Anonymous says it will release massive trove of secrets from far-right web host

Anonymous says it will release massive trove of secrets from far-right web host


Unsalted MD5, wow




There was technically security on their files, but it was close to the crappiest possible type.


Like cellphone level or raspberry pi cracking easy




And since it's unsalted, about half of the passwords would be cracked within that minute


Like 2000-2005 random web forum level security


So, more than Parler had.


But not by much.


MD5 is an old hashing algorithm. Hashing is supposed to be one way math where you put in one thing and you get a seemingly-randon thing out the other end, but people figured out a way to shortcut MD5 and reverse it, so it's not really used anymore (we use SHA-256 these days). Because hashing gives you the same output if you give it the same input, it's possible to run down a list hashing things like common passwords, so if you get someone's hashed password list you can look for matches. Salting is when you add some random text to the thing your hashing, so people who have the same password won't have the same hashed password.


Isn't MD5 still used for verification? Like it isn't good to protect your data, but still useful in making sure the file you downloaded is the correct one.


Yes for checksums is fine but not fine storing passwords


MD5 is actually broken for checksums as well, because it's now trivial to generate two files with the exact same MD5 checksum. This has **bad** implications. You use to be able to download a file from a file sharing site, verify the MD5 from some official source, and feel confident that the file was not tampered with. Now, a malicious party could replace the file with a virus (or any other data), and pad it with appropriate data to make the MD5 checksum identical to the original file.


So what's the new standard for checking file integrity? Last I remember even Windows ISO had an MD5 checksum


SHA-1 is fairly common now, but SHA-256 is considered the latest and greatest for the purpose.


Is this 2004?


This isn't a leak, this is a cyber CTF exercise 😂


Will it simply be interesting but damning or actually damaging? Will it be embarrassing but ultimately meaningless? Will heads roll or will it just be an inconvenience due to bad press? I'll be interested to see if anything actually comes of it.


Ngl, I’d like a treasure trove of emails from rich evangelical pastors.


We're looking at you, Kenneth Copeland.


Don't make eye contact!


Honestly all televangelists surprise me with the audiences and congregations they are able to muster but being from Houston and seeing how this guy and his wife are melting into the Joker and one of his pet hyenas I'm kinda impressed someone this stomach churning is able to fill a Waffle House.


Ngl, fuck dirt on these scumbbags, send out social security numbers, bank account numbers, crack their purses open like a piñata. Let's fuck with portfolios, let's sell off assets of theirs for pennies. Idk why anyone thinks anything other than attacking money would work on someone who's already sold their soul.


Just like any of these things, it depends on if the mainstream press decides it's newsworthy or not.


It can still be newsworthy, and not do a damn thing.


Panama papers!


FFS a ton of shit happened because of the Panama Papers. Governments fell, new regulations were passed across the world. The problem is the PP didn’t have a lot of Americans listed because they bank elsewhere. So since no major changes happened in America people start these meme conspiracies. It’s garbage. https://www.icij.org/investigations/panama-papers/five-years-later-panama-papers-still-having-a-big-impact/


Jump back! What's that sound?!


[A car bomb killing a journalist?](https://www.theguardian.com/world/2017/oct/16/malta-car-bomb-kills-panama-papers-journalist)


The worst part about that is the world did literally nothing about it. You cause people to poke their heads too far out of the sand and your life ain't worth much.


and again with Jamal Khashoggi


Here she comes, full blast and top down.


Hot shoe, burnin' down the avenue


Model citizen, zero discipline


This has been successful outside of the US. A lot of people have been arrested and laws were changed. Tax avoidance is legal in the US which is why those papers didn't do squat.


Tax avoidance is legal almost everywhere. Tax evasion however is a criminal offence virtually everywhere. There is a small fine line between the two and it is utter bullshit but hey.


Or not newsworthy but still cause damage through repeated suggestions that it contains damning information (i.e., Wikileaks release of Clinton emails).




[DID SOMEBODY SAY BEES?](https://youtu.be/PYtXuBN1Hvc)




Snowden exposed mass surveillance. Seems all the happened was that I have to 'Press Accept' for some cookies more often than I used to. You're on to something.


