this post was submitted on 20 Oct 2024
405 points (99.0% liked)

Piracy: ꜱᴀɪʟ ᴛʜᴇ ʜɪɢʜ ꜱᴇᴀꜱ

54781 readers
533 users here now

⚓ Dedicated to the discussion of digital piracy, including ethical problems and legal advancements.

Rules • Full Version

1. Posts must be related to the discussion of digital piracy

2. Don't request invites, trade, sell, or self-promote

3. Don't request or link to specific pirated titles, including DMs

4. Don't submit low-quality posts, be entitled, or harass others



Loot, Pillage, & Plunder

📜 c/Piracy Wiki (Community Edition):


💰 Please help cover server costs.

Ko-Fi Liberapay
Ko-fi Liberapay

founded 1 year ago
MODERATORS
 

The FBI sleeps when libraries burn

you are viewing a single comment's thread
view the rest of the comments
[–] [email protected] 147 points 1 month ago (3 children)

This person could be damaging corporate infrastructure but he goes after internet archive

[–] [email protected] 46 points 1 month ago

I mean this person seems to be not doing it maliciously. As they say, if it wasn't them, it would be someone else. Pushing archive to improve their security is great for everyone. As long as this person doesn't do anything actually malicious, they're in the clear as far as I'm concerned.

[–] [email protected] 40 points 1 month ago (3 children)

This guy is outing the archive for terrible security posture by bringing attention to it because they received disclosures and did not fix them.

Don't get shit twisted - he's the hero here. IA fucked up and has been vulnerable to manipulation by any number of corporate or national actors this entire time.

[–] [email protected] 54 points 1 month ago

If this was genuinely done out of love I could understand but due to the legal battles the internet archive is currently being dragged through, I harbor suspicion of their intent.

[–] [email protected] 49 points 1 month ago (1 children)

If they were really "the hero", they'd follow the bare minimum of responsible disclosure best practices, and allow 90 days between privately alerting them of the issue and going public with it. Two weeks is absurd.

[–] [email protected] 3 points 1 month ago (1 children)

90 days to cycle private tokens/keys?

[–] [email protected] 8 points 1 month ago (1 children)

90 days is just the standard timeframe for responsible disclosure. And normally that's just a baseline with additional time being given if there's genuine communication going on and signs they're addressing the problem.

[–] ITGuyLevi 5 points 1 month ago (1 children)

90 days is standard for "you're code is fucked when someone presses this..."; if the issue is Dave left the keys in the parking lot and someone copied them, two weeks is more than enough time for them to recieve the notice, create a ticket to rotate the keys and a ticket to trigger an investigation (gotta document anytime an org fucks up so it doesn't happen again, right?). Maybe I'm over simplifying it though, I don't know how their org operates.

[–] [email protected] 1 points 1 month ago

I agree in general, but

Maybe I'm over simplifying it though, I don't know how their org operates.

This is exactly why just sticking to the 90 day standard is better. For the supposed security researcher it's a CYA move at worst.

[–] [email protected] 35 points 1 month ago (1 children)

You don't leak a passwords database publicly on the Internet in good faith.

[–] [email protected] 17 points 1 month ago (1 children)

Not necessarily the same hacker.

[–] [email protected] 1 points 1 month ago (1 children)

It's not uncommon for hackers to sell cures for problems they cause. This includes law enforcement, which can have broader goals like promoting their own cybersecurity outfits, even just promoting deoendency on HIBP if it's a fed thing would be useful here, making the joke they left on the page telling people to check out the site itself suspect. The internet archive is a large and beloved outlet for piracy and depaywalling, maybe the security enhancements being billed to them could help the industry bring them to heel a bit. Just speculating.

[–] [email protected] 1 points 1 month ago (1 children)

Are you saying the person who sent the zendesk email is going to try to get IA to hire them for something? I'm not sure I follow...

[–] [email protected] 0 points 1 month ago (1 children)

No I think it's about "context creation" as they call it. Like a protetection racket where payment is made in dependence on certain tools, that is intended to be used later. Good way to popularize leaks themselves

[–] [email protected] 1 points 1 month ago (1 children)

Still not sure what you're talking about.. Is someone going to ask IA for payment related to the zendesk email?

[–] [email protected] 1 points 1 month ago* (last edited 1 month ago) (1 children)

I said it was about fostering dependence on the cybersecurity community. To what end, I do not kniw. But getting people to cloudflare their sites is great for surveillance. Cybersecurity outlets are intensely political and pro west.

Private security contractors have noted that leftists use the internet archive more than anyone. I have been reading their papers about online extremism. Very bad people

[–] [email protected] 1 points 1 month ago (1 children)
[–] [email protected] 1 points 1 month ago

I'm a vague motherfucker and sometimes I just get the feeling if I try to explain my three-quarters baked understanding of how intelligence works in academia and the tech or culture industry in an overtly benign way, I'm going to be tedious due to my lack of expert knowledge ᕕ( ᐛ )ᕗ like I should learn more first, to avoid being tedious

[–] [email protected] 2 points 1 month ago

I have to say that the way they are advertising "HAVE I BEEN PWNED" makes this look like law enforcement selling cures to problems they create. The owner has that CIA front company type CV. It makes my head shudder uncontrollably. 🐙🌕🤕