×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Cryptome Hacked; All Files Deleted

CmdrTaco posted more than 3 years ago | from the hate-when-that-happens dept.

Security 170

eldavojohn writes "Over the weekend, the whistle blowing site Cryptome was hacked and vandalized, resulting in all 54,000 files being deleted and two days worth of submissions lost. Cryptome reported that its EarthLink e-mail account was compromised in ways unknown, and once the attacker was inside there, they were able to request a new password from the administration console for Cryptome at their hosting provider, Network Solutions. Once the attacker had that password, they deleted the ~7 GB of data that Cryptome hosted in around 54,000 files. Cryptome was able to eventually restore the site, as they keep backups ready for cases like this and stated that they 'do not trust our ISP, email provider and officials to tell the truth or protect us.'"

cancel ×
This is a preview of your comment

No Comment Title Entered

Anonymous Coward 1 minute ago

No Comment Entered

170 comments

And their users... (0, Interesting)

Anonymous Coward | more than 3 years ago | (#33800398)

And their users should apparently not trust them, either.

Editing! (4, Insightful)

GuJiaXian (455569) | more than 3 years ago | (#33800400)

Holy cow, please edit the submissions before posting them.

*sigh* I'll get modded down for having the nerve to ask for a baseline of professionalism, won't I?

Re:Editing! (5, Funny)

The MAZZTer (911996) | more than 3 years ago | (#33800438)

I'm glad they reminded me it happened on the weekend, I have a short attention span and forgot by the time I reached the end of the first line.

Re:Editing! (3, Insightful)

siddesu (698447) | more than 3 years ago | (#33800614)

Professionalism? How about a baseline of a spelling, grammar and general writing skills?

/ Kill me with moderation, William "B.J." Blazkowicz, I am in a Grammar Nazi mood today.

Re:Editing! (1, Insightful)

Anonymous Coward | more than 3 years ago | (#33801124)

No, because you followed Slashdot Tip for Getting Modded Up #1: "Whine about getting modded down in your post."

Super secret password (0)

Anonymous Coward | more than 3 years ago | (#33800414)

Oh No! Someone figured out that my password was "passw0rd"! Nobody shoulda figured that one out...

Re:Super secret password (2, Insightful)

maxwell demon (590494) | more than 3 years ago | (#33800458)

Didn't they tell you to use both uppercase and lowercase letters? Had you used "Passw0rd" instead, nobody would have found out!

...what? (3, Interesting)

blhack (921171) | more than 3 years ago | (#33800422)

The real WTF here is that

A) Cryptome is running on Network Solutions
B) The email associated with the account is on *earthlink* ???
C) None of these things have been shut down.

Seriously, doesn't cryptome host some pretty shady stuff? On the same level as wikileaks, isn't it? What the hell is going on here?

Re:...what? (5, Interesting)

Xemu (50595) | more than 3 years ago | (#33800684)

I don't believe their Earthlink account was *hacked*.

http://www.skeptictank.org/hs/elcoslnk.htm [slashdot.org]">Earthlink is connected to the Scentology cult, which are known for hating free spech on the internet. If Cryptome had hosted anything remotely connected with Scientology, they would not hesitate to use that email account to hurt Cryptome.

Re:...what? (4, Funny)

curmudgeous (710771) | more than 3 years ago | (#33800882)

...Earthlink is connected to the Scentology cult...

Man, that really stinks.

Re:...what? (0)

Anonymous Coward | more than 3 years ago | (#33801204)

Didn't Anonymous protest them by hurling "Beano" at them while wearing clothespins on their masks nose?

Re:...what? (2, Insightful)

misexistentialist (1537887) | more than 3 years ago | (#33801364)

More likely Earthlink, like all ISPs, has a substandard email system. If Scientologists were involved they would have had to pay a $15000 education fee and been forced to run around a pole for 3 days for leaving the backups.

Re:...what? (1)

blantonl (784786) | more than 3 years ago | (#33801186)

The owner is an old crusty guy that lives in NYC - not that there is anything wrong with that, but he's an old school guy and, well, what you see is what you get.

Re:...what? (1)

MadAhab (40080) | more than 3 years ago | (#33802006)

Meaning, he's been getting away with not doing hotter backups this long, and isn't likely to change.

Re:...what? (0)

Anonymous Coward | more than 3 years ago | (#33801754)

Seriously, doesn't cryptome host some pretty shady stuff? On the same level as wikileaks, isn't it? What the hell is going on here?

In the US we have this thing called the first amendment. Despite all the noise people make about fraudulent DMCA take downs (which providers execute out of an abundance of caution in not wanting to lose their safe harbor and having to defend a first amendment case on behalf of their users instead of just getting summary judgment if they get sued after following the take down procedure) or various other things, you actually can't constitutionally use the law to get a site shut down because of its content unless that content is unprotected speech (libel, copyright infringement that a court determines isn't fair use, etc.). What unprotected speech can you find on cryptome? What court order to remove something have they violated?

