this post was submitted on 18 Jun 2023
332 points (100.0% liked)

Technology

37746 readers
55 users here now

A nice place to discuss rumors, happenings, innovations, and challenges in the technology sphere. We also welcome discussions on the intersections of technology and society. If it’s technological news or discussion of technology, it probably belongs here.

Remember the overriding ethos on Beehaw: Be(e) Nice. Each user you encounter here is a person, and should be treated with kindness (even if they’re wrong, or use a Linux distro you don’t like). Personal attacks will not be tolerated.

Subcommunities on Beehaw:


This community's icon was made by Aaron Schneider, under the CC-BY-NC-SA 4.0 license.

founded 2 years ago
MODERATORS
 
top 50 comments
sorted by: hot top controversial new old
[–] narc0tic_bird 97 points 1 year ago (2 children)

So they "broke into Reddit" back in February and contacted Reddit in April. After Reddit didn't react they contacted them again a few days ago at this very opportunistic time.

They never specified exactly what kind of data they stole, nor did they prove it by providing samples.

For all we know this story could be entirely made up and they actually have nothing.

But even if they have something, them trying to come across as the good guys in this is so weird to me. No, you're not the good guys. You are criminals.

[–] Stumblinbear@pawb.social 34 points 1 year ago (1 children)

They may be the bad guys, but they're not necessarily bad guys

[–] Kaldo@kbin.social 26 points 1 year ago* (last edited 1 year ago)

“I believe you find life such a problem because you think there are good people and bad people. You're wrong, of course. There are, always and only, the bad people, but some of them are on opposite sides.”

load more comments (1 replies)
[–] Th4tGuyII@kbin.social 96 points 1 year ago (9 children)

I want the API changes reverted as much as any other Reddit refugees here, but I can't stand behind this kind of malfeasant extortion.

Not only is it blatantly obvious they're using the API change rhetoric as a means of irritating Reddit into giving them their hush money, it also avts towards delegitimising all protest efforts made by the Subreddits thus far

load more comments (9 replies)
[–] redcalcium@c.calciumlabs.com 63 points 1 year ago (2 children)

Ransomware operators are scum and should not be trusted, let alone paid.

[–] cowvin@kbin.social 42 points 1 year ago (3 children)

This isn't ransomware. This is standard blackmail.

[–] YMS@kbin.social 16 points 1 year ago (1 children)

Correct, but done by ransomware operators.

[–] zalack@kbin.social 19 points 1 year ago* (last edited 1 year ago) (1 children)

Not that this isn't scummy but my understanding is that "ransomware" refers to software that locks a user or organization out of their systems until a fee is paid, generally my encrypting the disk.

This seems like a more traditional "hack" of a system where you get in and download data. Which makes threatening them is traditional blackmail.

[–] red@feddit.de 16 points 1 year ago (1 children)

The point is that Alphv is an operator of ransomware as a service (RaaS), specifically BlackCat, independent of whether they used ransomware in this specific attack (which it indeed doesn't sound like).

load more comments (1 replies)
load more comments (2 replies)
[–] gds@kbin.social 18 points 1 year ago (2 children)

Agreed they definitely shouldn’t pay these guys.

unfolds chair

load more comments (2 replies)
[–] neo@lemmy.comfysnug.space 62 points 1 year ago (1 children)

Is it weird that I kind of want both groups to lose out here?

[–] gk99@kbin.social 34 points 1 year ago (2 children)

The enemy of my enemy is also my enemy.

[–] BLAMM67 18 points 1 year ago

Maxim 29: The enemy of my enemy is my enemy's enemy. No more. No less.

-The Seventy Maxims of Maximally Effective Mercenaries

[–] Steeve@lemmy.ca 14 points 1 year ago (1 children)

It's enemies all the way down

load more comments (1 replies)
[–] iAmTheTot@kbin.social 43 points 1 year ago

Nah you're not going to catch me rooting for a ransomware attacker

[–] bumbly@readit.buzz 42 points 1 year ago

If it hurts the IPO, I'm all for it. My data on reddit is worthless anyway...

[–] totorohno@lemmy.one 40 points 1 year ago (2 children)

Fuck spez, but this is not the way. Why even ask for money if they don’t expect Reddit to pay? That cheapens their cause.

load more comments (2 replies)
[–] Laille@kbin.social 39 points 1 year ago* (last edited 1 year ago)

lol, fuck reddit, but do they expect us to cheer for them when they're holding user data hostage? They can fuck right off too.

[–] primbin@lemmy.one 31 points 1 year ago (5 children)

Is there any way to validate these claims?

[–] cowvin@kbin.social 42 points 1 year ago (1 children)

Usually what happens is that these sorts of blackmailers will leak small, verifiable pieces of data so people know they really got something. We don't see that here, so for now there's no reason to take them seriously yet.

load more comments (1 replies)
[–] red@feddit.de 22 points 1 year ago

No. If Reddit would negotiate with them, they'd probably leak small subsets as proof that they have actual data that isn't available publicly. But with no negotiations, there's not really any need for that.

[–] vandrw@mander.xyz 22 points 1 year ago (2 children)

No, haha. They also didn't bother to check what was stolen, so they could have very well gotten 80G of memes.

[–] AtomicPurple@kbin.social 33 points 1 year ago (3 children)

I took that to mean no one at Reddit bothered to check what was stolen.

[–] blahaj 25 points 1 year ago

Likewise, to me I interpreted as "There was no attempt (from reddit) to find out what we took."

load more comments (2 replies)
[–] waz@feddit.uk 18 points 1 year ago

I read that to mean Reddit didn’t try to identify the stolen data, rather than the exploitists. Is that right?

