back to article Cryptome pulled OFFLINE due to malware infection: Founder cries foul

Whistle-blowing site Cryptome has been left temporarily unavailable after its service provider NetSol stopped routing traffic towards the site following the discovery of a suspect and probably malicious PHP file. Cryptome's John Young criticised NetSol's decision on to pull the plug on the whistle-blowing site as an …

COMMENTS

This topic is closed for new posts.
  1. This post has been deleted by its author

    1. Anomalous Cowturd
      Thumb Up

      Re: It's back...

      Yep.

      Welcome back John.

      1. Anonymous Coward
        Anonymous Coward

        Attack of the cryptome snatcher

        That's what THEY want you to think....

        It's not the REAL cryptome.org but a malicious pod substitute from planet NSA....

        How's that for a slow wed afternoon conspiration theory?

      2. Anomalous Cowturd
        Black Helicopters

        Re: It's back... No it isn't... Site update.

        25 June 2015. Update:

        Via Twitter @cryptomeorg:

        NetSol rushed to reactivate Cryptome. No deal. Henceforth only SM will be used to exchange information. To hell with arrogant dirty ISPs.

        Cryptome has been dispersed. Files will appear expectedly and unexpectedly at diverse locations online and off.

        Besides pastes, drops, torrent, implants, hides, Cryptome has over a dozen sites for dispersed distribution, more coming. Got means-methods?

        By sites and outlets is not meant only online, current leader of dirty work posing as clean.

        :o(

        1. Robert Carnegie Silver badge

          Question

          2015?

          Are you anticipating next year's Cryptome takedown - or, just conceivably, publicity stunt? I'm just saying it's possible.

  2. Ben Burch

    My provider does the same

    When one of my users gets attacked and some malware gets on, they block the site until it is fixed.

    How is this an attack???

    I admit it is bloody annoying.

  3. Destroy All Monsters Silver badge
    Paris Hilton

    How the hell does "malware get on cryptome"

    It's not like it will just decide to flutter down and land like a bat.

    Also, time to move a Cryptome copy to S3, innit?

  4. Empty1
    FAIL

    Forgot his backup site?

    From the last time (or earlier) when access was lost??

    http://cryptomeorg.siteprotect.net/

  5. RobHib
    Black Helicopters

    Bit worring.

    It's a bit worrying knowing a site one's visited might be suss. But then I'm an infrequent visitor and the last time was several months ago.

    Cryptome must take the cake for the plainest site on the Web but its articles are riveting. I find it endlessly fascinating. Once there, I can spend hours jumping from one government scandal to another. It's quite addictive really.

    Nevertheless, when visiting Cryptome, I've always the nagging feeling that the NSA, GCHQ and DSD are logging my IP and every single article/PDF I flip through.

    But perhaps I'm just paranoid.

    1. Destroy All Monsters Silver badge
      Big Brother

      Re: Bit worring.

      But perhaps I'm just paranoid.

      We can reassure you, citizen! The govnmt-appointed healthcaring doctor is on call today and has already been dispatched to your address with the appropriate calming serum. There is no need to resist.

      1. RobHib
        Big Brother

        Re: Bit worring. -- @ Destroy All Monsters

        I hope they're here soon, I've run out of pills and the dog's chewing my internet modem again!!

    2. Pascal Monett Silver badge

      Re: But perhaps I'm just paranoid

      You are.

      That doesn't mean you're wrong.

  6. Someone Else Silver badge
    Holmes

    NetworkSolutions is owned by web.com. We've put in a query to web.com inviting it to say when Cryptome.org is likely to be restored as well as inviting it to comment of Young's criticism of its actions. We'll update this story as and when we hear back from the internet service firm.

    Don't you mean "if and when"?

    /me is not holding my breath.

  7. Anonymous Coward
    Anonymous Coward

    Shutting sites down because of a suspect file is a classic sign of a wanky webhost; and is a sign that you should change hosts immediately. It's perfectly possible to shut down a particular file or URL; and contact the owner of the site with a deadline for fixing it. Shutting a whole site down is a sign that the host is phoning it in.

    Happened to me twice on 2 different hosts; and in one case they buggered off for a week (one external hack; one disgruntled subcontractor on a client's site). Of course shutting the site down often impedes the owner of the site from finding out what's wrong and fixing it as well.

    1. RobHib

      @ moiety

      Sure, I agree (in normal circumstances anyway).

      But have you ever visited Cryptome? It mightn't take much of an excuse in Cryptome's case, as I'm sure it's high on the reading list of many government officials and often they won't like what they read (hence my earlier facetious comment re NSA et al).

      1. Anonymous Coward
        Anonymous Coward

        Re: @ moiety

        I'm pretty sure that it wasn't censorship; purely because they were back within 48 hours. Sure the site's content is a probable motivating factor for the malware to be there in the first place (although it could just have well been an unfixed hole in the site picked up by an automatic scan for that vulnerability).

        When malware is detected -especially email-spewing malware- things begin to happen...Search engines posting warnings; adding to blackhole lists and so on. This affects not only the site in question; but anyone on the same shared server; their hosts; the upstream providers of their hosts; the owners of that IP address parcel and so on. Action has to be taken and quickly...which action is taken sorts out the men from the boys, webhost-wise and NetSol's is kinda lazy but reasonable. They can (in order of wankiness, most to least):

        1) Shut down the account and wait for the site's owner to come to them asking where their site went. This has happened to me. Needless to say, we were out of there that same day (and by the way, this is why you should ALWAYS keep your hosting and domains separate...having to extract the domains first would add considerable time to getting back in the game). Also shuts down any sites on that same account.

