Cryptome Hacked; All Files Deleted

eldavojohn writes "Over the weekend, the whistle blowing site Cryptome was hacked and vandalized, resulting in all 54,000 files being deleted and two days worth of submissions lost. Cryptome reported that its EarthLink e-mail account was compromised in ways unknown, and once the attacker was inside there, they were able to request a new password from the administration console for Cryptome at their hosting provider, Network Solutions. Once the attacker had that password, they deleted the ~7 GB of data that Cryptome hosted in around 54,000 files. Cryptome was able to eventually restore the site, as they keep backups ready for cases like this and stated that they 'do not trust our ISP, email provider and officials to tell the truth or protect us.'"

Editing!

[GuJiaXian]

Holy cow, please edit the submissions before posting them.

*sigh* I'll get modded down for having the nerve to ask for a baseline of professionalism, won't I?

Re:Editing!

[The+MAZZTer]

I'm glad they reminded me it happened on the weekend, I have a short attention span and forgot by the time I reached the end of the first line.

Re:Editing!

[siddesu]

Professionalism? How about a baseline of a spelling, grammar and general writing skills?

/ Kill me with moderation, William "B.J." Blazkowicz, I am in a Grammar Nazi mood today.

Re:Editing!

[Dishevel]

You require an editor as well.

Re:Editing!

No, because you followed Slashdot Tip for Getting Modded Up #1: "Whine about getting modded down in your post."

Re:Editing!

[Raenex]

I know I'll get modded down for saying this, but parent is right.

Re:Editing!

[mcgrew]

Over the weekend, the whistle blowing site Cryptome was hacked and vandalized this weekend

-1, redundant. Brought to you by the slashdot department of redundancy department.

Re:Editing!

[slashdotwannabe]

See? It works!

...what?

[blhack]

The real WTF here is that

A) Cryptome is running on Network Solutions
B) The email associated with the account is on *earthlink* ???
C) None of these things have been shut down.

Seriously, doesn't cryptome host some pretty shady stuff? On the same level as wikileaks, isn't it? What the hell is going on here?

Re:...what?

[Xemu]

I don't believe their Earthlink account was *hacked*.

http://www.skeptictank.org/hs/elcoslnk.htm">Earthlink is connected to the Scentology cult, which are known for hating free spech on the internet. If Cryptome had hosted anything remotely connected with Scientology, they would not hesitate to use that email account to hurt Cryptome.

Re:...what?

[curmudgeous]

...Earthlink is connected to the Scentology cult...

Man, that really stinks.

Re:...what?

[pugugly]

Nah - you'd be able to smell *their* vile stench when you came on board!

Pug

Re:...what?

[blantonl]

The owner is an old crusty guy that lives in NYC - not that there is anything wrong with that, but he's an old school guy and, well, what you see is what you get.

Re:...what?

[misexistentialist]

More likely Earthlink, like all ISPs, has a substandard email system. If Scientologists were involved they would have had to pay a $15000 education fee and been forced to run around a pole for 3 days for leaving the backups.

Re:...what?

[MadAhab]

Meaning, he's been getting away with not doing hotter backups this long, and isn't likely to change.

Re:...what?

[ls671]

Come on, give the guy a break. He is only protecting himself against potential lawsuits.

Re:...what?

[tisepti]

Is there any evidence of this? All I saw at that website was a simple assertion.

Re:...what?

[Da_Biz]

Scientology would never try to compromise anything confidential!

Well, except for that one Operation Snow White thing: http://en.wikipedia.org/wiki/Operation_snow_white

Hmmm.

[Monkeedude1212]

stated that they 'do not trust our ISP, email provider and officials to tell the truth or protect us.'"

Just like I wouldn't trust you not to pull something like this for publicity's sake, but I guess in both cases, no one will ever know, so its moot.

Re:Hmmm.

[hoggoth]

> no one will ever know, so its moot.

Oh Christ don't bring 4chan into this!

Re:Hmmm.

[interkin3tic]

I'd expect that if it were a publicity stunt, they might mention a possible motive. As it is, I'd probably guess it's something like a bored teenager who was too lazy to scratch some vulgarity on a bathroom wall. Had they made even a tenuous conspiracy theory I might be more interested. Interested enough to click on over to cryptome anyway.

Not to say that obviously this isn't a publicity stunt because it could have been done more effectively.

Earthlink? Network Solutions?

[longacre]

Basically this stuff was never safe to begin with, and you're an idiot if you post anything there expecting to be anonymous.

Re:Earthlink? Network Solutions?

[caffeinemessiah]

and you're an idiot if you post anything there expecting to be anonymous.

Why? If I really wanted to post something anonymously, I would set up a network of proxy SSH severs paid for with prepaid debit cards (purchased using cash), change the wireless MAC on a throwaway secondhand laptop (purchased using cash off Craigslist), walk down to the local Starbucks, access my proxy setup through Tor, and then be reasonably confident that I would be able to do anything anonymously. Of course, I would only post plain text files.

