Cryptome grudgingly admits to leak of users' ancient IP addresses
If you looked for vulnerabilities in 2009, you're vulnerable today. A bit.
Venerable leak site Cryptome.org has 'fessed up to a data leak that saw some users' IP addresses reach the Internet.
After initially dismissing data posted by security researcher Michael Best as a mockup, Cryptome founder John Young conceded that a USB key sent to some of the site's supporters included site statistics data containing the IP addresses.
As Best posts, Young e-mailed him to agree that the data included on the dongles was Amazon Web Services statistics data: “Not the stats for Cryptome itself but for the Cartome sub-directory, for four months, November 2009-February 2010. Included in a full site restoration by ISP NetSol after a full shutdown in June 2013.”
Best had originally posted the addresses, which were also visible on Cryptome until Young deleted them, but writes that he removed the information in response to Young's request.
As Young's e-mail notes, however, “nothing can be fully deleted or hidden.” Best has cleansed the data of IP addresses, but left domain data intact. While Best claims Young was initially hostile, the incident serves to underline how difficult security is, even for those long versed in vulnerabilities.
Young encourages users to treat every channel, including his own, as suspect, and reminds us that a third-party slip (he attributes the inclusion of the statistics to a restore-from-backup) is especially hard to predict.
It's been a difficult year for Cryptome: in September, Young revoked its public PGP keys and his own after learning of a possible compromise.
At that time, he told The Register the revocation was precautionary, with the leak related to architectural work he carried out for a New York subway line extension. ®