Twitter Hack Details Revealed

← Back to Stories (view on slashdot.org)

Twitter Hack Details Revealed

Posted by CmdrTaco on Thursday January 8, 2009 @05:10AM from the my-password-is-p4ssw0rd dept.

Jack Spine writes "Twitter co-founder Biz Stone has confirmed both to ZDNet UK and Wired's Threat Level blog that a dictionary attack was used to hack Twitter. After the hacker distributed details on the Digital Gangster forum, celebrities such as Britney Spears and Barack Obama had their accounts defaced. Wired spoke to the alleged hacker, while ZDNet UK got in contact with someone who had been on the Digital Gangster forum at the time."

222 comments

Min score:

Reason:

Sort:

Lack of Hacker Ethics by alain94040 · 2009-01-08 05:10 · Score: 5, Insightful

Cracking the site was easy, because Twitter allowed an unlimited number of rapid-fire log-in attempts.
Twitter is doubly at fault here. First, it's not that hard to detect rapid-fire password attacks. Even Unix (way before Linux) knew to kick you out after 3 failed attempts. Second, they should enforce better passwords for their employees (not necessarily for regular users, that's another discussion).

He decided not to use other hacked accounts personally. Instead he posted a message to Digital Gangster offering access to any Twitter account by request.
That's where the 18-year old kid is at fault. He showed a lack of hacker ethics. Good hackers may discover an exploit, but they don't do harm.
When I hacked my university's computer network (Vax machines on Bitnet back in 1990), I did it with the knowledge of the sysadmin staff. And once you have made your point, you stand back.
--
FairSoftware.net -- geeks starting fair and open software businesses together
1. Re:Lack of Hacker Ethics by Anonymous Coward · 2009-01-08 05:20 · Score: 5, Funny
  
  That's where the 18-year old kid is at fault. He showed a lack of hacker ethics. Good hackers may discover an exploit, but they don't do harm.
  Maybe so, but really nice hackers patch the exploit with fairy dust and unicorn farts.
2. Re:Lack of Hacker Ethics by Jonah+Bomber · 2009-01-08 05:20 · Score: 5, Funny
  
  Aw, what's the use of going through all that trouble if you can't have Bill O'Reilly announce he's gay?
3. Re:Lack of Hacker Ethics by TheCycoONE · 2009-01-08 05:25 · Score: 5, Insightful
  
  That's where the 18-year old kid is at fault. He showed a lack of hacker ethics. Good hackers may discover an exploit, but they don't do harm.
  Perhaps, but it's likely because this kid did a little harm that he's captured the attention of so many people. It adds a healthy dose of sensationalism to the story which convinces people to treat security seriously better than some hypothetical 'it could have been really bad if..' would"
4. Re:Lack of Hacker Ethics by silentquasar · 2009-01-08 05:28 · Score: 5, Insightful
  
  That's where the 18-year old kid is at fault. He showed a lack of hacker ethics. Good hackers may discover an exploit, but they don't do harm.
  When I hacked my university's computer network (Vax machines on Bitnet back in 1990), I did it with the knowledge of the sysadmin staff. And once you have made your point, you stand back.
  Indeed. At my college a while back, some seniors found a way to hack into the school's network. They posted every user's password on a local network site. Only a handful of weeks away from graduation, they were expelled. Sure, they meant no harm, just to expose the weaknesses in the system, but they broke the rules and seriously compromised the system by posting the passwords, so they had to pay the price. Yikes!
5. Re:Lack of Hacker Ethics by Anonymous Coward · 2009-01-08 05:32 · Score: 0
  
  Wow! "Hacked into the network", you say? Kids these days.
6. Re:Lack of Hacker Ethics by silentquasar · 2009-01-08 05:38 · Score: 1
  
  Sorry about that - my terminology was weak. They hacked some supposedly-secure-from-the-student portion of the network. And FWIW, this was back in ought one.
7. Re:Lack of Hacker Ethics by drx · 2009-01-08 05:42 · Score: 1
  
  If pushing out some ironic/satirical messages is already harm, then i don't know ...
8. Re:Lack of Hacker Ethics by bughunter · 2009-01-08 05:46 · Score: 5, Insightful
  
  Um... what kind of harm can you cause by hacking Twitter? It's the internet equivalent of writing on a bathroom wall.
  (Yes, I'm aware of the recursive metaphor I'm creating here.)
  
  --
  I can see the fnords!
9. Re:Lack of Hacker Ethics by girlintraining · 2009-01-08 05:52 · Score: 4, Insightful
  
  As much as I don't want to say it, ethics don't mean crap these days. If you hack into a system and leave a note saying "Hey, hacked your box, here's how I did it, here's how to fix it, Thanks. Signed, Good Samaritan"... It only means they will send an army of lawyers and g-men after you because you embarassed them, and because while techies like us might understand what the hacker wanted to accomplish, management will not. Frankly, given that there is no protection for people who adhere to the hacker ethos as opposed to those who don't, there is no incentive do be nice. If you get the chance, gut the bastards and don't leave anything behind except a zero'd drive and a message on the screen saying "Next time, don't use a 'password' as the root login." Is it damaging? Yes. But if you don't crap the server, all you're doing is beating the hornet's nest with a stick.
  It's sad that nobody has thought to pass a law to protect digital good samaritans -- that is, people who discover and report (in good faith) security issues either to the people running the servers directly, or the vendor(s) of the software/hardware that is vulnerable -- provided they do nothing else but confirm the exploit is present and notify the appropriate parties. And, of course, do not retain copies of any sensitive information once the report is made.
  Is it any different than finding an unlocked car in the parking lot and opening the door, pushing the door lock, closing the door, and continuing on your merry way? A pity the legal system does not see it this way... Which leaves only the recourse of scorched earth to make the point.
  
  --
  #fuckbeta #iamslashdot #dicemustdie
10. Re:Lack of Hacker Ethics by madhurms · 2009-01-08 05:53 · Score: 1
  
  He decided not to use other hacked accounts personally. Instead he posted a message to Digital Gangster offering access to any Twitter account by request.
  
  That's where the 18-year old kid is at fault. He showed a lack of hacker ethics. Good hackers may discover an exploit, but they don't do harm.
  
  I think its more serious than "lack of hacker ethics". A cracker with an admin access can potentially delete and wipe out entire twitter accounts of not only the high profile celebrities, but also any other accounts they can find, probably including other (twitter) admins.
11. Re:Lack of Hacker Ethics by madhurms · 2009-01-08 05:58 · Score: 1
  
  To add to this, a system is only as secure as its weakest point. In this case, it happened to be the admin password. So even if the user (say Barack Obama) had a very strong (cryptic) password, his account could still be accessed by password resets by an admin.
12. Re:Lack of Hacker Ethics by Anonymous Coward · 2009-01-08 06:01 · Score: 0
  
  Um... what kind of harm can you cause by hacking Twitter? It's the internet equivalent of writing on a bathroom wall.
  (Yes, I'm aware of the recursive metaphor I'm creating here.)
  Well, twitter might hack you back, or just use a sock puppet to mock you.
  Posted anonymously because I'm "not new here"
13. Re:Lack of Hacker Ethics by RemoWilliams84 · 2009-01-08 06:02 · Score: 5, Funny
  
  Is it any different than finding an unlocked car in the parking lot and opening the door, pushing the door lock, closing the door, and continuing on your merry way?
  I like to do this when I find a car sitting outside a gas station still running.
  
  --
  "I don't have to think. I only have to do it. The results are always perfect, but that's old news." - Meat Puppets
14. Re:Lack of Hacker Ethics by truthsearch · 2009-01-08 06:02 · Score: 1
  
  I'm sure news agencies and bloggers watch twitter accounts of famous people. Putting in messages (that aren't obviously defacements or spam) could cause incorrect information to spread to "reputable" sources. We've seen bloggers post incorrect information that gets spread around until newspapers pick it up. The same could happen here.
  
  --
  Developers: We can use your help.
15. Re:Lack of Hacker Ethics by causality · 2009-01-08 06:20 · Score: 1
  
  It's sad that nobody has thought to pass a law to protect digital good samaritans -- that is, people who discover and report (in good faith) security issues either to the people running the servers directly, or the vendor(s) of the software/hardware that is vulnerable
  It will never happen, because "harm" is arguable, so they can accuse you of harm no matter what you do. You should always *always* report these things anonymously. Not doing so is... a learning experience.
  If they're (the vulnerable site) going to be that way about it, maybe the solution is to stop reporting anything to them at all. I mean really, if you intend to do something good, why go where you're not wanted? Let them wonder why they've seen a sudden spike of $ACTIVITY and let them find and fix the flaws on their own. Let them explain to their users that they couldn't perform damage control/threat mitigation early on because they have soiled any kind of trust relationship between companies and the would-be white hats who could have tipped them off.
  
  If you're going to start shooting messengers, you're going to start running out of messengers. Make sure you don't need their message before you do that. This sort of common sense seems to be the first loss whenever there is a "prosecute everyone!" mentality.
  
  --
  It is a miracle that curiosity survives formal education. - Einstein
16. Re:Lack of Hacker Ethics by sexconker · 2009-01-08 06:25 · Score: 2, Interesting
  
  Anyone trusting blogs, twitter, etc. for news is a moron. Any newspaper, news network, etc. doing the same is run by morons, and should go back to journalism school.
17. Re:Lack of Hacker Ethics by not+new+here · 2009-01-08 06:30 · Score: 3, Funny
  
  Liar, I'm not new here!
18. Re:Lack of Hacker Ethics by Anonymous Coward · 2009-01-08 06:31 · Score: 0
  
  If they're (the vulnerable site) going to be that way about it, maybe the solution is to stop reporting anything to them at all
  Oh, no no no. You report it, just to different people. :-P
19. Re:Lack of Hacker Ethics by Anonymous Coward · 2009-01-08 06:34 · Score: 0
  
  First post? check
  Has a spamvertizement for FairSoftware.net? check
20. Re:Lack of Hacker Ethics by reashlin · 2009-01-08 06:38 · Score: 1
  
  Twitter is doubly at fault here. First, it's not that hard to detect rapid-fire password attacks. Even Unix (way before Linux) knew to kick you out after 3 failed attempts.
  Its a nice thought that you could do this but its actually not that easy to implement on a real world basis. Wouldn't it be funny to just write a bot to brute force the username and submit "a" as a password. Twitter/whoever becomes obsolete as no-one can log into their accounts. Worse still the bot works quicker than most because it doesn't even have to vaildate the return page. It can drop it entirely.
21. Re:Lack of Hacker Ethics by daveatneowindotnet · 2009-01-08 06:43 · Score: 1, Interesting
  
  Overrated, really? I thought it was hilarious even if it was crude and cynical.
22. Re:Lack of Hacker Ethics by Anonymous Coward · 2009-01-08 06:51 · Score: 1, Insightful
  
  The moderation here has taken a huge dump, lately. I swear lately more things are modded down than modded up. It seems mostly to be moderators apparently devoid of senses of humor and/or unwilling to give people the benefit of the doubt.
23. Re:Lack of Hacker Ethics by FeepingCreature · 2009-01-08 06:52 · Score: 1
  
  Indeed, if you were to count three attempts per user account.
  
  Which is of course the reason why you count attempts by IP.
24. Re:Lack of Hacker Ethics by severoon · 2009-01-08 06:53 · Score: 2, Insightful
  
  I think if you run a system that a good number of people depend upon, and a breach in security could cause important problems, then you have a serious obligation to institute a good security policy. If you don't, it's negligence and should be treated as such.
  Are unethical hackers responsible for their actions? Sure, just as responsible as a business that takes on the trust of its users willingly.
  
