[HN Gopher] Internet Archive: Security breach alert
___________________________________________________________________
Internet Archive: Security breach alert
Author : ewenjo
Score : 230 points
Date : 2024-10-09 20:54 UTC (2 hours ago)
(HTM) web link (www.theverge.com)
| ewenjo wrote:
| Just noticed the site now alerts this:
|
| > Have you ever felt like the Internet Archive runs on sticks and
| is constantly on the verge of suffering a catastrophic security
| breach? It just happened. See 31 million of you on HIBP!
| uticus wrote:
| Is it a genuine alert, or hacking artifact?
|
| Sometimes with friendly / attempt-at-humorous error messages
| it's difficult to tell
| n_i_k_h_i_l wrote:
| It's a literal window.alert()
| PLenz wrote:
| But was that code placed there by IA or by the malicious
| party?
| seanw444 wrote:
| Sounds snarky to me. I'll bet it was the malicious party.
| abracadaniel wrote:
| Verge reports someone has taken credit for an ongoing
| DDOS against IA. "An account on X called SN_Blackmeta
| said it was behind the attack and implied that another
| attack was planned for tomorrow"
| https://www.theverge.com/2024/10/9/24266419/internet-archive...
| dang wrote:
| Ok, let's switch to that link. Thanks!
|
| Submitted URL was https://archive.org/.
| jrochkind1 wrote:
| I feel like it's safe to assume the official Internet Archive
| would not write a "friendly"/attempt-at-humorous/unprofessional/confusing/delivered-by-popup message
| advertising a devastating security breach. Oh also while
| announcing that nowhere else.
|
| Obv an attacker's ability to insert a message does imply a
| breach beyond a DoS. But I am pretty confident that message
| was not from the IA.
| mendym wrote:
| I assume that if this is a bad actor, then account email/name
| will be leaked?
| mewpmewp2 wrote:
| Jokes on them... I'm already on HIBP countless times...
| jsheard wrote:
| It's all good, as long as you're not in that recent AI
| Girlfriend breach which exposed a ton of users who were
| trying to coax it into generating CSAM images.
|
| https://x.com/troyhunt/status/1843788319785939422
| mrkramer wrote:
| "I went to the site to jerk off (to an _adult_ scenario, to
| be clear) and noticed that it looked like it [the Muah.ai
| website] was put together pretty poorly," the hacker told
| 404 Media. "It's basically a handful of open-source
| projects duct-taped together. I started poking around and
| found some vulnerabilities relatively quickly. At the start
| it was mostly just curiosity but I decided to contact you
| once I saw what was in the database."
|
| What a nice guy.
| haha112 wrote:
| Damn I get the notice too
| haha112 wrote:
| I saw it too
| Nathans220 wrote:
| Strange, I just received this message when going to the
| archive.org website. I thought I might have misspelled the URL
| pityJuke wrote:
| This thread is looking like it'll be one of the first places this
| incident will be documented (seems to be on the top of Google).
|
| Already there are two new users just for this.
| ewenjo wrote:
| Yeah, I was looking around, but saw no mention of it anywhere
| until I realized it just happened.
| mendym wrote:
| i see more than 2
| meow_catrix wrote:
| Bet it's just a stored XSS alert from a poisoned cache.
| 19h00 wrote:
| They reported a DDOS attack yesterday, wonder if this is their
| alert as they manage the fallout?
| Nathans220 wrote:
| After this error: 504 Gateway Time-out. Now 503 Service Unavailable,
| "No server is available to handle this request." Not looking good
| Krasnol wrote:
| This is why humanity can't have nice things.
| EKSolutions wrote:
| It looks like someone has compromised one of their subdomains for
| Polyfill
|
| Update: Subdomain seems to be returning normal responses again
| now.
| Aachen wrote:
| You mean the IA included some JS polyfill from a subdomain and
| that's what's compromised / where the alert is coming from?
| mendym wrote:
| Yup.
|
| https://news.ycombinator.com/item?id=41792651
| EKSolutions wrote:
| Correct. The source subdomain of the popup seems to be
| hxxps[:]//polyfill[.]archive[.]org
| qnsc wrote:
| yes, "https://polyfill.archive.org/v3/polyfill.min.js?features=fet..." is the URL with the malicious code
| Shadow1337 wrote:
| It looks like it is running the service that was part of
| the supply chain attack earlier this year.
| https://github.com/polyfillpolyfill/polyfill-service/issues/...
| abracadaniel wrote:
| That was a DNS hack of polyfill.io though right? This
| looks like it was/is self hosted.
