Rick | Premium, MVM | join:2001-02-06 | Waterbury, CT | reply to justin
Re: site user password intrusion info
Just a few thoughts and comments.
First..Justin, as far as I'm concerned if you spend one single minute beating yourself up over this on my or many people I'm sure who frequent this site, then you spent one minute too long.
If out of TEN years..(or is it 11 now, I can't even recall now or see the date to be sure)..of frequenting this site on a VERY regular basis I can only say you have run a first class operation.
And so, let's be more than clear here. It is the LOW LIFES who did this who are at fault. And who are to blame. And one can only hope for THEM that they're first on the list of Sony customers to have every account they ever had stolen and hijacked and used by someone just like them.
What you and everyone who runs a website is up against is you can build Fort Knox here, spending years in the process 24 hours a day..7 days a week which you have here...only to have some low life losers come along and try to find and exploit one weakness in it.
What is AMAZING to me is that in all these years, this is ALL that's ever happened given that huge disadvantage you and others are under. And while it's certainly not good..you are doing exactly what you can and should be.
Another testament to your abilities is how FAST you caught it...how FAST you identified who was affected and how FAST you warned us.
Justin..there is NOTHING to be ashamed about with your actions here.
With that said, having been a long time member the site has had my oldest and primary email address and the password I've used here while it hasn't been the same as elsewhere was a variation of others that although it would have taken some time to figure out..I'm sure would have eventually. And so, I've spent the last 3 hours revisiting all my sites and redoing many of my passwords. What was DEFINITELY helpful was that I've used roboform for several years and so it was just a matter of going down the list and revisiting all the sites. I'm glad I had that or many of these sites would have been obscure names by now I barely even recall visiting. What comes out of this for me is again a reminder to make sure that passwords vary from site to site. And that they're different enough to not even make a connection. I also think that a program like roboform is worth its weight in gold just to maintain a listing and to help manage the many passwords and user names we all deal with out there on the net.
Like many, I was very anxious after having received the email I did which also got to the point of being very angry as well. But not an ounce of that was directed at this site or the many efforts Justin and others have always put forth on our behalf and I am GLAD it's happening on someone like Justin's watch where I KNOW it will be fixed.
And lastly, I would like to suggest that if it hasn't been done already..that you call the FBI. Something of this size and scope should be reported to them right away IMO.
Best of luck Justin and all at resolving this and moving on from it.
~Rick
|
Weirdal | Premium | join:2003-06-28 | Grand Island, NE | kudos:20 | 1 edit | reply to Rick
said by Rick: First..Justin, as far as I'm concerned if you spend one single minute beating yourself up over this on my or many people I'm sure who frequent this site, then you spent one minute too long.
Actually this was a pretty huge security mistake that should never have happened. 135,000+ users now have their passwords in someone's hands. Your post belongs in a topic like this, not this one. He absolutely should beat himself up about this.
I am glad I woke up to find this thread though.
-- »[Info] The DSLR Orangeface extension 2.0!
|
CylonRed | Premium, MVM | join:2000-07-06 | Bloom County
Not all of the accounts were compromised - last number I read was 9K.
|
Hall | Premium, MVM | join:2000-04-28 | Dayton, OH | kudos:2
said by CylonRed: Not all of the accounts were compromised - last number I read was 9K.
Isn't that what they always say?
|
GeekNJ | Premium | join:2000-09-23 | Waldwick, NJ | reply to Rick
If this was Verizon, Comcast, OOL, Time Warner or any other ISP that had the exact same thing happen, and no financial or personal info beyond what was accessible here was compromised by those sites, it would be front page news on this site, people would be screaming bloody murder and no one would be thanking them for telling us.
The site had multiple flaws already identified just by this one instance. The site was compromised. It's the site's fault, not any user's fault. I would have thought there was better security implemented here on the site but that would have just been my own [incorrect] observation from what else I saw.
Glad it was caught before everyone's data was extracted. Sucks to be one of those users that was impacted.
-- Tweaked your connection? | Mail Parse | Speed Converter
|
antiserious | The Future ain't what it used to be | Premium | join:2001-12-12 | Scranton, PA
said by GeekNJ: Sucks to be one of those users that was impacted.
