21 February 2013

PRC Scraping Cryptome

This is not about another mythical, horrid Chinese cyber WMD aggression. See:

Since October 2012 Cryptome has been scraped daily by the IP address, which geolocates to coordinates 39.9075, 116.39723 in central Beijing, China, near the Forbidden City and across the street from the Ministry of Public Security which is geolocated at coordinates 39.903904, 116.399143. As Mandiant alleges the geolocations are close enough to implicate the PRC spooks, or some hacker genius or non-PRC spy pretending to be PRC spooks via IP spoofing.

Log file samples:

 - - [21/Feb/2013:00:00:07 -0500] "GET /0006/nrc123011.htm HTTP/1.0" 200 186076 "" "Wget/1.12 (linux-gnu)"
 - - [18/Sep/2012:00:00:00 -0400] "HEAD /2012-info/free-syria/pict116.jpg HTTP/1.0" 200 - "" "Wget/1.12 (linux-gnu)"

The scraper runs overnight, US Eastern time, for about six to eight hours, cycling through every file on the site at an average of 18 hits per second, checking for new files and downloading them, and also re-downloading hundreds of random files with no discernible pattern.
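To make that pattern concrete, here is an added detection example (not Cryptome's own code) that parses Apache combined-log lines like the samples above and flags clients by sustained request rate and by repeated re-downloads of files they already fetched. The client addresses, the sample lines and the thresholds are constructed or assumed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# One Apache combined-log line, as in the samples above. Client IPs below are
# constructed RFC 5737 documentation addresses, not the scraper's real address.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)'
                    r' [^"]*" (?P<status>\d{3}) (?P<size>\S+) "[^"]*" "(?P<ua>[^"]*)"$')

SAMPLE_LOG = """\
192.0.2.10 - - [21/Feb/2013:00:00:07 -0500] "GET /0006/nrc123011.htm HTTP/1.0" 200 186076 "" "Wget/1.12 (linux-gnu)"
192.0.2.10 - - [21/Feb/2013:00:00:07 -0500] "HEAD /2012-info/free-syria/pict116.jpg HTTP/1.0" 200 - "" "Wget/1.12 (linux-gnu)"
192.0.2.10 - - [21/Feb/2013:00:00:07 -0500] "GET /0006/nrc123011.htm HTTP/1.0" 200 186076 "" "Wget/1.12 (linux-gnu)"
192.0.2.10 - - [21/Feb/2013:00:00:08 -0500] "GET /0006/nrc123011.htm HTTP/1.0" 200 186076 "" "Wget/1.12 (linux-gnu)"
198.51.100.7 - - [21/Feb/2013:00:00:07 -0500] "GET /0006/nrc123011.htm HTTP/1.0" 200 186076 "" "Mozilla/5.0"
"""

def parse_line(line):
    """Fields of one combined-log line as a dict (timestamp parsed), or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def profile_clients(log_text):
    """Per client IP: hits, average hits/second, repeated GETs of an already-fetched path, user agents."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            by_ip[rec["ip"]].append(rec)
    profile = {}
    for ip, recs in by_ip.items():
        stamps = [r["ts"] for r in recs]
        span = (max(stamps) - min(stamps)).total_seconds() + 1  # +1 s: a burst inside one second counts as 1 s
        gets = [r["path"] for r in recs if r["method"] == "GET"]
        profile[ip] = {"hits": len(recs), "rate": len(recs) / span,
                       "repeats": len(gets) - len(set(gets)),
                       "agents": sorted({r["ua"] for r in recs})}
    return profile

def flag_scrapers(log_text, max_rate=2.0, max_repeats=1):
    """IPs whose sustained request rate or re-download count exceeds the (assumed) thresholds."""
    return sorted(ip for ip, p in profile_clients(log_text).items()
                  if p["rate"] > max_rate or p["repeats"] > max_repeats)
```

On a real access log the rate threshold would be set far higher than the two hits per second used here, and the repeat count is the more telling signal for a client that re-fetches unchanged files night after night.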

Attempts to block the scraper with .htaccess have been futile. Several abuse requests to the scraper's ISP have gone unanswered:

descr: China United Network Communications Corporation Limited
descr: No.21 Financial Street,Xicheng District, Beijing 100140 ,P.R.China
person: Xiaomin Zhou
address: No.21 Financial Street,Xicheng District, Beijing 100140 ,P.R.China
country: CN
phone: +86-10-66259626
fax-no: +86-10-66259626

This rude scraper is among many siphoning Cryptome but none come daily or are as persistent. It is far less intrusive than the data gobblers with giant capacity to exclude others when they completely take over Cryptome.

There is no objection to taking the site material, all of it: unrestricted access and wide distribution is the purpose of Cryptome. But the bandwidth wastage is the result of the all too common stupid configuration of WGet and the like.

WGet, with others, is an abominable pestilence for its failure to require users to throttle down the default config of uncontrolled cycling and repeated downloads of the same files.

If WGet and other siphons, aggregators and slurpers, most of them far from benign and indeed run as commercial data theft operations, were seen as cyber attacks, controlling them might result in huge savings in bandwidth capacity, and even protect a mountain of mostly useless secrets and confidential business trash.

For sure, there is nothing on Cryptome worth stealing, just take the handouts occasionally in small bites or config it from your slobbering maw, thank you.

Cryptome does not yet plant APT poison pills in its files and would appreciate others not planting them on Cryptome.

21 February 2013. A sends:

"Cryptome does not yet plant APT poison pills in its files and would appreciate not planting them on Cryptome."

Not yet, maybe, but you can be sure that some of the files you host most certainly do, in the clear and clandestine hope and full expectation that they be phished. Such is the nature of the phantom beasts in ...... well, Great Virtual Espionage Games Play is what IT is all about these days in CyberIntelAIgent Command and Remote Anonymous and Autonomous Control Centres, methinks. And it is something to get used to, for it is a pioneering, exploding industry/extremely lucrative business for those at the top of their game/height of their fabulous fabless powers. But quite understandably, also quite an exclusive club/cabal/network, given the irregular and unconventional skills and/or mindset required to succeed in extremis.

Cryptome: We have assumed from the first that contaminated files would be sent for publication. It is a standard operating procedure for spies, law enforcement and scurrilous information manipulators to do this. Our customary warning is to be skeptical of anything placed online (or offline), in particular the web sites and news outlets which claim to publish controversial material as well as those which publish the most banal -- any source can be contaminated by those who claim highest trustworthiness. Messing with public information is a long-standing practice of public officials and those who blame public officials to conceal their own perfidy. Thus, we periodically remind readers not to trust Cryptome, trust only yourself. The greatest hazard is ignorance cloaked as authoritative wisdom.

Cryptome, aspiring to be a free public library, accepts that libraries are chock full of contaminated material, hoaxes, forgeries, propaganda, cruelly damaging autobiographies, biased biographies, bald-faced lying facts and hypnotic fictions, official statements of affirmation and denial, agenda-promotional vanities, planted errors and deliberate omissions, censored and redacted documents, holy writs and devilish deceptions, concocted mysteries and beguiling fables. Astute readers, seeking relief from manufactured and branded information, will pick and choose, strike their own balance and off-balance among the best and worst among thousands of libraries, few of which brag of the marketing-grade trustworthiness most closely associated with snake oil, chauvinism, nationalism, evangelism and the commerce in authoritative owning of information by copyright aggression.

Contrarily, although not a legal entity "Cryptome" has been trademarked* in the US to avoid venal expropriation, albeit use of the term is like swallowing an APT poison pill.

* Word Mark CRYPTOME

Goods and Services IC 042. US 100 101. G & S: Computer services, namely, on-line scanning, detecting, quarantining and eliminating of viruses, worms, trojans, spyware, adware, malware and unauthorized data and programs on computers and electronic devices. FIRST USE: 19960601. FIRST USE IN COMMERCE: 19960601

[This goods and services description is by the US Patent Office not Cryptome.]