Site hack and PW change, take 2

The Gumball Kid - " Thus far I do not think his intentions in finding the hole and downloading the db were malicious. He has apologized with sincerity, and expressed the desire to make amends. He also tried to out a UGer, but his sleuthing was incorrect. That was a show of extraordinarily poor judgement, something he has shown over and again.

I am also not certain after a couple dozen emails that he is completely sound at present, and I don't wish him injury if that is the case.

There is as well a less altruistic motive - I don't know what he is capable of, and don't want to antagonize him, particularly with my hands so full of dealing with this. The guy hacked BitTorrent, completely. My blocking his IP is probably not going to prove to be an insurmountable impediment to him. Might just piss him off."

Should I read that as we're being held hostage with somebody that has shown extraordinarily poor judgement time and time again because you fear what he can do?

Sorry but if that is the case I can't trust anything you're saying about this whole situation because it's all going to be sugarcoated and presented in a way to not anger MentaL.

If I'm wrong I apologize but that is what it looks like you're saying


That is not what I am saying.



It is in fact the opposite. I am being entirely open and honest.



One factor in not banning him is that he is a super duper hacker, and if he got super pissed off he could probably turn the page into an ad for a parking lot. When I was like 14 I got into a beef with a kid over a pinball machine at the Topsfield Fair. I smacked him in the face, and only then realized he had two huge friends right behind him. It did not go my way, but was instructive - don't use force on someone until you know what force they can use back.



This is being entirely honest about my thought process.

Let me bang bro - iom apgage 1 son
Mcgurgle qwat mio!!!!!! Phone Post 3.0

Said it a thousand times in the last thread, will say it again here, once.

There's a lot of irrational fear and hysterics about this.
This is not a black hat data breach. Anyone who thinks that doesn't know how those play out. It bears no resemblance to what we have here.

Acts of digital Darwinism:

* The use of Universal Passwords.

* Not using a layered email account strategy to keep personally identifying email addresses away from random shit you sign up for.

* Entering personally identifying information into non-essential webforms.

You know all those articles and posts on personal data security that you never bother to read because there's a more interesting article about a celebrity busted for drunk driving? Well, you should have read them.

I am good with it. MentaL has done this before to much larger sites with greater access to information. Informed the sites and identified himself as the person that hacked them. The guy seems a little socially awkward but overall his intentions seem good based on his track record. Phone Post 3.0

People need to keep in mind that holes and openings to attacks are found everyday. If you have ever posted on a wordpress blog or most social media there are possible openings that are closed all the time.

You would never use the interwebs again if each time a hole was found they emailed you and told you to change your password. Most would never have even opened a discussion like this. A hacker can get your info if they are good and hellbent.

Plus, take it as a learning moment and create harder passwords. There is a reason most sites have a password strength meter, try to make things harder.

This shit should be put to bed now, if you're leaving just leave. You probably would have anyway for something else.

Oh dear frens, what has this e-world come to?

Kirik -


Yesterday's explanation did not answer all of your concerns initially, so after trying to answer each of them one by one last night, I am reposting with a fuller narrative of what happened.



Three days ago UFC president Dana White's screen name on the UG offered to do a Q&A. The answers were plausible, although a little over-punctuated and, oddly, curse free. It wasn't actually odd, as it wasn't DFW, as we learned when we texted him for confirmation.



We locked the account, changed the PW, let Dana know, and started trying to track down what happened. The next day Dan Henderson's screen name on the UG posted a gif directed at Michael Bisping. The Count's screen name on the UG responded immediately. That thread was patently bogus, and was quickly frozen.



Shortly afterwards, we discovered that the screen names were the work of UGer MentaL. He had also logged in as a government official, Nevada State AC executive director attorney Keith Kizer. I emailed MentaL and he responded that it had indeed been him.



Over dozens of sometimes puzzling emails, I came to understand what happened.



Two years ago, MentaL discovered a hole in our security, and very helpfully alerted us to it. We immediately fixed the hole. Should someone use that hole to gain access to the site, your log in information (email address and password) is still encrypted, even if it was downloaded.



At the time I did not alert everyone, and force a change of everyone's passwords. It is like I owned a fight gym and a member of it said "Hey that dog door is big enough so that a ninja could wriggle through it, and come in here and do whatever he wants."



Once inside the guy could burn the place down, pee in the cage, try every combination on the combination locks on the gym lockers and find out your email address and password for a fight site inside them, and dozens of other things. The alert was from a friendly member of the gym, with no indication he had wriggled through the hole, and no indication he had then tried every combination on some of the lockers and discovered passwords for an MMA site.



With the recent credit card issues at Target, people naturally worried that their credit card information was compromised. We do not retain credit card info. Thus no matter how much snooping around or picking of padlocks he managed to do, your credit card information was never compromised, as it is not there. Your credit card info is safe.



I nailed the dog door shut immediately, and had them audit our security. And I did not tell everyone here.



For two years I did not get any indication that anyone else had found the hole, never mind download user log in info, and then crack some of it.



However, unbeknownst to me, MentaL had indeed downloaded at least part of the user log in information. Further, he cracked some of it. Apparently using something called a Rainbow Table, if you can guess an email address, and the password is relatively simple (say all numbers and not that many of them) then it is not that tough to get the password.



Using two year old information, MentaL was able to crack the DFW, Hendo, and Bisping accounts (all of which meet the above criteria), and post as if he was them. His reasons were twofold. First, he thought you guys would get a kick out of it. Second, he thinks two years ago I should have told everyone to change their password, because someone else could have exploited the hole he found, and then downloaded the log in info, and then cracked some of it, and then used the info for ill ends, like trying the same email and password combo on amazon, or paypal, or any other site.



So that is his reasoning for cracking the logins of prominent figures. The reason he downloaded the encrypted user log in info in the first place was, as he put it, as a "trophy." I don't know or understand hacker culture, but apparently downloading data of this nature as a trophy of what you were able to hack into is a common occurrence.



To people worried that MentaL has hacked your log in info and is using it for malevolent purposes, please know that he hacked BitTorrent last summer. You can read about it here. If he was going to cause any trouble that is literally 1,000,000 times bigger than the UG. And he loves the UG. He was trying to help you, and did not anticipate how you, or anyone, would naturally react.



We built a function that is forcing everyone to choose a new password. Initially we exempted people who had changed their log in more recently than the log in info download, but that was problematic, so everyone has to change their password.



We can institute changes on the UG, but apps are fixed and cannot be changed without a long review process, so if you access the UG exclusively from a smart phone app, you should get to a desktop and change your log in information.



The process is done from the top Nav bar:

ACCOUNT

>Site Settings

>>Login Settings

>>>Change Password

>>>Change Email



We also added a function that freezes your account if you try too many times to log in with a bad password. This was done to deter brute force attacks on our log in.



After the credit card fears, the biggest question I am getting is why MentaL is still allowed to post.



Thus far I do not think his intentions in finding the hole and downloading the db were malicious. He has apologized with sincerity, and expressed the desire to make amends. He also tried to out a UGer, but his sleuthing was incorrect. That was a show of extraordinarily poor judgement, something he has shown over and again.



I am also not certain after a couple dozen emails that he is completely sound at present, and I don't wish him injury if that is the case.



There is as well a less altruistic motive - I don't know what he is capable of, and don't want to antagonize him, particularly with my hands so full of dealing with this. The guy hacked BitTorrent, completely. My blocking his IP is probably not going to prove to be an insurmountable impediment to him. Might just piss him off.



Lastly, he admitted in public via text and imagery to a blatant violation of Federal law. My damages are substantial, and it is an effortless case if a prosecutor wanted a web hacking notch on his or her gunbelt. So if we decide to go after him, it will be remarkably more severe than blocking his IP and deleting his posts.



The guys are also taking a number of further steps to shore up our security over the next several days.



Also, a bunch of people said "Hey, you banned SuperCalo for pretending he was prominent people on the site, but he was the force behind the Fight for Frank and is a good good dude. Then this guy who downloaded our log in info and then hacked some of it is not banned. WTFF." There was a suggestion I offer to wash SuperCalo's dishes for a month, as an enticement, so I did. I hope he comes back.



Please ask further questions below and I will answer them or get someone smart to answer them if I am unable to do so. I do ask that the thread be about the hacking and pw change and not about other things, DTW. I will not be able to answer them immediately, as I have a pressing family medical matter to attend to, but I will get to them.



Above all, you have my sincerest apologies for the trouble to which now tens of thousands of you are being put.
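Two of the points in the post above are easy to show in code: why a simple all-numeric password behind an unsalted hash falls to a precomputed table once an attacker has the hash and can guess the email, and how a "freeze after too many bad passwords" function deters online brute forcing. The following is an added example, not code from mma.tv or from anyone in this thread. It uses a plain lookup dictionary rather than a true rainbow table (a rainbow table is a space-saving variant of the same idea, and the simpler dictionary is enough to make the point). Everything in it is assumed: the function and class names, the PBKDF2 round count, the lockout thresholds, and the sample e-mail addresses, which are constructed. The intended defender use is the audit function: run it over your own legacy hash column to find accounts that need a forced reset, then store new passwords salted and slow.

```python
import hashlib
import hmac
import os
import time
from itertools import product
from string import digits
from typing import Dict, List, Optional

PBKDF2_ROUNDS = 200_000  # assumption: tune to what your login servers can afford


def legacy_hash(password: str) -> str:
    """Unsalted fast hash: the kind of storage a precomputed table defeats."""
    return hashlib.md5(password.encode()).hexdigest()


def hardened_hash(password: str, salt: Optional[bytes] = None,
                  rounds: int = PBKDF2_ROUNDS) -> str:
    """Random per-user salt plus slow PBKDF2-HMAC-SHA256, stored as one string.

    The salt means a table computed once cannot be reused across users, and the
    round count makes each guess cost real CPU time instead of a hash lookup.
    """
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return f"pbkdf2_sha256${rounds}${salt.hex()}${dk.hex()}"


def verify_hardened(password: str, stored: str) -> bool:
    """Recompute with the stored salt and rounds; compare in constant time."""
    _, rounds, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(dk.hex(), dk_hex)


def numeric_table(max_len: int = 4) -> Dict[str, str]:
    """hash -> password for every all-digit password of 1..max_len digits.

    This is the "simple password, not that many characters" case from the post:
    the whole space is small enough to precompute in well under a second.
    """
    table: Dict[str, str] = {}
    for n in range(1, max_len + 1):
        for combo in product(digits, repeat=n):
            pw = "".join(combo)
            table[legacy_hash(pw)] = pw
    return table


def audit_legacy(users: Dict[str, str], table: Dict[str, str]) -> List[str]:
    """Return the emails whose unsalted hash is in the table: force a reset."""
    return [email for email, h in users.items() if h in table]


class ManualClock:
    """Settable clock so the throttle can be exercised without sleeping."""
    def __init__(self) -> None:
        self.t = 0.0

    def __call__(self) -> float:
        return self.t


class LoginThrottle:
    """Freeze an account after max_failures bad passwords within lock_seconds."""
    def __init__(self, max_failures: int = 5, lock_seconds: int = 900,
                 clock=time.monotonic) -> None:
        self.max_failures = max_failures
        self.lock_seconds = lock_seconds
        self.clock = clock
        self._failures: Dict[str, List[float]] = {}
        self._locked_until: Dict[str, float] = {}

    def is_locked(self, email: str) -> bool:
        return self.clock() < self._locked_until.get(email, 0.0)

    def attempt(self, email: str, password: str, stored: str) -> str:
        """Returns 'ok', 'bad_password' or 'locked'; a lock also rejects correct passwords."""
        if self.is_locked(email):
            return "locked"
        if verify_hardened(password, stored):
            self._failures.pop(email, None)
            return "ok"
        now = self.clock()
        recent = [t for t in self._failures.get(email, []) if now - t < self.lock_seconds]
        recent.append(now)
        self._failures[email] = recent
        if len(recent) >= self.max_failures:
            self._locked_until[email] = now + self.lock_seconds
            return "locked"
        return "bad_password"


if __name__ == "__main__":
    # Constructed sample data: one weak numeric password, one long passphrase.
    legacy_users = {"fan1@example.com": legacy_hash("1234"),
                    "fan2@example.com": legacy_hash("correct horse battery staple")}
    print("accounts needing a forced reset:", audit_legacy(legacy_users, numeric_table(4)))
    print("salted hash of the same weak password is in the table:",
          hardened_hash("1234") in numeric_table(4))
```

The audit lists only the numeric-password account; the salted hash of that same weak password never appears in the precomputed table, which is the whole argument for salting. Salting alone does not make "1234" a good password, so the forced reset the post describes is still the right response; the slow hash and the throttle just raise the cost of guessing it, offline and online respectively.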

FRAT Phone Post 3.0

I sent MentaL my home address and now I have a new car, a new yacht, a jet ski and a snowmobile, along with a lifetime supply of tuna.

I think this has been an interesting time for all of us.

Dougie - 


I sent MentaL my home address and now I have a new car, a new yacht, a jet ski and a snowmobile, along with a lifetime supply of tuna.



I think this has been an interesting time for all of us.





I better add...I'm just kidding, before someone freaks out and thinks I am serious and demands I give back a lifetime supply of tuna.

I just changed my password to WhoopinOffForJesus

Frat, just had to change my password, am I fucked (I changed it)? Phone Post 3.0

Kirik - 
The Gumball Kid - " Thus far I do not think his intentions in finding the hole and downloading the db were malicious. He has apologized with sincerity, and expressed the desire to make amends. He also tried to out a UGer, but his sleuthing was incorrect. That was a show of extraordinarily poor judgement, something he has shown over and again.

I am also not certain after a couple dozen emails that he is completely sound at present, and I don't wish him injury if that is the case.

There is as well a less altruistic motive - I don't know what he is capable of, and don't want to antagonize him, particularly with my hands so full of dealing with this. The guy hacked BitTorrent, completely. My blocking his IP is probably not going to prove to be an insurmountable impediment to him. Might just piss him off."

Should I read that as we're being held hostage with somebody that has shown extraordinarily poor judgement time and time again because you fear what he can do?

Sorry but if that is the case I can't trust anything you're saying about this whole situation because it's all going to be sugarcoated and presented in a way to not anger MentaL.

If I'm wrong I apologize but that is what it looks like you're saying


That is not what I am saying.



It is in fact the opposite. I am being entirely open and honest.



One factor in not banning him is that he is a super duper hacker, and if he got super pissed off he could probably turn the page into an ad for a parking lot. When I was like 14 I got into a beef with a kid over a pinball machine at the Topsfield Fair. I smacked him in the face, and only then realized he had two huge friends right behind him. It did not go my way, but was instructive - don't use force on someone until you know what force they can use back.



This is being entirely honest about my thought process.


With due respect I think you're overstating the case here.

Hacking isn't magic. If you have the appropriate safeguards in place and technical people to manage it you can very much mitigate the risk.

MentaL did not hack 'all of BitTorrent'. He capitalized on the software developers of uTorrent leaving a metaphorical unlocked door that anyone could jiggle the handle to and try and get in. Based on the article he linked it seemed like their admin panel was hiding in plain sight and he just happened to find it and realize they were using the default passwords. In that case it's more the naivety of the victims that cost them rather than MentaL's super hacker skills.

He's clearly an intelligent person who has a lot of computer knowledge. I'm not suggesting he isn't capable, but talking like he could do anything he wants with your site at any time is hyperbole and I think basing your decisions on this kind of hype is wrong.

This isn't Stuxnet we're talking about here. It's capitalizing on misconfigured infrastructure and commonly known security vulnerabilities (to those who keep informed about web security).

I'm not advocating for or against a ban or law enforcement action. I don't know MentaL but I can relate to the hacker mindset because I share that mindset. But I think it's wrong to base your course of action on this 'hacker mystique' based on ignorance of the subject matter. Do what you feel is appropriate in terms of consequences but be informed about what you're really dealing with.


I support vulnerability disclosures and for the most part I think prosecuting someone if there's no evidence anything was damaged / taken is the wrong approach.

However in this case he did use other people's accounts & identities and seems to have taken a copy of the database. Generally speaking claims of 'good intentions' when exposing vulnerabilities go out the window when you've accessed other people's accounts or taken data.

I appreciate your openness about the subject matter Kirik. I personally would've appreciated being told two years ago, regardless of whether or not anyone else appeared to have capitalized on the vulnerability. By not telling anyone you basically decided for all of us that MentaL was trustworthy.

I think it would be in your best interest (and the best interest of your users) to either get an understanding of modern web application security or have people on staff who can give you sound, technical counsel on that in order to make decisions going forward. And I don't mean just people who are good programmers / IT folks. I mean security specialists. There are plenty of wonderfully smart people at IT but just don't think like an attacker would.

I mean that with no disrespect, I know the technical side is not your area of expertise or what you're interested in / passionate about but ignorance of it is not much of an excuse if you're going to be having people's info in your care.


Good job Kirik. Now hire MentaL as a consultant so people will get off your nuts about him being around. And...

Welcome back Calo should you decide to return. Phone Post 3.0

Gumball, his life and the life of his friends and family could turn into a potential hell for years and years. Even people who aren't friends with mentaL could find cause for retribution because under a certain code of ethics, he is a good guy and a hero. This site could be ruined, finances ruined, privacy destroyed, any online presence and general havoc would likely be unleashed upon him and mma.tv. That's just how it is. Phone Post 3.0

Kirik - 
deepu - "The guy hacked BitTorrent, completely."

Details on this? As a geek, I'm curious. Anyway, he exposed flaws, you're addressing them, that should be the end of this saga.


You can read about it here.


Cool article and again confirms MentaL is not out to cause harm. People should read that article.

Geocities.mma.tv Phone Post 3.0

deepu - 
Kirik - 
deepu - "The guy hacked BitTorrent, completely."

Details on this? As a geek, I'm curious. Anyway, he exposed flaws, you're addressing them, that should be the end of this saga.


You can read about it here.


Cool article and again confirms MentaL is not out to cause harm. People should read that article.

As a fellow geek, I agree that the intent was probably not harmful.

But going from 'hey, I found these vulnerabilities' to 'I'll just use these accounts and post. Might as well copy the DB for a keepsake' changes things a bit in my mind. Again, if CC numbers aren't involved, on the whole I probably wouldn't advocate law enforcement though. But I understand if people feel differently.

As I wrote above, we're not talking about kernel level rootkits or highly sophisticated hacking (relatively speaking). I think making your choices based on what he may potentially do and basically appeasing the guy who penetrated your site is the wrong approach.

Man this hacking stuff is like shit from the movies. Phone Post 3.0

deepu -
Kirik - 
deepu - "The guy hacked BitTorrent, completely."

Details on this? As a geek, I'm curious. Anyway, he exposed flaws, you're addressing them, that should be the end of this saga.


You can read about it here.


Cool article and again confirms MentaL is not out to cause harm. People should read that article.
Did you read the part where he was insulted?!?!? I did, and that is the scary part that Kirik and mma.tv should take seriously... It's not Kirik's bank I'm worried about, it's mine... Phone Post 3.0