All web traffic should be encrypted, regardless of purpose. This increases the work that nation-state level adversaries must do to effectively spy on the population. And it's cheap and easy to do these days.
Fair enough. I don't think this is a "shady" practice either. But I think it's an old, out-dated practice to charge extra money for a feature that should be on by default.
If you might need to make edits in the future, then a temporary account. Like a burner prepaid cell phone. HTTPS is for API users. The majority of pastes are anonymous.
Why not ask the archive.org guys to publish it somewhere? The research already relies on their data and they seem to be pretty good at defusing shady legal requests.
As I understand it, it's actually worse: the thing you swear under penalty of perjury is not "this content infringes a copyright", but rather "I am the copyright holder or authorized to act on the copyright holder's behalf". So even if you know beyond doubt something doesn't infringe, you're not committing perjury unless you misrepresent yourself as a copyright holder or authorized agent of a copyright holder.
I don't know enough about these kinds of situations yet to form a reasonable argument for-or-against. Is what was done considered a kind, favourable thing for the developers behind those sites or is it something that shouldn't have been displayed?
How exactly does publishing a list of malware-infected stores fall under the DMCA? I always thought DMCA was meant to be for copyright infringement cases.
I didn't see the list, but did it by any chance contain the logos of the online stores? If it did, the DMCA notices make sense.
Compilations can be copyrighted. There's a long legal history on the topic. Also, logos are generally a topic for trademark laws, not so much copyright.
Actually, you're wrong. The DMCA was used as a premise for takedown on the basis of purported copyright infringement. I was pointing out that such a claim, however spurious you may think it is, would likely hinge on the claimant's exclusive rights in the compilation. I can't see any other theory that would support a DMCA takedown. Again, it's irrelevant to the question whether or not you think the claim had merit. Also, the question conflated trademark with copyright.
That's all well and good if this case ever goes to court, which it almost certainly won't. Most service providers will pull down any content that's included in a takedown notice. The alternative is for each service provider to make a legal decision about each takedown notice. That won't happen. If they don't respond in good time, they risk their safe harbor status.
It's smarter (under the seriously f'ed up DCMA system) to pull it down and wait for a counter notice, at which point they put it back up, and they aren't responsible any more — the person filing the counter notice is responsible because a false counter claim counts as perjury.
At that point, the original issuer of the takedown notice can sue.
Of course, it almost never gets that far when the takedown notices are spurious, as in this case. That's what makes the DMCA such a bad idea — it's a perfect tool for censorship.
> I was pointing out that such a claim, however spurious you may think it is, would likely hinge on the claimant's exclusive rights in the compilation.
I don't think it is that simple. Yes, you may claim a copyright on whole compilation. But you could as well claim a copyright on some parts within that compilation. Since the compilation is a single document, claiming copyright on some part of it would also be sufficient for a takedown.
it falls under the DMCA because the DMCA mandates a takedown-first and check the validity later workflow. To be in compliance, a site must respond to any DMCA takedown notice as quickly as reasonably possible, regardless of how fraudulent it might be.
As long as you're okay being found guilty of perjury by a US court, or have no plans to enter a US jurisdiction in the near future, you can get any content you want taken down from any site that's required to follow the DMCA.
DMCA is a copyright law. It requires a takedown for alleged copyright violation. That doesn't apply here. The stores don't have copyright over their domain names on a list.
Yes. So to get something taken down, all you have to do is allege copyright violation. If you're not concerned about perjury in the US courts, the claim doesn't have to have merit.
Service providers have a choice:
a) follow the DMCA takedown process and be shielded from all liability, whether or not the claim has actual merit
b) evaluate each takedown notice to decide if the material falls within the scope of copyright, ignore takedowns where in the service provider's opinion the material is outside the scope of copyright, and should it go to court, be forced to defend that position on its merits instead of having an automatic liability shield
What sensible service provider is going to choose option b?
The claims probably have little to do with DMCA violations themselves, but it has become an easy way to get content removed quickly from sites without very much review from the host service.
The claims are probably from the malware perpetrators as a way to censor discussion and keep the gravy train rolling. It's possible also that the embarrassed commerce sites would file a DMCA claim to keep the public in the dark about how insecure their sites are/were.
Indeed, this is one of many cases where the DMCA is almost an invitation for abuse - which was, if I remember correctly, also one of the main points of criticism when the DMCA was created.
And get DDoSed by the malware guys who don't want their victims know they are in the list and fix their site. It would be an altruistic offer but I would think twice about it.
However it's a problem and we need a solution.
A torrent? Yes but Google won't index it.
A file on S3 wouldn't work because they could just download it as many times as needed to make the bill skyrocket. Better than a DCMA.
Anything that is unaffected by DDoS, costs no money, can be indexed?
IPFS links are immutable, whereas IPNS links are a mutable pointer to an IPFS hash. They can be updated at will, making them ideal for changing content with a stable hash.
Does the author need a git repo with a web UI, as github/gitlab provide, at all? Or were they just using github.com and gitlab.com as convenient free cloud-hosted publishing platforms?
To be fair, maybe some automated method that hub/lab owners have not vetted the data overall. I hope your list stays up/public personally as long as you are willing to take responsibility for its upkeep. I wish there was some format to submit this list (and your responsibility for keeping up with it) to vendors on the lookout for this kinda stuff (up to them to decide inclusion).
