Harvard's response to the Packet Storm incident

Harvard University News Office wrote in with their response to the whole Packet Storm ordeal. Hit the link below to read more, but it looks as if Harvard is returning the backups, but no longer hosting the site.

As a service to the Internet community, Harvard agreed to host a Packet Storm Security Website for security-related materials only. Without Harvard's knowledge, unrelated content was put on the Harvard server, including sexually-related material and personal attacks on an individual not affiliated with the University. A Harvard administrative site focused on security issues is not the forum for this type of material. We are returning the content on the site and hope that Packet Storm will make its security tools available through its own Website.

Joe Wrinn
Director, Harvard News Office
1350 Massachusetts Ave., Rm. 1060
Cambridge, MA 02138
Phone: 617-495-1585
Fax: 617-495-0754
joe_wrinn@harvard.edu

The full Jp packetstorm FUD letter

PacketStorm Is Shut Down
An AntiOnline Editorial
Thursday , July 01 1999

Apparently for some time now, PacketStorm Security, a popular underground collection of security related tools and information, has been maintaining a vast archive of
materials about AntiOnline. These materials included entire stories, copies of the weekly mailbag, e-mails, and other materials copyrighted by AntiOnline LLP.

On top of that, and what was far more serious, the site contained dozens and dozens of items which included: e-mails, messages, documents, images, and even public
surveys. These materials were libelous, and in some cases, were blatant threats against members of my immediate family, myself, and my company.

While I value the right to free speech as much, if not more, than the average American, I do not believe in individuals posting threatening and harassing documents
about another individual, and their family members. It was for this reason, and no other, that I contacted Harvard University, which was hosting the PacketStorm
Website, and requested that it be shut down. I did not threaten legal action, but simply directed University Administration to the website, for them to view, and to judge,
on their own. Below is a copy of that letter:

Greetings:

May I first say that I did my best to see that this letter got sent to the appropriate individuals. I had some difficulty determining who those individuals may be, so if I
have made an error, I would greatly appreciate it if you would forward this letter on to the appropriate individual(s).

My name is John Vranesevich, and I am the Founder and General Partner of AntiOnline LLP, a computer security company based outside of Pittsburgh, PA.

Earlier today, one of my colleagues forwarded me the following URL:

http://packetstorm.harvard.edu/jp/

Needless to say, I was shocked and outraged at what I saw. This page contains a large archive of libelous and, to put it bluntly, sick material. Everything from archives
of copyrighted material from our website, to altered pictures of my family, to 'stories' about me which contain images ranging from people engaged in homosexual
activities, to a nun that appears to be covered in seminal fluid.

I am astounded that an institution as prestigious Harvard would be party to the dissemination of this type of material. It is my hope that the University Administration
was unaware of this site, and now that it has been brought to their attention, it is my hope that it will be dealt with promptly.

I have worked to help several educational institutions develop 'Acceptable Use Policies', and if Harvard is similar to them, the above URL would be a clear violation
of that policy.

It is my hope that the above mentioned domain will be shut down immediately, and that the individual responsible will be seriously reprimanded.

I hope to hear from you soon about this matter, and what you may have done regarding it.

Yours In CyberSpace,
John Vranesevich
Founder, AntiOnline


Tonight, Ken Williams, the founder of Packet Storm Security, released a letter to the public. The letter read in part:

Funny how I spent the past few years donating my time, literally thousands of hours, to "the security community", never making even a penny off the time and work I
invested, and have now lost it all because some asshole named John Vranesevich is able to make a quick phone call, fabricate absurd stories about criminal activity
and bullshit I never did, and effectively ruin years of work, my education, my career, my life.

Ken, I know what it's like to dedicate many, many, thankless hours into a project, believe me. But, you did not loose your site because of me, you lost it because of you. I
could not stand by and watch your site be used as a platform to harass and threaten my family, myself, and the business which I have worked hard to start. While you,
and others who 'follow you' may criticize me for what I did, I think everyone that's reading this, who has family members that they love, and a career that they enjoy,
will admit to themselves that if in my shoes, they would have done at least the same. I hold absolutely no grudge towards you as a person, and I hope that you have the
best of success in all that you do.

