
What if the hackers come for us?

Gab - hacked. Truth Social - hacked. What if they come for us? The rdrama codebase probably isn't perfectly secure! Chrome or Firefox has layers of sandboxes, a hundred different gadgets like 'stack protection' or 'W xor X', and still has a new RCE every week. rdrama can probably be trivially owned if someone googles all the dependency versions for a few hours. Also, lol commit history, 'sneed'. If that happens - what leaks? I guess just associations between stored IP addresses (if they are) and post histories. And an IP can reveal a lot, or nothing, depending on where you live, ISP, etc. Combine that with a post history referencing improvements you made to your house or your occupation ... might be bad.

Practically, it seems incredibly unlikely anyone will care enough to do anything; it's a small community and the essay format gets in the way of 'omg these rightwingers grr'. But it's always good to ponder potential security issues. Also, you wanted content, so content.


That is a reasonable question!

The answer is that we will probably get hacked at some point.

We have some protection based on the way the server architecture works. We don't keep a persistent image around; the site environment is in Docker, and every time I update it, it reconstructs it from scratch. Even if someone manages to find a backdoor and create a more permanent backdoor, it'll all get evaporated next time we do an update. It's difficult to break out of Docker and so we're unlikely to have any sort of long-term unfixable compromise; once we find it, we can fix it and it's solved.

Of course, they can still steal the database during that time.

Email addresses would be exposed, and, of course, the full contents of the visible site. I'm not sure if IP addresses are stored right now; at some point I'll be changing it to store a hashed version, but that's only vague security because there just aren't that many IP addresses.

It is worth noting that we're in communication with the rdrama devs; yes, the codebase has forked pretty heavily, but we likely still share a lot of the same issues (and I'd love to gradually de-fork things over time). Nevertheless, this is still a volunteer endeavor, we just don't have the personpower to do full professional-level security audits.
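The reply above makes a point worth seeing in working code: hashing stored IP addresses with a plain, unkeyed hash gives only vague protection, because the whole IPv4 space is just 2^32 values and anyone holding the database dump can hash every candidate and compare. The example below is added here and is not the site's code or the rdrama project's code; it uses a constructed address from the documentation range 203.0.113.0/24 and only enumerates that /24 so it runs in well under a second, but the same loop over all 2^32 addresses is the attack the reply is describing. It then shows the usual mitigation, an HMAC with a server-side secret (the `key` argument is assumed; in practice it would come from an environment variable or secrets store, never from the database itself), which keeps the same-IP linking the site wants while making the dump alone insufficient to recover addresses.

```python
import hashlib
import hmac
import ipaddress
import secrets
from typing import Callable, Optional

# Constructed sample address from the IPv4 documentation range (RFC 5737).
SAMPLE_IP = "203.0.113.77"
SAMPLE_NETWORK = "203.0.113.0/24"


def hash_ip_plain(ip: str) -> str:
    """Unkeyed SHA-256 of the address string: what the reply calls 'vague security'.
    Any holder of the database can recompute this for every possible IPv4 address."""
    return hashlib.sha256(ip.encode()).hexdigest()


def hash_ip_keyed(ip: str, key: bytes) -> str:
    """HMAC-SHA256 with a server-side secret (assumed to live outside the DB).
    Same input still maps to the same output, so the site can still link posts
    from one address, but without `key` a dump holder cannot enumerate candidates."""
    return hmac.new(key, ip.encode(), hashlib.sha256).hexdigest()


def recover_by_enumeration(
    digest: str, network: str, hasher: Callable[[str], str]
) -> Optional[str]:
    """Try every address in `network` through `hasher` and return the one whose
    digest matches, or None. For an unkeyed hash this is the whole attack; the
    only cost is ~4.3 billion hashes for all of IPv4, which is cheap."""
    for addr in ipaddress.ip_network(network):
        if hmac.compare_digest(hasher(str(addr)), digest):
            return str(addr)
    return None


def demo() -> dict:
    """Run both schemes against the constructed sample and report what an
    attacker holding only the database (not the key) could recover."""
    key = secrets.token_bytes(32)  # constructed secret; real one comes from config

    plain_digest = hash_ip_plain(SAMPLE_IP)
    keyed_digest = hash_ip_keyed(SAMPLE_IP, key)

    # Attacker with the dump recomputes the unkeyed hash over the candidate space.
    recovered_plain = recover_by_enumeration(plain_digest, SAMPLE_NETWORK, hash_ip_plain)

    # Same attacker against the keyed digest: they do not have `key`, so the best
    # they can do is try the unkeyed hash (or guess a key), which never matches.
    recovered_keyed_without_key = recover_by_enumeration(
        keyed_digest, SAMPLE_NETWORK, hash_ip_plain
    )
    wrong_key = secrets.token_bytes(32)
    recovered_keyed_wrong_key = recover_by_enumeration(
        keyed_digest, SAMPLE_NETWORK, lambda ip: hash_ip_keyed(ip, wrong_key)
    )

    # The legitimate server, which does hold `key`, can still match a known IP
    # to its stored digest (this is the linking the site actually needs).
    server_can_match = hmac.compare_digest(hash_ip_keyed(SAMPLE_IP, key), keyed_digest)

    return {
        "recovered_plain": recovered_plain,
        "recovered_keyed_without_key": recovered_keyed_without_key,
        "recovered_keyed_wrong_key": recovered_keyed_wrong_key,
        "server_can_match": server_can_match,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The caveat that matters for the reply's threat model (someone steals the database during the window before a Docker rebuild): the HMAC only helps if the key is not in the same dump. If the key sits in a config table or in the container image alongside the data, a thief gets both and the scheme collapses back to the plain-hash case.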