Is archive.org a security threat? My IT department thinks so

[-]

jsand2@reddit

It is not considered a malicious site, but files uploaded could contain malware. I would also likely deny this request. Its just not worth getting compromised.

Reply

[-]

flunky_the_majestic@reddit (OP)

Other than archive.org, we have pretty open access. Github, SourceForge, FileHippo, CNET, and others are open.

Reply

[-]

I can't vouch for what you do but... > Github, SourceForge, FileHippo, CNET, We block all this. Not a chance in hell we would open them either. But our employees dont need any of that. IT has free reign to grab what we need of course. >To me, the usefulness of archive.org far outweighs its malicious potential. To admins, security is priority. Allowing the company to possibly be compromised just so a an employee can make their job easier just isnt happening. If you dont mind me asking, what can you get easier there than on the internet? Your company might not allow it, but for research in my career, CoPilot has been slaying it lately.

Reply

[-]

flunky_the_majestic@reddit (OP)

> If you dont mind me asking, what can you get easier there than on the internet? Usually it's historical stuff. We'll be working with a local government agency that asks about historical documents. Usually they are available on archive.org. It's frustrating to tell the customer "Can you screen share? We'll search for it together to see if we can find what policy existed for the next town over in 2021"

Reply

[-]

jsand2@reddit

>It would make sense if it was applied that way. But, as I noted, barely anything else is blocked. I think one of these guys just read a news article, decided he wanted to make an impactful decision that sounds smart, and he went for it. You might not be wrong on your IT peeps. Just hearing you say "Defender" earlier had me cringing. Not only do we pay for AV, but we also employ AI across our network to ensure if our employees do click the wrong thing, that it gets stopped before spreading fron their pc. And to be honest, I am not sure I would want to work in an environment without AI on the network like we have here.

Reply

[-]

disclosure5@reddit

You sound like one of these AI sales people with this pitch. Being proud that you block Github really doesn't inspire anyone with regards to your orgs capabilities.

Reply

[-]

jsand2@reddit

>You sound like one of these AI sales people with this pitch. I am most definitely not a sales rep! But if my AI sales rep asked me to talk to a potential customer of theirs, I would upsell the fuck out of it. Its that valuable. >Being proud that you block Github really doesn't inspire anyone with regards to your orgs capabilities. Not sure what you mean by this. I was talking to OP about how we block all that crap, which honestly we likely block 99% of the internet. We only unblock as needed. Dont you worry about my org though, thats what they pay me for. My org is just fine.

Reply

[-]

RedThings@reddit

what do you mean by "we employ AI across our network" ??? xd

Reply

[-]

jsand2@reddit

I mean we have an AI that sniffs our network for anomalies. The client is installed on every endstation/server. The AI learns the activity and watches for anomalies. Someone clicks ramsomeware? It shuts the endstation network down and prevents it from spreading. Someone tries to steal company data? It shuts the network down preventing transfer and notifies us. This is a couple examples out of many things it can do. This AI coats roughly the yearly salary of a new hire. Its worth every penny.

Reply

[-]

RedThings@reddit

that's just normal edr, dlp stuff nothing that needs AI.... just name the product name?

Reply

[-]

jsand2@reddit

Darktrace

Reply

[-]

disclosure5@reddit

Darktrace is a total meme that's bashed relentlessly by security professionals. But you do you.

Reply

[-]

tejanaqkilica@reddit

Hahaha, I knew it was Darktrace. We use it, colossal piece of garbage. In the 4 years that we had it, it has caused nothing but trouble and not once has blocked malicious actors from doing their thing. It's sales people though, oof, they go really hard on it.

Reply

[-]

jsand2@reddit

> In the 4 years that we had it, it has caused nothing but trouble and not once has blocked malicious actors from doing their thing. Yet the 2 years in we have had the complete opposite. It has stopped malicious attacks. I would compare this hate to artists and genAI. Elitists in complete denial of the technology, but ultimately terrified as they know it will end up replacing them.

Reply

[-]

RedThings@reddit

its a bit obvious you are not knowledgeable. Like.. > I mean we have an AI that sniffs our network for anomalies. The client is installed on every endstation/server. The AI learns the activity and watches for anomalies. Someone clicks ramsomeware? It shuts the endstation network down and prevents it from spreading. ???? what where are the people who are ... clicking on ransomware payloads??? thats just not how it works, ransomware is not the initial attack vector. like what are you saying. its clear to people that you are not that knowledgeable because the words/terminology you are using is just flat out wrong/weird. who says "endstation network". im just so bored of these sloppy uncreative ai bros, who cant help themselves but bring ai into every single topic

Reply

[-]

jsand2@reddit

Yawn. Just lol. I didnt realize people on this subreddit were filled with such hatred. From your response, I likely have more years experience in my career than you have years alive. >ai bros But ah yes an AI hater. There it is. Thats ok. The world is already phasing people like you out. Thanks for the laugh, now its time for you to crawl back into the cesspool that is antiai with the rest of the children.

