Info about the recent attack

[FalconFour]

Helped? No. Sparked the idea? That's my point. It's a psychological thing, not a technological thing. It's like the candy stands at the checkout... when you go through a grocery store, do you ever actually SEEK OUT the candy? Well, only if you've got candy issues But generally, no. You get to the checkout, and bam: candy. Mm... candy, that would be nice to have! I can afford it, whatever. *grab*

Now, the hack. Mm, I've done all my deeds for the day, Cosbycoin is floating all over the forum, screenshots are taken, lulz are collectively had, it's been a fun day. Ahh, it's offline. Ahh, it's back online. What'd that whiny brat admin say about us? ("checkout" phase) Ooh, what's this? Haha, that's stupid-easy to do. ("candy" phase) Sure enough, it works! Haha, suckers, now we have all their passwords too.

They may or may not have actually investigated the passwords, and even still there's a probability that they hadn't. But the probability pretty much exploded the moment some dingbat thought it would be smart to advertise how the passwords are hashed.

[1714673089]

1714673089

[1714673089]

1714673089

[1714673089]

1714673089

[Gerken]

Helped? No. Sparked the idea? That's my point. It's a psychological thing, not a technological thing. It's like the candy stands at the checkout... when you go through a grocery store, do you ever actually SEEK OUT the candy? Well, only if you've got candy issues But generally, no. You get to the checkout, and bam: candy. Mm... candy, that would be nice to have! I can afford it, whatever. *grab*

Now, the hack. Mm, I've done all my deeds for the day, Cosbycoin is floating all over the forum, screenshots are taken, lulz are collectively had, it's been a fun day. Ahh, it's offline. Ahh, it's back online. What'd that whiny brat admin say about us? ("checkout" phase) Ooh, what's this? Haha, that's stupid-easy to do. ("candy" phase) Sure enough, it works! Haha, suckers, now we have all their passwords too.

They may or may not have actually investigated the passwords, and even still there's a probability that they hadn't. But the probability pretty much exploded the moment some dingbat thought it would be smart to advertise how the passwords are hashed.

If you can't elaborate on what you meant without resorting to dumbass candy analogies you should probably just stop.  And how the passwords are hashed isn't exactly a secret only known to the top members of the cabinet.

[FalconFour]

If you can't elaborate on what you meant without resorting to dumbass candy analogies you should probably just stop.  And how the passwords are hashed isn't exactly a secret only known to the top members of the cabinet.

GJ missing the point. Next please? Can I get someone with a functioning brain, please?

[Gerken]

If you can't elaborate on what you meant without resorting to dumbass candy analogies you should probably just stop.  And how the passwords are hashed isn't exactly a secret only known to the top members of the cabinet.

GJ missing the point. Next please? Can I get someone with a functioning brain, please?

Anyone with a brain ignored you a long time ago.  Guess I should too, but I wanna see if you make a car analogy next. 

[FalconFour]

Anyone with a brain ignored you a long time ago.  Guess I should too, but I wanna see if you make a car analogy next. 

No, but y'see how it says "Gullible" on the ceiling? Right, and I just stole your wallet while you were staring at the ceiling, GJ on that too.

[Raoul Duke]

Anyone with a brain ignored you me a long time ago.  Guess I you should too, after all I only came to this forum to troll. 

FTFY

Now, STFU and GTFO!

[Gerken]

Anyone with a brain ignored you me a long time ago.  Guess I you should too, after all I only came to this forum to troll. 

FTFY

Now, STFU and GTFO!

You seem upset. 

[Raoul Duke]

Anyone with a brain ignored you me a long time ago.  Guess I you should too, after all I only came to this forum to troll.  

FTFY

Now, STFU and GTFO!

You seem upset.  

Upset?  

You seem more upset than me, after all it's you who came here just to troll a forum about something you don't like... Is Bitcoin a threat to you in some way?

[Gerken]

Anyone with a brain ignored you me a long time ago.  Guess I you should too, after all I only came to this forum to troll.  

FTFY

Now, STFU and GTFO!

You seem upset.  

Upset?  

