←back to thread

Internet Archive breached again through stolen access tokens

(www.bleepingcomputer.com)
492 points vladyslavfox | 2 comments | 20 Oct 24 15:00 UTC | HN request time: 0.001s | source
Show context
badlibrarian ◴[20 Oct 24 15:40 UTC] No.41896054[source]
Restating my love for Internet Archive and my plea to put a grownup in charge of the thing.

Washington Post: The organization has “industry standard” security systems, Kahle said, but he added that, until this year, the group had largely stayed out of the crosshairs of cybercriminals. Kahle said he’d opted not to prioritize additional investments in cybersecurity out of the Internet Archive’s limited budget of around $20 million to $30 million a year.

https://archive.ph/XzmN2

replies(3): >>41896114 #>>41897651 #>>41900416 #
mmooss ◴[21 Oct 24 03:26 UTC] No.41900416[source]
A non-grownup analysis is to criticize a decision in hindsight. If Internet Archive shifted funds to security, it would mean cutting something from its mission. Given their history, it makes sense IMHO to spend on the mission and take the risk. As long as they have backups, a little downtime won't hurt them - it's not a bank or a hospital.
replies(1): >>41902891 #
1. badlibrarian ◴[21 Oct 24 11:11 UTC] No.41902891[source]
Downtime aside, best practices for running a library generally include not leaking usernames, email addresses, and eight years of front desk correspondence.

They sell paid services to universities and governments, so downtime isn't a great look either.

> it's not a bank

They tried that too. Didn't go well.

https://ncua.gov/newsroom/press-release/2016/internet-archiv...

replies(1): >>41906407 #
2. mmooss ◴[21 Oct 24 17:38 UTC] No.41906407[source]
> best practices for running a library generally include not leaking usernames, email addresses, and eight years of front desk correspondence

That's incorrect IMHO: You are describing outcomes; practices are about procedures. In particular, necessary to the understanding and use of best practices is that do not guarantee outcomes.

Any serious management balances risks, which includes the inevitability, though unpredictable, of negative outcomes. It's impossible to prevent them - not NASA, airlines, surgeons, etc, can prevent them all, and they accept that.

It's a waste of resources to spend more preventing them than you lose overall. Best practices do not provide perfect outcomes; they provide the most reduced trade-offs in risk and cost.