[–] stu@lemmy.pit.ninja 16 points 1 year ago

If Reddit were to reach out privately to this group, the first thing they'd probably do is ask for proof. It's trivially easy to provide proof you've carried out a hack; you just present some specific information that was not public and describe what all else you have in specific enough terms they know you're not bluffing. (Or, I suppose you could just send them your whole dump if you really want to make it clear what all you have). The only way the rest of us will be able to validate these claims is if they leak and it either matches users' own private account info or Reddit issues a disclosure about the hack (which I'm pretty sure they're supposed to do regardless).

load more comments (1 replies)
[–] Otome-chan@kbin.social 26 points 1 year ago (1 children)

>reddit fucks over users

>hackers fuck over users

why do this?

Money lol. If they do have it and reddit negotiates then they'll probably expect to be offered a higher price for dropping the API demand. They are just upping the ante.

[–] sourcery@lemmy.one 22 points 1 year ago* (last edited 1 year ago) (2 children)

I wouldn't give them a cent or negotiate at all either, and the public aren't going to give a shit about how they're being tracked.

[–] tal@kbin.social 16 points 1 year ago (1 children)

I kind of assumed that everything that could be logged was, and that it would be data-mined insofar as value could be extracted from it down the line.

load more comments (1 replies)
load more comments (1 replies)
[–] JWBananas@kbin.social 22 points 1 year ago

john-oliver-cool-sarcastic.gif

Put up or shut up

[–] Rachel@derp.foo 19 points 1 year ago (3 children)

Is there any information on what kind of data they stole? It’s a public forum with a lot of public data, it makes no sense that they negotiate about data that is already public.

[–] tal@kbin.social 27 points 1 year ago* (last edited 1 year ago) (1 children)

Well, assuming that this is even directly related to the forum, as opposed to, say, email logs from the Reddit internal email server or something, things that might not be public:

  • Private messages between users.

  • Browsing data. I mean, maybe a user only posts on /r/politics, and that's public, but spends a lot of time browsing /r/femdom or whatever.

  • IP addresses of users. Might be able to associate multiple accounts held by a user.

  • Passwords. While hopefully stored in a salted and hashed format, so they can't be simply trivially obtained, they can still be attacked via dictionary attacks, which is why people are told not to use short and predictable passwords.

  • Email addresses (if a user registered one)

  • Reddit has some private chat feature that I've never used, which I imagine is logged.

[–] redcalcium@c.calciumlabs.com 15 points 1 year ago

Reddit used to be open source and the password was hashed using bcrypt.

[–] cowvin@kbin.social 14 points 1 year ago (1 children)

Well they mention Github artifacts in that message so it sounds like it's more like they may have obtained source code and that sort of non public stuff.

[–] mobyduck648 12 points 1 year ago

Their code was open source until 2017 and it’s got progressively more dogshit for the end user since, I suspect if this is real it’s probably a bit juicier.

load more comments (1 replies)
[–] HisNoodlyServant 17 points 1 year ago (2 children)

80gb? That isn't too much but guess if it's internal information and docs could be damaging to a public offering.

[–] heartlessevil@lemmy.one 28 points 1 year ago

For context, based on historical pushshift data:

  • 80gb zipped decompresses to ~1100GB of text data
  • 80gb zipped would only be the most recent ~4 months of comments

They do indicate that the data they have is more valuable though, particularly pointing out how users are being tracked (GDPR alarm bells ringing) or censored.

[–] maynarkh@feddit.nl 11 points 1 year ago

Might be a single weird Bee Movie video meme as well.

[–] grehund 16 points 1 year ago

Oooo, juicy. I'm looking forward to seeing how this goes down.

[–] asjmcguire@kbin.social 15 points 1 year ago (4 children)

Reddit has been going for like a billion years, and you only got 80GB - I mean even zipped, that can't even be a fraction of the data surely?

[–] ddnomad@infosec.pub 19 points 1 year ago* (last edited 1 year ago)

Depends on what kind of data, if it’s mostly internal documents / dumps of whatever communication systems they use etc, it would not be too large (mostly because of retention policies on that software).

If it is actually the data straight from Reddit’s production databases, then 80GB does sound questionable. But then what kind of data are we talking about? Is it actually valuable?

Anyways, this is big (if true).

[–] eighty@lemmy.one 12 points 1 year ago

I'd be surprised if the data was just content. Memes and texts aren't particularly valuable.

However, data that can be used for tracking/developing user profiles such as what they're subscribed to, how active they are, and how they all link to one another is especially useful for conpetetitors and marketers. Plus any personal data such as emails and profiles. I wouldn't be surprised if you managed to get a huge amount of data under 80gb if it's just text (think how big a 80gb excel sheet would be)

load more comments (2 replies)
[–] BrooklynMan@lemmy.ml 15 points 1 year ago* (last edited 1 year ago)

lol, ok. i mean, even if this is true (which, eh, maybe it is), I'm not really sure it's worth what they're asking for it. if this threat is genuine, and they follow through, it will certainly be publically embarrassing for spez at a really bad time. but there's zero chance he's going to give in to their demands.

i don't expect the data dump would contain anything particularly juicy, or these demands would have been made months ago. it's just that it would be embarrassing for reddit (and spez) if it happened, particularly right now.

[–] kosmicpulse@kbin.social 14 points 1 year ago (2 children)

Whether the data is with Reddit or the hackers, what difference does it make lol

load more comments (2 replies)
load more comments
view more: next ›