Linux is state controlled spyware.

Linux is state controlled spyware. The only OS you should be using in the big 2016 is Temple OS

The HN thread discovering this covert attempt was posted by no other than "rabinovich", a user which shares the name of the POI: https://news.ycombinator.com/item?id=46624740

Furthermore, the Masharabinovich Wikipedia account has reactivated for the first time in 10 years to purge their talk page: https://en.wikipedia.org/wiki/Special:Contributions/Masharabinovich

Now, we still don't know if this Masha Rabinovich is an alias, but the evidence that this person is indeed the creator of archive.is is too great to ignore, and clearly Jani touched a nerve 🧵

So the mysterious person behind archive.today is very likely to be "Masha Rabinovich." A 2023 investigation from Jani Patokallio theorized this much

https://gyrovague.com/2023/08/05/archive-today-on-the-trail-of-the-mysterious-guerrilla-archivist-of-the-internet/

However recently a few things happened over the past few days. A HN user noticed that archive.today visitors are being used in a botnet staging a DDoS attack against Jani's website, and Jani has received a bogus C&D.

Who was the HN user who noticed this? Well... 🧵

The average psychopath robs a bank, the clever psychopath opens one

They're using many IPs, since I began logging only a hour ago I've gotten 3:

43.173.180.83
43.173.173.185
43.173.173.224

Same story for all

---
And just like that we have our first bite:

UA: "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.6478.114 Safari/537.36"
IP: 43.173.180.83

Unfortunately, this is Tencent Cloud which is owned by Aceville which is owned by TCH Delta Limited which is... owned by Tencent. So that's a dead end. Could be TC themselves or any company using TC cloud.

I tried Shodan and Zoomeye and didn't see anything aside from DNS to "openstacklocal."

Any ideas?

I have begun logging the IPs of UA's containing "Windows NT 6."

(by default, in my analytics I only store a hash derived from the User Agent, day, and IP. As I do not know the user agent beyond the fact that it represents a windows 7 user on chrome and that the IP is in singapore, that is drastically too much data for a rainbow tables type deanon. I also store the connecting IP for 14 days, however this is almost always Cloudflare and not the user.)

Maybe I block Windows 7 users in Singapore. But the only reason I identified this in the first place is because of the odd Windows 7 UA. What percent of my *other* visitors are bots? Not all of them, but maybe some of them? Most of them? I can't detect them well, evidently. I don't know who's running them. And I don't want to fingerprint humans to find out. So for now, I do nothing.

But I wish they would go away.

Unless my website is shockingly popular with Singaporean Windows 7 users, these are obviously bots. For what? They aren't DDoSing me, but they are executing JavaScript and evading my (admittedly lax) bot mitigations. Maybe they are stealing my copyrighted content to train an AI model.

So what do I do? Well, maybe nothing. Their traffic costs me nothing relative to the amount of bot requests I get which *don't* execute JavaScript

Windows 7 traffic on my site has dramatically increased over the past 3 months. This was widely reported in the news, and frequently attributed as a statscounter glitch. But I don't use statscounter, and my Windows 7 traffic is still increasing.

No, Windows 7 isn't resurging.

Over 90% of my Windows 7 "visitors" are Chrome users in Singapore with no referrer and 1280x1200 displays. These users *do* execute JS, but do not engage with the page. They appear to visit pages at random.

1/?

This will crash the global economy