Process DMCA request

This commit is contained in:
dmca-sync-bot 2023-03-22 18:24:03 +00:00
parent feee00cf06
commit 06acde09d9


@ -0,0 +1,91 @@
While GitHub did not find sufficient information to determine a valid anti-circumvention claim, we determined that this takedown notice contains other valid copyright claim(s).
---
**Are you the copyright holder or authorized to act on the copyright owner's behalf?**
Yes, I am the copyright holder.
**Are you submitting a revised DMCA notice after GitHub Trust & Safety requested you make changes to your original notice?**
No
**Does your claim involve content on GitHub or npm.js?**
GitHub
**Please describe the nature of your copyright ownership or authorization to act on the owner's behalf.**
To Whom It May Concern: It's come to our attention that two of our private [private] repositories were accessed via the Heroku/Salesforce data breach in April 2022 ([private]) and were subsequently published publicly by GitHub user [private] (https://github.com/bkirolos).
Is there a course of action we can take to prove we are the rightful owners of these code bases and have the stolen, cloned, and publicly posted repos removed from [private]'s account?
**Please provide a detailed description of the original copyrighted work that has allegedly been infringed. If possible, include a URL to where it is posted online.**
Two complete repositories which are the code bases for farmtopeople.com's custom frontend website (Vue/Nuxt) and proprietary API middleware (TypeScript). These two repositories were previously owned by Bean LA ([private]), a web development agency which Farm To People LLC contracts to build and maintain its tech stack. Since the date that the private repositories were hacked and publicly published, ownership of both repos has been transferred to [private] Organization Farm-To-People and they are now located here:
- [private]
- [private]
Evidence of Bean LA's ownership of the repos at the time is evidenced in the commit history of the publicly posted repos (e.g. [private]).
**What files should be taken down? Please provide URLs for each file, or if the entire repository, the repository's URL.**
https://github.com/bkirolos/farmtopeople-nuxt
https://github.com/bkirolos/farmtopeople-api
**Do you claim to have any technological measures in place to control access to your copyrighted content? Please see our <a href="https://docs.github.com/articles/guide-to-submitting-a-dmca-takedown-notice#complaints-about-anti-circumvention-technology">Complaints about Anti-Circumvention Technology</a> if you are unsure.**
Yes
**What technological measures do you have in place and how do they effectively control access to your copyrighted material?**
In this specific case, the OAuth token issued via [private] to Heroku.
Additional technological measures include listing the repositories as "Private" and having MFA enabled on accounts with access to those repositories.
**How is the accused project designed to circumvent your technological protection measures?**
See incident summary here: https://github.blog/2022-04-15-security-alert-stolen-oauth-user-tokens/
GitHub's analysis of the attacker's behavior reveals the following activities carried out on GitHub.com using stolen OAuth app tokens:
1. The attacker authenticated to the [private] API using the stolen OAuth tokens issued to Heroku and Travis CI.
2. For most people who had the affected Heroku or Travis CI OAuth apps authorized in their [private] accounts, the attacker listed all the user's organizations.
3. The attacker then selectively chose targets based on the listed organizations.
4. The attacker listed the private repositories for user accounts of interest.
5. The attacker then proceeded to clone some of those private repositories.
**<a href="https://docs.github.com/articles/dmca-takedown-policy#b-what-about-forks-or-whats-a-fork">Have you searched for any forks</a> of the allegedly infringing files or repositories? Each fork is a distinct repository and must be identified separately if you believe it is infringing and wish to have it taken down.**
Yes, no forks identified.
**Is the work licensed under an open source license?**
No
**What would be the best solution for the alleged infringement?**
Reported content must be removed
**Do you have the alleged infringer's contact information? If so, please provide it.**
[private]
[private]
**I have a good faith belief that use of the copyrighted materials described above on the infringing web pages is not authorized by the copyright owner, or its agent, or the law.**
**I have taken <a href="https://www.lumendatabase.org/topics/22">fair use</a> into consideration.**
**I swear, under penalty of perjury, that the information in this notification is accurate and that I am the copyright owner, or am authorized to act on behalf of the owner, of an exclusive right that is allegedly infringed.**
**I have read and understand GitHub's <a href="https://docs.github.com/articles/guide-to-submitting-a-dmca-takedown-notice/">Guide to Submitting a DMCA Takedown Notice</a>.**
**So that we can get back to you, please provide either your telephone number or physical address.**
[private] (Farm To People)
[private]
[private]
**Please type your full legal name below to sign this request.**
[private]