232 comments

[ 4.9 ms ] story [ 231 ms ] thread
"however, they made one of the most comedic mistakes you can still make while setting up jenkins (im actually not sure which misconfiguration leads to this): the build information for each past build contains a link to the git repository, including the bitbucket credentials in the url. genius."
The most horrible thing Jenkins does to devs is it encourages bad practice. Good practice is so cumbersome to do properly (create a secret, load secret in env through Groovy code, setup git configuration in a shell script) that, unless someone is actively monitoring them, devs are always in a temptation to just put the credentials in the git URL, we'll remove them after testing. Then one out of N times they forget and you get a security hole.
Uh, no, you just pick credentials from list in the repo config.

If you wanted to download additional repo in the jenkins script sure, but Jenkins Git plugin just accepts credential (whether its password or pub/priv key pair), just paste URL and select one from the list

It's 2023, it's far past the time that open-source projects should be made without security being the #1 concern, even above the basic functionality of the app. But Jenkins has been around since 2011, so it's understandable that the security posture is obtuse and tacked-on. It's time for some other CI project to surpass Jenkins. I won't be sorry to see it go. Security should be front and center, the first thing the user sees. The defaults should be secure out of the box, and if the user does something stupid, it should be painfully clear to everyone, even the least technical user who looks at it, that something is wrong.

That said, I doubt that what happened here was a Jenkins configuration problem, and instead something to do with the build scripts they're running on Jenkins. You can't solve every class of stupid, sadly.

No, the most comedic mistake is to have a public-facing Jenkins running. I mean in general you wouldn't make your CI accessible from the outside, but especially not Jenkins. That software has probably more CVEs every year than all of our other tooling combined.
Given the frequency with which I seem to update nokogiri on a rails instance, i assumed libxml2 would hold that award: https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=libxml2

But sure enough, jenkins FAR outweighs it: https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=jenkins

And that's just the ones that get reported. Since core Jenkins is pretty bare-bones, most instances also have many plugins installed, and most of those aren't properly reviewed at all.
The vast majority of those Jenkins CVEs seem to be for a wide variety of plugins, so it seems someone is putting in quite a bit of work to review them.
Yes, to give credit, they do monitor the most important ones which almost everybody uses and which are usually also maintained by developers from Cloudbees. But there are over 1800 plugins for Jenkins, so at least quantitatively, most of them are not monitored.
The most comedic mistake is to have a running jenking in 2023
The vast majority of gigs/jobs I've had which involved touching Jenkins were for the purpose of migrating elsewhere - Gitlab, GitHub Actions, Drone, Harness...
Highly customizable CI tool.
..written in Java.

In case anyone needs reminding, Java developers, on purpose, put a line in a logging library that can fetch and execute code when given a url string for a log statement.

Nobody should be touching anything Java in 2023.

Yes, we all sat down and unanimously agreed that we should perform JNDI lookups to execute arbitrary code stored in an LDAP directory.

No regrets.

I remember that meeting. It was the one where we all wore togas and drank the java kool aid from goblets before we voted on that. All 5,000,000 of us.
You joke, but that code made it through rounds of reviews, and nobody saw anything wrong with having a logging library able to make network requests in the first place.

I honestly don't even blame the developers of Log4J that much, because after all its open source, and nobody is paying them to use it despite the idiocy surrounding shit like that.

I do however blame the developers that use Java, see things like this happen, and then continue to use it with Log4j after the patch like nothing ever happened.

Since developers can just decide to rewrite a code base because Java is not a shiny new language.
JNDI is an obscure feature from the Java Enterprise Edition days that nobody really uses nowadays.
Java, Not Even Once.
(comment deleted)
(comment deleted)
What's the most comparable alternative to use for self-hosted CI in 2023? Curious.
Public facing AND without any sensible auth.
An externally accessible Jenkins instance is just asking to get pwned.

I worked for a company a couple years ago that had Jenkins running on a Windows EC2 with a bare public IP, no TLS, and a single set of admin credentials shared by everyone. Also, the host did double duty as some sort of DBA jump box and had every possible credential.

It was like in-defense in depth. I tried to explain how crazy it was. They weren’t interested in fixing it. I moved on.

Some companies just don’t care… soc 2 btw.

