There are some surprisingly stupid people that are posting in this thread and I urge them to stop immediately.
It's not what you said (nobody is disputing you know what you are talking about, and Druff basically only ADDED to what your blog said, he didn't really say it was shit or that you didn't know what you were talking about), it's how you said it. And I think plenty of people have been very nice to you considering your initial post (yes some people have flamed you, but in all honesty you deserved it). Basically what you're saying is that since it's the Internet you expect the worst from everyone so you yourself stoop to that level right from the get-go. Very nice. Just because a few people troll you you should still realize that there are plenty of people looking for a real dialogue on this topic.
Realize that nobody is disputing your knowledge, just your tact... and it's not simply from this one post that this is being judged. Maybe instead of what you posted initially, a simple "I disagree and here is why" could have accomplished the same thing?????
You're steadily climbing my list of "difficult" people in the poker world
Yeah. Rereading my original post (which I didn't do until now.. God I suck), it comes off much worse than I would've liked.
My bad, and sorry to Todd for being a dick. Someone can edit my apology into the original if they'd like.
still need step by step instructions to be protected from this hacking and other hackers
I had to create an account on this forum because of this:
and this:
These two sentences show that you do not understand how storing hashed passwords works. It may be a bit harsh, but it's the truth :-/
Quote:
Basically, when a password is hashed (encrypted), you can add a "salt" (another combination of characters) on the end of the hashed password, and then hash it again. This makes it very hard to crack the encryption unless you have the salt.
NoahSD may not be using lots of diplomacy here and some may not like his tone, but he's 100% right.
The only point of using what is called a salt is to prevent an attack based on what are called "rainbow tables" from working. If an attacker has access to the hashed password, then they have access to the salt too. Because that is precisely how the thing is supposed to work: the login credentials stored are precisely: {hashed(password + salt), salt}.
Notice that the salt is stored in plain text, next to the hash of (password + salt). Why is the salt stored in plain text next to the hash? Because otherwise it is impossible for the server to know if you entered the correct password or not. That is the reason why the salt is stored (and there's one different salt for each user).
The sole and only purpose of the salt is, once again, to defeat "rainbow tables". The last thing you want is to be 2+2 and have all your users' passwords found by someone doing a lookup in a rainbow table a few terabytes big (and that's what password hackers attacking passwords that aren't salt-protected do: look up passwords in gigantic rainbow tables).
It's still a terrible security breach and some people are going to suffer from this: besides the issue of weak passwords that are going to be cracked and potentially reused on other sites, there's also the issue of (semi-)confidential information in PMs that may have been grabbed by the hacker (you see crazy things in PMs, some people are using PMs to send NDA stuff, for example). Imagine the havoc if the attacker managed to log into a few important users' accounts and access their PMs before 2+2 pulled the plug. Not to mention that the attacker may actually have had access to the forum for days/weeks/months before starting to blackmail them or whatever.
Heck, if the attacker is chaotic he may also publish a shitload of PMs on whatever pastebin in the next few days.
It's a big fiasco and it could get ugly... But that's not a reason to spread totally bogus information as to how password storing/cracking works.
Anyone interested can read the information on Wikipedia about rainbow tables and password salts.
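The storage layout the post above describes, {hashed(password + salt), salt} with a per-user salt kept in the clear, as an added example that is not part of this thread and not vBulletin's code. It assumes PBKDF2-HMAC-SHA256 as the hash (a modern choice, not what the forum ran), a constructed in-memory user table, and a constructed three-entry lookup table standing in for a precomputed rainbow table, so that it can show both why the server must store the salt and why the same table that finds an unsalted hash finds nothing once a salt is in play.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumed work factor for PBKDF2; not a value from the thread.
ITERATIONS = 100_000


def hash_password(password: str, salt: bytes) -> bytes:
    """hash(password + salt) as the post describes, realised with PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def register(db: dict, username: str, password: str) -> None:
    """Store {hash(password + salt), salt}: a fresh random salt per user, kept in the clear."""
    salt = os.urandom(16)
    db[username] = (salt, hash_password(password, salt))


def verify(db: dict, username: str, password: str) -> bool:
    """Recompute the hash with the stored salt; without the stored salt this check is impossible."""
    record = db.get(username)
    if record is None:
        return False
    salt, stored = record
    # Constant-time comparison so the check itself does not leak how many bytes matched.
    return hmac.compare_digest(stored, hash_password(password, salt))


def unsalted_hash(password: str) -> bytes:
    """Unsalted storage: hash(password) alone, identical for every user who picks that password."""
    return hashlib.sha256(password.encode("utf-8")).digest()


def precomputed_lookup(stored_hash: bytes, table: dict) -> Optional[str]:
    """Stand-in for a rainbow-table lookup: a dict from hash to password built ahead of time."""
    return table.get(stored_hash)


def demo() -> dict:
    """Register two users with the same password and compare unsalted vs salted storage."""
    db = {}  # constructed user database: username -> (salt, hash)
    register(db, "alice", "hunter2")
    register(db, "bob", "hunter2")  # same password, different salt, different hash
    # Constructed lookup table of unsalted hashes for a few common passwords.
    table = {unsalted_hash(p): p for p in ["password", "hunter2", "123456"]}
    return {
        "alice_ok": verify(db, "alice", "hunter2"),
        "alice_wrong": verify(db, "alice", "Hunter2"),
        "same_password_same_hash": db["alice"][1] == db["bob"][1],
        "unsalted_hit": precomputed_lookup(unsalted_hash("hunter2"), table),
        "salted_hit": precomputed_lookup(db["alice"][1], table),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The salted record is no secret: anyone holding the database row has the salt, exactly as the post says, and can still try guesses one user at a time. What the salt removes is the shortcut of looking every hash up in one table built once for everybody, which is why two users with the same password end up with different stored hashes here.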
Everything here is correct except one little thing.
The person obviously has admin access into the database, if that was the case they do not need to log in to get the PMs. They are all stored in one of the database tables. If they just dumped the database they have all the PMs and don't need any passwords to gain access to them.
I don't get how you are taking this line by Druff:
"I have read on some vBulletin hacking sites that it's possible to deduce the salts and break the hashed passwords, but I wasn't sure if that was actually true. Noah claims that the hashing algorithm (md5) is "completely insecure" against this, which I suppose is possible. I was reading that on some of the hacking sites, as well."
and claiming he was saying anything concrete about salt and hash or whatever breakfast food you are cooking???? His statement seems pretty ambiguous to me if you look at the whole thing in context. Seems like you are looking at "I heard so and so killed 5 people in that movie" and only seeing "I heard so and so killed 5 people"
On a lighter note - isn't it great that 2p2 is still fucked.
Let's hope Mason is feeling a barrel full of butt hurt right now.
Didn't bother to listen to the PokerCast, but from what I hear, Mason didn't really say anything interesting or useful (surprise, surprise).
Quote:
Update May 1st
After closer inspection, it's now clear to us that the 2 + 2 Forums are more likely to come back to life next week rather than this week even though at this point in time we cannot give a definite date, and all efforts are being made to shorten the amount of downtime as much as possible. Mason will be on the next episode of the PokerCast (being recorded tonight) discussing this, and our May 2+2 Internet Magazine should be up before the weekend.
I wonder if we're ever going to find out how the hacker broke into their server, which was the important first step before the cracking of certain passwords. Was it the fault of their hosting service? Was it the fault of stupidly chosen root passwords? Was it a case of social engineering?
We may never find out, especially if it's embarrassing to twoplustwo.
There is no conceivable scenario where a guy like Mason allows for any discussion about how it was done. I was surprised to hear he would be talking about it, then not surprised at all to hear he gave no details. There is nothing ever to be gained by bringing attention to your security setup.
how the fuck is 2p2 still down
What are your thoughts on what may occur when they are back up? Will information eventually be posted somewhere, will massive swaths of the forum be deleted, will it seem like nothing happened? I really have no idea what they are doing that takes two weeks to accomplish -- of course I know nothing about hacking and what can and can't be done on that front...
Blackmail is a possibility. However, most hackers do this kinda shit for the lulz. I can see Mason wanting to protect his forum by shutting it down until a security team he hires gets to the bottom of exactly what exploit was used. At that point they will have some work to do to protect against it and that takes time. There is no doubt in my mind that they keep very regular backups and that when it comes back up it will be complete.
It's wishful thinking to assume that a hacker with an agenda to embarrass them did the job. I hope it is though.
Look at the owners of 2p2, are you telling me that that parade of weirdos did not have some deep dark shit in their PM boxes? of course they did... who knows the level of truly odd things that exist there... Maybe the hacker started out for the lulz but then realized hey... I have PMs between Mason and Sklansky explaining how they love to eat ricotta cheese out of the vaginas of blind, downs young girls and thought to himself... this may be worth something.
Not saying that's there, but really it's anyone's guess what someone could have come across.
I would bet it goes much deeper than this. As funny as the PM's might be, we've seen in the past that they'll just talk about it if it comes to that point. I would be more curious to know if there are PM's about silencing people, accusations that were swept aside, or other shadiness that would basically ruin the credibility of the owners/higher-ups there.
Here's one example: My guess is that you'll find "insiders" who contacted people through the 2+2 forum's PM system, spilling shit about UB, Full Tilt and other things. They may have been deleted on the moderators'/owners' end, or by Haley Hintze for example, but the sent copies could still be in these other accounts along with any replies. How much of that was suppressed/ignored over the years?
Maybe Russ Hamilton or Scott Tom contacted Mason or David and they've been hiding some critical correspondence all this time. There is just so much that could be in those PM's AND the Moderator Forum it's hard to even wrap my head around what the hacker might have stumbled on.
That would be awesome. It's just more likely that the culprit here gets his kicks with technology alone and not with other carbon-based lifeforms. He/they might know nothing about the forum and targeted 2+2 due to its technology platform or ISP or due to the fact so many packets flow thru gateways/routers the hackers have gained access to. So many of these cases are about the thrill of the hack. The hackers usually aren't in it to get arrested and care little about the data they gain access to.
The other possible attack vector is the backups themselves. Often companies use 3rd party services to backup and store copies in diverse locations. These backup providers become targets of hackers. Armed with a set of backups hackers could gain access to the online site.
The latest:
Update May 4th
Today's conservative target date for the forums to come back is May 12th. The 2+2 Magazine is delayed but still coming to you soon.
Another 100% valid excuse for not turning up 2+2 without total sanitation taking place first would be wanting to avoid malware being hosted or distributed via XSS from their server. Because so much of the userbase plays online poker, it would be basically inexcusable for them to risk having their server host malicious content when the end game for a successful malware attack from there would have such potentially huge financial dividends.