Even at 16, you should be mature enough to know that this is classless. I hope for their sake they never start their own business and never fuck up, because that'd be awfully sad if the next kids to come along decided to show them the same courtesy they've shown here.
@ElliotSpeck:
> ...I'm available for consulting if you ever want to hire a security manager for @phpfog. :)
As someone who takes security seriously, and manages shared hosting security for a living, I can't imagine what the PHPFog people are going through right now. Finding security holes in commercial systems and discreetly notifying the owners of the problem is one thing; broadcasting knowledge of the holes to the world without a reasonable wait is akin to criminal. I don't care if they actually exploited it, they just threw wide the door without a second thought.
I'm Elliot Speck, one of the guys (let's be realistic, the main guy) behind the phpFog hack, I guess the record needs to be set straight about exactly what went down.
phpfogsucks.com isn't mine, I never contributed directly to it and any work credited by me is assumed by the creator and owner of that site.
My work was slightly different, I was proving that the system was horribly exploitable. Throughout the process I burnt into the box, gained root access, and took a screenshot. I also gained access to the phpFog Twitter account and posted a bit. I didn't damage any files, and when I finally came into contact with Lucas, I explained my methodology directly and gave him a few security pointers for immediate causes for concern. As a result, the project is now on standby as they fix up the issues that were made apparent by my break-in.
I don't consider what I did to be a bad thing. It's better me break in and make the fact I did public, than someone break in silently and wipe the box, losing hundreds of hours of both the team's and clients' time. That is below any moral standard I could possibly even consider upholding.
What I did not do:
-Damage or otherwise alter any of the system files
-Damage, alter or view any client files
-Post or otherwise make public the methodology behind my access
-Post or otherwise make public the engine code for phpFog, this was done by someone else who I showed the code to in order to investigate further potential security holes before I alerted the phpFog team.
I'm posting here to clear the air, but if you have any questions you can contact me on Twitter: @ElliotSpeck.
"It's better me break in and make the fact I did public, than someone break in silently and wipe the box, losing hundreds of hours of both the team's and clients' time."
It's better yet to break in and discreetly notify the folks involved. Show a screenshot at Twitter.com that you COULD have tweeted. Voila-- you've done something positive.
Going public is an immature ego play that doesn't consider the feelings of lots of folks. Even if you want the the ego boost, post a "How I saved PHPfog" post-mortem when the issue is resolved.
I appreciate that you discovered a security flaw and took action to get it fixed. Thank you.
However, the WAY you did this really screwed up a bunch of people. I have an app running on PHP Fog that serves 25,000 people a day, and I woke up on Sunday morning to a stream of complaints that it had been down for hours. You seem technically capable, so I'm sure you have a lot of interesting (and useful) projects and hacks to come. But next time you do something like this, model it after this:
If you're hacking to help people and make the world a better place, do it like David Chen. With your abilities you will get a lot of respect and appreciation if you do it like that. If you act destructively, some people might appreciate your technical chops but you won't get real respect in the field.
And don't worry too much if it feels like you're at the center of a cyclone right now. It'll pass, and as long as you act more deliberately in the future you'll be okay. :)
"I was proving that the system was horribly exploitable."
but I read:
"I was exploiting a horribly exploitable system that, had I notified the admins, almost certainly would have been dealt with fast by some guys who obviously care about their service. If it wasn't, I could have still released it publicly a few days later like every other pen tester anywhere. Instead I went for the lulz. Now I'm backpedaling by justifying bad behavior with worse behavior, editing posts, and blaming people who I told, instead of just admitting I handled it really, really badly."
Personally, I didn't know PHPFog beyond the name, but your jackass move makes me want to actively support them.
And don't kid yourself - nothing you did after finding the vulnerability was in the best interest of PHPFog's users. This isn't pen testing or stumbling across a vulnerability. Telling someone else who released stolen code makes it quite black hat.
I think the takeaway that you should have from this is; the person you showed this exploit to is not trustworthy, I'd avoid associating with them in the future.
Dude, are you aware that this is a federal crime in the US? They have extradition treaties with AUS. You need to get your parents to get you a lawyer - FAST
What a dick move. Did these idiots actually publish their names in relation to this? Coming from "security experts" this is the most unprofessional thing I've ever seen.
Astonishingly classless and mean-spirited. Especially this part:
"feel free to harass the staff in their support forums..."
The founder and CEO of PHP Fog is extremely active in their support forum. He provides lightning fast responses, and is really proactive at trying to help.
