Changes and Clarifications
There have been a lot of interesting rumors floating around since the departure of Power2All as a netadmin from AnonOps. We would like to offer our side of the story, facts rather than rumors. This is not meant to attack anyone, cause drama, start fights over details or anything else stupid. We just feel that it's fair that we get to share our side.
I'm terrible with timelines but that is kind of irrelevant, since we all know when this happened. Going back to where this all started, we have Power2All with his old strato server belldandy linked. Belldandy provided numerous services for the network including webchat, a private pad, and of course an IRCd. On all of our servers there is a general standard that any logs related to user activity are /dev/nulled; in fact we make a promise to our users that this happens. We do not log our users' activities, we do not scrutinize the traffic that passes through our servers, and we do not ever want to be responsible for logs being turned over to police. This is true for all our servers now. This was not true of Belldandy. When SSH'd in one evening to check an unrelated issue, the discovery of multiple log files taking up GBs of disk space was made. These were not system logs; these were logs that contained users' IPs, connection times, disconnect times, and anything else contained in snotices. Beyond the ircd log there was 16GB (yes 16GB) of access.log from the webchat httpd. These logs dated back months, probably to when belldandy first came around. Both of these logs endangered not only our users but our opers, the secrecy of our hub servers, and many other things. When this discovery was made, immediate action was taken against the server owner (Power2All) to suspend his access to his normal oline, hubs, or other leafs he did not own. This was a precautionary measure as we were unsure what the motive was behind the logging.
After much raging, sitting waiting for shred to chew through the logs, yelling and other pleasantries, Power2All stated that he simply did not see the logs. For me, and I'm sure others, this caused complete loss of confidence in Power2All and his access remained limited until he left the network. If I had endangered thousands of users by logging on a server that I own, I would expect people to hang me and completely remove my access. I would also not expect it back within weeks.
Put yourself in our shoes; if a law enforcement agency ever imaged that disk, the entire history of AnonOps would be freely available for them to see. This to us is unacceptable, hence our actions.
We would also like to address the rumor that since Power2All is gone AnonOps has been taken over by the feds. Read the first few paragraphs. If that doesn't change your tune then nothing will.
It would be wrong to say that there have not been changes since Power2All left; we have stepped up our security again and we are now crosschecking servers to make sure that there are no logs to be found on any boxes.
We hope that this clears some things up. Don't believe everything you hear, and watch out for people trying to herd you to various IRC networks, especially ones run by careless admins.
We Figured it Would Come to This
Some may call this damaging, I call it the truth. People deserve the truth. Believe what you want, read this and come to your own conclusion.
This log was sent by Power2All to pi. pi was not in the channel when this discussion took place.
Power2All wanted pi to know what had transpired before he got there. Note: this is a complete log, unedited in any way.
-Cody_Norris- [#help] Please read the topic on entry, or else you will be raped. We are happy to accept tor additions again!
<Power2All> (error) Permission Denied - Oper type derp does not have access to command REHASH
<Power2All> Wtf is this.
<Power2All> What is that oper type shit
<&Poke> I'll let shitstorm handle this one
-NickServ- Your nickname is now being changed to AnonGuest38883
your nick is now AnonGuest38883
<&Beer> maybe best to wake up pi
<~shitstorm> well...
<~shitstorm> if I had 20GB of logs
<~shitstorm> dating back to december
joins: Jupiler ([email protected]) [11 users]
clones: &Beer & AnonGuest38883
&Token sets mode: +ao Jupiler Jupiler
<~shitstorm> and if I had added radiobot as a services oper
<~shitstorm> and if I had said buttersuace didnt have access to bell when he has key in user radio
<~shitstorm> #js
<AnonGuest38883> I cant
<AnonGuest38883> SSH
<AnonGuest38883> into shit
<&Beer> ofc
<~shitstorm> lkike what
<AnonGuest38883> It gives me auth method error
<~shitstorm> what are you trying to get into even
<&Poke> inb4 ryan
<AnonGuest38883> ryan
<AnonGuest38883> remote
<AnonGuest38883> both Im unable
<&Beer> becaus ur axx has been disabled
<&Beer> you have some explaining todo first
<&Beer> i think
<AnonGuest38883> ...
