Topic: Info about the recent attack - page 7. (Read 52527 times)

sr. member
Activity: 420
Merit: 250
September 12, 2011, 05:45:22 AM
my suspicion psy is that they move the site so the original site can be worked on.. fixed, maybe upgraded... while everyone is able to talk here :p then once the old server is back up, working how it should.. merge the database back in, possibly convert to a new forum type (there are a lot of conversion tools out there)

legendary
Activity: 1358
Merit: 1002
September 12, 2011, 05:32:38 AM
I just don't understand why the forum needed to be moved to a new server if the fuckin exploit was on the forum script and not on the server, but i guess that's how shit is managed around here...
sr. member
Activity: 256
Merit: 250
September 12, 2011, 05:26:52 AM
Well, those are the bruteforce cracking speeds for the most popular forum engines' password hashes on AMD Radeon HD6870:

IPB/MyBB: ~500M/s
vBulletin: 700M/s (older versions with short salts) - 512M/s (newer versions with 30-byte salt).
SMF: 980M/s

Those are bruteforce speeds, single-hash, using my own software. oclHashcat has nearly the same speeds, +/- 1-2%. 

Note that since those are salted hashes, speeds are proportional to the number of hashes. E.g. cracking two IPB hashes would run at 250M/s, cracking 1000 IPB hashes would run at 500K/s.

Bruteforcing thousands of salted hashes is not very practical. However, with dictionary and rule-based attacks, things are kinda different. And long passwords are not necessarily strong ones.

P.S. I did not mention phpbb3 as I haven't implemented it yet, but I can make projections about speed (as it is iterated MD5 in fact) - it should be about 3M/s on 6870 which is significantly slower. PHPBB3's password hashing is much better as compared to IPB/vBulletin/SMF in fact.
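Added example, not code from any poster in this thread: it implements the SMF-style scheme described above (SHA-1 over the lowercase username followed by the password, so the salt is public and deterministic) beside an iterated, randomly salted scheme (PBKDF2-HMAC-SHA256 is used here as a stand-in for the "iterated" design the post credits phpBB3 with; the iteration count is an assumption for the example), and measures how much more each single guess costs under the iterated scheme. The defender's takeaway is the one the thread circles around: a known salt still defeats a shared lookup table, but only iteration makes each guess expensive.

```python
import hashlib
import hmac
import os
import time

# Assumption for this example; not a value taken from SMF or phpBB.
PBKDF2_ITERATIONS = 50_000


def smf_style_hash(username: str, password: str) -> str:
    """SMF-style hash as described in the thread: SHA-1 over the lowercase
    username followed by the password. The 'salt' is the username, so it is
    public, deterministic, and identical wherever the same scheme is used."""
    return hashlib.sha1((username.lower() + password).encode("utf-8")).hexdigest()


def smf_verify(username: str, password: str, stored_hex: str) -> bool:
    """Constant-time comparison against a stored SMF-style hex digest."""
    return hmac.compare_digest(smf_style_hash(username, password), stored_hex)


def pbkdf2_record(password: str, salt: bytes = None) -> tuple:
    """Iterated, randomly salted alternative. Returns (salt, derived_key);
    the random salt is generated per record when none is supplied."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, dk


def pbkdf2_verify(password: str, salt: bytes, expected: bytes) -> bool:
    """Re-derive with the stored salt and compare in constant time."""
    _, dk = pbkdf2_record(password, salt)
    return hmac.compare_digest(dk, expected)


def guesses_per_second(check, n: int) -> float:
    """Time n candidate verifications against one stored record."""
    t0 = time.perf_counter()
    for i in range(n):
        check(f"candidate-{i}")  # constructed wrong guesses
    return n / (time.perf_counter() - t0)


def cost_ratio(username: str = "alice", n_fast: int = 2000, n_slow: int = 5) -> float:
    """How many times more expensive one guess is under the iterated scheme
    than under the SMF-style scheme, measured on this machine."""
    stored_smf = smf_style_hash(username, "correct horse")
    salt, stored_dk = pbkdf2_record("correct horse")
    fast = guesses_per_second(lambda g: smf_verify(username, g, stored_smf), n_fast)
    slow = guesses_per_second(lambda g: pbkdf2_verify(g, salt, stored_dk), n_slow)
    return fast / slow


if __name__ == "__main__":
    # Same user + password gives the same hash regardless of username case,
    # and a second deployment of the same scheme would produce it too.
    print(smf_style_hash("Alice", "hunter2") == smf_style_hash("alice", "hunter2"))
    # Two PBKDF2 records for the same password differ because the salt is random.
    print(pbkdf2_record("hunter2")[1] != pbkdf2_record("hunter2")[1])
    print(f"iterated scheme costs ~{cost_ratio():.0f}x more per guess")
```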
legendary
Activity: 1218
Merit: 1000
September 12, 2011, 02:42:56 AM
funny, I don't use php ready made software (the open in open source doesn't stand for open for the right folks and I'm no lego maker.) and still a "full featured forum" falls under the easy category. My "medium difficulty" cat starts at FB and hard when things like socket_listen() come to the scene.
full member
Activity: 176
Merit: 100
September 12, 2011, 02:11:36 AM
Quote
what your saying is stupid on all kinds of levels. any and all information should be shared in any and all forms of communications. you trying to hid information that others could use to increase security elsewhere might not make it to where it needs to be, all because you thought you were helping.
I stopped taking you seriously at that "your" part, but continued to read through your self-perpetuated lack of capitalization* just for entertainment value. And for similar entertainment value, I figure I should tell you that it would've been just as effective, and much less damaging, to have just left out the part about "how the passwords are stored" and just cut to the "if your password is this long" part. There was absolutely no benefit to blurting out exactly how the passwords are stored.

* - that is, "what does it matter to me what some idiot forum noob thinks about my spelling" / "i don't need to be in grammer class whenever i go onlien, fukk you" / "i feel like relaying my low mood and chronic depression through the use of nocaps" / "I Swear i could write Proper Grammar when I need too, I don't need some Stupid forum troll telling me what too do!"

Quote
Srsly?
So, in short. You belong to the crowd who believe your own non-vetted coding to be vastly superior to the joint work of others, when it comes to writing secure online software, yet you have no idea what salt is or why it's used?
Salting basically changes the original value and the comparison value with a known figure so the hashes can't be referenced to a lookup table, and so they can't be broken without knowing the salt value. Oh wait, we know the salt value now. Haha, that was easy™.

Again, with the big exclamation of, "Everyone lock your doors, they might have gotten a copy of the KEY TO THE KINGDOM! *attachment: high-res picture of key to the kingdom.jpg*"
hero member
Activity: 530
Merit: 500
September 12, 2011, 12:32:46 AM
Quote
Srsly?

So, in short. You belong to the crowd who believe your own non-vetted coding to be vastly superior to the joint work of others, when it comes to writing secure online software, yet you have no idea what salt is or why it's used?

Your posts contain nothing of value.
sr. member
Activity: 350
Merit: 251
September 11, 2011, 11:04:31 PM
Quote
Wait, my head exploded when I read this line:
SMF hashes passwords with SHA-1 and salts the hash with your (lowercase) username. This is unfortunately not an incredibly secure way of hashing passwords.

F... fucking... REALLY?! No, no, not what it's saying, but... that you're actually SAYING THIS? It's like, let's see here, some clown sneaks onto a military base and puts on some kind of demonstration in middle of a road there. Ouch, that's embarrassing. But in the official response, they say...
"Well, we only have one guard stationed at the gate between 4am and 8am, and the rest of the time there are 2 guards except during their lunch break at 12pm and 1pm. And one of them really likes F-16s and is easily distracted by the launches."

WHAT THE FUCK KIND OF SECURITY RESPONSE IS THAT?! What user needs to know those intricate details?

Harm versus Benefit analysis. Assume, for example, that the script kiddie(s) responsible for the hack weren't thinking of stealing any passwords. They just wanted to make some lulz. In the process, they got the passing idea to back up the database. They came, they lul'd, they left, watching the aftermath (server shut down for what, almost 2 days?). Now they come along and see that post, and say "OH WOW! I DIDN'T EVEN THINK TO CHECK THE PASSWORDS, LOL, BUT THIS MORON JUST GAVE US THE KINGDOM FOR FREE!". No Googling necessary... in fact, it PROMOTES the idea of curiously trying this theory on their backup database they stole for the lulz. Sure enough, it reveals some admin password, "penis" (which would TYPICALLY be too short to use, but with this lack of security... who knows!). O LOL WOW, IT WORKS, LETS CRACK ALL THESE PASSWORDS WITH OUR MINING GPUs

Srsly?

what your saying is stupid on all kinds of levels. any and all information should be shared in any and all forms of communications. you trying to hid information that others could use to increase security elsewhere might not make it to where it needs to be, all because you thought you were helping.
hero member
Activity: 686
Merit: 500
Shame on everything; regret nothing.
September 11, 2011, 11:03:03 PM
For what it's worth, my .02 BTC is:

My login/pass still work, there hasn't been any unauthorized use of my login/pass, and this place is still my go-to (atm) for info on mining.  Thanks to the admins and owners/operators for everything they do here; personally I TRULY fucking appreciate it.

I just want to throw out a special thanks to jondecker76 for his one on one help.

I truly believe in a world-changing potential for crypto-currencies, especially BTC, and now my faith in the surrounding community is becoming about as strong.
full member
Activity: 176
Merit: 100
September 11, 2011, 10:56:07 PM
Wait, my head exploded when I read this line:
Quote
SMF hashes passwords with SHA-1 and salts the hash with your (lowercase) username. This is unfortunately not an incredibly secure way of hashing passwords.

F... fucking... REALLY?! No, no, not what it's saying, but... that you're actually SAYING THIS? It's like, let's see here, some clown sneaks onto a military base and puts on some kind of demonstration in middle of a road there. Ouch, that's embarrassing. But in the official response, they say...
"Well, we only have one guard stationed at the gate between 4am and 8am, and the rest of the time there are 2 guards except during their lunch break at 12pm and 1pm. And one of them really likes F-16s and is easily distracted by the launches."

WHAT THE FUCK KIND OF SECURITY RESPONSE IS THAT?! What user needs to know those intricate details?

Harm versus Benefit analysis. Assume, for example, that the script kiddie(s) responsible for the hack weren't thinking of stealing any passwords. They just wanted to make some lulz. In the process, they got the passing idea to back up the database. They came, they lul'd, they left, watching the aftermath (server shut down for what, almost 2 days?). Now they come along and see that post, and say "OH WOW! I DIDN'T EVEN THINK TO CHECK THE PASSWORDS, LOL, BUT THIS MORON JUST GAVE US THE KINGDOM FOR FREE!". No Googling necessary... in fact, it PROMOTES the idea of curiously trying this theory on their backup database they stole for the lulz. Sure enough, it reveals some admin password, "penis" (which would TYPICALLY be too short to use, but with this lack of security... who knows!). O LOL WOW, IT WORKS, LETS CRACK ALL THESE PASSWORDS WITH OUR MINING GPUs

Srsly?
newbie
Activity: 17
Merit: 0
September 11, 2011, 10:41:26 PM
Quote
The more I read this thread, the more pissed off I get as the complete mismanagement of this forum and especially the utterly piss poor handling of this incident.  No, we don't expect to be incident free 100% of the time (though that should be the goal), but when there is an incident, how you handle it during and after the crises is just as important as what you do to prevent it in the first place. On both accounts, the before and after, it has been utter and complete fail.  Please stop the cycle of failure.  If you aren't ready or prepared to take steps right now to solve the issues, let someone who is handle it.    Stop damaging the credibility of Bitcoin.

Considering that the forum is comprised of 30% pro/anti-bitcoin trolls, and that the moderators seem to be incapable of doing anything but moving critical threads to off-topic, I'm not at all surprised that the administrators are failing as well.  This place is rotten from the ground up.  I know what a pain updating old software can be.  I also know that it's part of the fucking job.  And now it seems the reins have been handed over to MtGox, who has yet to respond to the obvious problems with his own product today.  How many more shitty pieces of software is the Bitcoin going to have to use before people realize that anything Bitcoin-related is a giant target?  If you can't be bothered to fix the obvious holes I'd rather you don't even bother at all.
full member
Activity: 176
Merit: 100
September 11, 2011, 10:35:38 PM
Heh, well, now that my attention's been brought to this post (whatever dimwit is responsible for keying it in):
Quote
So, you don't like this phpBB fork and want another... well... phpBB fork? 

forums are somewhat easy to code, I don't see nothing wrong with this one, just cover the security holes and double check before "add components or features" (usually the mother of all holes to exploit).

Lulz are necessary. Forums are somewhat easy to code? I invite you to look at this page:
http://hostfile.org/viewtopic.php?id=148
As you take a look around at that rather eyesore-tastic, yet somehow very zippy-loading, website... keep this in mind: I wrote that whole thing, with the exception of the BBcode engine that turns a smiley into a graphic, or a URL into a link, but the entire layout/structure/function/etc., that's all hand-crafted in Notepad++. The forum is built on the comments engine, which is tied into the rest of the site. It hasn't yet been "hacked" in all its 4-5 years of running. Of course, given the topic, it also hasn't been very popular, either (hence the "Oh that's right, none of my projects ever got this big, but they also never got hacked" thing). And I still invite someone to try "hacking" it. Good f'ing luck. One thing you won't find in a single line of my code is the potential for an SQL injection exploit. Cheap, first-grade-coding shit there. I even made a function alias for mysql_real_escape_string, since I used it so often and didn't want to type the whole thing out every time.

But lemme tell you: building those systems was a bitch. Even a forum as dumb-basic as that, is a bitch to code. Simple? Yeah, it's easy as hell to take a distribution package of some forum software, and drop its archive onto your server and set it up (hey, admins? yeah, it's really easy to upgrade. that's our point). That's because the programmers MADE it easy to install. Writing it in the first place? Not easy.
legendary
Activity: 1260
Merit: 1000
September 11, 2011, 10:10:56 PM
Quote
for christ's sake,

Why the f**k are we still using the same exact - the same HACKED - version of the forum software?

I was pissed when I saw the forum come back online and saw we're still on the same version. So I posted, "why the hell are we still using the same version?". And nothing was said. Now, again, I ask, why the f**k are we still using the same version?!

First, use KeePass or something. I don't have to worry about changing my password since this is the only site that gibberish password is used on. Anyone worried about security oughtta do the same.

Second, WHAT THE HELL IT IS NOT THAT HARD TO UPGRADE TO A NEW VERSION OF SMF. This old legacy version of SMF isn't even available to download anymore. What the hell. My head hurts thinking about how unfathomably irresponsible that is.

Third, did I read back a few pages ago that you're looking for some web admin help? Here. Right here. This is me e-raising my hand. Am I a little douchy in this "volunteering" process? Fuck yeah I am, but what experienced sysadmin would NOT be pissed as they watch a popular forum flail its arms in catastrophic misery? It's the "Why wasn't I there? Oh that's right, none of my projects ever got this big, but they also never got hacked" effect. Take it or leave it.

But do something about it. I really don't want to F5 this page and see someone belching up some manufactured excuse/response, and still see the same version-banner at the bottom. That'll just go to prove how immature Bitcoin admins/techs are... oh, what's that falling over there? Price of Bitcoin. Steve Jobs resigned as CEO of Apple. Apple stock fell like a rock. Did Apple do anything tangibly wrong? No, their fucking CEO resigned. You see how related-but-technically-unrelated things affect prices? Why do you think these Cosby clowns attacked the site? derp.

This.

Pretty much what I was thinking but didn't want to come out and say.  I have been advocating for months for a new forum software and nothing has been done.  Reading over the first post and subsequent posts I see that it's because of a lack of technical knowledge, not some other deep seated and ill-thought out need to keep with forum software developed over a half decade ago.  

I've also volunteered my services and also web hosting for the forums.  I don't particularly want to admin the forums, but if it's a choice between continuing with SMF and me having to do it, I would choose me having to do it.  Or FalconFour, or someone else technically inclined.  Whatever... just stop using this shitty piece of software and harden your web server.

The more I read this thread, the more pissed off I get at the complete mismanagement of this forum and especially the utterly piss poor handling of this incident.  No, we don't expect to be incident free 100% of the time (though that should be the goal), but when there is an incident, how you handle it during and after the crises is just as important as what you do to prevent it in the first place. On both accounts, the before and after, it has been utter and complete fail.  Please stop the cycle of failure.  If you aren't ready or prepared to take steps right now to solve the issues, let someone who is handle it.    

Engaging Mark, with the complete mess and incredibly poor handling of his own hacking incident at MtGox is also so incredibly questionable as to be almost mind boggling.  It would be like hiring the Sony security team to head up your security.  Why would you do that?  MtGox and Sony have both shown they can't handle security before a crisis and are unable to handle it during or after a crisis, so you hire them to... handle security?!  Wait, what?

Stop making the, quite literally, worst decision that is possible to make short of giving out your passwords publicly. Stop damaging the credibility of Bitcoin. 
newbie
Activity: 19
Merit: 0
September 11, 2011, 09:58:34 PM
Good to know! Thanks theymos!
full member
Activity: 176
Merit: 100
September 11, 2011, 09:46:11 PM
for christ's sake,

Why the f**k are we still using the same exact - the same HACKED - version of the forum software?

I was pissed when I saw the forum come back online and saw we're still on the same version. So I posted, "why the hell are we still using the same version?". And nothing was said. Now, again, I ask, why the f**k are we still using the same version?!

First, use KeePass or something. I don't have to worry about changing my password since this is the only site that gibberish password is used on. Anyone worried about security oughtta do the same.

Second, WHAT THE HELL IT IS NOT THAT HARD TO UPGRADE TO A NEW VERSION OF SMF. This old legacy version of SMF isn't even available to download anymore. What the hell. My head hurts thinking about how unfathomably irresponsible that is.

Third, did I read back a few pages ago that you're looking for some web admin help? Here. Right here. This is me e-raising my hand. Am I a little douchy in this "volunteering" process? Fuck yeah I am, but what experienced sysadmin would NOT be pissed as they watch a popular forum flail its arms in catastrophic misery? It's the "Why wasn't I there? Oh that's right, none of my projects ever got this big, but they also never got hacked" effect. Take it or leave it.

But do something about it. I really don't want to F5 this page and see someone belching up some manufactured excuse/response, and still see the same version-banner at the bottom. That'll just go to prove how immature Bitcoin admins/techs are... oh, what's that falling over there? Price of Bitcoin. Steve Jobs resigned as CEO of Apple. Apple stock fell like a rock. Did Apple do anything tangibly wrong? No, their fucking CEO resigned. You see how related-but-technically-unrelated things affect prices? Why do you think these Cosby clowns attacked the site? derp.
hero member
Activity: 770
Merit: 502
September 11, 2011, 09:03:33 PM
Yea, the LastPass application encrypts your passwords before they leave your PC to be stored online through SSL, and decrypts them on your PC.

Only you, who have the master password, can access your passwords. Even if somehow someone gained access to your password database, it is encrypted.

There is also that thought: if your PC has a keylogger, well, you're screwed for not securing your PC correctly/properly.
hero member
Activity: 530
Merit: 500
September 11, 2011, 08:54:34 PM
Quote
but SHOULD NOT generate or store that password on lastpass.com or ANY third-party password service.  Use of such a service is placing the security of your information in the hands of a third party.  That's NUTs.

First study how LastPass works, then post. They don't hold your passwords. They cannot retrieve them.

Quote
Can someone explain to me how/why lastpass.com is better than your browser's password store? I use pwgen to generate seriously crazy passwords for each individual site and let my browser remember the passwords. Nobody has access to my computer except me, and even when they do, it's through their own account.

Your browser store is at risk of being easily broken into by a client side web browser exploit.

I'll just repeat what so many have already posted: Use LastPass. Generate a new 12+ char password for each site you use. Sleep well.
legendary
Activity: 3066
Merit: 1145
The revolution will be monetized!
September 11, 2011, 08:45:18 PM
Thank you theymos for bringing this to our attention. Since there is no practical way to guarantee security, it's nice that you keep us in the loop.
legendary
Activity: 1218
Merit: 1000
September 11, 2011, 08:17:12 PM
Quote
Can we please, please stop using this ultra crappy forum software?  It's horrible from every single standpoint, security included.  Please upgrade to a modern piece of software.  This junk from the early part last decade has REALLY got to go.


So, you don't like this phpBB fork and want another... well... phpBB fork?

forums are somewhat easy to code, I don't see nothing wrong with this one, just cover the security holes and double check before "add components or features" (usually the mother of all holes to exploit).
legendary
Activity: 1260
Merit: 1000
September 11, 2011, 08:07:05 PM
Can we please, please stop using this ultra crappy forum software?  It's horrible from every single standpoint, security included.  Please upgrade to a modern piece of software.  This junk from the early part last decade has REALLY got to go.
legendary
Activity: 1218
Merit: 1000
September 11, 2011, 08:02:37 PM
Quote
no but the framework is better for handling fuck-ups.

Coders don't use frameworks, Lego makers do. It "speeds up «development»" (yeah, right! Put some pieces of Lego together is now called "developing"... go figure!) but nags hardly performance by loading interpreters filled up with "resources" (which you normally will not even be using 1%).
Still, Python is somewhat better than the mother of all framework fuck ups so far; Java.

And obviously you have more bugs found on PHP applications than anything else, PHP has 76.9% of the dynamic web content share... that's like saying there're more car accidents than motorcycle accidents, no wonder, there're way more cars on the road than motorcycles!

Quote from: W3C (http://w3techs.com/technologies/details/pl-php/all/all)
PHP is used by 76.9% of all the websites whose server-side programming language we know.