being starved of money for years by advertisers, payment providers, and service providers
Given the language in this announcement that lays blame at everyone else's feet except the people responsible for maintaining the platform, I'm pretty sure that no lessons were learned, and that the security is not likely to improve beyond whatever bandaids that were needed to address this hack.
Even when talking about themselves in the article they mostly focus on some hardware server business.
In software outdated dependencies are vulnerabilities. The tech leadership knew this tradeoff and closed their eyes and hoped they'd get to it before someone else did. They did not and you shouldn't expect to be able to either.
If you do not have the resources to support the continual, ongoing updating of a dep, you do not the resources to add said dep.
Get real. Companies with infinitely more money, staff, and robust security practices are hacked every day. The only difference is they put out a vague generic corpospeak statement whereas this one admitted it was caused by a skeleton crew on a shoestring budget getting caught out. Given the nature of their user base and how many others would love to see 4chan go down, if things were as bad as you imply then hackers would be taking the site down weekly.
I have never heard of a bank’s core mainframes being hacked in the last decade (outside of pen tests), even for mid size banks outside the global top 100.
How likely is it that the attacker, who now has all of their source code, has already identified several additional vulnerabilities they can use? Seems pretty likely to me.
I don't think advertisers, payment providers, service providers, or hardware vendors told 4chan what version of OpenBSD to run or how often to update packages. Those are tasks that require time and effort, yes, but they're not herculean. They could have been done. I think laziness and disinterest are the more likely reasons.
Does 4chan contain anything worth checking nowadays?
I remember visiting the site as a teenager to check rage comics, and even for the abrasion of the internet of the time it was too shocking for anything beyond an occasional look - random gore, pictures of underage girls, racist tirades and the like.
I know some people enjoy that Wild West, lack of rules environment for some reason, but is there any content that’s worth it for those who don’t?
I think it’s kind of funny but also entirely unsurprising that 4chan’s post about getting hacked is one of the most honest posts about this topic I’ve seen.
I agree. It is interesting how much they focus the hardware servers in the article.
I'd be more interested knowing which package was vulnerable?, was it a known exploit?, and what systems were/are in place to alert on vulnerable dependencies?. Instead they are focused on the new servers just taking too long and not enough money because of advertiser pressures.
They do mention their OS being out of date. One possible interpretation is they are using packages provided by a Linux distro, and getting up to date may have required a full OS update.
If that's were case, it would be easy to see how they might want to tie their OS upgrade to a hardware refresh rather than taking servers offline for a reinstall.
>One slow but much beloved board, /f/ - Flash, will not be returning however, as there is no realistic way to prevent similar exploits using .swf files.
Wow, this is a pretty incredible level of incompetence. Server-side SWF exploits are easily mitigated, unless they are using some sort of server-side SWF interpreter, which is absolutely not needed if you implement client-side Ruffle (or just require people to install the browser extension).
They can complain all they want that advertisers and payment processors refuse to work with them, but it's clear that no competent engineers want to work with them either if they're saying stuff like this.
It seems that you're thinking about the SWF content in terms of playback, which is not what they were doing. They were looking inside the bundles for ZIP files and malware (4chan users to shove horrible things into the files they upload), and extracting metadata from the SWF. We'll never know the exact details unless they share the source code. It is possible to write a secure SWF parser, but I think they decided to stop supporting this relic instead.
Absolutely not. Free speech exists just fine on the Internet, evidenced by the fact that a site like 4chan is capable of existing in the first place. We don't have to financially support repulsive communities just to protect their ability to exist.
If 4chan were taken down by government action, I might be inclined to speak up for them in some capacity, as I don't consider that anything 4chan is currently doing illegal, but that's not the situation here. If 4chan dies because it's a poorly-managed shithole with no allies, then we can and should let it die, and rest easy knowing that it wasn't censored, it collapsed under it's own debt.
As a long time ACLU financial supporter, I could not disagree more. 4chan is not and never was a bastion of free speech. Comparing 4chan to the ACLU is like comparing a toddler smearing shit on a wall to art. To practice free speech requires an intent to express a point of view. 4chan had to point of view and was just a shithole.
There will always be places devoid of normies, thankfully. They exist in every platform, new and old. Knowledge of dog whistles will be necessary though…
I think it’s moreso that when a normal person enters 4chan they either decide to get out while they still can or stay and become whatever the opposite of a “normie” is.
Wouldn’t say the latter sounds like it would be worth it at all though.
Keeping a website that has openly catered to pedophiles and nazis online is hardly "good news", unless you are a pedophile or a nazi.
It won't matter for long though. The userbase has had its trust shattered, and this blogpost makes it clear that 4chan has no ability to defend itself from future attacks, which are absolutely coming.
Imaging dedicating hundreds or thousands of unpaid hours of your life to protect and preserve what amounts to a truck stop toilet. What a total fucking waste.
They should, in fact, give up and use the time for literally anything else.
being starved of money for years by advertisers, payment providers, and service providers
Given the language in this announcement that lays blame at everyone else's feet except the people responsible for maintaining the platform, I'm pretty sure that no lessons were learned, and that the security is not likely to improve beyond whatever bandaids that were needed to address this hack.
Even when talking about themselves in the article they mostly focus on some hardware server business.
In software outdated dependencies are vulnerabilities. The tech leadership knew this tradeoff and closed their eyes and hoped they'd get to it before someone else did. They did not and you shouldn't expect to be able to either.
If you do not have the resources to support the continual, ongoing updating of a dep, you do not the resources to add said dep.
Get real. Companies with infinitely more money, staff, and robust security practices are hacked every day. The only difference is they put out a vague generic corpospeak statement whereas this one admitted it was caused by a skeleton crew on a shoestring budget getting caught out. Given the nature of their user base and how many others would love to see 4chan go down, if things were as bad as you imply then hackers would be taking the site down weekly.