  --
  but have you considered the following argument: shut up.
25. Re:Lack of Hacker Ethics by truthsearch · 2009-01-08 06:53 · Score: 1
  
  I don't disagree at all. But the fact remains that most people blindly trust mainstream media, and there are some mainstream organizations that report what's found on blogs with no corroborating evidence.
  
  --
  Developers: We can use your help.
26. Re:Lack of Hacker Ethics by Anonymous Coward · 2009-01-08 07:13 · Score: 0
  
  same thing at my high school, though they ended up with only a fine. of course in that case they wouldn't have gotten caught if they'd implemented the plan correctly instead of the dipshit who installed the keyloggers freezing his name in to every login box in the lab
27. Re:Lack of Hacker Ethics by causality · 2009-01-08 07:18 · Score: 1
  
  If they're (the vulnerable site) going to be that way about it, maybe the solution is to stop reporting anything to them at all
  Oh, no no no. You report it, just to different people. :-P
  "To them" was a key component of that sentence. The implication that you have explicitly stated was intentional.
  
  --
  It is a miracle that curiosity survives formal education. - Einstein
28. Re:Lack of Hacker Ethics by Tibor+the+Hun · 2009-01-08 07:19 · Score: 1
  
  Haha, yeah, that's a good trick. It sure spooks the kids inside.
  
  --
  If you don't know what AltaVista is (was), get off my lawn.
29. Re:Lack of Hacker Ethics by corywingerter · 2009-01-08 07:20 · Score: 1
  
  You could cause harm to thousands (millions?) of users by placing a link to a dangerous site on a well known and trusted Twitter user (Obama...).
  
  Would I trust a link from The President Elect's Twitter? Sure.
  
  --
  Work smarter, not harder.
30. Re:Lack of Hacker Ethics by sexconker · 2009-01-08 07:28 · Score: 1
  
  So what? Let the retards wallow. If you rely on them believing your iCEO is healthy to keep your stock prices up, then you better educate them, or be more open with them. (Then again, iCEO has that awesome backdate stock options feature, so who really cares?)
31. Re:Lack of Hacker Ethics by Anonymous Coward · 2009-01-08 07:33 · Score: 0
  
  Liar, I'm not new here!
  D'oh!
  I meant to say:
  I'm not "new here". Same bait, different fish.
32. Re:Lack of Hacker Ethics by sam0737 · 2009-01-08 07:34 · Score: 1
  
  Cracking the site was easy, because Twitter allowed an unlimited number of rapid-fire log-in attempts.
  ...Even Unix (way before Linux) knew to kick you out after 3 failed attempts...
  Let me fix that for you...Even Windows does!
33. Re:Lack of Hacker Ethics by mcgrew · 2009-01-08 07:38 · Score: 1
  
  Is it any different than finding an unlocked car in the parking lot and opening the door, pushing the door lock, closing the door, and continuing on your merry way?
  If I come upon an unlocked car with the lights on, I won't even shit the guy's lights off for him. The harm he's possibly caused by my lack of being a good samaritan (a dead battery) is far less than the harm that could be caused by me if he or a policeman happened by as I was opening the door and mistook me for a thief.
  Help people when you can, but don't be a fool.
  
  --
  Free Martian Whores!
34. Re:Lack of Hacker Ethics by Anonymous Coward · 2009-01-08 07:39 · Score: 0
  
  I like how we need a law to protect good samaritans. and I'm not knocking the parent post; I agree. I just like how it's come to that.
35. Re:Lack of Hacker Ethics by MyHair · 2009-01-08 07:50 · Score: 2, Funny
  
  Liar, I'm not new here!
  Oh no, not again...
36. Re:Lack of Hacker Ethics by iwan-nl · 2009-01-08 07:51 · Score: 1
  
  One could use a botnet to execute the DOS attack in that case.
  A strategy which might prove a bit more effective is to present the user with a captcha after three failed password attempts. This will not be overly annoying for real users, but it will significantly increase the cost of an attack.
  
  --
  I'm trying to improve my English. Please correct me on any spelling/grammar errors in this post.
37. Re:Lack of Hacker Ethics by drpimp · 2009-01-08 07:54 · Score: 0, Flamebait
  
  Don't get me wrong, calling him gay is a good laugh, I can't stand the guy in all his omnipotent arrogance, but there are a lot more negative impacting points about the guy that would have been better to point out. That said, those who actually read his Tweets probably either wouldn't understand the truth, or opposing opinions if it smacked them in their face.
  
  --
  -- Brought to you by Carl's JR
38. Re:Lack of Hacker Ethics by INTERNET+EXPERT · 2009-01-08 07:58 · Score: 2, Funny
  
  I won't even shit the guy's lights off
  The guy's already drained his car battery. He doesn't need your vulgarities.
39. Re:Lack of Hacker Ethics by randyest · 2009-01-08 08:06 · Score: 1
  
  [Citation needed]
  
  --
  everything in moderation
40. Re:Lack of Hacker Ethics by causality · 2009-01-08 08:13 · Score: 1
  
  I guess it depends on what you think is ethical.
  My ethics don't include taking undeserved abuse from someone for whom you are trying to do a significant favor when the favor is on a "take it or leave it" basis so no one is being coerced into anything. This is a situation where trying to do something good can easily get a person prosecuted. There are probably a lot of "white hats" who would help with these things, for free, if only their efforts were appreciated. Laws like this have a significant chilling effect.
  
  The parallels to gun control are interesting. Criminals who are willing to commit armed robbery and murder and the like are not intimidated by illegal weapons charges. Law-abiding citizens are very much intimidated by illegal weapons charges. What's the result? Armed criminals and disarmed potential victims. There's a good reason why states that enact conceal-carry laws see declines in violent crime, because those laws represent a step away from that situation. Here you have corporations that want the law to protect them from computer intrusion. They got what they wanted. So now you have criminal "black hats" who obviously are not intimidated by computer intrusion charges and law-abiding "white hats" who risk prosecution if they try to do anything about it, just so an otherwise humiliated corporation can save face.
  
  If trying to help them is not appreciated, then I think the proper, ethical response is to leave the corporations to their own devices. That is, to neither help them nor harm them in any way. If they suffer from an exploit that your skills could have prevented or mitigated, just accept that this is the decision they have made. I think it's a situation where people need to "come to their senses" and learn to be realistic, to raise the general consciousness and overcome old ideas like the "cops and robbers" mentality that have not been very successful in this new environment. I'd much rather see that than more clever solutions that don't really address the lack of understanding. These situations take time and, like most truly good things, attempts to speed it up or to force it to happen just makes it worse. It takes a degree of patience, the real kind, to understand and accept this without falling into the trap of the resentment of the non-ideal.
  
  --
  It is a miracle that curiosity survives formal education. - Einstein
41. Re:Lack of Hacker Ethics by Anonymous Coward · 2009-01-08 08:24 · Score: 0
  
  If those passwords had been hashed, like they should have been, it would have been less of a mess. If it had been hashed and salted, even less than that.
42. Re:Lack of Hacker Ethics by Anonymous Coward · 2009-01-08 08:36 · Score: 0
  
  Is it any different than finding an unlocked car in the parking lot and opening the door, pushing the door lock, closing the door, and continuing on your merry way?
  I like to do this when I find a car sitting outside a gas station still running.
  That is why I probably will never fix my passenger side rear window that won't stay up on its own. At least if I stupidly leave my keys in the car, I can get that window down and open my car back up.
  True, not all that secure to have a window that can be opened from the outside, but if someone really wants to steal my crappy car, they can have at it.
43. Re:Lack of Hacker Ethics by truthsearch · 2009-01-08 08:48 · Score: 1
  
  Are you joking? Turn on any 24 hour news channel and eventually you'll see it. CNN even lets anyone post their own news to their site. Average visitors don't consider if it's validated by CNN. Remember incorrect reports of Steve Jobs' health causing the stock price to drop?
  
  --
  Developers: We can use your help.
44. Re:Lack of Hacker Ethics by Anonymous Coward · 2009-01-08 08:49 · Score: 0
  
  I agree with you. However as a sysadmin imagine for a few minutes that one day you login to web cluster and discover hacked.txt. You then cat hacked.txt which reads "I hacked your system using ." What would be your next step?
  Would it be "gee thanks mister anonymous" or would it be "oh great, what did mister anonymous do that I dont know about?" See for example the hacker that found the DNS bug, reported it while installing his own back door in all the systems he reported the issue to.
  Now youre thinking "oh so what you take a few hours to ensure the system is clean and move on with life." But youre forgetting what those few hours cost the company that you work for (which by the way coincidentally considers IT a money sink since normally there is a large amount of cash put into it and little that IT actually produces). So you spend say a day ensuring that one of your systems was not back doored.... Multiply by oh say, 7 web servers, 4 databases, a few file servers... Suddenly 8 man hours turns into 40+ man hours and potentially downtime to your customers (resulting in lost revenue)... I think you get the point here.
  So why isnt there legislation to protect the white hats? Because honestly there is no such thing as a white hat. Even the guy who does it and really did not do anything harmful costs the victim a large amount of time and money; it is not a victimless crime.
45. Re:Lack of Hacker Ethics by dangitman · 2009-01-08 08:59 · Score: 1
  
  We've seen bloggers post incorrect information that gets spread around until newspapers pick it up.
  Indeed. Steve Jobs just personally announced on Twitter that he has died.
  
  --
  ... and then they built the supercollider.
46. Re:Lack of Hacker Ethics by not+new+here · 2009-01-08 08:59 · Score: 1
  
  That brave soul is an inspiration to us all. <lonetear />
47. Re:Lack of Hacker Ethics by orielbean · 2009-01-08 09:00 · Score: 1
  
  Well, I could go hack, get the details I wanted, sell the credit card data or change the grades, etc. Then I leave a cute widdle note there saying "Hey be careful, looks like your passwords are compromised" and look like a hero? There's not an easy answer to this dilemma, as you stated yourself.
48. Re:Lack of Hacker Ethics by randyest · 2009-01-08 09:21 · Score: 1
  
  How will I see that "most people blindly trust mainstream media" by watching a 24 hour news channel? Maybe you thought I was asking for source of your other claim? (I wasn't.)
  
  --
  everything in moderation
49. Re:Lack of Hacker Ethics by Kleen13 · 2009-01-08 09:40 · Score: 1
  
  Is it any different than finding an unlocked car in the parking lot and opening the door, pushing the door lock, closing the door, and continuing on your merry way?
  I like to do this when I find a car sitting outside a gas station still running.
  OMFG I laughed so loud when I read that that I startled everyone else in the office.
  
  --
  That sinking feeling deep in your gut when you KNOW you screwed up bad summed up with: {head desk} {head desk}
50. Re:Lack of Hacker Ethics by dwarg · 2009-01-08 09:53 · Score: 5, Funny
  
  Yeah, Hacker Ethics, that's it.
  That reminds me of the time I thought I heard a noise at night and I walked into my kids room and there was this guy standing there looking at my 8 month old daughter sleeping. Scared the shit out of me. I was about to either kick his ass, or shit myself when he told me to calm down. He was an Ethical Burglar(TM).
  He had used some pretty basic lock picking methods to break in and just wanted me to know my family was at risk and that we should cage ourselves in our own home so that the marauding Visigoths couldn't break in and kill us all.
  I thanked him for his generous service and he said it was no problem. On his way out he looked at my house one more time and mentioned that he might come back another time and set the place on fire, so we should probably get a coating of asbestos or something to be ready for that.
  I only wish we had more of these ethical hackers and burglers to keep up safe.
51. Re:Lack of Hacker Ethics by smoker2 · 2009-01-08 09:54 · Score: 1
  
  Yeah, my favourite is sticking a script in cron.daily that emails them saying "still here !".
52. Re:Lack of Hacker Ethics by Anonymous Coward · 2009-01-08 09:59 · Score: 0
  
  Anyone trusting blogs, twitter, etc. for news is a moron. Any newspaper, news network, etc. is run by morons, and they should go back to journalism school.
  Fixed that for you.
53. Re:Lack of Hacker Ethics by Anonymous Coward · 2009-01-08 10:02 · Score: 5, Funny
  
  To show I have a sense of humor, I modded the parent Troll.
54. Re:Lack of Hacker Ethics by Sleepy · 2009-01-08 10:18 · Score: 1
  
  Aw, what's the use of going through all that trouble if you can't have Bill O'Reilly announce he's gay? ... and is even such an admission NECESSARY, I would ask?
55. Re:Lack of Hacker Ethics by maxume · 2009-01-08 10:27 · Score: 1
  
  Quit fucking locking me out of my car.
  