Reply

[-]

TheCourierMojave@reddit

Are you US based? I wouldn't trust a UK based company for cyber security if in the US.

Reply

[-]

jsand2@reddit

Yes. Dont worry about us though, we are in a great spot with it. It truly feels like some of you are terrified of computer technology, AI specifcally, which blows my mind.

Reply

[-]

TheCourierMojave@reddit

Not terrified of AI, waiting for it to actually be useful and do the things I need.

Reply

[-]

charleswj@reddit

What? Where do you think your cyber security products are developed?

Reply

[-]

goingslowfast@reddit

I don’t think I’ve heard anyone US based refer to an endpoint as an endstation.

Reply

[-]

ArgonWilde@reddit

Defender *is* a paid AV, if you have 365 defender licensing (such as E5 security). And what you call "AI" is likely just old school heuristics and behaviour monitoring. Which, again, is a 365 defender feature.

Reply

[-]

Darketernal@reddit

Defender is a lot better than it used to be tbf. Like it stands up with be big boys. Any AV/EDR/XDR isn’t enough without a SIEM anymore tho

Reply

[-]

jsand2@reddit

>It would make sense if it was applied that way. But, as I noted, barely anything else is blocked. I think one of these guys just read a news article, decided he wanted to make an impactful decision that sounds smart, and he went for it. You might not be wrong on your IT peeps. Just hearing you say "Defender" earlier had me cringing. Not only do we pay for AV, but we also employ AI across our network to ensure if our employees do click the wrong thing, that it gets stopped before spreading fron their pc. And to be honest, I am not sure I would want to work in an environment without AI on the network like we have here.

Reply

[-]

TerrorToadx@reddit

What are you even saying? Lol

Reply

[-]

disclosure5@reddit

He's quoting Darktrace sales people. I dragged the name out of him because.. it was obvious what he was getting at.

Reply

[-]

MonkeyPLoofa@reddit

Defender for endpoint makes you cringe? "Not only do we pay for AV"??? "AI that ensures if your employees do click the wrong thing it gets stopped before spreading"?? Do you really sysadmin, bro?

Reply

[-]

thortgot@reddit

Defender for Endpoint would be the product here. Its quite good. AI based EDR? Which one?

Reply

[-]

Mister_Brevity@reddit

Not to be rude, but that’s why you aren’t making the decisions. Everyone likes to second guess IT, but you know what? It’s part of their job to create and enforce policy, not explain themselves to end users. It’s part of your job to follow those policies. This is not complicated. This type of post is not unique, it’s very common to have non IT staff pop in and second guess their IT departments while a) claiming to know more or be more experienced than their IT department, and b) gloat about the things they do to work around it that will later get them fired - because terming staff for shadow IT takes time and a lot of documentation and evidence.

Reply

[-]

marklein@reddit

>My job is to protect the company Counterpoint: Our job is to make the company more effective and efficient, WHILE being secure. Our job (assuming sysadmin) is NOT to only protect the company, that would be secops or security/cyber/blue/purple/red.

Reply

[-]

Mister_Brevity@reddit

That’s really semantics in the context of op’s concern, in a smaller company those duties likely fall on the sysadmin. Either way, IT’s duty is not to accommodate the whims of users.

Reply

[-]

marklein@reddit

We agree to disagree. The business exists to make money, period, and IT exists to support that goal, period. If a user's whim is productive to the business and safe then it is indeed our duty to facilitate it (assuming it's practical, of course). If the employees want X and can demonstrate a business need, and if IT can make it safe and affordable, then that sort of thing should be approved so the business can make more money (either by generating new revenue, or savings by making the employees more productive). We're not gatekeepers, we're business facilitators via technology (with a significant interest in security). (Disclaimer: IT math may be different for a charity who's mission is not to make as much money as possible, but in that case you can just replace "money" with whatever currency the charity deals in (food, vaccines, shoes....))

