
Epik Had A Major Breach


Silentptnr

The views expressed on this page by users and staff are their own, not those of NamePros.
This needs more clarification. Since you and Rob were on the same controversial right platforms, would you consider yourselves both right? Maybe in the same category but not on the same page because of a business conflict?

I am a fundamentalist Christian, not a very good one but I am what I am. And I'm an actual free speech absolutist, not a grifter pretending to be. I have not made any money from any of my free speech projects and I will probably never make any money so not sure what you mean by a "conflict". I do not believe in a centralized internet, especially social media. Grifters and petty tyrants always try to centralize. Monster is both.

I wouldn't call me "right". I despise nearly everyone on the so called right because they preach a false Gospels and make a living pumping fear porn, eg Trump, alex jones, cernovich, ali akbar, Q people, Roger Stone, Nick Fuentes, Milo, etc etc etc and also about every one of them is working with feds to hurt humans.

I dislike Monster because he is a fake Christian, a petty tyrant wannabe, a liar, grifter, fraud and has no respect or concern for others. The idea that this guy would trick a bunch of Christians into joining his dumb company and lie about his security putting people's careers and even their lives in peril makes me so mad that this post would be deleted if I elaborated.

However, I have nearly as much anger toward the hackers and these other leftists who think it is okay and even fun to put people in jail for "hate speech" or get them fired or hack them.

They all deserve each other and they all deserve what they get.
 
•••
I've been domaining for over 15 years, and I've never heard people judge a registrar by its clients, because domain names aren't content.

There are a number of entities which keep track of registrars which have a disproportionate incidence of things in which the entity has an interest. Without either endorsing or criticizing any particular of these "watchdog" type outfits, you can find registrar rankings by, say LegitScript in relation to what they perceive as rogue pharmacies, Spamhaus keeps a "top ten" list of registrars that are used by spammers:

https://www.spamhaus.org/statistics/registrars/

etc.. Spamhaus uses a "badness index" that is normalized to domains under management. Certainly, if you are doing numeric compilations, you would expect GoDaddy to have the highest raw score of (insert "bad thing" here). But if GoDaddy has 10 "bad thing" names to Registrar X's 1 "bad thing" name, but GoDaddy has 100 more domains than Registrar X, then Registrar X has a higher incidence of that "bad thing".

Everyone in the industry keeps something of a running ledger of "what domain registrars are most likely to be utilized by domain thieves". I personally have noticed that I get regular SMS phishing messages using .info domain names which follow a pattern and are remarkably and consistently registered with one registrar.

Over the long term, if a registrar is attracting a disproportionate share of pathological customers, then there can be instability issues. One notorious registrar was disaccredited by ICANN a while back (they may be still arguing in court after a default), so, to any legitimate customers of theirs were adversely impacted by the large volume of abuse upon which they didn't act. But those also involve narrowly defined consensus categories of abuse.

So, registrar responsiveness to certain types of abusive registrants, as ranked by whomever you might trust on things like spam, phishing, child abuse imagery, etc., is worth taking into account in selecting a registrar.
 
•••
I am a fundamentalist Christian, not a very good one but I am what I am. And I'm an actual free speech absolutist, not a grifter pretending to be. I have not made any money from any of my free speech projects and I will probably never make any money so not sure what you mean by a "conflict". I do not believe in a centralized internet, especially social media. Grifters and petty tyrants always try to centralize. Monster is both.

I wouldn't call me "right". I despise nearly everyone on the so called right because they preach a false Gospels and make a living pumping fear porn, eg Trump, alex jones, cernovich, ali akbar, Q people, Roger Stone, Nick Fuentes, Milo, etc etc etc and also about every one of them is working with feds to hurt humans.

I dislike Monster because he is a fake Christian, a petty tyrant wannabe, a liar, grifter, fraud and has no respect or concern for others. The idea that this guy would trick a bunch of Christians into joining his dumb company and lie about his security putting people's careers and even their lives in peril makes me so mad that this post would be deleted if I elaborated.

However, I have nearly as much anger toward the hackers and these other leftists who think it is okay and even fun to put people in jail for "hate speech" or get them fired or hack them.

They all deserve each other and they all deserve what they get.


I think this articulation from Derek is the best I have seen in terms of understanding his mindset.

It is probably a bit apparent that I don’t like Derek. And yet I can still love him. Similarly, I don’t like Joey Camp, Aubrey Cottle, Chad Loder, or Molly White. And yet I can still love them and I can hold an optimistic view about them. The act of sending Aubrey $444 had nothing to do with what he did, but rather it has to do with who he is: a child of the most high God. When a colleague shared the GoFundMe story, it just seemed like the obvious thing to do. After all, love conquers all. Wise as serpents. Harmless as doves.