Why the heck would anyone create an externally accessible Jenkins?
(comment deleted)
Who makes their Jenkins instance world accessible!
Anyone setting up a honey pot. Half of 4chan posts are 3 letter agencies trying to bait people into violence.
But what's the trap here? Checking who downloads the file? I don't see how they can get any actionable info out of this
1. post link to jenkins job in a 4chan thread relating to something nefarious

2. see who clicks it

3. now you have IP addresses of possibly nefarious people without needing to subpoena 4chan

Something like that.

How to waste your time tracking down 20000 wanna be script kiddies?
No, but having a list of easy targets to pull from when your performance quotas get low could be useful (I wish I was joking)
Here is how lawyers in Germany do it. They ask ISPs for the person behind the IPs (cough, cough, carrier grade NAT) and then they send cease and desist letters demanding 800€. If you sign their letter you are considered guilty but avoid further consequences, similar to a plea bargain.

It only takes a dozen people having money and fearing court for this to be profitable. The lawyer doesn't want to go to court because that costs money, he just wants you to confess and get paid.

I think we're safe, anyone being half serious would be using a good vpn hopefully, it's likely to be a lot of false positives I would guess!
>anyone being half serious would be behind seven proxies
Or any and every security researcher / infosec company?
>3. now you have IP addresses of possibly nefarious people without needing to subpoena 4chan

ahahah 4chan is almost as mainstream as Reddit. ahahahahahahaaaaaaa you really think they would waste time like this for IP addresses to "keep track of"

Several people have been arrested based on 4chan posts recently, after 'threatening' a law enforcement official in florida.

So...yes. Yes I do.

The "bait" this comment is referring to is that a Sheriff publicly denounced in a press conference a bunch of neo-nazi messaging spread around his town during a racecar event.

https://www.jta.org/2023/04/27/united-states/a-florida-sheri...

The sheriff's parents' house was swatted. These are the 4chan posts which were included in the various news articles.

https://sports.yahoo.com/4chan-2-men-used-online-170958670.h...

> "It's too bad Mike Chitwood isn’t safe now that I'm planning to kill him. I'm going to shoot Mike Chitwood. I'm going to kill him by shooting him to death."

> "Just shoot Chitwood in the head and he stops being a problem. They have to find a new guy to be the problem. But shooting Chitwood in the head solves an immediate problem permanently. Just shoot Chitwood in the head and murder him."

https://www.clickorlando.com/news/local/2023/04/20/3rd-4chan...

> “I WILL KILL CHITWOOD, MARK MY WORDS.”

Yes for specific threatening posts. You cannot see a difference, I guess?
"This comment" is referring to lbatross13, not to you. I'm uninterested in talking to lbatross13; I was adding context for other readers.
Because threatening a law enforcement officer is actually illegal. and your scare quotes don't make it less of a crime.
(comment deleted)
Do not attribute to NSA conspiracy what can more simply be explained by the company being fucking stupid and not caring about walking the walk of infosec
[flagged]
Odd, what was particularly boomerish about that comment?
Who still uses Jenkins? It's an abomination of an obsolete system that is just a pain to use, manage, maintain, setup, etc. while there are much better, more featured, easier to use and maintain alternatives out there. And it has been like this for close to ten years now. It should have been ripped out in favour of either the "native" CI/CD (e.g. GitLab CI if GitLab is used for VCS, GitHub Actions if GitHub, etc.) or a modern one like Drone/Concoure/etc. years ago in any place that isn't ~two decades behind (so legacy airlines and banks?).
“Who still uses Jenkins?”

I think you may have perhaps misjudged just how entrenched Jenkins is in corp/enterprise.

The older I get, the more systems I learn are only around because they've been around.
A lot of the time when old things are still around, it's not because through all the years nobody has had the idea to replace them, but because the benefit of replacing them hasn't at any point in history outweighed the hassle.

This is true for X11 and this is true for the QWERTY layout. The benefit of switching must outweigh the enormous hassle of doing so. It's easy to find something that's a little bit better, but that's simply not good enough to merit a switch.

Often they're around because when it comes around, they do a such a decent job and it's difficult to actually produce something that has that sort of advantage.

