Attrition performs defacement mirror autopsy

And excoriates Wired 'cyberwar' journo

We owe the wittiest and most enjoyable presentation at Blackhat to attrition.org members Jericho and McIntyre, who offered a retrospective on the benefits, aggravations and pitfalls of maintaining a defacement mirror, now that they've ceased updating theirs.

In a nutshell, running a mirror is a major pain in the balls, and not everyone need apply. Those clearly unfit for the job include active defacers ('hackers' in mainstream-press parlance), security-service companies who profit from selling solutions to the holes being exploited, and anyone without an immense reserve of patience and indulgence.

And if that's insufficient discouragement, anyone inclined to maintain one should be prepared to suffer defacement attempts and DoS attacks from kiddiots who aren't getting enough attention; find reams of mail referring to the same item; weed through laughably insignificant defacements ("d00d, i like totally hacked this Geocities 'meet-the-Smiths' page"); receive individual notifications of complete subnets defaced at a stroke; receive legally-inconvenient advance notice of attacks ("check out www.r00tarded_lusers.mil in like twenty minutes d00d"); be perceived as a criminal by the FBI; disappoint twit Feds eager to know what you know in spite of legal due process whilst receiving subpoenas from slicker ones; and get investigated for the hell of it.

Nevertheless, data thus obtained can be useful enough to make it all worth the hassle. Questions remain, for example, on the relationship between the publication of a particular exploit and the number of defacements accomplished with it. For that one needs a long-term running total, of course, but data representing other trends as well.

Both attrition members cautioned that the spikes in defacements which appear to correspond to exploit releases and hole discoveries on their stats page may not be as directly representative as they appear. Since they will continue to maintain defacement stats, they plan to apply a more sophisticated interpretation, now that they've freed themselves from the drudgery of maintaining the mirror, as we reported here.

The group's commentary will also increase now that the mirror is static, and indeed it already has. During the presentation we were treated to a scathing commentary about Michelle Delio, which we found a very pleasant surprise.

Wagging the Delio

Who is Michelle Delio, and why is she a clueless dunderhead? The answer to part two is anyone's guess. The answer to part one is, she's a journo feeding words to Wired News, who invented a cyberwar between the USA and China and later denied its existence when it became painfully clear to everyone and his dog that she'd been talking bollocks from day one.

In a nutshell, Delio got word from some IRC kiddie claiming that the Chinese hacking underground was mobilizing for a massive attack against US sites in celebration of May Day and in protest of the spy-plane incident. Further evidence, such as random racist and anti-American comments on a couple of Chinese BBS persuaded the reporter that her source was solid.

She then rushed to break this 'exclusive story', no doubt flushed with pride and excitement, and in so doing persuaded a lot of American IRC kiddies that Chinese hackers were in fact bombarding the US, though in reality there had been only a few, minor incidents. The US side decided to 'retaliate' against the outrage and really did kick into gear against Chinese sites. The Chinese naturally retaliated against that, and the rest, as they say, is history.

Until, that is, Delio decided to announce that the 'cyberwar' which she inadvertently started had never occurred.

The written attrition commentary which details Delio's hacker hype has been published for some time; the new and delightful thing here was the live Jericho's dry, sacrastic delivery of the account, sweet enough to make a Reg hack well up with pride. Of course you had to be there; and of course we wish you had been. ®

Sponsored: Designing and building an open ITOA architecture