21 February 2013
PRC Scraping Cryptome
This is not about another mythical, horrid Chinese cyber WMD aggression.
Since October 2012 Cryptome has been scraped daily by the IP address
211.94.xxx.xxx, which geolocates to coordinates 39.9075, 116.39723 in central
Beijing, China, near the Forbidden City and across the street from the Ministry
of Public Security which is geolocated at coordinates 39.903904, 116.399143.
As with Mandiant's allegations, the geolocations are close enough to implicate
the PRC spooks, or some hacker genius or non-PRC spy pretending to be PRC spooks
via IP spoofing.
Log file samples:
18.104.22.168 - - [21/Feb/2013:00:00:07 -0500] "GET /0006/nrc123011.htm HTTP/1.0" 200 186076 "http://cryptome.org/nppw-series.htm" "Wget/1.12 (linux-gnu)"
22.214.171.124 - - [18/Sep/2012:00:00:00 -0400] "HEAD /2012-info/free-syria/pict116.jpg HTTP/1.0" 200 - "http://cryptome.org/2012-info/free-syria/free-syria-05.htm" "Wget/1.12 (linux-gnu)"
The scraper runs overnight during the US Eastern Time Zone for about six
to eight hours, cycling through all the files on the site, averaging 18
hits per second, checking for new files and downloading them, as well as repeatedly
downloading hundreds of random files with no discernible pattern.
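The behaviour described above (a single client, a Wget user agent, a sustained hit rate, the same files fetched over and over) can be picked out of an Apache combined-format log mechanically. The script below is an added example, not part of the original page or of Cryptome's tooling; the log lines it parses are constructed samples using RFC 5737 test addresses, and the thresholds `min_hits` and `min_rate` are assumed defaults a site operator would tune.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Apache "combined" log format, the layout of the samples quoted above.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

SAMPLE_LOG = [  # constructed lines with RFC 5737 test addresses, not Cryptome's logs
    '203.0.113.7 - - [21/Feb/2013:00:00:07 -0500] "GET /0006/nrc123011.htm HTTP/1.0" 200 186076 "-" "Wget/1.12 (linux-gnu)"',
    '203.0.113.7 - - [21/Feb/2013:00:00:07 -0500] "HEAD /0006/nrc123011.htm HTTP/1.0" 200 - "-" "Wget/1.12 (linux-gnu)"',
    '203.0.113.7 - - [21/Feb/2013:00:00:08 -0500] "GET /sample/a.htm HTTP/1.0" 200 90211 "-" "Wget/1.12 (linux-gnu)"',
    '203.0.113.7 - - [21/Feb/2013:00:00:09 -0500] "GET /0006/nrc123011.htm HTTP/1.0" 200 186076 "-" "Wget/1.12 (linux-gnu)"',
    '198.51.100.9 - - [21/Feb/2013:00:03:15 -0500] "GET /index.html HTTP/1.1" 200 4521 "-" "Mozilla/5.0"',
]

def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def scraper_report(lines, min_hits=4, min_rate=1.0):
    """Per-client summary; flag a sustained rate >= min_rate hits/s (the page reports
    18/s) or repeated downloads of the same path, the behaviour described above."""
    per_ip = defaultdict(list)
    for line in lines:
        if rec := parse_line(line):
            per_ip[rec["ip"]].append(rec)
    report = {}
    for ip, recs in per_ip.items():
        if len(recs) < min_hits:  # too few requests to judge a rate
            continue
        recs.sort(key=lambda r: r["ts"])
        span = (recs[-1]["ts"] - recs[0]["ts"]).total_seconds()
        rate = len(recs) / span if span > 0 else float("inf")
        paths = Counter(r["path"] for r in recs)
        report[ip] = {
            "hits": len(recs),
            "rate_per_sec": round(rate, 2),
            "repeated_paths": {p: n for p, n in paths.items() if n > 1},
            "agents": dict(Counter(r["ua"] for r in recs)),
            "flag": rate >= min_rate or any(n > 1 for n in paths.values()),
        }
    return report
```

Feeding a real access log through `scraper_report` one line at a time gives the per-address evidence (rate, repeated paths, user agent) that an abuse report to the ISP would need to carry.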
Attempts to block the scraper with .htaccess have been futile. Several abuse
requests to the scraper's ISP have gone unanswered:
descr: China United Network Communications Corporation Limited
descr: No.21 Financial Street,Xicheng District, Beijing 100140
person: Xiaomin Zhou
address: No.21 Financial Street,Xicheng District, Beijing 100140
This rude scraper is among many siphoning Cryptome, but none come daily or
are as persistent. It is far less intrusive than the data gobblers with giant
capacity to exclude others when they completely take over Cryptome.
There is no objection to taking the site material, all of it; unrestricted
access and wide distribution are the purpose of Cryptome. But the bandwidth
wastage is the result of the all too common stupid configuration of WGet, and
WGet, with others, is an abominable pestilence for its failure to require
users to throttle down the default config of uncontrolled cycling and repeated
downloads of the same files.
If WGet and other siphons, aggregators and slurpers, most of them far from
benign, indeed run as commercial data theft operations, were seen as
cyber attacks, control of them might result in huge savings in bandwidth capacity,
even protect a mountain of mostly useless secrets and confidential business
For sure, there is nothing on Cryptome worth stealing, just take the handouts
occasionally in small bites or config it from your slobbering maw, thank
Cryptome does not yet plant APT poison pills in its files and would appreciate
not planting them on Cryptome.
21 February 2013. A sends:
"Cryptome does not yet plant APT poison pills in its files and would
appreciate not planting them on Cryptome."
Not yet, maybe, but you can be sure that some of the files you host most
certainly do, in the clear and clandestine hope and full expectation that
they be phished. Such is the nature of the phantom beasts in ...... well,
Great Virtual Espionage Games Play is what IT is all about these days in
CyberIntelAIgent Command and Remote Anonymous and Autonomous Control Centres,
methinks. And it is something to get used to, for it is a pioneering, exploding
industry/extremely lucrative business for those at the top of their game/height
of their fabulous fabless powers. But quite understandably, also quite an
exclusive club/cabal/network, given the irregular and unconventional skills
and/or mindset required to succeed in extremis.
Cryptome: We have assumed from the first that contaminated files would be
sent for publication. It is a standard operating procedure for spies, law
enforcement and scurrilous information manipulators to do this. Our customary
warning is to be skeptical of anything placed online (or offline), in particular
the web sites and news outlets which claim to publish controversial material
as well as those which publish the most banal -- any source can be contaminated
by those who claim highest trustworthiness. Messing with public information
is a long-standing practice of public officials and those who blame public
officials to conceal their own perfidy. Thus, we periodically remind readers not to
trust Cryptome, but to trust only themselves. The greatest hazard is ignorance cloaked
as authoritative wisdom.
Cryptome, aspiring to be a free public library, accepts that libraries are
chock full of contaminated material, hoaxes, forgeries, propaganda, cruelly
damaging autobiographies, biased biographies, bald-faced lying facts and
hypnotic fictions, official statements of affirmation and denial,
agenda-promotional vanities, planted errors and deliberate omissions, censored
and redacted documents, holy writs and devilish deceptions, concocted mysteries
and beguiling fables. Astute readers, seeking relief from manufactured and
branded information, will pick and choose, strike their own balance and
off-balance among the best and worst of thousands of libraries, few of
which brag of the marketing-grade trustworthiness most closely associated with
snake oil, chauvinism, nationalism, evangelism and the commerce in authoritative
owning of information by copyright aggression.
Contrarily, although not a legal entity, "Cryptome" has been
in the US to avoid venal expropriation, albeit use of the term is like swallowing
an APT poison pill.
* Word Mark CRYPTOME
Goods and Services IC 042. US 100 101. G & S: Computer services, namely,
on-line scanning, detecting, quarantining and eliminating of viruses, worms,
trojans, spyware, adware, malware and unauthorized data and programs on computers
and electronic devices. FIRST USE: 19960601. FIRST USE IN COMMERCE: 19960601
[This goods and services description is by the US Patent Office, not Cryptome.]