Permalink
Cannot retrieve contributors at this time
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
556 lines (532 sloc)
26.7 KB
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <HTML> | |
| <HEAD><TITLE>Mirror Notes</TITLE> | |
| </HEAD> | |
| <BODY BGCOLOR="#000000" TEXT="#FFFFFF" LINK="#FF0000" VLINK="#C0C0C0" ALINK="#FF0000"> | |
| <p> | |
| <p> | |
| <div align="center"><FONT SIZE="6"><B>General Information and Disclaimer</B></FONT></div> | |
| <hr noshade> | |
| The Attrition mirror strives to archive defaced sites with no change. When viewing the mirror, it is | |
| important to understand a few things about it. This page serves to provide all the details | |
| about the mirror, give warnings, and a general disclaimer.<br> | |
| <p> | |
| <font size="+1"><center> | |
| <a href="#read_me_script_kiddy">Warning and General Disclaimer</a><br> | |
| <a href="#how">How do you mirror? How do you hear of defacements?</a><br> | |
| <a href="#who">Who gets notified of defacements?</a><br> | |
| <a href="#why">Why do you notify those people?</a><br> | |
| <a href="#stats">Statistics</a><br> | |
| <a href="#mass">What is a 'mass hack'?</a><br> | |
| <a href="#comments">Hidden Comments in Defacements</a><br> | |
| <a href="#vuln">Why don't you report the vulnerability?</a><Br> | |
| <a href="#other">Other Flags</a><br> | |
| <a href="#articles">Articles Accompanying Mirrors</a><br> | |
| <a href="#lamer">Redefacing</a><br> | |
| <a href="#abbrev">Operating System Abbreviations</a><br> | |
| <a href="#linking">Linking To Us</a><br> | |
| <a href="#linking">Dynamic linking to last 10 defacements</a><br> | |
| <a href="#remove">Will you remove a site from the mirror?</a><br> | |
| <a href="#ref">Who References This Mirror?</a><br> | |
| <a href="#contact">Contacting Us</a><br> | |
| </center></font> | |
| <p> | |
| <hr noshade> | |
| <p> | |
| <a name="read_me_script_kiddy"><u>Warning and General Disclaimer</u><br></a> | |
| <br> | |
| What is a defacement?<br> | |
| <br> | |
| A web defacement is when the content of a public web page is altered by someone other | |
| than the legitimate person responsible for the machine or pages. This is regardless | |
| of reasons or motivation. In simple terms, if someone types a URL into their browser | |
| and sees anything but the legitimate page, this is a defacement. One factor that is | |
| often forgotten by some (defacers) is that the page must be seen by legitimate users | |
| for it to be a defacement. Web surfers do not view IP addresses, obscure named servers | |
| that had nothing but a default IIS or Apache page, etc. We make the decision of what | |
| to mirror based on whether we think there is already legitimate traffic to the machine | |
| that has been reported to us. Therefore, s3k128nsdl39.state.home.com type machines will | |
| not be mirrored. People simply do NOT type that into their browser. Just the same, | |
| people do not type in 208.225.201.200 into their browser either. So if an IP does | |
| not resolve, it isn't a valid defacement.<br> | |
| <br> | |
| Defacing is not about getting your name up on this mirror as often as possible. If that | |
| is your intent, we may refuse to post your mirrors on our page. We will keep track | |
| of them for statistics, but we will not help you use us as a glory board. Running precanned | |
| scripts against thousands of hosts an hour is NOT hacking. You are NOT cool. No one is | |
| impressed with you. It is sad enough that most defacements are done with skills exhibited | |
| in zoo trained monkeys. <br> | |
| <br> | |
| How we work: | |
| <ul> | |
| <li>Mail defacement notification to <strike>hacked-at-attrition.org</strike>, <b>NOT</b> defaced@.</li> | |
| <li>Send ONE mail with all the domains if it is a mass hack. Do NOT mail us once per domain. Do not send multiple | |