Have you tried right clicking and going to "inspect" then mouse over each line until the thing blocking the page gets highlighted and then right clicking it and deleting it so you can view the page without accepting their cookies? There always seems to be another invisible layer too that you can delete the same way by moving the mouse over the lines in the inspect element thingy until the whole page gets highlighted after you delete the popup thing asking you to accept cookies. I hear it works on some paywalls as well.


How familiar are you with the right wing? They could uncover a pedophilic vampire adrenochrome sucking baby eating nazi conspiracy engulfing every politician on the right. Fox News would be making some lame comment about AOC that same day. Nothing is going to happen.


Haha. You’re over-exaggerating. It’s not like there was a massive insurrection in our nation’s capitol where the losing incumbent, alongside his political allies, whipped a crowd into a frenzy by falsely accusing their opposition of fraud and stealing an election, then send that frenzied crowd marching towards the Capitol building where our lawmakers were currently in the process of certifying said incumbent’s loss, of which said riot resulted in the death of multiple individuals, including a cop, and millions of dollars worth of destruction — and the right wing media successfully whitewashed the whole thing as “tourists who got a bit out of hand and it was all those darned antifa’s fault anyway!”


Yeah that be crazy. Almost as crazy as said incumbent using his last day in office to pardon his former campaign manager for defrauding his own supporters who donated their own money to fulfill his major campaign promise, all while remaining extremely popular with those same supporters. That be insane


Remember the Panama papers and the murder of Epstein? Nothing will come of it


This is misinformation and easily checkable. Lots happened after the Panama papers revelations Edit: quite a lot of people replied to my original comment to say the reporter behind the story got killed. Please actually go and read the facts before commenting as you’re just adding to the misinformation. Yes she was killed but it most likely wasn’t a direct result of her breaking that story since she had been exposing the corruption of the Maltese government for years. It’s also important to remember that part of the problem around the PP scandal was that what many of the companies and people were doing wasn’t actually illegal. Just very immoral.


The biggest overall effect was that some countries tightened their laws that allowed for egregious anonymity. A lot of the stuff found in those papers couldn't be traced back to any individuals.


And I may be misremembering, but the US media played it up huge early on only to not end up with really any prominent Americans getting caught up in it. Lots of international people, and a scheme for sure.. but not enough to keep the scandal in our news cycles for long. They named a total of like four Americans in the trove of 11 million documents. So when people say "nothing really came of it" it's because they're probably Americans and these papers barely had anything to do with the US.


IIRC there were plenty of american shell companies that couldn't be tracked to individuals because no individuals were required to be named when the entities were created. Again, IIRC, I believe that led to some changes in how businesses could be created in a couple US states.


Then the Paradise papers came out that included the Queen and other high profile people. Did anything come of it? Serious question.




Rob monster , the CEO of Epik , his last name is Monster lol you can't make this shit up


The coders of the simulation are getting F’ing lazy.


I'll say. Spam emails are assuming I RUN NORTON.


Well it makes for good a filter. If you run Norton you would probably fall for their scam.


Yep. All these scams that appear so stupid on the surface... because anyone that DOES engage with them is guaranteed to be a gullible moron, aka the perfect target for scammers.


Yep I've been saying this about flat earthers for a while, smells like scambait to me. Identifying as such is like having a neon sign above your head that says "scam me, I fall for anything". Like if I was running scams, that would be step one - make the gullible idiots identify themselves and group together, then blanket their shit will every conceivable scam.


Were you in a coma during the Trump seasons? "Huh, this old character they're dredging up looks to be cartoonishly horrible... Yep, they aren't really trying to make the character anything close to human, just a deeply flawed psycho. No real character development, just wall-to-wall, non-stop scumminess."


These NPCs are getting buggy as fuck too…


Hungry for Apples?


My man! Muhmuhmuhmuhmy man!


That's like the President of Nintendo America being Mr. Bowser.


Or like the CEO of Apple Inc. being Tim Apple.


Or a dentist named Dr. Crentist!


That sounds an awful lot like dentist.