  --
  Nerd rage is the funniest rage.
56. Re:Lack of Hacker Ethics by Alarindris · 2009-01-08 10:33 · Score: 1
  
  It's sad that nobody has thought to pass a law to protect digital good samaritans
  That's retarded. What would you do if you came home, caught someone picking your lock and they said "O hai! Was just gonna point out your security vulnerabilities!"?
  
  A. Kick their ass.
  B. Call the cops.
  C. Both.
  
  B, maybe C for me.
57. Re:Lack of Hacker Ethics by halber_mensch · 2009-01-08 10:43 · Score: 0
  
  Yeah, Hacker Ethics, that's it.
  That reminds me of the time I thought I heard a noise at night and I walked into my kids room and there was this guy standing there looking at my 8 month old daughter sleeping. Scared the shit out of me. I was about to either kick his ass, or shit myself when he told me to calm down. He was an Ethical Burglar(TM).
  He had used some pretty basic lock picking methods to break in and just wanted me to know my family was at risk and that we should cage ourselves in our own home so that the marauding Visigoths couldn't break in and kill us all.
  I thanked him for his generous service and he said it was no problem. On his way out he looked at my house one more time and mentioned that he might come back another time and set the place on fire, so we should probably get a coating of asbestos or something to be ready for that.
  I only wish we had more of these ethical hackers and burglers to keep up safe.
  Hacker is a term that has a meaning that has long predated the Intarweb and has been given an incorrect meaning by inept journalists.
  Read the definitions on the Jargon file.
  "A person who enjoys exploring the details of programmable systems and how to stretch their capabilities, as opposed to most users, who prefer to learn only the minimum necessary. RFC1392, the Internet Users' Glossary, usefully amplifies this as: A person who delights in having an intimate understanding of the internal workings of a system, computers and computer networks in particular."
  "One who programs enthusiastically (even obsessively) or who enjoys programming rather than just theorizing about programming."
  "An expert or enthusiast of any kind. One might be an astronomy hacker, for example."
  And most importantly for you to read,
  "[deprecated] A malicious meddler who tries to discover sensitive information by poking around. Hence password hacker, network hacker. The correct term for this sense is cracker."
  
  --
  perl -e "eval pack(q{H*},join q{},qw{70 72696e74207061636b28717b482a7d2c717b343 637323635363534323533343430617d293b})"
58. Re:Lack of Hacker Ethics by LKM · 2009-01-08 10:55 · Score: 0
  
  That was terribly funny, but also terribly stupid. The analogy simply doesn't hold. You know quite well how secure your home is. On the other hand, if there are security issues with IT infrastructure, you probably don't know about them. It's not very useful for you if somebody tells you that your door locks suck; having crappy locks may even be a conscious decision on your part. It is, however, very useful for you if somebody points out security issues with your computer systems. Having security holes in your system is never (well, rarely) a conscious decision.
  If a "nice" hacker had alerted twitter to this issue, the current situation would never have occurred.
59. Re:Lack of Hacker Ethics by Anonymous Coward · 2009-01-08 11:16 · Score: 0
  
  I would be mightily angry if someone locked my car door for me. If it's unlocked, it's for a reason - I once had a VW Bug you could lock, but not unlock again, for example.
60. Re:Lack of Hacker Ethics by vvaduva · 2009-01-08 11:53 · Score: 1
  
  "That's where the 18-year old kid is at fault. He showed a lack of hacker ethics. Good hackers may discover an exploit, but they don't do harm."
  Bah!
61. Re:Lack of Hacker Ethics by Anonymous Coward · 2009-01-08 12:05 · Score: 0
  
  Damn, I wish I were a nigger
  Edited for you.
62. Re:Lack of Hacker Ethics by gecko308 · 2009-01-08 12:29 · Score: 1
  
  Security by obscurity, I'm sure. That network isn't exactly a fortress. I accidentally found a publicly accessible share (public to anyone with domain credentials, including students) with a massive .txt file that listed all the email traffic that went through the Exchange server, including to/from addresses and subject lines.
  Regardless, it seems like they deserved to be expelled. With that in mind, it's only slightly surprising that they don't expel students for walking on the grass.
63. Re:Lack of Hacker Ethics by Fulcrum+of+Evil · 2009-01-08 13:33 · Score: 1
  
  I like CC gun laws just fine, but... they don't really affect crime rates either way. That's more a function of economic opportunity and culture than anything else.
  On topic, while I see the good side of pointing out security holes, any time it goes to actively pentesting a site, the perpetrators need to be prosecuted; sure, they don't mean to break things, but a well intentioned idiot can cause a lot of damage, and what would it solve anyway? People who don't care about security won't change just because they know about a problem, they'll only secure things when forced.
  
  --
  "We returned the General to El Salvador, or maybe Guatemala, it's difficult to tell from 10,000 feet"
64. Re:Lack of Hacker Ethics by dwarg · 2009-01-08 13:43 · Score: 2, Funny
  
  First of all, it was the (grand)parent comment that coined the term "Hacker Ethics."
  Secondly, the problem with your argument is in actual usage. People that engage in cracking call themselves hackers because calling yourself a cracker implies you married your sister and spend most of your time playing banjo on the porch.
65. Re:Lack of Hacker Ethics by thePowerOfGrayskull · 2009-01-08 14:00 · Score: 1
  
  "[deprecated] A malicious meddler who tries to discover sensitive information by poking around. Hence password hacker, network hacker. The correct term for this sense is cracker."
  
  Usage changes meaning over time. This is a lost battle.
66. Re:Lack of Hacker Ethics by shabble · 2009-01-08 15:07 · Score: 1
  
  Even Unix (way before Linux) knew to kick you out after 3 failed attempts.
  
  Perfect way to DOS someone. Exponential timeouts for retries is a better way to go to prevent rapid-fire. (1 second after first wrong attempt, then 2 seconds, 4, 8, 16 etc.)
  
  --
  http://harridanic.com
67. Re:Lack of Hacker Ethics by dptulk · 2009-01-08 15:16 · Score: 1
  
  HA! I was wondering what that smell was in the server room, I must have gotten hacked...
68. Re:Lack of Hacker Ethics by dwarg · 2009-01-08 16:21 · Score: 3, Insightful
  
  That was terribly funny, but also terribly stupid.
  I must say you're awfully good looking, but you smell horrible.
  
  The analogy simply doesn't hold. You know quite well how secure your home is.
  I can see you've put a lot of thought into this... I'll type slowly for you.
  People who like to defend the romantic image of the hacker usually make two mistakes.
  One; they assume the crux of the argument is security when it's actually law.
  Two; they assume intent should be accounted for after the fact.
  The legality of the activity is determined by the possible intent of the actor. When an unauthorized person attempts to bypass a security measure the law is forced to assume they are doing so with malicious intent because they are subverting the means put in place to prevent just that action.
  Breaking into a house is identical to breaking into a computer system in that respect.
  If a crime could only be charged AFTER a person has circumvented security, so they could be sure of intent, what kind of outcomes would that invite before a charge could be filed?
  Seriously, read that last sentence again and think about it.
  
  On the other hand, if there are security issues with IT infrastructure, you probably don't know about them.
  Considering this is Slashdot, I would certainly hope most of us would have a better idea of the security of our computer systems/networks than the security of our parent's basement.
  
  It's not very useful for you if somebody tells you that your door locks suck; having crappy locks may even be a conscious decision on your part.
  Really? This is what you're going with? Tell me, why exactly would I want crappy locks on my doors? If you're referring to the fact that I don't choose to wrap the house in razor wire and dig a moat, then yes I have taken a laissez-faire approach to domestic security. The reason none of us need to go that far is because breaking into a house in unconditionally illegal and there are LEGAL mechanisms in place to protect me and provide recourse if that should happen. That is the primary deterrent that keeps people from walking around and "checking" their neighbor's locks to make sure they're secure.
  
  It is, however, very useful for you if somebody points out security issues with your computer systems. Having security holes in your system is never (well, rarely) a conscious decision.
  Yes it is useful, and there are means to do that which don't involve breaking into someone else's systems and compromising potentially sensitive information--even if only to one person. The difference is that between a hacker and a security consultant.
  If a bank's systems are hacked by anyone outside the organization, regardless of what they do with the information, they are required to inform their customers that their data has been compromised. People close accounts, money is lost and there are repercussions that go beyond the romantic image of the lone hacker who's sticking it to the man, but will never know the soft touch of a woman.
  
  If a "nice" hacker had alerted twitter to this issue, the current situation would never have occurred.
  Fine, let's assume we live in a world that values the noble efforts of hackers and someone hacked Twitter and alerted them to this problem before an evil cracker used this exploit for his nefarious designs. So we've created an atmosphere where everyone feels secure walking around "checking the locks" as I said earlier.
  Are you going to feel more secure knowing there are a lot of people trying to find ways into your system and that some of them are aren't the good kind of hackers and you have no way of knowing what kind of hacker they are until AFTER they've gotten into your system?
  As an admin, if you see suspicious activity on your server logs do you want that activity stopped or should yo
69. Re:Lack of Hacker Ethics by plnix0 · 2009-01-08 16:40 · Score: 0, Flamebait
  
  If you trust Barack Obama, you've already compromised your own security.
70. Re:Lack of Hacker Ethics by Anonymous Coward · 2009-01-08 18:20 · Score: 0
  
  this just made my day!
71. Re:Lack of Hacker Ethics by Anonymous Coward · 2009-01-08 18:20 · Score: 0
  
  Bill O'Reilly HASN'T already announced he is gay!?!?!? That is common knowledge, and rather ironic. Perhaps someone should fill him in.
  And since we are talking facts (definitely not rumors), I was watching the BCS Championship game (that's college-level American tackle football there), I remembered that University of Florida quarterback Time Tebow likes to have sex with really fat, male goats. And dudes. I practice ethical posting, so you know Tebow is as gay as O'Reilly.
72. Re:Lack of Hacker Ethics by HungryHobo · 2009-01-08 21:56 · Score: 1
  
  One big difference between hacking and burglery.
  When was the last time you saw a self replicating robot robbing a house?
  In meatspace a human has to go and break into the house, this is a significant risk to them.
  On the net someone in siberia writes some code and releases it which uses a vulnerablility in a system to infect a decent portion of the targets in the world.risk: approx zero.
  If you have pisspoor locks on a house it doesn't make much difference.Slightly higher chance that you suffer a loss. If you have pisspoor security on your computer you will get infected and then that will cause problems for others.
73. Re:Lack of Hacker Ethics by hesaigo999ca · 2009-01-09 01:46 · Score: 1
  
  Well, I agree to your first point, and not to the second, a hacker will do harm, a security specialist will not. I am true believer that this is Twitter's fault. If you leave your front door open, who is at fault, the person who walks in and takes your stereo, or you for leaving the door open (and I want to see the police man's face when you tell him).
  If twitter had done a good job with reviewing their code AND training their employees...this would never have happened....on another note though, I doubt very much that high profile people such as Obama, would even have an account on there. Britney maybe, but Obama, please....these were probably accounts created by someone else, and they looked important enough to hack, but I doubt anything of value was found there.
  If Britney was in touch with Timberlake having an affair, and used twitter to set up meetings or exchange info, I guess you could say someone got lucky, but the PR people for all celebrity stars are wise enough to teach their Hollywood paychecks not to post on public forums, without using code...
74. Re:Lack of Hacker Ethics by causality · 2009-01-09 06:14 · Score: 1
  
  On topic, while I see the good side of pointing out security holes, any time it goes to actively pentesting a site, the perpetrators need to be prosecuted; sure, they don't mean to break things, but a well intentioned idiot can cause a lot of damage, and what would it solve anyway? People who don't care about security won't change just because they know about a problem, they'll only secure things when forced.
  That's very much like the point I was making. I especially agree about the "only secure things when forced". I don't like it but I recognize that this is the reality of the situation in many cases. To me, laws that prosecute people for computer intrusion represent the opposite of "when forced". Think of it this way: if the laws work perfectly and all intruders are either caught and imprisoned, or deterred because of fear of the law, then why bother to secure anything?
  
