[HN Gopher] A Gov.uk site dedicated to porn?
___________________________________________________________________
A Gov.uk site dedicated to porn?
Author : asadhaider
Score : 143 points
Date : 2021-11-25 17:12 UTC (5 hours ago)
(HTM) web link (thecrow.uk)
(TXT) w3m dump (thecrow.uk)
| arpa wrote:
| A great read in a tongue-in-cheek british style, a welcome change
| of pace for mind and eyes!
| [deleted]
| Firefishy wrote:
| Sub-domain takeover attack. The sub-domain was CNAME'ed to an S3
| bucket and the S3 bucket had likely been deleted. The porn
| purveyor re-created a new S3 bucket with pr0n.
|
| A scanner that would have caught the vulnerability:
| https://tech.ovoenergy.com/how-we-prevented-subdomain-takeov...
|
| Or a grey hat scanner for finding sub-domains vulnerable to
| takeover: https://github.com/m4ll0k/takeover
| qeternity wrote:
| > This site is hosted on a Raspberry Pi 4B in the author's living
| room (behind the couch).
|
| Holding up quite well despite HN frontpage. I love what a bit of
| caching can do.
|
| EDIT: appears I jinxed it. I get the allure of hosting something
| in your home, but these days when you can get a decent VPS for
| $10/yr it doesn't really make sense.
| mandis wrote:
| Indeed, I would love to get more details on what all went into
| it, and how far we can stretch such an SBC.
|
| EDIT: evidently, not far
| a012 wrote:
| Unless they host their images themselves, but a Pi could handle
| traffic very well for a static website.
| Sephiroth87 wrote:
| Sorry for the OT, but do you have any recommendation for a $10
| VPS?
| hvgk wrote:
| I'm using a Linode $5 running nginx for static here.
| iso1631 wrote:
| $5 a year?
| qeternity wrote:
| $5/mo - but there are plenty of decent VPS for $5/yr -
| the catch is they will be IPv6 only for port 80 so you
| chuck it behind Cloudflare (carrying static load as
| well).
|
| The low end world will shock anyone who has only ever
| seen AWS pricing.
| pydry wrote:
| Look on lowendbox
| [deleted]
| konart wrote:
| You can get Oracle Cloud Free for ... free.
| laurent92 wrote:
| Anything with the name "Oracle" sounds like the steps of a
| thousand lawyers entering your building...
| andrewmackrodt wrote:
| I used to browse lowendbox which occasionally has good deals
| from smaller companies who've been around for at least a few
| years but there's always a risk one day they'll sell, shut
| down operations or worse just disappear. However, if budget
| is your number one priority, you can get a year's VPS hosting
| for low double digit dollars a year.
|
| Nowadays I host personal projects on scaleway and netcup (EU
| based). I've been with the first for a couple of years and the
| second for 6 months now, good service from both.
|
| If you're mainly hosting static* or cacheable content, you
| may even get by with a raspberry pi running behind
| cloudflare's free plan with cache enabled. If you don't mind
| all traffic to your site being served by such a third party
| of course.
|
| * If you only have static content, GitHub pages can be
| considered too.
| lol768 wrote:
| Given it's timing out for me, I'm not sure I'd agree it's
| holding up quite well :P
| denton-scratch wrote:
| Thecrow.uk is timing out for me; but not the DfT site.
| Waterluvian wrote:
| Unfortunately this looks like a mistake for this context given
| it isn't loading now.
|
| Otherwise, for a well-known average traffic load suitable to a
| Pi, a Pi is a great idea.
| tazjin wrote:
| HN traffic isn't that large, maybe a few requests per second.
| jacquesm wrote:
| You're a decade behind the times. HN can be formidable in the
| amount of traffic it generates, it all depends on the content
| and the time of day though.
| WithinReason wrote:
| Spoke too soon!
| baobabKoodaa wrote:
| > I get the allure of hosting something in your home, but these
| days when you can get a decent VPS for $10/yr it doesn't really
| make sense
|
| When you're hosting static content (like presumably this
| content is; it's down so I can't say for sure), you should
| distribute it on a CDN for $0/year. A single VPS can be
| overwhelmed by traffic just as your Raspberry Pi can.
| Iolaum wrote:
| Why doesn't it make sense? After 6 months your Rpi4 will be
| costing less than the VPS. Plus you get the fun of actually
| doing it.
|
| P.S. Getting weird RPi errors because of power supply makes
| you appreciate the value proposition of a good VPS :p
| qeternity wrote:
| > After 6 months your Rpi4 will be costing less than the
| VPS.
|
| No, $10 per year, not per month. That means the rPi payback
| is 5-6 years, and for inferior hardware and bandwidth.
| qeternity wrote:
| BuyVM, RamNode, FDC, Virmach (probably in that order).
| killingtime74 wrote:
| Only if power is free
| qeternity wrote:
| Properly cached, a single core on a low end VPS should be
| able to carry some serious weight.
|
| But yeah, I agree. This is static content, and should be
| hosted on any of the gazillion free tier CDNs. But then you
| don't get that warm fuzzy feeling of watching the rPi behind
| your couch melt into the floor.
| tentacleuno wrote:
| > Visit [redacted], and you'll be redirected to a subdomain for
| EU exit hauliers - except the site isn't there. Instead it's a
| WordPress login page. There's no username field and we feel
| confident that a brute force attack would be super effective!
|
| > Elsewhere we have the Department for Transport careers page,
| which sort of does what it says. Clicking on the 'see all
| vacancies' button will redirect you to the civil service jobs
| site. This isn't weird in itself, what is weird is that it uses
| t.co - Twitter's redirection and domain obscuring tool to do it.
| Don't ask us why, we have no idea why they would do this.
|
| This sounds like someone inexperienced with the system is somehow
| managing it. How can you use a t.co link for... this? I'm
| surprised this edit got past anyone.
|
| EDIT: Redacted the link just to be on the safe side. It's in the
| article if anyone's curious.
| pxeger1 wrote:
| In fact, it's a t.co link that redirects to a bit.ly link that
| redirects to the actual site!
| londons_explore wrote:
| This is probably just someone who copied the link from
| twitter straight into the governments content management
| system.
|
| The content on this page isn't written by tech people - it's
| written by policy experts and other civil servants whose
| expertise isn't exactly how URLs work...
| wutbrodo wrote:
| > The content on this page isn't written by tech people -
| it's written by policy experts and other civil servants
| whose expertise isn't exactly how URLs work...
|
| It doesn't just take a lack of expertise: it takes an extra
| level of apathy about the quality of your work and general
| incuriousness about the world. They can see the URL they're
| pasting, and the majority of web users have some intuitive
| sense of the difference between domains: they are, after
| all, human-readable.
|
| I can imagine the tail of "confused grandparent"
| stereotypes that are completely blind to the difference
| between t.co/622ahdvdj and charts.tf.uk.gov, but people
| that are that technically illiterate should be nowhere near
| computers in a professional context.
| mlaretallack wrote:
| I am now taking bets on how long it will last.
|
| 'This site is hosted on a Raspberry Pi 4B in the author's living
| room (behind the couch)'
| yannoninator wrote:
| spoke too soon!
| matbatt38 wrote:
| Longer than the porn site it's talking about at least
| chx wrote:
| The OP site is down, the porn site is up right now...
| [deleted]
| max1cc wrote:
| Hug of death! https://archive.md/tCgnL
| aj7 wrote:
| Hacker News crashed the website.
| iso1631 wrote:
| British Government Porn? That the one where we all get screwed by
| Rishi in the budget?
| BoxOfRain wrote:
| I've seen that one, it's a bit too sadomasochistic for my
| taste.
| nneonneo wrote:
| The site in question is charts.dft.gov.uk (VERY NSFW). It
| resolves to the CNAME
| charts.dft.gov.uk.s3-website-eu-west-1.amazonaws.com, which is
| quite clearly hosting a porn site of some kind.
|
| I suppose there's a few possible explanations here: (1) the
| original site was hosted on S3, and at some point the bucket was
| dropped and someone else picked it up, (2) it was originally
| hosted on S3 and the bucket got hacked, (3) someone with access
| to the DNS has decided to go rogue and point it at a somewhat-
| legit-looking but fake domain. If there are historical DNS
| records floating around it might help to narrow down what
| happened here.
| tgv wrote:
| I don't think it was #3: Amazon owns and resolves it for
| amazonaws.com. If you could hack that, you could do much more
| serious damage. I'm assuming it's #1. Bucket names are global.
| Kwpolska wrote:
| I believe scenario #3 would be as follows:
|
| 1. gov.uk's DNS server used to point charts.dft.gov.uk to
| something legitimate
| 2. Someone hacked gov.uk's DNS server, and changed this one
| specific domain to CNAME
| charts.dft.gov.uk.s3-website-eu-west-1.amazonaws.com
| 3. That same someone set up their porn thing at AWS in a bucket
| that maps to charts.dft.gov.uk.s3-website-eu-west-1.amazonaws.com
| tgv wrote:
| But why such a specific bucket name? Perhaps the
| perpetrator did it because he knows how the gov.uk DNS is
| maintained, but then it would be an inside job. If only the
| process were as tight and clean as in peppa pig land!
| globular-toast wrote:
| How was this discovered and do we know how long it was in this
| state?
| [deleted]
| globalise83 wrote:
| Hope Hacker News didn't set fire to the couch!
| dddavid wrote:
| Both my own site (on a Pi behind the couch) and the gov site were
| subjected to the hug of death. I've moved thecrow.uk onto a VPS
| for now and it's back up. Hurray!
| bongoman37 wrote:
| It seems to have been taken offline now. Here's the archive[1]
| link for uh.. research. Obviously, NSFW.
|
| [1]:
| https://web.archive.org/web/20211125154944/http://charts.dft...
| benbristow wrote:
| Since the site is down - https://archive.ph/tCgnL
| belval wrote:
| The title should be changed to reflect that the article is
| actually about .gov.uk domain being used for non-governmental
| websites.
| lima wrote:
| ...without permission, that is - probably a subdomain takeover,
| not a disgruntled employee.
| belval wrote:
| Right, my point was more that I clicked the link thinking
| that the UK was launching a government-owned porn website.
| osrec wrote:
| Looks like someone forgot to delete a DNS entry after
| decommissioning a server. Bad on behalf of gov.uk, however you'd
| think AWS would at least auto-delete the CNAME
| (charts.dft.gov.uk.s3-website-eu-west-1.amazonaws.com) after the
| server was released, so that it points to nothing...
| 2-718-281-828 wrote:
| american of course, russian always, japanese, chinese and thai -
| sure why not, heck, even danish or swedish ... but british or
| english - no way - not even once
| user5994461 wrote:
| For reference, it's 5 hours later now and it's still online.
| Terry_Roll wrote:
| I don't know if this is laziness and ineptitude on the govt's
| part or not. You see the design team for UK gov websites have
| been getting a lot of attention and praise for their efforts, the
| most recent being here just ten days ago on the subject of check
| boxes: https://news.ycombinator.com/item?id=29238968 .
|
| Now anyone with a rudimentary handle of the English language
| would probably have noticed the misspelling of carcasses on the
| blogpost https://designnotes.blog.gov.uk/2021/11/15/letting-
| users-tic... and Yorwba highlighted this on 17 November 2021 as
| seen in the comments. The team duly acknowledge this as seen with
| the updated image here https://designnotes.blog.gov.uk/wp-
| content/uploads/sites/53/... and the original misspelling can
| still be seen here https://designnotes.blog.gov.uk/wp-
| content/uploads/sites/53/...
|
| Anyway, it would seem their commenting system will not allow
| links to be posted to them or they choose to ignore links or
| didn't understand the comment posted when comments like
| "https://www.bing.com/search?q=plural+of+carcass" come through to
| them which is metadata for the type of filtering being employed
| on their comments section.
|
| I think it's worth looking at their design principles which can be
| seen here https://www.gov.uk/guidance/government-design-
| principles "#1 Start with user needs Service design starts with
| identifying user needs. If you don't know what the user needs
| are, you won't build the right thing. Do research, analyse data,
| talk to users. Don't make assumptions. Have empathy for users,
| and remember that what they ask for isn't always what they need."
|
| It would seem Grant Shapps, Secretary of State for Transport, is
| perhaps actually meeting the public's needs, or maybe it's what he
| thinks of the public. Are we solitary handy manipulators of parts
| of the body?
| necovek wrote:
| December 2018 snapshot refers to Department of Transport:
| https://web.archive.org/web/20181227091013/http://charts.dft....
|
| The CNAME of charts.dft.gov.uk.s3-website-eu-west-1.amazonaws.com
| still works, but the reverse DNS of that IP is simply
| s3-website-eu-west-1.amazonaws.com: I am not sure how one gains
| control of an s3-website subdomain when "abandoned" (bucket name
| only?), but someone did.
|
| So the scenario someone described below is pretty likely: DoT
| drops it, and drops AWS use of the name, but leaves the DNS
| record in. I wouldn't attribute this to anyone in the DoT.
|
| It would still require intentional action to do so, though, so I
| wonder if anyone has any clue how people find out about
| spurious, unused S3 subdomains that still have DNS pointing at
| them? Scan the entire internet for domains pointing to
| s3-website, and check AWS API to see if it's available? Or did
| someone run into this by accident and decided to poke fun at it
| while earning some cash along the way?
| mh- wrote:
| What sometimes happens is someone points a CNAME to a non-
| existent bucket. Either because they were planning ahead, or
| someone typo'd a bucket (and thus DNS) name.
|
| There are bots that scan for this. Then someone creates the
| bucket on S3 and boom, subdomain hijack.
| Datagenerator wrote:
| The most logical to me is, they registered some AWS IPv4
| address for one project. Bill didn't get paid and now
| another customer has been appointed to the same address but
| now with totally different content. DNS admins at the
| government forgot about it and here we are.
| necovek wrote:
| This is very obviously just an S3 bucket-name takeover, so
| no IP address was hijacked (the IP is the same for all S3
| eu-west-1 buckets, I am guessing).
| necovek wrote:
| That's what I suggested with
|
| >> Scan the entire internet for domains pointing to
| s3-website, and check AWS API to see if it's available?
|
| What I wonder is how do you scan all the DNS records with
| their subdomains? Unlike IPv4 address space, which is very
| decidedly finite and not-too-big, the space of all the
| subdomains is basically infinite.
|
| Other than using AXFR (zone-transfer DNS request) which is
| usually restricted, you are searching an unbounded space.
|
| I guess you don't need AWS API calls since hitting a non-
| existing bucket with HTTP will let you know:
| http://something.that.does.not.exist.s3-website-eu-
| west-1.am...
|
| IOW, how would _you_ write such a bot? :D
| toast0 wrote:
| There are size and character limits on DNS, so it's not
| infinite, although it may still be a pretty large space.
| Charts.(something well known) could have been a dictionary
| check though.
|
| AXFR makes it a lot easier though.
| necovek wrote:
| Ah, I totally forgot about the domain name (255) and
| label (63) length limits: thanks!
|
| Still, we are looking at roughly 38^255 possible options
| (a-z, 0-9, a hyphen and dot to separate labels; "roughly"
| because each label between periods can be up to 64
| characters, labels must be non-empty, and hyphens can't
| start a label).
|
| As you said, it's pretty large: compared to 2^32 of IPv4
| or even 2^128 of IPv6, this is more than (2^5)^255 =
| 2^1275 options.
| tialaramex wrote:
| > how do you scan all the DNS records with their
| subdomains?
|
| You needn't do this for stuff that would work in these
| "Hijack" situations.
|
| Your target is any link that gets visited, maybe following
| a bookmark somebody made in 2018, maybe it's linked from
| some page that was never updated, maybe it's in an email
| somebody archived. If you're phishing you have one set of
| preferences, if you're doing SEO you have different
| preferences (you want crawlers to see it but not too many
| humans).
|
| When anything follows that link, a DNS lookup happens. Most
| of the world's DNS queries and answers (not who asked, but
| what is looked up and the answer) are sold in bulk as
| "passive DNS". You buy a passive DNS feed from one of a
| handful of big suppliers, or if you're cheap you hijack
| somebody with money's feed.
|
| So, you're working from a pile like:
|
| www.google.com A 142.250.200.4
| www.bigbank.com CNAME www1.bigbank.com
| www1.bigbank.com A 10.20.30.40
| charts.dft.gov.uk CNAME charts.dft.gov.uk.s3-website-eu-west-1.amazonaws.com
|
| Obviously you can grep out all those S3 buckets and _then_
| you ask S3, hey, does charts.dft.gov.uk exist? And it says
| of course not, so you create charts.dft.gov.uk as an S3
| bucket and you win.
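Firefishy's scanner link, necovek's "how would you write such a bot?" and tialaramex's passive-DNS walk-through all describe the same check: take a pile of DNS records, keep the CNAMEs whose target is an S3 hostname, extract the bucket name, and ask S3 whether that bucket still exists. The script below is an added example written for this page; it is not code from the thread, from gov.uk, or from any tool linked above. The sample records are constructed (the first four follow the pile tialaramex sketched, the example.org entries are made up), the bucket-existence stub is a stand-in so the demo runs offline, and the live check uses the documented S3 behaviour of answering a request for a missing bucket with HTTP 404 and a NoSuchBucket error body.

```python
"""Dangling S3 CNAME finder (added example, not code from the thread).

Reads DNS records one per line, either passive-DNS style ("name TYPE target") or
zone-file style ("name TTL IN CNAME target"), keeps the CNAMEs that point at an
S3 endpoint, pulls the bucket name out of the target and asks whether that bucket
exists. A CNAME whose bucket is missing is claimable: anyone with an AWS account
can create the bucket and serve content under the original hostname.
"""
import re
import sys
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import Callable, Iterable, Iterator, List, Optional, Tuple

# S3 hostnames that embed the bucket name, e.g. bucket.s3.amazonaws.com,
# bucket.s3-<region>.amazonaws.com, bucket.s3.<region>.amazonaws.com,
# bucket.s3-website-<region>.amazonaws.com. Bucket names may contain dots, so the
# bucket group may span labels; the regex backtracks until what follows is an S3
# endpoint label followed by amazonaws.com.
S3_TARGET = re.compile(
    r"^(?P<bucket>[a-z0-9][a-z0-9.-]{1,61}[a-z0-9])\."
    r"(?P<endpoint>s3(?:-website)?(?:[.-][a-z0-9-]+)?)\.amazonaws\.com\.?$"
)


@dataclass
class Finding:
    name: str               # hostname whose CNAME points at S3
    target: str             # the CNAME target
    bucket: str             # bucket name extracted from the target
    exists: Optional[bool]  # False = missing (claimable), True = taken, None = unknown


def iter_cnames(lines: Iterable[str]) -> Iterator[Tuple[str, str]]:
    """Yield (name, target), lower-cased and without trailing dots, for each CNAME."""
    for raw in lines:
        tokens = raw.split(";", 1)[0].split()      # drop zone-file comments
        upper = [t.upper() for t in tokens]
        if "CNAME" not in upper:
            continue
        idx = upper.index("CNAME")
        if idx == 0 or idx + 1 >= len(tokens):     # malformed record
            continue
        yield tokens[0].rstrip(".").lower(), tokens[idx + 1].rstrip(".").lower()


def s3_bucket_exists(bucket: str, timeout: float = 5.0) -> Optional[bool]:
    """Live check (needs network): a missing bucket answers 404 + NoSuchBucket;
    200, 403 (AccessDenied) or a 301 region redirect all mean the name is taken.
    Plain HTTP on purpose: dotted bucket names do not match the S3 wildcard cert."""
    url = f"http://{bucket}.s3.amazonaws.com/"
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            resp.read(1024)
        return True
    except urllib.error.HTTPError as err:
        body = err.read(4096)
        return not (err.code == 404 and b"NoSuchBucket" in body)
    except (urllib.error.URLError, OSError):
        return None


def find_s3_cnames(lines: Iterable[str],
                   bucket_exists: Callable[[str], Optional[bool]] = s3_bucket_exists,
                   ) -> List[Finding]:
    """One Finding per CNAME that targets S3, with the bucket's existence filled in."""
    findings = []
    for name, target in iter_cnames(lines):
        match = S3_TARGET.match(target)
        if match is None:
            continue
        bucket = match.group("bucket")
        findings.append(Finding(name, target, bucket, bucket_exists(bucket)))
    return findings


def dangling(findings: Iterable[Finding]) -> List[str]:
    """Hostnames whose bucket is confirmed missing, i.e. takeover candidates."""
    return [f.name for f in findings if f.exists is False]


# Constructed sample in the shape of a passive-DNS dump (example.org rows are invented).
SAMPLE_PASSIVE_DNS = """\
www.google.com A 142.250.200.4
www.bigbank.com CNAME www1.bigbank.com
www1.bigbank.com A 10.20.30.40
charts.dft.gov.uk CNAME charts.dft.gov.uk.s3-website-eu-west-1.amazonaws.com
static.example.org 300 IN CNAME static-example-org.s3.amazonaws.com.  ; still in use
cdn.example.org CNAME d111111abcdef8.cloudfront.net
"""


def fake_bucket_exists(bucket: str) -> Optional[bool]:
    """Offline stand-in for s3_bucket_exists: pretends only this bucket is taken."""
    return bucket in {"static-example-org"}


if __name__ == "__main__":
    if len(sys.argv) > 1:        # live run over a file of DNS records
        with open(sys.argv[1]) as fh:
            results = find_s3_cnames(fh)
    else:                        # offline demo over the constructed sample
        results = find_s3_cnames(SAMPLE_PASSIVE_DNS.splitlines(), fake_bucket_exists)
    for f in results:
        state = {False: "DANGLING", True: "taken", None: "unknown"}[f.exists]
        print(f"{state:9} {f.name} -> {f.bucket}")
```

Run without arguments for the offline demo, or pass a file of DNS records (an AXFR dump or a passive-DNS export) to probe the buckets live. Treat "unknown" results as work to redo rather than as safe: a timeout tells you nothing about whether the bucket name is free.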
| rbanffy wrote:
| > Best of British Porn? Not Quite
|
| That's not a very fair assessment. The same way as it's difficult
| to find British dishes better than, say, minced beef and onion
| pie, it's challenging to find authentically British porn that's
| better than this government office provides its people. We should
| commend the Tory government for its dedication.
| ClumsyPilot wrote:
| "authentically British porn"
|
| That's a concept I have not pondered before.
| rbanffy wrote:
| There are things we regret not doing and things we regret
| doing.
|
| I'm sorry.
| notatoad wrote:
| Wow.
|
| I thought this was going to be about some sneaky exploit where
| they'd manage to get a gov.uk to forward links to porn or
| something. But no, it's really a whole subdomain just taken over
| by some sketchy porn site.
|
| I'm wondering if the porn site operators even know it's
| happening? Seems the most likely thing is the DfT had a site at
| that URL, hosted on AWS. And then they shut it down without
| removing the DNS record and Amazon assigned that IP to somebody
| else.
| tialaramex wrote:
| The thing where IP 10.20.30.40++ is in the DNS for
| thing.mycorp.example and later nobody cares about
| thing.mycorp.example and they give up control without removing
| the DNS entry - is why you can't get Let's Encrypt certificates
| by just running a HTTPS web server and you need either plain
| HTTP, a custom TLS server (it can also do HTTPS but it needs to
| know about ACME as well) or else DNS.
|
| Lots of bulk hosts will let you pick (or randomly be assigned)
| a shared IPv4 address like 10.20.30.40 and then - either by
| luck or often alphabetical order - your
| aaardvark.mydomain.example gets to be the "default" host which
| shouldn't exist for HTTPS but does in many popular half-arsed
| HTTPS web servers including Apache. So now web clients connect
| to 10.20.30.40, they send SNI to the bulk host's server - "I'm
| here to talk to thing.mycorp.example" and it _ignores what they
| said_ and gives them aaardvark.mydomain.example because that's
| the "default" now. And if Let's Encrypt accepted that, you
| could buy some bulk host accounts, impersonate all these
| abandoned sites and get certificates for them. So, they had to
| knock that on the head.
|
| The custom TLS server trick works by (ab)using ALPN, lazily
| made servers like Apache don't ignore ALPN at least unlike SNI,
| and so the client learns this server wasn't the one with the
| ALPN it needed to talk to after all and the certificate isn't
| issued.
|
| ++ 10.20.30.40 isn't a real public address it's just for
| example purposes here
| q3k wrote:
| > ++ 10.20.30.40 isn't a real public address it's just for
| example purposes here
|
| There's an RFC for that :)
|
| https://datatracker.ietf.org/doc/html/rfc5737
| ornornor wrote:
| They're not particularly memorable. I have already
| forgotten 2/3 just after closing the rfc.
| tialaramex wrote:
| I know, but I'd have to go look them up, so I keep using
| 10.20.30.40. But do keep badgering me, sooner or later
| it'll stick in my head.
| notatoad wrote:
| (as per the other comment, my guess is incorrect. I didn't
| actually look at the DNS. No porn site operator is going to
| accidentally pick the s3 bucket name 'charts.dft.gov.uk')
| necovek wrote:
| Btw, it would have been hilarious if the site owner had set up
| LetsEncrypt SSL certificate for the charts.dft.gov.uk domain :)
___________________________________________________________________
(page generated 2021-11-25 23:01 UTC)