FC: More on Taliban website hack, apparently not a hoax

From: Declan McCullagh (declanat_private)
Date: Sat Sep 15 2001 - 00:03:06 PDT

    **********
    
    From: Jonathan Byron <geodigestat_private>
    Reply-To: geodigestat_private
    Organization: geodigest
    To: Declan McCullagh <declanat_private>
    Subject: Re: Taliban Website Hack - A Hoax ??
    Date: Fri, 14 Sep 2001 19:54:37 -0400
    In-Reply-To: <5.0.2.1.0.20010914172037.00a86070at_private>
    
    As pointed out by several people, at some point in my analysis, I confused
    the sites at taleban.org and taleban.com.  The logic in my previous letter is
    severely flawed, and I apologize for the oversight.  I withdraw my previous
    conclusions, and have no reason to believe the hack was a hoax.
    
    Jonathan Byron
    
    **********
    
    From: [name removed by request --DBM]
    To: Declan McCullagh <declanat_private>
    Subject: Re: FC: Was Taliban website "hack" a hoax?
    In-Reply-To: <5.0.2.1.0.20010914171935.00a9da00at_private>
    
    Hello,
    
    I don't know if it's important to know this, but through friends of mine
    who work for Interland (the hosting company that hosted taleban.com), they
    have disabled the site intentionally.  Internal emails from the CEO (Joel
    Kocher) indicate they violated the Interland AUP.  Looking at their AUP, I
    don't know what, in particular, they could have been doing in violation.
    
    I looked at the google.com cache and saw the evidence of the hack, so I
    had assumed they really disabled it to avoid embarrassment over being
    hacked.  Too late :)  It's not uncommon practice in big hosting companies
    and ISPs to simply disable a site that has been hacked until you can patch
    it or address the insecurity.
    
    Personally, I do not like the precedent of disabling a site simply because
    its content or its owners are somehow offensive.  Interland is free to do
    business--or not to do business--with whomever it wants, but denying
    business to a group of people based on political affiliation, that kind of
    scares me.
    
    However, if they really only disabled the site because of a security
    concern, that's another story.
    
    Again, this probably isn't of much interest.  However, if you do wish to
    quote me, could you not use my name?  I used to work for HostPro before
    they merged with Interland.  I resigned on good terms with them several
    months ago but I'm worried they might not like me emailing you...
    
    **********
    
    Date: Fri, 14 Sep 2001 18:22:37 -0400
    To: declanat_private
    From: Brian McWilliams <brian@pc-radio.com>
    Subject: Re: FC: Was Taliban website "hack" a hoax?
    In-Reply-To: <5.0.2.1.0.20010914171935.00a9da00at_private>
    
    Declan,
    
    Kudos to Jonathan for questioning whether taleban.com is registered by a 
    Taliban, but I don't think there's any question the site was hacked 
    repeatedly since March by someone using the handle RyDen.
    
    Mirrors from Safemode's archive pulled from Google's cache (Safemode &
    Alldas are being DDoS'ed):
    
    March 24:
    
    http://www.google.com/search?q=cache:s-5qD7hQTMM:www.safemode.org/mirror/2001/03/24/www.taleban.com/++%22www.taleban.com%22+site:safemode.org&hl=en
    
    July 14:
    
    http://www.google.com/search?q=cache:cldJ9wiutlM:www.safemode.org/mirror/2001/07/14/www.taleban.com/++%22www.taleban.com%22+site:safemode.org&hl=en
    
    Note also that in his analysis he seems to have inadvertently switched
    between discussing taleban.ORG and taleban.com. The two appear to be
    registered to different people and are hosted by different ISPs.
    
    Brian
    
    **********
    
    Date: Sat, 15 Sep 2001 08:28:25 +0200
    From: Pawel Krawczyk <kravietzat_private>
    To: Declan McCullagh <declanat_private>
    Subject: Re: FC: Was Taliban website "hack" a hoax?
    Message-ID: <20010915082825.C345at_private>
    References: <5.0.2.1.0.20010914171935.00a9da00at_private>
    Mime-Version: 1.0
    Content-Type: text/plain; charset=iso-8859-2
    Content-Disposition: inline
    Content-Transfer-Encoding: 8bit
    In-Reply-To: <5.0.2.1.0.20010914171935.00a9da00at_private>
    
    On Fri, Sep 14, 2001 at 05:20:36PM -0400, Declan McCullagh wrote:
    
     > Recent claims that the official Taliban website was hacked should be met
     > with suspicion.   The page at www.taleban.com has changed frequently over
     > the past few days, but I have cached it a few times at: <a
     > href="http://64.128.176.121:80/nuke/html/article.php?sid=10&mode=&order=0">The
     > Pacific Rim Weblog</a>.
    
    Declan, explanation for this is quite simple:
    
    $ dig a www.taleban.com
    
    www.taleban.com.        900     IN      A       127.0.0.1
    
    So everyone will see something different every time they look at
    the page, but it won't be any Taleban page definitely, until you
    are Taleban yourself...
    
    -- 
    Paweł Krawczyk *** home: <http://ceti.pl/~kravietz/>
    security: <http://ipsec.pl/>  *** fidonet: 2:486/23
    
    **********
    
    
    
    
    -------------------------------------------------------------------------
    POLITECH -- Declan McCullagh's politics and technology mailing list
    You may redistribute this message freely if you include this notice.
    Declan McCullagh's photographs are at http://www.mccullagh.org/
    To subscribe to Politech: http://www.politechbot.com/info/subscribe.html
    This message is archived at http://www.politechbot.com/
    -------------------------------------------------------------------------
    



    This archive was generated by hypermail 2b30 : Sat Sep 15 2001 - 00:23:28 PDT