4chan Sharty Hack And Janitor Email Leak

> Just with a bunch of extra features hastily grafted and grown organically, but never dealing with the insane amount of technical debt.

This describes probably 95%+ of the entire software world, from enterprise, to SaaS to IoT to mobile to desktop to embedded... Everything seems to be hastily thrown together features that barely work and piles of debt that will never get fixed. It's a wonder anything actually even works. If cars (the non-software parts) were made like this, there would be millions of them breaking down by the side of the road daily.

As far as I can tell, no real maintenance has happened since Poole sold the site a decade ago. Hiroyuki paid for it and then mostly forgot about it.

as someone who had to upgrade a stack from php 5.3 to 7.1 back in 2019... do you know what version of php they were running?

Uploading ASP as an image and having it execute server side is one thing.

But in this case, it's subtly different.

This issue relies more on a quirk of how PDF and PostScript relate (PDF is built on a subset of postscript).

Imagine you had an image format which was just C which when compiled and ran produced the width, height, and then stream of RGB values to form an image. And you formalised this such that it had to have a specific structure so that if someone wanted to, they didn't have to write a C compiler, they could just pull out the key bits from this file which looks like ordinary C and produce the same result.

Now imagine that your website supports uploading such image files, and you need to render them to produce a thumbnail, but instead of using a minimal implementation of the standard which doesn't need to compile the code, you go ahead and just run gcc on it and run the output.

That's kind of more or less what happened here.

It's worth noting here that it's not really common knowledge that PDF is basically just a subset of postscript. So it's actually a bit less surprising that these guys fell for this, as it's as if C had become some weird language nobody talks about, and GCC became known as "that tool to wrangle that image format" rather than a general purpose C compiler.

The attackers in this case relied on some ghostscript exploits, that's true, but if you never ran the resulting C-image-format binaries, you could still get pwned through GCC exploits.

These were fun times. I've been working as a pentester for the past ten years, and the job got a lot harder, with everything using frameworks and containerization.

We still get plenty of results, because the tooling also gets better, and finding just one vulnerability is enough to be devastating, which makes it kind of frustrating. There is tons of progress, but much of it is just not paying dividends.

Bobby Ignore All Previous Instructions however…

When the first-gen iPhone was out there was a TIFF vulnerability so bad that you could jailbreak an iPhone just by visiting a specific web site. I remember going to Best Buy and seeing all of the display phones had been jailbroken. (It was easy to tell - this was before the App Store, so having extra app icons on the home screen wasn't normal.)

This was a user-empowering application of the vulnerability. Obviously, a bug that allows root-level arbitrary code execution just by getting the user to load a single image could be used for some pretty bad stuff. (And perhaps was.)

The `Memory Pit` exploit for the Nintendo DSi works in a similar way - it exploits a buffer overflow in the reading of image meta data by the Nintendo DSi Camera application in order to achieve arbitrary code execution.

https://dsibrew.org/wiki/Memory_Pit

4chan, ironically enough, had something similar where steganographic images were posted designed to be copied to Paint, saved as a bmp, renamed to an .hta file, and then executed. It would then spam the board with other variations of itself.

"Bannerbomb", on the Wii, has entered the thread.

https://wiibrew.org/wiki/Bannerbomb

I would also say don't run ghostscript with the same permissions as the web server, especially not if you can just hand it your PDF through stdin and take a PNG through stdout. Sandbox it as much as possible. PDF is a really complex format which means lots of opportunities for buffer overruns and the like. (Edit: Actually, reading through Arch-TK's post above, it sounds like it was much dummer than something like a buffer overrun.)

Newer Ghostscript versions are Affero GPL, that might be problem for some people, although probably not for 4chan (they don't modify it so it should be fine)

(incidentally I am now working on compiling this old GPL ghostscript to webassembly with file isolation... it works fine... but the compilation is kind of annoying)

> Don't run versions of ghostscript from 2012?

Per Wikipedia:

In February 2013, with version 9.07, Ghostscript changed its license from GPLv3 to GNU AGPL.