As for Derek's ongoing assertions about lying, these have already been debunked. However, I can see where it comes from. For example, I have stated that I generally avoid conventional churches in Seattle. He likely noted that point. It just so happens that my family recently began going to a church in nearby Bellevue that the kids like and so it became a family event. It also just so happens that I also delivered a talk at a men’s prayer breakfast the day before. As a result his claim of "You have never gone to church” was especially absurd. I have actually been to MANY physical churches, including in Seattle.

As for Derek’s disdain for some of our clients like Gab and Infowars, I certainly don’t agree with all of their content or all of their users. However, as a self-proclaimed “free speech absolutist”, this a priori should mean that the sites he does not like at all should be allowed to exist. In a free speech absolutist world, Joey’s sites would stay online. One man’s whistleblowing is another man’s harassment. One man’s truth is another man’s "fear porn". There is a lot of gray area. A free speech absolutist should actually be indifferent. The cognitive dissonance must be deafening.

As for Derek’s Christian faith, I don’t identify with it. I don’t claim to be perfect. I used to swear like a sailor, loved money, and mocked gays. I came to Christ in Fall 2013. I applied Romans 12:1 on Feb 5, 2014. In July 2018, I petitioned the Lord for two things: (1) the capacity to love everyone and judge nobody, and (2) a servant’s heart. Sanctification started in March 2020. Derek can call me a "fake Christian, a petty tyrant wannabe, a liar, grifter, fraud and has no respect or concern for others” but we’ll likely disagree on how Christians should exemplify “love thy neighbor” or “judge not lest ye be judged”.

As for Q content, I personally never bought into that movement though I know many who did and still do. However, here again is the debate about whether such content should be allowed to exist. We did not allow 8-Chan to use Epik and yet General Flynn is an Epik client. We did not believe 8-Chan was capable of self-governing in 2019. And yet, in 2020 I had no issue with empowering General Flynn. Although registrars and hosts are not content editors, we do have free will to decide who to empower and for how long. Uncoachable edge lords don’t tend to last long at Epik.

Ultimately, I am confident that Epik is a force for good. While we don’t claim to have the answers, we learn quickly, attract great people, work hard, and are agnostic on build vs. buy. As a result, we tend to get more done than most. This recent hack incident was the greatest crisis we have ever faced. And yet it confirmed something we sensed, and that is that we have remarkably loyal clients. We are deeply grateful for them. The team is working diligently to make sure such an incident does not happen again at Epik. In time, I am hopeful that we can distill what we learn into something that can help others.

Have a good rest of the weekend!
 
•••
@Rob Monster Camp's doxing site is still live, hosted on a server with an Epik IP. I sent it to you earlier via DM to ensure it wouldn't be missed.
 
•••
I think this articulation from Derek is the best I have seen in terms of understanding his mindset.

It is probably a bit apparent that I don’t like Derek. And yet I can still love him. Similarly, I don’t like Joey Camp, Aubrey Cottle, Chad Loder, or Molly White. And yet I can still love them and I can hold an optimistic view about them. The act of sending Aubrey $444 had nothing to do with what he did, but rather it has to do with who he is: a child of the most high God. When a colleague shared the GoFundMe story, it just seemed like the obvious thing to do. After all, love conquers all. Wise as serpents. Harmless as doves.

As for Derek's ongoing assertions about lying, these have already been debunked. However, I can see where it comes from. For example, I have stated that I generally avoid conventional churches in Seattle. He likely noted that point. It just so happens that my family recently began going to a church in nearby Bellevue that the kids like and so it became a family event. It also just so happens that I also delivered a talk at a men’s prayer breakfast the day before. As a result his claim of "You have never gone to church” was especially absurd. I have actually been to MANY physical churches, including in Seattle.

As for Derek’s disdain for some of our clients like Gab and Infowars, I certainly don’t agree with all of their content or all of their users. However, as a self-proclaimed “free speech absolutist”, this a priori should mean that the sites he does not like at all should be allowed to exist. In a free speech absolutist world, Joey’s sites would stay online. One man’s whistleblowing is another man’s harassment. One man’s truth is another man’s "fear porn". There is a lot of gray area. A free speech absolutist should actually be indifferent. The cognitive dissonance must be deafening.