I mentioned that my app was undergoing a traffic spike, and he personally on his own initiative ran some tests to help me understand how to deal with the load.
I really feel for Lucas and the team at PHP Fog. They are awesome people, so they'll get through this. But dang, it's gotta be miserable.
Absolutely. Especially taking over phpfog.com and their twitter account. All of the folks on that list (http://elliotspeck.com/, http://johnduhart.me/) seem to be just teenagers though.
Please don't put these guys in the same basket as security experts. They are by no means experts, from the looks of it they are just doing it for the lulz at this point...
Heroku, NodeFu and now PHPFog. All the Heroku-style clones have had security issues in the last few months. Security in this space is very, very hard work (I think NodeFu made an checkin mistake and it wasn't a 'jail/isolation breakout' scenario).
Edit- wow - they just pointed phpfog.com at phpfogsucks.com. I feel bad for the phpfog guys - they have a long weekend ahead.
This is a pretty good lesson: when you have that little niggling feeling in the back of your head about something security-related, take care of it. Otherwise, someone WILL exploit it.
Seems like they were using the load balancer as a way to obfuscate the existence of the individual EC2 instances. Also, that has gotta be really expensive to have an EC2 instance-per-customer.
Depends on the type of instance they spin up, but I would definitely tend to agree with you!
Security in shared hosting is extremely hard (I used to be a sys admin for a hosting company in a prior life), especially since there is no good way to separate everyone from each other without making performance suck completely, FreeBSD jails alleviate some of it, but you start having scalability issues, PHP running in php-fpm works, but uses up a lot of resources keeping spare instances around, there are a whole bunch of other ones as well.
Individual virtual machines per user isn't such a crazy idea but it is really expensive. What I would really like to know is how Google has accomplished it, at scale, with AppEngine. How are they able to do their security separation so well that at this point I am not even aware of any security breaches.
There has to be a better way to do it, and securely, but it may require rethinking how the entire architecture fits together, PHP, a web server, and the database engine.
I don't think they are obfuscating it. If I remember correctly, their pricing page made perfectly clear that they used dedicated EC2 instances.
Just for the record - the cheapest EC2 instance type is t1.micro, and amounts to ~15 USD/month (+EBS and IP costs). I didn't see their business plan so I can't tell what is their big picture about that :-)
Not the first "you've been pwned" message on the Internet and won't be the last.
It just happens to be the first I've seen use Google Analytics to track the lulz with CSS and @font-face. With that layout I was expecting to see a customer rant, not a "pwned" message.
On a more serious note are they going to be able to afford to have a separate EC2 instance per customer to avoid having to write a proper sandbox?
It didn't take long for someone to use that vulnerability to open up the entire server. People are posting from the @phpfog Twitter account and someone posted the entire codebase: http://twitter.com/#!/communistcake/status/49340298677075968
Edit: Actually, the links in that message appear to just be mirrors of the links at the bottom of the article.
Edit 2: Links in that last status are now dead. Wonder if the young Elliot Speck is trying to walk it back a bit.
Not particularly related to the post, but seeing "phpfog down for maintenance" - a seemingly innocuous title - on the domain phpfogsucks.com gave me an idea.
If I ever have a semi-successful site, I'm going to register sitenamesucks.com as well, and use it as a status blog to explain downtimes, etc.
1) Every environment is going to be chrooted and Apache will be running under per-user mpm
2) The dedicated ec2 servers will be running in a way that has no security credentials of any sort, a walled garden that will not have access anywhere else.
Anyone actually read the exploit? This is not so much hacking as it is PHPFog being extraordinarily stupid. The fact is that such an obvious vulnerability (that I'm sure many of their experience customers have noticed) went ignored by the PHPFog team.
The phpfogsucks site is tasteless and mean spirited, but it is good information to have for potential PHPFog customers that the service they are shipping their valuable code too is extremely poorly managed.
Not sure what the hack was for the main server, but I'm not even sure I would consider the steps mentioned at this site as hacks so much as "server administration." It's a pretty obvious thing to try. It was only a matter of time before someone decided to poke around and see what they could do.
Actually, I'm going to go sign up for an invite over at phpfog... it looks like something I could make real use of. In a way, this incident may turn out to be a boon for the folks over there.
from the @phpfog timeline : "Time for a contest! How many security enhancements were in PHP 5.3.6? First correct answer gets into the beta immediately."
