Slashdot Mirror
Harvard's response to the Packet Storm incident
Harvard University News Office wrote in with their response to the whole Packet Storm ordeal.
Hit the link below to read more, but it looks as if Harvard is returning the backups, but no longer hosting the site.
As a service to the Internet community, Harvard agreed to host a Packet Storm Security Website for security-related materials only. Without Harvard's knowledge, unrelated content was put on the Harvard server, including sexually-related material and personal attacks on an individual not affiliated with the University. A Harvard administrative site focused on security issues is not the forum for this type of material. We are returning the content on the site and hope that Packet Storm will make its security tools available through its own Website.
Joe Wrinn
Director, Harvard News Office
1350 Massachusetts Ave., Rm. 1060
Cambridge, MA 02138
Phone: 617-495-1585
Fax: 617-495-0754
joe_wrinn@harvard.edu
It is understandable that there are misunderstandings.
Conflicts will persist.
The truth is out there.
Perpetuating FUD is BAD!
Kevin and those who rally around him like a circle of vultures should take a breather and try to understand how they were indeed libelous and displaying sexually explicit content at the expense of others. It is understandable that these actions may have seemed innocent and in good fun at the time, but really, everyone needs to grow up and respect people as people. At risk of sounding moralistic: learn to forgive! Open development is based on people's willingness to recognize faults and work towards fixing them. The random emotional outbursts from people like 'kevlar' are a bit reactionary and not based on anything but rage.
AntiOnline needs to do a little bit more of the same type of constructive forgiveness. A polite message to Kevin before going to Harvard would have been more appropriate. This can be tough. But, if Kevin couldn't be taught to provide a little more respect, then further action could ensue. Strongarming is not allowed in football, and it shouldn't be in used in general.
To the rest of the community: learn from all of this--you never know when you'll step on somebody else's toes. If you do know, learn how to minimize it. Also, learn to read the content behind the emotion. My use of 'strongarming' above could be considered by some as 'exagerated', and by others as 'too weak' (and to still others, an odd reference).
Try walking in someone else's shoes. --To Kill a Mockingbird (paraphrased?)
The General Debugger
http://www.genocide2600.com/jp/
They "lost" all backups of the security archive but managed to keep that directory! My new formula:
Antionline=Packetstorm
PacketStorm Is Shut Down
An AntiOnline Editorial
Thursday , July 01 1999
Apparently for some time now, PacketStorm Security, a popular underground collection of security related tools and information, has been maintaining a vast archive of
materials about AntiOnline. These materials included entire stories, copies of the weekly mailbag, e-mails, and other materials copyrighted by AntiOnline LLP.
On top of that, and what was far more serious, the site contained dozens and dozens of items which included: e-mails, messages, documents, images, and even public
surveys. These materials were libelous, and in some cases, were blatant threats against members of my immediate family, myself, and my company.
While I value the right to free speech as much, if not more, than the average American, I do not believe in individuals posting threatening and harassing documents
about another individual, and their family members. It was for this reason, and no other, that I contacted Harvard University, which was hosting the PacketStorm
Website, and requested that it be shut down. I did not threaten legal action, but simply directed University Administration to the website, for them to view, and to judge,
on their own. Below is a copy of that letter:
Greetings:
May I first say that I did my best to see that this letter got sent to the appropriate individuals. I had some difficulty determining who those individuals may be, so if I
have made an error, I would greatly appreciate it if you would forward this letter on to the appropriate individual(s).
My name is John Vranesevich, and I am the Founder and General Partner of AntiOnline LLP, a computer security company based outside of Pittsburgh, PA.
Earlier today, one of my colleagues forwarded me the following URL:
http://packetstorm.harvard.edu/jp/
Needless to say, I was shocked and outraged at what I saw. This page contains a large archive of libelous and, to put it bluntly, sick material. Everything from archives
of copyrighted material from our website, to altered pictures of my family, to 'stories' about me which contain images ranging from people engaged in homosexual
activities, to a nun that appears to be covered in seminal fluid.
I am astounded that an institution as prestigious Harvard would be party to the dissemination of this type of material. It is my hope that the University Administration
was unaware of this site, and now that it has been brought to their attention, it is my hope that it will be dealt with promptly.
