The FBI sleeps when libraries burn
This person could be damaging corporate infrastructure but he goes after internet archive
this post was submitted on 20 Oct 2024
353 points (100.0% liked)
Piracy: ꜱᴀɪʟ ᴛʜᴇ ʜɪɢʜ ꜱᴇᴀꜱ
1443 readers
18 users here now
⚓ Dedicated to the discussion of digital piracy, including ethical problems and legal advancements.
Rules • Full Version
1. Posts must be related to the discussion of digital piracy
2. Don't request invites, trade, sell, or self-promote
3. Don't request or link to specific pirated titles, including DMs
4. Don't submit low-quality posts, be entitled, or harass others
Loot, Pillage, & Plunder
📜 c/Piracy Wiki (Community Edition):
💰 Please help cover server costs.
 |
 |
|---|---|
| Ko-fi | Liberapay |
founded 1 year ago
MODERATORS
This guy is outing the archive for terrible security posture by bringing attention to it because they received disclosures and did not fix them.
Don't get shit twisted - he's the hero here. IA fucked up and has been vulnerable to manipulation by any number of corporate or national actors this entire time.
If this was genuinely done out of love I could understand but due to the legal battles the internet archive is currently being dragged through, I harbor suspicion of their intent.
If they were really "the hero", they'd follow the bare minimum of responsible disclosure best practices, and allow 90 days between privately alerting them of the issue and going public with it. Two weeks is absurd.
90 days to cycle private tokens/keys?
90 days is just the standard timeframe for responsible disclosure. And normally that's just a baseline with additional time being given if there's genuine communication going on and signs they're addressing the problem.
90 days is standard for "you're code is fucked when someone presses this..."; if the issue is Dave left the keys in the parking lot and someone copied them, two weeks is more than enough time for them to recieve the notice, create a ticket to rotate the keys and a ticket to trigger an investigation (gotta document anytime an org fucks up so it doesn't happen again, right?). Maybe I'm over simplifying it though, I don't know how their org operates.
I agree in general, but
Maybe I'm over simplifying it though, I don't know how their org operates.
This is exactly why just sticking to the 90 day standard is better. For the supposed security researcher it's a CYA move at worst.
I mean this person seems to be not doing it maliciously. As they say, if it wasn't them, it would be someone else. Pushing archive to improve their security is great for everyone. As long as this person doesn't do anything actually malicious, they're in the clear as far as I'm concerned.
I have to say that the way they are advertising "HAVE I BEEN PWNED" makes this look like law enforcement selling cures to problems they create. The owner has that CIA front company type CV. It makes my head shudder uncontrollably. 🐙🌕🤕
This strikes me as state-funded or state adjacent hacking. Kind of like how the destruction of Twitter eliminated a source of on-the-ground, 24/7 information for the working class on all of the events our governments would prefer we not see so that their propaganda can be produced more lazily. Destroying the Internet Archive acts as another hindrance to the working class when it comes to staying informed and enriched.
This message here in particular is not looking state funded if you ask me. Gaining access to zendesk tickets is a vulnerability which was published a few weeks/months ago and is not difficult at all.
Why they don't try to ddos and hack ChatGPT instead or something?
FFS, that whole hack has left the IA a shambles.
The FBI sleeps when libraries burn
This dumbass is probably being paid by them in the first place lol
Ok, but no need to be bitchy towards the good librarians.
Doesn't seem to be ill intended, not a good way to point out a problem, but the problem is there.