With the AGPL license being legal kryptonite I wonder if license compatibility drove the decision (and how many other installations of Ghostscript share this concern)?

Does this vuln have a CVE number, or other details? Just curious, since from the posts explaining things this doesn't seem to be based on memory corruption.

Assuming US jurisdiction this would pretty clearly be at least one, probably many CFAA violations which are criminal.

Usually the attacker, on their own computer, or some other server they have root on, will open a port and expose it to the internet and listen. The exploit payload will then make an outbound connection to that port. Once it's connected, the exploit will give the attacker's computer shell access. Search terms include 'reverse shell'.

It takes the normal client/server architecture and turns it inside out. If you remember FTP and active vs passive, it works like active mode FTP.

That's just one way to do it. If the attacker wants to actually listen on an open port on a compromised server that's behind a firewall, look up 'NAT traversal' for like half a dozen ways to do it.

One interesting method to get a shell that I read about is (ab)using ICMP echo requests. ICMP echo requests can contain arbitrary bytes as a payload. So the exploit will poll the attacker's IP address with ICMP echo requests. The exploit will have data payloads that have the shell's output. The attacker's server will respond with ICMP echo requests that have whatever the attacker wants to type into the shell. It's kinda janky but it works. Lots of firewalls might block outbound UDP/TCP connections from internal servers that don't need to make outbound connections, or might whitelist the addresses they're allowed to connect to. But they won't block ICMP, either because it's considered harmless or they forgot or they didn't know it needs to be blocked separately with other rules.

The point is there's any number of ways to do it, each more clever than the last.

A shell's stdin and stdout can be redirected to a tcp socket which connects to the attacker. Here are some examples: https://www.invicti.com/learn/reverse-shell/

https://blog.sucuri.net/2013/07/malware-hidden-inside-jpg-ex...

Once you can run any command, you start passing in whatever commands you want.

most likely "shell access" was confused with execution of "shellcode" which is a type of code, typically bytecode, that gets injected by the hacker and the server gets tricked into executing it. Once it's executed, it can do anything, leave new files, open ports, disable firewalls, change the admin password, etc

This is a great question, one I've always wondered. "Shell access" typically requires a terminal to, you know, type stuff in, right?

If you disable JavaScript, it’s not. PDF removed loops etc from the PostScript it supports

eh, there's a lot of neat pdfs on the papercraft and origami board

Here: https://i.ibb.co/9mWLp4m9/4chanhack.jpg

search through the thread on the site where that attack came from. ctrl+f postscript and you will find the post

Source: https://www.soyjak.st/soy/thread/10615723.html#:~:text=What%...

Kiwifarms is also discussing, links to code and griefing - https://kiwifarms (NSFW/NSFL) .st/threads/soyjak-party-the-sharty.145349/page-1468#post-21102686

This used to be a selling point for me when I was younger, but increasingly I find myself not wanting to deal with poorly-moderated platforms. I can’t tell if it’s because the transgressive vulgarity that these platforms enable has lost its novelty as I’ve gotten older or because the median user has less to contribute. Every time I try to browse 4chan these days I find that half the posts are repulsive, basically pornographic representations of the world, and the other half is the product of psychosis (that is, the people making the posts likely need to be institutionalized).

There are a lot of people who have nothing to contribute to a conversation, and a lot of people who are actively detrimental to a conversation. It used to be that you would put up with the craziest ones for the benefit of finding novel and overlooked ideas, but as the internet has become more accessible, the former group now outnumbers the latter.

I would be inclined to think that the problem is that I just grew out of the shock value, but I see the same trend on almost every other platform, too.

This is good sometimes but also horrible sometimes, because reputation exists for a reason. It's a filter, and if you have terabytes of information around which has mostly garbage quality you need filters if you want to make it useful. Of course, reputation does not solve the problem entirely, but at least it makes some steps towards the solution. Otherwise, you're basically on your own against the ocean of garbage, and not many people can really handle that.

Hard disagree. Finding anything of quality on 4chan is like searching for gold nuggets by hand in a mountain of radioactive poop. The only times I've ever seen anything useful in there is when someone else has already done the hard work of curating a post.

