GSC has been hacked


Johan:
Quote from: J. M. Pescado on 2010 January 13, 19:05:45

I have not seen anything "made up" except theories. Certainly there has been no fabrication of actual EVIDENCE. And everyone is entitled to crackpot theories, after all. Sometimes they're even right.

You don't have to look further than her latest post on PMBD:

Quote from: coconut on PMBD date=1263296840

TSR stores password history, and despite what Team Johan tells you, it is NOT encrypted.

Two made up statements right there:
TSR doesn't store password history at all. Unless Coconut is one of the owners this is information she can't possibly know.
Team Johan was some drivel she posted earlier in that thread about my postings on PMBD and here would be some kind of team effort from TSR. Again presented as a fact, not a theory.

Quote from: J. M. Pescado on 2010 January 13, 19:05:45

Which incriminating evidence? I haven't seen any "claims".

I was under the impression Coconut had evidence of the petition showing up at TSR, possibly with some involvement of Atwa. That's what I heard when asking if we should just take Coconut's word for what happened, IIRC.

Quote from: J. M. Pescado on 2010 January 13, 19:05:45

I fail to see how that is meaningful. Any number of reasons could cause items to be added to a computerized download basket. Technical glitches, misclicks, or he could simply have forgotten. This happens all the time.

Sure, all of that is theoretically possible. It is also possible that someone used his account to download stuff and thus knew the password. That could also explain how other passwords could have been obtained if the perpetrator logged in to our admin area as Thomas.

Quote from: J. M. Pescado on 2010 January 13, 19:05:45

Well, TSR's code is nonstandard. It's not an off-the-shelf component, and as such, is largely immune to attack by common script-kiddies. That means you're going to need some degree of actual wizardry to find and use an exploit. Let us postulate that such a event occurred and resulted in this outside party acquiring your DB. Why, then, is this same party using the access they have gained from it in such an inept, hamfisted way that is utterly inconsistent with anything a wizard would do? Wizards do not concern themselves with anything as boring and drudgerous as manually deleting posts off a site thread by thread. That would be stupid. A wizard would just drop the entire database in a single command. Or steal it and leave silently, without anything to indicate that something was amiss. That is how a wizard would operate. Given that this behavior is completely inconsistent with a wizard, and NO wizard would EVER do such a thing, we must consider the only other alternate hypothesis: An administrative user did so.

Having an in-house system is a double-edged sword. It's pretty much immune to public exploits on the application level, but the security of it is only as good as the knowledge in security possessed by its developers, which would be me and Per.
I'd like to think I have a pretty good understanding of it, but I am by no means a wizard and neither is Per. Part of the codebase is more than 10 years old, and during the time period of the hackings we were maintaining the old system while working on stabilizing the new one. Stupid mistakes could very well have led to weak security in some parts of it all.

Again, we actually don't _know_ that the password came from the TSR database to begin with, you just find it likely based on how you interpret the circumstances.

Quote from: J. M. Pescado on 2010 January 13, 19:05:45

You may very well be right. Maybe they don't have the knowledge to perform such an operation without leaving a trace...and guess what? They didn't. From your own testimony, big, fat, sloppy traces were left everywhere. Not traces solid enough to prove that one of them specifically did it, for whoever did it DID try to cover their tracks, but clearly, enough to reveal that one of them DID do it.

A trace back to Thomas that I would recognize is what I meant. He certainly wouldn't be able to leave a trace going to sherrisim, which is what we see here.
I believe that trace is genuine and not a cover up.

Quote from: J. M. Pescado on 2010 January 13, 19:05:45

And yet you are left with a conundrum: You agree that TSR owners are the only ones with access to the member database. Yet, information from that database was leaked. Obviously, one of these must be false: Either TSR owners are not the only ones with access to the database, or you don't know how they REALLY think and operate.

I lean towards either someone had access to the database (via our admin system), a security breach or that the password didn't come from TSR.

Quote from: J. M. Pescado on 2010 January 13, 19:05:45

I, on the other hand, know security. I know that in order to accomplish such a thing WITHOUT authorized access to the database, one would have to be a wizard. This individual would have to have a decent understanding of PHP and SQL injection. He would have to understand this subject matter enough that he could devise his own attacks, for TSR is not stock code and cannot be attacked by script-kiddy methods. Having thus the ABILITY to gain access to the DB, he would then need to know exactly what to look for in the DB, and then, having found that information, he would need a motive and opportunity to USE it. Now, I know wizards. Wizards are very tight with the information they illicitly gain. They do not squander it casually, especially when it is so hard-won, and certainly are not inclined to allow mere hoi polloi to play with it, especially not in such a clumsy and amateurish fashion. So I argue that it is clear a wizard did not do this. Do you dispute this argument?

No, I don't think it was a wizard either; the other scenarios I mentioned earlier would be much more likely.
So there, we agree on something at least.

Since you're moving stuff to Sweden, perhaps I can offer some server space in our racks? ;)

Johan:
Quote from: Inge on 2010 January 13, 21:39:15

Johan, the screenshots of the chat I saw where artists were being given details of some users it was Steve with them, I am sure.  This was a chat not a forum.

Not sure what chat that might have been then; I was referring to the forum thread that Coconut got screenshots of.
Steve was not actively harvesting pirates there IIRC though he might have posted in the thread.

J. M. Pescado:
Quote from: Johan on 2010 January 13, 22:09:00

Having an in-house system is a double-edged sword. It's pretty much immune to public exploits on the application level, but the security of it is only as good as the knowledge in security possessed by its developers, which would be me and Per.
Yes, but to even penetrate BAD security requires a level of understanding comparable to the people who wrote it, or better. Working from the assumption that you are not grossly incompetent, it therefore requires that someone be at LEAST as good as you to penetrate security effectively: As TSR's systems are all nonstandard, someone doing this would be entirely guessing about your database and directory structure, meaning we're dealing with blind PHP/SQL injection. Not exactly a topic that people in the community are terribly familiar with. The entry barrier to such an act combined with the limited pool of technical talent makes this scenario highly unlikely. Someone external to the community on the other hand, could possess the skills necessary to do this, but then would be devoid of community knowledge, so could not effectively exploit this information to attack along political lines as we have seen, nor would they have the motive to do such a thing. An attacker like this would just deface your website and move on. We haven't seen this, so this scenario, also, is highly unlikely.

Quote from: Johan on 2010 January 13, 22:09:00

Again, we actually don't _know_ that the password came from the TSR database to begin with, you just find it likely based on how you interpret the circumstances.
Well, if it did not come from TSR, where did it come from? You already admitted that TSR stored passwords in the clear, readable to anyone with even the bare minimum of database knowledge, providing they could gain access to it. Many of the attacked victims have admitted that they used their TSR password. A few cases are unconfirmed, but we have not had anyone categorically deny it. If the passwords did not come from TSR, where did they come from? The only other site with that kind of broad reach would be MTS2. But MTS2 is running vBulletin, a system that hashes passwords by default. It is possible that it was altered not to do so, but to pursue this line of reasoning would be to directly accuse Delphy of doing this instead. That does not seem like a particularly reasonable scenario given that Delphy has absolutely no motive for such a thing and has intentionally attempted to remain as neutral as possible on the issue. Therefore, I cannot conceive of any other scenario in which passwords which all coincidentally happen to be shared with TSR accounts could come to be compromised without the source being at TSR. Can you? Even if a third-party source were to acquire these passwords by an independent, non-TSR-related means, how would they know the passwords were shared with TSR so that they could selectively attack only those accounts?

Quote from: Johan on 2010 January 13, 22:09:00

A trace back to Thomas that I would recognize is what I meant. He certainly wouldn't be able to leave a trace going to sherrisim, which is what we see here.
I believe that trace is genuine and not a cover up.
We don't really know if there is a trace going to Sherriesim. All we know is that Sherriesim was one of the accounts accessed through that proxy with that particular useragent. Numerous highly plausible scenarios present themselves:
1. Sherriesim's account was among those compromised. As the original owner is apparently deceased, this cannot be verified either way.
2. The useragent, seemingly unique, is actually falsified as a part of using the proxy service. This is trivial and common. As a known public proxy service, as opposed to private or misconfigured proxies, such a practice would be quite common and independent usage by Sherriesim would not be surprising.
So yes, I believe the information you traced is probably genuine. However, it is also meaningless. The same proxy IP used over an extended duration by seemingly unrelated people is merely evidence that it is a public proxy service, which we knew.

Quote from: Johan on 2010 January 13, 22:09:00

I lean towards either someone had access to the database (via our admin system), a security breach or that the password didn't come from TSR.
Well, of these three scenarios, two appear highly unlikely for the reasons described above. While anything is certainly POSSIBLE, the latter two are unlikely for technical reasons, whereas the first has no particular technical barrier rendering it unlikely: The only reason it is unlikely is because of a computer technician's reading of people. Computer technicians are not exactly known for their great people-reading skills.

Quote from: Johan on 2010 January 13, 22:09:00

No, I don't think it was a wizard either; the other scenarios I mentioned earlier would be much more likely.
So there, we agree on something at least.
You mentioned two alternate scenarios: That an unauthorized user hacked TSR and stole the information from TSR, or that the information did not come from TSR, but was manipulated to LOOK like it did. Both of them involve wizardry: Either someone managed to break security by their own efforts, using technical knowledge to do so, or someone created an elaborate phishing trap to steal information about TSR users without compromising the database, a work which would require a fair level of technical knowledge, as they would need to conduct a man-in-the-middle attack or hijack your DNS, AND create a convincing mock-up of TSR. After this display of technical wizardry, the attacker would then proceed to hack unrelated forums and manually delete posts thread by thread. This makes about as much sense as a terrorist acquiring a nuclear device, removing the detonation charge, and then using the conventional explosive as a suicide bomb.

But you just said you don't believe a wizard did it, either!

Johan:
Quote from: J. M. Pescado on 2010 January 14, 08:17:28

Yes, but to even penetrate BAD security requires a level of understanding comparable to the people who wrote it, or better. Working from the assumption that you are not grossly incompetent, it therefore requires that someone be at LEAST as good as you to penetrate security effectively: As TSR's systems are all nonstandard, someone doing this would be entirely guessing about your database and directory structure, meaning we're dealing with blind PHP/SQL injection. Not exactly a topic that people in the community are terribly familiar with. The entry barrier to such an act combined with the limited pool of technical talent makes this scenario highly unlikely. Someone external to the community on the other hand, could possess the skills necessary to do this, but then would be devoid of community knowledge, so could not effectively exploit this information to attack along political lines as we have seen, nor would they have the motive to do such a thing. An attacker like this would just deface your website and move on. We haven't seen this, so this scenario, also, is highly unlikely.


Those are good points; finding vulnerabilities in a non-stock system requires a lot more than Google skills, so yes, not likely.
It would be relatively more likely that our forum got hacked, which is a pretty much standard vBulletin install.
The way we integrate it with TSR is that when you sign up on TSR a forum user is added using the same method the forum itself would use had you signed up using the stock install.

I don't find it likely someone within the community would have the skills required for such an attack either, but there are lots of places on the net where script kiddies with egos that need feeding gladly help.

Quote from: J. M. Pescado on 2010 January 14, 08:17:28

Well, if it did not come from TSR, where did it come from? You already admitted that TSR stored passwords in the clear, readable to anyone with even the bare minimum of database knowledge, providing they could gain access to it. Many of the attacked victims have admitted that they used their TSR password. A few cases are unconfirmed, but we have not had anyone categorically deny it. If the passwords did not come from TSR, where did they come from? The only other site with that kind of broad reach would be MTS2. But MTS2 is running vBulletin, a system that hashes passwords by default. It is possible that it was altered not to do so, but to pursue this line of reasoning would be to directly accuse Delphy of doing this instead. That does not seem like a particularly reasonable scenario given that Delphy has absolutely no motive for such a thing and has intentionally attempted to remain as neutral as possible on the issue. Therefore, I cannot conceive of any other scenario in which passwords which all coincidentally happen to be shared with TSR accounts could come to be compromised without the source being at TSR. Can you? Even if a third-party source were to acquire these passwords by an independent, non-TSR-related means, how would they know the passwords were shared with TSR so that they could selectively attack only those accounts?

Hashed passwords (in this case md5 + salt) are not immune to decoding. Google it if you're in doubt.
Buggy's password was even of the sort you could have guessed and got lucky.

Quote from: J. M. Pescado on 2010 January 14, 08:17:28

We don't really know if there is a trace going to Sherriesim. All we know is that Sherriesim was one of the accounts accessed through that proxy with that particular useragent. Numerous highly plausible scenarios present themselves:
1. Sherriesim's account was among those compromised. As the original owner is apparently deceased, this cannot be verified either way.
2. The useragent, seemingly unique, is actually falsified as a part of using the proxy service. This is trivial and common. As a known public proxy service, as opposed to private or misconfigured proxies, such a practice would be quite common and independent usage by Sherriesim would not be surprising.
So yes, I believe the information you traced is probably genuine. However, it is also meaningless. The same proxy IP used over an extended duration by seemingly unrelated people is merely evidence that it is a public proxy service, which we knew.

In response to those scenarios:
#1 We also know that the Sherriesim account was accessed through a non-proxy IP with that particular useragent.
This is a significant detail. The origin of that IP fits with Sherriesim's location AFAIK.

Thomas or someone acting on his behalf would not be able to fake that.
Without this detail I would have agreed with your conclusion.

#2 The information about this particular user agent was not revealed until after the events took place.
The useragent string matched very few logins on TSR and MTS so it's not at all common within the community.
If any other community site would be interested to dig further into this, I can post what useragent and IP (non-proxied) to look for.

Quote from: J. M. Pescado on 2010 January 14, 08:17:28

Well, of these three scenarios, two appear highly unlikely for the reasons described above. While anything is certainly POSSIBLE, the latter two are unlikely for technical reasons, whereas the first has no particular technical barrier rendering it unlikely: The only reason it is unlikely is because of a computer technician's reading of people. Computer technicians are not exactly known for their great people-reading skills.

I don't think I have any special skills reading people, but I can usually tell if Thomas is lying to me; it's probably not very unusual within family.

I simply don't believe the passwords were willingly handed out by Thomas, for many reasons but mostly because I know him very well.
There would be absolutely no gain for him and/or TSR to have someone hack Buggy's account on MTS.

You might think he's stupid, evil, greedy and whatever else his reputation says he is, and therefore you find it plausible or even likely he did it.
I know what he really is like, and although I don't always agree with his ways, it's really not _that_ bad.
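
Johan's point rests on correlating login records: which accounts were reached through the known public proxy with one rare user agent, and whether any of those accounts was also reached from a non-proxy address with that same user agent. The following Python is an added illustration, not code from the thread or from TSR; every log line, account name, IP (RFC 5737 documentation ranges) and user agent string in it is constructed. It also counts how many unrelated user agents share the proxy, which is Pescado's "it's just a public proxy" observation.

```python
"""Login-log correlation: proxy usage, a specific user agent, and non-proxy
overlap. All sample data below is constructed for the example."""
from collections import defaultdict
from typing import Dict, List, NamedTuple, Set

# Constructed sample login records: "timestamp|site|account|ip|user-agent"
SAMPLE_LOG = """\
2010-01-05T20:11:02|TSR|sherriesim|198.51.100.7|Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; Win 9x 4.90)
2010-01-06T09:42:10|MTS|buggybooz|203.0.113.44|Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; Win 9x 4.90)
2010-01-06T09:50:31|MTS|plumbob|203.0.113.44|Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; Win 9x 4.90)
2010-01-06T18:03:55|TSR|sherriesim|203.0.113.44|Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; Win 9x 4.90)
2010-01-07T12:15:00|MTS|delphy|192.0.2.9|Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) Firefox/3.5.7
2010-01-07T13:40:12|MTS|pescado|203.0.113.44|Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) Firefox/3.5.7
"""

# Constructed: address of a known public proxy service (assumption for the example)
KNOWN_PUBLIC_PROXIES: Set[str] = {"203.0.113.44"}
# Constructed: the "rare" user agent under discussion
SUSPECT_UA = "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; Win 9x 4.90)"


class Login(NamedTuple):
    ts: str
    site: str
    account: str
    ip: str
    ua: str


def parse_log(text: str) -> List[Login]:
    """Split each pipe-delimited line into a Login; skip blank or malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.split("|", 4)
        if len(parts) == 5:
            records.append(Login(*parts))
    return records


def correlate(records: List[Login], ua: str, proxies: Set[str]) -> Dict[str, object]:
    """Return which accounts used `ua` via a proxy, which used it from a direct
    address, the overlap between the two, and how shared the proxy itself is."""
    via_proxy = defaultdict(set)   # account -> proxy IPs seen with this UA
    direct = defaultdict(set)      # account -> non-proxy IPs seen with this UA
    proxy_uas = set()              # distinct UAs seen on the proxy at all
    for r in records:
        if r.ip in proxies:
            proxy_uas.add(r.ua)
        if r.ua != ua:
            continue
        bucket = via_proxy if r.ip in proxies else direct
        bucket[r.account].add(r.ip)
    ua_accounts = set(via_proxy) | set(direct)
    all_accounts = {r.account for r in records}
    return {
        "ua_accounts": sorted(ua_accounts),
        # fraction of all accounts that ever used this UA: low means "rare"
        "ua_share": len(ua_accounts) / len(all_accounts),
        "via_proxy": {a: sorted(ips) for a, ips in via_proxy.items()},
        # the significant detail: same UA, same account, but from a non-proxy IP
        "proxy_and_direct": {a: sorted(direct[a]) for a in via_proxy if a in direct},
        # many distinct UAs on one IP is what a shared public proxy looks like
        "proxy_distinct_uas": len(proxy_uas),
    }


def analyze(text: str = SAMPLE_LOG, ua: str = SUSPECT_UA,
            proxies: Set[str] = KNOWN_PUBLIC_PROXIES) -> Dict[str, object]:
    return correlate(parse_log(text), ua, proxies)


if __name__ == "__main__":
    for key, value in analyze().items():
        print(f"{key}: {value}")
```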

J. M. Pescado:
Quote from: Johan on 2010 January 15, 01:11:13

It would be relatively more likely that our forum got hacked, which is a pretty much standard vBulletin install.
The way we integrate it with TSR is that when you sign up on TSR a forum user is added using the same method the forum itself would use had you signed up using the stock install.
The forum could be hackable, but again, let's look at the motives and opportunities of people who would do such a thing.
1. Random Net Kiddies: Someone like this simply would not have the patience to try to puzzle out your arcane DB structure and extract passwords. An attacking script kiddy will deface your forum and move onto the next target.
2. Someone from the community: Assuming you postulate an anti-TSR activist doing this, one who is impulsive and disregards publicly-issued orders, would they honestly pass up an opportunity to simply vandalize your forum directly, or pass up the intelligence coup that being able to read your Secret Squirrel sections would be? Alternatively, if it is the work of an internal TSR faction, they would still be interested in your Secret Squirrelism.

Quote from: Johan on 2010 January 15, 01:11:13

I don't find it likely someone within the community would have the skills required for such an attack either, but there are lots of places on the net where script kiddies with egos that need feeding gladly help.
And so we come to the fact that community is just not that technically apt. And script kiddies don't operate this way, they go for quantity: Vandalize, move on.

Quote from: Johan on 2010 January 15, 01:11:13

Hashed passwords (in this case md5 + salt) are not immune to decoding. Google it if you're in doubt.
Buggy's password was even of the sort you could have guessed and got lucky.
It is possible to crack a salted md5 password, given a sufficiently weak password and sufficient time. However, this is nontrivial in both computational expense and skill required, because you'd need to rig up a small cluster to be able to break unrelated passwords in reasonable time. And there are simply far better ways of doing so if you can acquire a hashed password off someone else's database (also, md5 is losing popularity as a cryptographic hash and software that uses it is becoming uncommon, as most now prefer SHA or others). Additionally, it does not address the fact that even IF they acquired the password elsewhere, they would not know that users were ALSO using them on TSR, and thus would not be able to selectively attack only TSR users, unless they were testing every compromised user on TSR first, which you would notice. While it is possible that the Buggybooz password was individually guessed, a password guessing attack would A: Leave evidence of previous login failures unless they managed to completely luck out and guess the first time, and B: Not repeatedly occur and correlate with people-who-happened-to-reuse-TSR-passwords. With that in mind, I am quite certain the passwords originate from the TSR database. As for HOW they originated from the TSR database, we've ruled out pretty much all the Johan-supported scenarios, on technical grounds, so unless you've got a new scenario to propose, we're running out of non-ugly ways to see this.

Quote from: Johan on 2010 January 15, 01:11:13

In response to those scenarios:
#1 We also know that the Sherriesim account was accessed through a non-proxy IP with that particular useragent.
This is a significant detail. The origin of that IP fits with Sherriesim's location AFAIK.
"The UK" is not really a meaningful location to fit things to, as many people come from that area, including, but not limited to, say, Atwa, IIRC.

Quote from: Johan on 2010 January 15, 01:11:13

Thomas or someone acting on his behalf would not be able to fake that.
Without this detail I would have agreed with your conclusion.
Unless said person were, say, from the UK. In truth, the Sherriesim detail doesn't really answer the question of where the passwords came from. It only tells us that the attacker who directly carried out the action was possibly not Thomas himself.

Quote from: Johan on 2010 January 15, 01:11:13

I don't think I have any special skills reading people, but I can usually tell if Thomas is lying to me; it's probably not very unusual within family.
Quote from: Johan on 2010 January 15, 01:11:13

You might think he's stupid, evil, greedy and whatever else his reputation says he is, and therefore you find it plausible or even likely he did it.
I know what he really is like, and although I don't always agree with his ways, it's really not _that_ bad.
Fair enough, but that leaves unaddressed the question of who did it. Either Thomas is not showing any signs of lying because he genuinely believes what he told you is true, perhaps because you asked the wrong questions or he misunderstood the question or the acts, or someone else did it. Both could be entirely plausible.

Quote from: Johan on 2010 January 15, 01:11:13

I simply don't believe the passwords were willingly handed out by Thomas, for many reasons but mostly because I know him very well.
There would be absolutely no gain for him and/or TSR to have someone hack Buggy's account on MTS.
YOU simply wouldn't believe it. And you're right: There's absolutely no logical gain to be had from such an act. Doesn't mean people, particularly artiste-types, don't frequently and consistently behave stupidly and illogically. As a computer tech, this idea is probably not something you really grok, but people are frequently very stupid, irrational, and short-sighted. This is why they buy insurance, lottery tickets, and crap some spammer shilled.
