Results 326 to 350 of 537
Thread: Recent WHT down time
-
03-24-2009, 07:28 AM #326Web Hosting Master
- Join Date
- Sep 2006
- Location
- Cardiff - United Kingdom
- Posts
- 1,569
Yeah you're right - Harzem is basically saying "Please come and hack me". I give it 30 hours' CPU time needed to get the plain text of his password. And 2 hours' CPU time to find a collision which can be used to login to his WHT account here.
Seriously guys, this is a security threat. Despite the first post, vBulletin *does not* use a "highly complex" hashing algorithm. MD5 was broken in 2005, it's weak (why vBulletin use it is beyond me) - relatively weak even with the salt. Change your passwords!
-
03-24-2009, 07:46 AM #327Newbie
- Join Date
- Oct 2005
- Posts
- 21
It's true that MD5 isn't collision proof. However, that doesn't affect the ability to brute force a password. Salted and MD5 hashed passwords aren't feasibly reversed. It's still the de facto standard for password security.
If you're still concerned, change your passwords.
█ Novawave Inc.
█ Nathan Lapierre | Director
-
03-24-2009, 07:50 AM #328Web Hosting Master
- Join Date
- Sep 2006
- Location
- Cardiff - United Kingdom
- Posts
- 1,569
I now prefer SHA1, although even its predecessor has been broken. And I agree that the salt does mean that it can't easily be reversed, however that isn't what's needed.
If someone on WHT doesn't change their password, all you need to do is find a collision and you can login with that. And a collision can now be found (on average) in 2 hours' CPU time (8 hours on a 1.6GHz single proc/core CPU).
That's how the hacker yesterday was posting on someone else's account (a premium member's account with 1000+ posts, in fact). He simply found a collision and logged in using it.
It isn't a case of changing your password if you can be bothered. It's a case that your WHT account can now easily be compromised using the old password. I agree that reverse engineering it into the plain text isn't too easy, but that really isn't the issue here.
Last edited by Tristan Perry; 03-24-2009 at 07:56 AM.
-
03-24-2009, 07:50 AM #329Disabled
- Join Date
- Sep 2004
- Location
- 20 00 N, 77 00 E
- Posts
- 51
I believe iNET has more blame to bear since it's their developers/administrators who make the updates/changes to the code/server settings to include more features, and hence should know the systems like the back of their hand, and it's highly unlikely for a Rackspace admin to administer the server effectively without knowing the details.
Moreover, the dev team should constantly work in sync with their security/administrative team to ensure that the systems are thoroughly tested... and as the saying goes, security is not a one-time thing... but a way of life (for the developers/administrators/security specialists).
I didn't excuse them, I said they're both to blame.
-
03-24-2009, 07:55 AM #330Newbie
- Join Date
- Dec 2006
- Location
- Hull, East Yorkshire (UK)
- Posts
- 18
Rudi Visser, Senior Developer
Mage UK Ltd - Website Design and Development, Corporate Software/Web Development Outsourcing, Online Payment Specialists.
-
03-24-2009, 07:58 AM #331Web Hosting Master
- Join Date
- Mar 2009
- Posts
- 3,816
-
03-24-2009, 08:07 AM #332Web Hosting Master
- Join Date
- Feb 2006
- Location
- Kusadasi, Turkey
- Posts
- 3,379
Then come and hack me
MD5 is broken ONLY with a known input, I mean if you KNOW my password, you can find another one with the same MD5 result. If you don't know the input, you are out of luck.
I'm an encryption expert, I have academically studied several encryption methods, hashing algorithms, RSA systems, collision and other types of attacks: I even devised a few encryption and hashing algorithms myself.
And believe me, in terms of storing passwords, md5 is perfectly secure for now. This is why I can bravely show my password hash publicly, as well as the salt.
However md5 is weak for authentication tests, I mean if you want to verify the origin of a message, and if you suspect a third party has the source, then they might have created another message with the same md5 result. But for passwords, if the third party knows the password, then they have nothing to break.
█ Fraud Record - Stop Fraud Clients, Report Abusive Customers.
█ Combine your efforts to fight misbehaving clients.
█ HarzemDesign - Highest quality, well designed and carefully coded hosting designs. Not cheap though.
█ Large and awesome portfolio, just visit and see!
-
03-24-2009, 08:09 AM #333Newbie
- Join Date
- Dec 2006
- Location
- Hull, East Yorkshire (UK)
- Posts
- 18
Rudi Visser, Senior Developer
Mage UK Ltd - Website Design and Development, Corporate Software/Web Development Outsourcing, Online Payment Specialists.
-
03-24-2009, 08:10 AM #334Web Hosting Master
- Join Date
- Feb 2006
- Location
- Kusadasi, Turkey
- Posts
- 3,379
█ Fraud Record - Stop Fraud Clients, Report Abusive Customers.
█ Combine your efforts to fight misbehaving clients.
█ HarzemDesign - Highest quality, well designed and carefully coded hosting designs. Not cheap though.
█ Large and awesome portfolio, just visit and see!
-
03-24-2009, 08:18 AM #335Web Hosting Master
- Join Date
- Apr 2004
- Location
- UK
- Posts
- 1,334
-
03-24-2009, 08:19 AM #336Web Hosting Master
- Join Date
- Feb 2006
- Location
- Kusadasi, Turkey
- Posts
- 3,379
█ Fraud Record - Stop Fraud Clients, Report Abusive Customers.
█ Combine your efforts to fight misbehaving clients.
█ HarzemDesign - Highest quality, well designed and carefully coded hosting designs. Not cheap though.
█ Large and awesome portfolio, just visit and see!
-
03-24-2009, 08:21 AM #337Web Hosting Master
- Join Date
- Apr 2004
- Location
- UK
- Posts
- 1,334
» Kayako customer service software and live chat software- your customers deserve better than helpdesk
-
03-24-2009, 08:24 AM #338Web Hosting Master
- Join Date
- Sep 2006
- Location
- Cardiff - United Kingdom
- Posts
- 1,569
Okay then. So what is the MD5 hash of:
d131dd02c5e6eec4693d9a0698aff95c
2fcab58712467eab4004583eb8fb7f89
55ad340609f4b30283e488832571415a
085125e8f7cdc99fd91dbdf280373c5b
d8823e3156348f5bae6dacd436c919c6
dd53e2b487da03fd02396306d248cda0
e99f33420f577ee8ce54b67080a80d1e
c69821bcb6a8839396f9652b6ff72a70
and
d131dd02c5e6eec4693d9a0698aff95c
2fcab50712467eab4004583eb8fb7f89
55ad340609f4b30283e4888325f1415a
085125e8f7cdc99fd91dbd7280373c5b
d8823e3156348f5bae6dacd436c919c6
dd53e23487da03fd02396306d248cda0
e99f33420f577ee8ce54b67080280d1e
c69821bcb6a8839396f965ab6ff72a70
To me it seems that they both lead to exactly the same MD5 hash, right?
Meaning there is more than one way to get to your password hash (with the salt) - hence once this collision is found your WHT account can be compromised without knowing your main password.
If I'm wrong here I'd like to know where
I said that *MD5* is weak. It's weaker than other hashing algorithms that haven't yet been broken (for example SHA1)
And so, whilst MD5 hashing with a salt is fairly strong, it's still relatively weaker than other hashing algorithms (that haven't yet been broken) with a salt.
-
03-24-2009, 08:26 AM #339Web Hosting Master
- Join Date
- Feb 2006
- Location
- Kusadasi, Turkey
- Posts
- 3,379
You are proving my point.
They have the same hash, because the designer had access to one of the SOURCEs, and designed the other accordingly.
That's what I've been talking about since the beginning. You have to KNOW the password to devise another password that produces the same md5 hash. But since in the WHT case the attacker doesn't know the source password, he cannot create another with the same md5 hash.
█ Fraud Record - Stop Fraud Clients, Report Abusive Customers.
█ Combine your efforts to fight misbehaving clients.
█ HarzemDesign - Highest quality, well designed and carefully coded hosting designs. Not cheap though.
█ Large and awesome portfolio, just visit and see!
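An added example, not code from either poster, that checks the two messages Tristan quoted in #338 against the point Harzem makes in #339. It uses Python's hashlib and the vBulletin 3 storage format md5(md5(password) + salt), with the inner digest as ASCII hex; the salt "Ab9" and the password "hunter2" are made-up sample values:

```python
import hashlib

# The two 128-byte messages quoted in #338 (the Wang et al. 2004 pair), each eight 16-byte rows joined.
M1 = bytes.fromhex(
    "d131dd02c5e6eec4693d9a0698aff95c2fcab58712467eab4004583eb8fb7f89"
    "55ad340609f4b30283e488832571415a085125e8f7cdc99fd91dbdf280373c5b"
    "d8823e3156348f5bae6dacd436c919c6dd53e2b487da03fd02396306d248cda0"
    "e99f33420f577ee8ce54b67080a80d1ec69821bcb6a8839396f9652b6ff72a70"
)
M2 = bytes.fromhex(
    "d131dd02c5e6eec4693d9a0698aff95c2fcab50712467eab4004583eb8fb7f89"
    "55ad340609f4b30283e4888325f1415a085125e8f7cdc99fd91dbd7280373c5b"
    "d8823e3156348f5bae6dacd436c919c6dd53e23487da03fd02396306d248cda0"
    "e99f33420f577ee8ce54b67080280d1ec69821bcb6a8839396f965ab6ff72a70"
)


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def differing_offsets(a: bytes, b: bytes) -> list:
    """Byte positions where the two messages differ (six single-bit flips)."""
    return [i for i, (x, y) in enumerate(zip(a, b)) if x != y]


def collides_after_suffix(suffix: bytes) -> bool:
    """Both messages are exactly two 64-byte MD5 blocks, so the internal chaining
    state is identical after them and any common suffix (an appended salt, say)
    keeps the collision."""
    return md5_hex(M1 + suffix) == md5_hex(M2 + suffix)


def collides_after_prefix(prefix: bytes) -> bool:
    """A prefix changes the chaining value the differential was built for, so
    the collision is lost."""
    return md5_hex(prefix + M1) == md5_hex(prefix + M2)


def vb_hash(password: bytes, salt: bytes) -> str:
    """vBulletin 3 storage format: md5(md5(password) + salt), inner digest as ASCII hex."""
    inner = md5_hex(password).encode("ascii")
    return md5_hex(inner + salt)


def collision_pair_logs_in(stored: str, salt: bytes) -> bool:
    """Would submitting either colliding message as the password match a stored
    hash for some *other* password?  The pair collides only with itself; matching
    a given hash would need a second-preimage attack, which MD5 does not have."""
    return vb_hash(M1, salt) == stored or vb_hash(M2, salt) == stored


if __name__ == "__main__":
    salt = b"Ab9"                      # made-up 3-character salt
    stored = vb_hash(b"hunter2", salt)  # made-up victim password
    print("md5(M1) =", md5_hex(M1))
    print("md5(M2) =", md5_hex(M2))
    print("differ at bytes", differing_offsets(M1, M2))
    print("suffix keeps collision:", collides_after_suffix(salt))
    print("prefix keeps collision:", collides_after_prefix(salt))
    print("either block logs in as hunter2:", collision_pair_logs_in(stored, salt))
```

Running it shows the two messages share the MD5 79054025255fb1a26e4bc422aef54eb4, that the collision survives a common appended suffix but not a prepended one, and that neither message matches a stored hash derived from a different password. The two blocks do produce the same vBulletin hash as each other under any salt, which is Tristan's observation, but that only matters if one of them already is the victim's password, which is Harzem's. Going from a known hash to a different input that produces it is a second-preimage problem, and the only known route for MD5 is guessing.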
-
03-24-2009, 08:26 AM #340Retired Moderator
- Join Date
- Mar 2004
- Location
- Singapore
- Posts
- 6,990
-
03-24-2009, 08:27 AM #341Web Hosting Master
- Join Date
- Apr 2004
- Location
- UK
- Posts
- 1,334
The only similarity they may share is that Mr. X who worked on MD5 also worked on encryption algorithms. I am not sure what "principals" the two concepts share. They serve two entirely different purposes. Hashing algorithms such as MD5, by their very nature, are not reversible. The data is not recoverable from the resulting hash - the data is worthless. The hint is in the name - messages are digested.
Encryption, on the other hand, is designed to preserve the integrity of data. The algorithm that encrypts data can decrypt the data (or a complementary algorithm can do so), preserving its integrity in its entirety.
There is a distinct difference between hashing (fingerprinting) and encryption. The two concepts are worlds apart.
Anyway, it looks like we are drifting off topic.
» Kayako customer service software and live chat software- your customers deserve better than helpdesk
-
03-24-2009, 08:27 AM #342Aspiring Evangelist
- Join Date
- Apr 2004
- Location
- USA
- Posts
- 445
That sums it up very well.
I'm not too worried about losing posts. I never had many intelligent thoughts anyhow. Mostly I come here looking for help. I don't know enough to give any help.
I'm not too worried about my password being stolen, either. I'm smart enough to use a different password for everything.
►►►Come join us at A Fun FRIENDLY Christian Forum◄◄◄
-
03-24-2009, 08:29 AM #343Web Hosting Master
- Join Date
- Jul 2004
- Posts
- 2,360
I've an online business and I am not an I.T. expert, and Rackspace market their business to people like us: "leave all the I.T. jobs to them". Now, whether they can do what they promise is another thing. At their price, I would assume they have an administrator for a couple of machines.
-
03-24-2009, 08:39 AM #344Web Hosting Master
- Join Date
- Feb 2006
- Location
- Kusadasi, Turkey
- Posts
- 3,379
I know all the differences between encryption and hashing, but thanks for enlightening those who don't
One doesn't have to write journals to know something. I don't know why you and some others are determined not to believe me. If you don't believe me, please post your own facts about how an MD5 hash can be reverse engineered other than by plain pure brute force attack.
Please read http://www.cryptography.com/cnews/hash.html and several others before commenting on how a collision vulnerability will reveal our passwords, I'm eager to see what you have to say.
And I don't know why people are assuming that I'm lying when I say "I know how hashing works and we are still safe."
█ Fraud Record - Stop Fraud Clients, Report Abusive Customers.
█ Combine your efforts to fight misbehaving clients.
█ HarzemDesign - Highest quality, well designed and carefully coded hosting designs. Not cheap though.
█ Large and awesome portfolio, just visit and see!
-
03-24-2009, 08:40 AM #345Web Hosting Master
- Join Date
- Sep 2006
- Location
- Cardiff - United Kingdom
- Posts
- 1,569
Thanks for the information Harzem, my logic must have been wrong
I still don't feel secure with it out there, hence why I buffed up my security yesterday, although it's nice to know it's less of a risk than I had originally thought.
-
03-24-2009, 08:41 AM #346Web Hosting Master
- Join Date
- Feb 2006
- Location
- Kusadasi, Turkey
- Posts
- 3,379
By the way, any experienced guy can create a hashing algorithm using an encryption algorithm, and anyone can create an encryption algorithm using a hashing algorithm. They are NOT such different topics.
█ Fraud Record - Stop Fraud Clients, Report Abusive Customers.
█ Combine your efforts to fight misbehaving clients.
█ HarzemDesign - Highest quality, well designed and carefully coded hosting designs. Not cheap though.
█ Large and awesome portfolio, just visit and see!
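Harzem's remark that each primitive can be built from the other describes standard constructions. Below is an added Python illustration of both directions; it is not Harzem's code and the cipher is a teaching toy, not something to deploy. The 8-round Feistel network, the 128-bit block and the all-zero IV are arbitrary choices for the example. The cipher's round function is SHA-256 (a cipher from a hash), and the hash is then built from that cipher with the Davies-Meyer construction H_i = E_{m_i}(H_{i-1}) XOR H_{i-1}, where each message block is used as the cipher key (a hash from a cipher):

```python
import hashlib
import struct

BLOCK = 16          # toy 128-bit block (bytes); arbitrary for this example
HALF = BLOCK // 2
ROUNDS = 8          # arbitrary round count for the toy Feistel network


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round(key: bytes, r: int, half: bytes) -> bytes:
    """Keyed round function derived from SHA-256: the 'cipher from a hash' direction."""
    return hashlib.sha256(key + bytes([r]) + half).digest()[:HALF]


def feistel_encrypt(key: bytes, block: bytes) -> bytes:
    """One-block encryption: L, R -> R, L xor F(key, r, R) for each round."""
    assert len(block) == BLOCK
    L, R = block[:HALF], block[HALF:]
    for r in range(ROUNDS):
        L, R = R, _xor(L, _round(key, r, R))
    return L + R


def feistel_decrypt(key: bytes, block: bytes) -> bytes:
    """Inverse of feistel_encrypt: run the rounds backwards; F itself is never inverted."""
    assert len(block) == BLOCK
    L, R = block[:HALF], block[HALF:]
    for r in reversed(range(ROUNDS)):
        L, R = _xor(R, _round(key, r, L)), L
    return L + R


def _pad(msg: bytes) -> bytes:
    """Merkle-Damgard strengthening: 0x80, zeros, then the 64-bit message length."""
    length = struct.pack(">Q", len(msg))
    padded = msg + b"\x80"
    padded += b"\x00" * ((BLOCK - 8 - len(padded)) % BLOCK)
    return padded + length


def davies_meyer_hash(msg: bytes) -> bytes:
    """Hash from a block cipher: H_i = E_{m_i}(H_{i-1}) xor H_{i-1}, message blocks as keys.
    The feed-forward xor is what makes each step one-way even though E is invertible."""
    h = b"\x00" * BLOCK   # fixed IV; the all-zero value is an arbitrary choice here
    padded = _pad(msg)
    for i in range(0, len(padded), BLOCK):
        m = padded[i:i + BLOCK]
        h = _xor(feistel_encrypt(m, h), h)
    return h


if __name__ == "__main__":
    key = b"sixteen byte key"
    pt = b"0123456789abcdef"
    ct = feistel_encrypt(key, pt)
    print("round trip ok:", feistel_decrypt(key, ct) == pt)
    print("H(abc) =", davies_meyer_hash(b"abc").hex())
    print("H(abd) =", davies_meyer_hash(b"abd").hex())
```

The Feistel structure is what lets a non-invertible round function yield an invertible cipher, and Davies-Meyer's feed-forward is what turns an invertible cipher back into a one-way compression function; the same two ideas, with AES or SHA-2 as the building block, appear in real designs.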
-
03-24-2009, 08:43 AM #347Web Hosting Master
- Join Date
- Jun 2003
- Location
- Tampa FL
- Posts
- 2,380
so its a done deal they are sticking with this backup?
Ceridius Networks Sales
Email/MSN sales@ceridius.com
Ceridius Networks - Reseller of Hivelocity Hosting
Network Speed Test
-
03-24-2009, 08:43 AM #348Web Hosting Master
- Join Date
- Apr 2004
- Location
- UK
- Posts
- 1,334
-
03-24-2009, 08:47 AM #349Web Hosting Guru
- Join Date
- Oct 2004
- Location
- Oakville, ON
- Posts
- 263
Okay,... So I noticed that every day I have to change my password... Is this something caused by the hack or is this a security thing that's just bugged?
If I don't change the password I can't access the board.
Just to be like the rest... hehe Lost 80 posts.
-
03-24-2009, 08:49 AM #350Web Hosting Master
- Join Date
- Jul 2008
- Posts
- 972
Harzem; if MD5 has been 'cracked' then your password is not secure. I could stuff together a basic program that brute forced your password, sure it'd take some time, but it's entirely possible. Ignoring that fact is silly. I don't believe you've not changed your password anyway, this is all for show.
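An added example, not code from anyone in the thread, of the brute force the last post refers to, run against the vBulletin 3 format md5(md5(password) + salt). The salt "x7Q", the password "secret1" and the six-entry wordlist are constructed for the example:

```python
import hashlib
import itertools
from typing import Iterable, Optional, Tuple

LOWER = "abcdefghijklmnopqrstuvwxyz"


def vb_hash(password: str, salt: str) -> str:
    """vBulletin 3 storage format: md5(md5(password) + salt)."""
    inner = hashlib.md5(password.encode()).hexdigest()
    return hashlib.md5((inner + salt).encode()).hexdigest()


# Constructed sample row, as it would sit in a leaked user table; salt and password are made up.
SALT = "x7Q"
STORED = vb_hash("secret1", SALT)

# Constructed wordlist; a real run would use a large list plus mangling rules.
WORDLIST = ["password", "123456", "letmein", "secret", "secret1", "qwerty"]


def dictionary_attack(stored: str, salt: str, words: Iterable[str]) -> Optional[str]:
    """The salt sits next to the hash in the table, so it is simply fed into every guess."""
    for w in words:
        if vb_hash(w, salt) == stored:
            return w
    return None


def brute_force(stored: str, salt: str, alphabet: str, max_len: int) -> Tuple[Optional[str], int]:
    """Exhaustive search in length order; returns the password and the number of guesses made."""
    tried = 0
    for n in range(1, max_len + 1):
        for chars in itertools.product(alphabet, repeat=n):
            tried += 1
            cand = "".join(chars)
            if vb_hash(cand, salt) == stored:
                return cand, tried
    return None, tried


def keyspace(alphabet_size: int, max_len: int) -> int:
    """Guesses needed to exhaust every password up to max_len.  The salt does not
    change this number; it only stops a table precomputed for one salt (or for
    unsalted md5) from being reused against another account."""
    return sum(alphabet_size ** n for n in range(1, max_len + 1))


if __name__ == "__main__":
    print("wordlist hit:", dictionary_attack(STORED, SALT, WORDLIST))
    pw, guesses = brute_force(vb_hash("zz", SALT), SALT, LOWER, 3)
    print("brute force found", pw, "after", guesses, "guesses")
    print("lowercase up to 8 chars:", keyspace(26, 8), "guesses")
    print("95 printable up to 8 chars:", keyspace(95, 8), "guesses")
```

Two MD5 calls per guess is the whole cost, so a 2009 CPU already did millions of these per second; the salt makes no difference to that rate, which is why a short or dictionary password falls regardless of it. Only a long, unguessable password keeps such a hash out of reach.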