Anonymous strikes again, this time with a well known web registration company with a decade of data. This is a blatant example how poor security management leads to the hardship of thousands if not millions of regular people. Now their private details have a risk of being public and fully open to scrutiny. And its not just some simple data breach they allegedly stole domain purchases and transfers, account credentials of pretty much all their clients. Unacceptable. Embarrassing. They should be held accountable for all this if it comes out to be true.
Could you share something damning instead of referring people to search, as we probably will find different information.
As far as I can tell, Epik focused on hosting and DNS management for marginalized/excluded groups on the internet, so naturally they attract a lot of groups. Not sure why that'd be bad though.
Things like this also makes me actually like the company more:
> Pharmaceutical watchdog website LegitScript reported in 2018 that they had alerted Epik to the sale of illegal drugs and counterfeit medications on websites registered by Epik, and that Epik had refused to act upon the information without a court order
That's exactly how I want my hosting company to act, and any that don't are actively fragile.
Sure, this dude sound like nuts from comments describing him here (I can’t even be bothered to look this shit up myself) and I’m glad I dodged a bullet. However, the private info of all their customers from their inception are allegedly exposed; and lots of people here seem to be cheering the hackers on.
Does this mean we need — actually, needed — to do research on the political standings of every founder, CEO, CXO of every service we use? And somehow predict they won’t do abhorrent things in the future even if they appeared harmless at the time? Otherwise we deserve it when we get doxxed for being a customer of a disgraced person?
I believe the answer is no, that’s unreasonable. These hackers are just criminals illegally doxxing a huge number of people. They don’t deserve cheers. I hope everyone of them gets arrested, which is highly unlikely.
(This is really not a direct response to your comment; not saying you were cheering them on.)
> These hackers are just criminals illegally doxxing a huge number of people. They don’t deserve cheers.
Fully agree. First and foremost the rule of law must be blind. However, spectators need not be similarly blind.
I am not cheering on the hackers. I am merely accepting the Newtonian forces at work here. I doubt that there are many (any?) Epik customers who I would consider good people (there’s simply no logical reason to host with them otherwise). That doesn’t mean they aren’t entitled to their rights, under the law.
But it does mean that I definitely don’t sympathize with them like I might someone else. Much like I wouldn’t sympathize with a drug lord who gets robbed by a rival drug lord. A crime is a crime, and the law should be applied accordingly.
Buuut I am only human. And I only have so much sympathy.
Naw there’s a ton of fine and good people using their services.
For example, I inherited a domain 12 years ago using it. At one point I tried to move to my personal host, but my personal host has bad DNS features and I couldn’t get my site configured. I was able to move it back (panicked I just went back to the service that I knew worked). And then I was stuck in a six month period where I couldn’t transfer it again. And then life happened and it’s three years later.
That might not fit into your logical conceptions of how people make choices. But I think it’s very very safe to assume that many customers are upstanding people.
> I doubt that there are many (any?) Epik customers who I would consider good people (there’s simply no logical reason to host with them otherwise)
This is an incredibly shortsighted / insular perspective. We live in a world where conservative orthodox Jews (e.g. Ben Shapiro) are called Nazi's and conservative Black folks (Larry Elder) are being called white supremacists, simply for being conservative. Likewise, progressives and other left leaning individuals that dare utter criticism of the left are met with the milder insult of being called conservative (e.g. Tim Pool, Glenn Greenwald, Bill Maher). People are deliberately shifting the overton window to a ridiculous degree and the scary thing is that they are getting away with it.
I can imagine a lot of regular conservatives worry about censorship and may find Epik to be a safer bet than, say, Google who blocks pro-life ads [1]. I can understand that maybe from your perspective (assuming you're left leaning) you are not aware of how hostile society has become to mainstream conservatism, but you should try to see things from the perspective of a regular conservative who sees prominent mainstream conservatives being slandered, lied about, and cancelled all around them.
Aside from that, Epik did have a few differentiating features like offering single purchase lifetime Domain ownership that I haven't seen elsewhere, which by itself could be sufficient motivation for people to host with them, without the necessarily knowing anything about potential controversy surrounding the business.
Remember when a guy murdered 11 people in a Pittsburgh synagogue? When it was revealed the shooter had posted about it on Gab beforehand, every service powering the social network pulled the plug. Epik was who brought them back online.[0]
The hero of hate speech is not exactly a sterling reputation to have.
I actually agree with the comment above: good speech doesn’t usually need defending…it’s almost always bad speech that does. But then again, I tend to side with free speech maximalists.
Rob Monster and crew are bad people because they actually believe this rhetoric, that’s why they defend it. They aren’t taking on a noble cause of defending free speech. They are defending speech with which they agree, and tends to be pretty shitty…that’s why they’re bad.
I don’t think they should be forced to stop, in fact I really hope the 1A is never diluted to that level. But the 1A cuts both ways: we get to sit back and talk about how awful Rob Monster is.
What makes you think Gab is any different from Facebook in this regard (referring to the platforms' role in the examples of violence in the ancestor comments)? Gab wasn't created to host illegal content, but to allow all strictly legal content. Neither Facebook nor Gab is willingly participating in anything that is published on their platform, because they are platforms, not publishers.
Eventually the cloud is going to burst and everyone’s data will be public. The motive will be similar to this one, where a huge blast radius of collateral damage is accepted in the name of harming bad people. Seeing people eagerly download this data that surely includes countless amounts of personal info of non-Nazis shows this clearly.
> Eventually the cloud is going to burst and everyone’s data will be public
Why? This was Epik being hacked not AWS or Azure. It’s just a domain registrar. And a shady one at that. Their lack of security is not indicative of the rest of the cloud.
Microsoft bundling a super-insecure root daemon in all their Linux VMs. They developed it, published it on Github, embedded it everywhere, but when it turned out to be a security nightmare blamed "open source supply chain".
Fortunately, given the purported scope of the hack, it seems we'll be able to actually quantify that. How many of the websites weren't hosting violent or extremist content? If this is real, we should be able to get an exact percentage.
I would assume given any hosting provider, that most content would not be deemed "violent" or "extremist". But of course, it depends on your interpretation.
