Shouldn’t the lesson be, “don’t put your conspiracy online”?


If you’re plotting something and want to recruit a horde of fellow conspiracy theorists to join you, the go-to company you call to provide “confidential” web services is Epik.

Epik, based in the Seattle suburb of Sammamish, has made its name in the Internet world by providing critical Web services to sites that have run afoul of other companies’ policies against hate speech, misinformation and advocating violence. Its client list is a roll-call of sites known for permitting extreme posts and that have been rejected by other companies for their failure to moderate what their users post.

Online records show those sites have included 8chan, which was dropped by its providers after hosting the manifesto of a gunman who killed 51 Muslims in Christchurch, New Zealand, in 2019; Gab, which was dropped for hosting the antisemitic rants of a gunman who killed 11 people in a Pittsburgh synagogue in 2018; and Parler, which was dropped due to lax moderation related to the Jan. 6 Capitol attack.

They also host anti-abortion groups, including that prolifewhistleblower page (which has since been removed). You’d think someone would realize that if your group requires support from an organization that also supports Nazis and Proud Boys and kooks and violent militias, maybe you should question the company you’re keeping.

It’s a notorious den of villainy, as you can tell. But maybe not anymore…would you trust your evil plan to a company after this?

But that veil abruptly vanished last week when a huge breach by the hacker group Anonymous dumped into public view more than 150 gigabytes of previously private data — including user names, passwords and other identifying information of Epik’s customers.

Extremism researchers and political opponents have treated the leak as a Rosetta Stone to the far-right, helping them to decode who has been doing what with whom over several years. Initial revelations have spilled out steadily across Twitter since news of the hack broke last week, often under the hashtag #epikfail, but those studying the material say they will need months and perhaps years to dig through all of it.

“It’s massive. It may be the biggest domain-style leak I’ve seen and, as an extremism researcher, it’s certainly the most interesting,” said Megan Squire, a computer science professor at Elon University who studies right-wing extremism. “It’s an embarrassment of riches — stress on the embarrassment.”

The founder of Epik, Robert Monster (surely one of the most appropriate names ever) is busy denying that any leak happened and is pretending that it’s all business as usual. Everyone else, however, is laughing at their incompetence, except maybe the far-right individuals who trusted them. They’re probably too busy trying to hide their trail.

Since the hack, Epik’s security protocols have been the target of ridicule among researchers, who’ve marveled at the site’s apparent failure to take basic security precautions, such as routine encryption that could have protected data about its customers from becoming public.

The files include years of website purchase records, internal company emails and customer account credentials revealing who administers some of the biggest far-right websites. The data includes client names, home addresses, email addresses, phone numbers and passwords left in plain, readable text. The hack even exposed the personal records from Anonymize, a privacy service Epik offered to customers wanting to conceal their identity.

This is going to be so entertaining. Probably also disappointing as the bodies are unearthed, and the American justice system does nothing.

I’ll just say that the only individuals who have ever been trusted with my Grand Elaborate Scheme to Rule the World are the spiders I whisper to, and they’ll never crack. It’s going to be such a surprise!

Comments

  1. lumipuna says

    If you’re plotting something and want to recruit a horde of fellow conspiracy theorists to join you

    I suppose people plotting crimes together are technically conspirators, even if they may be also conspiracy theorists.

    /pedant

  2. consciousness razor says

    No big deal. He has thoughts and prayers.

    “You are in our prayers today,” Monster wrote last week, as news of the hack spread. “When situations arise where individuals might not have honorable intentions, I pray for them. I believe that what the enemy intends for evil, God invariably transforms into good. Blessings to you all.”

  3. Reginald Selkirk says

    my Grand Elaborate Scheme to Rule the World

    Pssst – you’re not supposed to say that out loud.

  4. Marshall says

    Oh also, I haven’t finished the documentary so don’t spoil it if we already know who Q is (are) :D.

  5. Marshall says

    @JoeBuddha yes; weren’t most of the QAnon posts on 8chan? Anyway, I’ll finish the docuseries before I ask questions like this one.

  6. Jake Wildstrom says

    So, in the aftermath of this mess, Monster decided to answer questions in an apparently unmoderated video chat without the benefit of legal counsel. It’s, uh, something. There’s an extraordinary transcript. Particularly delightful snippets:

    Monster, 0:35:56: So July 2018, I’m kind of in this boardroom struggle with the group that was running the company at the time, and we go on vacation, cruising in the Mediterranean, like around August 17. Middle of the Mediterranean underneath a Persian meteor shower and I’m looking up at the sky. Beautiful, clear night, like endless stars, and I have absolute clarity that the Lord is going to need a registrar. It’s the closest thing to a calling I’ve ever experienced.

