MCBans Public Statement

Discussion in 'Bukkit Discussion' started by Firestar, Jan 8, 2012.

Thread Status:
Not open for further replies.
  1. Offline

    Firestar

    I'm not going to have an argument. The information that you may have is 7 months old and does not reflect the current workings of the mcbans system.
     
  2. Offline

    nichiatu

    so much drama.
     
  3. Offline

    TkTech

    As you wish. I was simply replying to your (extremely incorrect) statement, as it was brought to my attention.
     
  4. Offline

    alfonsojon

    Hi. I'm concerned for my server's security (changing passwords right now).
    I received an E-mail, which was in my spam folder, from the domain [email protected] (IP being 176.31.206.194), consisting of the following message:
    Show E-mail (open)

    NO security breach at mcbans.comSpamx

    [​IMG]
    [email protected] [email protected] 7 (1 day ago)[​IMG]
    [​IMG]
    [​IMG]
    to me
    [​IMG]
    Dear user who's information was definitely NOT compromised.,
    We are writing to inform you that there was absolutely NO breach in our "extensive" security measures that could allow your personal information and all the API keys to be leaked, because of this we DO NOT suggest you change your mcbans.com password. This breach DID NOT affect anyone. If your Minecraft password is the same as any password you use for MCBans you should not give a fuck. Our server is protected by an expired version of Norton Antivirus from 2007 and thus is absolutely hacker-proof.

    For further support go to support.mcbans.com and open a ticket or contact us on IRC at irc://irc.esper.net:5555 on #mcbans or #yesyourinformationwascompromised. You may verify that your information WAS NOT COMPROMISED by searching for it in our uncompromised database which we have temporarily mirrored publicly for verification purposes:

    http://ddoscom.in/dongs.sql

    As you should see, your information is still in our uncompromised database and thus has not been stolen.

    We would like to thank you for your continued support and use of mcbans.com and we apologize for any inconvenience this has not caused. Rest assured that if there ever were a breach of our systems, the kind Nigerian prince who funds our operation would be more than willing to offer you 7 figure restitution if you can just help him out a bit. Hell, he's probably about to make you this offer just because he loves you.

    I hope you all want Viagra because our associates have plenty to sell.

    Kind Regards,
    The MCBans Badministration Totalitarian Regime and Führer Firestar

    Remember:
    - Firestar likes cocks.
    - Denial is the best security measure ever and lying through your teeth is the truest display of integrity.
    - Also, we have never ever been hacked, if someone claims otherwise they are bullshitting you.
    - And to re-iterate once more, Firestar likes cocks.


    IRC logs extracted from a server that was NOT hacked:

    03:56 <REDACTED> So when are you gonna send the maillist?
    03:56 <REDACTED> I need it right now
    03:56 <Firestarthe> Wait a sec
    03:57 <REDACTED> Okay
    03:58 <Firestarthe> Here you go, LINK REDACTED
    03:58 <REDACTED> Thanks
    03:59 <REDACTED> Enjoy the bitcoins
    [/spoiler=Hide E-Mail]
     
  5. Offline

    NinjaZidane

    As true as this might be, after each attack on an organization's security (both successful or unsuccessful) normally preludes to an improvement in the security of said organization. From the information present to everyone, it seems that the entire McBans system was literally "trusted" to one individual (who helped with said security) as proved by his ability to lock out people who are actually McBans staff. This is also compacted by fears of well known griefers (which McBans is mostly used to block) such as, example, Doridian not only assisting with McBans but possibly having access to the system itself (which he or others could use to attack servers that put their trust in McBans).

    This is worrying, not only to me but any other user out there that is using, or may use in the future, McBans. What improvements can we see come from this? How will you protect your users in the future? How can you guarantee an incident like these never occurs again? I think this are questions on everyone's mind.
     
    Vhab likes this.
  6. Offline

    Firestar

    The system is not trusted to any one person, and the user in question is no longer involved with mcbans or its equipment. And he would not have done anything he had threatened because he did not have access to those services.
     
  7. Offline

    forty_two

    As TkTech has stated, he is in no way affiliated with MCBouncer (or any other ban systems that I know of). He hasn't even logged into the Reddit servers, so not connected in that way either. Please don't make unfounded accusations.
     
  8. Offline

    Firestar

    The information is question was from 7 months ago from an older version of mcbans, and does in no way reflect the operations of the current mcbans.
     
  9. Offline

    JohnTheRipper

    You should come on HF sometime, Crashdoom is a active griefer and a active MCbans staff member. While there may appear to be a conflict of interest there, it's not true, it's about the same as me being both a server admin and a griefer, and countless others like me or Crashdoom. Being a griefer doesn't mean that you don't care about stopping them, I highly doubt anyone on the current MCbans stafflist is going to abuse their powers.
     
  10. Offline

    Firestar

    Crashdoom is NOT a griefer.
     
    rakiru likes this.
  11. Offline

    NuclearW

    @Firestar @battlekid @forty_two @TkTech

    I should note that this thread has gotten significantly off topic. I would suggest taking such a conversation about a reddit post to a more appropriate forum (Offtopic), not to mention the quick argument this thread has become.

