Lammy
Redoubts
Surprised there’s no ascii art of programmer socks.
jtvjan
That's a 2016 meme. Much too recent.
markenqualitaet
I mean technically correct. I think cortisol would have been funnier tho.
jungleanimal
Anonymous strikes again, this time with a well known web registration company with a decade of data. This is a blatant example of how poor security management leads to the hardship of thousands if not millions of regular people. Now their private details have a risk of being public and fully open to scrutiny. And it's not just some simple data breach: they allegedly stole domain purchases and transfers, and account credentials of pretty much all their clients. Unacceptable. Embarrassing. They should be held accountable for all this if it comes out to be true.
qeternity
Epik’s lack of security is the least damning thing about Epik.
Google around for their very colorful history. These are bad hombres.
capableweb
Could you share something damning instead of referring people to search, as we probably will find different information.
As far as I can tell, Epik focused on hosting and DNS management for marginalized/excluded groups on the internet, so naturally they attract a lot of groups. Not sure why that'd be bad though.
Things like this also makes me actually like the company more:
> Pharmaceutical watchdog website LegitScript reported in 2018 that they had alerted Epik to the sale of illegal drugs and counterfeit medications on websites registered by Epik, and that Epik had refused to act upon the information without a court order
That's exactly how I want my hosting company to act, and any that don't are actively fragile.
qeternity
I agree with you about Epik’s stance, although I believe they’re doing it for the wrong reasons.
Rob Monster for instance has expressed support for the KKK and claimed that the Christchurch shooting was a hoax.
I’ll defend with my life his right to say abhorrent things. But that also means I get to express myself and call him a bad dude.
lelandfe
Remember when a guy murdered 11 people in a Pittsburgh synagogue? When it was revealed the shooter had posted about it on Gab beforehand, every service powering the social network pulled the plug. Epik was who brought them back online.[0]
The hero of hate speech is not exactly a sterling reputation to have.
[0] https://www.wired.com/story/how-right-wing-social-media-site...
megous
> Now their private details have a risk of being public
They are public. A simple torrent away.
gremloni
They should also be held accountable for supporting hate ideology.
hdhdheh6dhs
^ we found a nazi sympathizer here folks, and/or a guy who had nazi things hosted on epik who is now scared to be doxxed
gfodor
Eventually the cloud is going to burst and everyone’s data will be public. The motive will be similar to this one, where a huge blast radius of collateral damage is accepted in the name of harming bad people. Seeing people eagerly download this data that surely includes countless amounts of personal info of non-Nazis shows this clearly.
peterthehacker
> Eventually the cloud is going to burst and everyone’s data will be public
Why? This was Epik being hacked not AWS or Azure. It’s just a domain registrar. And a shady one at that. Their lack of security is not indicative of the rest of the cloud.
southerntofu
Today on HN: https://news.ycombinator.com/item?id=28532531
Microsoft bundling a super-insecure root daemon in all their Linux VMs. They developed it, published it on Github, embedded it everywhere, but when it turned out to be a security nightmare blamed "open source supply chain".
heyitsguay
Fortunately, given the purported scope of the hack, it seems we'll be able to actually quantify that. How many of the websites weren't hosting violent or extremist content? If this is real, we should be able to get an exact percentage.
southerntofu
I would assume given any hosting provider, that most content would not be deemed "violent" or "extremist". But of course, it depends on your interpretation.
For example, some people consider radical servers from the anarchist scene to be hosting violent/extremist material, while i personally consider governments and big corporations to be pretty violent and extremist themselves in how they ruthlessly dominate the world.
Actions and speech are not neutral. It's all a matter of (political) perspective.
qeternity
Epik is not just “any” hosting provider. In fact, there’s no reason to use them unless you fall into the “unhostable” category elsewhere.
Their infra, peering and prices are way worse than pretty much everyone else.
dreadlordbone
I sure hope people don't jump to conclusions re what is violent or extremist.
pletsch
People jump to conclusions? On the internet? No, I don't think that likely
iammisc
Twitter hosts violent and extremist content. Now please give me Jack Dorsey's address, phone number, and social security card so we can exact justice /s
That there are people on this forum advocating for vigilantism is frightening. We are quickly approaching the point of lawlessness as a society.
rvz
There you go. Vigilantism is OK only if it doesn’t affect them. But when it does, the outrage is everywhere. To them, it seems that unauthorised access and leaking personal information even if innocents are involved is suddenly OK then?
That activity seems very extreme, doesn't it, compared to just reporting directly to the authorities.
This is best left to the authorities to deal with such issues rather than resorting to such extreme and illegal activities, no matter the cost or innocents affected.
toofy
well, we do have u.s. state governments putting vigilantism into law, and making sure the victims of this vigilantism pay the legal bills of the vigilantes, so at this point, i’m not sure we can clutch our pearls over something which after all these years has become routine (i.e., leaks)
kadoban
How many just regular folks would actually pick Epik? Why?
Syonyk
I intend to for future domain registration.
- Register.com is an annoying cesspool of value-add upsells and is extremely expensive in the process, with added cost to not have your personal info attached directly to your domain whois.
- GoDaddy, other than the creepy ads, has shown plenty of willingness to remove domains hosting content that they don't like, even if it's legal.
- I think Google is a registrar, but I'm not at all comfortable with how easy it might be to move my domain out of their grasp if I care to host my content somewhere else. I'm sure it's possible, I'm sure it has weird issues, and I'm certain there's zero support to talk to.
- Epik has, at least as far as I can tell, a reputation for simply hosting domain registrations, not asking questions, and ignoring just about every request for information.
Of those options, I'm fine with the last. I tend pretty hard towards the "free speech" side of the spectrum, and a registrar that will ignore anything short of a legitimate legal request from the authorities of the nation(s) they operate in is perfectly fine with me. Even if they host domains I consider distasteful, I'd rather support that than someone who will bow to public outrage and go snooping around domains looking for reasons to remove their registration (GoDaddy and Arfcom come to mind here).
There are probably other options, but those are the ones I know of, and why I'm intending to register future domains with Epik. I don't particularly care if a founder of a service is a scumbag in their personal life, as long as they reliably do what they promise to do.
burkaman
Epik "ended its relationship" with The Daily Stormer because of content hosted on the site and the "entanglement" (meaning PR issues). If you're not ok with that, then I don't think Epik is what you're looking for. If you are ok with it, then you can accept service providers disassociating themselves with "distasteful" clients, it's just a matter of exactly how distasteful they have to be.
Source: https://www.npr.org/2021/02/08/965448572/meet-the-man-behind...
Lammy
> Epik has, at least as far as I can tell, a reputation for simply hosting domain registrations, not asking questions, and ignoring just about every request for information.
Give https://www.nearlyfreespeech.net/services/domains a shot.
I'm not affiliated aside from being a happy customer for over a decade. You can read their abuse-handling terms here: https://www.nearlyfreespeech.net/help/abuse
jackson1442
Not sure of either of their policies, but I usually buy my domains from Dynadot then transfer the eligible ones to CloudFlare after the first year. Both are cheap, and I'm pretty sure CloudFlare tends to not divulge much information.
All my ICANN addresses are fake though so that's never been a concern for me.
sophacles
They also have a reputation for securing your important PII behind unsalted md5 password lookups. I'm not sure about the rest of their security, but if they screw up something as basic as storing passwords it does not imply good things about the rest of their infosec.
If you are concerned about getting your name off Google because their systems are weird, why wouldn't you be concerned with someone just stealing your domain from the insecure site by (e.g.) just logging in as you and initiating the transfer?
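The comment above turns on one point: an unsalted, unkeyed md5 of a password is a stable value that can be looked up in a table, so two users with the same password get the same record and the record for any common password is effectively known before the breach happens. The block below is an added example, not code from the thread or from Epik; it stores a constructed set of users the weak way and the recommended way (a per-user random salt with a memory-hard KDF, here hashlib.scrypt) and shows the difference in what a leaked record reveals. The user names, passwords and tiny wordlist are constructed for the demo.

```python
"""Unsalted md5 versus salted scrypt for password storage (added example)."""
import hashlib
import hmac
import os


def md5_store(password: str) -> str:
    """The weak scheme: one deterministic md5 per password, no salt, no work factor."""
    return hashlib.md5(password.encode()).hexdigest()


def scrypt_store(password: str, *, n: int = 2**14, r: int = 8, p: int = 1) -> str:
    """Recommended scheme: 16 random salt bytes per user plus a memory-hard KDF.
    The record carries its own parameters so they can be raised later."""
    salt = os.urandom(16)
    dk = hashlib.scrypt(password.encode(), salt=salt, n=n, r=r, p=p, dklen=32)
    return f"scrypt${n}${r}${p}${salt.hex()}${dk.hex()}"


def scrypt_verify(password: str, record: str) -> bool:
    """Recompute the KDF with the stored salt/parameters and compare in constant time."""
    scheme, n, r, p, salt_hex, dk_hex = record.split("$")
    if scheme != "scrypt":
        return False
    dk = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex),
                        n=int(n), r=int(r), p=int(p), dklen=32)
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


# Constructed users and a constructed three-word "wordlist" standing in for the
# multi-gigabyte precomputed tables that exist for md5.
USERS = {"alice": "hunter2", "bob": "hunter2", "carol": "correct horse battery staple"}
WORDLIST = ["password", "hunter2", "letmein"]


def precomputed_lookup_risk() -> dict:
    """Show what a leaked table of unsalted md5 records gives away: identical
    passwords are visible as identical hashes, and any hash that is already in a
    precomputed table maps straight back to its password. Returns user -> recovered."""
    leaked = {name: md5_store(pw) for name, pw in USERS.items()}
    table = {md5_store(w): w for w in WORDLIST}   # one md5 per word, reused for every user
    return {name: table.get(h) for name, h in leaked.items()}


def salted_records_differ() -> bool:
    """With per-user salts, the same password never produces the same record, so a
    leaked table cannot be bulk-matched against a precomputed list."""
    a, b = scrypt_store("hunter2"), scrypt_store("hunter2")
    return a != b and scrypt_verify("hunter2", a) and scrypt_verify("hunter2", b)


if __name__ == "__main__":
    print(precomputed_lookup_risk())   # alice and bob recovered, carol not in the wordlist
    print(salted_records_differ())
```

The md5 side needs no cracking hardware at all: the table is built once per wordlist and reused against every leaked record, which is why a dump of unsalted md5 values should be treated as plaintext for every common password in it. The scrypt parameters (n=2**14, r=8) are a modest interactive-login setting, not a recommendation for a specific deployment.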
tom-_-
Ideology aside, shouldn't the fact that this hack exposed gigabytes of user data cause you to reconsider them as a reliable domain provider?
Why be concerned with domain providers giving personal information to authorities when Epik has already given it to the entire internet?
jumelles
Gandi? Namecheap?
rjzzleep
Maybe take a look at Gandi. GoDaddy has always been a terrible registrar. People used to recommend Namecheap because of that, but I think namecheap has limits on the length of certain records (which may be annoying for dkim).
In general there are a dozen registrars that are better than GoDaddy or Google without having to choose a right wing nutjob with bad security.
syysilma
I've heard https://njal.la is pretty good.
MileyCyrax
I bought a domain name from a domain squatter who used Epik and there's a 60 day waiting period before I'm allowed to transfer the domain away.
Their site is one of the buggiest I've ever used (no, really), so this hack doesn't surprise me at all. Now I'm trying to remember how much personal information I would have given them.
mtnGoat
A wait period is reasonably common. I've run into it as well, really annoying. I think it's a lame ploy to drum up business.
ZoF
No comment on Epik but that 60 day wait is almost certainly ICANN lock because whois data was updated. They don't have a choice.
desine
If you truly believe in freedom of speech, it makes sense to support companies who enable those ideals. I'm not familiar enough with the company/drama/story here, but if Epik does not do anything "problematic" other than allow "problematic" speech, then I would consider them. A certain quote often mis-attributed to Voltaire comes to mind [0]. It appears they do have some lines drawn in the sand for free speech, they cancelled service for 8chan.
ohashi
I wouldn't support this borderline nutjob. Making employees watch a video of the Christchurch shooting and saying it was fake? Yeah, no. He has a lot of ties to the extremist right wing too.
jonathanstrange
I don't think anyone really supports unlimited freedom of speech other than as a strategic rhetorical lip service. It's a very unreasonable position. What people mean is that they draw the line at different places, usually while ignoring the law.
People disagree about the definitions of crimes involving publication. For example, almost everyone is against the freedom to disseminate child porn under the excuse of "free speech." Then, some people are against free dissemination of ISIS propaganda, especially when it contains concrete calls for violence. Then again, disseminating Neonazi propaganda with similar calls for violence is not more legal than ISIS propaganda in most countries. Revenge porn and sites dedicated to slander and libel are prohibited in most jurisdictions, too.
The US has lax application of laws against right-wing calls for violence but is well-known to enforce against free speech if other groups like Islamists are involved. In the past, communists and civil rights advocates were also not too welcome. Other countries apply laws more stringently. In various modern and democratic countries content hosted by Stormfront is simply illegal and various posters on their forums commit crimes. Their servers would be raided and shut down by the police if they were under the country's jurisdiction. The US was never governed or occupied by full-blown Nazis, so it is only natural that people tend to be more liberal about these matters there, but that's more of a historical coincidence than an argument.
bogwog
I almost picked them a while back because I searched for "domain registrars" and they came up. Nowhere on the website did it say anything about neo-nazis, fascism, conspiracy theories, etc. Just seemed like a simple registrar with no GoDaddy-esque sleaziness, and a neat, memorable domain name.
So so happy that I ended up not signing up. I just wanted a domain for my personal site and email, but I would've ended up on a public list next to nazis.
veeti
I registered an account with Epik in 2017 before any notoriety over Gab or whatever (though I did not ultimately end up using their services). Apparently this justifies doxxing and slandering me as a neo-nazi.
Considering that Epik have been in operation for almost a decade before a pivot to extremist hosting, I would assume that the vast majority of this """noble""" hack concerns innocent people.
oefrha
Find me a service open to the public and I’ll find you “nazi” customers by someone’s definition. Hell, people were and probably still are “boycotting” GitHub (as in, they put feel-good slogans in their profile while still using it) a while ago for having U.S. Immigrations and Customs Enforcement as a customer. I’m sure if someone manages to completely hack GitHub, they will post everyone’s private repos and billing info, and it’s a just cause because GitHub hosts code for horrible people.
donatj
I’ve run a website non-stop for over twenty years. I intend to keep it up as long as the internet exists. It’s not really had any major changes since 2008, but it’s a major source of nostalgia in my life. Beyond that it hosts my email address.
I was curious about prepaying for years of my domain in advance, and stumbled upon Epik.
Epik offers a “forever registration” where you get a domain “forever” for something like $500. I was seriously considering it before I heard about all the negative shit associated with them.
I suspect they’ve sold that service to at least a few average Joes.
ryantgtg
I’m a regular folk that currently uses epik (just as a domain host). We (actually a volunteer who donated our domain name to us) registered with them like 12 years ago.
I tried to move off of them a couple years ago, but I moved to lunarpages and they didn’t have enough dns options for my service. So then I had to move back to epik.
Um, can anyone recommend another domain host? EDIT: transfer initiated.
Zancarius
I know your question was already answered at this point, but I'm using Namecheap for the domains I didn't have on Epik (mostly personal and some parked that I'm planning on building out eventually).
I've nothing but good things to say about Namecheap. Some of their employees post here from time to time and seem responsive to issues.
BeFlatXIII
What would be extremely funny is if a different group of fake hactivists did a similar hack elsewhere but deliberately added junk data as a way to discredit all hactivism.
gremloni
It’s mostly nazis. If you’re not a nazi there should be enough pressure to stop you from associating yourself with epik.
gfodor
Horrible argument. Textbook guilt-by-association, and in this case, the "association" is particularly weak.
gremloni
Yea guilt by association works well here. If you’re at the klan meeting, you’re probably a klan member.
_-david-_
Let's take your logic and apply it to HN.
There are some Nazis here. If you do not stop posting here you are associating with Nazis. Since you post here you are either a Nazi or Nazi sympathizer.
gremloni
Nazis are an unwelcome minority here and the leadership here is vocally against nazis. Can’t say the same for epik.
ryan29
Did anyone download it and look? This is huge if it's true isn't it? I don't want to download it because I don't know what the laws are, but I'm really interested to know if it's true. Rob Monster is a really big domain investor, right?
This is really big news if it's true.
Edit: I looked it up. Rob started Epik [1]. I wonder if that's really his password. Lol.
Edit 2: I wasn't aware of Epik's reputation either. I just knew they're a big (ish) registrar.
Natsu
I heard about it yesterday but only the release on Twitter, I haven't seen the torrent.
It will be interesting to see which media outlets report on it after so many adopted a policy of not reporting on hacked info.
zavertnik
The torrent is on her website, a few people tweeted that they finally had seeders, but I'm unsure if they got the entire archive.
I'm currently trying to download it now, but the torrent file is so large that it's crashing most torrent software (pico, deluge, webtorrent) I throw at it, on 2 machines!
NavinF
How big is it? I had similar issues downloading danbooru2020 (3.4TB), but rtorrent did the job with only ~5G RSS. Every other client used 4x the memory and never completed the download.
adriancr
transmission seems fine
r721
From Emma Best (DDoSecrets)'s tweets it looks like it's unavailable at the moment (6h ago):
>There don't seem to be any active seeds and just under 0.5% seems to be available ATM, so... we'll see what happens!
commoner
It's possible that the source sharded the torrent payload and then distributed the shards among multiple "seeds" that are brought online/offline on a rolling schedule, to avoid being identified as the lone seed. Since none of the "seeds" have the entire payload, they are identified as peers (specifically, leechers) in the torrent client.
nebula8804
This 30+ MB torrent file is choking ruTorrent and Deluge clients on my seedbox. Not sure how to fix it. Do you know of some alternative way to process such a large file? I have never seen such a large torrent file like this before.
iszomer
I downloaded the torrent file and casually browsed the index but didn't want to waste my time, bandwidth, and storage for a 150+ GB dump.
mcintyre1994
Looks like they had access to their CDN at some point too: https://archive.is/traih
EamonnMR
I love the old school memes (seven proxies, cowsay, nine thousand, the whole thing being a txt file.) Some early aughts charm right there.
hwers
Tells you something about the age of the hackers probably (over 30)
optimalsolver
The old boys ride again.
Thorrez
Lest anyone be confused, this is Epik the web hosting company[1], not Epic Games the videogame company[2], or Epic Systems the healthcare software company[3].
[1] https://en.wikipedia.org/wiki/Epik_(company)
LewisVerstappen
Nor is it Epic! the digital reading platform for kids[1], not EPIC the Electronic Privacy Information Center[2], or EPIC Provisions the company behind high protein meat snacks[3].
chrischen
While I wasn't going to get it confused with any other Epics, I had no idea what Epik with a K was.
Hackbraten
Neither is it Epyx, Inc., the venerable videogame company [1].
atlanta90210
Epyx published Jumpman on the Commodore 64. Loved that game.
FDSGSG
>[2] https://epic.org/
https://epic.org/privacy/surveillance/prg-scorecard/basis.ph...
Only two left to go?
Thorrez
Wow, do you try to SQL inject every site linked from HN comments?
trymas
> Epik was founded in 2009 by Rob Monster
The founder's name is like from The Onion article.
junon
The whole site looks like it's parody information ("epic" with a K, "Rob Monster", nazi stuff, etc) but it becomes weirder when you realize they aren't parodying anything and all of it is accurate.
Applejinx
Very interesting that Anonymous went after them. I guess it just goes to show you that Anonymous is nobody's puppet, however much any given cause would like to consider them its personal army.
Apparently NOT Epik's personal army: far from it.
post_break
Thanks, I thought it was Epic Systems and was worried about all the healthcare data flowing.
petecooper
The linked .torrent file is ~30MB, and appears to be ~180GB of data with ~190,000 files. It's split into ~689,000 pieces of ~256KB, hence the comparatively large .torrent file overall.
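The arithmetic in the comment above is worth seeing on real structure: a .torrent file is a bencoded dictionary whose `info.pieces` string holds one 20-byte SHA-1 per piece, so the metadata grows linearly with the number of pieces, and a small piece length over a large payload produces a very large .torrent regardless of how many files it contains. The block below is an added example, not code from the thread: a minimal bencode encoder/decoder, a constructed three-file torrent (the file names, sizes and piece hashes are made up for the demo), a summary function that reports piece count and hash bytes, and a helper that estimates the hash block for a payload of a given size. It also checks that the piece count in `pieces` is consistent with the declared total, which is a cheap sanity check before handing an unusually large .torrent to a client.

```python
"""Bencode parsing and .torrent metadata sizing (added example)."""
import hashlib
import math


def bencode(obj) -> bytes:
    """Encode ints, bytes/str, lists and dicts (keys sorted, as the format requires)."""
    if isinstance(obj, bool):
        raise TypeError("bencode has no boolean type")
    if isinstance(obj, int):
        return b"i%de" % obj
    if isinstance(obj, str):
        obj = obj.encode()
    if isinstance(obj, bytes):
        return b"%d:%s" % (len(obj), obj)
    if isinstance(obj, list):
        return b"l" + b"".join(bencode(x) for x in obj) + b"e"
    if isinstance(obj, dict):
        items = sorted((k.encode() if isinstance(k, str) else k, v) for k, v in obj.items())
        return b"d" + b"".join(bencode(k) + bencode(v) for k, v in items) + b"e"
    raise TypeError(f"cannot bencode {type(obj).__name__}")


def bdecode(data: bytes, pos: int = 0):
    """Decode one value starting at pos; returns (value, next_pos). Strings stay bytes."""
    c = data[pos:pos + 1]
    if c == b"i":
        end = data.index(b"e", pos)
        return int(data[pos + 1:end]), end + 1
    if c == b"l":
        pos, out = pos + 1, []
        while data[pos:pos + 1] != b"e":
            v, pos = bdecode(data, pos)
            out.append(v)
        return out, pos + 1
    if c == b"d":
        pos, out = pos + 1, {}
        while data[pos:pos + 1] != b"e":
            k, pos = bdecode(data, pos)
            v, pos = bdecode(data, pos)
            out[k] = v
        return out, pos + 1
    if c.isdigit():
        colon = data.index(b":", pos)
        n, start = int(data[pos:colon]), colon + 1
        return data[start:start + n], start + n
    raise ValueError(f"bad bencode at offset {pos}")


def estimate_hash_bytes(total_bytes: int, piece_length: int) -> int:
    """Size of the info.pieces string alone: 20 bytes of SHA-1 per piece."""
    return math.ceil(total_bytes / piece_length) * 20


def build_sample_torrent() -> bytes:
    """Constructed multi-file torrent: three files, 256 KiB pieces, dummy piece hashes."""
    files = [(b"dump/a.sql", 1_000_000), (b"dump/b.sql", 500_000), (b"dump/c.txt", 100_000)]
    piece_length = 256 * 1024
    total = sum(size for _, size in files)
    piece_count = math.ceil(total / piece_length)
    pieces = b"".join(hashlib.sha1(b"constructed piece %d" % i).digest() for i in range(piece_count))
    info = {b"name": b"constructed-dump", b"piece length": piece_length, b"pieces": pieces,
            b"files": [{b"path": path.split(b"/"), b"length": size} for path, size in files]}
    return bencode({b"announce": b"http://tracker.invalid/announce", b"info": info})


def torrent_summary(torrent_bytes: bytes) -> dict:
    """Report what drives the .torrent size and whether pieces matches the declared total."""
    meta, _ = bdecode(torrent_bytes)
    info = meta[b"info"]
    sizes = [f[b"length"] for f in info[b"files"]] if b"files" in info else [info[b"length"]]
    total, piece_length = sum(sizes), info[b"piece length"]
    if len(info[b"pieces"]) % 20:
        raise ValueError("pieces is not a whole number of SHA-1 digests")
    piece_count = len(info[b"pieces"]) // 20
    return {"file_count": len(sizes), "total_bytes": total, "piece_length": piece_length,
            "piece_count": piece_count, "hash_bytes": len(info[b"pieces"]),
            "pieces_consistent": piece_count == math.ceil(total / piece_length),
            "torrent_bytes": len(torrent_bytes)}


if __name__ == "__main__":
    print(torrent_summary(build_sample_torrent()))
    # The page's figures, ~180 GB at 256 KB pieces, give roughly 13.7 MB of hashes alone;
    # the ~190,000 path entries account for most of the remaining metadata.
    print(estimate_hash_bytes(180 * 10**9, 256 * 1024))
```

Clients that choke on a 30 MB .torrent usually do so because they materialise the full piece list and per-file metadata in memory several times over during parsing; the numbers above show why a larger piece length would have shrunk the file by an order of magnitude without changing the payload.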
banana_giraffe
Looks like the seeder is gone, but they were online just barely briefly enough to get the torrent metadata.
For those that are curious what's in there:
https://gist.github.com/Q726kbXuN/57f3825493d04867c3d192fd93...
wp381640
Wordpress with a bunch of plugins and a theme from themeforest. Figures.
I wouldn't be poking any bears had I been running that setup.
sieabahlpark
Looks like just a pretty standard WP frontend. Not really much of value.
1vuio0pswjnm7
That's because that page doesn't show the full list. Try this instead
https://gist.github.com/Q726kbXuN/57f3825493d04867c3d192fd93...
banana_giraffe
Or just click on "view the full file" to see the full list.
kgeist
Just a few days ago a Russian web host was hacked as well, with a similar statement. I guess they're all exploiting some recently discovered bug in web hosting software.
schleck8
Not infrastructure related, but on Monday the German Anonymous collective managed to get a former IT admin of one of the largest covid conspiracy theorists to hand over his credentials, transferred all domains (he had ~ 10 aliases) and deleted his Telegram channels
he still hasn't regained control -> https://www.attilahildmann.de/
southerntofu
Operation Tinfoil. Thanks for the link, love that!
throwawepik
There is a .swp file in the torrent:
> strings .whois.sql.swp
b0nano 5.4
anonymous
datahound
whois.sql
I tested on my machine and nano swap files contain the nano version (5.4), the username (anonymous), the hostname (datahound) and the filename (whois.sql).
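The strings output above is nano's lock file, which nano writes next to any file it has open and which survives if the editor is killed or the directory is archived while the file is still open. The block below is an added example, not code from the thread: it parses the fixed 1024-byte record nano writes (the offsets are taken from nano's write_lockfile() in files.c as I recall it, which mirrors vim's swap header; treat the layout as an assumption rather than something the page states), and it walks a directory tree for stray `.*.swp` files so that a release, backup or data export can be checked for editor metadata before it leaves the machine. The sample lock file is constructed from the values quoted in the comment; the PID and the second, non-nano file are made up.

```python
"""Parse GNU nano lock files and find stray ones in a tree (added example)."""
import os
import struct
import tempfile
from pathlib import Path

LOCKSIZE = 1024  # nano writes a fixed-size record, zero-filled


def _put(buf: bytearray, offset: int, text: str, limit: int) -> None:
    """strncpy-style copy: at most `limit` bytes, no terminator guaranteed."""
    raw = text.encode()[:limit]
    buf[offset:offset + len(raw)] = raw


def build_nano_lockfile(version: str, pid: int, username: str, hostname: str,
                        filename: str, modified: bool = False) -> bytes:
    """Construct a record with nano's (assumed) layout, used here to build the sample."""
    buf = bytearray(LOCKSIZE)
    buf[0:2] = b"b0"                         # bytes 0-1: magic shared with vim
    _put(buf, 2, f"nano {version}", 10)      # bytes 2-12: program name and version
    buf[24:28] = struct.pack("<I", pid)      # bytes 24-27: little-endian PID
    _put(buf, 28, username, 16)              # bytes 28-43: username
    _put(buf, 68, hostname, 32)              # bytes 68-99: hostname
    _put(buf, 108, filename, 768)            # bytes 108-875: file being edited
    if modified:
        buf[1007] = 0x55                     # byte 1007: buffer had unsaved changes
    return bytes(buf)


def parse_nano_lockfile(data: bytes) -> dict:
    """Return the metadata a nano lock file exposes; raise ValueError if it is not one."""
    if len(data) < LOCKSIZE or data[0:2] != b"b0" or data[2:6] != b"nano":
        raise ValueError("not a nano lock file")

    def cstr(start: int, length: int) -> str:
        return data[start:start + length].split(b"\0", 1)[0].decode("utf-8", "replace")

    return {"program": cstr(2, 11),
            "pid": struct.unpack("<I", data[24:28])[0],
            "username": cstr(28, 16),
            "hostname": cstr(68, 32),
            "filename": cstr(108, 768),
            "modified": data[1007] == 0x55}


def find_editor_lockfiles(root) -> dict:
    """Map each .*.swp under root to its parsed nano metadata, or None if it is
    some other editor's swap file. Run this over a tree before publishing it."""
    hits = {}
    for path in Path(root).rglob(".*.swp"):
        try:
            hits[path.name] = parse_nano_lockfile(path.read_bytes())
        except ValueError:
            hits[path.name] = None
    return hits


def self_check() -> dict:
    """Write a constructed tree into a temp dir and scan it; returns name -> metadata."""
    with tempfile.TemporaryDirectory() as tmp:
        Path(tmp, ".whois.sql.swp").write_bytes(
            build_nano_lockfile("5.4", 4242, "anonymous", "datahound", "whois.sql", modified=True))
        Path(tmp, ".other.swp").write_bytes(b"b0VIM 8.2 constructed non-nano header")
        Path(tmp, "whois.sql").write_bytes(b"-- constructed payload\n")
        return find_editor_lockfiles(tmp)


if __name__ == "__main__":
    for name, info in self_check().items():
        print(name, info)
```

Nothing in the record is hashed or obfuscated, which is exactly why `strings` was enough in the comment above; the same check, run on the producing side, is the only thing that would have kept the username and hostname out of the archive.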
southerntofu
Nice catch! I downvoted though, because helping to deanonymize antifascist hackers is against my ethics.
rijoja
The ethical thing to do when you find a security breach is to report it to them. If you support people who are willing to commit crime to get into power then I really hope that you take some time to think about your political convictions.
southerntofu
> The ethical thing to do when you find a security breach is to report it to them.
Do you hold secret services and private hacking companies (Hacking Team, Cellebrite..) to the same standards? If not, why are you complaining about this instance of small-scale hacking for the lulz, and not about the actual insecurity industry who derives power/authority and money from hacking?
> If you support people who are willing to commit crime to get into power
I certainly don't. I despise power in all forms, unless you're talking power as in "empowerment" or "power to the people". I will however, defend and help anyone committing crimes to abolish power and injustice, because "justice" is not something that can be measured or achieved with the oppressors' tools, namely laws and repression.
If you don't support people who break unjust laws and help make those abusing power accountable, I really hope that you take some time to think about your political convictions, and what you would have thought of the Resistance movement against nazi occupation during WWII.
createunderrate
Quietly reporting a security breach to the company you breached will not make other companies think twice about mishandling the data of their users.
nextlevelwizard
So you are saying that this Epik company was run by fascists?
southerntofu
I'm saying they are very confident and happy to host actual fascists and other stripes of neo-nazis and white supremacists. I have no clue about their own personal opinions, although some people further down this thread suggested they had such affiliations.
Providing material support to people is never neutral. I'm happy some sysadmins and community managers are taking a stand against abuse and harassment. On the other hand i'm also concerned State-mandated censorship is detrimental to human rights and will in fact be used more (as it already is) against anarchists, queers and other minorities and not against actual fascists because our governments are much closer to the historical definitions of "fascism" than they'd like to admit. So i'm clearly against censorship, but i agree with XKCD that kicking assholes out of our communities is not a "free speech" issue: https://xkcd.com/1357/
I can't say i'm very comfortable with these "free speech" hosts who would certainly turn away any opinions they disagree with. I much prefer radical servers like riseup/autistici who have clear policies on where they stand politically and what kind of activities they're ready to fight for and what kind of activities they'll fight off.
Contrary to Protonmail and their millions of dollars, Riseup is a self-organized non-profit (born of the altermondialist/internationalist movement) who had servers seized rather than rat on their users [0]... unless some people/activities directly contradict their ethical principles in which case they reserve the right to collaborate with law enforcement [1] instead of risking the infrastructure needed by all their users (as in a seppuku pledge, like Lavabit did).
[0] https://riseup.net/en/about-us/press/fbi-seizes-anonymous-re...
[1] https://riseup.net/en/about-us/policy/government-faq#what-ab...
r721
Twitter thread: https://twitter.com/chadloder/status/1437517323775086594
Archived OP link: https://archive.is/KJTHN
>NOTORIOUS "HACKERS ON ESTRADIOL" PRESENT GRAND REVEAL
I love how this is a tongue-in-cheek reference to the "hackers on steroids" piece from 2007 https://www.youtube.com/watch?v=DNO6G4ApJQY