For example, some people consider radical servers from the anarchist scene to be hosting violent/extremist material, while i personally consider governments and big corporations to be pretty violent and extremist themselves in how they ruthlessly dominate the world.
Actions and speech are not neutral. It's all a matter of (political) perspective.
> In fact, there’s no reason to use them unless you fall into the “unhostable” category elsewhere.
False. Even if your present day content is not currently censorable but you expect it will be censorable one day as cultural norms shift or speech authoritarians gain power, it is wise to put it somewhere that is censorship resistant, Epik or otherwise.
Twitter hosts violent and extremist contents. Now please give me jack Dorseys address, phone number, and social security card so we can exact justice /s
That there are people on this forum advocating for vigilantism is frightening. We are quickly approaching the point of lawlessness as a society.
There you go. Vigilantism is OK only if it doesn’t affect them. But when it does, the outrage is everywhere. To them, it seems that unauthorised access and leaking personal information even if innocents are involved is suddenly OK then?
That activity seems very extreme doesn't it over just reporting directly to the authorities.
This is best left to the authorities to deal with such issues rather than resorting to such extreme and illegal activities, no matter the cost or innocents affected.
well, we do have u.s. state governments putting vigilantism into law, and making sure the victims of this vigilantism pay the legal bills of the vigilantes, so at this point, i’m not sure we can clutch our pearls over something which after all these years has become routine (i.e., leaks)
- Register.com is an annoying cesspool of value-add upsells and is extremely expensive in the process, with added cost to not have your personal info attached directly to your domain whois.
- GoDaddy, other than the creepy ads, has shown plenty of willingness to remove domains hosting content that they don't like, even if it's legal.
- I think Google is a registrar, but I'm not at all comfortable with how easy it might be to move my domain out of their grasp if I care to host my content somewhere else. I'm sure it's possible, I'm sure it has weird issues, and I'm certain there's zero support to talk to.
- Epik has, at least as far as I can tell, a reputation for simply hosting domain registrations, not asking questions, and ignoring just about every request for information.
Of those options, I'm fine with the last. I tend pretty hard towards the "free speech" side of the spectrum, and a registrar that will ignore anything short of a legitimate legal request from the authorities of the nation(s) they operate in is perfectly fine with me. Even if they host domains I consider distasteful, I'd rather support that than someone who will bow to public outrage and go snooping around domains looking for reasons to remove their registration (GoDaddy and Arfcom come to mind here).
There are probably other options, but those are the ones I know of, and why I'm intending to register future domains with Epik. I don't particularly care if a founder of a service is a scumbag in their personal life, as long as they reliably do what they promise to do.
Epik "ended its relationship" with The Daily Stormer because of content hosted on the site and the "entanglement" (meaning PR issues). If you're not ok with that, then I don't think Epik is what you're looking for. If you are ok with it, then you can accept service providers disassociating themselves with "distasteful" clients, it's just a matter of exactly how distasteful they have to be.
If the only ethical way to engage with modern consumer tech is to do a full analysis of the positives and negatives of every aspect of it (which is a position I think has some merit), then the only reasonable conclusion is to simply avoid all of it, because it's all corrupted, at some point or some level, by something someone will find distasteful or worse.
I honestly haven't delved deeply into the list of domains each registrar has removed, decided if I agree or disagree with it, sat down to evaluate the severity of each violation, etc. And I fundamentally don't want to, either.
If you've got a better domain registrar suggestion that isn't full on "bulletproof hosting Bitcoin only" stuff ending in .ru, I'm open to it, but... otherwise, at the end of the day, my goal is to register a domain.
Though, don't get me wrong, I'm seriously considering ending my entire involvement in modern consumer tech and going back to a 1900s tech level once I retire...
I had an extremely bad experience with Namecheap with an extremely high value domain (5 letters, dictionary word.) They had a fault on their backend and dropped my domain where it got picked up by a parking service. This happened despite me having paid in advance on time for over a decade.
After weeks of going back and forth with Namecheap management I contacted an attorney. Some research hours later we find out Namecheap has absolutely 0 western presence other than some extremely low value holdings companies. In the event you have an issue with Namecheap you would need to go through the Ukrainian court system which isn’t feasible for westerners. I had to write off a domain with a 5 figure valuation due to their incompetence.
High value domains use Mark Monitor. It is their entire businesss and most importantly they’re US based.
I'm not familiar with this particular case and I'm sorry that you had a bad experience but most of you what have said here is incorrect and frankly absurd. We're a US-based company and most of our executives and owners are US/UK citizens. After over a decade with the company, I've never seen a domain "drop" because of a "backend fault." There are certainly quirky edge cases with obscure registries where bugs can occur but if we're talking a major TLD then it is highly unlikely. Feel free to email me if you want me to dig into it though: ted [at] namecheap.com.
This is what I was told by an attorney. That in (the attorney) doing an asset check they revealed that NameCheap simply has a virtual office in a Regus office space with little to no US assets. Further, that even if we went through the struggle of getting a judgement against NameCheap's US entity that getting cash out might be impossible. If anyone reading this wants to verify you can look at Namecheap's site where they list their US address as "4600 E Washington St". If anyone has ever interfaced with any staff at Namecheap it's very clear that 100% of the support and middle management is located in the Ukraine. Just because you have some executives living in the US with a virtual office somewhere doesn't make you a US organization.
I've been all up and down the contact chain with Namecheap and quite frankly every time I make a stink about it in a public forum it's always the same playbook. "Yes a mistake was made, no we can't compensate you." Here is the reply from your support where you admit a fundamental systems flaw resulted in my domain being dropped:
"My name is Oksana and I am the Shift Leader of Domains Department.
I would like to follow-up with you with regard to the issue you have faced with your domain name.
We are very sorry that such unpleasant situation happened. We have reported it to our Technical team and they are doing their best to fix the issue that affected your domain renewal so that similar situations would not occur again. While we cannot change what has happened, we are planning to take steps to ensure that similar incidents and misunderstandings will not occur in the future. Unfortunately, we do not have any ETA on the fix implementation.
Rest assured that as soon as there are any updates on this improvement, we will inform you via the ticket.
Regretfully, we will not be able to recover your domain name, as it expired and later was re-registered by another Registrant.