>Only limited DDoS protection and mitigation is provided to domains on a free or Pro plan through "I'm Under Attack" mode. If you are looking for advanced DDoS protection and mitigation and frequently suffer sizable DDoS attacks, please consider looking at our Business or Enterprise plans.
After briefly looking at https://github.com/github/dmca/tree/master/2016 there doesn't appear to be any DMCA request for gwillem's content, so maybe it wasn't removed through the DMCA process?
> I understand that Github doesn’t have the resources to investigate each and every DMCA notice. However, it still took me by surprise that Github censors data so easily.
Send a counter-notification asserting that the data is not under copyright and have it put back up. Assuming this is really DMCA.
You should host the list and post a high visibility link (i.e. news article). You'll probably discover real quick the pressures that caused GitHub and GitLab to buckle so quickly.
And just like that, we discover how helpless the average Joe is against corporate money.
Let's crowdfund an AWS s3+CloudFront hosted site. DDosing that is no easy feat, and if corps do try it, the logs can prove their complicity, which has legal implications I presume
It's an endless cycle. The Man keeps you down, so you throw together resources and collaborate to have a crowdfunded solution. It becomes successful, grows, hires some employees to maintain things, keeps growing, and becomes The Man.
We at GitLab believe the author did not responsibly disclose this security information in a proper manner, and today we removed the list of hosts in accordance with our terms of service (https://about.gitlab.com/terms/).
The author says that he contacted "about 30 merchants directly", but the published list includes over 1000 merchants. Most merchants were neither informed nor given a chance to respond in a timely manner. We did not feel comfortable hosting information that could be construed as an open invitation for malicious users to exploit.
Don't you feel uncomfortable in making it harder for users to avoid websites with malicious software? It's definitely worth mentioning and explaining if you do.
These sites are actively participating in harming their users with their negligence. Users should have the ability to know which site is safe and which isn't.
According to the article, the stores were running malicious javascript which grabs people's credit card info. This obviously means they are vulnerable in some kind of way, but I fail to see how this is reasonably likely to be exploited. Even if it was, you also have to consider the benefit of warning the users.
I am not a security expert though, and I might be missing out on something.
The responsibility of GitLab and GitHub is not to investigate if those 1000 sites are indeed running malware and how dangerous the malwares on these sites are, and who could be harmed by these malwares.
The responsibility of GitLab and GitHub is also not to judge if it's "more important" to protect the site owners' businesses or the people going to the sites.
If some sites are running malware, the site owners are responsible for fixing it and not harming the people using their sites, not GitLab or GitHub.
On the contrary if site owners could be harmed by the name of their sites being on such list on GitLab or GitHub, then GitLab or GitHub are responsible according to the DMCA.
So GitLab and GitHub are just acting on what they are held responsible for according to the law.
Disclaimer: I am working as a contractor for GitLab and I am not a lawyer. I took no part in GitLab's decision to censor the list and this is just my own opinion.
> On the contrary if site owners could be harmed by the name of their sites being on such list on GitLab or GitHub, then GitLab or GitHub are responsible according to the DMCA.
Nope. DCMA is about copyright, and we have not gotten to the point where someones URL is copyrighted.
> It criminalizes production and dissemination of technology, devices, or services intended to circumvent measures (commonly known as digital rights management or DRM) that control access to copyrighted works. It also criminalizes the act of circumventing an access control, whether or not there is actual infringement of copyright itself.
What about the consumers who are being put at risk of being defrauded? Do they not have a right to protection? Malware infected ecommerce sites could be stealing credit card info and robbing consumers. Merchants who endanger consumers by failing to provide a secure platform for digital transactions do not have any right to be protected from having their negligence exposed.
A 'normal consumer' won't be helped by such a technical list on github/gitlab. Do you really believe they would look there? If they wanted protection they could have installed Ad-blockers etc. long time ago already. (Or use more reputable shops)
Lots of people google the name of a webshop to check if it's legit.
Not all, but some non-tech people do that..
And lots of webshop owners google their own shop. Shaming sites that are hosting malware seems perfectly reasonable.
On topic: I assume github/gitlab both completely misunderstood what is going on, and thought this was a disclosure of security holes that could be exploited.
I wouldn't be surprised if they do a lot of these.
Perhaps try to throw it up on a few different CDNs where you pay for the service and can contact support. Like S3 or dreamhost (they have decent support too). Arguably github/gitlab isn't the best hosting platform for misunderstood journalists.
How long is the author going to check and update that list of compromised websites? Right now they are broken but in 6 months when the site gets upgraded it will be a knock against them unless the author updates the list. This is the real problem.
This is completely unacceptable. You're treating this as though the author was publishing a list of vulnerabilities about sites. That's not what the author did. The author published a list of sites that are already infected with malware and thus are dangerous for users to visit. This is a public service and there is zero expectation of "responsible disclosure" to the sites. The only thing that disclosing to the sites without telling the public does is protect the reputation of the site, but there's no expectation for anyone to try and protect the reputation of sites that are serving malware.
> We did not feel comfortable hosting information that could be construed as an open invitation for malicious users to exploit.
