Beek is an idle account hacker?

91.3% uncensored free-for-all (see, no false advertising here)
SunshuZFM
Master n00b
Posts: 34
Joined: Mon Jan 06, 2003 4:34 pm

Post by SunshuZFM »

After being offline for a year and a half or so, I was somewhat alarmed by posts that had supposedly been made by me. Posts that I know I never made. However after spending so much time with shosh I guess I'm not surprised. Except that someone had to log on in my stead. I never gave my password to anyone including my now ex-wife. But someone was apparently able to post under my name several posts which are apparently credible (certainly the owner of the site would not have access to my password) granted going on a limb here and I have no doubt that a politically correct and plausible explanation will soon follow. Either way posts were made that "I" did not make and they definitely do not reflect my views

SunshuZFM
Dave Mitterling
e-mail-sunshuzfm@yahoo.com
Falundir X`Viento
Knight of the Rose Croix (zomg French)
Posts: 724
Joined: Thu Jan 09, 2003 5:54 am

Post by Falundir X`Viento »

Sayin it now, I told ya all so~
Garrdor
Damnit Jim!
Posts: 2951
Joined: Wed Dec 25, 2002 9:02 pm
Location: Oregon

Post by Garrdor »

Dear Brell,

I'd like to inform you that all the trolls made on your board have not been because of me. I've been idle, and my little brother found my password info. Please don't hate me :(
Didn't your mama ever tell you not to tango with a carrot?
Ddrak
Save a Koala, deport an Australian
Posts: 17517
Joined: Thu Jan 02, 2003 3:00 pm
Location: Straya mate!

Post by Ddrak »

SunshuZFM wrote: certainly the owner of the site would not have access to my password

Just a technical point here: unless he's found a way to reverse an MD5 hash, no he wouldn't have access to your password. He could *post* as you by tinkering with the database directly but he couldn't use the regular interfaces.

That was just an aside though - don't let me interrupt a good conspiracy!

Dd
Relbeek Einre
Der Fuhrer
Posts: 15871
Joined: Fri Dec 20, 2002 9:16 am
Location: Eagan, MN

Post by Relbeek Einre »

Phfft.

Get lost, Sunshuu, it's long over, and no I have no knowledge of who posted from your account except that the IP was the same as Shosh's.

But to think she couldn't have known your password when she was living with you for years is a little retarded, kthx~
Falundir X`Viento
Knight of the Rose Croix (zomg French)
Posts: 724
Joined: Thu Jan 09, 2003 5:54 am

Post by Falundir X`Viento »

Doesn't even have to do that. Just change the password but leave the reg info intact so he could get use of the acct and the owner could just request password reset via email thinking he/she/it forgot it.
Burz
Burzlaphdia
Posts: 1770
Joined: Fri Dec 20, 2002 1:26 pm
Location: Aurora, IL.

Post by Burz »

Guys, stop being assholes before I ban you all.

-Relbeek
EverQuest....FOOOOOOOO!
Relbeek Einre
Der Fuhrer
Posts: 15871
Joined: Fri Dec 20, 2002 9:16 am
Location: Eagan, MN

Post by Relbeek Einre »

Oh, and for the record I can change anyone's password more or less at will - the admin panel lets me do so. What I *can't* do is know what anyone's password is - it's an MD5 hash and that code can't be cracked. So were I so inclined I could easily have changed Sunshuu's PW and given it to Shoshannah or her boytoy, or made a post myself.

Mind you, I didn't, but anyone with a passing familiarity with the phpBB admin panel would know that an admin certainly has the power to do so.
ZanypherCocoapuffs
Jiggling Anime Tits > All
Posts: 4319
Joined: Fri Dec 20, 2002 3:59 pm
Location: Kennewick, WA (This side of the TV)

Post by ZanypherCocoapuffs »

Relbeek Einre wrote:Oh, and for the record I can change anyone's password more or less at will - the admin panel lets me do so. What I *can't* do is know what anyone's password is - it's an MD5 hash and that code can't be cracked. So were I so inclined I could easily have changed Sunshuu's PW and given it to Shoshannah or her boytoy, or made a post myself.

Mind you, I didn't, but anyone with a passing familiarity with the phpBB admin panel would know that an admin certainly has the power to do so.

The urge to confess.

Learned that on Law & Order.
Relbeek Einre
Der Fuhrer
Posts: 15871
Joined: Fri Dec 20, 2002 9:16 am
Location: Eagan, MN

Post by Relbeek Einre »

There's a reason Jerry Orbach died of prostate cancer.
-=Xilanthanax=-
Grand Inspector Inquisitor Commander
Posts: 2882
Joined: Mon Jan 27, 2003 5:14 pm
Location: LOL

Post by -=Xilanthanax=- »

Less protecting your right to be a dick, more fixing our post counts, please.
Make love? Fuck that, I'll make a slut cry. Fuck that, I'll make a slut cum nine times.

Hed PE - CBC (acoustic, live on Bubba The Love Sponge)
Hed PE - Let's Ride (live)
Skindred - Pressure (acoustic, live on Fuse)
Sevendust - Alpha (live)
Massive Attack - Teardrop (live)

Still playin eq, and waitin for Hellgate: London. 8)
Grygonos Thunderwulf
Druish Princess
Posts: 780
Joined: Fri Dec 20, 2002 3:22 pm

Post by Grygonos Thunderwulf »

md5 hash can be cracked fyi...also it was recently found that multiple things can hash to the same md5 result.. (not very often at all but it can happen best I remember)
Ddrak
Save a Koala, deport an Australian
Posts: 17517
Joined: Thu Jan 02, 2003 3:00 pm
Location: Straya mate!

Post by Ddrak »

Well, it's a certainty that multiple things hash to the same value (the whole point of a hash is it's 128 bits vs the arbitrary size of the original). The trick for a good hash is to not be able to find any deterministic way to find something that results in a given hash without a brute-force search.

The other thing about a hash is because multiple things (actually, an infinite number of things) are guaranteed to hash to the same value, even if someone does a brute-force search the chance of them finding the particular password that you used to hash to that value is vanishingly small. That's why I say Beek doesn't have access to our passwords.

That's why if someone talks about "cracking" a hash they are not talking about finding the original text but just any random text that matches the same hash. Even more common the idea of "cracking" a hash can also be used to describe how you can formulate a second piece of text from an original + its hash that results in the same hash. I wasn't aware MD5 had been cracked though and would be interested to hear more about it.

Now, through the admin tool, Beek can *change* passwords. What he can't do through the admin tool is change a password back to what it was. Changing a password is irreversible and if you ever find yourself with a changed password for no good reason it's a pretty good clue that an admin may be tinkering with your account.

Dd
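
An added example, not part of any post in this thread: a defender-side audit of what an unsalted MD5 password column shows to anyone who can read the table, next to a per-user salted PBKDF2 record for comparison. The user names, passwords and word list are constructed for the example.

```python
import hashlib
import hmac
import os
from collections import defaultdict

# Constructed sample data: these users and passwords are invented for the example.
SAMPLE_USERS = {"alice": "dragon", "bob": "dragon", "carol": "x9#Lq!02vT"}
COMMON = ["123456", "password", "dragon"]  # tiny stand-in for a common-password list

def md5_column(users):
    """Unsalted MD5 hex digests, the storage scheme the thread describes."""
    return {u: hashlib.md5(p.encode()).hexdigest() for u, p in users.items()}

def audit_md5(column, wordlist):
    """Report what the column reveals to a reader without reversing any hash."""
    known = {hashlib.md5(w.encode()).hexdigest(): w for w in wordlist}
    weak = {u: known[h] for u, h in column.items() if h in known}
    groups = defaultdict(list)
    for user, digest in column.items():
        groups[digest].append(user)
    shared = sorted(sorted(g) for g in groups.values() if len(g) > 1)
    return weak, shared

def pbkdf2_record(password, salt=None, iterations=200_000):
    """Per-user random salt plus a slow KDF: equal passwords give unequal records."""
    salt = salt or os.urandom(16)
    derived = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, iterations, derived

def pbkdf2_verify(password, record):
    """Recompute with the stored salt and compare in constant time."""
    salt, iterations, derived = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, derived)

if __name__ == "__main__":
    weak, shared = audit_md5(md5_column(SAMPLE_USERS), COMMON)
    print("matches common-password digests:", weak)
    print("accounts sharing one digest:", shared)
    a, b = pbkdf2_record("dragon"), pbkdf2_record("dragon")
    print("salted records differ:", a[2] != b[2], "| verify:", pbkdf2_verify("dragon", a))
```
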
Relbeek Einre
Der Fuhrer
Posts: 15871
Joined: Fri Dec 20, 2002 9:16 am
Location: Eagan, MN

Post by Relbeek Einre »

Exactly Ddrak. You know your shit. :)
Relbeek Einre
Der Fuhrer
Posts: 15871
Joined: Fri Dec 20, 2002 9:16 am
Location: Eagan, MN

Post by Relbeek Einre »

Well, actually Ddrak, my evil brain was just thinking of it, and I -could- change a password back.

If I went into the user table and copied the hash from the password column for a user then changed the password, I could change it back by repasting that hash.

It was a trick I used setting up forums elsewhere when I had several test accounts and I'd forgotten their passwords - I'd copy the admin password hash and paste it to the test accounts' passwords, which was a lot simpler than manually going into each one in the Admin panel and changing the PWs.

And of course, I could hack into the database tables and create a post whole cloth. Of course, that'd be spottable by the post never turning up in a Search query.

What it boils down to is that if your forums are important to you, you need to have an Admin whom you trust to not do these things. The Admin pretty much has the power to mess with anything related to the board. This also means, of course, that the Admin has no way to defend himself against charges like Sunshuu's apart from his own reputation and integrity.

For what it's worth, I'd been running under the assumption that Shoshannah or her babydaddy had Sunshuu's password and posted under his name. She told me that Sunshuu was going to be visiting on a Saturday (to see her daughter) and she'd confront him about Valoria's claims, and that was indeed the day of the post, so I didn't really have a reason to disbelieve her at the time - well, until she started posting as Anicka. But the IPs for Sunshuu, Anicka and Shoshannah all matched, so...
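
An added example, not part of any post in this thread and not phpBB's own code: a database trigger that records every change to the password column, so the copy, change and repaste sequence described above leaves a trail even though the final row is identical to the original. The table and column names are simplified assumptions and the hashes are constructed.

```python
import hashlib
import sqlite3

# Assumed, simplified schema; names are illustrative, not taken from the forum.
SCHEMA = """
CREATE TABLE users (user_id INTEGER PRIMARY KEY, username TEXT, user_password TEXT);
CREATE TABLE password_audit (
    seq INTEGER PRIMARY KEY AUTOINCREMENT,
    user_id INTEGER, old_hash TEXT, new_hash TEXT,
    changed_at TEXT DEFAULT CURRENT_TIMESTAMP);
CREATE TRIGGER log_pw_change AFTER UPDATE OF user_password ON users
WHEN OLD.user_password IS NOT NEW.user_password
BEGIN
    INSERT INTO password_audit (user_id, old_hash, new_hash)
    VALUES (OLD.user_id, OLD.user_password, NEW.user_password);
END;
"""

def build_db():
    """In-memory database with two constructed accounts."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    rows = [(1, "admin", hashlib.md5(b"constructed-admin-pw").hexdigest()),
            (2, "member", hashlib.md5(b"constructed-member-pw").hexdigest())]
    db.executemany("INSERT INTO users VALUES (?, ?, ?)", rows)
    return db

def current_hash(db, user_id):
    sql = "SELECT user_password FROM users WHERE user_id = ?"
    return db.execute(sql, (user_id,)).fetchone()[0]

def swap_and_restore(db, user_id, donor_id):
    """The sequence from the post: save the hash, paste another one in, paste it back."""
    saved = current_hash(db, user_id)
    sql = "UPDATE users SET user_password = ? WHERE user_id = ?"
    db.execute(sql, (current_hash(db, donor_id), user_id))
    db.execute(sql, (saved, user_id))
    return current_hash(db, user_id) == saved  # True: a before/after snapshot shows nothing

def find_restores(db):
    """user_ids whose hash was changed and later set back to an earlier value."""
    seen, flagged = {}, []
    query = "SELECT user_id, old_hash, new_hash FROM password_audit ORDER BY seq"
    for uid, old, new in db.execute(query):
        history = seen.setdefault(uid, set())
        history.add(old)
        if new in history and uid not in flagged:
            flagged.append(uid)
    return flagged
```

The audit table here lives in the same database, so it only helps if its rows are also shipped somewhere the database administrator cannot rewrite.
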
Eannyarah
Intimate Sexretary
Posts: 124
Joined: Fri Dec 20, 2002 5:51 pm
Location: The edge of the world!

Post by Eannyarah »

With our powers combined we shall form...




RELBEEKuh!!!
Minute
Sublime Prince of teh Royal Sekrut Strat
Posts: 3419
Joined: Fri Dec 20, 2002 10:39 am
Location: Brothel Relbeeks Mother Whores Herself From

Post by Minute »

Relbeek Einre wrote: What it boils down to is that if your forums are important to you, you need to have an Admin whom you trust to not do these things.

Good thing these forums aren't important. :roll:
Fallakin Kuvari wrote:Because laws that require voters to have an ID (Something they are required to have anyway) are bad.... :roll:
Ddrak
Save a Koala, deport an Australian
Posts: 17517
Joined: Thu Jan 02, 2003 3:00 pm
Location: Straya mate!

Post by Ddrak »

Beek,

Yep - I agree. You can do whatever you like by messing with the database directly. Hell, you could even fix up the search if you worked hard enough. That's why all my statements were given the rider of "through the web interfaces".

The only thing that can't be done without a hell of a lot more computing power than I hope Beek owns is the brute-force cracking of the MD5 hash. Of course, there's no guarantee he hasn't turned off hashing the passwords either so...

Dd
Klast Brell
Sublime Prince of teh Royal Sekrut Strat
Posts: 4315
Joined: Fri Dec 20, 2002 11:17 am
Location: Minneapolis MN

Post by Klast Brell »

And you would need to care enough to put in the effort.
maltheos
Grand Master Architecht
Posts: 421
Joined: Fri Dec 27, 2002 12:51 pm
Location: South East of Bangzoom

Post by maltheos »

Actually, if one has access to the database, one should be able to (fairly simply) generate a query to fake postings that would be indistinguishable from "real postings"

No MD5 Hash breaking needed. However, the explanation that Shosh generated the posting is much more plausible than Beeker going in and performing surgery on the DB. Easier, and more plausible too.

However, Beeker (and anyone with admin access to the Rack 9 box) can change, edit and falsify postings with impunity. <-- though why they'd want to is beyond me.