Due to the types of threats that I have been receiving, and that sites like PacketStorm have been propagating, local law enforcement agencies were put on alert, and
began doing extensive extra patrolling of the residence of my family members, my own residence, and the AntiOnline Offices. I realize that the actions that I have taken
against PacketStorm may greatly increase the immediate threat against my family, myself, and my company; and that the harassment will now only get worse. However,
I will not allow my family, myself, nor my company to become a victim. I am standing my ground, and will continue AntiOnline's mission of putting an end to malicious
hackers.

People in this country have the right to say and do whatever they please, unless that is, what they say and do infringes on the rights of another - anonymous.

Yours In CyberSpace,
John Vranesevich
Founder, AntiOnline

An outsider's view

Here's the story as I heard it from Harvard's unofficial side of things.

They received an email about this /jp directory, so someone cruised over there, saw what was there and shut down HTTP access until things could get straightened out.

Remember, Harvard was hosting the site as a favor to the creator and the community. It WAS an extremely popular site and was sucking up huge amounts of bandwidth, but it was deemed worthwhile.

So, while the issue was being investigated, (and from what I understand, the assumption was that there'd be some discussion about removing the offending material and hopefully PacketStorm would be back up shortly) Ken started this flame attack on Harvard, and communities such as this one completely accepted what he said at face value.

Suddenly Harvard, which was trying to do a Good Thing by hosting the site, was turned into the bad guy and being flamed across the net.

So they figured "Screw this" and told Ken to take his files and find somewhere else to host the site.

There was NEVER any intention of destroying the files, and with a bit of thought you should understand why. Even if Harvard was some malicious beast in this event, they'd still want the files to back up their allegations, right?

------

I know you won't believe this, since I'm not one of you. But that's the 'unofficial' story.

This event triggered my first visit to the slashdot forums, and frankly I was stunned by how many people took Ken's letter as total truth (ie, the big organization is stomping the poor little guy angle) but when the big organization responds, they're clearly lying.

Weird

Flame away.

Huh?

[Fastolfe]

I think I've done more than enough research into this whole fiasco.

The fact is that Williams e-mailed Slashdot with his whiny story, and Slashdot went with it. They simply thought to themselves, "Wow, the evil guy with money destroyed a valuable resource!" They made no effort to look at the "other" side of the story or validate any of the things Williams said. They simply assumed that what he said was FACT. For things like factual articles, where people are offering links to *real* news sites, this is a PERFECTLY FINE way to run a news site like Slashdot, but when you get into personal things like this, you're basically posting an editorial, not objective news.

That's what I was objecting to.

I don't expect Slashdot to do its own reporting and investigating, but I DO expect them to at least TRY not to be biased or partisan when they do post things like this. The instant I read the abstract I *knew* there was a lot more to this story than what was being said. Everyone else should have been smart enough to realize this as well.

FYI I've probably read more Slashdot articles and posted more informative Slashdot comments than you ever will. Don't go tell me to "Try reading" before I post, and *especially* don't do it as an AC.

I'll have a W.O.P.R. with fries and a coke.

[Psarchasm]

Harvard took the site down because it became to controversial for them to take the time to deal with. They were doing the security community a favor and the intelligent people in the community would never fault Harvard for doing what it felt had to be done at the time.

Sure, they would be praised if they had simply contacted Packet Storms admin and told him that the offensive material would have to go or they would be forced to shut down the site. But then they would have become censors. Censoring content just doesn't seem very Harvard to me.

What they did was right. The actions they took, and the preliminary FUD they spewed merely gave them the time they needed to weigh thier options, without bringing about the wild accusations and rumors that would have flown in the face of silence.

An odd sense of right and wrong

[FreeUser]

So, let me get this strait. You contend:

1) Intelligent people will support Harvard, ergo anyone criticizing their action must be intelligence challenged(tm).

2) Censoring isn't very "Harvard", so rather than "censor" by requesting the removial of controversial materials, it is somehow more ethical and less "censorous" to go off half-cocked and delete EVERYTHING the site offered with no due process, no notification, and no opportunity for the web page maintainer to copy his material to an offsite location (their belated agreement to give him the backups after being subjected to a storm of public criticism hardly counts).

