Read October 20, 2009, 01:21:21 AM #0
Rocinante

So, uh.. what happened?

As some of you have heard, there was a data breach on the tremulous.net forums.  Now that we have all of the details, we would like to share what happened with the members of the forum.  If you don't want to read everything, then just go change your password and call it a day :>

Some time ago - when tremulous.net was hosted with Sourceforge - someone got a copy of the database through a vulnerability with their servers.  This included information from phpbb2, such as the table of private messages and most importantly the user list, including all of the hashed passwords.  Since many of the passwords were fairly weak, consisting of dictionary words with or without some minor obfuscation, it would not have taken long for many accounts to be compromised, and in fact the number is just under 1400.

Archangel/Solar/Inaki was in possession of this database dump and cracked passwords on Saturday evening, when he used it to login as Khalsa, remove his own ban information, and promote himself to having an avatar before logging out and back in as himself.  He then posted a new thread proclaiming how he was unfairly banned.

We quickly realized that something was amiss when none of the moderators or developers who were online knew anything about Archangel being unbanned.  I surmised that perhaps an admin's account was used in the break-in, and Khalsa quickly confirmed it was his own.  While in the process of cleaning things up, it became apparent that at least one other user's account was being used without their permission, and it was decided to lock down the forums until we could gather more details and come up with a plan for bringing everything back safely.

During the course of Sunday, the events of the previous day became known to us and the extent of the breach was revealed.  Unfortunately SMF has no way for us to force password changes on every user, but we did what could be done - let all users know that their password could be compromised, and they should change it.  This is always sound advice after a break-in of any kind, even though there are certain circumstances under which you would be perfectly safe from this breach.  But rather than cloud the good advice with dates and statistics, it's easier to say "change your password - and if you used that password elsewhere, go there and change it too, preferably not to what you just set here."

What has happened now?  Archangel has been banned again, and has agreed that he'll not be coming back - in part of his own free will this time.  Everyone with administrative access (and many without) has already changed their password, and we all highly recommend that you do too - if we could force that to happen, we would.  If you have questions about the breach, we'll try to answer them as best we can.  Do note that regardless of your feelings about the original ban of Archangel, the fact remains that what he did since then is over and above what would be considered a bannable offense, so ideas entertaining the notion of reversing his ban will likely just be deleted.

EDIT: Forgot to link to the passwords topic I wrote yesterday, which could be of general interest to people wondering about how passwords and hashes and whatnot work and how they can be compromised.
« Last Edit: October 20, 2009, 01:27:53 AM by Rocinante »

}MG{Mercenaries Guild
"On my ship, the Rocinante, wheeling through the galaxies, headed for the heart of Cygnus, headlong into mystery." -- Rush, "Cygnus X-1"
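The post above describes the mechanics of the breach: phpBB2 stored passwords as unsalted MD5 digests, and weak choices (dictionary words "with or without some minor obfuscation") fell quickly once the table leaked. The following is an added example, not code from the forum, phpBB or SMF, showing why: a small dictionary attack with case, leet and suffix rules against a constructed user table, and the same attack against per-user-salted PBKDF2 records. All usernames, passwords and the wordlist below are made up for the example; none of it is the leaked data.

```python
"""Dictionary attack against an unsalted-MD5 user table (phpBB2's storage
format) versus per-user-salted, iterated hashes. Added example; the table
and wordlist are constructed, not the leaked dump."""
import hashlib
import os


def phpbb2_hash(password: str) -> str:
    """phpBB2 stored user_password as a plain, unsalted MD5 hex digest."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


# Constructed sample table: hypothetical users, hashes computed right here.
USERS = {
    "alpha":   phpbb2_hash("dragon"),
    "bravo":   phpbb2_hash("Dragon1"),
    "charlie": phpbb2_hash("tremulous!"),
    "delta":   phpbb2_hash("p@ssword"),
    "echo":    phpbb2_hash("Xk7#qzL2mN9v"),  # random-looking; should survive
}

# Constructed wordlist; a real attack uses a list with millions of entries.
WORDLIST = ["password", "dragon", "tremulous", "letmein", "monkey"]

LEET = {"a": "@", "e": "3", "i": "1", "o": "0", "s": "$"}
SUFFIXES = ["", "1", "!", "123", "2009"]


def mangle(word: str):
    """Yield the cheap 'obfuscations' people apply to a dictionary word:
    a case change, one leet substitution, a short suffix."""
    seen = set()
    for base in (word.lower(), word.capitalize(), word.upper()):
        stems = [base] + [base.replace(c, r) for c, r in LEET.items() if c in base]
        for stem in stems:
            for suffix in SUFFIXES:
                cand = stem + suffix
                if cand not in seen:
                    seen.add(cand)
                    yield cand


def crack_unsalted(users: dict, wordlist: list):
    """Without a salt, identical passwords give identical digests, so one
    MD5 per candidate is checked against every user at once."""
    by_hash = {}
    for name, digest in users.items():
        by_hash.setdefault(digest, []).append(name)
    cracked, hashes_computed = {}, 0
    for word in wordlist:
        for cand in mangle(word):
            hashes_computed += 1
            for name in by_hash.get(phpbb2_hash(cand), []):
                cracked[name] = cand
    return cracked, hashes_computed


def pbkdf2_store(password: str, iterations: int = 100_000) -> tuple:
    """Random per-user salt plus an iterated hash; returns (salt, digest)."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, digest


def crack_salted(users: dict, wordlist: list, iterations: int):
    """Same rules against salted records: each candidate must be hashed once
    per user, and every hash costs `iterations` rounds instead of one MD5."""
    cracked, hashes_computed = {}, 0
    for word in wordlist:
        for cand in mangle(word):
            for name, (salt, digest) in users.items():
                hashes_computed += 1
                got = hashlib.pbkdf2_hmac("sha256", cand.encode("utf-8"), salt, iterations)
                if got == digest:
                    cracked[name] = cand
    return cracked, hashes_computed


if __name__ == "__main__":
    found, n = crack_unsalted(USERS, WORDLIST)
    print(f"unsalted MD5: {len(found)}/{len(USERS)} cracked with {n} hashes: {found}")
    rounds = 2_000  # low for the demo; real deployments use far more
    salted = {"alpha": pbkdf2_store("dragon", rounds),
              "echo": pbkdf2_store("Xk7#qzL2mN9v", rounds)}
    found, n = crack_salted(salted, WORDLIST, rounds)
    print(f"salted PBKDF2: {len(found)}/{len(salted)} cracked with {n} hashes "
          f"of {rounds} rounds each: {found}")
```

The weak passwords still fall to the salted scheme; what changes is the price. Against the unsalted table the attacker pays one fast hash per candidate for the whole user list, against salted records one slow hash per candidate per user, which is what makes "just under 1400" accounts from one dump plausible in the first case and expensive in the second. None of this helps a password that is itself a dictionary word, which is why the advice to change it stands regardless.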
 
Read October 20, 2009, 02:33:16 AM #1
your face

Re: So, uh.. what happened?

Thanks for the info!

Quote from: Rocinante
He then posted a new thread proclaiming how he was unfairly banned.

Then how was it fair?

Also, what was it about Yarou haxing Ozzy's account?



i'm having probles with my back port it lets me acses tremulous but wen i pusk play it kicks me and the consel ses that it's not a sertan kinda file wat do i do??
 
Read October 20, 2009, 02:56:14 AM #2
Nate

Re: So, uh.. what happened?

From my source, I heard that Archangel had given his cracked passwords out to many people, Yarou being one of them, and then Yarou got into Ozzy's AIM and blah blah..

Archangel is a dumbass, 'nuff said.


 
Read October 21, 2009, 06:13:19 AM #3
n.o.s.brain

Re: So, uh.. what happened?

One question:
Why wasn't anyone notified, or didn't anyone change their passwords when the original breach in the SourceForge hosting occurred some time ago?  Was no one aware it had even been breached?

Also, could one of the mods explain why inaki/archangel was permbanned in the first place?  I know he got a 1 week ban for posting this post.  I apologize if he did some other perm-ban worthy offence I am not aware of.

Quote from: your face
Thanks for the info!

Quote from: Rocinante
He then posted a new thread proclaiming how he was unfairly banned.

Then how was it fair?
I don't think Rocinante said it was fair...  of course, now he is fairly banned...
« Last Edit: October 21, 2009, 06:28:14 AM by n.o.s.brain »


My Radiant Tutorials
The Dreaded Third-Race Mod : UNVANQUISHED.NET
Proudly NOT a console or subscription/micropayment gamer.
 
Read October 21, 2009, 09:18:53 AM #4
KamikOzzy

Re: So, uh.. what happened?

If you're wondering about me, as word is around already:

Yeah, my account was the other one used on this forum, by Yarou, who did in fact obtain my password from Inaki.

Like a dumbass, I had my AIM password set the same, and he chilled all day on my AIM account.

I had a couple other, well yeah, important things set to the same password, including the AA forums, but Yarou was in it for the lulz and left his damages with Tremulous, rather than going after some of my more sensitive accounts.

Learn from my mistake: Use a password manager, and a different pass for every site you visit. Regularly update passwords (if Khalsa and I weren't using our same pass from 4 years ago we might have avoided trouble). Don't pick a dictionary fuckin word and slap a number on it. Random strings and shit, or at least misspellings.

At day's end, Inaki got to stand on his soapbox for a minute, Yarou got to pull his power trip, and nobody received any real damages (other than one laaaate night of stress on the MG IRC), so gg guys, a valuable lesson to all of us.


|AoD|Ozzyshka at your service.
Still using Windows XP and still playing 1.1
click this: http://cornersrocks.shop-pro.jp/?pid=16232798
 
Read October 21, 2009, 12:40:39 PM #5
Rocinante

Re: So, uh.. what happened?

Quote from: n.o.s.brain
One question:
Why wasn't anyone notified, or didn't anyone change their passwords when the original breach in the SourceForge hosting occurred some time ago?  Was no one aware it had even been breached?

Nobody here was made aware of it, correct.

Quote from: n.o.s.brain
Also, could one of the mods explain why inaki/archangel was permbanned in the first place?  I know he got a 1 week ban for posting this post.  I apologize if he did some other perm-ban worthy offence I am not aware of.

That was not the first time he'd been banned for such advice; the original ban was extended.


}MG{Mercenaries Guild
"On my ship, the Rocinante, wheeling through the galaxies, headed for the heart of Cygnus, headlong into mystery." -- Rush, "Cygnus X-1"
 
Read October 21, 2009, 06:11:54 PM #6
benmachine

Re: So, uh.. what happened?

Quote from: Rocinante
That was not the first time he'd been banned for such advice; the original ban was extended.

To clarify, I placed the original week ban because I didn't know (or remember) he'd done it before; it was then pointed out that it wasn't a first offence so we agreed to extend it. I didn't at the time think this particularly worth commenting on in the original thread; in retrospect it probably was.


}MG{benmachine
 
Read October 24, 2009, 01:11:20 PM #7
The 11th plague of Egypt

Re: So, uh.. what happened?

So, how the hell do I change my password ?
 
Read October 24, 2009, 01:18:18 PM #8
tuple

Re: So, uh.. what happened?

Upper right, "Quick Links" go to account settings.

Not a bad time to double check your email address and set a security question too :)


 
Read October 24, 2009, 01:26:06 PM #9
The 11th plague of Egypt

Re: So, uh.. what happened?

Thanks. I was searching for a profile button next to the logout one, I thought the Quick links was something else.
 
Read October 24, 2009, 06:49:49 PM #10
Bissig

Re: So, uh.. what happened?

Actually I would disregard Tuple's post and NOT set a security question.

I worked at the support department of a German webmail company and most hacked accounts got hacked through stupid/too easy security questions. Actually, as I changed my password, I was surprised to find that kind of alternative login tool still available in modern web software.

Lost password emails and one time login passwords should be the only valid way of re-authenticating lost logins.
 
Read October 25, 2009, 06:54:17 PM #11
marcuswargo

Re: So, uh.. what happened?

I'd set a question like, "What's my religion???" but the answer is totally unrelated to the question being asked. If it lets you type your own question and you can't think of one, I'd just type, "What's my password?" but that might cause problems if YOU need to know your own answer, but hey, you got it written down somewhere, right?


 
Read October 25, 2009, 08:48:19 PM #12
Bissig

Re: So, uh.. what happened?

Quote from: marcuswargo
I'd set a question like, "What's my religion???" but the answer is totally unrelated to the question being asked. If it lets you type your own question and you can't think of one, I'd just type, "What's my password?" but that might cause problems if YOU need to know your own answer, but hey, you got it written down somewhere, right?

You will forget that the answer is different or what answer it is. Because if you didn't you wouldn't need the question. So, an unanswerable question does not solve anything.
 
Read October 25, 2009, 09:10:53 PM #13
Plague Bringer

Re: So, uh.. what happened?

Quote from: Bissig
You will forget that the answer is different or what answer it is. Because if you didn't you wouldn't need the question. So, an unanswerable question does not solve anything.
+1

My old security answer for Blizzard was my 16 digit library card number. The question was "what is the name of your first pet".

Needless to say, I was pretty confused for a bit.


Quote from: Firstinaction
suck less dick u skunkface
LOL I love/hate how easily we all get offensive around here. This really has to be the worst forum ever for getting along with people
 