People with solid info sec knowledge: this is a good opportunity to offer your expertise pro-bono for a good cause!
The Library of Congress should be archiving the Internet and it should have the budget required to do so.
This is in line with its mission as the "Library of Congress". Being able to have an accurate record of what was on the Internet at a specific point in time would be helpful when discussing legislation or potential regulation involving the internet.
We need archives built on decentralized storage. Don't get me wrong, I really like and support the work Internet Archive is doing, but preserving history is too important to entrust it solely to singular entities, which means singular points of failure.
Does anyone know who is targeting the Internet Archive, and why? I get the impression the attacks are too sophisticated for it to just be vandal punks.
I don't know what their funding model looks like but if they have some cash I'd say hiring a security team would be on top of the list of things to invest in.
What kind of vandal attacks a library? We really need to find the people responsible.
I'd like to imagine a world where every lawyer, when their case is helped by a Wayback Machine snapshot of something, flips a few bucks to IA. They could afford a world-class admin team in no time flat.
I sent them a resume almost a year ago, and got nothing back in response until yesterday. Looks like they are going through their backlog right now to find more hands.
To everyone who wants a better alternative to IA, who thinks they have a different solution, who thinks it should be run by a different organization, etc.
Nobody has ever stopped a competitive alternative from existing. Feel free to give it a shot. You have a head start with all the work that they've done and shared.
Ouch. Once can happen, twice in a row...
Is it the same Zendesk email spoofing attack vector that was disclosed last week?
The Internet Archive had legal gems such as the Jamendo Album Collection, a huge CC haven. Yes, most of it under NC licenses, but for non-commercial streaming radio with podcasts, these have been invaluable.
Do you know Nanowar? They began there.
Also, as commercial music has been deliberately dumbed down for the masses (on paper, not just cheap talk), discovering Jamendo and Magnatune in the late 00s was like crossing into a parallel universe.
Somebody is trying hard to change the history of the internet.
Waiting for the trufflehog and gitguardian vendors to come up with articles and tweets on how their tools would have stopped this incident :sweatsmile:
Is there any way IA could be mirrored in read-only mode, while security concerns are addressed?
It's Matt Mullenweg trying to erase the vast records of his deranged megalomania.
Do any organizations have a mirror of this?
Even if it's not publicly available...
Honestly I'm totally on the side of the hackers in all this. The IA is the most important thing on the internet and the fact it has such bad security is absolutely inexcusable. Thank you to the hackers for bringing attention to this
How do you donate to them?
The Internet Archive has a management problem. They seem to be more comfortable disrupting libraries than managing an online, publicly accessible database of disputed, disorganized material.
Despite all of the positive self-talk, I don't know if they realize how important they are, or how easy it would be for them to find good help and advice if their management were transparent and everything was debated in public. That may have protected it to some extent; as a counterexample, Wikipedia has been extremely fragile due to its transparency and accessibility to everyone. With IA being driven by its creator's ideology, maybe that ideology should be formalized and set in stone as bylaws, and the torch passed to people openly debating how IA should be run, its operations, and what it should be taking on.
I don't mean they should be run by the random set of Confucian-style libertarian aphorisms that is running the credibility of Wikipedia into the ground, but Debian is a good model to follow. Or maybe do better than both?
Cui bono?
> "It's dispiriting to see that even after being made aware of the breach weeks ago, IA has still not done the due diligence of rotating many of the API keys that were exposed in their gitlab secrets," reads an email from the threat actor.
This is quite embarrassing. One of the first things you do when breached at this level is to rotate your keys. I seriously hope that they make some systemic changes, it seems that there were a variety of different bad security practices.
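The two practical points in the thread so far are secrets leaking through a GitLab instance and keys that were never rotated afterwards. As an added illustration (example code written for this page, not the Internet Archive's or any vendor's), the script below does the two things a responder would actually do: scan a small tree for key-shaped strings, using vendor prefixes where they exist (the `AKIA` AWS access key ID prefix, the `glpat-` GitLab personal access token prefix) and falling back to a Shannon-entropy check on long quoted tokens, then track which findings are still unrotated by a SHA-256 fingerprint so the tracking list never has to hold the secret itself. The files, paths and key values are constructed for the example; the AWS value is Amazon's documented placeholder ID, and the entropy threshold of 3.5 bits per character is an assumed tuning, not a standard.

```python
"""Minimal secret scanner plus rotation tracker (added example, not IA's code)."""
import hashlib
import math
import re
from dataclasses import dataclass

# Constructed sample tree. The key-shaped strings are fake placeholders
# (the AWS one is Amazon's documented example ID), not live credentials.
SAMPLE_FILES = {
    "config/settings.py": (
        'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"\n'
        'AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"\n'
        'PLACEHOLDER = "aaaaaaaaaaaaaaaaaaaaaaaa"\n'  # long, but low entropy
        "DEBUG = True\n"
    ),
    "deploy/.gitlab-ci.yml": (
        "variables:\n"
        '  API_TOKEN: "glpat-aBcDeFgHiJkLmNoPqRsT"\n'
        "  IMAGE: registry.example.org/archive/web:latest\n"
    ),
    "README.md": 'Run `make test` before pushing; see "docs/contributing guide".\n',
}

# Vendor-specific prefixes are far more reliable than entropy alone.
SPECIFIC_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "gitlab_pat": re.compile(r"\bglpat-[0-9A-Za-z_-]{20}\b"),
}
# Fallback: a quoted, space-free token of 20+ chars with high Shannon entropy.
GENERIC_QUOTED = re.compile(r"""["']([A-Za-z0-9/+_=-]{20,})["']""")
ENTROPY_THRESHOLD = 3.5  # bits per character; assumed tuning for base64-ish secrets


@dataclass(frozen=True)
class Finding:
    path: str
    line_no: int
    kind: str
    fingerprint: str  # sha256 prefix, so the tracker never stores the secret


def shannon_entropy(s: str) -> float:
    """Bits per character of the empirical symbol distribution of s."""
    if not s:
        return 0.0
    n = len(s)
    counts = {c: s.count(c) for c in set(s)}
    return -sum(k / n * math.log2(k / n) for k in counts.values())


def fingerprint(secret: str) -> str:
    """Stable identifier for a secret that does not reveal the secret."""
    return hashlib.sha256(secret.encode()).hexdigest()[:16]


def scan_files(files: dict[str, str]) -> list[Finding]:
    findings = []
    for path, text in files.items():
        for line_no, line in enumerate(text.splitlines(), start=1):
            matched = False
            for kind, pat in SPECIFIC_PATTERNS.items():
                for m in pat.finditer(line):
                    findings.append(Finding(path, line_no, kind, fingerprint(m.group(0))))
                    matched = True
            if matched:
                continue  # don't double-report a known-format key as generic
            for m in GENERIC_QUOTED.finditer(line):
                token = m.group(1)
                if shannon_entropy(token) >= ENTROPY_THRESHOLD:
                    findings.append(Finding(path, line_no, "generic_high_entropy", fingerprint(token)))
    return findings


def outstanding_rotations(findings, rotated_fingerprints):
    """Findings whose secret has not yet been rotated, tracked by fingerprint."""
    return [f for f in findings if f.fingerprint not in rotated_fingerprints]


if __name__ == "__main__":
    found = scan_files(SAMPLE_FILES)
    for f in found:
        print(f"{f.path}:{f.line_no} {f.kind} fp={f.fingerprint}")
    # Pretend only the GitLab token has been rotated so far.
    done = {f.fingerprint for f in found if f.kind == "gitlab_pat"}
    for f in outstanding_rotations(found, done):
        print("STILL LIVE:", f.path, f.kind)
```

Running it flags the AWS access key ID and the GitLab token by prefix, catches the AWS secret key only through the entropy fallback, and ignores the long-but-repetitive placeholder and the quoted prose in the README. The rotation list is keyed on fingerprints on purpose: the point of the exercise is to stop copying the leaked values around, and a breach tracker that contains the live secrets is just one more file to leak.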
Restating my love for Internet Archive and my plea to put a grownup in charge of the thing.
Washington Post: The organization has “industry standard” security systems, Kahle said, but he added that, until this year, the group had largely stayed out of the crosshairs of cybercriminals. Kahle said he’d opted not to prioritize additional investments in cybersecurity out of the Internet Archive’s limited budget of around $20 million to $30 million a year.
> "It's dispiriting to see that even after being made aware of the breach weeks ago, IA has still not done the due diligence of rotating many of the API keys that were exposed in their gitlab secrets," reads an email from the threat actor.
With everything that’s going on, it’s highly suspicious that this is happening right after they upset some very rich rent seekers.
A genuine question to commenters asking to "put a grownup in charge of the thing" and saying that "Kahle shouldn't be running things": he built the thing, so why exactly can't he run it the way he sees fit?
It’s incredibly sad to see threat actors attack something as altruistic as an internet library. Truly demoralizing to see such degeneracy.