Site hack and PW change, take 2

Yesterday's explanation did not answer all of your concerns initially, so after trying to answer each of them one by one last night, I am reposting with a fuller narrative of what happened.

Three days ago UFC president Dana White's screen name on the UG offered to do a Q&A. The answers were plausible, although a little over-punctuated and, oddly, curse free. It wasn't actually odd, as it wasn't DFW, as we learned when we texted him for confirmation.

We locked the account, changed the PW, let Dana know, and started trying to track down what happened. The next day Dan Henderson's screen name on the UG posted a gif directed at Michael Bisping. The Count's screen name on the UG responded immediately. That thread was patently bogus, and was quickly frozen.

Shortly afterwards, we discovered that the screen names were the work of UGer MentaL. He had also logged in as a government official, Nevada State AC executive director attorney Keith Kizer. I emailed MentaL and he responded that it had indeed been him.

Over dozens of sometimes puzzling emails, I came to understand what happened.

Two years ago, MentaL discovered a hole in our security, and very helpfully alerted us to it. We immediately fixed the hole. Should someone use that hole to gain access to the site, your login information (email address and password) is still encrypted, even if it was downloaded.

At the time I did not alert everyone, and force a change of everyone's passwords. It is like I owned a fight gym and a member of it said "Hey, that dog door is big enough so that a ninja could wriggle through it, and come in here and do whatever he wants."

Once inside the guy could burn the place down, pee in the cage, try every combination on the combination locks on the gym lockers and find out your email address and password for a fight site inside them, and dozens of other things. The alert was from a friendly member of the gym, with no indication he had wriggled through the hole, and no indication he had then tried every combination on some of the lockers and discovered passwords for an MMA site.

With the recent credit card issues at Target, people naturally worried that their credit card information was compromised. We do not retain credit card info. Thus no matter how much snooping around or picking of padlocks he managed to do, your credit card information was never compromised, as it is not there. Your credit card info is safe.

I nailed the dog door shut immediately, and had them audit our security. And I did not tell everyone here.

For two years I did not get any indication that anyone else had found the hole, never mind downloaded user login info, and then cracked some of it.

However, unbeknownst to me, MentaL had indeed downloaded at least part of the user login information. Further, he cracked some of it. Apparently, using something called a Rainbow Table, if you can guess an email address, and the password is relatively simple (say all numbers and not that many of them), then it is not that tough to get the password.

Using two-year-old information, MentaL was able to crack the DFW, Hendo, and Bisping accounts (all of which meet the above criteria), and post as if he was them. His reasons were twofold. First, he thought you guys would get a kick out of it. Second, he thinks two years ago I should have told everyone to change their password, because someone else could have exploited the hole he found, and then downloaded the login info, and then cracked some of it, and then used the info for ill ends, like trying the same email and password combo on Amazon, or PayPal, or any other site.

So that is his reasoning for cracking the logins of prominent figures. The reason he downloaded the encrypted user login info in the first place was, as he put it, as a "trophy." I don't know or understand hacker culture, but apparently downloading data of this nature as a trophy of what you were able to hack into is a common occurrence.

To people worried that MentaL has hacked your login info and is using it for malevolent purposes, please know that he hacked BitTorrent last summer. You can read about it here. If he was going to cause any trouble, that is literally 1,000,000 times bigger than the UG. And he loves the UG. He was trying to help you, and did not anticipate how you, or anyone, would naturally react.

We built a function that is forcing everyone to choose a new password. Initially we exempted people who had changed their login more recently than the login info download, but that was problematic, so everyone has to change their password.

We can institute changes on the UG, but apps are fixed and cannot be changed without a long review process, so if you access the UG exclusively from a smartphone app, you should get to a desktop and change your login information.

The process is done from the top Nav bar:
>Site Settings
>>Login Settings
>>>Change Password
>>>Change Email

If you used the same password here as on other sites, you should change those too. It is never good practice to use the same password across multiple sites.

We also added a function that freezes your account if you try too many times to log in with a bad password. This was done to deter brute force attacks on our login.

After the credit card fears, the biggest question I am getting is why MentaL is still allowed to post.

Thus far I do not think his intentions in finding the hole and downloading the db were malicious. He has apologized with sincerity, and expressed the desire to make amends. He also tried to out a UGer, but his sleuthing was incorrect. That was a show of extraordinarily poor judgement, something he has shown over and again.

I am also not certain after a couple dozen emails that he is completely sound at present, and I don't wish him injury if that is the case.

There is as well a less altruistic motive - I don't know what he is capable of, and don't want to antagonize him, particularly with my hands so full of dealing with this. The guy hacked BitTorrent, completely. My blocking his IP is probably not going to prove to be an insurmountable impediment to him. Might just piss him off.

Lastly, he admitted in public via text and imagery to a blatant violation of Federal law. My damages are substantial, and it is an effortless case if a prosecutor wanted a web hacking notch on his or her gunbelt. So if we decide to go after him, it will be remarkably more severe than blocking his IP and deleting his posts.

The guys are also taking a number of further steps to shore up our security over the next several days.

Also, a bunch of people said "Hey, you banned SuperCalo for pretending he was prominent people on the site, but he was the force behind the Fight for Frank and is a good good dude. Then this guy who downloaded our login info and then hacked some of it is not banned. WTFF." There was a suggestion I offer to wash SuperCalo's dishes for a month, as an enticement, so I did. I hope he comes back.

Please ask further questions below and I will answer them or get someone smart to answer them if I am unable to do so. I do ask that the thread be about the hacking and pw change and not about other things, DTW. I will not be able to answer them immediately, as I have a pressing family medical matter to attend to, but I will get to them.

Above all, you have my sincerest apologies for the trouble to which now tens of thousands of you are being put.
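The post above explains that a precomputed table can recover short, all-numeric passwords from a downloaded set of unsalted hashes. The example below is added here and is not the UG's code; it contrasts that weak scheme with a per-user salt plus a slow key derivation function (PBKDF2-HMAC-SHA256), which is the standard mitigation. All sample passwords and parameters are constructed for illustration.

```python
import hashlib
import hmac
import os
from itertools import product

# Weak scheme, as the post describes: a fast, unsalted hash of the password.
def weak_hash(password: str) -> str:
    return hashlib.sha1(password.encode()).hexdigest()

# Precompute the weak hash of every all-digit password up to max_len digits.
# A rainbow table is a space-saving form of this idea; a plain lookup
# table is enough to show why short numeric passwords fall instantly.
def build_lookup(max_len: int) -> dict:
    table = {}
    for length in range(1, max_len + 1):
        for digits in product("0123456789", repeat=length):
            pw = "".join(digits)
            table[weak_hash(pw)] = pw
    return table

def recover_weak(stored_hash: str, table: dict):
    # Returns the password if its hash is in the table, else None.
    return table.get(stored_hash)

# Hardened scheme: a random per-user salt plus a deliberately slow KDF.
# The salt means a table built in advance matches no stored record, and
# the iteration count makes building a fresh table per user expensive.
ITERATIONS = 200_000  # assumed value; tune to the server's budget

def strong_hash(password: str, salt: bytes = b"") -> str:
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${dk.hex()}"

def verify_strong(password: str, stored: str) -> bool:
    _, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)  # constant-time compare

def demo():
    table = build_lookup(4)          # 11,110 entries, built in well under a second
    pw = "1984"                      # constructed sample: short, all-numeric
    cracked = recover_weak(weak_hash(pw), table)   # found immediately
    rec1, rec2 = strong_hash(pw), strong_hash(pw)  # same password, two users
    same_record = rec1 == rec2       # False: salts differ, so no shared table
    return cracked, same_record, verify_strong(pw, rec1), verify_strong("1985", rec1)
```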

"The guy hacked BitTorrent, completely."

Details on this? As a geek, I'm curious. Anyway, he exposed flaws, you're addressing them, that should be the end of this saga.

Looking forward to SuperCalo's return

I wonder what the movie and recording industry would've paid for MentaL's access to BitTorrent?

> "The guy hacked BitTorrent, completely."
>
> Details on this? As a geek, I'm curious. Anyway, he exposed flaws, you're addressing them, that should be the end of this saga.

You can read about it here.

