Site hack and PW change, take 2

Mental is like our own personal Anonymous!  How cool is that?


Just ask mental to delete all the personal info he has, on his honor and giving his word on it, in exchange for not banning him. Most ethical hackers (or hackers with those tendencies) I know have a strong sense of personal honor.

Many people wouldn't trust that. I would. Reading up on the BitTorrent story he obviously has an ethical hacker mindset.

For advice for people, if you use the same password on other sites that you did here before forced to change it, and other logins are tied to the same email address, then go change your passwords on those sites. And think about using a throwaway email address in the future when signing up for forums and stuff like that for security.

cecils_pupils - So MentaL is basically holding a gun to your head and saying I am sorry at the same time.  Hackers are such a pathetic group.




Where is he holding a gun?

Kirik is understandably on edge given the circumstances and it's totally understandable that someone like MentaL would cause a bit of anxiety since it's tech and tech = ignorance = fear, but unless there have been private communications where he's made threats, it appears to be nothing more than Kirik making a circumstantial decision to recognize a potential hornets' nest and not stick his face into it for a better look.

Perceiving a potential threat and modifying your actions accordingly is something entirely different than actually being 'threatened'.

sooo i will have to change the password i made yesterday again?

You left out the part where Dana said he hasn't even looked at the UG in months...even though his sn posted within that timeframe.

Oh boy.

chew22 - So basically MentaL pwned mixedmartialarts.com "like a ninja through a dog door" ?????

Really, that's the imagery we're going with ??????

BRB, got to go close my dog doors. Those damn ninjas.

I guess ninjutsu isn't bullshido after all ;)

No dog doors can defend.

Russ - 
digthisbigcrux - Greetings Professor Kirik.

Shall we play a game? Phone Post 3.0

lol voted up because you made me chuckle with this

Kirik is the best and thank God he created this forum for the martial arts zealot in all of us. It's too bad he had to spend so much time, energy and resources to deal with issues like this.

Evil Ash - Phone Post 3.0

More like this.

http://i1360.photobucket.com/albums/r644/SeeHowImNotUsingMyRegularPhotobucket/TheUG_zpsc180722e.jpg

Kirik, this probably hasn't been the best few days of your life, hang in there.

The reason everyone is so pissed/freaked out over this is because everyone loves this place, it literally is a part of our lives and has been for well over a decade.

Kirik, I am prepared to make you an offer you cannot refuse.

Upgrade my name to a blue for the potential damages to my life caused by this hack and we will be even.

Refuse and we all burn together!!!!!

Copy and paste from the last thread....

I guess it kind of goes without saying, but this guy decided to hack the site. It doesn't really matter what his intentions were. How can you trust someone who's on a computer and decides, "I'm gonna see if I can hack into this site today just to make sure their security is good"? The intention is irrelevant in this case, however the decision to hack is not. I was going to add that I'm willing to bet he probably tries to hack any site he frequents, but it's already been mentioned that he has hacked other sites, so that could be the case.

I find it funny how a lot of people say, "I wasn't affected by this and he contributes to this forum, so who cares"? Really? You aren't the one footing the bill and dealing with this, so it's meaningless? What's funny is those same people would be calling for his head if they were stuck with the bill and the headache of cleaning up the mess. Your level of concern is only a reflection of your responsibility in dealing with this issue. Sure, Kirik should have handled this situation much better, but that has nothing to do with a member's decision to hack the site. If your response is to let a known hacking member stay as a punishment to Kirik and because he "contributes" to the forum, then maybe he isn't the only thing wrong with this board.

It's not for me to decide what the outcome should be, but a permanent banning shouldn't even be questioned. Phone Post 3.0

AlmightyCrom -
Kirik - 
The Gumball Kid - " Thus far I do not think his intentions in finding the hole and downloading the db were malicious. He has apologized with sincerity, and expressed the desire to make amends. He also tried to out a UGer, but his sleuthing was incorrect. That was a show of extraordinarily poor judgement, something he has shown over and again.

I am also not certain after a couple dozen emails that he is completely sound at present, and I don't wish him injury if that is the case.

There is as well a less altruistic motive - I don't know what he is capable of, and don't want to antagonize him, particularly with my hands so full of dealing with this. The guy hacked BitTorrent, completely. My blocking his IP is probably not going to prove to be an insurmountable impediment to him. Might just piss him off."

