Hacker News new | ask | show | jobs
by gwillem 3537 days ago
GL sent me this statement. For the record, I didn't publish vulnerable systems, I published stores that have malware.

---

Willem,

GitLab has opted to remove the list of servers that you posted in your snippet. GitLab views the exposure of the vulnerable systems as egregious and will not abide it. While GiLab reserves the right take further action, up to and including termination (https://about.gitlab.com/terms/), we have chosen not to terminate or lock your account.

Please know this decision was not reached lightly and we appreciate your understanding on the matter.

Regards, GitLab

GitLab Support Team GitLab, Inc.
6 comments
HillRat 3536 days ago
>For the record, I didn't publish vulnerable systems, I published stores that have malware.

This is a crucial point, because it shows GitLab is basically nonresponsive to the key issue; it's the difference between "Here's how to hack Giant Anchor Retailer" (unethical, possibly illegal) and "Giant Anchor Retailer has been hacked, estimated NNN cards may have been compromised" (of public interest, not illegal). In my case, I want to know if I used any of the retailers on the list!

For GitLab to call this "egregious" and that they "will not abide it" suggests that either GitLab is technically incompetent in security matters, or that they've received legal notices and decided that the shortest path to resolution is to throw their users under the nearest publicly-operated multiwheeled passenger conveyance. In either case, poor show, good reason to seriously consider moving off GH and GL.

link
zAy0LfpBZLC8mAC 3537 days ago
And even if it were (a list of vulnerable systems, that is), why the fuck do they think that they should censor serious journalism? If you operate a public venue, then it is an important societal role of journalism to report on it if that public venue poses a risk to the public, whether that might also have negative consequences for the people operating it is completely irrelevant.
link
llukas 3537 days ago
You mistook "free and accessible" with "public".

You may exercise freedom of speech but not on server that belongs to a private company - it is their right to limit what kind of content they like.

But in an essence you are right - companies should exist to benefit society, but it is not how it exactly works right now.

link
BoorishBears 3536 days ago
I really hate this trend of journalism leaking into services like Github. We have secure ways to share files with high redundancy, why put a service like Github/Gitlab in the line of fire when their primary goal is to enable open collaboration, vs open information.
link
PuffinBlue 3536 days ago
What services are you referring to please?
link
BoorishBears 3536 days ago
Torrents are what in mind really, low barrier of entry for viewing, and someone in an oppressed state who can get arround a website block can probably get the torrent anonymously. To me not being easy to edit is an upside, additional data should require the initial trusted party to share a new magnet
link
gravypod 3536 days ago
Make a torrent?
link
gruez 3536 days ago
Can't be easily updated
link
cheiVia0 3536 days ago
http://www.bittorrent.org/beps/bep_0046.html http://www.bittorrent.org/beps/bep_0039.html
link
mixedCase 3536 days ago
How about IPFS?
link
5h 3537 days ago
Are they in the business of journalism?

Lots of people are saying "But the sites are already exploited" ... they are probably still exploitable further also, and GH/GL don't want to be at that party.

link
zAy0LfpBZLC8mAC 3537 days ago
Would they be required to publish this story if they "were in the business of journalism"?

This is not about whether they are legally required to do anything, but whether what they are doing is responsible behavior.

link
5h 3537 days ago
No, they would not be required - they are a private business and set their own terms.

As for being responsible - that is their motivation.

Should I assume that now you have access to this list that you will be contacting the site owners to notify them their sites are infected & exploitable? Would that be responsible on your part?

link
mattlondon 3536 days ago
There is a right of free speech in many countries (I assume you are in one of them), but that right does not force anyone else to distribute or publish your speech.

Their servers, and their decision on what data is on them.

Want to make it available for every to read? Run your own server and host it there.

tl;dr - you have the right to say what you want, but you cant force anyone to listen.

link
Flimm 3536 days ago
And that's why no one is talking about forcing GitHub and Gitlab to do anything. They're merely complaining. Just because someone complains about something doesn't mean they think it is illegal or ought to be illegal.
link
erikpukinskis 3536 days ago
Yes, but one by one the word "censorship" loses it's meaning. It used to mean preventing people from publishing their work. Now all it means is disagreeing about what should get shown prominently on social networks.
link
mcbits 3536 days ago
Anyone suppressing a work based on ethical judgments is practicing censorship. They could be acting on the authority of a state or religious institution, they could be removing immodest young adult fiction from the shelves at a children's library, or they could be moderating the content of a web site. Web sites are new, but the concept is the same as it's always been.
link
sytse 3536 days ago
Sorry for our mistake Willem, we reinstated the snippet. Also see our blog post about this on https://about.gitlab.com/2016/10/15/gitlab-reinstates-list-o... TLDR; The owners of web stores have a responsibility to their users. And it is in the users interest to have the list published so owners. We currently think that the interest of the user weights heavier.
link
sytse 3536 days ago
For reference the HN discussion of our blog post https://news.ycombinator.com/item?id=12715473
link
austincheney 3536 days ago
I am working on a partial solution to this kind of problem and plan to move from Alpha to Beta version later today.

https://github.com/prettydiff/biddle

This is not a CVS, so you would still need to run something like git locally on your own server, but the idea of self-hosted modules will solve for the censorship of central authorities.

link
Sidgup1 3535 days ago
So? Gitlab doesnt owe you anything.
link
johnsea 3537 days ago
Did you ask them for permission to publish a private communication? Probably not, bad of you! -

Github/-lab is for projects imho and not a publishing platform. Why don't you publish it on your blog or something? All power to Github/-lab, kick out such stuff!

link
Singletoned 3537 days ago
Given that they both offer to host web sites, then they are both (to some extent) publishing platforms.

https://pages.github.com/ https://pages.gitlab.io/

link
johnsea 3537 days ago
As you said: to some extent! Have a look at the "What is Github Pages" [1] and one clearly feels that Pages is meant for software, projects, manuals etc. And NOT to publish documents to shame 3rd party misbehaviour and hopefully attract publicity and quarrel. Such content should go to other places (imho).

[1] https://pages.github.com/

link
ricardobeat 3536 days ago
Why are you so angry? This is not about shaming, but protecting customers - first thing I did even before reading the full article was to click the link to see if I have given my CC to fraudsters, then I was gifted with a 404 from GitLab.
link
johnsea 3536 days ago
Yes you are right, I 'over-reacted'.
link
runholm 3536 days ago
They are both offering hosting of websites. They are absolutely a publishing platform.
link
fredfreddies 3537 days ago
The linked article is his blog on gitlab.
link
ominous 3537 days ago
Github/-lab is for files.
link