Cryptome Accidentally Leaks Its Own Visitor IP Addresses (dailydot.com)
An anonymous reader writes with this Daily Dot story about an accidental leak of user info from Cryptome. Cryptome, the Internet's oldest document-exposure site, inadvertently leaked months worth of its own IP logs and other server information, potentially exposing details about its privacy-conscious users. The data, which specifically came from the Cartome sub-directory on Cryptome.org, according to Cryptome co-creator John Young, made their way into the wild when the site logs were included on a pair of USB sticks sent out to a supporter.
Surely, you can't be serious... (Score:2)
Re: (Score:3)
I always assume I am always logged by some alphabet agency and added to some bad-list for checking out the very cool stuff at cryptome.org throughout the years...
Good luck TLA, I'm behind SEVEN PROXIES whenever I access Cryptome.
Re: (Score:1)
Seven proxies might slow down the FBI or the Secret Service. The NSA can't even tell the difference: they automate that shit and pipe it straight in to their TIA farm.
Re:Surely, you can't be serious... (Score:5, Interesting)
It makes me wonder why a site so concerned about Internet privacy is keeping logs in the first place.
Re: (Score:1)
Given that they are premised on exposing secrets why would you conclude that they're interested in your privacy? That seems a strange assumption to make.
Why do they even store IP addresses? (Score:5, Insightful)
Why does an anonymous leak site even store identifying information? Isn't the best defense to never even keep the data?
Re: (Score:1)
Why does an anonymous leak site even store identifying information? Isn't the best defense to never even keep the data?
Absolutely! And on top of it, why would these logs ever get anywhere "close" to the outside world--to just a supporter?
Re: (Score:1)
John Young is a good man who has been doing good things for Americans for a long time. He's never been the most computer-savvy person, though (and maybe his age is interfering with his judgment). It would appear in this case that he kept logs in order to parse them with awstats, gathering his own intelligence on who his visitors were. Frankly, I'd do similar if I were running such a site. Unfortunately he had the awstats installation within the document root of cartome and he neglected to sanitize the logs
Re: (Score:1)
John Young says since 2013, blames ISP
As long as the world is turning and spinning, (Score:2)
Why log (Score:1)
WTF!? Why would a privacy conscious website even keep logs? DuckDuckGo for example doesn't keep logs so that privacy can actually be maintained.
Re:Why log (Score:4, Insightful)
Honest question from my ignorance: how can you be sure they don't keep logs? Did they make pinky promises?
Re: (Score:1)
Yes, yes they did.
I wonder if they have to install monitor recording software in response to a warrant or security letter. Can they be forced to?
"dedicated to revealing secrets" privacy consciou? (Score:3)
I see that the site is dedicated to spreading information that some people would prefer to keep private. They publicize things that they think should not be private, "violate the privacy" of those whom they think should have their information revealed and publicized (rightly or wrongly).
So in some sense, it's an anti-privacy site, for better or worse. I don't immediately see any indication that the operator is "privacy conscious". Do you? Or is it more like "I think he -should- be privacy consc
Sigh (Score:2)
That should be "months' worth".
goes to show (Score:5, Insightful)
the robustness of any security is based on the stupidest person
Re: (Score:2)
the robustness of any security is based on the stupidest person
Sadly, this is very, very true. :(
"Pathetic" -level security (Score:2)
Seriously, this data should not even be recorded on such a site. And if it is, it should not even be written locally and immediately exported to a machine that is specially protected and not reachable from the Internet. So that is _two_ massive screw-ups right there.
Was a time every post of yours had ur IP address (Score:3)
Up until just a few years ago (when Google claimed the Usenet) a poster's IP address was always displayed in the headers. It was no big deal.
Ha! (Score:1)
Cryptome is hosted on web.com, formerly Network Solutions, it's a shared platform with like 750k other sites on it all run wild hair PHP applications and 8 year old WP installs on a giant NFS mount. It's all horribly insecure.