4:22 PM Mar 18th vía Twitter for Mac
http://twitter.com/phpfog/status/48856795669737472
[+] [-] pjhyett|15 years ago|reply
[+] [-] _phred|15 years ago|reply
@ElliotSpeck: > ...I'm available for consulting if you ever want to hire a security manager for @phpfog. :)
As someone who takes security seriously, and manages shared hosting security for a living, I can't imagine what the PHPFog people are going through right now. Finding security holes in commercial systems and discreetly notifying the owners of the problem is one thing; broadcasting knowledge of the holes to the world without a reasonable wait is akin to criminal. I don't care if they actually exploited it, they just threw wide the door without a second thought.
[+] [-] acangiano|15 years ago|reply
"Wow, heroku for PHP. I thought of this once, sadly I wouldn't be able to get 1.2 mil in funding :(".
Well, at least we didn't have to look too hard for a motive.
[+] [-] rmccue|15 years ago|reply
[+] [-] EamonLeonard|15 years ago|reply
[+] [-] ElliotSpeck|15 years ago|reply
I'm Elliot Speck, one of the guys (let's be realistic, the main guy) behind the phpFog hack, I guess the record needs to be set straight about exactly what went down.
phpfogsucks.com isn't mine, I never contributed directly to it and any work credited by me is assumed by the creator and owner of that site.
My work was slightly different, I was proving that the system was horribly exploitable. Throughout the process I burnt into the box, gained root access, and took a screenshot. I also gained access to the phpFog Twitter account and posted a bit. I didn't damage any files, and when I finally came into contact with Lucas, I explained my methodology directly and gave him a few security pointers for immediate causes for concern. As a result, the project is now on standby as they fix up the issues that were made apparent by my break-in.
I don't consider what I did to be a bad thing. It's better me break in and make the fact I did public, than someone break in silently and wipe the box, losing hundreds of hours of both the team's and clients' time. That is below any moral standard I could possibly even consider upholding.
What I did not do:
-Damage or otherwise alter any of the system files
-Damage, alter or view any client files
-Post or otherwise make public the methodology behind my access
-Post or otherwise make public the engine code for phpFog, this was done by someone else who I showed the code to in order to investigate further potential security holes before I alerted the phpFog team.
I'm posting here to clear the air, but if you have any questions you can contact me on Twitter: @ElliotSpeck.
[+] [-] webwright|15 years ago|reply
It's better yet to break in and discreetly notify the folks involved. Show a screenshot at Twitter.com that you COULD have tweeted. Voila-- you've done something positive.
Going public is an immature ego play that doesn't consider the feelings of lots of folks. Even if you want the the ego boost, post a "How I saved PHPfog" post-mortem when the issue is resolved.
Shame on you.
[+] [-] jpadvo|15 years ago|reply
I appreciate that you discovered a security flaw and took action to get it fixed. Thank you.
However, the WAY you did this really screwed up a bunch of people. I have an app running on PHP Fog that serves 25,000 people a day, and I woke up on Sunday morning to a stream of complaints that it had been down for hours. You seem technically capable, so I'm sure you have a lot of interesting (and useful) projects and hacks to come. But next time you do something like this, model it after this:
http://daverecycles.com/post/2858880862/heroku-hacked-dissec...
If you're hacking to help people and make the world a better place, do it like David Chen. With your abilities you will get a lot of respect and appreciation if you do it like that. If you act destructively, some people might appreciate your technical chops but you won't get real respect in the field.
And don't worry too much if it feels like you're at the center of a cyclone right now. It'll pass, and as long as you act more deliberately in the future you'll be okay. :)
- Jason
[+] [-] troydavis|15 years ago|reply
"I was proving that the system was horribly exploitable."
but I read:
"I was exploiting a horribly exploitable system that, had I notified the admins, almost certainly would have been dealt with fast by some guys who obviously care about their service. If it wasn't, I could have still released it publicly a few days later like every other pen tester anywhere. Instead I went for the lulz. Now I'm backpedaling by justifying bad behavior with worse behavior, editing posts, and blaming people who I told, instead of just admitting I handled it really, really badly."
Personally, I didn't know PHPFog beyond the name, but your jackass move makes me want to actively support them.
And don't kid yourself - nothing you did after finding the vulnerability was in the best interest of PHPFog's users. This isn't pen testing or stumbling across a vulnerability. Telling someone else who released stolen code makes it quite black hat.
[+] [-] sucuri2|15 years ago|reply
phpfogsucks.com is hosted with tomato.compwhizii.net:
http://sharingmyip.com/?site=phpfogsucks.com
Which is owned by John Du Hart ( http://johnduhart.me/ ) .
