Much has been written this week on the sad story of Aaron Swartz and the Anonymous hack executed in his name. This story has affected many people in the IT community.
Anonymous hackers, hacked & defaced two subdomains of MIT (Massachusetts Institute of Technology) site and left it defaced, with a tribute and justice for the Internet activist, Aaron Swartz. They criticized certain US laws and call for the government to reform the laws that led to the Aaron’s suicide.
Hacked domains:
According to a doc from anonymous on pastebin.com, hackers ask the government to “reform” computer crime, copyright and intellectual property laws.
- We call for this tragedy to be a basis for reform of computer crime laws, and the overzealous prosecutors who use them.
- We call for this tragedy to be a basis for reform of copyright and intellectual property law, returning it to the proper principles of common good to the many, rather than private gain to the few.
- We call for this tragedy to be a basis for greater recognition of the oppression and injustices heaped daily by certain persons and institutions of authority upon anyone who dares to stand up and be counted for their beliefs, and for greater solidarity and mutual aid in response.
- We call for this tragedy to be a basis for a renewed and unwavering commitment to a free and unfettered internet, spared from censorship with equality of access and franchise for all.
They concluded their statement by apologizing to MIT administrators for temporarily taking over the website.
MIT has ordered an internal investigation into the case of Swartz. Furthermore, JSTOR – the digital library that accused him of illegally downloading content – has released its own statement regarding Swartz’s death.
About Aaron Swartz
Aaron Swartz, 26, early member of Reddit and major contributor to the site. He was a commenter on RSS specifications, and Internet activist. He committed suicide in his Brooklyn apartment, last Friday. He was accused of stealing nearly 500 million articles from an MIT archive and was set to be trialed in February. These stupid laws and the aggressive penalties which are randomly applied appear to have been part of the reason that Aaron committed suicide rather than suffer unfair treatment of the sort that others such as Kevin Mitnick lived through.
Note about Media overhype
Aaron did not co-develop RSS. Netscape and Dave Winer created RSS 0.9. Aaron helped write a proposed update to RSS as version 1.0 that failed to gain any hold, and eventually Dave Winer and a few others did some updates that they called RSS 2.0, which is what we use today. (See blog, “Setting the record straight…” on Boing Boing)
About the attack
It isn’t yet clear which vulnerability Anonymous exploited, but some of the MIT sites run on Cold Fusion which has multiple known vulnerabilities including:
- Cold Fusion XSS – There are several known Cross-site scripting vulnerabilities in various versions of Cold Fusion. Cross-site scripting is a hacking technique that leverages vulnerabilities in the code of a web application to allow an attacker to send malicious content to an end-user which will execute in their browser
- Cold Fusion Directory traversal – Directory traversal vulnerability in Adobe ColdFusion 9.0.1 allows an attacker to access sensitive information. This vulnerability allows an attacker to read the content of the files that are not supposed to be readable.
- Cold Fusion Path Disclosure – Full Path Disclosure (FPD) vulnerabilities enable the attacker to see the path to the webroot/file. e.g.: /home/omg/htdocs/file/.
- fckeditor arbitrary file upload – FCKeditor contains functionality to handle file uploads and file management. A remote attacker could use this functionality to upload malicious executable files On the system.
Its possible that Anonymous leveraged one of the listed known vulnerabilities, or found their own zero day attack.
Leave a Reply