The core reason why HN is superior (IMO) is the curation and the moderation.

Agreed. I would go so far as to say all the ills of modern social media are because of ranked platforms, such as upvote/downvote-based, or like-based. They turn into echo chambers, that promote witty one-liners over nuance, and any sort of controversial position is effectively censored.

That said, HN functions decently well, though in some ways it is even worse in the censoring the outliers.

That is heretical now, unimaginable to huge swaths of the Internet.

> united by hatred of a scapegoat.

United by hatred of a scapegoat that they didn't choose on a random whim or due to some common agenda. Otherwise it's completely fine.

If someone rallied a hate-mob on 4chan, though, how would people know?

Since 4chan overtly resists it, it'd rapidly move off of there, but it's still a great place to find like-minded folks that'd follow someone to another server to go brigade someone.

So "not your personal army" == don't be a journalist?

There is no “they”.

Like many others coming from social web, you expect to find some kind of community which fashions everyone shares, an apparel you can put on. The idea is complete opposite: you don't need to follow any fashion, or imagine yourself “part of the team” any more than you want to. Even though it's not written in any rules, you don't have to use slang or tone if you find them dumb, overused (globally or locally), or forced. Neither do you have to treat stupid posts with respect.

I assume that after 15-20 years of being part of collective consciousness, anonymous image boards have mostly the same public as any average site. Amount of crap that you can read there is just the same as everywhere (though in some cases this or that Big Brother hides it from your view — obviously, to make you more comfortable, and spend more time in his warm embrace). The difference is that regular social fashions mandate the use of suitable set of candy wrappers for the crap, then there are customary ways of dealing with them, so in the end people just spend their time wrapping and unwrapping crap, but are proud of themselves, and call it “civilised discourse”.

3/10 troll

That's antithetical to many of the foundational rules of the internet, which are core to 4chan culture.

The whole point is that they don't let the fluctuating, weak-willed whims of normie sensibilities determine what's allowed.

Feature, not bug. Edgy teens don't want responsible adults in their clubhouse. Unfortunately it also attracts manchildren.

If it was pleasant to the senses then it wouldn't be counterculture.

Nobody on Twitter or Reddit or Bluesky or Facebook or whatever ever cared about anyone’s feelings either, they just avoid using certain no-no words.

HN is 4chan in many ways - the smart, civilized people just come here. Whereas the smart people that are willing to act disabled go there.

>there’s less focus on writing the basic filler comments

I’m not sure you’ve actually been to 4chan…

How many of these used Facebook, Twitter or Reddit? They are not mentioned in mainstream media because they are popular, but I assure you there are a lot of deranged people that never even posted on 4chan and just stuck to the “good” ones.

This is a cheap bait - of course when there's a small number of leniently moderated popular platforms, there will eventually be a high-profile criminal that would use one of them, because a) that what "popular" means and b) anti-social types would gravitate to more leniently moderated platforms. And of course on the same platforms there would be online edglelords that would make sure to cheer whatever causes the most offense, because that's what they are there for. If you close 4chan, there would be another platform that would become focus of the same people - because the people focus on the platform, not the platform causes the people to become bad. The press that tried to frame it the way which reverses the cause and the effect is doing you a disservice, and you may want to consider using a better source of information. If, of course, you are interested in understanding the causes and the effects of things, not just feeling good by having your preconceptions confirmed.

Do it for 2ch now.

[flagged]

For the record this is an example of the "Fencepost error" where the last item in a range gets double counted as the first item in the next range and is incredibly common in dyscalculia (the math version of dyslexia) as people will have "visual number lines" in their head that cover ranges of numbers but the ends get double counted, so there will be a 10-20 number line then a 20-30 number line.

I suspect TheJosh had something like that with the week where he visualized it with Sundays at both ends but lacked the self awareness to realize that this was not a universal representation.

My personal favorite rendition of this: https://www.youtube.com/watch?v=JqylqmDl0Mw (Mega64 - Flame War Theater - "Full Body Workout Every Other Day?")

