Apple Now Including Unique Identifiers for In App Purchase Receipts to Combat Hack




MacRumors
Jul 18, 2012, 01:49 PM

Following last week's launch of a hack (http://www.macrumors.com/2012/07/13/hacker-releases-tools-for-bypassing-apples-in-app-purchase-mechanism/) that allowed users to obtain In App Purchase content free of charge by routing their purchase requests through a server run by a Russian hacker, Apple began taking steps (http://www.macrumors.com/2012/07/16/apple-fighting-back-against-in-app-purchase-hack-but-service-still-operational/) to thwart the method. The hacker has, however, continued to develop his method to skirt around Apple's roadblocks.

One of the suggestions for a method by which Apple could improve the security of In App Purchasing was to include a unique identifier in validation receipts, and we've received word that developers are now seeing something along those lines coming from receipts issued by Apple since late yesterday. The receipts carry a new field called "unique_identifier" that appears to include the Unique Device Identifier (UDID) for the device making the In App Purchase.

As one developer noted to us, apps are no longer supposed to be collecting the UDID (http://www.macrumors.com/2012/03/25/apple-begins-rejecting-apps-for-using-the-unique-device-identifier-udid/) and thus it is unclear whether Apple's use of the identifier for this purpose is simply a first step toward a broader implementation of unique receipt identifiers for increased security or if Apple is attempting to identify those users and devices who are sharing their receipts with the Russian hacker to allow the method to function.

Article Link: Apple Now Including Unique Identifiers for In App Purchase Receipts to Combat Hack (http://www.macrumors.com/2012/07/18/apple-now-including-unique-identifiers-for-in-app-purchase-receipts-to-combat-hack/)



Rudy69
Jul 18, 2012, 01:52 PM
As one developer noted to us, apps are no longer supposed to be collecting the UDID and thus it is unclear whether Apple's use of the identifier for this purpose is simply a first step toward a broader implementation of unique receipt identifiers for increased security or if Apple is attempting to identify those users and devices who are sharing their receipts with the Russian hacker to allow the method to function.
They might allow developers to use it to check if the purchase is valid. There's a huge difference between that and developers using it to track users and possibly logging these IDs on their own servers

Nabby
Jul 18, 2012, 01:53 PM
How will this impact those of us that have an iPad and an iPhone? Will we be required to pay for the app 1 time, but the in-app stuff twice?? :confused::confused::confused:

RocketRed
Jul 18, 2012, 02:05 PM
I could see this as being extremely useful if you have problems downloading the app (legitimately, of course.)

BC2009
Jul 18, 2012, 02:05 PM
How will this impact those of us that have an iPad and an iPhone? Will we be required to pay for the app 1 time, but the in-app stuff twice?? :confused::confused::confused:

Not if they do it right. They can record the purchase with your account so a "restore purchases" event would trigger that your other devices get their own authorization to run the app. If done right it should create a serious hurdle for the hack.

I'd like to know if they have fixed the sending of the credentials in clear text. I am not sure if there was really a vulnerability here since the overall communication is encrypted according to the installed certificates on the device, but the hacker seemed surprised or disappointed that faking the certs gave him access to the credentials of any user exploiting his hack. I'm not sure if another layer of encryption would make sense here (i.e.: using a public key from Apple with Apple being the only holder of the private key -- then again, that public key would still have to be stored among the device certificates so I am not really seeing any additional layer of protection -- I am seeing that as being a good way to use the hack without exposing your credentials to the hacker's server).

Baklava
Jul 18, 2012, 02:07 PM
Apple, that was fast!

gnasher729
Jul 18, 2012, 02:11 PM
I'd like to know if they have fixed the sending of the credentials in clear text. I am not sure if there was really a vulnerability here since the overall communication is encrypted according to the installed certificates on the device, but the hacker seemed surprised or disappointed that faking the certs gave him access to the credentials of any user exploiting his hack.

It's encrypted. Nobody except the intended recipient can read it. If someone out of greed and in order to cheat developers out of their earnings redirects traffic from the Apple Store to some Russian hacker, that's not a vulnerability, that is stupidity. And obviously Apple has no reason to help people cheating safely.

Thunderhawks
Jul 18, 2012, 02:13 PM
It's encrypted. Nobody except the intended recipient can read it. If someone out of greed and in order to cheat developers out of their earnings redirects traffic from the Apple Store to some Russian hacker, that's not a vulnerability, that is stupidity. And obviously Apple has no reason to help people cheating safely.

I wish Apple would send them a nice good virus. Same to the hacker.

roland.g
Jul 18, 2012, 02:13 PM
Maybe a UK judge can require the hacker to include the text "this receipt is a copy of a legitimate and cool receipt" for the next 6 months on all receipts and on his website.

Uncle Ruckus
Jul 18, 2012, 02:16 PM
I don't think this will change anything.

Uncle Ruckus no relations

madmin
Jul 18, 2012, 02:17 PM
This hacker sounds pretty smart, perhaps smart enough to keep an eye on Macrumors to find out the latest moves from Apple and stay one step ahead of the game...

Mjmar
Jul 18, 2012, 02:18 PM
It's a shame that Apple even needs to do this. The world we live in today...

iSee
Jul 18, 2012, 02:20 PM
I thought we won the cold war! But now Russia is crushing our corrupt capitalist country, just like they said they would!!! ;)

Swift
Jul 18, 2012, 02:36 PM
What I'm sure the unique identifier will be used for is validating a certificate. No one will actually see the number, I'll bet. It's hashed multiple times to make your private id. The public id, the hashed and encrypted bundle, will also validate the certificate. Thus every purchase is through the certificate belonging to that app. The developer can offer a deal and the known customer can make a purchase through Apple.

If I know your private, unique identifier somehow, then I'd still have to get past some tough encryption to make out the token.

It's part of a paradox of privacy. The only way to be private is to show yourself to someone trusted. Although here, if your iPhone does the initial hash before it sends this field to Apple, it's still safe, especially since all purchases are through SSL.

daxomni
Jul 18, 2012, 02:47 PM
It's a shame that Apple even needs to do this. The world we live in today...
Yes. The world we live in today is almost unbearable. All these wars of opportunity complete with extrajudicial killings funded by casino capitalism. While a naive self-absorbed population frets endlessly about... pirated software? What a shame indeed.

SpyderBite
Jul 18, 2012, 02:50 PM
This hacker sounds pretty smart, perhaps smart enough to keep an eye on Macrumors to find out the latest moves from Apple and stay one step ahead of the game...

Yah. Cause a fan site would be the most current source for a hacker to keep on top of source code. :rolleyes:

Allenbf
Jul 18, 2012, 02:54 PM
Yah. Cause a fan site would be the most current source for a hacker to keep on top of source code. :rolleyes:

Pretty sure this was sarcasm...

Mad-B-One
Jul 18, 2012, 02:59 PM
How will this impact those of us that have an iPad and an iPhone? Will we be required to pay for the app 1 time, but the in-app stuff twice?? :confused::confused::confused:

That happened to me already - because the old system had sometimes setups where this wasn't tracked. In my opinion, in-App-purchases should be handled the same way App purchases are. Put it on the "purchased" list in the App store.

daxomni
Jul 18, 2012, 03:02 PM
That happened to me already - because the old system had sometimes setups where this wasn't tracked. In my opinion, in-App-purchases should be handled the same way App purchases are. Put it on the "purchased" list in the App store.
Agreed. I've never understood why this wasn't the case from day one.

Mad-B-One
Jul 18, 2012, 03:06 PM
Agreed. I've never understood why this wasn't the case from day one.

I understand it but don't agree with it: More potential revenue. Well, that didn't work out that well, did it? Ultimately, it caused the vulnerability. :cool:

SAIRUS
Jul 18, 2012, 03:17 PM
As a developer, and one who is just starting to get into paid apps, I wish there were things Apple could implement to allow better control of piracy. I'm worried that my $50 app* would get pirated, or even my $0.99 ones. Setting up push servers is one thing (and expensive), but validation servers would be a pain as well.

* It's a medical database thing, thus sadly it's expensive, hopefully it'll have sales.

doobybiggs
Jul 18, 2012, 03:30 PM
If Apple is using it to follow the users getting the free apps along with the hacker ... what is Apple going to do? Cancel their account or make them pay for the apps?

JHankwitz
Jul 18, 2012, 03:46 PM
If Apple is using it to follow the users getting the free apps along with the hacker ... what is Apple going to do? Cancel their account or make them pay for the apps?

Perhaps it's to know who got ripped off so that Apple can provide it for free or register the purchase on their servers.

gkpm
Jul 18, 2012, 03:49 PM
The Next Web are reporting this is NOT the same as the UDID:


The addition of the field was reported by Macrumors, but contrary to its article, it does not appear to contain a Unique Device Identifier (UDID), something that Apple has been instructing developers to move away from.

http://thenextweb.com/2012/07/18/apple-adds-uniqueidentifier-to-in-app-purchase-receipts-not-udid-may-be-related-to-recent-breach/

----------

As a developer, and one who is just starting to get into paid apps, I wish there were things Apple could implement to allow better control of piracy. I'm worried that my $50 app* would get pirated, or even my $0.99 ones. Setting up push servers is one thing (and expensive), but validation servers would be a pain as well.

* It's a medical database thing, thus sadly it's expensive, hopefully it'll have sales.

If you can't run your validation server, check out these guys who seem to do it for free:

http://thenextweb.com/apple/2012/07/18/developers-beeblex-offers-super-secure-and-completely-free-in-app-purchase-validation-for-ios-apps/

tarrant
Jul 18, 2012, 04:04 PM
It seems that this would be very easy for Apple to fix with an iOS update, but of course that doesn't help with existing customers. Just sign the receipts with an App Store certificate, and then ensure that the receipts are signed.

But it also seems strange that Apple didn't do this in the first place.

gnasher729
Jul 18, 2012, 04:18 PM
This hacker sounds pretty smart, perhaps smart enough to keep an eye on Macrumors to find out the latest moves from Apple and stay one step ahead of the game...

Smart? Socially maladjusted, and not a bit of sense. Guess how much money his smartness has made him so far. He could have got himself a proper job, and he would have made more in the time it takes walking to the coffee machine and back.

mikelove
Jul 18, 2012, 04:27 PM
The Next Web are reporting this is NOT the same as the UDID:

http://thenextweb.com/2012/07/18/apple-adds-uniqueidentifier-to-in-app-purchase-receipts-not-udid-may-be-related-to-recent-breach/


Our iPhone app hasn't been updated since Apple's UDID ban came into effect and still collects UDIDs, and the unique_identifier in our receipts matches the UDID perfectly in every purchase we've gotten since they started including unique_identifier - I'm not sure where TNW got their information but for us at least the IDs do match.

ranReloaded
Jul 18, 2012, 04:38 PM
Tying a device UDID to a purchase is not the solution (some people have more than one device, move to a new device and resell, etc.).

What Apple should provide developers is some sort of 'Account ID', that is unique to each AppleID/iTunes Account, but anonymous (i.e., impossible to figure out the actual AppleID/e-mail address of the user from this proposed ID)

----------

As a developer, and one who is just starting to get into paid apps, I wish there were things Apple could implement to allow better control of piracy. I'm worried that my $50 app* would get pirated, or even my $0.99 ones. Setting up push servers is one thing (and expensive), but validation servers would be a pain as well.

* It's a medical database thing, thus sadly it's expensive, hopefully it'll have sales.

Hey, it's not such a big deal. I'm a total php/sysadmin noob and yet got it running relatively quick. I believe I nailed it quite robustly, too.

There is lots of sample code. The hard part is perhaps getting a hosting service with performance suiting your live needs (reliability, bandwidth) without being a rip-off, and setting up SSL certificates.
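
An added example, not part of any post in this thread and not Apple's or any poster's code: a sketch of the checks a developer's own validation server could run on a receipt the store has already verified, using the `unique_identifier` field from the article and the validation-server setup described in the post above. It assumes the server authenticates its own users; `ReceiptLedger`, the account names, bundle id, product id and sample receipts are hypothetical and constructed, and `status`, `receipt`, `bid`, `product_id` and `transaction_id` are assumed to follow the store's JSON verification response.

```python
from dataclasses import dataclass, field


@dataclass
class ReceiptLedger:
    """Remembers which account first redeemed each transaction (in memory)."""
    bundle_id: str        # hypothetical bundle id of the app
    products: frozenset   # product ids the app really sells
    redeemed: dict = field(default_factory=dict)  # transaction_id -> account

    def check(self, response, account_id, device_identifier=None):
        """Return (accepted, reason) for one decoded verification response."""
        # Any non-zero status means the store did not accept the receipt.
        if response.get("status") != 0:
            return False, "store rejected receipt"
        receipt = response.get("receipt") or {}
        if receipt.get("bid") != self.bundle_id:
            return False, "receipt issued for another app"
        if receipt.get("product_id") not in self.products:
            return False, "unknown product"
        txn = receipt.get("transaction_id")
        if not txn:
            return False, "missing transaction_id"

        # Receipts issued before the field existed carry no
        # unique_identifier; those rely on the replay check alone.
        bound_to = receipt.get("unique_identifier")
        if bound_to and device_identifier:
            if bound_to.lower() != device_identifier.lower():
                return False, "receipt bound to a different device"

        # The device identifier is reported by the client and can be forged
        # to match the receipt, so the ledger is keyed on the server's own
        # authenticated account instead.
        owner = self.redeemed.setdefault(txn, account_id)
        if owner != account_id:
            return False, "transaction already redeemed by another account"
        return True, "ok"


APP = "com.example.medref"            # constructed bundle id
PRODUCT = "com.example.medref.full"   # constructed product id


def make_response(txn, identifier=None, status=0):
    """Build a constructed, already-decoded verification response."""
    receipt = {"bid": APP, "product_id": PRODUCT, "transaction_id": txn}
    if identifier is not None:
        receipt["unique_identifier"] = identifier
    return {"status": status, "receipt": receipt}


def demo():
    """Run the constructed cases and return their (accepted, reason) pairs."""
    ledger = ReceiptLedger(APP, frozenset({PRODUCT}))
    shared = make_response("1000000001", "AAAA1111")
    old_style = make_response("1000000002")  # no unique_identifier field
    rejected = make_response("1000000003", "DDDD4444", status=21002)
    return [
        ledger.check(shared, "alice", "aaaa1111"),     # genuine purchase
        ledger.check(shared, "alice", "aaaa1111"),     # same user, same receipt
        ledger.check(shared, "bob", "BBBB2222"),       # receipt from another device
        ledger.check(shared, "bob", "AAAA1111"),       # same, identifier forged
        ledger.check(old_style, "carol", "CCCC3333"),  # older receipt format
        ledger.check(rejected, "dave", "DDDD4444"),    # store said no
    ]


if __name__ == "__main__":
    for accepted, reason in demo():
        print(accepted, reason)
```

A real deployment would keep the ledger in a database with a uniqueness constraint on the transaction id rather than in memory.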

madmin
Jul 18, 2012, 05:38 PM
Smart? Socially maladjusted, and not a bit of sense. Guess how much money his smartness has made him so far. He could have got himself a proper job, and he would have made more in the time it takes walking to the coffee machine and back.

I wasn't saying he's wise, simply wondering if it's a good idea to announce these counter measures on a well read website.

Who knows what job opportunities are available where he lives, somewhere in Russia presumably. Perhaps he's too young to work or has some other handicap preventing him from honest employment. Whatever, I agree he shouldn't be doing this, but all this attention probably isn't helping matters IMO.

BC2009
Jul 18, 2012, 05:57 PM
It's encrypted. Nobody except the intended recipient can read it. If someone out of greed and in order to cheat developers out of their earnings redirects traffic from the Apple Store to some Russian hacker, that's not a vulnerability, that is stupidity. And obviously Apple has no reason to help people cheating safely.

That's what I was trying to say. It's only clear text for the hacker who hosts the servers because he has forced false certificates onto the device and therefore has the power to decrypt whatever the iPhone is encrypting.

blow45
Jul 18, 2012, 06:00 PM
So let me get this right...

Apple has enough money in the bank to take the whole of Europe out of the financial crises, buy a few countries up, send a few tens of expeditions in outer space, end poverty for a considerable part of Africa, etc. etc.

Ok.

Now, recently, they are being repeatedly taken to the cleaners by hackers. And then, if we are lucky enough, they react to that. Be it with 500,000 users data stolen or with less damage. Of course most security issues that are reported but not widely reported and don't constitute an immediate pr threat are simply put under the rug.

Recently, I read they asked Kaspersky for advice....


Now, my question is, seeing as they could buy every Kaspersky in the solar system, and quite a few of them in inhabited planets in the galaxy....


Why the heck aren't they doing it?

When are they going to start being proactive?

When are they going to start justifying their 50% margins in an industry that right now operates with razor thin margins?

fahlman
Jul 18, 2012, 06:28 PM
Yes. The world we live in today is almost unbearable. All these wars of opportunity complete with extrajudicial killings funded by casino capitalism. While a naive self-absorbed population frets endlessly about... pirated software? What a shame indeed.

Because sometimes stealing is okay...as long as it's from a greedy American. Oh, that's right there are iOS developers all over the world who use their time away from their family and friends to create apps and expect to be compensated for that time so they can feed their families. Do you get paid for the job function you perform? Thought so, unless you're an unemployed leech.

gkpm
Jul 18, 2012, 06:28 PM
Our iPhone app hasn't been updated since Apple's UDID ban came into effect and still collects UDIDs, and the unique_identifier in our receipts matches the UDID perfectly in every purchase we've gotten since they started including unique_identifier - I'm not sure where TNW got their information but for us at least the IDs do match.

The Next Web has an update:

The source who contacted Macrumors also got in touch with us. They say that a UDID is definitely showing in that slot for them, but they also have not updated their app to remove references to the UDID, something that Apple has been recommending for some time. Developers that have been submitting app updates recently have found the apps being rejected for using the identifying string. This new use of an identifier may be Apple implementing its recommended UUID standard for new devices while still allowing apps running on older versions of the OS to use a UDID.

Mjmar
Jul 18, 2012, 07:04 PM
Yes. The world we live in today is almost unbearable. All these wars of opportunity complete with extrajudicial killings funded by casino capitalism. While a naive self-absorbed population frets endlessly about... pirated software? What a shame indeed.

There's a difference between fretting and having a conversation. :rolleyes:

gnasher729
Jul 18, 2012, 07:33 PM
Now, recently, they are being repeatedly taken to the cleaners by hackers. And then, if we are lucky enough, they react to that. Be it with 500,000 users data stolen or with less damage.

Excuse me...

But where did you find that data of 500,000 users was stolen from Apple?


Tying a device UDID to a purchase is not the solution (some people have more than one device, move to a new device and resell, etc.).

Chances are very good that the author of the article is just confused and mistook a UUID (unique universal identifier) for a UDID (unique device identifier).

faroZ06
Jul 18, 2012, 10:14 PM
How will this impact those of us that have an iPad and an iPhone? Will we be required to pay for the app 1 time, but the in-app stuff twice?? :confused::confused::confused:

All of your FarmPointz or whatever will suddenly stop being genuine :eek:

----------

So let me get this right...

Apple has enough money in the bank to take the whole of Europe out of the financial crises, buy a few countries up, send a few tens of expeditions in outer space, end poverty for a considerable part of Africa, etc. etc.


Once I read this sentence, I knew what this was going to be about. "Apple should spread the wealth!" or something.

They've already justified their setup by becoming the largest company in the world after being almost bankrupt.

----------

Smart? Socially maladjusted, and not a bit of sense. Guess how much money his smartness has made him so far. He could have got himself a proper job, and he would have made more in the time it takes walking to the coffee machine and back.

Yeah, hackers = losers. I got the IP of a guy who hacked some Yahoo! accounts, and... oops, entering the "ban" zone.

Also, am I the only one who finds it odd that hackforums.net is not constantly attacked? I can't believe a site like that is allowed to exist, but I guess it's "freedom of expression".

visor
Jul 19, 2012, 03:36 AM
I don't understand why Apple does not give out the id's of the person buying a product from me. After all - Apple is just a 3rd party in the deal, right? Why should one of the actors not know who the other one is? It's not share holders dealing here.

blow45
Jul 19, 2012, 03:52 AM
Excuse me...

But where did you find that data of 500,000 users was stolen from Apple?




Not from Apple, from Apple users, Flashback trojan, get your facts straight. :)

gjwfoasfsaevg
Jul 19, 2012, 04:13 AM
Apple just needs to update iOS to make sure that the connection to the apple server was signed with the correct certificate, problem solved.

gnasher729
Jul 19, 2012, 01:12 PM
Not from Apple, from Apple users, Flashback trojan, get your facts straight. :)

Get your facts straight. Flashback trojan didn't steal anything from any Mac users. And it wasn't very good at stealing from anyone else either.

And let me just see if I got this right: You make a post that clearly claims that Apple is taken to the cleaners with 500,000 users' data stolen. That means that these users' data was stolen from Apple, since you said _Apple_ was taken to the cleaners, not the users. I ask for proof. You then turn around, change your story to "data stolen from users", and you tell me to get my facts straight when you can't even stick to the same story for five minutes?


I don't understand why Apple does not give out the id's of the person buying a product from me. After all - Apple is just a 3rd party in the deal, right? Why should one of the actors not know who the other one is? It's not share holders dealing here.

If you think you need to know my AppleID before you are willing to sell to me, then you can keep whatever you are selling.

blow45
Jul 19, 2012, 06:17 PM
Get your facts straight. Flashback trojan didn't steal anything from any Mac users. And it wasn't very good at stealing from anyone else either.

And let me just see if I got this right: You make a post that clearly claims that Apple is taken to the cleaners with 500,000 users' data stolen. That means that these users' data was stolen from Apple, since you said _Apple_ was taken to the cleaners, not the users. I ask for proof. You then turn around, change your story to "data stolen from users", and you tell me to get my facts straight when you can't even stick to the same story for five minutes?

If you think you need to know my AppleID before you are willing to sell to me, then you can keep whatever you are selling.

Oh, yeah, it didn't steal anything? Why? Cause you've personally checked all of the at least 600,000 infected Macs? Or cause you say so as an Apple apologist and we have to take your word for it?

http://mashable.com/2012/04/11/mac-flashback-trojan-effects/

No, when I say Apple is taken to the cleaners, I mean their OS is taken to the cleaners via malware and that results in users' data being compromised. Perfectly clear, and perfectly simple. If you can't get your facts straight at least don't misconstrue what others are saying.

orthorim
Jul 20, 2012, 11:24 AM
No, when I say Apple is taken to the cleaners, I mean their OS is taken to the cleaners via malware...

Taken to the cleaners - I don't think it means what you think it means, somehow.

Flashback didn't really do much and it's now dead. I am sure we'll see more exploits and more malware but so far nobody was taken to the cleaners. By and large Flashback required users to download the malware and enter their admin password.... what's horrific is that Adobe's official Flash updater works in the exact same way, but that will hopefully come to an end with sandboxing in Mountain Lion. Why you'd write your software to work exactly like a piece of malware is beyond me... but that's Adobe for you :confused:

Back on topic not sure I am too happy about this - I don't really understand enough about it but I do wonder why the UDID is necessary, I sure hope Apple doesn't go all Nazi and starts tracking UDIDs. A class action lawsuit is going to come anyways but if they did collect data it would have merit, too.

The way to prevent a man in the middle attack is by using cryptography. This is what any kind of public key system and even HTTPS is designed for. It should be possible for Apple to implement in app purchases in a way that the phone can be sure it's actually talking to Apple servers?!

ERIC273
Aug 22, 2012, 11:56 PM
Also, am I the only one who finds it odd that hackforums.net is not constantly attacked? I can't believe a site like that is allowed to exist, but I guess it's "freedom of expression".

No. HF is a grey hat website, we help people, more than we hurt people, and we're a NO FRAUD forum. We pay our taxes, we're a US REGISTERED BUSINESS. Believe me, we would not risk our 400,000 active member database.

PM me for forums that exist, that include credit card fraud that shouldn't.
ALSO, we get DDoSed all the ****ing time.

faroZ06
Aug 23, 2012, 12:41 AM
No. HF is a grey hat website, we help people, more than we hurt people, and we're a NO FRAUD forum. We pay our taxes, we're a US REGISTERED BUSINESS. Believe me, we would not risk our 400,000 active member database.

PM me for forums that exist, that include credit card fraud that shouldn't.
ALSO, we get DDoSed all the ****ing time.

Sorry, I'm going to have to call BS on that. Well, I guess you do help people hurt other people:

https://dl.dropbox.com/u/643634/Screen%20shot%202012-08-22%20at%2010.39.48%20PM.PNG

If that site has been DDOS'd, that's good to hear. And it looks like some good hackers are hacking the bad hackers: http://seclists.org/fulldisclosure/2009/Jul/164. But since you're paying taxes, I'm sorry that I can't give a little tax money to the US since I don't see any ads.

If anyone cares to see more:

https://dl.dropbox.com/u/643634/Screen%20shot%202012-08-22%20at%2010.43.38%20PM.PNG

Well at least they closed down the "manipulation" section.

ERIC273
Aug 23, 2012, 12:20 PM
Sorry, I'm going to have to call BS on that. Well, I guess you do help people hurt other people:

Image (https://dl.dropbox.com/u/643634/Screen%20shot%202012-08-22%20at%2010.39.48%20PM.PNG)

If that site has been DDOS'd, that's good to hear. And it looks like some good hackers are hacking the bad hackers: http://seclists.org/fulldisclosure/2009/Jul/164. But since you're paying taxes, I'm sorry that I can't give a little tax money to the US since I don't see any ads.

If anyone cares to see more:

Image (https://dl.dropbox.com/u/643634/Screen%20shot%202012-08-22%20at%2010.43.38%20PM.PNG)

Well at least they closed down the "manipulation" section.

All of those sections are for information purposes. The Manipulation section is closed because people were committing fraud, we're a no fraud forum.
I understand we have some risqué sections, but believe me, the good outweighs the bad.
http://gyazo.com/4433d4c9806242a2364938f983dbd6c5.png

If you look through our entire site you won't find one infected link.

We pay A LOT of taxes, we receive hundreds of dollars of donations daily.
An official group costs 4,000 cash, and we have at least 1 new group monthly.

We were even once BlackListed by Malware Bytes.


Look at the owner's success "Omniscient" or Jesse Labrocca (Owner of HackForums)
http://forums.malwarebytes.org//index.php?showtopic=36808

We ended up getting nasty legally, all 300,000 members of HF got free pro memberships to malware bytes.

We're not the bad guys.

Check out

alboraaq.com

faroZ06
Aug 23, 2012, 12:52 PM
All of those sections are for information purposes. The Manipulation section is closed because people were committing fraud, we're a no fraud forum.
I understand we have some risqué sections, but believe me, the good outweighs the bad.
Image (http://gyazo.com/4433d4c9806242a2364938f983dbd6c5.png)

If you look through our entire site you won't find one infected link.

We pay A LOT of taxes, we receive hundreds of dollars of donations daily.
An official group costs 4,000 cash, and we have at least 1 new group monthly.

We were even once BlackListed by Malware Bytes.


Look at the owner's success "Omniscient" or Jesse Labrocca (Owner of HackForums)
http://forums.malwarebytes.org//index.php?showtopic=36808

We ended up getting nasty legally, all 300,000 members of HF got free pro memberships to malware bytes.

We're not the bad guys.

Check out

alboraaq.com

So you're claiming that this site is completely good-natured with so many sections dedicated to exploiting servers? I understand that there are good sections and that the site itself is not dangerous, but it harbors malicious hackers in its forums and has sections for tutorials on how to hack servers. That's unacceptable.

ERIC273
Aug 23, 2012, 02:21 PM
So you're claiming that this site is completely good-natured with so many sections dedicated to exploiting servers? I understand that there are good sections and that the site itself is not dangerous, but it harbors malicious hackers in its forums and has sections for tutorials on how to hack servers. That's unacceptable.

Again, we teach, 99% of the people who claim to have defaced a website leave messages like secure your server. We're not the target for a reason, the government would prefer a forum our size hosted on short, that they have to reason to seize, over all the carding forums which are close to our size, hosted offshore. Our forum contains more people who kiss the admin's ass for 24x24 pixel awards, than actual hackers.

----------

So you're claiming that this site is completely good-natured with so many sections dedicated to exploiting servers? I understand that there are good sections and that the site itself is not dangerous, but it harbors malicious hackers in its forums and has sections for tutorials on how to hack servers. That's unacceptable.

Though we're not 100% good-natured, we're not illegal, what the members do is not our problem, as long as they don't do anything fraud relating, claiming to, or showing how to access a server is not illegal, and purely informational.

99% of websites that are breached, are just to show the owners to secure their ****.