gbaTMW.net is offline again

Discussion in 'General Discussion' started by richard_brooksid, Mar 10, 2009.

  1. richard_brooksid

    richard_brooksid Well-Known Member

    FYI: GBATMW.net (GBA The Movie Way) is off-line again. The link is broken and the Google cache redirects you to the message "This account has been suspended." Last time this happened with this site, it was due to someone cracking the site and defacing the homepage (not sure if that is the case this time though).

    Anyone know if they were expecting to go off-line or if this is indeed an unscheduled outage?
     
  2. anandjones

    anandjones Well-Known Member

    This didn't happen last time chuckstudios hacked it, instead he just put some image of a bodybuilder on. I'm sure it'll be up soon enough.
     
  3. richard_brooksid

    richard_brooksid Well-Known Member

    Cool - thanks......
     
  4. captainbitter

    captainbitter Well-Known Member

    I left when I got that email a few months ago that it had been hacked and all the info that was saved (Passwords, email, etc.) was probably compromised. A shame, it was a great idea, having all those movies and stuff on one site. Is there any way romulation could pick up the torch? ;)
     
  5. richard_brooksid

    richard_brooksid Well-Known Member

    They are back online again and the note posted on the portal is pasted below. They were hacked again and are warning people to use strong passwords as their password database may have been dumped.....

    excerpt from: http://gbatmw.net/portal.php
    Code:
    Some of you may have noticed our down time recently. If you went onto IRC, you may have even heard why. Yes, we were hacked. Why? How?
    
    It's quite embarrassing really.
    
    It seems that a program posted on the forum claiming to generate rapidshare premium accounts *actually* uploaded your firefox profile to some FTP site somewhere. I ran the program in SandboxIE (a very good program by the way), but for whatever reason that didn't stop it. I think it's because it was only reading rather than writing to my computer.
    
    The result? Every password I had in my firefox stored passwords list became available to the script-kiddies involved. Fortunately, I reinstalled windows last week, so there weren't very many. They did manage to take control of my email, paypal account, ebay account and tried to buy a lot of Xbox Live points. Fortunately gmail has a good account-recovery system.
    
    Sadly, the dildo I won on ebay will never arrive, but fortunately I won't get negative feedback for not paying.
    
    The database may have been dumped (again...), but the passwords are all encrypted and would take days or weeks to crack (use strong passwords, people!). I've learnt an important lesson (never run untrusted programs, ever. Even if you think they're sandboxed), and everyone's happy.
    
    We have lost a few hours (maybe day) of posts and user registrations. If you made anything very important, I'm sorry, but I can't get it back.
    
    We do know the IP address and rough location of one of the people that did it (he was behind 7 boxxies, but somehow that didn't stop him logging into our server via FTP with his IP address), and the relevant authorities have been informed.
    
    I hope you all enjoyed two days without DS media!
     
  6. Seph

    Seph Administrator Staff Member

    Two times is a wee bit much... And from that text it sounds like they didn't have the passwords "encrypted" the first time.

    It really leaves me with a bad taste in the mouth. First of all, you don't encrypt passwords, you hash them; the difference is that encryption can be reversed, hashing can't. This all points to the fact that they really have no idea how to use basic password security such as tokens and salts. If they didn't use salt then one run through a rainbow table and most likely a collision will be found for more than 70% of the passwords. I'm glad I don't have an account there.
     
  7. Loonylion

    Loonylion Administrator Staff Member

    meh hashing is one time encryption so technically it's also correct to say encrypted when it's actually hashed.
     
  8. richard_brooksid

    richard_brooksid Well-Known Member

    I agree that to be hashed would also mean to be encrypted but the part that worries me is they also say it would take "...days or weeks to crack..." That infers it was NOT a one-way hash (or they don't understand the basics as seph points out).

    I have an account there but the pwd is not used anywhere else and the e-mail address is a throw away.
     
  9. Seph

    Seph Administrator Staff Member

    Hashing is not one time? (you mean way?) encryption. Encryption implies that it's reversible, a hash is impossible to reverse. That's what makes them secure in the first place. Sure, you can find a collision where a string will give a matching hash as your password, but there are no guarantees it will be the real password, so you can't ever really learn a user's password.

    This means that if you take a string that matched on site A and use it as a password on site B then it won't match since site B uses a different salt for the hashing. Unless of course they did get lucky and get the right collision, but then you used a shitty password and deserved it. :p
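
Added example, not part of the thread or of either site's code: a Python sketch of the point argued in the posts above, that unsalted hashes fall to a precomputed table while a per-password salt makes the same password hash differently on each site. The plain dictionary stands in for a rainbow table, and PBKDF2, the iteration count and all function names are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os

COMMON_PASSWORDS = ["123456", "password", "letmein", "dragon", "qwerty"]  # constructed sample


def unsalted_hash(password):
    """Fast, unsalted digest: the weak storage scheme the thread warns about."""
    return hashlib.sha256(password.encode()).hexdigest()


def build_lookup_table(candidates):
    """Precompute digest -> password once; reusable against any unsalted dump."""
    return {unsalted_hash(p): p for p in candidates}


def hash_password(password, salt=None, iterations=200_000):
    """Salted, deliberately slow hash (PBKDF2-HMAC-SHA256). Returns (salt, digest)."""
    if salt is None:
        salt = os.urandom(16)  # unique random salt per stored password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, digest


def verify_password(password, salt, expected, iterations=200_000):
    """Recompute with the stored salt and compare in constant time."""
    _, digest = hash_password(password, salt, iterations)
    return hmac.compare_digest(digest, expected)


def demo():
    table = build_lookup_table(COMMON_PASSWORDS)
    # Unsalted: a single dictionary lookup recovers the password from the digest.
    recovered = table.get(unsalted_hash("letmein"))
    # Salted: the same password on "site A" and "site B" yields unrelated digests.
    salt_a, digest_a = hash_password("letmein")
    _, digest_b = hash_password("letmein")
    return {
        "unsalted_recovered": recovered,
        "salted_digests_differ": digest_a != digest_b,
        "salted_in_table": digest_a.hex() in table,
        "verify_ok": verify_password("letmein", salt_a, digest_a),
        "verify_wrong": verify_password("dragon", salt_a, digest_a),
    }


if __name__ == "__main__":
    print(demo())
```

The salt is stored next to the digest and is not secret; its job is to force a separate guessing effort per account, while the iteration count makes each guess slow.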