  This is something that I believe others have explained better than I am likely to, but I'll try. Generally, laws are a way to manage things that we otherwise don't know what to do about. We don't know how to convince everyone to stop being violent, to stop raping or murdering, so we have laws to deal with the people who choose to do these things. This is so much better than nothing that it isn't even funny, but it is not a real solution to the problem of violence. Likewise, laws against computer intrusion are not a real solution to the problem of insecure systems. They can only deal with the people who break into them, and that's if the perpetrator is in a jurisdiction in which this is possible.
  
  As complex as they are, computers and networks are still significantly simpler and easier to understand than human beings. We can describe and theorize and predict with great success every last thing that these machines can do; with human beings, we don't really even know what consciousness is. You don't even need perfect security or anything remotely like it; all you need to do is to make the average compromise difficult enough that it is no longer worthwhile. I think this is doable and that the only reason why it hasn't already happened is that it's not very important to us, collectively. In the meantime, laws that create a culture in which the criminals have several advantages are counterproductive. I think we can do better than that.
  
  --
  It is a miracle that curiosity survives formal education. - Einstein
75. Re:Lack of Hacker Ethics by mattwarden · 2009-01-09 06:34 · Score: 1
  
  Where's the -1, Spoiler Alert mod when you need it
76. Re:Lack of Hacker Ethics by bluenotecigars · 2009-01-09 17:47 · Score: 1
  
  I like Bill O'Reilly. Say it aint so. Didn't he end up settling out of court for sexual harrasment suit by some woman.
  
  --
  Blue Note Cigars
77. Re:Lack of Hacker Ethics by LKM · 2009-01-14 03:25 · Score: 1
  
  One; they assume the crux of the argument is security when it's actually law.
  I said nothing at all about the law.
  
  Two; they assume intent should be accounted for after the fact.
  I don't. I think the result should be taken into consideration when evaluation somebody's actions - again, not talking about the law.
  As for the rest of your comment; I'm not quite sure what I did to upset you so. I don't have the time to read your whole essay, just one small point:
  
  Fine, let's assume we live in a world that values the noble efforts of hackers and someone hacked Twitter and alerted them to this problem before an evil cracker used this exploit for his nefarious designs. So we've created an atmosphere where everyone feels secure walking around "checking the locks" as I said earlier.
  Precisely, and that is exactly what you want, because you can be sure as hell that the bad guys are checking the locks, too.
  
  Are you going to feel more secure knowing there are a lot of people trying to find ways into your system
  
  Looking at my logs, a lot of people are already trying to find ways into my systems. Hopefully, not all of them are bad guys.
  Frankly, I don't understand your position. You're making it sound as though you think that not having "good" hackers will make the "bad" hackers go away. It won't.
  People are trying to hack my systems constantly, and if somebody sends me a message saying "hey, you forgot to validate user input in that form", or "hey, you don't prevent an infinite amount of login attempts on that site", you know what I'm going to do? I'm going to fucking thank them for alerting me to the problem.
78. Re:Lack of Hacker Ethics by dwarg · 2009-01-14 06:40 · Score: 1
  
  As for the rest of your comment; I'm not quite sure what I did to upset you so. I don't have the time to read your whole essay, just one small point:
  I do apologize for the tone of my earlier response, web anonymity and Slashdot grandstanding may have gotten the best of me. In addition, I get frustrated with the people that bring up "good hackers" or "hacker ethics" every time a story breaks about a major system being compromised.
  That said, if you can't be bothered to read the entirety of my previous post, you obviously aren't interested in listening to any opinion that doesn't already agree with your own, so what's the point in writing at all?
  I'll try to keep this brief as to not overwhelm you and waste a minimum of our time.
  You make two statements in your last post that would seem to imply that you either don't understand what I wrote, or don't want to understand.
  First, you point out that you, "said nothing about the law." Which was exactly my point.
  Second, you say that I'm implying. "that not having "good" hackers will make the "bad" hackers go away." Which is a misrepresentation of what I said, probably stemming from that fact that you didn't read "my whole essay."
Digital Gangsters are... by mfh · 2009-01-08 05:22 · Score: 1

Twits!

--
The dangers of knowledge trigger emotional distress in human beings.
You know who made minutiae funny and interesting? by Anonymous Coward · 2009-01-08 05:24 · Score: 0

Seinfeld. Sorry, but your tweets are fucking boring and have no value.
hacker ethics by mfh · 2009-01-08 05:25 · Score: 1

That's where the 18-year old kid is at fault. He showed a lack of hacker ethics.
Yes, there was no profit here. The least the kid could have done was to hold these twits hostage for some consulting fees!! /sarcasm

--
The dangers of knowledge trigger emotional distress in human beings.
Twitter co-founder Biz Stone ... by maxwells+daemon · 2009-01-08 05:25 · Score: 1

porn name?
1. Re:Twitter co-founder Biz Stone ... by Anonymous Coward · 2009-01-08 05:49 · Score: 0
  
  porn name?
  Nah, that could also be a drug dealer's name you insensitive clod!
After all of this... by Thelasko · 2009-01-08 05:29 · Score: 1

Obama still won't give up his Crackberry.

--
One of our competitors trademarked the term "hypothesis". From now on, we will call them "boneheaded ideas".
1. Re:After all of this... by NewbieV · 2009-01-08 05:45 · Score: 3, Interesting
  
  Blackberries are safer than Twitter accounts. If you enter the wrong password into a Blackberry a set number of times (usually 10), it erases its contents.
  
  --
  
  "For every right, an equal responsibility..."
2. Re:After all of this... by Anonymous Coward · 2009-01-08 06:29 · Score: 0
  
  Apartments are a the true killer app in this economy.
3. Re:After all of this... by Joe+Snipe · 2009-01-08 07:18 · Score: 2, Funny
  
  That sounds more dangerous; because now my buddy is going to have a blank phone when we go out drinking tonight.
  
  --
  Sometimes, life itself is sarcasm...
4. Re:After all of this... by mcgrew · 2009-01-08 07:27 · Score: 2, Informative
  
  That's not why they want him to give it up. Federal alw says that all Presidential emails must be kept and can be used as evidence of wrongdoing. If he keeps his blackberry he's a fool.
  
  --
  Free Martian Whores!
5. Re:After all of this... by piltdownman84 · 2009-01-08 07:56 · Score: 1
  
  I'll have to remember that when out drinking and having hard time with my password.
6. Re:After all of this... by Actually,+I+do+RTFA · 2009-01-08 08:42 · Score: 1
  
  . Federal alw says that all Presidential emails must be kept and can be used as evidence of wrongdoing.
  Or preserved for prosperity. It would be amazing to examine the thinking of FDR or Churchill, and many people use their letters to do so. Imagine if all their business coorespondence was in one place.
  
  If he keeps his blackberry he's a fool.
  There has to be someway for a server to archive it all while allowing him access via a blackberry. Even if he has to lean on RIM for a custom server.
  
  --
  Your ad here. Ask me how!
7. Re:After all of this... by dangitman · 2009-01-08 09:05 · Score: 1
  
  Huh? Why couldn't Presidential emails sent via Blackberry be stored in the archive? After all, the emails still go through a mail server. The linked article mentions nothing about data retention laws - it says that they are worried somebody will steal/hack into it.
  
  --
  ... and then they built the supercollider.
8. Re:After all of this... by bberens · 2009-01-08 09:30 · Score: 1
  
  The issue is probably more of an IT security nightmare than anything else. How much street cred could someone get for hacking the POTUS's e-mail account. Of course, that's a good way to get bagged and tagged too... but kids are dumb these days.
  
  --
  Check out my lame java blog at www.javachopshop.com
9. Re:After all of this... by Fulcrum+of+Evil · 2009-01-08 13:50 · Score: 2, Funny
  
  There has to be someway for a server to archive it all while allowing him access via a blackberry. Even if he has to lean on RIM for a custom server.
  A corporate email service archiving mail? Whodathunkit?
  
  --
  "We returned the General to El Salvador, or maybe Guatemala, it's difficult to tell from 10,000 feet"
10. Re:After all of this... by commodoresloat · 2009-01-08 19:15 · Score: 1
  
  Blackberries are safer than Twitter accounts. If you enter the wrong password into a Blackberry a set number of times (usually 10), it erases its contents.
  There's also a lot more valuable information in a blackberry than there is in a twitter account.
11. Re:After all of this... by mcgrew · 2009-01-09 03:01 · Score: 1
  
  If there's an email there's no "plausable deniability". If you speak to someone face to face you can deny ever saying anything.
  
  --
  Free Martian Whores!
Bill'O exposed by Anonymous Coward · 2009-01-08 05:35 · Score: 0

A fake message sent to followers of the Fox News Twitter feed announced that Fox host Bill O'Reilly "is gay,"
Maybe the hacker DID have some good intentions after all.
As much as I dislike crackers in general, I also dislike the Fox propaganda machine and especially Bill, but seeing the first attack the later.. oh well. I'm curious as to how the mainstream media will respond to this hacking and attacking story.
1. Re:Bill'O exposed by Anonymous Coward · 2009-01-08 07:05 · Score: 0
  
  "I also dislike the Fox propaganda machine"
  Let me guess... You're okay with the much larger and much more pervasive and well-funded Obama propaganda machine, though, right?
Oh Noes! by Anonymous Coward · 2009-01-08 05:42 · Score: 0

Not another poorly implemented trendy little site that everyone will forget all about six months from now! Better make a twit or a tweet or a snit or a shite or whatever they're called while you still can! If you don't you might have to wait until you can make a boop or a blup or a doot on twatter.com!

Really now, am I the only one who thinks of the sound of a mosquito in your ear when I see the word "twitter"? Annoying Slashdot troll with multiple personality sockpuppet account disorder notwithstanding...
1. Re:Oh Noes! by Anonymous Coward · 2009-01-08 06:42 · Score: 0
  
  you can make a twat on twattle.com!
  
