
Plenty of Fish Hacked

164 points | grumo | 15 years ago | plentyoffish.wordpress.com

97 comments

[+] fleitz | 15 years ago
Plenty of Fish? Might as well rename it plenty of passwords.

The worst part is that Markus stores his passwords in plaintext, or, slightly better, reversible encryption.

POF will mail a person their password. This is a security nightmare because basic precautions were not taken.

I just checked and POF is still able to reproduce and email me my password. I also checked the email I use for POF and there is no mention of this in any of their emails. If Markus took this seriously at all he'd be resetting everyone's password and have instructions to reset their email password.

"We have reset all users passwords and closed the security hole that allowed them to enter." This is a lie, I just logged in with my username and password. I wasn't even asked on login to change it.

[+] AgentConundrum | 15 years ago
It's actually worse than that.

I don't know what it's like now, since I haven't used POF since 2008 or so when I met my current girlfriend (though I only remembered to kill the account a few months back), but back then they would actually send you reminders every so often - I want to say once a week - that included your plain text password as a reminder.

I think this is just the kick in the ass I needed to go through all my accounts around the internet and make sure they all have unique, reasonably complex passwords. My email and banking passwords have always been unique, but I know I've been slack elsewhere. I won't let that happen again.

[+] healthyhippo | 15 years ago
It's really ridiculous how many sites still store passwords that way. SurveyMonkey still sends forgot-password requests in plaintext email. You'd think with $100M of funding they'd have sorted that out by now.
[+] chegra | 15 years ago
Why does the Hacker "Chris Russo" sound more credible than the guy from Plenty of Fish?

-http://grumomedia.com/plenty-of-fish-hacked-chris-russos-exp...

1. He provides emails - I think Mark (the guy from Plenty of Fish) really needs to get those voice recordings of Chris threatening his wife online to be more credible.

2. Mark tells a complicated story - A story with mafia and all that, really? If we follow Occam's razor, Chris's story sounds more realistic. He saw a flaw and reported it. Everything was going dandy until he saw ads for Plenty of Fish data. At this point Mark decides to try to ruin Chris by fabricating a story, since he believes it is him trying to sell the data. It is a simpler story.

3. Why isn't Mark contacting the authorities? - A week and Chris is not in jail and responding freely on his blog?

Mark does have some valid points though; he did hack The Pirate Bay: http://torrentfreak.com/the-pirate-bay-hacked-users-exposed-... But Chris claimed again that it was a proof of concept and he had no bad intentions. [What is the appropriate way to expose vulnerabilities?]

In my opinion, he [Mark] should release the voice recording to add more credibility, because right now he is sounding shaky.

[+] StormN | 15 years ago
A key point here is that he didn't use a proxy and doesn't seem to hide his identity during the sniffing around, which means he's either: a) stupid. b) not intending to do anything malicious.

I think a. is unlikely, because he did actually manage to break in, although, the hole itself might've been trivial and therefore this might not count. I don't think so, though. Which leaves b.

[+] Simon1979 | 15 years ago
The hacker's story certainly has less holes, however the style of writing out numbers as words is suspicious; I have only ever seen it in 419 scams: "28,000,000 (twenty eight million users)".
[+] grumo | 15 years ago
Just got in contact with Chris Russo, who hacked PlentyOfFish. His version of the events here -> http://grumomedia.com/plenty-of-fish-hacked-chris-russos-exp...
[+] anthonyb | 15 years ago
> While we were creating the legal documents in order to proceed, Markus Frind got progressively more aggressive and unresponsive with us, and told us to speak with their employees, Kate and Jay, because there was a serial killer, murdering people from the website.

If you ask me, both of them sound crazy and deluded. Markus' story doesn't make much sense if you read the email on that site [1], but carrying on about serial killers doesn't help your case much either. And that freelancer link is just a red herring - I can't see what it's got to do with the case at hand.

[1] Update: Or even if you read his own post: "I listened in the background and I closed the breach if indeed there was one while my wife was on the phone". Er, was there a breach or not? And why are you calling his mother and not the police?