As a compensation for this negative experience you have faced, we can offer you the XXXX coupon code. You can use it to receive a 20% discount for registration, renewal, and transfer of domains."
To add some circumstantial evidence, Namecheap currently has 52 job openings, of which 47 are in Ukraine, 1 each are in Portugal and India, and 3 are remote: https://www.namecheap.com/careers/openings/
I was simply saying it is incorrect to say that we are not a US-based company. We have a large support team in Europe but we were founded in the US and remain a US entity. We have always been a distributed company with remote teams all around the world. It is indeed absurd that their attorney suggested that they would have to through the "Ukraine court system."
Many domain registries allow you to send domains directly to the pending delete status (or drop them entirely.) It's how domain tasting used to work about 10 years ago before ICANN/Verisign changed up the rules.
> Epik has, at least as far as I can tell, a reputation for simply hosting domain registrations, not asking questions, and ignoring just about every request for information.
Actually they revealed a few months ago that if you aren't politically aligned with them at nearlyfreespeech.net, they treat you differently as a customer.
They will "*not* lift one finger to help you [host your site here]" (emphasis theirs)
If you are not politically to their taste, they will look for a reason to kick you off as opposed to their other customers, "we *will* kick you off the instant you give us a reason".
In that same post, they revealed they will cooperate with police requests without any court documents or warrants being provided, putting them in the 'fragile' class of hosting providers.
Not sure of either of their policies, but I usually buy my domains from Dynadot then transfer the eligible ones to CloudFlare after the first year. Both are cheap, and I'm pretty sure CloudFlare tends to not divulge much information.
All my ICANN addresses are fake though so that's never been a concern for me.
They also have a reputation for securing your important PII behind unsalted md5 password lookups. Im not sure about the rest of their security, but if they screw up something as basic as storing passwords it does not imply good things about the rest of their infosec.
If you are concerned about getting your name off google because their systems are wierd, why wouldn't you be concerned with someone just stealing your domain from the insecure site by (e.g.) just logging in as you and initiating the transfer?
I moved quite a few of my domains from GoDaddy to Epik because of a) the pricing and b) the option of having "forever" domains, or at least very long term registrations as a potential choice.
...but that decision was made without knowing much about Epik. Ignoring the fact that they've potentially shielded some, uh, unsavory individuals (doxers, DDoSers, etc), the absolute stupidity in the design of their system, insecurity, and the fact that it looks now that Rob Monster tried to negotiate with the hackers to not release unhashed CC#s assuming they'd be happy with him removing the people they wanted removed...
Yeah, no. I'm moving my domains at this point. I don't want to be associated with that anymore than I already am at this point. The system "security" itself was bad enough, but having a CEO try to negotiate with the attackers? This is almost funny if it weren't so idiotic.
Maybe take a look at Gandi. GoDaddy has always been a terrible registrar. People used to recommend Namecheap because of that, but I think namecheap has limits on the length of certain records (which may be annoying for dkim).
In general there are a dozen registrars that are better than GoDaddy or Google without having to choose a right wing nutjob with bad security.
I've quite literally never heard of them, and wouldn't click that link if it came across an email... :/
Also...
> When you purchase a domain name through Njalla, we own it for you. However, the agreement between us grants you full usage rights to the domain. Whenever you want to, you can transfer the ownership to yourself or some other party.
Njalla is Peter Sunde's project. It's a very high credential, the only possible better thing would be if Edward Snowden ran a registrar.
The ownership is a hack to workaround for some legal issues (e.g. for .es domains you're not allowed WHOIS privacy). Although post-GDPR most whois servers dramatically restricted public access, so maybe it's less important now.
Sunde gives it some credibility, but still the idea that you're not the real owner of a domain is horrible. It seems only useful for domains you believe never to get a large audience.
Google Domains incorrectly banned me. I filed an appeal showing how I was indeed authorized to perform the actions I had performed, that I was not in violation of their Terms of Use, and included the contact information of the various parties that Google could contact in order to confirm my claims. None of these individuals were contacted and my appeal was rejected with their standard "unfortunately kindly go fuck yourself" message.
When they banned me, I simply lost access to the entire domains.google.com page. As such, I was unable to transfer any of my domains out. The only thing I could do was let them lapse, wait for them to become available to the general public again, and re-buy them on a different registrar.
Their UI works great, most of the time, but I would not recommend Google Domains to anybody, ever, under any circumstances.
It's really not as exciting as all that. As a regular user, I suspect you're unlikely to have an experience like mine.
As part of my job, I perform (authorized) phishing simulations for employees of my employer. Typically this involves registering domains that look like my employer's domain (with permission), or domains that look like those of our vendors (again, with permission). I suspect one too many people clicked Gmail's "report phishing" button and their automated system took it from there. So I wasn't at all surprised that the account eventually got suspended, but I was surprised that my appeal was rejected, and closed with zero investigation. Perhaps I shouldn't have been.
Thankfully the only domains I lost were domains used for that purpose. At the time, I did use Google Domains for my personal domains as well, but thankfully I had those associated with my personal Gmail address and not my work account so I could still control them. Needless to say, though, I moved them off onto another registrar immediately.
The experience has also led me to slowly move off of Google products as a whole, with the notable current exceptions of Android and Google Fi.
--
* before the inevitable "phishing is a violation of their terms of service", it actually isn't. The related section forbids use that violates any laws or regulations, and lists phishing as an example. Authorized phishing simulations do not violate any laws or regulations. Unfortunately, Google failed to follow up with any of the individuals or evidence showing that it was authorized, and just rejected the appeal.
I posted the story on a sibling comment. It's not as exciting as all that.
Overall it was a net positive experience, really. It led me to perform a personal Disaster Recovery exercise where I modeled losing my Google account, which was very interesting and informed a significant shift in my online behavior. If it ever happens, it'll be a bother, but not much more than that.
I receive email on my domain, which means that it is the root of all of my security. If you steal my domain or tweak my DNS, you can get my email, and you can reset my passwords.
I have some domains at Namecheap still. I have a FIDO2 key set up for their website, which is good, but I’m not sure that I trust their security. I trust Google more.
I bought a domain name from a domain squatter who used Epik and there's a 60 day waiting period before I'm allowed to transfer the domain away.
