Recent prevalence of server side hacks. by Fremdfirma

REAL WORLD EVENT DISCUSSIONS

Recent prevalence of server side hacks.

POSTED BY: FREMDFIRMA
UPDATED: Sunday, August 7, 2011 18:38
SHORT URL:
VIEWED: 782
PAGE 1 of 1

Saturday, August 6, 2011 2:24 PM

I wanna comment on this particular problem, a bit.

This is becoming more and more common.

Thing is, as email and game account services put more of the account and information on their end, and then fail to properly secure it - all *your* efforts in that regard come to naught, since it's not your security they're breaching, but the service, which is often far more vulnerable to social engineering tricks.

So what happens is some punk enters your account from that end, and spams all your friends, loots your finances if they're available, and generally raises hell - and guess who the service then blames ?
You, the user, despite that your security was never challenged, much less breached.

I've already seen it in action with Blizzard and Square-Enix, the former being really obvious when the exploiter went right down the list of guild members in alphabetical order despite them being in different time zones and countries - they wanna try to say ALL of them have the exact same virus, at the exact same time?
Yeah, right - of course for liability issues the services will not admit this, not till they're forced to, like Playstation Network was, and mind you they did LIE about it repeatedly first.
The game services have responded by selling/mailing RSA key type devices at the users expense, which doesn't bother them a whit cause they make several bucks of profit on each one, but common email services do not yet have active security of this nature - and apparently some of them keep YOUR address book, or a copy thereof, on THEIR server - there's no good reason for that, there just ain't.

Anyhows, if all YOUR efforts security-wise come to naught, it brings the question of responsibility into it when the service tries to shift blame for this to the user, after placing trusted data on their own apparently less secure servers.

What's the point of having good security on YOUR end, if the service itself can't keep your data secure, and the rush to blame the customer or just flat lie about it is goddamned insulting.

Thoughts ?

-Frem

I do not serve the Blind God.

NOTIFY: N | REPLY | REPLY WITH QUOTE | TOP | HOME

Sunday, August 7, 2011 2:30 AM

DREAMTROVE

A change in architecture is needed, more towards the wikileaks model or something solid, less located in an easy targetable manner.

The server side attack is like the bank robbery, the server has become the central depot of all information. I suspect the reliable well structured sites will get a reputation for stability, and the facebook crowd will get a different reputation, and will thus attract different audiences.

Some people do all their financial transactions through walmart

That's what a ship is, you know - it's not just a keel and a hull and a deck and sails, that's what a ship needs.

NOTIFY: Y | REPLY | REPLY WITH QUOTE | TOP | HOME

Sunday, August 7, 2011 6:35 AM

NIKI2

Gettin' old, but still a hippie at heart...

I don't quite understand about "clouds"...I think I get the general idea, but I may be missing the finer points. But what occurred to me immediately is "why would I put all my important data on someone ELSE's server, for gawd's sake?!" Is that what a cloud does, or am I getting it wrong? If that IS what it does, it seems to me it's just ASKING for trouble!

Am I correct is assuming that this thread is the result of that e-mail I got from you that wasn't from you yesterday? I've had several of those from various friends lately...it really pisses me off! But then, I'm pissed off by ALL the intrusive advertising surrounding us...on all sides...whichever way we look. We're starting to get robocall advertisements again (which we didn't for a LONG time) and I just want to scream at them. Of course, screaming at a robot does no good...

Hippie Operative Nikovich Nikita Nicovna Talibani,
Contracted Agent of Veritas Oilspillus, code name “Nike”,
signing off

NOTIFY: Y | REPLY | REPLY WITH QUOTE | TOP | HOME

Sunday, August 7, 2011 7:47 AM

FREMDFIRMA

Indeed it is, Niki - and for the scumbags, it makes sense, why waste all that effort compromising one persons computer when they can bag admin rights on the server, and bonus, they don't even need your password - so nothing YOU do matters a whit, although the service will still try to blame you, mostly to avoid liability.

Only thing they really need is knowledge of currently-live email addresses, and we all know every goddamn vender from Amazon to Zam sells the fucking things on the side - to which this will bite CSN Stores on the ass come monday, since EVERY company I deal with gets a slightly different set of contact info and therefore I know damn well WHO sold it, and the service in question is pointless to yell at cause they sure hell won't admit the breach, not unless forced to.