[+] mahmud | 15 years ago
Mate, before you milk that 'interview' for eye-balls, just go back to the PoF article above and read the new comments.

Chris Russo is there commenting, and it calls your ability to judge character into question. For starters, he has never denied the story about Russians holding his computer hostage and threatening to kill him. He just ignored it. Then he goes for the "race" card and says PoF are suspicious of his intent just because he is in Argentina.

[+] grumo | 15 years ago
I just spoke directly with Chris Russo over Skype. He is extremely upset about the whole situation. I don't want to put any words in his mouth. He tells his own version of the events at the link above, which he allowed me to post on his behalf.
[+] jacquesm | 15 years ago
I think that document raises a lot more questions than it answers, and some of those questions would have me 'extremely upset' too if I was on the receiving side of them.

There is more than meets the eye here imo.

[+] ivanstojic | 15 years ago
The fact that a well known site like POF was hacked is eclipsed by the fact that they both store unencrypted passwords, and the bizarre tone of this article.

I managed to stumble through the first part of the article, but lost interest when Russo claimed that "he can see what the Russians are doing because they took over his computer." This sounds technologically implausible at best.

Maybe the official post in the morning will make more sense.

[+] benohear | 15 years ago
Is it implausible? Could you not set up some kind of honeypot machine and then monitor its activity once it's been zombie'd? (Genuine question - I'm definitely no expert on the topic.)
[+] jarin | 15 years ago
From the TechCrunch article comments:

> Roberto Alsina: Just a small clarification about this bit:
>
> "They then start talking about money because they need to incorporate a company that can deal with companies outside of Argentina and that will cost $15,000. They also needed to know if they were going to make over $100k/year or 500k/year as that would require different registrations…"
>
> I am from Argentina, and I own a company. Yes, in order to bill services to foreign customers, you need to register your company as an "exporter of services". And to do that you have to put money in escrow (but not $15,000, only $7,500), or your company has to demonstrate assets of over $12,500.
>
> If Russo has been working without an incorporated company (he could be a "monotributista", which is a way to bill as a physical person). A monotributista can export services, but... he's personally liable, so doing security consulting that way is insane.
>
> That's probably why Russo could be asking for money up-front: if he didn't, he would have been doing business illegally.

[+] loboman | 15 years ago
Many freelancers work as monotributistas or responsables inscriptos, exporting services that way. And it's perfectly legal. For a single-person shop this would be the first case I've heard of an incorporated company set up that way.
[+] nowarninglabel | 15 years ago
I wonder if Markus realizes that e-mails have been going out non-stop to customers lately from spam profiles using their 'wants to meet you' "feature". On the one hand, I feel bad for PoF becoming the target of an attack and drama, but from the tone of the post, it wasn't handled right on their side either. PoF really needs to get its act together on the security side. It's sad too, because it was a fairly well executed concept when it first arrived on the scene, and has since just turned into what amounts to a spam/ad farm.
[+] jarin | 15 years ago
As the lead developer on a dating site myself, I can say that it's ridiculously hard to keep out spam profiles. We block by country, Project Honeypot entries, and HTTP header profiling, use captchas, and use other bot-sniffing tricks, but in the end we still have to manually ban IP addresses every day.

We don't store passwords in plaintext though, sheesh.

Edit: I just upgraded the hashing algorithm on the site from SHA1 to Bcrypt. Paranoia for the win.

[+] Tichy | 15 years ago
I read "closed the security hole", but I never read "reinstalled everything from scratch using clean data sources" - isn't that what he should have been doing?

I still feel icky because of the sourceforge hack and wonder if I should reinstall everything. I probably should :-(

[+] credo | 15 years ago
Related, but slightly off-topic.

When I read this post on my iPhone, I saw a match.com ad on the top of the page. match.com competes with Plenty Of Fish.

POF is a multi-million dollar business. I'm surprised that they aren't paying Wordpress to provide an ad-free experience.

