July 6th - Website Defacement Day?
pabl0 writes "According to an article from SFGate.com (San Francisco Chronicle), a challenge has been posted, inviting web-site defacers to alter the content of as many web sites as possible on July 6th, with an apparent limit of 6,000 websites per contestant. Looks like this would be a good time to make sure all those web-server security patches are applied!"
frosty piss (Score:3, Insightful)
What the hell is wrong with you? This kind of coverage only causes trouble.
Hacking into servers and defacing websites is illegal, whether you like it or not. Doing things like this costs PEOPLE money.
And don't argue back with that "well Microsoft deserves to be defaced" bullshit argument, or anything of the sort. They don't deserve it anymore than you do.
Now watch me get modded down by all the haxx0r n00bz0rz with mod points.
Our tax dollars at work... (Score:3, Insightful)
NOOOO!!!! (Score:0, Insightful)
Just think of all the very bad things that could happen if this is:
1. Successful
2. Very unsuccessful
If the former, think of all the good laws that will be enacted. If the latter, people will have a who-cares attitude about network security.
Both are bad.
Stop posting articles like this... Don't feed the trolls.
what are you talking about? (Score:4, Insightful)
Slashdot has little to do with the defacement. Slashdot is simply reporting this.
Crossing the line? (Score:5, Insightful)
This seems to be little different than that example. The challenge is unethical, as far as I am concerned. July 6 is a Sunday, for one thing--in general businesses do not hold normal shifts on a weekend, so this is going to surely cause more grief than an attack on, say, a Tuesday. Moreover, if successful, this could seriously halt a lot of legitimate business, personal, and other transactions across the Internet.
Is this a call to deface Web sites, or generally screw over sysadmins who oftentimes are paid beans to begin with? Shameful.
Re:frosty piss (Score:5, Insightful)
It's a bit like Mischief Night in the UK - I don't like it, but I don't bury my head in the sand and pretend people will forget about it. Instead I take precautions - move the car out of the way, make sure my windows and doors are locked and keep the cats in. It doesn't hurt to have a security test now and then.
Let them start with the **AA sites (Score:4, Insightful)
Given that you're going to do it anyway, why not start with the RIAA, MPAA, and SCO sites. After that, any spammers anyone happens to know.
Re:what are you talking about? (Score:5, Insightful)
Nah, the San Francisco Chronicle is reporting it [sfgate.com].
Slashdot is just giving a bunch of tech-minded people a forum in which to talk about it.
Re:troubling (Score:1, Insightful)
No, for the millionth time, no. Either system has hundreds of vulnerabilities, with sysadmins too lazy to patch fully. A properly up to date MS, Linux, Unix, BSD, OSX server will be fairly free from vulnerabilities to the same extent.
If you think you're running any more secure than an MS system just because you use one of the alternatives, you're living in a "security by obscurity" dreamworld.
MS systems get attacked more as they have the critical mass worldwide to a) have more people know their faults well, and b) ensure spread of trojans.
Think
Not Necessarily (Score:3, Insightful)
Whether we like it or not, Microsoft _has_ done a better job with security now, and Windows has gotten a lot more secure nowadays. Though in my opinion, sysadmins could do a LOT more to protect their Linux systems than their Windows systems (much more stuff is configurable), it is still fact that good security doesn't mean using Open Source Software like Linux or BSD and stopping there, it requires competent sysadmins and being updated about security, as well as using patches and new versions of software.
Or, you could just use NetBSD :)
Re:frosty piss (Score:3, Insightful)
Censorship?
Or, could it be, that you are assuming that
Personally, I appreciate this information. I can now ensure that my networks are fully prepared, and monitored during the event.
I'd rather view this as a PSA.
I'd bet that any cracker that intends to participate, already knows about this.
Re:frosty piss (Score:4, Insightful)
Any company should be able to swiftly and easily restore their site from backups. If they don't have backups, they are STUPID and DESERVE what they get.
It's technological darwinism, curtailing harmless hackers just helps loopholes survive for malicious hackers to exploit. Security flaws should be pointed out and if it takes a rude awakening like a website redesign, then so be it.
Better than having your box end up participating in a worldwide DOS a year or two down the line.
Costs people money? (Score:2, Insightful)
First, these activities do not cost people money, they cost corporations money. I know, I know, this is supposed to trickle down to the individual level to where it hurts consumers. I think that the statement should be that "hacked web sites costs people time". Face it, who wants to come in on a Sunday to fix a hacked web page? Most salaried people receive no overtime for this type of work, so it costs them time. If there is any expense here, it is corporations who foot the bill, which relates to the next point...
Fixing web pages does not cost tens of thousands of dollars. A simple restore of an html page should not be perceived as an activity that puts a company into the red on a balance sheet. I still do not understand how corporations say that a cracker cost them $250,000 when someone replaces their corporate logo with Domokun. Perhaps it is because in reality this money is being spent to patch the holes they should have taken care of months ago? The headlines shouldn't say, "Hacker costs company $50,000 for hacked website!" The headline should say, "Company fails to follow basic security guidelines in patching their servers, costing their mismanaged budget $50,000."
Would I be pissed if my company's website was hacked? Yes. Would I be pissed if I had to take care of massive security holes on my Sabbath day? Yes. But would I accept the idea that it monetarily hurt my employer? No. This way of thinking needs to go.
happy! (Score:4, Insightful)
if i can replace your index.html..
i can probably replace or delete many other things. Yeah, still hacking.
Re:Crossing the line? (Score:4, Insightful)
No there aren't. There is no reasonable argument for not bringing the exploit to the vendor's attention first. There is meaningful debate over the question of what to do if the vendor chooses to ignore you or bully you, but I really don't see a good argument for alerting the world before alerting the vendor.
Re:Good idea? (Score:2, Insightful)
I don't think your average web-site defacer has ever been too concerned about the positive repercussions of his or her actions before, and I find it highly unlikely that a competition with their peers is going to jump start their sense of ethical responsibility.
A lot of people in this thread will say that a benefit of roving defacement groups is that it helps to highlight poor security. Sure - In the same way that setting people's houses alight helps to highlight the importance of changing your smoke detector batteries.
I call shenanigans. This might be a happy side-effect, but if your happy haquer was really concerned with improving security, how hard would it be to find the hole, and then mail the site admin from inside the network boundary, or leave a message somewhere apart from the frontpage and then tip off the administrator?
They could do this. But there's no bragging rights there - and that's what this is all about when you get right down to it:
To answer your question, and echo a sentiment that will probably be seen in numerous other posts in this thread, nothing positive will come from this that could not have been achieved by less disruptive, upsetting or destructive means.
As to those who said "Great, MS will bear the brunt of it", grow up. Your mean-spirited and childish attitude does you zero credit. Cracker attacks are a menace that have to be faced by all sectors of the computer community, and wishing them upon your rivals smacks of extreme poor taste ( not to mention the fact that most of the actual victims are likely to be non-technical clients of hosting companies who do not understand, wish to understand, or control their hosting solution ).
Re:frosty piss (Score:1, Insightful)
Of course, if you believe the pundits, every second a popular website is down they lose millions. Bullshit. My supermarket closes for an hour at midnight every night for computer inventory. If I want to eat, this doesn't make me any less hungry. I wait until 1:15, then bike over.
Re:What sort of prize is 500mb?? (Score:3, Insightful)
Possibility 2: The script kiddies who pull defacements are not, in fact, capable of stealing a shell account.
Probably both.
Re:frosty piss (Score:1, Insightful)
Preparations? You mean like installing all those patches and updates and locking down those open ports? In other words, stuff you should have done already anyway?
Makes me think of when the slammer hit and the patch for the exploit was months old already...
Re:Our tax dollars at work... (Score:3, Insightful)
That would, of course, be followed by hackers (real and wanna-be's alike) being arrested and thrown in prison on non-specific charges. As long as you throw in a "cyber-terrorism" somewhere in the charges, you can jail them indefinitely.
Good luck on the battle kids. Do something worth while, while you're in there. Copy the real WMD documents to the front of whitehouse.gov. Grab the Area51 documents and let the UFO knows know so they're nuts. (everyone knows aliens really drive Cadillacs)
And, if you do nothing else, show your phone phreakin' roots. Make the whitehouse red phone ring the Kremlin, just like in the old days.
OS/Distro means a lot (Score:4, Insightful)
Once I read this I was like "crap crap crap, a whole lotta patching to do"
Then I SSH'ed to my server...
And remembered I was running debian...
apt-get update && apt-get upgrade...
I suddenly feel a lot better about the few hours it took me to make the switchover.
If I were running an MS server I would probably have had a near heart-attack by now. I've never needed the
"newest-most-spectacular-greatest-ever-super
Re:Costs people money? (Score:5, Insightful)
If anything, it'll hit the "personal site" maintainer hardest, because they are the least likely to have backups, etc. If some prick hacks into a web site, deletes the original content, and puts up an "owned" site, that not only costs someone time, but also may cost them the content if they can't recover it. It's not like these script kiddies will differentiate between corporate and personal websites. Thinking that they would is just naive.
I also take particular issue with the implied concept that "my time doesn't cost anything".
Re:Costs people money? (Score:4, Insightful)
I don't know about you, but I get paid money for my time. And if I have to fix my company's web site, then it's costing my employer (who happens to be a person, not a corporation) money.
Re:frosty piss (Score:5, Insightful)
Also, I have heard rumblings of yet another MS worm run scheduled to run rampant over the 4th of July holiday weekend. (Prepare for pager meltdown MS and network admins.)
I totally appreciate the heads up. In fact I did an external port scan of my Class B today and found out that the firewall monkeys had opened incoming ftp from anywhere to key servers. If it wasn't for this new threat I probably wouldn't have bothered to rattle the door knobs before the holiday.
I'd say that everyone has fair warning. Make sure your backups are up to date and that you don't have any easily hackable services exposed. Now the only question is, "Who will be embarrassed?"
Remember folks, it's not just about defacing, it's about defacing creatively.
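The poster above found that an external port scan turned up FTP opened to the world on key servers. As an added example (not code from the thread or from any project it mentions), the script below parses the "Host: ... Ports: ..." lines that `nmap -oG -` emits and reports every open port that is not on a per-host allowlist, so the "rattle the door knobs" check can be repeated before each holiday. The scan output, hostnames and policy are constructed for the example and are assumptions.

```python
"""Flag unexpected services in nmap grepable (-oG) output.

Added example, not part of the original thread. Parses nmap's grepable
"Host:" lines and reports open ports that fall outside a per-host
allowlist. Sample scan output below is constructed, not a real scan.
"""
import re
from typing import Dict, List, Set, Tuple

# Constructed sample of `nmap -sS -oG -` output (hostnames are assumptions).
SAMPLE_SCAN = """\
# Nmap 3.30 scan initiated Fri Jul  4 09:12:03 2003 as: nmap -sS -oG - 192.0.2.0/28
Host: 192.0.2.10 (www.example.com)\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/open/tcp//https///\tIgnored State: closed (1598)
Host: 192.0.2.11 (mail.example.com)\tPorts: 21/open/tcp//ftp///, 25/open/tcp//smtp///, 110/open/tcp//pop3///, 135/filtered/tcp//msrpc///
Host: 192.0.2.12 (db.example.com)\tPorts: 21/open/tcp//ftp///, 1433/open/tcp//ms-sql-s///, 3389/open/tcp//ms-term-serv///
# Nmap done at Fri Jul  4 09:14:41 2003 -- 16 IP addresses (3 hosts up) scanned
"""

# Per-host policy (assumed): which (port, proto) pairs are meant to be
# reachable from outside. Any other open port is a finding.
ALLOWED: Dict[str, Set[Tuple[int, str]]] = {
    "192.0.2.10": {(80, "tcp"), (443, "tcp")},  # public web server
    "192.0.2.11": {(25, "tcp")},                 # inbound mail only
    "192.0.2.12": set(),                         # database: nothing external
}

# Grepable format: fields are tab-separated; the Ports field runs until the next tab.
HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)\s+Ports:\s+(.*?)(?:\t|$)")


def parse_grepable(text: str) -> Dict[str, List[Tuple[int, str, str, str]]]:
    """Return {ip: [(port, state, proto, service), ...]} for each Host line.

    Each port entry in -oG output is port/state/proto/owner/service/rpc/version.
    """
    hosts: Dict[str, List[Tuple[int, str, str, str]]] = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue  # comment lines, "Status: Up" lines, etc.
        ip, _name, ports = m.groups()
        entries = []
        for field in ports.split(","):
            parts = field.strip().split("/")
            if len(parts) < 5:
                continue
            entries.append((int(parts[0]), parts[1], parts[2], parts[4]))
        hosts[ip] = entries
    return hosts


def unexpected_exposures(text: str, allowed=ALLOWED) -> List[Tuple[str, int, str, str]]:
    """List (ip, port, proto, service) for open ports not in the host's allowlist.

    Hosts missing from the policy are treated as allowing nothing, so a new
    box that appears in the scan is reported in full rather than ignored.
    Filtered/closed ports are not findings.
    """
    findings = []
    for ip, entries in parse_grepable(text).items():
        permitted = allowed.get(ip, set())
        for port, state, proto, service in entries:
            if state == "open" and (port, proto) not in permitted:
                findings.append((ip, port, proto, service))
    return sorted(findings)


if __name__ == "__main__":
    for ip, port, proto, service in unexpected_exposures(SAMPLE_SCAN):
        print(f"{ip}\t{port}/{proto}\t{service}")
```

Run it against the saved output of a real scan (`nmap -sS -oG scan.txt ...` from a host outside the firewall) by replacing `SAMPLE_SCAN` with the file contents; the policy dictionary is the part that has to be maintained as services are added and retired.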
Re:frosty piss (Score:2, Insightful)
I wish people would stop saying this, it only encourages mods to mod up, but that's why people continue to do this. It's simple: a person rants and says, "ok mod me down now" or something similar, and they're modded way up. It's karma whoring pure and simple.
And it usually works every time. Sad.
Re:Costs people money? (Score:5, Insightful)
Let's say that just 6,000 websites are defaced. How many of those, do you think, will be Fortune 1000 corporations? And how many of them will be small businesses that may or may not be incorporated? Is it somehow evil to run a business as a corporation rather than a sole proprietorship or general partnership?
And you seem to want to have it both ways; on the one hand, large corporations somehow exaggerate what it costs to recover from a hack, and on the other hand anyone who *is* hacked is incompetent and deserves what they get.
In fact, in the unlikely event that IBM's site is defaced, it would certainly cost them hundreds of thousands of dollars.
There's a lot more to recovering from defacement than you seem to think. Hint: you are not done when you copy the original HTML page back in place.
For a large company, it means doing a massive project to determine what other systems could have been accessed using the defaced server as a middleman. And then examining those systems for signs of intrusion.
In the much more likely and frequent instances of a small business being defaced, it may or may not be financially ruinous, but it's certainly a lot more than the minor and greatly exaggerated inconvenience that you paint it as. These businesses don't have large IT staffs, and/or the technical know-how to slap themselves on the head and say "Damn! We should have installed that latest IIS hotfix."
It's an ugly situation, but it is absolutely an expensive one and has far wider repercussions than you seem to think.
Cheers
-b
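The post above makes the point that recovery is not over once the front page is copied back, and an earlier post notes that whoever can replace index.html can probably replace or delete other things too. As an added example (not code from the thread or from any product it mentions), the script below takes a SHA-256 and permission-bits baseline of every file under a document root and later reports added, removed and modified files, so the scope of what was touched is known before anything is restored from backup. The web root it builds is constructed in a temporary directory; the paths and contents are assumptions.

```python
"""Baseline and diff a web root so a defacement check covers more than index.html.

Added example, not part of the original thread. Records sha256 + mode for
every regular file under a directory, then diffs two snapshots. The sample
tree built in demo() is constructed for the example.
"""
import hashlib
import os
import tempfile
from typing import Dict, List, Tuple

Snapshot = Dict[str, Tuple[str, int]]


def hash_file(path: str) -> str:
    """SHA-256 of a file, read in chunks so large uploads do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def baseline(root: str) -> Snapshot:
    """Map relative path -> (sha256, permission bits) for every regular file under root.

    Permission bits are recorded too: a dropped script is often the only file
    that turned executable, even when its content looks harmless.
    Symlinks are skipped so a planted link cannot pull external files into the diff.
    """
    snap: Snapshot = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue
            rel = os.path.relpath(full, root)
            snap[rel] = (hash_file(full), os.stat(full).st_mode & 0o777)
    return snap


def diff_snapshots(before: Snapshot, after: Snapshot) -> Dict[str, List[str]]:
    """Return sorted lists of added, removed and modified relative paths."""
    added = sorted(set(after) - set(before))
    removed = sorted(set(before) - set(after))
    modified = sorted(p for p in set(before) & set(after) if before[p] != after[p])
    return {"added": added, "removed": removed, "modified": modified}


def demo() -> Dict[str, List[str]]:
    """Build a constructed web root, baseline it, simulate a defacement, and diff."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "cgi-bin"))
        files = {  # constructed sample content
            "index.html": b"<html><body>Welcome</body></html>\n",
            "about.html": b"<html><body>About us</body></html>\n",
            "cgi-bin/form.cgi": b"#!/usr/bin/perl\nprint \"ok\\n\";\n",
        }
        for rel, data in files.items():
            with open(os.path.join(root, rel), "wb") as f:
                f.write(data)
        before = baseline(root)

        # Simulated intrusion: deface the front page, drop a script, delete a page.
        with open(os.path.join(root, "index.html"), "wb") as f:
            f.write(b"<html><body>0wned</body></html>\n")
        with open(os.path.join(root, "cgi-bin", "cmd.cgi"), "wb") as f:
            f.write(b"#!/bin/sh\n# placeholder for the example, not a real backdoor\n")
        os.remove(os.path.join(root, "about.html"))

        return diff_snapshots(before, baseline(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        for p in paths:
            print(f"{kind}\t{p}")
```

In practice the baseline is taken on a clean deployment and stored off the web server (an attacker who can write the document root can also rewrite a manifest kept beside it); the diff then lists every file that needs to come from backup rather than only the one the defacer wanted noticed.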
Re:frosty piss (Score:5, Insightful)
Website defacements cost companies real money. It may or may not be in the oft-quoted "millions" mark, but it is certainly a non-trivial figure.
For the benefit of those not in the SysAdmin/ITAdmin/Computer Security industries, I'll give you a quick rundown as to WHY they cost money.
Any form of system compromise is a major incident. Even compromises of Bastion hosts, which we expect to be compromised at some point, cost businesses money. Your opinion stems from ignorance of the issues involved and is exactly the sort of opinion most skiddiots have - although that doesn't make you one.
Re:what are you talking about? (Score:3, Insightful)
Look at the graphic at the top of the page.
aha! (Score:4, Insightful)
It's asinine thinking like this that causes people to get hacked!
According to this article, [globetechnology.com] 76% of boxes hacked in May were Linux boxes! Only 15% were Windows machines. It's just the simple thought that "oh it's open source, so it's gotta be secure!" that gets people to not update their stuff and get hacked.
Open source security vulnerabilities are just as frequent as Msft's, even moreso. Regardless of what you're running, you need to friggin update and stay on top of the game.
Or, you could just run chroot'ed Apache on OpenBSD.*
*The above statement shows the equal tradeoff between security and speed.
Re:frosty piss (Score:5, Insightful)
Well guess what. They put the thing out there before I was hired and put a bunch of twitchy-clueless web hosting customers on it.
I got a new set of servers, got to design how it all works, all patched and good and ready to go. Know what I am waiting for? Server brackets. The boss's dad is makin em in his garage. Until then, I can't put the new ones up in the rack.
Then I get to migrate all of them-there sites to the shiney new servers and answer stupid phone calls to explain how DNS works, and explain how their ISP proxy server is fucking broken.
You think any of this is my choice? (Aside from the shiny new stuff.) Think anybody is going to stop and think "Gee, this might be patched tomorrow and it won't be a threat to anybody as a zombie then!" Nope. They won't think at all.
Your justification for web site defacement sucks. You might as well ass-rape your sister cuz she's not wearing a chastity belt. If I run across your mom, you'd better hope I don't use the same logic you do.
It's not Darwinism, it's vandalism.
I agree that there are a lot of lousy sysadmins out there, causing lots of problems by letting their machines get hacked. But you should think about how you think things should go a little bit. Maybe it would be better if you concentrated on educating those around you how to set up a web site properly, hmm?
(As for me, I hope the Spanish-speaking nitwits organizing this end up in Colombian-Federal-pound-you-in-the-ass Prison. They deserve it.)