GSC has been hacked

(13/17)

Inge:
As a T with some F, I say that a twin *would* know if their twin was lying. Whether techie or artistic. And the liar would be finding it increasingly hard to look nonchalant as the pressure is maintained and the income of several people they are close to reduces as a result.

I have made the point that because Thomas has chosen to put on a bold face to the public and maintain he did nothing wrong in originally doxing members, it has *invited* suspicion of further, more heinous, acts that he probably did not commit. Had he put his hands up in the first place and said the doxing was a mistake, like Johan has, then although there would still be disdain for TSR as a paysite, we probably would not be thinking of Thomas as the devil incarnate right now.

The reason most sims sites get hacked is a combination of poor security and a person who has a grudge against the site owner. Everyone can take care of point 1; then 1000 devil Thomases with 1000 minion ATWAs working under their direct instruction can't touch you. A hacker to your sims site does you a favour. It teaches you about security before you make the same mistake with your company's website and lose a load of money. Part of that security is about vetting the people you entrust with privileges and info on the site - and this comes full circle back to TSR trusting unvetted FAs with admin-level information.

Johan:
Quote from: J. M. Pescado on 2010 January 15, 01:31:48

The forum could be hackable, but again, let's look at the motives and opportunities of people who would do such a thing.
1. Random Net Kiddies: Someone like this simply would not have the patience to try to puzzle out your arcane DB structure and extract passwords. An attacking script kiddy will deface your forum and move on to the next target.
2. Someone from the community: Assuming you postulate an anti-TSR activist doing this, one who is impulsive and disregards publicly-issued orders, would they honestly pass up an opportunity to simply vandalize your forum directly, or pass up the intelligence coup that being able to read your Secret Squirrel sections would be? Alternatively, if it is the work of an internal TSR faction, they would still be interested in your Secret Squirrelism.


Quote from: J. M. Pescado on 2010 January 15, 01:31:48

And so we come to the fact that community is just not that technically apt. And script kiddies don't operate this way, they go for quantity: Vandalize, move on.


A third option could be a combination: a 2 getting help from a 1.

Quote from: J. M. Pescado on 2010 January 15, 01:31:48

It is possible to crack a salted md5 password, given a sufficiently weak password and sufficient time. However, this is nontrivial in both computational expense and skill required, because you'd need to rig up a small cluster to be able to break unrelated passwords in reasonable time. And there are simply far better ways of doing so if you can acquire a hashed password off someone else's database (also, md5 is losing popularity as a cryptographic hash and software that uses it is becoming uncommon, as most now prefer SHA or others). Additionally, it does not address the fact that even IF they acquired the password elsewhere, they would not know that users were ALSO using them on TSR, and thus would not be able to selectively attack only TSR users, unless they were testing every compromised user on TSR first, which you would notice. While it is possible that the Buggybooz password was individually guessed, a password guessing attack would A: Leave evidence of previous login failures unless they managed to completely luck out and guess the first time, and B: Not repeatedly occur and correlate with people-who-happened-to-reuse-TSR-passwords. With that in mind, I am quite certain the passwords originate from the TSR database. As for HOW they originated from the TSR database, we've ruled out pretty much all the Johan-supported scenarios, on technical grounds, so unless you've got a new scenario to propose, we're running out of non-ugly ways to see this.


http://www.waraxe.us/forum-57.html
This is an example of where you could get information on how to crack a hashed password, find someone to crack it for you and even get help hacking a forum.

The main reason I don't want to write this scenario off completely is that we have had other events where someone has managed to log in on multiple FA accounts on TSR, being able to delete things.
We did not find out how that could have happened either, and it also supports the theory that passwords somehow leaked from the TSR database.
We changed passwords on those FA accounts to completely random ones to rule out the possibility that they could have been obtained elsewhere, and even after that some accounts were compromised.


Quote from: J. M. Pescado on 2010 January 15, 01:31:48

"The UK" is not really a meaningful location to fit things to, as many people come from that area, including, but not limited to, say, Atwa, IIRC.


Quote from: J. M. Pescado on 2010 January 15, 01:31:48

Unless said person were, say, from the UK. In truth, the Sherriesim detail doesn't really answer the question of where the passwords came from. It only tells us that the attacker who directly carried out the action was possibly not Thomas himself.


It's more specific than "The UK": at least one of the Sherriesim IPs comes from a Manchester ISP. Since this happened some time ago it might be hard to get more information about this now, but if some other site owner is willing to have a look in the logs we could perhaps shed even more light on this.
Indeed it does not answer the question of where the password came from, but it says something about who did it.

Quote from: J. M. Pescado on 2010 January 15, 01:31:48

YOU simply wouldn't believe it. And you're right: There's absolutely no logical gain to be had from such an act. Doesn't mean people, particularly artiste-types, don't frequently and consistently behave stupidly and illogically. As a computer tech, this idea is probably not something you really grok, but people are frequently very stupid, irrational, and short-sighted. This is why they buy insurance, lottery tickets, and crap some spammer shilled.


Assuming the following hackings on various sites would also be Thomas, that would amount to a level of stupidity I can't even begin to imagine, given the debacle the Buggybooz incident resulted in.
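Pescado's quoted point above is that an online guessing attack leaves a trail of failed logins before the success, while a first-try login from an unfamiliar IP across several accounts is what a leaked credential list looks like. The following is an editor's added example of that check, not code from anyone in this thread or from TSR; the log line format, the user names and the documentation-range IPs are all constructed for the demo.

```python
import re
from collections import defaultdict

# Line format is an assumption for this example; real forum software logs differ.
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) LOGIN (?P<result>OK|FAIL) user=(?P<user>\S+) ip=(?P<ip>\S+)$"
)

# Constructed sample log: invented users and documentation-range IPs, not data from any real site.
SAMPLE_LOG = """\
2010-01-14 22:01:03 LOGIN OK user=alice ip=192.0.2.10
2010-01-14 22:02:30 LOGIN OK user=carol ip=192.0.2.33
2010-01-14 22:05:11 LOGIN FAIL user=bob ip=203.0.113.7
2010-01-14 22:05:19 LOGIN FAIL user=bob ip=203.0.113.7
2010-01-14 22:05:27 LOGIN FAIL user=bob ip=203.0.113.7
2010-01-14 22:05:33 LOGIN FAIL user=bob ip=203.0.113.7
2010-01-14 22:05:40 LOGIN FAIL user=bob ip=203.0.113.7
2010-01-14 22:05:48 LOGIN OK user=bob ip=203.0.113.7
2010-01-15 01:12:02 LOGIN OK user=alice ip=198.51.100.20
2010-01-15 01:12:40 LOGIN OK user=carol ip=198.51.100.20
2010-01-15 09:30:00 LOGIN OK user=carol ip=192.0.2.33
"""


def parse(log_text):
    """Parse lines matching LINE_RE into dicts; unparseable lines are skipped."""
    return [m.groupdict() for m in map(LINE_RE.match, log_text.splitlines()) if m]


def classify_logins(log_text, guess_threshold=3):
    """Label every successful login.

    guessing              - at least guess_threshold failures on that account since its
                            last success: an online guessing attack leaves this trail.
    known-password-new-ip - zero failures, from an IP never seen on that account's earlier
                            successes: whoever logged in already had the password.
    normal                - anything else (first login ever, or a familiar IP).
    """
    findings = []
    fails_since_success = defaultdict(int)
    known_ips = defaultdict(set)
    for ev in parse(log_text):
        user, ip = ev["user"], ev["ip"]
        if ev["result"] == "FAIL":
            fails_since_success[user] += 1
            continue
        fails = fails_since_success[user]
        if fails >= guess_threshold:
            verdict = "guessing"
        elif fails == 0 and known_ips[user] and ip not in known_ips[user]:
            verdict = "known-password-new-ip"
        else:
            verdict = "normal"
        findings.append({"ts": ev["ts"], "user": user, "ip": ip,
                         "failures_before": fails, "verdict": verdict})
        fails_since_success[user] = 0
        known_ips[user].add(ip)
    return findings


def shared_source_ips(findings):
    """IPs that produced first-try logins on several different accounts.

    One account is just a user travelling; several unrelated accounts from one new
    IP with no failures is the signature of a credential list being worked through."""
    by_ip = defaultdict(set)
    for f in findings:
        if f["verdict"] == "known-password-new-ip":
            by_ip[f["ip"]].add(f["user"])
    return {ip: users for ip, users in by_ip.items() if len(users) > 1}


if __name__ == "__main__":
    found = classify_logins(SAMPLE_LOG)
    for f in found:
        print(f"{f['ts']} {f['user']:6} {f['ip']:14} fails={f['failures_before']} {f['verdict']}")
    print("shared:", shared_source_ips(found))
```

On the constructed log, bob's account shows the guessing trail (five failures, then success from the same IP), while alice and carol are both logged into first-try from one unfamiliar IP, which is the pattern that points at the password having been obtained elsewhere rather than guessed. The threshold and the "familiar IP" heuristic are deliberately simple; a real deployment would also look at account lockout, User-Agent and session data, which the thread does not discuss.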

J. M. Pescado:
Quote from: Johan on 2010 January 15, 08:45:23

http://www.waraxe.us/forum-57.html
This is an example of where you could get information on how to crack a hashed password, find someone to crack it for you and even get help hacking a forum.
Scriptkiddy site. Common, but of no real use. This misses one severe underlying difficulty: To get a HASHED password, you need to have access to the database the hashed password CAME from. You already admitted TSR didn't hash them, so getting access to the TSR database would have bypassed this problem to begin with. Conversely, if someone got a password from ELSEWHERE, they would not be able to know which ones are the same as TSR's, and therefore, would not be able to attack pretending the information came from TSR when it did not. Therefore, there are no plausible scenarios for this OTHER than the TSR-origin scenario. Can you think of a plausible origin in which someone could somehow acquire compromised passwords from a non-TSR source, and then make them look like they came from TSR without access to TSR itself? I can't. Even if the information could be gained from elsewhere, which is not likely, since you would need DB access there, too, there is no way to massage this information to then make it look like it came from TSR.

Quote from: Johan on 2010 January 15, 08:45:23

The main reason I don't want to write this scenario off completely is that we have had other events where someone has managed to log in on multiple FA accounts on TSR, being able to delete things.
I'm not sure which incidents you're referring to, but if you're talking about what I think you're talking about, I seem to recall incidents in which an actual FA decided to soup from TSR, and did this on their own. This act was then immediately written off as the work of "hackers" officially.

Quote from: Johan on 2010 January 15, 08:45:23

We did not find out how that could have happened either, and it also supports the theory that passwords somehow leaked from the TSR database.
We changed passwords on those FA accounts to completely random ones to rule out the possibility that they could have been obtained elsewhere, and even after that some accounts were compromised.
Alternatively, if we're talking about the same incident, or even a similar case, they COULD have simply bypassed the password change using the lost password recovery system, if they had access to the email, either because they actually *WERE* the user in question, only behaving in a manner that your staff didn't approve of by trying to leave, or because they had already hacked that particular user completely.

Quote from: Johan on 2010 January 15, 08:45:23

Assuming the following hackings on various sites would also be Thomas, that would amount to a level of stupidity I can't even begin to imagine, given the debacle the Buggybooz incident resulted in.
We have never specified that Thomas himself committed the hackings. In fact, this scenario seems unlikely. The more plausible scenario is that someone, possibly Thomas, possibly someone else, provided the agent who then proceeded to do this with the information needed to carry it out, and then turned them loose, disavowing any responsibility for their actions. While the Buggybooz incident turned out to be somewhat of a disaster, this may not even have been an intended outcome: It is possible that the original information was released for some other purpose, and, well, you can't put the genie back in the bottle.
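Two technical claims run through the exchange above: Pescado's quoted remark (in Johan's post) that a salted MD5 hash can be cracked offline given a weak enough password, and his reply here that credentials pulled from some other site's database could not be matched against TSR accounts without TSR's own data. The example below is added by the editor and is not code from TSR, Johan or Pescado; the hash layout md5(salt || password) is an assumption standing in for whatever legacy scheme a 2010 forum package used, and the wordlist and both "database dumps" are constructed.

```python
import hashlib
import os

# Constructed wordlist for the demo; a real attack would use a multi-million-entry list.
WORDLIST = ["password", "letmein", "sims2fan", "qwerty123", "dragon"]


def salted_md5(password, salt):
    """md5(salt || password), hex. The concatenation order is an assumption; the
    property that matters (salt stored in the clear next to the hash) holds for
    every such scheme."""
    return hashlib.md5(salt.encode() + password.encode()).hexdigest()


def make_record(username, password):
    """Store the hash the way a legacy forum package would: random salt kept beside it."""
    salt = os.urandom(4).hex()
    return {"user": username, "salt": salt, "hash": salted_md5(password, salt)}


def crack(record, wordlist):
    """Offline dictionary attack against one record. The salt defeats precomputed
    tables but costs the attacker only one md5 per candidate, so a weak password
    falls in microseconds; a password outside the list does not fall at all."""
    for candidate in wordlist:
        if salted_md5(candidate, record["salt"]) == record["hash"]:
            return candidate
    return None


def crack_db(db, wordlist):
    """Crack every record in a dump; None marks passwords the wordlist did not cover."""
    return {r["user"]: crack(r, wordlist) for r in db}


def identical_hashes(db_a, db_b):
    """Users whose stored hashes match byte-for-byte across two dumps.
    With per-user salts this is empty even when the passwords are the same."""
    hashes_b = {r["user"]: r["hash"] for r in db_b}
    return sorted(r["user"] for r in db_a if hashes_b.get(r["user"]) == r["hash"])


def correlate_reuse(db_a, db_b, wordlist):
    """Users who demonstrably reuse a password across both dumps. Because the raw
    hashes are incomparable, both sides must be cracked to plaintext first, which
    is exactly why a dump from elsewhere tells you nothing about TSR accounts
    unless you also hold TSR's hashes or test each password against TSR live."""
    plain_a = crack_db(db_a, wordlist)
    plain_b = crack_db(db_b, wordlist)
    return sorted(u for u, p in plain_a.items() if p is not None and p == plain_b.get(u))


def build_demo():
    """Two constructed dumps. alice and carol reuse their passwords; bob does not.
    carol's password is not in WORDLIST, so her reuse stays invisible to the attacker."""
    site_a = [make_record("alice", "sims2fan"),
              make_record("bob", "letmein"),
              make_record("carol", "Vx7#pQ9!lemonade")]
    site_b = [make_record("alice", "sims2fan"),
              make_record("bob", "M4rch-2010-forums"),
              make_record("carol", "Vx7#pQ9!lemonade")]
    return site_a, site_b


if __name__ == "__main__":
    a, b = build_demo()
    print("cracked site A:", crack_db(a, WORDLIST))
    print("same hash in both dumps:", identical_hashes(a, b))
    print("provable reuse:", correlate_reuse(a, b, WORDLIST))
```

Run as-is it cracks alice and bob on site A instantly, finds no hash that is identical across the two dumps, and can prove reuse only for alice: carol reuses too, but her password is not in the list, so the attacker never learns it. The cost of a real attack is wordlist size times number of accounts (the salt prevents amortising across accounts), which is why the outcome hinges on password strength rather than on the hash being MD5; today the fix on the defender's side is a deliberately slow hash such as bcrypt, scrypt or Argon2, not a faster SHA.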

Inge:
But Pescado, what you're not seeing is that TSR don't *want* these hacking attacks that could look like TSR-related-originated-assisted to happen as it is bad publicity.  So why would they do them?  It's not like they're getting rid of pirate content, as everyone knows the hacked site owner simply restores the site immediately.  The anti-TSR brigade have far more motive to be doing this - "false flag" you call it?

Soggy Fox:
It could just be that, intent aside, they're not as good at covering their tracks. If you've been forced to watch Smoking Gun Presents: World's Dumbest..., most people might think they are being clever, but really aren't.