As for Derek’s Christian faith, I don’t identify with it. I don’t claim to be perfect. I used to swear like a sailor, loved money, and mocked gays. I came to Christ in Fall 2013. I applied Romans 12:1 on Feb 5, 2014. In July 2018, I petitioned the Lord for two things: (1) the capacity to love everyone and judge nobody, and (2) a servant’s heart. Sanctification started in March 2020. Derek can call me a "fake Christian, a petty tyrant wannabe, a liar, grifter, fraud and has no respect or concern for others” but we’ll likely disagree on how Christians should exemplify “love thy neighbor” or “judge not lest ye be judged”.

As for Q content, I personally never bought into that movement though I know many who did and still do. However, here again is the debate about whether such content should be allowed to exist. We did not allow 8-Chan to use Epik and yet General Flynn is an Epik client. We did not believe 8-Chan was capable of self-governing in 2019. And yet, in 2020 I had no issue with empowering General Flynn. Although registrars and hosts are not content editors, we do have free will to decide who to empower and for how long. Uncoachable edge lords don’t tend to last long at Epik.

Ultimately, I am confident that Epik is a force for good. While we don’t claim to have the answers, we learn quickly, attract great people, work hard, and are agnostic on build vs. buy. As a result, we tend to get more done than most. This recent hack incident was the greatest crisis we have ever faced. And yet it confirmed something we sensed, and that is that we have remarkably loyal clients. We are deeply grateful for them. The team is working diligently to make sure such an incident does not happen again at Epik. In time, I am hopeful that we can distill what we learn into something that can help others.

Have a good rest of the weekend!

You are so transparently fake it's silly, almost child like. You gave that guy money and posted it publicly to embarrass him or as some kind of bribe or both or you would have donated as anon.

I see you are again trying to shift the topic of the hack to be about website content when it is actually about you LYING about having a fully secure website when you had never even had access to the code. Lying about white labels, storing full credit card details, logging false logins in text, non or very poorly encrypted passwords, etc etc.

Again, I never suggested you should take down Joey Camps website, I have never even heard of the guy until your "live stream". It was pitiful and weak to do that on your livestream without review process. Almost like you were showing off. Really sickening. For me that alone is reason enough no one should ever use your service. You cancelled a guy on an emotional whim. What about your European "due process"?

"Uncoachable", "empower" You have issues. Serious issues.

You have literally threatened everyone in this thread with lawsuits and threatened me, an actual Christian many times for literally telling the truth about your lies. You have called me and others liars when we were telling the truth. You have made personal attacks against people for telling the truth. Against me to many people behind the scenes and here.

Sanctification starts the moment someone is saved. I guess this is how you are going to try for a pass for all your lies prior to March 2020? LOL. You should have said today. Face it dude, you are reprobate and a curse to the world.

Let's start with some easy ones. Try not to lie reprobate:
1) Couple of years ago when you claimed to have built a VPN and I called you out because the core was a white label that you had no control over and you called me a liar, a troll, tried to get me banned on several platforms and threatened to sue me was I right or wrong?
2) Do you now admit it was wrong to claim to have a fully secure platform when in fact you had no control over the code and had never had it reviewed?
3) Did you request Joey Camp to investigate Molly in any way?
 
•••
To Whom it may concern,

“As for @bmugford and his interest in Epik operating updates, as far as I know, he has no domains at Epik. As far as I can tell his last transaction on Epik was in 2014. I am sure this mystery will be revealed in time...

Have a blessed evening everyone!”


Disclosure of a consumer transaction from an entity to a third party without the prior consent of that individual is not a great practice, but could also be met with litigious anticipation if the nature of that disclosure leads to the affected party receiving undue hardship or fallout from such an action from that entity. Also taking videos of server racks probably does not fall in the category of best practices. P.S. a Petabyte is nothing to brag about, certainly not #BigData come back when you have seen Yottabytes of storage that is actually secure. Good talk, Sport
 
•••
Disclosure of a consumer transaction from an entity to a third party without the prior consent of that individual is not a great practice, but could also be met with litigious anticipation if the nature of that disclosure leads to the affected party receiving undue hardship or fallout from such an action from that entity.

I was thinking the same thing. It doesn't seem real appropriate.
It is also not helpful to Rob or Epik in any way.

Maybe Rob thinks it is some gotcha moment or something that I did not have any domains at Epik. Like I said, if I did I would have certainly moved them long ago.

However, I was still pwned in the data breach as were thousands of current and former customers and millions of others.

Oh, I also like how he ends with - "I am sure this mystery will be revealed in time...", whatever that is supposed to mean.

Brad
 
•••
I was thinking the same thing.

Maybe Rob thinks it is some gotcha moment or something that I did not have any domains at Epik. Like I said, if I did I would have certainly moved them long ago.

However, I was still "pwned" in the data breach as were thousands of current and former customers and millions of others.

