Slashdot Mirror


Cryptome Accidentally Leaks Its Own Visitor IP Addresses (dailydot.com)

An anonymous reader writes with this Daily Dot story about an accidental leak of user info from Cryptome. Cryptome, the Internet's oldest document-exposure site, inadvertently leaked months worth of its own IP logs and other server information, potentially exposing details about its privacy-conscious users. The data, which specifically came from the Cartome sub-directory on Cryptome.org, according to Cryptome co-creator John Young, made their way into the wild when the site logs were included on a pair of USB sticks sent out to a supporter.

40 comments

  1. More proof they're a Republican... by Anonymous Coward · · Score: 0

    shill site trolling for leaks. They hate us for wanting privacy.

    1. Re: More proof they're a Republican... by Anonymous Coward · · Score: 0

      They want us die. To die.

    2. Re: More proof they're a Republican... by Anonymous Coward · · Score: 0

      That is the way of their kind.

    3. Re: More proof they're a Republican... by Anonymous Coward · · Score: 0

      It's been obvious for a long time that they're really anti-privacy.

    4. Re: More proof they're a Republican... by Anonymous Coward · · Score: 0

      How well has Obama been protecting your privacy?

  2. Surely, you can't be serious... by Zymergy · · Score: 1

    I am serious, and I am sure no one in the Government has ~ever~ monitored this web site's traffic or users ever never... (I always assume I am always logged by some alphabet agency and added to some bad-list for checking out the very cool stuff at cryptome.org throughout the years...) It sounds like John just accidentally sent out logs on a USB archive stick. I am sure the recipient considered it value-added. (don't see any politics going on here either, not taking the troll bait)

    1. Re:Surely, you can't be serious... by RDW · · Score: 2

      I always assume I am always logged by some alphabet agency and added to some bad-list for checking out the very cool stuff at cryptome.org throughout the years...

      Good luck TLA, I'm behind SEVEN PROXIES whenever I access Cryptome.

    2. Re:Surely, you can't be serious... by Anonymous Coward · · Score: 0

      I always assume I am always logged by some alphabet agency and added to some bad-list for checking out the very cool stuff at cryptome.org throughout the years...

      Good luck TLA, I'm behind SEVEN PROXIES whenever I access Cryptome.

      Well, technically you're behind EIGHT proxies.

      (You forgot about mine.)

    3. Re:Surely, you can't be serious... by Anonymous Coward · · Score: 1

      Seven proxies might slow down the FBI or the Secret Service. The NSA can't even tell the difference: they automate that shit and pipe it straight in to their TIA farm.

    4. Re:Surely, you can't be serious... by Anonymous Coward · · Score: 0

      Hey, I know these!!! They're: 127.0.0.1, 127.0.0.2, 127.0.0.3, 127.0.0.4, and 127.0.0.5, 127.0.0.6, and ::1 !

    5. Re:Surely, you can't be serious... by Stoutlimb · · Score: 4, Interesting

      It makes me wonder why a site so concerned about Internet privacy is keeping logs in the first place.

    6. Re:Surely, you can't be serious... by Anonymous Coward · · Score: 0

      Thanks in advance?

    7. Re:Surely, you can't be serious... by KGIII · · Score: 1

      Given that they are premised on exposing secrets why would you conclude that they're interested in your privacy? That seems a strange assumption to make.

      --
      "So long and thanks for all the fish."

    8. Re:Surely, you can't be serious... by Anonymous Coward · · Score: 0

      Tonight Ice Action.

    9. Re:Surely, you can't be serious... by Anonymous Coward · · Score: 0

      All seven most likely owned or infiltrated by the NSA... Most proxy listing websites probably are too anyway, so they can post any IP they own/infiltrated...

  3. Why do they even store IP addresses? by popo · · Score: 4, Insightful

    Why does an anonymous leak site even store identifying information? Isn't the best defense to never even keep the data?

    --
    ------ The best brain training is now totally free : )

    1. Re:Why do they even store IP addresses? by Anonymous Coward · · Score: 1

      Why does an anonymous leak site even store identifying information? Isn't the best defense to never even keep the data?

      Absolutely! And on top of it, why would these logs ever get anywhere "close" to the outside world--to just a supporter?

    2. Re:Why do they even store IP addresses? by Anonymous Coward · · Score: 0

      I guess they really believe in transparency.
      Information wants to be free, after all.

    3. Re:Why do they even store IP addresses? by Anonymous Coward · · Score: 1

      John Young is a good man who has been doing good things for Americans for a long time. He's never been the most computer-savvy person, though (and maybe his age is interfering with his judgment). It would appear in this case that he kept logs in order to parse them with awstats, gathering his own intelligence on who his visitors were. Frankly, I'd do similar if I were running such a site. Unfortunately he had the awstats installation within the document root of cartome and he neglected to sanitize the logs when copying his site's contents to archival USBs.