> In 2015, Vice News contacted mathematician Joanna Nelson for a resolution, and she said that TheJosh would have to schedule his workouts in two-week chunks, claiming a week is seven days from Monday to Sunday.

Why was a mathematician necessary for this assertion?

If a woman ever asks what men’s locker room talk is like, just show them that post. We really are a simple bunch.

lol that was a bait thread, this is the same place that had a discussion on whether a pitbull could defeat the Sun if it snuck up on it at night

I never saw this before. Thank you to share. Truly, this is peak Interwebs.

That IS dumb -- everyone knows there are 8 days in a week. Sunday to Sunday -- you can count it on your hands!

> Obligatory post about the dumbest argument to ever be had online

Jon Bois did an amazing video about this one: https://www.youtube.com/watch?v=eECjjLNAOd4

Laughing my head off reading through this. Thank you

I need to thank you for the web archive post. The argument was amusing as it was dumb.

I love this thread so much

All of this sentiment is many years out of date. "Alt-right" hasn't been a term of self-identification for almost a decade, and hasn't been used as an identifier by pretty much anyone for at least half of that. /pol/ is not the epicentre of the radical online right and has not been for years - it's a backwater in that regard now.

The most notable radicalisation happening on /pol/ nowadays, in my opinion, is a kind of hyper-masculine third-worldist ideology that is anti-semitic in its foundation and deeply misogynistic. While those two traits might sound superficially similar to the 2015 "Alt right", this new ideology has a significant pro-Islamist tendency, and has an almost comprehensive disdain for the west and its ways of life, in favour of authoritarian regimes like like Russia, Iran, and China. Also, as is being corroborated by other online circles like the Nick Fuentes "Groyper" movement, this faction of the online far-right is an increasingly post-racial one, with more traditionally white supremacist views disappearing, to be filled in by antisemitism.

Personally, I think this cultural political shift in the imageboard represents the increased representation of developing countries online, and is an important case study in how quickly cultural foundations can shift inside the borderless land of the internet.

> On top of that, they actively delete and ban posts that go against alt-right.

Lurk moar.

I like /pol/ and although I'm not really interested in defending it (I 100% understand why people don't like it) I will give my opinion of it because I think most people don't get it and take the board wayy too seriously.

/pol/ isn't trying to be like the millions of other politic discussion forums online. It's literally intended to be politically outrageous so when people like yourself complain that it's full of outrageous alt-right content you're typically missing the point.

It's full of things that appear to be alt-right because stuff like racism, sexism and transphobia is extremely politically incorrect. While far-left views might be equally reprehensible, these views are not seen as equally politically incorrect. It's actually quite hard to hold politically incorrect far-left views unless you incorporate some far-right views – being so pro-trans that you hate biological women or something stupid. This is why you tend to see less left-wing content there. It's hard to be offensive and left-wing.**

But even then I think it's wrong to say /pol/ is full of alt-right content to be honest. There are alt-right people there for sure, but huge amount of the political memes posted on /pol/ are mocking the alt-right and the right more broadly. The board is constantly roasting the MAGA movement, for example.

As a brit my favourite threads on /pol/ are the brit/pol/ threads which basically just post politically incorrect memes mocking Brits and joking about how shit the UK is. These threads largely just Brits shitposting with each other and it would be wrong to assume the existence of hateful anti-British content on /pol/ is somehow evidence that /pol/ is xenophobic against Brits. People should take a similar views of the racist/alt-right threads – the vast majority of people there are just trolling and being offensive for a laugh. You don't have to like the humour, but most of it is just people shit posting.

> they actively delete and ban posts that go against alt-right.

Loads of stuff gets removed... If you're posting content that "goes against the alt-right" you're probably taking the board way way to seriously and you probably should be banned.

** Interestingly another commenter in the thread asked about why there's so much interracial porn on /pol/ if it's so racist, which kinda highlights my point here. Just hating white people isn't politically incorrect – there's people doing that all over Reddit. To make hating white people offensive you basically have to incorporate racist stereotypes about about how whites are genetically inferrer to blacks in various way, but then in doing this you'll get viewed as racist and alt-right because you're using racial stereotypes about how blacks are more athletic, etc.

