alt.hn

4/26/2025 at 2:49:54 AM

Still standing

 https://blog.4chan.org/post/781845918774394880/still-standing

by neko_ranger

4/27/2025 at 11:16:50 PM

being starved of money for years by advertisers, payment providers, and service providers

Given the language in this announcement that lays blame at everyone else's feet except the people responsible for maintaining the platform, I'm pretty sure that no lessons were learned, and that the security is not likely to improve beyond whatever bandaids that were needed to address this hack.

by romanhn

4/27/2025 at 11:22:58 PM

Even when talking about themselves in the article they mostly focus on some hardware server business.

In software outdated dependencies are vulnerabilities. The tech leadership knew this tradeoff and closed their eyes and hoped they'd get to it before someone else did. They did not and you shouldn't expect to be able to either.

If you do not have the resources to support the continual, ongoing updating of a dep, you do not the resources to add said dep.

by bradly

4/28/2025 at 1:38:32 AM

How likely is it that the attacker, who now has all of their source code, has already identified several additional vulnerabilities they can use? Seems pretty likely to me.

I don't think advertisers, payment providers, service providers, or hardware vendors told 4chan what version of OpenBSD to run or how often to update packages. Those are tasks that require time and effort, yes, but they're not herculean. They could have been done. I think laziness and disinterest are the more likely reasons.

by ivraatiems

4/28/2025 at 12:17:33 AM

Get real. Companies with infinitely more money, staff, and robust security practices are hacked every day. The only difference is they put out a vague generic corpospeak statement whereas this one admitted it was caused by a skeleton crew on a shoestring budget getting caught out. Given the nature of their user base and how many others would love to see 4chan go down, if things were as bad as you imply then hackers would be taking the site down weekly.

by transcriptase

4/28/2025 at 3:50:15 AM

Source?

I have never heard of a bank’s core mainframes being hacked in the last decade (outside of pen tests), even for mid size banks outside the global top 100.

by MichaelZuo

4/28/2025 at 1:03:06 PM

https://www.brightdefense.com/resources/recent-data-breaches...

by transcriptase

4/28/2025 at 3:15:13 PM

These are not the core mainframes… the only parts that actually get what might be called lavish spending on security.

Everything else outside of that… banks obviously have incentives to cut security spending to as low as possible.

by MichaelZuo

4/28/2025 at 5:20:06 PM

Nobody is comparing 4chan to bank mainframes except you. I can’t give a source for something I didn’t claim in the first place.

by transcriptase

4/28/2025 at 5:24:19 PM

Are you confused?

The claim was “ Get real. Companies with infinitely more money, staff, and robust security practices are hacked every day. ”

Banking core mainframes are the only thing I know of that gets anwhere near that kind of claim in terms of money, staff, and “robust security practices” 24/7/365.

And even then it’s far from infinite.

by MichaelZuo

4/28/2025 at 6:07:12 PM

“Infinitely more” compared to a shoestring budget does not mean infinite unless you want to be annoyingly pedantic.

The fact is I provided a fairly comprehensive list of hacks and breaches, many coming from large public companies that spend more in a year on security than 4chan brings in for ad revenue in a decade.

by transcriptase

4/28/2025 at 9:11:23 PM

It’s not even a million times more for a typical mid size bank… probably not even 100,000x… and as far as I know their core mainframes have been 100% secure over the past decade.

Hence my point.

Are you even fully reading my comments?

If you only meant that your claim applies only within an upper limit of say 1000x… saying “infinitely more” is obviously going to mislead some fraction of the readerbase.

by MichaelZuo

4/28/2025 at 5:44:09 AM

What are you talking about? There are massive breaches of huge companies who should be doing better all the time.

In 2017: > More than 40% of the population of America was potentially impacted by the Equifax data breach.

In 2022: > In September 2022, Optus experienced a major data breach that exposed the personal information of millions of customers

That's just 2 off the top of my head.

by sjdrc

4/28/2025 at 3:13:27 PM

Did you miss the words “bank” and “core mainframes”?

i.e. what they actually might spend millions of dollars per week on securing.

by MichaelZuo

4/29/2025 at 7:14:55 AM

Because only a hacked "core mainframe" (definition please) of a bank can excuse the lack of resources at 4chan? Only accepting overly specific evidence is a neat trick to never lose an argument.

by meinersbur

4/27/2025 at 11:22:56 PM

So…it sounds like typical 4chan?

by stego-tech

4/28/2025 at 1:42:41 AM

"We are still standing..." with our pants around our ankles, running around headless, seamless, breathless, brainless.