The sites were already exploited. That's the thing. At best I can see the argument you're making being "we don't want the sites to get exploited a second time", but that really shouldn't be a concern. The sites were already exploited, there's nothing left to protect. And publishing a list saying "this site has malware on it" doesn't actually tell anybody how the site was vulnerable anyway, unlike disclosing security vulnerabilities which by their very nature informs people how to take advantage of them.
I'm not sure if GL is trying to protect themselves against something and are making up some excuse to justify it but the reasons given for taken down the list don't hold water.
GL would be far better stating the real reason for taking the info down (surely there must be one).
So far what they've done is seemingly to protect the merchants reputation and perhaps protect GL from some imagined legal backlash? The backlash would have no basis is court or other services like Google's own SafeBrowing would not be viable.
Are we to assume the GL cares more about that than users/visitors to these sites?
The real reason is almost certainly something along the lines of 'it's possible we could get sued for libel' or 'we have been threatened with a libel suit'. Not that such a case would ever go anywhere, but I imagine they figure that it's more trouble than it's worth.
I agree. GitLab's reputation has taken a pretty big hit in my opinion. I kind of expected GitHub's reaction, but had hoped for something better from GitLab (if nothing else, just to differentiate themselves from their opposition).
I'm not sure if responsible disclosure applies here. This isn't an unannounced 0-day that could in theory be in the hands of criminal elements. Responsible disclosure only works because there is a reasonable chance that an exploit is not already widespread.
> an open invitation for malicious users to exploit.
Malicious entities have already exploited these websites. This problem is widespread - over 1000 merchants. The author has not put the cart before the horse.
If I wanted to protect my family against this by installing uBlock Origin on their machines, could uBlock possibly be hosted somewhere where they wouldn't face this censorship? They have in the past temporarily blocked websites (e.g. Sourceforge adware) but have rapidly unblocked them when the issue is resolved; this has saved my bacon on numerous occasions.
I really appreciate the transparency here - kudos. You have your facts wrong.
So when GitLab finally bothers to respond they do so from a new account? Any proof this comes from GitLab?
Which terms specifically does it violate? The terms page you linked to is 10k words long.
As others have mentioned, this is not about responsible disclosure. If those merchants have the good of their customers to heart, they will act to cleanup their sites and disclose the breach themselves. If not they will move to censor this to avoid losing face, maybe not even bothering to remove the malware. And you're just helping them with this.
I don't believe it is your place to do so. You have the right to, but you have no real reason to. You will suffer no consequences from removing that list.
Responsible disclosure works because companies are responsive to disclosure.
Full disclosure works because companies are negligent and they've been outed.
The author did contact said websites, it is their responsibility to fix the issue in a timely manner. Removing the content was akin to a newspaper removing stories relating to certain politicians to protect them. It is censorship.
You still screwed up handling things. Did you very they are actually vulnerable? Or are you hoping you got it right? Cause if the later you really shouldn't remove something you don't know anything about
I don't even believe that. One or more merchants on that list threatened you with legal action so you took it down.
Even if your cover story is true, you are basically throwing users and banks under the bus to help merchants with dirty card readers continue business as usual. Meanwhile users will continue to be defrauded, and banks will have to take the hit when users complain about charges they didn't make.
I have to confess, when GH did something offensive I did cancel my paid account there but I still use it, so I guess I didn't care that strongly about it after all...
GL sent me this statement. For the record, I didn't publish vulnerable systems, I published stores that have malware.
---
Willem,
GitLab has opted to remove the list of servers that you posted in your snippet. GitLab views the exposure of the vulnerable systems as egregious and will not abide it.
While GiLab reserves the right take further action, up to and including termination (https://about.gitlab.com/terms/), we have chosen not to terminate or lock your account.
Please know this decision was not reached lightly and we appreciate your understanding on the matter.
And even if it were (a list of vulnerable systems, that is), why the fuck do they think that they should censor serious journalism? If you operate a public venue, then it is an important societal role of journalism to report on it if that public venue poses a risk to the public, whether that might also have negative consequences for the people operating it is completely irrelevant.
Lots of people are saying "But the sites are already exploited" ... they are probably still exploitable further also, and GH/GL don't want to be at that party.
No, they would not be required - they are a private business and set their own terms.
As for being responsible - that is their motivation.
Should I assume that now you have access to this list that you will be contacting the site owners to notify them their sites are infected & exploitable? Would that be responsible on your part?
I really hate this trend of journalism leaking into services like Github. We have secure ways to share files with high redundancy, why put a service like Github/Gitlab in the line of fire when their primary goal is to enable open collaboration, vs open information.
Torrents are what in mind really, low barrier of entry for viewing, and someone in an oppressed state who can get arround a website block can probably get the torrent anonymously. To me not being easy to edit is an upside, additional data should require the initial trusted party to share a new magnet
There is a right of free speech in many countries (I assume you are in one of them), but that right does not force anyone else to distribute or publish your speech.
Their servers, and their decision on what data is on them.
Want to make it available for every to read? Run your own server and host it there.
tl;dr - you have the right to say what you want, but you cant force anyone to listen.