I have worked to help several educational institutions develop 'Acceptable Use Policies', and if Harvard is similar to them, the above URL would be a clear violation
of that policy.
It is my hope that the above mentioned domain will be shut down immediately, and that the individual responsible will be seriously reprimanded.
I hope to hear from you soon about this matter, and what you may have done regarding it.
Yours In CyberSpace,
John Vranesevich
Founder, AntiOnline
Tonight, Ken Williams, the founder of Packet Storm Security, released a letter to the public. The letter read in part:
Funny how I spent the past few years donating my time, literally thousands of hours, to "the security community", never making even a penny off the time and work I
invested, and have now lost it all because some asshole named John Vranesevich is able to make a quick phone call, fabricate absurd stories about criminal activity
and bullshit I never did, and effectively ruin years of work, my education, my career, my life.
Ken, I know what it's like to dedicate many, many, thankless hours into a project, believe me. But, you did not loose your site because of me, you lost it because of you. I
could not stand by and watch your site be used as a platform to harass and threaten my family, myself, and the business which I have worked hard to start. While you,
and others who 'follow you' may criticize me for what I did, I think everyone that's reading this, who has family members that they love, and a career that they enjoy,
will admit to themselves that if in my shoes, they would have done at least the same. I hold absolutely no grudge towards you as a person, and I hope that you have the
best of success in all that you do.
Due to the types of threats that I have been receiving, and that sites like PacketStorm have been propagating, local law enforcement agencies were put on alert, and
began doing extensive extra patrolling of the residence of my family members, my own residence, and the AntiOnline Offices. I realize that the actions that I have taken
against PacketStorm may greatly increase the immediate threat against my family, myself, and my company; and that the harassment will now only get worse. However,
I will not allow my family, myself, nor my company to become a victim. I am standing my ground, and will continue AntiOnline's mission of putting an end to malicious
hackers.
People in this country have the right to say and do whatever they please, unless that is, what they say and do infringes on the rights of another - anonymous.
Yours In CyberSpace,
John Vranesevich
Founder, AntiOnline
Here's the story as I heard it from Harvard's unofficial side of things.
/jp directory, so someone cruised over there, saw what was there and shut down HTTP access until things could get straightened out.
They received an email about this
Remember, Harvard was hosting the site as a favor to the creator and the community. It WAS an extremely popular site and was sucking up huge amounts of bandwidth, but it was deemed worthwhile.
So, while the issue was being investigated, (and from what I understand, the assumption was that there'd be some discussion about removing the offending material and hopefully PacketStorm would be back up shortly) Ken started this flame attack on Harvard, and communities such as this one completely accepted what he said at face value.
Suddenly Harvard, which was trying to do a Good Thing by hosting the site, was turned into the bad guy and being flamed across the net.
So they figured "Screw this" and told Ken to take his files and find somewhere else to host the site.
There was NEVER any intention of destroying the files, and with a bit of thought you should understand why. Even if Harvard was some malicious beast in this event, they'd still want the files to back up their allegations, right?
------
I know you won't believe this, since I'm not one of you. But that's the 'unofficial' story.
This event triggered my first visit to the slashdot forums, and frankly I was stunned by how many people took Ken's letter as total truth (ie, the big organization is stomping the poor little guy angle) but when the big organization responds, they're clearly lying.
Weird
Flame away.
Yeah, the rest of the incident shows them to be completely spineless. So? Hey, as an ISP they have a right to yank anybody's web site if they want too; in this case, at least Packet Storm can go back up.
----
Every year during my review, I just pray the words "slashdot.org" aren't mentioned.
traceroute uses UDP packets by default I believe. Though it does have an ICMP ECHO option. Of course UDP and the default traceroute ports can always be blocked too.
that someone hacked into and planted a new directory on the server for a security site . . .
Permission was granted to use a machine to run a security site, and the maintainer used it for other purposes. I'm not a member of the bar in that state, but in several others, this additional use would be theft of compter services--by a security site . . .
Apparently you don't seem to be aware of the "extra" stuff Williams posted on his web site. It was all sorts of rather nasty comments, pornographic imagery, etc. Very very bad stuff.
Remember, Harvard agreed to host this site as a FAVOR, and Williams abused their trust by using the site for rather scandalous personal reasons. I think Harvard was perfectly justified in doing what they did.