Reply

[-]

mrlinkwii@reddit

>Our job (assuming sysadmin) is NOT to only protect the company, that would be secops or security/cyber/blue/purple/red. in a good number of companies a sysadmin job includes security/cyber/blue/purple/red because they wont shell out for extra workers

Reply

[-]

narcissisadmin@reddit

FileHippo? Do you also allow MajorGeeks? Yuck.

Reply

[-]

apathyzeal@reddit

What use does archive.org have in your org, though? I don't really see anyone asking this question. It's an important one.

Reply

[-]

flunky_the_majestic@reddit (OP)

https://www.reddit.com/r/sysadmin/comments/1r9dejy/is_archiveorg_a_security_threat_my_it_department/o6bp3hl/ > Usually it's historical stuff. We'll be working with a local government agency that asks about historical documents beyond their control and ours. Usually they are available on archive.org. It's frustrating to tell the customer "Can you screen share? We'll search for it together to see if we can find what policy existed for the next town over in 2021". Prior to this decision, it was a 2 minute job. Now (if we play by the rules) it's an hour of us taking up customer time, or 2 weeks of us making requests to the town.

Reply

[-]

realCptFaustas@reddit

I get your issue, but it never should have been handled by what you were doing. This ain't IT problem it's legal.

Reply

[-]

flunky_the_majestic@reddit (OP)

> This ain't IT problem it's legal. ??? What is legal?

Reply

[-]

sr71oni@reddit

What about it is confusing? A lot of “policies” aren’t usually conceived by IT, but are enforced or enacted by IT. Security posture is usually dictated by org management and/or cybersecurity, which is usually mandated by insurance, which is legal.

Reply

[-]

flunky_the_majestic@reddit (OP)

I guess it's confusing because you and I seem to have very different organizations. This IT department of 3 guys is not that formal.

Reply

[-]

sr71oni@reddit

Ah, well, your IT team must report to someone. Either they just made that rule themselves, or it must have been mandated by someone above them. You can lobby your decision makers for change in policy, but you need to also be prepared to accept that if your board/leadership/whatever backs up your IT department, that will be the policy the org as a whole has decided to abide by.

Reply

[-]

realCptFaustas@reddit

Do any of your 3 guys decide what to look for and what is important in that data? Do any of the 3 guys manage that data? Do any of the 3 guys can confirm it is legit or not for whatever it is being asked for? Anything I asked there is almost never an IT problem, and you are taking responsibility for all of them.

Reply

[-]

flunky_the_majestic@reddit (OP)

> Do any of your 3 guys decide what to look for and what is important in that data? No. > Do any of the 3 guys manage that data? No. > Do any of the 3 guys can confirm it is legit or not for whatever it is being asked for? No > Anything I asked there is almost never an IT problem, and you are taking responsibility for all of them. I am willing to take responsibility for looking up the old logo for a town using archive.org. 100%. No lawyers needed. Do you need to call a lawyer before you click on your email? Are you willing to take that risk?

Reply

[-]

realCptFaustas@reddit

My question then is why? Me reading my received emails is part of my job. No idea how this is some got ya moment for you here.

Reply

[-]

flunky_the_majestic@reddit (OP)

Me doing historical research is part of my job.

Reply

[-]

_UberGuber@reddit

I truly don't understand how archive.org.is this critical to you in your daily life.

Reply

[-]

Servior85@reddit

I haven’t checked it myself, but my old employer blocked it, because „you can download pirated content“. They unblocked the web.archive.org part to view old versions of websites, after my request for it (I sometimes need old documentation, which isn’t publicly available on the vendors website anymore).

Reply

[-]

iagelo@reddit

True, a lot of recent malware host itselt in, for example, image files at archive.org. Mainly second/third stages of phishing, be carefull

Reply

[-]

AutoModerator@reddit

Your [submission](https://www.reddit.com/r/sysadmin/comments/1r9dejy/is_archiveorg_a_security_threat_my_it_department/) in /r/sysadmin was automatically removed because it appears to be empty. Please add some content. A headline or title is not sufficient content. If you feel this action is incorrect, please [message the moderators](https://www.reddit.com/message/compose?to=%2Fr%2Fsysadmin). *I am a bot, and this action was performed automatically. Please [contact the moderators of this subreddit](/message/compose/?to=/r/sysadmin) if you have any questions or concerns.*

Reply

[-]

almost_s0ber@reddit

Exactly at the level of user that knows enough to be dangerous. Bypassing policy, undermining your IT team's decisions, and introducing risk. You are a (if not THE) major security liability to your organization!

