To whoever is in charge of hosting...

[Frinkahedron]

Hello,

I am a member of a message board community called Life, The Universe and Everything. We just started up about a week ago as a social board and gained thousands of users very quickly.

One of the webistes hosted by Jaguar has repeatadly hacked and messed with our board coding and databases, banning users and taking the message boards offline. They use their message boards to plan and execute these attacks. Myself and others at our board were disscussing ways to deal with the hackings but we just got hacked again today before we could decide on anything.

The website in question, hosted by Jaguar, is www.theoutboards.com (Note: Offensive material)

Our message boards
http://www.lue.olddh.com/boards/index.php (Note: Offensive due to hackings)

They also use their message boards for other illigal activities such as warez distribution and sharing hacked website logins.

We ask you to do something about the outboards as we have not provoked or threatened them in any way.

Thank you.

[mattsiegman]

You need to secure your board software. Depending on what you use, you can take different approaches to this.

Please make sure that you follow all security guidelines posted by the company/group that created the board.

I can't help you with anything else, only Jag can.

[Vin DSL]

LoL! Guess you justed learned a lesson about Life, The Universe and Everything...

[iGenesis]

Thanks Frinkahedron. I am the co-owner of the LU&E boards. I've already written to abuse@jaguarpc.com on 1/1 but received no response. Here are a few more things I would like to add:

1. The boards' source is a based off a free, GNU GPL-released board system called "Mediarchive". It is relatively old, and contains several security holes, many of which I have patched up. Although I have made several modifications to the code, none can truly be exploit free. A group of Outboard users were able to take advantage of them. In no way, however, should that make them free of guilt.

2. The attacks are fully admin-sanctioned, which is why their site, as a whole, violates JaguarPC's Acceptable Use Policy. The administrator himself offered "Outboards Currency" (Virtue) to reward his users for "hijacking" of accounts from my board or, better yet, taking them down completely.

3. The attack today (roughly 12-4 PM PST) marks the fourth in a 13 day period during which damage was done. In three of the four attacks, including today's, hackers from the Outboards (and personally rewarded by the Outboards administrator for it), SQL injection was used to run database commands. In the first attack (dated Jan. 6), a group of Outboard users DOS'ed attacked the site, causing every single SQL-integrated site on the Olddh networks to be unavailable for nearly 36 hours.

[iGenesis]

The Outboards are planning more invasions; they are a serious threat to other online communities:

http://theoutboards.com/boards/messa...10&topic=68570

Outboards users took down six communities on Sunday Jan 11.

[Connie]

Seems to me like the problem is on your end. I don't think you can expect
Jag to protect you from hackers when you admit your board has security
holes in it.

[iGenesis]

If the FBI website has security holes, is it right to trash it?

I admit that my board has security holes; however, none of them have been known until recently. The Outboards users are congregating there to find exploits. If you would look at their topics from 1/5 and before, no one knew any.

[gerilya]

Originally posted by iGenesis
If the FBI website has security holes, is it right to trash it?

I admit that my board has security holes; however, none of them have been known until recently. The Outboards users are congregating there to find exploits. If you would look at their topics from 1/5 and before, no one knew any.

If the FBI site would be hacked, I doubt they would file a formal complain with Jag as a way to remedy this problem

Of course, it is not right to trash your site, more than that, it is illegal. You can fight it technically or legally or both - what course of action you take is entirely up to you, but if you want to stop them from doing something without any effort on your part, you better contact their power supplier asking to cut the electricity off.

BTW, although 'hacking' your site is illegal, I do believe that sharing information on how to do that (for educational purposes, of course ) does not violate any law.

[iGenesis]

Illegal or not, the site theoutboards.com violates JaguarPC's AUP:

Attacks and Exploits : Any activity which affects the ability of other people or systems to use any services or other internet services. This includes "denial of service" (DOS) attacks against another network host or individual user. Interference with or disruption of other network users, services or equipment is prohibited. It is the client's responsibility to ensure that their server is configured in a secure manner. A client may not, through action or inaction, allow others to use their network for illegal or inappropriate actions. Unauthorized entry and/or use of another company and/or individual's computer system will result in immediate account termination. We will not tolerate any subscriber attempting to access the accounts of others, or penetrate security measures of other systems.