X11 is finally, finally on the way out. I have a lot of gripes with Wayland, but the day I stop needing to dive into xrandr and figure out why the screen is rotated but the mouse coordinates aren't or some other 1990s level problem will be a happy one.

QWERTY seems to be too embedded even for that, but I wonder if it gets closer to replacement the higher the percentage of software keyboards climbs vs physical ones.

> but the day I stop needing to dive into xrandr and figure out why the screen is rotated but the mouse coordinates aren't or some other 1990s level problem will be a happy one.

I'm sympathetic to wanting legacy mindhorrors replaced with modern stuff, but genuine question:

When do you ever have such problems xD

I've multimonitored on X11 for like 4 years and never experienced that.

Have you tried to multimonitor different combinations of HiDPI + regular DPI on x11? Last time I tried to make different scaling displays work together on x11 the experience was so nightmarish that I went back to windows.
Doing so literally as I type this. I can confirm it works and has for at minimum 5+ years for me.
I run into problems like that a lot; I guess I do edge case things. That particular example was on an Intel Atom Bay Trail tablet (garbage architecture) I resurrected with a lightweight distro. It was a huge improvement, but there was no support for auto rotation, and manual rotation turned the screen but not the mouse coordinates sent by the digitizer. This meant touch inputs were mirrored or flipped or both.

This wasn't an old-school problem, either, it was three months ago.

Yes? do you know the cost of moving big systems?
Do you know the cost of maintening big old systems ?

There are hundreds of people here for that I'm not in HR, but I guess that's a lot of money spent each year, just to get the same issues we had last year

It takes a lot of money to not improve the situation

Oh they have come up with some new trash I have to learn? Great...

Say you were developing inn Angular and Python. Which one of these "alternatives" should I look in to? ie. Which is most requested by typical requiters?

People doing embedded testing use Jenkins still. Not that I would, but some people do.
Embedded people are pretty pragmatic and tend not to chase fads for the sake of change or resume engineering. If it works, it's good enough for them.

Switching away from Jenkins would cost effort and offer no competitive advantage to your end product, so then why do it?

jenkins is old and crusty, but it works and works well. if the UI for a build tool looks too fancy, my faith in it drops to 0 almost immediately.
It doesn’t work well. It’s the JIRA of CI/CD: it is entrenched and does multiple things but doesn’t do any one thing well, and the people that decide what to buy aren’t the people who are forced to use it so they don’t care about its quality so much
Jira sucks, but I have yet to see a tracking tool which sucks less.
Jenkins is what I want to use, because for all its clunkiness it has a better deep integration with my actual build tools than any other CI tool I've ever seen. It's a pain for the admin but it's great for the user, so if anything it's the opposite of JIRA.
It's not great CD bit you need entirely different system just to display code coverage in near-every other CI

Near-every other CI also can't just browse which tests failed and with what message without digging directly into logs

Genuine question: what would you recommend instead of JIRA?
(comment deleted)
What is a better alternative, if you want to self-host?
You can self-host:

- Woodpecker CI: https://woodpecker-ci.org/

- Buildbot: https://buildbot.net/

- GitLab Runners: https://docs.gitlab.com/runner/

- Gitea Actions: https://docs.gitea.io/en-us/usage/actions/overview/

- Forgejo Actions: https://forgejo.org/2023-02-27-forgejo-actions/

- Drone CI: https://www.drone.io/

- CircleCI (not free nor open-source, but self-hosted): https://circleci.com/pricing/server/

- GitHub Runners (same deal as CircleCI): https://docs.github.com/en/actions/hosting-your-own-runners/...

Why change something that mostly works fine? I don't like to change set of known issues for a set of unknowns.

Also those who want to avoid vendor lock in. Git repo might be moved around, do you like changing CI/CD scripts every time you change your git hosting service?

GHA work really well for simple stuff. For more complex in a larger organization there is no clear winner.

Is there an F/OSS alternative to Jenkins that I’m not aware of?
- Woodpecker CI: https://woodpecker-ci.org/

- Drone CI: https://www.drone.io/

- Buildbot: https://buildbot.net/

- Gitea Actions: https://docs.gitea.io/en-us/usage/actions/overview/

- Fogejo Actions: https://forgejo.org/2023-02-27-forgejo-actions/

- GitLab Runners: https://gitlab.com/gitlab-org/gitlab-runner

You could also use Ansible playbooks/roles to run your build, although that's going to be a bit more manual: https://www.ansible.com/

Not necessarily endorsing any of the alternatives, just pointing them out.

