
What if the hackers come for us?

Gab - hacked. Truth Social - hacked. What if they come for us? The rdrama codebase probably isn't perfectly secure! Chrome or Firefox has layers of sandboxes, a hundred different gadgets like 'stack protection' or 'W xor X', and still has a new RCE every week. rdrama can probably be trivially owned if someone googles all the dependency versions for a few hours. Also, lol commit history, 'sneed'. If that happens - what leaks? I guess just associations between stored IP addresses (if they are) and post histories. And IP can reveal a lot, or nothing, depending on where you live, ISP, etc. Combine that with a post history referencing improvements you made to your house or your occupation ... might be bad.

Practically, seems incredibly unlikely anyone will care enough to do anything, it's a small community and the essay format gets in the way of 'omg these rightwingers grr'. But, always good to ponder potential security issues. Also, you wanted content, so content.


What if they come for us?

Different scale. Same about concerns that Reddit will ban linking to us, I think.

I don't think there's anyone obsessive enough about us (& with proper skillset at the same time) to bother.

Your progenitor rdrama.net is a much larger and much, MUCH, more controversial forum and we have had almost zero security issues so far. I don't wanna leak too much but we got some guys specifically for security shit and they legitimately could be from some 3 letter agency, it's pretty crazy. So I would say you are definitely good for the foreseeable future unless this place is crazier than I thought.

I don't wanna leak too much but we got some guys specifically for security shit and they legitimately could be from some 3 letter agency, it's pretty crazy

Imagine you're talking to someone and they say - "my homie's a cop, he's like from CSI with all their gadgets and shit, he knows what's up". That ... probably doesn't indicate the homie's a good cop, at all, more that the speaker doesn't really know what they're talking about. Same for "could be from some 3 letter agency", that just isn't a sign of good security at all, on the part of the speaker. Obviously it doesn't say anything negative about the security team, just that you wouldn't know either way.

I'd love to have the equivalent of internal NSA security audit tho.

The Dramatard in question speaks Russian and describes himself as a "security researcher." I've been assuming some private company rather than state agency, but we know better than to ask too many questions. Does a pretty good job, though.

unless this place is crazier than I thought.

Well, there's /r/SneerClub. Probably not a lot of hackers there though.

I think that's useful to know, but I do remind everyone that a hacking group burned an ImageMagick zero-day on FurAffinity once. There's an upper limit to how far Rule of Induction brings you, here.

The way online essayists are going to get owned is someone is going to build a model that can take text and spit out candidate authors trained on the whole web corpus.

Eh it's probably pretty safe. There's no actual version specified (lol python), so everything gets the latest version of all dependencies on every image build. Most open source packages are pretty safe, most of the ones that do have issues aren't remotely exploitable, and mostly actual remotely exploitable vulnerabilities that aren't widely known and immediately fixed are only known to a few well-financed organizations that have much bigger fish to fry than our little site.

Also it's a public forum, everyone's post history is already public. Even if it did get hacked, there's not much to get except IPs, emails, and password hashes. IPs aren't very easy to resolve to people, email address might be mildly embarrassing if you used your real name or something easily connected to you, so probably best not to do that (it's optional anyways), and passwords are hashed well, not much real risk unless you used a very easily guessed password connected to accounts on other sites with the same email.

I'm sure people have been trying to attack rdrama for a while too. The fact that they haven't been hacked yet is a good sign. Yeah some of the past coding practices aren't the best, but all of us who have participated in the dev work have looked over it and not seen any security issues.
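The "no actual version specified" point above, as an added example that is not part of the thread or of any site's codebase: a small checker that parses a pip requirements file and reports which requirements are exactly pinned, bounded by a range, or not constrained at all. The sample requirements text and the package names in it are constructed for illustration.

```python
"""Classify version specifiers in a pip requirements file.

Added example for this thread; not code from any forum's codebase.
SAMPLE_REQUIREMENTS is constructed for illustration only.
"""
import re
from typing import Dict, List

# Constructed sample: the package names are illustrative, not a real project's file.
SAMPLE_REQUIREMENTS = """\
# web stack
flask
gunicorn>=20.0          # floor only: still picks up any newer release
SQLAlchemy==1.4.46      # exact pin
requests ~= 2.28        # compatible release: 2.28 <= v < 3.0
Pillow<10
-r extras.txt           # pip option line, not a requirement
"""

# distribution name, optional [extras], then whatever follows (the specifier)
_REQ_RE = re.compile(
    r"^(?P<name>[A-Za-z0-9][A-Za-z0-9._-]*)(\[[^\]]*\])?\s*(?P<spec>.*)$"
)


def classify(spec: str) -> str:
    """Return 'pinned' for a single '==' pin, 'unpinned' for no specifier,
    and 'bounded' for any other operator or a comma-separated range."""
    spec = spec.strip()
    if not spec:
        return "unpinned"
    if spec.startswith("==") and "," not in spec:
        return "pinned"
    return "bounded"


def audit_requirements(text: str) -> Dict[str, List[str]]:
    """Group requirement names by how tightly their version is constrained.
    Comment-only, blank and option lines (-r, -e, --index-url ...) are not
    requirements and go under 'skipped'."""
    groups: Dict[str, List[str]] = {
        "pinned": [], "bounded": [], "unpinned": [], "skipped": []
    }
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        if line.startswith("-"):
            groups["skipped"].append(line)
            continue
        match = _REQ_RE.match(line)
        if match is None:
            groups["skipped"].append(line)
            continue
        # Environment markers ("; python_version < '3.9'") are not part of the version
        spec = match.group("spec").split(";", 1)[0]
        groups[classify(spec)].append(match.group("name"))
    return groups


if __name__ == "__main__":
    for kind, names in audit_requirements(SAMPLE_REQUIREMENTS).items():
        print(f"{kind:9s} {', '.join(names) or '-'}")
```

An unpinned entry like `flask` means each image build resolves to whatever is newest at that moment, which is the behaviour the post describes: you get fixes for free but also any regression or compromised release the moment it is published. Pinning by itself only freezes whatever versions you had, including vulnerable ones, so the useful combination is exact pins plus a scheduled upgrade and audit step (for instance `pip-audit` or a bot that opens upgrade PRs), and `pip install --require-hashes` so a build cannot silently pull a different artifact for the same version string.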

Most open source packages are pretty safe, most of the ones that do have issues aren't remotely exploitable, and mostly actual remotely exploitable vulnerabilities that aren't widely known and immediately fixed are only known to a few well-financed organizations that have much bigger fish to fry than our little site.

This isn't really accurate in spirit (except the last bit). "Most packages are safe" is true in the sense that the termcolors package probably is safe (aside from supply chain / github / npm attacks, because termcolors can use network and filesystem just like express, but separate issue), but it's also vacuous. Most issues aren't exploitable too, but again, vacuous. Most exploitable vulnerabilities that are widely known are fixed quickly - although see "This issue was initially discovered in 2016 by a RedHat kernel developer and disclosed in a public email thread, but the Linux kernel community did not patch the issue until it was re-reported in 2021." from the HN front page for a funny counterexample. Unfortunately, there are just so many vulnerabilities discovered and used that it's little comfort, and breaches happen constantly. Also, the rdrama codebase is not audited frequently for security, and probably has its own flaws.

Of course it's true that nobody cares about our site so nothing will happen probably. It's just interesting to work out the details.

The fact that they haven't been hacked yet is a good sign

I'm not sure rdrama would notice. Do they have good logging and monitoring? Probably not?

IPs aren't very easy to resolve to people

True, and the biggest defense we have is that there's just not much to breach (nobody has their real names like Gab) but having your IP does make it much easier to track someone down just because of location, so I'd rather nobody have them.

FWIW, I tend to be a bit skeptical of certain types of things coming from the security community. They do have a tendency to overstate the severity and applicability of issues due to the benefits of publicity in that community.

Ex - the browser environment is riddled with RCEs because the attack surface is massively huge - they are expected to let any site on the net run arbitrary JS code with a ton of flexibility on their user's systems, and to use as much of the overall power of those systems as possible, but not let that code behave beyond certain limits. I sympathize with the people trying to keep that secure. But it doesn't have a lot in common with most other environments.

The web server environment has a much more limited attack surface. For the most part, apart from supply chain attacks, you can only really attack it by sending HTTP requests to it. That doesn't make them invulnerable, but it does mean that the great majority of vulnerabilities follow a few specific patterns that are straightforward to avoid. None of us who have worked with the code here have found any of those in the codebase yet.

I don't think I'd quite bet that there's no vulnerabilities at all. But it seems unlikely enough that there's anything serious that I'm not actively worrying about it. Especially combined with our relatively small size, general lack of going out of our way to piss people off, and lack of really juicy things to be gained from compromising the site.
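One of the "few specific patterns" the post refers to, as an added example that is not from the thread or from any site's codebase: a lookup that splices a request parameter into SQL text, beside the parameterized form. The in-memory table and its two rows are constructed for the demonstration; the payload is a textbook tautology, not a finding against any real site.

```python
"""SQL injection via string formatting, beside the parameterized fix.

Added example for this thread, not code from any forum's codebase.
The in-memory users table is constructed here for illustration.
"""
import sqlite3
from typing import List, Tuple


def make_db() -> sqlite3.Connection:
    """Build a throwaway in-memory database with two constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users (name, email) VALUES (?, ?)",
        [("alice", "alice@example.invalid"), ("bob", "bob@example.invalid")],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> List[Tuple[str, str]]:
    """BUG: request-controlled `name` becomes part of the statement text, so a
    quote in the input changes the query's shape instead of being a value."""
    sql = f"SELECT name, email FROM users WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, name: str) -> List[Tuple[str, str]]:
    """Parameterized: the driver passes `name` as a bound value, never as SQL."""
    return conn.execute(
        "SELECT name, email FROM users WHERE name = ?", (name,)
    ).fetchall()


# A tautology payload: closes the string literal and appends an always-true clause.
PAYLOAD = "nobody' OR '1'='1"


def demo() -> Tuple[int, int]:
    """Return (rows leaked by the vulnerable lookup, rows from the safe one)."""
    conn = make_db()
    leaked = lookup_vulnerable(conn, PAYLOAD)
    safe = lookup_safe(conn, PAYLOAD)
    return len(leaked), len(safe)


if __name__ == "__main__":
    print("vulnerable/safe row counts for payload:", demo())
```

The vulnerable version hands back every row for a name nobody has; the safe one returns nothing, because the bound value never reaches the SQL parser. The same shape recurs with shell commands, template strings and file paths built from request data. An ORM parameterizes for you, but its raw-SQL escape hatches reintroduce the problem, so a cheap audit of a Flask codebase is to grep for f-strings, `%` or `+` on the line feeding `execute(` and `text(`.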

Eh. Googling 'flask RCE' shows a few.

And web servers regularly get owned by leaving API keys open, configuring something wrong, too. Maybe you use azure, and the part of azure you're using is broken. maybe your web server is perfect but your cloudflare password is 'marseeeeeey2' without 2fa and you get owned that way.

But it seems unlikely enough that there's anything serious that I'm not actively worrying about it.

I guarantee someone sufficiently motivated could be inside rdrama in a week or two. But I highly doubt anyone is.

They do have a tendency to overstate the severity and applicability of issues due to the benefits of publicity in that community.

Not sure if they overstate the severity of issues; if the NSA has been hacking everything, how has nobody seen them coming?

They were playing chess & you were playing checkers;

Not directly applicable here*, but cybersecurity in general is... there's no cybersecurity, really. Intel ME.

* but maybe for Gab / Truth and such?

That is a reasonable question!

The answer is that we will probably get hacked at some point.

We have some protection based on the way the server architecture works. We don't keep a persistent image around; the site environment is in Docker, and every time I update it, it reconstructs it from scratch. Even if someone manages to find a backdoor and create a more permanent backdoor, it'll all get evaporated next time we do an update. It's difficult to break out of Docker and so we're unlikely to have any sort of long-term unfixable compromise; once we find it, we can fix it and it's solved.

Of course, they can still steal the database during that time.

Email addresses would be exposed, and, of course, the full contents of the visible site. I'm not sure if IP addresses are stored right now; at some point I'll be changing it to store a hashed version, but that's only vague security because there just aren't that many IP addresses.

It is worth noting that we're in communication with the rdrama devs; yes, the codebase has forked pretty heavily, but we likely still share a lot of the same issues (and I'd love to gradually de-fork things over time). Nevertheless, this is still a volunteer endeavor, we just don't have the personpower to do full professional-level security audits.
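The "there just aren't that many IP addresses" point above, as an added example that is not from the thread or from any site's code: a plain SHA-256 of an IPv4 address is recovered by enumerating the candidate space, and a keyed HMAC is the usual fix, with the caveat that the key then has to live somewhere the database dump does not. The target address, the prefix searched and the key are constructed for the demonstration.

```python
"""Why a plain hash of an IP address is only 'vague security'.

Added example for this thread, not code from any site's codebase.
The target address (documentation range), the prefix searched and the
key are constructed here for illustration.
"""
import hashlib
import hmac
import ipaddress
import secrets
import time
from typing import Optional


def plain_token(ip: str) -> str:
    """What 'store a hashed version' usually means: an unkeyed SHA-256."""
    return hashlib.sha256(ip.encode()).hexdigest()


def keyed_token(ip: str, key: bytes) -> str:
    """HMAC-SHA256 under a secret key: without the key, no offline enumeration."""
    return hmac.new(key, ip.encode(), hashlib.sha256).hexdigest()


def recover_ip(token: str, network: str, key: Optional[bytes] = None) -> Optional[str]:
    """Try every address in `network` until one hashes to `token`.
    With key=None this is exactly what an attacker holding a dump of plain
    tokens does; IPv4 has only 2**32 addresses, so the full space is a
    matter of minutes to hours of hashing on ordinary hardware."""
    for addr in ipaddress.ip_network(network):
        candidate = str(addr)
        guess = plain_token(candidate) if key is None else keyed_token(candidate, key)
        if hmac.compare_digest(guess, token):
            return candidate
    return None


def demo(network: str = "198.51.0.0/16") -> dict:
    """Hash one constructed address three ways and report what a search recovers."""
    target = "198.51.100.23"          # TEST-NET-2, reserved for documentation
    key = secrets.token_bytes(32)     # would live in a secret store, not the DB

    plain = plain_token(target)
    t0 = time.perf_counter()
    found_plain = recover_ip(plain, network)
    elapsed = time.perf_counter() - t0

    keyed = keyed_token(target, key)
    found_keyed_without_key = recover_ip(keyed, network)        # attacker has the dump only
    found_keyed_with_key = recover_ip(keyed, network, key)      # attacker has dump and key
    return {
        "plain_recovered": found_plain == target,
        "seconds_for_prefix": round(elapsed, 3),
        "keyed_recovered_without_key": found_keyed_without_key is not None,
        "keyed_recovered_with_key": found_keyed_with_key == target,
    }


if __name__ == "__main__":
    print(demo())
```

Searching a single /16 takes well under a second in pure Python, which is why the unkeyed form is not really anonymization. The keyed form still links every post from one address to the same token, which is the whole reason to keep the value, and it is only as secret as the key: keep the key off the database host, rotate it so linkage has a bounded window, and if only coarse abuse tracking is needed, truncate to a /24 before hashing so the stored value is less precise to begin with.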

  1. We aren't important enough. We have about a dozen thousand users that do not-much more than words-words-words in a closed community.

  2. We have some pretty good programmers onboard. The codebase is probably not clean right now, but I think it's a matter of time.

I haven't looked at the codebase, but if it's not clean now I think the default is it does not become clean. If it's not secure now I think the default is it does not become secure. Having good programmers on board makes non-default results slightly more accessible, but doesn't make them default.

You can never be perfectly secure, no matter how many resources you spend on the path there. After having my identity stolen a few years ago, I ramped up my level of paranoia, but even when you're dealing with financial issues you can only go so far.

In my opinion, the most important layers I use are:

  1. Use a separate, randomly generated password for each site, tracked in an offline encrypted password store

  2. Don't admit to criminal activity online, or make any statements that would pass the "local newspaper headline" bar

  3. Harden your personal finances and personal relationships so they're robust to perturbation

From 1, there is no correlated danger from any particular site being hacked, even if they're storing passwords in plaintext. (Which I certainly hope we're not doing here...)

From 2, you acknowledge the fact that any anonymizing procedure can always be broken, and mitigate the consequences regardless. I don't care if it's a VPN, Tor, or your own personal series of hardware proxies, it can be broken. The only way out is to act within your risk tolerance. I'm confident that if someone came up to my boss with some mildly spicy rant I wrote on the Motte, he'd be glad to ignore it so long as it didn't draw public attention. Thus, the local paper headline limit.

From 3, which I admit is a bit beyond scope, you make certain that should the worst happen you'll be all right regardless. (And financial independence is a good thing to have regardless.)

If somebody intends to spend their life as a hardcore political dissident, these sorts of measures aren't sufficient, but then I'm not intending to do that.

Yeah, I should've included "don't use an IRL email or shared password". The signup page should probably have that like Kiwi does.

You shouldn't divulge any personal information or use the same email you use for everything. The stakes are pretty low for a site like this. We're more likely to just get DDoSed than anything else.

For that matter, don't use an email to sign up at all. Insane to associate one when you're allowed to skip it - one of the few things I liked about Reddit was their similar lack of an email requirement.