36 comments

[ 2.7 ms ] story [ 48.1 ms ] thread
(comment deleted)
Wow! That PRNG post from 2009 was a wild ride! Totally worth a read: https://news.ycombinator.com/item?id=639976
This is fun to read. Are there ressources where you can read stories like that, how people discovered security flaws?
You can usually find these sorts of stories in vulnerability writeups. Perhaps not as detailed as this one but it's definitely a category of blog.
I pity he who must check the security logs tomorrow as this rises.
Are you suggesting there's some sort of security issue currently? Only asking because I noticed I was logged out of HN recently and don't remember logging out myself.
Increased rate of pen testing by interested readers due to this post.
I have had nothing but good experiences reporting bugs to HN. HN doesn't work quite like any other web app I've ever audited. It's an interesting challenge.
Wasn't the last publicly-released version of Arc even stranger, with everything being a GET request and links containing a URL parameter that corresponded to a Lisp closure? I'd be interested in hearing some more up-to-date information about how HN is hosted and works today.
Yeah, that's no longer the case. If your url predated the gc run or was from before a restart, you would get a server 500 message.
How are those closures identified uniquely? I'm not super familiar with lisp, but I do get closures and memory addresses and am suspicious.
This was the case when I was poking at Hacker News. I think it may still be the case to some extent.

Here's an example of an HN password reset link:

hxxps://news.ycombinator.com/x?fnid=<long-random-value>&fnop=passwd-reset

`fnid` identifies a closure. Presumably there's a hashmap of `fnid` values to closures in memory.

It used to be that this was how any action on the site was represented. I poked around for a minute though, and it's evidently not the case for upvotes any more:

hxxps://news.ycombinator.com/vote?id=<integer>&how=up&auth=<long-random-value>&goto=<return-url>

They had to stop using GET requests for upvotes after this issue: https://news.ycombinator.com/item?id=3742902

I'm interested in whether the password reset link is a potential issue still.

Well, that URL doesn't have an `fnid` in it. It looks to me like they just guessed their `id`, which is simply an incrementing identifier. They're still using GET for upvotes, but they include a CSRF token.

Using GET to change state, like they're discussing in that thread, is really more of a style issue than a security issue. You need a CSRF token, whatever verb you use.

And that was a few years before my recollection of upvotes using an `fnid`. (I could also be misremembering.)

In the case of password resets, I don't think there's a functional difference between using a map of closures with random tokens and comparing random tokens stored in a database, as is the more conventional approach. If you can guess the random token, or if you can extract them via a side channel, then you can reset passwords. And if you can't, you can't.

Which isn't to say it's not worth having a look :)

Kinda bummed you didn't use security.txt for this.
Hard to use something before it exists.

Back when I created this we wanted to publicly credit people who had helped us out and this seemed like a good way to do so.

(comment deleted)
Fair, but now that we have a standard-ish pattern, there's value in embracing it; quite a number of others have done so as part of their vulnerability disclosure programs.

https://securitytxt.org

it's kind of hard to take your comment seriously when HN is completely out-dated in terms of web standard.

I will never forget how they rolled the [-] button (after a decade of people asking for it and using browser extensions to have it) next to comment on the _right_ side instead of the _left_ side (like reddit).

EVERYONE complained, yet they were like "we will take your feedback into account for the next upgrade in 10 years"

(comment deleted)
dang is pretty good at moderating comments and fixing bugs too when you report it to him or if he sees it in your comment
It has always struck me as strange there is no 2FA function on HackerNews along with no real delete function.

Also some of us have noticed for a while Hacker News is hosted differently than the rest of YCombinator. While YCombinator uses AWS, which makes sense, Hacker News uses a small San Diego firm called M5 Computer Security. They have commented on here from time to time.

M5 Computer Security, also known as Cloud 5 Hosting and a few other names, has popped up on other forums too. The IPs that are owned by them (at least according to WHOIS) wind up holding very strange other websites that aren't say hosting customers (like how to weld underwater, how to get a foreign visa, etc). Some of their name servers also hold data for websites that are definitely not supposed to be there, like the regional government sites of a foreign country (could be part of the Sea Turtle DNS attack we have thought [1]). Also for a security company they seem to have strangely out of date websites [2]. Copyright 2003?

A few weeks ago we wound up calling the FBI's Cyberstorm hotline after we saw something weird with a government in the United States that traced back to M5 and American Internet Services, LLC (they often appear alongside M5 in the hosting records). A week later I had someone from DHS interview me at length (they just showed up at the door) for about 30 minutes. They seemed to be around organized crime, but near the end of the conversation it was mentioned "well they also do a lot of Department of Defense stuff". Uh oh. This seems to be true as they mention it on one of their websites actually [4].

Hopefully someone a few months from now will pick up the case and find out / connect to one of the many other DNS mysteries out there.

[1] - https://blogs.cisco.com/security/talos/sea-turtle-keeps-on-s...

[2] - https://www.m5computersecurity.com/audit-private.php

[3] - www.htleng.com

[4] - https://www.m5hosting.com/about-us/data-centers/san-diego-li...

Wow. What's going on here? Is this a front for an intelligence agency?
Their employee list is...strange. According to LinkedIn, all of their employees are also CEOs of their own other companies? One of their VPs has been both CEO of a lighting firm since 2014 or something, and also full time at M5 Hosting for a decade?

Likely Scenario: M5 is a front company. There just isn't enough care put into the websites / marketing, and not enough evidence on LinkedIn, to suggest this is a real business staffed by people who are working on stuff full time. And a hosting company definitely needs people full time...

This seems like many words around "long-existing hosting company hosts all kinds of stuff", which is true about pretty much all of them.
Ok I could see this except for one thing I found out recently. "Long-existing hosting companies" have traded hands a bunch of times. Wild West Domains, Tucows, etc are like 6 different owners removed from the founders at this point. Sometimes the founders are kept on, but more as a figurehead who isn't supposed to ask detailed questions about what does and doesn't go on.

One of the better documented cases of hosting companies being a proxy for intelligence wars was the 2017 lawsuit Namecheap filed against eNom and Tucows. Long story short, Namecheap was supposed to be US intelligence, and eNom and Tucows were unknown/unnamed other intelligence group/agency [1].

[1] - https://domainnamewire.com/2017/09/01/namecheap-sues-enom-tu...

If it's "one of the better documented cases of hosting companies being a proxy for intelligence wars", can you provide any documentation of that? Your link describes a bog-standard spat between companies when one leaves a business relationship with the other.

It's also not a particular secret that hosting companies operate under multiple brands, buy others and at the same time new ones pop up regularly.

Who on here was saying front company for intelligence agency? I imagine if that is the case this is already being picked up by any number of threat intelligence solutions like Shadow Dragon [1].

Also this group looks almost cliche Cold War intelligence agency. Their UK name servers appear to host the authoritative records for half a dozen amateur radio groups / HF repeater runners in the UK. Fascinating, could someone reach out to them? cleddau-amateur-radio-society.org.uk AND tenby-radio-repeater-group.org.uk AND taffvaleradio.club with DNS records served from ns1.mhosting.co.uk.

[1] - https://shadowdragon.io/oimonitor/

:)

HN has been said for a long time to be a front by various less credibly sourced claims.

I find it impressive that the last recorded entry was in 2017. Over 3 years, and given the security-centric nature of the audience, I'd imagine if there were more flaws we'd see them reported.

Sometimes building some simple is the best way to build something secure.

Surprising not to see a PGP public key here for secure submissions... unless that’s no longer advised?