You seem more upset than me, after all it's you who came here just to troll a forum about something you don't like... Is Bitcoin a threat to you in some way?

I have no problem with bitcoin, it's the die hard libertarians that get me rollin.  It's always great seeing them get screwed over by the same system they want to push on everyone else. 

[runeks]

DO NOT USE WEBSITES TO GENERATE YOUR PASSWORDS

There is a good chance that your new and shiny password is stored for later attacks!

Create 4 random passwords which contains no special characters and are 10 characters long:

Code:

cat /dev/urandom| tr -dc 'a-zA-Z0-9' | fold -w 10| head -n 4

Create 4 random passwords which DO contains special characters and are 12 characters long:

Code:

$ cat /dev/urandom| tr -dc 'a-zA-Z0-9-_!@#$%^&*()_+{}|:<>?='|fold -w 12| head -n 4| grep -i '[!@#$%^&*()_+{}|:<>?=]' 

This is useful if you want passwords you don't need to remember. Obviously, few people are able to remember a password like "Qc{Jb>pK)|_m". If you want a password that's just as strong but easier to remember, use a dictionary with the shuf command, like this:

Code:

shuf -n 6 --random-source=/dev/random /usr/share/dict/words

This will pick 6 random words (using /dev/urandom to create the random numbers) from the dictionary /usr/share/dict/words. /usr/share/dict/words on my machine contains about 98500 words. I have another dictionary that contains 74000 words (excluding words ending in "'s" from /usr/share/dict/words). Now let's say I create a password using 6 words from the latter dictionary (74000 words):

Code:

shuf -n 6 --random-source=/dev/random Desktop/simwords 
scramblers
chiseled
therapeutic
adjuster
lamebrains
gibbeted

So the password is "ScramblersChiseledTherapeuticAdjusterLamebrainsGibbeted". The number of possible combinations are 74000^6=~10^29 which is the equivalent of a 15 character password consisting of upper/lowercase letters, numbers and special characters (like "&+-qnk_Wh<7TeNF").
Which one is the easiest to remember? They both have approximately the same entropy.

[Raoul Duke]

I have no problem with bitcoin, it's the die hard libertarians that get me rollin.  It's always great seeing them get screwed over by the same system they want to push on everyone else. 

If it's great "seeing them get screwed" why do you interfere instead of just watching from the sideline?
Your interference, and the interference from the other goons makes me suspect that there's more to it than just "seeing die hard libertarians getting screwed over by the same system they want to push"...

[mizerydearia]

I cannot recall where I read it, but I think theymos (was it someone else?) mentioned that only a few bitcoin community members were contacted by email regarding volunteers for hosting the forum.  Is it possible to shed some light on the people that were contacted so the community knows who were the only people that had opportunity to volunteer to host the forum?

Anyone willing to suggest who the people that were contacted are?  Perhaps this is undesirable to publicate?

Found a follow up email after the initial request for volunteers:  http://pastebin.com/48tPCHUP

Malmi Martti
Jeff Garzik
Mike Hearn
Bruce Wagner
Pieter Wuille
email@xx.com
Marc Bevand
Matt Corallo
Jed McCaleb
Gavin Andresen
Nils Schneider
info@xx.cz
solar
Stefan Thomas

Also, included in original email (not shown in pastebin above):
email@onlyonetv.com
info@bitcoin.cz (slush)

[runeks]

Can anyone tell me why sites/programs like LastPass.com/KeyPass/KeyPassX would be anymore secure than the a browser extension like PasswordHash (for Chrome and Firefox)

The principle of this browser extension is that at any site where you are asked to enter a password, the extension will enter a password that is sha256(<your password of choice> + domain) (or any other cryptographic hash function). For example, if my chosen password is "masterpassword", the password that would be used to log into gmail.com would be sha256("masterpasswordgmail.com") (=9b2b649d3124c81093f9080a88b9d3723940dfe0707d8524d0403c9641bc99c3).
This is the principle. The output could of course be truncated since few sites allow passwords this long. But as far as I can see this achieves exactly the same as LastPass.com and KeyPass(X) with much less complexity. If an attacker compromises a database and - even if they are stored as clear text - gets your password (the sha256 hash), he has no use for it since he can't find your master password even knowing the domain that was used together with the master password to create the hash. This is basically using a SALT that is the domain name of the site you're visiting.

