Re: Virus or Trojan on archive.palemoon.org ?

Posted: 2019-07-11, 00:09
by therube
Thank you (sha256) :-).

Re: Virus or Trojan on archive.palemoon.org ?

Posted: 2019-07-11, 08:12
by Moonraker
https://www.ghacks.net/2019/07/11/pale- ... nt-4416928

Hornets have already started stinging in this thread sadly.

Re: Virus or Trojan on archive.palemoon.org ?

Posted: 2019-07-11, 10:25
by New Tobin Paradigm
Well there is nothing that can be done except make damn sure nothing like this happens again. I am not gonna read the comments though.

I am sure we will see it referenced for years to come on every piece of Pale Moon post on ghacks ever.

Re: Virus or Trojan on archive.palemoon.org ?

Posted: 2019-07-11, 11:14
by Night Wing
I have never used the archive server. I've always used the main distribution channels. I also don't use the internal updater to go from an older version of Pale Moon to the newest version of Pale Moon. I always uninstall (in Windows 7) the previous version and then install the newest version. Takes me all of three minutes of time, but I prefer this method over the internal updater (in Windows 7).

In Windows 7, I'm always using the main distribution channel and in my case the Americas, I also put the previous and newest versions of Pale Moon on three thumb/flash drives in the event I have to go back to a previous version, I've got it. I use my thumb/flash drives for this instead of the archive server. And I've been using this method since the year 2011.

I do a slightly different method for linux Pale Moon since in my linux Mint (Xfce), my linux Pale Moon is never installed. I run linux Pale Moon from the executable file and I create the linux Pale Moon launcher icon. So in linux Pale Moon the previous version of the linux Pale Moon tarball is saved to those three thumb/flash drives as well.

Would this "hack" of the archive server make me quit using Pale Moon? The simple answer is "No". Speaking just for myself; Pale Moon is easy to customize and I prefer Pale Moon over Chrome, Firefox, Brave, Vivaldi and Opera when it comes to choosing a default browser.

And I will close by saying I'm not a power user in either Linux or Windows 7.

Re: Virus or Trojan on archive.palemoon.org ?

Posted: 2019-07-11, 12:04
by Moonchild
I'm wearing my scale mail suit today and have made sure to seal all obvious hornet-sized openings.

Of course the fanbois are trying to make more of a stink out of it than it should be. And of course they will continue to reference it because oh noes, we're not perfect. Heck, the reason this happened to begin with is not even because we did anything wrong, but because an assumed-safe environment provided by a third party turned out not to be.

I'll draw an analogy for all the people who missed the details of the situation:
Compare it to living in an apartment building. You assume your apartment is safe because the door locks, and you always make sure to lock it and keep the key safely in your pocket. The building has a more secure entrance with a door that can't possibly be breached/picked open.
Now imagine having a break-in from either one of your fellow tenants because the lock on your apartment door is busted or crappy, or the landlord who just lets himself in with the master key. Whose fault would that be? Yours or the landlord's (in both cases)?
To continue the analogy: I've moved out of the building as a result, and will move to a building where I have known and trusted the landlord for many years.

Re: Virus or Trojan on archive.palemoon.org ?

Posted: 2019-07-11, 12:05
by therube
Hornets have already started stinging in this thread sadly.
The article was very well written & balanced.

Likewise, I too will simply ignore the comments.

Re: Virus or Trojan on archive.palemoon.org ?

Posted: 2019-07-11, 13:29
by Isengrim
Moonchild wrote:
2019-07-11, 12:04
Heck, the reason this happened to begin with is not even because we did anything wrong, but because an assumed-safe environment provided by a third party turned out not to be.
The only other thing I can think of is using a Windows server. ;) (Honestly though, plenty of people use Windows servers connected to the internet without a problem, so I doubt that the choice of OS was a factor here.)

Who was the previous VPS provider for the archive server?

Re: Virus or Trojan on archive.palemoon.org ?

Posted: 2019-07-11, 13:47
by Moonchild
Isengrim wrote:
2019-07-11, 13:29
Who was the previous VPS provider for the archive server?
I already stated that in my report: Frantech/BuyVM

Re: Virus or Trojan on archive.palemoon.org ?

Posted: 2019-07-11, 18:05
by Tharthan
@Moonchild:

So, in other words, sometimes your flat falls flat?

:D

Re: Virus or Trojan on archive.palemoon.org ?