Exactly my first thought. Just like Swindall a Georgia Republican Representative who got caught taking money from a money launderer. https://www.google.com/amp/s/www.ajc.com/blog/politics/pat-swindall-pioneering-evangelical-congressman-dies/eXW26kDnthtCEwASlJZQTI/%3foutputType=amp


And Bernie Madoff who made off with billions of dollars in a Ponzie scheme.


I had a doctor named Dr. Doctor.


Crentist the Dentist.


Nomative determinism if I've ever seen it




whoopsie doodle!


We’re getting too late in the Matrix simulation. Time to reboot.


"Mommmmmm, can I pick up this Rob Zombie album?" "We have a Rob Spookyname at home." Rob Spookyname at home:


Do Lindsey Graham’s Grindr chats next!


I’ve missed anonymous shenanigans.


They totally went silent during the Trump presidency for some reason. Would love to see them back alongside wikileaks


Well um they kinda stopped long long ago, when the leader was arrested by the FBI and turned into a cooperator, and they arrested all the OGs I wouldn't trust anything after that


Nope. Anonymous is probably 50% CIA and 50% 14 year olds on 4chan


Same. Was hoping for a reunion tour.


Wake me up when it's released.


Actually, it's already released. https://twitter.com/stevanzetti/status/1437778300643028997


The dump can be accessed at [https://epikfail.win](https://epikfail.win)


According to the info there, they were hashing passwords with **md5**, unsalted. Wow. That almost seems worse than just not hashing them at all.


Why is this bad and what should they be using?


So passwords aren't stored, you take a hash (one way function) and store the result. Then when someone enters a password, you hash it and compare it with the hash in your database, that way you never touch their password. MD5 came out in 1992, and can be surprisingly brute forceable, so they should have been using a better hashing algorithm, and salting them which means that you add a little salt (secured generate variable) to the input so that all hashes are different, so if hackers crack password has a hash of 0x5, they can't scan your database for 0x5 and login to everyone whose password hash is 0x5


I'd like to add something to this is that hundreds of millions of common passwords have already had hashes against them run. So it's easy to compare the hash against a list of known hashes and the plaintext. So it's not brute force per se.


This is true, but only relevant when not using randomly generated salts. Using a randomly generated salt does a lot to mitigate this kind of attack.


Hashing, at least in this context, is sort of like one-way encryption. You take a value like `hunter2`, plug it into the function, and it spits out a "hash" for it, like `2ab96390c7dbe3439de74d0c9b0b1767`. Ideally, there should be no way to get the original value back once its been hashed. This is useful for passwords -- when you create an account, the site can take the password you give them, hash it, and only store the hashed version. When you sign in, they just need to use the same hashing algorithm on the password you provide and see if it matches the stored hash. This means that neither they nor any potential hackers can recover your original password. _Ideally._ MD5 is an old, busted hashing algorithm, and cracking it is trivially easy. If you Google that hash I put in my previous paragraph, you'll find dozens of databases that will tell you that it's an MD5 hash for `hunter2`. Salting is the process of adding extra text to the string before hashing it, which makes it harder to crack. If you use something unique to each user, it also means that two users with the same password would have different hashes.


That’s weird all I see is *******


You truly know how old someone is on reddit when the reference [hunter2](http://bash.org/?244321)


This is unfortunately very true. Can I interest you in 100 push-ups training plan, or maybe a floor sealer?


I grab my robe and wizard hat


100 push-ups training plan was one of the funniest things I had ever read. Maybe the first time I cry laughed on the internet.


I love that he used ******* in this example.


Well explained. Thanks


To add on to what everyone else said unsalted MD5 is so bad, you can literally just google hashes to reverse them. c7561db7a418dd39b2201dfe110ab4a4 af78274dcd908e9c347fdca182479aad a1ec23e9b9ab43a88222d9949ee26499 639bae9ac6b3e1a84cebb7b403297b79 46c48bec0d282018b9d167eef7711b2c c7561db7a418dd39b2201dfe110ab4a4 af78274dcd908e9c347fdca182479aad e1686078d1b60d351da5a87543a2a663 639bae9ac6b3e1a84cebb7b403297b79 74e8333ad11685ff3bdae589c8f6e34d


Add that to the list of unexpected Ricks.