  There fixed it for you!
Limit logins without DOS? by Manip · 2009-01-08 05:47 · Score: 4, Interesting

This is one of my favourite security conundrums.
How do you limit someone's login attempts to an account without allowing an account to be denial of serviced?
Captcha - hurts young, old, and disabled users. It can also make it hard for normal users if poorly designed (as many are).
IP Limit - Very easy to bypass with a proxy list.
Hard Account Limits - Denial of service
Thus is the problem. How do you limit logins without hurting legitimate users?
1. Re:Limit logins without DOS? by larry+bagina · 2009-01-08 05:56 · Score: 5, Insightful
  
  Slow down cowboy! It's been 1 minute since your last failed attempt to login.
  
  --
  Do you even lift?
  These aren't the 'roids you're looking for.
2. Re:Limit logins without DOS? by Anonymous Coward · 2009-01-08 05:59 · Score: 0
  
  [ 0) limit simultaneous tries per account, and perhaps ip ]
  1) Randomize the amount of time the login verification takes.
  2) If login fails, then force the attacker to wait for a long time to know the answer.
  Not bulletproof but helps...
3. Re:Limit logins without DOS? by jeffmeden · 2009-01-08 05:59 · Score: 3, Insightful
  
  Easy, increase the amount of time between the password being supplied and the pass/fail response being sent. If the script has to wait for 5 seconds to see if the password is bad, it increases the dictionary run time by a LOT. The only way around this is to run multiple iterations of the script, each with a section of the list to run. This makes them much easier to spot by other filters.
  However, a legit user waiting 5 seconds for the login to complete probably won't generate a lot of complaints.
4. Re:Limit logins without DOS? by the_humeister · 2009-01-08 06:00 · Score: 1
  
  Encryption with a unique keyfob just for you. I'd want that for banks, but not necessarily for Twitter because who cares if I'm now "taking a huge crap in the toilet that's now overflowing."?
5. Re:Limit logins without DOS? by paulhar · 2009-01-08 06:02 · Score: 3, Interesting
  
  One way would be to get progressively slower at *processing* a login for a particular user based on the number of failed attempts. I.e. user enters a password, the timer ticks away, and then at the end it really does the test and checks if the password was right.
  You would typically double the time delay with a reasonable limit of say 1 minute so that each failed attempt sticks at 1 minute delay.
  You put up a banner after the delay reaches 10 secs or so saying "Your login will be slower as you have had X failed attempts recently".
  Then elsewhere you limit the number of failed logins from a single IP address to different accounts via a similar method to slow them down trying 100,000,000 accounts with password X.
  Oh, and you internally you check that passwords aren't common dictionary attack words to prevent users from running with knives when they create / modify their account...
6. Re:Limit logins without DOS? by evanbd · 2009-01-08 06:03 · Score: 1
  
  A global limit with an exception that grants a per-ip limit to ips that have previously had a successful login (within the last $time_period) does better than those options.
7. Re:Limit logins without DOS? by Anonymous Coward · 2009-01-08 06:03 · Score: 1, Insightful
  
  Here's an idea: make the login username private and separate from the public-facing username (and not an email address either). Thus when signing up for an account, you would select a public username and a private username in addition to a password.
  This would most forms of attack next to impossible, because the publicly visible username would have no bearing on the login credentials. A potential hacker would have no idea what account they needed to hack.
  Patent pending, patent pending, patent pending. But surely someone has done this already?
8. Re:Limit logins without DOS? by causality · 2009-01-08 06:03 · Score: 3, Insightful
  
  This is one of my favourite security conundrums.
  How do you limit someone's login attempts to an account without allowing an account to be denial of serviced?
  Captcha - hurts young, old, and disabled users. It can also make it hard for normal users if poorly designed (as many are).
  IP Limit - Very easy to bypass with a proxy list.
  Hard Account Limits - Denial of service
  Thus is the problem. How do you limit logins without hurting legitimate users?
  One approach is to still allow the login but to insert artificial delays. Maybe your password cracker can guess several thousand passwords in one second; too bad, because the site will only allow you to try one every three seconds. Even a fairly weak password can be extremely difficult to guess this way, though it is no substitute for strong passwords that are never sent as cleartext.
  
  --
  It is a miracle that curiosity survives formal education. - Einstein
9. Re:Limit logins without DOS? by TubeSteak · 2009-01-08 06:17 · Score: 1
  
  Hard Account Limits - Denial of service
  Thus is the problem. How do you limit logins without hurting legitimate users?
  Give locked out users the option to send a one-time login link to their e-mail address of record.
  It isn't much different than sending out a password reset e-mail.
  But it's fairly stupid not to include a hard cap on the # of login attempts per [unit of time]
  
  --
  [Fuck Beta]
  o0t!
10. Re:Limit logins without DOS? by RoFLKOPTr · 2009-01-08 06:18 · Score: 1
  
  IP Limit - Very easy to bypass with a proxy list.
  Not really. He was able to fire off thousands of passwords a minute and left it running overnight. Whereas, if they would only allow his IP address 5 failed attempts within, say, a 30 minute period, he would have had to switch proxies every 5 password attempts. Beside the fact that he will probably run out of proxies by midnight, it would also take him probably 5 seconds to establish a connection with the proxy and then only be able to use that proxy for 5 password attempts. It would be much more hassle than it's worth, and would make 100 password guesses take probably 20 times as long as they would have without proxies.
11. Re:Limit logins without DOS? by Phrogman · 2009-01-08 06:19 · Score: 4, Interesting
  
  Perhaps even add +x seconds after every attempt, so your first attempt goes through and fails the next one has a delay of 5s and thereafter its incremented. Most users will get their password correct on the second try or perhaps the third, the script will die a slow death.
  
  --
  "The first time I got drunk, I got married. The second time I bought a chimpanzee, after that I stayed sober" Arian Seid
12. Re:Limit logins without DOS? by bendodge · 2009-01-08 06:31 · Score: 1
  
  Security question after a few attempts. And let people make their own security question.
  
  --
  The government can't save you.
13. Re:Limit logins without DOS? by Thaelon · 2009-01-08 06:31 · Score: 1
  
  One way to do it is to have the person with the locked account call or stop by the helpdesk to get their account password reset.
  In the case of twitter it would likely be calling only. Real users have no problem confronting a real human being to get access to their account. Hackers are less likely to. Also, it's a lot more difficult to brute force something involving a phone call to a person every 4 attempts.
  DOS, can still be used, but if the user can let you know there's a problem via a phone call you can take additional attempts to protect their specific account, or to block the DOS on a case by case basis. This will help very little against a DDOS against a single account, but will typically thwart a malicious individual that is just harassing your user.
  
  --
  Question everything
14. Re:Limit logins without DOS? by el3mentary · 2009-01-08 06:36 · Score: 1
  
  I've seen this system used on forums before.
  
  --
  I reject your reality and substitute my own.
15. Re:Limit logins without DOS? by Kozz · 2009-01-08 06:38 · Score: 1
  
  Congratulations, you've DOSed the help desk.
  
  --
  I only post comments when someone on the internet is wrong.
16. Re:Limit logins without DOS? by fuzzyfuzzyfungus · 2009-01-08 06:50 · Score: 1
  
  That is basically what we do for internal user logins, since we have to have a helpdesk anyway; but there is just no way that some barely-ad-supported-trendy-new-media-web2.0-mashup-widget-api-hipster outfit is going to be able to afford a bunch of real people sitting at phones and waiting for users with free accounts to have trouble. Also, while it definitely stops high-speed scripted attacks, humans are, on average, pretty easy to social engineer. In an environment where I can walk down and talk to you in person, or verify some sort of credentials you have as an employee, this is manageable. Random internet service user, though, not so much.
17. Re:Limit logins without DOS? by TrickyPeach · 2009-01-08 06:53 · Score: 1
  
  How many login tries does a legitimate user need anyway? 3? Surely if you don't know it, you just don't know it?
  
  --
  Conformism is the new nonconformism.
18. Re:Limit logins without DOS? by Anonymous Coward · 2009-01-08 06:57 · Score: 0
  
  If IP Limits are not used, this will still allow for denial of service (for as long as the attack is ongoing (plus the login timeout)).
19. Re:Limit logins without DOS? by cdfh · 2009-01-08 07:02 · Score: 1
  
  The attacker does not need to wait until the response is sent: many can be sent concurrently. Preventing multiple concurrent login attempts opens the window for DoS attacks.
20. Re:Limit logins without DOS? by Anonymous Coward · 2009-01-08 07:04 · Score: 1, Interesting
  
  For my users to log in they have to supply the correct password AND have not failed a password check in the last 3 seconds. If not, they get a "Wrong Password" message either way.
21. Re:Limit logins without DOS? by BarryJacobsen · 2009-01-08 07:13 · Score: 1
  
  Perhaps even add +x seconds after every attempt, so your first attempt goes through and fails the next one has a delay of 5s and thereafter its incremented. Most users will get their password correct on the second try or perhaps the third, the script will die a slow death.
  The problem with this is that it doesn't prevent the denial of service scenario that the institution of the delay was trying to prevent! If the script is running on the account, the legitimate user now has to wait an incredibly long time to log in.
  
  --
  Track your TV Shows with your iPhone - FREE
22. Re:Limit logins without DOS? by Anonymous Coward · 2009-01-08 07:16 · Score: 0
  
  Aka "Tarpitting" - usually applied with an exponential delay increase each iteration.
23. Re:Limit logins without DOS? by SBacks · 2009-01-08 07:22 · Score: 1
  
  I've seen this system used on forums before.
  And, this is basically how (some) video games work. Login with the account username, but everything from you appears as your character's name.
24. Re:Limit logins without DOS? by nobodylocalhost · 2009-01-08 07:36 · Score: 1
  
  Easy, user keys. During account creation, generate a unique user key and send it to the client creating the account and make the login associate to the user key only. This way, the user can carry their key in a usb drive when they move around, the client will simply be directed to encrypt the authentication attempt using the user key.
  the following may increase security:
  1) associated user name do not affect key generation. (this way the attacker has to guess the user name linked to the key)
  2) key morphing scheme. (this will make "left behind" keys essentially useless, and also let authentication become a intrusion detection mechanism. This however can become a problem in the event of network failure or power failure, thus need a propose/confirm threeway handshake.)
  Note this is a bit different than the current ssl scheme where the same public key can be used for many different users. This essentially requires the host site to maintain a key database along with their user accounts. It will stop brute force because it would be rather difficult to reproduce an unique key generated at unspecified time with unknown hardware in unknown conditions and isn't even sent during login attempt. The server can then simply set to ignore any traffic that doesn't conform to protocol specification.
  If you want it to conform with the web standards we have right now, just generate a cert for each and every user. On the user end browser will treat it as a normal ssl connection. On the server end however, you grab the user name via public ssl, then switch to the unique user cert for the rest of your session including password with that particular user. If the user lacks proper cert, well, the server will just serve blank and give protocol error. This cannot be password brute forced.
  
  --
  Where is the "Ignorant" mod tag?
25. Re:Limit logins without DOS? by ghjm · 2009-01-08 07:49 · Score: 1
  
  This utterly misses the denial of service side of the issue. If you and your BFF are of the age where Twitter is important to you, but then you stop being BFFs, each of you can remove the other's Twitter access by running a script that constantly tries and fails to log in.
  It also misses the point that the moving part in the attack is the username, not the password. If I only get three attempts before it locks me out or becomes too slow to bother with, I'll try password, Password1 and letmein on every userid.
  Blocking login attempts after 5 different *userids* from the same source might work, but then you have to define what a source is.
  -Graham
26. Re:Limit logins without DOS? by GWLlosa · 2009-01-08 08:12 · Score: 1
  
  Easy. You throttle the logins. After the first failed login, you add a 1 sec delay. Every subsequent failed login, you double the delay. Reset delay after successful login. Good luck with your million-year dictionary attack.
27. Re:Limit logins without DOS? by mollymoo · 2009-01-08 08:18 · Score: 1
  
  I'd want several, so I could try all the different passwords I've used over the years for unimportant stuff. I use unique and secure passwords for important stuff, but I just not going to bother trying to remember different passwords for a dozen different forums where the worst that could happen is someone posts something rude with my account. So I re-use a standard password with somethign to do with the site appended to it - my Slashdot password might be pa55wordslash, or pa55wordslashdot, or pa55word/., or oldpa55wordslash, or evenolderpasswordslash... I might need several guesses.
  
