11-02-05 12:59 PM
Acmlm's Board - I2 Archive - - Posts by Laxidman
User Post
Laxidman

Micro-Goomba
Level: 7

Posts: 1/13
EXP: 985
For next: 463

Since: 08-17-04
From: San Diego, CA. USA

Since last post: 240 days
Last activity: 22 days
Posted on 11-28-04 01:40 PM, in oh mah gosh Link
Base 36 works quite nicely.
Laxidman

Posted on 12-28-04 09:08 AM, in Acmlmboard Hacking Competition, 1.92, volume 1 Link
A winner is me!
Laxidman

Posted on 12-28-04 09:31 AM, in Acmlmboard Hacking Competition, 1.92, volume 1 Link
Uhh...it'd be nice to keep exploit methods away from the board. Although this board may've already been patched against it, there's still many boards out there that are still vulnerable.
Laxidman

Posted on 02-07-05 01:56 PM, in You know honestly... I am sick and tired.. Link
Originally posted by Randy53215
I really need to vent myself right now. There are a few cocksuckers on Acmlms/other boards that just get a boner finding out about board exploits.

I can't speak for others, but personally, I started looking into exploits for this board because I was curious if others had taken the same precautions I learned to take when I started web development. Acmlmboard just happened to be checked while I was in the period of "what the hell...how do these guys exist without getting hacked" phase. Even now, I occasionally check just to satisfy natural curiosity whenever I learn of something new. You see, since I do web development for others, I'm constantly learning new things to help keep the products I make for my clients stable and secure.


And for "loving" Acmlmboards they sure love to tear down communities.

Welcome to the internet.


I just love the way these people use SQL queries to log in as other users. It just amazes me on what low life pieces of shit they are.

I just love the way that software with so many holes propagated so much. It amazes me that administrators dare to insult these people when, while knowing their software is insecure, they continue to use it expecting no one to exploit it. Again, welcome to the internet.


I started on Acmlms a while back. But I am seriously thinking of leaving every fucking Acmlmboard I am on for the simple fact that this/these cocksuckers don't have anything better to do with themselves.

Do what everyone else running acmlmboard does and not attract attention. This board has been running with these holes for a hell of a long time before someone came along and started exploiting them. Your personal board quite likely never got hacked (well, until it did :/) because the community was good.

Basically, you shouldn't have to worry about being on acmlmboards unless you feel you have a reason to be affected by someone exploiting the system.


May I suggest someone making a quick fix so this/these hackers don't get hard-ons?

Edit: I just don't have time to fix this shit as I DO actually have a life to live. It's just taking up too much time managing all this stupid shit.

I believe people have tried and either due to time or lack of ability failed. Aside from the current dev team, most of the people with ability either also have lives to deal with or simply don't care to work on a project that provides them minimal benefit.

The point is, either you will make time to "fix this shit" or you take the only remaining option which is to wait for the dev team to fix the holes and make a public release.
======
Now if I can throw in some comments, I will say it annoys me whenever I read posts like this. Get it straight- you're using insecure software. Everyone knows this software is insecure. You're a TEK regular, you've heard this same spiel over and over again. Don't whine and bitch whenever someone rapes a board because someone executed an exploit that half the userbase probably already knew about. I can understand your frustration, but understand that this is what the administrators signed up for when they decided to use this software.

Also, take a look at this. The first thing that it says is "Several exploits fixed." Think for a second and say to yourself "if these exploits are fixed in this version, am I vulnerable?". If you downloaded the public release, then quite likely, you are vulnerable (along with other fixed exploits since the public release). Of course, as an administrator, you're sorta in a predicament as you have an established board that can be raped at any time. Simply put, that's your problem.

Now, it's not like other software is perfect. phpBB had a security hole a while back that lets you overwrite files or something I'm not too sure. The company did the right thing and released a patch as soon as possible and those who didn't patch got their sites raped. Those who got exploited before the patch or didn't know were just victims who had no chance, those who were exploited after the patch were just idiots who didn't bother to close the door. Of course, not everyone spends their time on a computer 24/7 and is able to keep up to date, but people are assholes, welcome to the internet.