If you're up for it I challenge you to be politically incorrect from a left-wing perspective without it being possible to argue that it's actually far-right.

[flagged]

This absolutely was the case for a long time. It was the cultural center of the internet where nearly all memes sprang from or gained traction and context before leaving orbit for the greater internet.

That has not been the case for years though. I'd say it shifted to twitter as things shifted to inseparably political on almost all of 4chan maybe 6-8 years back and then shifted away from twitter a while after elon bought it and a lot of people started to bail. and I honestly don't know where exactly it's shifted to now, but I'd have to guess tiktok and similar new platforms.

But regardless I do think 4chan has lost nearly all of it's cultural influence, but still maintains it's notoriety.

I think this was true at one point but not for the past 5-10 years. Based off of using the site I feel like now a lot of things start on other sites (particularly smaller accounts on twitter), get aggregated and popularized on 4chan, and then get picked up on other sites (often regurgitated back to twitter). Knowyourmeme shows this for a lot of things that people typically attribute as original to 4chan. There was definitely a time when a ton of stuff originated on 4chan but these days everything is so interconnected with the same people posting on twitter, reddit, and 4chan that I think 4chan gets a lot of unearned credit

Don't forget the slurs. They have some unique slurs in there that have backstories too.

> how much terminology, slang and other culture originate and spread there

Could you give some examples? The more unexpected, the better.

Preferably with sources, because tracing word origin is difficult enough on its own.

I thought culture was a “solved problem” now that we have AI.

I can’t keep up anymore.

I worked for a major internet company until 2020. HN would be aghast how much "if we failed to provide this service a good chunk of the internet would either go down or sites wouldn't function properly and the stock market probably would dip" stuff runs on redundant pairs of LAMP stacks and other unsophisticated old stuff HN would turn up its nose at.

Should have had updated dependencies though.

otoh the entire site is no longer running because they fell behind on updates

Nobody that is over 30 thinks any of those things are necessary because we all remember them not existing and websites handling plenty of traffic fine.

I think no algorithmic curation is its strength. It means that even if an echo chamber appears anybody can still post their opinion and it doesn't get downvoted into oblivion when people disagree.

I feel too many people who conflate /pol/ with the whole website are just regurgitating information they heard from other social media sites. The most popular boards, by far, since 2020 have been the video game and vtuber boards. With Video Game generals being the most popular board for the past five years outside of the occasional political season. You can check this on 4stats.

People who still complain about /pol/ look a little like people who would still complain about ebaumsworld: Completely out of touch individuals who equate everything to a tiny phenomena.

it is, and unfortunately from 2016 onwards it kind of outgrew the rest of the site like a tumorous growth until the whole site became markedly more neonazi and less goofy. something to do with donald trump i suspected

It is - https://en.wikipedia.org/w/index.php?title=/pol/&oldid=12855....

4chan is more moderated than you'd imagine.

I like that there can be wild places on the internet where people can pieces of shit. 4Chan had communist trolls, Jew-hating trolls, Zionist-trolls, pro-Christian trolls, anti-Christian pro-pagan trolls. It didn't foster any fascism in society. It was just a place where people could say mostly what they want.

That is what has saved Reddit. You cannot find society fascism coordination there because the mods are strong. If 4chan followed that model bronies might still be a thing.

> /g/ was the origin of Chain of Thought for AI

Is this documented?

/g/ was also the home of a Windows XP source code leak (at least publicly). Some gaming-related leaks also came from /v/, such as the 1999 Duke Nukem Forever builds.

I used to hang out at Head-Fi a lot in the early ‘00s. It’s a headphone and headphone accessories (amplifiers, DACs, etc.) forum, and people nerd out about building their own stuff. I recall writing a review on some obscure Chinese brand of sound card that people liked, because it happened to have a really good DAC for the rear output (it was a surround sound card, back when that was something interesting).

