A curious occurrence has been pointed out in yesterday’s Gun Rights Examiner account of the Mexican newspaper El Diario reporting on “Project Gunwalker.”
As comment poster “Henry Bowman” noted:
Wanting to read the original Spanish-language version of the page, I attempted to directly access
http://www.eldiariodechihuahua.com/notas.php
without all the fancy hoopla that came after it, figuring it was probably not needed, or if it was, I could just walk my way down to the article. Imagine my surprise when I was IMMEDIATELY redirected to a page about cyber-crime at www.fbi.gov.
Why would a Mexican newspaper redirect any of its links to the FBI?
Are you being played, David?
He’s right, it currently redirects to this FBI url:
http://www.fbi.gov/about-us/investigate/cyber/cyber
Anticipating they may change that, I’ve taken a screenshot and posted it as the photo accompanying this article. Before they do, try it out for yourself and record the results.
From Mr. Bowman via a follow-up email:
There's only one reason I can see for a site to redirect a "not found" URL to the FBI... and that's if it's an FBI site to begin with.
It's more reasonable to assume a mistake or habit by an FBI coder in directing the "404" processing to a common page he's used to using than it is to assume that a Mexican newspaper is trying to frighten potential hackers with a bogeyman that has absolutely no jurisdiction in the newspaper's territory (or probably the hackers' either).
Is it reasonable for a Mexican website to use name servers in Pennsylvania?
No, it is not. But the thing is, El Diario is the fourth largest newspaper in Mexico.
The question should be put to them, and I will send the publishers a link to this article asking for an explanation, because I don’t have one. I could speculate on an intelligence-gathering operation where the hacker goofed and left evidence of his handiwork, but that’s pure guessing. All I can observe is this story has been noticed, and considering what it’s about, this redirect hardly appears innocuous.
It, and the reasons behind it, should be part of the ongoing "Project Gunwalker" investigation. So far, a reader like Mr. Bowman has done more of that than all "official" U.S. media outlets combined--and doesn't that tell us something?
Also see:
UPDATE: My email asking for their explanation of the redirect from their site to the FBI website came back with a "Delivery Notice (Failed)" message. Sent to:
Comments
Sounds like a hi-jacking ... will be interesting to see how this plays out.
An interesting web of intrigue - smoke 'em out!
Interestingly, http://www.diario.com.mx/notas.php doesn't forward, but I can confirm that http://www.eldiariodechihuahua.com/notas.php forwards to the FBI page like you describe.
It could just be that someone at the news paper thought it would be funny to forward on a 404 to the FBI.
Confirmed, the El Diario link redirects to FBI as of 11:30 AM on Monday, 1/31/2011
Why bother with an "internet kill switch" when government is a virus that already infects your computer and everything else? Maybe this is just confirmation of that theory.
Don't see any 404 page, but continue to reach the FBI thing. Unable to reach the original page by using the https protocol either. Just get an error message there.
Here's the original in Spanish:
http://www.eldiariodechihuahua.com/notas.php?IDNOTA=228626&IDSECCION...
Very interesting. I just tried it also and got the FBI site. Wonder what's up.
Yup found it after a search on the site:
http://www.eldiariodechihuahua.com/notas.php?IDNOTA=228626
I've created websites myself for personal projects, usually video gaming-related. I know in one instance where I was maintaining a website for a group of gamers, I set up password authorization failures to redirect to http://www.cybercrime.gov/ It's possible something similar is happening here, and that it's not malicious... Looking at the source for ElDiarioDeChihuahua.com's main page, it looks like notas.php is basically a "worker" object that pulls up stories based on the ID's passed to it. It's possible it was written the same way, a malformed request goes to the FBI's Cyber Crime site. I'm not saying it is, I'm just saying it's highly possible. ;-)
But you didn't code it to go to Interpol, or the British Home Office cyber crime site, did you? Because that wouldn't have made any sense. So why would a Mexican firm choose the FBI instead of the Mexican equivalent?
Directed to Henry below, maybe the web geek who put the page together was a US citizen and it didn't cross his mind to put anything other than the FBI there.
I'm reminded of the old saying, "Never attribute to malice that which can be adequately explained by stupidity."
I think there's plenty out there for us to be suspicious of, but I wouldn't start jumping at shadows before at least checking with the ElDiarioDeChihuahua webmaster.
David, why would the editor and editor-in-chief of a Mexican newspaper have a diarioUSA.com (emphasis on USA) email domain?
If I were the suspicious type, I might think the Feebs are running a (damned clumsy, but that tracks with my personal experience with Feebs) disinformation/distraction operation.
For those concerned with privacy, I suggest not visiting that site/page except through a proxy. Or they could be tracking user data in hopes of IDing the whistleblowers.
Actually, that last sounds fairly likely.
PROXIES, guys.
http://www.diario.com.mx/notas.php?f=2011/01/30&id=a9c5e380ff5d04885...
This works too.
