ErikH2000
Level: Legendary Smitemaster

Rank Points: 2796
Registered: 02-04-2003
IP: Logged

Unfortunately, someone hacked into our server and gained access to different things. The hosting provider had one of their servers broken into as well, and it is possible that the hacker used information gleaned from this previous attack. I don't want to say much about the hacker's methods and motives, because the recognition may be encouraging, and the information could be used against us.

Schik, Jamie, and I have spent the last few days removing hacker-installed backdoors and patching up possible security holes. The server seems reasonably safe now, although we are still investigating and keeping an alert state for other attacks.

If you skimmed over the above information, that's fine, but please read the next part:

If the password that you use for the forum is the same password you use on another more important website, (i.e. online banking) please change your password on the other website.

I don't believe that the hacker has your password information, but it is possible, and the safest thing would be for you to assume he does. That also means that it would be a good idea to change your password on the forum too. But that's not as big of a deal. Note that we have been asking people to not reuse their forum password on important websites for years now. And situations like this one are the reason why.

You might be happy to know that we don't store any credit card information anyplace on our servers. And all of our data is backed up on a regular schedule. If the attacker were to delete every speck of data on our server, we'd be back up and running in 3 or 4 days.

-Erik

____________________________
The Godkiller - Chapter 1 available now on Steam. It's a DROD-like puzzle adventure game.
dev journals | twitch stream | youtube archive (NSFW)

---

[Last edited by ErikH2000 at 10-26-2007 01:55 AM]

Citrus
Level: Smitemaster

Rank Points: 1233
Registered: 01-08-2006
IP: Logged

Whoa, glad you guys told us. Thanks for keeping us aware Erik!

____________________________
Call me Citrus.

larrymurk
Level: Smitemaster

Rank Points: 1917
Registered: 12-09-2004
IP: Logged

I must agree, thx for the update.

Monkey
Level: Master Delver

Rank Points: 190
Registered: 03-21-2006
IP: Logged

Password changed. It seems someone tried to do something that my signature clearly apposes.

____________________________
lurking

calamarain
Level: Smitemaster

Rank Points: 933
Registered: 03-25-2007
IP: Logged

Yikes! Thanks for telling us. I use a unique password for this forum fortunately, but still thanks for letting us know!

____________________________
My Holds

Bingbing
Level: Goblin
Rank Points: 22
Registered: 04-28-2007
IP: Logged

Why is it that every time I leave, something major happens? Sigh, the second I look away, some crazy alien civilzation decides our server is perfect to live on.


My crazy theory.

____________________________
I don't know what to put here.

Chaco
Level: Smitemaster
Rank Points: 3685
Registered: 10-06-2005
IP: Logged

Thank you very much for alerting us to what has happened.

Purely as a redundant security measure, I have changed my password. And yes, I have devised a way to not forget it

____________________________
Quick links to my stuff (in case you forgot where it was):

calamarain
Level: Smitemaster

Rank Points: 933
Registered: 03-25-2007
IP: Logged

Also, I assume an email has been sent to everyone on the mailing list informing them of this?

____________________________
My Holds

NoahT
Level: Smitemaster

Rank Points: 1187
Registered: 06-17-2003
IP: Logged

Changed my password as well.

Edit: And changed again.

-Noah

____________________________
And in the end, the love you take is equal to the love you make.

My stuff:

---

[Last edited by NoahT at 10-26-2007 08:13 AM]

RoboBob3000
Level: Smitemaster

Rank Points: 1982
Registered: 10-23-2003
IP: Logged

Any idea when this happened? A window of time, maybe?

____________________________
http://beepsandbloops.wordpress.com/

Anson
Level: Delver
Rank Points: 67
Registered: 02-05-2007
IP: Logged

What?!?!? Hacking! Oh no! This is Very bad, Also, Why us? We need to figure out what they want.

____________________________

Please, I admire Guthix, I solve problems, I fix rules too. I used to be a Scoundril, Complaining about the forums, But now i changed.