I gradually lost interest when they started heavily pushing commercial sponsors. I get it; sites aren’t free to host, and moderator time isn’t free / unlimited, but it’s still sad.

Bodybuilding.com's misc board was essentially the same sort of raunchy teen hangout as /b/, sans the porn. It wasn't anything goes, but a lot did, and of course you were dealing with the kinds of meatheads (said lovingly) who would happen upon bb.com in the first place.

Not hidden gems, no, but some of big titles originated from /agdg/, both Risk of Rain and VA-11 Hall-A started as progress posts in /agdg/ before hitting combined >1M sales.

I remember one user who made a really fun arcade flight simulator.

/g/ genuinely was one of the worst boards on the website, but there were a handful of lurkers who made good posts in some of the general threads. the site as a whole was still was a diverse place up until yesterday, with only a few boards being unusably bad, and it was getting increasingly better.

it's a bit sad really. zero-barrier to entry, no login gates, no accounts, and traffic was so high that it moved really fast. it was like a dive bar covered in grime. will be sad to see it go. none of the other imageboards still kicking are quite the same, most are even worse tbh.

Let me be bold: transphobia is counter-culture nowadays (at least in Western societies). Counter-culture is not always a good thing.

Yeah, after 2015 it became impossible to go to any of the boards if you weren’t a pol poster. They made it their mission to spread their vile shit everywhere.

Gamergate and Donald Trump was a 4-6 year period depending on where you put the needle. There were 10 years before it and now close to 5 years after it. The people who continue to hammer about it are just announcing that they don't understand the site and are complaining about ancient history. The most popular board right now is the video game generals board, and second place belongs to the regular video games board.

> How do replies work

Reply references the post it is replying to by ID, most boards will turn that ID into a link or even create a UI to view a chain of replies.

> How do you know it's actually the person you're replying to who's replying back?

You shouldn't, an anonymous imageboard invites you to engage with ideas, not people. However, on most boards you can enter a password with your post, which is displayed as a hash, changing you from anonymous to pseudonymous (although this is generally considered attention-seeking and is frowned upon).

If that's your thing, you can turn nicknames and avatars on in profile settings after registration.

What is the good reason?

Where I'm sat the only reason our three (?) social media companies restrict none illegal speech/content is to make it more appealing to advertisers.

I miss the internet before it was driven by advertisers and their investors.

I'm not looking for corporate sanitized social media site #102032. Imageboards if nothing else allow people to be people and you know what? Sure sometimes people suck, but I don't want some overvalued social media companies in America deciding what I can and can't see.

Sure I've encountered awful people on imageboards, but I've also encountered very nice, helpful people, some of which I've stayed in contact with long term.

Maybe today's social media. It's basically early xbox live tier banter. A relic of a different time on the internet that is incomprehensible to the outsiders who weren't around for it.

It wasn't hard to find things no, but the narrative one often reads is that it's the mainstream consensus there to the universal opinion rather than a fringe opinion which exists and isn't banned from having.

Do people also treat Reddit the same way?

Ragusea is an idiot, though and I arrived at that conclusion without any help from 4ch.

/ck/ from around 2015 to hmm… maybe 2018-19 was pretty good, and probably my home board. Decent cook along threads (I hope Patti is doing ok), /ck/ challenge threads where there was some theme we had to follow and posts would get ranked… and of course the yearly lemon pig [1] threads. Sadly I guess fast food posting, shitting on foodtubers, and general /pol/ shittery made it go down in my view. Still went there most days until yesterday though.

[1] https://en.m.wikipedia.org/wiki/Lemon_pig

Like it or not, 4chan was a major hub of Internet culture. Especially early on some of the best stuff on the internet happened on 4chan (and a good chunk of the worst, of course)

You can but I think it would make you quite dull

Why? I am not pleased with the government forced pills such as TikTok, Twitter and other such shite shoved down my throat.

You may enjoy the walled garden, I for one don't. Such sites gave you a hole to get away from the dystopian view that these gardens hold.

They gave independence away from forced control.