Their site is one of the buggiest I've ever used (no, really), so this hack doesn't surprise me at all. Now I'm trying to remember how much personal information I would have given them.
If you truly believe in freedom of speech, it makes sense to support companies who enable those ideals. I'm not familiar enough with the company/drama/story here, but if Epik does not do anything "problematic" other than allow "problematic" speech, then I would consider them. A certain quote often mis-attributed to Voltaire comes to mind [0]. It appears they do have some lines drawn in the sand for free speech, they cancelled service for 8chan.
I wouldn't support this borderline nutjob. Making employees watching a video of christchurch shooting and saying it was fake? Yeah, no. He has a lot of ties to extremist right wing too.
This message to epik customers about this "alleged security incident" ends with:
> You are in our prayers today. We are grateful for your support and prayer. When situations arise where individuals might not have honorable intentions, I pray for them. I believe that what the enemy intends for evil, God invariably transforms into good. Blessings to you all.
I don't think anyone really supports unlimited freedom of speech other than as a strategic rhetorical lip service. It's a very unreasonable position. What people mean is that they draw the line at different places, usually while ignoring the law.
People disagree about the definitions of crimes involving publication. For example, almost everyone is against the freedom to disseminate child porn under the excuse of "free speech." Then, some people are against free dissemination of ISIS propaganda, especially when it contains concrete calls for violence. Then again, disseminating Neonazi propaganda with similar calls for violence is not more legal than ISIS propaganda in most countries. Revenge porn and sites dedicated to slander and libel are prohibited in most jurisdictions, too.
The US has lax application of laws against right-wing calls for violence but is well-known to enforce against free speech if other groups like Islamists are involved. In the past, communists and civil rights advocates were also not too welcome. Other countries apply laws more stringently. In various modern and democratic countries content hosted by Stormfront is simply illegal and various posters on their forums commit crimes. Their servers would be raided and shut down by the police if they were under the country's jurisdiction. The US was never governed or occupied by full-blown Nazis, so it is only natural that people tend to be more liberal about these matters there, but that's more of a historical coincidence than an argument.
Yup. The same republicans proud of their party history saw no issue with dragging people in front of congress for interrogation because they might be a communist (thought crime).
I almost picked them a while back because I searched for "domain registrars" and they came up. Nowhere on the website did it say anything about neo-nazis, fascism, conspiracy theories, etc. Just seemed like a simple registrar with no GoDaddy-esque sleaziness, and a neat, memorable domain name.
So so happy that I ended up not signing up. I just wanted a domain for my personal site and email, but I would've ended up on a public list next to nazis.
I registered an account with Epik in 2017 before any notoriety over Gab or whatever (though I did not ultimately end up using their services). Apparently this justifies doxxing and slandering me as a neo-nazi.
Considering that Epik have been in operation for almost a decade before a pivot to extremist hosting, I would assume that the vast majority of this """noble""" hack concerns innocent people.
Find me a service open to the public and I’ll find you “nazi” customers by someone’s definition. Hell, people were and probably still are “boycotting” GitHub (as in, they put feel-good slogans in their profile while still using it) a while ago for having U.S. Immigrations and Customs Enforcement as a customer. I’m sure if someone manages to completely hack GitHub, they will post everyone’s private repos and billing info, and it’s a just cause because GitHub hosts code for horrible people.
I’ve ran a website non-stop for over twenty years. I intend to keep it up as long as the internet exists. It’s not really had any major changes since 2008, but it’s a major source of nostalgia in my life. Beyond that it hosts my email address.
I was curious about prepaying for years of my domain in advance, and stumbled upon Erik.
Epik offers a “forever registration” where you get a domain “forever” for something like $500. I was seriously considering it before I heard about all the negative shit associated with them.
I suspect they’ve sold that service to at least a few average Joe’s.
I’m a regular folk that currently uses epik (just as a domain host). We (actually a volunteer who donated our domain name to us) registered with them like 12 years ago.
I tried to move off of them a couple years ago, but I moved to lunarpages and they didn’t have enough dns options for my service. So then I had to move back to epik.
Um, can anyone recommend another domain host? EDIT: transfer initiated.
I know your question was already answered at this point, but I'm using Namecheap for the domains I didn't have on Epik (mostly personal and some parked that I'm planning on building out eventually).
I've nothing but good things to say about Namecheap. Some of their employees post here from time to time and seem responsive to issues.
Ugh, I did. I was unaware of Epik’s “reputation”, I’d just heard the brand name before so I thought it must be alright. I would have gone with someone else, but most registrars don’t offer the TLD I wanted, and Epik seemed to have the best price amongst the registrars that did. Obviously regretting that decision now.
You're not alone. I wanted an alternative to GoDaddy whose prices perpetually increased to the point of ridiculousness and their removal of mostly innocuous sites (ar15.com comes to mind) without prior notice was a bit ridiculous. Which, is fine honestly, because their ads left a lot to be desired over the years.
I liked Epik's offerings because of the option of "forever" domains. So, I moved a bunch over there from GoDaddy; and as a Christian, I felt it wouldn't hurt to support a Christian business owner. Had I known a bit more about Epik, I likely would've picked a more reasonable registrar.
Unfortunately, it looks as though any purchases prior to Feb 21st may infer that your payment info is in a new leak. Contemplating having my card changed at this point.
What really irritates me is that there's been zero communication from Epik. Either they own up to it, or they ruin their business and what's left of their reputation anyway. I'm already bailing, because I don't want to have my domains associated with that degree of stupidity (though, it's probably moot at this point).
I signed up a few days ago on a friend's recommendation. I have nothing to do with whatever else. It sounded good that they weren't a fragile host (hosts that mess with your stuff without court orders or warrants or whatever).
Sometimes they have the cheapest renewal rate for some of the TLDs, so if you're deal hunting on sites like tld-list.com you could end up registering via Epik.
Before today the only thing I knew about them was that they were the registrar for a few controversial domains. I didn't realize they were soliciting that market.
I had one domain there in 2017-2018 due to some generic domain forum promo codes making them the cheapest. Didn't know of reputation or it wasn't obvious then, predates Parler existence, etc.
