Kiwifarms under attack | Veteran of the Psychic Wars | The Internet is for EVERYONE.

Status
Not open for further replies.

Collision

Green Tea Ice Cream
Joined
Jun 5, 2022
Messages
381
Reaction score
1,420
Awards
126
Yes, it certainly seems like this exploit was his fuckup. He gloated quite a bit when Ethan Ralph's shit got hacked, and that looks really bad now in hindsight.
It's a stupid mistake. These things happen all the time but it's still stupid that he, apparently, wasn't validating and sanitizing inputs properly. I'm personally more bothered by the software endorsements thread and the ruforo thread (unfortunately most of the posts about how smart writing your own forum software in Rust is aren't archived here). If he wasn't putting himself out there as an expert that people should trust then I wouldn't be bothered that he made stupid mistakes.

Does anyone remember if something similar happened with Infinity Next? I remember there being a security exploit that allowed dumping all the user information but I can't seem to find any records of it.
 

handoferis

Executor of Dry IT Men
Bronze
Joined
May 28, 2022
Messages
737
Reaction score
1,909
Awards
195
It's a stupid mistake. These things happen all the time but it's still stupid that he, apparently, wasn't validating and sanitizing inputs properly. I'm personally more bothered by the software endorsements thread and the ruforo thread (unfortunately most of the posts about how smart writing your own forum software in Rust is aren't archived here). If he wasn't putting himself out there as an expert that people should trust then I wouldn't be bothered that he made stupid mistakes.

Does anyone remember if something similar happened with Infinity Next? I remember there being a security exploit that allowed dumping all the user information but I can't seem to find any records of it.
From what I can glean, it looks like a unique interaction of shimming some shit you wrote into another piece of software that doesn't do validation. i.e., bunk file was uploaded to xenforo containing code, got linked into chat, code executed. idk if he knew that xenforo was vulnerable to this (but he should have assumed outdated version was full of holes), but just blindly allowing attachments from parent service to load into shim that was using the session from the parent service is the problem here (as the chat shim was displayed at the top of every page). If this method had been used solely within xenforo, it would have been limited to people viewing pages containing that particular attachment (assuming xenforo would have executed the code), and would have been slower to act and likely detectable before chowing down on an admin session, as you'd have people going "hey why'd my avatar change?"

Session reuse in a globally loaded shim was the real mistake, with a side of trusting other software implicitly to do the job for you. obvs haven't seen the ins and outs so this is to some level speculation, but it's my best guess at what happened.
 

Collision

Green Tea Ice Cream
Joined
Jun 5, 2022
Messages
381
Reaction score
1,420
Awards
126
From what I can glean, it looks like a unique interaction of shimming some shit you wrote into another piece of software that doesn't do validation. i.e., bunk file was uploaded to xenforo containing code, got linked into chat, code executed. idk if he knew that xenforo was vulnerable to this (but he should have assumed outdated version was full of holes), but just blindly allowing attachments from parent service to load into shim that was using the session from the parent service is the problem here (as the chat shim was displayed at the top of every page). If this method had been used solely within xenforo, it would have been limited to people viewing pages containing that particular attachment (assuming xenforo would have executed the code), and would have been slower to act and likely detectable before chowing down on an admin session, as you'd have people going "hey why'd my avatar change?"
Based on the source, it looks to me like the sanitization is not executed when a message has bbcode tags inside bbcode tags. I might be misinterpreting what's going on because my experience with Rust is essentially 0. Either way, hooking the ruforo chat server into his production site was a bad idea.

Reading over Null's statement I also noticed this :lainDissatisfied:
[attached screenshot]
 

handoferis

Executor of Dry IT Men
Bronze
Joined
May 28, 2022
Messages
737
Reaction score
1,909
Awards
195
Based on the source, it looks to me like the sanitization is not executed when a message has bbcode tags inside bbcode tags. I might be misinterpreting what's going on because my experience with Rust is essentially 0. Either way, hooking the ruforo chat server into his production site was a bad idea.

Reading over Null's statement I also noticed this :lainDissatisfied:
mh, this doesn't really cover it. tags in tags aren't sanitized but are appended to the parent and sanitized later. this sanitization only operates on plain text though, and the payload was delivered inside a .opus file so wouldn't have been caught either way. also not a rust dev, but it looks like links/images just get straight passthrough.
 
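The two failure modes the posts above describe (inner bbcode appended raw to the parent and sanitized only as plain text, and links/images passed straight through so a non-image attachment such as an .opus file gets embedded) from the defender's side. This is an added illustration, not code from ruforo, XenForo or anyone in the thread; the [url]/[img] tag subset, the scheme and Content-Type allowlists, and the attachment-type map are all assumptions:

```python
import html
import re
from urllib.parse import urlsplit

# Assumed allowlists: URL schemes an embed may reference, and server-side
# sniffed Content-Types that may be rendered inline as images.
SAFE_SCHEMES = {"http", "https"}
INLINE_IMAGE_TYPES = {"image/png", "image/jpeg", "image/gif", "image/webp"}
OPEN_RE = re.compile(r"\[(url|img)(?:=([^\]]*))?\]", re.IGNORECASE)


def safe_url(raw: str) -> "str | None":
    """Return the URL if its scheme is allowlisted and it has a host, else None."""
    try:
        parts = urlsplit(raw.strip())
    except ValueError:
        return None
    if parts.scheme.lower() not in SAFE_SCHEMES or not parts.netloc:
        return None
    return parts.geturl()


def render_bbcode(text: str, attachment_types: "dict[str, str]") -> str:
    """Render the tag subset to HTML; everything else is escaped as text.
    Nested tags are rendered recursively, so inner text is escaped where it is
    emitted instead of being appended raw to the parent. attachment_types maps
    attachment URL -> Content-Type sniffed from the uploaded bytes (a constructed
    stand-in for a forum's attachment table)."""
    out, pos = [], 0
    while (m := OPEN_RE.search(text, pos)) is not None:
        tag = m.group(1).lower()
        close = re.compile(rf"\[/{tag}\]", re.IGNORECASE).search(text, m.end())
        if close is None:                        # unclosed tag: keep it as literal text
            out.append(html.escape(text[pos:m.end()]))
            pos = m.end()
            continue
        out.append(html.escape(text[pos:m.start()]))
        inner, pos = text[m.end():close.start()], close.end()
        if tag == "url":
            href = safe_url(m.group(2) or inner)
            body = render_bbcode(inner, attachment_types)
            out.append(body if href is None else   # bad scheme: text only, no link
                       f'<a href="{html.escape(href)}" rel="noopener noreferrer">{body}</a>')
        else:
            src = safe_url(inner)
            if src is None or attachment_types.get(src) not in INLINE_IMAGE_TYPES:
                out.append(html.escape(inner))   # not a verified image: show as text
            else:
                out.append(f'<img src="{html.escape(src)}" alt="">')
    out.append(html.escape(text[pos:]))
    return "".join(out)
```

The Content-Type check is the part a front-end shim cannot do on its own: it has to come from the service that stored the upload, and the shim should refuse to embed anything that service has not vouched for.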

punishedgnome

Well-Known Traveler
Joined
Feb 2, 2022
Messages
481
Reaction score
1,145
Awards
123
He should walk away at this point for his own mental health. The site isn't worth it. Just vanish and log off for a few years. Get a job at some place that isn't going to care about your online history like a warehouse or some shit. Do a nostalgia appearance on the Dick Show in two years if you feel like it.
 

SolidStateSurvivor

This is Extremely Dangerous to Our Democracy
Joined
Feb 15, 2022
Messages
1,125
Reaction score
5,422
Awards
246
Website
youtuube.neocities.org
Further proof the inmates are running the asylum

He should walk away at this point for his own mental health. The site isn't worth it. Just vanish and log off for a few years. Get a job at some place that isn't going to care about your online history like a warehouse or some shit. Do a nostalgia appearance on the Dick Show in two years if you feel like it.
No, he needs to continue to fight this. Null needs to demonstrate that these sort of tactics will not be allowed to work on others in the future.
 

punishedgnome

Well-Known Traveler
Joined
Feb 2, 2022
Messages
481
Reaction score
1,145
Awards
123
No, he needs to continue to fight this. Null needs to demonstrate that these sort of tactics will not be allowed to work on others in the future.
I agree with your sentiment, but I don't see how someone getting unpersoned to this degree ends with anything other than a wobbly chair and some rope. He's the main character in Brazil after Information Retrieval captures him at this point. The best way to take away their power is to log off and not engage.
 

Collision

Green Tea Ice Cream
Joined
Jun 5, 2022
Messages
381
Reaction score
1,420
Awards
126
Null needs to demonstrate that these sort of tactics will not be allowed to work on others in the future.
It seems like they have already worked to the extent they can in the first place. Venerating Null is a mistake.

If people want a free and open network then they need to make personal choices that lead to that outcome.
 

Natalia Simp

My Queen!
Joined
Sep 23, 2021
Messages
118
Reaction score
171
Awards
42
No, he needs to continue to fight this. Null needs to demonstrate that these sort of tactics will not be allowed to work on others in the future.
Agreed, first it's Josh, and not much is lost. As we allow more of this to continue, it'll turn into political opponents, and anyone who thinks differently from TPTB.
 

Andrew Eldritch

Definitely Not Goth
Joined
Sep 22, 2022
Messages
35
Reaction score
69
Awards
16
He should walk away at this point for his own mental health. The site isn't worth it. Just vanish and log off for a few years. Get a job at some place that isn't going to care about your online history like a warehouse or some shit. Do a nostalgia appearance on the Dick Show in two years if you feel like it.
Josh is a bit of a lolcow himself, it seems he likes the attention to a certain extent. I don't think he will give the farms up so easily. If he was less of an edgelord when replying to the press and instead gave some serious statement like he did in those blogposts about the structure of the internet ('where the sidewalk ends' or something) he could have a serious point, but he's just screeching about those darn genocidal troons on telegram.

I hope the farms return so I can lurk the thread about disfigured babies and the parents that whore them out on social media.
 

nobodyhere

About that last paragraph... I used to use KF a lot, and while I think some of it is a testament to how destructive certain ""lifestyles"" are, are KiwiFarms not comprised of "freaks trying to scare people into submission"? Did CIA "GAYmer word"'s thread just... not happen?

KF is the prime example of a serpent eating its own tail. There's no winning with KF users; anytime a thread starts discussing anything of legitimate worth, you instantly get a bunch of anklebiters saying "REE SHUT UP CHRISTFAGS LOLLLL LOOK AT THIS!! DOESN'T IT MAKE YOU ANGRY!?????"
 
interesting to see that josh's new favorite rightwing daddy is moldbug. you know, the guy the early SJWs gave so many e-wedgies to that the powers that be had to bring in bannondorf and his merry crew to 2/3-heartedly larp as the new legion of doom

as a certain Twitter user (who was outed as a serial rapist a decade ago, or 6 years too early to wind up on any of these guys's radar) once said, "redpilled by moldbug again!!!!!"

every plan null makes seems to depend on his enemies, who he spent the last 6 years doing everything humanly possible to piss off as much as possible, somehow getting bored or backing off. it's like he's waiting for the same kinds of glowies who back matt walsh or libs of tiktok or what the fuck ever to swoop in and save his radioactive ass when in reality they could whip up 5 less troublesome clones of him in a second if they needed to and they don't feel the need to.

he doesn't understand that like him, his adversaries would absolutely go through hyper-unpersoning even if they didn't have institutional backing- and they do. a guy groomed by chanboards not even realizing his enemies are also guys groomed by chanboards. the incredible intellectual diligence of a guy who's even pissed off the dudes who coded his forum software.
 

Shantotto

TTD Militia
Joined
Jul 13, 2022
Messages
163
Reaction score
591
Awards
81
Josh is a bit of a lolcow himself, it seems he likes the attention to a certain extent. I don't think he will give the farms up so easily. If he was less of an edgelord when replying to the press and instead gave some serious statement like he did in those blogposts about the structure of the internet ('where the sidewalk ends' or something) he could have a serious point, but he's just screeching about those darn genocidal troons on telegram.

I hope the farms return so I can lurk the thread about disfigured babies and the parents that whore them out on social media.
This is true. Although I enjoy his unfiltered manner of speech, in a livestream with Nick Rekieta he admits that while he was struggling to get the help through support tickets and contacting very key people occupying the same server farm who actually might have been willing to help him keep the site afloat, his emails, according to a network engineer he recently got in contact with, made him sound like a complete asshole prick. So now he has the network engineer write the emails for him.
 


I feel the need to point out that KF is the only forum I can think of where people thought to contact the Xenforo guys and tell them to cut off updates. Not even the last remaining crime forums (i.e. Zooville) are getting that treatment. Just something that happens when the entire internet wants to fuck you.
 
Josh is a bit of a lolcow himself, it seems he likes the attention to a certain extent. I don't think he will give the farms up so easily. If he was less of an edgelord when replying to the press and instead gave some serious statement like he did in those blogposts about the structure of the internet ('where the sidewalk ends' or something) he could have a serious point, but he's just screeching about those darn genocidal troons on telegram.

I hope the farms return so I can lurk the thread about disfigured babies and the parents that whore them out on social media.

To be fair, I see this as a given because if you know your history, it shouldn't surprise anyone that the news media has a pretty bad history of distorting and warping both the words and perception of people as early as, I'd say, the 1860s and maybe earlier than that.

Point is that to Null, even if he were to make a serious statement, even if he were to speak with these journalists, they'll somehow twist what he says and he will be put in an (already) negative light with much of the general public contrary to the evidence, and to Null that's too much bullshit for him to deal with. So unfortunately, as of now, Telegram and his website are the only places he's going to make such statements without fear of having his words minced, and he'll only be interviewed by net users willing to lend an ear to him.
 

punishedgnome

Well-Known Traveler
Joined
Feb 2, 2022
Messages
481
Reaction score
1,145
Awards
123
Has Null ever reached out publicly (e.g., on a live stream or a featured post on kiwifarms.net) looking for employees/volunteers to help him maintain the site or to contribute to his software? Does he employ anyone other than himself at all? I'm genuinely curious about this.
Some guy on the forum going by Crunklord used to help him a lot, I don't know about the forums specifically, but a lot of other stuff related to Kiwi Farms like Kiwifarms.cc and the Kiwi Farm git instance. I also know he was working on an open source forums software in Rust that he was looking for people to work on.
 

thewhiterose

Traveler
Joined
Jul 9, 2022
Messages
30
Reaction score
85
Awards
14
I just wanted to chime in here and say, I've only ever really been in the periphery of KF and related stuff, so I don't know all of the history, drama, etc. But I've been following this whole thing and I'm just so unsettled by all of it. Regardless of how you feel about Null and KF, it's pretty chilling to realize this is what we've kind of been afraid of with regards to technology ramping up to such heights. What is happening to him is a legitimate nightmare. As a computer n00b (aka I don't know half the shit you guys are talking about) it seems like this shows just how duct taped together the infrastructure of the Internet really is.

Kind of feels like we are cavemen playing with something we don't fully understand the consequences of- we've built our entire society on top of the Internet but there are about 10 million holes which people can exploit if they hate you, in ways inconceivable to someone from a century ago. And many of those people might know other people who work for big tech companies who can personally fuck you over even worse. Government has no hope of regulating this shit, and even if they did they wouldn't do it in our best interests.

It's not just a good ol fashioned shunning or even exile where at least you could start over somewhere else- it's total annihilation of a person's livelihood regardless of where they go...

There's an article on Reduxx link archived ver (hopefully i didn't fuck that up) recently about Google (they reversed it luckily), Paypal, and Venmo all blocking a couple of pro-gay anti-transing children organizations from their accounts, citing a violation of ???. Meanwhile a MAP organization is still up and running and able to receive funding.
 