[shelbydz]

http://xkcd.com/936/

nuff said
 

[Maged]

Helped? No. Sparked the idea? That's my point. It's a psychological thing, not a technological thing. It's like the candy stands at the checkout... when you go through a grocery store, do you ever actually SEEK OUT the candy? Well, only if you've got candy issues But generally, no. You get to the checkout, and bam: candy. Mm... candy, that would be nice to have! I can afford it, whatever. *grab*

Now, the hack. Mm, I've done all my deeds for the day, Cosbycoin is floating all over the forum, screenshots are taken, lulz are collectively had, it's been a fun day. Ahh, it's offline. Ahh, it's back online. What'd that whiny brat admin say about us? ("checkout" phase) Ooh, what's this? Haha, that's stupid-easy to do. ("candy" phase) Sure enough, it works! Haha, suckers, now we have all their passwords too.

They may or may not have actually investigated the passwords, and even still there's a probability that they hadn't. But the probability pretty much exploded the moment some dingbat thought it would be smart to advertise how the passwords are hashed.

Here's the thing: this information was only revealed AFTER the attack. As such, the hacker no longer has access to the system. If they had the idea of taking the user database and cracking the passwords, they either already did or they didn't. There is literally no way to take the user database without explicitly thinking "I want to crack everyone's password!". If they did take the user database, you can bet that they also downloaded the entire source code of the forum, just in case we made any changes to how the passwords were stored (I don't know that we did, and if we didn't change how the passwords were stored, they could have found this out from the SMF source code any time they wanted to - including well before the attack). Basically, the attacker already would have known all this. There is NO danger in revealing this information after the fact.

[FalconFour]

[doc_brown] You're not thinking 4th-dimensionally! [/doc_brown]

Imagine for a moment that they took a snapshot of the database as any good "hello, world!" hack would do. And they didn't take a snapshot just for the sake of cracking passwords, but just part of a routine "let's see what we can get out of it" thing. That enables a 3rd possibility: that they have the database (no need for further hacks/exploits from that point on to get hashes), that they didn't have the intention of snooping passwords, but now they have the motivation to try it (which they didn't, before the information was posted).

Of course, since it's my reasoning against a person wearing the title "mod", if this is anything like any other forum, cue the community blindly bashing the guy that doesn't 100% agree with the post

[Maged]

[doc_brown] You're not thinking 4th-dimensionally! [/doc_brown]

Imagine for a moment that they took a snapshot of the database as any good "hello, world!" hack would do. And they didn't take a snapshot just for the sake of cracking passwords, but just part of a routine "let's see what we can get out of it" thing. That enables a 3rd possibility: that they have the database (no need for further hacks/exploits from that point on to get hashes), that they didn't have the intention of snooping passwords, but now they have the motivation to try it (which they didn't, before the information was posted).

I suppose that is true. With admin access, they just had to press one button to get a full database dump. That is much less work than coding a dump program yourself.

Basically, this is a case where you just have to weigh the risks that the hacker would decide to suddenly start cracking the passwords after you release the details, to the damage that anything less than full disclosure would cause to your reputation. Remember when Mt.Gox was hiding things how pissed everyone was?

Of course, since it's my reasoning against a person wearing the title "mod", if this is anything like any other forum, cue the community blindly bashing the guy that doesn't 100% agree with the post

Nobody here really thinks that mods are special. We just happen to read more posts than everyone else, so we were given the power to moderate the forum ourselves instead of having to report everything.

[SolarSilver]

Passwords

It is not known for sure that the attacker copied any password hashes, but it should be assumed that he did.

