The phpbb website was hacked

The guys who write the phpBB forum software have had their main website hacked.  The whole process looked pretty sophisticated and the attacker had access for a couple of weeks (increasingly deep access during that time).  The bottom line is that the attacker has posted the e-mail addresses, user IDs and hashed passwords for every account registered on phpbb.com.

In fact, the attacker went one further and dumped the entire MySQL database and made it available, so the published data includes every field collected when an account was registered.

Now the passwords are MD5 hashes rather than plain text, but phpBB v2 stored a straight, unsalted MD5 of the password, which is trivial to attack with a dictionary or a precomputed table.  phpBB v3 salts the password (and iterates the hash) before storing it, which is much harder to attack.  The site can only re-hash your password when you next log in, so if you created an account on phpBB while it was running v2 and never logged in again after it upgraded to v3, your stored hash is still the old unsalted one, and lots of people you don’t want having access are currently trying to crack it.  If you had a simple password, they’ve already done it: about 18,000 passwords (all the obvious ones) were broken very quickly.

Robert Graham has done some basic analysis of the passwords over in this article.  He has also linked to the Blogger site on which the attacker describes the hack; it is still up at the moment, although none of its links to the published files work any more.  The phpbb.com site is down for maintenance until they are sure it’s safe and that nothing else was changed.

The hack was carried out through a 0-day exploit in PHPlist, a mailing list manager installed on phpbb.com, and was not related to the phpBB forum software itself.  The attacker had access for a couple of weeks and the PHPlist patches were released after he gained access, so patching as soon as they could wouldn’t have helped the phpBB guys.  What might have helped was not upgrading to the latest version of PHPlist straight away, which is an argument for running at least one release behind the latest of any software (security patches excepted, of course).  Those two requirements conflict too often for it to be reliable advice.

I had an account on phpbb.com so I spent a few hours last night checking what user credentials I’d used and making sure I wasn’t using the same combination anywhere else.  I think I had a reasonably strong password, it’s never a word in the dictionary, it’s not even a word in the dictionary with some letters replaced by numbers, so it can only be brute forced by using random combinations of characters.  However, computational power is cheap and getting cheaper, so any password that can be brute forced will eventually be brute forced.  I’m not sure if I logged in to phpbb.com after they moved to v3, but I suspect I did so my password was probably salted as well.  However, I didn’t take any chances and I changed my passwords on a bunch of services last night.

Does this hack teach us anything new?  Not really, but it reminds us of things we should already know.  Try not to use the same user ID / password combination more than once, and certainly keep credentials you care about (like online banking) totally separate from those you don’t (like a message board you’re going to use once).

The article analysing the passwords reminds us that picking a clever password is harder than it first seems, because with millions of other computer users around the world having the same clever idea, the result is still a common password.  Picking trustno1 (Mulder’s password from the X-Files) won’t help you when the people cracking the dump are X-Files fans, and joshua isn’t as clever as you imagined once you find out half the hackers in the world watched WarGames as well.  I’m not sure the list on this site is really the top 500 passwords, but it’s a good example of 500 pretty weak passwords, because if they’re that easy to think up, they’re already in a cracking dictionary somewhere.

If you can compute MD5 hashes yourself (the method varies by OS) there is a simple check for whether a password is weak: hash it and search for the hash on Google.  For example, the MD5 hash of password is 5f4dcc3b5aa765d61d8327deb882cf99; search for that string and see how many hits you get.  Anyone who used password as their password on phpbb.com had it recovered in about two seconds, and swapping the o’s for zeros wouldn’t have helped either.  You don’t even need to be a hacker to go from unsalted MD5 hashes to passwords: there are several websites, easily found on Google, where you paste in an MD5 hash and they return the string that produced it, if it is in their tables.  Note that this only works because the hashes are unsalted; a per-user salt means no shared table applies and each account has to be attacked separately.
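The following is an added example (not code from the original post) showing both points above in working Python: a dictionary attack against unsalted MD5 hashes, where one precomputed table answers for every account in a dump, compared with a salted and iterated hash, where every candidate has to be re-hashed per account. The wordlist and the "dump" are constructed here for illustration, and the salted scheme is a simplified stand-in for phpBB3's, not its actual hash format.

```python
import hashlib
import os

# Constructed toy wordlist standing in for the "obvious" passwords the post
# mentions; a real cracking dictionary has millions of entries.
WORDLIST = ["password", "passw0rd", "trustno1", "joshua", "letmein", "123456"]


def md5_hex(data: bytes) -> str:
    """Plain MD5 as hex; md5_hex(b"password") is the hash quoted in the post."""
    return hashlib.md5(data).hexdigest()


def crack_unsalted(hashes, wordlist):
    """phpBB2-style storage: md5(password) with no salt.

    Hash the wordlist once, then every account in the dump is a dictionary
    lookup. Returns ({hash: password} for the hits, number of md5 calls).
    The call count does not grow with the number of accounts, which is why a
    table built once (or a web site that has already built it) answers in
    seconds for a whole dump.
    """
    table = {}
    ops = 0
    for word in wordlist:
        table[md5_hex(word.encode())] = word
        ops += 1
    found = {h: table[h] for h in hashes if h in table}
    return found, ops


def salted_md5(password: str, salt: bytes, rounds: int = 1) -> str:
    """Salted, iterated MD5: a simplified stand-in for the phpBB3 scheme
    (this is NOT phpBB3's actual '$H$' encoding). The per-account salt is
    stored next to the hash; it is not secret, it just prevents shared work."""
    digest = hashlib.md5(salt + password.encode()).digest()
    for _ in range(rounds - 1):
        digest = hashlib.md5(digest + password.encode()).digest()
    return digest.hex()


def crack_salted(records, wordlist, rounds=1):
    """records: list of (salt, hash). With a salt there is no shared table:
    every candidate is re-hashed for every account, and each iteration round
    multiplies that cost. Returns ({hash: password} for the hits, md5 calls)."""
    found = {}
    ops = 0
    for salt, target in records:
        for word in wordlist:
            ops += rounds
            if salted_md5(word, salt, rounds) == target:
                found[target] = word
                break
    return found, ops


def is_in_dictionary(password: str, wordlist=WORDLIST) -> bool:
    """The check the post suggests, done locally: is md5(password) already in
    a precomputed table? Searching the hash on the web is the same test
    against a much larger table."""
    known = {md5_hex(w.encode()) for w in wordlist}
    return md5_hex(password.encode()) in known


def demo():
    passwords = ["password", "passw0rd", "xK9#qLw2"]   # two weak, one not listed
    # Constructed phpBB2-style dump: unsalted hashes only.
    dump = [md5_hex(p.encode()) for p in passwords]
    weak_found, weak_ops = crack_unsalted(dump, WORDLIST)
    # The same passwords stored salted, with a random 8-byte salt per account.
    records = []
    for p in passwords:
        salt = os.urandom(8)
        records.append((salt, salted_md5(p, salt, rounds=1024)))
    salted_found, salted_ops = crack_salted(records, WORDLIST, rounds=1024)
    return {
        "unsalted_cracked": sorted(weak_found.values()),
        "unsalted_md5_calls": weak_ops,
        "salted_cracked": sorted(salted_found.values()),
        "salted_md5_calls": salted_ops,
    }


if __name__ == "__main__":
    print(demo())
```

Running demo() cracks the same two weak passwords either way, but the unsalted attack costs six MD5 calls for the whole dump (and would still cost six for 100,000 accounts), whereas the salted, iterated version costs thousands of calls for three accounts and scales with the number of users. Salting doesn't rescue a password that is in the wordlist; it only removes the attacker's ability to reuse work across accounts.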

Take care with your accounts and your passwords, keep them out of the dictionary.

Back from roleplaying

-5 celsius in Mansfield and -3 celsius in Nottingham (western edge).  Pretty damn cold.  Mansfield still has a lot of snow on the ground and any ungritted roads are really dangerous – the road down to our friends’ isn’t owned by the council yet and was slick with compacted snow and ice.

Made it in one piece though.

Gonna be a cold night.

Hitman

At best this is an average assassin action movie, at worst it’s derivative tripe, but it manages to hold its head above water just enough to entertain for 90 minutes.

Hitman

I haven’t played the game on which this movie is based (Hitman!) but I have heard horror stories about how amoral it is and hence bad for society.  The game, I’m led to believe, covers the actions of Agent 47 (the hitman in question), born into the role and carrying out hits for cash.  The movie of the same name is an action film which adds some plot and dilemma.  It is, as most movies about assassins turn out to be, a story of an assassin finally realising what he’s doing isn’t really very nice, but feeling his only recourse is to kill his way out of the problem, and in that respect it doesn’t bring anything new to the genre.  However there’s still scope within that basic premise to deliver something interesting or entertaining.  How many times have we watched the same spy story (spy is abandoned by his agency when they think he’s gone bad and fights to prove his innocence) or the same cop buddy story?

Our hero takes on a job and is subsequently set up, the rest of the film covers his actions to exact revenge, understand what happened, and rescue the girl (there’s always a girl).  Playing foil to the assassin is an InterPol inspector who’s been tracking him for three years.  The short interplay between these two characters does add some depth, and while the female involvement is predictable and insulting (oh no, another woman needs saving from an abusive and sadistic world leader) it provides the only shallow-comic moments in the entire film.

The action sequences are pretty staid, and acting is pretty hollow, although how much range do you need to play a deadly assassin?  The camera work and scenery is pretty nice though.  What saves the movie from being a total dud is that it’s actually quite interesting.  I wanted to see where it went, mostly because of how the movie opens (I won’t spoil it), and that kept me going until the end, and while I saw the little twist coming it still made me grin.

There are some interesting edits, and I’m assuming quite a bit of footage ended up on the floor; at one point we move abruptly from one scene to a meeting with a CIA agent which doesn’t seem to have any back story at all, but when you’re expecting something to be terrible, it’s easier to be forgiving about stuff like that.

Hitman is a passable action movie, and while it’s essentially derivative tripe, it’s derivative tripe which entertains and keeps you amused for 90 minutes.  It scores just over 6 on IMDB, and I’d probably rate it around 5, not terrible, not good, just ok.

There is one thing I have to rant about though.  Have you seen the game or the trailers for the movie?  The hitmen belong to a secret organisation, totally clandestine.  So they ensure their hitmen blend in, by making them all totally bald and tattooing barcodes on the back of their heads about a fucking inch high.  Our assassin is a ghost, blending in everywhere, except everywhere he goes he stands out like a thug in a china store because he’s bald and has a bar code tattooed into his head.  Come on!  I can suspend disbelief but when no one raises an eyebrow, and when no one knows what any of these assassins looks like, I just had to pretend it was a dream.

Otherwise – worth watching for fans of the game and people who like action movies for what they are.

I let a man touch my testicles

I thought a lot about writing this blog post, and in fact as I write it (now! live!) I’m still not sure I’m actually going to post it.  I don’t really know who reads my blog any more, I’m not even sure why those who do, do, but I suspect this post isn’t what any of you are expecting.

Don’t click or read on if you’re squeamish or don’t feel you know me well enough to listen to me talk about my bollocks being handled by a strange guy.


Superbad – what did I miss?

We recorded Superbad over Christmas and watched (the start of) it this evening.  Maybe myself and Grete weren’t in the right mood but it really didn’t strike a chord.  I chuckled a couple of times, but I hated Seth and the other two kids were equally annoying.  We made it to the part where the liquor store gets robbed but then just gave up.  Perhaps it turns a corner at that stage and gets super funny, perhaps not.

Won’t be rushing to try and catch it again any time soon – deleted it from Sky+, disappointed and left wondering what we missed.

I won’t call this a full review since we didn’t finish watching it – and that’s something that hasn’t happened in a while.