Yes. That is correct. That is a viable and probably the only solution.Originally Posted by Dan Druff
They can't do this if the hacker already has their old passwords.
They will have to associate it with their e-mail, to where you click a link sent to your e-mail and change your password from there.
I cannot log into my 2+2 account. The webpage that comes up doesn't have a link to log in. So cannot change my 2+2 PW. I also made that account in 2004 and do not have a clue the email account I used it with, and have no way to look up and see if it is even an account I use anymore. Guess I will have to just let things ride and hope for the best.
Hi Todd,
You have no clue what you're talking about, and it's incredibly irresponsible for you to pretend that you do when this issue is serious and there's the legitimate risk that people take your terrible uninformed advice. This is actually a serious issue, and pretending to know what passwords are breakable or how salting works or what I meant to say (which you apparently think is different from what I said...) or what e-mail providers don't provide proper security etc is just so incredibly reckless.
I won't bother to list everything that blatantly you got wrong because the list would be longer than your post, but I want to call particular attention to the many statements that you made to the effect of this one: "only bother with this if your password is easy or a dictionary word." You have absolutely no idea what an easy password is. The hacker showed that he was able to crack multiple passwords, and none of them were "dictionary words." This is because a hacker can easily try 100,000,000,000 different passwords. That means that, for example, it isn't hard to hack passwords that consist of English words with some of the letters capitalized arbitrarily, some of the letters converted into numbers or other "1337" speak, and some random numbers afterwards (e.g. "4rm4D1Ll051" is a weak password). It's also easy to hack all passwords with two english words combined, or an english word followed by a long number, or just a long number, etc etc etc. Your implication that a password is only easy to crack if it's a dictionary word is just incredibly irresponsible.
Last edited by NoahSD; 04-26-2012 at 10:23 PM.
Fuck you Noah.
Hi Noah. Welcome to PokerFraudAlert.
My post was mainly agreeing with what you wrote, so if you're calling it "terrible" and "uninformed", it doesn't speak very highly of your own blog.
I may not have as much inside information about 2+2 as you do, but I've been advising people on keeping their poker accounts secure for many years.
I am not pretending anything, and I would like you to point out specifically where you feel I am incorrect. I won't even bother trying to guess what you're referring to.
The main point of my tweeting the post was to draw attention to the fact that most e-mail systems are not very secure, and therefore this puts people at risk of their real money poker accounts being hacked once their e-mail address is known. Your blog only halfway covered this.
You correctly stated that it's a bad thing for hackers to know your e-mail address, but you suggested just changing their password rather than diassociating that particular e-mail with the important accounts elsewhere, which is the much more secure and sensible solution.
Do you remember the "Steve Da Pimp" hackings from about 5 years back? This guy was able to hack literally any AOL account from the inside (it had nothing to do with how tough their password was), and took over the accounts of many high limit poker players by hacking these e-mails and requesting their poker passwords. He would then go play at high limit tables (just for the fun of it, not with the plan of actually cashing out) and would of course lose, and there was no recourse to get the money back. At least 500k was lost this way, and perhaps over a million. High profile players such as Matt Hawrilenko, John Juanda, and many others were a vicitm of this.
If these hackers are talented (and it appears they might be), I wouldn't exactly feel comfortable knowing that the only thing that separates them from gaining access to high limit poker bankrolls is the security of e-mail systems like Yahoo and AOL.
That was my main point. The rest of my essay was agreeing with you, with just a few minor tweaks of opinion.
I'm not sure what's up with you lately. Every time someone even slightly disagrees with anything you say, you seem to take it personally.
Uhh Noah I am in the information technology field and this is indeed serious business. Does 2p2 have any disaster recovery methods in place? How can this be prevented in the future. Didn't 2p2 send out emails to each user and request that they change their password? If you asked and did not make it mandatory (i.e. send them a link to change their password or else they would be denied access) than the fault lies with 2p2. What are your password complexity requirements? It is time to rebuild Noah. Time to rebuild.
Apparently it's much easier to brute force passwords than I ever imagined. Todd, Noah is taking exception to your advice of "don't worry about your password if it's not a dictionary word". Something like RoCKs+4r3nergy575 can still be brute-forced I guess.
Hi Bootsy,
Just to clarify, I don't work for 2p2 nor do I have access to their backend implementation. I'm just a volunteer moderator. As a result, I don't know the answers to some of your questions. And, this certainly wasn't my implementation.
Also, 2p2 did not send out e-mails to each user and request that they change their password. This is because 2p2 is currently shut down while they sort shit out--You actually can't change your password right now--and, to a lesser degree, for the reasons I gave in my post, which was written when it was still possible to change your password. They of course suggested that people change their passwords on other sites if they're identical to their 2p2 password. I hope people are actually doing that.
I agree that the fault lies with 2p2. We don't know how the hacker got in yet, so we don't yet know if they're at fault for that, but it's certainly. They are at fault for using vBulletin's default hashing implementation, which is painfully insecure and pretty unforgiveable for a site that has such incredibly valuable accounts. With that said, these kind of screw ups are extremely common, so it's wise to expect them, unfortunately.