What would be extremely funny is if a different group of fake hactivists did a similar hack elsewhere but deliberately added junk data as a way to discredit all hactivism.
There are some Nazis here. If you do not stop posting here you are associating with Nazis. Since you post here you are either a Nazi or Nazi sympathizer.
Did anyone download it and look? This is huge if it's true isn't it? I don't want to download it because I don't know what the laws are, but I'm really interested to know if it's true. Rob Monster is a really big domain investor, right?
This is really big news if it's true.
Edit: I looked it up. Rob started Epik [1]. I wonder if that's really his password. Lol.
Edit 2: I wasn't aware of Epik's reputation either. I just knew they're a big (ish) registrar.
The torrent is on her website, a few people tweeted that they finally had seeders, but I'm unsure if they got the entire archive.
I'm currently trying to download it now, but the torrent file is so large that it's crashing most torrent software (pico, deluge, webtorrent) I throw at it, on 2 machines!
How big is it? I had similar issues downloading danbooru2020 (3.4TB), but rtorrent did the job with only ~5G RSS. Every other client used 4x the memory and never completed the download.
it's not the size of the data that's the problem, it's the size of the metadata and the sheer number of files in the data. Torrents suck for lots of tiny files, and we have that here in spades.
It's possible that the source sharded the torrent payload and then distributed the shards among multiple "seeds" that are brought online/offline on a rolling schedule, to avoid being identified as the lone seed. Since none of the "seeds" have the entire payload, they are identified as peers (specifically, leechers) in the torrent client.
This 30+ MB torrent file is choking ruTorrent and Deluge clients on my seedbox. Not sure how to fix it. Do you know of some alternative way to process such a large file? I have never seen such a large torrent file like this before.
Not available on my server unfortunately. Otherwise qBitorrent is the client of choice. I have found magnet links from DdosSecrets here: https://ddosecrets.com/wiki/Epik
Edit: Turns out I didn't give enough attention to Transmission as it handled the file. Very impressive.
As a side note: this has got me pondering about testing edge cases on open source software. Wonder how much of that actually gets done.
Lest anyone be confused, this is Epik the web hosting company[1], not Epic Games the videogame company[2], or Epic Systems the healthcare software company[3].
Nor is it Epic! the digital reading platform for kids[1], not EPIC the Electronic Privacy Information Center[2], or EPIC Provisions the company behind high protein meat snacks[3].
The whole site looks like it's parody information ("epic" with a K, "Rob Monster", nazi stuff, etc) but it becomes weirder when you realize they aren't parodying anything and all of it is accurate.
Very interesting that Anonymous went after them. I guess it just goes to show you that Anonymous is nobody's puppet, however much any given cause would like to consider them its personal army.
The linked .torrent file is ~30MB, and appears to be ~180GB of data with ~190,000 files. It's split into ~689,000 pieces of ~256KB, hence the comparatively large .torrent file overall.
Just a few days ago a Russian web host was hacked as well, with a similar statement. I guess they're all exploiting some recently discovered bug in web hosting software.
Not infrastructure related, but on monday the german anonymous collective managed to get a former IT admin of one of the largest covid conspiracy theorists to hand over his credentials, transferred all domains (he had ~ 10 aliases) and deleted his telegram channels
I tested on my machine and nano swap files contain the nano version (5.4), the username (anonymous), the hostname (datahound) and the filename (whois.sql).
The ethical thing to do when you find a security breach is to report it to them. If you support people who are willing to commit crime to get into power then I really hope that you take some time to think about your political convictions.
> The ethical thing to do when you find a security breach is to report it to them.
Do you hold secret services and private hacking companies (Hacking Team, Cellebrite..) to the same standards? If not, why are you complaining about this instance of small-scale hacking for the lulz, and not about the actual insecurity industry who derives power/authority and money from hacking?
> If you support people who are willing to commit crime to get into power
I certainly don't. I despise power in all forms, unless you're talking power as in "empowerment" or "power to the people". I will however, defend and help anyone committing crimes to abolish power and injustice, because "justice" is not something that can be measured or achieved with the oppressors's tools, namely laws and repression.
If you don't support people who break unjust laws and help make those abusing power accountable, I really hope that you take some time to think about your political convictions, and what you would have thought of the Resistance movement against nazi occupation during WWII.
I'm saying they are very confident and happy to host actual fascists and other stripes of neo-nazis and white supremacists. I have no clue about their own personal opinions, although some people further down this thread suggested they had such affiliations.
Providing material support to people is never neutral. I'm happy some sysadmins and community managers are taking a stand against abuse and harassment. On the other hand i'm also concerned State-mandated censorship is detrimental to human rights and will in fact be used more (as it already is) against anarchists, queers and other minorities and not against actual fascists because our governments are much closer to the historical definitions of "fascism" than they'd like to admit. So i'm clearly against censorship, but i agree with XKCD that kicking assholes out of our communities is not a "free speech" issue: https://xkcd.com/1357/
I can't say i'm very comfortable with these "free speech" hosts who would certainly turn away any opinions they disagree with. I much prefer radical servers like riseup/autistici who have clear policies on where they stand politically and what kind of activities they're ready to fight for and what kind of activities they'll fight off.
Contrary to Protonmail and their millions of dollars, Riseup is a self-organized non-profit (born of the altermondialist/internationalist movement) who had servers seized rather than rat on their users [0]... unless some people/activities directly contradict their ethical principles in which case they reserve the right to collaborate with law enforcement [1] instead of risking the infrastructure needed by all their users (as in a seppuku pledge, like Lavabit did).
Expect this hack wasn't "showing the door to the assholes in your community" this was hacking and trying to doxx another community you don't agree with.
They had already left your community and made their own, but as was expected that wasn't enough and never was the actual point of that XKCD. The actual message behind the stance is that speech you hate should be removed.
As with most things people are for removing speech as long as it is speech of people they disagree with. We just have to hope the pendulum never again swings back to the other side.
All these recent hacks. Cant any of these companies use proper security experts? I mean they have the funds, why skip this and avoid all the backlash that comes with this. Its expensive but not as much as letting everyone know you messed up hard
Implementing security guidelines is not as easy as paying a security expert. You then have to follow their advice, which means security practice for all employees. It can be costly and cumbersome.
