4chan Sharty Hack And Janitor Email Leak

As far as I can tell, no real maintenance has happened since Poole sold the site a decade ago. Hiroyuki paid for it and then mostly forgot about it.

> Just with a bunch of extra features hastily grafted and grown organically, but never dealing with the insane amount of technical debt.

This describes probably 95%+ of the entire software world, from enterprise, to SaaS to IoT to mobile to desktop to embedded... Everything seems to be hastily thrown together features that barely work and piles of debt that will never get fixed. It's a wonder anything actually even works. If cars (the non-software parts) were made like this, there would be millions of them breaking down by the side of the road daily.

as someone who had to upgrade a stack from php 5.3 to 7.1 back in 2019... do you know what version of php they were running?

Uploading ASP as an image and having it execute server side is one thing.

But in this case, it's subtly different.

This issue relies more on a quirk of how PDF and PostScript relate (PDF is built on a subset of postscript).

Imagine you had an image format which was just C which when compiled and ran produced the width, height, and then stream of RGB values to form an image. And you formalised this such that it had to have a specific structure so that if someone wanted to, they didn't have to write a C compiler, they could just pull out the key bits from this file which looks like ordinary C and produce the same result.

Now imagine that your website supports uploading such image files, and you need to render them to produce a thumbnail, but instead of using a minimal implementation of the standard which doesn't need to compile the code, you go ahead and just run gcc on it and run the output.

That's kind of more or less what happened here.

It's worth noting here that it's not really common knowledge that PDF is basically just a subset of postscript. So it's actually a bit less surprising that these guys fell for this, as it's as if C had become some weird language nobody talks about, and GCC became known as "that tool to wrangle that image format" rather than a general purpose C compiler.

The attackers in this case relied on some ghostscript exploits, that's true, but if you never ran the resulting C-image-format binaries, you could still get pwned through GCC exploits.

Bobby Ignore All Previous Instructions however…

Usually the attacker, on their own computer, or some other server they have root on, will open a port and expose it to the internet and listen. The exploit payload will then make an outbound connection to that port. Once it's connected, the exploit will give the attacker's computer shell access. Search terms include 'reverse shell'.

It takes the normal client/server architecture and turns it inside out. If you remember FTP and active vs passive, it works like active mode FTP.

That's just one way to do it. If the attacker wants to actually listen on an open port on a compromised server that's behind a firewall, look up 'NAT traversal' for like half a dozen ways to do it.

One interesting method to get a shell that I read about is (ab)using ICMP echo requests. ICMP echo requests can contain arbitrary bytes as a payload. So the exploit will poll the attacker's IP address with ICMP echo requests. The exploit will have data payloads that have the shell's output. The attacker's server will respond with ICMP echo requests that have whatever the attacker wants to type into the shell. It's kinda janky but it works. Lots of firewalls might block outbound UDP/TCP connections from internal servers that don't need to make outbound connections, or might whitelist the addresses they're allowed to connect to. But they won't block ICMP, either because it's considered harmless or they forgot or they didn't know it needs to be blocked separately with other rules.

The point is there's any number of ways to do it, each more clever than the last.

https://blog.sucuri.net/2013/07/malware-hidden-inside-jpg-ex...

Once you can run any command, you start passing in whatever commands you want.

A shell's stdin and stdout can be redirected to a tcp socket which connects to the attacker. Here are some examples: https://www.invicti.com/learn/reverse-shell/

This is a great question, one I've always wondered. "Shell access" typically requires a terminal to, you know, type stuff in, right?

When the first-gen iPhone was out there was a TIFF vulnerability so bad that you could jailbreak an iPhone just by visiting a specific web site. I remember going to Best Buy and seeing all of the display phones had been jailbroken. (It was easy to tell - this was before the App Store, so having extra app icons on the home screen wasn't normal.)

This was a user-empowering application of the vulnerability. Obviously, a bug that allows root-level arbitrary code execution just by getting the user to load a single image could be used for some pretty bad stuff. (And perhaps was.)

The `Memory Pit` exploit for the Nintendo DSi works in a similar way - it exploits a buffer overflow in the reading of image meta data by the Nintendo DSi Camera application in order to achieve arbitrary code execution.

https://dsibrew.org/wiki/Memory_Pit

For the record this is an example of the "Fencepost error" where the last item in a range gets double counted as the first item in the next range and is incredibly common in dyscalculia (the math version of dyslexia) as people will have "visual number lines" in their head that cover ranges of numbers but the ends get double counted, so there will be a 10-20 number line then a 20-30 number line.