Interesting comic Noah cited in a recent blog, btw:
I'm a fan of XKCD as well.
I see you edited your post to include the above. When I responded, it only had that short paragraph at the beginning.I won't bother to list everything that blatantly you got wrong because the list would be longer than your post, but I want to call particular attention to the many statements that you made to the effect of this one: "only bother with this if your password is easy or a dictionary word." You have absolutely no idea what an easy password is. The hacker showed that he was able to crack multiple passwords, and none of them were "dictionary words." This is because a hacker can easily try 100,000,000,000 different passwords. That means that, for example, it isn't hard to hack passwords that consist of English words with some of the letters capitalized arbitrarily, some of the letters converted into numbers or other "1337" speak, and some random numbers afterwards (e.g. "4rm4D1Ll051" is a weak password). It's also easy to hack all passwords with two english words combined, or an english word followed by a long number, or just a long number, etc etc etc. Your implication that a password is only easy to crack if it's a dictionary word is just incredibly irresponsible.
Perhaps I oversimplified what constitutes a weak password, and in fact I'll go back and change my advice to clarify that.
Still, I believe your advice is overkill because most e-mail systems these days have measures in place to prevent brute force password attacks.
I would be more worried about people with the ability to hack these systems from the inside (or through social engineering).
I'm still not understanding why you're not just suggesting people to disassociate their 2+2-related e-mail addresses from anything important.
One thing that has been in my head but I am going to throw this out to Druff and to you Noah to bring up to your technical gurus. Why can't we implement secure HTTP browsing or HTTPS with high level encription that is used for online purchases, banking, etc.?Hi Bootsy,
Just to clarify, I don't work for 2p2 nor do I have access to their backend implementation. I'm just a volunteer moderator.
Also, 2p2 did not send out e-mails to each user and request that they change their password. This is because 2p2 is currently shut down while they sort shit out--You actually can't change your password right now. They suggested that people change their passwords on other sites if they're identical to their 2p2 password.
I'm not sure what 2p2's password complexity requirements were.
I agree that the fault lies with 2p2. We don't know how the hacker got in yet, so we don't yet know if they're at fault for that, but it's certainly. They are at fault for using vBulletin's default hashing implementation, which is painfully insecure and pretty unforgiveable for a site that has such incredibly valuable accounts.
To expand more on what I do, I work more on the systems engineering side on not on the development side. I am trying to bring up processes and procedures in that area.
Hi Todd,
Sorry for the ninja edit. I have a habit of posting a brief and incomplete post and then editing it quickly, which obviously isn't fair to people who read my half-finished posts. This time I was particularly slow because I'm doing a few things at once. My bad.
"Still, I believe your advice is overkill because most e-mail systems these days have measures in place to prevent brute force password attacks."
There's no way to "prevent a brute force attack" when someone gains access to the server--as happened today on 2p2 and will happen again. (Indeed, there is necessarily always at least one person with access to every server unfortunately.) The brute force that I am talking about is brute forcing hashed passwords. That's not preventable because it's something that a hacker does on his own computer.
There are also ways around those ways to "prevent a brute force attack" that you're talking about. Indeed, a hacker tried to brute force passwords in this way on 2p2 not too long, and I think he got a few accounts in spite of 2p2 using industry practices there.
"I'm still not understanding why you're not just suggesting people to disassociate their 2+2-related e-mail addresses from anything important"
I think that people are much more likely to be willing to use secure passwords than they are to use multiple e-mail addresses (that don't just all forward to a master account). Using multiple e-mail addresses is a huge pain in the ass, whereas using secure passwords is incredibly easy as long as you know what constitutes a secure password.
what a terrible post.
Why would anyone bother with a dictionary attack when they can simply modify the POST/GET destination calls within the page source to shuffle off the plaintext entry into a flatfile someplace?
Do you have some forensic evidence actually indicating the crypted passwords were attacked? Occams razor isnt pointing anywhere near that, is why I ask.
Example: did the actors access accounts that had not been logged into since the initial intrusion? If so, then yes it appears they managed to brute force passwords of course. It not, then its unlikely they would climb up a rain pipe to pick an upstairs windows lock when the front door is wide open.
Last edited by sonatine; 04-26-2012 at 10:59 PM.
The default password complexity requirements in a Windows Active Directory environment is eight characters minimum, 22 maximum, the password has to have 1 capital letter and 1 number, what my company did through group policy is to add another requirement which is a manditory symbol. Both my PFA and DD passwords do not meet those requirements and apparently they should.Hi Todd,
Sorry for the ninja edit. I have a habit of posting a brief and incomplete post and then editing it quickly, which obviously isn't fair to people who read my half-finished posts. This time I was particularly slow because I'm doing a few things at once. My bad.
"Still, I believe your advice is overkill because most e-mail systems these days have measures in place to prevent brute force password attacks."
