I'll address the points brought up related to Attrition as best I can.

> > Alldas staffers believe that the U.S. military is trying to cover up
> > defacements of its websites by blocking Alldas' access to the greater
> > part of the military's network.
>
> I'm sure they are. Why not block Attrition? Attrition provided several
> services to alert administrators via email or alpha pager. AFAIK Alldas
> does not. I could be wrong as I haven't visited in a while, and am
> composing this offline.

This is very likely one reason we would have remained in 'good grace' with the military and others. There were dozens of subscribers from .mil addresses to each of our mailing lists. One of our most frequent visitors to the mirror (religiously, 4 - 6am my time) was one of the military CERT teams.

> > Security consultant Ian Davies, of Britain-based security firm
> > TechServ said that it was more likely that the U.S. military's
> > attention was drawn to the defacement mirrors last week when the news
> > of Attrition's stoppage hit the media.
>
> Nope...I'm sure the gang at Attrition can review their logs and debunk
> that theory. The mirror page at Attrition was one of the most frequently

I don't agree with that. The military has long been aware of not only the Attrition mirror, but the Safemode and Alldas mirrors as well. Us dropping the daily updates to the mirror likely had no bearing on their change.

> > I think it's quite likely that someone, some top level person, may
> > have suddenly become alerted to the existence of defacement mirrors
> > when all the media ran stories on Attrition last week, checked it out,
> > discovered that plenty of military sites had been defaced and hung in
> > the hall of shame, and decided to call a total cease fire on
> > archiving."
>
> This is entirely possible...probable even.

One difference between Alldas and Attrition was the method each used to remotely identify the operating system of the defaced web site.
Attrition would do a few checks, one of which was an NMAP scan with the -O flag. It would ONLY scan a few ports to make this guess: 22,23,25,53,80. These are all ports that would likely pass traffic through various firewalls and not raise too much alarm. From our understanding, Alldas currently (or previously) did a full NMAP portscan on each defaced system. To the military, this could easily flag as a possible 'attack' where our scan might have been labeled 'suspicious' or even 'normal' traffic. If so, the block could easily be explained.

ISN is hosted by SecurityFocus.com
---
To unsubscribe email isn-unsubscribeat_private
This archive was generated by hypermail 2b30 : Thu Jun 07 2001 - 04:17:29 PDT
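
How a perimeter sensor could tell apart the two scanning styles described in this message, as an added example that is not part of the original post: it counts the distinct destination ports each source touches on one host within a sliding time window. The log format, thresholds, addresses and function names are assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

LOW_PORTS = 10    # assumed threshold: up to this many distinct ports is a limited probe
SCAN_PORTS = 100  # assumed threshold: this many or more is treated as a full portscan

def parse(lines):
    """Group 'time src dst dport' lines into {(src, dst): [(time, port), ...]}."""
    flows = defaultdict(list)
    for line in lines:
        parts = line.split()
        try:
            event = (datetime.fromisoformat(parts[0]), int(parts[3]))
        except (IndexError, ValueError):
            continue  # skip malformed lines instead of aborting the run
        flows[(parts[1], parts[2])].append(event)
    return flows

def max_distinct_ports(events, window):
    """Peak number of distinct ports seen in any window over time-sorted events."""
    counts, left, peak = defaultdict(int), 0, 0
    for ts, port in events:
        counts[port] += 1
        while ts - events[left][0] > window:  # drop events older than the window
            old = events[left][1]
            counts[old] -= 1
            if counts[old] == 0:
                del counts[old]
            left += 1
        peak = max(peak, len(counts))
    return peak

def classify(lines, window=timedelta(seconds=60)):
    """Return {(src, dst): (peak_distinct_ports, verdict)}."""
    verdicts = {}
    for key, events in parse(lines).items():
        events.sort()
        peak = max_distinct_ports(events, window)
        verdict = "portscan" if peak >= SCAN_PORTS else "suspicious" if peak > LOW_PORTS else "low"
        verdicts[key] = (peak, verdict)
    return verdicts

def sample_log():
    """Constructed log lines (documentation addresses, not real traffic)."""
    t0, dst = datetime(2001, 6, 7, 4, 0, 0), "198.51.100.5"
    limited = [f"{(t0 + timedelta(seconds=i)).isoformat()} 192.0.2.10 {dst} {p}"
               for i, p in enumerate((22, 23, 25, 53, 80))]  # the five ports named in the message
    full = [f"{(t0 + timedelta(milliseconds=20 * p)).isoformat()} 192.0.2.20 {dst} {p}"
            for p in range(1, 1025)]  # a sweep of ports 1-1024
    return limited + full + ["garbage line"]
```

A slow scan that spreads its probes beyond the window stays under both thresholds, so the window length matters as much as the port counts.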