  --
  Chernobyl 'not a wildlife haven' - BBC News
28. Re:Limit logins without DOS? by DorkRawk · 2009-01-08 08:29 · Score: 1
  
  In the same vain, you could have each attempt have some sort of increasingly intensive client side processing task. This could be used for charitable means (like protein folding or the likes). A user who makes 5 mistakes on their password wouldn't notice much of difference (but many users logging in would produce some good processing power) and a bot trying to dictionary attack would get so hung up on increasingly more intensive processing tasks that it would become useless.
  
  --
  Steal my band's record! Seriously,
29. Re:Limit logins without DOS? by gwylim · 2009-01-08 08:51 · Score: 1
  
  Maybe you could combine them. Use a soft limit, then require captcha.
30. Re:Limit logins without DOS? by ZerdZerd · 2009-01-08 09:42 · Score: 1
  
  Exactly. And use the power of exponential!
  
  --
  I'm not insane! My mother had me tested.
31. Re:Limit logins without DOS? by bberens · 2009-01-08 09:44 · Score: 1
  
  ...he would have had to switch proxies every 5 password attempts.
  
  I wonder what the security implications are of IPv6. Until this moment I hadn't really thought about it in that context.
  
  --
  Check out my lame java blog at www.javachopshop.com
32. Re:Limit logins without DOS? by oreaq · 2009-01-08 09:58 · Score: 1
  
  That's easy. Use SSL with client authentication especially if you have administrative privileges and the machine can be reached over the internet.
33. Re:Limit logins without DOS? by smoker2 · 2009-01-08 10:01 · Score: 1
  
  Why ? Surely whatever we are talking about here allows multiple logins ? I can have gmail open on 2 PCs at once, I can login over SSH more than once.
34. Re:Limit logins without DOS? by Fulcrum+of+Evil · 2009-01-08 13:56 · Score: 1
  
  Blocking login attempts after 5 different *userids* from the same source might work, but then you have to define what a source is.
  That's easy - you don't have to be perfect, just limit damage; a 15 minute timeout (even a silent one) after enough failures is innocuous enough that you can accept some false positives, so define source as IP, with whitelists for known trusted sources and perhaps AOL (lots of people on one IP). Once you've pinched the largest offenders, look at your remaining kiddie traffic, and define a couple more sources to reduce those numbers further, until you get to an acceptable level.
  
  --
  "We returned the General to El Salvador, or maybe Guatemala, it's difficult to tell from 10,000 feet"
35. Re:Limit logins without DOS? by Fulcrum+of+Evil · 2009-01-08 14:02 · Score: 1
  
  2) Block anonymous proxies. If you ever look at your logs, slashdot will sometimes request a file when you're not logged in and post (http://slashdot.org/ok.txt) from you to see if your IP is an anonymous proxy. IF they get their own file from your IP, they block you.
  Huh, If I were a nefarious dude (and I am the Fulcrum of Evil), I'd implement proxying at the router, so that sort of thing would show me as living at some specified IP.
  
  --
  "We returned the General to El Salvador, or maybe Guatemala, it's difficult to tell from 10,000 feet"
36. Re:Limit logins without DOS? by Fulcrum+of+Evil · 2009-01-08 14:09 · Score: 1
  
  Note this is a bit different than the current ssl scheme where the same public key can be used for many different users.
  
  No, it's a client cert, done poorly. Use client certs if that's what you want, but don't expect twitterheads to figure that out.
  
  --
  "We returned the General to El Salvador, or maybe Guatemala, it's difficult to tell from 10,000 feet"
37. Re:Limit logins without DOS? by shird · 2009-01-08 16:34 · Score: 1
  
  This is a good approach, I believe yahoo were/are using this. The server includes a random challenge as part of the login page, and the client processes the challenge by continually performing md5 operations in javascript with the challenge until it finds a suitable match (see hashcash). The client must include the calculated "answer" as part of the login.
  This prevents a script from running across millions of accounts and also helps to prevent a DoS against the server itself and not just the accounts. It has issues with clients with javascript disabled or fast/slow PCs however.
  
  --
  I.O.U One Sig.
38. Re:Limit logins without DOS? by shird · 2009-01-08 16:43 · Score: 1
  
  You could also avoid the use of a challenge/response by combining with login delays. This way, first logins don't require a challenge/response (and therefore the don't require the use of javascript), but 2nd/3rd/4th attempts either require a 5/10/20 minute delay, or the delay can be bypassed by using a challenge/response.
  This way people without javascript can still login without problem. It just means victims of a DoS may have to use a javascript enabled client to get around any delay an attacker may have caused, which shouldn't be much of an issue. The worst DoS damage an attacker cause is forcing a user to use a javascript enabled client.
  
  --
  I.O.U One Sig.
39. Re:Limit logins without DOS? by TrickyPeach · 2009-01-08 23:11 · Score: 1
  
  Make the limit something a little higher then? What do you do when you only get x amount of tries?
  
  --
  Conformism is the new nonconformism.
40. Re:Limit logins without DOS? by mollymoo · 2009-01-09 02:58 · Score: 1
  
  Either give up and don't bother or do the password reset email thingy. Neither particularly endears the site to me.
  
  --
  Chernobyl 'not a wildlife haven' - BBC News
41. Re:Limit logins without DOS? by BarryJacobsen · 2009-01-09 03:44 · Score: 1
  
  Why ? Surely whatever we are talking about here allows multiple logins ? I can have gmail open on 2 PCs at once, I can login over SSH more than once.
  Of course there can be multiple logins, but if the delay is tied to the session or IP, do you really think the scripters/bots wouldn't just use a new session or try from a bunch of different IPs? That's exactly why botnets are useful - they're massively parallel. In order for the delay to be meaningful, it has to be tied to the account and as such an increasing delay would make it quite easy to "delay DOS" a user.
  
  --
  Track your TV Shows with your iPhone - FREE
42. Re:Limit logins without DOS? by Fulcrum+of+Evil · 2009-01-09 06:09 · Score: 1
  
  no, it's easy: configure the router to proxy to proxy all requests to the slashdot domain. Since the AJAX trick is strictly client side, it will present as consistent with the regular traffic. Slashadmins would need to grab a separate domain for their proxy poison.
  
  --
  "We returned the General to El Salvador, or maybe Guatemala, it's difficult to tell from 10,000 feet"
43. Re:Limit logins without DOS? by smoker2 · 2009-01-10 03:57 · Score: 1
  
  I don't agree. Tying a failed login attempt to the account is basically branding the account as bad. It's not the account that has problems it is the user who doesn't know the password. It doesn't matter if the botnet does spawn new sessions or switch IPs if they don't know the password. They will just run into the delay again. The legitimate user can log in at any stage because they know the correct password, and therefore do not enter a delaying loop. The only way you might run into trouble is if you share the same IP as the imposter. How likely is that ?
  
  Ever heard of threads ? The login script doesn't care who is trying to log in. It simply checks its tables to see if variable X is associated with variable Y. If not, they don't get in. In addition, if this is the 2nd or subsequent failed attempt from that IP, they don't get an answer for a gradually increasing time. This is the same script for ALL logins. You get the same delaying tactic if you get the username wrong too. All that matters is having X and Y together. When they do have the correct combination, then all the user specific stuff is fired up, by passing a variable to a separate script. It would be a waste of resources to do it any other way. The only way you could "delay DoS" anybody is by filling the pipes with requests which keeps you from accessing the login script at all, which is not a built in script delay at all, just a standard overloading of resources.
why is this news? by iron+spartan · 2009-01-08 05:51 · Score: 2, Insightful

Why should we care about this? Its not like someones SSN or Credit Card info was stolen. Stuff like this happens all the time.
If you want to defame someone, its a lot easier to just make some wild and unprovable claim on the right webs sites and let the internet do its thing.
1. Re:why is this news? by PoitNarf · 2009-01-08 06:18 · Score: 1
  
  We should care about this because this directly shows end users that many /. readers such as myself support exactly why a weak password such as "happiness" is an inherently bad thing.
  
  --
  
  "0101100101? It's just jibberish. *looks in mirror, gasps* 1010011010@!? AHHHHHH!!"
Re:You know who made minutiae funny and interestin by Anonymous Coward · 2009-01-08 05:56 · Score: 0

What's the deeeeeeaaaaaalllllllllllll with tweets?
Re:iam3prez by Anonymous Coward · 2009-01-08 06:00 · Score: 2, Informative

It wasn't Obama's account that got attacked. They attacked the account of a Twitter administrator, and then got access to the web-based control panel to reset Obama's password. Pretty lame that a) the admin had such a bad password and b) you can access the control panel from the public internet with the same login as your twitter account.
Re:iam3prez by AntiNazi · 2009-01-08 06:00 · Score: 1

RTFA.

I know it's /. so I'll give you the summary. He dictionaried a staff member and used the admin panel to reset passwords on the celeb/news accounts. The password strength of all accounts other than the staff member were irrelevant.
Comment removed by account_deleted · 2009-01-08 06:01 · Score: 5, Insightful

Comment removed based on user account deletion
Comment removed by account_deleted · 2009-01-08 06:02 · Score: 4, Informative

Comment removed based on user account deletion
Re:iam3prez by Mr.+Sketch · 2009-01-08 06:05 · Score: 3, Informative

Looks like you didn't actually read the article. The account of a twitter admin was hacked with a dictionary attack. That account was then used to reset the passwords for various other accounts (Fox News, Obama, Britney Spears, etc) to gain access to those accounts. The original passwords for those additional accounts were not obtained. Only one account (the twitter admin) was hacked, the rest just had their passwords reset.

--
Things you think are in the Constitution, but are not.
Comment removed by account_deleted · 2009-01-08 06:08 · Score: 4, Insightful

Comment removed based on user account deletion
biometrics by JeanBaptiste · 2009-01-08 06:15 · Score: 1

of course that opens a whole other can of worms, but it solves everything you've listed.
Best Result of Twitter Hack - new movies... by Jherek+Carnelian · 2009-01-08 06:23 · Score: 1

Because of the message from the hacked britney spears account, I found out about a cool indie horror flick - Teeth - found it online and enjoyed it for the quirky little story that it was.
1. Re:Best Result of Twitter Hack - new movies... by Anonymous Coward · 2009-01-08 06:34 · Score: 0
  
  That was one of the most terrible movies I've ever seen.
2. Re:Best Result of Twitter Hack - new movies... by Anonymous Coward · 2009-01-08 07:07 · Score: 0
  
  Agreed
The Britney Spears hack message by Anonymous Coward · 2009-01-08 06:23 · Score: 1, Funny

"HI Yall! Brit Brit here, just wanted to update you all on the size of my vagina. Its about 4 feet wide with razor sharp teeth."
Re:Compromise One Password, Compromise Them All by SighKoPath · 2009-01-08 06:27 · Score: 5, Informative

FTA:

GMZ doesn't know what the reset passwords were, because Twitter resets them randomly with a 12-character string of numbers and letters.
No passwords were compromised except for the admin account he used the dictionary attack on. So really, the GP's analysis of harm done is pretty accurate.
Re:Compromise One Password, Compromise Them All by Snorfalorpagus · 2009-01-08 06:28 · Score: 1, Informative

Do you know anyone who uses the same password for everything?
Do you think Britney Spears might be one of those people? What about the President-Elect?
Bad security practices glom together and eventually snowball. In this particular case, the harm was likely de minimus but do you think the individuals whose accounts have been compromised thought to go change their password at their bank, or their email, or whatever?
You don't (probably) use the same key for your house and your care and your safety deposit box, but on the internet that's what a lot, maybe most, people do. It's a bad security practice. And if you can discover someone's password on one site due to that site's bad security practices, the security of other, responsible sites is moot.
It should be noted that, for the most part, sites will encode the users password with a salt/hash of some form. From the article:

After resetting the password for the account, he gave the credentials to five people.
So, for this level of attack, using the same password isn't so much an issue. You'd need a more involved level of access to get the unencrypted password and do some *real* damage.
Comment removed by account_deleted · 2009-01-08 06:31 · Score: 4, Interesting

Comment removed based on user account deletion
Hacker Ethics? by ezwip · 2009-01-08 06:32 · Score: 1

It's a harmless attack.