And that's why no one is talking about forcing GitHub and Gitlab to do anything. They're merely complaining. Just because someone complains about something doesn't mean they think it is illegal or ought to be illegal.
Yes, but one by one the word "censorship" loses it's meaning. It used to mean preventing people from publishing their work. Now all it means is disagreeing about what should get shown prominently on social networks.
Anyone suppressing a work based on ethical judgments is practicing censorship. They could be acting on the authority of a state or religious institution, they could be removing immodest young adult fiction from the shelves at a children's library, or they could be moderating the content of a web site. Web sites are new, but the concept is the same as it's always been.
Did you ask them for permission to publish a private communication? Probably not, bad of you! -
Github/-lab is for projects imho and not a publishing platform. Why don't you publish it on your blog or something? All power to Github/-lab, kick out such stuff!
As you said: to some extent! Have a look at the "What is Github Pages" [1] and one clearly feels that Pages is meant for software, projects, manuals etc. And NOT to publish documents to shame 3rd party misbehaviour and hopefully attract publicity and quarrel. Such content should go to other places (imho).
Why are you so angry? This is not about shaming, but protecting customers - first thing I did even before reading the full article was to click the link to see if I have given my CC to fraudsters, then I was gifted with a 404 from GitLab.
This is not a CVS, so you would still need to run something like git locally on your own server, but the idea of self-hosted modules will solve for the censorship of central authorities.
>For the record, I didn't publish vulnerable systems, I published stores that have malware.
This is a crucial point, because it shows GitLab is basically nonresponsive to the key issue; it's the difference between "Here's how to hack Giant Anchor Retailer" (unethical, possibly illegal) and "Giant Anchor Retailer has been hacked, estimated NNN cards may have been compromised" (of public interest, not illegal). In my case, I want to know if I used any of the retailers on the list!
For GitLab to call this "egregious" and that they "will not abide it" suggests that either GitLab is technically incompetent in security matters, or that they've received legal notices and decided that the shortest path to resolution is to throw their users under the nearest publicly-operated multiwheeled passenger conveyance. In either case, poor show, good reason to seriously consider moving off GH and GL.
Sorry for our mistake Willem, we reinstated the snippet. Also see our blog post about this on https://about.gitlab.com/2016/10/15/gitlab-reinstates-list-o... TLDR; The owners of web stores have a responsibility to their users. And it is in the users interest to have the list published so owners. We currently think that the interest of the user weights heavier.
I think the fastest way to get sites fixed is to run a script that crawls sites in the list, parses their Twitter and posts a warning there with link to original article.
So it seems the real bug here is that a site that is hosting malware is doing so because its actually vulnerable to being hacked, was hacked, and malware was installed. So posting the site name identifies a vulnerable site (which is wrong) and stops informing people that those sites have malware on them (which is an issue as well).
That is quite the catch 22. And of course many of the sites owners are clueless and don't even know how to patch or fix their systems.
I'm kind of with Gitlab on this one, just publishing a list of broken sites isn't going to help them get fixed. Most of the owners probably barely know the Googles from the Facebooks, so even if you email them saying 'you have this JavaScript thing that's bad' they won't understand and will blow you off.
OP doesn't go into details of how they check the stores, but I'd assume they have some sort of script as they checked 255k. If that's the case it would be trivial to send an automated email if malware is detected, and include links explaining how to fix it.
It won't resolve everything but it's a lot nicer than naming&shaming businesses who have effectively done nothing wrong. What I mean is they probably hired a developer or team to build their website, and assumed that they would build a secure website - they didn't go out purposely and find someone to build them a site that would be hacked.
So, you don't think that if you operate something that is a risk to other people, it's your obligation to reduce the risk? You can just say that you are incompetent at what you are doing, and therefore you shouldn't be shamed for putting other people at risk?
I edited my post, but I don't think that's really fair. The business most likely outsourced the development of their site to someone who probably assured them that they would build a secure site. The business probably trusted them (maybe the developer was even recommended) yet here we are. The business didn't know enough about building a secure website, so hired someone they assumed did.
What's even your analogy here? Because sometimes people have bad luck and you can make up a completely unrealistic scenario of how bad luck someone possibly could have, we should not hold anyone responsible for anything?
To give you an idea of how unrealistic your scenario is: In reality, yes, the owner of the damaged property could force you to pay for the repair, but also, you could force the plumber to reimburse you for that, and they in turn probably will have insurance for that sort of thing that will reimburse them in turn. Noone would be kicked out of anything, except for the plumber by the insurer if they had that happen a bit too often.
A solution to this is to hire a pentester for your site. You can find them for ~$5k, with followup tests for new features being around $2k. A professional, world-class pentest runs around $50k, but a lot of smaller sites can't afford that.
You can't really hire someone with the expectation that they'll develop secure code. Finding flaws in code people thought was secure is a pentester's job, and it's a completely different skillset.
Yes. A lot of them also respond with threats when you try to contact them to tell them about vulnerabilities. It's not really up to the author to shoulder that kind of responsibility.
No I don't agree that it should be allowed to continue, but how is naming&shaming people going to fix anything? Nothing is going to come of this, other than maybe some other hackers will see them as weak targets. Do you expect this list to be read on prime time CNN or something? People who want to buy something online aren't going to search through GitLab to check if the site has been hacked (maybe they should though), they just look for the green padlock and assume it's safe.