| copies of the same mail reporting the same defacement, we only need ONE copy. Do not blame whatever crappy mail | |
| system you are using either. If it is that bad, switch providers.</li> | |
| <li>Do not tell us who hacked it, the web server version, or what operating system it was. We can figure that out all by ourselves.</li> | |
| <li>Mirrors are taken and left 'as is'. <a href="stupid.html">Broken links and broken images</a> stay broken. | |
| We will not fix sloppy HTML coding. We verify in lynx, so ALT tags do wonders.</li> | |
| <li>We will not 'remirror' a defacement after changes have been made to it.</li> | |
| <li>Do not tell the staff about hacks in advance. We are obligated <b>by law</b> to share that information | |
| with the appropriate agency. We don't want or need to know in advance.</li> | |
| <li>Credit is given based on what the defaced page says. Do not mail us saying you defaced the domain. | |
| Not only are you admitting to a felony, we will only go by what the page says.</li> | |
| <li>We do not mirror hacks unless <b>WE</b> verify them. If we don't see it in some fashion, | |
| it didn't happen as far as this mirror goes.</li> | |
| <a name="breakout"><li>Do not ask for group or individual breakout pages. Those are done at <b>OUR</b> convenience, or at | |
| the request of journalists, security types or law enforcement.</li></a> | |
| <li>Changing one line on 10 domains is not a mass hack, even if it is ten different machines. <b>WE</b> determine what is | |
| considered a mass hack and what is not.</li> | |
| <li>We only mirror main page defacements. If the defacement doesn't show after we put "www.defaced.com" | |
| in our little browser thingy, then it isn't defaced. We do not mirror: | |
| <ul> | |
| <li>hacked personal pages (domain.com/~username). | |
| <li>vanity domains such as the ones provided by 8m.com, dyndns.org, tzo.com or other vanity redirects. | |
| <li>free site pages (sitename.freeservers.com). | |
| <li>'signature' files (domain.com/hacked.txt). | |
| <li>IP Addresses. The IP must resolve. | |
| <li>"always on" machines | |
| <ul> | |
| <li>cable modems (cx123456-a.abc1.bamd.home.com, cpe-012-123-234-234.phoenix.speedchoice.com, etc) | |
| <li>DSL boxes (adsl-92-101-102-103.dsl.snfc21.pacbell.net, jdoe1.dsl.concentric.net, etc) | |
| <li>student machines (e1234.sn.mit.edu, com00-123.medicine.some.edu, etc) | |
| <li>employee machines (user-200b8m.biz.mindspring.com, pc123.company.co.jp, etc) | |
| </ul> | |
| <li>message board hacks (including PHP-Nuke) | |
| <li>servers that previously did not offer http (dns.site.com, mail.co.com, ftp.our.com, etc) | |
| </ul></li> | |
| <li>If you deface sites just to appear on this mirror, grow up and get a life.</li> | |
| </ul> | |
| <p> | |
| Disclaimer:<br> | |
| <ul> | |
| <li>ATTRITION does not support or endorse any product. For those of you who have received <b>BLATANT SPAM</b> | |
| from WANNABE security companies that prey on sites listed on the mirror, we have nothing to do with them. | |
| They are spamming based off our mirror without our consent. If you wish to talk with the staff about | |
| security consulting, we are more than willing to talk. Mail <a href="mailto:bmartin-at-attrition.org">Brian | |
| Martin</a> for more information.</li> | |
| <li>These mirrors are preserved for posterity and history. There is no reason to debate semantics of | |
| archiving these. We do NOT encourage this activity any more than criminal psychologists condone the | |
| activities of the ones they study. ATTRITION.ORG does <b>NOT</b> condone hacking, compromising system | |
| security, or the defacement of web pages.</li> | |
| <li>Various <a href="/stats/neat_government_visitors.txt">government</a>, | |
