The problem also lies with anonymous proxy services which allows these users to hide their identity, and the fact that the proxy owners are not required by any law to keep any logs of their usage, meaning that the users are in fact, untraceable

_________________
---
Sibbi

Disclaimer:
The opinions stated do not neccesarily represent those of my employer.

@sibby
Its not that like someone just use some public proxy, which should or shouldn't have a logs. There is a lot of ppls with botnets, boxes of which infected and being as proxy do what owners of botnet want to do. There is also services which provide you hacked boxes with proxies per small amount from the same botnets. There is also hacked linux boxes, where you yourself can setup any kind of proxy and do whatever you want. I.e. its all pretty easy if you want be annonimouse, and real owners of proxie-bots even do not know what happens, not saying that they should or should't have a monitoring of that activity or save the logs.

Just what the fun to do it, and choice Trevor as victim, when you are adult, and when you have no betefits from it at all (as its pretty undestanable , that hoax will be hoax).

Last edited by kas1e on 11-Jan-2012 at 11:39 AM.
Last edited by kas1e on 11-Jan-2012 at 11:37 AM.

_________________
Join us to improve dopus5!
zerohero's mirror of os4/os3 crosscompiler suites

Quote:

We are sorry to admit it but it seems AmigaWorld.Net was hacked today.

Is there anything to suggest this breech originated from Amigaworld?

At least another 4 community related websites were accessed also , Amiga.org, MorphZone etc.. so assuming his password was the same for all, couldn't the source equally be from one of them sites?

Last edited by Akiko on 11-Jan-2012 at 12:05 PM.

_________________
4000T/BFG9060
CD32/Elsat ProModule, TF360
CD32/ Edu's CD32 <> A1200 Adapter, Vampire V2
CD32/ FMV Module

BUT BUT BUT!!

my password is GOD , damn

i gotta changed it to GOD123 then.

---

damn i hate hackers and i hate changing passwords as they gotta be different on every site to be sure :(

Whats this thing about Trevor's account being hacked???

_________________
See my blog and collection website! . https://www.blog.amigaguru.com

@Taks

Quote:

Whats this thing about Trevor's account being hacked???

What we know is that someone got access to Trevor's account, and two more accounts at least. It was basically used to post some false information which quite quickly could be corrected. We have fixed Trevor's account so he has access to it again. It seems the hacker did not change the passwords of the other two users he posted from.

We're still looking into it and can't really say anything yet.

Regards,
Joachim Birging

AmigaWorld.Net staff

_________________
Common sense - So rare it's almost like a super power

This was not a joke.
It has to be seen as an attempt of commercial sabotage using electronic means .


Quote:

Poster: OlafS25 Date: 11-Jan-2012 11:15:18 I do not know why people waste time by doing this kind of "jokes". (besides it is a crime but when noone know where the hacker got the password nobody can do anything)

_________________
Sam460ex : Radeon Rx550 Single slot Video Card : SIL3112 SATA card

Spectre: My password was Money for nothing :P

and I was going to use "chicks for free"

Quote:

Spectre: My password was Money for nothing :P

_________________
Sam460ex : Radeon Rx550 Single slot Video Card : SIL3112 SATA card

The important thing is to change the passwords from the users that have extra privileges.

The normal user account could be used to exploit security holes, but then again anyone from everywhere could create a normal user account, no need to use an existing one in order to do so.
Check if there are security holes that can lead to system breach (even from simple accounts). There are plenty of sites that inform regularely for such exploits.

_________________
Ordell Robbie: Is she dead, yes or no?
Louis: Pretty much.

@Cass

The advice is mainly meant to protect users from someone having access to their private messages and/or posting in their name because they've somehow gained access to the user passwords. We don't know how, where or how many passwords they have, which is why this is just a general warning...

_________________
---
Sibbi

Disclaimer:
The opinions stated do not neccesarily represent those of my employer.

@ sibbi

Besides using too simple passwords for accounts is a risk of the individual user himself, a totally unsecured login as exists with amigaworld.net opens all doors for sniffing plaintext login data which is the by far bigger security issue than one single, too simple chosen user password.

The login names on the portal don't have any relation to the server itself, they are only valid within the portal, access to the server management ports is blocked except for a select few IP addresses of the server adminstrators. Of course if someone has found a hole in our portal system they could have access to the server as the user that webserver runs under.

To sniff the traffic you would also require elevated privileges which would require you to have quite a bit more access to the server than the webserver does, it's not impossible, but would require another exploit to find some way of gaining elevated privileges through a known security bug in a server binary.

That being said we've discussed using SSL encryption for the login to the site, the main problem being the additional yearly cost for operating the site (the cost of applying for and renewing the certificate).

We do try our best to keep everything patched and up to date and we filter access to the server as much as possible, but of course it's never impossible that someone could gain access to it and no Internet site could ever make such a claim.

_________________
---
Sibbi

Disclaimer:
The opinions stated do not neccesarily represent those of my employer.

@Sprocki
Quote:

......a totally unsecured login as exists with amigaworld.net opens all doors for sniffing plaintext login data which is the by far bigger security issue than one single, too simple chosen user password.

It's already been stated that the passwords are stored as md5 not plain text

_________________
Peter Swallow.
A1XEG3-800 [IBM 750FX PowerPC], running OS4.1FE, using ac97 onboard sound.

"There are 10 types of people in the world: those who understand binary, and those who don't."

@Swoop
Quote:

It's already been stated that the passwords are stored as md5 not plain text

Yes, the Database is MD5 encrypted, but the login itself is plain text.
To encrypt that, SSL is needed.

_________________
Site admins are people too..pooff!

And the big question, why all amiga sites was hacked?
And for what someone our passwords?
And what security have this Amiga sites?

@Templario
Only what, because security of have. Site hacked was, amiga if they have. Someone why our, password, amiga.

Securite are 64%.

Last edited by kas1e on 11-Jan-2012 at 05:26 PM.

_________________
Join us to improve dopus5!
zerohero's mirror of os4/os3 crosscompiler suites

Any news today on where the hack originated from? Did it start here, or on another site, or can anyone tell where they got Trevor's password(s) from?

Were other member accounts also breached at the same time? If yes, this might help in determining if this site was the one that was attacked and broken into, or if they got the passwords from another site.

_________________
Amiga! The computer that inspired so many, to accomplish so much, but has ended up in the hands of . . . . . . . . . .

Quote:

It's already been stated that the passwords are stored as md5 not plain text

MD5 passwords are todays as secure as plain text ones, they can be cracked within seconds/minutes...(unless a salt is being used and that wasn't compromised..)

I've changed my password to "password2012"

Do you think that is a secure enough password?

thank you

_________________
-- --
aka Tony Rocks

Since this is the only site where the hacker(s) used my and PRs account as well one would think that they hacked this site first. My password was just a word but nothing related to me or the Amiga (or even computers in anyway). It wasn't something like "Qsjdflkgj80q2345jnovASRghu9348" though.