Reply

[-]

VestibuleOfTheFutile@reddit

If you really do need that site to perform research as a core part of your job, to the degree that your team is now using non-sanctioned hardware to do so, this is a good example of how rigid process with no exceptions for security actuality creates shadow IT. There needs to be an exception or deviation process to allow access using compensating controls. That could come in the form of an workstation or server you can login to (remote desktop ideally) where you have limited permission do any damage and the machine has limited network access for any malicious software to replicate. Enhanced logging and malware prevention and detection controls could be used on the machine. What I would do in your shoes is potentially stop doing your work when you legitimately can't, and provide limited out with the disclaimer that you're unable to perform your job as requested due to the restrictive IT policy, noting the lack of exception policy, and propose a hardened research workstation as a workaround. The security policy isn't wrong, I agree with blocking the site, but IT works for the business, not the other way around. They need to figure out a way to enable the business to continue to function as normal while still providing reasonable security by default.

Reply

[-]

spin81@reddit

> archive.org does not have any sort of security policies How the hell would they know about that? This sort of hyperbolic nonsense grinds my gears to a pulp.

Reply

[-]

Firefox005@reddit

Malicious compliance time, if they business is going to block a tool that you legitimately need for your job then they should provide at least one alternative. Each time you are a coworker need something from archive.org put in a ticket asking how to access said content as it is necessary for your work. If they want to vet everything that is downloaded from archive.org or provide an alternative location they are free to do so. I am betting however that eventually they will get tired of having to constantly deal with the tickets and will eventually decide to reverse the policy. If they continue to just close the tickets with no its blocked by policy without providing an alternative or workaround then you have ammo to take up the chain and show how much it is actually impacting you and your coworkers ability to function. > Our team has taken to using their own shadow IT hardware to circumvent this and other restrictions. I would not recommend doing this. Imagine if something bad did happen because you circumvented these restrictions, now when they investigate and they see that you have bypassed security controls that are there for the companies safety. Not a good look. > Is archive.org really a threat? Threat in what way? Different companies have different security requirements and that drastically influence what is and isn't a threat. Is it a threat if you create an account on archive.org using your work email address and the same password as your work account and then said website gets its user database dumped? I know you personally would never do something like that but from the perspective of the business it gets a lot fuzzier in that they are dealing with potentially a very large group of people with vastly differing levels of knowledge and savviness, so therefore security controls usually are designed around the lowest common denominator.

Reply

[-]

mapold@reddit

Technically they could also add a local CA root certificate to the browser and direct all [archive.org](http://archive.org) requests to a local MITM proxy, which would block all exe, zip, 7zip, rar, arj, img, iso files. It is also possible to set up a virtual machine running a browser, which is configured to use a proxy server with no restrictions.

Reply

[-]

LibtardsAreFunny@reddit

It's the same ole' game played for years. kinda silly imo. You block that and there are another 100 ways or more to get around it. I guess it just depends on what kind of resources you got to go after all the many ways. It's sort of like file sharing for the last 20 years or iptv services more recently. If there was a way to just block them it would have been done by now. Instead it's wack a mole to infinity.

Reply

[-]

mrlinkwii@reddit

unless you can find a business case for the use , its probably good its blocked

Reply

[-]

burundilapp@reddit

Unless you're a large organisation with a large dedicated security team then most IT teams will be overworked and have policy based controls for web access based on their chosen providers categorisation policies, in this case Microsoft, they can only go so far as what the policy says, asking more of them than that requires resources they probably don't have and would be better deployed elsewhere. 'Computer says no' is common in underfunded depts because it's put the onus back on the business to fund the dept properly to be able to go beyond the 'computer says no' response. It's not uncommon for there to be a machine in a room somewhere, not connected to any internal networks, that has unfiltered internet access. This is what you need access to, or a procedure where you can ask the IT Dept to get data from [archive.org](http://archive.org) for you if you insist it's business criticial, they then have helpdesk tickets that document your use and you are assisting building a business case for review or some level of controlled access to the site.

Reply

[-]

txe4@reddit

One of my ISP’s adult content filters blocks it. Can’t work (at some odd but important workflows) without it. It contains…almost literally everything known to mankind. So if whack-a-mole futile blocking of random websites is your bag, it’s legit to block it.

Reply

[-]

MagicBoyUK@reddit

It bypasses other content filtering is the issue. They might block a specific site, but if you can get all the files hosted there off [archive.org](http://archive.org) then it's a problem.

Reply

[-]

flunky_the_majestic@reddit (OP)

We are not blocked from other sites, like translate.google.com and even sites that are explicitly meant to be in-browser proxies like CroxyProxy.