--
"I guess I'm gonna fade into Bolivian."
Obama, a celebrity? by IronChef · 2009-01-08 06:39 · Score: 4, Funny

Somehow it is disturbing that the President-Elect is lumped in with Britney as a celebrity.
What is the level of discourse on Mr. Obama's twitter thing, anyway? I could look, I suppose, but it is more fun to imagine.
---
im in ur white house
secret service bitches following me everywhere. about 3 minutes ago from web
these pancakes are righteous! about 2 hours ago from airforce1r
are ufoz real? I am going to find out! about 4 hours ago from web
I think Hillary just cut the cheese LOLz about 8 hours ago from twitterrific
1. Re:Obama, a celebrity? by Anonymous Coward · 2009-01-08 06:44 · Score: 0
  
  Hahahaha. I L0L'd. Mod points to you sir.
2. Re:Obama, a celebrity? by mdm-adph · 2009-01-08 06:55 · Score: 1
  
  You sure that's not Bush's twitter you're imagining? It looks like what one would expect...
  
  --
  It is by my will alone my thoughts acquire motion; it is by the juice of the coffee bean that the thoughts acquire speed
3. Re:Obama, a celebrity? by Anonymous Coward · 2009-01-08 07:24 · Score: 1, Funny
  
  Nah, Bush can't type that fast.
4. Re:Obama, a celebrity? by Anonymous Coward · 2009-01-08 07:25 · Score: 0
  
  Hahahaha. I L0L'd. Mod points to you sir.
  You mean you L'd OL.
  OMG Grammar Nazi is on ur internets!!!
5. Re:Obama, a celebrity? by vvaduva · 2009-01-08 11:58 · Score: 1
  
  You sir are one funny cracker! :)
6. Re:Obama, a celebrity? by Fulcrum+of+Evil · 2009-01-08 14:14 · Score: 1
  
  At first I was like :-D, but then I serious'd.
  
  --
  "We returned the General to El Salvador, or maybe Guatemala, it's difficult to tell from 10,000 feet"
7. Re:Obama, a celebrity? by mattwarden · 2009-01-09 06:39 · Score: 1
  
  capital gains? nom nom nom about 4 hours ago from web
8. Re:Obama, a celebrity? by IronChef · 2009-01-09 07:36 · Score: 1
  
  I just LOL'd a little.
  And I can't believe that I got one flamebait mod on that comment... Lighten up, Francis!
Re:Compromise One Password, Compromise Them All by reashlin · 2009-01-08 06:41 · Score: 1

You just made me think then about "writing passwords on a post it" and actually how wonderfully secure a method it really is. Exempt from in a public place (at work say) a hacker has no way of getting your details but breaking in to your house. With the number of passwords I have I keep them in a password safe. Something that could be interfered with via the net. Possibly without me even noticing.
Easy... by msimm · 2009-01-08 06:43 · Score: 1

You don't. Instead you throttle login speed and monitor X multiple fails. You can also break-up the way the application responds to multiple failed attempts, you can redirect X failed logins to a help page or password reset page. Your only limited by your imagination, there is a lot you can do that won't really impact a human but will impact a script and quite differently.

--
Quack, quack.
Re:Compromise One Password, Compromise Them All by ByOhTek · 2009-01-08 06:47 · Score: 1

I do, and it's perfectly fine!
I mean who'd guess a password like "1FeelDumbEnteringThisPassword" anyway? I'm perfectly safe!

--
Self proclaimed typo king, and inventor of the bear destroying coffee table (patent not pending).
Re:Compromise One Password, Compromise Them All by mcgrew · 2009-01-08 06:49 · Score: 1

Using the same password for slashdot as your bank account would be stupid, yes, since nobody wants Cowboy Niel in his bank account, but I do reuse certain passwords.
My various email accounts have the same passwords as each other. My password for the dozens of newspapers I log on to is 111111, easy to remamber and what possible reason would I have for keeping it secret? That password is not for my benefit, it's for the newspaper's benefit, and is only an annoyance to me.
My slashdot password is unique, as is my network password at work.
I don't bank by mail and do as little online commerce as possible, because a tinfoil hat only goes so far.

--
Free Martian Whores!
Comment removed by account_deleted · 2009-01-08 06:53 · Score: 2, Interesting

Comment removed based on user account deletion
So why do you hate gay people? by SuperKendall · 2009-01-08 06:58 · Score: 1

I also dislike the Fox propaganda machine and especially Bill
Don't forget gay people! Your seething hatred of gay people comes out in treating "I am gay" as an insult. How many more frightened people still in the closet will be afraid to come out when it's demonstrated so clearly that "being gay is uncool".
Pretty lame all the way around. It speaks volumes about the attacker that the wittiest attack they could come up with was that.

--
"There is more worth loving than we have strength to love." - Brian Jay Stanley
1. Re:So why do you hate gay people? by Anonymous Coward · 2009-01-08 07:40 · Score: 2, Funny
  
  Don't forget lame people! Your seething hatred of lame people comes out in treating "pretty lame" as an insult. How many more frightened people still at home in a wheelchair will be afraid to come out when it's demonstrated so clearly that being "lame" is uncool.
2. Re:So why do you hate gay people? by Anonymous Coward · 2009-01-08 08:32 · Score: 0
  
  The post, although tactless, was supposed to be ironic, not simply gay bashing. O'Reilly is considered by many to be strongly against gay rights. Therefore, it's humorous to say he is gay. A little trite, but kind of funny.
3. Re:So why do you hate gay people? by dangitman · 2009-01-08 09:11 · Score: 1
  
  Don't forget gay people! Your seething hatred of gay people comes out in treating "I am gay" as an insult.
  
  You don't get it. It's not that being gay is bad, it's that people like O'Reilly see that as an insult, and they rant about gay people. It's all about the irony, not homophobia. Why do you think certain Republican politicians make such an effort to tell everybody they aren't gay? There was that one guy who even went on about being proud of his family history having "no divorces" and "no homosexuality".
  
  --
  ... and then they built the supercollider.
4. Re:So why do you hate gay people? by SuperKendall · 2009-01-08 09:23 · Score: 1
  
  You don't get it. It's not that being gay is bad, it's that people like O'Reilly see that as an insult
  O'Reilly doesn't see it as an insult, he doesn't care.
  Talk about not getting it, using such a phrase with the INTENT OF CAUSING DISTRESS lends further weight to the concept that being gay is bad. You should not promote that ideology in any context. Furthering the meaning for a term you do not wish to use does nothing but increase the power of it, however used.
  The britney spears one was much better, instead of using slang for "Vagina" is was just presently straightforwardly as an item of interest. Much better crafted without being really derogatory toward women in general. Also somewhat creative.
  
  --
  "There is more worth loving than we have strength to love." - Brian Jay Stanley
5. Re:So why do you hate gay people? by dangitman · 2009-01-08 09:50 · Score: 1
  
  O'Reilly doesn't see it as an insult, he doesn't care.
  Are you sure about that?
  
  Talk about not getting it, using such a phrase with the INTENT OF CAUSING DISTRESS lends further weight to the concept that being gay is bad. You should not promote that ideology in any context.
  
  Nonsense. Many gay people themselves get a rise by insinuating that a rigidly straight person is gay. Having it used for ironic humor is a way of "demilitarizing" the word. Remember, "gay" is a word that was reclaimed and repurposed by gay people, from being an insult into a positive thing. I think your attitude towards it will only maintain its power to offend. The only people who find it offensive to be called gay are homophobes.
  
  --
  ... and then they built the supercollider.
6. Re:So why do you hate gay people? by SuperKendall · 2009-01-08 10:05 · Score: 1
  
  Are you sure about that?
  Yes, most Republicans are actually pretty open minded. Even a lot of people who do not approve of gay marriage are very tolerant of alternate sexual orientations (like Obama for instance, who also stated he opposed gay marriage). What public statements has O'Reilly made that make you think he has anything against gay individuals in general?
  Nonsense. Many gay people themselves get a rise by insinuating that a rigidly straight person is gay
  Not my friends. But then they feel comfortable being gay and are not insecure as some may be I suppose...
  However, it doesn't matter what they think, what matters is the end effect of the action. To use the concept of being gay as an insult is as I said backwards motion for the cause of universal tolerance of a gay lifestyle, and it's a mistake to use it that way as it only furthers intolerance.
  
  --
  "There is more worth loving than we have strength to love." - Brian Jay Stanley
7. Re:So why do you hate gay people? by dangitman · 2009-01-08 15:39 · Score: 1
  
  Yes, most Republicans are actually pretty open minded. Even a lot of people who do not approve of gay marriage are very tolerant of alternate sexual orientations
  
  that's an oxymoron. Obviously, if you oppose gay marriage, then being gay does matter to you, otherwise why would you oppose it. And you musn't have been paying attention if you think the Republican Party is open-minded.
  
  What public statements has O'Reilly made that make you think he has anything against gay individuals in general?
  Seriously? Have you not ever listened to the man? One link from a 5-second Googling.
  
  Not my friends. But then they feel comfortable being gay and are not insecure as some may be I suppose...
  It doesn't have anything to do with insecurity, quite the opposite. If your friends use the word gay, then they are using a reclaimed epithet themselves. If calling O'Reilly gay as a joke is so offensive, then that indicates fragility and insecurity.
  
  However, it doesn't matter what they think, what matters is the end effect of the action. To use the concept of being gay as an insult is as I said backwards motion for the cause of universal tolerance of a gay lifestyle, and it's a mistake to use it that way as it only furthers intolerance.
  It all depends on the context and the intent. Clearly in this case, it's a lampooning of O'Reilly's homophobia and self-portrayal as America's straightest man. It's meant to insult O'Reilly and homophobes, not gay people.
  
  --
  ... and then they built the supercollider.
Re:Compromise One Password, Compromise Them All by Anonymous Coward · 2009-01-08 07:05 · Score: 2, Informative

Many credit card companies offer a one-time-use credit card number you can use for online purchases. I find it invaluable for online shopping.
Bill O'Reilly is gay? by Anonymous Coward · 2009-01-08 07:10 · Score: 0

That sure explains a LOT.
Re:Compromise One Password, Compromise Them All by mcgrew · 2009-01-08 07:21 · Score: 2, Interesting

You don't (probably) use the same key for your house and your care and your safety deposit box
No, but I wish I could. They're all on the same key ring, after all. If I lost my keys and whoever found them knew whose keys they were, I'd have to change all the locks anyway.
Another "bad security practice" I do is to keep my passwords written down. That's a no-no in the security field, but it's a stupid no-no. I keep them in my wallet, along with my security code for the building I work in, my money, debit card, and other valuables. Unlike money and cards, the passwords are easily disguised as building addresses (1234 Spring Street) or phone numbers (525-1234). Yeah, posting it on a post-it on the monitor is stupid, but keeping it written down with other valuables allows you a tougher to crack password, one a dictionary attack like the one used at Twitter is impossible. E.g., d5#6*;mtTMbp can't be remembered by anyone but a savant, but if it's written down it can't be forgotten.
You could also use the title of a book, write that down, and use every n character in the password. For example, Shrew 9 would be SBlatsle which is every ninth character (exclusing spaces) from the introduction to Wm Shakespeare's Taming Of The Shrew.

