So you are proud of being a criminal and a jerk? Wonderful. I'm sure your parents are proud too.

I'm not proud of it. I find tackling different sites challenging and fun.

Pretty sure my parents wouldn't be proud of it either, but hey.
 
I'm not proud of it. I find tackling different sites challenging and fun.

Pretty sure my parents wouldn't be proud of it either, but hey.

I agree, finding security leaks IS fun, but you're then supposed to have a conscience and TELL THE SITE ADMIN ABOUT THE HOLE and not take the user data. I hope you get found, sued, and imprisoned.
 
I agree, finding security leaks IS fun, but you're then supposed to have a conscience and TELL THE SITE ADMIN ABOUT THE HOLE and not take the user data. I hope you get found, sued, and imprisoned.

You seem pretty mad.

Outside of this hobby, *cough*, I do partake in whitehat activities and try to contribute to some open source projects etc. It builds quite the resumé.
 
It's probably going to end up in their spam folder and they'll never see it.

Doesn't matter, at least MacRumors made the initiative (and there's still people to whom it won't go to their spam folder). At that point it's the user's responsibility to check their folders, rather than MacRumors' responsibility to send the alert.
 
Hey guys, "hacker" here. I'm going to disprove some of the comments you guys have been making.




That concludes it. Consider the "malicious" attack friendly. The situation could have been catastrophically worse if some fame-driven idiot was the culprit and the database were to be leaked to the public.

So what drives you to do this? If not fame, what?
 
I really don't see this as a big deal unless you use the same password for everything. I simply went into my one password program and generated a long-ass character string and that was it.

I was using a simple Macrumors-specific password and now I had to create a newer one. My muscle memory doesn't remember that and it's more difficult to login now! Yes first world problem. :(
 
You seem pretty mad.

Outside of this hobby, *cough*, I do partake in whitehat activities and try to contribute to some open source projects etc. It builds quite the resumé.

So then why didn't you do that this time? What prompted you to go blackhat and steal the user data for yourself? You're right, I'm damned mad you little **** nugget. Grow a conscience please.

Also, when did this happen? I noticed a few days ago I started getting massive amounts of spam sent to the email I regg'd with macrumors. This is probably where it came from. So this douche did it all for money. What a scumbag.

Anyone else notice a HUGE increase in spam the past few days, all being sent to the addy you used to sign up for macrumors?
 
You seem pretty mad.

Outside of this hobby, *cough*, I do partake in whitehat activities and try to contribute to some open source projects etc. It builds quite the resumé.

I bet you're not so tough and cavalier in person. It's easy to hide behind your keyboard, isn't it? If you are such a whitehat, why not admit who you are and turn yourself in? Chicken?
 
Hey guys, "hacker" here. I'm going to disprove some of the comments you guys have been making.

I'll need to provide some sort of proof to prove it's me. Arn, the first 16 bits of your old password hash was cd89d763f091c664. Your salt is (or was?) #er<ib"E%R0sa%`8b%N3+!5<J&PqnT.


First of all, regarding the passwords. As far as I'm aware, the older versions of vBulletin and the current all share the same hashing algorithm. 860106 users were dumped. Out of those, 488429 of them still had a salt which had a length of 3 bits. Anyone that'd been active recently will have a longer salt, which will slow down the hash cracking by a fraction of the time it would have taken (duplicate salts = less work to do, it's likely to have many with a 3 bit salt). We're not "mass cracking" the hashes. It doesn't take long whatsoever to run a hash through hashcat with a few dictionaries and salts, and get results. We're not logging in to your gmails, apple accounts, or even your yahoo accounts (unless we target you specifically for some unrelated reason). We're not terrorists. Stop worrying, and stop blaming it on Macrumors when it was your own fault for reusing passwords in the first place.

Second of all, I personally think Arn done a great job disclosing the details of what had happened in the time that he took to do so. Many other huge companies and corporations, probably some that you're all registered to, have taken days, weeks, or even never, to report a compromise. You should be thankful.

Third, we're not going to "leak" anything. There's no reason for us to. There's no fun in that. Don't believe us if you don't want to, we honestly could not care less.

Fourth, stop blaming this on the "outdated vBulletin software". The fault lied within a single moderator. All of you kids that are saying upgrade from 3.x to 4.x or 5.x have no idea what you're talking about. 3.x is far more secure than the latter. Just because it's older, it doesn't mean it's any worse.



That concludes it. Consider the "malicious" attack friendly. The situation could have been catastrophically worse if some fame-driven idiot was the culprit and the database were to be leaked to the public.

Did you login with my iMessage/FaceTime on one of your devices?
 
To test myself. I never defaced the site, I never bragged about it anywhere, I just got in and got out.

I left the door to my house open today by mistake. Do you think it's okay to walk in and out of my house, but not take anything?

Guess what, you shouldn't even try the door knob.
 
Hey guys, "hacker" here. I'm going to disprove some of the comments you guys have been making.

I'll need to provide some sort of proof to prove it's me. Arn, the first 16 bits of your old password hash was cd89d763f091c664. Your salt is (or was?) #er<ib"E%R0sa%`8b%N3+!5<J&PqnT.


First of all, regarding the passwords. As far as I'm aware, the older versions of vBulletin and the current all share the same hashing algorithm. 860106 users were dumped. Out of those, 488429 of them still had a salt which had a length of 3 bits. Anyone that'd been active recently will have a longer salt, which will slow down the hash cracking by a fraction of the time it would have taken (duplicate salts = less work to do, it's likely to have many with a 3 bit salt). We're not "mass cracking" the hashes. It doesn't take long whatsoever to run a hash through hashcat with a few dictionaries and salts, and get results. We're not logging in to your gmails, apple accounts, or even your yahoo accounts (unless we target you specifically for some unrelated reason). We're not terrorists. Stop worrying, and stop blaming it on Macrumors when it was your own fault for reusing passwords in the first place.

Second of all, I personally think Arn done a great job disclosing the details of what had happened in the time that he took to do so. Many other huge companies and corporations, probably some that you're all registered to, have taken days, weeks, or even never, to report a compromise. You should be thankful.

Third, we're not going to "leak" anything. There's no reason for us to. There's no fun in that. Don't believe us if you don't want to, we honestly could not care less.

Fourth, stop blaming this on the "outdated vBulletin software". The fault lied within a single moderator. All of you kids that are saying upgrade from 3.x to 4.x or 5.x have no idea what you're talking about. 3.x is far more secure than the latter. Just because it's older, it doesn't mean it's any worse.



That concludes it. Consider the "malicious" attack friendly. The situation could have been catastrophically worse if some fame-driven idiot was the culprit and the database were to be leaked to the public.


Rule of internet forums #1: No matter what happened, it's a moderator's fault. ;)
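
Added example, not part of any post in this thread: a defender-side audit of stored salts, illustrating the "duplicate salts = less work" remark quoted above. It assumes the short salts are three characters long and drawn uniformly from 94 printable ASCII characters; the function names and sample rows are constructed for illustration.

```python
import math
from collections import Counter

# Assumption: salts are uniform over the 94 printable non-space ASCII characters.
SALT_ALPHABET = 94


def expected_distinct_salts(n_users, salt_len, alphabet=SALT_ALPHABET):
    """Expected number of different salts among n_users random salts."""
    space = alphabet ** salt_len
    # space * (1 - (1 - 1/space)**n_users), written so it stays accurate
    # when the salt space is astronomically larger than the user count.
    return space * -math.expm1(n_users * math.log1p(-1.0 / space))


def salt_audit(rows, min_len=16):
    """rows: iterable of (user, salt). Flags shared salts and short salts."""
    rows = list(rows)
    groups = Counter(salt for _, salt in rows)
    shared = {salt for salt, count in groups.items() if count > 1}
    return {
        "users": len(rows),
        "distinct_salts": len(groups),
        # Accounts whose salt also protects another account: one guess
        # computation covers every member of the group.
        "users_sharing_a_salt": sorted(u for u, s in rows if s in shared),
        # Accounts to re-salt and re-hash at next login or forced reset.
        "users_with_short_salt": sorted(u for u, s in rows if len(s) < min_len),
    }


# Constructed sample rows (not real data).
SAMPLE = [
    ("alice", "a9!"),
    ("bob", "a9!"),
    ("carol", "Zq7"),
    ("dave", "k#2Lw8@pXr5+Tn0vB&e4Yh1-Gs6^Mc"),  # 30 characters
]

if __name__ == "__main__":
    print(salt_audit(SAMPLE))
    print(round(expected_distinct_salts(488429, 3)))
    print(round(expected_distinct_salts(488429, 30)))
```

Under these assumptions, the thread's figure of 488429 accounts with three-character salts yields well under 488429 distinct salts, while 30-character salts are effectively unique per account.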
 
He logged into my twitter account too.
MR, please find this guy and get his ass prosecuted.
 
I'm not proud of it. I find tackling different sites challenging and fun.

Pretty sure my parents wouldn't be proud of it either, but hey.

I'm pretty sure it would be challenging and fun to break into the playboy mansion and have my way with the ladies there. But I don't do it, because it's not legal (and for other reasons of course).

Don't the same rules apply to you and your impulses or desires?
 
We're not logging in to your gmails, apple accounts, or even your yahoo accounts (unless we target you specifically for some unrelated reason).

Everything proves otherwise. You need to explain yourself more than that. What the hell do you mean by "unless we target you specifically for some unrelated reason?"
 
Looks like someone must hate MR or Apple products... maybe because they bought a defective product...
 
He logged into my twitter account too.
MR, please find this guy and get his ass prosecuted.

Did you login with my iMessage/FaceTime on one of your devices?

Again, like I said in my initial post, I'm not doing anything with anyone's information. Why would I waste my time trying to get into someone that I don't even knows' twitter or facetime account?
 
Again, like I said in my initial post, I'm not doing anything with anyone's information. Why would I waste my time trying to get into someone that I don't even knows' twitter or facetime account?

But what would you do if someone offered you money for the list of email addresses you now hold?

A forum hack did indeed seem odd. What would one do with the accounts? I assumed it was to simply get a list of email addresses to sell.

As for the legal side. We all know the law doesn't give two hoots about hacking. Even hitting government systems is low risk.
 
But what would you do if someone offered you money for the list of email addresses you now hold?

A forum hack did indeed seem odd. What would one do with the accounts? I assumed it was to simply get a list of email addresses to sell.

As for the legal side. We all know the law doesn't give two hoots about hacking. Even hitting government systems is low risk.

I have no need for money. I'd decline.
 