| <a href="/stats/neat_military_visitors.txt">military</a>, and law enforcement groups visit this site | |
| religiously. Some have said this site is a *valuable* resource for their investigations. We have also | |
| been informed that information from this mirror has been used in court as evidence against hackers.</li> | |
| <li>This is NOT a "hacker" server. This is an "information" server. How YOU choose to view or use this | |
| information determines what the server is. For those of you misguided souls that ask "What side of the | |
| fence are they on?", we are a security site. Just because we don't use obnoxious graphics and 'holier | |
| than thou' wording doesn't mean we are hackers.</li> | |
| <li>ATTRITION staff wants secure hosts on the internet. Therefore we provide security information to | |
| assist admins reach that goal. We even answer email and help them out before AND after they have been | |
| compromised.</li> | |
| <li>We are not in league with the people who hacked your site. We receive email about the hacks and we | |
| verify them. Once verified we use 'wget' to archive the hack. Sometimes this happens quickly if the | |
| mirror admins are reading their email. That only shows we are quick, <b>NOT</b> in league with anyone. | |
| Do not mail us asking for copies of the mail sent to us. We will provide it with a subpoena only. Why? | |
| If we provide it without question, people stop notifying us of defaced servers. Our statistics and | |
| mirror lose potency and more people than yourself lose out. The needs of the many...</li> | |
| <li>Please see the general ATTRITION <a href="http://www.attrition.org/attrition/warn.html">DISCLAIMER | |
| AND WARNING</a>.</li> | |
| <li>If you have a problem or question, mail <b>US</b> first. Give us a chance to respond before you go | |
| whining to our upstream. In case you weren't aware, there is a sort of | |
| <a href="http://www.attrition.org/~jericho/works/misc/chain_of_command.html">Chain of Command</a> | |
| for complaints.</li> | |
| </ul> | |
| <br> | |
| <p> | |
| <hr noshade> | |
| <p> | |
| <a name="how"><u>How do you mirror? How do you hear of defacements?</u><br></a> | |
| Many people ask how we learn of the defacements, especially so quickly. In most cases, the person(s) | |
| responsible for the defacement send mail to hacked@attrition.org with a domain name and sometimes | |
| a piece of the page. The staff members of Attrition receive this mail and take the mirror as soon as | |
| we can. Sometimes this comes seconds after the defacement occured. To take the mirror, we use a custom | |
| utility called <i>aget</i> that utilizes NMAP, wget, and other tools to copy the information needed. | |
| <i>aget</i> will use three methods to determine the remote operating system and web server, take | |
| a copy of the hacked page, and immediately post to the <a href="/security/defaced.html">defaced mail list</a>. | |
| Between once and several times a day, one of the staff members updates the actual mirror most people are | |
| familiar with.<br> | |
| <br> | |
| Timeline of events:<br> | |
| <ul> | |
| <li>We receive warning of a defaced site, usually by e-mail or IRC.<br> | |
| <li>We verify that the site is defaced.<br> | |
| <li>We run our custom utility 'aget' that mirrors the defacement.<br> | |
| <li>The 'aget' utility <a href="letter.txt">mails</a> the Internic contacts of the domain warning them of the defacement.<br> | |
| <li>We post the mirror to the archive later in the day.<br> | |
| </ul> | |
| <p> | |
| <hr noshade> | |
| <p> | |
| <a name="who"><u>Who gets notified of defacements?</u><br><a> | |
| Our <i>aget</i> utility automatically sends <a | |
| href="http://www.attrition.org/mirror/attrition/letter.txt">notification</a> of the | |