An institution's belief in the "facts" has nothing to do with this.
Thank God there are still some people with a clue on this sorry planet.
On one hand I'm really glad Slashdot is as popular and has so many posters as it does, but on the other hand, it's really quite embarassing how many people here go off on what OBVIOUSLY little information that's been provided.
The Slashdot authors are just as guilty as anybody else. Read the headlines/abstracts for some of these stories. It's very easy to believe just one side of an obviously partisan story instead of trying to get the full range of facts.
No offense to Williams, but in this case I'm more inclined to believe the contents of the original complaint e-mail sent to Harvard over Williams' "statement".
Why would he send a letter to Harvard describing pornographic content when Harvard would just be able to look for themselves and see that he was just blowing a lot of hot air? The fact that Harvard DID act quickly and finally lends credence to the original complaint.
That's my opinion, anyways.
It was probably their position all along -- Somebody else above posted a reply to a comment that I think summed up Harvard's side of things perfectly.
Remember, this entire Slashdot thread was started by a message from Williams (the "victim"), and included only his side of the story. It's quite possible he embellished quite heavily.
Well whatever, I'm not going to get into an argument over this stupid little topic. I'm amazed it's gotten this much attention.
I'm just annoyed by everyone labeling one person's side of things as gospel truth before even hearing the other side of the story. When you do hear things from all THREE parties (including Harvard), stuff starts to make a LOT more sense.
I think I've done more than enough research into this whole fiasco.
The fact is that Williams e-mailed Slashdot with his whiny story, and Slashdot went with it. They simply thought to themselves, "Wow, the evil guy with money destroyed a valuable resource!" They made no effort to look at the "other" side of the story or validate any of the things Williams said. They simply assumed that what he said was FACT. For things like factual articles, where people are offering links to *real* news sites, this is a PERFECTLY FINE way to run a news site like Slashdot, but when you get into personal things like this, you're basically posting an editorial, not objective news.
That's what I was objecting to.
I don't expect Slashdot to do its own reporting and investigating, but I DO expect them to at least TRY not to be biased or partisan when they do post things like this. The instant I read the abstract I *knew* there was a lot more to this story than what was being said. Everyone else should have been smart enough to realize this as well.
FYI I've probably read more Slashdot articles and posted more informative Slashdot comments than you ever will. Don't go tell me to "Try reading" before I post, and *especially* don't do it as an AC.
Ken Williams, author of packet strorm, claims that there never was any sexual explicit contents on his site. You can find his statement here.
The moral of this story is, keep a copy of everything you've got. Harvard gave this guy back his data, but certainly didn't have to.
When you put data on a server that's not yours, you're assuming that there's reliable hardware and the ISP is doing regular backups. From experience, those are both assumptions that aren't good to make. Harddrives are cheap, CD-Burners are cheap. Keep a copy of your site. Even if it was four gig of data, that's five, maybe six CD's. Its not like all of it changes all the time.
Hell even if it IS your server, you should always keep copies of the data separate from your backups and the server. The government has been known to inappropriately seize servers at ISP's and things like that.
Harvard took the site down because it became to controversial for them to take the time to deal with. They were doing the security community a favor and the intelligent people in the community would never fault Harvard for doing what it felt had to be done at the time.
Sure, they would be praised if they had simply contacted Packet Storms admin and told him that the offensive material would have to go or they would be forced to shut down the site. But then they would have become censors. Censoring content just doesn't seem very Harvard to me.
What they did was right. The actions they took, and the preliminary FUD they spewed merely gave them the time they needed to weigh thier options, without bringing about the wild accusations and rumors that would have flown in the face of silence.
http://windows.scares.us
I hate it when I hear about a (potentially) useful website only when it is shut down. By many accounts, Packetstorm was a valuable security reference. The published words and acknowledged actions of AntiOnline's owner makes me averse to having my IP in their server logs.
So, what good security resources are left out there? If Packetstorm were still up, I would undoubtedly have scoped it out for usefulness, and bookmarked it as a resource if it met my needs. Is there anyplace else comparable I can check out?
phil
So, let me get this strait. You contend:
1) Intelligent people will support Harvard, ergo anyone criticizing their action must be intelligence challenged(tm).