Briareos
Level: Smitemaster

Rank Points: 3516
Registered: 08-07-2005
IP: Logged

Whoa. Now, there's one password I'm usually using for forum logins, but that wouldn't even fit the 8 character limit here so I was using a different one anyway, but I changed it nonetheless.

Still - I hope you're not storing the passwords in plain text, but instead only a hash that doesn't do an attacker any good elsewhere? And if not - how about it?

np: The Orb - Towers Of Dub (Ambient Mix) (U.F.Orb Remixes)

____________________________
"I'm not anti-anything, I'm anti-everything, it fits better." - Sole
R.I.P. Robert Feldhoff (1962-2009)

Dex Stewart
Level: Smiter
Rank Points: 355
Registered: 01-19-2007
IP: Logged

There's an 8 character limit? My password has much more than that. And this hack makes me glad that I was forced to use at least one letter in high caps and at least one number when creating my password. This way it's different from all my other passwords .

Oneiromancer
Level: Legendary Smitemaster

Rank Points: 2936
Registered: 03-29-2003
IP: Logged

8 character minimum, not maximum.

____________________________
"He who is certain he knows the ending of things when he is only beginning them is either extremely wise or extremely foolish; no matter which is true, he is certainly an unhappy man, for he has put a knife in the heart of wonder." -- Tad Williams

coppro
Level: Smitemaster
Rank Points: 1309
Registered: 11-24-2005
IP: Logged

Briareos wrote:
Still - I hope you're not storing the passwords in plain text, but instead only a hash that doesn't do an attacker any good elsewhere? And if not - how about it?

I've commented on this before, but apparently Schik doesn't think that the plaintext copy of your password being sent to your browser and stored in a cookie every time you post is a problem.

halyavin
Level: Delver
Rank Points: 52
Registered: 02-20-2006
IP: Logged

Anson wrote:
What?!?!? Hacking! Oh no! This is Very bad, Also, Why us? We need to figure out what they want.

Have I said that every site will eventually be checked by hackers? I hope that this accident encourage CaravelNet to increase security and prevent more paintful loses in the future.

Luckily, I used forum's password only in unimportant places.
PS I hope that the hacker hadn't enough time/permissions/experience to install invisible rootkits... Windows users reinstall the system in this case, but you haven't reserve server I guess .

Briareos
Level: Smitemaster

Rank Points: 3516
Registered: 08-07-2005
IP: Logged

Oneiromancer wrote:
8 character minimum, not maximum.

Hmmm... guess I mixed it up with somewhere else, then. Or maybe it was the need to include non-alphanumeric characters, unless I'm misremembering...

np: Alter Ego - Pleasure Island (Why Not?!)

____________________________
"I'm not anti-anything, I'm anti-everything, it fits better." - Sole
R.I.P. Robert Feldhoff (1962-2009)

Briareos
Level: Smitemaster

Rank Points: 3516
Registered: 08-07-2005
IP: Logged

coppro wrote:
I've commented on this before, but apparently Schik doesn't think that the plaintext copy of your password being sent to your browser and stored in a cookie every time you post is a problem.

Well, I'd say it *is* less of a problem, because you're not getting hold of all username/password combinations at once. Only little by little, depending on where you snoop for TCP connections...

np: Future Sound Of London - Room 207 (From The Archives Vol. 3)

____________________________
"I'm not anti-anything, I'm anti-everything, it fits better." - Sole
R.I.P. Robert Feldhoff (1962-2009)

UrAvgAzn
Level: Smiter

Rank Points: 468
Registered: 04-15-2006
IP: Logged

Scary that we got hacked.. I wonder who would do it though.

Oneiromancer wrote:
8 character minimum, not maximum.

I've got less than that.

Keep posting,

____________________________
"The leaf, still green, must someday fall.
Such grief, such joy, to live at all."
- T.A. Barron, The Lost Years of Merlin

RoboBob3000
Level: Smitemaster

Rank Points: 1982
Registered: 10-23-2003
IP: Logged

UrAvgAzn wrote:
Scary that we got hacked.. I wonder who would do it though.

