The FBI sleeps when libraries burn

  • jwiggler
    link
    fedilink
    English
    arrow-up
    243
    arrow-down
    9
    ·
    2 months ago

    Hackers acting as if they’re doing a public service by bringing down a free publicly accessible tool is a new level of assbackwardness.

    If the goal really was to force IA to increase their security, they would’ve tried to consult with them. This is more about notoriety and chaos and the hackers have no moral ground to stand on.

    • zante@lemmy.wtf
      link
      fedilink
      English
      arrow-up
      101
      arrow-down
      1
      ·
      2 months ago

      Yeah look at me flexing on and underfunded non profit.

      Not at all hackers are criminals, but many are idiots.

    • Varyk
      link
      fedilink
      English
      arrow-up
      62
      arrow-down
      3
      ·
      2 months ago

      was that their stated reason for attacking the internet archive?

      to bring awareness to the security breaches?

      little fucks.

      “I stole your wallet because pockets are so vulnerable. I’m helping.”

      • far_university190@feddit.org
        link
        fedilink
        English
        arrow-up
        50
        ·
        2 months ago

        nobody know true reason

        one group claim responsibility on twitter for ddos, reason they are us company and us support genocide in gaza. but from all us company they chose ia? sound like bullshit.

        • just_an_average_joe@lemmy.dbzer0.com
          link
          fedilink
          English
          arrow-up
          9
          ·
          2 months ago

          You know what would be good place to archive and show the coming generations how corpos were deaf to the GAZA’s plight? Internet Fucking Archive

          I just get the feel that they either are lazy for mentioning gaza or malicious to muddy the reputation of the protesters.

        • Varyk
          link
          fedilink
          English
          arrow-up
          19
          arrow-down
          1
          ·
          2 months ago

          oh good, that totally makes senseWHAT?!

          • Comment105@lemm.ee
            link
            fedilink
            English
            arrow-up
            4
            arrow-down
            1
            ·
            edit-2
            2 months ago

            You see, some NATO members have been known to use the internet. Artifacts of that usage may have been archived, like their statements and voting choices. For example, if IA stored a page where Jens Stoltenberg called a polandball comic “funny and accurate” in 2019. That would be bad for Gaza.

    • switchboard_pete@fedia.io
      link
      fedilink
      arrow-up
      20
      ·
      2 months ago

      Hackers acting as if they’re doing a public service by bringing down a free publicly accessible tool is a new level of assbackwardness.

      are the zendesk hackers the same as the ones who brought down the website initially?

      • Ajen
        link
        fedilink
        English
        arrow-up
        1
        ·
        2 months ago

        No. And it’s hard to call the zendesk one a hack, even. They just used the same credentials that were leaked a couple weeks before.

    • openrain502r
      link
      fedilink
      English
      arrow-up
      10
      ·
      edit-2
      2 months ago

      iirc some group on twitter claiming that they were the ones behind the attack mentioned it had to do with Palestine or something like that? bruh the internet archive is a non profit organisation.

      then when people pointed it out, they mentioned that since they were incorporated in the USA they were still guilty or something like that? dude wtf

    • 1984@lemmy.today
      link
      fedilink
      English
      arrow-up
      9
      arrow-down
      1
      ·
      edit-2
      2 months ago

      Their emotional maturity is close to zero.

      They go after internet archive, such a lame move.

    • umbrella@lemmy.ml
      link
      fedilink
      English
      arrow-up
      10
      arrow-down
      5
      ·
      2 months ago

      those hackers are probably paid by the corporations wanting to bring it down

      • UnrepententProcrastinator@lemmy.ca
        link
        fedilink
        English
        arrow-up
        8
        arrow-down
        2
        ·
        2 months ago

        As much as I probably ideologically stand with you, let’s not confirmation bias ourselves into a belief we have no evidence for.

    • huginn@feddit.it
      link
      fedilink
      English
      arrow-up
      69
      arrow-down
      27
      ·
      2 months ago

      This guy is outing the archive for terrible security posture by bringing attention to it because they received disclosures and did not fix them.

      Don’t get shit twisted - he’s the hero here. IA fucked up and has been vulnerable to manipulation by any number of corporate or national actors this entire time.

      • ComradeSharkfucker@lemmy.ml
        link
        fedilink
        English
        arrow-up
        57
        arrow-down
        2
        ·
        2 months ago

        If this was genuinely done out of love I could understand but due to the legal battles the internet archive is currently being dragged through, I harbor suspicion of their intent.

