The following is McIntyre's response to the AntiOnline FAA article posted on April 29, 1999. In this case, the article does not contain as much errata as it represents a serious lack of ethics on the part of John Vranasevich and AntiOnline. The original article: http://www.antionline.com/cgi-bin/News?type=antionline&date=04-26-1999&story=faa.news From: McIntyre (McIntyre@attrition.org) Date: Fri, 30 Apr 1999 18:05:26 -0400 Subject: JP is at it again Skimming the AntiOnline "news" site, I couldn't help but wonder a few things. I can understand writing an article about a cracking group because they're causing havoc across the Web but this is ridiculous: Read this article in it's entirety and consider the following points and consider the questions (emphasized with a * so they can't be missed.) 1) * If the group that comromised these pages is "low profile", why write an entire article about them? 2) Why do you write about a Web site hack....just to say it was hacked?? Talk about lacking content, anyone could have found this out. It was posted to two mail lists I was on, well before your article. In fact, it was Thu, 29 Apr 1999 22:08:56 before I received mail from the AntiOnline news letter stating the article was up. In that mail, you show the posting of the article at "Thursday, April 29, 1999 at 20:40:55". * So you posted the article 32 minutes after mailing out about it? 3) You failed to mention that all of the most recent team spl0it hacks were the result of a Cold Fusion exploit that has recently surfaced and reared it's ugly head. Your article is useless to the computer security industry. All it says is that the FAA site was cracked and who it was cracked by. Not only was there no mention of the way these sites were compromised, you don't link to Phrack who posted about the bug in December, or the l0pht(1) who recently made it more public. Worse, you don't give any information on how to fix this bug, yet you claim AntiOnline's "primary role" is "To educate the public on computer security related issues."(2) * How do you expect to educate the public when you withold information like that? 4) Do your own research. Below are two lists. The first is a list of team spl0it hacks from JP's article. The second, a list from Attrition's hack mirror. It also is a list of team spl0it hacks updated twice daily. I can understand if someone used Attrition for research purposes and wrote the results in their own fashion. Obviously the mirrored information and web hacks we keep is not trademarked or copyrighted. However, if you compare the two lists, it appears JP just lifted it with no editorial changes. While some of the content is not copyrighted, the ATTRITION web pages and collection is. This can be seen in the mirror web pages. "(This page and all applicable content is Copyright 1999 Brian Martin)" (3). JP's hack list: Recreation GOV (www.recreation.gov) Brooks AFB (xre22.brooks.af.mil) Power Manager (www.powermanager.com) FL State Legislature (www.leg.state.fl.us) Health Resources and Services Administration (www.hrsa.dhhs.gov) LA CA US (www.ci.la.ca.us) Tay (UK) (www.tay.ac.uk) [snip..] [99.04.29] [spl0it] NASA GSFC Information Systems Center (this.gsfc.nasa.gov) [99.04.29] [spl0it] Federal Aviatiation Administration (www.faa.gov) [99.04.29] [spl0it] Recreation.GOV (www.recreation.gov) [99.04.28] [spl0it] Brooks AFB (xre22.brooks.af.mil) [99.04.28] [spl0it] Power Manager (www.powermanager.com) [99.04.28] [spl0it] FL State Legislature (www.leg.state.fl.us) [99.04.28] [spl0it] (www.hrsa.dhhs.gov) [99.04.27] [spl0it] LA CA US (www.ci.la.ca.us) [99.04.27] [spl0it] Idaho State (www.state.id.us) Why did JP miss "Idaho State (www.state.id.us)"? Probably because it was added a few hours AFTER the AntiOnline article went up. Another point, Jericho enjoys writing shorthand to speed up the process of mirroring. He listed the City of LA hack as "LA CA US" instead of writing it out. And look at JP's list same thing. Also, we haven't found a title yet for www.hrsa.dhhs.gov. Gee, JP doesn't have a title either. This points to blatant theft of work from the individuals maintaining the ATTRITION Hack Mirror. While we work to present a complete mirror for public viewing, we ask for little in return. Common courtesy or an attempt to appear to respect that work would have been shown by a link to the ATTRITION mirror. Instead, links to the Antionline Mirror of the FAA hack, the AntiOnline web hack mirror, and the original FAA site. At no point do you credit ATTRITION for its work in cross referencing the hacks, mirroring them, and making them available to the masses. 5) Attrition's Web logs(4) show your visit to the site 25 minutes before your article was posted. Consider that along with the original mail notifying us of the hack, and that they apparently did NOT inform you of it (5). The web logs show four hits from 209.166.186.129 right before your article went up. That IP is: Name: dgw-vp08.sgi.net Address: 209.166.186.129 Which is registered to: Stargate Industries Inc (SGI2-DOM) RD 3, Box 319B Belle Vernon, PA 15012 Administrative Contact, Technical Contact, Zone Contact: Stargate Industries Hostmaster (SIH-ORG) hostmaster@STARGATE.NET (412) 316-7827 Checking who AntiOnline gets its service from, we see: forced ~$ traceroute www.antionline.com traceroute to antionline.com (209.166.177.37), 30 hops max, 40 byte packets [snip...] 18 h5-1.br-0.ppp.cc.pa.stargate.net (208.195.209.26) 149.095 ms 214.889ms 157.63 ms 19 f0-0.cr-1.lan.cc.pa.stargate.net (209.166.164.164) 144.933 ms 163.207 ms 153.984 ms Stargate Industries LLC (STARGATE16-DOM) The Crane Building Suite 300, 24th Street Pittsburgh, PA 15222 Administrative Contact, Technical Contact, Zone Contact: Stargate Industries Hostmaster (SIH-ORG) hostmaster@STARGATE.NET (412) 316-7827 I think it is fair to say this was you or another AntiOnline staff member hitting the ATTRITION site less than an hour before posting your article. Tsk, tsk, tsk. Even mediocre journlists give credit where credit is due. Mcintyre ATTRITION Web Thug :) -- References (1) www.l0pht.com (2) www.antionline.com/information/introduction/antionline_overview.html (3) www.attrition.org/mirror/attrition/ (4) 209.166.176.129 - - [29/Apr/1999:17:13:15 -0600] "GET /mirror/attrition/sploit.html HTTP/1.1" 200 3760 "Mozilla/4.0 (compatible; MSIE 4.01; Windows 98)" 209.166.176.129 - - [29/Apr/1999:17:13:18 -0600] "GET /mirror/attrition/image/spl0it.gif HTTP/1.1" 200 14447 "Mozilla/4.0 (compatible; MSIE 4.01; Windows 98)" 209.166.176.129 - - [29/Apr/1999:17:13:40 -0600] "GET /mirror/attrition/www.powermanager.com/ HTTP/1.1" 200 1975 "Mozilla/4.0 (compatible; MSIE 4.01; Windows 98)" 209.166.176.129 - - [29/Apr/1999:17:13:49 -0600] "GET /mirror/attrition/www.leg.state.fl.us/ HTTP/1.1" 200 2055 "Mozilla/4.0 (compatible; MSIE 4.01; Windows 98)" (5)Fwd: Subject: www.faa.gov hacked From: To: jericho@attrition.org Cc: webmaster@2600.com Date: Thu, 29 Apr 1999 15:07:28 PDT