Albedo, posted August 28, 2014: lmao dude I've seen feminists get shat on in way worse ways than that from actual people who were actually out of their mind. I have zero trouble believing that was real. Of course, I also think the person who wrote them was spineless and wouldn't ever follow through on anything. The thing is that there are crazy people on both sides of the issue, like the people who hacked The Fine Young Capitalists' Indiegogo, and that the whole thing is a clusterfuck I refuse to interact with. It also has practically nothing to do with anything here, so maybe we shouldn't get too far off topic. No, thing is, she's controversial, I get that, and I can totally believe that she gets death threats and all sorts of shit. It's just that, death threats from a brand new Twitter account, and with threats that look written by a woman (Seriously, would a man threaten to "drink blood off your cunt"? Any man? Is giving oral sex to a woman a male fantasy? News to me) just in the wake of the Zoe Quinn thing? Nah. But yes, you're right, this is going way off topic.
InvertMouse, posted August 29, 2014: Dang, seems like this stuff has been happening a lot lately (>-<). Hopefully anyone with an account with MG is doing okay.
sanahtlig, posted August 29, 2014: I checked the database dump. All they appear to have gotten were usernames, e-mail addresses, and password hashes. Some people's e-mail addresses may contain their real name, so that may be irritating to some. The passwords do not appear to have been decoded. I also use LastPass. I guess I might as well start the arduous task of changing all my passwords to be unique on the hundreds of sites I have accounts at.
Decay, posted August 29, 2014:
> I checked the database dump. All they appear to have gotten were usernames, e-mail addresses, and password hashes. Some people's e-mail addresses may contain their real name, so that may be irritating to some. The passwords do not appear to have been decoded. I also use LastPass. I guess I might as well start the arduous task of changing all my passwords to be unique on the hundreds of sites I have accounts at.
LastPass notifies you when you're using a shared password. Instead of remembering every single site I have an account on and changing them all at once, I just changed my password each time I logged into a site and that notice popped up. The way I figure it, any site that uses a shared password anymore is barely ever visited by me and I don't care if the account gets compromised.
Narcosis, posted August 29, 2014: That was news to me, do you have any sources? And is this in response to those fake-ass death threats Anita Sarkeesian got? (No, seriously, read the twits... No way a man wrote them.) You can find it here. To be honest, this isn't even serious enough.
Zakamutt, posted August 29, 2014: Still haven't gotten the famed MG mail about the compromise. I wonder if the others were fakes or something.
hotsauce2000, posted August 29, 2014:
> Still haven't gotten the famed MG mail about the compromise. I wonder if the others were fakes or something.
A lot of people haven't gotten it, me included. It's not a fake, though.
sanahtlig, posted August 29, 2014: Someone claiming to be the hacker has apologized for the attack on the official forums, claiming he thought MG was promoting child pornography. http://forums.mangagamer.org/viewtopic.php?f=3&t=348&start=15#p9801
havoc, posted August 29, 2014:
> Someone claiming to be the hacker has apologized for the attack on the official forums, claiming he thought MG was promoting child pornography. http://forums.mangagamer.org/viewtopic.php?f=3&t=348&start=15#p9801
Lol, if it actually is him, he is a bigger moron than I thought, and impulsive to boot. So let us do a guessing game for his (mental) age. My guess: mental age 15, real age 45-year-old brain dead.
sanahtlig, posted August 29, 2014: A lone vigilante hacker not doing so for profit is likely to be someone with a lot of time on their hands, motivated by the sort of naive idealism common among youth. It's actually fairly likely the hacker is college-age or younger.
havoc, posted August 29, 2014: What can I say... You reap what you sow.
Kenshin_sama, posted August 29, 2014: I had a feeling this guy was a dumbass from the way he wrote on Twitter, but I didn't think he'd be this bad. Not sure how severe the punishments for cyber crimes are, but he'd better learn from it.
sanahtlig, posted September 5, 2014:
> Dear MangaGamer Customers,
> At this time, we would like to announce that full security measures have been implemented on our site. Last Thursday, our site was hacked and email addresses, nick names, and encrypted passwords may have been leaked. The SQL injection vulnerability that allowed this attack was patched up almost immediately, and in the week since then, we have reviewed our site for various other security holes, and fixes have been made to prevent another incident like this from happening.
> For your security, and to mark the end of this security update, your password has been automatically generated on our end. Your new password is
> Since this password is temporary, please update your password from your My Account page. (Your new password must include both alphanumeric characters and symbols.)
> Once again, we apologize for the inconvenience this has caused, and we hope that you will continue to support us in our endeavors to bring great visual novels to the west.
> Best Regards,
> MangaGamer Staff
Nayleen, posted September 5, 2014: Can you clarify something for me? Encryption hopefully doesn't mean what I hope they mean. Encryption is reversible, e.g. you can get the original value back from an encrypted one. Hashing would be what you want to do for passwords, using a proper, modern, secure algorithm (I heard something about them using unsalted MD5 hashes before; inadequate). Emails could be encrypted, although there's little value to it. And, depending on how they're used around the site, even those could be hashed instead.
sanahtlig, posted September 5, 2014: They've said previously the passwords that were leaked were encrypted, when they were actually hashed (as you surmised, using unsalted MD5). My guess is the spokesperson isn't technically inclined enough to understand the difference. I have requested clarification, however. The e-mail address is used to send e-mails to customers, so I doubt it can be hashed.
Decay, posted September 5, 2014: Hashing can be a form of encryption when using it to obfuscate passwords. The problem is that it was a really simple hash algorithm (MD5) and the hashes weren't salted. So while it wasn't exactly strong encryption, it's still encryption. Using something like SHA-2 and salting it would be a whole lot better.
sanahtlig, posted September 5, 2014: Hashing is not a form of encryption, though many refer to it as such. Encryption is reversible (intended to be decoded to reveal the original message). Hashes are irreversible. Both encryption and cryptographic hashes are forms of cryptography. Though the average user probably doesn't care about the difference, the difference has practical implications. http://danielmiessler.com/study/encoding_encryption_hashing/ Storing an encrypted password is sort of like setting a login password on a laptop, with a sticky note on the monitor proclaiming what the password is. Sure, it'll stop some forms of attack, but it won't stop the type of attack it really needs to stop: some stranger swiping your laptop and logging in as you.
Nayleen, posted September 5, 2014: Thanks for pointing it out, the common definition and understanding is kind of wishy-washy, unfortunately. I'm looking forward to MG's reply, since it's kind of important moving forward to know if personal information, especially passwords, are safe. Personally I'd refrain from ordering from them if proper measures aren't taken, just out of sheer principle.
sanahtlig, posted September 5, 2014: If you're using unique passwords for every site, the passwords aren't actually that valuable. When a breach is discovered, companies will patch it and reset your password, preventing further unauthorized access to the account. What's more concerning are e-mail addresses that contain people's real names. Many customers wouldn't be thrilled to have their real names publicly linked with pornography. If you share passwords across sites, then you should be concerned, as you're at risk of identity theft. Sites major and minor get hacked all the time. If you have any Internet presence at all, your previous usernames and passwords are probably in some criminal database somewhere of combinations to try first when hacking an account. The only protection is using unique passwords for every site.
Nayleen, posted September 5, 2014: Oh, I know all too well. Like I said, it's more out of principle and that I don't want to support companies treating sensitive customer information with anything but the highest amount of precaution and security. Stuff gets hacked all the time, but properly hashed (with high cost factors) and salted passwords are still pretty much useless to hackers, so a step in the right direction.
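The difference the last few posts argue over (unsalted MD5 versus a salted hash with a high cost factor) is easy to see in code. The example below is added here and is not code from the thread or from MangaGamer; the user records, the "common password" table and the iteration count are constructed for illustration. It shows why two customers with the same password leak each other's secret under unsalted MD5 and why a precomputed table recovers it instantly, then stores the same passwords with PBKDF2-HMAC-SHA256 (a salted, iterated SHA-2 construction from the Python standard library) and verifies them with a constant-time comparison.

```python
import hashlib
import hmac
import os

# Constructed sample: two customers who happen to have chosen the same password.
USERS = {"alice": "hunter2", "bob": "hunter2"}


# --- The weak scheme described in the thread: a bare, unsalted MD5 digest ---
def md5_unsalted(password: str) -> str:
    """Identical passwords always yield identical digests, so one crack reveals both."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


# Constructed stand-in for a precomputed table of common passwords and their digests.
COMMON_PASSWORDS = ["password", "123456", "hunter2", "letmein"]
LOOKUP_TABLE = {md5_unsalted(p): p for p in COMMON_PASSWORDS}


def recover_from_table(digest: str):
    """Return the password if its unsalted digest is already in the table, else None."""
    return LOOKUP_TABLE.get(digest)


# --- A salted, iterated scheme: PBKDF2-HMAC-SHA256 -------------------------------
ITERATIONS = 200_000  # the "cost factor"; raise it as hardware gets faster


def make_record(password: str, iterations: int = ITERATIONS) -> str:
    """Store algorithm, cost, a fresh random salt and the derived key in one string."""
    salt = os.urandom(16)  # unique per user, so equal passwords give different records
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify(password: str, record: str) -> bool:
    """Re-derive the key from the stored salt and cost; compare in constant time."""
    try:
        algo, iters, salt_hex, dk_hex = record.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(dk.hex(), dk_hex)


def same_password_leaks_under_md5() -> bool:
    """True if alice's and bob's stored MD5 digests are indistinguishable."""
    return md5_unsalted(USERS["alice"]) == md5_unsalted(USERS["bob"])


def same_password_distinct_under_pbkdf2() -> bool:
    """True if the salted records differ even though the passwords are equal."""
    return make_record(USERS["alice"]) != make_record(USERS["bob"])


if __name__ == "__main__":
    for name, pw in USERS.items():
        print(name, "md5:", md5_unsalted(pw), "-> table hit:", recover_from_table(md5_unsalted(pw)))
        rec = make_record(pw)
        print(name, "pbkdf2 record:", rec)
        print(name, "verify correct:", verify(pw, rec), "verify wrong:", verify("guess", rec))
```

The stored record carries the algorithm name and the iteration count, so the cost factor can be raised later and old records re-hashed on the user's next successful login; the salt ensures a table built for one site is worthless against another.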
sanahtlig, posted September 5, 2014: They need to safeguard the e-mail addresses. However, I'm not sure what safeguards could be taken other than simply making sure the site isn't vulnerable to common routes of attack. In other words, I'm not sure what can be done to demonstrate their commitment to customer privacy. We've already established that encrypting e-mail addresses sounds reassuring but probably doesn't actually increase security. Maybe they could hire a security firm to certify them as standards compliant? I'm not sure if that would be cost-effective or feasible for them.
Nayleen, posted September 5, 2014: I agree wholeheartedly on your notion that it's not only the passwords, but also the users' identities that need protection. In Germany the TÜV (Technischer Überwachungsverein) runs these kinds of tests for online stores and e-commerce sites (one of which I work for) and issues certifications as well; unfortunately I don't know if there are any similar organizations carrying the same weight (not meeting TÜV standards will get you sued and your business shut down eventually on repeat offenses) for the US market. That's certainly something that would help ensure the safety of their servers. A company that uses unsalted MD5 hashes for passwords is pretty likely to be prone to other attack vectors, be it simple SQL injection, publicly reachable SQL servers, unsanitized user input, outdated libraries and software, unpatched OpenSSL... the list goes on, and properly securing a web server and related software is tedious and ongoing business as vulnerabilities pop up from time to time.
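MangaGamer's notice attributes the breach to a SQL injection flaw, and the post above lists it first among the things an unsalted-MD5 shop is likely to get wrong. The example below is added here and is not code from the thread or from MangaGamer's site; it uses an in-memory SQLite table with constructed rows. It places the defect (building the query by string concatenation, so input becomes SQL text) beside the fix (a parameterized query, so input is only ever data), and shows that the same crafted input returns the whole table from the first and nothing from the second.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample table standing in for a customer database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """The defect: user input is spliced into the SQL text, so quotes in it change
    the query's meaning instead of being treated as part of a value."""
    sql = "SELECT username, email FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, username: str) -> list:
    """The fix: a bound parameter. The driver sends the value separately from the
    statement, so no input can alter the query structure."""
    return conn.execute(
        "SELECT username, email FROM users WHERE username = ?", (username,)
    ).fetchall()


# Constructed input of the kind the vulnerable query mishandles: the quote closes
# the literal and the OR clause makes the WHERE condition always true.
MALFORMED_INPUT = "x' OR '1'='1"


def compare() -> dict:
    """Row counts each lookup returns for an honest name and for the malformed input."""
    conn = make_db()
    return {
        "vulnerable_honest": len(lookup_vulnerable(conn, "alice")),
        "vulnerable_malformed": len(lookup_vulnerable(conn, MALFORMED_INPUT)),
        "safe_honest": len(lookup_safe(conn, "alice")),
        "safe_malformed": len(lookup_safe(conn, MALFORMED_INPUT)),
    }


if __name__ == "__main__":
    for k, v in compare().items():
        print(f"{k}: {v} row(s)")
```

Input validation and escaping help at the edges, but the parameterized form is the control that holds regardless of what the input contains; a code review that greps for string concatenation or formatting next to `execute(` is a cheap way to find the vulnerable pattern across a site.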
Down, posted September 6, 2014: Relevant to your discussion (might be Sanahtlig posting here, actually). Seems like they took a lot of different steps (although it seems like their previous system was full of holes), although they don't specify what hashing they now use for the passwords.
Totodile, posted September 6, 2014: That's why I always check the site certificates. Although I'm pretty much paranoid myself, so everything from my FB to my YT has differing personal information; the only thing that remains constant is my age and list of disposable emails. That's where Google+ also comes in handy.