      • Zagorath@aussie.zone
        link
        fedilink
        English
        arrow-up
        47
        arrow-down
        4
        ·
        2 months ago

        If they were really “the hero”, they’d follow the bare minimum of responsible disclosure best practices, and allow 90 days between privately alerting them of the issue and going public with it. Two weeks is absurd.

          • Zagorath@aussie.zone
            link
            fedilink
            English
            arrow-up
            7
            ·
            2 months ago

            90 days is just the standard timeframe for responsible disclosure. And normally that’s just a baseline with additional time being given if there’s genuine communication going on and signs they’re addressing the problem.

            • ITGuyLevi@programming.dev
              link
              fedilink
              English
              arrow-up
              5
              ·
              2 months ago

              90 days is standard for “you’re code is fucked when someone presses this…”; if the issue is Dave left the keys in the parking lot and someone copied them, two weeks is more than enough time for them to recieve the notice, create a ticket to rotate the keys and a ticket to trigger an investigation (gotta document anytime an org fucks up so it doesn’t happen again, right?). Maybe I’m over simplifying it though, I don’t know how their org operates.

              • Zagorath@aussie.zone
                link
                fedilink
                English
                arrow-up
                1
                ·
                2 months ago

                I agree in general, but

                Maybe I’m over simplifying it though, I don’t know how their org operates.

                This is exactly why just sticking to the 90 day standard is better. For the supposed security researcher it’s a CYA move at worst.

      • carpelbridgesyndrome
        link
        fedilink
        English
        arrow-up
        37
        arrow-down
        2
        ·
        2 months ago

        You don’t leak a passwords database publicly on the Internet in good faith.

            • Ajen
              link
              fedilink
              English
              arrow-up
              1
              ·
              2 months ago

              Are you saying the person who sent the zendesk email is going to try to get IA to hire them for something? I’m not sure I follow…

                • Ajen
                  link
                  fedilink
                  English
                  arrow-up
                  1
                  ·
                  2 months ago

                  Still not sure what you’re talking about… Is someone going to ask IA for payment related to the zendesk email?

        • huginn@feddit.it
          link
          fedilink
          English
          arrow-up
          12
          arrow-down
          1
          ·
          2 months ago

          There’s never certainty when talking about hackers…

          That’s verbatim the content of the email and the email hack does not appear to be malicious (unlike the ddos or the password breach)

          It’s more likely that this is 3 different groups than it is a single group.

    • 0x4E4F
      link
      fedilink
      English
      arrow-up
      1
      ·
      2 months ago

      Because none of this was random or premeditated as in to strengthen their security.

  • orca@orcas.enjoying.yachts
    link
    fedilink
    English
    arrow-up
    65
    arrow-down
    10
    ·
    2 months ago

    This strikes me as state-funded or state adjacent hacking. Kind of like how the destruction of Twitter eliminated a source of on-the-ground, 24/7 information for the working class on all of the events our governments would prefer we not see so that their propaganda can be produced more lazily. Destroying the Internet Archive acts as another hindrance to the working class when it comes to staying informed and enriched.

    • B0rax@feddit.org
      link
      fedilink
      English
      arrow-up
      28
      ·
      2 months ago

      This message here in particular is not looking state funded if you ask me. Gaining access to zendesk tickets is a vulnerability which was published a few weeks/months ago and is not difficult at all.

      • 0x4E4F
        link
        fedilink
        English
        arrow-up
        1
        arrow-down
        1
        ·
        2 months ago

        Yes, and IA was super prompt at patching that, because they have such a big team, who also get paid corporate wages and get all sorts of benefits. And, of course, all of them have nothing better to do… because maintaining that infrastructure and code is a piece of cake and is super easy.

    • winterayars
      link
      fedilink
      English
      arrow-up
      19
      ·
      2 months ago

      I don’t know about state funded, but corporations really, really hate IA for a lot of reasons.

      • 0x4E4F
        link
        fedilink
        English
        arrow-up
        3
        ·
        edit-2
        2 months ago

        Like keeping old versions of their software for one… or source code leaked or deleted for one reason or another… and other info of course.

        I use it regularly to link to source files or packages long deleted, but I still use them for one thing or another.

  • Nexy@lemmy.sdf.org
    link
    fedilink
    English
    arrow-up
    41
    arrow-down
    2
    ·
    2 months ago

    Why they don’t try to ddos and hack ChatGPT instead or something?

    • UlyssesT [he/him]@hexbear.net
      link
      fedilink
      English
      arrow-up
      21
      arrow-down
      2
      ·
      2 months ago

      Because they’re corporate bootlickers, paid or otherwise.