<AnonGuest38883> About what
<~shitstorm> <shitstorm> well...
<~shitstorm> <shitstorm> if I had 20GB of logs
<~shitstorm> <shitstorm> dating back to december
<~shitstorm> * Jupiler ([email protected]) has joined #opers
<~shitstorm> * Token sets mode +a #opers Jupiler
<~shitstorm> * Token gives channel operator status to Jupiler
<~shitstorm> <shitstorm> and if I had added radiobot as a services oper
<~shitstorm> <shitstorm> and if I had said buttersuace didnt have access to bell when he has key in user radio
<&Beer> read what ss just typed
<AnonGuest38883> buttersauce doesnt have access.
<&Beer> the 20gb of logs then
<~shitstorm> then why was there a commentedkey labelled buter@bt
<AnonGuest38883> ?
<~shitstorm> under daio
<AnonGuest38883> About what ?
<~shitstorm> radio*
<AnonGuest38883> Cause I was planning to give him only access to the radio account.
<AnonGuest38883> But disabled it
<AnonGuest38883> after spoking to pi
<AnonGuest38883> *speaking
<&Poke> and the radio acc has sudo privs
<AnonGuest38883> For myself it did yes
your nick is now Power2All
[%] identifying for your nick [Power2All]
-NickServ- This nickname is registered and protected. If it is your
-NickServ- nick, type /msg NickServ IDENTIFY password. Otherwise,
-NickServ- please choose a different nick.
-NickServ- Password incorrect.
[%] mode changed: +r [+iwor]
(error) Power2All You are now logged in as Power2All: Power2All![email protected]
-NickServ- Password accepted - you are now recognized.
[%] mode changed: +h [+iworh]
&Token sets mode: +ao Power2All Power2All
<&Power2All> Back then, I told butter I wouldnt give him access cause of possible conflicts.
<~shitstorm> fair enough there
<&Power2All> Aka, seeing the above blattering.
<~shitstorm> but thers no excuse for 20GB of logs
<~shitstorm> dating back like
<~shitstorm> 5 months
<&Power2All> you mean ssh logs or what ?
<~shitstorm> including ricds logs
<~shitstorm> webchat logs
<~shitstorm> all our users ips
<&Power2All> or ircd logs >?
<~shitstorm> and our ips
<~shitstorm> when we used the pads
<~shitstorm> yes.
<&Power2All> mmm
<&Power2All> Thought I disabled that...
<~shitstorm> ...
<~shitstorm> you put us
<&Beer> #fail
<~shitstorm> and the enture user base
<&Poke> u had _everything_ logged
<&Poke> ...
<~shitstorm> at risk
<&Power2All> ehhh
<&Poke> there's no excuse for that
<~shitstorm> no
<~shitstorm> there is no excuse
<~shitstorm> not when there is
<~shitstorm> 16GB of
<~shitstorm> access.log
<~shitstorm> alone
<&Beer> im so cooking
<~shitstorm> aer you kidding me
<&Power2All> Meh, it was a mistake that I didnt notice.
<~shitstorm> 16GB of text
<&Poke> MISTAKE?
<&Poke> it's more thena fucking mistake
<&Beer> come on, 20gb of disk space gone
<&Beer> and not even noticing
<&Beer> bs
<&Poke> This is not just a days worth of logs Power2All
<&Poke> this is fucking 16GB of text
<&Poke> that's more thena few months
<&Power2All> Well, you can swear at me whatever you want and ruling your stick around my ear.. I didnt notice it was logging everything, normally it logs via rotation with 7 days max.
<&Beer> you should not log at all!!!!!!!!!!!!!!!
<&Poke> >normally
<&Poke> IT DIDN'T
<&Beer> "("jkpdfklbc
<&Power2All> Yah, so it was something I didnt notice.