Pepper, its the superior seasoning


ShA512 - ideally crypto i think. MD5 is a very weak and easily Hackable hashing algorithm. It’s like the equivalent of using numbers to replace letters in your passwords Edit: as people below me have said - sha512 is not good for hashing either. And sha512 compared to md5 is like learning fluent Japanese compared to learning to spell cat.


Ideally they'd be using something like bcrypt. Sha512 is designed to be fast ( so generating rainbow tables is really "easy" with a couple of GPUs ). Bcrypt is designed to be computationally expensive so that making rainbow tables isnt with the effort.


nowadays argon2id is recommended


This wouldn't matter as much if they salted passwords.


sha512 is still fast, which you don't want, and the extra bits just take up disk space for no reason.


Sha512 is not an acceptable password hashing function. It's designed to be fast, much too fast for passwords.


So we can just break out the [Cisco Decoder Rings](https://www.ifm.net.nz/cookbooks/passwordcracker.html)?




Whole damn thing is hilarious lmao: --- You know, when you name a company "Epik", that implies something really big's going to happen. Deserving of the name. Well, **after years of bolstering the worst trash the Internet has to offer, this is, truly, the Epik moment we've all been waiting for.** Contained within this release, the following delicious morsels that will surely be digested for months to come: A decade's worth of data from the company. That's right, everybody. **Time to find out who in your family secretly ran an Ivermectin horse porn fetish site**, disinfo publishing outfit, or yet another QAnon hellhole. Want to know when a nation-state decided to offer hosting to some domestic terror groups, without those pesky DDoS mitigating reverse proxies getting in your way? Want to know the identity of the owner of a domain or large set of domains used in yet another influence/information operation? Decloak origin IPs of nazi websites for further investigation, poking, prodding! **Map out a decade of online fash with a level of clarity nobody has been able to UNTIL NOW!** WHAT YOU GET FOR THE LOW LOW PRICE OF $0.00 * All domain purchases * All domain transfers in/out * All whois history, unredacted * All DNS changes * All email forwards, catch-alls, etc * Payment history (**no credit card data, don't get excited, FBI, we're not in that game**) * Account credentials for: all Epik customers, hosting, Anonymize VPN, and so on Epik internal systems, servers Epik's GoDaddy logins ...and more! IN PLAINTEXT! That's right, Epik barely hashed a damn thing! When we saw hashes, they were merely unsalted MD5 Here's one such sample that made us upset for daring to use "anon": Rob Monster [email protected] robmonster 109d88a0c4a49217c01a36913b034161 (cracked: willem) Yep, these Russian developers they hired are actually just that bad. They probably enjoyed snooping through all of your shit just as much as we did. * **Over 500,000 private keys. What are they for? Who knows!** * We think we spotted a bunch of Anonymize OpenVPN profiles in this, but we were too disgusted with the above to continue digging. * **A dump of an employee's mailbox, just because we could.** * Git repositories for whatever internal applications! * SSH keys! * /home/ and /root/ directories of one of their core systems! This dataset is all that's needed to trace actual ownership and management of the fascist side of the Internet that has eluded researchers, activists, and, well, just about everybody. And maybe have a little extra fun. For the lulz. Is it possible to own a company as hard as this? We sure love to see it. *Good luck with the rebrand, Robby boy. Herd u liek mudkipz.* *Monero tips for the inevitable legal bills, for when the FBI kicks down OVER 9000 doors after this utterly embarrasses everyone and outs one or more of their poorly thought out stochastic terrorism plots (GOOD LUCK WE'RE BEHIND SEVEN PROXIES)* Support your starving hacktivists, and they will bless you in turn. So long, for now! Support #OperationJane and mess with Texas today! Abortion is a human right!


> Support your starving hacktivists where do i send ramen edit: like anonymous ramen dead drops or something


With more years that I care to mention in IT/CS , a degree or two in what might as well be arcane magicks and conjuring with a side of CS with a minor hobby in what might be called "very applied mathematics", and I swear this post almost makes it worth it. This is hilarious, and this sort of good work should get the guys who posted it a phone call tomorrow morning from the NSA guys at Ft. Meade who, between laughing their assess off, would likely want to set up a conference call for these guys to meet their new team members at some agency without such a public profile as the NSA, and if it's not well then I don't know what will.