[+] gaius | 15 years ago
POF is entirely funded by ads from paid-for dating sites. It's a weird business model, but it seems lucrative.
[+] TheBranca18 | 15 years ago
I'm on plentyoffish and they do send you your password in plaintext weekly (there are plenty of other sites that do this). Thankfully I change my passwords each month to a random string of 12 characters and don't really care. Perhaps if hackers get into my account, my account can finally get a date!
[+] ZoFreX | 15 years ago
> Perhaps if hackers get into my account, my account can finally get a date!

No, you have to wait for OKCupid to get hacked for that to happen.

[+] njmanwhore | 15 years ago
I don't understand why the victim of a crime is being given a hard time.

Scenario: I own a safe with all my personal information locked inside of it; a safe cracker (let's call him... Chris) comes along and cracks my safe. Chris calls me and says to me, 'Yeah, I cracked your safe; if you don't hire my company to fix your safe's vulnerability, maybe your personal information might get out.'

Who is the bad guy in that situation: the dope with the safe with a 1-2-3-4 combination, or the guy who takes the dope's information and attempts to use it for his own personal gain?

NOTE: To anyone who still thinks the dope is more to blame: please send me your address; I'll rob your apartment/house, then sell your things back to you (don't worry, I'll also sell you new locks).

[+] simonhamp | 15 years ago
Wouldn't surprise me one bit if this all came out as a sham and they were all just in it to get some attention...

I mean, who settles things through the blogosphere... come on folks, there is a judicial system!

[+] enry_straker | 15 years ago
Things can get really stuck - as the protagonists appear to be on different continents.
[+] grumo | 15 years ago
It is mind boggling that the young 23yo Chris Russo was smart enough to hack PlentyOfFish but not to make any sense with his crazy requests and compulsive lies. This morning Markus Frind, CEO of PlentyOfFish, plans to make an official statement about the events.

Fun Fact: Markus Frind graduated the same year as I did from BCIT in Vancouver. I took Mechanical Design and Mark took Computer Science. Do I regret not taking CS, hmm maybe?

[+] nopassrecover | 15 years ago
It is mind boggling that you contact Chris Russo, get his version of the events, publish it, receiving page views and ad revenue, and then immediately claim he "does not make any sense with his crazy requests and compulsive lies" without any demonstration of these claims. Now, you might be right, he might be a compulsive liar, but if he is, why are you publishing his version of the events on your site and then quietly labeling him crazy on HN without some measure of proof? You do realise such claims are libelous, right?
[+] axod | 15 years ago
What does taking CS have to do with building a website like POF?...
[+] mahmud | 15 years ago
What do you mean "young"? 12 year olds have broken into more sophisticated systems.
[+] fleitz | 15 years ago
Grumo media looks pretty cool. Maybe you shouldn't regret it? I'm doing a startup in Vancouver as well. Your videos look awesome but are out of my current budget. :(
[+] mahmud | 15 years ago
This is extortion, plain and simple.
[+] JoachimSchipper | 15 years ago
From Markus' account, it sure looks like that; but note that a "chris russo" says, in the comments, that he's only given a proof of concept and that the web server logs will show that he didn't make a full dump.

Of course, sending a PoC with an offer to fix the security does have a "nice website you have there, it'd be a shame if something happened to it" vibe to it; still, it's factually different from trying to extort money from a company by dangling a dump of their customer database.

[+] alnayyir | 15 years ago
I'll ignore the issues with the plaintext/reversible passwords, since that's a trope that has been bandied about enough lately, and ask if anyone has technical details on the hack itself. I'm quite curious if it was a simple SQL injection or something more artful.

I'd tend to lean towards injection, given that it took Russo (apparently?) 2 days to produce a working exploit with what amounts to fiddling around, but if anyone knows where I can read a write-up on it, I'd appreciate it.

(Professional curiosity, I'm a web dev and like to be apprised of what catches the more popular sites. Sometimes you get lucky and it's subtle/neat.)

[+] zackattack | 15 years ago
This is why my pof passwords are always some variation of "zachary" (with some numbers appended).
[+] JoachimSchipper | 15 years ago
You're just asking for a "disregard that, I suck cocks" now.