<&Poke> .................
<&Power2All> What about the "didnt notice" didnt you get ?
<&Poke> that's like the first thing u do when u set up a new server
<&Poke> clean the logs and /dev/null them
<&Poke> Didn't notice for several months?
<&Poke> up to half a year
<&Poke> that's just bullshit
<&Poke> are u really that stupid
<&Beer> can you even run a server?
<&Poke> you're supposed to be a programmer
<&Poke> I really thought u had something in your brain
<~shitstorm> ya Power2All I mean... I get mistakes happen
<~shitstorm> but...
<&Poke> but turns out.. yeah
<~shitstorm> this
<~shitstorm> I mean
<~shitstorm> :F
<~shitstorm> one log sure
<~shitstorm> but this was luike
<~shitstorm> 9001 l;ogs
<~shitstorm> twistd logs
<~shitstorm> access logs from httpd
<&Power2All> (shitstorm): I never bothered looking at the httpd logs for a long time. So I didnt notice.
<~shitstorm> ircd logs
<&Poke> This was all the services running on his box being logged
<&Beer> i dont trust you anymore
<&Poke> for months
<&Power2All> twistd I did null-dev
<&Poke> Obviously not as there were several ol twistd logs
<&Power2All> Yah it seems, you can only disable twistd logs
<&Power2All> when running the qweb
<&Power2All> at a certain command line
<&Poke> u can also make a cron that deletes them
<&Power2All> If you normal start it, it logs anyhow
<&Poke> like I had on my webirc box
<&Poke> ....
<~shitstorm> <shitstorm> root@belldandy:/var/websites/webirc# ls -l twistd.log*|wc -l
<~shitstorm> <shitstorm> 2505
<&Poke> Oh lawd
<~shitstorm> those werent nulled
<&Power2All> Yah, I disabled it that last time, but it seems with a reboot
<&Power2All> it came up again
<&Power2All> and logged shit again.
<&Poke> How come it didn't do that for me?
<&Power2All> How the fuck should I know poke
<~shitstorm> idk what to do with this even
<~shitstorm> beyond the logs
<~shitstorm> which is retarded stupid
<~shitstorm> why was autobot
<~shitstorm> on the serice oper list
<~shitstorm> services*
<~shitstorm> why in gods name
<~shitstorm> does radiobot needs that
<&Jupiler> ist derp aftr derp after moar derp
<&Power2All> (shitstorm): I forgot to remove it, since it was suppose to "global"-command when a DJ went online, but I disabled it in autobot.
<&Poke> You're bot doesn't need _ANY_ oper class at all
<~shitstorm> seriously...
<&Poke> that's just
<&Poke> You shouldn't use global for your radio shit
<&Power2All> I know, thats why I disabled it in autobot.
<&Power2All> Duh
<&Jupiler> .
<~shitstorm> I dont even know what to say
<&Poke> but u still had the services oper for the bot
<&Power2All> Ahhh whatever.. I you guys want to keep on pointing fingers about some things, fine... Keeping logs, yeah, big mistake on my side.
<&Poke> This isn't just something tho
<&Power2All> I should have looked better at the logs.
<&Poke> This is a fucking serious matter
<&Jupiler> big mistake is a understatement
<&Poke> You've put everyone passing through your box at risk
<&Poke> That's not just something u can overlook
<~shitstorm> no
<&Jupiler> you just failed
<~shitstorm> everyone passing through the network
<~shitstorm> not just his box
<&Poke> Oh yeah
<&Poke> that's true
<~shitstorm> every command we did as an oper too
<~shitstorm> was logged int he ircd log
<~shitstorm> _everything_)
<&Power2All> well, the ircd logs should have been nulled, so I wonder why it didnt.
<~shitstorm> evberything you ever asw
<&Jupiler> and stop being ignorant now because im pissed off
<~shitstorm> in snotice
<~shitstorm> was logged
<~shitstorm> from dec25
<~shitstorm> >on
<&Poke> jesus
<~shitstorm> there was
<~shitstorm> 85 million
<&Poke> Yeah.. so yeah we're just gonna overlook this
<~shitstorm> ips in that log
<~shitstorm> 85...