I like this!


Damn, seven proxies. That’s impossibru to backtrace.


Stochastic terror plots are good things to thwart.


These hackers are the real MVPs


This kind of writing definitely reminds me of the old forum days.


I wonder if these some oldfigs at work. I've been long out of the loop, but it'd be fun if some of the boys got back together.


Nice Cult of the Dead Cow reference


Thousands of people going through that right now. I’ll check back after they’re finished lol


Look for anything tied to Matt Gaetz. Please god turn up shit.


> You know, when you name a company "Epik", that implies something really big's going to happen. Deserving of the name. Well, after years of bolstering the worst trash the Internet has to offer, this is, truly, the Epik moment we've all been waiting for. lol


Anything juicy in there?


I remember when I had the motivation to pour over documents. Epstein's files, panama papers, the NSA leaks... It takes A LOT of time and A LOT of effort to go through massive amounts of data. You basically have to read everything over and over, start sorting by patterns, researching dates and connections in public information, know when to abandon dead ends... Plus there's so much noise it's maddening. Only one I ever found anything in was the NSA leaks, helping compile all the illegal/immoral activities of the agency for RT4. That one ate at least 1000 hours of my life. Give it time. They'll find what they need. Unfortunately, evidence doesn't go as far as we'd like when it comes to the political right.


This really gives weight to the idea of if you just drown in shady shit its hard to find a starting point.


God and I can hardly find the time to order groceries on a Friday for Saturday pick-up.


epikfail.win Love that URL.


Even better that they're using a .win domain, which is something that has been massively adopted by the far-right lmao.


They just can't stop .win'ing


Almost sounds like the old anonymous




It all kinda went down after LulzSec and their shenanigans.


My money is on lots of gay sex and human trafficking


Probably run out of a pizza parlor basement.


If it turns out Anonymous gathered data on conservative right wingers running a pedophile ring out of a pizza basement…I won’t be surprised


Would it surprise you though?


At this point, I'd be surprised if they weren't.


why use a pizzeria's basement when you can just be like matt gaetz and use cash apps?


They use Apple Pay.


Anonymous needs to expose the Qanon nonsense, especially Ron Watkins.


I mean... HBO already did


What could be worse than what the far right has already done openly in public? ‘We’re gonna overthrow the government! We’re gonna kill the Vice President!’ And that was just one day in America.


Supposedly there are logins, passwords, and billing info. If that's true, that's a lot of info that opens the door for further hacks on the individuals setting up the sites. Turn around at throw that info at banks, email services, etc, and those folks will be severely compromised. Not condoning hacking people, but if the info they say is there, is there. That's a huge issue for the people involved.


There will be another "rally" this weekend, I hope the Capital Police are ready this time


They were asking for clarification on rules of engagement the other day, so it sounds like they are preparing


yeah they would be fools not to prepare.


I expect it to fizzle. These people are cowards when they face consequences.


I don't think enough of us appreciate that even tens of thousands strong all it took was one man shooting one person for the entire thing to collapse. These people only know how to punch down.


That’s why they can play victim at the drop of a hat.


Are you threatening dropping a hat on them!?! How DARE you! Do you know how dangerous that is to a patriotic protestor!!


The traitor that was shot was literally the first consequence for their actions they saw. Their brains went into vapor lock. Trump told them they could do anything they wanted.


With a competent Sec Defense that doesn't send out memos crippling the NGs abilities and won't contribute to delays deploying said NG. Then presumably a better staffed Capital Police and all the fences being back up. Its a different DC this time around.


Also worth noting that prior to that day, these same people *liked* that same Vice President.


Regarding the quote from the Epik CEO, 'nothingburger' is reactionary code for TARFU.


Help me parse your sentence please. Im stumped




If someone on the right calls something a nothingburger that’s code for conservatives to not read it. It means there’s shit in there. It’s the equivalent of a salesperson saying trust me.


