When nonprofit security site Attrition.org decided in late May to stop mirroring Web site defacements, the group blamed the volume of defacements and said their hobby had become a "thankless chore." On Thursday, members of Attrition gave a talk at the Black Hat Briefings conference in Las Vegas and dispensed hard-earned wisdom -- and some bitterness -- to those who might follow in their footsteps.
During the two years the group ran the mirror -- a Web site which offers copies of defaced sites -- they encountered numerous obstacles. Despite never having a day in which more than 100 sites matching the group's exacting criteria for a defacement were hit, they frequently received as many as 250 e-mails a day about defacements, according to Brian Martin, who goes by the nickname "Jericho." Of the 250 e-mails they would receive, as many as 66 percent of them would be repeated messages from defacers seeking glory, said B.K. DeLong, a.k.a. McIntyre, another Attrition member. ("Cancer Omega," a third member, also participated in the discussion.)
The group also faced more serious problems, some involving federal law enforcement agencies, the panelists said. On one hand, many would-be defacers would notify Attrition prior to their actions, or those who had already defaced sites would include personally-identifying information when attempting to claim the defacement for themselves. Both situations left the group, which tried to remain neutral, in the difficult position of having to report these activities to the U.S. Federal Bureau of Investigation so as to avoid prosecution themselves.
To make matters worse, many law enforcement agencies were initially distrustful of the group, thinking them to be involved in the defacements, the group said. A number of defacement victims even reported the group to federal agencies for perpetrating defacements, something the Attrition staff members maintain they never did.
Even after the site had gained grudging acceptance in the security industry, other problems arose, Martin said. Some security companies took the information on Attrition's mirror, which they claim is covered by copyright, did not credit its source and even resold it as their own, Martin said. Some media organizations did the same, he said, and while they did not resell the information, they frequently misquoted Attrition members and misused their data, Martin and DeLong said.
So in the face of all this, why did they continue their work for two years?
"We're pessimistic masochists. We love what we do, but we take a lot of abuse," Martin said.
Nonetheless, the group stopped mirroring Web site defacements, leaving the job to other sites such as Alldas.de and Safemode.org. Others who want to open a mirror site should examine closely how they will proceed and why they want to undertake the task, Martin said.
Hackers cannot run a mirror, he said. "If you're an active hacker, you're not fit to run a mirror" because hackers would have an incentive to deface Web sites, defeating the impartiality needed to run such a site.
Security companies also should not run a mirror, because they may profit from it or use it as a marketing tool to sell their security wares, also a conflict of interest, he said. In fact, when Attrition announced that it would be ending its mirror, both hackers and security firms approached them with offers to fund the group, but it declined the offers on ethical grounds, Martin said.
Instead, hobby sites like Attrition, which claim to have no vested interest other than curiosity and commitment, are best suited to the task, he said.
If other hobbyists do pick up where Attrition left off, perhaps they can tackle some of the things that Martin said the group would like to have done but didn't. They include studying the motivations of defacers and their relationships with each other, opening a limited dialog with the defacers, and exchanging information with similar groups such as the HoneyNet Project.
As for Attrition and its members, though they will no longer be maintaining the defacements mirror, they plan to stay busy. Martin and another member of the group plan to publish papers based on data gathered by the group, and the site will continue to be updated with commentary, analysis and other material, Martin said.
"Two years ago we were evil hackers. One year ago, depending on who quoted us, we were a mix of hacker group and security site," Martin said, commenting on the site's growth and the growing acceptance of it among the media and mainstream computer community. "In the last six months, (we were called a) respected security site."