
Thread: Twoplustwo emails/passwords hacked. Site down

  1. #61
    Cubic Zirconia themuppets's Avatar
    Reputation
    10
    Join Date
    Apr 2012
    Posts
    19
    Load Metric
    68815968
    There's at least a few reasons why you might expect 2p2 to have some interest in maintaining the security of their site. For one thing: Although they're careful about posting the appropriate disclaimers, their site is a major hub for all kinds of marketplace activities including staking, trades and even high stakes sports betting. On top of that, extended downtime like this cuts into their bottom line. Agreed that a lot of the content, especially in the most popular subforums like NVG and BBV, is essentially worthless, but it obviously serves to engage a large audience which 2p2 is apparently successful in monetizing to some degree. Any disruption of that traffic is a threat to their business model. In fact, since finding out that the hackers outed themselves in the 2p2 mod forum, I've been wondering if this may have been an extortion attempt.

  2. #62
    Platinum Rollo Tomasi's Avatar
    Reputation
    -106
    Join Date
    Mar 2012
    Location
    Gulfstream Park
    Posts
    2,817
    Load Metric
    68815968
    i don't know anything about calypso or fancy shmancy passwords please give step by step instructions on how to be saved from the hackers.

    Quote Originally Posted by tony bagadonuts View Post

    Look Corrigan, you've been a sideshow clown around here from the jump
    It's tough to take you seriously when you've made your bones acting the fool.
    Quote Originally Posted by Brittney Griner's Clit View Post
    Which one is he?

  3. #63
    Plutonium sonatine's Avatar
    Reputation
    7382
    Join Date
    Mar 2012
    Posts
    33,459
    Load Metric
    68815968
    Quote Originally Posted by Rollo Tomasi View Post
    i don't know anything about calypso or fancy shmancy passwords please give step by step instructions on how to be saved from the hackers.




  4. #64
    Platinum Rollo Tomasi's Avatar
    Reputation
    -106
    Join Date
    Mar 2012
    Location
    Gulfstream Park
    Posts
    2,817
    Load Metric
    68815968
    Quote Originally Posted by sonatine View Post
    Quote Originally Posted by Rollo Tomasi View Post
    i don't know anything about calypso or fancy shmancy passwords please give step by step instructions on how to be saved from the hackers.




  5. #65
    Gold 408Mike's Avatar
    Reputation
    7
    Join Date
    Mar 2012
    Location
    Own a dying world
    Posts
    2,333
    Load Metric
    68815968
    Quote Originally Posted by sonatine View Post
    Quote Originally Posted by Rollo Tomasi View Post
    i don't know anything about calypso or fancy shmancy passwords please give step by step instructions on how to be saved from the hackers.



    Well done sir.
    Quote Originally Posted by sonatine
    i was pretty butt-hurt when mike said he didnt want to fuck with my home game because i was trannie-bombing threads, but ive definitely come to appreciate mike as a poster and a person and feel genuinely that the last thing on earth he deserves is a dime-store bipolar fruitcake like marty threatening him.

  6. #66
    Gold 408Mike's Avatar
    Reputation
    7
    Join Date
    Mar 2012
    Location
    Own a dying world
    Posts
    2,333
    Load Metric
    68815968
    Quote Originally Posted by Rollo Tomasi View Post
    Quote Originally Posted by sonatine View Post



    OH SNAP-- PEDO JOKES!!!!

    RUN TINE RUN!!!!

  7. #67
    Gold abrown83's Avatar
    Reputation
    430
    Join Date
    Mar 2012
    Posts
    1,972
    Load Metric
    68815968
    Was there ever any proof that they stored passwords encrypted? I love the take your word for it thing going on.

    Brute force attacks expose idiots.

    LoL at these people most likely having admin access since the change your password scare from recently.

    Can't wait till the Mods and Owner PMs get posted.

    LoL at any Web App that still uses MD5, the algorithm has been shown to have flaws since the 90's.

  8. #68
    Plutonium sonatine's Avatar
    Reputation
    7382
    Join Date
    Mar 2012
    Posts
    33,459
    Load Metric
    68815968
    Quote Originally Posted by abrown83 View Post
    LoL at any Web App that still uses MD5, the algorithm has been shown to have flaws since the 90's.
    really fascinating can i get a synopsis of this?

  9. #69
    Gold abrown83's Avatar
    Reputation
    430
    Join Date
    Mar 2012
    Posts
    1,972
    Load Metric
    68815968
    Quote Originally Posted by sonatine View Post
    Quote Originally Posted by abrown83 View Post
    LoL at any Web App that still uses MD5, the algorithm has been shown to have flaws since the 90's.
    really fascinating can i get a synopsis of this?
    The reality is that 128 bit, 32-digit hexadecimal on the whole are becoming less secure.

    Attacks have been developed that streamlined the hash starting in the 90's, then in the mid 2000's they found a simple Birthday attack could theoretically be used.

    Today with modern GPU's a couple hundred million hashes can be searched a second, usually finding a collision in a matter of seconds thus making brute force attacks a lot simpler.

    Here is a link with some of the technical explanations.

    Combine that with the number of Rainbow tables that have been published on MD5 and you have an easily beat encryption system.

    Now when you add in Salt that makes a lot of what I said basically untrue, of course the exception being if someone gets full admin access and has your tables and has access to both your hashes and your salt...then you are pretty much fucked.

    SHA-2 is the standard it hasn't been cracked in over 10 years and was created by the NSA (also it's used to encrypt BitCoins).

    SHA-3 will most likely be a 512 or 1024 bit encryption and a 64 hexadecimal hash and will be picked in 2012.

  10. #70
    PFA Emeritus Crowe Diddly's Avatar
    Reputation
    1954
    Join Date
    Mar 2012
    Posts
    6,682
    Load Metric
    68815968
    This is probably a completely hypothetical post about a friend of mine, knowmsayin?

    My friend's always been interested in this type of stuff off-hand, but he never had any background in anything like this, so he's pretty much educated by google on things like this. After reading a shitload about what anonymous was doing and how pretty much security on the web can be rather terrible if you don't know what you are doing, he decided to see just how easy it was to enter a site's db and muck around a bit. On an older laptop running backbox linux, over the course of a week, he found way over a dozen internet sites and forums that were ripe for the picking, it seemed, and many of these websites either sold memberships or products of some sort or another. With some further looking, about half of those sites were better secured than he could handle in a short amount of time, so he decided to just take the first DB available to him and see what's what after.

    With various different internet connections, tunnels, and proxies, and even a bit of Tor, over the course of a week, he found an active website/forum that was less than well-secured, lifted the entire DB of the site and forum and its just-over-1000 members, of which about 1/5 had stored CC data (acct #, 3-4 digit security code, and expiration date), along with name, addy, phone, DOB, all that bullshit in cleartext. The site's passwords were encrypted, but the salts were also present (though it took him a bit to notice that). In the course of probably half a day, an old thinkpad using a relatively short wordlist banged away offline and recovered maybe a few hundred of the passwords.

    Now, this person had dozens and dozens of accounts with pretty much all the info they'd ever want or need on these people. Other than an SSN, everything else was there. (Yes, some of the cc data was expired, but much was not.) When he looked at the list of passwords, some were long random passes, some were what appeared to be site-specific, but some were notable for not having anything to do with the site itself. For instance, if a password is rockchalkjayhawk, or SemperFidelis, or Janet030682, then the hacker knew he probably had something special, memorable, and likely used in multiple places. He picked out about a dozen or 5 of these passes and decided to try them out against the listed email accounts in the db. The very first one he picked worked, and the hacker now had complete access to a southern US state mid-level bureaucrat's hotmail address. At this point, the would-be hacker closed up this exercise, happy with the knowledge that pretty much any idiot with a little linux knowledge and the ability to find technical/detailed answers to their problems via google could cause a whole lot of havoc to a whole lot of people without a whole lot of energy, time, or bandwidth.

    One other thing stored in the db was the answer to 2 security questions. They were "favorite food" and "mother's maiden name." With info like that, you don't even need to be able to crack the passwords, because you can pretty much get them handed to you on a silver platter at a lot of sites (or have them reset).

    Now add to this whatever info could have been found on the site's PM system, and someone could social engineer the fuck out of a whole lot of people.

    My friend's online habits about passwords, email addresses, and how to handle security questions have changed greatly since this little experience. All passwords are long, random, and have mixed numbers/letters/symbols as sites allow, many different email addresses are used for different purposes, and the same password is never used twice anywhere. Also, Truecrypt is used on all machines just in case the actual hardware itself is stolen, nothing can be recovered by anyone but my friend.

  11. #71
    Platinum BetCheckBet's Avatar
    Reputation
    930
    Join Date
    Mar 2012
    Posts
    4,659
    Load Metric
    68815968
    Quote Originally Posted by abrown83 View Post
    Was there ever any proof that they stored passwords encrypted? I love the take your word for it thing going on.

    Brute force attacks expose idiots.

    LoL at these people most likely having admin access since the change your password scare from recently.

    Can't wait till the Mods and Owner PMs get posted.
    LoL at any Web App that still uses MD5, the algorithm has been shown to have flaws since the 90's.
    I must be slipping....

    I didn't even think of this.

  12. #72
    Bronze Yebsite's Avatar
    Reputation
    32
    Join Date
    Mar 2012
    Posts
    495
    Load Metric
    68815968
    [Attached image: urkel_proof_1.gif]

  13. #73
    Plutonium sonatine's Avatar
    Reputation
    7382
    Join Date
    Mar 2012
    Posts
    33,459
    Load Metric
    68815968
    Quote Originally Posted by abrown83 View Post
    Quote Originally Posted by sonatine View Post

    really fascinating can i get a synopsis of this?
    The reality is that 128 bit, 32-digit hexadecimal on the whole are becoming less secure.

    Attacks have been developed that streamlined the hash starting in the 90's, then in the mid 2000's they found a simple Birthday attack could theoretically be used.

    Today with modern GPU's a couple hundred million hashes can be searched a second, usually finding a collision in a matter of seconds thus making brute force attacks a lot simpler.

    Here is a link with some of the technical explanations.

    Combine that with the number of Rainbow tables that have been published on MD5 and you have an easily beat encryption system.

    Now when you add in Salt that makes a lot of what I said basically untrue, of course the exception being if someone gets full admin access and has your tables and has access to both your hashes and your salt...then you are pretty much fucked.

    SHA-2 is the standard it hasn't been cracked in over 10 years and was created by the NSA (also it's used to encrypt BitCoins).

    SHA-3 will most likely be a 512 or 1024 bit encryption and a 64 hexadecimal hash and will be picked in 2012.
    rings bells, thanks!

  14. #74
    Plutonium sonatine's Avatar
    Reputation
    7382
    Join Date
    Mar 2012
    Posts
    33,459
    Load Metric
    68815968
    Quote Originally Posted by Yebsite View Post
    [Attached image: urkel_proof_1.gif]

    Yeah I mean, the real question here; how secure is twoplustwo.eu?

  15. #75
    Quote Originally Posted by NoahSD View Post
    Hi Todd,
    You have no clue what you're talking about, and it's incredibly irresponsible for you to pretend that you do when this issue is serious and there's the legitimate risk that people take your terrible uninformed advice. This is actually a serious issue, and pretending to know what passwords are breakable or how salting works or what I meant to say (which you apparently think is different from what I said...) or what e-mail providers don't provide proper security etc is just so incredibly reckless.

    I won't bother to list everything that blatantly you got wrong because the list would be longer than your post, but I want to call particular attention to the many statements that you made to the effect of this one: "only bother with this if your password is easy or a dictionary word." You have absolutely no idea what an easy password is. The hacker showed that he was able to crack multiple passwords, and none of them were "dictionary words." This is because a hacker can easily try 100,000,000,000 different passwords. That means that, for example, it isn't hard to hack passwords that consist of English words with some of the letters capitalized arbitrarily, some of the letters converted into numbers or other "1337" speak, and some random numbers afterwards (e.g. "4rm4D1Ll051" is a weak password). It's also easy to hack all passwords with two english words combined, or an english word followed by a long number, or just a long number, etc etc etc. Your implication that a password is only easy to crack if it's a dictionary word is just incredibly irresponsible.
    Noah please take David Sklanksy's dashboard vibrator out of your ass for a few seconds here. You're not on 2+2 now so get off your high horse and stop throwing stupid criticisms of Druff around. A hacker can "easily try 100,000,000,000 different passwords". No they fucking cannot. Not unless they're the NSA with an acre of computers on the case. The MD5 hash is fairly time consuming and even a database of pre-computed values is only going to cover a small part of the sample space. If the hacker had access to the entire password file then running a few standard dictionary attacks or existing MD5 matches is going to scoop a reasonable number of hits. It doesn't mean they can crack passwords at will.

    Finally this isn't important. An online poker forum has had some passwords compromised. Big fucking deal. Just because you devote your entire life to nuthugging David and Mason don't assume the rest of us do. Anyone whose life can be seriously impacted if their 2+2 password was known has already screwed up.

  16. #76
    Owner Dan Druff's Avatar
    Reputation
    10176
    Join Date
    Mar 2012
    Posts
    54,860
    Blog Entries
    2
    Load Metric
    68815968
    Quote Originally Posted by ShawnFanningsLimpDick View Post
    Quote Originally Posted by NoahSD View Post
    Hi Todd,
    You have no clue what you're talking about, and it's incredibly irresponsible for you to pretend that you do when this issue is serious and there's the legitimate risk that people take your terrible uninformed advice. This is actually a serious issue, and pretending to know what passwords are breakable or how salting works or what I meant to say (which you apparently think is different from what I said...) or what e-mail providers don't provide proper security etc is just so incredibly reckless.

    I won't bother to list everything that blatantly you got wrong because the list would be longer than your post, but I want to call particular attention to the many statements that you made to the effect of this one: "only bother with this if your password is easy or a dictionary word." You have absolutely no idea what an easy password is. The hacker showed that he was able to crack multiple passwords, and none of them were "dictionary words." This is because a hacker can easily try 100,000,000,000 different passwords. That means that, for example, it isn't hard to hack passwords that consist of English words with some of the letters capitalized arbitrarily, some of the letters converted into numbers or other "1337" speak, and some random numbers afterwards (e.g. "4rm4D1Ll051" is a weak password). It's also easy to hack all passwords with two english words combined, or an english word followed by a long number, or just a long number, etc etc etc. Your implication that a password is only easy to crack if it's a dictionary word is just incredibly irresponsible.
    Noah please take David Sklanksy's dashboard vibrator out of your ass for a few seconds here. You're not on 2+2 now so get off your high horse and stop throwing stupid criticisms of Druff around. A hacker can "easily try 100,000,000,000 different passwords". No they fucking cannot. Not unless they're the NSA with an acre of computers on the case. The MD5 hash is fairly time consuming and even a database of pre-computed values is only going to cover a small part of the sample space. If the hacker had access to the entire password file then running a few standard dictionary attacks or existing MD5 matches is going to scoop a reasonable number of hits. It doesn't mean they can crack passwords at will.

    Finally this isn't important. An online poker forum has had some passwords compromised. Big fucking deal. Just because you devote your entire life to nuthugging David and Mason don't assume the rest of us do. Anyone whose life can be seriously impacted if their 2+2 password was known has already screwed up.
    And now you know why I named a blanket after this man.

  17. #77
    Gold abrown83's Avatar
    Reputation
    430
    Join Date
    Mar 2012
    Posts
    1,972
    Load Metric
    68815968
    Quote Originally Posted by ShawnFanningsLimpDick View Post
    Quote Originally Posted by NoahSD View Post
    Hi Todd,
    You have no clue what you're talking about, and it's incredibly irresponsible for you to pretend that you do when this issue is serious and there's the legitimate risk that people take your terrible uninformed advice. This is actually a serious issue, and pretending to know what passwords are breakable or how salting works or what I meant to say (which you apparently think is different from what I said...) or what e-mail providers don't provide proper security etc is just so incredibly reckless.

    I won't bother to list everything that blatantly you got wrong because the list would be longer than your post, but I want to call particular attention to the many statements that you made to the effect of this one: "only bother with this if your password is easy or a dictionary word." You have absolutely no idea what an easy password is. The hacker showed that he was able to crack multiple passwords, and none of them were "dictionary words." This is because a hacker can easily try 100,000,000,000 different passwords. That means that, for example, it isn't hard to hack passwords that consist of English words with some of the letters capitalized arbitrarily, some of the letters converted into numbers or other "1337" speak, and some random numbers afterwards (e.g. "4rm4D1Ll051" is a weak password). It's also easy to hack all passwords with two english words combined, or an english word followed by a long number, or just a long number, etc etc etc. Your implication that a password is only easy to crack if it's a dictionary word is just incredibly irresponsible.
    Noah please take David Sklanksy's dashboard vibrator out of your ass for a few seconds here. You're not on 2+2 now so get off your high horse and stop throwing stupid criticisms of Druff around. A hacker can "easily try 100,000,000,000 different passwords". No they fucking cannot. Not unless they're the NSA with an acre of computers on the case. The MD5 hash is fairly time consuming and even a database of pre-computed values is only going to cover a small part of the sample space. If the hacker had access to the entire password file then running a few standard dictionary attacks or existing MD5 matches is going to scoop a reasonable number of hits. It doesn't mean they can crack passwords at will.

    Finally this isn't important. An online poker forum has had some passwords compromised. Big fucking deal. Just because you devote your entire life to nuthugging David and Mason don't assume the rest of us do. Anyone whose life can be seriously impacted if their 2+2 password was known has already screwed up.
    This is just plain wrong. Not that I want to be in any boat that agrees with NoahSD but...

    Nvidia GeForce 8800's have been shown to fairly easily surpass 200,000,000 hashes a second. With some basic knowledge or if you know where to look online you can write something that could search a few hundred billion combinations fairly quickly.

  18. #78
    *** SCAMMER *** Jasep's Avatar
    Reputation
    2
    Join Date
    Mar 2012
    Location
    @VegasPokerRadio
    Posts
    1,630
    Load Metric
    68815968
    Regardless of whatever nerd speak you guys are involved in on this whole two plus two thing I have a question for Noah...

    Noah are you self aware? I mean, do you realize how you come across to people with the wording you use or are you just socially awkward and see no problem talking to people the way that you do?

    I agree that you are a respected member of the poker forum community but plain and simple you are a bit of a dick and should probably evaluate the way you talk to people and how you come across. We get it, you're smart, you know a lot about computers and stuff, what you have no idea about is how to talk to people and treat people with a small amount of civility. Figure that out and you will probably be an alright guy.

  19. #79
    Gold Steve-O's Avatar
    Reputation
    36
    Join Date
    Mar 2012
    Posts
    1,812
    Load Metric
    68815968
    Quote Originally Posted by Jasep View Post
    Regardless of whatever nerd speak you guys are involved in on this whole two plus two thing I have a question for Noah...

    Noah are you self aware? I mean, do you realize how you come across to people with the wording you use or are you just socially awkward and see no problem talking to people the way that you do?

    I agree that you are a respected member of the poker forum community but plain and simple you are a bit of a dick and should probably evaluate the way you talk to people and how you come across. We get it, you're smart, you know a lot about computers and stuff, what you have no idea about is how to talk to people and treat people with a small amount of civility. Figure that out and you will probably be an alright guy.


    Product of Internet poker really: It seems like 25% of Internet generation poker players are fairly normal, 50% are slightly introverted, and 25% just really have no clue how to interact with people on any level outside of 2+2 speak. They are more socially awkward than Paul Magriel and Josh Schlein combined.
    I write things about poker at my Poker Blog and elsewhere on the Internets

  20. #80
    Cubic Zirconia
    Reputation
    10
    Join Date
    Apr 2012
    Posts
    13
    Load Metric
    68815968
    Yes.. I'm aware of how I come off ITT. But, I dunno, this is a thread on an internet poker forum--It would be out-of-place to be polite. I mean.. a guy just told me to take DS's dildo out of my ass because he thinks that I was wrong about a number that I was actually right about. (Python's md5 function can do 1M in about 4.5 seconds on my laptop, so extrapolating, it can do about 1B in an hour and 100B in 4 days. I tested it before writing the post because I'm careful about the advice that I give about important matters like this. Python is slow as shit compared to a closer-to-metal language or something that makes use of the GPU, so 100B is really not conservative at all. I also checked the rainbow tables freely available online and was surprised at how much they have.) Hell, you guys are making fun of me and telling me that I don't know how to interact with other people. (I do! I swear!) That's the internet, and we all seem to be pretty happy with that.

    Anyway, I wrote up a carefully written blog post on a topic that I'm well-versed in--I run an online poker security consulting business, and I'm starting my PhD in computer science specializing in crypto in the fall--because I didn't want people to lose money/personal information to a hacker. I was careful to stress that I wasn't being a standard paranoid crypto nerd and telling people to do things to protect them from the NSA, but rather was giving them practical advice that could quite possibly mean the difference between their accounts being hacked and their accounts not being hacked as a result of 2p2's vulnerability. DD wrote up his own commentary on it that included some things that to me basically read like "Noah's basically right, but I would just ignore this part even though he thinks it's really important." He included a bunch of information that was wrong, so it was clear that he didn't actually know what he was talking about. He's got a pretty big following, so I didn't like the idea of him giving people who will probably listen to him bad advice about a really important topic.

    This is the internet, so I didn't respond so nicely. It was still tame as shit compared to like every other post in this thread, though, so I don't get why people other than DD are bothered by it. I guess it's the mixture of rude internet shit and nerdy formal stuff or something? Plus the fact that I ninja-edited, so some people (including DD) just saw a post that was like "You're wrong and stupid but I won't tell you why!!"

    Regardless, it's cool that he edited his post.
    Last edited by NoahSD; 04-29-2012 at 05:35 PM.
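
Added example (not written by any poster in this thread): the storage-side view of the MD5, salt and guess-rate discussion in posts #69 and #80. It sets unsalted MD5 beside a per-user-salted, deliberately slow PBKDF2 record and measures on the local machine how long the thread's 100B-guess budget takes under each. The function names, the record format and the iteration count are assumptions made for this example.

```python
import hashlib
import hmac
import os
import time

# Assumption: work factor chosen for this example; tune it to your own hardware.
PBKDF2_ITERATIONS = 600_000
THREAD_GUESS_BUDGET = 100_000_000_000  # the "100B" figure argued over in the thread


def md5_unsalted(password: str) -> str:
    """Weak scheme discussed in the thread: one fast hash, no salt."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Hardened scheme: random per-user salt plus a deliberately slow KDF."""
    salt = os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${key.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the KDF with the stored salt and compare in constant time."""
    try:
        scheme, iterations, salt_hex, key_hex = record.split("$")
        if scheme != "pbkdf2_sha256":
            return False
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(key_hex)
        key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations))
    except ValueError:
        return False  # malformed record
    return hmac.compare_digest(key, expected)


def guesses_per_second(hash_one_guess, seconds: float = 0.25) -> float:
    """Measure how many candidate passwords per second this machine can hash."""
    count = 0
    start = time.perf_counter()
    while time.perf_counter() - start < seconds:
        hash_one_guess(b"candidate-%d" % count)
        count += 1
    return count / (time.perf_counter() - start)


def days_to_exhaust(budget: int, rate: float) -> float:
    """Days needed to hash `budget` candidates at `rate` candidates per second."""
    return budget / rate / 86_400


def compare_schemes() -> dict:
    """Time both schemes locally and extrapolate to the thread's guess budget."""
    fixed_salt = b"\x00" * 16  # constructed value, used only for timing
    md5_rate = guesses_per_second(lambda g: hashlib.md5(g).digest())
    kdf_rate = guesses_per_second(
        lambda g: hashlib.pbkdf2_hmac("sha256", g, fixed_salt, PBKDF2_ITERATIONS))
    return {"md5_rate": md5_rate, "kdf_rate": kdf_rate,
            "md5_days": days_to_exhaust(THREAD_GUESS_BUDGET, md5_rate),
            "kdf_days": days_to_exhaust(THREAD_GUESS_BUDGET, kdf_rate)}


if __name__ == "__main__":
    # Constructed sample: two accounts that happen to share a password.
    sample = "SamplePassw0rd!"
    print("MD5 rows identical:", md5_unsalted(sample) == md5_unsalted(sample))
    a, b = hash_password(sample), hash_password(sample)
    print("Salted rows differ:", a != b, "| verifies:", verify_password(sample, a))
    for name, value in compare_schemes().items():
        print(f"{name}: {value:,.1f}")
```

The salt is stored in the same record as the derived key on purpose: it makes every row unique so precomputed tables do not apply, while the iteration count is what raises the cost of each guess.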
