I believe this is for y'all to decide.<br><br><div class="gmail_quote">---------- Forwarded message ----------<br>From: <b class="gmail_sendername">ringo</b> <span dir="ltr"><<a href="mailto:ringo@hackbloc.org">ringo@hackbloc.org</a>></span><br>
Date: Wed, Oct 20, 2010 at 12:23 AM<br>Subject: [IMC] Possible Security Audit of UCIMC?<br>To: <a href="mailto:imc@ucimc.org">imc@ucimc.org</a><br><br><br>Dear UCIMC,<br>
<br>
The Olympia Hackbloc (<a href="http://olyhackbloc.org" target="_blank">olyhackbloc.org</a>), a chapter of Hackbloc<br>
(<a href="https://hackbloc.org" target="_blank">https://hackbloc.org</a>) is performing a large-scale security audit of<br>
various sites that are important to anarchist and radical movements<br>
including Indymedia sites, copwatch sites, and other independent news<br>
sites. As an operator of such a website, you surely know the importance<br>
these sites have for social movements.<br>
<br>
I have worked as an administrator for a number of Indymedia collectives<br>
and other radical websites and I am constantly disappointed by not only<br>
the lack of server security but also the lack of concern for server<br>
security. In the modern world, the choke point for everything has become<br>
the wire. Using social networking, texting, cell phones, Indymedia,<br>
blogs, and other communication methods has become a critical part of<br>
organizing for social change. As repressive entities such as the state<br>
try and clamp down on those changing the status quo, they have<br>
traditionally attacked the participants and their media (among other<br>
things). It's clear that cyber-warfare is becoming an accepted idea in<br>
the military world and it's not going to be long before it starts being<br>
used against us on a regular basis. If we are to build effective<br>
communications networks, we must make sure they are secure enough from<br>
attack to continue being effective.<br>
<br>
As part of an effort to gain a better understanding of the security of<br>
our communication networks, we will be auditing from several dozen to a<br>
hundred websites for basic security problems. This audit will cover web<br>
service vulnerabilities, basic server vulnerabilities, mis-configured<br>
SSL, and other common security problems. We will start with no initial<br>
knowledge of the internal workings of the servers we attack. Those<br>
services participating in this audit will be probed for these security<br>
holes. When vulnerabilities are discovered, they will be exploited to<br>
their maximum potential in an attempt to gain administrator access. Due<br>
to the nature of the sites we are attempting to audit, we will stay away<br>
from anything that is clearly filled with private information that would<br>
not be of assistance to gaining further access to the server.<br>
<br>
At the end of the audit, participating sites will receive customized<br>
reports detailing any problems found and additional steps to increase<br>
the security of the service and the privacy of their users. After two<br>
months, the results of this audit will be released to the greater<br>
community. This will include both aggregate statistics, what<br>
vulnerabilities we found on various sites, what problems have been<br>
fixed, and what still remain. We do this to insure honesty,<br>
transparency, and accountability among service providers within our<br>
movement. Participating service providers will (hopefully) gain more<br>
trust in the community due to their willingness to put their money where<br>
their mouth is when it comes to site security and user privacy.<br>
<br>
You (and other services you know of) may be eligible to participate in<br>
this audit. In order to be eligible you must meet the following criteria:<br>
<br>
1.You must run a website/online service that disseminates information<br>
that is of importance to radical movements. If your website distributes<br>
news, analysis, history, or intelligence you are eligible. If your site<br>
is solely a “look at our group and all the cool things we do” or a<br>
personal blog, you are likely not eligible. If you are unsure if you fit<br>
this requirement, go ahead and contact us to participate and we'll decide.<br>
<br>
2.You must own the server your service is hosted on, the connection it<br>
is hosted on, and any network hardware it interfaces with. If you are in<br>
a shared hosting environment, you are not eligible for participation in<br>
this audit. If you have a dedicated server on a connection that you do<br>
not own, you will need to obtain signed consent from the company that<br>
leases that connection to you. If you host on a connection you pay for<br>
but your router is owned by your internet service provider, you are not<br>
eligible to participate in the audit.<br>
<br>
3.You must sign and mail a contract (which will be provided to you)<br>
signed under penalty of perjury stating that you own the connection,<br>
server, and networking equipment we will be routing through. If you<br>
obtain consent from a hosting provider, you must attach it. The<br>
statement must be signed by the person or entity who owns your server,<br>
not the administrator (if they are different).<br>
<br>
We're sorry that this permission-gaining part of the process may be<br>
complicated and burdensome, but we want to make sure that we aren't<br>
violating any federal computer crime laws while breaking into your system.<br>
<br>
If you wish to participate in the audit, please contact<br>
<a href="mailto:ringo@hackbloc.org">ringo@hackbloc.org</a>. Once we determine that your site is eligible under<br>
the first criteria (that it disseminates information that is important<br>
to radical movements), we will email you the contract you need to sign<br>
and mail back.<br>
<br>
My PGP key is attached if you prefer the thrill of communicating in a<br>
more secure manner.<br>
<br>
Thanks for your time in considering this audit.<br>
<font color="#888888"><br>
Ringo<br>
Olympia Hackbloc<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
</font><br>_______________________________________________<br>
IMC mailing list<br>
<a href="mailto:IMC@lists.chambana.net">IMC@lists.chambana.net</a><br>
<a href="http://lists.chambana.net/mailman/listinfo/imc" target="_blank">http://lists.chambana.net/mailman/listinfo/imc</a><br></div><br><br clear="all"><br>-- <br>Austin McCann, Development Adviser<br>Urbana-Champaign Independent Media Center<br>
<a href="http://www.digitalartscorps.org" target="_blank">Digital Arts Service Corps</a><br>202 S. Broadway Ave.<br>Urbana, IL 61801<br>austinmccann[at]ucimc[dot]org<br><br>