Of course, it would have reduced damaged, such as pointing out that unhashed or unsalted MD5 passwords in a database is... what we've stopped doing 20 years ago for good reasons? :)
But well, if you're a big hosting provider tailoring to white supremacist content, you usually don't need so much security, since apart from anonymous-adjacent antifascists pretty much everyone is licking your boots, including law enforcement. The biggest neonazi forums have been around for decades, and their biggest proponents are well hidden behind the walls of our police stations, banks and parliaments.
That's the opportunity cost of defending. It's like walking through treacle at times, but you have to visualize the worst case scenario in your head and act as if you're gonna get breached. You need to essentially enact the situation in your head so that it gives you the momentum you need to keep defending.
Yup. Security is a lot of time an after-thought and a burden to quiet a few companies since security is something that is not of immediate value. Last spring we had a speaker from northrup-grunman who talked about the need to push for a DevSecOps strategy.
> security is something that is not of immediate value
Yeah exactly. It's a huge cost upfront and zero immediate benefits. The investment is worth it to prevent losing value due to a breach, but unfortunately it seems pretty OK for for-profit companies to "loose" data from millions of their customers without facing any sort of consequences.
I'm not exactly saying it should be entirely okay for non-profits, but these generally don't have the resources/budget to ensure any form of security so i don't have the same standards. In my book, a for-profit business leaking user data due to preventable mistakes should be dissolved instantly by law for endangering uselessly their customers.
> we had a speaker from northrup-grunman
Uh. Sorry for you. These military industrial complex people have the best security advice, but they're the worst kind of humans.
For the northrup-grunman, his advise made sense, but as vet I agree with you on the characterization.
As for the for-profit companies. For some reason there is not enough value placed on security in the eyes of the public. Sony is still a major player in the gaming industry, even though the massive hack years ago. Not saying Sony should not be in business, but I don't think it made any major impact on their ability to sell consoles. Security compromises don't seem to have nearly the same impact as other kinds of compromises.
> Cant any of these companies use proper security experts?
I can't speak for all of them. But I worked at a very large company known on a global scale. They thought they had proper security experts, but the people that hired them didn't know security very well. When issues were brought up, instead of them asking "how do we resolve this?" they would ask "why would someone do that?" This raised so many red flags in my head the first time I heard this, I didn't even know how to respond.
I came to them with various issues, one of them could've had very serious consequences. I proposed step by step solutions that were simple and would've patched up issues behind the scenes and only impacted people that were violating security policies. They never seemed to care about protecting what they had. It was very sad.
I'll give two examples of the issues they faced:
1. They left doors unlocked and open to the building during working hours, anyone could enter and witness highly classified work on someone's machine, or use someone's machine if they had left their desk without locking it, which happened frequently.
2. Their shared document service, which contained many classified, and highly classified documents had an authz vulnerability which would allow any logged in user to view (and in some cases edit) any document in the company that was stored on their document storage service.
I think my conclusion is that a lot of companies don't even know what their issues are, don't know what experts they need (or if they need them at all), and don't care because nothing bad has happened yet.
I may be uninformed on this topic, but i believe this line to be tongue-in-cheek (like much of the announcement). How best to announce something for a very informal/anonymous collective?
Hello, I am an OFFICIAL representative of Anonymous and neither OFFICIAL ANONYMOUS and Anonymous Officials are not official Anonymous representative. Officially. I think.
Why can't politics be fun? Also, do you remember a time when Anonymous wasn't about politics? I clearly remember some strong political positions against the Church of Scientology, against the surveillance apparatus, etc..
I don't disagree with what you wrote, but as far as 4chan has developed a style/brand, the tone of the page felt surprisingly non-edgy to me. Anons usually aren't known for unironically repeating media slogans, are they? ("Abortion is a human right!")
The mudkipz catchphrase was also very forced. Reminded me of the "hello fellow young people" meme. Of course, it might all be intentional.
I believe Anonymous claimed to do a DOS on the DOJ website because of the arrest of Kevin Dotcom (2012). Operation Ferguson (2014). Operation Saudi (2013). Operation KKK (2015). Operation Avenge Asange (2011).
Quiet a few operations under the name of anonymous have had some sort of political or social motivation.
Sorry but i have no idea what any of you are saying, nor do i have any idea where to direct this question, but can someone/anyone plz listen to my (probably useless) idea, and/or share with whoever takes requests? In just tired of all of the kids around here following all these self-destructing and mindless 'trends' from all of these social media sites! Its just so embarrassing, i wish these younger generations would stop copying bad examples probably started by some evil genius that works for the govt of a country who hates us and wants to see what stupid tricks they can make us do.
ANYWAYS.... i sure would like to know what would happen if everyone who has youtube, tiktok, facebook (etc) account had their personalized results/preferences changed so that all of the suggestions and 'similar' results would consist of 'Restoring Faith in Humanity' type videos. Thank you for listening, sorry its probably a dumb idea.
Sorry but i have no idea what any of you are saying, nor do i have any idea where to direct this question, but can someone/anyone plz listen to my (probably useless) idea, and/or share with whoever takes requests? In just tired of all of the kids around here following all these self-destructing and mindless 'trends' from all of these social media sites! Its just so embarrassing, i wish these younger generations would stop copying bad examples probably started by some evil genius that works for the govt of a country who hates us and wants to see what stupid tricks they can make us do.
ANYWAYS.... i sure would like to know what would happen if everyone who has youtube, tiktok, facebook (etc) account had their personalized results/preferences changed so that all of the suggestions and 'similar' results would consist of 'Restoring Faith in Humanity' type videos. Thank you for listening, sorry its probably a dumb idea.
Domain Name: ROB.MONSTER
Registry Domain ID: D98633729-CNIC
Registrar WHOIS Server: whois.psi-usa.info
Registrar URL: https://www.internetx.com/
Updated Date: 2021-06-05T01:19:43.0Z
Creation Date: 2019-04-01T14:00:01.0Z
Registry Expiry Date: 2022-04-01T23:59:59.0Z
Registrar: InternetX GmbH
Registrar IANA ID: 151
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Registrant Organization:
Registrant State/Province: nrw
Registrant Country: DE
Registrant Email: Please query the RDDS service of the Registrar of Record identified in this
output for information on how to contact the Registrant, Admin, or Tech contact of the queried
domain name.