So I don't really understand why you would be an idiot for expecting anonymity if you went to the pains of taking care of it.

Re:Earthlink? Network Solutions?

[MadAhab]

Oh it's much easier than hiding behind 7 Boxxys.

Have an account on your laptop that you never use anything. Have it clean your webserver - and flash - cookies on logout.

cybercafe, post, blah blah.

Re:Earthlink? Network Solutions?

[hairyfeet]

Or if you really wanted to be paranoid just use a Linux that can run in RAM like Puppy with a throw away wireless card, or even just use XP and DBAN the drive afterward. Then simply go to any coffee shop and use Tor and you simply restore the OS from image (depending on the drive 10-45 minutes) and toss the wireless card in the dumpster when done. Tada! And this way if anybody did manage to come looking they would be welcome to take the laptop as all they'd find on it was your bog standard boring everyday web surfing habits. Hell you wouldn't even have to waste the laptop as there is nothing to find on the drive and the MAC wouldn't match any records at the coffee shop for the day in question.

That is why we geeks can be dangerous little critters, give us a problem we WILL find a way to solve it!

Re:Earthlink? Network Solutions?

[arth1]

The problem is that if you post something that's supposed to be a secret, all those in know have to ask is "who knew and had the opportunity?", and take it from there.
They don't need to trace you back, they can get you from the other end, and then the CCD showing you walking in to Starbucks with a laptop under your hand combined with your ATM withdrawals is enough to put the focus on you instead of the others.

The only way to truly be anonymous is to keep it all in your head. Personally, I opt for the better solution of working for a future society where you don't have to be anonymous.

Re:Earthlink? Network Solutions?

[Nethead]

Don't forget to wipe the security cameras.

You think they can't just find out when the pre-paid debit card was activated/used and look at the store videos?

It's very hard to do a taxable transaction these days without it ending up on video somewhere.

Re:Earthlink? Network Solutions?

[internettoughguy]

Don't forget to wipe the security cameras.

You think they can't just find out when the pre-paid debit card was activated/used and look at the store videos?

It's very hard to do a taxable transaction these days without it ending up on video somewhere.

Wear a Burqa; unless of course you're in France.

Re:Earthlink? Network Solutions?

[L4t3r4lu5]

You'll be on CCTV in Starbucks. Best to wardrive in the carpark behind.

Re:Earthlink? Network Solutions?

[BlueStrat]

Or if you really wanted to be paranoid just use a Linux that can run in RAM like Puppy

Even more hardcore, pull the hard drive and use a locked-down & encrypted/proxied OpenBSD live CD along the lines of AnonymOS plus the other measures mentioned. Then torch and send to a watery grave both the laptop and the live CD in different locations. Be sure to do this all underground because of satellites/drones, avoid store/bank security cameras, don't carry a cellphone, and don't let the tinfoil hat get too tight.

And I don't care how hot that chick at the bar is, you don't brag about it, or...oooo...wait, what am I thinking!?!? This is Slashdot! Never mind, carry on!

Strat

Re:Earthlink? Network Solutions?

[inKubus]

They would instantly have your MAC and then track down the person who you bought the laptop from who would describe you, and possibly still have some of the cash you gave them with your fingerprints. Tor is useless if they can watch both ends, and they can and are. U.S. Mail is far more secure than anything you can do on the internet...

Re:Earthlink? Network Solutions?

[NeMon'ess]

Video backup systems don't store the feed forever. Waiting a month to use the activated cards should be enough time.

Re:Earthlink? Network Solutions?

[RockDoctor]

Best to wardrive in the carpark behind.

Don't forget to use fake plates on the car.

Backups for the win!

[Local+ID10T]

Seriously, back up your data. Multiple copies in multiple locations.

These guys were smart enough to keep backups (hopefully up-to-date backups) so this is nothing more than an annoyance to them, but if they hadn't it would be what we refer to around here as a resume-generating-event.

If it's worth keeping, its worth backing up.

Re:Backups for the win!

[erroneus]

But they weren't smart enough to mirror submissions to other servers and so two days of submissions were lost. Those two days could easily have been the target. If so, then mission accomplished.

Re:Backups for the win!

[phyrexianshaw.ca]

Apparently they were not smart enough to host using their own hardware with no administrative access for anyone else.

Apparently you don't quite understand how the majority of small sites on the internet work.

the above would make a LOT more sense if it had said:

Apparently they didn't have enough money to host using their own hardware with no administrative access for anyone else.

Re:Backups for the win!

[Facegarden]

Seriously, back up your data. Multiple copies in multiple locations.

These guys were smart enough to keep backups (hopefully up-to-date backups) so this is nothing more than an annoyance to them, but if they hadn't it would be what we refer to around here as a resume-generating-event.

If it's worth keeping, its worth backing up.

