Cryptome Accidentally Leaks Its Own Visitor IP Addresses (dailydot.com)

← Back to Stories (view on slashdot.org)

Cryptome Accidentally Leaks Its Own Visitor IP Addresses (dailydot.com)

Posted by samzenpus on Sunday October 11, 2015 @10:13AM from the have-some-addresses dept.

An anonymous reader writes with this Daily Dot story about an accidental leak of user info from Cryptome. Cryptome, the Internet's oldest document-exposure site, inadvertently leaked months worth of its own IP logs and other server information, potentially exposing details about its privacy-conscious users. The data, which specifically came from the Cartome sub-directory on Cryptome.org, according to Cryptome co-creator John Young, made their way into the wild when the site logs were included on a pair of USB sticks sent out to a supporter.

22 of 40 comments (clear)

Min score:

Reason:

Sort:

Surely, you can't be serious... by Zymergy · 2015-10-11 10:27 · Score: 1

I am serious, and I am sure no one in the Government has ~ever~ monitored this web site's traffic or users ever never... (I always assume I am always logged by some alphabet agency and added to some bad-list for checking out the very cool stuff at cryptome.org throughout the years...) It sounds like John just accidentally sent out logs on a USB archive stick. I am sure the recipient considered it value-added. (don't see any politics going on here either, not taking the troll bait)
1. Re:Surely, you can't be serious... by RDW · 2015-10-11 10:40 · Score: 2
  
  I always assume I am always logged by some alphabet agency and added to some bad-list for checking out the very cool stuff at cryptome.org throughout the years...
  Good luck TLA, I'm behind SEVEN PROXIES whenever I access Cryptome.
2. Re:Surely, you can't be serious... by Anonymous Coward · 2015-10-11 11:41 · Score: 1
  
  Seven proxies might slow down the FBI or the Secret Service. The NSA can't even tell the difference: they automate that shit and pipe it straight in to their TIA farm.
3. Re:Surely, you can't be serious... by Stoutlimb · 2015-10-11 19:23 · Score: 4, Interesting
  
  It makes me wonder why a site so concerned about Internet privacy is keeping logs in the first place.
4. Re:Surely, you can't be serious... by KGIII · 2015-10-11 22:07 · Score: 1
  
  Given that they are premised on exposing secrets why would you conclude that they're interested in your privacy? That seems a strange assumption to make.
  
  --
  "So long and thanks for all the fish."
Why do they even store IP addresses? by popo · 2015-10-11 10:33 · Score: 4, Insightful

Why does an anonymous leak site even store identifying information? Isn't the best defense to never even keep the data?

--
------ The best brain training is now totally free : )
1. Re:Why do they even store IP addresses? by Anonymous Coward · 2015-10-11 10:43 · Score: 1
  
  Why does an anonymous leak site even store identifying information? Isn't the best defense to never even keep the data?
  Absolutely! And on top of it, why would these logs ever get anywhere "close" to the outside world--to just a supporter?
2. Re:Why do they even store IP addresses? by Anonymous Coward · 2015-10-11 12:34 · Score: 1
  
  John Young is a good man who has been doing good things for Americans for a long time. He's never been the most computer-savvy person, though (and maybe his age is interfering with his judgment). It would appear in this case that he kept logs in order to parse them with awstats, gathering his own intelligence on who his visitors were. Frankly, I'd do similar if I were running such a site. Unfortunately he had the awstats installation within the document root of cartome and he neglected to sanitize the logs when copying his site's contents to archival USBs.
  I have a copy of the archive from way back when it was mailed on two CDs for a $20 donation. No log files on those discs, drat. Hard to say how long this has been leaking.
3. Re:Why do they even store IP addresses? by Anonymous Coward · 2015-10-11 12:42 · Score: 1
  
  John Young says since 2013, blames ISP
As long as the world is turning and spinning, by turkeydance · 2015-10-11 10:34 · Score: 1

we're gonna be dizzy and we're gonna make mistakes. Mel Brooks
Why log by Anonymous Coward · 2015-10-11 10:35 · Score: 1

WTF!? Why would a privacy conscious website even keep logs? DuckDuckGo for example doesn't keep logs so that privacy can actually be maintained.
1. Re:Why log by dmbasso · 2015-10-11 11:05 · Score: 3, Insightful
  
  Honest question from my ignorance: how can you be sure they don't keep logs? Did they make pinky promises?
  
  --
  `echo $[0x853204FA81]|tr 0-9 ionbsdeaml`@gmail.com
2. Re:Why log by FrozenGeek · 2015-10-11 13:11 · Score: 1
  
  This. This is exactly the question I wanted to ask.
  
  --
  linquendum tondere
3. Re:Why log by Impy+the+Impiuos+Imp · 2015-10-12 01:12 · Score: 1
  
  Yes, yes they did.
  I wonder if they have to install monitor recording software in response to a warrant or seciruty letter. Can they be forced to?
  
  --
  (-1: Post disagrees with my already-settled worldview) is not a valid mod option.
4. Re:Why log by kmoser · 2015-10-12 04:20 · Score: 1
  
  Perhaps the logs were faked.
Sigh by edittard · 2015-10-11 10:50 · Score: 1

That should be "months' worth".

--
At the bottom of the /. main page it says 'Yesterday's News'. Well they got that right.
goes to show by Osgeld · 2015-10-11 11:09 · Score: 5, Insightful

the robustness of any security is based on the stupidest person
1. Re:goes to show by JustAnotherOldGuy · 2015-10-11 12:30 · Score: 1
  
  the robustness of any security is based on the stupidest person
  Sadly, this is very, very true. :(
  
  --
  Just cruising through this digital world at 33 1/3 rpm...
"dedicated to revealing secrets" privacy consciou? by raymorris · 2015-10-11 11:28 · Score: 2

I see that the site is dedicated to spreading information that some people would prefer to keep private. They publicize things that they think should not be private, "violate the privacy" of those whom they think should have their information revealed and publicized (rightly or wrongly).
So in some sense, it's an anti-privacy site, for better or worse. I don't immediately see any indication that the operator is "privacy conscious ". Do you? Or is it more like "I think he -should- be privacy conscious, so I assume that he is"?
That said, I imagine anyone publishing just about anything would be interested in knowing how many people use the site, which types of documents get the most interest, etc. That information comes from log analysis.
"Pathetic" -level security by gweihir · 2015-10-11 13:14 · Score: 1

Seriously, this data should not even be recorded on such a site. And it it is, it should not even be written locally and immediately exported to a machine that is specially protected and not reachable from the Internet. So that is _two_ massive screw-ups right there.

--
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
Was a time every post of yours had ur IP address by Trax3001BBS · 2015-10-11 15:49 · Score: 2

Up until just a few years ago (when Google claimed the Usenet) a posters IP address was always displayed in the headers. It was no big deal.
Ha! by Anonymous Coward · 2015-10-12 02:04 · Score: 1

Cryptome is hosted on web.com, formerly Network Solutions, it's a shared platform with like 750k other sites on it all run wild hair PHP applications and 8 year old WP installs on a giant NFS mount. It's all horribly insecure.