"I'm pretty sure that no lessons were learned." I would bet that was the case.

by ForOldHack

4/27/2025 at 11:29:47 PM

>One slow but much beloved board, /f/ - Flash, will not be returning however, as there is no realistic way to prevent similar exploits using .swf files.

Wow, this is a pretty incredible level of incompetence. Server-side SWF exploits are easily mitigated, unless they are using some sort of server-side SWF interpreter, which is absolutely not needed if you implement client-side Ruffle (or just require people to install the browser extension).

They can complain all they want that advertisers and payment processors refuse to work with them, but it's clear that no competent engineers want to work with them either if they're saying stuff like this.

by RIMR

4/28/2025 at 5:48:41 AM

It seems that you're thinking about the SWF content in terms of playback, which is not what they were doing. They were looking inside the bundles for ZIP files and malware (4chan users to shove horrible things into the files they upload), and extracting metadata from the SWF. We'll never know the exact details unless they share the source code. It is possible to write a secure SWF parser, but I think they decided to stop supporting this relic instead.

> Ruffle

Yes, they used that. Take a look at the board.

by r9zgWUN7WS3k6i

4/28/2025 at 5:35:40 AM

You can always volunteer to help "the incompetents".

by moralestapia

4/27/2025 at 11:35:12 PM

Does 4chan contain anything worth checking nowadays?

I remember visiting the site as a teenager to check rage comics, and even for the abrasion of the internet of the time it was too shocking for anything beyond an occasional look - random gore, pictures of underage girls, racist tirades and the like.

I know some people enjoy that Wild West, lack of rules environment for some reason, but is there any content that’s worth it for those who don’t?

by kace91

4/28/2025 at 3:05:11 PM

One of those things (the one that's definitely illegal) is gone for long time now. I think more than a decade. The rest is very much still there.

by clarionbell

4/28/2025 at 1:00:12 PM

I've heard there's a lot of local AI discussions there that don't really occur anywhere else.

by reginald78

4/27/2025 at 11:43:23 PM

[dead]

by wetpaws

4/27/2025 at 11:12:51 PM

I think it’s kind of funny but also entirely unsurprising that 4chan’s post about getting hacked is one of the most honest posts about this topic I’ve seen.

by Waterluvian

4/26/2025 at 4:00:31 AM

4chan is controversial and often very ugly, but it is one of the few old school message boards that allows free speech left.

Like the ACLU used to do, we should help them stay online and exercising their free speech, even if it is annoying and gross.

by silexia

4/27/2025 at 11:29:20 PM

As a long time ACLU financial supporter, I could not disagree more. 4chan is not and never was a bastion of free speech. Comparing 4chan to the ACLU is like comparing a toddler smearing shit on a wall to art. To practice free speech requires an intent to express a point of view. 4chan had to point of view and was just a shithole.

by santoshalper

4/27/2025 at 11:42:59 PM

> To practice free speech requires an intent to express a point of view

Excellent, now we can ban speech we don’t like by just saying it doesn’t actually express a point of view

by john-h-k

4/27/2025 at 11:57:01 PM

You can't yell out in a theatre that there is a fire and cause a stampede.

by chris_wot

4/28/2025 at 12:14:00 AM

Just in case you're not citing that old debunked free speech trope ironically, please see: "Don’t Use These Free-Speech Arguments Ever Again" by First Amendment expert Ken White (https://www.theatlantic.com/ideas/archive/2019/08/free-speec...).

by mrandish

4/28/2025 at 12:47:10 AM

I have no idea what you are talking about, and I am unable to read the article as it is behind a paywall.

by chris_wot

4/28/2025 at 3:17:32 AM

https://archive.is/iZC4v

Hopefully, that works. It's the first time I've done an archive like that. It works for me, but it always did because I'm using the Bypass Paywalls Clean add-on in Firefox https://gitflic.ru/project/magnolia1234/bpc_uploads

by mrandish

4/28/2025 at 5:49:04 AM

So, you can yell "fire" falsely and cause a stampede?

Alex Jones would like a word with you.

by chris_wot

4/28/2025 at 4:05:28 PM

Alex Jones defamed families by lying about the details of their children's deaths on his internet show. Courts have decided that his actions count as defamation.

Why did you bring him up here? Do you think his being punished for profiting off of the defamation of school children is a violation of his first amendment rights?

by skyyler

4/29/2025 at 1:00:20 AM

No, just the opposite. It wasn't a violation of his first amendment rights. You can't target the families of shooting victims like he did and claim that it was "free speech".

by chris_wot

4/28/2025 at 1:00:29 PM

Yes, because the current supreme court standard is "imminent lawless action".

by gruez

4/28/2025 at 8:08:28 PM

Alex Jones would like a word with you.