Reply

[-]

itskdog@reddit

You don't need to block the main GTranslate domain any more, they've moved webpage translation to its own domain.

Reply

[-]

iCapn@reddit

[Kinda relevant](https://xkcd.com/651/)

Reply

[-]

flunky_the_majestic@reddit (OP)

Kinda, I guess... but really not. Because content filtering is purposefully permissive here, since we are required to do a lot of general research.

Reply

[-]

CardinalHaias@reddit

Is porn blocked?

Reply

[-]

IdealParking4462@reddit

It also typically falls into the anonymous/proxy category of the solutions I've seen, so it may not be specifically targeted or configured, but rather the broader category is blocked. Though we specifically do block it for this reason, and have an approved user exception list.

Reply

[-]

MagicBoyUK@reddit

Yeah, it falls into the proxy category for the solution we have at work.

Reply

[-]

SifferBTW@reddit

We block archive.org for your purpose. These types of sites are just ripe for abuse. Unfortunately it's becoming a game of whack-a-mole. It seems like more and more archiving sites are popping up. Every time someone has come to me about archive.org, I've found an alternative on the first page of a Google search. People are just lazy and click the first thing they see. Which is all the more reason to block this shit.

Reply

[-]

InvisibleTextArea@reddit

Access archive.org with archive.is? :)

Reply

[-]

NovaRoro@reddit

Your IT department is conflating 'had a breach' with 'is a security threat.' By that logic, Microsoft (SolarWinds), Okta, and every major vendor are blocked. Archive.org's 2025 breach was DDoS + credential stuffing - bad, but not unique. The real risk is shadow IT, which you already have. Better to allow with monitoring than drive users underground.

Reply

[-]

tejanaqkilica@reddit

I think it's OP who is conflating the two concepts, since he also says went back to them, with some more examples of "breaches" when the question really is about this being a security threat or not. I would expect it from some junior it admin with 3-5 years if experience using vendors, I would not expect it from some steel hardened veteran of 25 years in the trenches.

Reply

[-]

flunky_the_majestic@reddit (OP)

> Your IT department is conflating 'had a breach' with 'is a security threat.' EXACTLY. This puts it into words better than I have so far. I believe this is a symptom of their inexperience. I believe one of them read an article, though "breach=bad" and blocked it.

Reply

[-]

bw_van_manen@reddit

I think 'Microsoft blocks it' is the sole reason. They were probably told to implement a policy blocking malicious websites and used the block list from the supplier they already had. All other comments are just to defend choosing the easiest solution. I think the only way to convince them is to find another solution for blocking malicious websites that's equally easy to implement.

Reply

[-]

everforthright36@reddit

The argument shouldn't be other sites we access are worse but the business need for the site.

Reply

[-]

flunky_the_majestic@reddit (OP)

The business need comes up frequently.

Reply

[-]

everforthright36@reddit

Your team has the business need or someone else?

Reply

[-]

RidiculousAnonymer@reddit

Their business might be information gathering and analysis. The might sell information. Being able to check historical data seems relevant in cases like this.

Reply

[-]

Zerowig@reddit

I know you’ve come here looking for validation, OP, but your argument here that you should have this site allowed on the basis that IT doesn’t block other sites, is shitty as hell. I don’t know what type of organization you’re in, but if you went to the “executive leadership team” at any decently ran organization with this nonsense, it would be the nail in your coffin.

Reply

[-]

vermi322@reddit

Admitting to circumventing content filtering is not gonna help their argument either..

Reply

[-]

SolidKnight@reddit

If there is a legit business need then I would allow it. It's not a trusted site so the risk of bumping into malware on it is the same as any other site that allows user uploaded content. Depending on your tooling, you could block downloading files from it if you want to allow users to look at old sites but prevent them from obtaining potentially executable content.

Reply

[-]

Master-IT-All@reddit

>Our team has taken to using their own shadow IT hardware to circumvent this and other restrictions. And what's the policy/response going to be for that? As an IT Admin, I wouldn't rest until you were out the door. You are a liability not an asset.

Reply

[-]

icanneverfinishmy@reddit

Really? For looking up information on archive.org on a separate computer? What if they do it on their own time?

Reply

[-]

Master-IT-All@reddit

Yes, it's a policy to not allow usage of that site. But really it's the former IT admin doing shadow IT that fires my goats up. It's like learning of a fire-fighter that also was an arsonist. Anakin killing the younglings...

