From: jericho@attrition.org
To: paulf@cnet.com
Date: Mon, 9 Aug 1999 21:31:49 -0600 (MDT)
Subject: points regarding recent article

Hi Paul,

I wanted to bring up a few points with your article here.

http://technews.netscape.com/computing/technews/newsitem/0%2C290%2C40293%2C00.html?pt.netscape.fd.hl.ne

Former hacker site changes course, gets hacked
By Paul Festa

AntiOnline late last week suffered one of its first successful attacks, which automatically redirected visitors to the hacker's site. Prior to that, AntiOnline claims it succumbed only once to its online attackers, when a denial of service attack brought the site offline for a few hours. In a denial of service attack, the attacker jams the system with a large volume of bogus queries or requests.

[This is false. AntiOnline has received several DoS attacks. This is clear from repeated complaints by users and associates who clearly noticed the site down, often for hours on end. During the worst of the attacks, the site was unreachable for almost 12 hours, not 3. Worse, it is impossible to say with 100% certainty that they (or anyone) has not been hacked. As we know, clever hackers will intrude without a sign.]

But this pair of successful attacks is no indication of the volume of hacking activity AntiOnline has been fending off recently, according to founder and general partner John Vranesevich.

"This month so far we averaged around 475 hack attempts an hour," said Vranesevich. "That's up from about 30 an hour two months ago."

[False. Have you seen the logs they provide to the users? http://www.AntiOnline.com/NetworkOperations/hacks.html From the small amount they make public, it is clear these figures are completely inaccurate. One day this page reported that 80% of the attacks they listed came from antionline.com itself, while another dozen came from fbi.gov, which we know did not happen. Because of their amateur logging and software, they interpret these results incorrectly.
Another example (from today):

000:24:46 on 8/6/1999 Nmap Scan Attempt AntiOnline.com Webserver attrition.org.

Yes, my site. Did we attack him? No. We ran NMAP to determine the OS of his web server so that we could add it to the mirror since we now track OSs. Any claims of such high numbers with little to no backing are just that. Unfounded claims.]

Now it's personal

Indeed, Vranesevich has become one of the most controversial and widely reviled figures in the hacking world. He said he has received threats to his family and himself both online and off.

[All claims of these threats are unverified. ALL claims.]

Earlier this summer, Harvard University found itself at the center of an AntiOnline controversy after Vranesevich successfully prevailed on the school to evict from its servers a Web security site called Packet Storm that Vranesevich alleged featured defamatory attacks against him and family members, including his image superimposed on pornographic images and a page with his 17-year-old sister's photo, name, and address.

[False. The page in question had a picture of his sister that was taken from another public site (http://192.204.74.15/highschool/shingas/). The image has her public picture and her name. No address. Care to see for yourself? This is the same image PacketStorm had: http://www.attrition.org/negation/image/vran.jpg .. clearly not what he claimed. Having these already public images up does not constitute a threat. Further, Ken Williams (nor anyone from PSS) had ever had a dialogue with JP, let alone threaten them.]

Harvard's decision to pull Packet Storm created an uproar among hackers. In much of the debate in

[This is a very unprofessional and biased statement. More security professionals were in an uproar over the site. Shortly after going down, Ken was flooded with mail from hundreds of security consultants and administrators offering support.]
newsgroups and on news and discussion site Slashdot.org, Vranesevich was portrayed as siding with the establishment against the grassroots hacker community.

[History. Not so long ago, the same thing was done to AntiOnline while he was hosted at PITT. When it happened, JP made a big deal about freedom of speech and rights. Yet when PSS does it, it isn't ok? Worse, Vranesevich was expelled from PITT for illegal hacking attempts and DoS attacks.]

In general, Vranesevich does not deny the trend. In fact, Vranesevich said much of his time these days is devoted to working out deals to collaborate with firms on proposals for the U.S. military's research and development arm.

[Much like his claims that AO and himself supported and helped NASA? Those claims were proven to be patently false with a single call to NASA.]

"Some of the changes we've made have made the underground unhappy," Vranesevich said. "For example, we're forming new alliances with corporations on some contracts for DARPA," the Defense Advanced Research Projects Agency.

[Business does not make the underground happy. The public statement that he would turn in the hackers he had days before offered to help and protect did. And the Knowledge Base which we will get to.]

Dangerous knowledge?

If proposing projects for the military--another favorite target among hackers--isn't enough to raise hackers' ire, Vranesevich is also causing controversy with his Knowledge Base for use by military and law enforcement personnel. A free subscription to the Knowledge Base lets subscribers access information including profiles on individual hackers and their activities.

[This is illegal activity, thus the uproar. Maintaining any commercial database on citizens of the US subjects it to laws that govern the disclosure of it. One of which the credit reporting agencies must abide by, and that is providing the people with copies of their own information/credit report. Vranesevich does not allow this.
Further, there is no guarantee what information is withheld in there. Given his past at errata, faked logs, and other mistakes, a legitimate concern of the validity of such information occurs.]

Subscribers, who have to apply for a Knowledge Base subscription on government letterhead, include members of the Army, Navy, Federal Incident Response Capability, Air Force, and Congress, according to Vranesevich.

[I have personally spoken with 3 people who subscribed to the database. They were accepted and authorized. They are STILL waiting for access to the information. To the best of anyone's knowledge, it is vaporware.]

"When we posted the Knowledge Base application form online, the hacking attempts started to rise," Vranesevich said. "There is this notion that we've sold out to other side, that we're selling information about people and they should have the right as individuals to address that information. People have called us a clandestine society forming a blacklist that the government could go after in an info-war."

[The concern isn't about selling since he claims to give it away to authorized persons. The real concerns are outlined above.]

And Vranesevich is not winning any popularity contests. One site, Attrition.org, maintains a site wholly devoted to criticizing Vranesevich and his enterprise.

[Thanks for the link ;)]

To the consternation of some critics, AntiOnline has become a fairly legitimate business for Vranesevich and his investors. Since securing venture funding six months ago, AntiOnline has lined

[Fairly legitimate? An FBI investigation into their practice of hiring and funding hackers is not legitimate. http://www.attrition.org/negation/special/ This was one of *twelve* reported cases to the Attrition staff (between us).]

up an impressive array of advertisers to keep its staff of two full-time employees and dozen freelance writers paid and keep its T-1 line and network up and running. These advertisers include VeriSign, ISS, GoTo.com, and Microsoft.
[Dozen freelance writers? Count the articles and unique writer names. Twelve is probably pushing it.]

Meanwhile, even Vranesevich's harshest critics are discovering that the hacking experience can be not only contentious, but lucrative.

"There are plans to bring back Packet Storm," Williams said. "There's corporate funding by a large corporation where I have accepted a full-time job."

[Discovering? This is very misleading. Ken Williams has been working in the networking/IT/security field for some time now. Far longer than Mr. Vranesevich has.]

In closing, it would be appreciated if you would talk to more parties before writing articles like this. Talking with anyone from attrition, neutral parties familiar with both sides, or more in depth with Ken would have brought several of my points to light.

If you have any questions in the future, please don't hesitate to mail. We (the Attrition staff) are more than willing to assist you with information.

Brian Martin