Hmmm. (1, Redundant)

Monkeedude1212 (1560403) | more than 3 years ago | (#33800424)

stated that they 'do not trust our ISP, email provider and officials to tell the truth or protect us.'"

Just like I wouldn't trust you not to pull something like this for publicity's sake, but I guess in both cases, no one will ever know, so its moot.

Re:Hmmm. (2)

interkin3tic (1469267) | more than 3 years ago | (#33800620)

I'd expect that if it were a publicity stunt, they might mention a possible motive. As it is, I'd probably guess it's something like a bored teenager who was too lazy to scratch some vulgarity on a bathroom wall. Had they made even a tenuous conspiracy theory I might be more interested. Interested enough to click on over to cryptome anyway.

Not to say that obviously this isn't a publicity stunt because it could have been done more effectively.

i do not trust cryptome to run a secure service (1)

Michael D Kristopeit (1887500) | more than 3 years ago | (#33800428)

their infrastructure requires them to rely on people they do not trust. 2 days worth of submissions would not be lost if they did in fact "keep backups".

Earthlink? Network Solutions? (3, Insightful)

longacre (1090157) | more than 3 years ago | (#33800440)

Basically this stuff was never safe to begin with, and you're an idiot if you post anything there expecting to be anonymous.

Re:Earthlink? Network Solutions? (4, Insightful)

caffeinemessiah (918089) | more than 3 years ago | (#33800656)

and you're an idiot if you post anything there expecting to be anonymous.

Why? If I really wanted to post something anonymously, I would set up a network of proxy SSH severs paid for with prepaid debit cards (purchased using cash), change the wireless MAC on a throwaway secondhand laptop (purchased using cash off Craigslist), walk down to the local Starbucks, access my proxy setup through Tor, and then be reasonably confident that I would be able to do anything anonymously. Of course, I would only post plain text files.

So I don't really understand why you would be an idiot for expecting anonymity if you went to the pains of taking care of it.

Re:Earthlink? Network Solutions? (0)

Anonymous Coward | more than 3 years ago | (#33801856)

But how did you access Craigslist anonymously? If they get the thrown-away laptop, they could find out the IP address of the person who enquired about it on Craigslist. Hmm? Hmm?

Re:Earthlink? Network Solutions? (1)

MadAhab (40080) | more than 3 years ago | (#33802040)

Oh it's much easier than hiding behind 7 Boxxys.

Have an account on your laptop that you never use anything. Have it clean your webserver - and flash - cookies on logout.

cybercafe, post, blah blah.

Re:Earthlink? Network Solutions? (0)

Anonymous Coward | more than 3 years ago | (#33800682)

Only idiots have never used TOR. That'll be you then.

Backups for the win! (1)

Local ID10T (790134) | more than 3 years ago | (#33800444)

Seriously, back up your data. Multiple copies in multiple locations.

These guys were smart enough to keep backups (hopefully up-to-date backups) so this is nothing more than an annoyance to them, but if they hadn't it would be what we refer to around here as a resume-generating-event.

If it's worth keeping, its worth backing up.

Re:Backups for the win! (5, Insightful)

erroneus (253617) | more than 3 years ago | (#33800492)

But they weren't smart enough to mirror submissions to other servers and so two days of submissions were lost. Those two days could easily have been the target. If so, then mission accomplished.

Re:Backups for the win! (3, Insightful)

gman003 (1693318) | more than 3 years ago | (#33801378)

Quite likely, any important submissions will be resubmitted. Not all, of course, but if I had something that I felt HAD to be leaked, I would keep leaking it until it stuck.

Re:Backups for the win! (4, Interesting)

taucross (1330311) | more than 3 years ago | (#33801742)

Of course the important submissions will be resubmitted. Unless the submitter died from a suicide, or heart attack.

Laundry day (3, Funny)

zooblethorpe (686757) | more than 3 years ago | (#33801748)

...if I had something that I felt HAD to be leaked, I would keep leaking it until it stuck.

Why am I suddenly worried for the state of your laundry?

Cheers,

Re:Backups for the win! (0)

Anonymous Coward | more than 3 years ago | (#33800808)

Apparently they were not smart enough to host using their own hardware with no administrative access for anyone else. The most getting to their hoster should have given an attacker is the power to cut them off. If their hoster had access to the system: Massive Security FAIL.

Re:Backups for the win! (1)

phyrexianshaw.ca (1265320) | more than 3 years ago | (#33801058)

Apparently they were not smart enough to host using their own hardware with no administrative access for anyone else.

Apparently you don't quite understand how the majority of small sites on the internet work.

the above would make a LOT more sense if it had said:

Apparently they didn't have enough money to host using their own hardware with no administrative access for anyone else.

Re:Backups for the win! (0)

Anonymous Coward | more than 3 years ago | (#33801444)

I'm sorry, I was under the impression that we were discussing CRYPTOME, not my aunt's web site of cat pictures.