3) What harvard did was right. It was OK for them to spew FUD (untruths) because they needed "time."

4) Finally, of course, we see the success of their strategy, in the resoundling lack of accusations and outrage their lack of silence has engendered.

If I understand your arguments correctly, burning entire libraries and spreading FUD about the personal lives and actions of the libraries is OK, even noble, as to do anything less (like lock up an objectionable book) would be "censorship." Anyone objecting to the burning of said libraries would clearly be stupid, as any intelligent person in the security community would support burning the entire library over the censorship the removal of one controversial book would imply. Interesting definitions.

My My My...

[JohnnyCannuk]

Well, I've just spent the last 2 hours "hacking" through the Ken vs JP stories here on /. and I must say its really quite amusing. One group Says "yay..us HaXor doodz will destroy anti-online" and other says "hey, that's a violation of free speech! You can't do that!" another says "Yes they can!" Blah blah blah....

For me it boils down to who owns the computers - Harvard. Just as I don't have to have any program on MY computer that I don't want (are you listening MS?) Harvard doesn't have to have ANYTHING on THEIR computers that they don't want, irregardless of free speech or who owns the content. So Harvard did the right thing.

As for the rest, well, it reminds me of two 10 year olds fighting. Personally I don't thing either is telling the whole truth. JP may well just be a "wannabe" who is pumping himself up. But I have also seen some of the "evidence" published by a great many other sources that are, to say the least, laughable and and insult to the intelligence of anyone on /. It seems to me these two kids did something along time ago to each other so they now hate each other and they will battle it out anytime and in any forum. And often in war, truth is the first causalty.

Is JP a rogue bastard who is selling snake oil, making up "hacks" so he can ride in and save the day? Sure, its possible.
Its also possible that Ken has enginieered a great many of these so-called "evidence" logs and irc sessions as a disinformation/smear campaign. Either scenario is just as plausible as the other.

Frankly I don't care who is right or wrong. Both sides are indulging in Ad Homenem attacks, which is the least logical, poorly premised and misguided of all arguement. If you can't attack the aguement attack the arguer...

This is incredibly childish. I don't beleive either side. The sad part is that two fairly decent sites for getting security information (anti-code that is, not antionline) are gone (for now) and we are all losing out on information.

Now, when the teenagers are done with the pissing contest, perhaps us adults can get down to the business of discussing some REAL issues...

Re:I'll do yours first because it was scathing and

[remande]

3) What harvard did was right. It was OK for them to spew FUD (untruths) because they needed "time." Welcome to the real world. It isn't a pretty place and it hasn't been for as long as I've been alive. Harvard did what needed to be done at the time, yes.

Survey says...XXX!

Living in the real world is no excuse for doing the Wrong Thing. Spreading untruth is almost always the Wrong Thing, and it is more so for Harvard.

Not only is Harvard a college, it has a valid (though disputable) claim of being the best college in the world. Harvard is in the business of education. They are in the business of dissemenating knowledge. They are in the business of dissemenating truth.

Every lie, every piece of FUD that Harvard puts out attacks their own credibility, their own reputation. Where are they without that?

Verbal agreements and Phantom Machines

[PapaZit]

Most colleges and "academic environments" have official rules that cover things like this. Hackers and 3133t war3z d00dz have been around for long enough that almost every university with an internet connection has policies in place for appropriate content.

Colleges also tend to have a high level of trust. If you work for the college in any sort of technical capacity, you can get away with a lot of things, because it's assumed that you have a good reason for breaking the rules.

It's pretty common for people around here (CMU) to have vanity domains and private web servers on their work machines. It's also pretty common for people to create accounts on their machines for friends, or even put machines on the network for outside friends to play with. This is all strictly against policy, but so long as nobody complains, we don't worry about it too much.

If we were to get a letter from someone who was threatening to sue us because of the actions of someone who isn't even affiliated with the university, we'd stomp on them hard and fast. Covering our collective ass is more important than looking the other way while someone breaks the rules.

I don't know if this was the situation between Harvard and Packetstorm, but it does sound that way. Universities run on paper, and there's no way that they'd officially permit an outsider to run a machine on their network with only a verbal agreement.