How did Apache Maven make it onto this list? Seems like Maven is a build tool that one would invoke _from_ Jenkins or Drone.
That is correct, I removed it from the comment. It's more of an alternative to Apache Ant/make/whatever really.
Which one tells you which test failed and what your code coverage is on one page ?
ssh & Make
Well sure, but ssh and make run from what?
A crontab?
I guess that works if you want your jobs to run on a schedule; I prefer push-based (you make a commit, you push it to the central copy of the repo, and it automatically triggers jobs).
That's what you took away from the question?

Jenkins still lives in legacy, and probably will for some time.

Big companies with data restrictions that can't have anything so much as look at the cloud, and they don't have the skills or money to set up something nicer on prem.

Bitbucket is also a big part of this story.

That results in seeing Jenkins all over the ding-darn place at Boeing, LockMart, RC, L3, NGA, etc.

Of course, all that is thrown right out the window if you wire up the Jenkins instance to the goddamn internet.

People who have convinced their boss that GitHub downtime means they should create their own shoddy self-hosted CI platform.
Jenkins is one of those things you configure and forget about...until you need to do it again.

Over time, there's so much stuff that it does that replacing it is a ton of work. And by work I mean verification and communication. Many developers have no idea how stuff gets built, or how dependencies are managed in the build system. You forget one thing and the build is toast. Hunting this info down takes a ridiculous amount of time.

Now expand that to X number of projects, and you're looking at a year of work...and a delay while QA checks everything again.

For what?

Good luck getting that prioritized.

Switched from a company using Jenkins to one using GitLab CI, and while GitLab CI is obviously "better" in the sense that it has less historical baggage, there are actually quite a few things I'm missing. Jenkins has a plugin for pretty much every obscure thing you can imagine, which is a blessing for the user and a curse for the administrator, as Jenkins quickly becomes Frankenstein's monster. But every time I have to wade through tons of log ouput on GitLab I miss Jenkins' warnings plugin, every time no runner is picking up my job I miss the nice runner overview of Jenkins which quickly showed you what runners are actually busy with, and every time that old slow runner is grabbing all the jobs I miss the runner prioritization... I could go on here, but really, there's a lot of things that Jenkins could do through nifty plugins that GitLab CI cannot do yet. I even wrote one plugin myself for supporting our in-house Linter, really wasn't that difficult and you could hook into pretty much every little detail (which, again, can also be a curse because every plugin had the power to simply crash your Jenkins...).

EDIT: So to be clear, I'm not saying "Jenkins is better than GitLab". I would say GitLab CI is better designed, more robust and stable, but Jenkins is more configurable, extendable and has more features through it's plugin ecosystem. So personally, I wouldn't go back to Jenkins, but I also don't find it ridiculous that people still use it.

I like that with Jenkins you can use groovy, which gives you some extra power as far as writing commands is considered. You don't have to do everything via shell. Equivalent shell commands can be a bit messy sometimes.

It was a bit painful to write the same stuff in GitHub actions. Jira's groovy script made loops, storing variables very easy compared to GitHub actions' YAML.

Jenkins is still inherently more full-featured than anything that just runs random docker images and commands. Any replacement would need to do the hard work of actually integrating with a bunch of different language build tools in a deep way, and so far no-one's stepped up.
Builtin code coverage and test display (not just "your build failed") is still not a thing in Gitlab/Github CI

And that's like the fucking basic feature every CI/CD should have.

github has had service issues at least for the last 3 days.

Fun times.

This page reminds me of the old web. I kind of miss it, auto-playing MIDI songs and custom cursors and all.

I'll take that over having to wade through Reddit 12 times out of 10.