As TFA helpfully points out, defamation is outside First Amendment protection.

by mikestew

4/28/2025 at 11:16:46 PM

Alex Jones lost a civil case to the families of the victims. There was no first amendment issue because the first amendment specifies what the government can and cannot limit w.r.t. speech.

by ternaryoperator

4/29/2025 at 7:09:36 PM

> There was no first amendment issue because the first amendment specifies what the government can and cannot limit w.r.t. speech.

Defamation is by definition unprotected speech, but in the US the legal criteria of what is protected and unprotected speech fundamentally revolve around the First Amendment. The courts, part of the government, enforce civil disputes. The First Amendment applies to civil lawsuits which would directly or indirectly restrict or compel speech.

Alex Jones met the criteria for defamation in multiple civil cases because he spread false statements (conspiracy theories, to be clear), he ignored every indication that his statements were false (in a way that I believe fulfills at least the "reckless disregard of whether it was false or not" branch of the actual malice standard established in Sullivan [1]), and his statements harmed the families reputations (to the point where people motivated by or hiding behind his lies threatened the families [2] and defaced at least one victim's grave [3]).

Disclaimer: I personally believe that Alex Jones knew his statements were false and spread them anyway (the "with knowledge that it was false" branch of actual malice).

[1] https://en.wikipedia.org/wiki/New_York_Times_Co._v._Sullivan

[2] https://en.wikipedia.org/wiki/Alex_Jones

[3] https://apnews.com/article/alex-jones-infowars-bankruptcy-sa...

by hn_acker

4/28/2025 at 6:34:37 PM

> So, you can yell "fire" falsely and cause a stampede?

As the article I linked points out, that trope was (and still is) a hypothetical that tells us nothing useful about first amendment speech rights. The reason the article is so valuable and often cited is when one of those first amendment tropes is tossed into a discussion, it's usually to imply some specific speech which is protected - is not protected. They are often deployed either in error by those who don't understand how very narrow and incredibly rare first amendment exceptions actually are, or as a bad faith rhetorical device by those who already know the first amendment protects speech they wish it didn't.

As a student and fan of first amendment jurisprudence, the fascinating thing about the tropes is that most of them come from old, exceptional cases where the court got it wrong. Cases which were either reversed by later courts or so thoroughly disavowed they've never come back before the court. A long time ago, various eras of SCOTUS courts wobbled around in the long process of figuring out first amendment exceptions and some bad decisions were made - then later corrected. After decades of trying (and failing) to work out a set of rules permitting "good speech" while stopping "bad speech", it became obvious it was impossible.

Over the past 50 years or so, SCOTUS narrowed in on a detailed set of precedents which are as consistent and crystal clear as they are radically extreme - always protecting almost ALL speech - including the worst, most vile, offensive and hateful speech that has no redeeming value whatsoever. Speech I personally despise and wish no one ever said. While I hate the speech (and, often, the speaker), I fiercely defend the first amendment which protects it. Tolerating the awful things people I dislike do with their rights is the price of still having those rights when we need them most. After all those decades of trial and error, in the end, I think SCOTUS finally got it just about perfect.

So the next time you feel like hauling out the "fire... crowded theater" thing, consider instead just saying "The goddamn first amendment fully and absolutely protects this offensive, vile, bullshit speech - and I hate that these assholes said this shit because it's wrong - and here's why..." This would have the benefit of very likely being correct regarding the first amendment and I'd totally respect your feelings and even probably agree with you.

by mrandish

4/29/2025 at 1:05:38 AM

You could more easily have quoted ''Brandenburg v. Ohio'', 395 U.S. 444 (1969) [42]-[44]:

The line between what is permissible and not subject to control and what may be made impermissible and subject to regulation is the line between ideas and overt acts.

The example usually given by those who would punish speech is the case of one who falsely shouts fire in a crowded theatre.

This is, however, a classic case where speech is brigaded with action. See Speiser v. Randall, 357 U.S. 513, 536—537, 78 S.Ct. 1332, 1346, 2 L.Ed.2d 1460 (Douglas, J., concurring.) They are indeed inseparable and a prosecution can be launched for the overt acts actually caused. Apart from rare instances of that kind, speech is, I think, immune from prosecution.

https://www.law.cornell.edu/supremecourt/text/395/444

by chris_wot

4/28/2025 at 12:16:39 PM

Absolutely. Point is we have to judge it in context. People saying horrible things for no reason on a message board is fundamentally different to causing a stampede in a cinema.