As I said, and GitLab suggested, OP should at least contact them. If you contact them and they say they won't do anything, now that's a different story...
Well, from the responses he's got it's pretty obvious some shop owners just don't care. I can imagine if they're being publicly shamed about it, they might start caring and actually do something about it. So yeah, it helps.
Sites will always continue to carry malware. Naming and shaming without looking at all the parties involved is a crude and ineffective way of changing things.
Change the browser, change the payment system, educate the user by using plugins, propose enhanced security methods in ECMAscript. Write about how easy it is to make missteps on the net. These are all alternatives which might help in a more permanent fashion.
Actually, yes, I did read the article. When I read 'Javascript malware', I understand this to be ECMAScript which is executing on the clients machine but delivered by the origin site. The ECMAscript has access to the keyboard while the window has focus, so could do a MITM. Like I said, there are various ways to prevent this from happening:
1. Instruct users never to enter card details directly into a website, but rely on a redirect to the card provider. This would change the origin. When properly setup, this should catch 99% of the problems.
2. Provide stricter browser controls, so third-party ECMAscript is not loaded into the browser by CORS. Again, instruct the user or have us make better browsers.
3. Lobby for better payment services. Here in the Netherlands, payment is done using iDEAL, on a separate origin (using redirects) and the payment is validated using a separate device.
The secondary problem is with the websites, the primary problem is with the supporting technology.
That's like saying "corruption will always exist, investigative journalism is crude and ineffective - instead educate people to spot corruption and live with better morals".
There's nothing ineffective about uncovering a problem and using transparency to create an incentive to fix it. Crude, yes, but not ineffective at all.
What GL did might be considered complicit in skimming users, especially if they acted under pressure from fraudulent shops or even the skimmers themselves (how do we know?).
Whenever a business hires a contractor to do something for them, the customers will blame the business first if anything is wrong in their product or service. It is up to the business to take the damages in reputation and lost business opportunities to the contractor. Why should we handle this differently for software running online shops?
> naming&shaming businesses who have effectively done nothing wrong.
Aren't they actively running malware as a result of their own laziness not to upgrade their Magento[1] Site?
This malware is being used to steal customer credit cards (at the very least) - perhaps identity theft as well. They are the very agents of 3rd-party hackers. This list[2] should be sent to the proper authorities and have the stores closed immediately.
Customers who have made purchases at these stores can and should be looking at lawsuits.
If you're going to run a 3rd-party solution for your ecommerce needs and patches have long been made available, you patch. If you can't even do this one simple thing - you get run off the internet for criminal negligence.
> Most of the owners probably barely know the Googles from the Facebooks, so even if you email them saying 'you have this JavaScript thing that's bad' they won't understand and will blow you off.
So, because you expect the owners of the affected websites to be dumb, users should not be protected from malware?
But I'll give you an example of how such sites would get fixed: I used to own and work for a CSE, where thousands of stores are listed. If I had easy access to this list, I'd take a quick look at it for possible clients and ask my former company to contact them. They'd first delist the affected shops from the comparison shopping website, then spend enough time with the owners to make sure they understand and can fix the problem.
Github in their ignorance prevented this, but thankfully archive.org exists...
On the other hand, the safe browsing feature of modern browsers usually creates enough pressure on affected shops that they are fixed quickly - so if some shops don't seem to act quickly, they're probably fraudulent themselves.
I have a list of major sites with currently active phishing pages.[1] This is basically a join of PhishTank and DMOZ. Nobody seems to be upset by that.
Google is at the top of the list because of their hosting business. It's not just Google Sites. You can put a web site in a Google Spreadsheet cell, which Google doesn't seem to check as a possible phishing site.
If you host for others, or offer a URL shortening service, you need automated checking against all available phishing lists or you will be exploited.
Well there is Frantech / BuyVM. We had a VM we used as a proxy for about $15 a year + the $3 IP DDoS filtering. We had several proxies on top of our Limestone Networks server (they didn't offer protection at the time - still this is cheaper).
Game servers become hot targets by kids who just don't care and do anything to get your server taken down, whether it be competition or a user got banned or just about any reason they can sum up to try and find any given approach to take your service down.
Edit:
Forgot to mention the free CloudFlare option as well (unless they stopped doing this, haven't had to deal with these things in a few years, but I have a feeling it's still about the same, there's likely even more offers now out there).
So your recommendation for people who have material that might incite a DDoS is let Github/Gitlab/another free hosting service deal with the expense/inconvenience?
Well, if it's true journalism, you sign up for project shield for free and laugh at the kiddiots banging their collective heads against the immovable mountain that is Google.
7. I have, prior to publication, submitted all URLs and malware samples to Google’s Safe Browsing team. They have since only acted upon a small portion of the sites.
205 comments
[ 4.3 ms ] story [ 248 ms ] threadAlso, Pastebin has some shady practices. One example: they offer HTTPS support as a premium feature.
BUT! the point here is the op claims this is a shady practice to provide https to their paying customers.
A shady practice is if they take your personal information and sell it to another without telling you. Shady is when companies lie to their customers.
And this situation is not.
