Tremulous Forum

General => General Discussion => Topic started by: Rocinante on October 20, 2009, 02:21:21 am

Title: So, uh.. what happened?
Post by: Rocinante on October 20, 2009, 02:21:21 am
As some of you have heard, there was a data breach on the tremulous.net forums.  Now that we have all of the details, we would like to share what happened with the members of the forum.  If you don't want to read everything, then just go change your password and call it a day :>

Some time ago - when tremulous.net was hosted with Sourceforge - someone got a copy of the database through a vulnerability with their servers.  This included information from phpbb2, such as the table of private messages and most importantly the user list, including all of the hashed passwords.  Since many of the passwords were fairly weak, consisting of dictionary words with or without some minor obfuscation, it would not have taken long for many accounts to be compromised, and in fact the number is just under 1400.

Archangel/Solar/Inaki was in possession of this database dump and cracked passwords on Saturday evening, when he used it to login as Khalsa, remove his own ban information, and promote himself to having an avatar before logging out and back in as himself.  He then posted a new thread proclaiming how he was unfairly banned.

We quickly realized that something was amiss when none of the moderators or developers who were online knew anything about Archangel being unbanned.  I surmised that perhaps an admin's account was used in the break-in, and Khalsa quickly confirmed it was his own.  While in the process of cleaning things up, it became apparent that at least one other user's account was being used without their permission, and it was decided to lock down the forums until we could gather more details and come up with a plan for bringing everything back safely.

During the course of Sunday, the events of the previous day became known to us and the extent of the breach was revealed.  Unfortunately SMF has no way for us to force password changes on every user, but we did what could be done - let all users know that their password could be compromised, and they should change it.  This is always sound advice after a break-in of any kind, even though there are certain circumstances under which you would be perfectly safe from this breach.  But rather than cloud the good advice with dates and statistics, it's easier to say "change your password - and if you used that password elsewhere, go there and change it too, preferably not to what you just set here."

What has happened now?  Archangel has been banned again, and has agreed that he'll not be coming back - in part of his own free will this time.  Everyone with administrative access (and many without) have already changed their passwords, and we all highly recommend that you do too - if we could force that to happen, we would.  If you have questions about the breach, we'll try to answer them as best we can.  Do note that regardless of your feelings of the original ban of Archangel, the fact remains that what he did since then is over and above what would be considered a bannable offense, so ideas entertaining the notion of reversing his ban will likely just be deleted.

EDIT: Forgot to link to the passwords topic (http://tremulous.net/forum/index.php?topic=12111.0) I wrote yesterday, which could be of general interest to people wondering about how passwords and hashes and whatnot work and how they can be compromised.
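The post above makes two technical points worth seeing in code: phpBB2 stored passwords as unsalted hashes, so every user who picked the same password got the same stored value and one dictionary hit unmasks all of them, and "dictionary word with minor obfuscation" passwords fall to the first pass of a wordlist. The following is an added example written for this thread, not code from the forum, phpBB or SMF. It contrasts that legacy storage with a salted, slow KDF (PBKDF2-HMAC-SHA256, my choice, not what any of these forums use) and adds a registration-time check that rejects lightly disguised dictionary words. The five-word dictionary, the user records and the password samples are all constructed for the demo.

```python
"""Added example: legacy unsalted hashing vs. salted KDF, plus a weak-password check.

Assumptions (not from the forum or its software): PBKDF2 as the modern scheme,
the tiny COMMON_WORDS list, and the constructed user records in the demo.
"""
import hashlib
import hmac
import os
import re
from typing import Dict, List, Optional

# Constructed mini-dictionary; a real deployment would use a large breach/wordlist.
COMMON_WORDS = {"dragon", "password", "tremulous", "granger", "letmein"}

# Common leetspeak substitutions, undone before the dictionary lookup.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"})

# Digits / punctuation that people bolt onto the front or back of a word.
_EDGE = r"[\d!?.*_-]+"


def normalize(password: str) -> str:
    """Undo the 'minor obfuscation' the post describes: case, edge digits, leetspeak."""
    p = password.lower()
    p = re.sub(_EDGE + "$", "", p)   # strip trailing digits/punctuation ("dragon2009!" -> "dragon")
    p = re.sub("^" + _EDGE, "", p)   # and leading ones
    return p.translate(LEET)          # then map leetspeak back to letters


def is_weak(password: str, min_length: int = 10) -> bool:
    """True if the password is short or is a (lightly disguised) dictionary word."""
    if len(password) < min_length:
        return True
    return normalize(password) in COMMON_WORDS


def legacy_hash(password: str) -> str:
    """phpBB2-era storage: unsalted MD5. Identical passwords -> identical stored values."""
    return hashlib.md5(password.encode()).hexdigest()


def modern_hash(password: str, salt: Optional[bytes] = None, iterations: int = 200_000) -> str:
    """Salted PBKDF2-HMAC-SHA256 with a fresh random salt per user.

    Stored as 'pbkdf2$<iterations>$<salt hex>$<derived key hex>' (format chosen for this demo).
    """
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2${iterations}${salt.hex()}${dk.hex()}"


def verify_modern(password: str, stored: str) -> bool:
    """Recompute the derived key from the stored salt/iterations and compare in constant time."""
    _, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


def users_sharing_hash(records: Dict[str, str]) -> Dict[str, List[str]]:
    """Group users by stored hash value; any group larger than one falls to a single crack."""
    groups: Dict[str, List[str]] = {}
    for user, stored in records.items():
        groups.setdefault(stored, []).append(user)
    return {h: users for h, users in groups.items() if len(users) > 1}


if __name__ == "__main__":
    # Constructed user records: three users, two of whom chose the same weak password.
    chosen = {"alice": "dragon", "bob": "dragon", "carol": "xK9#vQ2pLm7z"}

    legacy = {u: legacy_hash(p) for u, p in chosen.items()}
    modern = {u: modern_hash(p) for u, p in chosen.items()}

    print("legacy shared hashes:", users_sharing_hash(legacy))   # alice and bob collide
    print("modern shared hashes:", users_sharing_hash(modern))   # {} : salts differ
    for sample in ("Dragon2009!", "Tr3mulous99", "p@ssw0rd", "xK9#vQ2pLm7z"):
        print(f"{sample!r:16} weak={is_weak(sample)}")
```

The weakness check runs at registration or password change, which is the point at which a forum could have refused the "dictionary word plus a number" passwords that made the dump so cheap to exploit; the salted KDF is what makes a stolen table expensive per user rather than per distinct password.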
Title: Re: So, uh.. what happened?
Post by: your face on October 20, 2009, 03:33:16 am
Thanks for the info!

> He then posted a new thread proclaiming how he was unfairly banned.

Then how was it fair?

Also, what was it about Yarou haxing Ozzy's account?
Title: Re: So, uh.. what happened?
Post by: Nate on October 20, 2009, 03:56:14 am
From my source, I heard that Archangel had given his cracked passwords out to many people, Yarou being one of them, and then Yarou got into Ozzy's AIM and blah blah..

Archangel is a dumbass nuff' said.
Title: Re: So, uh.. what happened?
Post by: n.o.s.brain on October 21, 2009, 07:13:19 am
One question:
Why wasn't anyone notified, or didn't anyone change their passwords when the original breach in sourceforge hosting occurred some time ago?  Was no one aware it had even been breached?

Also, could one of the mods explain why inaki/archangel was permbanned in the first place?  I know he got a 1 week ban (http://tremulous.net/forum/index.php?topic=11829.msg176113#msg176113) for posting this (http://tremulous.net/forum/index.php?topic=11829.msg175966#msg175966) post.  I apologize if he did some other perm-ban worthy offence I am not aware of.

> Thanks for the info!
>
> > He then posted a new thread proclaiming how he was unfairly banned.
>
> Then how was it fair?
I don't think Rocinante said it was fair...  of course, now he is fairly banned...
Title: Re: So, uh.. what happened?
Post by: KamikOzzy on October 21, 2009, 10:18:53 am
If you're wondering about me, as word is around already:

Yeah, my account was the other one used on this forum, by Yarou, who did in fact obtain my password from Inaki.

Like a dumbass, I had my AIM password set the same, and he chilled all day on my AIM account.

I had a couple other, well yeah, important things set to the same password, including the AA forums, but Yarou was in it for the lulz and left his damages with Tremulous, rather than going after some of my more sensitive accounts.

Learn from my mistake: Use a password manager, and a different pass for every site you visit. Regularly update passwords (if Khalsa and I weren't using our same pass from 4 years ago we might have avoided trouble). Don't pick a dictionary fuckin word and slap a number on it. Random strings and shit, or at least misspellings.

At day's end, Inaki got to stand on his soapbox for a minute, Yarou got to pull his power trip, and nobody received any real damages (other than one laaaate night of stress on the MG IRC), so gg guys, a valuable lesson to all of us.
Title: Re: So, uh.. what happened?
Post by: Rocinante on October 21, 2009, 01:40:39 pm
> One question:
> Why wasn't anyone notified, or didn't anyone change their passwords when the original breach in sourceforge hosting occurred some time ago?  Was no one aware it had even been breached?

Nobody here was made aware of it, correct.

> Also, could one of the mods explain why inaki/archangel was permbanned in the first place?  I know he got a 1 week ban (http://tremulous.net/forum/index.php?topic=11829.msg176113#msg176113) for posting this (http://tremulous.net/forum/index.php?topic=11829.msg175966#msg175966) post.  I apologize if he did some other perm-ban worthy offence I am not aware of.

That was not the first time he'd been banned for such advice; the original ban was extended.
Title: Re: So, uh.. what happened?
Post by: benmachine on October 21, 2009, 07:11:54 pm
> That was not the first time he'd been banned for such advice; the original ban was extended.

To clarify, I placed the original week ban because I didn't know (or remember) he'd done it before; it was then pointed out that it wasn't a first offence so we agreed to extend it. I didn't at the time think this particularly worth commenting on in the original thread; in retrospect it probably was.
Title: Re: So, uh.. what happened?
Post by: The 11th plague of Egypt on October 24, 2009, 02:11:20 pm
So, how the hell do I change my password?
Title: Re: So, uh.. what happened?
Post by: tuple on October 24, 2009, 02:18:18 pm
Upper right, "Quick Links" go to account settings.

Not a bad time to double check your email address and set a security question too :)
Title: Re: So, uh.. what happened?
Post by: The 11th plague of Egypt on October 24, 2009, 02:26:06 pm
Thanks. I was searching for a profile button next to the logout one, I thought the Quick links was something else.
Title: Re: So, uh.. what happened?
Post by: Bissig on October 24, 2009, 07:49:49 pm
Actually I would disregard Tuple's post and NOT set a security question.

I worked at the support department of a German webmail company and the most hacked accounts got hacked by stupid/too easy security questions. Actually, as I changed my password, I was surprised to find that kind of alternative login tool still available in modern web software.

Lost password emails and one time login passwords should be the only valid way of re-authenticating lost logins.
Title: Re: So, uh.. what happened?
Post by: marcuswargo on October 25, 2009, 07:54:17 pm
I'd set a question like, "what's my religion???" but the answer is totally unrelated to the question being asked. If it lets you type your own question and you can't think of one, I'd just type, "What's my password?" but that might cause problems if YOU need to know your own answer, but hey, you got it written down somewhere, right?
Title: Re: So, uh.. what happened?
Post by: Bissig on October 25, 2009, 09:48:19 pm
> I'd set a question like, "what's my religion???" but the answer is totally unrelated to the question being asked. If it lets you type your own question and you can't think of one, I'd just type, "What's my password?" but that might cause problems if YOU need to know your own answer, but hey, you got it written down somewhere, right?

You will forget that the answer is different or what answer it is. Because if you didn't you wouldn't need the question. So, an unanswerable question does not solve anything.
Title: Re: So, uh.. what happened?
Post by: Plague Bringer on October 25, 2009, 10:10:53 pm
> You will forget that the answer is different or what answer it is. Because if you didn't you wouldn't need the question. So, an unanswerable question does not solve anything.
+1

My old security answer for Blizzard was my 16 digit library card number. The question was "what is the name of your first pet".

Needless to say, I was pretty confused for a bit.