<~shitstorm> milion
<&Jupiler> what in god's name are you doing
<~shitstorm> including our ips
<&Poke> Jupiler's mad
<&Poke> :3
<&Power2All> (Jupiler): No idea, how was I supposed to know. I didn't really pay attention to it.
<&Jupiler> really, I'm really boiling over from so much crap
<&Power2All> I'm busy enough with other stuff, I had thrown a null on the ircd logs
<&Power2All> apparently that went away.
<&Power2All> or something.
<&Power2All> No idea why it was logging otherwise.
<&Jupiler> in my eyes you'd better not have a server here anymore
<&Jupiler> jeez
<&Power2All> Well, it's fine by me if you guys want me gone..
<&Power2All> I've done a lot for the network, but well, if I get kicked out over a small mistake on my side, well, so be it.
<&Jupiler> small mistake??????????
<&Poke> There's no way u can justify what has happend Power2All
<&Jupiler> you call this a small erro on your side?
<&Power2All> (Jupiler): It is a small mistake, no matter how much you jump up and down about it.
<&Power2All> I didn't notice it.
<&Jupiler> ...............
<&Jupiler> bbl, too much derp
<&Power2All> Like I already said a while ago, I had no reason to look in the logs of lighttpd.
* &Poke hugs Jupiler
<&Power2All> So I also didn't see that it was logging everything
<&Power2All> (shitstorm): Ill disable all the logging, unless you alrdy did..
<&Power2All> You can discuss with pi what happens.
<&Power2All> If I get kicked out, so be it... I accept the consequences.
<&Poke> there's nothing to dicuss
<&Poke> *discuss
<&Poke> u can't justify what has happend
<&Poke> this isn't something we can overlook
<&Power2All> (Poke): I dont care what you think, I've had issues with you before.
<&Power2All> Ill let the decission on shitstorm and pi
<&Poke> u don't think the others think that?
<&Poke> are u really that stupid
<&Poke> you do know that you not just put our users at risk
<&Poke> but you put every oper at risk aswell
<&Power2All> (Poke): Im trying to stay cool
<&Poke> IDGAF
<&Power2All> Do you think Im not shaking like a bitch right now ?
<&Poke> U still _CAN'T_ justify what has happend
<&Power2All> (Poke): AM I TRYING TO JUSTIFY IT ?
<&Poke> >a small error
<&Power2All> STFU IM PISSED AT MY STUPIDITY TOO
<&Poke> why are u even arguing against us if you're ot trying to justify it?
<&Poke> huh
<&Poke> *not
<~shitstorm> yes I already disabled all the logging
<&Power2All> Not all
<&Power2All> But ill fix that
joins: Isis ([email protected]) [12 users]
clones: &Power2All & &jc & &Jupiler & &disappointedimpatientcody & &Beer
&Token sets mode: +ao Isis Isis
<&Jupiler> hey Isis
<&Power2All> Well, seeing I will get fired anyhow cause of this issue, I guess a delink will be coming as well... Thanks for all the love and hate from the past, and all the time I pulled into the beginning of AnonOps after Ryan-dissaster.
<~shitstorm> dont say that
<~shitstorm> just relax
<&Power2All> I cant relax man.
<&Power2All> It was all my fault.
<&Power2All> I cant chat is right anyhow.
<&Power2All> *it
<~shitstorm> nothing happened that we can see but its what COULD haver happened
<~shitstorm> that scares us
<&Power2All> I was in the middle of Aion dungeon run when I noticed something was up.
<~shitstorm> just go take your time and come back nothing has been deicded
<&Power2All> And, I donno, but im getting dizzy with all the stress right now.