Also, are they actually using DMCA to get these lists taken down? If so, isn't there some penalty for filing a false DMCA?
Only if you get caught, which I don't think will be the case if they did anything to cover up their tracks
I didn't see the list, but did it by any chance contain the logos of the online stores? If it did, the DMCA notices make sense.
This is true, but totally irrelevant as it misses the point of the question.
It's smarter (under the seriously f'ed up DCMA system) to pull it down and wait for a counter notice, at which point they put it back up, and they aren't responsible any more — the person filing the counter notice is responsible because a false counter claim counts as perjury.
At that point, the original issuer of the takedown notice can sue.
Of course, it almost never gets that far when the takedown notices are spurious, as in this case. That's what makes the DMCA such a bad idea — it's a perfect tool for censorship.
I don't think it is that simple. Yes, you may claim a copyright on whole compilation. But you could as well claim a copyright on some parts within that compilation. Since the compilation is a single document, claiming copyright on some part of it would also be sufficient for a takedown.
As long as you're okay being found guilty of perjury by a US court, or have no plans to enter a US jurisdiction in the near future, you can get any content you want taken down from any site that's required to follow the DMCA.
Service providers have a choice:
a) follow the DMCA takedown process and be shielded from all liability, whether or not the claim has actual merit
b) evaluate each takedown notice to decide if the material falls within the scope of copyright, ignore takedowns where in the service provider's opinion the material is outside the scope of copyright, and should it go to court, be forced to defend that position on its merits instead of having an automatic liability shield
What sensible service provider is going to choose option b?
The claims are probably from the malware perpetrators as a way to censor discussion and keep the gravy train rolling. It's possible also that the embarrassed commerce sites would file a DMCA claim to keep the public in the dark about how insecure their sites are/were.
https://news.ycombinator.com/item?id=12707860
I'm pretty sure someone here has a GitLab instance that is willing to share for this purpose.
However it's a problem and we need a solution.
A torrent? Yes but Google won't index it.
A file on S3 wouldn't work because they could just download it as many times as needed to make the bill skyrocket. Better than a DCMA.
Anything that is unaffected by DDoS, costs no money, can be indexed?
Edit. One more requirement: not easy censorship.
IPFS links are immutable, whereas IPNS links are a mutable pointer to an IPFS hash. They can be updated at will, making them ideal for changing content with a stable hash.
https://web.archive.org/web/20161014133252/https://gitlab.co...
https://support.cloudflare.com/hc/en-us/articles/200170186-D...
https://ipfs.io/docs/getting-started/
I'm especially disappointed by GL. GH is already too big to care about such things.
Send a counter-notification asserting that the data is not under copyright and have it put back up. Assuming this is really DMCA.
Let's crowdfund an AWS s3+CloudFront hosted site. DDosing that is no easy feat, and if corps do try it, the logs can prove their complicity, which has legal implications I presume
The author says that he contacted "about 30 merchants directly", but the published list includes over 1000 merchants. Most merchants were neither informed nor given a chance to respond in a timely manner. We did not feel comfortable hosting information that could be construed as an open invitation for malicious users to exploit.
Do you think Google should "responsibly" disclose and wait for webmaster's response before putting websites into Safe Browsing list?
Can I host a project which includes a list similar to Google Safe Browsing, or an adware remover where I list software I consider to be adware?
I am not a security expert though, and I might be missing out on something.
The responsibility of GitLab and GitHub is also not to judge if it's "more important" to protect the site owners' businesses or the people going to the sites.
If some sites are running malware, the site owners are responsible for fixing it and not harming the people using their sites, not GitLab or GitHub.
On the contrary if site owners could be harmed by the name of their sites being on such list on GitLab or GitHub, then GitLab or GitHub are responsible according to the DMCA.
So GitLab and GitHub are just acting on what they are held responsible for according to the law.
Disclaimer: I am working as a contractor for GitLab and I am not a lawyer. I took no part in GitLab's decision to censor the list and this is just my own opinion.
Nope. DCMA is about copyright, and we have not gotten to the point where someones URL is copyrighted.
> It criminalizes production and dissemination of technology, devices, or services intended to circumvent measures (commonly known as digital rights management or DRM) that control access to copyrighted works. It also criminalizes the act of circumventing an access control, whether or not there is actual infringement of copyright itself.
So no the DMCA is not just about copyright.
as was noted, 600 sites have already cleaned up their act
> Update Oct 14: 631 stores have been fixed, good work everybody!
So is it really as useless as you claim?
The 631 stores have likely been fixed b/c of the publicity (thanks to kicking the list out;)
I think I just don't like when this shame & name business happens on github/gitlab servers. Somewhere else, it's fine.
What about "technical" users?
Not all, but some non-tech people do that.. And lots of webshop owners google their own shop. Shaming sites that are hosting malware seems perfectly reasonable.
On topic: I assume github/gitlab both completely misunderstood what is going on, and thought this was a disclosure of security holes that could be exploited. I wouldn't be surprised if they do a lot of these.
Perhaps try to throw it up on a few different CDNs where you pay for the service and can contact support. Like S3 or dreamhost (they have decent support too). Arguably github/gitlab isn't the best hosting platform for misunderstood journalists.