Yeah, seriously. I work at a small (10 people) company, and I still have us set up with an Ubuntu server with nightly incremental backups to a second machine, as well as weekly full backups to the second machine and the server itself that go back 6 weeks. Every month I do the same thing, and keep those for 6 months. I also backup manually to an external USB drive once every month or so.

It took a bit of time out of my schedule to setup, but now it just goes, and damn if having backups isn't amazing. Our issue here is usually not one of drive failure, but of users accidentally erasing a file. They come running to me, and I can grab the most recent copy in 30 seconds.

I feel like most small businesses aren't that well-prepared, but I encourage anyone else that can to do it.
-Taylor

Re:Backups for the win!

[gman003]

Quite likely, any important submissions will be resubmitted. Not all, of course, but if I had something that I felt HAD to be leaked, I would keep leaking it until it stuck.

Re:Backups for the win!

[taucross]

Of course the important submissions will be resubmitted. Unless the submitter died from a suicide, or heart attack.

Re:Backups for the win!

[fenix849]

Well obviously.. /sarcasm

Re:Backups for the win!

[Lehk228]

well if scientology was involved the suicide was probably carried out with a shotgun to the back of the head, twice for good measure

Re:Backups for the win!

[Thing+1]

Quick! Report all suicides and heart attacks around the time that this happened!

Re:Backups for the win!

[elucido]

well if scientology was involved the suicide was probably carried out with a shotgun to the back of the head, twice for good measure

Why would it be scientology? While I do not put it past them, since when did they have this sort of capability?

Re:Backups for the win!

[White+Shade]

Since scientology (and, indeed, any large organization) probably has at least 1 person in its member pool who is crazy enough to shoot someone if they were convinced to...

I'm sure they're more than capable, as, again, is pretty much any large organization, but somehow I doubt even with all the paranoia around scientology that they're really killing people.

A little paranoid.

[LWATCDR]

Your high profile site got hacked and you blame everyone else.
Well you did pick your ISP and email provider. Honestly folks might I suggest RackSpace? We use them and they have been great if a little expensive but you get what you pay for.

Re:A little paranoid.

There's whistle-blowers and whistle-blowers. Cryptome are the better sort; they are open about their agenda and show some integrity, unlike Wikileaks, who alternately demand journalistic privileges and refuse to exercise journalistic discretion, all while pursuing an explicitly anti-American agenda.

(Wikileaks fanboys: I will take that comment back the day Wikileaks releases a document that seriously hurts Russia, China, or Iran. Or pretty much anyone else other than the USA and her allies. Or indeed any country that is not a western democracy. Not holding my breath here.)

Re:A little paranoid.

I basically agree with you. The post I was replying to was clearly talking about Cryptome, not Wikileaks. You clearly haven't looked at the various Wikileaks leaks regarding Iran and China, though.

Re:A little paranoid.

Good work soldier! Wikileaks is obviously a Soviet cover operation to rape our baby seal sand sabotage the fourth of july, blow up over the woods so that to grandmothers house we can't go.

Re:A little paranoid.

Just throwing this out there. Could it be that they just never get information from Russia, China and Iran? Or if they do, they're unable to test it's validity?

Re:A little paranoid.

[russotto]

(Wikileaks fanboys: I will take that comment back the day Wikileaks releases a document that seriously hurts Russia, China, or Iran. Or pretty much anyone else other than the USA and her allies. Or indeed any country that is not a western democracy. Not holding my breath here.)

It's easier and safer to leak documents from western democracies. And there's also the issue of news. The US or a European country does something bad, it's news. Russia, China, and Iran do something bad... well, what did you expect? They're totalitarian countries bent on world domination.

ObCarAnalogy: A Yugo breaking down on the way home from the dealership, versus your Honda doing the same.

Anyway, has Wikileaks really seriously hurt ANY country? They overestimate their own impact.

Re:A little paranoid.

[Peeteriz]

Wikileaks doesn't harm western democracies - they do inconvenience the administrations, but the whole concept of leaks are great for the society, citizens, and especially the democracy part; silencing leaks would harm western democracy and destroy the whole meaning of it. I don't care about Chinese government cheating their citizens - that's their problem, I want to be informed about the failures and lies of *my* officials that I elected and that affect my country. I don't want to improve country reputation by simply hiding unflattering things, I want to improve the reputation by fixing the faults. Lying to ourselves about bad stuff not happening is the domain of North Korea, not the western world.

And what do you mean about "journalistic discretion" ? The big newspapers that are following your so-called "journalistic discretion" shouldn't be allowed to call themselves journalists because of this anymore. In earlier times they did proper journalism, dug up the dirt themselves, interviewed informants, cared about their reputation of protecting the anonymity of their sources and fought for the right of publishing facts for the society, even and especially if the goverment claims to be harmed by the facts - for example, the Pentagon papers case. Now wikileaks has picked up the slack where the "journalists" are failing their role in society, and it's a shame - but a shame for the publishing industry.

Re:A little paranoid.