Re:Backups for the win! (1)

Facegarden (967477) | more than 3 years ago | (#33801156)

Seriously, back up your data. Multiple copies in multiple locations.

These guys were smart enough to keep backups (hopefully up-to-date backups) so this is nothing more than an annoyance to them, but if they hadn't it would be what we refer to around here as a resume-generating-event.

If it's worth keeping, its worth backing up.

Yeah, seriously. I work at a small (10 people) company, and I still have us set up with an Ubuntu server with nightly incremental backups to a second machine, as well as weekly full backups to the second machine and the server itself that go back 6 weeks. Every month I do the same thing, and keep those for 6 months. I also backup manually to an external USB drive once every month or so.

It took a bit of time out of my schedule to setup, but now it just goes, and damn if having backups isn't amazing. Our issue here is usually not one of drive failure, but of users accidentally erasing a file. They come running to me, and I can grab the most recent copy in 30 seconds.

I feel like most small businesses aren't that well-prepared, but I encourage anyone else that can to do it.
-Taylor

Re:Backups for the win! (0)

Anonymous Coward | more than 3 years ago | (#33802658)

Ubuntu server eh? I guess you don't care much for your company.

A little paranoid. (1)

LWATCDR (28044) | more than 3 years ago | (#33800446)

Your high profile site got hacked and you blame everyone else.
Well you did pick your ISP and email provider. Honestly folks might I suggest RackSpace? We use them and they have been great if a little expensive but you get what you pay for.

Re:A little paranoid. (0)

Anonymous Coward | more than 3 years ago | (#33800496)

Not a big fan of whistle-blowers?

Re:A little paranoid. (1, Interesting)

Anonymous Coward | more than 3 years ago | (#33800722)

There's whistle-blowers and whistle-blowers. Cryptome are the better sort; they are open about their agenda and show some integrity, unlike Wikileaks, who alternately demand journalistic privileges and refuse to exercise journalistic discretion, all while pursuing an explicitly anti-American agenda.

(Wikileaks fanboys: I will take that comment back the day Wikileaks releases a document that seriously hurts Russia, China, or Iran. Or pretty much anyone else other than the USA and her allies. Or indeed any country that is not a western democracy. Not holding my breath here.)

Re:A little paranoid. (1)

Anonymous Coward | more than 3 years ago | (#33800870)

I basically agree with you. The post I was replying to was clearly talking about Cryptome, not Wikileaks. You clearly haven't looked at the various Wikileaks leaks regarding Iran and China, though.

Re:A little paranoid. (3, Informative)

Anonymous Coward | more than 3 years ago | (#33800910)

Good work soldier! Wikileaks is obviously a Soviet cover operation to rape our baby seal sand sabotage the fourth of july, blow up over the woods so that to grandmothers house we can't go.

Re:A little paranoid. (1)

Anonymous Coward | more than 3 years ago | (#33801550)

Just throwing this out there. Could it be that they just never get information from Russia, China and Iran? Or if they do, they're unable to test it's validity?

Re:A little paranoid. (1)

russotto (537200) | more than 3 years ago | (#33801608)

(Wikileaks fanboys: I will take that comment back the day Wikileaks releases a document that seriously hurts Russia, China, or Iran. Or pretty much anyone else other than the USA and her allies. Or indeed any country that is not a western democracy. Not holding my breath here.)

It's easier and safer to leak documents from western democracies. And there's also the issue of news. The US or a European country does something bad, it's news. Russia, China, and Iran do something bad... well, what did you expect? They're totalitarian countries bent on world domination.

ObCarAnalogy: A Yugo breaking down on the way home from the dealership, versus your Honda doing the same.

Anyway, has Wikileaks really seriously hurt ANY country? They overestimate their own impact.

Re:A little paranoid. (2, Insightful)

Peeteriz (821290) | more than 3 years ago | (#33801774)

Wikileaks doesn't harm western democracies - they do inconvenience the administrations, but the whole concept of leaks are great for the society, citizens, and especially the democracy part; silencing leaks would harm western democracy and destroy the whole meaning of it. I don't care about Chinese government cheating their citizens - that's their problem, I want to be informed about the failures and lies of *my* officials that I elected and that affect my country. I don't want to improve country reputation by simply hiding unflattering things, I want to improve the reputation by fixing the faults. Lying to ourselves about bad stuff not happening is the domain of North Korea, not the western world.

And what do you mean about "journalistic discretion" ? The big newspapers that are following your so-called "journalistic discretion" shouldn't be allowed to call themselves journalists because of this anymore. In earlier times they did proper journalism, dug up the dirt themselves, interviewed informants, cared about their reputation of protecting the anonymity of their sources and fought for the right of publishing facts for the society, even and especially if the goverment claims to be harmed by the facts - for example, the Pentagon papers case. Now wikileaks has picked up the slack where the "journalists" are failing their role in society, and it's a shame - but a shame for the publishing industry.

Re:A little paranoid. (0)

Anonymous Coward | more than 3 years ago | (#33801994)

Good luck convincing anyone.