I mean, look how long Playstation Network played lie, lie, deny - when peoples FINANCIAL information was compromised, and for long enough that the 24hr grace period for some folk who did get ripped off had expired, leaving them in the lurch - most banks will unfuck the situation, but ONLY if you notify them within a certain time frame, usually 24 hours, and PSN's lies, denials and stalling screwed a lot of people, sure they came clean in the end, but only cause they HAD to since some folk inside started blowing the whistle.

If it was worth the time I would throw the message traceroutes in the face of that service, showing that the origination IP address was internal to their system - besides which, the PC they woulda supposedly been "sent" from happened to be unplugged and partially disassembled to install a backup system at the time, or it woulda flagged my security anyways since one of the contact list is my own email address for that very reason... but no point explaining that to some outsourced barely literate jerk who can barely speak english and is reading prepared responses off of index cards who's whole job is to stonewall and frustrate you till you go away, IF they ever bother with a person instead of sending you into phonetree carosel hell.

As you can tell I am sore pissed off, since every bit of my truly rabid security means NOTHING if the assholes on the other end play fast and loose with it there - spam is one thing, but as with the Blizzard and PSN situations, peoples financial info gets compromised too, and the first response of the service is blame-the-customer ?
Oh hell no, let's talk LEGAL LIABILITY here, this *is* one of the places our law in general needs a serious overhaul, cause as it stands via illegal and mostly unenforceable EULAs, all the onus is on the customer and none whatever on the service, even for the most drastic failures, which is completely inappropriate any way one looks at it.

I'll prolly wind up splitting the difference with Rev on a private mail server, and not no "virtual" one some other shithead runs, a physical unit in our possession and care, complete with ludicrous levels of encrypt and a goddamn RSA key login to boot - anyone who manages to hack THAT, I'll buy a full bottle of single malt, meh.
(plus other security rigs I will not mention)

Dream is right though, the whole architecture is fucked, plus the notion of putting more and more of YOUR data on THEIR servers where they can claim possession of it, sell it to scammers, and then blame YOU for not protecting it, and demand even more to "prove" your identity, the very self-same circle-cycle trap of a problem masquerading as it's own solution we have with the fucking credit reporting agencies, whom I *sincerely* hope finally get a well deserved ironshod boot in the fuckin balls by a pretty angry legislature - not so funny when it happens to YOU, is it now, congress ?

Mind you, the exploit in question is unpatchable because it's built in for the convenience of law enforcement under CALEA, once again those government mandated backdoors bite us on the ass.
So THIS, I feel, is them hoisted on their own petard.
http://www.boston.com/news/world/europe/articles/2011/08/07/hacker_gro
up_posts_data_stolen_from_70_police_websites_in_us/
Most larger police nets use active monitoring and security though, and a damn lot of them have patched over those backdoors despite it being quite, quite illegal to do so - all for me and none for thee, when it comes to freedom, right ?

Of course, were anyone to ever address the pay-per-click system and show it up for the ponzi scheme it is, throwing it on historys scrapheap, a good chunk of the spam related hacks would disappear overnight.

Anyhow, it grinds my gears, this does.

-Frem

I do not serve the Blind God.

NOTIFY: N | REPLY | REPLY WITH QUOTE | TOP | HOME

Sunday, August 7, 2011 5:54 PM

RIONAEIRE

Beir bua agus beannacht

People who do that really piss me off. I think I should rather like to shove them in a box and ship them somewhere where there aren't any computers and no parts to build them so they'll leave us alone and not mess up our stuff.

Frem, I remember emailing you a long time ago to see if you wanted to chat about something or other but then someone told me that the email you use here isn't valid anymore and that you don't check it. Is this true? If so I guess we can't email since if I send you a message on the site it won't get to you.

"A completely coherant River means writers don't deliver" KatTaya

NOTIFY: N | REPLY | REPLY WITH QUOTE | TOP | HOME

Sunday, August 7, 2011 6:37 PM

FREMDFIRMA

Oh yah, THAT email has been deader than a doornail for years and years, and there's kind of a funny story about it too.