Should I read that as we're being held hostage with somebody that has shown extraordinarily poor judgement time and time again because you fear what he can do?

Sorry but if that is the case I can't trust anything you're saying about this whole situation because it's all going to be sugarcoated and presented in a way to not anger MentaL.

If I'm wrong I apologize but that is what it looks like you're saying


That is not what I am saying.



It is in fact the opposite. I am being entirely open and honest.



One factor in not banning him is that he is a super duper hacker, and if he got super pissed off he could probably turn the page into an ad for a parking lot. When I was like 14 I got into a beef with a kid over a pinball machine at the Topsfield Fair. I smacked him in the face, and only then realized he had two huge friends right behind him. It did not go my way, but was instructive - don't use force on someone until you know what force they can use back.



This is being entirely honest about my thought process.


With due respect I think you're overstating the case here.

Hacking isn't magic. If you have the appropriate safeguards in place and technical people to manage it you can very much mitigate the risk.

MentaL did not hack 'all of BitTorrent'. He capitalized on the software developers of uTorrent leaving a metaphorical unlocked door that anyone could jiggle the handle to and try and get in. Based on the article he linked it seemed like their admin panel was hiding in plain sight and he just happened to find it and realize they were using the default passwords. In that case it's more the naivety of the victims that cost them rather than MentaL's super hacker skills.

He's clearly an intelligent person who has a lot of computer knowledge. I'm not suggesting he isn't capable, but talking like he could do anything he wants with your site at any time is hyperbole and I think basing your decisions on this kind of hype is wrong.

This isn't Stuxnet we're talking about here. It's capitalizing on misconfigured infrastructure and commonly known security vulnerabilities (to those who keep informed about web security).

I'm not advocating for or against a ban or law enforcement action. I don't know MentaL but I can relate to the hacker mindset because I share that mindset. But I think it's wrong to base your course of action on this 'hacker mystique' based on ignorance of the subject matter. Do what you feel is appropriate in terms of consequences but be informed about what you're really dealing with.


I support vulnerability disclosures and for the most part I think prosecuting someone if there's no evidence anything was damaged / taken is the wrong approach.

However in this case he did use other people's accounts & identities and seems to have taken a copy of the database. Generally speaking claims of 'good intentions' when exposing vulnerabilities go out the window when you've accessed other people's accounts or taken data.

I appreciate your openness about the subject matter Kirik. I personally would've appreciated being told two years ago, regardless of whether or not anyone else appeared to have capitalized on the vulnerability. By not telling anyone you basically decided for all of us that MentaL was trustworthy.

I think it would be in your best interest (and the best interest of your users) to either get an understanding of modern web application security or have people on staff who can give you sound, technical counsel on that in order to make decisions going forward. And I don't mean just people who are good programmers / IT folks. I mean security specialists. There are plenty of wonderfully smart people in IT who just don't think like an attacker would.

I mean that with no disrespect, I know the technical side is not your area of expertise or what you're interested in / passionate about but ignorance of it is not much of an excuse if you're going to be having people's info in your care.


Great post Phone Post 3.0

sweetlily - In my opinion, it sets an inappropriate precedent to make banning decisions based on a guess that MentaL had good intents and due to fear of his mental instability. That precedent sends a pretty clear message that the TOS are irrelevant and people can do whatever they want as long as they say that they meant no harm and leave an impression that if you disagree with them that they will harm you. It rewards a negative behavior and encourages it to occur again. Phone Post 3.0
Agreed Phone Post 3.0

It doesn't really matter what his intentions were. How can you trust someone who's on a computer and decides, "I'm gonna see if I can hack into this site today just to make sure their security is good"? The intention is irrelevant in this case, however the decision to hack is not.
-----------

Actually, the only thing that matters here are his intentions. Do you know what the old vulnerability was? Was it an accessible page that was publicly broadcasting user information? Because that's what a lot of these types of things are.

You know who finds them so they can be fixed?
Not guys like you.

I support MMA.tv and have stuck around for the community. Even though I felt like I got an unfair shake on the demodding, Kirik is always fair and honest with reality.

Mental was a quasi white hat with a simple exploit that he admitted. It served to strengthen the forum and make this place better. While his method was a little bit misguided, no real harm has been done.

Hang in there Kirik. This is just a reason for people who like to complain to get huffy and make noise. It will pass. Phone Post 3.0