Reply

[-]

icanneverfinishmy@reddit

Meh.. I think "Shadow IT" is probably an overly dramatic characterization. It sounds like OP gets blocked on their work device, so they use a personal device. At my office, personal email isn't allowed. Nobody would ever care if you look at personal email on your own phone, though. It sounds to me like OP used the term loosely and you came down on them hard for it.

Reply

[-]

flunky_the_majestic@reddit (OP)

So, I'm on the phone with a customer. We're on the topic of missing records for their softball team in 2014. I offer to look it up. I'm blocked. I look it up on my phone. And now I'm fired. Sounds reasonable.

Reply

[-]

Master-IT-All@reddit

Yes, assholes out the door.

Reply

[-]

unichode@reddit

Yikes dude. Sounds like you'd be out first.

Reply

[-]

SeaVolume3325@reddit

We block it but simultaneously allow old versions of Notepad++...

Reply

[-]

the_marque@reddit

it is literally auto updates for Notepad++ that were a problem.

Reply

[-]

SeaVolume3325@reddit

I mean yea but that doesn't mean an updated version shouldn't be pushed from us, not the auto-updater.

Reply

[-]

the_marque@reddit

The reasons your IT team has given have a thick layer of "go-away" logic. Unless your org is truly huge, I doubt something as simple as blocking or unblocking a website is assessed with that level of depth. ***That said -*** and unfortunately for you - if the website is *already blocked* I'd probably also reject this request. The wayback machine is for nostalgic curiosity at this point, with most commercially/legally useful information missing. Meanwhile, the site allows users to upload all kinds of content of little historical value and extremely questionable provenance.

Reply

[-]

Master-IT-All@reddit

Oh, to answer the question: No [archive.org](http://archive.org) is not a serious threat and does not need to be blocked at the site level. Content on the site however does need to be treated as potentially problematic for a business from an information reliability standpoint and from a technical threat standpoint. As a technical threat, the site allows uploading of executable code with limited veracity of the code's safety. As such all executable content (and likely compressed files) from the site should be banned at the end point and firewall level from being downloadable on corporate managed devices. This should comply with a basic security hardening, end users really shouldn't be able to download executable content in a controlled and secure environment. The information the site contains in documents does need to be verified and shouldn't form the only basis of truth. In legal term, it is secondary evidence. A photo-copy equivalent.

Reply

[-]

jeffrey_f@reddit

Legitimate, actually. Maybe work WITH IT to find a good alternative.

Reply

[-]

981flacht6@reddit

It's kind of a piracy site really is what it comes down to. And we're not going to open that up to our own liability.

Reply

[-]

MightBeDownstairs@reddit

Fucking tired of shadow IT. Y’all cause so many problems

Reply

[-]

dracotrapnet@reddit

Microsoft is more of a threat than archive.org.

Reply

[-]

xendr0me@reddit

At a minimum block - [**web.archive.org**](http://web.archive.org) You can use that to bypass content blocks.

Reply

[-]

KittensInc@reddit

>They have made the decision that [archive.org](http://archive.org) is dangerous because of their 2025 breach, and it is blocked from our computers. Have they also blocked [Microsoft](https://www.analyticsinsight.net/news/microsofts-massive-cyberattack-hackers-infiltrate-100-companies-worldwide)? [Google](https://news.trendmicro.com/2025/08/26/google-data-breach-gmail/)? [Apple](https://www.theguardian.com/technology/2013/jul/22/apple-developer-site-hacked)? [Dell](https://techcrunch.com/2024/05/09/dell-discloses-data-breach-of-customers-physical-addresses/)? [Facebook](https://www.bleepingcomputer.com/news/security/200-000-facebook-marketplace-user-records-leaked-on-hacking-forum/)? [AT&T](https://www.troyhunt.com/inside-the-massive-alleged-att-data-breach/)? [Marriott](https://www.forbes.com/sites/suzannerowankelleher/2024/10/10/marriott-52-million-slap-wrist-cybersecurity-breaches-lax-security/)? [Hyatt](https://abcnews.com/Technology/hyatt-reveals-data-breach-impacted-250-hotels/story?id=36315368)? [Adobe](https://www.comparitech.com/blog/information-security/7-million-adobe-creative-cloud-accounts-exposed-to-the-public/)? [Slack](https://cybernews.com/security/slack-admits-security-breach/)? [Trello](https://www.bleepingcomputer.com/news/security/trello-api-abused-to-link-email-addresses-to-15-million-accounts/)? [Confluence](https://techcrunch.com/2023/11/01/atlassian-urges-customers-to-take-immediate-action-to-protect-against-data-loss-security-bug/)? [Jira](https://www.bleepingcomputer.com/news/security/hellcat-hackers-go-on-a-worldwide-jira-hacking-spree/)? [Staples](https://fortune.com/2014/12/19/staples-cards-affected-breach/)? [LinkedIn](https://arstechnica.com/information-technology/2012/06/8-million-leaked-passwords-connected-to-linkedin/)? [Washington Post](https://www.pcmag.com/archive/june-hack-of-washington-post-netted-127m-user-account-details-266619)? Name a big tech-related company, and you can name a breach. Blocking websites because they have had a breach means blocking basically every website you'd want to use.