Wikileaks, like Cryptome is known as a place to out corruption. What you would call hurting America their fans call hurting the cancer that's actually hurting America. Still, which is the worse offense.
a: making a dangerous document available (shame on the reporter)
b: creating the situation that leads to that possibility (shame on the reportee)
If what's being covered up is worse than the danger from the released documents, keep releasing.

Some documents are possibly too dangerous to release, but who can they trust to tell them which? Certainly not the people currently in a position of power with a vested interest in derailing oversight of their own activities.

That said, I've heard wiki-leaks released 1 or more documents without redacting names of agents whose lives were then endangered. This was followed by a response that of those names, some were double agents working for Iran and others were already dead. In the end I think there was still a released name that was a problem (loyal American) but I expect their misdeeds are blown out of proportion by a government that's made it plainly clear both that they hate wikileaks specifically and oversight (of their actions) in general.

What we need is a well-supported Cryptome, Wikileaks and preferably several other such sites all well known. If any one gets too much "market share" it will be corrupted or destroyed in such a way as to look like an accident. This is too important to have all the eggs in one basket.

As for Russia, China and Iran, what can be said about them that lowers your opinion of them beyond what's already on the news? Russia used to be an insane police state and is quickly going right back to it. China is known for being a police state, plus a number of scams on businesses trying to sell to their markets. (Refusal to pay for items, stealing expensive new factories foreigners build, per the state department their government holds that any contract a Chinese citizen enters into outside of China is invalid.) Iran, crazed theocracy that routinely calls for the deaths of those who draw Mohammed. The US government is pretending to be "good guys" and gets a fair amount of help from the "legitimate" media in that regard. The other countries you mentioned already have reputations damaged seemingly beyond all repair. What should wikileaks do to embarrass them, report that the communist party leader refrained from kicking a puppy?

Wikileaks may be more self-promoting, but that is a good thing. We need corruption on everyone's mind. That's what free speech is for, specifically to bring such issues to light. As long as people are content to think "MY party wants what's best for America, that other party is trying to **** things up" and are allowed to keep deluding themselves as such, nothing changes. We need blatant examples of where both parties have done wrong paraded enough to make people consider a third party. Right now no one will vote for a non-R or D since it's not an option. The third party stands no chance. We need revelations that show that under no circumstance is either an R or a D an option.

(The above comment is meant on a national level, on the local level where less is at stake, you'll find good Rs and Ds, given the non-stop scandals on the national level though, you'd think you weren't ALLOWED to run nationally unless you had at least 3 verifiable skeletons in your closet.)

Re:A little paranoid. (0)

Anonymous Coward | more than 3 years ago | (#33800788)

But what is RackSpace's track record on controversial materials being hosted on their network. Just because they're good for some things (albeit expensive) doesn't mean they wouldnt fold the second a big company or government makes a threat of legal action. At least NetSol will not do shit without a court order. Either way, NetSol did nothing wrong. They have password recovery for a reason and is it needed for idiots. The problem comes from how the people who did this got into the earthlink account.

Not hacked! (2, Insightful)

kju (327) | more than 3 years ago | (#33800454)

The controversy about hacker vs. cracker is old and unsolved. But this case really does not warrant the use of the word "hack/hacked" under any meaning of the word whatsoever. This is a act of pure vandalism, nothing more.

Re:Not hacked! (1)

zzsmirkzz (974536) | more than 3 years ago | (#33800512)

Cryptome reported that it's EarthLink e-mail account was compromised in ways unknown

Sounds like hacking to me. The rest was exploiting the trust all providers build around your email being secure. All to pursue the end of simple vandalism.

Re:Not hacked! (0, Flamebait)

X3J11 (791922) | more than 3 years ago | (#33801524)

Sounds like hacking to me.

I do not think this word means what you think it means.

Don't feel bad, though. Thanks to popular (if technically incorrect) culture, the uninformed masses just lump everything to do with the extreme ends of computing, both good and bad, under the title "hacking".

cracking /n./

The act of breaking into a computer system; what a cracker does. Contrary to widespread myth, this does not usually involve some mysterious leap of hackerly brilliance, but rather persistence and the dogged repetition of a handful of fairly well-known tricks that exploit common weaknesses in the security of target systems. Accordingly, most crackers are only mediocre hackers.

hacker /n./

[originally, someone who makes furniture with an axe] 1. A person who enjoys exploring the details of programmable systems and how to stretch their capabilities, as opposed to most users, who prefer to learn only the minimum necessary. 2. One who programs enthusiastically (even obsessively) or who enjoys programming rather than just theorizing about programming. 3. A person capable of appreciating hack value. 4. A person who is good at programming quickly. 5. An expert at a particular program, or one who frequently does work using it or on it; as in `a Unix hacker'. (Definitions 1 through 5 are correlated, and people who fit them congregate.) 6. An expert or enthusiast of any kind. One might be an astronomy hacker, for example. 7. One who enjoys the intellectual challenge of creatively overcoming or circumventing limitations. 8. [deprecated] A malicious meddler who tries to discover sensitive information by poking around. Hence `password hacker', `network hacker'. The correct term for this sense is cracker.