[moortak]

Kenya, Somalia, and the Ivory Coast are not exactly western democracies and have all been exposed for various things. Oh and as for Iran http://www.telegraph.co.uk/news/worldnews/asia/afghanistan/7910926/Wikileaks-Afghanistan-Iran-accused-of-supporting-Taliban-attacks.html

Re:A little paranoid.

[c_forq]

He didn't say anything about the news picking it up, but of Wikileaks releasing it. Or are you suggesting Wikileaks should just sit on anything that isn't worthy of mainstream media attention?

Re:A little paranoid.

[c_forq]

Did you seriously just cite the leak of AMERICAN documents as Wikileaks publishing whistleblower documents damaging to Iran?

Re:A little paranoid.

[moortak]

Yes, when they include Iran performing actions that hurt their image.

Re:A little paranoid.

[c_forq]

It's American documents ALLEGING Iran is interfering. America has a vested interest in hurting Iran's image. Who in their right ming would give that any credibility, especially after all the American documents saying Iraq had weapons of mass destruction.

Re:A little paranoid.

[LWATCDR]

Actually I have no problem with Cryptome at all.
I have a problem with blaming people and cooking up conspiracy theories.
Cryptome was blaming the host and says they can not trust them. Why did they pick them?
They are blaming their email provider. Well you picked those as well.
When you run a site the ultimate responsibility for security is you. You choose your hosting.
Maybe they should pick a better host and move on.

Re:A little paranoid.

[LWATCDR]

Depends on what you mean by controversial. They did take down the Church that was going to burn the Koran site which I have at best mixed feelings over.
Rackspace does have strict polices on hate speech, child porn, and wares.
I have no problem with that at all.
I do not know how they would feel about Cryptome. I would not put that site in any of those categories.
I do know that they have good service and support.

Re:A little paranoid.

[moortak]

So, you give credibility to the parts of the same documents that hurt the US image, but the parts that hurt Iran must clearly be fabrications.

Re:A little paranoid.

[c_forq]

Think of it as a report by Microsoft. Anything negative about Microsoft in it I would beleive. Anything negative about Apple or Linux I would take with a grain of salt.

Re:A little paranoid.

[moortak]

Whether you believe it or not Wikileaks reported it ,which is what he asked about. Wikileaks may have gotten most of its press for reports pertaining to the US and its allies, but those aren't all that they have disclosed.

Re:A little paranoid.

[c_forq]

Wikileaks does not matter. It is the source that matters. The reports aren't authored by Wikileaks, they are authored by the US military. What he (the original poster) was asking about is Wikileaks documents by whistleblowers in other countries. This is currently lacking. Please make a good argument, otherwise I am afraid I will mark you as a foe and your comments will not be moderated up by me.

Re:A little paranoid.

[moortak]

Their first leak was from within Somalia. That is both an origin and a target from outside of the US and its allies.

Not hacked!

[kju]

The controversy about hacker vs. cracker is old and unsolved. But this case really does not warrant the use of the word "hack/hacked" under any meaning of the word whatsoever. This is a act of pure vandalism, nothing more.

Re:Not hacked!

[zzsmirkzz]

Cryptome reported that it's EarthLink e-mail account was compromised in ways unknown

Sounds like hacking to me. The rest was exploiting the trust all providers build around your email being secure. All to pursue the end of simple vandalism.

Re:Not hacked!

[hedwards]

It's not unsolved, what's unsolved is the mystery of how to get people to get it right. Hacking is the generalized practice of modding things and coming up with clever technical solutions. Cracking on the other hand is applied hacking, as in applied to the practice of breaking into people's stuffs.

Re:Not hacked!

And to the general public cracking is what you do with nuts. Get over it.

Re:Not hacked!

[zzsmirkzz]

You may have been right about that at one time (even possibly now). But language evolves, words adopt new meanings based on the way people use them and understand them. Hacking has always been referred to in both connotations in my experience and I would say in the experience of most people they have only heard it refer to the Bad Guy. The spoken word defines the dictionary, not the other way around.

Re:Not hacked!

[LordOfTheNoobs]

I get it now. Slashdot swapped the Insightful and Troll tags at some point. I'd say you're mostly correct. Except I would say hacking is creating a hack, where a hack is something ( ( unexpected or unforeseen ) and ( useful or technically interesting ) and ( impressive or amusing, to include schadenfreude ) ).

• Create interthreading a switch statement and do while loop to manually unroll loops where useful? clever hack.
• Using a "Pringles" can for storing chips? cartridge snack.
• Using a "Pringles" can mounted to a rifle stock as a long distance phone hacking antenna? clever hack.
• Processing an xml file into a sql statement to derive a json element that parses to an HTML widget? boring, that
• Write a program that blasts the stack on a remote process, opens a shell and calls home to hand you the box? clever hack.
• Download a VBScript program that takes a server and room option and floods an IRC room? kiddy crap.
• Use a mostly ignored holdover feature of the x86 processor to create a sandbox environment for native compiled apps? clever hack.
• Use a gyroscope to carefully balance a two side-by-side wheeled vehicle steered by leaning? clever hack
• Drive one of the damned things off a cliff? Holy crap

et cetera.

