I guess it's all over now. Given how many people they bothered over the years, and how badly Josh fudged his Infinity Next software, I am surprised it took this long.
That people wanted accounts with emails and persistent identity on a forum dedicated to harassment is also bizarre.
It's not hard to keep persistent identity pretty much "anonymous", just use a throwaway e-mail and generated password, and if the website's owner message is to be believed that was the majority of people. They did have a leak back in 2019 so i'm inclined to believe him on that.
Kiwi Farms reminds me of Something Awful forums in its prime, a forum I was a part of in my teens. We were making fun of internet celebrities but also talking about politics and Xbox vs PS2 vs Gamecube, same as Kiwi Farms.
Just because we made unsavory posts doesn't mean we wouldn't want to register a pseudonym.
For those like me who had never heard of Kiwi Farms until recently, the podcast Blocked and Reported (https://www.blockedandreported.org/) has a couple recent episodes that do deep dives into the site and controversy around it.
Eh, the "random mean girls gossip at a middle school" was a Twitter pressure campaign so powerful that it was able to sway an internet backbone megacorp (and others incl the Internet Archive) to drop a website. And drop it days after the megacorp doubled down on its decision to not drop the website.
With the only smoking gun, as far as anyone can tell (but you can't look anymore because the pressure campaign got it removed from the Internet Archive), being two posts in a thread of 50,000 posts that were made from sleeper accounts that were deleted immediately.
And only a few people cared to look into it rather than echo exactly what the pressure campaign claimed to be true.
That should be very concerning.
I definitely recommend the linked podcast. I found it surprisingly fair to the parties involved.
Find it quite weird how there was no database dump yet, can't see a reason to hold on to it, it would be pretty funny to get access then getting blocked by php being php. Owner claims there was not much to leak due to good opsec from users after the 2019 leak so we'll see.
> In my access logs, they attempted to download all user records at once. This caused an error and no output was returned. I shut everything off soon after. If they scraped information through some other mechanism, I cannot say with any confidence either way.
Anyone with a large phpbb/vbulletin/xenforo install can tell you that the built-in GUI tools fail with even modest userbases. They just run mysql queries in a php request and hit the php.ini timeout, so you have to use CLI tools.
If all the attacker had access to was the forum front-end (rather than the machine) and they weren't particularly prepared, it wouldn't be surprising if they didn't achieve anything.
Yep. In general, most server infrastructure logs IPs by default. The whole concept that doing so shouldn't be best practice is very Internet-young and post-dates the invention of most servers.
Aside from the site breach there's also been a successful campaign to get the administrator's mail forwarding and phone service terminated. They're now going after his lawyer.
> Cloudflare not only provided DDoS protection, they also accounted for many popular exploits like this. As I've worked for weeks to combat the endless flow of attacks from every conceivable angle I have spread myself very thin and hurridly[sic] replaced old systems with new ones that are not properly vetted.
This is the counterpoint to the argument people should self-host and not use the Cloud. It turns out the Internet never got less server-hostile at the infrastructure layer, and weaknesses in various commonly-used systems are still there. When you're on the Cloud, the tradeoff is that you're a guest in someone's house, but the cleanliness of the house is someone else's problem.
Assuming kiwi doesn't return the next target will be 4chan, TOR, telegram since no way lucas will allow anyone to repost his crimes. And governments have expressed desire to pull the same tactics to take down pirate sites and with this shitshow its guaranteed we'll see a repeat.
26 comments
[ 17.8 ms ] story [ 1604 ms ] threadThat people wanted accounts with emails and persistent identity on a forum dedicated to harassment is also bizarre.
What's the purpose of being a master troll if you can't get meaningless internet points for it?
Just because we made unsavory posts doesn't mean we wouldn't want to register a pseudonym.
With the only smoking gun, as far as anyone can tell (but you can't look anymore because the pressure campaign got it removed from the Internet Archive), being two posts in a thread of 50,000 posts that were made from sleeper accounts that were deleted immediately.
And only a few people cared to look into it rather than echo exactly what the pressure campaign claimed to be true.
That should be very concerning.
I definitely recommend the linked podcast. I found it surprisingly fair to the parties involved.
Find it quite weird how there was no database dump yet, can't see a reason to hold on to it, it would be pretty funny to get access then getting blocked by php being php. Owner claims there was not much to leak due to good opsec from users after the 2019 leak so we'll see.
Anyone with a large phpbb/vbulletin/xenforo install can tell you that the built-in GUI tools fail with even modest userbases. They just run mysql queries in a php request and hit the php.ini timeout, so you have to use CLI tools.
If all the attacker had access to was the forum front-end (rather than the machine) and they weren't particularly prepared, it wouldn't be surprising if they didn't achieve anything.
Where does it end?
> Cloudflare not only provided DDoS protection, they also accounted for many popular exploits like this. As I've worked for weeks to combat the endless flow of attacks from every conceivable angle I have spread myself very thin and hurridly[sic] replaced old systems with new ones that are not properly vetted.
This is the counterpoint to the argument people should self-host and not use the Cloud. It turns out the Internet never got less server-hostile at the infrastructure layer, and weaknesses in various commonly-used systems are still there. When you're on the Cloud, the tradeoff is that you're a guest in someone's house, but the cleanliness of the house is someone else's problem.