Oneiromancer wrote:
8 character minimum, not maximum.

I've got less than that.

Keep posting,

*Brute forces UrAvgAzn's account*

____________________________
http://beepsandbloops.wordpress.com/

AlefBet
Level: Smitemaster
Rank Points: 979
Registered: 07-16-2003
IP: Logged

UrAvgAzn wrote:

Oneiromancer wrote:
8 character minimum, not maximum.

I've got less than that.

Your password was probably grandfathered in from before the forum had that requirement, then. I bet that if you tried to change your password now, it wouldn't accept a short one as the new one.

____________________________
I was charged with conspiracy to commit jay-walking, and accessory to changing lanes without signaling after the fact .

++Adam H. Peterson

ErikH2000
Level: Legendary Smitemaster

Rank Points: 2796
Registered: 02-04-2003
IP: Logged

We (Mike, Schik, Jamie, me) are not going to talk about what we do or don't do as far as security, because it gives information to hackers and promotes a challenge for them to come and get us. I don't want to claim that we are the best security experts, but most of the things brought up in this topic, we already thought about and handled. You can bring up ideas for security improvements--I won't censor you--but I don't think we actually need help here. And we're certainly not going to enter into public discussion over it, for the reasons I mentioned.

Who did it? Why? We care, but again, we're not gonna discuss it.

Let me go the opposite direction for a moment so you can see what I'm talking about...

I CAN'T BELIEVE SOMEBODY GOT INTO OUR SERVER! WOW, WHAT AMAZING SKILLS THEY HAVE. I AM DEFINITELY AFRAID OF THEM. THINK OF ALL THE SCARY THINGS THEY COULD DO. I STAND IN TERRIFIED AWE THAT SOMEONE COULD JUST BREAK IN AND DO WHATEVER THEY WANT. I DON'T EVEN UNDERSTAND HOW SOMETHING LIKE THAT IS POSSIBLE.

See how this (and milder variants) can stroke a scriptkiddy's ego? Or here's another stupid way to respond...

HEAR THIS, HACKER. YOU HAVE MADE A LIFELONG ENEMY. WE WILL NOT TOLERATE THIS KIND OF DISRUPTION AND ABUSE. BECAUSE NOW WE ARE SUPERTOUGH AND READY FOR ANYTHING YOU COULD THROW AT US. IF I FIGURE OUT WHO YOU ARE, I WILL SEND LAWYERS AND THE RUSSIAN MAFIA AT YOU.

...which wakes all the little scriptkiddies up so they can have a go at us.

No, no, no. We clean up the graffiti and go about our business. Nothing to see here, people.

-Erik

____________________________
The Godkiller - Chapter 1 available now on Steam. It's a DROD-like puzzle adventure game.
dev journals | twitch stream | youtube archive (NSFW)

AlefBet
Level: Smitemaster
Rank Points: 979
Registered: 07-16-2003
IP: Logged

ErikH2000 wrote:
. . . And all of our data is backed up on a regular schedule.

Too bad you weren't as careful when a certain rank point incident involving bicycles, wheelies, and trains occurred a few years back.

Has anyone gone back to see if a beanstalk has grown at the site of that mishap?

____________________________
I was charged with conspiracy to commit jay-walking, and accessory to changing lanes without signaling after the fact .

++Adam H. Peterson

Oneiromancer
Level: Legendary Smitemaster

Rank Points: 2936
Registered: 03-29-2003
IP: Logged

AlefBet wrote:

UrAvgAzn wrote:

Oneiromancer wrote:
8 character minimum, not maximum.

I've got less than that.

Your password was probably grandfathered in from before the forum had that requirement, then. I bet that if you tried to change your password now, it wouldn't accept a short one as the new one.

This is correct. The password policy was changed a while back but old passwords were left as-is. I remember taking a while to get a new password that met with the policy.

____________________________
"He who is certain he knows the ending of things when he is only beginning them is either extremely wise or extremely foolish; no matter which is true, he is certainly an unhappy man, for he has put a knife in the heart of wonder." -- Tad Williams