| defacement to the Internic contacts of the defaced site. <i>aget</i> also | |
| sends <a href="http://www.attrition.org/mirror/sample.html">email</a> to | |
| the <a href="http://www.attrition.org/security/defaced.html">defaced | |
| mailing list</a>. The email sent to the defaced mailing list includes | |
| publically available information, such as the name that was tagged on the | |
| defaced page, the operating system and server software of the defaced | |
| site, and other such information that was available on the defaced page | |
| itself. That same mail is also sent to the National Infrastructure | |
| Protection Center (NIPC), a division of the FBI, as well as to the | |
| appropriate Computer Emergency Response Team (CERT), based on country. | |
| The email sent to <strike>defaced-at-attrition.org</strike> (and also to NIPC and the relevant | |
| CERT) does -not- contain personal information, the email address or email | |
| headers of the person who notified us of the defacement, information on | |
| how we were contacted or informed of the defacement, or any other data | |
| that was not already public information at the time of the defacement. In | |
| order for law enforcement to obtain that information, we must receive a | |
| federal subpoena. | |
| <p> | |
| <p> | |
| If you are a defacer and are concerned about this, simply take privacy matters | |
| into your own hands. Don't mail us from providers that report your IP | |
| address in the mail headers. Don't include anything in the mail that claims | |
| you were responsible -- we do not ever make the assumption that the person who | |
| notified us was responsible for the defacement. Use some common sense, take | |
| some basic protective measures. Alternately, don't deface web pages if you | |
| don't want people knowing you've owned their server. | |
| <p> | |
| <hr noshade> | |
| <p> | |
| <a name="why"><u>Why do you notify those people?</u><br><a> | |
| Various reasons. We notify the Internic contact of the defaced domain | |
| because we feel it's the ethical thing to do. We notify NIPC to help with | |
| their crime statistics, and because we are obligated by law to do so, lest we | |
| be implicated in the crime as well. We notify the relevant CERT for similar | |
| reasons. | |
| <p> | |
| <p> | |
| The crux of this, however, comes back to the same reason we won't <a | |
| href="http://www.attrition.org/mirror/attrition/notes.html#remove">remove</a> | |
| a site from the mirror. Attrition's mirror does not exist for the | |
| glorification of defacers or the ridicule of administrators. Attrition's | |
| mirror is a service for historical understanding of trends in defacements | |
| and a tool for statistical gathering. A defacement is a public incident. | |
| By defacing a web page, a system intruder makes it public knowledge that | |
| the server in question is owned. Attrition disseminates and records | |
| public information about a web site's defacement. | |
| <p> | |
| <p> | |
| What happens from there comes down to the skills of the defacer, the | |
| administrator, and law enforcement...and does not pertain to us. | |
| <p> | |
| <hr noshade> | |
| <p> | |
| <a name="stats"><u>Statistics</u><br></a> | |
| One purpose of this archive is to help generate useful and interesting statistics on hacker activity. | |
| As time progresses, we will begin to track more and more statistics. These range from how many domains | |
| are defaced a day, how many each group has done, how many use obscenity, and more. If you have | |
| suggestions for statistics we can generate to help you, feel free to mail us.<br> | |
| <p> | |
| <hr noshade> | |
| <p> | |
| <a name="mass"><u>Mass Hack</u><br></a> | |
| Many systems virtually host other domains. Some large companies host thousands of | |