It's been a long time since I had the sensation of going from a site with a brightly/strongly coloured background to another on white/beige and my eyes not being able to handle it. I really quite enjoyed it.
0 times out of ten for me. First I blocked the annoying cat, then I got to the bottom, was assaulted by blinking buttons and decided I didn’t need to know what else they were saying anyway.
You would not have enjoyed the late 90s.
It was okay back then, I was young and didn’t know you could design websites that are easier on the eyes.
Oh man, never visit Tumblr
That’s actually not as bad, as it’s usually just some big meme gifs that I can disable with my animation blocker extension.
Oh my, assaulted? By that single blinking icon? I hope you're ok.
Interestingly, had this complaint been about an ad, parent would have been upvoted with hundreds of comments agreeing with them.

In other words, what OP is trying to say is that websites should be designed with the users goals in mind, and IMO it's fair to say that this website wasn't designed that way.

If anything this just shows that people don't hate ads because they're obnoxious, they hate ads because they're ads.
Yet everyone on HN complains about ads

Yes I blocked it with ublock

Because at the end of the day, the problem with ads isn't that they're annoying, or get in the way, or are garish, or whatever else. The problem with ads is that they are ads. They're an overt attempt to hijack your attention implant ideas in your head, ideas that are antithetical to your own wellbeing.

A little cat chasing my cursor is just plain fun. No malice involved.

> A little cat chasing my cursor is just plain fun. No malice involved.

There’s a browser setting, "prefers reduced motion" for accessibility reason. And yes, I have that enabled.

I decide what is annoying or not for myself.
"assault on the senses" is a well-known idiom. Or so I thought. Apparently it’s offensive to quite a few of you, I’m sorry.
Have you tried Firefox Reader Mode? It renders this website (and a lot of others) without a lot of distractions.
I should remember to use that more often …
Other than the colours being difficult to read, I really enjoy this webpage.

Now I want to go demake mine.

As the creator was born in 1999, it's interesting to me because she's nostalgic for a period she did not fully experience. It's something I did, and it's neat yet strange to see it being done to a part of my past.
I am in a similar age range and I am drifting towards this aesthetic. I think it's the counterculture of the increasingly sleek websites, with their overcomplicated 3D animations. Not saying either is better than the other, just it is the opposite end of the spectrum and way of still having fun when creating a website while making it feel personal.
it reminds me of the phenomena of parodying 'I Love Lucy!'. Even though it hasn't seen new episodes since 1957 it is included or mentioned in some way in nearly every popular media.

The constant revitalization of the parody through new works ensures that the future will also include some mention. I think 90s aesthetic/internet-culture is a bit like that -- the projects that include those themes beget new similar projects in the future as long as they have some level of audience exposure.

This is common among the younger people joining the internet. An the creator of SpaceHey.com was nostalgic for the days of old social media that happened when he was too young to experience it.

Add me if you have a SpaceHey account! https://spacehey.com/josh

I have a soft spot a mile wide for SpaceHey, there's just something about the whole idea that's really nice. I'm not sure how much of it is because building a whole social media platform out of nostalgia is a very hacker-like thing to do and how much of it is just because it's nice to see a social media platform that's not so aggressively monetised and manipulative but either way I'm really happy it exists.
>It's something I did, and it's neat yet strange to see it being done to a part of my past.

Agree. I read recently that digital cameras have been taking off among younger people in the way vinyl took off among millennials. I'm excited to see how people that grew up with excessive, toxic social media manage to find better solutions for dealing with the internet

I'm not a lot older than her and have a similar fondness for that æsthetic. While it's true I didn't fully experience it, a lot of late 90's sites were still online, more or less untouched, in the late 2000's, so they were there to be appreciated even though they were a relic by then. At that time, IE stagnation was still a thing, and MIDI playback was still in browsers, so the 2008 experience of a 1998 site was probably fairly authentic.
Similar to how I did not experience the late 70's but gained a fondness for it by watching "Taxi" and listening to Television.
I feel this. It seems like somewhere I would have thrived and immensely enjoyed, and I hear people's nostalgia for it, but it's something I never got to experience myself. (~18yo).
Yeah, it was freakin' awesome. All my friends and I made websites. We linked to each other, shared sources of good GIFs and images, chatted on IRC, eventually shared mp3s when those were a thing. It was a seriously badass time to grow up. I regularly feel very thankful/lucky to have grown up in that time period and have my own online computer to experience all that stuff!
I'm nostalgic for the Amiga despite being born in the late 90s!
They were born in 1999, so it's more like what a new generation's impression of what the old web was like.
You don't really have to know what specific year they were born in, the refusal to capitalize is a dead giveaway they did not experience that time at all. Anybody of that time period would be embarrassed to do so on a public site.