I guess what I'm trying to say in the end is take some responsibility for the mistakes you make.

Also, as a side note, posts like yours have a tendency to exaggerate the problem. While you're just venting your feelings, remember that people are reading this.


(edited by Laxidman on 02-07-05 09:58 AM)
(edited by Laxidman on 02-07-05 10:00 AM)
Laxidman

Posted on 02-07-05 03:34 PM, in You know honestly... I am sick and tired.. Link
Originally posted by Narf

Though I'm not saying Acmlm and the others that worked on making the Acmlm board are shitty coders. Programming something as big as a whole forum system is quite complicated, and big. It's normal that the programmers make a mistake when working on something of that caliber.

Very true. Unfortunately, with the amount of holes that exist and their severity, this software shouldn't have seen such widespread distribution.



Though, what's low is that there are indeed morons that spend hours on trying to screw up someone else's work, or a website for that matter. I agree that these people should be lined up and shot. I often find exploits and security holes on websites and I have found several on AcmlmBoards in the past, though it's low to abuse that and fuck up the board.

I can't speak for everybody, but sometimes, it ends up well-deserved from the perspective of the attacker. Usually I refrain from abusing holes until I feel it's well-deserved which only happened once and that was on Xkeeper's board. After that, I alerted the dev team of my findings for them to fix and make life happy for everyone.

[Edit: Curse my selective memories. I also did the same for TEKhacks twice, but those were minor and only done to prove a point in 2 discussions about Acmlmboard security.]



Though, I'd track this bastard down. Find out who did it, and get proof that he did it (a modern server registers every move your visitors make). Once you have that, send an email to abuse@ISP_OF_THE_MORON. They can 'punish' the 'hacker' more than you can.

The answer to IP bans and logs- Proxies.


(edited by Laxidman on 02-07-05 11:38 AM)
(edited by Laxidman on 02-07-05 11:47 AM)
Laxidman

Posted on 03-01-05 04:48 AM, in Hey motherfucker Link
For those wondering, this ain't me. I went through this bullshit suspicion before antireality was hosed.

I'll throw in the same information I threw at Tamarin Calanis, the ip address is the same and unless you happen to be a hacker god, you can't steal that. If you could assimilate any ip address, internet security would go to shit. If it isn't Tamarin Calanis who did this, it's probably some neighborhood kid since he's running an unsecured wireless router. Proxies will only let you get the ip of the server they are running on so Tamarin Calanis may have a proxy on his system from some trojan or something.

I do know someone tried to frame me by giving me max stats and rank on antireality which annoyed me. I did assume it was Xkeeper who did this, but Xkeeper doesn't tend to hide himself and he denied it when I asked him about what happened to me. I thought they fixed this shit in 1.92.

I'm suffering through the aftereffects of lots o' Jolt Cola so this post will probably suck in grammar.
Laxidman

Posted on 03-02-05 04:24 AM, in Hey motherfucker Link
Not surprised people think it's me after what happened at Xkeeper's board. The exploit I used there is the now-public editprofile one that Dekker Avesque posted a patch to, I'm assuming Xkeeper found what I did and alerted you to it?

Reading the "OMG ACMLMBOARD HAX"-type threads, the people I know who are capable of hacking boards are Blacklord, Xkeeper, knuck, blackhole69, and myself. Thaddeus has a reputation of being responsible for board hackings but he would've had more fun. Other than those people, I don't know.

I read those pms that were posted here and on antireality from the hacker when I was initially suspected. My only theory regarding the style is that the posts I have here and Xkeeper's site were copied and rewritten but that would require being a target and would explain the modified account on antireality. My issue is that other than Xkeeper, I would not know who would do that. Xkeeper denies it and I doubt the other users on his board are capable of this.

Going for a long shot, it is possible that someone with a grudge against me on the translation side of the romhacking community is doing this and that would be either HighTimes or Hoky. They should not be capable of doing this but considering Hoky brought on an attack to #rom-hacking, I wouldn't be surprised. Although, I imagine that if it happened, boards I don't go to and never heard before would not be attacked.