Admin Email: Please query the RDDS service of the Registrar of Record identified in this
output for information on how to contact the Registrant, Admin, or Tech contact of the queried
domain name.
Tech Email: Please query the RDDS service of the Registrar of Record identified in this output
for information on how to contact the Registrant, Admin, or Tech contact of the queried domain
name.
Name Server: NS1.WESELLTHISDOMAIN.COM
Name Server: NS2.WESELLTHISDOMAIN.COM
Name Server: NS3.WESELLTHISDOMAIN.COM
DNSSEC: unsigned
Billing Email: Please query the RDDS service of the Registrar of Record identified in this
output for information on how to contact the Registrant, Admin, or Tech contact of the queried
domain name.
Registrar Abuse Contact Email:
Registrar Abuse Contact Phone:
URL of the ICANN Whois Inaccuracy Complaint Form: https://www.icann.org/wicf/
Speaking to Gizmodo, Epik said they were unaware that they had been hacked, but would investigate.
What's interesting here is that if you are an ICANN accredited registrar there is a window in which you must report a breach to them, may be interesting to find if they have/have not reported said breach.
I don't get it, didn't anonymous start on 4chan? Why are they attacking this company which is hosting similar content? I thought anonymous used to only attack megacorps
Parts of the anonymous trend started on 4chan. However not everyone involved with anonymous is/was involved with 4chan, and it was also at a time when 4chan was more of an anonymous meme board and less of a pedo/nazi aggregator.
Anonymous doesn't only attack megacorps. First because anonymous is not a group so there's no central leadership to decide who to attack. Second because they're overall involved with fighting injustices of all kinds. It's not the first nazi-friendly site to get hacked by anonymous, but to my knowledge the first nazi-friendly webhost.
Also, depending on your understanding of what a megacorp is, Epik may very well qualify.
> and it was also at a time when 4chan was more of an anonymous meme board and less of a pedo/nazi aggregator.
I will have to disagree here. The amount of illegal pedo content has dramatically decreased over the years. You would see people spamming it all the time around ~2008-2013 in /b/, while nowadays it is much more likely that you will see such content while browsing facebook.
As for nazi content, there are a lot more things that are considered nazi these days that were common back (such as calling people slurs as a generic insult), although since around the time of gamergate the amount of unironic actual nazis skyrocketed (as part of a wider social radicalization) and they stopped being shamed as much when posting in unrelated boards.
> Also, depending on your understanding of what a megacorp is, Epik may very well qualify.
I think that this is stretching the definition. I believe that most people would consider something of the size and reach of cokecola and mcdonalds as megacorps.
One of the saddest and most effective media coups of the last decade has been the far right convincing the public that 4chan was always theirs. It started as an anonymous image board, one that an incredible number of people left when it became apparent that neo-Nazis had Poe’s Lawed themselves into the dominant user base.
> I thought anonymous used to only attack megacorps
Various individuals or groups labeling themselves “Anonymous” have operated during the Arab Spring, and after the murders of Tamir Rice and Michael Brown.
Very much this. I'm a bit surprised it took this long to see a backlash. Since /pol/, 4chan and Anonymous have spent far too much time as someone's personal army, despite that being always the disclaimer.
Scorpion and Pepe story… except strangely reversed. This would be the frog dumping the scorpion, after having been stung and used ruthlessly to serve the scorpion's selfish purposes for years. Very 4chan-like, to be able to survive a scorpion sting, but you can't poison poison, or meaningfully piss in an ocean of piss :)
Sure. But the site took a distinctly reactionary turn around 2010, and the community that’s on there now bears little resemblance to the one that occupied it from 2003 to 2013[1].
Put another way: it’s always been a cesspit, but it was a cesspit of a community. What passes for conversation on 4chan in 2021 appears to be neo-Nazis riling each other up.
[1]: On the bigger boards. The smaller ones are basically what they’ve always been, which lends further evidence to the point about the overwhelming majority of hate content coming from opportunistic reactionaries.
As I said 4chan has always been about being counter culture. During early days 4chan was more liberal and Left leaning, then when government changed it switched. Had the Right held the office for longer 4chan would have again shifted more towards Left.
As for hacking and doxxing people you don't politically agree with just because of that, that sure wasn't the original "hacker known as 4chan" mentality. That was called "moralfagging" back in the day.
Anyone can claim to be part of Anonymous, that's kind of the point. It's not an official group with representatives or any kind of official viewpoints. All you need to do is say you're part of Anonymous and that's it, no 'larping' required.
But nevertheless, in the real world, Apple employees don’t care much about Epic Games. A lot of them probably have a personal account on Epic Games Store to get their free games. Like the random people they are.
Pay attention to not mix up the marketing bullshit drama of those companies around this trial with the humans working for theses companies. I doubt anyone working in there is bothered with this trial (appart from legal departments).
> OFFICIAL ANONYMOUS (not to be confused with 'Anonymous Official' grifters)
They should sign an ethereum address to reduce ambiguity
(Any crypto asset address is fine, even PGP is good enough for this but PGP had 25 years to make that user friendly and common but failed, and cryptocurrencies made signing software more prevalent and uniform wayyyyy faster)
"PGP" is an algorithm, not an organization or movement, so you can't really say it failed. The algorithm is pretty good, though some implementations are really bad, and most programs who embed it have bad UX.
However, there's still some very good programs with good UX making use of PGP (for example delta.chat), and to this day no cryptomoney scam wallet has ever been as useful as PGP has over the years.
I’ve never heard PGP described as an algorithm before. I think it’s more accurate to describe it as a signing and encryption envelope standard, which internally supports a whole bunch of common encryption standards.
More generally, there’s broad consensus in the cryptographic community that PGP’s intended uses and design are fundamentally flawed/mismatched against modern actual uses.
Don’t get me wrong! Cryptocurrency is filled with shysters and I don’t use any of them. But we should probably be encouraging users to stop treating PGP over email as if it does anything and instead encourage them to switch to E2EE systems (since that’s what the majority actually want.)