--
Free Martian Whores!
Re:Compromise One Password, Compromise Them All by everett · 2009-01-08 07:24 · Score: 2, Informative

Please RTFA before you post. Thank you. The accounts in question had their password reset to a random 12 character string that was then used to post fake tweets. Your comment is irrelevant.

--
Sig withheld to protect the innocent.
Tag this "fourfeetwide" and "razorsharpteeth" plz by Anonymous Coward · 2009-01-08 07:30 · Score: 0

That is all, I have nothing further to say.
gtfo. by Anonymous Coward · 2009-01-08 07:30 · Score: 0

Get over it already, Twitter had accounts bruteforce, its not like he hacked the pentagon.
Re:Compromise One Password, Compromise Them All by FredFredrickson · 2009-01-08 07:32 · Score: 2, Informative

Paypal has secure cards too now for free, just install the paypal plugin. I use single use mastercard numbers for all my online purchasing. Especially nice for porn sites, so you don't have to worry about random charges.

--
Belief? Hope? Preference?The Existential Vortex
Attention: Hacker by Anonymous Coward · 2009-01-08 07:44 · Score: 0

Now that you've gone through Twitter, can you please go do something to GameFAQs that will make the administrator, SBAllen, tighten up user security? It would be much appreciated after the strings of accounts that were broken into in 2008. There wasn't just one set of accounts being hijacked, but more like several sets of accounts that were hijacked over the year.
I'm pretty sure it wouldn't be much harder than Twitter. Even though the field says "email", you can log in with usernames, too. And then from there, it's just finding the passwords, and GameFAQs allows far too many login attempts just like Twitter does.
If you could have such a large impact that SBAllen actually does something to make users' accounts more secure, a lot of users would be very grateful.
Thank you.
--Some GameFAQs user
Comment removed by account_deleted · 2009-01-08 07:48 · Score: 1

Comment removed based on user account deletion
Non-profit required by bill_mcgonigle · 2009-01-08 08:02 · Score: 1

The harm he's possibly caused by my lack of being a good samaritan (a dead battery) is far less than the harm that could be caused by me if he or a policeman happened by as I was opening the door and mistook me for a thief.
Somebody please start a non-profit legal defense fund to help fight these abuses. It'll better society when a prosecutor doesn't stand a good chance of getting news coverage for prosecuting somebody who pulls a person from a burning car.

--
My God, it's Full of Source!
OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
Assumptions by bill_mcgonigle · 2009-01-08 08:06 · Score: 2, Insightful

Is it any different than finding an unlocked car in the parking lot and opening the door, pushing the door lock, closing the door, and continuing on your merry way?
That's a great analogy. How do you know the owner hasn't left his keys under the seat? Security through obscurity is the best strategy for low-value assets.

--
My God, it's Full of Source!
OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
Re:Compromise One Password, Compromise Them All by Anonymous Coward · 2009-01-08 08:21 · Score: 0

The point is valid, but the ZDnet article points out that the passwords were reset to a random string of letters and numbers.
So in this instance, their passwords weren't exposed.
Re:Compromise One Password, Compromise Them All by Lumpy · 2009-01-08 08:29 · Score: 1

I do have the same key on all my doors at the house and the mailbox, back gate, garage, shed. That same key also works for my mothers home so I only need 1 key to cover two homes and all areas in those homes. I also had my bike locks all changed to use the same key. as well as my motorcycle was re-keyed so one ket unlocks everything.
Having a different key does nothing. A determined thief will get past everything.
Locks are there to keep crackheads and punk kids out of your stuff.

--
Do not look at laser with remaining good eye.
Re:Compromise One Password, Compromise Them All by Anonymous Coward · 2009-01-08 09:29 · Score: 0

Another "bad security practice" I do is to keep my passwords written down. That's a no-no in the security field, but it's a stupid no-no. I keep them in my wallet, along with my security code for the building I work in, my money, debit card, and other valuables. Unlike money and cards, the passwords are easily disguised as building addresses (1234 Spring Street) or phone numbers (525-1234).

\
Bruce Schneier has also stated that he keeps his passwords written down and stored in his wallet.
Re:Compromise One Password, Compromise Them All by MegaFur · 2009-01-08 09:47 · Score: 2, Insightful

Yes, in general, if you compromise one password, you might be compromising them all. In this specific case however, the "hacker" in question never got the passwords himself. He got the password-reset tool to help out a user who has forgotten their password. So that's one happy out of the whole thing--there was a good security practice there that actual passwords are a little harder to get at than that.

--
Furry cows moo and decompress.
Re:Compromise One Password, Compromise Them All by JWSmythe · 2009-01-08 09:51 · Score: 2, Insightful

Locks are for honest people.
If I wanted your motorcycle, I'd bring a couple friends, and throw it in the back of a pickup truck, to be rekeyed later.
If I wanted into your house, I'd kick in the door, or go through a window.
If I wanted into your shed, I'd put a pry bar through the padlock and twist.
It's a good thing I don't want these things. :)
Really, I've helped people get around things they've locked accidentally.
One was a door with a "security" lock (one extra pin). They closed it, and couldn't reopen it, because no one had the key. That took me 5 minutes with a lockpick set.
Once the CEO of a company I worked for needed a document on his desk. He was very insistent he needed it immediately. We told him the door was locked, and he had the only key. We then asked for permission to get in by alternative means. His only response was "don't break anything" I had one of the guys stand on a chair and lift a drop ceiling panel out, so he could climb over the wall. It took about 45 seconds.
We had a a life or death emergency at my house, and someone was in the locked room. The fastest method was required to open the door. A swift kick just beside the doorknob, and the door opened, without me missing a step running into the room.
I don't know how many times when I was a kid, someone would get home before their parents, and couldn't get into their own house because they forgot their keys. I'd usually be in, in less than 5 minutes. There's always a window or door that isn't locked, or doesn't latch well.
The same applies here. You have 100 employees with access to do something (like in this case play with twitter accounts). If every one of them isn't secured well (good passwords, good password protection policies, good security measures) it doesn't matter how great one is, someone will walk in through the easier method.
I was moving some servers, and no one knew the password to one of them. I couldn't log in to set the new IP. I asked politely, and then rebooted into single user to change it. I didn't need the password, I had physical access.

--
Serious? Seriousness is well above my pay grade.
slashdot troll is incompetent by Anonymous Coward · 2009-01-08 09:52 · Score: 0

They didn't use an exploit, you cunt.
Off topic but important by techprophet · 2009-01-08 09:58 · Score: 1, Interesting

You all need to ban the IP that keeps posting these. This has been on two stories in the past two days (this being the 2nd). These are vulgar profanities that should offend all people of every color and creed by their racism. I hope the guy who posted these doesn't have any mod points soon because if he does I'm hosed.
1. Re:Off topic but important by KovaaK · 2009-01-09 04:44 · Score: 1
  
  If you ban the IP, they will just start using anonymous proxies. Slashdot's moderation system isn't that bad for dealing with trolls.
  I recently had the thought that AC's should be prohibited from posting in a new article for an hour or so (sort of in the same way that subscribers have access to articles before regular users do) so that their troll comments are less likely to be near the top of the discussion... any thoughts on that?
2. Re:Off topic but important by techprophet · 2009-01-09 06:17 · Score: 1
  
  That might work, but then they could just create a new account every time, which brings us back to the initial problem. Isn't the internet wonderful? The only problem that can't be solved (permanently) is keeping people out!
Re:Compromise One Password, Compromise Them All by Chrono11901 · 2009-01-08 12:04 · Score: 3, Insightful

wait wait wait... you're on slashdot... news for nerds... and you pay for porn?!
Please hand over your geek card on the way out.
Anyone else notice this? by DontPanic6x9 · 2009-01-08 13:35 · Score: 1

I love how he said, "celebrities such as Britney Spears and Barack Obama". Doesn't that just bring you back to the days of the McCain campaign calling Barack a celebrity like Paris Hilton?
Re:Compromise One Password, Compromise Them All by Anonymous Coward · 2009-01-08 18:04 · Score: 0

best comment so far
Re:Compromise One Password, Compromise Them All by Anonymous Coward · 2009-01-08 20:04 · Score: 0

Any passwords could be compromised including the admin account using the dictionary attack. So really, the GPs analysis of potential harm is pretty accurate.
Re:Compromise One Password, Compromise Them All by Nazlfrag · 2009-01-08 20:05 · Score: 1

The successful dictionary attack gave the hacker the unencrypted password. Encoding wouldn't help at all in this case.
Re:Compromise One Password, Compromise Them All by Anonymous Coward · 2009-01-08 21:49 · Score: 0

What a coincidence! My password is 'unique' too!
Comment removed by account_deleted · 2009-01-09 00:10 · Score: 1

Comment removed based on user account deletion
Re:Compromise One Password, Compromise Them All by FredFredrickson · 2009-01-09 02:30 · Score: 1

Regularly, no. But one time I wanted to test a secure card, so I tried one of those "$1 trials" and realized quickly trial means "no access." Then I canceled the card, and never heard from them again.

But you're right, I'm not sure what I was thinking that night.

--
Belief? Hope? Preference?The Existential Vortex
Re:YTCracker tag by Malevolyn · 2009-01-09 03:59 · Score: 1

STC is the greatest!

--
Your ad here.
Re:Compromise One Password, Compromise Them All by Lumpy · 2009-01-09 04:14 · Score: 1

If I wanted your motorcycle, I'd bring a couple friends, and throw it in the back of a pickup truck, to be rekeyed later.
nope :) 900 pound bike. you and 4 of your friends aint' getting it "thrown in the back of a truck" nothing beat's a thief than making it so damn heavy he cant transport it.
That's why safes work.

--
Do not look at laser with remaining good eye.
Re:Compromise One Password, Compromise Them All by ShannaraFan · 2009-01-09 06:03 · Score: 1

*I* use the same password for everything, thanks for telling everyone, you insensitive clod!
Re:YTCracker tag by slummy · 2009-01-09 06:13 · Score: 1

Pushin' and poppin' X Server knockin' Systematic file lockin
Re:Different Questions by everett · 2009-01-09 07:41 · Score: 1

You're an idiot if you think that the celebrities in question are the people who actually post content to these pages. I assure you president-elect Barack Obama is far too busy to be running his own twitter feed. Most likely he has a PR agent who is doing it for him, therefore it is reasonable to assume that the password that could be compromised would not be the president-elects, but that of said PR rep. This is a non issue.

--
Sig withheld to protect the innocent.
Re:Compromise One Password, Compromise Them All by JWSmythe · 2009-01-10 14:49 · Score: 1

It depends on the friends. I know I've tossed (not so gracefully) a relatively bare smallblock chevy engine (approx 180 lbs) into the back of a van by myself. Now that I'm older, I prefer to have help. :)
4 and tossing it in the truck was just an example. Two people and a ramp would definitely be able to load it.

--
Serious? Seriousness is well above my pay grade.