The term `hacker' also tends to connote membership in the global community defined by the net (see network, the and Internet address). It also implies that the person described is seen to subscribe to some version of the hacker ethic (see hacker ethic).

It is better to be described as a hacker by others than to describe oneself that way. Hackers consider themselves something of an elite (a meritocracy based on ability), though one to which new members are gladly welcome. There is thus a certain ego satisfaction to be had in identifying yourself as a hacker (but if you claim to be one and are not, you'll quickly be labeled bogus). See also wannabee.

The Jargon File [catb.org]

The New Hacker's Dictionary [outpost9.com]

The too long, didn't read version: hackers are Good Guys, crackers are (generally) Bad Guys. Calling crackers hackers is giving them unintentional, and often unwarranted, praise. Also, stop watching crappy movies.

Re:Not hacked! (1, Troll)

hedwards (940851) | more than 3 years ago | (#33800766)

It's not unsolved, what's unsolved is the mystery of how to get people to get it right. Hacking is the generalized practice of modding things and coming up with clever technical solutions. Cracking on the other hand is applied hacking, as in applied to the practice of breaking into people's stuffs.

Re:Not hacked! (1, Informative)

Anonymous Coward | more than 3 years ago | (#33801116)

And to the general public cracking is what you do with nuts. Get over it.

vandalism, nothing more? (1)

hAckz0r (989977) | more than 3 years ago | (#33800922)

Possibly. But lets not forget that erasing all files and logs is also a good way to cover ones tracks. If the intent was to do a DoS then it was quite effective, for a while.

Its not as difficult as many might think to breach the security of a large ISP. Ask any Red Team. The IT personnel working there is probably mired by the tribulations of just trying to keep up with the little stuff, and haven't the time to build security in. Having a security 'plan' has little effect if your forward facing defence boundaries look like a piece of IP protocol Swiss cheese. It only takes one foothold inside that defence perimeter to make all the efforts of the entire IT organization look totally ineffective.

The slash and burn technique serves to cover up all sources of incriminating evidence, and better yet, hides the true motivation of the attacker unless they actually take the time to leave a message behind. You are not likely to find a trail of breadcrumbs laying around if their intent was business rather than pleasure.

Hack (5, Insightful)

Stargoat (658863) | more than 3 years ago | (#33800472)

Is a social engineering attack a hack? It sounds like someone called over to EarthLink and got an e-mail password reset. Then, once holding the e-mail account, called over to Network Solutions. This sort of thing wouldn't be difficult at all.

Re:Hack (5, Interesting)

zarozarozaro (756135) | more than 3 years ago | (#33800648)

Mod parent up. A company I used to work for used Earthlink as their provider for everything (web, email, ISP). I pretty much had to take on the IT admin role there. They had lost all of their passwords and logins. I could not believe how easy it was for me to take control of everything in ONE DAY without even getting my boss on the phone with the support guy at Earthlink. Security at Earthlink is a joke. The support people there seem to choose one piece of your information at random to verify that you are the account holder. They will often ask you to tell them your password over the phone and other similar nonsense.

Re:Hack (2, Insightful)

BobMcD (601576) | more than 3 years ago | (#33800876)

Is a social engineering attack a hack? It sounds like someone called over to EarthLink and got an e-mail password reset. Then, once holding the e-mail account, called over to Network Solutions. This sort of thing wouldn't be difficult at all.

FYI - 'Hacking' never is, never has been, and likely never will be. The kind of amazing tricks you're imagining under that term lie within the realm of security research, espionage, etc. 'Hackers' are, by definition, hobbyists, and hobbyists are generally doing it for the love of the game, for the fun of it, etc. The guys doing the stuff that might actually amaze you are being PAID to do so. Otherwise they'd give it up and move on to something easier, until such time as nothing easier actually exists. So you say that exploiting a social gap isn't '1337' enough to make the grade? How is utilizing a published Windows exploit any better? SQL injection? Nobody buy nobody is divining their own security-breaking code from tiny mystical oracles found at the bottom of Mountain Dew cans.

In short, the movie 'Hackers' bears zero resemblance on reality.

Re:Hack (2)

fostware (551290) | more than 3 years ago | (#33801298)

In short, the movie 'Hackers' bears zero resemblance on reality.

Huh?

The bulk of the leadup to a hack involved sifting through logs, dumpster diving, and social engineering (like the eidetic memory delivery guy or asking A/H guy what the phone number was on the label).
The fancy graphics and the ZOMG! 486! were all Hollywood, but there were some moments the scriptwriters didn't screw up beyond recognition.

