Hey Escapist, care to warn us about the hack?


Phlakes

Elite Member
Mar 25, 2010
4,282
0
41
Raskolnikov34 said:
Can someone explain to me what a DDoS attack is? And what's this about changing passwords?

I'm really ignorant on the area of hacking...
Stands for Direct Denial of Service. Basically, they get a bunch of people and make the site's traffic too big for the servers to handle. That's it.

So don't worry about your account or personal info.

[sub]Yet...[/sub]
 

Pointer

New member
Mar 19, 2010
78
0
0
Raskolnikov34 said:
Can someone explain to me what a DDoS attack is? And what's this about changing passwords?

I'm really ignorant on the area of hacking...
DDoS stands for distributed denial of service, and is an attack on a server where multiple servers send thousands of requests for a web page, in this case the home page, in an attempt to either slow or crash the server. I overreacted because Lulzsec did it, and thought that they would distribute information as is their MO. DDoS is something I would expect from Anonymous more than anything. And you shouldn't have to change your password.
 
Feb 13, 2008
19,430
0
0
tahrey said:
There's these things called "user lists"
Which it's illegal to have in some countries without every user's permission.

I'm pretty sure most email clients have a high-end CC ALL of less than ZP hits.

PMs are obviously different, and wouldn't work.

Thing is...not the first time it's happened. It's only with sloppy architecture like Sony had that people can do so much damage. Amazon might just stumble if hit with a botnet. Microsoft would possibly shrug it off.

Neither would send out emails purely from a single hit. Kross/Virgil put a lot of work into keeping our details safe. :)
 

Lionsfan

I miss my old avatar
Jan 29, 2010
2,842
0
0
Oh so that's why the site was down.....oh well. And apparently it wasn't a hack, just a spam attack to freeze up the Site. I don't think anything Private was stolen
 

Raskolnikov34

New member
Jun 10, 2011
105
0
0
Pointer said:
Raskolnikov34 said:
Can someone explain to me what a DDoS attack is? And what's this about changing passwords?

I'm really ignorant on the area of hacking...
DDoS stands for distributed denial of service, and is an attack on a server where multiple servers send thousands of requests for a web page, in this case the home page, in an attempt to either slow or crash the server. I overreacted because Lulzsec did it, and thought that they would distribute information as is their MO. DDoS is something I would expect from Anonymous more than anything. And you shouldn't have to change your password.
Got it, thanks for the info. (and thanks to Phlakes as well, who also responded).
 

Sniper Team 4

New member
Apr 28, 2010
5,433
0
0
Ah, so that's what happened. I was wondering why it was nearly impossible to get on the site this morning. All hackers suck. End of story.
 

StriderShinryu

New member
Dec 8, 2009
4,987
0
0
Serious or not, it would still be nice if there was some sort of recognition on the site itself. Seems odd I found out about the attack on Kotaku then, when I eventually ended up back here and things were online again, there wasn't even a note from the Editor.
 

tahrey

New member
Sep 18, 2009
1,124
0
0
The_root_of_all_evil said:
tahrey said:
There's these things called "user lists"
Which it's illegal to have in some countries without every user's permission.
What, it's illegal to have a list of the users of your system? Are you even kidding me?
Besides, it wouldn't be too unusual to either shove a clause covering serious-event-notification mass emails in the (generally blindly-skipped through) T+Cs you have to agree, or giving the option to be contacted in that way as part of sign-up. It's not like we've been born into this system and so being immune from contact on the email address we provided to them is a default human right. We chose to be here, and clicked through various agreements to sign up.

And, generally, when I'm presented with such choices, I choose to allow notification and contact of that type, but disallow everyday response-to-thread/quoting notification and the "special offers from carefully chosen 3rd party partners" spam. Hardly rocket science. So if there's a thing we really need to know about - the board is shutting down, changing name, has been compromised so all the passwords have been automatically reset and oh hey you'd be wise to change the PW on any other system where you use the same email and pass (which is a mail I got from gawker some months back) - they can get in contact, but at other times the comms channel remains dark. The way it should. If I have time to pay attention to replies or adverts, then I'm going to be on the website anyway.


I'm pretty sure most email clients have a high-end CC ALL of less than ZP hits.
What? I'm sorry, I think you accidentally a word or two, somewhere in the of that.