I suspect TheJosh had something like that with the week where he visualized it with Sundays at both ends but lacked the self awareness to realize that this was not a universal representation.

My personal favorite rendition of this: https://www.youtube.com/watch?v=JqylqmDl0Mw (Mega64 - Flame War Theater - "Full Body Workout Every Other Day?")

If a woman ever asks what men’s locker room talk is like, just show them that post. We really are a simple bunch.

lol that was a bait thread, this is the same place that had a discussion on whether a pitbull could defeat the Sun if it snuck up on it at night

Laughing my head off reading through this. Thank you

That IS dumb -- everyone knows there are 8 days in a week. Sunday to Sunday -- you can count it on your hands!

> Obligatory post about the dumbest argument to ever be had online

Jon Bois did an amazing video about this one: https://www.youtube.com/watch?v=eECjjLNAOd4

I never saw this before. Thank you to share. Truly, this is peak Interwebs.

All of this sentiment is many years out of date. "Alt-right" hasn't been a term of self-identification for almost a decade, and hasn't been used as an identifier by pretty much anyone for at least half of that. /pol/ is not the epicentre of the radical online right and has not been for years - it's a backwater in that regard now.

The most notable radicalisation happening on /pol/ nowadays, in my opinion, is a kind of hyper-masculine third-worldist ideology that is anti-semitic in its foundation and deeply misogynistic. While those two traits might sound superficially similar to the 2015 "Alt right", this new ideology has a significant pro-Islamist tendency, and has an almost comprehensive disdain for the west and its ways of life, in favour of authoritarian regimes like like Russia, Iran, and China. Also, as is being corroborated by other online circles like the Nick Fuentes "Groyper" movement, this faction of the online far-right is an increasingly post-racial one, with more traditionally white supremacist views disappearing, to be filled in by antisemitism.

Personally, I think this cultural political shift in the imageboard represents the increased representation of developing countries online, and is an important case study in how quickly cultural foundations can shift inside the borderless land of the internet.

I like /pol/ and although I'm not really interested in defending it (I 100% understand why people don't like it) I will give my opinion of it because I think most people don't get it and take the board wayy too seriously.

/pol/ isn't trying to be like the millions of other politic discussion forums online. It's literally intended to be politically outrageous so when people like yourself complain that it's full of outrageous alt-right content you're typically missing the point.

It's full of things that appear to be alt-right because stuff like racism, sexism and transphobia is extremely politically incorrect. While far-left views might be equally reprehensible, these views are not seen as equally politically incorrect. It's actually quite hard to hold politically incorrect far-left views unless you incorporate some far-right views – being so pro-trans that you hate biological women or something stupid. This is why you tend to see less left-wing content there. It's hard to be offensive and left-wing.**

But even then I think it's wrong to say /pol/ is full of alt-right content to be honest. There are alt-right people there for sure, but huge amount of the political memes posted on /pol/ are mocking the alt-right and the right more broadly. The board is constantly roasting the MAGA movement, for example.

As a brit my favourite threads on /pol/ are the brit/pol/ threads which basically just post politically incorrect memes mocking Brits and joking about how shit the UK is. These threads largely just Brits shitposting with each other and it would be wrong to assume the existence of hateful anti-British content on /pol/ is somehow evidence that /pol/ is xenophobic against Brits. People should take a similar views of the racist/alt-right threads – the vast majority of people there are just trolling and being offensive for a laugh. You don't have to like the humour, but most of it is just people shit posting.

> they actively delete and ban posts that go against alt-right.

Loads of stuff gets removed... If you're posting content that "goes against the alt-right" you're probably taking the board way way to seriously and you probably should be banned.

** Interestingly another commenter in the thread asked about why there's so much interracial porn on /pol/ if it's so racist, which kinda highlights my point here. Just hating white people isn't politically incorrect – there's people doing that all over Reddit. To make hating white people offensive you basically have to incorporate racist stereotypes about about how whites are genetically inferrer to blacks in various way, but then in doing this you'll get viewed as racist and alt-right because you're using racial stereotypes about how blacks are more athletic, etc.

If you're up for it I challenge you to be politically incorrect from a left-wing perspective without it being possible to argue that it's actually far-right.

Why do they allow so much interracial porn spam, and how does that fit into your view of the mods being alt-right racists?

I worked for a major internet company until 2020. HN would be aghast how much "if we failed to provide this service a good chunk of the internet would either go down or sites wouldn't function properly and the stock market probably would dip" stuff runs on redundant pairs of LAMP stacks and other unsophisticated old stuff HN would turn up its nose at.