2) Censoring isn't very "Harvard", so rather than "censor" by requesting the removial of controversial materials, it is somehow more ethical and less "censorous" to go off half-cocked and delete EVERYTHING the site offered with no due process, no notification, and no opportunity for the web page maintainer to copy his material to an offsite location (their belated agreement to give him the backups after being subjected to a storm of public criticism hardly counts).
3) What harvard did was right. It was OK for them to spew FUD (untruths) because they needed "time."
4) Finally, of course, we see the success of their strategy, in the resoundling lack of accusations and outrage their lack of silence has engendered.
If I understand your arguments correctly, burning entire libraries and spreading FUD about the personal lives and actions of the libraries is OK, even noble, as to do anything less (like lock up an objectionable book) would be "censorship." Anyone objecting to the burning of said libraries would clearly be stupid, as any intelligent person in the security community would support burning the entire library over the censorship the removal of one controversial book would imply. Interesting definitions.
The Future of Human Evolution: Autonomy
Is it an encrypted checksum or cyclic redundancy check code? If it's just a checksum, you can fiddle with the altered message to produce the same sum. It's far more difficult to produce the same CRC code (I think), but which is being used here?
The most secure way that I know of to encode a message to verify that it's from you is to encrypt the whole thing with your private key. The receiver runs it through your public key as if they were sending it as a reply to you, and the plaintext pops out.
OTOH, this requires you to encode the entire message with RSA, which PGP doesn't.
I don't see how Harvard can be expected to host a site from an individual who is in NO way associated with Harvard. Not even a damn student!
Would your little University admins host a non-students web site? I freaking doubt it...
(as I assume well over 50% of you are still students) Hell, for those of you in the "real"
world (sic:jargon file) would your company in ANY
way wish to associate itself with hosting a non-involved site if you were not an ISP? Doubtfull at best.
Not returning the backups WAS out of line, however
they have returned what some courts have held up to be personal property, as an author. (web content) Harvard has distanced itself from a
controversial situation that their academic
charter has nothing to do with. (the anti-online
vs. anyone who objects thang)
Where did Harvard REALLY go wrong? Allowing their admin to host the site in the first place. Anyone
wanna bet he/she was severely reprimanded? Possibly threatened with release? A little birdie tells me he was getting his resume' together over this one...
da' fly
I think the content that is in question should never have been posted in the first place. If harvard had gone ahead and destroyed everything without giving kevin a chance to recover his data that would have been wrong, but since they are giving him his data back, he really isn't at any personal loss. I doubt he'd have any trouble finding a new place to host the site, most likely w/o the JP content. Most importantly he has his school work back. I don't know if harvard actually was going to delete everything in the first place, or if the publicity around the event made them change their mind, but the important thing is they are doing the right thing now. The only thing I can see them doing that would be even better would be allowing him to open the site up again on harvard's network w/o the jp content, but I doubt that would happen.
-matt
That letter at hackernews.com is not PGP Signed, as his first, highly publicized letter was.
Just a thought.
There's a reason for PGP.
Zeitgeist
perl -e 'print "zj5GuPW9b.sEiQQVgvL1Tr." ^ pack("H48","000f5c3312353e4a166e12311d363d3905172
When you "sign" a message with PGP, it uses your personal "Private" key to build the signature from. This signature is actually a checksum. Anyone that Ken has given his public key to can ask pgp to verify his signature, in the case above where you just added it to your message it will definetly fail. Also because it's a checksum of all the data between the --Begin PGP and --End PGP lines, if you were to download a copy of Ken's message and change the message in anyway and re-upload it, it would again fail.
Of course PGP relies on the ability for the user doing the verification that the "public" key they have actually came from the party in question. Look up PGP and web of trust for more information.
Well, I've just spent the last 2 hours "hacking" through the Ken vs JP stories here on /. and I must say its really quite amusing. One group Says "yay..us HaXor doodz will destroy anti-online" and other says "hey, that's a violation of free speech! You can't do that!" another says "Yes they can!" Blah blah blah....
/. It seems to me these two kids did something along time ago to each other so they now hate each other and they will battle it out anytime and in any forum. And often in war, truth is the first causalty.
