stories the govt security groups cook up about the Phantom Menace the more they can represent themselves in a useful light.
3. There are rumors going around that FBI undercovers could be training underaged script kiddies to cause havoc, since they are easier to corrupt. (unfounded rumor/speculation dept)
4. The govt will use any means necessary to spread FUD about the internet so they can gain more control over it policing. The black boxes that were installed the day after 9/11 are a testament to that. Its taken them how long to catch up to just a fraction of what most people do online? Think about it.
5. If somebody wants to a group to deface 6000 web sites, they aren't going to put a target on their own heads by advertising it. The isp might not disclose who it is but they don't need their disclosure to get the info because of the Homeland Security Act. so why bother advertising that.
Cold-War tactics still apply people. Look how easy it is to spread FUD these days. Internet Security has only come into focus since the dot-com boom & decline. I could say more but this post would last forever. People easily forget the past. And sensationalizing articles like this is just adding more fuel to the fire.
Slashdot has become a media-hog now, get with the program people. Mod me down suckaz.. You know u want to.
this sig is classified..how about yours?
They were shut down by their ISP (Affinity), but I still have the English version in my cache from an earlier viewing:
http://www.insecure.org/tmp/defacers-challenge/
Note that Insecure.Org DOES NOT in any way condone or promote this so-called challenge. I'm just providing the link so people can see what the fuss was about. I'm planning to add a note to that effect to the top of the page in a few minutes. What I found most humorous is that they ask people to register in advance by sending in their contact info. That is a really great idea :).
-Fyodor
Concerned about your network security? Try the free Nmap Security Scanner
Sometimes people have to be burned before they will respect fire extinguishers.
;)
Our main webserver got hacked just last weekend. It was a RedHat 7.2 that was up for about 450 days straight and was kept pretty well patched. Unfortunately, some custom Apache stuff kept us held back on patching httpd. I guess it really does only take one weak link in the chain. Once they got in, they put in a rootkit called ZK and started setting up a hidden webserver where they were trying to sell web space on MY box.
Lucky for me, I had a couple of cron jobs in place that used a hidden copy of tripwire and chkrootkit to check for intrusion and shutdown the network interfaces after they mucked around with sshd and the known hosts file. A cheap trick, but it worked.
I'm actually glad it happened. My boss and all of upper management are finally taking security seriously, and I'm milking it for all it's worth. It's basically a blank check to lock down the fort. We've eliminated 75% of static NATs, shoved things off the LAN and onto the DMZ, closed dozens of ports, sprung for RHN subscriptions, eliminated several old NT4 servers, and generally did away with all the "convenient hacks" our engineers insisted on.
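The cron-driven integrity check described in the comment above, sketched as an added example: this is not the poster's script and not Tripwire, and the baseline format, function names and command-line shape are assumptions made for illustration.

```python
import hashlib
import json
import os
import sys


def sha256_file(path, chunk=65536):
    """Hash a file in chunks so large files need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def snapshot(paths):
    """Map each watched path to its digest and mode; absent files map to None."""
    state = {}
    for p in paths:
        if os.path.isfile(p):
            mode = oct(os.stat(p).st_mode & 0o7777)
            state[p] = {"sha256": sha256_file(p), "mode": mode}
        else:
            state[p] = None
    return state


def save_baseline(paths, baseline_file):
    """Record the known-good state. Keep this file where the web server
    account cannot write (read-only media or another host)."""
    with open(baseline_file, "w") as fh:
        json.dump(snapshot(paths), fh, indent=2, sort_keys=True)


def check(baseline_file):
    """Return sorted (path, finding) tuples for every deviation from baseline."""
    with open(baseline_file) as fh:
        baseline = json.load(fh)
    current = snapshot(baseline.keys())
    findings = []
    for path, old in baseline.items():
        new = current[path]
        if old == new:
            continue
        if new is None:
            findings.append((path, "missing"))
        elif old is None:
            findings.append((path, "appeared"))
        else:
            if old["sha256"] != new["sha256"]:
                findings.append((path, "content changed"))
            if old["mode"] != new["mode"]:
                findings.append((path, "mode changed"))
    return sorted(findings)


if __name__ == "__main__":
    # usage: fim.py init BASELINE FILE... | fim.py check BASELINE
    if len(sys.argv) >= 4 and sys.argv[1] == "init":
        save_baseline(sys.argv[3:], sys.argv[2])
    elif len(sys.argv) == 3 and sys.argv[1] == "check":
        results = check(sys.argv[2])
        for path, finding in results:
            print(f"ALERT {finding}: {path}")
        sys.exit(1 if results else 0)  # non-zero lets the cron wrapper react
```

Run from cron, the non-zero exit status is the hook for whatever response the site chooses, such as paging an admin or taking the interface down as the poster did.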
After seeing this submission published, I noticed several folks who mentioned the very good point that by posting this, I may very well be drawing the attention to the contest that would make it a "success". I essentially responded to this via a newly posted article on my site, but thought it was worth posting here as well, so that hopefully my reasoning will make more sense. (Article Follows.)
Thanks,
Paul Robinson
gotclue.net
1) Register domain with a discount webhoster
2) Upload a stupid hacking-contest website written in bad english
3) Make frontpage news, trigger homeland security defense program
4) ...
5) Profit?!?!
--- Eat my sig.
After all, we know Micro$oft servers are a lot easier to crack than Linux or BSD servers, so they'll probably take the brunt of this.
:D
It's asinine thinking like this that causes people to get hacked!
According to this article, 76% of boxes hacked in May were Linux boxes! Only 15% were Windows machines. It's just the simple thought that "oh it's open source, so it's gotta be secure!" that gets people to not update their stuff and get hacked.
Open source security vulnerabilities are just as frequent as Msft's, even moreso. Regardless of what you're running, you need to friggin update and stay on top of the game.
Or, you could just run chroot'ed Apache on OpenBSD.*
*The above statement shows the equal tradeoff between security and speed.
Slashdot may have informed a bunch of hackers about Defacement day, they are also informing a large number of sysadmins who will check their weekend backups and prepare for a Sunday in the office.
Of course, the smart thing to do is to deface your own web site, then you can take the weekend off 'cause the hackers will think you've already been tagged.
"The FBI is taking this very seriously," FBI spokesman Bill Murray said. "Hacking is a crime and those who participate in this activity will be investigated and brought to justice."
Bill then claimed that July 6th would never arrive for him as he is forever stuck on Groundhog Day. He then shot himself in front of reporters.
Need Free Juniper/NetScreen Support? JuniperForum
I don't have my own hosting, I just use the space verizon gives me, but I am not all that confident in the security that they provide, so I just make sure I have an up to date back of my web site, so if it is defaced I can put it back up.
Well, I also thought Defacement Day could be a good income opportunity. Web Admins could charge something like a hundred bucks then put whatever marks a hacker wants on the site. It would be a good way for cash-strapped sites to make a few bucks. The hacker could brag. If you play the game right, they might get some free publicity.
The only real problem I see is that I don't know if I would trust that the hacker I am dealing with gave me a legit credit card (it is really easy to steal credit card numbers at the local restaurant). Oh well, too many good ideas fall apart when you get down to the actual exchange of cash.
Return To Fetch Assholes? Rudely Tickle Free Apples? Regulate Three Fat Americans? Rummage Through Farting Anglos? Relocate The Fighting Armies? Reestablish Trouble For All? Resolve To Forget Anything? Rimjob Titties Farthead Assmaster?