Reply

[-]

flunky_the_majestic@reddit (OP)

That's pretty much the point I brought up with them when they told me they blocked it because of the breach. Then they told me those companies have security policies published, so it's OK to keep them open.

Reply

[-]

Ssakaa@reddit

> Then they told me those companies have security policies published, so it's OK to keep them open. ... I'm intrigued on the policies they're referring to. https://archive.org/about/terms https://help.archive.org/help/internet-archive-access-policy/

Reply

[-]

Disastrous_Meal_4982@reddit

I wouldn’t block it because of security. I’d block it because of copyright infringement risk.

Reply

[-]

sannchit@reddit

Wait till they hear about Wikipedia 😛

Reply

[-]

cajunjoel@reddit

Apples and oranges. :)

Reply

[-]

Darketernal@reddit

Lots of orgs historically blocked it because it was a way to proxy to sites they shouldn’t be going to. Any modern firewall/content filter should be able to handle that though while allowing the legitimate usage.

Reply

[-]

Mindestiny@reddit

Yes, it is. Namely because it archives tons of greywear/malware sites, including copies of compromised executables. I've yet to run into an Enterprise site filtering solution that doesn't have it blocked by default for exactly this reason. Realistically the risks it opens up by being a repository for that stuff don't outweigh whatever business case end users would have for needing to access copies of old websites.

Reply

[-]

flunky_the_majestic@reddit (OP)

> Realistically the risks it opens up by being a repository for that stuff don't outweigh whatever business case end users would have for needing to access copies of old websites. Part of our work is to consult on policies and website content, which often refer to historical copies of documents that neither we nor the customer have.

Reply

[-]

mnvoronin@reddit

>which is officially a Federal Depository Library now Try to approach it from this angle. You work with government documents and it's a designated FDL.

Reply

[-]

Mindestiny@reddit

Then yes, you're one of the rare edge cases where archive.org provides tangible, meaningful business value :p That being said, yes, it's *also* still a legitimate threat. If you're going to unblock it, you should have bulletproof XDR in place, very hardened endpoints, and a strong packet inspection firewall in place beyond just rudimentary category based web filtering.

Reply

[-]

TheElectricCamel@reddit

It's blocked on a couple of our clients because staff were uploading company documents but making them private.... Until they didn't

Reply

[-]

borider22@reddit

thoughts can be dangerous

Reply

[-]

BasedTechnicalCat@reddit

Yes, it should be blocked as it can be used to host malicious content behind a reputable domain. Employees can also use it to circumvent web filtering solutions. Things like pastebin should also be blocked but that is a separate issue.

Reply

[-]

flunky_the_majestic@reddit (OP)

So, as stated elsewhere, the internet is basically wide open except for explicit threats due to the research nature of our work. archive.org is singled out because they had a breach once. That is the stated reason. If we want to download malware, we could find a way. That's what workstation security is for.

Reply

[-]

DrDan21@reddit

They block it at my org but more so as a pseudo proxy for accessing blocked sites Same with Google Translate

Reply

[-]

eufemiapiccio77@reddit

People use it for exfil also people store a lot of torrents and other files zip files etc on there could have malware etc

Reply

[-]

Recent_Perspective53@reddit

Used github once, not again, damn short attention span and malware

Reply

[-]

flunky_the_majestic@reddit (OP)

It sounds like you're not a software development shop.