PMs are obviously different, and wouldn't work.
Not necessarily, users logging in would still find out about it at least, as would those who have email notifications for PMs set up (if you can even do that on here? erm). The word can still then get out in ways other than some other third party spilling the beans.


Thing is...not the first time it's happened. It's only with sloppy architecture like Sony had that people can do so much damage. Amazon might just stumble if hit with a botnet. Microsoft would possibly shrug it off.

Neither would send out emails purely from a single hit. Kross/Virgil put a lot of work into keeping our details safe. :)
Well, as I think I might have already said on being corrected earlier, we're dealing with two different classes of attack, not just degrees of the same type, and of system responses to it. What the Escapist actually seemed to suffer was a DDoS, a fairly common and not particularly significant thing (unless, say, you're a financial or military body where loss of access at a particular time can be catastrophic, and was the entire reason for the creation of ARPANET in the first place). Hence, not getting notified about it. Your security, and your system, would have to be monumentally, almost actively dumb to barf user account details across the net on being DDoS botnetted (it's like pre-linux Unix behaviour, almost... brain-damaged reactions to a buffer overflow that shouldn't even have been allowed to happen), and users would get pissed off at being told about it every time someone had a pop.

Now, Sony didn't go down from a DDoS. Someone actually managed to gain "unauthorised" access onto their system (by whatever means - maybe a botnet that managed to snag login details from one of their admins, or just bruteforcing it, I haven't actually paid attention to THAT bit), downloaded a bunch of sensitive, inexplicably unencrypted user account detail files and, presumably, caused a buttload of other damage in the process. Sony then "promptly" (ok, after a good few days delay) turtled and SHUT DOWN F***ING EVERYTHING, as the paraphrased livejournal cliche goes, in order to prevent anyone else using the same methods to regain entry and cause more havoc, and to figure out exactly what happened and how to prevent it in future, perhaps, maybe, or whether it'd just be cheaper to pay compensation to those who bother to claim it.

Horse, meet bolted stable door from the outside. Except there's a lot of horses still in the stable.... and a lot of genuine jockeys queueing up outside the livery, wondering why they can't get the ride they've paid for.

But that's not the same as what Escapist apparently suffered. All the same, if the guys who set the site up actually know what they're doing, I should hope that the response to a similar kind of attack wouldn't have anything like the same result.
 
Feb 13, 2008
19,430
0
0
tahrey said:
Talking about things I already know
If you've been on holiday for long enough that it's taken you three weeks to respond, how about you talk to the people involved and find out exactly why they did what they did.

I did.

BTW, user list can be classed as illegal due to the DPA among others. PMs won't work because they can be infected, as will re-directs. Users can't log into a system that's bunkered down - That's the entire point of it.

Shut Down Everything isn't LJ, it's from Pandemic 2. President Madagascar to be precise.

Now if you want to carry on complaining, please do, but don't quote me in. I've already done my research.

Sony went down to someone rewiring a node up to a supernode and skimming all the information that passed through it. The fact that none of it was encrypted, as any serious security would demand, is why they're going through the shit.
 

tahrey

New member
Sep 18, 2009
1,124
0
0
OK, a point by point refutation, as it's lunchtime, I'm having to deal with long hold times to insurers on the phone, and you appear to be posting from the moon or something.

Not holiday - working, being ill, dealing with hardware failure, impending house move, and would-be-creditors who don't understand that signing off "I certify the above information is true and correct" on a money laundering monitoring form when they actually intend to lie constitutes an act of fraud. In all likelihood I won't get a proper holiday this year, for the second year on the trot.

But, I'm glad that you have such an optimistic view of my life. It's a nice hope that it may turn out to be true.

Anyway I don't know the people involved, and unless they wanted to talk to me direct or my grievance was strong enough that it seemed appropriate to escalate it and bother them about it - neither case came true - I wouldn't presume to do that. Part of what I was saying was, indeed, "things you already know" as I was altering my response and standpoint based on the information that yourself and others fed back about what had really happened (which, as per my original beef, we didn't get told direct; but then, as per my immediately previous post, we arguably didn't need to be and it was blown out of proportion).

