Yeah, it has been a long time since I wrote anything on this blog; I'm kind of surprised that it is still alive! Anyway, due to recent news about security problems in some of the technology we use, we want to inform you about how we/you were affected.
Heartbleed is an OpenSSL security hole that allows anyone to dump 64KB of RAM from a server; anyone can exploit it, and we were affected, like 60% of the rest of the world.
The YayPonies mirrors (yp1 and yp2) were patched against Heartbleed on the 8th of April.
Now, the not-so-fun part: a little after this, we decided to support SSL better, so we replaced our certificates and asked XtraXtreme to do the same for the direct downloads; we switched to full HTTPS for XtraXtreme yesterday…
… except that this server wasn't patched…
The vulnerability was open from the 15th to the 17th of April on the yp.xtraxtreme.me direct download mirror…
I'd like to remind you that we don't hold any personal information on the website or on the server, so nothing of that kind could possibly have leaked, but we prefer to inform you anyway.
The vulnerability has since been closed.
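As an added illustration for the certificate replacement mentioned above (this is not code from YayPonies or from the original post): once a server is patched, the certificate and its private key have to be replaced, and one quick check a mirror operator can run is whether a certificate's notBefore date actually falls after the day the server was patched. The script below walks the DER structure of an X.509 certificate with a minimal ASN.1 reader, pulls out the validity period and compares it to the patch date. The certificate it checks is a constructed, unsigned skeleton built inline so the script runs offline; the function names (`cert_validity`, `reissued_after_patch`, `sample_cert`) and the dates are my own assumptions.

```python
"""Check whether an X.509 certificate was (re)issued after a given patch date.

Context: after Heartbleed, a patched server whose certificate predates the
patch may still be serving a key that could have leaked while the bug was
open. This compares the certificate's notBefore against the patch date.
Note that a certificate reissued for the *same* key gives no protection;
this script only flags the date, the key rotation is still on you.
"""
import datetime as dt

# ---- minimal DER helpers ---------------------------------------------------

def _der_len(n):
    """DER length encoding: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der(tag, payload):
    """Encode one DER TLV element (used only to build the sample below)."""
    return bytes([tag]) + _der_len(len(payload)) + payload

def read_tlv(buf, pos):
    """Decode one TLV starting at pos; return (tag, value, position after it)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length

def children(seq_value):
    """Yield (tag, value) for each element inside a SEQUENCE payload."""
    pos = 0
    while pos < len(seq_value):
        tag, val, pos = read_tlv(seq_value, pos)
        yield tag, val

def parse_time(tag, val):
    """Decode UTCTime (0x17) or GeneralizedTime (0x18) to ISO 8601 text."""
    s = val.decode("ascii")
    if tag == 0x17:                          # YYMMDDHHMMSSZ
        return dt.datetime.strptime(s, "%y%m%d%H%M%SZ").isoformat()
    if tag == 0x18:                          # YYYYMMDDHHMMSSZ
        return dt.datetime.strptime(s, "%Y%m%d%H%M%SZ").isoformat()
    raise ValueError("unexpected time tag %#x" % tag)

# ---- the actual check ------------------------------------------------------

def cert_validity(der_cert):
    """Return (notBefore, notAfter) as ISO strings from a DER certificate.

    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signature }
    tbsCertificate ::= SEQUENCE { [0] version OPTIONAL, serialNumber,
                                  signature, issuer, validity, ... }
    Only tbsCertificate is read; the trailing signature fields are ignored.
    """
    _, cert, _ = read_tlv(der_cert, 0)       # outer Certificate SEQUENCE
    _, tbs, _ = read_tlv(cert, 0)            # tbsCertificate SEQUENCE
    fields = list(children(tbs))
    if fields[0][0] == 0xA0:                 # optional EXPLICIT [0] version
        fields = fields[1:]
    validity = fields[3][1]                  # serial, sigAlg, issuer, validity
    not_before, not_after = list(children(validity))
    return parse_time(*not_before), parse_time(*not_after)

def reissued_after_patch(der_cert, patched_on_iso):
    """True if the certificate's notBefore is on or after the patch date."""
    not_before = dt.datetime.fromisoformat(cert_validity(der_cert)[0])
    patched_on = dt.datetime.fromisoformat(patched_on_iso)
    return not_before >= patched_on

def sample_cert(not_before_iso, not_after_iso):
    """Construct a minimal, unsigned certificate skeleton for demonstration.

    This is NOT a valid certificate (no subject, key or signature); it only
    carries the fields cert_validity() needs to walk to reach 'validity'.
    """
    def utc(iso):
        return der(0x17, dt.datetime.fromisoformat(iso)
                   .strftime("%y%m%d%H%M%SZ").encode())
    tbs = (der(0xA0, der(0x02, b"\x02"))                      # version v3
           + der(0x02, b"\x01")                                 # serialNumber 1
           + der(0x30, der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))  # sha256WithRSA
           + der(0x30, b"")                                     # empty issuer Name
           + der(0x30, utc(not_before_iso) + utc(not_after_iso)))
    return der(0x30, der(0x30, tbs))

if __name__ == "__main__":
    # Constructed dates: patch on 8 April, one cert from before, one after.
    for cert in (sample_cert("2013-11-01T00:00:00", "2014-11-01T00:00:00"),
                 sample_cert("2014-04-09T12:00:00", "2015-04-09T12:00:00")):
        nb, na = cert_validity(cert)
        print(nb, na, "reissued after patch:", reissued_after_patch(cert, "2014-04-08"))
```

On a live server you would feed `cert_validity` the DER bytes obtained from the TLS handshake (for example via `ssl.get_server_certificate` converted back with the standard library's PEM helpers); the parser above deliberately stops at the validity field, so it works on real certificates even though it ignores everything after it.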
Freedom Hosting shutdown
We were one of the (apparently rare) legitimate services hosted via Freedom Hosting on Tor. The shutdown also affected TorMail, and the problem is pretty simple: the TorMail database is in the hands of the FBI, as reported here: http://www.wired.com/2014/01/tormail/
We had migrated our mail before that, but you can be sure that any mail you sent to us before the new address is now sitting somewhere in an FBI office. (The majority of you sent mail from a Gmail/Yahoo/… address, though, so it was already easily accessible…)
We have been using our own mail solution since February 2013.
The seedbox was vulnerable; fortunately, it was running under its own user and couldn't access anything other than the ponies, read-only. It was fixed as soon as it was reported, first by stopping remote access, then by switching to another solution.