Besides, I still own my 'Man in a pink shirt' book ^_^

In b4... (-1, Flamebait)

Anonymous Coward | more than 3 years ago | (#33800506)

In before Julian Assange releases yet another paranoid statement about how the US government is clearly out to smear him by hacking Cryptome and then somehow blaming it on him. Because he's not suggesting they did that, but... you know, the timing is awful suspicious.

And, in before a thousand idiot Slashdotters proclaim that it's probably the government shutting down Cryptome as a test run to kill WikiLeaks, and stating that "The Afghan War Diaries" contain all the evidence they need to show that this is just more nefarious government activity to anybody who's not a complete, you know, sheeple LOL.

Re:In b4... (0)

JonySuede (1908576) | more than 3 years ago | (#33801250)

sheeple LOL sheeple LOL sheeple LOL sheeple LOL sheeple LOL

Re:In b4... (1)

JonySuede (1908576) | more than 3 years ago | (#33801584)

always lock your workstation before leaving ....

Re:In b4... (0)

Anonymous Coward | more than 3 years ago | (#33802584)

always lock your workstation before leaving ....

What would be the least embarrassing; explaining to your boss that you weren't the one who just sent that e-mail to him, or explaining to your boss that the names you just called him is merely a statement of opinion rather than a statement of fact?

Ownership (1)

Demonantis (1340557) | more than 3 years ago | (#33800528)

If "they" have the physical machine, they own your data. You have to live with the consequences of relying on that third party. Unfortunately that is how the internet and most of society works. We hope that there are mechanisms and governing bodies in place that are trustworthy and reliable.

Re:Ownership (1)

AHuxley (892839) | more than 3 years ago | (#33801350)

Yes unless you go for something like
http://www.macminicolo.net/facility.html
Send in x number of Mac Minis and load them with OpenBSD, Linux ect.

Re:Ownership (1)

X0563511 (793323) | more than 3 years ago | (#33802734)

That's called colocation, and it doesn't mean shit.

Joe random tech can yank your drive, boot with an external kernel with init=/bin/sh or whatever, do nefarious things, put it all back up, and claim a power outage or whatever.

Unless it's sitting in your facility or your access control (locked cage with no raised floor, you have only keys) then it isn't secured.

Unless you use full disk encryption, in which case driving in to boot your servers will get old. IPKVMs or other workarounds = keylogger = pointless.

I like your Mac bullshit too. Nobody uses Macs for hosting... they are too expensive for what you get. I think I've seen probably one, ever. I didn't even realize Apple made rackmount equipment before that. As well, anyone who knows what they are doing isn't going to put desktop-type equipment into a datacenter role... any time I've ever seen this it spelt nothing but trouble, and when trouble eventually came around, it was made evident the owner didn't have a damn clue as we had to do -everything- for them.

Professional vs. Amateur Hour (4, Insightful)

cdrguru (88047) | more than 3 years ago | (#33800602)

A professional organization that knows its web presence is its life is going to have a bit better setup than a server that someone else (Network Solutions in this case) has control over. The right solution is a co-located server that is controlled exclusively by the organization. The hosting company doesn't need to have any passwords. They are also going to have their email processed by their own server and not be relying on an ISP for anything at all except connectivity.

However, a completely amateur operation is going to use shared virtual hosting because it is cheaper and the hosting company will be doing backups for them. And controlling passwords. And all other security. Oh, and using a non-domain based email setup from an ISP.

I guess it is pretty obvious into which category Cryptome falls, right?

Yes, it would cost $2000 a year or more for a co-located server whereas shared virtual hosting is dirt cheap.

Re:Professional vs. Amateur Hour (4, Insightful)

twoallbeefpatties (615632) | more than 3 years ago | (#33800816)

[A] completely amateur operation is going to use shared virtual hosting because it is cheaper and the hosting company will be doing backups for them. And controlling passwords... I guess it is pretty obvious into which category Cryptome falls, right?

Being a non-profit organizatino, Cryptome's status as a professional organization or an amateur organization probably depends on the size of their donation base. For a website group trying to get by on a shoestring budget... well, maybe this little stunt will help them raise awareness to get the donations for a better server setup. (Not that I actually know the size of their donation base, and maybe they do have enough money for that sort of setup and they're just stingy/stupid.)

Re:Professional vs. Amateur Hour (2, Interesting)

c (8461) | more than 3 years ago | (#33801016)

Using virtual hosting might be intentional. A lot of people don't particularly like them. Including agencies of the US government. By running their site on a shared box with hundreds (thousands?) of others, they're a little more protected against the infamous "just take the whole server" attack. Also, it gives them more money to allocate to bandwidth costs, which as I understand it are pretty high.

Re:Professional vs. Amateur Hour (1)

Fulcrum of Evil (560260) | more than 3 years ago | (#33802554)

What makes you think the cops would care? They haven't shown much restraint in the past.

Re:Professional vs. Amateur Hour (1)

c (8461) | more than 3 years ago | (#33802668)

I said "a little more protected", not invulnerable. If it makes them think twice or is enough for a judge to hold up a warrant or, heck, it's enough to generate some publicity over it, then it's better than nothing.