| jsheard wrote:
| The service was fine, it was the "official" hosted
| instance of the service which was compromised. IA appears
| to be running their own instance.
| __jonas wrote:
| Yeah I'm getting this exact response from the above URL
| now:
|
| https://sourcegraph.com/github.com/polyfillpolyfill/polyfill...
|
| Seems like they self hosted that service
| jrochkind1 wrote:
| That would perhaps explain how they managed to inject the JS
| alert popup, right?
| carloslfu wrote:
| "You are all cooked" vibes from that message hahaha
| mendym wrote:
| Now it shows a 'Temporarily Offline' message
| Aachen wrote:
| Should we be linking to the site that is very likely to be
| breached? Could start to host any type of malware until the
| access can be definitively revoked
| btown wrote:
| This - dang/mods is there a policy for this?
| abracadaniel wrote:
| Verge article as possible replacement:
| https://www.theverge.com/2024/10/9/24266419/internet-archive...
| Nathans220 wrote:
| Why go for the Internet Archive? Go for something else, not the
| fucking archive!
| mewpmewp2 wrote:
| We all need our easily accessible decentralized archive of some
| sort...
| nioj wrote:
| Related submission: https://news.ycombinator.com/item?id=41792614
| Wowfunhappy wrote:
| Archive.org is now down. Could anyone explain what it used to
| show?
| Mr-Hyde wrote:
| A pop-up that said,
|
| "Have you ever felt like the Internet Archive runs on sticks
| and is constantly on the verge of suffering a catastrophic
| security breach? It just happened. See 31 million of you on
| HIBP!"
| ks2048 wrote:
| I had to look it up, but I guess HIBP refers to
| https://haveibeenpwned.com/
| Aachen wrote:
| Yes. Not the hacker but as _a_ hacker, that's what HIBP
| refers to
| msephton wrote:
| I just got a Discord "breaking news" notification about this from
| a server I am in, which said it may not show on Have I Been Pwned
| as it is so new.
| tomrod wrote:
| That's a shame.
|
| We need not one but many internet archives. Just one and we will
| repeat the outcome of the Library of Alexandria.
| kiba wrote:
| The Library of Alexandria wasn't that significant and likely
| wasn't destroyed in one cataclysmic event, but rather centuries
| of neglect.
| eikenberry wrote:
| The metaphor takes precedence over the fact.
| Arnt wrote:
| If an attractive story takes precedence over fact, then we
| will repeat the story of a James Bond film. Maybe the one
| with that bikini scene, bikinis are attractive after all.
| hammock wrote:
| https://archive.today/ is another one
| jacooper wrote:
| More like the library of Baghdad.
| AdmiralAsshat wrote:
| Well this should be fun.
|
| Now I'll have to dig through my IA account and remember if I
| donated to them directly via credit card (and if they stored it),
| or if it was through PayPal.
| gaudystead wrote:
| Good point and thank you for the reminder. Time to go check my
| email archives...
| KerrAvon wrote:
| they use Stripe
| steve_taylor wrote:
| If you're a blackhat and you want to be annoying, you can
| use Stripe tokens to charge your target's customers. The
| target is the payee, so you won't make any money, but it'll
| add to the chaos.
| zelse wrote:
| HaveIbeenpwnd says it was just passwords/usernames/emails, so
| seemingly not. (My company just got an email from them about
| the breach and I confirmed I'm in there with a quick search on
| their website.)
| midnight_shaman wrote:
| I hope it will be back again soon
| pastureofplenty wrote:
| Maybe this will make Google reconsider relying on them for cached
| versions of webpages.
| joshchernoff wrote:
| What an asshole, honestly this is a good public service they
| offer.
| accrual wrote:
| Yeah, I can't understand why anyone would attack IA. The
| service is a gift to the whole internet.
| rnd0 wrote:
| Because in the main, people are vicious, blind, narcissistic
| brutes.
| marviel wrote:
| https://www.reddit.com/r/DataHoarder/comments/h02jl4/lets_sa...
|
| I found this reddit thread from /r/DataHoarder about backing up
| the internet archive particularly interesting, given the
| circumstances
| numpad0 wrote:
| 50 PB * $0.014/GB = $0.7M. $0.014/GB is from [1], bare drive
| cost without chassis, power, or redundancy.
|
| 1: https://www.backblaze.com/blog/hard-drive-cost-per-gigabyte/
| Aachen wrote:
| How long does an average hard drive last? You'd have to spend
| that 700k every that many years (plus the extra bits you
| mentioned). Quite an operation actually
| nikisweeting wrote:
| It's been tried several times, but it's hard because it's such
| a massive quantity of data. The IPFS backup never really got
| off the ground.