Re:Not hacked!

[TheVelvetFlamebait]

Maybe the word "sacked"?

Re:Not hacked!

[X3J11]

I've heard the "language evolves" argument before, but in this case I disagree. The word "hacker" did not evolve, it is a misnomer. It is not evolution, it is ignorance. It bothers me in an OCD way because so many of my idols are/were hackers, and to me the title is one of borderline reverence for the things they have accomplished.

I am also surprised at my post being moderated flamebait. I was aiming for informative or insightful. I would have thought that on /. of all places my comment would have been appreciated and agreed with. Oh well, the times they are a changin'.

Re:Not hacked!

[zzsmirkzz]

I agree that it's evolution may be an insult to its foundation but that is just how language is and has always been. Words and symbols are misunderstood and their meanings changed, their original intent lost. To you this meaning will never change, and your idols will always be revered but, unfortunately, for the rest of society they will be mislabeled and misremembered in history. Personally, I believe this to be true of much of history, and why I sensibly apply the axiom: Believe nothing of what you hear and only half of what you see.

As far as flame-bait, didn't seem like it to me, either. Perhaps, off-topic, lol.

Re:Not hacked!

[sgt_doom]

Thank you kju for your wise comments. Although I fear Cryptome and Wikileaks were both the victims of state-sponsored terrorism cracking.

Just as that stuxnet was the product of state-sponsored sabotage, which will now allow corporate criminal organizations to promote corporate espionage against any smaller competitors, making it effectively impossible to trace back the origin of future stuxnets since it has been public domained.

Re:Super secret password

[maxwell+demon]

Didn't they tell you to use both uppercase and lowercase letters? Had you used "Passw0rd" instead, nobody would have found out!

Hack

[Stargoat]

Is a social engineering attack a hack? It sounds like someone called over to EarthLink and got an e-mail password reset. Then, once holding the e-mail account, called over to Network Solutions. This sort of thing wouldn't be difficult at all.

Re:Hack

[zarozarozaro]

Mod parent up. A company I used to work for used Earthlink as their provider for everything (web, email, ISP). I pretty much had to take on the IT admin role there. They had lost all of their passwords and logins. I could not believe how easy it was for me to take control of everything in ONE DAY without even getting my boss on the phone with the support guy at Earthlink. Security at Earthlink is a joke. The support people there seem to choose one piece of your information at random to verify that you are the account holder. They will often ask you to tell them your password over the phone and other similar nonsense.

Re:Hack

[BobMcD]

Is a social engineering attack a hack? It sounds like someone called over to EarthLink and got an e-mail password reset. Then, once holding the e-mail account, called over to Network Solutions. This sort of thing wouldn't be difficult at all.

FYI - 'Hacking' never is, never has been, and likely never will be. The kind of amazing tricks you're imagining under that term lie within the realm of security research, espionage, etc. 'Hackers' are, by definition, hobbyists, and hobbyists are generally doing it for the love of the game, for the fun of it, etc. The guys doing the stuff that might actually amaze you are being PAID to do so. Otherwise they'd give it up and move on to something easier, until such time as nothing easier actually exists. So you say that exploiting a social gap isn't '1337' enough to make the grade? How is utilizing a published Windows exploit any better? SQL injection? Nobody buy nobody is divining their own security-breaking code from tiny mystical oracles found at the bottom of Mountain Dew cans.

In short, the movie 'Hackers' bears zero resemblance on reality.

Re:Hack

[fostware]

In short, the movie 'Hackers' bears zero resemblance on reality.

Huh?

The bulk of the leadup to a hack involved sifting through logs, dumpster diving, and social engineering (like the eidetic memory delivery guy or asking A/H guy what the phone number was on the label).
The fancy graphics and the ZOMG! 486! were all Hollywood, but there were some moments the scriptwriters didn't screw up beyond recognition.

Besides, I still own my 'Man in a pink shirt' book ^_^

Re:Hack

[inKubus]

That movie is a great metaphor for the hacking scene in the 90's--a metaphor for how you might have seen it from your computer. Sure, the roller blades and VR goggles might be cheesy, but it really captures the essence of the scene, kids vs. the corporate hackers, money vs. punk liberalism. Still brings a smile to my face 10 years later.

Ownership

[Demonantis]

If "they" have the physical machine, they own your data. You have to live with the consequences of relying on that third party. Unfortunately that is how the internet and most of society works. We hope that there are mechanisms and governing bodies in place that are trustworthy and reliable.

Re:Ownership

[AHuxley]

Yes unless you go for something like
http://www.macminicolo.net/facility.html
Send in x number of Mac Minis and load them with OpenBSD, Linux ect.

