UnderGround Forums >> Site hack and PW change, take 2


1/21/14 9:33 AM
Kirik

Edited: 01/21/14 7:20 PM
Member Since: 1/1/01
Posts: 54312
The UnderGround, Mayor
 

Yesterday's explanation did not answer all of your concerns initially, so after trying to answer each of them one by one last night, I am reposting with a fuller narrative of what happened.

Three days ago UFC president Dana White's screen name on the UG offered to do a Q&A. The answers were plausible, although a little over-punctuated and, oddly, curse free. It wasn't actually odd, as it wasn't DFW, as we learned when we texted him for confirmation.

We locked the account, changed the PW, let Dana know, and started trying to track down what happened. The next day Dan Henderson's screen name on the UG posted a gif directed at Michael Bisping. The Count's screen name on the UG responded immediately. That thread was patently bogus, and was quickly frozen.

Shortly afterwards, we discovered that the screen names were the work of UGer MentaL. He had also logged in as a government official, Nevada State AC executive director attorney Keith Kizer. I emailed MentaL and he responded that it had indeed been him.

Over dozens of sometimes puzzling emails, I came to understand what happened.

Two years ago, MentaL discovered a hole in our security, and very helpfully alerted us to it. We immediately fixed the hole. Should someone use that hole to gain access to the site, your log in information (email address and password) is still encrypted, even if it was downloaded.

At the time I did not alert everyone, and force a change of everyone's passwords. It is like I owned a fight gym and a member of it said "Hey that dog door is big enough so that a ninja could wriggle through it, and come in here and do whatever he wants."

Once inside the guy could burn the place down, pee in the cage, try every combination on the combination locks on the gym lockers and find out your email address and password for a fight site inside them, and dozens of other things. The alert was from a friendly member of the gym, with no indication he had wriggled through the hole, and no indication he had then tried every combination on some of the lockers and discovered passwords for an MMA site.

With the recent credit card issues at Target, people naturally worried that their credit card information was compromised. We do not retain credit card info. Thus no matter how much snooping around or picking of padlocks he managed to do, your credit card information was never compromised, as it is not there. Your credit card info is safe.

I nailed the dog door shut immediately, and had them audit our security. And I did not tell everyone here.

For two years I did not get any indication that anyone else had found the hole, never mind downloaded user log in info, and then cracked some of it.

However, unbeknownst to me, MentaL had indeed downloaded at least part of the user log in information. Further, he cracked some of it. Apparently using something called a Rainbow Table, if you can guess an email address, and the password is relatively simple (say all numbers and not that many of them) then it is not that tough to get the password.

Using two year old information, MentaL was able to crack the DFW, Hendo, and Bisping accounts (all of which meet the above criteria), and post as if he was them. His reasons were two fold. First, he thought you guys would get a kick out of it. Second, he thinks two years ago I should have told everyone to change their password, because someone else could have exploited the hole he found, and then downloaded the log in info, and then cracked some of it, and then used the info for ill ends, like trying the same email and password combo on amazon, or paypal, or any other site.

So that is his reasoning for cracking the log ins of prominent figures. The reason he downloaded the encrypted user log in info in the first place was, as he put it, as a "trophy." I don't know or understand hacker culture, but apparently downloading data of this nature as a trophy of what you were able to hack into is a common occurrence.

To people worried that MentaL has hacked your log in info and is using it for malevolent purposes, please know that he hacked BitTorrent last summer. You can read about it here.  If he was going to cause any trouble that is literally 1,000,000 times bigger than the UG. And he loves the UG. He was trying to help you, and did not anticipate how you, or anyone, would naturally react.

We built a function that is forcing everyone to choose a new password. Initially we exempted people who had changed their log in more recently than the log in info download, but that was problematic, so everyone has to change their password.

We can institute changes on the UG, but apps are fixed and cannot be changed without a long review process, so if you access the UG exclusively from a smart phone app, you should get to a desktop and change your log in information.

The process is done from the top Nav bar:
ACCOUNT
>Site Settings
>>Login Settings
>>>Change Password
>>>Change Email

If you used the same password here as on other sites, you should change those too. It is never good practice to use the same password across multiple sites.

We also added a function that freezes your account if you try too many times to log in with a bad password. This was done to deter brute force attacks on our log in.

After the credit card fears, the biggest question I am getting is why MentaL is still allowed to post.

Thus far I do not think his intentions in finding the hole and downloading the db were malicious. He has apologized with sincerity, and expressed the desire to make amends. He also tried to out a UGer, but his sleuthing was incorrect. That was a show of extraordinarily poor judgement, something he has shown over and again.

I am also not certain after a couple dozen emails that he is completely sound at present, and I don't wish him injury if that is the case.

There is as well a less altruistic motive - I don't know what he is capable of, and don't want to antagonize him, particularly with my hands so full of dealing with this. The guy hacked BitTorrent, completely. My blocking his IP is probably not going to prove to be an insurmountable impediment to him. Might just piss him off.

Lastly, he admitted in public via text and imagery to a blatant violation of Federal law. My damages are substantial, and it is an effortless case if a prosecutor wanted a web hacking notch on his or her gunbelt. So if we decide to go after him, it will be remarkably more severe than blocking his IP and deleting his posts.

The guys are also taking a number of further steps to shore up our security over the next several days.

Also, a bunch of people said "Hey, you banned SuperCalo for pretending he was prominent people on the site, but he was the force behind the Fight for Frank and is a good good dude. Then this guy who downloaded our log in info and then hacked some of it is not banned. WTFF." There was a suggestion I offer to wash SuperCalo's dishes for a month, as an enticement, so I did. I hope he comes back.

Please ask further questions below and I will answer them or get someone smart to answer them if I am unable to do so. I do ask that the thread be about the hacking and pw change and not about other things, DTW. I will not be able to answer them immediately, as I have a pressing family medical matter to attend to, but I will get to them.

Above all, you have my sincerest apologies for the trouble to which now tens of thousands of you are being put.
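The post above makes two technical points: simple passwords stored behind a fast, unsalted hash fall to precomputed (rainbow) tables, and repeated bad log in attempts should freeze the account. The following is an added example, not code from the UG or from anyone in this thread, showing the defensive side of both. It uses only the Python standard library; the user names, the password `123456`, the PBKDF2 iteration count and the lockout thresholds are constructed values chosen for the demonstration.

```python
import hashlib
import hmac
import os
import time

# --- Part 1: why a per-user salt plus a slow KDF blunts precomputed tables ---

def unsalted_hash(password: str) -> str:
    """Fast, unsalted digest. Every user with the same password gets the same
    digest, so one precomputed table of weak passwords serves against all of them."""
    return hashlib.sha1(password.encode()).hexdigest()

def make_salted_record(password: str, iterations: int = 200_000) -> dict:
    """Random 16-byte salt per user and PBKDF2-HMAC-SHA256 (stdlib).
    The iteration count is an assumed value; tune it to your hardware."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations, "digest": digest}

def verify_salted(record: dict, candidate: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode(), record["salt"], record["iterations"])
    return hmac.compare_digest(digest, record["digest"])

def unsalted_digests_collide(password: str) -> bool:
    """Two accounts with the same weak password produce identical unsalted digests."""
    return unsalted_hash(password) == unsalted_hash(password)

def salted_records_differ(password: str, iterations: int = 1000) -> bool:
    """Same password, two accounts: different digests, yet both still verify.
    A table precomputed for one salt is useless against the other."""
    a = make_salted_record(password, iterations)
    b = make_salted_record(password, iterations)
    return a["digest"] != b["digest"] and verify_salted(a, password) and verify_salted(b, password)

# --- Part 2: freeze an account after too many bad passwords ---

class LoginGuard:
    """Counts consecutive failed log ins per account and freezes the account for
    freeze_seconds once max_failures is reached. The clock is injectable so the
    freeze window can be tested without sleeping."""

    def __init__(self, records, max_failures=5, freeze_seconds=900, clock=time.monotonic):
        self.records = records            # username -> salted record
        self.max_failures = max_failures
        self.freeze_seconds = freeze_seconds
        self.clock = clock
        self.failures = {}                # username -> consecutive failures
        self.frozen_until = {}            # username -> clock value when freeze ends

    def login(self, username: str, password: str) -> str:
        now = self.clock()
        if self.frozen_until.get(username, 0) > now:
            return "frozen"               # do not evaluate the password while frozen
        record = self.records.get(username)
        if record is not None and verify_salted(record, password):
            self.failures.pop(username, None)
            return "ok"
        count = self.failures.get(username, 0) + 1
        self.failures[username] = count
        if count >= self.max_failures:
            self.frozen_until[username] = now + self.freeze_seconds
            self.failures.pop(username, None)
            return "frozen"
        return "bad-password"

if __name__ == "__main__":
    # Constructed demo: a user with the weak all-numeric password the post warns about.
    records = {"alice": make_salted_record("123456", iterations=1000)}
    guard = LoginGuard(records, max_failures=3, freeze_seconds=60)
    print("unsalted digests collide:", unsalted_digests_collide("123456"))
    print("salted records differ:", salted_records_differ("123456"))
    for attempt in ("wrong", "wrong", "wrong", "123456"):
        print(attempt, "->", guard.login("alice", attempt))
```

The freeze does not reset the failure counter on a correct guess made during the window, and it does not check the password at all while frozen, which keeps a guessing loop from learning anything during the lockout. Freezing by account rather than by source IP is what the post describes; in practice both counters are kept.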

1/21/14 9:36 AM
cleetdog101

Member Since: 1/9/07
Posts: 4243
I was just prompted for 2nd password change...done.

When should I expect the 3rd? lol
1/21/14 9:40 AM
Letibleu

Edited: 01/21/14 10:07 AM
Member Since: 1/6/10
Posts: 9092
fuck it.
1/21/14 9:48 AM
stephen1547

Member Since: 2/17/10
Posts: 3142

I don't see how I can renew my blue name.  I honestly just don't trust you guys to run this site properly any more.

1/21/14 9:49 AM
deepu

Member Since: 1/1/01
Posts: 15980
"The guy hacked BitTorrent, completely."

Details on this? As a geek, I'm curious. Anyway, he exposed flaws, you're addressing them, that should be the end of this saga.
1/21/14 9:49 AM
Evil Ash

Member Since: 2/14/10
Posts: 7939
Phone Post 3.0
1/21/14 9:51 AM
The Gumball Kid

Member Since: 2/7/13
Posts: 1765
" Thus far I do not think his intentions in finding the hole and downloading the db were malicious. He has apologized with sincerity, and expressed the desire to make amends. He also tried to out a UGer, but his sleuthing was incorrect. That was a show of extraordinarily poor judgement, something he has shown over and again.

I am also not certain after a couple dozen emails that he is completely sound at present, and I don't wish him injury if that is the case.

There is as well a less altruistic motive - I don't know what he is capable of, and don't want to antagonize him, particularly with my hands so full of dealing with this. The guy hacked BitTorrent, completely. My blocking his IP is probably not going to prove to be an insurmountable impediment to him. Might just piss him off."

Should I read that as we're being held hostage with somebody that has shown extraordinarily poor judgement time and time again because you fear what he can do?

Sorry but if that is the case I can't trust anything you're saying about this whole situation because it's all going to be sugarcoated and presented in a way to not anger MentaL.

If I'm wrong I apologize but that is what it looks like you're saying
1/21/14 9:51 AM
Rhasaan Orange

Member Since: 12/30/13
Posts: 19
Looking forward to superCalo's return
1/21/14 9:52 AM
ImTheSandMan

Member Since: 4/18/12
Posts: 28
This is some crazy shit. Phone Post 3.0
1/21/14 9:53 AM
ec

Member Since: 4/22/10
Posts: 3079
In before the triumphant return of Calo, riding a donkey back to the UG. Phone Post 3.0
1/21/14 9:53 AM
Jump Kick

Member Since: 1/1/01
Posts: 15001
Didn't read, but I support Kirik and mma.tv. Phone Post 3.0
1/21/14 9:55 AM
Harmon Whistler

Member Since: 5/9/09
Posts: 10893
6 accounts.
1/21/14 9:55 AM
Global Shield

Member Since: 1/1/01
Posts: 2226
Wtf Phone Post 3.0
1/21/14 9:57 AM
DaddyRich

Member Since: 8/22/02
Posts: 1630
I wonder what the movie and recording industry would've paid for MentaL's access to Bit Torrent?
1/21/14 9:57 AM
Kirik

Member Since: 1/1/01
Posts: 54314
The UnderGround, Mayor
deepu - "The guy hacked BitTorrent, completely."

Details on this? As a geek, I'm curious. Anyway, he exposed flaws, you're addressing them, that should be the end of this saga.

You can read about it here.

1/21/14 9:58 AM
Delightone

Member Since: 9/1/10
Posts: 1805
Lol Phone Post 3.0
1/21/14 10:00 AM
FETT_TFK_Tat2tillidie

Member Since: 12/17/10
Posts: 7285
I'm glad this is all being worked out ... Phone Post 3.0
1/21/14 10:01 AM
CainPoundedMyOldSN

Member Since: 1/22/13
Posts: 2839
That's awesome you're letting Calo return. Nothing I respect more than someone in a position of power doing something they don't have to, whether it's admitting they were wrong or taking advice / keeping an open mind / considering the possibility that they might not always be right. Kudos.
1/21/14 10:01 AM
UGCTT_EnderTL

Member Since: 11/23/10
Posts: 8408
Evil Ash - Phone Post 3.0
This is awesome! Phone Post 3.0
1/21/14 10:02 AM
Let me bang bro

Member Since: 5/23/12
Posts: 1822
iom apgage 1 son
1/21/14 10:04 AM
Phil999

Member Since: 12/24/03
Posts: 4483
in
1/21/14 10:04 AM
uberpinscher

Member Since: 6/9/11
Posts: 897
yup
1/21/14 10:05 AM
jasonhightower

Member Since: 8/30/09
Posts: 5495

Renewing my blue when it comes due will be a no brainer.  I have no worries.

 

1/21/14 10:06 AM
Kirik

Member Since: 1/1/01
Posts: 54315
The UnderGround, Mayor
The Gumball Kid - " Thus far I do not think his intentions in finding the hole and downloading the db were malicious. He has apologized with sincerity, and expressed the desire to make amends. He also tried to out a UGer, but his sleuthing was incorrect. That was a show of extraordinarily poor judgement, something he has shown over and again.

I am also not certain after a couple dozen emails that he is completely sound at present, and I don't wish him injury if that is the case.

There is as well a less altruistic motive - I don't know what he is capable of, and don't want to antagonize him, particularly with my hands so full of dealing with this. The guy hacked BitTorrent, completely. My blocking his IP is probably not going to prove to be an insurmountable impediment to him. Might just piss him off."

Should I read that as we're being held hostage with somebody that has shown extraordinarily poor judgement time and time again because you fear what he can do?

Sorry but if that is the case I can't trust anything you're saying about this whole situation because it's all going to be sugarcoated and presented in a way to not anger MentaL.

If I'm wrong I apologize but that is what it looks like you're saying

That is not what I am saying.

It is in fact the opposite. I am being entirely open and honest.

One factor in not banning him is that he is a super duper hacker, and if he got super pissed off he could probably turn the page into an ad for a parking lot. When I was like 14 I got into a beef with a kid over a pinball machine at the Topsfield Fair. I smacked him in the face, and only then realized he had two huge friends right behind him. It did not go my way, but was instructive - don't use force on someone until you know what force they can use back.

This is being entirely honest about my thought process.

1/21/14 10:10 AM
sycotik

Member Since: 11/16/12
Posts: 1281
Let me bang bro - iom apgage 1 son
Mcgurgle qwat mio!!!!!! Phone Post 3.0