"cryptomoney scam wallets" have likely secured many more deals with offline verification signatures over the past 5 years than PGP has over 25 years. no need to conflate that with transactions and value transfer. its just public and private key cryptography and inherits everything that PGP offers.
this algorithm has failed to proliferate outside of thin security conscious niches for an entire generation of internet users, and has been leapfrogged.
Signing in this context would be debatable, in that it may call into question of how much one would (personally) be willing to risk ownership claims of a crypto asset or content.
Remember when satellite.earth "pioneered" this idea for their platform? (not ragging on them but some of the content posted on there were insightful and unique)
I dont remember and I have no idea what you are alluding to
You can literally generate any public key / address hash that conforms with a blockchain and sign it and anyone can verify that you therefore control it
This has zero crypto assets involved and has no trail of assets so what are you talking about? If anyone sends funds to the address hash the owners can just tornado.cash it and withdraw it somewhere else with an instruction sent over the relay with no prior link to the funds or address. Its perfect right now. But what do you perceive?
> They should sign an ethereum address to reduce ambiguity
^I'm responding to this
_If_.
I am still openly questioning the nature of blockchain and open ledgers: trivial associations with transaction activity and address history can be had or via more complex analysis with clustering, modeling, etc (ie: Chainalysis). I used to think that a simple signature confirmation claiming "this is my email address" would be okay for solicited communications but what would happen if the channel used becomes adversarial?
Apologies but I'm failing at framing my own argument here as I'm confusing the intersection and implications of the current "NFT art" craze that's been happening. For example, some Tezos-based art projects are in reality minting your signature on the blockchain with an asset they host on an external source, eg: ipfs. You own the signature but do you really want to publicly "own" something controversial and perhaps illegal within your country's jurisdiction?
Yes, you are confusing and conflating a lot of topics simply because you saw the word Ethereum or blockchain (or maybe "signature" if I'm reading this correctly). A lot of people do it. I've been in plenty of circumstances where people go on incoherent jumbles of words in response to the word blockchain.
Signing an address has nothing to do with linkability or transaction history, or even blockchains, as this is not a transaction and requires no funds. It requires having generated the private key, client side. Signing proves you control the private key, public key and address hash. A signature allows other people to verify that you in fact do have control of that address. When looking at the address on a blockchain, it can be empty, no funds, and simply relegated to being a unique identifier for the person that signed the address.
Okay, so let's assume this is confusing because it conflicts with something else you thought you experienced regarding blockchains. Well just erase all that from your mind, and read on:
Blockchains use a namespace of address hashes. Private keys to generate those address hashes are only generated client side by the user, and there is enough randomness and entropy for no other user to generate the same private key, public key and address hash. But within the namespace, all public keys and address hashes already exist. I think this is the fundamentally different paradigm than account numbers like at a bank. At banks, for example, accounts numbers are incremental. ie. When an account is created new row is added to the account database it has an ID that goes up by one, and all the attributes of the account did not exist until the point in time that the server was instructed to create the account. In blockchains using a designated cryptographic namespace, all accounts therefore already exist and access must be generated client side by the user. The namespace is extremely large, which allows for assurances that nobody generates the same private keys, public keys and address hash. The other countintuitive thing to understand is that these accounts don't exist "on" the blockchain until someone sends funds to them. An empty address means it has never been seen on the blockchain, as this record only occurs after a digital asset or message references them in a prior transaction. GUI's for browsing blockchains smooth this over by letting you look at empty addresses simply by nature of them complying with the namespace, but an address that has never previously received funds or any other message is not in the blockchain at all, yet. The reason this is important is because if you have the private key to that address, you can still convey that you have control of that address via signing and there is no prior link to any other address or funds. There is no linkability or privacy issue. Signing just lets you have a unique identifier.
Using all that, to go back to what I said earlier, cryptocurrency wallets just makes public and private key cryptography so prevalent that signing is also more prevalent and available. Whereas PGP and GPG Suites had 25 years to do so and have not been successful outside of much much much smaller niches, that have not seem to have grown at all and the user experience arguably has gotten worse.
What you mentioned about NFT art signatures is a different topic. Address signing is about offchain signatures. All transactions and onchain metadata are onchain signatures.
One step closer to anarcho-tyranny.
Anonymous has become the Antifa of the Internet.
Basically a far-left strike force, cloaked but public, with enough plausible deniability that the 3 letter agencies allow to exist because they can do things beyond the law - as long as they dont go after the gov...
One has to wonder why they are so focused on [Combating far right extremism and misinformation] when it's clearly designed to benefit the overall establishment system status-quo. Even _if_ this whole Operation Jane anti anti-abortion-law texas hacktivism politics made sense to someone, it now has a much larger effect on the internet as a whole. Epik - one of the last hosting providers on the internet in favor of absolute free speech (within the law) that still exists. The risk/reward equation doesnt add up.
More innocent rights are being violated with this hack alone compared to saving womens abortion rights.
>One has to wonder why they are so focused on [Combating far right extremism and misinformation] when it's clearly designed to benefit the overall establishment system status-quo
Far right extremism is a threat to the status quo of open and tolerant liberal democracy, yes, you are correct.
What's the difference between an anti-fascist and a fascist if they use the same tactics? Two weeks ago "anti-fascists" opened fire into a crowd of peaceful demonstrators in my state's capitol.
I can't believe [What do they have to hide?] was even seriously spoken here.
Im not the only one who believes this glows exactly like a state-sanctioned hitjob. This was cyber-warfare.
https://www.youtube.com/watch?v=f5a42XuzPLk
An average fair video on the hack - but Read the comments.
Anonymous is not bashing the fash, they now do the bidding of the far-left Establishment, enforce state-approved Censorship and Cancel Culture of any dissidents against the monoculture cathedral regime - who now just are your average regular independents, libertarians, and freedom loving populists.
Anyone who still falls for "but they're nazis and fascism is bad mmk" is either dishonest or not following this subject matter. Just because you don't like someone doesnt mean they're nazis.
I doubt this is even Anonymous. The real Anonymous would not be hacking companies providing free speech (no matter how bad the security).
I love how this is a tongue-in-cheek reference to the "hackers on steroids" piece from 2007 https://www.youtube.com/watch?v=DNO6G4ApJQY