<&Power2All> Ill take a break, brb
<~shitstorm> ok
<~shitstorm> i meant dont expect hugs for this but its not like im thinking of publically exposing this or something
<&Isis> http://www.bbc.co.uk/news/uk-17713582
<+Egg> Title: BBC News - Youth charged over terror hotline hoax calls (at www.bbc.co.uk)
<~shitstorm> its if anyone did this same thing
<~shitstorm> they would be nutted
<&Power2All> Back, thank god I live with stress on a daily basis.
<&Power2All> Yah, shitstorm, I know the deal. It was indeed a big risc.
<&Power2All> My new server that I was getting upcoming may (or earlier actually), I was going to fully jailkit and truecrypt (as much as possible).
<&Power2All> Since there has not been DDoS's on bell for a long time, I didnt had any reason to check on the logs anymore.
<&Power2All> I think that partly has something go to do on that, but sadly I should have taken more action on monitoring my box.
<&Power2All> Was planning to get a cheap box at leaseweb, and another box specially for autobot and my other websites.
quits: &Beer ([email protected]) (Quit: .)
<&Power2All> Anyhow, thats a questionmark I guess right now.
<~shitstorm> well
<~shitstorm> guess ita up to everyone to decide whts up idk
<~shitstorm> at work right now so ill be in and out
<&Power2All> no problem.
<&Power2All> I disabled syslog too btw.
<&Power2All> It logged a lot of junk as well tbh.
<~shitstorm> yes it generally does most of it is useless but generally doesnt contain ips
<&Power2All> It does since the fact of rsyslog picking up iptables log
<&Power2All> Although, it only logs dropped IP's though.
<&Power2All> But I only need that incase for a DDoS
<~shitstorm> ya well if somsone is portscanning or doing something outside normal operation then thats their problem if they get themselves logged
<~shitstorm> desu does the same thing if you portscan it
<&Poke> so does brat
<&Power2All> Yah, for the rest, from what I know, qweb, ircd and lighty only logs.
<&Power2All> mm and icecast
<&Power2All> but icecast is of no concern sofar I know
<&Poke> that's like all services u have running
<~shitstorm> if you look in /etc/contab theres a cron that clears the qweb logs evbery minute
<&Poke> all of em logging..
<&Power2All> well
<&Power2All> I figured out a command
<&Power2All> when you start run.py
<&Power2All> you can give it a command
<&Power2All> to force send logs to /dev/null
<~shitstorm> ok as long as its verified to work whatever works
<&Power2All> I did test it, it did work.
<&Power2All> But I guess I didn apply it in my bash script
<&Power2All> to start it.
<&Power2All> Normally when I rebooted, I start a bash that auto-start all the services at ones.
<&Power2All> Still, its weird... Im not blaming you shitstorm, since at start it was my fault, but didn't you notice the logs after a "possible" hack on my server, when you checked my box for possible hack attempts ?
<&Jupiler> its your server, your responsibility, security auditing != checking if something is logging too much
<&Jupiler> we will wait when pi is back to discuss this
<&Power2All> (Jupiler): "since at start it was my fault" if you didn't notice. I never said its not my responsibility.
<&Jupiler> you understand that I and some others are pretty pissed about this?
<&Jupiler> i just dont get it
<&Jupiler> im trying to understand what has gone wron
<&Power2All> I've overlooked something that I shouldn't have overlooked.
<&Jupiler> i just cant
<&Power2All> Nothing else could be said.
<&Power2All> THere is not much to get that you overlook something. You either do or don't.
<&Power2All> And in this matter, I did.
<&Jupiler> for months your logs were like growing,i dont get the fact you did not notice that
<&Jupiler> come on, 20gb
<&Power2All> I didnt look at the logs for a reason. THe machine didnt got DDoS"t or attacked for that fact.
<&Power2All> And secondly, things runned fine, so there was no reason for me to look, except that I should have made a reason like your saying , auditing.
<&Jupiler> you just failed for me as an admin/ower for servers
<&Power2All> (Jupiler): I understand, it's not like I didn't learn from this fault.
<&Poke> u need it to get ddosd to check for logs?
<&Poke> That's the _FIRST_ thing u /dev/null on a server
<&Poke> I check my boxes daily...