Dreamhost hacked


Dreamhost hacked

Postby Generic » Fri Jan 20, 2012 4:15 pm

Dreamhost - the web hosting service used by Song Fight! and various members of this community - has been hacked. Users are urged to change their passwords ASAP.

http://www.dreamhoststatus.com/2012/01/ ... ity-issue/

Hopefully, everyone who needs to know this already does.
"Warren Zevon would be proud." -Reve Mosquito

Jon Eric - Get your feel on.
Website powered by Spud's Amazing Website Machine.

Circle of Titles!!!!!!

Re: Dreamhost hacked

Postby jb » Fri Jan 20, 2012 4:43 pm

Yeppers. Yup.

Re: Dreamhost hacked

Postby Manhattan Glutton » Fri Jan 20, 2012 5:35 pm

And since the dumb fuckers store passwords in plaintext...

Thanks for the heads-up. I did not know.
If I had a dollar for every one of my songs j$ has called a 90s pastiche, I'd have $1 for every song I've written.

Nur Ein Archives | The New Ugly Podcast

Re: Dreamhost hacked

Postby Spud » Fri Jan 20, 2012 5:38 pm

Manhattan Glutton wrote:And since the dumb fuckers store passwords in plaintext...

Do you know that, or just assuming? Just wondering...
"I only listen to good music. And Octothorpe." - Marcus Kellis
Song Fight! The Rockening

Re: Dreamhost hacked

Postby Billy's Little Trip » Sat Jan 21, 2012 12:19 am

MG is the hacker. I knew he was a shenaniganist.

...for the record. shenaniganist ~BLT 2012

Re: Dreamhost hacked

Postby fluffy » Sat Jan 21, 2012 12:26 am

I don't know if the passwords are stored in plaintext but they are plaintext-recoverable, which means that anything that has access to their decryption key has plaintext access to them. (And plaintext-recoverable by email is yet another hacking vector.)
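An added example to go with the post above (this is not code from the thread, from Song Fight! or from Dreamhost, and the key, records and passwords in it are constructed for the demo). It shows the difference fluffy is drawing: an "encrypted" store is plaintext-recoverable by anyone who holds the site key, while a hashed store has no inverse, so the most a site can e-mail is a reset link. The cipher here is a toy HMAC-based keystream with no authentication, standing in for whatever a host would really use; the point is the key, not the cipher.

```python
"""Plaintext-recoverable ("encrypted") password storage versus one-way (hashed)
storage. Added illustration; keys, records and passwords are constructed."""
import hashlib
import hmac
import os
import secrets

# Hypothetical site-wide decryption key, the kind a host keeps so staff and
# the recovery form can read passwords back. Generated fresh for this demo.
SITE_KEY = secrets.token_bytes(32)

PBKDF2_ROUNDS = 200_000  # work factor for the hashed store


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Illustrative CTR-style keystream: HMAC-SHA256(key, nonce || counter) blocks.
    A real deployment would use AES-GCM from a vetted library; the lesson is
    about who holds the key, not about the cipher."""
    blocks, counter = [], 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def _xor(data: bytes, ks: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, ks))


def store_encrypted(password: str, key: bytes = SITE_KEY) -> bytes:
    """Reversible storage: record = nonce || (password XOR keystream)."""
    nonce = secrets.token_bytes(16)
    pt = password.encode()
    return nonce + _xor(pt, _keystream(key, nonce, len(pt)))


def recover_password(record: bytes, key: bytes = SITE_KEY) -> str:
    """What a "mail me my password" form or a support desk does: anyone holding
    the key (staff, malware on a staff machine, a thief who took both the
    database and the key) gets the original password back."""
    nonce, ct = record[:16], record[16:]
    return _xor(ct, _keystream(key, nonce, len(ct))).decode()


def store_hashed(password: str) -> bytes:
    """One-way storage: record = salt || PBKDF2-HMAC-SHA256(password, salt).
    Nothing in the record, and no key on the server, yields the password."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS, dklen=32)
    return salt + digest


def verify_hashed(password: str, record: bytes) -> bool:
    """Login check: recompute the digest and compare in constant time."""
    salt, expected = record[:16], record[16:]
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS, dklen=32)
    return hmac.compare_digest(digest, expected)


def recover_from_hash(record: bytes) -> None:
    """There is no inverse of store_hashed. A site with hashed passwords can
    only e-mail a one-time reset link, never the password itself."""
    return None


if __name__ == "__main__":
    pw = "correct horse battery staple"  # constructed sample password
    enc = store_encrypted(pw)
    print("encrypted record decrypts to:", recover_password(enc))
    h = store_hashed(pw)
    print("hashed record verifies:", verify_hashed(pw, h),
          "/ wrong password:", verify_hashed("hunter2", h))
    print("hashed record recoverable:", recover_from_hash(h))
```

If a site can e-mail you your current password, it is storing something equivalent to store_encrypted above, and everyone with the key (and every piece of malware on their workstations) has store-wide plaintext access.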

Re: Dreamhost hacked

Postby Manhattan Glutton » Sat Jan 21, 2012 12:29 am

Spud wrote:Do you know that, or just assuming? Just wondering...

What fluffy said. Use the password recovery form sometime - it emails you your password in plaintext.

Re: Dreamhost hacked

Postby fluffy » Mon Jan 21, 2013 12:14 am

Incidentally, I got in a debate with the Dreamhost folks about this recently, because it turns out that it's not just for recovery, but for how they diagnose account problems. Rather than logging in as an admin and doing a 'sudo -u username' thing they actually decrypt your password from the database and copy-paste it into their ssh session, which is ridiculous and opens up even more possibilities for malware-as-attack-vector if they ever have to diagnose your account for some reason.

So, it's best to just set your Dreamhost password to something that is truly unique from anywhere else (maybe even randomize it completely once a week?) and not even use that password to log in - use .ssh/authorized_keys instead. (if you know wtf that means.) I use authorized_keys anyway because it's easier for me to deal with AND more secure, and also makes it easy for people to grant and revoke access to each other without sharing a common password (it's how we're finally set up on the Song Fight shell account now) but really, there's no excuse for them to make this necessary.
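An added example of the authorized_keys arrangement fluffy describes (this is not the Song Fight! shell account's actual setup, and the key strings in it are constructed placeholders, not real key material). Each person on a shared shell account gets their own public key tagged with their name, so access is granted and revoked per person and nobody ever needs, or sends, the account password. The options string applied to every granted key is an assumption for the demo; a real account might want different ones.

```python
"""Per-person SSH access to one shared shell account through
~/.ssh/authorized_keys. Added illustration; sample keys are placeholders."""
from __future__ import annotations

import os
import tempfile
from dataclasses import dataclass
from pathlib import Path

KEY_TYPES = {
    "ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384",
    "ecdsa-sha2-nistp521", "sk-ssh-ed25519@openssh.com",
}

# Assumed default for granted keys: shell use only, no tunnels or agent forwarding.
DEFAULT_OPTIONS = "no-agent-forwarding,no-port-forwarding,no-X11-forwarding"


@dataclass
class KeyEntry:
    options: str   # comma-separated authorized_keys options, "" if none
    keytype: str
    key: str       # base64 key blob
    comment: str   # whose key this is; used as the revocation handle

    def line(self) -> str:
        return " ".join(p for p in (self.options, self.keytype, self.key, self.comment) if p)


def parse_line(line: str) -> KeyEntry | None:
    """Parse one authorized_keys line; None for blanks and '#' comments.
    Options containing quoted spaces (command="...") are not handled here."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    fields = line.split()
    if fields[0] in KEY_TYPES:
        options, rest = "", fields
    else:
        options, rest = fields[0], fields[1:]
    if len(rest) < 2 or rest[0] not in KEY_TYPES:
        raise ValueError(f"unrecognised authorized_keys line: {line!r}")
    return KeyEntry(options, rest[0], rest[1], " ".join(rest[2:]))


def parse_file(text: str) -> list[KeyEntry]:
    return [e for e in (parse_line(ln) for ln in text.splitlines()) if e]


def render(entries: list[KeyEntry]) -> str:
    return "".join(e.line() + "\n" for e in entries)


def grant(entries: list[KeyEntry], pubkey: str, person: str,
          options: str = DEFAULT_OPTIONS) -> list[KeyEntry]:
    """Add `person`'s public key (the one-line contents of their id_*.pub).
    The comment is replaced with `person` so revocation works by name, and
    the same key material is refused if it is already present."""
    new = parse_line(pubkey)
    if new is None:
        raise ValueError("empty public key")
    dup = next((e for e in entries if e.key == new.key), None)
    if dup is not None:
        raise ValueError(f"key already authorised (tagged {dup.comment!r})")
    return entries + [KeyEntry(options, new.keytype, new.key, person)]


def revoke(entries: list[KeyEntry], person: str) -> tuple[list[KeyEntry], int]:
    """Drop every key tagged `person`; returns (remaining entries, number removed)."""
    kept = [e for e in entries if e.comment != person]
    return kept, len(entries) - len(kept)


def who_has_access(entries: list[KeyEntry]) -> list[str]:
    return sorted({e.comment for e in entries})


def save(path: Path, entries: list[KeyEntry]) -> None:
    """Write atomically with mode 0600 (sshd ignores a file that is writable
    by others) so a crash mid-write never leaves a half-written key file."""
    path.parent.mkdir(mode=0o700, parents=True, exist_ok=True)
    fd, tmp = tempfile.mkstemp(dir=path.parent, prefix=".authorized_keys.")
    with os.fdopen(fd, "w") as f:
        f.write(render(entries))
    os.chmod(tmp, 0o600)
    os.replace(tmp, path)


if __name__ == "__main__":
    # Constructed sample file; the key blobs are placeholders, not real keys.
    sample = ("# shared shell account\n"
              "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERKEY0001 spud\n")
    keys = parse_file(sample)
    keys = grant(keys, "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERKEY0002 fluffy@laptop", "fluffy")
    print("access:", who_has_access(keys))
    keys, n = revoke(keys, "fluffy")
    print("revoked", n, "key(s); access now:", who_has_access(keys))
    with tempfile.TemporaryDirectory() as d:
        save(Path(d) / ".ssh" / "authorized_keys", keys)
        print((Path(d) / ".ssh" / "authorized_keys").read_text(), end="")
```

Revoking one person is a one-line removal and nobody else has to change anything, which is the part a shared password can never give you.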