Should have had updated dependencies though.

otoh the entire site is no longer running because they fell behind on updates

I think this was true at one point but not for the past 5-10 years. Based off of using the site I feel like now a lot of things start on other sites (particularly smaller accounts on twitter), get aggregated and popularized on 4chan, and then get picked up on other sites (often regurgitated back to twitter). Knowyourmeme shows this for a lot of things that people typically attribute as original to 4chan. There was definitely a time when a ton of stuff originated on 4chan but these days everything is so interconnected with the same people posting on twitter, reddit, and 4chan that I think 4chan gets a lot of unearned credit

This absolutely was the case for a long time. It was the cultural center of the internet where nearly all memes sprang from or gained traction and context before leaving orbit for the greater internet.

That has not been the case for years though. I'd say it shifted to twitter as things shifted to inseparably political on almost all of 4chan maybe 6-8 years back and then shifted away from twitter a while after elon bought it and a lot of people started to bail. and I honestly don't know where exactly it's shifted to now, but I'd have to guess tiktok and similar new platforms.

But regardless I do think 4chan has lost nearly all of it's cultural influence, but still maintains it's notoriety.

Don't forget the slurs. They have some unique slurs in there that have backstories too.

> how much terminology, slang and other culture originate and spread there

Could you give some examples? The more unexpected, the better.

Preferably with sources, because tracing word origin is difficult enough on its own.

I thought culture was a “solved problem” now that we have AI.

I can’t keep up anymore.

I feel too many people who conflate /pol/ with the whole website are just regurgitating information they heard from other social media sites. The most popular boards, by far, since 2020 have been the video game and vtuber boards. With Video Game generals being the most popular board for the past five years outside of the occasional political season. You can check this on 4stats.

People who still complain about /pol/ look a little like people who would still complain about ebaumsworld: Completely out of touch individuals who equate everything to a tiny phenomena.

it is, and unfortunately from 2016 onwards it kind of outgrew the rest of the site like a tumorous growth until the whole site became markedly more neonazi and less goofy. something to do with donald trump i suspected

It is - https://en.wikipedia.org/w/index.php?title=/pol/&oldid=12855....

> /g/ was the origin of Chain of Thought for AI

Is this documented?

If someone rallied a hate-mob on 4chan, though, how would people know?

Since 4chan overtly resists it, it'd rapidly move off of there, but it's still a great place to find like-minded folks that'd follow someone to another server to go brigade someone.

So "not your personal army" == don't be a journalist?

Like it or not, 4chan was a major hub of Internet culture. Especially early on some of the best stuff on the internet happened on 4chan (and a good chunk of the worst, of course)

Why? I am not pleased with the government forced pills such as TikTok, Twitter and other such shite shoved down my throat.

You may enjoy the walled garden, I for one don't. Such sites gave you a hole to get away from the dystopian view that these gardens hold.

They gave independence away from forced control.

"Old Internet" doesn't have a very defined meaning, but I think it has more to do with design and functionality than a hard date. While I don't think relevance matters, 4chan is much more relevant than you think. Having a niche is part of the old Internet. Websites used to be niche, but deep, instead of websites like Wikipedia, which are broad and shallow (compare the Castlevania dungeon [0] to the Wikipedia article for Castlevania, for example). Then compare 4chan's limited number of boards with reddit's endless subs. 4chan's design is early web 2.0, doesn't require you create an account, allows (pseudo) anonymous posting, content is mostly unfiltered, unmonetized, free & thought of as ephemeral, etc.

0 - https://castlevaniadungeon.net/dungeon.html

Geocities was going strong in the late 90's too! My first homepage was hosted there on Tokyo Towers.

Side note: When you google "Geocities" the results are in comic sans

22 years is old. Nobody knows what geocities is, it has no relevance. It’s like talking about brands of telegraph wire.

It is not very niche at all. 4chan served a gigantic volume of traffic.

Web 2.0 and before is now considered the old internet.

[dead]

I'm reliably informed they do it for free.

> Isn't it a running joke that the Jannies don't get paid?

You're think about reddit and why it is the way it is from an editorial perspective and what kind of people have the time to mods 100+ subs for free...

But that ceased to be true long ago. While some of the supermods aren't paid by reddit directly, they might be paid by other orgs to mod and influence reddit, corporate or 'grass root'...

Some others simply hijack subs to sell their own products.

