The following is McIntyre's response to the AntiOnline FAA article posted on
April 29, 1999. In this case, the article does not contain as much errata
as it represents a serious lack of ethics on the part of John Vranasevich
and AntiOnline.
The original article:
http://www.antionline.com/cgi-bin/News?type=antionline&date=04-26-1999&story=faa.news
From: McIntyre (McIntyre@attrition.org)
Date: Fri, 30 Apr 1999 18:05:26 -0400
Subject: JP is at it again
Skimming the AntiOnline "news" site, I couldn't help but wonder a few
things. I can understand writing an article about a cracking group
because they're causing havoc across the Web but this is ridiculous:
Read this article in it's entirety and consider the following points and
consider the questions (emphasized with a * so they can't be missed.)
1) * If the group that comromised these pages is "low profile", why
write an entire article about them?
2) Why do you write about a Web site hack....just to say it was hacked??
Talk about lacking content, anyone could have found this out.
It was posted to two mail lists I was on, well before your article.
In fact, it was Thu, 29 Apr 1999 22:08:56 before I received mail from
the AntiOnline news letter stating the article was up. In that mail, you
show the posting of the article at "Thursday, April 29, 1999 at
20:40:55".
* So you posted the article 32 minutes after mailing out about it?
3) You failed to mention that all of the most recent team spl0it hacks
were the result of a Cold Fusion exploit that has recently surfaced and
reared it's ugly head. Your article is useless to the computer security
industry. All it says is that the FAA site was cracked and who it was
cracked by.
Not only was there no mention of the way these sites were compromised,
you don't link to Phrack who posted about the bug in December, or the
l0pht(1) who recently made it more public. Worse, you don't give any
information on how to fix this bug, yet you claim AntiOnline's "primary
role" is "To educate the public on computer security related issues."(2)
* How do you expect to educate the public when you withold information
like that?
4) Do your own research. Below are two lists. The first is a list of
team spl0it hacks from JP's article. The second, a list from Attrition's
hack mirror. It also is a list of team spl0it hacks updated twice daily. I
can understand if someone used Attrition for research purposes and wrote
the results in their own fashion. Obviously the mirrored information and web
hacks we keep is not trademarked or copyrighted. However, if you compare
the two lists, it appears JP just lifted it with no editorial changes.
While some of the content is not copyrighted, the ATTRITION web pages
and collection is. This can be seen in the mirror web pages. "(This page
and all applicable content is Copyright 1999 Brian Martin)" (3).
JP's hack list:
Recreation GOV (www.recreation.gov)
Brooks AFB (xre22.brooks.af.mil)
Power Manager (www.powermanager.com)
FL State Legislature (www.leg.state.fl.us)
Health Resources and Services Administration
(www.hrsa.dhhs.gov)
LA CA US (www.ci.la.ca.us)
Tay (UK) (www.tay.ac.uk)
[snip..]
[99.04.29] [spl0it] NASA GSFC Information Systems Center (this.gsfc.nasa.gov)
[99.04.29] [spl0it] Federal Aviatiation Administration (www.faa.gov)
[99.04.29] [spl0it] Recreation.GOV (www.recreation.gov)
[99.04.28] [spl0it] Brooks AFB (xre22.brooks.af.mil)
[99.04.28] [spl0it] Power Manager (www.powermanager.com)
[99.04.28] [spl0it] FL State Legislature (www.leg.state.fl.us)
[99.04.28] [spl0it] (www.hrsa.dhhs.gov)
[99.04.27] [spl0it] LA CA US (www.ci.la.ca.us)
[99.04.27] [spl0it] Idaho State (www.state.id.us)
Why did JP miss "Idaho State (www.state.id.us)"? Probably because it was
added a few hours AFTER the AntiOnline article went up.
Another point, Jericho enjoys writing shorthand to speed up the process
of mirroring. He listed the City of LA hack as "LA CA US" instead of
writing it out. And look at JP's list same thing. Also, we haven't found
a title yet for www.hrsa.dhhs.gov. Gee, JP doesn't have a title either.
This points to blatant theft of work from the individuals maintaining
the ATTRITION Hack Mirror. While we work to present a complete mirror
for public viewing, we ask for little in return. Common courtesy or an
attempt to appear to respect that work would have been shown by a link
to the ATTRITION mirror. Instead, links to the Antionline Mirror of the FAA
hack, the AntiOnline web hack mirror, and the original FAA site. At no
point do you credit ATTRITION for its work in cross referencing the hacks,
mirroring them, and making them available to the masses.
5) Attrition's Web logs(4) show your visit to the site 25 minutes before
your article was posted. Consider that along with the original mail
notifying us of the hack, and that they apparently did NOT inform you of
it (5).
The web logs show four hits from 209.166.186.129 right before your
article went up. That IP is:
Name: dgw-vp08.sgi.net
Address: 209.166.186.129
Which is registered to:
Stargate Industries Inc (SGI2-DOM)
RD 3, Box 319B
Belle Vernon, PA 15012
Administrative Contact, Technical Contact, Zone Contact:
Stargate Industries Hostmaster (SIH-ORG)
hostmaster@STARGATE.NET
(412) 316-7827
Checking who AntiOnline gets its service from, we see:
forced ~$ traceroute www.antionline.com
traceroute to antionline.com (209.166.177.37), 30 hops max, 40 byte
packets
[snip...]
18 h5-1.br-0.ppp.cc.pa.stargate.net (208.195.209.26) 149.095 ms
214.889ms 157.63 ms
19 f0-0.cr-1.lan.cc.pa.stargate.net (209.166.164.164) 144.933 ms
163.207 ms 153.984 ms
Stargate Industries LLC (STARGATE16-DOM)
The Crane Building Suite 300, 24th Street
Pittsburgh, PA 15222
Administrative Contact, Technical Contact, Zone Contact:
Stargate Industries Hostmaster (SIH-ORG)
hostmaster@STARGATE.NET
(412) 316-7827
I think it is fair to say this was you or another AntiOnline staff
member hitting the ATTRITION site less than an hour before posting your
article.
Tsk, tsk, tsk. Even mediocre journlists give credit where credit is due.
Mcintyre
ATTRITION Web Thug :)
-- References
(1) www.l0pht.com
(2) www.antionline.com/information/introduction/antionline_overview.html
(3) www.attrition.org/mirror/attrition/
(4) 209.166.176.129 - - [29/Apr/1999:17:13:15 -0600] "GET
/mirror/attrition/sploit.html HTTP/1.1" 200 3760
"Mozilla/4.0 (compatible; MSIE 4.01; Windows 98)"
209.166.176.129 - - [29/Apr/1999:17:13:18 -0600] "GET
/mirror/attrition/image/spl0it.gif HTTP/1.1" 200 14447
"Mozilla/4.0 (compatible; MSIE 4.01; Windows 98)"
209.166.176.129 - - [29/Apr/1999:17:13:40 -0600] "GET
/mirror/attrition/www.powermanager.com/ HTTP/1.1" 200
1975 "Mozilla/4.0 (compatible; MSIE 4.01; Windows 98)"
209.166.176.129 - - [29/Apr/1999:17:13:49 -0600] "GET
/mirror/attrition/www.leg.state.fl.us/ HTTP/1.1" 200
2055 "Mozilla/4.0 (compatible; MSIE 4.01; Windows 98)"
(5)Fwd: Subject: www.faa.gov hacked
From:
To: jericho@attrition.org
Cc: webmaster@2600.com
Date: Thu, 29 Apr 1999 15:07:28 PDT