Posted: 2019-07-11, 21:15
by coffeebreak
Moonchild, thank you for providing the list of hashes, and thanks to therube for requesting them.

Would you consider adding a link to the list on pastebin to the Data breach post-mortem, under "How do I verify my downloaded files are clean?" - that's where people who don't already know the location of the list would most likely look for such information.

Update: It seems the link has been added. Thank you, Moonchild.

Re: Virus or Trojan on archive.palemoon.org ?

Posted: 2019-07-12, 06:47
by Herb_
Thinking about the infection date in 12.17 it came to my mind that I've downloaded 14 of the portable .exe's on the hash list end of March this year!
I've definitely worked with 7 of them within April several days.
I have win10 with active defender, there was never any occurrence nor with malwarebytes monthly scans since then.

All this leads me to think, the timestamp was manipulated as well and the infection was actually later than March this year.

Does all this make sense?

Re: Virus or Trojan on archive.palemoon.org ?

Posted: 2019-07-12, 09:47
by FranklinDM
Herb_ wrote:
2019-07-12, 06:47
All this leads me to think, the timestamp was manipulated as well and the infection was actually later than March this year.
I also have the same suspicion as yours. I downloaded a few older portables last year while preserving the modified time from the server:

Palemoon-Portable-20.0.1.exe, modified: 08/01/2015 11:08:50 AM, downloaded: 11/19/2018, 8:49:37 PM
Palemoon-Portable-26.5.0.win32.exe, modified: 09/28/2016 12:01:28 PM, downloaded: 09/05/2018 4:44:52 PM
Palemoon-Portable-27.5.0.win32.exe, modified: 09/30/2017 2:29:10 PM, downloaded: 08/26/2018 7:40:33 PM

The hashes provided match the ones I've got from these portables. My timestamps might be in (UTC+08:00).

Re: Virus or Trojan on archive.palemoon.org ?

Posted: 2019-07-12, 10:47
by Moonchild
Thanks for that. I'll update the report accordingly.

Re: Virus or Trojan on archive.palemoon.org ?

Posted: 2019-07-12, 12:35
by Isengrim
Wow, that's much better news than previously. Thanks for the update!

Edit: I commented about the update on the ghacks article about the hack. Hopefully it got submitted correctly and Martin updates the article. It probably won't shut up the comment hyenas, though.

Re: Virus or Trojan on archive.palemoon.org ?

Posted: 2019-07-12, 14:12
by John connor
This is exactly why I check all hashes if provided for a download and then scan it at Virus Total.

Should have rolled AWS S3. But it's your ship.

Re: Virus or Trojan on archive.palemoon.org ?

Posted: 2019-07-12, 14:13
by John connor
What are the chances the main update server that the built-in update facility in the browser itself gets infected next?

Re: Virus or Trojan on archive.palemoon.org ?

Posted: 2019-07-12, 14:25
by New Tobin Paradigm
Unless it is top down as in someone controlling the node or even higher as in the datacenter itself... None. They are secure linux servers. This kind of thing that happened required a specific set of circumstances and events that shall not be allowed to happen again.

If there was a lesson to be learned, and I am not saying there is, rest assured it was learned very well.

Re: Virus or Trojan on archive.palemoon.org ?

Posted: 2019-07-12, 14:26
by Moonchild
F22 Simpilot wrote:
2019-07-12, 14:12
Should have rolled AWS S3. But it's your ship.
I'm pretty sure I already explained why not. Do you have some vested interest in Amazon getting money from us on a volume-based service that can be abused in other ways?
F22 Simpilot wrote:
2019-07-12, 14:13
What are the chances the main update server that the built-in update facility in the browser itself gets infected next?
Pretty much zero.
Tell me though... are you now having trust issues with everything we do all of a sudden? Because it seems like you're blowing this way out of proportion.

Re: Virus or Trojan on archive.palemoon.org ?

Posted: 2019-07-13, 00:20
by Tharthan
F22 Simpilot wrote:
2019-07-12, 14:12
Should have rolled AWS S3. But it's your ship.
Moonchild wrote:
2019-07-12, 14:26
Do you have some vested interest in Amazon getting money from us on a volume-based service that can be abused in other ways?
Image ?
Not serious, of course.

Re: Virus or Trojan on archive.palemoon.org ?

Posted: 2019-07-13, 00:43
by mintoyatsu
A big thank you to everyone that has worked to get this resolved... I was not personally affected since I did not download old versions off the archive server, but a swift response nonetheless.