Considering that the people posting this "creative irreverence" were the same guys calling you a "stupid f*gg*t n*gger piece of sh*t" on Halo 2/3 and CS when they got noscoped from across the map or whatever, "It's just a joke" has always been somewhat suspect. It would be wrong to say that there was no element of tongue-in-cheek-iness and hyperbole, of course. It just wasn't completely innocent, broadly speaking.

Of course, in a post-Bioshock Infinite world, there's really no excuse for not grokking how time and distance from the origins of a cultural behavior pattern can warp even well-meaning notions that aren't regularly re-examined and tuned to align the intention with the zeitgeist. If the Sarah Silverman-esque posters ever looked up and realized, "Oh, they don't know it's a joke, they're ACTUALLY Nazis," it was too late to shift things back. (Unless you were in a Boondocks thread on /co/, in which case correction was freely forthcoming.)

Probably didn't help that at least one mod wanted 4chan to become more racist, on purpose.

> mistook offensive humor for conservatism

Something happened in the post-2010 times along with the Tea Party, and offensive humor - especially overt racism - became a mainstream part of conservativism, all the way to the White House.

> "jokes" where the punchline is "I hate my political enemies"

Hence the laughter in the White House at refusing to follow the court order to return their political enemies from the overseas prison.

4chan may have died, but Trump is more the first 4chan President than Howard Dean was the first "internet candidate", and especially Musk the Twitter Presidential Vizir is the heir to this culture.

Incredibly spot-on and well-put.

the mechanics are old

there's no other online community i know of that still allows fully anonymous posting

the culture changed, but the "environment" causing the culture there to be the way it is still same as the original.

the bump/delete mechanics work well to promote the most controversial, most engaging content, without any advanced statistics or ML.

despite being a shitty place, i don't feel advertised to, spied or in any way abused _by the software itself_ while browsing it

every board had it's own independent archiving service after a while, so board culture ended up stickier than the original design. there's some interesting stuff in there

Posts always got auto deleted. Maybe you aren't familiar with how it worked.

I lied about my age and was given janitor access in the mid 2000s. There was a special /j/ board to coordinate on, but it broke relatively early, and you mostly had to hang out in the #janiteam channel on Rizon. I think almost everybody else was underage as well. There was a minimal web overlay that let you delete/escalate posts. You couldn't see people's IPs, but you could see how many outstanding ban requests they had. These numbers helped me deduce that many boards' most infamous personalities were all the same guy.

We were all offered the chance to become mods in 2010, but moot wanted to see our faces on a Skype call. I thought that was a step too far and just gradually stopped caring after that. Seems like I made the right choice.

On the whole it was barely held together technically and organisationally, mostly run by moot's personal friends, and fun all around. Things were far less serious then.

And the checks arrived on time every month: $0.00

Well... A full dump of the board exclusive to moderators and janitors was leaked too so now you could take a look yourself.

I would've taken you less time to find the 'sinister' content yourself than leave this sprawling reply

To your point:

It's more likely than not real, it contains configs for the entire site.

moot hasn't been relevant for years.

I should have used a better example to support my point.

I was referring to the website it self allowing gay and trans content, and even other non mainstream content (furry, MLP). The content is not just porn related (though a big chunk of it is).

On the porn front, I don't agree with liking 'lady dick' twink lovers only. There's 'normal' gay content (male on male).

On the non porn content, lots of posts will begin with 'Im a gayfag' (fag here I used as a catch all self deprecating term, some users will say I'm a oldfag, even seen ladyfag). Never seen any outright harassment of gay people when they post.

Having said that, there is straight gay, trans, minority hating posts and content.

4chan is a wild jungle. Or was.

You shouldn't be logging in to a server via SSH using a user+password combo, instead use a public/private key combo which is considerably more complex and can't effectively be bruteforced like a user+password.

Most web servers don't really come with any built in defense against brute force attempts vs Basic Auth gates, so unless you've set something up to protect it, someone with enough time will eventually get in.

I haven’t used it for many years now, but phpMyAdmin was long a source of compromises. Lots of security holes.

A password is just plain text, which apart from being bruteforced, can easily be phished. There are so many things wrong with using a password even if it's fairly complex. Instead, stick to passkeys and SSH keys

This stuff is still packaged with cPanel, which is probably the most common way to manage web servers on the internet.

Only if it's only accessible via proper TLS (otherwise it's easy to read the user/pass with MITM as basic auth doesn't encrypt the user/pass).

If there is no throttling/rate-limiting/banning then this setup allows for a lot of attempts, wether brute-force or dictionary.