There's no way to "prevent a brute force attack" when someone gains access to the server--as happened today on 2p2 and will happen again. (Indeed, there is necessarily always at least one person with access to every server unfortunately.) The brute force that I am talking about is brute forcing hashed passwords. That's not preventable because it's something that a hacker does on his own computer.
"I'm still not understanding why you're not just suggesting people to disassociate their 2+2-related e-mail addresses from anything important"
I think that people are much more likely to be willing to use secure passwords than they are to use multiple e-mail addresses (that don't just all forward to a master account). Using multiple e-mail addresses is a huge pain in the ass, whereas using secure passwords is incredibly easy as long as you know what constitutes a secure password.
Figuring out what sites I used that had the same password as 2p2 and then changing them is also, a gigantic pain in the ass. Noah are you saying that 2p2 was using "out of box" precautions and that is what ultimately was to blame for the issue? I am sorry if my question isn't worded right, I am not big on tech stuff, I guess what I am asking is could this have been easily prevented if certain measures were taken, whatever they may have been?
Shouldn't it be up to the individual user whether he wants to use multiple e-mails? Your blog didn't mention that suggestion at all. I felt was a huge omission, which is why I wrote that post commenting on the whole thing in the first place.Hi Todd,
Sorry for the ninja edit. I have a habit of posting a brief and incomplete post and then editing it quickly, which obviously isn't fair to people who read my half-finished posts. This time I was particularly slow because I'm doing a few things at once. My bad.
"Still, I believe your advice is overkill because most e-mail systems these days have measures in place to prevent brute force password attacks."
There's no way to "prevent a brute force attack" when someone gains access to the server--as happened today on 2p2 and will happen again. (Indeed, there is necessarily always at least one person with access to every server unfortunately.) The brute force that I am talking about is brute forcing hashed passwords. That's not preventable because it's something that a hacker does on his own computer.
There are also ways around those ways to "prevent a brute force attack" that you're talking about. Indeed, a hacker tried to brute force passwords in this way on 2p2 not too long, and I think he got a few accounts in spite of 2p2 using industry practices there.
"I'm still not understanding why you're not just suggesting people to disassociate their 2+2-related e-mail addresses from anything important"
I think that people are much more likely to be willing to use secure passwords than they are to use multiple e-mail addresses (that don't just all forward to a master account). Using multiple e-mail addresses is a huge pain in the ass, whereas using secure passwords is incredibly easy as long as you know what constitutes a secure password.
To my knowledge, nearly all of the online poker account hackings have been by way of keylogging, phishing, and server-side e-mail hacking, NOT brute-force attacks on passwords.
You say that hackers can brute force passwords by gaining access to the server and going after the hashed passwords. Yes, that can be done, but I have news for you. If someone has the ability to gain access to the server of an e-mail provider, they probably already have the ability to change people's passwords without brute-forcing anything. So, again, a strong password wouldn't help anything in such a case.
This isn't to say that I am suggesting people to choose weak passwords, but a pet peeve of mine has been people using one e-mail for everything -- including their poker accounts with hundreds of thousands of dollars -- and then being surprised when they get hacked. I think that simply encouraging people to choose good passwords gives them a false sense of security, when in reality the smartest thing to do (at least with a lot of money in a poker account) is to use different e-mails for at least those big accounts.
I'm not saying to use 20 different e-mails, but rather to identify the few accounts you REALLY never want hacked (especially if you're a high limit player), and use different e-mails for those.
BTW, I edited the post you were complaining about.
Agree. Obviously, when things go wrong, it's a big problem. Not that this in any way excuses 2p2's actions, but you really shouldn't use the same password across multiple sites that have any value. Password leaks are really common--I can't stress that enough.Figuring out what sites I used that had the same password as 2p2 and then changing them is also, a gigantic pain in the ass. Noah are you saying that 2p2 was using "out of box" precautions and that is what ultimately was to blame for the issue? I am sorry if my question isn't worded right, I am not big on tech stuff, I guess what I am asking is could this have been easily prevented if certain measures were taken, whatever they may have been?
I don't know the full extent of 2p2's implementation, and I'm not sure off-hand what's out-of-the-box on vBulletin. I do know that they used a terrible hashing algorithm, but it's also the hashing algorithm that almost everybody who's not a crypto nerd uses. That's the reason that a password leak is such a big problem--If they were one of the rare sites that actually use a secure hashing algorithm that's actually made for passwords and not a general-purpose algorithm, things would still be bad, but much less bad.
They also obviously managed to have a password leak in the first place. I don't know how this happened, so I have no idea what mistake caused it, nor do I have a sense for whether it was 2p2's fault. It's possible that the guy used a 0-day exploit in php which could have affected anybody, or it's possible that 2p2 had a really really insecure SQL inject vulnerability. The answer is probably somewhere in between.
Sorry that that's not a simple answer--It's not a simple problem.
It was probably PeterDC that did it.
There are currently 1 users browsing this thread. (0 members and 1 guests)
Reply With Quote
