Thanks (I think) to those of you who shared with me faux Internet Journalist Richard Silverstein’s latest post on the nefarious hack that took down his site back in September. No word on why it took him so long to release the information he had but what we are presented with is a 4,000 word screed that situates this “hack” and his subsequent victimisation within the context of rapidly eroding or non-existent Israeli Democratic values, ill conceived state-sponsored “cyber-terror” campaigns and the silencing of dissent. The truth is that this “hack” has nothing to do with any of that. Nothing at all. It is merely an example of a self-aggrandizing and technically incompetent individual victimized mostly by his own ignorance.
I should add that in his screed, Richard Silverstein claims that the “hacker” in question boasted to me about his exploits. He did no such thing and I never made that claim. I have never had any contact with the individual in question. Of course I laughed at Silverstein’s stupidity, but I did not approve of what was done to his site. He also claimed that I am a pro-Israel (true) right-wing (not true) blogger (true). Two out of three isn’t bad I suppose as far as Silverstein is concerned. He also claimed in a tweet that Jewlicious runs drug fueled parties and travel junkets. And that I hate the gays. And… well, I could go on and on.
This is Silverstein’s description of the hack in question:
Dreamhost, which was to be my new host, had a One-Click installation which was designed to ease the transfer of WordPress websites to their server. Little did I know there was a security vulnerability that would allow an Israeli hacker to penetrate and take down my site.
I made the mistake of beginning, but not completing the installation. This allowed him to login to my site, create his own account, and hijack the main page, which took the site down for most of those attempting to visit. The rest saw a â€œproudlyâ€ waving Israeli flag with the message: â€œI Stand for Israelâ€ emblazoned across the screen. In addition to thousands of readers finding my site down, there were substantial financial damages in restoring the site and moving it to a far more expensive host with superior security.
Iâ€™d switched my DNS (domain name servers) from my old to my new host before fully completing the transfer of my site. There are automated services that notify hackers when someone switches DNS servers. The hacker likely was monitoring my site for precisely the opportunity Iâ€™d inadvertently offered him. The combination of my WordPress installation being incomplete and knowing the DNS configuration allowed him to penetrate and deface my site. If you would like to find out more about DNS monitoring you might want to check out somewhere similar to https://www.thousandeyes.com/solutions/dns-monitoring.
Let me deconstruct that with actual facts. There is no security vulnerability in Dreamhost’s One Click installation. The only security vulnerability is the stupidity of someone who begins an install and doesn’t complete it. Why? Well if you start installing WordPress and don’t at least assign yourself a username and password, this is what any visitor to the site sees while you’re off pissing around doing God knows what:
For those of you less technically adept, what this means is that anyone visiting the site is shown a page that asks you to add a username, a password and an email address. Once that’s done, you have sole and complete control of the WordPress part of the Web site. Of course Silverstein could have gone into the database using PHPMyAdmin via DreamHost’s control panel and immediately regained control of his Web site. He could also have accessed the site via FTP, deleted the WordPress install, and started again. But, no. I can only assume he was more into playing the martyr than mitigating his damages – whatever those may have been – $2.52 in ad revenue? Who knows.
He also attempts to paint the guy that stumbled upon his Wide open web site as some kind of skilled hacker, who visited the site with the express purpose of defacing his Web site. He claims that the “hacker” “…likely was monitoring my site for precisely the opportunity Iâ€™d inadvertently offered him” by using some automated hacker notification service. If that was the case, wouldn’t our skilled master hacker have had a throwaway email address ready to use? Wouldn’t he have known that he didn’t even actually have to enter a real email address at all in order to gain control of the site?
The fact is that the hacker in question was as much a hacker as Richard Silverstein is a pro-Israel Zionist. Or the King of France. In fact, it’s a good thing that this unskilled “hacker” was the first to access the site and not some real hacker using the aformentioned notification services. They would have been able to install all manner of malware and viruses and infect the computers of every person visiting the site or they could have asked for donations and captured the credit card information of anyone dumb enough to give their hard earned cash to Richard Silverstein.
Given Richard Silverstein’s incredible incompetence, it’s actually quite likely that the shlemiel that “hacked” Silverstein’s site saved him and his visitors from a much more detructive outcome. Silverstein should actually thank him.