🚨 Kolektiva.social SECURITY ALERT 🚨

This is an alert for Kolektiva.social users. Please read this post in its entirety!

In mid-May 2023, the home of one of Kolektiva.social's admins was raided, and all their electronics were seized by the FBI. The raid was part of an investigation into a local protest. Kolektiva was neither a subject nor target of this investigation. Today, that admin was charged in relation to their alleged participation in this protest.

Unfortunately, at the time of the raid, our admin was troubleshooting an issue and working with a backup copy of the Kolektiva.social database. This backup, dated from the first week of May 2023, was in an *unencrypted* state when the raid occurred and it was seized, along with everything else.

The database is the heart of a Mastodon server. A database copy such as the one seized may include any of the following user data, in this case up to date as of early May 2023:

- User account information like the e-mail address associated with your account, your followers and follows, etc.
- All your posts: public, unlisted, followers-only, *and direct ("DMs")*.
- Possibly IP addresses associated with your account: IP addresses on Kolektiva.social are logged for 3 days and then deleted, so IP addresses from any logins in the 3 days prior to the database backup date would be included.
- A hashed version of your password (often loosely called "encrypted", but see below: it is a one-way hash, not a reversible encryption).

🚨 👉 As a precaution we highly recommend that all users on Kolektiva.social *change their password immediately* to a new, unique, and strong password.

We sincerely apologize to all our users and regret this breach. In hindsight, it was obviously a mistake to leave a copy of the database in an unencrypted state. Unfortunately, what would otherwise have been a small mistake happened to coincide with a raid, due to bad luck and spectacularly bad timing.

We understand that our users and other people on the Fediverse will have a lot of questions. We will try to answer them as best we can, but please be patient and bear in mind that we may be overwhelmed with messages, and may be delayed in responding or unable to provide answers to certain questions for legal or technical reasons. As a security culture reminder, it can be extremely harmful to the individuals charged and to our community to openly speculate on the Internet about alleged criminal activity or about what law enforcement may be able to do with seized data. Our present awareness is that the seized Kolektiva data is unrelated to the federal investigation and prosecution and we are exploring legal avenues to have the seized data returned and copies destroyed.

Thank you for your understanding and solidarity.

👇 Please see our replies to this post for additional information (1/?) 👇

Please see our previous post for full context 👆

Why did we delay in notifying our users? After extensive internal discussions and advice from multiple movement lawyers, we made the difficult decision to delay informing our users, since an earlier public statement could have made the situation worse in a number of ways.

To be clear, the physical Kolektiva servers were not targeted or affected by the FBI raid. Our actual, live servers are encrypted, in that the hard drives are encrypted at rest. We have no reason to believe that any Kolektiva.social data has been compromised, outside of the database back-up that was seized. Our admin's various electronic devices and other drives were encrypted, and we swiftly rotated all passwords and keys as appropriate for any potential breach like this. In other words, we have no reason to believe this is an evolving threat to our server integrity, or our users' data security.

So then, why are we asking users to reset their passwords? The seized database did not contain user passwords in plaintext; it contained hashed user passwords. A hash cannot be turned back into the password, but whoever holds the hash can test password guesses against it offline, with no login rate limit and no lockout, which is why weak or reused passwords are at risk. To better understand why we recommend users change their password, here is a good explainer: https://www.troyhunt.com/we-didnt-encrypt-your-password-we-hashed-it-heres-what-that-means/
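To make the hashed-password point concrete, here is an added example (not Kolektiva's or Mastodon's own code) of what someone holding a copy of the users table can do with it. Mastodon stores bcrypt hashes via Devise; this demo uses PBKDF2-HMAC-SHA256 from Ruby's standard library as a stand-in so it runs without extra gems, and the accounts, salts, passwords and wordlist are all constructed for the demo. It shows an offline dictionary attack recovering weak passwords from the dump, a long random password surviving it, and why a recovered password matters beyond this one instance when it was reused elsewhere.

```ruby
require "openssl"

# Added example, not Kolektiva's or Mastodon's code. Mastodon stores bcrypt
# password hashes (via Devise); PBKDF2-HMAC-SHA256 from Ruby's standard
# library stands in for bcrypt here so the example runs without gems. The
# accounts, salts, passwords and wordlist below are constructed for the demo.

ITERATIONS = 20_000 # deliberately low so the demo runs in well under a second

# Salted, iterated one-way hash: the stored value cannot be turned back into
# the password, but anyone holding it can recompute it for any guess.
def hash_password(password, salt, iterations: ITERATIONS)
  OpenSSL::KDF.pbkdf2_hmac(password, salt: salt, iterations: iterations,
                           length: 32, hash: "sha256")
end

# Compare two hashes without leaking where they differ through timing.
def constant_time_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# What the rows of a seized users table look like to whoever holds the backup.
# (Real salts are random per user; fixed ones keep this demo deterministic.)
SEIZED_ROWS = [
  { email: "alice@example.org", salt: "salt-alice-0001",
    hash: hash_password("Summer2023!", "salt-alice-0001") },
  { email: "bob@example.org",   salt: "salt-bob-0002",
    hash: hash_password("letmein", "salt-bob-0002") },
  { email: "carol@example.org", salt: "salt-carol-0003",
    hash: hash_password("Xq7#vT!9pL2@mN4r-wZ", "salt-carol-0003") },
].freeze

# A tiny constructed wordlist; real attacks use billions of candidates.
WORDLIST = ["password", "Summer2023!", "kolektiva", "letmein", "qwerty123"].freeze

# Offline dictionary attack: one KDF call per guess, no login rate limit, no
# lockout, no log entry on the server. Returns { email => recovered password }.
def crack(rows, wordlist)
  rows.each_with_object({}) do |row, found|
    wordlist.each do |guess|
      if constant_time_equal?(hash_password(guess, row[:salt]), row[:hash])
        found[row[:email]] = guess
        break
      end
    end
  end
end

# Credential stuffing: a recovered password also opens any other service where
# the same person reused it, which is why the advice is a *unique* new password.
def reused_elsewhere(cracked, other_service_passwords)
  cracked.select { |email, pw| other_service_passwords[email] == pw }.keys
end

if __FILE__ == $PROGRAM_NAME
  cracked = crack(SEIZED_ROWS, WORDLIST)
  puts "recovered from the dump: #{cracked.inspect}"
  puts "carol's long random password cracked? #{cracked.key?('carol@example.org')}"
  elsewhere = { "alice@example.org" => "Summer2023!", "bob@example.org" => "something-else" }
  puts "also opens another service for: #{reused_elsewhere(cracked, elsewhere).inspect}"
end
```

Changing the Kolektiva password invalidates the hash in the dump for this instance; only changing the same password on every other service where it was reused closes the second path.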

Without offering any excuses, we also think it warrants mentioning that the seized data would be similar to data obtained in any raid or other unauthorized access of any typical Mastodon server. It is the same data any cooperating instance admin can hand over willingly when requested. Unfortunately, there are serious limits to what admins of Mastodon instances can do to protect the data of their users. Users should always take precautions to protect the privacy of information, especially any sensitive information, they share on the Fediverse or anywhere else on the Internet. We hope that if nothing else, this situation serves as a learning experience for our users, and others on the Fediverse. It certainly has for us. For an intro to operational security on Mastodon, we strongly recommend checking out this guide: https://distro.f-91w.club/masto-opsec/

Going forward, we will continue to explore our legal options. Ideally, we would be presenting a comprehensive list of internal changes, policies and best practices that we plan to implement to avoid outcomes like this in the future. These are definitely conversations we have started having, and intend to continue, but we also want people to be aware that we're a small volunteer collective, and we are dramatically affected by these events. Things may be slow to develop. We also have to keep Kolektiva.social running and pick up the slack now that we are missing a crucial team member 💔 .

Our admin's legal situation is shitty, but they currently have the support and legal representation they need. We will post any information or calls for support if that becomes appropriate or needed.

As many understand, our political movements are currently facing high levels of state repression, which has resulted in an increase in digital and other forms of surveillance, raids and arrests, false and overblown criminal charges, increased use of pre-trial detention and lengthy prison sentences. At times like these, political movements are tested and solidarity and security culture become important touchstones for our work to make the world a better place for all.

Thank you again for your understanding, solidarity, and time taken to read all this.

Two additional points:

If you are a kolektiva.social user and have already enabled two-factor authentication on your account, you should also reset that, just like your password: disable it and set it up again so that your authenticator gets a fresh secret. (Also consider that it's a good idea in general to set up two-factor authentication, if you are able, to secure access to your account!)

Some users have asked about or pointed this out, and yes, it is the case that the database copy also includes cached copies of posts from users on other instances in the Fediverse, including direct posts ("DMs") that were sent to, or mentioned, a Kolektiva.social user.

We welcome suggestions on how to most effectively notify (a lot of) Fediverse users in general of this, but we also ask other instance admins to help by communicating this to their own users if it seems appropriate 🙏

@admin Did you / are you going to rotate accounts' signing keys?
@admin You did the very best for us all. Thank you very much for taking quick actions and the whole amount of information posts! <3
@admin thank you                     
Update: the RSA signing keys for every account on kolektiva.social have now been rotated.
@admin cool but why did y'all wait nearly two fucking months to tell us something that should've been revealed same-day

@admin this wasn't a rhetorical question & it's something none of y'all have explained which shows not one of y'all is actually qualified to be handling something as sensitive as a radical server instance

Your silence, incompetence, lack of accountability is driving people away from the instance while y'all act like this is normal & people praise you for being unpaid admins endangering us all with wildly irresponsible data practices & absolute lack of a duty-to-inform

People send out alertas within 24 hrs if they even get an FBI door knock

one of y'all got raided & we weren't told for 2 months and y'all just go "sorry, things have been hectic lol uwu"

@admin will you boost these messages to the @kolektiva account, cause that was the first place I thought to look when I saw the meta that something was going on with #kolektiva
@liaizon @admin @kolektiva That is a bot account for posting content of kolektiva.media.
@m @admin @kolektiva well this feels serious enough that it's still worth boosting this issue from; it doesn't matter that it's a bot account

@admin ITSec person here.

I think the biggest risk is that the encrypted passwords are in the hands of the government. Of course change your password on the compromised database, but ALSO review what your password was and if you use it or anything like it on other services... change those too, review login history/connected devices/and enable 2FA if possible.

I know a lot of folks tend to re-use passwords across services.

Also, consider adopting some changes with how admins maintain the service. You might want to use a European cloud provider and set things up where you have a secure cloud-based enclave to do maintenance and testing, rather than 'downloading the database' to local machines.

@admin @jalcine I wonder if it'd be worth pushing a dump of password hashes from that period across to HaveIBeenPwned?

@admin A negative of 2FA by the common phone method is this: it makes it easier to prove ownership of your phone. This matters when you do not use contract phones, use only prepaid phones, use only cash, and start over with a new SIM if you run into trouble requiring dealing with human customer service.

Any site offering 2FA should also offer tokens storeable to a flash drive, which replace the SMS messages. That way the "what you own" part of 2FA is a flash drive with a unique random number on it, not a phone. This is considered one of the highest security methods.

@admin thank you all for the detailed explanation and advice, changing password now. Please let us all know if we can contribute to legal defense for the admin who was raided 🖤

@temerity @admin also it would be beneficial to notify users on how they can exercise their rights against the #FBI and bar them from keeping, analyzing or using said data.

OFC no one should've communicated anything private via the  to begin with!

@kkarhan @admin I hope the FBI is sufficiently bored by my posts

@temerity @admin I hope security forces waste their time on me, cuz that's a desirable outcome...

Cuz they are then preoccupied with a decoy!

Kinda like a flesh proxy, except that I WILL NEVER put a bullet in my head - so take any reports of the latter as a false flag to cover up shit!
https://www.youtube.com/watch?v=pQhTZ60fDbE (Deus Ex: Human Revolution: The Hacker's Suicide)
@temerity I hope the US gov AIs learn a lot about UK wildflowers from my posts, lmao.
@admin

This would probably include some cached versions of posts from other instance members that the members of your platform follow. So people should be aware of that.

@admin About the reporting delay - without the full details about the specific admin, I can't comment on an earlier announcement being better or worse for them. But uh, for the rest of us - both on kolektiva and adjacent - the lack of respect is appalling. Private user data is supposed to be private, what on earth was it doing on a local machine?!

On top of that, you need to talk to some different lawyers - especially around GDPR.

@admin to everyone making points about security culture:

Security culture 101 is not typing anything you wouldn't want read in front of a grand jury.

Yes it sucks there happened to be an unencrypted backup of the database at the time of the raid but the insecure state of DMs is a well-known problem with the fediverse in general.

Yes, it also sucks password hashes were exposed but at least we're being notified about it now and not when this shit hits the dark web like every for-profit company.

Also, 99.9% of anything posted on this site is out in the open and accessible without needing to sift through an unencrypted backup.

@mango_lacroix @admin yeah that's the big thing. Like, if someone really wants the data, they can just make accounts and scrape the data. That doesn't get them DMs, but it gets most of it, and as people have pointed out the insecurity of Fediverse DMs is well known.
@admin I'm not a kolektiva.social user, but I appreciate how openly you're handling this! Good luck!
@admin damn that sucks. Keep us updated if the admin's needs change!
@admin
"Our actual, live servers are encrypted, in that the hard drives are encrypted at rest."
And do you inform people that you use #cloudflare proxy ?
Because if effectively some corpo can read all the decrypted data on the way between the browser and the server, then the encryption of the server's drives doesn't matter at all and people's privacy is de facto given over to #cloudflare.
If anyone does not know what cloudflare is, it is a must read: notabug.org/dCF/deCloudflare/s…
#StopCloudflare

@MiKlo:~/citizen4.eu$💙💛 Thanks for pointing it out, quite an important fact.

@miklo @admin

I love that you’re calling attention to this problem. CF has been quietly TLS terminating the internet for quite a while cause there’s nobody that provides exactly what they do.

I think it’s a good reminder that none of these platforms are to be considered truly private or secure; anything without E2EE should be excluded from such labels.

@noahsbwilliams @admin This is not just a privacy issue. It is also a tacit acceptance of some corporation deciding, for example, whether someone enters a website or not because they use some tool deemed suspicious (vpn, tor, etc.).

@miklo @admin

True indeed!

Is there some kind of authenticated CDN service that doesn't do the TOR-blocking BS that cloudflare does?

@admin The unreserved solidarity with the comrade
@admin WTF
On the bright side - I hope they enjoy my #Haikoot.
Seriously, though.....
@admin Reminder that J. Edgar Hoover never really died #anarchism #anarchy
@admin
For historical and legal precedent read up on the Indymedia server seizure.
https://www.eff.org/cases/indymedia-server-takedown (EFF: Indymedia Server Takedown)
@eff
@admin holy fucking shit. hoping your admin is OK and the raid was fruitless.
@admin ah the thing right wingers constantly fantasize about but it only ever happens to left wingers for some reason

@admin I'm not going to go into working on unencrypted data. Pretty certain that if your server can read the data, so could the FBI.

What I'm more concerned over is that this announcement is in July, and this is something you have known about since May.

@admin

Please cycle all RSA keys ASAP using "tootctl accounts rotate --all" !

These are stored in the database and are used for communication between instances (specifically, outgoing posts); these keys will allow impersonation when leaked.
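The admin's update above (RSA keys rotated for every account) and this reply both turn on the same mechanism, so here is one added example that is not part of the thread and not Mastodon's own code. It builds a simplified ActivityPub-style HTTP Signature (RSA-SHA256 over `(request-target)`, `host`, `date` and `digest`, the header set Mastodon signs for deliveries) and shows why rotation is the fix: a request signed with the private key from the seized backup verifies against the actor's published public key, and stops verifying the moment the actor publishes a fresh key under the same `keyId`. The actor URL, request body and headers are constructed for the demo; the parsing is deliberately minimal and not a full implementation of the signature spec.

```ruby
require "openssl"

# Added example, not Mastodon's code. Simplified HTTP Signature (draft-cavage
# style, as used between ActivityPub servers) to show what rotating an
# account's RSA keypair achieves after the private key has been copied.
# Actor URL, body and headers below are constructed for the demo.

SIGNED_HEADERS = ["(request-target)", "host", "date", "digest"].freeze

# The string both sides sign/verify: one "name: value" line per covered header.
def signing_string(method, path, headers)
  SIGNED_HEADERS.map do |name|
    value = name == "(request-target)" ? "#{method.downcase} #{path}" : headers.fetch(name)
    "#{name}: #{value}"
  end.join("\n")
end

# Sending side: produce the Signature header value for a request.
def sign_request(private_key, key_id, method, path, headers)
  sig = private_key.sign(OpenSSL::Digest.new("SHA256"), signing_string(method, path, headers))
  %(keyId="#{key_id}",algorithm="rsa-sha256",headers="#{SIGNED_HEADERS.join(' ')}",signature="#{[sig].pack('m0')}")
end

# Minimal parser for the key="value" pairs of the header (demo only).
def parse_signature_header(header)
  header.scan(/(\w+)="([^"]*)"/).to_h
end

# Receiving side: look up the actor's *currently published* public key by keyId
# and verify. A key the actor has rotated away from is simply not there any more.
def verify_request(published_keys, method, path, headers, signature_header)
  params = parse_signature_header(signature_header)
  public_pem = published_keys[params["keyId"]]
  return false unless public_pem
  return false unless params["algorithm"] == "rsa-sha256"
  return false unless params["headers"].split(" ") == SIGNED_HEADERS
  OpenSSL::PKey::RSA.new(public_pem).verify(OpenSSL::Digest.new("SHA256"),
                                            params["signature"].unpack1("m0"),
                                            signing_string(method, path, headers))
end

# Walk through: forge with the leaked key, rotate, forge again, sign legitimately.
def rotate_demo
  key_id = "https://example.social/users/alice#main-key"
  leaked_key = OpenSSL::PKey::RSA.new(2048) # the private key sitting in the seized backup
  published = { key_id => leaked_key.public_key.to_pem }

  body = '{"type":"Create","actor":"https://example.social/users/alice"}'
  headers = {
    "host"   => "remote.example",
    "date"   => "Tue, 04 Jul 2023 12:00:00 GMT",
    "digest" => "SHA-256=" + [OpenSSL::Digest.digest("SHA256", body)].pack("m0"),
  }
  path = "/inbox"

  forged = sign_request(leaked_key, key_id, "POST", path, headers)
  before = verify_request(published, "POST", path, headers, forged)

  # Rotation (what `tootctl accounts rotate` does per account): new keypair,
  # new public half published under the same keyId, old private key now useless.
  new_key = OpenSSL::PKey::RSA.new(2048)
  published[key_id] = new_key.public_key.to_pem
  after_old = verify_request(published, "POST", path, headers, forged)
  legit = sign_request(new_key, key_id, "POST", path, headers)
  after_new = verify_request(published, "POST", path, headers, legit)

  { before_rotation: before, leaked_key_after_rotation: after_old, new_key_after_rotation: after_new }
end

puts rotate_demo.inspect if __FILE__ == $PROGRAM_NAME
```

Two caveats a practitioner would add: remote instances cache actor keys, so a rotated key only takes effect once they refetch the actor document (Mastodon refetches on a signature failure), and rotation does nothing for content already delivered or already in the backup; it only stops future impersonation.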

@admin No full-disk encryption in use by your admin on their own box where they were working with your data? That's just as inexcusable as delaying the breach notification for a month.

Mindblowing.

EDIT: In addition to mindblowing, I submit that another term is also applicable: negligence. Gross negligence.

@admin as a new server admin this kinda thing is terrifying to hear is a possibility, solidarity and thoughts with you, I hope you're doing ok considering x
@admin This is pretty chilling. What protest was this?
@admin: I'm not a Kolektiva user, but as a sometimes reliability engineer, thank you for handling this security incident so openly.

@admin

……This backup, dated from the first week of May 2023, was in an unencrypted state when the raid occurred and it was seized, along with everything else.……C'mon…… The story of that French Anarchist's LUKS1 encrypted volume getting cracked by the police didn't teach you anything?


https://nantes.indymedia.org/posts/87395/une-lettre-divan-enferme-a-la-prison-de-villepinte-perquisitions-et-disques-durs-dechiffres/ (Indymedia Nantes: "A letter from Ivan, locked up in Villepinte prison: searches and decrypted hard drives")

@admin I’m not looking forward to the discourse.

@admin Literally the only thing on my entire account that is NOT public is IP addresses and passphrase.

I just changed the passphrase, and I do not have a landline and have never had a contract phone. I get phones, prepaid SIMs, and airtime cash-only, no name.

No Google, no Facebook, no Twitter, no Tiktok etc, no ad supported apps at all. No data from personal info vacuuming monetized apps, all of them are banned on my hardware. Thus the kind of tactics used for J6 (broad warrants to Google and Apple) are useless against me.

Have fun trying to exploit my account from those kind of IP addresses motherfuckers. Want to fuck with me? Bring it on...

@admin it would be good to know if any safeguards have been put in place, either technical or social, to keep admins from holding local copies of the database for no reason.

If you really need to hack on the real user database, spin up a VM in the server environment. There is never a reason to have the database downloaded to a local drive and doing so goes against all best practices for handling user data.

@admin This may seem harsh but I believe this is an instance-ending event, and my opinion is that you should read-only your instance and give users their 3 months to get their data out.

"Please change your passwords" is an unacceptable path forward.

@admin @KuJoe Thought you should be aware of this. I don't think we really need to take any action in response. Defederating doesn't seem warranted, at least to me. But informing our users, probably.
@JesseF8693 Thanks for the heads up. It looks like that instances staff are handling it as best they can. I don't think there's anything to inform our users about in regards to this situation.

@admin This brings to mind this oldie but goodie from World Party...

"Someone was 'round here asking questions
'Bout someone who looks like you
I said, I don't know where you are
He said, that he was going to be back
I told him where you are..."

https://www.youtube.com/watch?v=DO1cW97Z3sU (World Party - All Come True)