Recent Posts
Tech News / Re: PayPal Closed Someone's Account for Running Tor Relays & More
Last post by Anon -

PayPal has been randomly shutting down people it doesn't like for the last decade. It did it to WikiLeaks and many other controversial people, businesses, journalists, etc. Why not wait for a court order? Why do these big tech companies want to pretend to be the world's morality police?
Tech News / PayPal Closed Someone's Account for Running Tor Relays & More
Last post by Anon -
PayPal apparently shut down a Tor supporter’s account in response to activities supporting Tor, according to the EFF.

According to the Electronic Frontier Foundation, PayPal shut down a Tor supporter’s account used to fund Tor nodes. PayPal is a company that actively enjoys conducting financial censorship and Larry Brandt, the victim of this story, frankly should have known not to use such a company.

The EFF called on PayPal to do some things in response to their handling of Brandt’s account. PayPal has no reason to enact the requested changes or concern itself with the demands of a non-profit. (One can think of the EFF as the Mozilla Foundation. There is even overlap with board members. Although Mozilla is pro-censorship when they feel like it.)

The fact that Tor is even on the radar of PayPal’s censorship department is concerning and likely a sign that this ban is just the start.

In other news, this man's transaction was blocked because the note included "Persian":

Should have used Monero or cash.
Tech News / U.S. Waged Secret Legal Battle to Obtain Emails of 4 Times Reporters
Last post by Anon -
U.S. Waged Secret Legal Battle to Obtain Emails of 4 Times Reporters

The push began in the Trump administration and continued under President Biden, and the Justice Department obtained a gag order to keep it from public view. There was no precedent for the government to impose a gag order on New York Times personnel as part of a leak investigation, said David McCraw, a top lawyer for the newspaper.

Tech News / GitHub's new policies allow removal of PoC exploits used in attacks
Last post by Anon -
GitHub's new policies allow removal of PoC exploits used in attacks

GitHub announced on Friday their updated community guidelines that explain how the company will deal with exploits and malware samples hosted on their service.

To give some background behind the new policy changes, security researcher Nguyen Jang uploaded a proof-of-concept exploit (PoC) to GitHub in March for the Microsoft Exchange ProxyLogon vulnerability.

Soon after uploading the exploit, Jang received an email from Microsoft-owned GitHub stating that the PoC exploit was removed as it violated the Acceptable Use Policies.

In a statement to BleepingComputer, GitHub said they took down the PoC to protect Microsoft Exchange servers that were being heavily exploited at the time using the vulnerability.

    "We understand that the publication and distribution of proof of concept exploit code has educational and research value to the security community, and our goal is to balance that benefit with keeping the broader ecosystem safe. In accordance with our Acceptable Use Policies, GitHub disabled the gist following reports that it contains proof of concept code for a recently disclosed vulnerability that is being actively exploited." - GitHub.

However, GitHub faced immediate backlash from security researchers who felt that GitHub was policing the disclosure of legitimate security research simply because it was affecting a Microsoft product.

GitHub releases updated guidelines

In April, GitHub issued a 'call for feedback' to the cybersecurity community regarding their policies for malware and exploits hosted on GitHub.

After a month of input, GitHub officially announced yesterday that repositories created to host malware for malicious campaigns, act as a command and control server, or are used to distribute malicious scripts, are prohibited.

However, the uploading of PoC exploits and malware is permitted as long as they have a dual-use purpose.

In the context of malware and exploits, dual-use means content that can be used for the positive sharing of new information and research while at the same time can also be used for malicious purposes.

The key changes added to the GitHub guidelines are summarized below:

    We explicitly permit dual-use security technologies and content related to research into vulnerabilities, malware, and exploits. We understand that many security research projects on GitHub are dual-use and broadly beneficial to the security community. We assume positive intention and use of these projects to promote and drive improvements across the ecosystem. This change modifies previously broad language that could be misinterpreted as hostile toward projects with dual-use, clarifying that such projects are welcome.
    We have clarified how and when we may disrupt ongoing attacks that are leveraging the GitHub platform as an exploit or malware content delivery network (CDN). We do not allow use of GitHub in direct support of unlawful attacks that cause technical harm, which we’ve further defined as overconsumption of resources, physical damage, downtime, denial of service, or data loss.
    We made clear that we have an appeals and reinstatement process directly in this policy. We allow our users to appeal decisions to restrict their content or account access. This is especially important in the security research context, so we’ve very clearly and directly called out the ability for affected users to appeal action taken against their content.
    We’ve suggested a means by which parties may resolve disputes prior to escalating and reporting abuse to GitHub. This appears in the form of a recommendation to leverage an optional file for the project to provide contact information to resolve abuse reports. This encourages members of our community to resolve conflicts directly with project maintainers without requiring formal GitHub abuse reports.

While dual-use content is allowed, the new GitHub guidelines around PoCs and malware state that they retain the right to remove dual-use content, such as exploits or malware, to disrupt active attacks or malware campaigns utilizing GitHub.

    "In rare cases of very widespread abuse of dual use content, we may restrict access to that specific instance of the content to disrupt an ongoing unlawful attack or malware campaign that is leveraging the GitHub platform as an exploit or malware CDN. In most of these instances, restriction takes the form of putting the content behind authentication, but may, as an option of last resort, involve disabling access or full removal where this is not possible (e.g. when posted as a gist). We will also contact the project owners about restrictions put in place where possible.

    Restrictions are temporary where feasible, and do not serve the purpose of purging or restricting any specific dual use content, or copies of that content, from the platform in perpetuity. While we aim to make these rare cases of restriction a collaborative process with project owners, if you do feel your content was unduly restricted, we have an appeals process in place." - GitHub.

In response to this updated language, people expressed concerns that GitHub and Microsoft are now designating themselves as the "police" of defining what is causing harm, which may not align with the greater cybersecurity community.

    "By using verbiage such as "contains or installs malware or exploits that are in support of ongoing and active attacks that are causing harm" in your use policy, you are effectively designating yourselves as the police of what constitutes "causing harm". By one person's definition, that may just be an exploit proof of concept, by another that may be the whole metasploit framework. How do you plan on judging this, and whose criteria do you plan on using? What definitions are you proposing for these terms? As with most sites these days, good intentions for content moderating will likely just end up in unnecessary censorship of content that the loudest group objects to." - curi0usJack.

GitHub states that they continue to support community feedback regarding their policies to continue improving their policies.
Tech News / U.S. to give ransomware hacks similar priority as terrorism
Last post by Anon -
U.S. to give ransomware hacks similar priority as terrorism
Cryptocurrency / Vitalik Buterin: Ethereum 2.0 | Lex Fridman Podcast #188
Last post by Anon -
Vitalik Buterin: Ethereum 2.0 | Lex Fridman Podcast #188

Vitaly Dmitriyevich "Vitalik" Buterin (Russian: Виталий Дмитриевич Бутерин; born 31 January 1994) is a Russian-Canadian programmer and writer who is best known as one of the co-founders of Ethereum. Buterin became involved with cryptocurrency early in its inception, co-founding Bitcoin Magazine in 2011. In 2014, Buterin launched Ethereum with Gavin Wood.
Computer Software / Re: Macro Software
Last post by Anon -
Is it normal for my antivirus software to flag these as false positives, given the nature of these programs?