Re:Ownership

[X0563511]

That's called colocation, and it doesn't mean shit.

Joe random tech can yank your drive, boot with an external kernel with init=/bin/sh or whatever, do nefarious things, put it all back up, and claim a power outage or whatever.

Unless it's sitting in your facility or your access control (locked cage with no raised floor, you have only keys) then it isn't secured.

Unless you use full disk encryption, in which case driving in to boot your servers will get old. IPKVMs or other workarounds = keylogger = pointless.

I like your Mac bullshit too. Nobody uses Macs for hosting... they are too expensive for what you get. I think I've seen probably one, ever. I didn't even realize Apple made rackmount equipment before that. As well, anyone who knows what they are doing isn't going to put desktop-type equipment into a datacenter role... any time I've ever seen this it spelt nothing but trouble, and when trouble eventually came around, it was made evident the owner didn't have a damn clue as we had to do -everything- for them.

Re:Ownership

[Demonantis]

I didn't know they made servers either. I looked it up and almost choked on my laughter when the specs are a 2.66 duo and 4 GB of RAM at $1000 for the Mac Mini. They definitely just shoehorned the server software onto the hardware.

Professional vs. Amateur Hour

[cdrguru]

A professional organization that knows its web presence is its life is going to have a bit better setup than a server that someone else (Network Solutions in this case) has control over. The right solution is a co-located server that is controlled exclusively by the organization. The hosting company doesn't need to have any passwords. They are also going to have their email processed by their own server and not be relying on an ISP for anything at all except connectivity.

However, a completely amateur operation is going to use shared virtual hosting because it is cheaper and the hosting company will be doing backups for them. And controlling passwords. And all other security. Oh, and using a non-domain based email setup from an ISP.

I guess it is pretty obvious into which category Cryptome falls, right?

Yes, it would cost $2000 a year or more for a co-located server whereas shared virtual hosting is dirt cheap.

Re:Professional vs. Amateur Hour

[twoallbeefpatties]

[A] completely amateur operation is going to use shared virtual hosting because it is cheaper and the hosting company will be doing backups for them. And controlling passwords... I guess it is pretty obvious into which category Cryptome falls, right?

Being a non-profit organizatino, Cryptome's status as a professional organization or an amateur organization probably depends on the size of their donation base. For a website group trying to get by on a shoestring budget... well, maybe this little stunt will help them raise awareness to get the donations for a better server setup. (Not that I actually know the size of their donation base, and maybe they do have enough money for that sort of setup and they're just stingy/stupid.)

Re:Professional vs. Amateur Hour

[c]

Using virtual hosting might be intentional. A lot of people don't particularly like them. Including agencies of the US government. By running their site on a shared box with hundreds (thousands?) of others, they're a little more protected against the infamous "just take the whole server" attack. Also, it gives them more money to allocate to bandwidth costs, which as I understand it are pretty high.

Re:Professional vs. Amateur Hour

[ducomputergeek]

Or in between. We have our servers managed by our hosting company. We don't have root control, but they maintain the PCI compliance and honestly we've not had a problem in years that wasn't solved in less than 10 minutes via phone. We have RAID 5, they do back ups, but we have back ups of the db and critical files done nightly and SFTPed to a box back at the office, which is then backed up to tape once a week and every monday morning that tape is taken to a safe deposit box at our bank. Every month we pull out a random tape and see if we can restore on a test system.

But trusting your backups only to your hosting company is stupid.

Re:Professional vs. Amateur Hour

[Fulcrum+of+Evil]

What makes you think the cops would care? They haven't shown much restraint in the past.

Re:Professional vs. Amateur Hour

[c]

I said "a little more protected", not invulnerable. If it makes them think twice or is enough for a judge to hold up a warrant or, heck, it's enough to generate some publicity over it, then it's better than nothing.

More likely, Young just doesn't give a shit. The kinds of people he's afraid of are just going to sniff his passwords from his brain through a weak point in his tinfoil hat, so why pay extra for security or reliability.

Re:Professional vs. Amateur Hour

[RAMMS+EIN]

``we've not had a problem in years that wasn't solved in less than 10 minutes via phone''

Sounds like eagerness to solve problems via phone was one of the things that burned Cryptome here.

Old school

[0xdeadbeef]

Cryptome was cool before Wikileaks made it mainstream. And John Young is the original gangsta, so you know he got backups. Bitches don't know about all the backups he has.

Re:Old school

[metrometro]

best post ever.

Re:Old school

[Rogerborg]

anon.penet.fi 4 life, homie.

Thank your damned admin!

[tqk]

And give him a raise! If you're back up, he did his job, superlatively.

Demmit.

EarthLink? They're still alive?

[commodore64_love]

I once had an account with them, back in the 33k days. Also Erols. I guess these old services never truly die..... they just fade away.

Wired Reporter to be Subpoenaed

[savanik]

And Cryptome is now saying that a Wired reporter contacted them after having spoken with a hacker claiming responsibility for the attack.