|
| They have their own backups which I think is good enough for
| now unless someone plans on donating a few hundred million.
| vincentpants wrote:
| Oh no! I didn't know their IPFS initiative didn't pan out.
| What happened to it? I am surprised how hard it is to google.
| I remember interviewing for a role on that team at the
| archive to help move it to filecoin. Was so happy to hear
| that the effort was underway to decentralize their datastore.
| We need this more than ever.
| pbhjpbhj wrote:
| Perhaps you can persuade Elon that it owns the libs?
| adfm wrote:
| They're hiring, if you're looking for a job.
|
| https://www.indeed.com/viewjob?jk=3bb8222ccd9a88ea
| Aachen wrote:
| > Software Engineer, Archiving & Data Services (Remote) [...]
| Preliminary duties of the role will primarily focus on
| developing Archive-It
|
| That is. Paying over 100k at the lower end of the range for 3y
| experience as software engineer
| adfm wrote:
| Not even in the 10th % for the area per
| https://www.levels.fyi/heatmap/
| jjice wrote:
| It's a non profit. You're probably not choosing to work for
| the IA for high compensation.
| Aachen wrote:
| The undertone was intended to be: that's an insane amount
| of money, something one with quadruple that amount of
| experience would _maybe_ earn in a for-profit organisation,
| but I guess your reaction further proves it's different
| where you're from
| Narhem wrote:
| Security breach, we intended to make this guy homeless so when we
| stole his ex girlfriend she wouldn't get jealous. Quickly destroy
| his career and reputation!!
| RGamma wrote:
| Let's hope it was someone dumb enough to be extraditable.
| popcalc wrote:
| No one gets extradited when the attack aligns with US interests
| abroad.
| bawolff wrote:
| What weird conspiracy is this? US interests dont involve
| taking down archive.org
| markus_zhang wrote:
| There is no US, there are just a bunch of interest groups.
| Some interest group definitely wants IA down. I wouldn't be
| surprised this is a paid attack.
| jrochkind1 wrote:
| People in other parts of the thread say it's Israel. (Which
| certainly is "aligned with US interests abroad", as the
| powerful see it anyway). I think it is ridiculous
| conspiracism, right now anything anyone doesn't like they
| think Israel is behind it.
|
| The crazy rise of conspiracism in our society in general,
| combined with Israel _really is_ doing some nasty stuff
| (but not controlling everything you don't like), combined
| with the latent antisemitism in most conspiracism.
|
| And I say this as a strong supporter of and activist on
| Palestinian rights and liberation. Free Palestine. (But
| there is no reasonable reason to think Israel is behind an
| IA hack. Or the fact that your mail came late, or anything
| else except what they're actually doing which is bad
| enough. Call your senators and tell them to vote for
| Bernie's JRD resolutions).
| LinuxBender wrote:
| Just for completeness sake and my own opinion based on my
| own witnessing of history, every political party of every
| government of every country would love to see all the
| archives gone. It's easier to twist the truth if one can
| memory hole reports and make the original source go offline
| or pressure them to change their words. There will always
| be individuals that archive stories they find interesting,
| but many stories are uninteresting until people learn what
| more may have been left out at a later time as part of a
| much bigger story. That is when the archives become a
| treasure trove and big archives sites are the first that
| people turn to for the original reporting. As a generic
| example, many news sites will redact what they knew to be
| false after the vast majority saw their misinformation but
| they can't redact an archive of their twisted truth. The
| internet has made it a little harder to control a
| narrative. It was so much easier to control when it was
| just a few big newspaper publishers that owned the smaller
| ones and a few big cable companies that owned most of the
| smaller ones. They would all literally parrot the same
| lines.
|
| Curious to see if they go after archive.is next.
| msephton wrote:
| They seem to roll out the "we're being DDOS'd" every time there's
| some other thing happening.
| Mr-Hyde wrote:
| https://x.com/Sn_darkmeta/status/1844080692772401399?t=j3xDz...
|
| Annoying
| Aeolun wrote:
| What are they looking for here? Negative karma?
| navigate8310 wrote:
| Probably wants to purge incriminating documents against a
| nation state?
| ErikAugust wrote:
| "According to their twitter, they're doing it just to do it. Just
| because they can. No statement, no idea, no demands."
|
| A special place in Hell...
| smashah wrote:
| >No statement, no idea, no demands
|
| Sure.
|
| They're probably doing this because it's filled with evidence
| of war crimes to be used as evidence in the ICJ/ICC cases
| against Israel. Luckily most of the evidence gathering projects
| have backups of backups.