Well, I'm already getting spam on my unique email address generated for the forum so we might consider that if that leaked, the hashes leaked as well:

Code:

Received: by 10.42.220.135 with SMTP id hy7cs191738icb;
        Mon, 12 Sep 2011 05:57:14 -0700 (PDT)
Received: by 10.14.13.14 with SMTP id a14mr1481921eea.41.1315832233374;
        Mon, 12 Sep 2011 05:57:13 -0700 (PDT)
Return-Path: <no_reply@libertyreserve.com>
Received: from x
        by mx.google.com with ESMTPS id 36si4325308eeh.202.2011.09.12.05.57.12
        (version=TLSv1/SSLv3 cipher=OTHER);
        Mon, 12 Sep 2011 05:57:13 -0700 (PDT)
Received-SPF: fail (google.com: domain of no_reply@libertyreserve.com does not designate Y as permitted sender) client-ip=Y;
Authentication-Results: mx.google.com; spf=hardfail (google.com: domain of no_reply@libertyreserve.com does not designate Y as permitted sender) smtp.mail=no_reply@libertyreserve.com
Received: from yama-bousai-web.bosai.vill.yamato.lg.jp ([61.194.116.165])
	by X (8.14.1/8.14.1) with ESMTP id p8CCvAWf028904
	for <My-forum-email@x>; Mon, 12 Sep 2011 14:57:11 +0200 (CEST)
Message-Id: <201109121257.p8CCvAWf028904@X>
Received: from User ([66.219.29.150])
          by yama-bousai-web.bosai.vill.yamato.lg.jp
          (Post.Office MTA v4.1.0.4 release 20090417
           ID# 6014-053U50L50S0V41J) with ESMTP id jp;
          Mon, 12 Sep 2011 19:48:48 +0900
From: "no_reply@libertyreserve.com"<no_reply@libertyreserve.com>
Subject: Liberty Reserve Bonus Winner
Date: Mon, 12 Sep 2011 19:48:28 +0900
MIME-Version: 1.0
Content-Type: text/html;
	charset="iso-8859-9"
Content-Transfer-Encoding: 7bit
X-Priority: 1
X-MSMail-Priority: High
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000

</script>
<div id=yiv2021571761><html>
<table width="750" cellpadding="0" cellspacing="0">
	<tr>
		<td style="background-repeat:no-repeat;" background="" width="100%" align="center">
			<table width="95%" align="center">
				<tr>
					<td align="left" style="padding:10px 0 0 10px;">
						  <img src="https://libertyreserve.s3.amazonaws.com/content/v1.0.1040/themes/white/images/logo.gif" border="0"/>											</td>
				</tr>
			</table>
			<table width="740">
				<tr><td style="padding:0px 40px 0px 0px;" align="center">
<table width="100%"
 border="0" cellpadding="0" cellspacing="0">
  <tr>
    <td valign="top" align="middle"><table cellspacing="0" cellpadding="0" width="100%" border="0">
		<tr>
			<td colspan="2" class="separator"><hr style="font-family:verdana, arial, sans-serif;border:0;width:100%;height:2px;border-top:1px solid #9AA6CD;overflow:hidden;"/></td>
		</tr>
        <tr>
          <td style="font-family:verdana, arial, sans-serif;margin:0;padding:0px 0px 10px 0px;color:#020219;font-weight:bold;font-size:18px;" nowrap width="50%">  <div align="left">20% Bonus Winner </div></td>
          <td style="font-family:verdana, arial, sans-serif;margin:0;padding:0px 0px 10px 0px;color:FF0 000;font-weight:bold;font-size:18px;" nowrap align="right" width="50%"></td>
        </tr>
        <tr>
          <td nowrap colspan="2" height="1"><img height="1"
 src="" width="1"></td>
        </tr>
      </table>
      <table cellspacing="0" cellpadding="0" width="100%"
 border="0">
        <tr>

          <td style="font-family:verdana, arial, sans-serif;font-size:11px;color:#656565;"><div align="left"><strong>&nbsp;&nbsp;&nbsp; </strong>CONGRATULATIONS!<br>
            You have won a the chance to WIN 20% Bonus of your Liberty Reserve account balance. One time - Limited BONUS Offer! You can earn 0.5usd (Balance: 10usd) or up to 500usd (Balance: 10.000usd) depending on your account balance. This BONUS Form must be completed in maximum 5 days using the link below or you will not qualify for the 20% Bonus. Please be aware that if your account balance is 10usd your bonus will be 0(zero) and you will not qualify for the instant Free Bonus. You can use one of our authorized exchangers listed on www.libertyreserve.com website and upload money secure in your account.
            </span></strong><br>
                  <br>
            