More likely, Young just doesn't give a shit. The kinds of people he's afraid of are just going to sniff his passwords from his brain through a weak point in his tinfoil hat, so why pay extra for security or reliability.

Re:Professional vs. Amateur Hour (0)

Anonymous Coward | more than 3 years ago | (#33801202)

Co-location if you claim to not trust anyone? Meh. What about physical security?

No, you buy three bunkers, one in an independent country with strong civil liberties tradition, one in the US, one in Iran. You hook up via satellite and optical cable to a host of kidnapped proxies. Then you setup a VPN to copy data between them. Then you host the anti-US stuff in Iran and serve it to the proxies outside of the US, the anti-Iran stuff in the US and serve it to proxies outside of Iran, your business server in the independent country and don't serve that via proxy.

Zombified Russian ex-specnaz military guards everywhere for security, custom-built computers from custom-built chips are also essential.

$2000 a year you say? More like $20,002,000.

You can never be too safe if you're cryptome.org.

Re:Professional vs. Amateur Hour (1)

ducomputergeek (595742) | more than 3 years ago | (#33801978)

Or in between. We have our servers managed by our hosting company. We don't have root control, but they maintain the PCI compliance and honestly we've not had a problem in years that wasn't solved in less than 10 minutes via phone. We have RAID 5, they do back ups, but we have back ups of the db and critical files done nightly and SFTPed to a box back at the office, which is then backed up to tape once a week and every monday morning that tape is taken to a safe deposit box at our bank. Every month we pull out a random tape and see if we can restore on a test system.

But trusting your backups only to your hosting company is stupid.

Old school (5, Informative)

0xdeadbeef (28836) | more than 3 years ago | (#33800610)

Cryptome was cool before Wikileaks made it mainstream. And John Young is the original gangsta, so you know he got backups. Bitches don't know about all the backups he has.

Re:Old school (0)

Anonymous Coward | more than 3 years ago | (#33800718)

Cryptome was cool before Wikileaks made it mainstream. And John Young is the original gangsta, so you know he got backups. Bitches don't know about all the backups he has.

Word!

Re:Old school (0)

Anonymous Coward | more than 3 years ago | (#33801336)

> Word!

Big or little-endian?

Re:Old school (0)

Anonymous Coward | more than 3 years ago | (#33801612)

And, he handed many a legal and corporate punk his and her a** on several, probably many, occasions.

Thank your damned admin! (1)

tqk (413719) | more than 3 years ago | (#33800618)

And give him a raise! If you're back up, he did his job, superlatively.

Demmit.

EarthLink? They're still alive? (1)

commodore64_love (1445365) | more than 3 years ago | (#33800708)

I once had an account with them, back in the 33k days. Also Erols. I guess these old services never truly die..... they just fade away.

Re:EarthLink? They're still alive? (1)

jimmydigital (267697) | more than 3 years ago | (#33802688)

Yes earthlink is still alive.. and when time warner rolls out consumption based billing (as they are doing right now) you will probably end up a customer of earthlink since by paying them for the same internet service over cable.. you can avoid the extra charges that cbb will cost you.

Wired Reporter to be Subpoenaed (3, Interesting)

savanik (1090193) | more than 3 years ago | (#33800746)

And Cryptome is now saying that a Wired reporter contacted them [cryptome.org] after having spoken with a hacker claiming responsibility for the attack.

Which they responded to with a threat of a subpoena, and publishing news about it before the reporter, after they told the reporter they wouldn't? ... er. Way to burn bridges, guys? Seriously, I understand free speech and using reporters as sources, but I don't think reporters are going to be too gung-ho about reporting your findings later after this.

Re:Wired Reporter to be Subpoenaed (4, Interesting)

RapmasterT (787426) | more than 3 years ago | (#33800862)

Well, if someone told me they had knowledge of a person who had committed a very serious crime against ME, but were refusing to share that information with me, then I wouldn't honestly feel the slightest obligation towards them either. I'd tell them whatever they wanted to hear to get the maximum information out of them.

AND I'd try to get that subpoena too. The First Amendment guarantees freedom of the press, but it doesn't guarantee freedom from subpoena. An ethical journalist would go to jail in contempt of court before giving up a confidential source, but since journalism has abandoned most of the principles of old, I wouldn't count on that happening.

and so you will chase away the information source (1)

circletimessquare (444983) | more than 3 years ago | (#33802738)

and the crime against you will go unpunished

i'm not saying that you have no right to seek out the information source about the crime against you, i'm saying your tactics suck

what you do is you let the information source speak, and you ask the reporter for more information. you make up false reasons for why the information source is wrong, forcing the information source to prove they actually are genuine. or you keep them talking, until they make a mistake, and they reveal themselves

you set a fire, and you smoke them out, THEN you pounce

but if you run into the initial situation yelling subpoena, the source clams up, and your strong arm tactics only wind up hurting yourself, because now you can't hunt down the criminal

Re:Wired Reporter to be Subpoenaed (0)

Anonymous Coward | more than 3 years ago | (#33801400)

They also published her number with the email. Leak!