      Look at the people that participate in “Hacker News.” corporate-art bootlicker

    • zarkanian
      link
      fedilink
      English
      arrow-up
      7
      arrow-down
      2
      ·
      2 months ago

      Hey, instead of picking on that little kid, why don’t you go harass that huge bodybuilder guy with all the knives attached to his belt?

    • 0x4E4F
      link
      fedilink
      English
      arrow-up
      1
      ·
      2 months ago

      Because no one has offered any money regarding that.

  • Arcturus@lemmy.dbzer0.com
    link
    fedilink
    English
    arrow-up
    30
    arrow-down
    2
    ·
    2 months ago

    The FBI sleeps when libraries burn

    This dumbass is probably being paid by them in the first place lol

  • BonerMan@ani.social
    link
    fedilink
    English
    arrow-up
    8
    arrow-down
    7
    ·
    2 months ago

    Doesn’t seem to be ill intended, not a good way to point out a problem, but the problem is there.

    • 0x4E4F
      link
      fedilink
      English
      arrow-up
      3
      ·
      edit-2
      2 months ago

      There are other ways to point out a problem. What this person did could have been done as a POC, discussed privately with IA and published publicly later on, when the problem was patched.

      This was deliberate and probably paid for.

      • Ajen
        link
        fedilink
        English
        arrow-up
        1
        ·
        2 months ago

        Deliberate? If someone was paying for it, wouldn’t they have done something more harmful?

        • 0x4E4F
          link
          fedilink
          English
          arrow-up
          1
          ·
          2 months ago

          Maybe that was the only thing that was easily exploitable… or maybe it’s a warning… or maybe not enough pay for something more sinister… or maybe all of the above.

          • Ajen
            link
            fedilink
            English
            arrow-up
            1
            ·
            2 months ago

            None of those theories sound very plausible. It’s far more likely that an amateur who didn’t understand responsible disclosure decided to check if the keys that were leaked 2 weeks ago are still valid, got excited when they were, and chose a slightly-irresponsible way to share their findings.

            They didn’t exploit or hack anything. They just tried to log in with credentials that were leaked 2 weeks ago.

            • 0x4E4F
              link
              fedilink
              English
              arrow-up
              1
              ·
              edit-2
              2 months ago

              It’s still an exploit if he/she didn’t rightfully have access to those parts of IA.

              And what was written in that screenshot doesn’t say “script kiddie” to me, it says that this person knew full well what he/she was doing. Script kiddies lack confidence. That is not what I’m getting from the screenshot.

              It may also be a plan that was in the making for a long time, but the party was just waiting for an easy opportunity to make a good hit on IA.

              Most people into security knew they were leaked a few weeks ago and everyone (including myself) thought that, yes, they are probably still working, but they’re understaffed, so they’ll probably get to it, but it’ll take a few more weeks. It never occured to me that anyone in their right mind would deliberately do harm to IA. There’s honor, even amongst thieves. I know for certain at least one group looked at those keys and didn’t do anything. Why bite the very thing that you rely on… there is no point. All of us use IA for various things, including long gone packages and source code. It would be dumb to actually do this. Unless there is a financial incentive, of course… I’m sorry, but that’s the only thing that makes sense in my mind.

              • Ajen
                link
                fedilink
                English
                arrow-up
                1
                ·
                2 months ago

                Being “into” security doesn’t make you an expert. Why wouldn’t you expect rotating the leaked keys to be one of the first steps of their incident response plan?

                And script kiddies lack confidence? I don’t know why you’d think that - from what I’ve seen they tend to be over-confident and act like they know more than they actually do.

                • 0x4E4F
                  link
                  fedilink
                  English
                  arrow-up
                  1
                  ·
                  2 months ago

                  Rotating the keys was my first thought as well, I just thought they were busy with something else and couldn’t get this done at the time. Though, yes, I would make it my no.1 priority as well and drop everything else. But I guess they learned their lesson now. When you’re that well known, you’re a huge target and you’ve also managed to piss off some of the world’s largest corps… you better make security your no.1 priority.

                  Script kiddies act like that only when bragging online. Put them in a real world scenario and most of them don’t know what to do and just bail. The might get into the system, but then realize what they’ve done and start unplugging things from outlets. And script kiddies just brag around and leave notes like “you’ve been hacked loozer”, or something similar. This is a well thought of response, this has nothing to do with bragging or a challenge, this was intentional.