Source?
I have never heard of a bank’s core mainframes being hacked in the last decade (outside of pen tests), even for mid size banks outside the global top 100.
1 reply →
How likely is it that the attacker, who now has all of their source code, has already identified several additional vulnerabilities they can use? Seems pretty likely to me.
I don't think advertisers, payment providers, service providers, or hardware vendors told 4chan what version of OpenBSD to run or how often to update packages. Those are tasks that require time and effort, yes, but they're not herculean. They could have been done. I think laziness and disinterest are the more likely reasons.
So…it sounds like typical 4chan?
"We are still standing..." with our pants around our ankles, running around headless, seamless, breathless, brainless.
"I'm pretty sure that no lessons were learned." I would bet that was the case.
Does 4chan contain anything worth checking nowadays?
I remember visiting the site as a teenager to check rage comics, and even for the abrasion of the internet of the time it was too shocking for anything beyond an occasional look - random gore, pictures of underage girls, racist tirades and the like.
I know some people enjoy that Wild West, lack of rules environment for some reason, but is there any content that’s worth it for those who don’t?
[dead]
I think it’s kind of funny but also entirely unsurprising that 4chan’s post about getting hacked is one of the most honest posts about this topic I’ve seen.
they were clearly focused on purchasing hardware over writing secure code
I agree. It is interesting how much they focus the hardware servers in the article.
I'd be more interested knowing which package was vulnerable?, was it a known exploit?, and what systems were/are in place to alert on vulnerable dependencies?. Instead they are focused on the new servers just taking too long and not enough money because of advertiser pressures.
They do mention their OS being out of date. One possible interpretation is they are using packages provided by a Linux distro, and getting up to date may have required a full OS update.
If that's were case, it would be easy to see how they might want to tie their OS upgrade to a hardware refresh rather than taking servers offline for a reinstall.
According to a Firebase video [0], the outdated and exploited package was called GhostScript.
[0] https://youtu.be/XNratwOrSiY?si=dxfD8Y7-wfOi0XcJ
1 reply →
Probably didn't even need to change their code, just get on current versions.
>One slow but much beloved board, /f/ - Flash, will not be returning however, as there is no realistic way to prevent similar exploits using .swf files.
Wow, this is a pretty incredible level of incompetence. Server-side SWF exploits are easily mitigated, unless they are using some sort of server-side SWF interpreter, which is absolutely not needed if you implement client-side Ruffle (or just require people to install the browser extension).
They can complain all they want that advertisers and payment processors refuse to work with them, but it's clear that no competent engineers want to work with them either if they're saying stuff like this.
It seems that you're thinking about the SWF content in terms of playback, which is not what they were doing. They were looking inside the bundles for ZIP files and malware (4chan users to shove horrible things into the files they upload), and extracting metadata from the SWF. We'll never know the exact details unless they share the source code. It is possible to write a secure SWF parser, but I think they decided to stop supporting this relic instead.
> Ruffle
Yes, they used that. Take a look at the board.
You can always volunteer to help "the incompetents".
I wonder if 4chan would benefit from open sourcing their website. Reddit used to be this way. Outsource the dev work to the open web.
Hopefully, not for long.
Curious as to the basis for animus.
4chan is controversial and often very ugly, but it is one of the few old school message boards that allows free speech left.
Like the ACLU used to do, we should help them stay online and exercising their free speech, even if it is annoying and gross.
Absolutely not. Free speech exists just fine on the Internet, evidenced by the fact that a site like 4chan is capable of existing in the first place. We don't have to financially support repulsive communities just to protect their ability to exist.
If 4chan were taken down by government action, I might be inclined to speak up for them in some capacity, as I don't consider that anything 4chan is currently doing illegal, but that's not the situation here. If 4chan dies because it's a poorly-managed shithole with no allies, then we can and should let it die, and rest easy knowing that it wasn't censored, it collapsed under it's own debt.
As a long time ACLU financial supporter, I could not disagree more. 4chan is not and never was a bastion of free speech. Comparing 4chan to the ACLU is like comparing a toddler smearing shit on a wall to art. To practice free speech requires an intent to express a point of view. 4chan had to point of view and was just a shithole.
> To practice free speech requires an intent to express a point of view
Excellent, now we can ban speech we don’t like by just saying it doesn’t actually express a point of view
7 replies →
One of the pillars of the old, non-infested-by-normies Internet, still stands. Good news.
I remember when that site came about. It was a shithole then, and it's even worse of a shithole now.
Yeah, it's never really been a place I'm interested frequenting but I'm also oddly pleased that we live in a world where it can still exist.
There will always be places devoid of normies, thankfully. They exist in every platform, new and old. Knowledge of dog whistles will be necessary though…
lol.
I think it’s moreso that when a normal person enters 4chan they either decide to get out while they still can or stay and become whatever the opposite of a “normie” is.
Wouldn’t say the latter sounds like it would be worth it at all though.
Keeping a website that has openly catered to pedophiles and nazis online is hardly "good news", unless you are a pedophile or a nazi.
It won't matter for long though. The userbase has had its trust shattered, and this blogpost makes it clear that 4chan has no ability to defend itself from future attacks, which are absolutely coming.
[flagged]
Since when has 4chan had an official blog?
This is a worthwhile read. Don't trust user input and try your damnest not to feed it into third party components. If you do, keep them up to date.
Imaging dedicating hundreds or thousands of unpaid hours of your life to protect and preserve what amounts to a truck stop toilet. What a total fucking waste.
They should, in fact, give up and use the time for literally anything else.
Wonder what they were feeding that pdf into. Ghostscript perhaps?
[dead]