Which they responded to with a threat of a subpoena, and publishing news about it before the reporter, after they told the reporter they wouldn't? ... er. Way to burn bridges, guys? Seriously, I understand free speech and using reporters as sources, but I don't think reporters are going to be too gung-ho about reporting your findings later after this.

Re:Wired Reporter to be Subpoenaed

[RapmasterT]

Well, if someone told me they had knowledge of a person who had committed a very serious crime against ME, but were refusing to share that information with me, then I wouldn't honestly feel the slightest obligation towards them either. I'd tell them whatever they wanted to hear to get the maximum information out of them.

AND I'd try to get that subpoena too. The First Amendment guarantees freedom of the press, but it doesn't guarantee freedom from subpoena. An ethical journalist would go to jail in contempt of court before giving up a confidential source, but since journalism has abandoned most of the principles of old, I wouldn't count on that happening.

Re:Wired Reporter to be Subpoenaed

[russotto]

The way Young reports it, he had the conversation with Zetter and _at the end_ she asked him to not report it. He responded "sure" but didn't say what tone of voice he used. She then pointed out that he always reported interviews, so it's clear she didn't really expect him to keep it quiet. I'm not sure why Young is so pissed at Wired. Just because the vandal went and bragged to them after the fact doesn't make Wired "complicit" as he claims.

Re:Wired Reporter to be Subpoenaed

[siddesu]

Cryptome.org's SOP is to report on all interviews, he's been doing that for ages now.

From the interview, even the Wired clueless bimbo was aware of this.

Knowing the SOP before you call a site about them being defaced, and still asking for exceptions while you hide the perpetrators of the defacement doesn't come across as building bridges to me.

Re:Wired Reporter to be Subpoenaed

[arth1]

I'd try to get that subpoena too. The First Amendment guarantees freedom of the press, but it doesn't guarantee freedom from subpoena. An ethical journalist would go to jail in contempt of court before giving up a confidential source, but since journalism has abandoned most of the principles of old, I wouldn't count on that happening.

This is Wired, who had no qualms ratting out the Wikileak's army informant.
I'll be surprised if they haven't already finked on this guy too, unless it was one of their own or their chummies.

SSH FTW

[MichaelSmith]

Its the only CMS I use on my servers. Mercurial for version control over ssh. Update my sites with hg push. Hooks on the receiving side to run hg up and rebuild if required. SSH can be configured to require certificates only for authentication. Desktop environments all integration with ssh-askpass or similar.

vandalism, nothing more?

[hAckz0r]

Possibly. But lets not forget that erasing all files and logs is also a good way to cover ones tracks. If the intent was to do a DoS then it was quite effective, for a while.

Its not as difficult as many might think to breach the security of a large ISP. Ask any Red Team. The IT personnel working there is probably mired by the tribulations of just trying to keep up with the little stuff, and haven't the time to build security in. Having a security 'plan' has little effect if your forward facing defence boundaries look like a piece of IP protocol Swiss cheese. It only takes one foothold inside that defence perimeter to make all the efforts of the entire IT organization look totally ineffective.

The slash and burn technique serves to cover up all sources of incriminating evidence, and better yet, hides the true motivation of the attacker unless they actually take the time to leave a message behind. You are not likely to find a trail of breadcrumbs laying around if their intent was business rather than pleasure.

Re:vandalism, nothing more?

[azrider]

The slash and burn technique serves to cover up all sources of incriminating evidence, and better yet, hides the true motivation of the attacker unless they actually take the time to leave a message behind. You are not likely to find a trail of breadcrumbs laying around if their intent was business rather than pleasure.

Oh, really? See The Cuckoo's Egg: Tracking a Spy Through the Maze of Computer Espionage (by Clifford Stoll).

Re:vandalism, nothing more?

[azrider]

And for those who don't want to read the book, he used whatever dot matrix printers he had available. Remote syslog to a machine with WORM media works too.

If you can't afford such writers, mount /var/log (or /var/adm depending on your system) on a remote with a different authentication with the directories as 500(-r-x------) and files as 300(--wx------) with a specific user for whichever syslog variant you use. Then chattr -i on the remote system so that the directory is immutable. On the remote system (if using rolling logs) don't forget to change the logrotate (or other appropriate cron configuration files)

Works every time for system security stuff.

You can tailor the logs for as much or as little as you need. Until the cracker can compromise your remote logging system (which should have different root passwords, no sudo/ssh credentials and no other rot access than the physical console), everything is recorded. Once it is cracked, you will know when it happened, because without the proper credentials on the logging system nothing can be erased.

Tripwire/dnotify/inotify are your friends if you take the time to learn them and if you take the time to set them up properly.

