MethLabs Shuts out PeerGuardian

Lost&Confused writes to tell us Slyck News is reporting that most of Methlabs.org administration and development staff have been forced out of their own website. For the time being PeerGuardian is being hosted on sourceforge. However, users are advised to stop using the Methlabs.org and Blocklist.org hosted blocklists in favor of the Bluetack list until they can sort things out.

Re:How....

[FrYGuY101]

It's not a business.

Basically, the guys who were in charge of administering the money and servers slowly took over. Now they're claiming ownership of everything.

One of those things about the open source crowd...

[suitepotato]

...they don't tend to be very big on the business accumen. Any enterprise where stuff like this can happen, needs to have contracts in force that head them off. The big business closed source world lives and dies by contracts and legally binding agreements. The licenses on the code produced should not be where the thoughts of legalities end. Internal legal matters are perhaps far more important.

"login ... and change your password" = danger

[dsandler]

Without knowing any details, it's hard to know which party in this situation is the malicious one (possibly both). But this message on the methlabs.org blog is causing the Lost-In-Space-Robot in my head to wave its arms madly:

Unfortunately, they gained access to site backups. In doing so, your passwords may have been compromised, although they are MD5 encrypted. We would like to you login to the Methlabs forums ([url redacted]) and change your password. We sincerely apologize for this issue.

If the webmaster is telling the truth, this is an innocuous request. [Of course, sufficiently strong passwords will survive precomputed hash attacks, and it's still pretty hard to brute-force MD5 hashes (even given recent weaknesses).] However, if the webmaster is malicious, this is no different than a PayPal phishing scam: "Come visit our website (the legitimacy of which is, at best, in doubt) and enter your old password on a Web form. Go ahead, enter a new one, too. Thanks."

The right thing to do in this case, where you have multiple parties which may all be malicious and some of which may have your passwords, in plaintext or hashed format, is probably to stop using those passwords immediately. If you use that forum password elsewhere, change it elsewhere. As for methlabs.org, the safest course of action is probably to wait and see who the good guys are before typing any passwords in, old or new.

Re:Update on the Methlabs.org site

[Henry+V+.009]

"we had several former staff members revolt against the entire P2P community as a whole"

Yeah, that's a really believable line. The site has obviously been hijacked.

Did other members get an email like this?

[basil+montreal]

"Dear Member,

The majority of the Methlabs.org administration and development team have been forced out of their website following a series of threats and incidents. The member of the group that had been trusted to handle the finances and servers slowly managed to take over each individual part of the web site's assets, eventually claiming control over the entire group and locking out the majority of staff.

The organisation's founders, Tim Leonard and Ken McKelland, as well as the majority of the organisation's staff and developers (including the main developer of the PeerGuardian2 application, Cory Nelson and the staff members responsible for auditing the PeerGuardian Blocklists) have all been forcibly removed from the servers that were funded from donations given to the organisation by happy users, and from text advertising placed on the websites forum and project pages.

The money, which was to have been used to help fund the development and hosting costs of the group is now unavailable, stolen by the one who was trusted to keep it.

Development of PeerGuardian will resume, and the website will temporarily move to http://peerguardian.sourceforge.net/ until a new domain is registered and a new server found. The intention of the group is to register a non-profit organisation to handle the development of Methlabs applications and to promote open source projects that aid both security, privacy and peer-to-peer technologies, in order to prevent a repeat of this incident.

The team wish all their users the best through this difficult time, but promise that development will continue. Please visit http://peerguardian.sf.net/ for news as we make progress. All other sites, including http://methlabs.org/ and http://blocklist.org/ are under control of the rogue member and should not be trusted for safe updates to our applications or lists.

A new build of PeerGuardian will be released soon to reflect these changes. Until then we ask you to continue using Beta 6a but with caution as the update servers are no longer under our control.

All staff are available in irc.freenode.net, channel #methlabs if you wish to chat.

Thanks, The Methlabs Staff (looking for a new home) -----

Adam Hoier, Cory Nelson, Eric Mayuk, Fox Lowe, James Shanelec, Joseph Farthing, Ken McKelland, Steffen Tuzar, Tim Leonard

aka

braindancer, D3F, fox, FuRiOuS1, JFM, KuKIE, method, phrosty, r00ted"

News To Me

[Doc+Ruby]

FTFA:
"UPDATE: William Erwin, now confirmed as the hijacker, has posted news on Methlabs.org, claiming the hijacking news is false and stems from a revolt by former team members.

However, after speaking to the Methlabs team and various connected members of the community, P2Pnet, SuprNova and Slyck can all confirm that the original story that the domain has been hijacked is genuine."

The reporter has "heard from both sides", and said that the Methlabs team is correct. That's what real reporters do: they find all the sides of a story, decide which version is the most correct, and tell the story. They don't just report "he said / she said", which reduces the reporter and the publication to puny PR outlets for anyone with a version of the story, no matter how self-serving.

That's not to say the reporter's version is the most correct, or even correct at all. But that's what separates good reporters from bad ones: their skill at finding the most accurate story version. And then telling it so readers get the most accurate version of the story in our heads. Good journalists back up their judgements with representative quotes and descriptions of evidence to bolster the reader's confidence in their version. Really good journalists make good judgements and back it up, earning the ongoing confidence of their readers.

We still all need to take any story from where it comes. Which is why it helps to read some reporters for a long time, to understand their track record, their blind spots, biases, vested interests, and insights. We've watched "journalism" turn into a farce precisely because we no longer expect the journalist to use good judgement in reporting, highlighting what they find to be true. We expect journalists to be "objective" to the extent that the journalist disappears, acting only as a stenographer for whoever gets access to them as a channel for that interested party. Which is worse than useless.

This reporter, on this little story, in a little tech backwater, is exercising exactly the professionalism that most of the people in their industry wouldn't recognize if it faced them across an interview desk.

Sue

[Nom+du+Keyboard]

Anyone who contributed money to PG support should be suing the person who forced the rest of the team out for fraud and theft. I would expect them to have standing in court to pursue such a claim, and could make life very difficult for this apparent criminal.