I agree that we need laws to make "yelling fire and causing stampedes" illegal. I do not agree that "free speech requires an intent to express a point of view" is the correct way of implementing this.

by john-h-k

4/27/2025 at 11:40:02 PM

Absolutely not. Free speech exists just fine on the Internet, evidenced by the fact that a site like 4chan is capable of existing in the first place. We don't have to financially support repulsive communities just to protect their ability to exist.

If 4chan were taken down by government action, I might be inclined to speak up for them in some capacity, as I don't consider that anything 4chan is currently doing illegal, but that's not the situation here. If 4chan dies because it's a poorly-managed shithole with no allies, then we can and should let it die, and rest easy knowing that it wasn't censored, it collapsed under it's own debt.

by RIMR

4/28/2025 at 7:08:03 PM

What are you planning to do to help them stay online?

by rideontime

4/27/2025 at 11:10:14 PM

they were clearly focused on purchasing hardware over writing secure code

by knowitnone

4/27/2025 at 11:18:31 PM

I agree. It is interesting how much they focus the hardware servers in the article.

I'd be more interested knowing which package was vulnerable?, was it a known exploit?, and what systems were/are in place to alert on vulnerable dependencies?. Instead they are focused on the new servers just taking too long and not enough money because of advertiser pressures.

by bradly

4/28/2025 at 1:51:19 AM

They do mention their OS being out of date. One possible interpretation is they are using packages provided by a Linux distro, and getting up to date may have required a full OS update.

If that's were case, it would be easy to see how they might want to tie their OS upgrade to a hardware refresh rather than taking servers offline for a reinstall.

by dbaggerman

4/28/2025 at 2:51:54 AM

According to a Firebase video [0], the outdated and exploited package was called GhostScript.

[0] https://youtu.be/XNratwOrSiY?si=dxfD8Y7-wfOi0XcJ

by j_bum

4/28/2025 at 4:25:46 AM

Fireship is the channel name - firebase is the product he initially had based his channel off

by sadeshmukh

4/28/2025 at 1:54:30 PM

Oops - thanks for correcting my typo

by j_bum

4/28/2025 at 1:22:55 AM

Probably didn't even need to change their code, just get on current versions.

by xnx

4/26/2025 at 7:05:16 PM

This is a worthwhile read. Don't trust user input and try your damnest not to feed it into third party components. If you do, keep them up to date.

by lysace

4/28/2025 at 12:19:40 AM

I wonder if 4chan would benefit from open sourcing their website. Reddit used to be this way. Outsource the dev work to the open web.

by giancarlostoro

4/26/2025 at 12:47:11 AM

One of the pillars of the old, non-infested-by-normies Internet, still stands. Good news.

by Funes-

4/27/2025 at 11:52:46 PM

I remember when that site came about. It was a shithole then, and it's even worse of a shithole now.

by esseph

4/28/2025 at 12:07:00 AM

Yeah, it's never really been a place I'm interested frequenting but I'm also oddly pleased that we live in a world where it can still exist.

by mrandish

4/27/2025 at 11:33:17 PM

Keeping a website that has openly catered to pedophiles and nazis online is hardly "good news", unless you are a pedophile or a nazi.

It won't matter for long though. The userbase has had its trust shattered, and this blogpost makes it clear that 4chan has no ability to defend itself from future attacks, which are absolutely coming.

by RIMR

4/27/2025 at 11:42:59 PM

[flagged]

by joejoo

4/28/2025 at 12:00:22 AM

lol.

I think it’s moreso that when a normal person enters 4chan they either decide to get out while they still can or stay and become whatever the opposite of a “normie” is.

Wouldn’t say the latter sounds like it would be worth it at all though.

by yapyap

4/27/2025 at 11:53:17 PM

There will always be places devoid of normies, thankfully. They exist in every platform, new and old. Knowledge of dog whistles will be necessary though…

by bslanej

4/27/2025 at 11:57:01 PM

Since when has 4chan had an official blog?

by bob1029

4/28/2025 at 12:12:54 AM

Hopefully, not for long.

by tonnydourado

4/28/2025 at 12:20:05 AM

Curious as to the basis for animus.

by smitty1e

4/27/2025 at 11:14:58 PM

Wonder what they were feeding that pdf into. Ghostscript perhaps?

by baggy_trough

4/28/2025 at 12:18:58 AM

[dead]

by hutderek

4/27/2025 at 11:24:23 PM

Imaging dedicating hundreds or thousands of unpaid hours of your life to protect and preserve what amounts to a truck stop toilet. What a total fucking waste.

They should, in fact, give up and use the time for literally anything else.

by santoshalper