Re:Wired Reporter to be Subpoenaed (1)

russotto (537200) | more than 3 years ago | (#33802256)

The way Young reports it, he had the conversation with Zetter and _at the end_ she asked him to not report it. He responded "sure" but didn't say what tone of voice he used. She then pointed out that he always reported interviews, so it's clear she didn't really expect him to keep it quiet. I'm not sure why Young is so pissed at Wired. Just because the vandal went and bragged to them after the fact doesn't make Wired "complicit" as he claims.

SSH FTW (2, Interesting)

MichaelSmith (789609) | more than 3 years ago | (#33800762)

Its the only CMS I use on my servers. Mercurial for version control over ssh. Update my sites with hg push. Hooks on the receiving side to run hg up and rebuild if required. SSH can be configured to require certificates only for authentication. Desktop environments all integration with ssh-askpass or similar.

Colo vs Home Server vs Virtual Machine, and backup (1)

m.dillon (147925) | more than 3 years ago | (#33800928)

Well, it just goes to show you get what you pay for. From the point of view of security Colo is probably the best, but running a server on a static IP from home is likely the most cost effective. Virtual hosting is dirt cheap but worthless for any serious operation. VMs tend to be configured minimally and ISPs mash them all together using shared resources so performance is all over the place. It's pretty easy to brick an OS running in a VM due to the minimal memory configuration it is typically given.

And backups... well, there are lots of choices there. There is no need to lose more than the most recent 60 seconds worth of modifications if you run a near-real-time streaming backup off the site. Something like DragonFly + HAMMER can do just that (and here is my unashamed advertising of DFly :-)).

Also... only 8G of data? That's it?

-Matt

Re:Colo vs Home Server vs Virtual Machine, and bac (3, Insightful)

phyrexianshaw.ca (1265320) | more than 3 years ago | (#33801160)

Also... only 8G of data? That's it?

how much data do you expect them to host? it's not like they store multi GB long videos of events or anything.

Re:Colo vs Home Server vs Virtual Machine, and bac (0)

Anonymous Coward | more than 3 years ago | (#33802284)

I'll plug some more; here's the entry on Wikipedia [wikipedia.org]

If you're an old timer who used to get Fish library disks (yes mailed out on 3.5" floppies!) on the Amiga I'm sure you'll remember who Matt Dillon is.

YUO FAILc It (-1, Offtopic)

Anonymous Coward | more than 3 years ago | (#33801018)

the top. Or were, if *BSD is to notwithstanding, This post brought it a break, if for the record, I are about 7000/5 many of us are While the project

Can't you write properly? (0)

Anonymous Coward | more than 3 years ago | (#33801094)

Why you Americans can't write?

"Cryptome reported that it's EarthLink e-mail account..."

it's? It is???

maybe this motivates the admins to do their job (0)

Anonymous Coward | more than 3 years ago | (#33801230)

"two days worth of submissions lost" .lame. The 'hackers' did crytome a favor - I hope the cryptome admins are embarrassed enough by this to fix it, they have no one to blame but themselves.

Re:maybe this motivates the admins to do their job (1)

zerro (1820876) | more than 3 years ago | (#33801548)

not really familiar with Cryptome, so I'll go ahead and start bashing! It's hard to imagine that they didn't have something as basic as 2-factor auth on admin/shell/etc if they are touting that they host sensitive data of any kind... just reeks of "doing it wrong"

horrible grammar in summary (0)

Anonymous Coward | more than 3 years ago | (#33801872)

"Cryptome reported that it's EarthLink e-mail account was compromised..."

I'd expect this sort of thing in the comments, but in the summary? Really?

Back 'n up (1)

erica_ann (910043) | more than 3 years ago | (#33802254)

textbook perfect example of why everyone should make a backup.

Hard to say where to draw the line though.. every day, every two days? ever 12 hours?? To each their own.

I just like seeing that there WAS a backup used here. I see too many people without backups used at all. Two days would be a miracle for so many people.

YOu FAIL IT (-1, Redundant)

Anonymous Coward | more than 3 years ago | (#33802622)

Love of two is it a break, if the above is far '*BSD Sux0rs'. THis sure that I've hooby. It was all
Load More Comments
Slashdot Account

Need an Account?

Forgot your password?

Don't worry, we never post anything without your permission.

Submission Text Formatting Tips

We support a small subset of HTML, namely these tags:

  • b
  • i
  • p
  • br
  • a
  • ol
  • ul
  • li
  • dl
  • dt
  • dd
  • em
  • strong
  • tt
  • blockquote
  • div
  • quote
  • ecode

"ecode" can be used for code snippets, for example:

<ecode>    while(1) { do_something(); } </ecode>
Sign up for Slashdot Newsletters
Create a Slashdot Account

Loading...