    If this thread continues to break Bukkit rules and remains as it is now I will lock it. Please do not make me do that.

    Agreed
     
  12. Offline

    Evenprime

    I'm amazed that people still don't do background checks when they hire others and are going to give them any kind of access or control over critical services (directed at nobody in particular). I actually read about Z. coding for Terraria a week ago and couldn't believe it. People do NOT change, as long as what they do is successful.

    MCBans has a very poor history of whom they employ or trust with their project, which (at least that's how it got explained to me once) is the result of people knowing each other or considering each other friends. I really hope these events also change the employment process for the sake of those that rely on the service. Or the other way around, cause server operators to distrust services like McBans by default.
     
  13. Offline

    Firestar

    We have changed the way we approach hiring new team members.
     
    rakiru likes this.
  14. Offline

    JohnTheRipper

    You seem a little out of touch :p.

    I may be wrong, but from what he's said, he appears to be a active griefer. I've seen many things confirming this.
     
  15. Offline

    Firestar

    This is off-topic, and is incorrect.
     
  16. Offline

    JohnTheRipper

    Yes, it's a little offtopic. No, it's not untrue.

    Go take a look through his posts on HF, I've seen several confirming what I said.

    Anyways, I'm not going to continue taking this offtopic, if you don't believe be then go look for yourself, let's keep this ontopic now.

    Edit: Just wanted to add in that he also helped sell a grief client at one point in time on HF, and yet you claim he never griefs?
     
  17. Offline

    Firestar

    If you could provide me proof through a pm that would be helpful. Otherwise, even based on his posts what I see, he did not even mention himself griefing.
     
  18. Offline

    Noman_1000

    I really want to know this.

    Is the salt leaked?
     
  19. Offline

    Firestar

    it was in the database as well, that is why we are telling people to change their password.
     
  20. Offline

    Noman_1000

    Excuse my language but.

    FFFFFFFFFFFFFFFFFFFFFFFFFuck.
     
  21. Offline

    cjc343

    It's unfortunate this wasn't answered when first asked... much less disclosed prior to that.
     
  22. Offline

    Tylerjd

    It is good that MCBans came out with a public statement like this.

    That being said, they could have been more transparent to their users, like saying that the salt was in the compromised DB. I'm not going to judge you for having the salt in the same DB as the passwords, but that should have been said in the first post.

    Also, I noticed that you don't use SSL on the MCBans login page, as far as I can see. Interesting.
     
  23. Offline

    Firestar

    SMF as well as other PHP scripts all have their salts in the DB. MCBans.com was not hacked it was the old forums.mcbans.com server, which we have changed hosts.

    http://www.simplemachines.org/community/index.php?topic=424775.0
     
  24. Offline

    Tylerjd

    Well, thanks for clarifying that at least.

    I know that MCBans.com itself was not hacked.

    I would like a clarification on something else. In your original post you say:
    Now in your reply to me, you said that the forums.mcbans.com server was the one hacked, implying it was those forums hacked. But in your OP, you said it was a backup of MCBans.com. So I am guessing it was the latter, but this is conflicting information.

    Also, can I ask why it took a week to make a statement anyways?


    In a separate note: I'm becoming weary of who to trust these days. RSA, MCBans, who is next, Google?
     
  25. Offline

    Jarace

    My mcbans account locked me out, Im assuming this is why.
    I also received an email explaining that the server was NOT breached, of which i was informed is fake.
    The sender's email was [email protected]. If you would like the email, Here it is:
    Show Spoiler
    Show Spoiler
     
  26. Offline

    kyle0440

    So, to clarify, if I created an account in December 2011, am I at risk?
    I already got the email, but I'm just wondering about the password.

    Also, have you been able to locate the specific people/person responsible?
     
  27. Offline

    alexanderpas

    AFAIK there were SQL dumps on that machine.

    Why? there can be several reasons for that, with one it being a cheap option to use as off-site backup.
    this is actually answered in the OP
    @Firestar: learn from how they handled communications http://blog.lastpass.com/2011/05/lastpass-security-notification.html be upfront!

    I also have a question, what hashing algorithm was used for mcbans?

    You're forgetting the biggest of them all, SONY leaking credit card data of 10% of the world.
     
  28. Offline

    Firestar

    they are 2 separate servers, so mcbans.com server was not hacked, the forums.mcbans.com server was, which housed the mcbans.com site pre-april 15th

    "Contacted all ISPs/hosts used to facilitate this attack. Most if not, all ISP’s/hosts have complied with our requests, and we will continue to ask for take-downs until we see fit."
     
  29. Offline

    Nathan C

    Google has already been hacked I believe.
     
  30. Offline

    alexanderpas

    This basically means that if they find the person who did it, he get's booted from the internet.
     
Thread Status:
Not open for further replies.

Share This Page