Kind of funny how we carry these different meanings to mostly meaningless things.

Making advisories hard to read has been a thing since forever. Remember Gobbles?

https://github.com/thinkitdata/GOBBLES/blob/master/advisorie...

Very true, trends after all come and go.

Specifically about this style though, I feel it fits right into the blog series about "domestic cozy"[1]. It aims to be exactly that, imply super casual/low effort tone, make it feel a bit more personal, and simultaneously about ignoring social traditions that feel redundant to them. Like all trends, it takes effort to follow, and part of this is encouraging friends to turn off auto-capitalization on your phone.

So I would say it's a bit more than just trying to make something hard to read, and focusing on that bit might make you miss the rest of their storytelling process!

[1] https://www.ribbonfarm.com/series/domestic-cozy/

I had an all-lowercase website for a couple years on the early web. So did many of my friends. Archive.org snapshots are 2000-2001, but they'd been around before that in many iterations.

Gah.. it's all embarrassing to look back on for other reasons...

Don't be shy, bring it back, you're ahead of the curve!
Was the author the girl that owned the TSA in the past year?
Iirc it wasn't the TSA directly but an airline and their copy of the nofly list.
FYI, the author uses it/she pronouns.
So it uses it/she pronouns? Usually the object pronoun is second; does that mean that it wants people to call she "it" unless they're doing something to she? That's off the chain, and sounds like meta-trolling.
There are two forms of pronouns. The correct form is multiple pronouns, “he/them” or “it/she”. They are alternatives, both can be used. I think the first is preferred.

The second form is different cases, “he/him”. I have theory that people started using that because they didn’t want to put just “he”. They were following the multiple case form and it stuck. People aren’t really specifying cases because nobody uses different cases and nobody puts cases in the multiple pronouns form.

You might have liked Lulzsec's website. They had an auto-playing audio clip of the Love Boat TV theme and an ASCII ship above text lyrics that replaced the word 'love' with 'lulz'. It was refreshingly amusing.

Sadly archive.org doesn't have a copy from its live state—however I saved the home page at the time (MHTML ftw) and here's a video capture of it*: https://streamable.com/zon5wy

* Expires in one day

Edit: for context Lulzsec were a hacking group a decade back responsible for various headline-making leaks and website hacks.

You should check out the game Hypnospace Outlaw, which is set basically in a geocities-forum hybrid environment. It's basically a love letter to this old very personal internet.
Yes. But I also do not like people younger than me.
No one's mentioned it yet and knowing the HN demographic I'm just gonna say: Turn on javascript for the cat.
Found this on the same blog. Wild read. Apparently they found a copy of the nofly list from 2019. https://maia.crimew.gay/posts/how-to-hack-an-airline/
She has a pretty comprehensive wikipedia entry: https://en.wikipedia.org/wiki/Maia_arson_crimew
[flagged]
(comment deleted)
Appears to be self-authored.
... guess that's why it's comprehensive ^_^
A quick glance to the history of the article, I see it was edited by multiple usernames and IP address at different times. How did you come to the conclusion that it was self authored?
To be fair, if I was writing my own Wikipedia page, I would do the same.
I don't think it's a stretch to assume that infosec experts/hackers have ways to falsify their online identities.
Funny to think about: "writing your own Wikipedia page without it getting taken down for Original Research" is a fun first hobby project to certain kinds of network-security people, as much as as "making your Github activity graph solid green" is a fun first hobby project to bot programmers.
Because this is a person that doesn't meet the notoriety requirements for Wikipedia, and goes into a level of detail that is also totally unnecessary. It is trivial to connect to different servers via VPN and creating new usernames on Wikipedia takes seconds.
They clearly do meet the notability requirements; the cites on this article are almost as long as the article itself. Notability on Wikipedia is a term of art; it refers ("mostly") to how much of the content of the article can be drawn from (ideally diverse) secondary sources. It's not an achievement award.
> Because this is a person that doesn't meet the notoriety requirements for Wikipedia

Very much does, just because you don't know them doesn't mean they don't.