Brad
A consumer has a reasonable expectation of privacy in financial transactions with an entity that stores and uses their data, a breach of this privacy causes a loss in trust, but more importantly it denigrates the integrity of the system storing the data. And could lead to harmful social engineering attacks which could lead to emotional and financial hardship
 
•••
I am sure this mystery will be revealed in time...

Should bmugford expect a profile at Camp's site too, by the way? That seems to keep happening to people where you talk about "things being revealed".

A consumer has a reasonable expectation of privacy in financial transactions with an entity that stores and uses their data, a breach of this privacy causes a loss in trust, but more importantly it denigrates the integrity of the system storing the data. And could lead to harmful social engineering attacks which could lead to emotional and financial hardship

Hey, as if getting pwned in the data breach was not bad enough, now the CEO proactively doxxes my (lack of) relationship to the company and transaction history...as if it hurts my credibility or something.

It just makes Rob look that much worse.

My data was included in the breach. That is the only relationship I need.

Brad
 
•••
It's not the job of registrars to police the content of sites.

True. But if a registrar is also a host and a problematic site is drawn to their attention that is against their TOS then it would be expected that actions would be taken.

Hate sites are at DirectNic, Enom, Tucows, and almost every domain wholesaler. Even stormfront set up shop on DirectNic a long time ago. The pitchforks are after Epik today for god knows what reason for content, when registrars larger than his also have domain names related to hate sites

This is very different from a registrar who is actively courting, seeking, and promoting ideals of such sites and players. Epik has made it a business model.

Over the long term, if a registrar is attracting a disproportionate share of pathological customers, then there can be instability issues.

This is especially true when it comes to shared hosting. If customers sharing the same server space who are on the same IP range where sites are put on black lists will be affected in detrimental ways. The reputation of customers who are operating in bad faith can impact those that are unrelated simply by being in close proximity. So if an IP is flagged because of someone else's actions, and you happen to share the same IP then you are screwed.
 
•••
Hey, as if getting pwned in the data breach was not bad enough, now the CEO proactively doxxes my (lack of) relationship to the company and transaction history...as if it hurts my credibility or something.

It just makes Rob look that much worse.

My data was included in the breach. That is the only relationship I need.

Brad
Yes, but he did it brotherly Christian love because he loves you.
 
•••
Yes, but he did it brotherly Christian love because he loves you.

Yeah, I can really feel the love.

Imagine being the CEO, only board member, and majority shareholder of a company that just suffered an Epik data breach based on "shitty code" then giving out private customer transaction information on a public forum without permission.

To be so flippant with that information... Some people will never learn.

Brad
 
•••
Yeah, I can really feel the love.

Imagine being the CEO, only board member, and majority shareholder of a company that just suffered an Epik data breach based on "shitty code" then giving out private customer transaction information on a public forum without permission.

To be so flippant with that information... Some people will never learn.

Brad
Imagine being the sucker guy that just gave this train wreck $32,000,000.
 
•••
I see a lot of veiled language suggesting that certain parties may be considering taking legal action against some of the individuals posting on this forum. I would strongly advise those parties that Electronically Stored Information is discoverable from opposing counsels, so discretion should be used when communicating potentially damaging information on public facing websites. A common misstep from eagerly litigious individuals is to assume that this information is somehow going to be overlooked or not found, my advice to those individuals or entities would be to consult their legal counsel about the rules of discovery involved with respect to ESI.
 
•••
Also taking videos of server racks probably does not fall in the category of best practices. P.S. a Petabyte is nothing to brag about, certainly not #BigData come back when you have seen Yottabytes of storage that is actually secure. Good talk, Sport

Exactly. This is the core of the problem and has been pointed out many times by me and by others on this forum in the past. The CEO is too easily impressed. He even mentioned that they use routers. And BGP. And datacenters with EMP protection. At the same moment, the CEO does not seem capable of securing even the most trivial things, or select the best people in his team to audit the registrar code they use. Or even get access to this code.
 
•••
in July 2018, I petitioned the Lord for two things: (1) the capacity to love everyone and judge nobody, and (2) a servant’s heart.

Almost sounds like a brave mounted champion.
Except it's flawed, since you are scrapbooking.

Proverbs 29:27
The righteous detest the wicked;
the wicked detest the upright.

Even kind saints will order punishment for the wicked.

Helping them ;) stop is commendable.
 
•••
Rob, it is now very clear about which topics you like to talk extensively. You previously indicated that you did the video meeting against the advice of your legal advisor. I assume that you are now being advised by the best legal people around you about what you should and should not communicate. Thank you for your effort. Still a lot of questions that you flat out ignore. Have a nice Sunday.
 
