[cryptome] Cryptome has been leaking its user logs for over a year

oshwm oshwm at openmailbox.org
Fri Oct 9 06:59:30 PDT 2015



On 09/10/15 10:52, rysiek wrote:
> Dnia czwartek, 8 października 2015 20:45:50 Mirimir pisze:
>> On 10/08/2015 07:42 PM, coderman wrote:
>>> On 10/7/15, Michael Best <themikebest at gmail.com> wrote:
>>>> Let me begin by saying that Cryptome initially denied the leak, then that
>>>> the data was stolen, then that the whole thing was a fake "a lie by [a]
>>>> spy-newbie."
>>>
>>> the lie is assuming these requests over plain-text were ever private :P
>>
>> That is the key point!
>>
>> And anyway, all traffic to all websites is public.
> 
> Oh for fucks' sake. There are fuckers who do listen in and surveil, etc, but 
> it is *not* okay to make their work easier. And it is *not* okay to make one's 
> server logs broadly available in such a context.
> 
> Why the fuck are people on this list slamming Snowden and freedom.press for 
> using Cloudflare, and at the same time defending JYA for sending out server 
> logs with dates and IP addresses?
> 

I feel the need to respond here although previously having sat and
watched as I was involved quite heavily in the CF/freedom.press discussion.

So, here's my viewpoint:-

EVERYONE is responsible for their own OpSec and can trust NO website no
matter who created/maintains it.
You can't even trust the infrastructure that your data travels on -
check out you cable/DSL router, the ISP has remote access to it and
that's in your own property supposedly managed by you.

Having said that, it is the duty of EVERY honest website owner to reduce
the amount of user data they hold and/or expose - to do any different is
reckless, inconsiderate and possibly dangerous.

With respect to Cloudflare, there are a different set of problems:-

1) MiTM - they terminate your secure connections without letting you
know BEFORE you connect or transfer confidential communications.

2) They sit in the path fo so much internet traffic that just CF alone
can be used to correlate various bits of data/metadata with regards to
someone that they are a one corp logging system for TLA's etc.
This issue is far larger than the cryptome one although cryptome is
going against what I wrote earlier about data reduction.

freedom.press, like MANY other organisations around the world are using
Cloudflare's services in full knowledge that they MiTM and provide a
irresistable data collection and collation point for the TLA's.
And yet, still claim to be fighting for the good guys.

Snowden? He has his own agenda and is using the "leaks" (if they are
real) to push that agenda - if you agree with what he wants "a
conversation about mass surveillance" then cool, cheer him on (whether
his data is crap or not), otherwise he can be ignored for the most part
as your OpSec should assume EVERYTHING is compromised right down to
discrete component level (think you can't fit an IC into the casing of a
resistor or diode?).

As for Best, as previously said, I haven't time at the moment to review
the data he has presented to know if he has an angle or if he's just a
good guy.

Position clarified enough?

> The hell is this bullshit?
> 

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: OpenPGP digital signature
URL: <http://lists.cpunks.org/pipermail/cypherpunks/attachments/20151009/7035fabb/attachment-0002.sig>


More information about the cypherpunks mailing list