Ugh, Examiner has added a bunch of nasty popups, including one that goes to a "you've won a free iPad scam". This may reduce my readership.
As of 6:50 PM MST the link works properly with no redirect.
Is it possible there was a clumsy attempt to hack the Diario site to relay visitor IP logs to the FBI?
And, if this server is in the U.S., was there some coercion on the part of the .gov?
I must take back my previous statement. The link does indeed redirect, I clicked on the wrong one.
Mea culpa.
At least they have my IP address from that link now. :)
It is in fact quite common to have domain name servers in various parts of the world, regardless of where the owners of the website reside. In fact, failing to have redundant, geographically separated name servers may well be grounds for a geek to get fired for incompetence.
Also, just because a site has a TLD of .mx doesn't mean that it is hosted in Mexico. If the server that hosts the domain physically resides in the U.S. it would make sense that possible attempted hacks be redirected to the FBI.
By way of example, I live in Bellevue, WA. The server that hosts my personal website is located outside of New York City, and for all the domains I own, through multiple registrars, I have name servers throughout the country.
As an American, I am lucky to live in a country with a very large, diverse, and reliable Internet infrastructure. Were I a Mexican (or some other 2nd-3rd world country) I would absolutely choose to run my systems in America or Europe.
As to all that 'crap' after the URI: it is actually part of the URI, and as HTTP is a stateless protocol, some* of it is actually required (as in this case) if you want the web application to function.
There is nothing to see here, except maybe an insight into how us geeks make this Internet stuff work.
*Yes, some of that info could be used to track you from from site to site in conjunction with tracking cookies.
HTH
--Mark
I would just add that, when you go to http://www.eldiariodechihuahua.com/notas.php, you are performing the same action a cybercriminal would in probing the web application in order to determine its vulnerabilities. So, when you perform the sames actions as a criminal, albeit for non-nefarious reasons, don't be alarmed when you get reported to the authorities.
It'd be like getting pulled over at night in a residential neighborhood, and the cop finding common burglary tools in your trunk. Don't be surprised if the cop questions you about burglary, even though you have no dishonorable intentions.
Ok, that's a serious stretch... let's dissect the examiner link I'm seeing for the moment...
http://www.examiner.com/gun-rights-in-national/why-does-link-for-mexican...
On the old examiner page instead of the ?CID=examiner_alerts.... I would see something referring to comment#s and if I had made a comment and wanted to refresh the page I would have to remove that or risk a double post. Needless to say, in this case it won't double post but it removes extraneous info. http://www.examiner.com/gun-rights-in-national/why-does-link-for-mexican... still leads to this article just fine.
http://www.examiner.com/gun-rights-in-national/ now takes me to the index for Mr. Codrea's articles. and finally http://www.examiner.com/ takes me to the examiner home page.
Removing the portions of the url has nothing to do with criminal actions and is sometimes a speedier and less confusing way to browse, ie. taking me to the article index a step back.
Usually, you'll find that any pages other than the desired article have their permissions modified, such as here, http://www.cnn.com/2011/OPINION/ And with the Mexican news page I suspect it's much to do about nothing. Instead of a nice page not found they just forwarded to somewhere they thought of quickly and have long since forgotten about.
I did some more light digging.
diariousa.com is the Spanish language paper in El Paso, TX.
eldiariodechihuahua.com is a Spanish language paper for the State of Chihuahua, Mexico. The former may be owned by the latter, but I doubt it. I wouldn't think the New York Times was owned by the Washington Times just because they both have 'Times' in their name.
Email addresses for eldiariodechihuahua.com are available via Google translate at: http://translate.google.com/translate?js=n&prev=_t&hl=en&ie=...
eldiariodechihuahua.com is registered via a private domain company in Florida since 2005, while diariousa.com is regeistered via Yahoo in El Paso, TX, to Editora Paso del Norte, Inc., since 2001.
Oh, and the eldiariodechihuahua.com server is physically located in Dallas, TX, hosted by SoftLayer Technologies. Meanwhile, diariousa.com is physically hosted in Tampa, FL by webmasters.com.
HTH
Darn it! Examiner.com butchered the link! Here is the Spanish link (read directly, or feed into google translate).
http://www.eldiariodechihuahua.com.mx/directorio.php
It seems to be only notas.php that is redirecting. fuego.php and alcohol.php both yield normal 404 pages. It therefore may be something in the notas.php code itself that is causing the re-direct when people play with the arguments, not a nefarious plot.
Your link has been jacked. Here is the actual link to the original Spanish article.
http://www.diario.com.mx/notas.php?f=2011/01/31&id=2390375984852968b...
As mentioned by the last poster, notas.php does not return a 404 Not Found code, but rather a 302 Found code with a redirect - in other words is it most definitely intentionally redirected to the FBI page.
Got something to say?
Examiner.com is looking for writers, photographers, and videographers to join the fastest growing group of local insiders. If you are interested in growing your online rep apply to be an Examiner today!