          </div></td>
          <td width="5"><img height="1" src=""
 width="5"></td>
        </tr>
      </table>
      <table cellspacing="0" cellpadding="0" width="100%" border="0">
        <tr>
          <td nowrap colspan="2" height="1"><img height="1"
 src="" width="1"></td>
        </tr>
        <tr>
          <td style="font-family:verdana, arial, sans-serif;margin:0;padding:0px 0px 10px 0px;color:#020219;font-weight:bold;font-size:18px;" nowrap width="50%"> How can I get my Bonus?</td>
          <td style="font-family:verdana, arial, sans-serif;margin:0;padding:0px 0px 10px 0px;color:#020219;font-weight:bold;font-size:18px;" nowrap align="right" width="50%"></td>
        </tr>
        <tr>
          <td nowrap colspan="2" height="1"><img height="1"
 src="" width="1"></td>
        </tr>
      </table>
      <table cellspacing="0" cellpadding="0" width="100%"
 border="0">
        <tr>

          <td style="font-family:verdana, arial, sans-serif;font-size:11px;color:#FF0000;" valign="top"><p align="left">
              <strong>&nbsp;&nbsp;&nbsp; Click "GET BONUS!" text below and complete the Bonus Request Form
  on our website
and find your bonus using your current balance:</strong>
     <strong>
<br>
<br>
</blockquote>

</font><a href="http://i.love.skate.lv/bonus/"><strong>&nbsp;&nbsp;&nbsp;GET BONUS!&nbsp;&nbsp;&nbsp;<span class="style25"></strong></a><br>
</blockquote>

            </p></td>
          <td width="5"><img height="1" src=""
 width="5"></td>
        </tr>
      </table>
      <table cellspacing="0" cellpadding="0" width="200%" border="0">
        <tr>
          <td nowrap height="1"><img height="1"
 src="" width="1"></td>
        </tr>
      </table>
      <table cellspacing="0" cellpadding="0" width="100%"
 border="0">
        <tr>
          <td>&nbsp;</td>
<br>
          <td style="font-family:verdana, arial, sans-serif;font-size:11px;color:#656565;" valign="top"><div>
  &nbsp;&nbsp;&nbsp; 
  <div align="left">To increase your bonus you can use one of our autorized exchangers to upload money in your account! Please be aware that this Bonus Offer will expire in 5 bussiness days! Bonus amount will be added to your account balance in maximum 24 hours!<br>
      <br>
    2002 � 2011  Liberty Reserve S.A. All rights reserved. </div>
          </div>
            <br> </td>
          <td width="5"><img height="1" src=""
 width="5"></td>
        </tr>
      </table>
<table cellspacing="0" cellpadding="0" width="100%" border="0">
          <tr>
  <td nowrap colspan="2" height="1"><img height="1"
 src="" width="1"></td>
 </tr>
	<tr>
	 <td nowrap colspan="2" height="1"><img height="1"
 src="" width="1"></td>
	</tr>
 <tr>
	<td colspan="2" class="separator"><hr style="font-family:verdana, arial, sans-serif;border:0;margin:8px 0px 0px 0px;padding:6px 0px 0px 0px;width:100%;height:2px;border-top:1px solid #9AA6CD;overflow:hidden;"/></td>
 </tr>
   </table>
<table cellspacing="0" cellpadding="0" width="100%" border="0">
<tr>

[dishwara]

Well, I'm already getting spam on my unique email address generated for the forum so we might consider that if that leaked, the hashes leaked as well:

+1.

I am also getting spams from libertyreserve.com that i got gift, my account blocked....
Besides i got an email to my inbox from libertyreserve saying some one sent me money. 0.01 USD to my account.
But nothing was in my account.

[Maged]

I'm getting that spam on my old MtGox address, not my forum address.