Politech mailing list archives

FC: More on Taliban website hack, apparently not a hoax


From: Declan McCullagh <declan () well com>
Date: Sat, 15 Sep 2001 03:03:06 -0400


**********

From: Jonathan Byron <geodigest () telocity com>
Reply-To: geodigest () telocity com
Organization: geodigest
To: Declan McCullagh <declan () well com>
Subject: Re: Taliban Website Hack - A Hoax ??
Date: Fri, 14 Sep 2001 19:54:37 -0400
In-Reply-To: <5.0.2.1.0.20010914172037.00a86070 () mail well com>

As pointed out by several people, at some point in my analysis, I confused
the sites at taleban.org and taleban.com.  The logic in my previous letter is
severely flawed, and I apologize for the oversight.  I withdraw my previous
conclusions, and have no reason to believe the hack was a hoax.

Jonathan Byron

**********

From: [name removed by request --DBM]
To: Declan McCullagh <declan () well com>
Subject: Re: FC: Was Taliban website "hack" a hoax?
In-Reply-To: <5.0.2.1.0.20010914171935.00a9da00 () mail well com>

Hello,

I don't know if it's important to know this, but through friends of mine
who work for Interland (the hosting company that hosted taleban.com), they
have disabled the site intentionally.  Internal emails from the CEO (Joel
Kocher) indicate they violated the Interland AUP.  Looking at their AUP, I
don't know what, in particular, they could have been doing in violation.

I looked at the google.com cache and saw the evidence of the hack, so I
had assumed they really disabled it to avoid embarrassment over being
hacked.  Too late :)  It's not uncommon practice in big hosting companies
and ISPs to simply disable a site that has been hacked until you can patch
it or address the insecurity.

Personally, I do not like the precedent of disabling a site simply because
its content or its owners are somehow offensive.  Interland is free to do
business--or not to do business--with whomever it wants, but denying
business to a group of people based on political affiliation, that kind of
scares me.

However, if they really only disabled the site because of a security
concern, that's another story.

Again, this probably isn't of much interest.  However, if you do wish to
quote me, could you not use my name?  I used to work for HostPro before
they merged with Interland.  I resigned on good terms with them several
months ago but I'm worried they might not like me emailing you...

**********

Date: Fri, 14 Sep 2001 18:22:37 -0400
To: declan () well com
From: Brian McWilliams <brian () pc-radio com>
Subject: Re: FC: Was Taliban website "hack" a hoax?
In-Reply-To: <5.0.2.1.0.20010914171935.00a9da00 () mail well com>

Declan,

Kudos to Jonathan for questioning whether taleban.com is registered by a Taliban, but I don't think there's any question the site was hacked repeatedly since March by someone using the handle RyDen.

Mirrors from Safemode's archive pulled from Google's cache (Safemode & Alldas are being DDoS'ed):

March 24:

http://www.google.com/search?q=cache:s-5qD7hQTMM:www.safemode.org/mirror/2001/03/24/www.taleban.com/++%22www.taleban.com%22+site:safemode.org&hl=en

July 14:

http://www.google.com/search?q=cache:cldJ9wiutlM:www.safemode.org/mirror/2001/07/14/www.taleban.com/++%22www.taleban.com%22+site:safemode.org&hl=en

Note also that in his analysis he seems to have inadvertently switched between discussing taleban.ORG and taleban.com. The two appear to be registered to different people and are hosted by different ISPs.

Brian

**********

Date: Sat, 15 Sep 2001 08:28:25 +0200
From: Pawel Krawczyk <kravietz () aba krakow pl>
To: Declan McCullagh <declan () well com>
Subject: Re: FC: Was Taliban website "hack" a hoax?
Message-ID: <20010915082825.C345 () aba krakow pl>
References: <5.0.2.1.0.20010914171935.00a9da00 () mail well com>
Mime-Version: 1.0
Content-Type: text/plain; charset=iso-8859-2
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <5.0.2.1.0.20010914171935.00a9da00 () mail well com>

On Fri, Sep 14, 2001 at 05:20:36PM -0400, Declan McCullagh wrote:

> Recent claims that the official Taliban website was hacked should be met with
> suspicion.   The page at www.taleban.com has changed frequently over the past
> few days, but I have cached it a few times at: <a
> href="http://64.128.176.121:80/nuke/html/article.php?sid=10&mode=&order=0">The
> Pacific Rim Weblog</a>.

Declan, explanation for this is quite simple:

$ dig a www.taleban.com

www.taleban.com.        900     IN      A       127.0.0.1

So everyone will see something different every time they look at
the page, but it won't be any Taleban page definitely, until you
are Taleban yourself...

--
Paweł Krawczyk *** home: <http://ceti.pl/~kravietz/>
security: <http://ipsec.pl/>  *** fidonet: 2:486/23
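
The check described in the message above, as an added example that is not part of the original e-mail: parse the answer lines of `dig` output and flag A records that resolve to loopback or other non-routable space, since a page fetched through such a record comes from the investigator's own machine or network and is not evidence about the real site. The sample input is constructed (only the first record is the one quoted above), and the function names are hypothetical.

```python
import ipaddress

# Constructed sample in dig's answer-section format. Only the first line is
# the record quoted in the message above; the rest are made up for contrast.
SAMPLE_DIG_ANSWER = """\
;; ANSWER SECTION:
www.taleban.com.        900     IN      A       127.0.0.1
intranet.example.       300     IN      A       10.1.2.3
www.example.            3600    IN      A       8.8.8.8
alias.example.          3600    IN      CNAME   www.example.
"""

def parse_a_records(text):
    """Yield (name, ttl, address) for every A record line in dig output."""
    for line in text.splitlines():
        fields = line.split()
        # dig answer lines are: name, TTL, class, type, rdata
        if len(fields) != 5 or fields[2] != "IN" or fields[3] != "A":
            continue
        try:
            yield fields[0], int(fields[1]), ipaddress.ip_address(fields[4])
        except ValueError:
            continue  # malformed TTL or address: skip the line

def classify(addr):
    """Say whether a fetch of this address can reach the real site."""
    if addr.is_loopback:
        return "loopback"      # the request never leaves the local machine
    if addr.is_private or addr.is_link_local or addr.is_unspecified:
        return "non-routable"  # answered by something on the local network
    return "public"

def audit(text):
    """Return (name, verdict) for each A record found in the dig output."""
    return [(name, classify(addr)) for name, _ttl, addr in parse_a_records(text)]

if __name__ == "__main__":
    for name, verdict in audit(SAMPLE_DIG_ANSWER):
        print(f"{name:<24}{verdict}")
```
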

**********




-------------------------------------------------------------------------
POLITECH -- Declan McCullagh's politics and technology mailing list
You may redistribute this message freely if you include this notice.
Declan McCullagh's photographs are at http://www.mccullagh.org/
To subscribe to Politech: http://www.politechbot.com/info/subscribe.html
This message is archived at http://www.politechbot.com/
-------------------------------------------------------------------------