> We did not feel comfortable hosting information that could be construed as an open invitation for malicious users to exploit.
The sites were already exploited. That's the thing. At best I can see the argument you're making being "we don't want the sites to get exploited a second time", but that really shouldn't be a concern. The sites were already exploited, there's nothing left to protect. And publishing a list saying "this site has malware on it" doesn't actually tell anybody how the site was vulnerable anyway, unlike disclosing security vulnerabilities which by their very nature informs people how to take advantage of them.
I'm not sure if GL is trying to protect themselves against something and are making up some excuse to justify it but the reasons given for taken down the list don't hold water.
GL would be far better stating the real reason for taking the info down (surely there must be one).
So far what they've done is seemingly to protect the merchants reputation and perhaps protect GL from some imagined legal backlash? The backlash would have no basis is court or other services like Google's own SafeBrowing would not be viable.
Are we to assume the GL cares more about that than users/visitors to these sites?
The statement from GP is frankly pathetic.
Nope - corporate suits - and they give us a response which doesn't even make logical sense. Do they think we're idiots?
businesses who have insurance for things like this, and possibly have software to reduce any issues that they would be directly affected by
or users who could lose a significant (and damaging) amount of money if they arn't careful with checking their statements?
It seems silly to support the scammers in this case?
> an open invitation for malicious users to exploit.
Malicious entities have already exploited these websites. This problem is widespread - over 1000 merchants. The author has not put the cart before the horse.
If I wanted to protect my family against this by installing uBlock Origin on their machines, could uBlock possibly be hosted somewhere where they wouldn't face this censorship? They have in the past temporarily blocked websites (e.g. Sourceforge adware) but have rapidly unblocked them when the issue is resolved; this has saved my bacon on numerous occasions.
I really appreciate the transparency here - kudos. You have your facts wrong.
Which terms specifically does it violate? The terms page you linked to is 10k words long.
As others have mentioned, this is not about responsible disclosure. If those merchants have the good of their customers to heart, they will act to cleanup their sites and disclose the breach themselves. If not they will move to censor this to avoid losing face, maybe not even bothering to remove the malware. And you're just helping them with this.
That does seem quite odd.
Responsible disclosure works because companies are responsive to disclosure.
Full disclosure works because companies are negligent and they've been outed.
The author did contact said websites, it is their responsibility to fix the issue in a timely manner. Removing the content was akin to a newspaper removing stories relating to certain politicians to protect them. It is censorship.
How can we even tell this is an official statement from GitLab?
Even if your cover story is true, you are basically throwing users and banks under the bus to help merchants with dirty card readers continue business as usual. Meanwhile users will continue to be defrauded, and banks will have to take the hit when users complain about charges they didn't make.
This list could prevent people from getting their card skimmed, and you take it down.
I'm moving away from gitlab.
I have to confess, when GH did something offensive I did cancel my paid account there but I still use it, so I guess I didn't care that strongly about it after all...
---
Willem,
GitLab has opted to remove the list of servers that you posted in your snippet. GitLab views the exposure of the vulnerable systems as egregious and will not abide it. While GiLab reserves the right take further action, up to and including termination (https://about.gitlab.com/terms/), we have chosen not to terminate or lock your account.
Please know this decision was not reached lightly and we appreciate your understanding on the matter.
Regards, GitLab
GitLab Support Team GitLab, Inc.
Lots of people are saying "But the sites are already exploited" ... they are probably still exploitable further also, and GH/GL don't want to be at that party.
This is not about whether they are legally required to do anything, but whether what they are doing is responsible behavior.
As for being responsible - that is their motivation.
Should I assume that now you have access to this list that you will be contacting the site owners to notify them their sites are infected & exploitable? Would that be responsible on your part?
You may exercise freedom of speech but not on server that belongs to a private company - it is their right to limit what kind of content they like.
But in an essence you are right - companies should exist to benefit society, but it is not how it exactly works right now.
Their servers, and their decision on what data is on them.
Want to make it available for every to read? Run your own server and host it there.
tl;dr - you have the right to say what you want, but you cant force anyone to listen.
Github/-lab is for projects imho and not a publishing platform. Why don't you publish it on your blog or something? All power to Github/-lab, kick out such stuff!
https://pages.github.com/ https://pages.gitlab.io/
[1] https://pages.github.com/
https://github.com/prettydiff/biddle
This is not a CVS, so you would still need to run something like git locally on your own server, but the idea of self-hosted modules will solve for the censorship of central authorities.
This is a crucial point, because it shows GitLab is basically nonresponsive to the key issue; it's the difference between "Here's how to hack Giant Anchor Retailer" (unethical, possibly illegal) and "Giant Anchor Retailer has been hacked, estimated NNN cards may have been compromised" (of public interest, not illegal). In my case, I want to know if I used any of the retailers on the list!
For GitLab to call this "egregious" and that they "will not abide it" suggests that either GitLab is technically incompetent in security matters, or that they've received legal notices and decided that the shortest path to resolution is to throw their users under the nearest publicly-operated multiwheeled passenger conveyance. In either case, poor show, good reason to seriously consider moving off GH and GL.
It's list after all, right?
:)
I think the fastest way to get sites fixed is to run a script that crawls sites in the list, parses their Twitter and posts a warning there with link to original article.
