[UCIMC-Tech] Fwd: [IMC] Possible Security Audit of UCIMC?

Austin McCann austinmccann at ucimc.org
Fri Oct 22 10:06:41 CDT 2010


I believe this is for y'all to decide.

---------- Forwarded message ----------
From: ringo <ringo at hackbloc.org>
Date: Wed, Oct 20, 2010 at 12:23 AM
Subject: [IMC] Possible Security Audit of UCIMC?
To: imc at ucimc.org


Dear UCIMC,

The Olympia Hackbloc (olyhackbloc.org), a chapter of Hackbloc
(https://hackbloc.org) is performing a large-scale security audit of
various sites that are important to anarchist and radical movements
including Indymedia sites, copwatch sites, and other independent news
sites. As an operator of such a website, you surely know the importance
these sites have for social movements.

I have worked as an administrator for a number of Indymedia collectives
and other radical websites and I am constantly disappointed by not only
the lack of server security but also the lack of concern for server
security. In the modern world, the choke point for everything has become
the wire. Using social networking, texting, cell phones, Indymedia,
blogs, and other communication methods has become a critical part of
organizing for social change. As repressive entities such as the state
try and clamp down on those changing the status quo, they have
traditionally attacked the participants and their media (among other
things). It's clear that cyber-warfare is becoming an accepted idea in
the military world and it's not going to be long before it starts being
used against us on a regular basis. If we are to build effective
communications networks, we must make sure they are secure enough from
attack to continue being effective.

As part of an effort to gain a better understanding of the security of
our communication networks, we will be auditing from several dozen to a
hundred websites for basic security problems. This audit will cover web
service vulnerabilities, basic server vulnerabilities, mis-configured
SSL, and other common security problems. We will start with no initial
knowledge of the internal workings of the servers we attack. Those
services participating in this audit will be probed for these security
holes. When vulnerabilities are discovered, they will be exploited to
their maximum potential in an attempt to gain administrator access.  Due
to the nature of the sites we are attempting to audit, we will stay away
from anything that is clearly filled with private information that would
not be of assistance to gaining further access to the server.

At the end of the audit, participating sites will receive customized
reports detailing any problems found and additional steps to increase
the security of the service and the privacy of their users. After two
months, the results of this audit will be released to the greater
community. This will include both aggregate statistics, what
vulnerabilities we found on various sites, what problems have been
fixed, and what still remain. We do this to ensure honesty,
transparency, and accountability among service providers within our
movement. Participating service providers will (hopefully) gain more
trust in the community due to their willingness to put their money where
their mouth is when it comes to site security and user privacy.

You (and other services you know of) may be eligible to participate in
this audit. In order to be eligible you must meet the following criteria:

1. You must run a website/online service that disseminates information
that is of importance to radical movements. If your website distributes
news, analysis, history, or intelligence you are eligible. If your site
is solely a “look at our group and all the cool things we do” or a
personal blog, you are likely not eligible. If you are unsure if you fit
this requirement, go ahead and contact us to participate and we'll decide.

2. You must own the server your service is hosted on, the connection it
is hosted on, and any network hardware it interfaces with. If you are in
a shared hosting environment, you are not eligible for participation in
this audit. If you have a dedicated server on a connection that you do
not own, you will need to obtain signed consent from the company that
leases that connection to you. If you host on a connection you pay for
but your router is owned by your internet service provider, you are not
eligible to participate in the audit.

3. You must sign and mail a contract (which will be provided to you)
signed under penalty of perjury stating that you own the connection,
server, and networking equipment we will be routing through. If you
obtain consent from a hosting provider, you must attach it. The
statement must be signed by the person or entity who owns your server,
not the administrator (if they are different).

We're sorry that this permission-gaining part of the process may be
complicated and burdensome, but we want to make sure that we aren't
violating any federal computer crime laws while breaking into your system.

If you wish to participate in the audit, please contact
ringo at hackbloc.org. Once we determine that your site is eligible under
the first criterion (that it disseminates information that is important
to radical movements), we will email you the contract you need to sign
and mail back.

My PGP key is attached if you prefer the thrill of communicating in a
more secure manner.

Thanks for your time in considering this audit.

Ringo
Olympia Hackbloc

_______________________________________________
IMC mailing list
IMC at lists.chambana.net
http://lists.chambana.net/mailman/listinfo/imc



-- 
Austin McCann, Development Adviser
Urbana-Champaign Independent Media Center
Digital Arts Service Corps <http://www.digitalartscorps.org>
202 S. Broadway Ave.
Urbana, IL 61801
austinmccann[at]ucimc[dot]org
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0xC4D024F7.asc
Type: application/pgp-keys
Size: 3212 bytes
Desc: not available
URL: <http://lists.chambana.net/pipermail/imc-tech/attachments/20101022/788892be/attachment.bin>