[gerilya]

I doubt that the hosting server was used to hack your board and merely storing the information that allows to hack it doesn't look like AUP violation to me

Besides, AUP is a part of contract between a hosting company and a hosting client. You are not a part of this contract and consequently has no way of enforcing it.

[iGenesis]

Darn loose constructionist...

I'm no legal expert, but if one can get a hosting account from JaguarPC, set up a message board community, and use that community to incite his members to attack my boards by posting images from goatse.cx (offensive website), the n-word (racial term for blacks), and other sexual preference oriented insults, all the while in compliance with all US federal laws (where the outboards are based), then something's seriously wrong with the justice system.

I will be writing to individual ISPs, but the fact that the boards are being used as a base to devise attack plans is a threat to the online community, and must be dealt with.

[gerilya]

I wonder why they choosed your board. You look like a nice guy

Seriously, if you think something wrong with the justice system you can write to your congressman, but I found that sometimes people tend to generalize their own private conflicts in the hope it would help them. My experience shows that it helps as much as self pity does, but you are welcome to learn it on your own.

[jason]

Originally posted by iGenesis
Darn loose constructionist...

I'm no legal expert, but if one can get a hosting account from JaguarPC, set up a message board community, and use that community to incite his members to attack my boards by posting images from goatse.cx (offensive website), the n-word (racial term for blacks), and other sexual preference oriented insults, all the while in compliance with all US federal laws (where the outboards are based), then something's seriously wrong with the justice system.

As gerilya already pointed out, launching or participating in an attack against your site is illegal and unethical. You have every right to be angry, and I wish you the best of luck in tracking the perps down. Your statement above has one fundimental flaw in it, though. One of the most basic rights of US citizens, the First Amendment to our Constitution, the very basis of our justice system, gives every citizen the right to freedom of speech. The owners of the site you mention have every right to post whatever they want on their website and JPC really has no right to censor that. There are other laws that relate to inciting violence, harm, or other illegal activity that you could persue against the owners of the site, but JPC is only a conduit in the flow of information. If someone sent you a package containing something offensive or dangerous, who would you go after--the sender or the post office?

I subscribe to security listservs where lots of information is passed around that talks about how to exploit various software programs. This isn't done to give members the oppertunity to attack other systems, but rather to enable them to test and protect their own systems. If you were to force JPC to remove the content from the site you have a problem with you would also force them to remove similar information from sites that are providing legitimate security information.

Again, I am sorry that you are having problems with the operators of a site that is hosted with JPC. I hope you are able to find a resolution as quickly as possible. I'm sorry if this post came across as somewhat harsh, that's not my intention. As I'm sure is the case with gerilya and others who have replied, I just wanted to explain to you that I think you may be "barking up the wrong tree" so to speak. I'm not a lawyer, but I honestly don't believe JPC has any leagal right to do anything to satisfy you.

You're best bet is to find other avenues to persue, such as going after the ISP's that host the people that attacked your site. Even then, though, you may not find the relief you are looking for. If the ISP bans the client they can just move to a new ISP. Ultimately, you are going to have to find the names of the persons who are involved with all of this and go after them in court. If you are serious in persuing this matter, you really ought to consult a lawyer to find the best course of action to take.

--Jason

[lookout]

Be aware the views that have expressed here so far are personal ones, not necessarily the official ones of JaguarPC. It seems to me perfectly reasonable to expect some kind of official Jaguar response to your concerns. As Matt mentioned (one of the outside mods here), Jag is the fellow you want to contact (or possibly Les) for the official company position. You can email or PM him directly through the forums. Might take a bit for a response, he seems a busy fellow.

Not sure why you didn't receive a response to your email to abuse@jaguar.com as you should have. Can't say I'm surprised though. I've found emails to Jaguar often seem to end up in a black hole. Very frustrating. One begins to wonder whether anyone actually checks these mail accounts, or if the emails are not getting routed properly. Fortunately as a customer, I don't need to contact them much in this manner because I can use their much more reliable support ticket system instead. Unfortunately, as a non-customer, that method is not available to you.

Note to Jag if he sees this:
Your method of non-customers only being able to contact Jaguar via email needs an overhaul. It would be helpful if the ticket system was extended to accommodate them, perhaps thru some kind of guest account.

[Frinkahedron]

Even if they are allowed to say what they want, using their site to carry out illigal attacks on other users' networks and databases while reciving rewards from the site administrator ARE illigal and against Jaguar's AUP.