There's nothing wrong with having a list of your users, under the Data Protection Act, so long as it's kept safe and can't be stolen by hackers. In fact, for the system to operate at all, there must be SOME list SOMEWHERE in the database. Otherwise how is it going to authenticate your logon, run the private message thing, show your avatar next to your posts? How can the NHS patient records tracking system continue to run without a stored and employee-accessible list of said patients? By securing said data in ways that satisfy the DPA. Don't act as if you know unless you actually do; and if you do, get your facts straight. I've had to work with that stuff before.

Said list may not extend to having all users' email addresses in the Escapist admins' outlook addressbooks, which would be faintly ludicrous (but not outside the realms of possibility - and possible to secure so long as reasonable steps were taken), but I wouldn't think it too difficult to have a facility in, say, the board software that could send an email notification to all registered users at the email address they used to register. I've been a member of other boards where the admins have made use of this, FFS - it's the whole reason I brought it up. Again, facts: straighten them.

How are you suggesting "PMs would be infected"? Infected with what? The problem under discussion was the potential theft of user details, passwords, emails etc. And... "re-directs"? Are you high?

Of course people can't log in and read their PMs. Folk like myself may not do so very often anyway. THAT'S THE REASON YOU SEND OUT THE EMAILS. Plain text. A couple of lines.

Once more, Gawker did this previously when they came under attack and actually had their password database compromised. I got the email from them in my registered account, and once they were back up, logged in with the reset password they provided, changed it to something novel, and then changed it on the associated email/etc accounts.

I'm not suggesting anything unusual, non-standard, difficult, brand-new or illegal.

"Shut Down Everything" may well have been from Pandemic 2, but I didn't even know it existed (I think I vaguely remember the original Pandemic - the thing with the zombie plague, right?), let alone played it or have it at the top of my meme list. A quick google shows it was released mid-2008...

...however, the PARAPHRASED, as in, NOT copied verbatim but echoed "in the style of" phrase was actually a mutation from an old LiveJournal (remember that?) meme, way back in the days of Cracky-chan and the like on 4chan (must be like, what... 2006, now?), where a spooked/panicking, sulking or otherwise flouncing LJ'er would "delete fucking everything" (or, DFA), close and lock their account in response to stalking, abuse, general disagreement with their crazy opinions/terrible art, or other unwanted attention. Which fits fairly closely with the Sony reaction to Lulzsec - they frobbed the big red "emergency stop" button, and didn't untrip the breaker for quite some time.

So, I'm still going to
The_root_of_all_evil said:
quote {you} in
- you may have done your research, but I feel at least some of it is {inadequate/misguided/incomplete/insert comedy fourth option}.

I care very little for how the Sony hack was carried out, I don't doubt it was done as you say, but I don't entirely understand what you mean (...do you?), and at this point it's irrelevant to the discussion. Yes, of course their lack of encryption is what got them in trouble - if I interpret you properly, then they didn't have their passwords going via https or SSL or whatever, and didn't have a secondary level of security (e.g. a bank style security question answered from a randomised dropdown list that you only get to see after submitting the correct name/pass anyway), making it trivially easy to run wild through their systems once they managed to packet sniff an admin's login - but again... that's not what we're discussing. So long as the Escapist is following better basic procedures than Sony did, which we hope they do, and the attack was a DDoS anyway, it doesn't matter. The issue is one of a lack of communication of a potentially serious issue to those who may be affected by it.

I'd also like to add, as an aside, a point of extreme irony to the Sony case in that they've always previously been so goddamn careful to make sure that their users can't copy even their OWN recordings (past the first generation) by implementing various pernicious DRM schemes. Though I suppose we can see the roots of the wooly thinking that backed up their systemic "eh, one layer is enough" provisions in that you could get around the ATRAC/SPDIF no-copy bits with a fairly simple circuit that sat in-between the two devices on the digital link and just stripped said bits out of the stream (or more accurately, set them to zero on each frame that passed through). No encryption, no checksumming, just presence/no presence of the requisite bits - and similar with the Playstation copy protection, the cruddiest of which could be faked out with a piece of Lego. They make their stuff moron-proof, but skip straight to that stage without going through "idiot proof" first.
 