Nice. I very much appreciate this explanation.


totally and royally fucked up


FUBAR is a more common acronym for what you mean


tARFu means what? Too Awful Regular Fuck Ups?


TARFU, an acronym for "Totally and Royally Fucked Up" or "Things Are Really Fucked Up"


*putting popcorn into microwave*…


Hmm this sounds like something r/conspiracy would love. Checks sub… oh yeah their actual r/the_donald_lite now


Nah they are nonewnormal lite now. All covid conspiracy theories and disinformation now


Lol at anyone that thinks the far right can be hurt or even shamed by stuff like this.


You can't shame the shameless.


Absolutely Zero of it will surprise anyone with a brain.




You can download the full 161GB here: http://epikfail.win




Anonymous says a lot of things. Edit: Anonymous delivered.


The magnet link for the torrent was posted to twitter. It's legit.


What's in it?


~168 gigabytes of various files. According to the release announcement: * All domain purchases * All domain transfers in/out * All whois history, unredacted * All DNS changes * All email forwards, catch-alls, etc * Payment history (no credit card data, don't get excited, FBI, we're not in that game) * Account credentials for: all Epik customers, hosting, Anonymize VPN, and so on Epik internal systems, servers Epik's GoDaddy logins ...and more! IN PLAINTEXT! That's right, Epik barely hashed a damn thing! When we saw hashes, they were merely unsalted MD5 Here's one such sample that made us upset for daring to use "anon": [DragoonDM note: Redacting this just in case; someone's account details] Yep, these Russian developers they hired are actually just that bad. They probably enjoyed snooping through all of your shit just as much as we did. * Over 500,000 private keys. What are they for? Who knows! * We think we spotted a bunch of Anonymize OpenVPN profiles in this, but we were too disgusted with the above to continue digging. * A dump of an employee's mailbox, just because we could. * Git repositories for whatever internal applications! * SSH keys! * /home/ and /root/ directories of one of their core systems!


> Yep, these Russian developers they hired why does this shit mostly point to russia? red flags all the way.




trying?? They succeeded.


That bit caught my eye but for different reasons. The result of offshoring software is typically crappy.


It’s been *super* obvious that a lot of republicans are in bed with Russia.


And their only defense is pointing to Dems and shouting, "China!"


I thought it was bengazi and Ukraine?


Nah, those are the off-season targets. When Repub. ties to Russia are pointed out they deflect to China. Benghazi and Ukraine are when things are a bit calmer.


They are a formless group. Anonymous is literally just them saying the are anonymous.


Yeah. I still can't convince my boyfriend they're not an organization because they have an "official" Twitter...


I tried to explain the idea of Anonymous to my father, I thought his head was going to explode.


If it's any consolation to you, I'm 53 and I "get it." Some of us get it.


He's 65. He can't understand Antifa and after 25 years in the Coast Guard is beside himself at the rise of the far right.


Lol, anyone else wonder where these guys were while Trump was in office? I don't buy anything these dudes do.


I’m guessing we are about to find out about that secret ring of pedaphiles in high levels of the world that q anon promised we would find. The problem will be that it won’t be the party they said it was.


About fucking time! Where has anonymous been? It’s like they were silent since 2016…


Anonymous is anyone who claims to be Anonymous. That’s the entire point.


*stands up* "***I*** am Anonymous"


Some of Anonymous/Lulzsec were caught and faced serious charges... But the FBI allowed them to work for them (and help find others from the group) if they didn't want to be charged ([some info](https://en.m.wikipedia.org/wiki/Hector_Monsegur)). So when you see "Anonymous" leaks or whatever, keep that in mind. Some of their targeting/actions in the last few years feels very different than their original purpose.


I mean Anonymous is anonymous for a reason. Anyone can "rightfully claim" to be a member of anonymous, because there is no bar to entry. It is more of a movement than an actual group and a lot of people use the name for whatever purpose they want simply because external sources (often times news media) think and/or portray it all as the same group.


Presumably disbanded after lulzsec got busted?


Yeah they took a hit from lulzsec. But getting anon to do anything is hard.


They’re not anyone’s personal army, that’s for sure.


yep in fact treating them as such tends to spark their ire