| domains on a single machine. Often times when intruders compromise the machine, they will | |
| change not only the main corporate page, but all hosted pages as well. This is known as a | |
| 'mass hack' and involves two or more domains. Typically, these defacements occur so the | |
| same altered page is found on each virtually hosted domain.<br> | |
| <p> | |
| <hr noshade> | |
| <p> | |
| <a name="comments"><u>Hidden Comments</u><br></a> | |
| HTML allows you to embed comments into the code. This is done with a special tag that looks like | |
| <!-- comment -->. Hackers often use this to leave a 'hidden' message. To see these, use your | |
| browser to "view source".<br> | |
| <p> | |
| <hr noshade> | |
| <p> | |
| <a name="vuln"><u>Why don't you report the vulnerability?</u><br></a> | |
| People often ask why we don't list the vulnerability in the site. While it is true that we often | |
| have a good idea what was vulnerable and exploited based on the operating system and pattern of | |
| the hackers, we absolutely will <b>NOT</b> provide this information on the mirror. If we post this | |
| information after a defacement, it gives anyone viewing our mirror the site and vulnerability, | |
| with no guarantee the hole has been patched. In essence, we would effectively be pointing out | |
| <b>STILL</b> exploitable vulnerabilities in a system. The liability and legal implications of | |
| this are obvious. This combined with the the vulnerability still being <b>speculation</b> is | |
| plenty of reason not to include it. However, administrators contacting us from the defaced domain | |
| (or from NIC contact addresses) are welcome to, and we will be glad to share our speculation and | |
| offer advice on fixing the problem.<br> | |
| <p> | |
| <hr noshade> | |
| <p> | |
| <a name="other"><u>Other Flags</u><br></a> | |
| <br> | |
| <b><u>K</u></b> - Kevin: Many defaced pages include some sort of reference to the 'Free Kevin' movement. For more information | |
| on this, visit <a href="http://www.freekevin.com/">www.freekevin.com</a>.<br> | |
| <br> | |
| <b><u>B</u></b> - Banking Institution<br> | |
| <br> | |
| <b><u>S</u></b> - Computer Security related<br> | |
| <br> | |
| <b><u>N</u></b> - News Outlet</br> | |
| <br> | |
| <b><u>P</u></b> - Police or law enforcement<br> | |
| <br> | |
| <b><u>R</u></b> - Church or religious institution<br> | |
| <br> | |
| <b><u>X</u></b> - Adult Oriented Site<br> | |
| <br> | |
| <b><u>Y</u></b> - Youth Organizations (Scouts, etc)<br> | |
| <br> | |
| <b><u>*</u></b> - <a href="/security/commentary/">Attrition Commentary</a><br> | |
| <br> | |
| <p> | |
| <hr noshade> | |
| <p> | |
| <a name="articles"><u>Articles Accompany Mirror</u><br></a> | |
| As we learn about news articles that cover defacements, we include them along with the mirror. This | |
| column indicates we link to more information on the defacement. If you find any articles that you | |
| feel we missed, please don't hesitate to mail us about them.<br> | |
| <p> | |
| <hr noshade> | |
| <p> | |
| <a name="lamer"><u>Redefacing</u><br></a> | |
| The act of redefacing domains is probably the most pathetic thing that can be done in the | |
| script kiddy world. Because of our concerns that people use our mirror to find vulnerable | |
| domains and redeface pages shortly after they are reported here, we are no longer | |
| reporting redefaced domains. We <b>WILL</b> continue to mirror them and factor them | |
| into our statistics, but they will not be listed on our main mirror.<br> | |
| <p> | |
| <hr noshade> | |
| <p> | |
| <a name="abbrev"><u>Operating System Abbreviations</u><br></a> | |
| The OS column indicates what OS was being used during the time of defacement. If an abbreviation | |
| isn't listed here, then it has not been encountered to date. Monthly | |