I became admin again on Randy's board because he thought I could find something, all I have is that the hacker has the same ip as Tamarin Calanis and that it was like 50 or something hackers all fucking the site at once. It would be nice if I found out who it is because apparently he has some connection to me.

Dekker Avesque, do you mean the logging function like what antireality has? Those log the server-generated variables (generated from apache or other webserver) and aside from user-agent, I can't see how you would be able to do anything with them. I thought there was a way to fuck it, but the only place that would be possible is editing the post to modify the ip field and I don't think I even got that right. There was no point though since the logging function still gets you.

Xeogred, I never heard of your board until the start of this thread. Most of my interaction happens on IRC and my board activities mainly consist of arguing on the side of the hacker because of people like you. I would've done it here but you already replied to the type of arguments I would have made. I thought it was interesting when Randy messages me out of the blue and asks me about antireality since I remember I registered there and I believe that was during the period I was testing out the XSS stuff. If it was me, I would have already been caught since Xkeeper already had an idea it was me before I confessed.


(edited by Laxidman on 03-01-05 07:34 PM)
Laxidman

Posted on 03-02-05 04:53 AM, in Hey motherfucker Link
If he does, then I have no idea who it would be. I confessed and defended myself on Xkeeper's board so I wouldn't have any retaliatory attacks against me in this community, anything else would have to be due to bad relations between me and the few in the translation community I have problems with.

Most of the holes I know of, I already alerted to the acmlmboard dev team. I don't believe in spreading the information since someone will just use it to fuck over unpatched boards. I recall Blacklord asking me about them so he could patch his board (of course I didn't tell him), amusing that later on, I start seeing posts about him hacking boards.

Since Dekker seems to be a capable PHP programmer, I would like to think he will actually fix whatever problems are causing your guys' sites to get fucked.


(edited by Laxidman on 03-01-05 07:58 PM)
Laxidman

Posted on 03-05-05 05:35 AM, in Hey motherfucker Link
Originally posted by dan
Personally, I think you should discuss exploits on this board. Let's look at the options:

Option #1: No talking about exploits - people find out about them anyway through IRC/AIM/whatever, and cause chaos on people's boards. The "victim" doesn't know how to fix it, and as nobody is talking about it, nobody steps forward to fix it.

Option #2: Talking about exploits - People find out about them through the posts on the board, and IRC/AIM/whatever. However, as people are talking about them, the would-be victims know what to fix or where the hole is, and they fix it.

Personally, I prefer option #2. I feel tempted to repost a link to that security over obscurity article on Wikipedia, but I won't.

#1-Didn't the attacks continue even after someone posted a fix? I'd consider it not so bad to have the information spread through irc/aim/whatever since you'll likely hit less people that information is relative to than on the site the hole affects.

#2-The victims would know how to fix the problem, but now you guys have opened the door for others to hack unpatched boards. I see people will be having fun with that editprofile hole now.

I'm more of a fan of the "bother the damn dev team" option. These are *capable* people who are aware of most of the bugs and I would like to think are actually working to fix them. It sucks to have to wait for them to release new versions but I'm assuming that with these recent attacks, they're working as fast as possible to bring a new version out that addresses these issues. Least the information goes where it counts without adding more victims to the list. Unfortunately, I figure with these holes now open to the public, you guys have now added more stress to their work.

-----------------------------

Originally posted by Xeogred
If we don't use this forum for its purpose, then you can expect Acmlmboards to just sit there and wait more than several months for whenever the next releases release ... and we all know that, is something that takes awhile to be put in effect.


Shouldn't matter to you since you already got help from the dev team regarding the editprofile issue. If it's fixed in the next version, you would've already gotten it fixed, otherwise, that next version is as vulnerable as the last. What you could've done was alert the dev team the fix didn't work and as this board is running off the newer versions whatever exploit exists likely affects this and considering that they should know the code better than any of us, actually fix the problem.