For me it boils down to who owns the computers - Harvard. Just as I don't have to have any program on MY computer that I don't want (are you listening MS?) Harvard doesn't have to have ANYTHING on THEIR computers that they don't want, irregardless of free speech or who owns the content. So Harvard did the right thing.
As for the rest, well, it reminds me of two 10 year olds fighting. Personally I don't thing either is telling the whole truth. JP may well just be a "wannabe" who is pumping himself up. But I have also seen some of the "evidence" published by a great many other sources that are, to say the least, laughable and and insult to the intelligence of anyone on
Is JP a rogue bastard who is selling snake oil, making up "hacks" so he can ride in and save the day? Sure, its possible.
Its also possible that Ken has enginieered a great many of these so-called "evidence" logs and irc sessions as a disinformation/smear campaign. Either scenario is just as plausible as the other.
Frankly I don't care who is right or wrong. Both sides are indulging in Ad Homenem attacks, which is the least logical, poorly premised and misguided of all arguement. If you can't attack the aguement attack the arguer...
This is incredibly childish. I don't beleive either side. The sad part is that two fairly decent sites for getting security information (anti-code that is, not antionline) are gone (for now) and we are all losing out on information.
Now, when the teenagers are done with the pissing contest, perhaps us adults can get down to the business of discussing some REAL issues...
Never by hatred has hatred been appeased, only by kindness - the Buddha
Why didn't they simply ask that the content to which they objected be removed?
Since there were no written agreements between the creator of the site and Harvard (according to the creator of the site), I find it hard to believe that Harvard had set up any rules prior to this incident regarding site content. If they want to create rules after the fact, then they should have, at the very least, given the guy an opportunity to remove whatever they objected to before permanently revoking his ability to access the server and shutting it down. It would have been *very* simple to just temporarily turn off http and ask the site creator to remove the content that they didn't like.
Harvard overreacted in an extreme way that reflects very poorly on them.
It's called mob mentality, and /. is full of it (myself included). Just follow any holy war on here. When ignorant people get religious you end up with crusades.
/. reader only made half informed emotional posts 1% (reasonable) of the time, the sheer volume of traffic on /. makes mob mentality a painful reality.
Even if every
--- A Jesus Fish eating a Darwin Fish only proves Darwin's point.
Survey says...XXX!
Living in the real world is no excuse for doing the Wrong Thing. Spreading untruth is almost always the Wrong Thing, and it is more so for Harvard.
Not only is Harvard a college, it has a valid (though disputable) claim of being the best college in the world. Harvard is in the business of education. They are in the business of dissemenating knowledge. They are in the business of dissemenating truth.
Every lie, every piece of FUD that Harvard puts out attacks their own credibility, their own reputation. Where are they without that?
--The basis of all love is respect
Most colleges and "academic environments" have official rules that cover things like this. Hackers and 3133t war3z d00dz have been around for long enough that almost every university with an internet connection has policies in place for appropriate content.
Colleges also tend to have a high level of trust. If you work for the college in any sort of technical capacity, you can get away with a lot of things, because it's assumed that you have a good reason for breaking the rules.
It's pretty common for people around here (CMU) to have vanity domains and private web servers on their work machines. It's also pretty common for people to create accounts on their machines for friends, or even put machines on the network for outside friends to play with. This is all strictly against policy, but so long as nobody complains, we don't worry about it too much.
If we were to get a letter from someone who was threatening to sue us because of the actions of someone who isn't even affiliated with the university, we'd stomp on them hard and fast. Covering our collective ass is more important than looking the other way while someone breaks the rules.
I don't know if this was the situation between Harvard and Packetstorm, but it does sound that way. Universities run on paper, and there's no way that they'd officially permit an outsider to run a machine on their network with only a verbal agreement.
Forward, retransmit, or republish anything I say here. Just don't misquote me.
http://www.zdnet.com/zdnn/stories/news/0,4586,2287 456,00.html
"Never ascribe to malice that which can be adequately ascribed to incompetence." - Some Dead Guy ;)
-- The meek shall inherit the Earth. In very small plots, about 6 feet by 3.
... In cases like this? What with the malleability of electronic information, both parties could present "evedence" to prove their own cases and no one would be the wiser? I myself believe Packetstorms side of things, but hey...
-Heckler
P.S. Pardon my newness, but whats the "FUD" in a "FUD Letter"?