Wikipedia has protections against this. it is not trivial. Each change by random ip also has to be accepted by editor with permissions, and getting these permissions is not easy. It might be possible to bypass all abuse counter measures, but it takes a lot of effort and is not trivial
Easy to check on wikipedia, looks like it was created by the user Ezlev [0], who does not appear to be crimew's wikipedia acocunt, and updated by several other users over the last couple years.

[0] https://en.wikipedia.org/wiki/User:Ezlev

Because this literal fugitive hacktivist is clearly incapable of finding creative ways to get diversified contributions to their Wikipedia page. Heck, they even proudly link to their WP page from their personal site. If they didn't write the article themself, then it was most likely a friend who's close enough to write something that screams self-authored page. Like c'mon, just look at the thing. Have you ever seen that many citations on something that isn't just spamming them trying to stave off the Wikipedia police?
It does seem weirdly detailed about someone I would mark as not really encyclopedically significant; but it has the citations and quotes so what do I know. It's one of the better Wikipedia articles in general

However, it is not self-authored as can be seen in the history of the article.

makes sense to maintain your own wikipedia page as an "about" page. but it's too much hassle for most people
OptimEyes.ai wins Global Infosec Award 2022 OptimEyes.ai data leak - 2023 smh
Aren't these industry awards essentially participation trophies for whoever is willing to pay? Like the notorious "Who's Who Among American High School Students" in the US.
Yes. I started a security company and received tons of award emails and conference invites that were all bullshit.
Back in 90s. I commented to a friend that there sure were a lot of NASA employees on A certain IRC channel. His response was NASA had great computers and no security.
Heck, I've heard stories that several big agencies only started deploying firewalls at their network perimeter in the late 90's. I guess one of the saving graces was that a lot of stuff like personnel records were hard to reach or still only on paper.
Perimeter security with firewalls didn't really come into vogue until the mid 1990s (post-Cheswick and Bellovin), so that seems like a pretty speedy adoption for a big agency.
In the 90s I would be hard-pressed to name any of my techie chums who didn't have a shell account on a NASA box, through legal or illegal means. NASA also had some great cables and satellite runs between their facilities and other partners overseas that allowed for moving warez and porn very quickly across the Atlantic when the commercial connection between the UK and USA was something like 2Mbps for the entire country.
Around here, it was the local college and universities. My friend, in high school at the time, pwned CS departments at both an Ivy and state college, gave out dozens of cracked SunOS accounts to BBSers and script kiddies (the password file was unshadowed...) Tying up all the dialups with IRC and the non-stop downloading of warez eventually brought the attention of sysadmins, but it went on for months.
It's always Jenkins.
Apparently so, considering that this is the same person who got a hold of the No-Fly List a while back, and, you guessed it, they found it through Jenkins somehow.
So ... same attack vector, you implying crimew might be this anonymous 4chinz user? Intriguing...
The fabled titan of security "Jenkins" could be breached by no other.
Sorry, I might've phrased that poorly. I still stand with the fact that Jenkins (especially public-facing ones) are big security risks anyhow.
I didn't even know that .gay was a top level domain...
Registration was first attempted in 2012. It was denied and appealed several times and finally recognized in 2019. After some Covid-related delays, it was opened to the public in 2020. https://en.m.wikipedia.org/wiki/.gay
Time to register gaymusical.gay!
I suspect this leak was made by the author themselves and submitted to 4chan via Tor or a VPN. I don't have hard evidence to back this up but if you read the Wikipedia article about them, it's pretty easy to put two and two together.
Maia is very honest when she hacks a company, unsupported theories don't help anyone.
Maybe because previous hacks have been of varying legality. The entrypoint for the airline hack was also Jenkins.
Maia also has enough going on with lawsuits from being honest in the past. Not taking credit for this one might be for the better...
Their antics have been of questionable legality, and I would assume they'd try to avoid drawing too much attention, given that this is the 3rd US-based company they're trying to hack, and the US just might ask for an extradition.

Further, the conclusion about Jenkins being the attack vector is drawn without much thought or explanation, and it is also interesting that they've used the same attack vector elsewhere.