I would say anybody who had read this thread with malicious intent now knows how to exploit a few boards. I say this because if I didn't already know of these holes, I would know what to attack and how by simply looking at what the patch fixes. That is, if I had malicious intent.

The patch explains what the hole is and the affected areas. Since SQL Injection has already been discussed here, anybody could figure out how to do it with a google search. There are even examples in the PHP.net article that was linked from one of the posts.

----

Remember this?

Originally posted by Jesper
If the knowledge about the exploit leaks, we can all be in deep shit and have numerous threads, posts or users lost or modified before anything can be done. Do not risk that.

[...]

We're not doing this because we can't stand criticism (in which case this announcement would not even exist), but because we can't stand data loss.

Sucks for them.

You can still get shit fixed without making the information public, just talk to the dev team. Anyways, they request you talk to them instead of making the problem worse. Granted, the problem was already bad enough before you posted about it, but you guys just now created a few more hackers that could destroy boards.

---

Pretty cruel of me to say this, but with all of information about exploits, nothing was fixed since the hacker still ended up exploiting boards. You guys only succeeded in making the problem worse.

(Sorry for all of the edits, I keep realizing that I'm missing details to produce a decent argument.)


(edited by Laxidman on 03-04-05 08:46 PM)
(edited by Laxidman on 03-04-05 08:58 PM)
(edited by Laxidman on 03-04-05 09:02 PM)
(edited by Laxidman on 03-04-05 09:28 PM)
(edited by Laxidman on 03-04-05 09:47 PM)
(edited by Laxidman on 03-04-05 09:51 PM)
Laxidman

Posted on 03-05-05 09:48 AM, in Hey motherfucker Link
Originally posted by MathOnNapkins
So what if somebody else gets attacked? If they didn't know about the problem, they will after the attack. I don't think it's better to let people idle away in ignorance of the insecurity of their boards.

You're right, and I'm sure that the posts here have spelled how insecure the board is but there's quite a difference between telling the people the board is insecure and telling people how it is insecure.

Most people just need to see a dead board (or many) and know this software is insecure. What people don't need are basically instructions on how to ruin more boards.


As Dan has pointed out, security by obscurity is not a good idea, and that is what you are proposing, Laxid.

Sorry, but these holes have existed for many many versions. Good idea or not, this is why more boards haven't been attacked. That editprofile one should work on all versions of acmlmboard which is why it was particularly bad to leak it.

I guess it all comes down to responsibility, how much fault does Dekker take if someone uses his good-intention to fuck over another board?

Hypothetically, if it was me who told the hacker that fucked over Xeogred's board how to do it, would he hold anything against me? (Considering I'm a suspect in all of this, I stress hypothetically!)

---

Originally posted by DarkSlaya
windwaker: Shut up, please. How do you think that those Acmlmboards are going to become more secure? By using magic? By being an idiot? I don't think so. Besides, we're not saying HOW to exploit the board, we're saying where those exploits are. (Note: These aren't the same. Those who could really hack already know where the exploits are, the others who don't know much about PHP wouldn't know unless they were told HOW to do it).


I'm not windwaker, but I could answer that. Acmlmboards tend to be more secure by people communicating with the dev team to patch up holes. As most people tend to go to the source to get new versions, sending your information there benefits more people and keeps that information to those who can actually do something about it.

And considering someone posted a link with examples on SQL injection and the patch discusses those exact areas, you guys basically told them how to use the exploit. Also, I'd disagree with anybody who already knows how to hack would already know the exploits. If that was the case, all of these exploits would already be fixed within the 4 years this board has been up around


(edited by Laxidman on 03-05-05 01:39 AM)
Laxidman

Posted on 03-05-05 02:40 PM, in Hey motherfucker Link
True, but people could do what Xeogred did and contact the dev team to get the fixes from them. Talking about it isn't much of an issue either unless you're giving too much information. Saying holes exist that turn people into admins is not much of an issue, but telling people how to turn themselves into admins is quite a problem. I believe that post said it was done through sql injection but didn't specify where as opposed to this post that gives the exact problem areas.


