Attention IJDb members

Colin E.

Apr 1, 2012, 1:19:56 AM
The IJDb is a great portal for rec.juggling and I have enjoyed using it.
However, it is riddled with security holes. I noticed this about a year
ago. There is absolutely no protection against SQL injections. Last year,
I managed to rip the emails and password hashes from the database. Why?
Because I wanted to try an SQL injection. I'm young and I found a
tutorial on the internet and I wanted to try it. About a month later,
Colin noticed that the site was hacked and posted a notice and an apology.
However, he only told you that your emails were harvested. He did not
tell you that your passwords were also taken. There is no reason why he
should have believed the passwords were secure if the emails weren't. They
are both on the same database. The passwords are hashed but the hashing
algorithm used is outdated, making dehashing a piece of cake. So I feel
it was irresponsible of him to not inform you of the possibility that your
passwords were compromised.

During that time, there was discussion of what was going to happen to the IJDb
and what could replace it if it were to shut down. I did not say anything
because I didn't want to cause a panic before a solution was agreed upon.
But almost a year later, nothing has changed. Most of you are still using
a website with no protection against nooby hackers like me. I should have
said something much, much sooner.

I'm not going to lie and say I didn't do anything with the passwords I
obtained. I am a mischievous person. Many people use the same password for
everything. I have read emails, infiltrated other sites, and logged into
YouTube, Amazon, and various other accounts. But other than seriously
invading your privacy, I haven't done any real damage. However, who knows
who else might have taken your information? The IJDb has been around for
quite a while and the code has probably been just as vulnerable as it is
today.

So in short: If you use your IJDb password for other sites, immediately
change all your passwords.

The IJDb is still usable but until some protection is added you should not
expect your password to be secure. Use a unique password for this site. Or
use Google's newsgroup interface instead. However, it may be a good time
to stray away from Usenet and switch to something more modern.

-Not Colin E.

--
----== posted via www.jugglingdb.com ==----

EmmetLouis

Apr 1, 2012, 6:24:05 AM
Not sure if genuine or April fool's.

Either way I use different passwords for everywhere

Marlon

Apr 1, 2012, 9:35:12 AM
EmmetLouis wrote:
>
> Not sure if genuine or April fool's.
>
> Either way I use different passwords for everywhere
>

Not cool, you shouldn't have pointed this out until tomorrow.