Malcor: Hacker or marketing tool?
Posted by Colin
(In advance I will apologize, some images go outside the margins on this entry.)
For those who don’t know, a “hacker” who goes by Malcor is supposedly taking down Mac related notes. I’ll let you read his blog here for the whole story, the basics are that he has supposedly taken down several Mac related sites for being too shallow.
When you look at it, something just doesn’t add up. Malcor’s first target was http://www.glennwolsey.com/ , a site dedicated to misc Macintosh guides and news entries as far as I can tell. His reasoning for taking down the site is that he is supposedly an angry PC user who is mad at people mocking his PC hardware (remember this, it will be key later).
It is infected with smugness, and more and more, the symptoms are starting to show, whether it’s the eye roll at the non-iPod music player, or the snide comments about my laptop’s lack of curves.
It turns out http://www.glennwolsey.com/ is on a shared host, Media Temple to be specific. Again, this is odd. If Glenn Wolsey’s site is at risk, this should mean everyone on Media Temple is at risk, and you would think Media Temple would be rushing to apply whatever security policy needs to be done to stop attacks like this in the future. A stroll over to Media Temple’s site shows no security warnings, no response at all to the attacks. In addition, Media Temple runs on Linux, which is pretty gosh darn secure. This simply wouldn’t be a spur of the moment attack.
Strangely enough, visits to Glenn Wolsey’s site went up right after the attacks. The next posted article, a guide on something as mundane as upgrading your RAM, is currently on Digg.com with 1001 Diggs. Sounds like the “hack” did more harm than good.
At this point, one has to ask why http://glennwolsey.com or today’s newly hacked http://www.macapper.com didn’t simply restore from backup their html/php content. It’s extremely unlikely their SQL database was attacked, that would be hosted in a separate service. It’s extremely unlikely a hacker managed to hack both services.
But let’s do some Digging into our friend Malcor. He claims to be a disgruntled PC user targeting Mac sites, but he’s left digital fingerprints on the stuff he’s posted to his web site.
Let’s back up and talk about something else first. ColorSync is a technology created by Apple that only works on Macintoshes. It basically tags your image files with what kind of hardware your image was created on, so that your computer can better calibrate the colors of the image for your kind of display.
Given that, I decided to look at the images that Malcor had pasted on his site. First up is the image of rotten Apples he posted today in his Macapper takedown notice.

Now let’s go look at the ColorSync information on this image. Keep in mind, if this image was created on a PC, it should not have any ColorSync information attached to it. We’ll use Preview.app’s inspector to get the ColorSync information.

Huh? The angry PC user created this image on a Mac, it would seem. As you can see, his rotten Apples image has a ColorSync profile. But we’ll give our friend the benefit of the doubt. It’s possible he ripped this image from Google Images, and the original author made it on a Mac. But where could we find an original image we know got created on his machine? If only he posted some sort of screenshot taken from his machine… Oh wait! He did!

Now we take a look at the ColorSync profile on this image to see if it exists…. (The image is named Picture+5.png, implying that it was taken from a Mac, but we’ll ignore that for now…)

So, we have an image we know came from his machine. Not only that, but it has a ColorSync profile. Even better, the profile attached implies that he uses an Apple Cinema Display. He actually owns the hardware he supposedly mocks. Now as much as I love Apple, it takes a special sort of Mac user who actually pays Apple’s outrageous LCD prices.
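The same inspection can be done without Preview.app by reading the file directly: a PNG carries its embedded colour profile in an `iCCP` chunk, and the ICC header inside it records the preferred CMM, the primary platform and the profile creator. This is an added example, not part of the original post; the function names and the sample file it builds are constructed for illustration.

```python
import struct
import zlib
PNG_SIG = b"\x89PNG\r\n\x1a\n"

def chunk(ctype, body):
    """Serialize one PNG chunk: length, type, body, CRC-32 over type+body."""
    crc = zlib.crc32(ctype + body)
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)

def png_chunks(data):
    """Yield (type, body) per chunk; reject truncated or CRC-failing chunks."""
    if data[:8] != PNG_SIG:
        raise ValueError("not a PNG file")
    pos = 8
    while pos + 12 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        end = pos + 12 + length
        if end > len(data):
            raise ValueError("truncated chunk")
        body = data[pos + 8:end - 4]
        if zlib.crc32(ctype + body) != struct.unpack(">I", data[end - 4:end])[0]:
            raise ValueError("chunk CRC mismatch")
        yield ctype, body
        pos = end

def icc_summary(png_bytes):
    """Return identifying fields of the embedded ICC profile, or None."""
    for ctype, body in png_chunks(png_bytes):
        if ctype != b"iCCP":
            continue
        name, _, rest = body.partition(b"\x00")
        if rest[:1] != b"\x00":  # compression method 0 (zlib) is the only one defined
            raise ValueError("unknown iCCP compression method")
        prof = zlib.decompress(rest[1:])
        if len(prof) < 128 or prof[36:40] != b"acsp":
            raise ValueError("not an ICC profile")
        field = lambda off: prof[off:off + 4].decode("ascii", "replace")
        return {"name": name.decode("latin-1"), "cmm": field(4),
                "platform": field(40), "creator": field(80)}
    return None

def build_sample_png(with_profile=True):
    """Constructed input: 1x1 PNG skeleton with a 128-byte header-only profile."""
    hdr = bytearray(128)
    hdr[0:4], hdr[4:8], hdr[36:40] = struct.pack(">I", 128), b"appl", b"acsp"
    hdr[40:44], hdr[80:84] = b"APPL", b"appl"
    iccp = b"Example Display\x00\x00" + zlib.compress(bytes(hdr))
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)
    return (PNG_SIG + chunk(b"IHDR", ihdr)
            + (chunk(b"iCCP", iccp) if with_profile else b"") + chunk(b"IEND", b""))
```

The profile describes whatever software last wrote the file and can be stripped or replaced on re-save, so a result like this is one data point to corroborate with others, such as the `Picture+5.png` filename noted above.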
At the very least, Malcor is a fraud and a hypocrite. I think “Malcor” is working in conjunction with Mac sites to stage hackings, and then the sites go back up with much fanfare and a bunch of free publicity. All this “hacking” makes much more sense if it’s an inside job. If this is true, whoever is organizing this should be ashamed of themselves.
Of course, there is always the chance that Malcor is a real hacker, with superhuman abilities to take down multiple kinds of servers on multiple kinds of platforms. At the very least, he is not the person he claims to be. Hey, if he is a real hacker, maybe he’ll hack me. Then I can gather more evidence on who he is. : grin :
Edit:
Some additional thoughts on the Macapper “hacking”:
• The site had 24 hours notice but they didn’t do anything about it? No backups? No plan? Nothing?
• Macapper runs a different platform, either FreeBSD or Mac OS X (Glenn’s site ran on Linux). We’d have to assume Malcor was able to hack two different platforms… Plausible but…
• Macapper is just letting their site sit with the defaced page? C’mon now. Any admin worth his salt would at least take that page down. Macapper either has physical access to the server or they pay someone who does. They can very easily pull the plug to the server or just reset the default page…
7 Responses to “Malcor: Hacker or marketing tool?”
November 20th, 2007 at 10:38 pm
[...] InfinityPro article is very informative Here’s a small piece of the story For those who don’t know, a “hacker” who goes by Malcor is supposedly taking down Mac related notes. I’ll let you read his blog here for the whole story, the basics are that he has supposedly taken down several Mac related sites for … [...]
November 21st, 2007 at 12:10 am
[...] Web Hosting - Web Hosting Blog wrote an interesting post today on Here’s a quick excerpt It ends up http://www.glennwolsey.com/ is on a shared host, Media Temple to be specific. Again, this is odd. If Glenn Wolsey’s site is at risk, this should mean everyone on Media Temple is at risk, and you would think Media Temple would … [...]
November 22nd, 2007 at 1:37 pm
[...] White Magic Labs has published more evidence, such as that the images of the rotten apples were created on a Mac. [...]
November 23rd, 2007 at 7:46 am
yes there are many different ways to hack the web 2.0
not just ‘r00t’
see http://xssworm.com
November 23rd, 2007 at 7:20 pm
[...] from Mac1, this possibility is being considered in the MacHeist forums, and White Magic Labs has even published evidence that the images of the rotten apples being posted on the websites (now allegedly) [...]
November 27th, 2007 at 7:18 am
[...] about Malcor’s true identity have been rampant. White Magic Labs did some investigation on the pictures Malcor’s been posting on his blog to prove he is [...]
November 28th, 2007 at 9:45 am
[...] for its own good and needed to be taken down a peg (hmmm). It seems that one blogger fairly quickly pegged what was going on and spotted that this was a cheap publicity stunt, but this was quickly denied by [...]