As for posting that link about SQL injection, last I checked, the PHP manual contains an article about SQL injection (hell, it may even be the same one, I'm not sure what link it is).

It's that one that was posted here.

Anyone with half a brain could find that article, as it is in a section with the heading 'security'.

Same could be said with finding these exploits but you're overestimating people. I can say that because this board has been around for 4 years and we're now just being concerned over that topic and just as they've finally gotten around to fixing XSS attacks. These are things that have been problems for many many years which is why I was surprised this board never protected against them.


(edited by Laxidman on 03-05-05 05:43 AM)
Laxidman

Posted on 03-06-05 07:45 AM, in Hey motherfucker Link
Originally posted by Xeogred
And you are contradicting yourself Laxidman, since you stated "you" were the person who told whomever who messed with my board "how" to do so, yet you're arguing against that factor that people shouldn't discuss these things with anyone else other than those of the dev team.


I used that argument as a reason NOT to discuss it with other people outside the dev team.


I guess it all comes down to responsibility, how much fault does Dekker take if someone uses his good-intention to fuck over another board?

Hypothetically, if it was me who told the hacker that fucked over Xeogred's board how to do it, would he hold anything against me? (Considering I'm a suspect in all of this, I stress hypothetically!)


Read again.
----
I thought about your post a bit and realized something, do you actually think I actually told this hacker how to break into your board?

I mean, unless I'd assume you came to that conclusion if you didn't know what hypothetically meant, otherwise, this should have said I have no idea who this person is.

Think about it for a second, if I actually taught someone how to hack your board, would I be stupid enough to mention it? This hacker has probably said nothing in this thread because he's smart enough not to get caught.

I knew saying that hypothetical bullshit would've bit me in the ass, but I hoped you had enough sense to know I was making an argument.

One thing I'd have to ask though- what is your problem? Would it satisfy you if I was involved in an attack on your board? Because we can have a repeat of the Xkeeper incident, I should be covered in a legal sense because you gave me permission to, I'll invite Thaddeus and we'll have a grand ol' time. Considering that all of the holes I exploited in 1.8 have been likely fixed, I'll have to check for holes in whatever version you're using.

I just want to state this is not a threat, it is an offer to satisfy whatever grudge you have against me. All of these posts you seem to be dead set against me for reasons unknown. I thought I covered this shit already, but apparently, you choose to ignore it. So, I'm giving you an offer, do you want me to attack your board? With the attitude you're giving me, I have no problem complying. You'll have a security test that results in posts under Xeogred whose account name has been changed to <insert person you don't like here, which I suppose would be me>.

Listen, the only reason I even posted in this thread is because I expected people to point fingers at me since Tamarin had no qualms about doing so. As with Randy's case and usually with everyone else, they all got this long spiel about how it's their fault for being an idiot and using acmlmboard, but it seemed you already were aware of that kind of response so I didn't bother. I'm just trying to defend myself while arguing my beliefs.


(edited by Laxidman on 03-05-05 10:55 PM)
(edited by Laxidman on 03-06-05 05:30 AM)
(edited by Laxidman on 03-06-05 05:32 AM)
(edited by Laxidman on 03-06-05 05:33 AM)
(edited by Laxidman on 03-06-05 05:45 AM)
Laxidman

Posted on 03-07-05 07:35 AM, in Hey motherfucker Link
Originally posted by Xeogred
Laxidman: Didn't know my post was that offensive.

Honestly, I thought you said "Hypocritically" ...

And no, I don't have anything against you, and I don't know where you got that. I was only arguing, again and again, and I probably shouldn't have even made this thread.

So YES, I completely misunderstood your original post there and by myself thinking you said "Hypocritically" I did believe you meant you told this hacker what to do ... whether or not you want to believe my humane mistake, is up to you.

But I guess I'm too late ...

Yay, for misunderstanding a post.


Not really, I was gone all day.

It's fine, though. I think I just read too much into it, sorta set me off. Sorry about that.


AcmlmBoard vl.ol (11-01-05)
© 2000-2005 Acmlm, Emuz, et al