Pointer

New member
Mar 19, 2010
78
0
0
Pointer said:
things you said
tahrey said:
We did directly address users. Sorry if you happened to not read the ten trillion threads that spawned in the weeks following the "attack". Absolutely nothing happened. Nothing was compromised. If you have a complaint, either PM me or send in a ticket like everyone else. Posting this here is just sensationalizing and will be treated as such.
 

Kross

World Breaker
Sep 27, 2004
854
0
0
Pointer said:
Edit: I overreacted to the situation and it is not nearly as dangerous as I thought. It was a DDoS attack, not really a hack to steal your information. I didn't that information had circulated and the measures were being taken. I'm sorry. I thought that considering it is Lulzsec, and that their MO tends to be information theft, that they would do the same here. Thanks goes to the sys admins of the Escapist for working hard to stop the hacks.


http://www.gamepro.com/article/news/220418/updated-lulzsec-topples-eve-online-escapist-magazine-minecraft-and-league-of-legends-servers/

Lulzsec invaded the Escapist. While it doesn't say anything in the article about whether or not user data was stolen, why am I reading it there? Shouldn't I be getting an e-mail from you guys, or at the very least shouldn't you post this up on the main news site so that people can change their passwords, etc. before anything happens?
Why would we acknowledge script kiddies with a Twitter account that discovered how to use a botnet? It only gives them attention/feeds trolls and they didn't accomplish anything except for flooding our web servers offline for a few hours. We've been through many more severe attacks than this in the past (this was relatively minor as DDoS's go, we just don't have much extra in the way of hardware to soak heavy page refreshing), but I'm sorry we didn't say anything as a news post.

If you want, you can follow my Twitter feed [http://twitter.com/Unaz], as I'll usually post anything unusual there (along with random other crap you're probably not interested in), or as news in the Tech team group [http://www.escapistmagazine.com/groups/view/Tech-Team].
 

tahrey

New member
Sep 18, 2009
1,124
0
0
OK. Guys. Look. I know. I know already. I'm not complaining about it any more. Please read my previous post. I was having it out with the other dude who seems, for some reason, to think e.g. that securely keeping track of who's signed up to your forum, and using that information (possibly in a double-blind fashion, i.e. only the server knows the email addresses and decodes them internally without you ever having access) to send them important messages in a way that many other sites do somehow compromises the Data Protection Act... which even if that was correct, doesn't apply worldwide.

As in the posting that Kross / Pointer quoted, the only news that I got was something that came through from elsewhere that "we" had been hacked by Lulzsec, and as the headline-bothering fallout from some of their other antics - despite them being botnet-abusing script kiddies - had been quite damaging previously (cf: PSN going down for a couple weeks, piles of user passwords and credit card details being compromised, breaking into lower-security military networks, etc) it seemed like it was being hushed up for some reason.

I didn't mean to (over-) sensationalise it in any way, I was just after some answers.

Once the truth was out that it was actually little more than a poorly executed DDoS attempt, and it was Lulzsec sensationalising it, I wasn't really bothered about that side of it any more (as I've pointed out 2 or 3 times already), as I can understand such things are common enough that my spam filter would start flagging the notifications, but the genie was out of the bottle and the arguments had started.

No, I didn't see any of the "trillions of threads" mentioning it. I don't often scout through the top levels of the various boards (just click on things on the hot threads sidebar that interest me - they're all I tend to have time for, and more), so if there was mention in there I missed it, and --- fully my own fault, mea culpa --- I forgot to do a general search for mentions. However, once again, at the point of posting, it sounded like a far more serious breach, and last time a board I had an account with suffered one of those, it didn't take until "whenever I next log in" to be directly informed, so I may have said the same things even if I'd seen the topic titles (...but, again foolishly, not read the body text).

(Or maybe I did and there was nothing there. Without a screencapture record, I can't prove it)

I didn't even KNOW there was a support ticketing system or the like, or who to contact, hence putting it in an open thread. I'm not familiar with having those on typical discussion boards. A good thing, though - if I have a problem in future, I'll use it, if I can find it ;)
(I presume go to the top level, find the Help board, and post in there?)

Sorry if this has bothered you. I'm quite happy to leave this where it is, if you want to lock it, delete the whole thread, whatever. The matter has passed, and beyond the initial scare was a non-issue anyway.