Piracy: ꜱᴀɪʟ ᴛʜᴇ ʜɪɢʜ ꜱᴇᴀꜱ

54698 readers

387 users here now

⚓ Dedicated to the discussion of digital piracy, including ethical problems and legal advancements.

Rules • Full Version

1. Posts must be related to the discussion of digital piracy

2. Don't request invites, trade, sell, or self-promote

3. Don't request or link to specific pirated titles, including DMs

4. Don't submit low-quality posts, be entitled, or harass others

Loot, Pillage, & Plunder

📜 c/Piracy Wiki (Community Edition):

💰 Please help cover server costs.


Ko-fi	Liberapay

founded 1 year ago

MODERATORS

[email protected]

422

Internet Archive's support email has now been compromised (lemmy.dbzer0.com)

submitted 1 month ago by [email protected] to c/[email protected]

54 comments fedilink hide all child comments

The FBI sleeps when libraries burn

you are viewing a single comment's thread
view the rest of the comments

[–] [email protected] 42 points 1 month ago (4 children)

This guy is outing the archive for terrible security posture by bringing attention to it because they received disclosures and did not fix them.

Don't get shit twisted - he's the hero here. IA fucked up and has been vulnerable to manipulation by any number of corporate or national actors this entire time.

[–] [email protected] 55 points 1 month ago

If this was genuinely done out of love I could understand but due to the legal battles the internet archive is currently being dragged through, I harbor suspicion of their intent.

[–] [email protected] 43 points 1 month ago (1 children)

If they were really "the hero", they'd follow the bare minimum of responsible disclosure best practices, and allow 90 days between privately alerting them of the issue and going public with it. Two weeks is absurd.

[–] [email protected] 4 points 1 month ago (1 children)

90 days to cycle private tokens/keys?

[–] [email protected] 7 points 1 month ago (1 children)

90 days is just the standard timeframe for responsible disclosure. And normally that's just a baseline with additional time being given if there's genuine communication going on and signs they're addressing the problem.

[–] [email protected] 5 points 1 month ago (1 children)

90 days is standard for "you're code is fucked when someone presses this..."; if the issue is Dave left the keys in the parking lot and someone copied them, two weeks is more than enough time for them to recieve the notice, create a ticket to rotate the keys and a ticket to trigger an investigation (gotta document anytime an org fucks up so it doesn't happen again, right?). Maybe I'm over simplifying it though, I don't know how their org operates.

[–] [email protected] 1 points 1 month ago

I agree in general, but

Maybe I'm over simplifying it though, I don't know how their org operates.

This is exactly why just sticking to the 90 day standard is better. For the supposed security researcher it's a CYA move at worst.

[–] carpelbridgesyndrome 35 points 1 month ago (1 children)

You don't leak a passwords database publicly on the Internet in good faith.

[–] [email protected] 18 points 1 month ago (1 children)

Not necessarily the same hacker.

[–] [email protected] 14 points 1 month ago (1 children)

You sure about that, or are you hypothesizing?

[–] [email protected] 11 points 1 month ago

There's never certainty when talking about hackers...

That's verbatim the content of the email and the email hack does not appear to be malicious (unlike the ddos or the password breach)

It's more likely that this is 3 different groups than it is a single group.