FOR SALE: Khmer440.com [SOLD!]

If you have something so weird, strange or off-topic to post and think it doesn't belong in any other forum; you're probably right. Please put all your gormless, half-baked, inane, glaikit ideas in here. This might also be a place where we throw threads that appear elsewhere that don't belong ANYWHERE end up, instead of having to flush them. FORUM RULES STILL APPLY.
User avatar
General Mackevili
The General
Posts: 17157
Joined: Tue May 06, 2014 5:24 pm
Reputation: 2128
Location: The Kingdom
Contact:
United States of America

Re: FOR SALE: Khmer440.com

Post by General Mackevili »

StroppyChops wrote:
Edit: it's not even deemed to be hacking, it's just admin business as usual.
Personally, I'd consider it hacking. I feel admin have no right to read any members PM's at all, period.

If it's serious enough to warrant snooping, I'm sure The NSA will be all over it anyways.
"Life is too important to take seriously."

"Life does not cease to be funny when people die any more than it ceases to be serious when people laugh."

Have a story or an anonymous news tip for CEO? Need advertising? CONTACT ME

Cambodia Expats Online is the most popular community in the country. JOIN TODAY

Follow CEO on social media:

Facebook
Twitter
YouTube
Google+
Instagram
OrangeDragon
Site Admin
Posts: 4193
Joined: Fri May 02, 2014 8:05 pm
Reputation: 16
United States of America

Re: FOR SALE: Khmer440.com

Post by OrangeDragon »

vladimir wrote:I have one question:

Do admins on either board read Private Messages?

I know it can be done, you have to know what you're doing, and you need a reasonable idea of what the content is to do it.

OD, can you verify that?

And, of more significance, if you can hack PM's is it not just a short step to hack their emails?
Despite what the "other admin" loves to claim, it's VERY easy to do. They're not encrypted and it just takes a look at the phpbb_private_msg table in the database to read them. That said, we don't. The only time I ever even open the database is to make mods and most of those have their own scripts for updating the DB build in so I don't even need to do it then. It has been claimed that "some admins" don't have the knowhow to do so... frequently just after they have clearly done so. I can attest that GMack is completely inept at using the database however, and I really just don't give a shit what you have to say in your PMs.

As for hacking email, no... MUCH harder and the most we get is that we know your email address. In 'theory' if you used the same password for here and there we could attempt to crack the encrypted 'hash' of your password here to get the real thing, then use that to log into your email. But that's a LOT of work and really not that effective since there's no guarantee that it can be dehashed (google rainbow tables) or that once it is that you used the same password for both (which you never should).

When you enter your password to this system it encrypts it... so that the word "password" ends up as "5f4dcc3b5aa765d61d8327deb882cf99". Then all it saves in the DB is 5f4dcc3b5aa765d61d8327deb882cf99. Later, when you log in, it takes what you typed and does the same encryption to it, then if the result comes out at 5f4dcc3b5aa765d61d8327deb882cf99 it matches and knows you entered the right one. The original text is never saved in the DB and the only way to get it is to search a list of encrypted words to find one that matches, then see what that word had been. It's called 1 way encryption for a reason.
OrangeDragon
Site Admin
Posts: 4193
Joined: Fri May 02, 2014 8:05 pm
Reputation: 16
United States of America

Re: FOR SALE: Khmer440.com

Post by OrangeDragon »

The other method for doing it would be to change the user's password, log in as them, then blame it on some technical glitch and make them reset their password when you're done. This system doesn't do it, though I wish it did, but some systems send out a nice automated email when your password has been changed to tattle on whoever did it.
OrangeDragon
Site Admin
Posts: 4193
Joined: Fri May 02, 2014 8:05 pm
Reputation: 16
United States of America

Re: FOR SALE: Khmer440.com

Post by OrangeDragon »

(Also, if you want to see your own password hash there's a handy little generator that I just used for that example: http://www.md5hashgenerator.com/index.php" onclick="window.open(this.href);return false; )
Jaap N.
Expatriate
Posts: 904
Joined: Sat May 17, 2014 1:42 pm
Reputation: 10
Netherlands

Re: FOR SALE: Khmer440.com

Post by Jaap N. »

OrangeDragon wrote:(Also, if you want to see your own password hash there's a handy little generator that I just used for that example: http://www.md5hashgenerator.com/index.php" onclick="window.open(this.href);return false; )
Is software available that does the opposite?
OrangeDragon
Site Admin
Posts: 4193
Joined: Fri May 02, 2014 8:05 pm
Reputation: 16
United States of America

Re: FOR SALE: Khmer440.com

Post by OrangeDragon »

Not really, it's called a 1 way encryption for a reason.

The method to "crack" it is to take a huge dictionary of words and encrypt THEM the same way... then you look at the list of those results and see if any match the hash you want to crack. If so you see what word correlated to it and you have the password. A really involved process, especially if they add numbers/etc to their password. That list is called a Rainbow Table, and you can download premade ones pretty much all over the internet.

Like this one:
http://www.md5rainbow.com/" onclick="window.open(this.href);return false;

Google works well too... just do a search for the hash and see if any site has it in their public rainbow tables. A good way to test the security of your password.

Mine, for this site actually, returns:
Your search - XXXXXXXXXXXXXXXXXXXXXXXX - did not match any documents.

Suggestions:

Make sure all words are spelled correctly.
Try different keywords.
Try more general keywords.
OrangeDragon
Site Admin
Posts: 4193
Joined: Fri May 02, 2014 8:05 pm
Reputation: 16
United States of America

Re: FOR SALE: Khmer440.com

Post by OrangeDragon »

It should be noted that we ALSO "salt" our encryption... it adds a string of random crap to the password before it encrypts it to make the result harder to snag with a rainbow table.
Jaap N.
Expatriate
Posts: 904
Joined: Sat May 17, 2014 1:42 pm
Reputation: 10
Netherlands

Re: FOR SALE: Khmer440.com

Post by Jaap N. »

Cool, OD, thanks!
OrangeDragon
Site Admin
Posts: 4193
Joined: Fri May 02, 2014 8:05 pm
Reputation: 16
United States of America

Re: FOR SALE: Khmer440.com

Post by OrangeDragon »

Jaap N. wrote:Cool, OD, thanks!
NP. I do suggest everyone always check their PW against google's known hash tables... a password that's a google search away from decrypting really isn't much of a password.

[Shameless Plug: I'm available for network security and penetration testing for reasonable rates to anyone seeking such services. http://www.webivation.net" onclick="window.open(this.href);return false; ]

And related: DARPA Hacking, fun for the whole family! http://www.pcworld.com/article/2070580/ ... s-fun.html" onclick="window.open(this.href);return false;
User avatar
StroppyChops
The Missionary Man
Posts: 10598
Joined: Tue May 06, 2014 11:24 am
Reputation: 1029
Australia

Re: FOR SALE: Khmer440.com

Post by StroppyChops »

In western countries, the admin can be sued and jailed for reading email straight from the database and using that information unlawfully. Most colleges, for example, need a written instruction from the CEO or MD before an admin will look, and then the onus of the law is on the CEO. Naturally this gets abused if there is no watcher system (as you'd see in the justice system) in place.
Bodge: This ain't Kansas, and the neighbours ate Toto!
Post Reply Previous topicNext topic
  • Similar Topics
    Replies
    Views
    Last post

Who is online

Users browsing this forum: No registered users and 104 guests