| <a href="http://www.attrition.org/mirror/attrition/os.html">stats</a> have been generated.<br> | |
| <p> | |
| <table align="left" cellpadding="5" cellspacing="0" border="0"> | |
| <tr> | |
| <td>Ax</td> | |
| <td width="200"><a href="http://www.ibm.com/servers/aix/">AIX</a></td> | |
| <td>Bf</td> | |
| <td><a href="http://www.freebsd.org/">FreeBSD</a></td> | |
| </tr> | |
| <tr> | |
| <td>Bo</td> | |
| <td><a href="http://www.openbsd.org/">OpenBSD</a></td> | |
| <td>Bn</td> | |
| <td><a href="http://www.netbsd.org/">NetBSD</a></td> | |
| </tr> | |
| <tr> | |
| <td>BI</td> | |
| <td><a href="http://www.bsdi.com/">BSDI</a></td> | |
| <td>HP</td> | |
| <td><a href="http://www.hp.com/">HPUX</a></td> | |
| </tr> | |
| <tr> | |
| <td>Ir</td> | |
| <td><a href="http://www.sgi.com/">IRIX</a></td> | |
| <td>So</td> | |
| <td><a href="http://www.sun.com/solaris/">Solaris</a></td> | |
| </tr> | |
| <tr> | |
| <td>NT</td> | |
| <td><a href="http://www.microsoft.com/">Windows (NT/Win95/98)</a></td> | |
| <td>OS</td> | |
| <td><a href="http://www.digital.com/products/operating_systems.html">Digital OSF1</a></td> | |
| </tr> | |
| <tr> | |
| <td>Sc</td> | |
| <td><a href="http://www.sco.com/">SCO</a></td> | |
| <td>MO</td> | |
| <td><a href="http://www.apple.com">MacOS</a></td> | |
| </tr> | |
| <tr> | |
| <td>DG</td> | |
| <td><a href="http://www.digital.com/products/operating_systems.html">Digital UNIX</a></td> | |
| <td>MX</td> | |
| <td><a href="http://www.apple.com/macosx/server/">MacOSX</a></td> | |
| </tr> | |
| <tr> | |
| <td>Bp</td> | |
| <td><a href="http://www.powerbsd.org">Power BSD</a></td> | |
| <td>Li</td> | |
| <td><a href="http://www.linux.org">Linux (unknown distribution)</a></td> | |
| </tr> | |
| <tr> | |
| <td>Lr</td> | |
| <td><a href="http://www.redhat.com">Linux (RedHat)</a></td> | |
| <td>Ls</td> | |
| <td><a href="http://www.slackware.org">Linux (Slackware)</a></td> | |
| </tr> | |
| <tr> | |
| <td>Lu</td> | |
| <td><a href="http://www.suse.org">Linux (SuSE)</a></td> | |
| <td>Lc</td> | |
| <td><a href="http://www.caldera.com">Linux (Caldera)</a></td> | |
| </tr> | |
| <tr> | |
| <td>Lm</td> | |
| <td><a href="http://www.linux-mandrake.com">Linux (Mandrake)</a></td> | |
| <td>Lb</td> | |
| <td><a href="http://www.cobalt.com">Linux (Cobalt)</a></td> | |
| </tr> | |
| <tr> | |
| <td>La</td> | |
| <td><a href="http://www.alzzalinux.com/">Linux (ALZZA)</a></td> | |
| <td>Ld</td> | |
| <td><a href="http://www.debian.org/">Linux (Debian)</a></td> | |
| </tr> | |
| <tr> | |
| <td>NW</td> | |
| <td><a href="http://www.novell.com">NetWare</a></td> | |
| <td>C6</td> | |
| <td><a href="http://www.unix.digital.com/">Compaq Tru64 Unix</a></td> | |
| </tr> | |
| <tr> | |
| <td>UN</td> | |
| <td>Generic Unix</td> | |
| <td>2k</td> | |
| <td><a href="http://www.microsoft.com/windows2000/">Windows 2000</a></td> | |
| </tr> | |
| <tr> | |
| <td>Su</td> | |
| <td>SunOS</td> | |
| <td>Lv</td> | |
| <td><a href="http://www.vinelinux.org/">Vine Linux</a></td> | |
| </tr> | |
| <tr> | |
| <td>Lt</td> | |
| <td><a href="http://www.conectiva.com.br/">Conectiva Linux</a></td> | |
| </table> | |
| <br clear="left"> | |
| <br> | |
| <p> | |
| <p> | |
| <hr noshade> | |
| <p> | |
| <a name="linking"><u>Linking To Us</u><br></a> | |
| You may have seen sites like <a href="http://www.hackernews.com/">HNN</a>, | |
| <a href="http://www.securityfocus.com/">SecurityFocus</a>, or | |
| <a href="http://www.ntsecurity.net/">NTSecurity Net</a> linking directly to the mirrors here. | |
| We offer no front end to do this. The sites doing this have implemented their own front end solutions | |
| to offer their viewers the links. We fully encourage sites to do this, but we only offer | |