(comment deleted)
It says in the wiki entry that Switzerland does not extradite citizens unless they consent to it. She is probably already not able to leave Switzerland due to her US indictment.
> and I would assume they'd try to avoid drawing too much attention

I follow her on Tumblr and I assure you this is not the case. She's very ebullient and loves answering questions about her hacking.

The readme of the leak contains "meow :3", and the author's website is strongly cat-themed. Doesn't prove anything, but an interesting coincidence.
>hello i am maia arson crimew (it/she) and i am gay, mostly for girls, and i'm a tiny kitten :3

Kind of seals it. I admire their brazenness.

4chan blocks Tor and VPNs
You cannot block Tor and VPNs. You can block known Tor and VPN ranges.
It is trivial to get a list of all Tor exit IPs from the Tor Project itself, blocking it completely.
You can pay for 4chan and bypass the blocks: https://www.4channel.org/pass

Costs $20 per year and can be paid with various cryptocurrencies. Since 4chan keeps IP logs, this seems like a good deal for someone leaking company source code.

>and submitted to 4chan via Tor or a VPN.

4chan blocks both Tor and VPNs. It's a terrible place to leak things, but a hacker can most probably find innocuous IPs.

I had to check the article to understand how it is notable for a 4chan user to also be a business owner.

They're using "owned" in leet speak sense, infiltrated security.

The correct spelling in that case is pwned isn’t it? I got it from context, but those always felt like subtly different words to me.
I've seen owned plenty of times. "Owned a box" like that
pwn is a typo'd version of own, but since it's unambiguous it would have been better here
> The correct spelling in that case is pwned isn’t it? I got it from context, but those always felt like subtly different words to me.

For me owned was as in "CIA owned Crypto AG" not "netrunner owned the Chrome"

not that Chrome

Man I was wondering the exactly same thing! I’m not a native speaker so that might be why
Native speaker, and title confused me even being familiar with the whole owned/pwned thing. I clicked on the article simply because I was curious why being a 4chan-using sole proprietor would be at all interesting.
Oh wow. I think that’s actually worth a title edit to add a note.
yeah should probably be edited to "pwned" just to make it clear, even though "owned" is the original term for, well, getting owned/rekt/"hacked"/etc.

I too thought it would be about a company who was a sole proprietor of an infosec corp lol

Ok, we've s/o/p/'d the title above. Thanks!

Edit: oops, I meant s/ow/pw/.

> which makes it all so much more ironic how completely they have been hacked.

Nope, not really. It just takes one mistake and you're pwned. Imagine giving the intern a small project, you're losing your head due to your main project, no time to supervise. Boom.

/e: Or imagine an update in one of your libs/apps. In order to not to be hacked you need to make everything right. In order to hack you just need to find one mistake. Well, kinda, but you know what I mean

I guess they meant paradoxical. Being a security company they are juicy target for an attacker's rep, meaning they are in the situation where they are both more protected than usual but also more at risk. That's the arm's race paradox I guess.
It only takes one mistake, but this was a pretty easy one to prevent. At a mature company with a decent security program, creating an internet facing Jenkins instance wouldn't have been approved by IT, doesn't matter if it was an intern with an overworked manager trying to set it up. So it is pretty bad that a security company failed at something as basic as minimizing their attack surface (and possibly not sufficient segmentation between the dev environment and customer data, but the post is not very detailed on that part). Not surprising, though.
[flagged]
the platonic ideal of what 'hacker' means imo
hactivism means hacking every unsecure jenkins instance for lulz?
No, just the ones where the result is a leak of information on some large government surveillance program, or, say, exposing incompetence of a company that sells security-related products - especially ones focused on "intellectual property".

Not that there's anything wrong with lulz as a motivation from the perspective of old-time hacker ethos.

>if you enjoyed this or any of my other work feel free to support me on my ko-fi. this is my only real source of income so anything goes a long way, and monthly contributions help tremendously with budgeting

wow she seems smart. I hope ko-fi is enough

Theme aside I really like this site's design.
I always tell myself, if I ever start any kind of business, I’ll make sure to host my website as static content on a read only file system. And customer data will be handled by 3rd party
No third parties for my customer data. I will write it on flash paper and burn it all every Friday.