News from the Lunatic Underground
TechRocks Offline
Heisman
*

Posts: 7,469
Joined: Aug 2016
Reputation: 815
I Root For: Tech
Location:
Post: #1
News from the Lunatic Underground
Quote:UPDATE 11/9/2016 1:00PM ET

We have now come to believe it is possible that the hacker may have been able to gain access to certain member information on our server, including: Usernames, email addresses, and IP addresses. Passwords were not as easily accessible, and at this point we do not know if it was possible for the hacker to access them. (Further note that passwords on DU are "hashed" and saved in a cryptographically scrambled format rather than as plain text, so if the hacker could access a member's password information they would not have direct access to the password itself -- only to the hash.)

We can say for certain that donor data, such as credit card numbers or addresses, were not compromised because that information is handled by PayPal and never passes through to our servers.

We are not going to bring our website back online until we believe that we are no longer vulnerable to attack and our members' user information is secure. Unfortunately we do not know how long this process will take, and it could possibly take days.

We will be posting updates on Facebook and Twitter.

Thank you again for your patience and understanding.

03-lmfao
11-09-2016 05:13 PM
TechRocks Offline
Heisman
*

Posts: 7,469
Joined: Aug 2016
Reputation: 815
I Root For: Tech
Location:
Post: #2
RE: News from the Lunatic Underground
Quote:Around 4:30pm on Tuesday November 8, Democratic Underground was hacked, apparently by a supporter of Donald Trump. This person clearly knew what they were doing, and despite our best efforts we have not yet been able to resolve the issues caused by the hack.

We are confident that donor data has not been compromised because that information is handled by PayPal and never passes through to our servers. But at this time we are unable to bring our discussion forum online.

The hack was clearly aimed to cause maximum disruption on our busiest night of the year, and we deeply regret that we won't be able to spend election night with our great community of members. We ask for your patience while we continue to work to fix this problem, and while we do not have a time frame we will do our best to get DU back online as soon as possible.

If anyone has any information about the hack, or has knowledge that might help us to fix it, please feel free to contact us: admin@democraticunderground.com

We will be posting updates on Facebook and Twitter.

We are deeply disappointed that this has happened. But we'll be back.

Skinner, EarlG, and Elad
DU Administrators
11-09-2016 05:14 PM
SuperFlyBCat Offline
Banned

Posts: 49,583
Joined: Mar 2005
I Root For: America and UC
Location: Cincinnati
Post: #3
RE: News from the Lunatic Underground
03-lmfao
11-09-2016 05:16 PM
TechRocks Offline
Heisman
*

Posts: 7,469
Joined: Aug 2016
Reputation: 815
I Root For: Tech
Location:
Post: #4
RE: News from the Lunatic Underground
Quote:If anyone has any information about the hack, or has knowledge that might help us to fix it, please feel free to contact us: admin@democraticunderground.com

Hillary's probably got some extra time on her hands today.
11-09-2016 05:17 PM
TechRocks Offline
Heisman
*

Posts: 7,469
Joined: Aug 2016
Reputation: 815
I Root For: Tech
Location:
Post: #5
RE: News from the Lunatic Underground
Dammit, I wanted to peruse the epic meltdown that surely went on there last night.
11-09-2016 05:19 PM
georgia_tech_swagger Offline
Res publica non dominetur
*

Posts: 51,449
Joined: Feb 2002
Reputation: 2027
I Root For: GT, USCU, FU, WYO
Location: Upstate, SC

SkunkworksFolding@NCAAbbsNCAAbbs LUGCrappies
Post: #6
RE: News from the Lunatic Underground
If that password hash wasn't also salted (notice it doesn't say it was) then the hash doesn't mean ****.
11-09-2016 05:22 PM
EigenEagle Offline
Hall of Famer
*

Posts: 10,231
Joined: May 2014
Reputation: 645
I Root For: Ga Southern
Location:
Post: #7
RE: News from the Lunatic Underground
(11-09-2016 05:19 PM)TechRocks Wrote:  Dammit, I wanted to peruse the epic meltdown that surely went on there last night.

Yes. That hacker destroyed one heck of an entertaining meltdown. Nobody does it like DU. By the time that site is back online they will have cooled off.
(This post was last modified: 11-09-2016 05:24 PM by EigenEagle.)
11-09-2016 05:23 PM
TechRocks Offline
Heisman
*

Posts: 7,469
Joined: Aug 2016
Reputation: 815
I Root For: Tech
Location:
Post: #8
RE: News from the Lunatic Underground
(11-09-2016 05:22 PM)georgia_tech_swagger Wrote:  If that password hash wasn't also salted (notice it doesn't say it was) then the hash doesn't mean ****.

I wondered about that. Would bleachbit help?
11-09-2016 05:24 PM
TechRocks Offline
Heisman
*

Posts: 7,469
Joined: Aug 2016
Reputation: 815
I Root For: Tech
Location:
Post: #9
RE: News from the Lunatic Underground
(11-09-2016 05:23 PM)EigenEagle Wrote:  
(11-09-2016 05:19 PM)TechRocks Wrote:  Dammit, I wanted to peruse the epic meltdown that surely went on there last night.

Yes. That hacker destroyed one heck of an entertaining meltdown. Nobody does it like DU. By the time that site is back online they will have cooled off.

I had the title of my thread all picked out....Little Nuggets of Gold from the Lunatic Underground. 01-lauramac2
11-09-2016 05:26 PM
georgia_tech_swagger Offline
Res publica non dominetur
*

Posts: 51,449
Joined: Feb 2002
Reputation: 2027
I Root For: GT, USCU, FU, WYO
Location: Upstate, SC

SkunkworksFolding@NCAAbbsNCAAbbs LUGCrappies
Post: #10
RE: News from the Lunatic Underground
(11-09-2016 05:24 PM)TechRocks Wrote:  
(11-09-2016 05:22 PM)georgia_tech_swagger Wrote:  If that password hash wasn't also salted (notice it doesn't say it was) then the hash doesn't mean ****.

I wondered about that. Would bleachbit help?

03-lmfao


No. Allow me to explain in more detail:

A hash is a one way function. So for example, you could use ROT13 (rotate 13 ... the old Julius Caesar trick) as a one way hash.

password -> ROT13 -> cnffjbeq

The trouble is, if the hash isn't "salted", or in other words, doesn't have some secondary secret factor that is fed into the hash function to alter the outcome, the results are predictable.

So you may say, so what, how do you descramble that from reverse?

Well, humans suck at passwords. So step one is to take a common password (say ... password) and run it through a bunch of standard hashing algorithms and techniques, and see if what you get out of the hash appears in the compromised database in the password list. If it does (particularly a bunch of times) TAHDAH you've just busted the hash. Now it is just a matter of generating a hash for a crapload of standard/weak passwords. This is called "rainbow tables". And creating them is VERY computationally expensive, but it can be GPU and FPGA hardware accelerated to go stupid fast... I'm talking MILLIONS of hashes calculated every minute. And when you've done that ... you no longer need to reverse the hash. You just look up a user account in the compromised database.... pull the hashed password ... and compare against your rainbow tables to find what the original password was.

And that's why you always salt your hashes. Because if you don't, it's really no better than storing in clear text. All you've done is merely inconvenience the person exploiting you.
(This post was last modified: 11-09-2016 05:33 PM by georgia_tech_swagger.)
11-09-2016 05:32 PM
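
Added example, not part of georgia_tech_swagger's post and not Democratic Underground's code: a Python sketch of the point made in post #10. It shows that unsalted digests of the same password are identical and match a table computed once in advance, while a per-user random salt with PBKDF2 gives every account a different stored value. The account names, candidate list and iteration count are constructed for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000  # assumption: PBKDF2 work factor picked for this example

# Constructed sample data, not taken from any real site.
USERS = {"alice": "password", "bob": "password", "carol": "Tr4ctor-lamp-91"}
COMMON = ["123456", "password", "letmein", "qwerty"]


def unsalted_digest(password):
    """Fast, unsalted SHA-256: same password always gives the same digest."""
    return hashlib.sha256(password.encode()).hexdigest()


def build_lookup(candidates):
    """Precompute digest -> password once; it applies to every unsalted store."""
    return {unsalted_digest(p): p for p in candidates}


def audit(stored, lookup):
    """Accounts whose stored value appears in the precomputed table."""
    return {user: lookup[v] for user, v in stored.items() if v in lookup}


def hash_password(password, salt=None):
    """Per-user random salt plus PBKDF2-HMAC-SHA256; store salt beside the hash."""
    salt = os.urandom(16) if salt is None else salt
    derived = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, derived


def verify_password(password, salt, expected):
    """Recompute with the stored salt and compare in constant time."""
    return hmac.compare_digest(hash_password(password, salt)[1], expected)


if __name__ == "__main__":
    lookup = build_lookup(COMMON)
    unsalted = {u: unsalted_digest(p) for u, p in USERS.items()}
    print("unsalted hits:", audit(unsalted, lookup))
    salted = {u: hash_password(p)[1].hex() for u, p in USERS.items()}
    print("salted hits:  ", audit(salted, lookup))
```

Run against your own credential store, the `audit` step is a quick check for whether stored values were produced without a salt.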
EigenEagle Offline
Hall of Famer
*

Posts: 10,231
Joined: May 2014
Reputation: 645
I Root For: Ga Southern
Location:
Post: #11
RE: News from the Lunatic Underground
I did not know that encryptions that simplistic were even used. Basically a 1-to-1 correspondence between letters like some cereal-box decoder ring.
(This post was last modified: 11-09-2016 05:45 PM by EigenEagle.)
11-09-2016 05:44 PM
georgia_tech_swagger Offline
Res publica non dominetur
*

Posts: 51,449
Joined: Feb 2002
Reputation: 2027
I Root For: GT, USCU, FU, WYO
Location: Upstate, SC

SkunkworksFolding@NCAAbbsNCAAbbs LUGCrappies
Post: #12
RE: News from the Lunatic Underground
(11-09-2016 05:44 PM)EigenEagle Wrote:  I did not know that encryptions that simplistic were even used. Basically a 1-to-1 correspondence between letters like some cereal-box decoder ring.

A properly salted hash is strong encryption and very difficult to break. But you're dependent upon the people running the show to make sure they did a proper job.

And a hash is a compromise in cryptography between strength and performance. A hash performs VERY well server side. And that's important if you have to capture, decrypt, verify, and then process that hash for every last single secured login page you deliver. Doing that with extremely strong elliptic curve cryptography is too computationally expensive to do in production. That's why you see the REALLY strong crypto (RSA 4096, ECC 128, etc) used for things like GPG/PGP secured email. You can wait a few seconds to generate the crypto on an email. Nobody wants to wait a few seconds to load a webpage, much less a few minutes when a crapload of people are all on at the same time.
11-09-2016 05:54 PM
TechRocks Offline
Heisman
*

Posts: 7,469
Joined: Aug 2016
Reputation: 815
I Root For: Tech
Location:
Post: #13
RE: News from the Lunatic Underground
Quote:UPDATE 11/10/2016 12:00PM ET

Democratic Underground is still down, but we're not out! While Elad works on the site's back-end, we've decided to go old-school.

When DU first launched 16 years ago, the Web was a much plainer, simpler experience. Way back in the day we used to accept article submissions from DU members via email, which we would then publish manually on our HTML homepage over our 56K modem connection (yes, we're old).

So given that our super-duper up-to-date modern technology is letting us down in this time of need, we're going to do things the old-fashioned way. We'll post a question of the day, and then you email us your answer. We'll publish the best ones right here on our 503 error page while we're working to get the rest of the site back up. You don't have to write a book, or even a long essay -- just give us your thoughts.

Here's Thursday's Question Of The Day:

How are you feeling now that the election is over?

Send your answer to mail@democraticunderground.com. Make the subject of your email "Question of the Day". Please make sure to include your DU username in the email so that we can publish it when we publish your response.

When we publish new answers, we'll post an update on our Facebook and Twitter pages. We look forward to hearing from you, and thanks again for your patience while we work to restore normal service!


GTS ought to get a kick out of that one. That site is as broken as the Democratic party. LOL
(This post was last modified: 11-10-2016 02:33 PM by TechRocks.)
11-10-2016 02:31 PM
UofMstateU Offline
Legend
*

Posts: 39,279
Joined: Dec 2009
Reputation: 3586
I Root For: Memphis
Location:
Post: #14
RE: News from the Lunatic Underground
The true lesson here is to never enter credit card information into a site with administrator names of Skinner, EarlG, and Elad.
11-10-2016 02:33 PM
TechRocks Offline
Heisman
*

Posts: 7,469
Joined: Aug 2016
Reputation: 815
I Root For: Tech
Location:
Post: #15
RE: News from the Lunatic Underground
Quote:DU: we're going to do things the old-fashioned way

[Image: 135586643_24c16de48a.jpg]

Why couldn't they have used Hillary's home-based server? 03-lmfao
11-10-2016 03:05 PM