So.. Has Anandtech Been Hacked?


Crusty

Lifer
Sep 30, 2001
12,684
2
81
Wow. Alrighty then.

You are right about the MD5 being done client side, and that's absolutely retarded.

You do realize that is NOT the standard way of doing authentication right?

If you want to secure your data in transmission you use SSL, not hashing data using client side code.

edit: disabling javascript still lets you login and you pass your password in plaintext.

vb_login_username=crusty&vb_login_password=##########&s=&securitytoken=guest&do=login&vb_login_md5password=&vb_login_md5password_utf=

instead of

vb_login_username=crusty&vb_login_password=&s=&securitytoken=guest&do=login&vb_login_md5password=#####################################&vb_login_md5password_utf=


Honestly, neither one is good for one reason or the other. If SSL was being used we wouldn't even be having this discussion as there would be absolutely no reason to hash passwords client side.
 
Last edited:

yllus

Elite Member & Lifer
Aug 20, 2000
20,577
432
126
Wrong. How does that data get hashed without being on the webserver? You cannot rely on javascript to do any user side processing.

Actually he's right, if this install of vBulletin is a typical one.

If we accept that our accounts here aren't important enough to use SSL when the password information is passed from our computers to the forum server, the vBulletin method is this: when you hit submit after filling out your username and password in the login form, what actually happens is a JavaScript call to hash your password with MD5 and submit that, not your password. In this way you add a little bit more security in that your password is never transmitted in the clear (except when it's submitted the first time).

I should add that all of our passwords should be quite safe. Our e-mail addresses may not be so lucky.
 

Crusty

Lifer
Sep 30, 2001
12,684
2
81
Actually he's right, if this install of vBulletin is a typical one.

If we accept that our accounts here aren't important enough to use SSL when the password information is passed from our computers to the forum server, the vBulletin method is this: when you hit submit after filling out your username and password in the login form, what actually happens is a JavaScript call to hash your password with MD5 and submit that, not your password. In this way you add a little bit more security in that your password is never transmitted in the clear (except when it's submitted the first time).

I should add that all of our passwords should be quite safe. Our e-mail addresses may not be so lucky.

Read my post above, clarified some things and it looks like we both agree that the real solution is to use SSL. I was completely surprised to see javascript hashing my password as the only added benefit to having the hash done client side would be that if someone were to get a hold of it they could only use it to login to this site only.

However, that's kind of a moot point IMO, as if someone is in a position where they are capturing my network traffic my AT forums password is the least of my worries. I'd be more concerned with MITM attacks against my banking sites.
 
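The two request bodies Crusty posted (the no-JavaScript one carrying the password in the clear, and the JavaScript one carrying only an MD5) can be told apart mechanically. The following is an added example, not code from the thread or from vBulletin; the request bodies are constructed to match the field layout shown above, with a placeholder password instead of the masked values, and the client-side step is a plain MD5 of the password as yllus describes it.

```python
import hashlib
from urllib.parse import parse_qs

# Constructed request bodies with the same field names as the ones posted in the
# thread. "hunter2" is a placeholder, not anyone's real password.
SAMPLE_NOJS = ("vb_login_username=crusty&vb_login_password=hunter2&s=&securitytoken=guest"
               "&do=login&vb_login_md5password=&vb_login_md5password_utf=")
SAMPLE_JS = ("vb_login_username=crusty&vb_login_password=&s=&securitytoken=guest"
             "&do=login&vb_login_md5password=2ab96390c7dbe3439de74d0c9b0b1767"
             "&vb_login_md5password_utf=")


def vbulletin_client_hash(password: str) -> str:
    """What the login page's JavaScript does before submitting (unsalted MD5).

    The value is a fixed function of the password, so anyone who captures it
    can reuse it against this site, which is why the thread concludes that
    client-side hashing is no substitute for SSL.
    """
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def classify_login_body(body: str) -> str:
    """Return 'cleartext', 'md5', 'both' or 'none' for a vBulletin login POST.

    Useful when reviewing captured HTTP traffic or proxy logs: any 'cleartext'
    result over plain HTTP means a password crossed the wire unprotected.
    """
    fields = parse_qs(body, keep_blank_values=True)
    plain = fields.get("vb_login_password", [""])[0]
    hashed = fields.get("vb_login_md5password", [""])[0]
    # A genuine MD5 digest is exactly 32 hex characters.
    looks_md5 = len(hashed) == 32 and all(c in "0123456789abcdef" for c in hashed.lower())
    if plain and looks_md5:
        return "both"
    if plain:
        return "cleartext"
    if looks_md5:
        return "md5"
    return "none"


if __name__ == "__main__":
    for label, body in (("no JavaScript", SAMPLE_NOJS), ("JavaScript", SAMPLE_JS)):
        print(f"{label}: {classify_login_body(body)}")
```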

Terabyte

Diamond Member
Dec 19, 1999
3,876
0
71
Has anyone else been getting spam emails about a Citi Sears credit card? I've been getting them recently :twisted:
 

BuckMaster

Diamond Member
Oct 9, 1999
3,260
0
0
So much for my only account that didn't get spam e-mails every day till today! Thanks Anandtech!
 

lxskllr

No Lifer
Nov 30, 2004
57,662
7,894
126
You have quite the imagination. Do you mind interpreting one more time for the answer in this thread about the broken search engine: http://forums.anandtech.com/showthread.php?t=2029178 which only leads to a thread about more people bitching about the broken search engine?

That was a mostly non-informative answer, but Gillbot was pointing out other people with the same problem which would indicate that it isn't immediately fixable, and there's nothing wrong with cesthree's setup :^)
 

Triumph

Lifer
Oct 9, 1999
15,031
13
81
I noticed something odd about the way that the email from the forum admins was worded. It reminded me of the mannerisms of a certain regular poster here. Here is the text of the email I received:

Draglift.com

Is a site that lets you Watch Movies and TV Shows online for Free.

No clutterness, no lag,

Watch over 27 movies,

and lots of TV Shows.

Notice any similarities between that writing and style and that, of our very own.....Sandorski!?!?!

http://forums.anandtech.com/showthread.php?t=312128

Go out and do that Job and Live there without Air Con then. Don't come mumbling to me when you get Heat Stroke.

They are not performing cushy Office Jobs all day, but spending most of their time out in the sun. They probably use those Homes for recouping during breaks even(possibly). Plus they are for whole families, likely far from any facility with AirCon, Rivers or Bodies of water, and other opportunities to cool down.

Much of California's Agricultural areas are Desert or near Desert. People didn't perform those Activities in those locations for 250,000 years. It is not a Luxury, it is a necessity.
 

Gillbot

Lifer
Jan 11, 2001
28,830
17
81
That was a mostly non-informative answer, but Gillbot was pointing out other people with the same problem which would indicate that it isn't immediately fixable, and there's nothing wrong with cesthree's setup :^)

In the manually populated FS/FT field, you can manually enter the REMOVE portion as it's a simple text field. See my profile for an example.

Your profile email however doesn't seem to be as safe as my account was compromised. Sadly, I was NOT smart enough to use a different password until now. Lesson learned I guess. Luckily, here and that email were the only shared ones that really matter to me.
 

guyver01

Lifer
Sep 25, 2000
22,151
5
61
I noticed something odd about the way that the email from the forum admins was worded. It reminded me of the mannerisms of a certain regular poster here. Here is the text of the email I received:



Notice any similarities between that writing and style and that, of our very own.....Sandorski!?!?!

So.. you're saying either one of the following:
(1) Sandorski hacked Anandtech
(2) Sandorski writes like a Chinese gold farmer (WoW reference)

I'm gonna vote... #2
 

Fear No Evil

Diamond Member
Nov 14, 2008
5,922
0
0
It does seem pretty unprofessional at the top of the forum like that. Keep the wit to the posts themselves..
 