Using a different username and password for everything doesn't look so silly now.
It almost seems like a catch-22 though. I do have different usernames and passwords for different sites, but then I need a list of all these; it isn't possible to remember:
Banks, Forums, Bills, Uni/Work, Other Misc accounts
which could result in maybe 50 different username/password combinations; it is rather stupid to rely upon memory. So then people create lists, and when a list is stolen electronically or physically, you're ****ed.
There is nothing more idiotic than creating/viewing/storing the list on the computer you use. Poor advice from a TSR moderator themselves; not surprising they got hacked.
Two of the links exploit a bug in the default search system - where TSR uses Sol, a non-default search system - so that bug won't work, and one applies to an outdated version of vbulletin (3.6.1) when the site uses version 4.
Just because there are security bugs which exist (and I assume have now been fixed as vbulletin is at version 4.2 and the search bug was only said to work until version 4.1) doesn't mean they are likely to affect TSR. Even if TSR doesn't upgrade every time an update comes out with the vbulletin upgrade path, it is still able to manually apply security patches.
Nearly all software, vbulletin, Windows, Mac OS X, etc etc will have security holes in it, and then will patch said holes when someone finds them.
That's a minute of searching to find those, and as I said they may or may not have been used; it could have been a straightforward exploit on the server to get the database. I did see others that stated they work on any version of vBulletin. One thing is for sure: now that one exploit has been successful here, it will be all around the hacking forums and others will be having a go. I know about software and patching and updates, and given TSR has been exploited then probably they didn't, since vBulletin keeps an FAQ on known exploits.
Back with the old insults; shows the maturity in your personality. Guess it supports the idea you're the only person working in the IT industry LOL.
So you have access to a webcam to check my veins LOL, better get yourself a job as a doctor.
False. Nowhere has it been stated that the administrative passwords were either null or default.
But then no one has said the admin passwords were not either null or default, so your own assumption is *******s, but you do like to be a shield.
Seeing as the payment details are all held with Paypal and have not been included in the damage assessment, it's reasonable to suggest that these have not been affected.
Already said that it is at least one saving grace that they were smart enough to realise they did not have the knowledge to be storing payment details.
No, I don't know the detail - I know what I've been told. But then again, neither do you - not exactly a tenable standpoint from which to launch a first-strike, is it?
It's not me going around calling people who have every justification to be annoyed 'Dicks', is it?
No, I don't see the site's owners passing that responsibility. They've held their hands up and apologised for what has happened.
The site was attacked on the 14th and the announcement given to users on the 22nd; if that's how often they check their logs, or how quickly they manage to figure these things out, they need to employ better monitoring. As for holding their hands up, if any usable information was gathered it would already have been used. If they hadn't held their hands up they would have been liable to punishment from the ICO, so that's a bit like saying an individual would never try to reduce their taxes when they have only ever been PAYE with their employer deducting it.
TSR isn't standing me up to defend them - I do not represent TSR. I'm just a regular user that works in infosec for a living and takes an interest in the site.
That's another small saving for them, as you would think anyone they actually did put up would have better customer skills than to go around insulting anyone that's not in agreement that TSR was a poor victim.
How do you delete your account? This isn't fair, important stuff could have been taken and we can't even get off this site!!! I am so worried right now, what can they even access? Somebody that works on this site should tell us right now, because these people could do so much with that information, and it's terrible service if you can't tell us what's even going on, instead of all these scary warnings and no way to get away from you. What is going on here?
Hello, we're sorry to have scared you and for the inconvenience this is causing. I would suggest you first read this blog post, which explains what happened, what we're doing about it and how to protect yourself. However, the quickest way to protect your data is simply to 1) change your password, 2) if you use the same password elsewhere, change it on other sites too. Once you do these two things, your data will be safe. We collect very little personal data on the site, so in most cases the only important information this person is likely to have stolen will be emails and passwords - we don't even ask for people's names. To close your account, please post a request in the Ask A Moderator forum. We have overhauled our security system though to further protect from this happening, and we'd obviously be sorry to see you go! Jack
But then no one has said the admin passwords were not either null or default, so your own assumption is *******s, but you do like to be a shield.
Already said that it is at least one saving grace that they were smart enough to realise they did not have the knowledge to be storing payment details.
The site was attacked on the 14th and the announcement given to users on the 22nd; if that's how often they check their logs, or how quickly they manage to figure these things out, they need to employ better monitoring. As for holding their hands up, if any usable information was gathered it would already have been used. If they hadn't held their hands up they would have been liable to punishment from the ICO, so that's a bit like saying an individual would never try to reduce their taxes when they have only ever been PAYE with their employer deducting it.
I think it can be assumed that any account which has privileges does not have an 'easy' password, as this is the first time anything like this has happened in ~10 years. Also, afaik vbulletin doesn't allow empty passwords, and there is no 'default' password - you enter the base admin password during initial install, and for any other account you enter a password when it is created.
Incorrect - they don't have the additional security that would be warranted if they stored payment details (and they don't have justification to get the resources needed to process payments themselves). Regardless of how strong/weak the default password storage system was, I believe it is acceptable to assume that it was fit for purpose, as I said before. Dev time for them is limited, and so they work on adding new features / fixing bugs in their own code, instead of checking through code they have bought (and which should therefore be tested by the provider). If they were doing something not supported by the base code, so they wrote their own code for it, then they would consider other parts affected, and upgrade them as needed, such as data storage.
It depends on how clever the person who stole the data was. Unless you are suggesting that every single action taken by every privileged user should be checked, then sometimes things will take time to spot. Not to mention that the hacker may have taken steps to hide what they were doing, and so it only became clear when there were a number of 'normal' actions which, when put together, were not normal. I don't think we can comment on their monitoring systems without knowing more about what they do, and I at least do not assume that everything is worst-case without reason to.
How do you delete your account? This isn't fair, important stuff could have been taken and we can't even get off this site!!! I am so worried right now, what can they even access? Somebody that works on this site should tell us right now, because these people could do so much with that information, and it's terrible service if you can't tell us what's even going on, instead of all these scary warnings and no way to get away from you. What is going on here?
If you use the internet, 'important stuff' might be taken. Much much bigger companies than TSR have been attacked, so if you are worried - you better close your internet banking, close paypal, close any e-mail accounts, and so on.
If you decide you only want to leave TSR, you can change your e-mail address and password to something that isn't related to you, and then ask in Ask a Moderator to be permanently banned. Then if anything like this happened again, nothing related to you would be disclosed.
There is nothing more idiotic than creating/viewing/storing the list on the computer you use. Poor advice from a TSR moderator themselves; not surprising they got hacked.
I'm sorry, but what is up with all the brown noses on here?
The fact is people's passwords have been given away. A casual apology really isn't good enough.
More annoying is the arrogant attitude of people on here saying 'if you use the internet then expect your data to be breached'. Sort your act out, you silly geeks; not everybody has ten computers and military-grade encryption for their passwords! RIDICULOUS
The fact is people's passwords have been given away. A casual apology really isn't good enough.
They've apologised for what happened and not tried to cover it up or play it down, they've emailed everyone saying they should change their passwords, and they've taken steps to ensure the same thing can't happen again. What exactly would be "good enough" if that isn't?