    Monster, 0:42:00: No no no, let me finish, let me finish the story, and then I’m going to come to Steve’s question. Right, fair? Alright. So… I’m the moderator. But I promise I will listen to everybody. I will not leave until all your questions are answered. We can go all night. It’s okay. My wife and daughter are in Austin so I have the house to myself. If the dog has to pee he’s got a diaper on.

    Unidentified: I bet God could create technology that couldn’t be hacked.
    Rauhauser: The problem is… what Kirt has said there is sort of the philosophical view. And I think it’s true, everything can be hacked. But the question is, do you have the time, the money, enough matter in the universe to convert into computing power in order to do it? And the goal…
    HF: And amphetamines, Neal. Amphetamines.
    Rauhauser: Yeah, okay, that might be a consideration…
    Unidentified: That’s true, the stimulants, they definitely do help out.
    Unidentified: Can I just say? Cocaine, hell of a drug, bro.
    Unidentified: Facts.
    Monster: [reading the chat, not visible] Hellbat wants to know, [crosstalk] what do I know about gematria. Do you guys know about gematria? It’s kind of interesting.
    Unidentified: Amphetamines are just the natural way to go, you know?
    Unidentified: Yeah, it’s some kind of woo woo bullshit.

    Monster: I think it’s kind of fascinating. The universe is defined by a lot of math. You look at the music and tones…

    Monster, 2:59:00: And then Wikipedia! Those of you who think Wikipedia is anything other than propaganda, you’re…
    Unidentified: He’s just fucking around talking about it. Did he like apologize for getting everybody’s fucking data? Or is he just rambling like a fucking idiot?
    Monster: Uh, no. No, no, no, not like a fucking idiot.
    Unidentified: Oh, you can hear me?
    Monster: I can.
    Unidentified, 2:59:22: You fucking clown.
    Monster: …because you can mute yourself, or you can… what’s your name?
    Unidentified: No I’m not gonna bother. No thank you. Continue on, keep going.

  7. Akira MacKenzie says

    Probably also disappointing as the bodies are unearthed, and the American justice system does nothing.

    Democrats: “But… but if we did something, it might make the Right angry. Don’t you remember Oklahoma City?”

  8. Owlmirror says

    underneath a Persian meteor shower

    The transcriber either misheard or mistyped, because I listened to him, and he did say “Perseid”.

  9. numerobis says

    Apparently a bunch of sysadmins who never knowingly worked with Epik found some of their info in there. Now they’re trying to work back who they were working with, that subcontracted to Epik, so they can switch suppliers.

  10. Owlmirror says

    Apparently a bunch of sysadmins who never knowingly worked with Epik found some of their info in there.

    An Ars Technica post says that: “Epik had scraped WHOIS records of domains, even those not owned by the company, and stored these records. In doing so, the contact information of those who have never transacted with Epik directly was also retained in Epik’s systems.”

  11. Who Cares says

    @numerobis(#12):
    To add to what Owlmirror(#13) wrote they also never updated their database once the current WHOIS record expired/changed. So if you went to EPIK to get a parked domain to move it to somewhere else that one visit is enough to be in their database forever.

    And they did protect the data. They hashed it with unsalted MD5 cue jaws hitting the floor followed by belly aching laughter from basically anyone doing anything in computer security.

  12. Roy says

    “The founder of Epik, Robert Monster (surely one of the most appropriate names ever)”

    Huh. Everyone’s a little bit racist.

  13. blf says

    There are credible-seeming reports the data includes credit card numbers, etc., including CVV numbers (Card Verification Values, the numbers printed on the back of the card). If true, that means Epic’s stored data is also in violation of the PCI (Payment Card Industry) standards, which strictly prohibits non-transient CVV storage.

    Storing CVVs is a HUGE verboten! Epik very presumably accepted credit cards for payment for their “services”. (Indeed, how else would they have the CVVs?) The card providers (the “banks”) and service networks (Visa, etc.), require up-to-date PCI conformance as part of their terms of service. Epik could soon be buried under zillions of bricks shot from cannons by armies of lawyers. (Whoever independently certified Epik’s credit card “system” as PCI-compliant could also be under a heap, or possibly a victim (e.g., Epik lied to them), or (perhaps most likely?) Epik didn’t keep their independent certification up-to-date.)

  14. Pierce R. Butler says

    Another triumph for Voltaire’s Prayer.

    So why are these guys still, generally speaking, winning?

  15. birgerjohansson says

    Ha, there has been a huge leak of emails from Trump’s layers dating to the days after the election, showing they knew the trumpian version of events was BS.