Reply

[-]

Recent_Perspective53@reddit

No factory, just lost track of what I was doing

Reply

[-]

Phyxiis@reddit

Based on what you use it for in other comments, my initial thought is: these municipalities, etc should have the historical policies themselves. If they dont have a policy that they created or “the town next door” doesn’t have either, then these policies (or whatever you’re working on) should be recreated. I’m not sure I agree or disagree with your IT department, however they’ve apparently deemed it non critical to business functionality. It does open up your screen sharing method which is kind basically shadow IT and circumvents policy. Presumably there was some sort of managerial approval of the block. As far as others say Microsoft and others have had its share of breaches, that’s irrelevant if the business cannot function without those services. They’ve clearly identified MS breach as acceptable because of business functionality, whereas archive.org they have not deemed it as such. Just my thoughts

Reply

[-]

flunky_the_majestic@reddit (OP)

> these municipalities, etc should have the historical policies themselves. If they dont have a policy that they created or “the town next door” doesn’t have either, then these policies (or whatever you’re working on) should be recreated. We aren't creating policy here. We're working on content that is often affected by it, or needs to account for the ways policies or website content in the area have changed over time. We're just making sure the content we create is consistent with what has been done in the past. "Recreating policies" would be a making a huge project out of something that should be a 2 minute research project.

Reply

[-]

Bogus1989@reddit

maybe show the readouts of site on virustotal.com or alternatives to it. or find another archive site for enterprise that is a more secure alternative?

Reply

[-]

SirLoremIpsum@reddit

> I requested a review of the archive.org block policy. I brought up several products in our industry who have suffered breaches on par with archive.org. We can still access those sites, though. Just on this point - that's not good logic. "X is allegedly unsafe but we can access y sites that are the same level of unsafe. So all should be open" Is more of an argument for more blocking than less. > Our team has taken to using their own shadow IT hardware to circumvent this and other restrictions. I know you gotta do what you gotta do, but surely you can appreciate how annoying it is for everyone?? How many posts here are about disasters from random departments doing this to circumvent things.

Reply

[-]

flunky_the_majestic@reddit (OP)

> "X is allegedly unsafe but we can access y sites that are the same level of unsafe. So all should be open" But this isn't the argument. "Our filtering is purposefully permissive because we are required to perform a broad range of research. Archive.org, an important source for that research, is blocked because they couldn't hold up to a massive DDoS attack one time."

Reply

[-]

hops_on_hops@reddit

If you think you know better, then put in your application next time there's an opening in IT. Until then, you have received your response from the authority on this decision at your organization.

Reply

[-]

flunky_the_majestic@reddit (OP)

> If you think you know better, then put in your application next time there's an opening in IT. This would be a demotion.

Reply

[-]

Ihavefourknees@reddit

You would be wrong to do so. You're in the wrong for what you want. If you were in the trenches for as long as you say, then you'd appreciate that IT takes security very seriously. I would deny this request as well.

Reply

[-]

Dave_A480@reddit

I don't know that it's actually a threat to read. However it has archived a lot of commercial software of questionable provenance, including some virus-infected warez 'cracks' for said software's copy protection. Which can be a lifesaver if you, for example, have a perpetual license for the CS6 era Adobe stuff but lost your install media (the MD5 hashes for this particular software are commonly available, so it's possible to validate).... But perhaps not the best thing in an IT environment where end-users may try to install 'that' (I have no idea what your policies are in terms of user-admin-rights)....

Reply

[-]

404_GravitasNotFound@reddit

Care to share some MD5 in PM? Would make some friends happy (CS5 es their favorite before all the new cloud versions). Also, careful the company of cooked mud pushed Reddit to delete any content regarding high sea plundering of their mud creations

Reply

[-]

Dave_A480@reddit

The MD5s are easily available via google (IIRC even still found on official Adobe pages, also forums)...

Reply

[-]

Wonder_Weenis@reddit

I mean, it could pretty easily be used for exfil

Reply

[-]

flunky_the_majestic@reddit (OP)

Pastebin is wide open 🤷‍♂️

Reply

[-]

Secret_Account07@reddit

I could see the argument being made, technically I can say with almost certainty somewhere on archive.org is something compromising This is a stupid hill to die on. I guarantee your org has at least 500 more important threats/vulnerabilities that would be better spent with their time

Reply

[-]

illicITparameters@reddit

That’s personally a bit to extreme for my taste, but if asked to argue in favor of unblocking it, I’d decline.

Reply

[-]

BigChubs1@reddit

Same. Just computers get scanned more often

Reply

[-]

MagicBoyUK@reddit

It bypasses other content filtering is the issue. They might block really [reallynastyapplication.com](http://reallynastyapplication.com) , but if you can get all the files hosted there off [archive.org](http://archive.org) then it's a problem.

Reply

[-]

Total_Job29@reddit

Archive.org as in the way back machine archive.org Their breach was a pretty simple user creds. One of countless breaches. The team are idiots to be blocking it.

Reply

Reply to Post

134 Comments