| Mr-Hyde wrote:
| 100%. https://x.com/Sn_darkmeta/status/1844080692772401399?t=j3xDz...
|
| This Twitter account is suspicious and odd. I don't think
| anyone doing this is stupid enough to actually believe that
| they're doing it to "help Palestine." Seems like a job by
| Israel or supporting countries pretending to be supporters of
| Palestine.
| portaouflop wrote:
| What is the connection? I don't understand how this would
| help either Israel or Palestine?
| odo1242 wrote:
| We have no idea, that's just what they said
| philwelch wrote:
| We have an entire generation of activists who have
| somehow been programmed into believing that disruptive,
| moronic, antisocial acts of "protest" are a way to effect
| change, whether it's vandalizing historic artwork or
| blockading a freeway. And the Internet Archive is even a
| museum of sorts, so you can see how the rationale would
| track.
| navigate8310 wrote:
| Are you suggesting something similar along the lines of
| murdering your own citizens and showcasing them as victims?
| Something akin to 9/11 being an inside job?
| bawolff wrote:
| Is there any reason to think this? (Honestly asking). It
| seems like quite a stretch to me unless there is some reason
| to connect the two.
| Aachen wrote:
| That's a strange thing to read on Hacker news. Isn't that
| description the definition of hack value? As in
| http://www.catb.org/jargon/html/H/hack-value.html
|
| Now, it depends what the "it" is referring to here, but so far
| all I've heard is about an alert() message saying the usernames
| will be sent to a breach alerting site. If they're doing it
| just for the heck of it, it's still costing a lot of people a
| lot of time that they could have spent doing better things, but
| I'd reserve special places in hell for the people who _do_ plan
| this out carefully and make malicious demands
| jonahx wrote:
| There is a big difference between doing something for pure
| curiosity, love, or exploration and doing something directly
| harmful to other people for the same reasons. One is art; the
| other is sadism.
| Aachen wrote:
| I'm not sure that placing free long distance calls isn't
| harmful to the org whose infrastructure you're using for
| your own benefit, but 2600 (Hz) is a respected hacker
| magazine and phreaking and Cap'n crunch whistles are seen
| as cool
|
| Hacking the Internet Archive and only placing an alert with
| a provocative message, I could see my teenage self do that.
| My judgment of the character is going to depend on what it
| turns out they've actually done
|
| Of course, my grown up self (or late teen also, as I've
| done responsible disclosures back then as well) would
| rather have seen them do a coordinated vulnerability
| disclosure, but alas, I just meant to remark upon the
| "special place in hell" for not having a plan or motive bit
|
| *Edit:* wait, I just saw in the article (I opened the
| thread before the link was changed) that this quote refers
| to a DDoS, not the alert() message that the thread was
| initially about
|
| > the site was experiencing a DDoS attack, posting on
| Mastodon that "According to their twitter, they're doing it
| just to do it.
|
| That's indeed just destructive and not related to (hacker)
| curiosity...
| jonahx wrote:
| There's a spectrum and case by case judgement. I'd agree
| your examples are harmless even if technically they harm
| the phone company. Taking down the internet archive just
| for the hell of it has a distinctly less "cool" or "fun"
| flavor, to my eye.
| snvzz wrote:
| Doing the internet equivalent of burning the largest
| library in the world is not exactly a good person's
| behavior.
| mlyle wrote:
| > I'm not sure that placing free long distance calls
| isn't harmful to the org whose infrastructure you're
| using for your own benefit,
|
| If there's a call you wouldn't make unless it was free,
| the infrastructure isn't at capacity, and you're not
| acting otherwise in a detrimental fashion to other users
| of the infrastructure-- there's no harm to that
| organization.
| Aachen wrote:
| Certainly a fair point, but it also costs a lot of
| person-hours to patch up that infrastructure's security
| and trace who's placing the calls when one could just
| choose not to do this fraud in the first place. I am not
| old enough to know whether carriers also charged each
| other back then, but at least nowadays it could also
| incur charges for the originating party; costs which the
| caller isn't covering
|
| Toying with the system, learning how it works and finding
| what you can make it do, there's a certain art to it and
| I'd encourage anyone to _at least_ tinker with the
| systems they own (and everything else within reason and
| ethics), but there's two sides to nearly everything
| LastTrain wrote:
| We have lost the ability to meaningfully compare the
| magnitude of things.
| lolinder wrote:
| Is it better to deface a website for ransom or to support a
| scam than it is to deface a website because you're bored?
|
| The action is reprehensible either way, but if this is
| truly just an old-fashioned Anonymous attack with no
| ulterior motive beyond just being bad that's honestly kind
| of refreshing.