Colo vs Home Server vs Virtual Machine, and backup

[m.dillon]

Well, it just goes to show you get what you pay for. From the point of view of security Colo is probably the best, but running a server on a static IP from home is likely the most cost effective. Virtual hosting is dirt cheap but worthless for any serious operation. VMs tend to be configured minimally and ISPs mash them all together using shared resources so performance is all over the place. It's pretty easy to brick an OS running in a VM due to the minimal memory configuration it is typically given.

And backups... well, there are lots of choices there. There is no need to lose more than the most recent 60 seconds worth of modifications if you run a near-real-time streaming backup off the site. Something like DragonFly + HAMMER can do just that (and here is my unashamed advertising of DFly :-)).

Also... only 8G of data? That's it?

-Matt

Re:Colo vs Home Server vs Virtual Machine, and bac

[phyrexianshaw.ca]

Also... only 8G of data? That's it?

how much data do you expect them to host? it's not like they store multi GB long videos of events or anything.

Re:maybe this motivates the admins to do their job

[zerro]

not really familiar with Cryptome, so I'll go ahead and start bashing! It's hard to imagine that they didn't have something as basic as 2-factor auth on admin/shell/etc if they are touting that they host sensitive data of any kind... just reeks of "doing it wrong"

Re:In b4...

[JonySuede]

always lock your workstation before leaving ....

Laundry day

[zooblethorpe]

...if I had something that I felt HAD to be leaked, I would keep leaking it until it stuck.

Why am I suddenly worried for the state of your laundry?

Cheers,

Re:Laundry day

[LS]

dammit where are my mod points! +1 funny

Back 'n up

[erica_ann]

textbook perfect example of why everyone should make a backup.

Hard to say where to draw the line though.. every day, every two days? ever 12 hours?? To each their own.

I just like seeing that there WAS a backup used here. I see too many people without backups used at all. Two days would be a miracle for so many people.

Re:EarthLink? They're still alive?

[jimmydigital]

Yes earthlink is still alive.. and when time warner rolls out consumption based billing (as they are doing right now) you will probably end up a customer of earthlink since by paying them for the same internet service over cable.. you can avoid the extra charges that cbb will cost you.

and so you will chase away the information source

[circletimessquare]

and the crime against you will go unpunished

i'm not saying that you have no right to seek out the information source about the crime against you, i'm saying your tactics suck

what you do is you let the information source speak, and you ask the reporter for more information. you make up false reasons for why the information source is wrong, forcing the information source to prove they actually are genuine. or you keep them talking, until they make a mistake, and they reveal themselves

you set a fire, and you smoke them out, THEN you pounce

but if you run into the initial situation yelling subpoena, the source clams up, and your strong arm tactics only wind up hurting yourself, because now you can't hunt down the criminal

Seems like the government at work.

[elucido]

And if it's the government they wouldn't have to actually hack the email account password, they'd already know it. They'd simply log in and do the work and nobody would suspect them. It's a very convenient time, considering what was being posted on Cryptome, it was very explosive stuff involving Julian Assange, Wikileaks, etc.

Any site can be shut down.

[elucido]

If the government wants to shut down a site they can probably do it. They'll just have one of their assets at earthlink or whereever handle it.

Wired? Figures.

[elucido]

Who would have guessed? This isn't a surprise at all.

EarthLink?

[Arancaytar]

Why not use Hotmail while you're at it.

John Young is alleged to be paranoid as hell; no idea how something like this can happen.

Network Solutions?

[mrobinso]

You mean... there's still people out in the world that do business with that outfit?

Excuse my lack of sympathy.

Mike

Encyclopedia Dramatica?

[Logic]

ComputerWorld actually linked to Encyclopedia Dramatica? Yeah, this is going to go well. :)

Re:Colo vs Home Server vs Virtual Machine, and bac

[ImprovOmega]

Also... only 8G of data? That's it?

I have to appreciate that 20 years ago the same amount of data would have elicited a response more like "8G of data? What on earth are they storing that would require that much?!?"

Re:Colo vs Home Server vs Virtual Machine, and bac

[mcgrew]

Well, it just goes to show you get what you pay for.

Are you in marketing by chance? "You get what you pay for" is what somebody trying to sell crappy products at a quality price says. The fact is, you DON'T always get whet you pay for, although you usually pay for what you get.

Any time someone tells me "you get what you pay for" I hold on to my wallet extra tightly.

Re:Super secret password

[mcgrew]

No, you need uppercase, lowercase, numbers, and punctuation. "Pass-w0rd" is unbreakable!

Re:and so you will chase away the information sour

[RapmasterT]

and the crime against you will go unpunished

i'm not saying that you have no right to seek out the information source about the crime against you, i'm saying your tactics suck

I didn't advocate any particular tactic or timeline. What I said was I would do whatever it took, including outright lie and/or threaten prosecution against the reporter who was protecting the identity of the person who committed the crime against me.

Hiding the identity of a criminal is an accessory after the fact offense. I'd work that angle until the cows came home.

That doesn't mean you have to go in all guns blazing, there's no requirement that you be stupid about it.