        2) Shut the account down and message the owner explaining why. Also shuts down any sites on the same account.

        3) Shut the domain down and contact the owner. This is not uncommon; but leaves the unfortunate catch-22 that the (remote) owner is unable to access anything and therefore can't see or solve the problem.

        4) (As happened in Cryptome's case) Shut HTTP down and simultaneously message the owner.

        5) Leave the site running; contact the owner; but move the site somewhere else where it's not going to interfere with other clients of the service. This takes time, and is more risky for the webhost. Give the owner a deadline to fix the problem.

        In any of the above cases, the webhost may or may not tell the customer where the problem is.

        The issue seems to be the 48-hour delay before the site was reinstated. Netsol is a big host and it could be due to something as simple as them switching to a new support system. Or a new policy. Or revenge if the guy has been a bit of a tosser in the past. Blaming everything on a conspiracy seems a little entitled to me.

        Certainly if I had a site that was mission-critical or as guaranteed to piss people off as Cryptome; I'd have a plan B site waiting in the wings; then it's just a case of flicking the domains over...20 minutes tops until you're back on the air. If the domains (on a separate provider) get sanctioned then you can start moaning about conspiracies.

        1. RobHib

          Re: @ moiety -- @ moiety

          Yes, I'm sure you're correct about it not being censorship. Unlike Snowden, Cryptome is an annoying pimple rather than a gangrenous leg. If anything, it probably acts as a reliable, all-in-one-place updater for second/third-line public servants.

          As the site is and has been accessible to US authorities for years, it's probably tolerated on the basis that weighing up the noise of closing it down/free-speechers etc. versus propagation of potential damage a la Snowden-level leaks, they've let things lie (it's what those in power are prepared to put up within a democracy). It seems to me that most of the stuff leaked was already available elsewhere.

          Again, total supposition on my part, but I'd reckon it'd be a good assumption that John Young and Deborah Natsios have been spoken to in the past and they've a red line they will not cross. The stuff on the site is fascinating (I can read it for hours--it's more entertaining than whodunnits on TV) but, to me, it doesn't seem to be the stuff that'd bring out the Apaches and support crews.

          Nevertheless, it's a warts-and-all, in-your-face, site that would annoy many and I'm sure it is monitored by the powers-that-be on a regular basis. Moreover, I'd reckon the site would regularly come under attack, even if not from government.

          As a visitor to the site (albeit last time some months ago), I'd love to know what PHP code was suss--what does it do etc. After all, the site is designed not to be a script haven, plain as it is.

          What NetSol and likes have been up to is anyone's guess (and a lot of what's happened is probably based on internal politics / perceptions etc.).

          Again, any/all of those options you mention could come into play--even the duty IT staff may have played a 'political' hand given an opportunity, who knows. Perhaps Cryptome might be able to eventually leak that too.

          ;-)

  8. Anonymous Coward
    Anonymous Coward

    What is wrong with taking the whole site down? How did that 1 file get on there to start with? Deleting that file should not be enough to get the site put back up as the hole that allowed it to get there in the first place is most likely still around. Taking the whole site down was sensible. Down vote away.

    1. Donn Bly

      Agreed

      Since I host web sites for other people, more than once I have had to deactivate a website because they were compromised (generally because they used old versions of joomla or wordpress and didn't keep up with patches). If they didn't hire me to take care of their site, then I am not going to go into the site and muck around looking for what is there or how it got there. The ONLY action I can take is to give the site owner notice that there is a problem, explain what the problem is and how it was detected, and take the site offline to the public until it is fixed. If it is a dedicated server or virtual machine and spewing outbound traffic I just isolate the instance or box to its own vlan and give them instructions how how to vpn into the vlan to work it. Of course, I also offer "remediation services" at extra cost, but I'm not going to do it for free.

  9. John Savard

    Appropriate

    If the malware can't be removed immediately, of course the site must be pulled until it is removed. No chance of infecting people's computers can be tolerated. Some complaint about how long it took might have made sense, but this reaction just makes the guy look like a loose cannon.

    And, of course, I suppose the NSA would love to infect the computers of the people who visit Cryptome...

  10. Anonymous Coward
    Anonymous Coward

    so?

    All he has to do is find a single website hosted by NetSol that contains an ?equally? infected file, and keep checking it for a week or so. If, in the end, NetSol doesn't take that site off-line, then he has a case and should be able to crucify them.

  11. redwolfe_98

    i think it is BS.. i have never heard of a website taken down due to malcious content being detected on one of its webpages..

    i have seen websites taken down by their owners, temporarily, due to malicious content being detected on one of their webpages, while the website was being cleaned up..

    i doubt "web.com"/"netsol" would have many customers if they took down websites every time something malicious was detected on one of their webpages.. i am going to try to look to see if "web.com"/"netsol" has ever taken down any other website due to something malicious being detected on one of its webpages..

    my guess is that someone with some clout reported the issue to "web.com"/"netsol" and they just had a "knee-jerk reaction" and took down the site without due diligence..

This topic is closed for new posts.