| hexage1814 wrote:
| >No statement, no idea, no demands. A special place in Hell...
|
| I mean... would it be better if the hackers had asked for money
| or did it to protest global warming or something?
| kibwen wrote:
| "Say what you will about the tenets of National Socialism,
| but at least it's an _ethos_."
| xproot wrote:
| I don't know who this is but a lot of people are linking them:
| https://x.com/Sn_darkmeta/status/1844080692772401399
|
| DDoSed Archive because "the archive belongs to the USA, and as we
| all know, this horrendous and hypocritical government supports
| the genocide that is being carried out by the terrorist state of
| "Israel"."
| Mr-Hyde wrote:
| Which is bullshit. This is someone who supports Israel trying
| to make Palestine supporters look bad and/or trying to get rid
| of the evidence of Israel's crimes that exist on IA
| anigbrowl wrote:
| They have a Telegram channel and there's some blurb about it
| being pushback on US support of Israel, but it reads as bullshit.
| Probably a script kiddie.
| n3uman wrote:
| https://blog.archive.org/2021/02/04/thank-you-ubuntu-and-lin...
| "The Internet Archive is wholly dependent on Ubuntu and the Linux
| communities that create a reliable, free (as in beer), free (as
| in speech), rapidly evolving operating system. It is hard to
| overestimate how important that is to creating services such as
| the Internet Archive." Maybe CUPS?
| bawolff wrote:
| Reporting on security issues is always so terrible. Is it a data
| breach or is it a DDoS? (Or both). Those are opposite things. One
| is trying to release secret information one is trying to make the
| site inaccessible.
| Aachen wrote:
| That's like complaining the reporting on the weather forecast
| channel is so often wrong. This news broke about an hour ago
| and the IA is down, what witchcraft do you expect news media to
| practice! Nobody yet has the answers you're looking for, give
| it some time and log files will be audited and the reporting
| becomes useful :)
| bawolff wrote:
| Actually figure out what is happening, or at least say how
| confident they are in what they know.
|
| They aren't predicting the future, they are reporting on an
| ongoing event.
| Aachen wrote:
| > or at least say how confident they are in what they know
|
| This I can very much underwrite. Error bars or rough
| confidence indicators are missing far too often, also from
| sites reporting on e.g. benchmark values of hardware
| they've been testing... such professional organisations yet
| such basic omissions
| odo1242 wrote:
| It is both. They got attacked by a DDOS after the security
| breach.
| 999900000999 wrote:
| I pulled an old friend's website down from the Internet Archive.
|
| He's moved on to the next stage, but I was glad I was able to put
| his site back up.
|
| It'll be a shame if IA goes down permanently, but we need a
| decentralized solution anyway.
|
| Having a single mega organization in charge of our collective
| heritage isn't a good idea.
| gabeio wrote:
| I have always thought about this. It would be interesting to
| have users actually store small amounts of redundant info on a
| device connected to the internet. Very similarly to what a
| torrent does but with more peers (more data shards than full
| copies) and less seeds. And try and keep a huge database for
| everyone. Obviously open source and it would end up something
| like tor where they just assist the network with security
| patches but they don't actually have any real "control" (admin
| dashboard control) over the network at large. We already do
| something smaller but like that with website static file
| caching, but at much smaller scale. Obviously security
| implications of this would be very hard but maybe not
| impossible to overcome. ipfs comes close but it again does more
| seeds than peers.
|
| if anyone knows something like what I'm suggesting, I'd love to
| hear about it!
| aucisson_masque wrote:
| It's called torrent protocol and it doesn't work, no one wants
| to spend money and bandwidth hosting a god forsaken movie or
| book that only a handful of people care about.
| 0x1ch wrote:
| It does work, when you don't notice it. We need sane limits
| and permanent seeders. This is why so many regular people get
| hit with ISP notices, they don't know they've seeded Captain
| America for the last six months every time they started their
| PC.
| markus_zhang wrote:
| Wouldn't be surprised if the service was purchased by some
| publishing empires. This kind of thing usually costs some $$$.
| sirolimus wrote:
| Truly unnecessary
| steffanA wrote:
| More details here about the data breach. Stolen database contains
| 31 million records.
|
| https://www.bleepingcomputer.com/news/security/internet-arch...
| Aachen wrote:
| A few minutes ago (22:48 UTC), I got three emails from HIBP about
| accounts of mine breached on the Internet Archive. Troy is quick!
| And I'm surprised the author of that alert() actually had the
| data as well as followed through
___________________________________________________________________
(page generated 2024-10-09 23:00 UTC)