My account was one of those compromised. Doesn't suck much at all, for me. It's been a trivial inconvenience so far. But it is entertaining to read some of the comments.
|
 | reply to GeekNJ
Re: site user password intrusion info
It is the site's fault (well, the administrators' fault) that the site got compromised. That is correct.
It is also the users' fault for re-using passwords across multiple sites.
These are not incompatible statements. There's plenty of blame to go around.
-- TV: Dish Network Internet: FiOS 15/5
|
antiserious | The Future ain't what it used to be | Premium | join:2001-12-12 | Scranton, PA | 1 edit
Re: site user password intrusion info
edit - since the post that generated this reply was deleted, it makes little sense. So, in the words of Emily Litella, "Never Mind".
|
GeekNJ | Premium | join:2000-09-23 | Waldwick, NJ | reply to tonycpsu
said by tonycpsu: It is the site's fault (well, the administrators' fault) that the site got compromised. That is correct. It is also the users' fault for re-using passwords across multiple sites. These are not incompatible statements. There's plenty of blame to go around.
I don't disagree that the impact to each user of DSLR being compromised has a direct bearing on what info a user supplied here. I have a thread at »Impacted by DSLR breach - what are your best practices? I'd appreciate your input on.
With your specific response, are you using a different email everywhere so the fact that your email was compromised has no impact on you, you're deleting the account and have a different one setup here with a new one? If you hypothetically start receiving hundreds of spam messages a day, it's no big deal I guess for you since your email was just used here and was throwaway.
-- Tweaked your connection? | Mail Parse | Speed Converter
|
tcmits | join:2000-06-12 | Greenbelt, MD | reply to tonycpsu
said by tonycpsu: It is the site's fault (well, the administrators' fault) that the site got compromised. That is correct. It is also the users' fault for re-using passwords across multiple sites. These are not incompatible statements. There's plenty of blame to go around.
That's not relevant. Did anyone pay for credits to this site? Wasn't there a contract, either real or implied, as a result? Would a reasonable person believe that all necessary measures to protect against this sort of problem were done by the owner?
I do not understand computers well enough to know if a "simple file" as I have read, is enough or not. If it is, then the owner did what they should have done. If it was not, then IMHO, it is time to contact the insurance company for the business, report what occurred and follow their guidance. I would think, at the least, that short-term identity protection would be the minimum suggested by them. A lawyer may have another opinion.
I think this is a business, not a hobby. If I'm wrong, I apologize. If I'm right though, then it needs to be managed as a business.
A good, first, step was the notification. Now comes the crucial follow-up steps such as identity protection, IMHO.
I'm not going to debate this ad nauseam. I will do all that I can to protect myself. If I am exposed to liability of any type as a result, I will reevaluate at that time what my options may be.
Again though, it would be a strong gesture of good faith and customer support/relations, I think, for short-term identity protection to be offered everyone involved in this.
|
Mentat | Picard Is A Communist | Premium | join:2001-02-25 | Sugar Land, TX
You're funny, bro.
-- »mmoQQ.com
|
| reply to tcmits
said by tcmits: A good, first, step was the notification. Now comes the crucial follow-up steps such as identity protection, IMHO.
WTF? Identity protection? You mean you actually use your NAME on the internet?
My driver's license doesn't say PSX_Defector. My CCs don't say PSX_Defector.
There is no identity to protect. My real life persona is not in any way related to my handle on forums like these. I don't think I've ever used my handle anywhere in real life. And notice that the stolen data wasn't anything to do with the payment system, so there is no vector to the real world.
This is an unreasonable demand and would get bounced out of any court in two seconds flat. You have to prove with reasonable expectation that your account info here led to a direct harm. Most you will get is tertiary damage, your info here was used to get into your email account which was then used to provide a man in the middle effort to get your info.
|
compn | join:2001-03-05 | Livonia, MI | reply to Rick
said by Rick: What is AMAZING to me is that in all these years, this is ALL that's ever happened
all that has been detected you mean.
remember folks, change them passwords frequently. them hackers can get in and out without leaving evidence, or without using computers (think inside jobs or social engineering).
now to clear my firefox passwords, you think trojans wouldn't look there first?
TOOLS > Options > Security > Saved Passwords: websites, usernames and passwords stored for anyone to read...
i seem to remember a similar vulnerability with the osx keychain system as well.
|