See, I was a charter member of Juno, and very clearly recall the ORIGINAL MOTTO of the company was "Email was meant to be free!".

Then greed came into it, ads and more ads and more and more ads to where the service was groaning under the stress - it was the goddamn spinny-flashy, malware laden ADS that were eating up all the bandwidth, not the simple-text emails the users were sending, but of course in their blind short-sighted GREED they refused to see that, and then started throwing a hissy...
And then bandwidth caps, despite the goddamn popups and banners being what ate 90% of it by then, and throwing people off for daring to USE the service they were offered, an all too common attitude which I think constitutes fraud and breach of contract.
Somewhere in there they dumped the original motto on the sly, and then flat stated intention to start billing folk and throw em off when they didn't pay - at which point I went berserk, and filled the bigwigs email boxes with emails containing the phrase "Email was meant to be free!" with html display commands which, in theory would display it in letters eight feet tall, but in practice overloaded the hardware/software capabilities of the machine when opened and crashed their operating systems with ye olde blue screen of death.

They were, uhhh.. not amused.
Of course, neither was I - that bait and switch shit is bad enough, but this, this... ATTITUDE - "Oh god, how DARE you USE the service we offered you, you evil bastard!!!" - that sends me into spirals of rage, triple-especially when it is a service YOU PAID FOR.

Imagine if your power company sent you threatening letters for daring to plug in appliances, and then shut off power to you on a sweltering 90F day because oh-noes, you actually USED the electricity you're paying for!

That particular kind of Randroid Business Ethics (/sarcasm) is aided and abetted by certain useful idiots here, who rail and scream about folks collecting stuff like unemployment or social security despite paying into it for years and years, often to the point where they get far less out than they put in, AND when the deal keeps changing for the worse and their stuck with it cause it's kind of a gunpoint forced contribution deal - and yet when they DARE get some of their own back, certain so-called-conservatives have a hissy about it ?
THAT is the kind of tyranny-enabling bullshit I hate the worst, not all tyranny comes from the halls of government, in fact more of it comes from boardroom tables.

Of course, what it boils down to, what it *always* boils down to, with stuff like this, that pushes my berserk button and sends me on a rampage...

YOU. DO. NOT. BREAK. CONTRACT. WITH. ME!

Ya make a deal with me, and then maliciously, intentionally, attempt to renege on it, by the howling souls of the einherjar, imma take it out of your goddamn hide, metaphorical or otherwise.
The treacherous nature of what Juno did to their users is something I've never forgiven, and for a very long time afterwords continued to screw up and actively sabotage any effort on their part to stick it to their users.

"Email was meant to be free!"

*ahem*, err.. sorry, vennnntinnng...
*whistles and stares at a corner of the ceiling*
Annnnyhows...

I cannot recieve board messages, but I can send em, and I will toss a contact addy your way in short order here.

-Frem

I do not serve the Blind God.

NOTIFY: N | REPLY | REPLY WITH QUOTE | TOP | HOME

Sunday, August 7, 2011 6:38 PM

KWICKO

"We'll know our disinformation program is complete when everything the American public believes is false." -- William Casey, Reagan's presidential campaign manager & CIA Director (from first staff meeting in 1981)

Generally speaking, if Frem wants to send you a message, he sends it to you. I've gotten a few, but have no real way to reply, which is what his security requires, and I'm okay with that.

I found a couple odd transactions on my one credit card this month - a Netflix charge for $7.99, and then TWO refunds from Netflix for $7.99 each, for a net GAIN to me of $7.99.

Thing is, I don't have a Netflix account, and never have, and am not likely to ever have one. So where did those charges come from, and how did they get my credit card account info?

I'm guessing they got it via PSN, since they're affiliated in that Netflix is available through the PS3.

"Although it is not true that all conservatives are stupid people, it is true that most stupid people are conservatives." - John Stuart Mill

NOTIFY: Y | REPLY | REPLY WITH QUOTE | TOP | HOME

YOUR OPTIONS

SHARE THREAD

NEW POSTS TODAY

USER	POST DATE

USER

POST DATE