Can someone help with that?
That is quite the catch 22. And of course many of the sites owners are clueless and don't even know how to patch or fix their systems.
My isn't that that a mess?
OP doesn't go into details of how they check the stores, but I'd assume they have some sort of script as they checked 255k. If that's the case it would be trivial to send an automated email if malware is detected, and include links explaining how to fix it.
It won't resolve everything but it's a lot nicer than naming&shaming businesses who have effectively done nothing wrong. What I mean is they probably hired a developer or team to build their website, and assumed that they would build a secure website - they didn't go out purposely and find someone to build them a site that would be hacked.
Edit - Poor analogy removed.
To give you an idea of how unrealistic your scenario is: In reality, yes, the owner of the damaged property could force you to pay for the repair, but also, you could force the plumber to reimburse you for that, and they in turn probably will have insurance for that sort of thing that will reimburse them in turn. Noone would be kicked out of anything, except for the plumber by the insurer if they had that happen a bit too often.
You can't really hire someone with the expectation that they'll develop secure code. Finding flaws in code people thought was secure is a pentester's job, and it's a completely different skillset.
https://news.ycombinator.com/item?id=12309035 is informative. For what it's worth, it changed my mind on the matter.
So the malware should be allowed to continue stealing credit card numbers just because the site owners don't know any better?
Is that really a position you wish to defend?
As I said, and GitLab suggested, OP should at least contact them. If you contact them and they say they won't do anything, now that's a different story...
Someone will make a browser extension that uses this list to warn users?
So it sounds like does a pretty good job of fixing things
[0] https://gwillem.gitlab.io/2016/10/14/github-censored-researc...
Change the browser, change the payment system, educate the user by using plugins, propose enhanced security methods in ECMAscript. Write about how easy it is to make missteps on the net. These are all alternatives which might help in a more permanent fashion.
There is nothing a client can do when the server is compromised.
1. Instruct users never to enter card details directly into a website, but rely on a redirect to the card provider. This would change the origin. When properly setup, this should catch 99% of the problems.
2. Provide stricter browser controls, so third-party ECMAscript is not loaded into the browser by CORS. Again, instruct the user or have us make better browsers.
3. Lobby for better payment services. Here in the Netherlands, payment is done using iDEAL, on a separate origin (using redirects) and the payment is validated using a separate device.
The secondary problem is with the websites, the primary problem is with the supporting technology.
There's nothing ineffective about uncovering a problem and using transparency to create an incentive to fix it. Crude, yes, but not ineffective at all.
What GL did might be considered complicit in skimming users, especially if they acted under pressure from fraudulent shops or even the skimmers themselves (how do we know?).
Twitter is better. Warned users are the best motivation to fix.
They are putting their users at risk through negligence. Many would argue that's wrong.
This had been empirically proven false. As noted in an addendum to the post, 631 broken sites got fixed in just 2 days after the list got published.
Aren't they actively running malware as a result of their own laziness not to upgrade their Magento[1] Site?
This malware is being used to steal customer credit cards (at the very least) - perhaps identity theft as well. They are the very agents of 3rd-party hackers. This list[2] should be sent to the proper authorities and have the stores closed immediately.
Customers who have made purchases at these stores can and should be looking at lawsuits.
If you're going to run a 3rd-party solution for your ecommerce needs and patches have long been made available, you patch. If you can't even do this one simple thing - you get run off the internet for criminal negligence.
[1] https://magento.com/ [2] https://www.magereport.com/page/about
So, because you expect the owners of the affected websites to be dumb, users should not be protected from malware?
But I'll give you an example of how such sites would get fixed: I used to own and work for a CSE, where thousands of stores are listed. If I had easy access to this list, I'd take a quick look at it for possible clients and ask my former company to contact them. They'd first delist the affected shops from the comparison shopping website, then spend enough time with the owners to make sure they understand and can fix the problem.
Github in their ignorance prevented this, but thankfully archive.org exists...
On the other hand, the safe browsing feature of modern browsers usually creates enough pressure on affected shops that they are fixed quickly - so if some shops don't seem to act quickly, they're probably fraudulent themselves.
I have a list of major sites with currently active phishing pages.[1] This is basically a join of PhishTank and DMOZ. Nobody seems to be upset by that.
Google is at the top of the list because of their hosting business. It's not just Google Sites. You can put a web site in a Google Spreadsheet cell, which Google doesn't seem to check as a possible phishing site.
If you host for others, or offer a URL shortening service, you need automated checking against all available phishing lists or you will be exploited.
[1] http://sitetruth.com/reports/phishes.html
Now what? I'll give you a budget of $100 a year.
Game servers become hot targets by kids who just don't care and do anything to get your server taken down, whether it be competition or a user got banned or just about any reason they can sum up to try and find any given approach to take your service down.
Edit:
Forgot to mention the free CloudFlare option as well (unless they stopped doing this, haven't had to deal with these things in a few years, but I have a feeling it's still about the same, there's likely even more offers now out there).
https://projectshield.withgoogle.com/public/
7. I have, prior to publication, submitted all URLs and malware samples to Google’s Safe Browsing team. They have since only acted upon a small portion of the sites.