      I have a copy of the archive from way back when it was mailed on two CDs for a $20 donation. No log files on those discs, drat. Hard to say how long this has been leaking.

    4. Re:Why do they even store IP addresses? by Anonymous Coward · · Score: 1

      John Young says since 2013, blames ISP

    5. Re:Why do they even store IP addresses? by Anonymous Coward · · Score: 0

      he kept logs in order to parse them with awstats, gathering his own intelligence on who his visitors were

      Do as I say, don't do as I do... This is why trust is a misplaced concept in information security. Information that can be collected will be collected, information that can be abused will be abused. Design protocols with that in mind.

  4. As long as the world is turning and spinning, by turkeydance · · Score: 1

    we're gonna be dizzy and we're gonna make mistakes. Mel Brooks

  5. Why log by Anonymous Coward · · Score: 1

    WTF!? Why would a privacy conscious website even keep logs? DuckDuckGo for example doesn't keep logs so that privacy can actually be maintained.

    1. Re:Why log by dmbasso · · Score: 3, Insightful

      Honest question from my ignorance: how can you be sure they don't keep logs? Did they make pinky promises?

      --
      `echo $[0x853204FA81]|tr 0-9 ionbsdeaml`@gmail.com

    2. Re:Why log by FrozenGeek · · Score: 1

      This. This is exactly the question I wanted to ask.

      --
      linquendum tondere

    3. Re:Why log by Impy+the+Impiuos+Imp · · Score: 1

      Yes, yes they did.

      I wonder if they have to install monitor recording software in response to a warrant or security letter. Can they be forced to?

      --
      (-1: Post disagrees with my already-settled worldview) is not a valid mod option.

    4. Re:Why log by kmoser · · Score: 1

      Perhaps the logs were faked.

    5. Re:Why log by Anonymous Coward · · Score: 0

      Cryptome admitted they were real, been authenticated. Cryptome blamed their ISP for Cryptome mailing the logs to people for years.

  6. Sigh by edittard · · Score: 1

    That should be "months' worth".

    --
    At the bottom of the /. main page it says 'Yesterday's News'. Well they got that right.

  7. with people like that as your supporters ... by Anonymous Coward · · Score: 0

    Well, with people like that as your supporters ...

    Who needs enemies?

  8. goes to show by Osgeld · · Score: 5, Insightful

    the robustness of any security is based on the stupidest person

    1. Re:goes to show by JustAnotherOldGuy · · Score: 1

      the robustness of any security is based on the stupidest person

      Sadly, this is very, very true. :(

      --
      Just cruising through this digital world at 33 1/3 rpm...

  9. "dedicated to revealing secrets" privacy consciou? by raymorris · · Score: 2

    I see that the site is dedicated to spreading information that some people would prefer to keep private. They publicize things that they think should not be private, "violate the privacy" of those whom they think should have their information revealed and publicized (rightly or wrongly).

    So in some sense, it's an anti-privacy site, for better or worse. I don't immediately see any indication that the operator is "privacy conscious". Do you? Or is it more like "I think he -should- be privacy conscious, so I assume that he is"?

    That said, I imagine anyone publishing just about anything would be interested in knowing how many people use the site, which types of documents get the most interest, etc. That information comes from log analysis.

  10. They use tracking cookies now too by Anonymous Coward · · Score: 0

    http://imgur.com/gallery/TXgC9Xe/

  11. "Pathetic" -level security by gweihir · · Score: 1

    Seriously, this data should not even be recorded on such a site. And if it is, it should not even be written locally and immediately exported to a machine that is specially protected and not reachable from the Internet. So that is _two_ massive screw-ups right there.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.

  12. Was a time every post of yours had ur IP address by Trax3001BBS · · Score: 2

    Up until just a few years ago (when Google claimed the Usenet) a poster's IP address was always displayed in the headers. It was no big deal.

  13. So what by Anonymous Coward · · Score: 0

    This is a public website, without https. I visit it and I don't give a rat's ass about it. I suspect true revolutionaries would actually use Tor and proxies to visit it. Besides, who can be hurt with the truth?

  14. Who cares? by Anonymous Coward · · Score: 0

    Who cares?
    It's not going to stop me visiting cryptome any time soon. The more people know I am visiting cryptome, the more seriously they will have to think about doing anything stupid.

  15. Ha! by Anonymous Coward · · Score: 1

    Cryptome is hosted on web.com, formerly Network Solutions, it's a shared platform with like 750k other sites on it all run wild hair PHP applications and 8 year old WP installs on a giant NFS mount. It's all horribly insecure.