| third party utilities to do this. Media outlets, feel free to link to us to support your story. Link directly | |
| to the mirror and/or to our main site. Direct credit is not required, but appreciated. | |
| <p> | |
| Other sites that utilize 'recent' links: <a href="http://www.mindsec.com/">MindSec</a>, | |
| <a href="http://portal.cyberarmy.com/">Cyber Army</a>, | |
| <a href="http://www.antionline.com/eye/">AntiOnline Eye</a>, | |
| <a href="http://www.interrorem.com/news/">Interrorem News</a><br> | |
| <br> | |
| <a href="/tools/src/nph-attrition1.pl">nph-attrition1.pl</a> by webmaster-at-cyberarmy.com<br> | |
| <a href="/tools/src/nph-attrition2.pl">nph-attrition2.pl</a> by bansh33-at-r00tabega.com<br> | |
| <a href="/tools/src/nph-attrition.cgi">nph-attrition.cgi</a> by webmaster-at-cyberarmy.com<br> | |
| <a href="/tools/src/nph-attrition.php">nph-attrition.php</a> by Max-at-Wackowoh.com<br> | |
| <a href="/tools/src/nph-attrition.py">nph-attrition.py</a> by mystik-at-twoteeth.net<br> | |
| <p> | |
| <hr noshade> | |
| <p> | |
| <a name="remove"><u>Will you remove a site from the mirror?</u></a><br> | |
| On several occasions, Attrition has been asked if we will remove a | |
| mirrored defacement. In many cases, a site's administrator feels that | |
| since the defacement has been removed from the original site and the | |
| security hole has been patched, it's only appropriate that the mirror of | |
| the site come down as well.<br> | |
| <br> | |
| While this is certainly understandable, Attrition will not remove mirrors | |
| of legitimately defaced web pages. There are several reasons for this -- | |
| primarily, Attrition's mirror is a service to the security community, just | |
| as a news outlet is. We report on defaced sites. As part of our | |
| reporting, we gather statistics, serve as a record, and even act as | |
| evidence.<br> | |
| <br> | |
| Attrition's statistics, for instance, are a very valuable part of the | |
| service we provide. Our staff are widely quoted in news media on the | |
| subject of web page defacement and current trends in intrusion, and we | |
| have been invited to speak at security conferences on the subject. We are | |
| the most comprehensive and widely-known source for reporting web page | |
| defacements, and not surprisingly the statistics we generate are valuable. | |
| To remove a legitimate defacement at the admin's request compromises the | |
| integrity of our statistics, as we are no longer preserving the original | |
| data on which our statistical conclusions are drawn...and through such | |
| action, that part of our service becomes worthless.<br> | |
| <br> | |
| Attrition's defacement mirror also acts as a historical record of | |
| defacements over time. It can only serve its function if it remains an | |
| unadultered, unabashed, and unalterable historical record. By making an | |
| exception for one site, we would open ourselves to doing the same for all | |
| sites -- we would allow any mirror to be removed by simple request, and | |
| the historic nature of this database and the information it preserves | |
| would be irrevocably meaningless.<br> | |
| <br> | |
| Moreover, our defacement mirror is often utilized by law enforcement | |
| agencies during the course of an investigation. Not only could the | |
| removal of a site's defacement in our mirror conceivably be construed as | |
| destruction of evidence, it would also render our mirror an unreliable | |
| source of information for law enforcement in general. This also ties into | |
| the historical and statistical value of the mirror, since both facets of | |
| this service are valuable to law enforcement.<br> | |
| <br> | |
| Most importantly, though, is our ethical stance on the subject -- what our | |
| mirror means to us. We feel that the security of the Internet itself is | |
