I am dealing with less than all of the information concerning the hacker attack, so I realize not all of my information may be correct, but I must ask a question about how it was handled.
I realize it's a big pain to deal with a hacker intruding into your system, and that was the most important duty for the sysadmins. But I don't understand why it took almost a full week to let the users know that their passwords might have become vulnerable.
For me it's not a big deal, because I use a different password on every site I belong to, but some people use the same password for convenience. I don't think that's a good idea, but it is a factor that should be considered. The breach was found on Monday; the users were not informed until Thursday. That gave hackers and hackers' friends four days to use the passwords they got from the SDMB database, which could have equated to money lost for people who may have used their password at an Amazon.com type site, or even malicious emails if they used web email with the same password.
I think a more timely warning about the possible password troubles would have been in order.
I don’t mean to second guess, but to put my opinion out there for a procedure to follow if this ever happens again.
pat
ps:
I didn't put this in the pit to be flamed. I put it here because this is where administrative complaints seem to be moved when placed in other boards; I thought it was the appropriate place. If not, would a moderator please move it?
I agree… but I don’t hold them too much to blame. After all, this is 100% the reason why everyone and everyplace tells you to make a unique password. If you decide not to do it, you’re playing with fire. Would you blame the bank if someone figured out your PIN was your birthday? They expressly tell you “Don’t do that”. Just like each site says the same about reusing passwords: “Don’t do that”.
To be fair though, four days does seem like a long time. However, I can only assume that they had some more pressing matters than covering for those people who chose not to follow the instructions.
“I guess one person can make a difference, although most of the time they probably shouldn’t.”
This is just a guess, but it could easily have been a couple of days before anyone discovered that the hacker had gotten access to our passwords.
From what I can glean from the email that was sent to us, they eventually (but not immediately) detected that the hacker was intercepting our logon attempts (and apparently passing those attempts on to the real system - I never had any problems posting messages during the suspect interval).
(If I can submit this message successfully then I’ve managed to change my password once again. Getting to be an old hand at this…)
Does anyone really think the SDMB was hacked for reasons of larceny? I think someone looking to make hay with passwords and e-mail addresses could find bigger fish to fry than little ol' us. I think it was pretty clear to the admins and techs that someone was just being plain malicious. The possibility of password theft was probably not immediately apparent. If it was, I'm sure the notice that appeared yesterday would have been posted sooner. That said, I hope an immediate posting is now in the protocol for any similar occurrence in the future.
I never received an email about being hacked, or needing to change my password. I sent an email to the webmaster address, and got a reply that said “we’re working on it, sorry for the inconvenience,” but it said nothing about being hacked.
I changed my password today, though.
Changing my sig, because Wally said to, and I really like Wally, and I’ll do anything he says, anytime he says to.
First of all, anyone who uses the same password for everything deserves what they get.
Secondly, there’s a hell of a lot more interesting things you can do with root level access than steal people’s passwords to a message board.
If someone actually did have my password I wouldn’t really care. Who would want to steal my account? Even if they did what would I lose? My post count… oh no… how terrible.
The problems (that’s in the plural) turned out to be bigger than originally thought . . . as the situation deepened, it all became a more complex and difficult situation.
Not all facts were apparent at the start . . . and there was more than one attempt to take over the system.
We didn’t know about the compromised passwords until deeper into the deal . . . and more attention was paid to getting the system back up than to telling you the whole story. The moderators and administrators didn’t even have the facts until you did; it was all played very close. And we gave you the information we were authorized to give you when we could.
Is that a bad thing? I don’t think so. Would it have made a difference if you knew sooner? No. In fact, it might well have made things MORE difficult for us; who’s to say the hacker doesn’t read this board? (How’d they find us in the first place?) Who’s to say some other helpful person might not have jumped in, taking advantage of our vulnerability? Are we supposed to tip our hand and pass out confidential information just for your satisfaction?
It was certainly never intended for the board to be out of operation for as long as it was . . . but it took as long as it took to correct the situation and get us back.
And btw, your faith in us is touching. We do it all for you, ya know.
Hmm… so our passwords are compromised and we’re not allowed to complain? The administrators chose a bbs utility that stores passwords in plain text (I mean come ON who wrote this thing???) and we aren’t supposed to question? You tell us we are only allowed to discuss our displeasure with administration in the pit, and then come tell us we’re wrong to do so?
Um. Ok. What-fucking-ever.
–
“it’s all real”
“I KNEW IT!!!”
O p a l C a t www.opalcat.com
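The complaint above is that the board software kept passwords in plain text, so a database compromise hands the attacker every password directly. The following is an added example, not code from the thread or from UBB, contrasting a plaintext store with a salted, iterated hash store and showing what a leaked copy of each gives an attacker. The class and function names, the PBKDF2 parameters and the sample users and wordlist are all assumptions constructed for the example.

```python
# Added example (not from the thread or from UBB): plaintext vs. salted-hash
# password storage, and what a stolen copy of the table yields in each case.
import hashlib
import hmac
import os

# Assumption: an iteration count in the range current guidance suggests for
# PBKDF2-HMAC-SHA256. Lower it in tests if speed matters; never in production.
PBKDF2_ITERATIONS = 600_000


class PlaintextStore:
    """The weak design: the password column holds the password itself."""

    def __init__(self):
        self.rows = {}

    def register(self, username, password):
        self.rows[username] = password

    def verify(self, username, password):
        return self.rows.get(username) == password


class HashedStore:
    """The hardened design: per-user random salt plus an iterated hash.

    A leaked row reveals neither the password nor whether two users share one.
    """

    def __init__(self, iterations=PBKDF2_ITERATIONS):
        self.rows = {}
        self.iterations = iterations

    @staticmethod
    def _derive(password, salt, iterations):
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)

    def register(self, username, password):
        salt = os.urandom(16)  # unique per user, stored alongside the digest
        digest = self._derive(password, salt, self.iterations)
        self.rows[username] = (salt, self.iterations, digest)

    def verify(self, username, password):
        row = self.rows.get(username)
        if row is None:
            # Burn the same work for unknown users so timing does not reveal
            # which usernames exist.
            self._derive(password, b"\x00" * 16, self.iterations)
            return False
        salt, iterations, digest = row
        candidate = self._derive(password, salt, iterations)
        return hmac.compare_digest(digest, candidate)


def leaked_passwords(store):
    """What an attacker who copies the table reads off it without further work."""
    if isinstance(store, PlaintextStore):
        return dict(store.rows)
    # A hashed row is salt + iteration count + digest: no password to read.
    return {}


def dictionary_attack(store, wordlist):
    """Offline guessing against a leaked HashedStore.

    Hashing does not rescue weak or reused passwords: each guess costs one
    derivation per user, so short wordlists still recover bad choices.
    """
    cracked = {}
    for username, (salt, iterations, digest) in store.rows.items():
        for guess in wordlist:
            if hmac.compare_digest(digest, HashedStore._derive(guess, salt, iterations)):
                cracked[username] = guess
                break
    return cracked


if __name__ == "__main__":
    # Constructed sample users and wordlist; not real accounts.
    weak = PlaintextStore()
    weak.register("pat", "correct horse battery")
    weak.register("opal", "password1")
    print("plaintext leak:", leaked_passwords(weak))

    strong = HashedStore(iterations=10_000)  # reduced for a quick demo run
    strong.register("pat", "correct horse battery")
    strong.register("opal", "password1")
    print("hashed leak:", leaked_passwords(strong))
    print("cracked from hashed leak:", dictionary_attack(strong, ["letmein", "password1"]))
```

The point the example makes is the one the thread dances around: with plaintext storage, every user is exposed the moment the table is copied, and the only mitigation is the users' own habit of not reusing passwords; with salted, iterated hashing, the attacker still has to guess, and only the users who chose guessable passwords lose them.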
Displeased with the administration? Like we brought this on ourselves? Like we did this just to piss you off? Like WE’re to blame for everything that goes wrong?
Ya know, the Reader could have just said, "forget it," closed the site and walked away. Instead, they spent a lot of time and resources to get the site back up and working. Maybe I'm weird, but slapping people while they do everything they possibly can for you is, to my way of thinking, rude.
Too bad life isn’t exactly like you think it should be in every little way. Including over here.
I'm on your side here, TubaDiva, and I suspect I'm not the only one. Having your password stolen isn't that big of a deal. No one is going to believe that when Jophiel suddenly starts posting things about having sex with monkeys that Jophiel really has sex with monkeys (well, hopefully). If you use the password all over the net with the same username – well, I commented on that before. Provided you choose your passwords intelligently, the worst thing that can happen to a user here is potential embarrassment from some fake posts until it gets cleared up. Big whoop.
Having the board up has to be the least of the Reader’s concerns and I imagine they do it mainly for us. I’m not saying they don’t make any money off of it, but given that 95% of the ads on the banner are for the Reader itself which is a free publication to anyone who lives in the Chicagoland area and wants to grab a copy, I can guess they’re not making a mint off of this site. Even increasing the number of people who grab the free copy of the Reader and thusly increasing the amount the Reader can charge for print ads can’t be making the board profitable especially in the face of things like this.
I don’t know the whole story; I don’t think anyone here does and I can’t blame the Reader for not offering details that could make things harder for them and they don’t owe us anyway.
Given the potential damage to the average user on this board versus the potential damage to the Reader from saying “The hacker got in by doing such and such and accomplished this,” the administration made the right decisions.
“I guess one person can make a difference, although most of the time they probably shouldn’t.”
I think the only post I've made on this thread is ambiguous, so I'll be a little more vigorous. This is an entertainment for most of us and our marginal cost to enjoy it is zip. I don't know about the rest of you, but the Reader/Straight Dope cut me a pretty good subscription rate. The foolish management of personal passwords is something this site's management can do nothing about; that's in your court, people. I was notified by e-mail, but the notice was on this site as well. I don't know what all the Reader tech staff went through getting it all back together, but I'm having a hard time seeing why a gripe-fest might be justified. I might feel a little differently if any one of us actually paid anything for this service.
Oh come ON Tuba, don’t be stupid. I never said the administration was to BLAME, I simply agreed with the person who said that things could have been handled better. Go ahead and sit on your “We did everything absolutely perfectly” throne if you want, but I don’t buy it. I think the main issue with the password thing is that UBB is a piece of crap program that was put together by people with no clue. I think the administration could have handled it a bit better when it was realized that passwords may have been compromised.
You seem to be taking the general criticism a bit to heart… is there something you want to tell us?
–
“it’s all real”
“I KNEW IT!!!”
O p a l C a t www.opalcat.com
I'm sure there are plenty of lessons to be learned from this incident for everyone. I don't blame you for pointing the possible problems out (I'm sure you mean well, and of course any extra information might be valuable), but you might wanna voice your criticism in a more constructive manner when addressing a group of people who work for nothing and have just had a few very hectic days trying to get things on track again. To the best of their abilities, I might add.
So in conclusion, please keep in mind that Tuba might be a little edgy over this. Which is fully understandable.
Unless, of course, your posts were just a job application in disguise… in which case you will at least get some bonus points for originality.