Demolishing SPH’s claims in Mr Geoffrey’s misleading article: “Attack on Temasek Review – not SPH”
[Read our latest rebuttal to Mr Geoffrey Pereira's second article on 13 November 2009 here]
Last week, we published an article about a SPH IP address caught “grabbing” content from our site. (read article here)
SPH has since published a reply to our article by Geoffrey Pereira on his ST blog here
Read our latest updated article on the Freudian slip made by Mr Geoffrey Pereira here
First of all, before we begin, we must thank Mr Geoffrey Pereira for giving us such extensive publicity in the Straits Times.
We are sorry that he was “arrowed” by his superiors to draft a reply to us with the aim of putting us down and demolishing our credibility altogether.
We have nothing personal against Mr Geoffrey Pereira and we understand he is merely an employee of SPH.
It is most disingenuous of Mr Geoffrey to distort the version of events, put words into our mouths and throw a smokescreen to obfuscate the matter and to confuse and mislead readers into thinking that we have hurled a false accusation at them.
Let us correct the three FACTUAL INACCURACIES in Mr Geoffrey’s article:
FACT #1: We did not accuse SPH of launching a DDOS attack against our site.
In the first place, Mr Geoffrey’s choice of title for his article – “Attack on Temasek Review: not SPH” – is completely off tangent because our article was never about any “attack”.
Nowhere in the article did we ever accuse SPH of launching a DDOS attack to bring down our site. Mr Geoffrey wrote an entire section on IP spoofing which is totally irrelevant because it was not about DDOS at all.
The server log we published showed an IP address belonging to SPH “grabbing” content from our site. It is easily understood by a layman that “content grabbing” is not equivalent to a DDOS attack which is the point we are trying to get across.
In fact, we took pains to explain what a DDOS attack means at the beginning of our article to prevent readers from getting the wrong idea, because the incident occurred only a day after our site was brought down by a DDOS attack.
Unfortunately, Mr Geoffrey deliberately misquoted us to create the impression that we are accusing SPH of being culprits of his imaginary “DDOS attack”.
We find it amusing that SPH actually asked a staff member of its Network Intrusion Protection Services (NIPS) vendor to check 7 days’ worth of data, who found no DOS activity originating from SPH, before reaching the conclusion:
“My opinion of the situation is Temasek Review released the article with very little research into what happened on its server.”
It is SPH who did not bother to do any “research” on our original article.
Mr Geoffrey should have read through our entire article carefully again and emailed us for clarification first before publishing his article.
Had SPH bothered to ask us if we had accused them of launching a DDOS against Temasek Review, we would have told them straight in the face:
“NO, we are fully aware of the fact that SPH DID NOT launch any DDOS attack on us at all. What we are keen to know is whether SPH did “grab” our content”.
FACT #2: Timing of the incident occurred between 31st October 2200 hours to 1st November 0100 hours.
As our article had stated clearly, the flurry of network communication requests from the SPH IP took place on 31st October 2009, around 2200 hours to 1st November 0100 hours.
Our correspondent first received the call from the system administrator on 1st November 2009 at around 12.10am.
He typed the article on the spot which explained why the initial date was published as 1 November.
The exact dates were subsequently amended to between 31st October and 1st November after the relevant portion of the server log was printed out by the system administrator and forwarded to us together with cPanel’s Apache access snapshot.
Mr Geoffrey wrote:
“In fact, from midnight on Nov 1 to about 6 am, (covering a period of the alleged attack) no one from SPH accessed the TR site.”
Of course nobody from SPH accessed the TR site during this period of time because our server log did not show otherwise! This period was not even stated in the initial draft of our article, so where did Mr Geoffrey get it from? Another figment of his imagination?
The key question is, did anybody from SPH access the TR site from 31st October 2200 hours to 1st November 0100 hours? This is the critical time period when the “grabbing” was proven to have taken place by our data center and ISP in China.
Mr Geoffrey got the timing of the incident completely wrong and therefore how can he use it as a basis to disprove our claims about the SPH IP address “grabbing” content from our site?
He should get his facts checked first before making such an embarrassing mistake, which casts doubt on the logic, consistency and accuracy of his article.
We understand that Mr Pereira is probably not acquainted with IT issues like us, but surely there must be an appropriate person from such a big organization like SPH to proof-read his article before it went to publication?
FACT #3: The “grabbing” has the potential to slow and overload our server
Mr Pereira wrote in his article that nobody in SPH tried to “grab” content from our site in a way that would load our server:
“Neither did anyone in SPH try to “grab” TR material in a way that would load its server; nor did any SPH staffer launch any attack on the server.”
The fashion in which the content was accessed is consistent with search robots or a web grabber, i.e. a website is archived so that a string search can be made. While this is perfectly legal, some software uses multiple sockets when downloading content, and CAN potentially hog resources from the web server and slow other users’ access.
It WILL HOG the server’s resources, but in this incident it didn’t, because the software firewall on the server itself banned the offending IP address minutes into the action after the IP address exceeded 60 connects per minute, the threshold set by the system administrator.
Technically, if the server were not protected by a firewall and had been configured poorly, requests in excess of 60 connects per minute WOULD HAVE brought the server down and that would technically be classified as an attack.
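The per-IP rate check described above, sketched as an added example (not code from our server or its firewall): it scans Apache access-log lines in chronological order and reports the moment an address exceeds 60 requests inside any 60-second window. The sliding-window reading of "60 connects per minute", the function names and the sample log lines (documentation-range IP addresses, invented paths) are assumptions constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

THRESHOLD = 60                      # connects per minute, as stated in the article
WINDOW = timedelta(seconds=60)
STAMP = "%d/%b/%Y:%H:%M:%S %z"      # Apache access-log timestamp layout
# Apache common/combined log format: client IP, identd, user, [timestamp] ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\]')

def find_bans(lines, threshold=THRESHOLD, window=WINDOW):
    """Return {ip: time_of_ban} for each IP that exceeds `threshold`
    requests within any sliding `window`. Lines must be chronological."""
    recent = defaultdict(deque)     # ip -> timestamps still inside the window
    bans = {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                # skip malformed or truncated lines
        ip, stamp = m.groups()
        if ip in bans:
            continue                # a banned IP's later requests are dropped
        ts = datetime.strptime(stamp, STAMP)
        q = recent[ip]
        q.append(ts)
        while ts - q[0] >= window:  # expire hits older than the window
            q.popleft()
        if len(q) > threshold:
            bans[ip] = ts
    return bans

def sample_log():
    """Constructed sample: a grabber at 2 requests/second for one minute,
    and an ordinary reader at 1 request every 5 seconds for ten minutes."""
    start = datetime(2009, 10, 31, 22, 0, 0, tzinfo=timezone(timedelta(hours=8)))
    lines = []
    for s in range(600):
        stamp = (start + timedelta(seconds=s)).strftime(STAMP)
        if s < 60:
            for n in (2 * s, 2 * s + 1):
                lines.append(f'192.0.2.10 - - [{stamp}] "GET /?p={n} HTTP/1.1" 200 5120')
        if s % 5 == 0:
            lines.append(f'198.51.100.7 - - [{stamp}] "GET /?p={s} HTTP/1.1" 200 5120')
    return lines

if __name__ == "__main__":
    for ip, when in find_bans(sample_log()).items():
        print(f"{ip} exceeded {THRESHOLD}/min at {when.isoformat()}")
```

In the constructed sample the grabber is cut off on its 61st request, 30 seconds in, while the ordinary reader never approaches the limit.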
FACT #4: Our log shows SPH’s IP address accessing material from 2008

As we can see from a snapshot of our log, the IP address 203.116.232.234, which was traced back to SPH by our data center, was shown getting our content from as early as 2008.
Mr Geoffrey claimed that SPH logs showed otherwise:
“SPH logs also determined that no one from the company tried to access material from 2008, as claimed by TR.”
There can only be three possibilities:
1. The SPH logs somehow omitted the period between 31st October 2009, 2200 hours and 1st November 2009, 0100 hours.
2. Our system administrator, who is a Chinese national, had either falsified the server log or made a mistake about it but that is quite impossible as we use cPanel on our servers and can see for ourselves under its GUI that the said IP was indeed registered as accessing our site on the date and time in question.
3. The engineers at China Telecoms, the largest ISP in China who owns and runs the Data Centre where our server is located had falsified both the network and firewall logs as well.
Our servers are hosted with RTG (Asia) Network in a China Data Centre. Our system administrator had double checked and verified the logs with their Data Centre before we decided to publish the article.
The said IP address was registered on our server’s Apache log, cPanel’s access logs and even at Data Centre level.
Frankly, we don’t see any reason why someone would go through all the trouble to spoof an IP address to incriminate SPH instead of launching a DDoS attack if that someone has anything against us, as claimed by SPH. Besides, the Data Centre we use has a hardware firewall to detect and drop spoofed IPs and packets.
[Read why IP spoofing is technically IMPOSSIBLE in this case here]
Furthermore, the company’s staff are all Chinese and have NO vested interests in TR or SPH and stand to gain NOTHING by hurling false accusations against SPH.
There is a discrepancy between what SPH said and what was revealed on our log.
None of us are technical people and it will be unfair for us or Mr Geoffrey himself to continue the exchange online.
We propose a simple solution to get to the bottom of the matter to resolve the impasse:
1. Get the system administrator of SPH to contact our hosting company RTG (Asia) Network for our full server log as well as China Telecoms Data Centre for the network and firewall logs. (Obviously we cannot reveal them here for security reasons)
2. Conduct an investigation to find out why our log showed SPH IP addresses “grabbing” our content at the stated time frame on 31 October 2009, 2200 hours to 1 November 2009, 0100 hours.
If the system administrator at RTG somehow made a mistake or gave us wrong information, request RTG to publish it on its site.
We will follow suit with an unreserved apology immediately under our “TOP NEWS” section continuously for 3 days.
However, if it is indeed true that the perpetrator is an SPH staff member, we hope SPH can give us an explanation of what really happened.
SPH should realize that they cannot afford to ride roughshod over us like what they did to others before.
Though their sites still dominate Singapore’s blogosphere, we are no pushovers either, and we have a sizable readership to reckon with, as they must have realized, which explains why SPH felt there was a need to reply to our article.
Unfortunately, Mr Geoffrey’s ill-thought article now leaves us with more questions than answers.
We are more than happy to cooperate with SPH to find out the truth as we are really concerned about the content of our site being “grabbed” in such a covert manner.
IT idiots like us have to depend on our system administrators to provide us with the facts relating to server matters. We will greatly appreciate SPH’s assistance in this matter because, based on the resources they have at their disposal, they should be able to find out who the real culprit is (assuming it’s not an SPH staff member).
In fact, since SPH has now blown the matter out of proportion by implicating RTG and China Telecoms, they have to pursue it to the end because the reputations of two companies are at stake.
Mr Geoffrey or any SPH staff can contact us at [email protected]. They are advised to consult us first to have their facts checked before publishing another embarrassing article like this and shooting themselves in the foot.
Related articles:
>> A Freudian slip by Mr Geoffrey Pereira?
>> Attack on Temasek Review: not SPH
>> SPH IP caught grabbing “content” from Temasek Review
>> Debunking Mr Geoffrey’s claims on “IP spoofing”




