GitLab has opted to remove the list of servers that you posted in your snippet. GitLab views the exposure of the vulnerable systems as egregious and will not abide it.
While GitLab reserves the right to take further action, up to and including termination (https://about.gitlab.com/terms/), we have chosen not to terminate or lock your account.
Please know this decision was not reached lightly and we appreciate your understanding on the matter.
GitLab Support Team
This is a crucial point, because it shows GitLab is basically nonresponsive to the key issue; it's the difference between "Here's how to hack Giant Anchor Retailer" (unethical, possibly illegal) and "Giant Anchor Retailer has been hacked, estimated NNN cards may have been compromised" (of public interest, not illegal). In my case, I want to know if I used any of the retailers on the list!
For GitLab to call this "egregious" and that they "will not abide it" suggests that either GitLab is technically incompetent in security matters, or that they've received legal notices and decided that the shortest path to resolution is to throw their users under the nearest publicly-operated multiwheeled passenger conveyance. In either case, poor show, good reason to seriously consider moving off GH and GL.
You may exercise freedom of speech but not on a server that belongs to a private company - it is their right to limit what kind of content they like.
But in essence you are right - companies should exist to benefit society, but it is not how it exactly works right now.
Lots of people are saying "But the sites are already exploited" ... they are probably still exploitable further also, and GH/GL don't want to be at that party.
This is not about whether they are legally required to do anything, but whether what they are doing is responsible behavior.
As for being responsible - that is their motivation.
Should I assume that now you have access to this list that you will be contacting the site owners to notify them their sites are infected & exploitable? Would that be responsible on your part?
Their servers, and their decision on what data is on them.
Want to make it available for everyone to read? Run your own server and host it there.
tl;dr - you have the right to say what you want, but you can't force anyone to listen.
This is not a CVS, so you would still need to run something like git locally on your own server, but the idea of self-hosted modules will solve for the censorship of central authorities.
Github/-lab is for projects imho and not a publishing platform. Why don't you publish it on your blog or something? All power to Github/-lab, kick out such stuff!
The author says that he contacted "about 30 merchants directly", but the published list includes over 1000 merchants. Most merchants were neither informed nor given a chance to respond in a timely manner. We did not feel comfortable hosting information that could be construed as an open invitation for malicious users to exploit.
> We did not feel comfortable hosting information that could be construed as an open invitation for malicious users to exploit.
The sites were already exploited. That's the thing. At best I can see the argument you're making being "we don't want the sites to get exploited a second time", but that really shouldn't be a concern. The sites were already exploited, there's nothing left to protect. And publishing a list saying "this site has malware on it" doesn't actually tell anybody how the site was vulnerable anyway, unlike disclosing security vulnerabilities which by their very nature informs people how to take advantage of them.
Nope - corporate suits - and they give us a response which doesn't even make logical sense. Do they think we're idiots?
I'm not sure if GL is trying to protect themselves against something and are making up some excuse to justify it, but the reasons given for taking down the list don't hold water.
GL would be far better stating the real reason for taking the info down (surely there must be one).
So far what they've done is seemingly to protect the merchants' reputation and perhaps protect GL from some imagined legal backlash? The backlash would have no basis in court, or other services like Google's own Safe Browsing would not be viable.
Are we to assume that GL cares more about that than users/visitors to these sites?
The statement from GP is frankly pathetic.
> an open invitation for malicious users to exploit.
Malicious entities have already exploited these websites. This problem is widespread - over 1000 merchants. The author has not put the cart before the horse.
If I wanted to protect my family against this by installing uBlock Origin on their machines, could uBlock possibly be hosted somewhere where they wouldn't face this censorship? They have in the past temporarily blocked websites (e.g. Sourceforge adware) but have rapidly unblocked them when the issue is resolved; this has saved my bacon on numerous occasions.
I really appreciate the transparency here - kudos. You have your facts wrong.
Do you think Google should "responsibly" disclose and wait for webmaster's response before putting websites into Safe Browsing list?
Can I host a project which includes a list similar to Google Safe Browsing, or an adware remover where I list software I consider to be adware?
Not all, but some non-tech people do that.
And lots of webshop owners google their own shop. Shaming sites that are hosting malware seems perfectly reasonable.
On topic: I assume github/gitlab both completely misunderstood what is going on, and thought this was a disclosure of security holes that could be exploited.
I wouldn't be surprised if they do a lot of these.
Perhaps try to throw it up on a few different CDNs where you pay for the service and can contact support. Like S3 or dreamhost (they have decent support too). Arguably github/gitlab isn't the best hosting platform for misunderstood journalists.
As was noted, 600 sites have already cleaned up their act:
> Update Oct 14: 631 stores have been fixed, good work everybody!
So is it really as useless as you claim?
The 631 stores have likely been fixed b/c of the publicity (thanks to kicking the list out;)
I think I just don't like when this shame & name business happens on github/gitlab servers. Somewhere else, it's fine.
What about "technical" users?
Which terms specifically does it violate? The terms page you linked to is 10k words long.
As others have mentioned, this is not about responsible disclosure. If those merchants have the good of their customers at heart, they will act to clean up their sites and disclose the breach themselves. If not, they will move to censor this to avoid losing face, maybe not even bothering to remove the malware. And you're just helping them with this.
That does seem quite odd.
I am not a security expert though, and I might be missing out on something.
The responsibility of GitLab and GitHub is also not to judge if it's "more important" to protect the site owners' businesses or the people going to the sites.
If some sites are running malware, the site owners are responsible for fixing it and not harming the people using their sites, not GitLab or GitHub.
On the contrary if site owners could be harmed by the name of their sites being on such list on GitLab or GitHub, then GitLab or GitHub are responsible according to the DMCA.
So GitLab and GitHub are just acting on what they are held responsible for according to the law.
Disclaimer: I am working as a contractor for GitLab and I am not a lawyer. I took no part in GitLab's decision to censor the list and this is just my own opinion.
Nope. DMCA is about copyright, and we have not gotten to the point where someone's URL is copyrighted.
> It criminalizes production and dissemination of technology, devices, or services intended to circumvent measures (commonly known as digital rights management or DRM) that control access to copyrighted works. It also criminalizes the act of circumventing an access control, whether or not there is actual infringement of copyright itself.
So no the DMCA is not just about copyright.
businesses who have insurance for things like this, and possibly have software to reduce any issues that they would be directly affected by
or users who could lose a significant (and damaging) amount of money if they aren't careful with checking their statements?
It seems silly to support the scammers in this case?
Responsible disclosure works because companies are responsive to disclosure.
Full disclosure works because companies are negligent and they've been outed.
The author did contact said websites, it is their responsibility to fix the issue in a timely manner. Removing the content was akin to a newspaper removing stories relating to certain politicians to protect them. It is censorship.
This list could prevent people from getting their card skimmed, and you take it down.
I'm moving away from gitlab.
I have to confess, when GH did something offensive I did cancel my paid account there but I still use it, so I guess I didn't care that strongly about it after all...
Even if your cover story is true, you are basically throwing users and banks under the bus to help merchants with dirty card readers continue business as usual. Meanwhile users will continue to be defrauded, and banks will have to take the hit when users complain about charges they didn't make.
How can we even tell this is an official statement from GitLab?
I have a list of major sites with currently active phishing pages. This is basically a join of PhishTank and DMOZ. Nobody seems to be upset by that.
Google is at the top of the list because of their hosting business. It's not just Google Sites. You can put a web site in a Google Spreadsheet cell, which Google doesn't seem to check as a possible phishing site.
If you host for others, or offer a URL shortening service, you need automated checking against all available phishing lists or you will be exploited.
Now what? I'll give you a budget of $100 a year.
Game servers become hot targets by kids who just don't care and do anything to get your server taken down, whether it be competition or a user got banned or just about any reason they can sum up to try and find any given approach to take your service down.
Forgot to mention the free CloudFlare option as well (unless they stopped doing this, haven't had to deal with these things in a few years, but I have a feeling it's still about the same, there's likely even more offers now out there).
The DMCA as written really encourages no investigation whatsoever on the part of the service provider, this is pretty much how everyone acts. File a counter-notice with the service provider if you don't think your content violates anyone's copyright.
In this case, if Github took it down because of a DMCA notice, i think Github actually behaved _better_ than Gitlab. Github is simply following DMCA, if you file a counter-notice, they'll probably restore it -- if they don't, and say it's not an issue of copyright, it's just that they don't want to host your material, then at that point they'll be behaving similarly to Gitlab. Gitlab did not take it down because of a DMCA notice, they took it down because they decided it was 'egregious' and they just didn't want to host it.
I can't find any gitlab docs on filing a DMCA counter notice. Their DMCA policy at https://about.gitlab.com/dmca/ is short and solely targeted at those claiming infringement; there is no description of how to file a counter-notice.
In this case, I think github wins. The terrible parts of github's counter-notice policy (10-14 days until your content comes back) is part of the DMCA law. Take it up with your congresspeople. http://io9.gizmodo.com/the-dmca-how-it-works-and-how-its-abu...
However, reading OP again -- it's not clear to me that Github took it down because of DMCA. They may simply be acting exactly like Gitlab, taking it down because they don't want to host it, unrelated to DMCA. But I wanted to clear up some things about the DMCA, since OP mentioned it.
Exactly, there seems to be a common misunderstanding that if anything is taken down then it because of DMCA, there are number of ways content may be removed from a platform, be it GitHub, Facebook, YouTube, etc. Not all of it is DMCA.
In fact for large platforms that offer take down processes outside of DMCA I would say the vast majority is not, for example anything taken down via ContentID on Youtube is NOT a dmca take down.
I didn't see the list, but did it by any chance contain the logos of the online stores? If it did, the DMCA notices make sense.
The claims are probably from the malware perpetrators as a way to censor discussion and keep the gravy train rolling. It's possible also that the embarrassed commerce sites would file a DMCA claim to keep the public in the dark about how insecure their sites are/were.
As long as you're okay being found guilty of perjury by a US court, or have no plans to enter a US jurisdiction in the near future, you can get any content you want taken down from any site that's required to follow the DMCA.
Service providers have a choice:
a) follow the DMCA takedown process and be shielded from all liability, whether or not the claim has actual merit
b) evaluate each takedown notice to decide if the material falls within the scope of copyright, ignore takedowns where in the service provider's opinion the material is outside the scope of copyright, and should it go to court, be forced to defend that position on its merits instead of having an automatic liability shield
What sensible service provider is going to choose option b?
This is true, but totally irrelevant as it misses the point of the question.
It's smarter (under the seriously f'ed up DMCA system) to pull it down and wait for a counter notice, at which point they put it back up, and they aren't responsible any more — the person filing the counter notice is responsible because a false counter claim counts as perjury.
At that point, the original issuer of the takedown notice can sue.
Of course, it almost never gets that far when the takedown notices are spurious, as in this case. That's what makes the DMCA such a bad idea — it's a perfect tool for censorship.
I don't think it is that simple. Yes, you may claim a copyright on whole compilation. But you could as well claim a copyright on some parts within that compilation. Since the compilation is a single document, claiming copyright on some part of it would also be sufficient for a takedown.
I am personally very sorry that GL got in a bad light here. They had misinterpreted my data and have acknowledged that. For comparison, I have heard nothing from GH over the last two days.
Gitlab, you rock.
You were doing a public service by listing already-exploited machines that are snarfing credit card numbers. And that is of great importance for anyone who buys stuff online (like... all of us).
It also goes to show that we need to further develop P2P type technologies like IPFS and similar stacks, to rid ourselves of monolithic companies' dictatorial hands. Because if they find you "unsuitable", you are no longer welcome. That's a problem, for all of us.
I had a similar problem with a VPS provider 2 weeks ago. I run IPFS on all my nodes, and comply with good netizen and compsec principles. They ToSsed me, because "my machine was scanning :4001 and they received a complaint". Bullshit. That is the chatter IPFS uses when maintaining the DHT. However, I was actually using a machine and what I paid for... and they didn't like it.
Fortunately, since all my data is via IPFS (and /ipfs and /ipns thanks to filesystem mounting), my data was already backed up and distributed. Filing a dispute with Paypal and purchasing another VPS provider was simple.
I'm especially disappointed by GL. GH is already too big to care about such things.
Even if the service's site had been shut down, everyone would always be able to obtain the transaction from its hash using any bitcoin client/blockchain explorer, convert it to ASCII and read the text.
I'd like to note that it is worth signing all messages posted that way with GPG, in order to be able to post updates and verify authorship.
The person was not exposing sites that nobody previously knew about -- the sites were already compromised, there is nothing to compromise again except maybe having more than one attacker in your compromised account. The damage is already done, though.
These are likely web applications that were not kept up to date so the responsible security disclosure already happened when it was reported for WordPress/Drupal/Joomla. It is the site owners responsibility to pay attention to those security disclosures, which they likely failed to do.
And those compromised sites, in my experience, are usually attacking and infecting other sites and servers on the Internet. That makes them a public nuisance and so public disclosure is necessary so they can be appropriately blocked/isolated.
Also, are they actually using DMCA to get these lists taken down? If so, isn't there some penalty for filing a false DMCA?
Only if you get caught, which I don't think will be the case if they did anything to cover up their tracks
Send a counter-notification asserting that the data is not under copyright and have it put back up. Assuming this is really DMCA.
That is quite the catch 22. And of course many of the sites owners are clueless and don't even know how to patch or fix their systems.
My, isn't that a mess?
Also, Pastebin has some shady practices. One example: they offer HTTPS support as a premium feature.
BUT! The point here is the OP claims this is a shady practice: to provide HTTPS to their paying customers.
A shady practice is if they take your personal information and sell it to another without telling you. Shady is when companies lie to their customers.
And this situation is not.
I'm pretty sure someone here has a GitLab instance that is willing to share for this purpose.
However it's a problem and we need a solution.
A torrent? Yes but Google won't index it.
A file on S3 wouldn't work because they could just download it as many times as needed to make the bill skyrocket. Better than a DMCA.
Anything that is unaffected by DDoS, costs no money, can be indexed?
Edit. One more requirement: not easy censorship.
IPFS links are immutable, whereas IPNS links are a mutable pointer to an IPFS hash. They can be updated at will, making them ideal for changing content with a stable hash.
I think the fastest way to get sites fixed is to run a script that crawls sites in the list, parses their Twitter and posts a warning there with link to original article.
Can someone help with that?
Let's crowdfund an AWS S3+CloudFront hosted site. DDoSing that is no easy feat, and if corps do try it, the logs can prove their complicity, which has legal implications I presume.
I'd be curious whether Gitlab/hub could be held responsible for proving the accuracy of the claims? (That was my initial assumption as to the reason they were taken down.)
Also, it will ask for an email on registration, but it isn't verified and no email is sent.
> I have, prior to publication, submitted all URLs and malware samples to Google’s Safe Browsing team. They have since only acted upon a small portion of the sites.
7. I have, prior to publication, submitted all URLs and malware samples to Google’s Safe Browsing team. They have since only acted upon a small portion of the sites.
OP doesn't go into details of how they check the stores, but I'd assume they have some sort of script as they checked 255k. If that's the case it would be trivial to send an automated email if malware is detected, and include links explaining how to fix it.
It won't resolve everything but it's a lot nicer than naming & shaming businesses who have effectively done nothing wrong. What I mean is they probably hired a developer or team to build their website, and assumed that they would build a secure website - they didn't go out purposely and find someone to build them a site that would be hacked.
Aren't they actively running malware as a result of their own laziness not to upgrade their Magento Site?
This malware is being used to steal customer credit cards (at the very least) - perhaps identity theft as well. They are the very agents of 3rd-party hackers. This list should be sent to the proper authorities and have the stores closed immediately.
Customers who have made purchases at these stores can and should be looking at lawsuits.
If you're going to run a 3rd-party solution for your ecommerce needs and patches have long been made available, you patch. If you can't even do this one simple thing - you get run off the internet for criminal negligence.
So the malware should be allowed to continue stealing credit card numbers just because the site owners don't know any better?
Is that really a position you wish to defend?
As I said, and GitLab suggested, OP should at least contact them. If you contact them and they say they won't do anything, now that's a different story...
So it sounds like does a pretty good job of fixing things
Someone will make a browser extension that uses this list to warn users?
Change the browser, change the payment system, educate the user by using plugins, propose enhanced security methods in ECMAScript. Write about how easy it is to make missteps on the net. These are all alternatives which might help in a more permanent fashion.
There's nothing ineffective about uncovering a problem and using transparency to create an incentive to fix it. Crude, yes, but not ineffective at all.
What GL did might be considered complicit in skimming users, especially if they acted under pressure from fraudulent shops or even the skimmers themselves (how do we know?).
There is nothing a client can do when the server is compromised.
1. Instruct users never to enter card details directly into a website, but rely on a redirect to the card provider. This would change the origin. When properly set up, this should catch 99% of the problems.
2. Provide stricter browser controls, so third-party ECMAScript is not loaded into the browser by CORS. Again, instruct the user or have us make better browsers.
3. Lobby for better payment services. Here in the Netherlands, payment is done using iDEAL, on a separate origin (using redirects) and the payment is validated using a separate device.
The secondary problem is with the websites, the primary problem is with the supporting technology.
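Point 2 in the list above asks for browser controls that keep third-party script off a checkout page; the mechanism browsers actually offer for that is the Content-Security-Policy header's script-src directive (CORS governs reads of cross-origin responses, not which scripts may execute). The following is an added example, not code from the thread or from any project: a small script-src evaluator that shows a permissive policy admitting a script from any host while a strict allow-list rejects it. All hostnames are constructed; nonces, hashes and 'strict-dynamic' are out of scope.

```javascript
// Added example: minimal evaluator for the CSP script-src directive.
// Handles 'self', 'none', 'unsafe-inline', scheme sources ("https:") and
// host sources with optional scheme, wildcard subdomain, port and path.
// Nonces, hashes and 'strict-dynamic' are deliberately not modelled.

function parseDirectives(policy) {
  const directives = {};
  for (const part of policy.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    directives[name.toLowerCase()] = sources.map((s) => s.toLowerCase());
  }
  return directives;
}

// script-src governs scripts; default-src is the fallback; with neither
// present the policy imposes no restriction on scripts at all (null).
function scriptSources(policy) {
  const d = parseDirectives(policy);
  return d["script-src"] || d["default-src"] || null;
}

function hostMatches(pattern, host) {
  if (pattern === "*") return true;
  if (pattern.startsWith("*.")) {
    const suffix = pattern.slice(1); // "*.shop.example" -> ".shop.example"
    return host.endsWith(suffix) && host.length > suffix.length;
  }
  return pattern === host;
}

// Host-source grammar: [scheme://]host[:port][/path]
const HOST_SOURCE = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^:\/]+)(?::(\d+|\*))?(\/.*)?$/;
const defaultPort = (scheme) => (scheme === "https" ? "443" : "80");

function hostSourceMatches(src, url) {
  const m = HOST_SOURCE.exec(src);
  if (!m) return false;
  const [, scheme, host, port, path] = m;
  if (scheme && scheme + ":" !== url.protocol) return false;
  if (!hostMatches(host, url.hostname)) return false;
  const urlScheme = url.protocol.slice(0, -1);
  const urlPort = url.port || defaultPort(urlScheme);
  const srcPort = port || defaultPort(scheme || urlScheme);
  if (srcPort !== "*" && srcPort !== urlPort) return false;
  if (path) {
    // A path ending in "/" covers everything beneath it; otherwise exact match.
    return path.endsWith("/") ? url.pathname.startsWith(path) : url.pathname === path;
  }
  return true;
}

// Would the browser execute an external script from scriptUrl on pageOrigin?
function scriptAllowed(policy, pageOrigin, scriptUrl) {
  const sources = scriptSources(policy);
  if (sources === null) return true; // no applicable directive: unrestricted
  const page = new URL(pageOrigin);
  const script = new URL(scriptUrl);
  for (const src of sources) {
    if (src === "'none'") return false;
    if (src === "'self'") { if (script.origin === page.origin) return true; continue; }
    if (src.startsWith("'")) continue; // keyword sources never match a URL
    if (/^[a-z][a-z0-9+.-]*:$/.test(src)) { // scheme source, e.g. "https:"
      if (script.protocol === src) return true;
      continue;
    }
    if (hostSourceMatches(src, script)) return true;
  }
  return false;
}

// Would an injected inline <script> block run? Card skimmers are often
// injected inline, so 'unsafe-inline' gives away most of the policy's value.
function inlineAllowed(policy) {
  const sources = scriptSources(policy);
  return sources === null || sources.includes("'unsafe-inline'");
}
```

A policy such as `default-src 'self'; script-src 'self' https://js.payment-provider.example` (constructed) is the shape a checkout page wants: only the shop's own origin and its payment provider may deliver script, and nothing inline runs.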
Edit - Poor analogy removed.
You can't really hire someone with the expectation that they'll develop secure code. Finding flaws in code people thought was secure is a pentester's job, and it's a completely different skillset.
https://news.ycombinator.com/item?id=12309035 is informative. For what it's worth, it changed my mind on the matter.
To give you an idea of how unrealistic your scenario is: In reality, yes, the owner of the damaged property could force you to pay for the repair, but also, you could force the plumber to reimburse you for that, and they in turn probably will have insurance for that sort of thing that will reimburse them in turn. No one would be kicked out of anything, except for the plumber by the insurer if they had that happen a bit too often.
So, because you expect the owners of the affected websites to be dumb, users should not be protected from malware?
But I'll give you an example of how such sites would get fixed: I used to own and work for a CSE, where thousands of stores are listed. If I had easy access to this list, I'd take a quick look at it for possible clients and ask my former company to contact them. They'd first delist the affected shops from the comparison shopping website, then spend enough time with the owners to make sure they understand and can fix the problem.
Github in their ignorance prevented this, but thankfully archive.org exists...
On the other hand, the safe browsing feature of modern browsers usually creates enough pressure on affected shops that they are fixed quickly - so if some shops don't seem to act quickly, they're probably fraudulent themselves.
This has been empirically proven false. As noted in an addendum to the post, 631 broken sites got fixed in just 2 days after the list got published.
They are putting their users at risk through negligence. Many would argue that's wrong.
Twitter is better. Warned users are the best motivation to fix.
Needless to say, I've seen most of those websites for the 1st time.
The world is unfair? No, it's fair and this proves that it is fair.
Imagine if this is instead a list of real world ATMs. The correct response is not "well ive never seen these ATMs before just don't use them, duh", it's "how the fuck can this be allowed to happen and how do we fix it".