A heading is supposed to be short and to the point, did you expect a long-winded detailed explanation as the header?

MR did a decent job informing their members about it in a timely manner. The risks towards the users all depend on whether or not they were foolish enough to replicate/duplicate their login/pass combos elsewhere. That's not MR's fault as it is carelessness on the user's part.

wtf, did you accidentally reply to me by mistake; what part of your reply relates to my comment!?

Where did I assess the timeliness of MacRumors' response!?

Where did I say I'd used the password elsewhere!?

Thirdly, in what way does macrumors short heading invalidate what I've said!? My point still stands...

Look, just because you enjoy hating other people on the internet, does not make it okay to go around harassing them...
 
wtf, did you accidentally reply to me by mistake; what part of your reply relates to my comment!?

Where did I assess the timeliness of MacRumors' response!?

Where did I say I'd used the password elsewhere!?

Thirdly, in what way does macrumors short heading invalidate what I've said!? My point still stands...

Look, just because you enjoy hating other people on the internet, does not make it okay to go around harassing them...

Hating? No. Harassing? Hardly. Objectivity is what I'm exercising here.

My primary response was towards what I bolded in your quote and it adequately invalidates your response. If you don't know what comprises a header in an article or comprehend how an "upside down pyramid" pertains to writing, then it would be a waste of time explaining it and derailing the thread.

----------

not when there drunk

Fair enough. :D
 
Please delete my account

I sent two messages yesterday requesting a deletion of my account. Will this be done soon?

Thanks!
 
using salt and peppers makes password brute force IMPOSSIBLE.

you salt your passwords and pass them through a pepper server whose only allowed IP is the web servers.

someone can dump your password tables but cannot crack ANY passwords without your pepper server. Furthermore you can roll your pepper keys every 15 minutes.

such as password hash = 4f6938531f0bc8991f62da7bbd6f7de3fad44562b8c6f4ebf146d5b4e46f7c17

then passes to pepper server to add another random 50 chars rolling every 15 mins.

the pepper server simply records times passwords are recorded and adds the rolled key for that time frame, ONLY the web server can request this action.

you simply store those peppered salts in the DB and they MUST be passed back through the pepper server to be useful.

this can be built in php in a matter of 20 minutes.

If you can hack a website and dump its user table, then chances are, you get the server to request a fair number of the pepper keys.
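An added sketch of the salt-plus-pepper scheme discussed in the post above (not code from the thread or from MacRumors), written in Python rather than PHP so it runs on the standard library alone. `PepperService` and the other names are hypothetical; the pepper step is modelled here as HMAC-SHA256 under a versioned key instead of appended characters, and the PBKDF2 iteration count is an example value.

```python
import hashlib
import hmac
import secrets


class PepperService:
    """Stand-in for the separate pepper server; keys never leave this object."""

    def __init__(self):
        self._keys = {}        # key_id -> secret; old keys are kept so old rows still verify
        self.current_id = 0
        self.rotate()

    def rotate(self):
        # Called on a timer in the scheme described (every 15 minutes in the post).
        self.current_id += 1
        self._keys[self.current_id] = secrets.token_bytes(32)

    def apply(self, key_id, salted_hash_bytes):
        return hmac.new(self._keys[key_id], salted_hash_bytes, hashlib.sha256).digest()


def salted_hash(password, salt):
    # Slow, per-user salted hash computed on the web server.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def register(pepper, password):
    salt = secrets.token_bytes(16)
    key_id = pepper.current_id     # stored with the row so rotation does not break logins
    stored = pepper.apply(key_id, salted_hash(password, salt))
    return {"salt": salt, "key_id": key_id, "stored": stored}


def verify(pepper, row, password):
    candidate = pepper.apply(row["key_id"], salted_hash(password, row["salt"]))
    return hmac.compare_digest(candidate, row["stored"])


def offline_guess_matches(row, guess):
    # All that can be computed from a dumped row alone: the pepper key is missing,
    # so even the correct password does not reproduce the stored value.
    return hmac.compare_digest(salted_hash(guess, row["salt"]), row["stored"])
```

The stored value is only checkable through the pepper service, so the protection covers a database-only dump; a party able to make the web server call `apply` can still test guesses online, which is the objection raised in the reply.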
 
I sent two messages yesterday requesting a deletion of my account. Will this be done soon?

Thanks!

If you sent in a Contact, please be patient as that workflow takes a bit longer than dealing with a Post Report. Your contact will be answered.
 
iCloud Keychain does not work with this site. In fact, I just changed my password to use the iCloud one, and Safari didn't autofill the login form, negating the purpose altogether.

I always find it strange when sites that have totally irrelevant content prevent me from saving my password. Is MacRumors concerned someone stealing my laptop could post on their site?
 
BS! Hours after the hack, my Yahoo account was locked out due to suspicious activity. I've been on a few other sites that have had their passwords stolen and never once were any of my email accounts locked out meaning those hackers actually didn't try to use my email, but clearly the person who hacked MacRumors did.

As was suggested to me it's probably more likely that this, if it was due to any hack at all, was probably due to the Adobe hack. Did you have an Adobe account? I'd forgotten about mine, but lo, I did.
 
I have considered switching to KeePass for a while (since I think open source is a huge benefit for this kind of software), but it doesn't have eWallet's convenient Wifi sync. Also, the computer app was written using Microsoft .Net and hence requires the rather heavyweight Mono framework to run on Mac OS or Linux. At least there was no native Mac OS app when I last checked.

In the Reddit discussion, someone recommended KeePassX ($0) and KyPass Companion (paid but polished), but I haven't used them so I can't vouch for them. You'll need to check whether or not those third party implementations of KeePass are open-source.
 
All hail the grammar king. It's just one letter; cut the guy a break. It's not a formal letter to his boss; it's a reply in a forum.

Don't take things literally, my response wasn't seriously aimed at correcting his grammar which I acknowledged after his reply. Now go have some juice and watch tv, there's no fire here.
 
You might need to be a bit more patient. The site admins are obviously very busy at the moment dealing with all the problems we've had this week but they should get back to you in the next few days.

Thank you. I will check back in a few days.
 
I haven't read all the posts of this topic, so my questions may be a repeat of ones that have already been asked.

Why is searching now disabled?
When will it be restored?

(I'm going out on a limb and will guess that the site was hacked via a "vector" that existed in the search routines...)
 
Is there somewhere we can go to get updates on the status of things? Is there any more information regarding what was obtained by the hackers?

I'm not savvy on this stuff, so maybe I have asked too soon.
 
Deactivate

Where is the Deactivate Account button?

Or is that not offered as a service here?
 
This is ridiculous. Is there no one that can come up with a better authentication methodology than user names and passwords? We have so many accounts and the demands put on us by IT and security people basically equates to "if you can access your own data, it's not secure enough", and "even if you can't remember your login credentials, someone else is likely to find them eventually".

I have a document with all my account info for my own reference, and my friend has all hers in a spreadsheet. I won't put my passwords into a public service that is owned by any entity that's attractive to hacking. What happens when Lastpass, 1Password or iCloud keychain are cracked and violated? Personal server storage is less likely to be targeted than an account service or Apple, et al.

Using a number generating token works pretty well, but it's not unhackable either. Get the seed value for the token, and some of the values and the algorithm can be reverse generated and then you will be able to generate the exact same 'random' numbers for infinity.

You would, and should, be surprised at the number of personal servers that are hacked, or have issues with updates and bad software. I'm flabbergasted at the number of people that don't use a hardware firewall, and insist on using software firewalls like Zone Alarm, etc, and the built-in firewalls on the OS they are using. Those are worth what you pay for them, and only as good as the idiot that clicks 'Allow' every time that message pops up. One client had a software firewall on his home business Windows computer. Swore it was 'secure'. His kids used the computer. I went to a site and the box popped up. The kid said 'Just click the allow button. It'll go away.' He blanched, and bought a hardware firewall appliance (and a 'disposable' computer for the kids). Even hardware firewalls can be hacked too. Wireless should be considered suspect and insecure too. I've run into companies that I can join their 'secure' network FROM THE PARKING LOT and print to their 'secure' printers.

Security can be an illusion... I honestly think there is NO secure system, except for the one left in a locked room with no outside connections except for power, and what good would that be...
 
Using a number generating token works pretty well, but it's not unhackable either. Get the seed value for the token, and some of the values and the algorithm can be reverse generated and then you will be able to generate the exact same 'random' numbers for infinity.

You would, and should, be surprised at the number of personal servers that are hacked, or have issues with updates and bad software. I'm flabbergasted at the number of people that don't use a hardware firewall, and insist on using software firewalls like Zone Alarm, etc, and the built-in firewalls on the OS they are using. Those are worth what you pay for them, and only as good as the idiot that clicks 'Allow' every time that message pops up. One client had a software firewall on his home business Windows computer. Swore it was 'secure'. His kids used the computer. I went to a site and the box popped up. The kid said 'Just click the allow button. It'll go away.' He blanched, and bought a hardware firewall appliance (and a 'disposable' computer for the kids). Even hardware firewalls can be hacked too. Wireless should be considered suspect and insecure too. I've run into companies that I can join their 'secure' network FROM THE PARKING LOT and print to their 'secure' printers.

Security can be an illusion... I honestly think there is NO secure system, except for the one left in a locked room with no outside connections except for power, and what good would that be...

What would be a good/decent hardware firewall appliance for home use? Is it worth getting this since it's just for home and personal use?
 