Internet Archive's support email has now been compromised - eviltoast

The FBI sleeps when libraries burn

    • apotheotic (she/her)@beehaw.org
      link
      fedilink
      English
      arrow-up
      54
      arrow-down
      6
      ·
      1 month ago

      I mean this person seems to be not doing it maliciously. As they say, if it wasn’t them, it would be someone else. Pushing archive to improve their security is great for everyone. As long as this person doesn’t do anything actually malicious, they’re in the clear as far as I’m concerned.

    • huginn@feddit.it
      link
      fedilink
      English
      arrow-up
      70
      arrow-down
      27
      ·
      1 month ago

      This guy is outing the archive for terrible security posture by bringing attention to it because they received disclosures and did not fix them.

      Don’t get shit twisted - he’s the hero here. IA fucked up and has been vulnerable to manipulation by any number of corporate or national actors this entire time.

      • ComradeSharkfucker@lemmy.ml
        link
        fedilink
        English
        arrow-up
        65
        arrow-down
        2
        ·
        1 month ago

        If this was genuinely done out of love I could understand but due to the legal battles the internet archive is currently being dragged through, I harbor suspicion of their intent.

      • Zagorath@aussie.zone
        link
        fedilink
        English
        arrow-up
        52
        arrow-down
        4
        ·
        1 month ago

        If they were really “the hero”, they’d follow the bare minimum of responsible disclosure best practices, and allow 90 days between privately alerting them of the issue and going public with it. Two weeks is absurd.

          • Zagorath@aussie.zone
            link
            fedilink
            English
            arrow-up
            8
            ·
            29 days ago

            90 days is just the standard timeframe for responsible disclosure. And normally that’s just a baseline with additional time being given if there’s genuine communication going on and signs they’re addressing the problem.

            • ITGuyLevi@programming.dev
              link
              fedilink
              English
              arrow-up
              4
              ·
              29 days ago

              90 days is standard for “you’re code is fucked when someone presses this…”; if the issue is Dave left the keys in the parking lot and someone copied them, two weeks is more than enough time for them to recieve the notice, create a ticket to rotate the keys and a ticket to trigger an investigation (gotta document anytime an org fucks up so it doesn’t happen again, right?). Maybe I’m over simplifying it though, I don’t know how their org operates.

              • Zagorath@aussie.zone
                link
                fedilink
                English
                arrow-up
                1
                ·
                29 days ago

                I agree in general, but

                Maybe I’m over simplifying it though, I don’t know how their org operates.

                This is exactly why just sticking to the 90 day standard is better. For the supposed security researcher it’s a CYA move at worst.

          • LukácsFan1917@lemmy.ml
            link
            fedilink
            English
            arrow-up
            1
            ·
            27 days ago

            It’s not uncommon for hackers to sell cures for problems they cause. This includes law enforcement, which can have broader goals like promoting their own cybersecurity outfits, even just promoting deoendency on HIBP if it’s a fed thing would be useful here, making the joke they left on the page telling people to check out the site itself suspect. The internet archive is a large and beloved outlet for piracy and depaywalling, maybe the security enhancements being billed to them could help the industry bring them to heel a bit. Just speculating.

        • huginn@feddit.it
          link
          fedilink
          English
          arrow-up
          12
          arrow-down
          1
          ·
          1 month ago

          There’s never certainty when talking about hackers…

          That’s verbatim the content of the email and the email hack does not appear to be malicious (unlike the ddos or the password breach)

          It’s more likely that this is 3 different groups than it is a single group.

    • LukácsFan1917@lemmy.ml
      link
      fedilink
      English
      arrow-up
      2
      ·
      27 days ago

      I have to say that the way they are advertising “HAVE I BEEN PWNED” makes this look like law enforcement selling cures to problems they create. The owner has that CIA front company type CV. It makes my head shudder uncontrollably. 🐙🌕🤕