•••
“PCI DSS does not prohibit the collection of card verification codes/values prior to authorization of a specific purchase or transaction. However, it is not permitted to retain card verification codes/values once the specific purchase or transaction for which it was collected has been authorized. Some service providers offer a concierge-style service, where cardholder details are retained by the provider to facilitate potential future transactions. Retention of card verification codes/values for this purpose is also prohibited under PCI DSS Requirement 3.2.”
 
•••
  • Do not store data from a credit/debit card's magnetic stripe.
  • Do not store a credit/debit card's CVV or CVV2 security code (this is the security number on the back of the card, usually three digits).
  • Store only the information required to complete the transaction.
  • If you do store the 16-digit card number, make sure you have a plan to destroy these numbers once they are no longer needed.
  • Make sure your partners and vendors also follow the payment card security standards. Visa maintains a list of PCI compliant service providers.
  • Only use point-of-sale payment software that is compliant with the Payment Application Best Practices (PABP).
  • Use firewalls around your payment card processing system.
  • Make sure passwords and security codes are in fact secure.
  • Encrypt payment card information stored on the processor's computers or sent over the internet (or any public network).
  • Use anti-virus software and update it regularly.
  • Make sure employee access to data is tightly controlled.
  • Give each employee who uses a computer a unique user ID.
  • Tightly control access to hard-copy payment card information.
  • Put a data security policy in place for employees who handle sensitive data and reinforce it.
 
•••
  • Make sure passwords and security codes are in fact secure. (Excerpt from PCI DSS compliance)
 
•••
There are a number of entities which keep track of registrars which have a disproportionate incidence of things in which the entity has an interest. Without either endorsing or criticizing any particular of these "watchdog" type outfits, you can find registrar rankings by, say LegitScript in relation to what they perceive as rogue pharmacies, Spamhaus keeps a "top ten" list of registrars that are used by spammers:

etc.. Spamhaus uses a "badness index" that is normalized to domains under management. Certainly, if you are doing numeric compilations, you would expect GoDaddy to have the highest raw score of (insert "bad thing" here). But if GoDaddy has 10 "bad thing" names to Registrar X's 1 "bad thing" name, but GoDaddy has 100 more domains than Registrar X, then Registrar X has a higher incidence of that "bad thing".

Everyone in the industry keeps something of a running ledger of "what domain registrars are most likely to be utilized by domain thieves". I personally have noticed that I get regular SMS phishing messages using .info domain names which follow a pattern and are remarkably and consistently registered with one registrar.

Over the long term, if a registrar is attracting a disproportionate share of pathological customers, then there can be instability issues. One notorious registrar was disaccredited by ICANN a while back (they may be still arguing in court after a default), so, to any legitimate customers of theirs were adversely impacted by the large volume of abuse upon which they didn't act. But those also involve narrowly defined consensus categories of abuse.

So, registrar responsiveness to certain types of abusive registrants, as ranked by whomever you might trust on things like spam, phishing, child abuse imagery, etc., is worth taking into account in selecting a registrar.

Spam, phishing, CP etc is not what I meant by 'content'.

By 'content' I meant what Epik is debated over, ie the controversially political customers it has as some customers or 'watchdogs'.

You spend a lot of time nitpicking my statements about things this thread isn't even about.
 
•••
True. But if a registrar is also a host and a problematic site is drawn to their attention that is against their TOS then it would be expected that actions would be taken.



This is very different from a registrar who is actively courting, seeking, and promoting ideals of such sites and players. Epik has made it a business model.



This is especially true when it comes to shared hosting. If customers sharing the same server space who are on the same IP range where sites are put on black lists will be affected in detrimental ways. The reputation of customers who are operating in bad faith can impact those that are unrelated simply by being in close proximity. So if an IP is flagged because of someone else's actions, and you happen to share the same IP then you are screwed.

I don't really see why it matters if a registrar is courting political extremism when the same is already allowed on major registrars, and the sites would have existed without Epik.

If the sites would have existed anyway, why does it matter if Epik is the one giving them a name rather than Tucows?

Fortunately, no one is going to turn the internet in a big space where everyone agrees on everything. People have to allow dissenting (legal) speech to be able to express their own.

If a person gets bumped off Epik they have plenty of options to go to, although it is inconvenient being bumped off a registrar.
 
•••
Can you name some of these customers?
I have them in my DMs. And yes there were (many) more far-rightists than far-leftists using the registrar. But why exactly would I tell people who they are when this thread is about a data leak and such people are concerned about their personal info.

Oh right cuz this thread isn't about that, it's about all these personal vendettas people have.

To be honest though, Njalla and PRQ is better than Epik for (most) far-left content.
 