| the responsibility of those who use it, and each individual server that is | |
| open to attack is a liability to the Internet as a whole. Too many | |
| web sites, for fear of bad public relations, go to great lengths to keep | |
| security incidents secret...often greater lengths than are taken to | |
| actually secure their servers. This has far-reaching consequences if the | |
| site is a commercial one with paying customers whose data may be at risk | |
| to unauthorized access. If a site has been compromised and defaced, we | |
| feel it is irresponsible to sweep the incident under the carpet as if it | |
| had not happened. To remove a defacement would, we feel, violate our own | |
| ethical stance regarding this tendency to hide or deny security incidents.<br> | |
| <br> | |
| That said, we do understand and sympathize with the administrators of | |
| defaced servers. If we can assist in any way with the recovery or | |
| security of a defaced site, we're glad to help; simply notify | |
| <a href="mailto:staff-at-attrition.org">staff-at-attrition.org</a>.<br> | |
| <p> | |
| <hr noshade> | |
| <p> | |
| <a name="ref"><u>Who References This Mirror?</u><br></a> | |
| A number of news organizations utilize this mirror for statistics, reference, and articles: | |
| <a href="http://www.abcnews.go.com/">20/20</a>, | |
| <a href="http://www.ap.org/">Associated Press</a>, | |
| <a href="http://www.news.com/">CNet News.com</a>, | |
| <a href="http://singapore.cnet.com/">Singapore CNet</a>, | |
| <a href="http://www.boston.com/">Boston Globe</a>, | |
| <a href="http://www.cnn.com/">CNN</a>, | |
| <a href="http://www.currents.net/">Currents/Newsbytes</a>, | |
| <a href="http://www.dallasnews.com/">Dallas News</a>, | |
| <a href="http://www.deandreis.it/">Deandreis (IT)</a>, | |
| <a href="http://www.ecommercetimes.com/">E-Commerce Times</a>, | |
| <a href="http://www.geeknews.net/">Geek News</a>, | |
| <a href="http://www.heise.de/">Heise (DE)</a>, | |
| <a href="http://www.ireland.com/">Irish Times</a>, | |
| <a href="http://www.c4i.org/isn.html">ISN</a>, | |
| <a href="http://www.maximumpc.com/">Maximum PC</a>, | |
| <a href="http://www.msnbc.com/">MSNBC</a>, | |
| <a href="http://www.nettavisen.no/">Nettavisen (NO)</a>, | |
| <a href="http://www.networkcomputing.com/">Network Computing</a>, | |
| <a href="http://www.newsbytes.com/">Newsbytes</a>, | |
| <a href="http://www.newstrolls.com/">News Trolls</a>, | |
| <a href="http://nit.nikkeibp.co.jp/">Nikkei Business Publication</a>, | |
| <a href="http://www.zdnet.com/">ZDNet PCWeek</a>, | |
| <a href="http://www.planet.nl/">Planet (NL)</a>, | |
| <a href="http://www.prosieben.de/">Prosieben (DE)</a>, | |
| <a href="http://www.theregister.co.uk/">The Register</a>, | |
| <a href="http://www.sun.com/">Sun Microsystems</a>, | |
| <a href="http://www.tecchannel.de/">Tec Channel (DE)</a>, | |
| <a href="http://www.usatoday.com/">USA Today</a>, | |
| <a href="http://www.usnews.com/">US News</a>, | |
| <a href="http://www.winmag.com/">WinMag</a>, | |
| <a href="http://www.wired.com/">Wired</a>, | |
| <a href="http://dailynews.yahoo.com/">Yahoo News</a>, | |
| <a href="http://www.zdnet.com/zdtv/">ZDTV</a>, | |
| <a href="http://www.zdnet.com/">ZDNet</a> | |
| <p> | |
| <hr noshade> | |
| <p> | |
| <a name="contact"><u>Contacting Us about the Mirror</u></a> | |
| <ul> | |
| <li><strike>hacked-at-attrition.org</strike> - To report defaced servers.</li> | |
| <li>staff-at-attrition.org - All other <b>friendly</b> mirror inquiries.</li> | |
| <li>jericho-at-attrition.org - All other <b>hostile</b> mirror inquiries.</li> | |
| <li>comega-at-attrition.org - All other <b>hostile</b> mirror inquiries requiring armed response.</li> | |
| </ul> | |
| <br> | |
| </BODY> | |
| </html> |