You guys could be in a lot of legal trouble if they decide to press charges.
[+] [-] ianl|15 years ago|reply
[+] [-] ErrantX|15 years ago|reply
[+] [-] Timzzz|15 years ago|reply
[+] [-] nbpoole|15 years ago|reply
[+] [-] unknown|15 years ago|reply
[deleted]
[+] [-] shykes|15 years ago|reply
[+] [-] jpadvo|15 years ago|reply
"feel free to harass the staff in their support forums..."
The founder and CEO of PHP Fog is extremely active in their support forum. He provides lightning fast responses, and is really proactive at trying to help.
I mentioned that my app was undergoing a traffic spike, and he personally on his own initiative ran some tests to help me understand how to deal with the load.
I really feel for Lucas and the team at PHP Fog. They are awesome people, so they'll get through this. But dang, it's gotta be miserable.
[+] [-] sriramk|15 years ago|reply
[+] [-] X-Istence|15 years ago|reply
[+] [-] mcantelon|15 years ago|reply
[+] [-] lastkarrde|15 years ago|reply
Atleast they were kind enough to remove all API keys and passwords from the code dump.
[+] [-] int3|15 years ago|reply
[+] [-] sriramk|15 years ago|reply
Edit- wow - they just pointed phpfog.com at phpfogsucks.com. I feel bad for the phpfog guys - they have a long weekend ahead.
[+] [-] jarin|15 years ago|reply
Seems like they were using the load balancer as a way to obfuscate the existence of the individual EC2 instances. Also, that has gotta be really expensive to have an EC2 instance-per-customer.
[+] [-] X-Istence|15 years ago|reply
Security in shared hosting is extremely hard (I used to be a sys admin for a hosting company in a prior life), especially since there is no good way to separate everyone from each other without making performance suck completely, FreeBSD jails alleviate some of it, but you start having scalability issues, PHP running in php-fpm works, but uses up a lot of resources keeping spare instances around, there are a whole bunch of other ones as well.
Individual virtual machines per user isn't such a crazy idea but it is really expensive. What I would really like to know is how Google has accomplished it, at scale, with AppEngine. How are they able to do their security separation so well that at this point I am not even aware of any security breaches.
There has to be a better way to do it, and securely, but it may require rethinking how the entire architecture fits together, PHP, a web server, and the database engine.
[+] [-] jpetazzo|15 years ago|reply
Just for the record - the cheapest EC2 instance type is t1.micro, and amounts to ~15 USD/month (+EBS and IP costs). I didn't see their business plan so I can't tell what is their big picture about that :-)
[+] [-] blocke|15 years ago|reply
It just happens to be the first I've seen use Google Analytics to track the lulz with CSS and @font-face. With that layout I was expecting to see a customer rant, not a "pwned" message.
On a more serious note are they going to be able to afford to have a separate EC2 instance per customer to avoid having to write a proper sandbox?
[+] [-] _phred|15 years ago|reply
[+] [-] tsigo|15 years ago|reply
Edit: Actually, the links in that message appear to just be mirrors of the links at the bottom of the article.
Edit 2: Links in that last status are now dead. Wonder if the young Elliot Speck is trying to walk it back a bit.
[+] [-] X-Istence|15 years ago|reply
[+] [-] JonnieCache|15 years ago|reply
[+] [-] sucuri2|15 years ago|reply
http://sharingmyip.com/?site=phpfogsucks.com
The guy ( http://johnduhart.me/ )could be in trouble if they decide to go with legal action.
[+] [-] Kilimanjaro|15 years ago|reply
[+] [-] AgentConundrum|15 years ago|reply
If I ever have a semi-successful site, I'm going to register sitenamesucks.com as well, and use it as a status blog to explain downtimes, etc.
[+] [-] masnick|15 years ago|reply
1) Every environment is going to be chrooted and Apache will be running under per-user mpm
2) The dedicated ec2 servers will be running in a way that has no security credentials of any sort, a walled garden that will not have access anywhere else.
[+] [-] dexen|15 years ago|reply
----
[1] http://serverfault.com/questions/19473/does-using-chroot-for...
[+] [-] nestlequ1k|15 years ago|reply
The phpfogsucks site is tasteless and mean spirited, but it is good information to have for potential PHPFog customers that the service they are shipping their valuable code too is extremely poorly managed.
[+] [-] bhickey|15 years ago|reply
[+] [-] gexla|15 years ago|reply
[+] [-] marksands07|15 years ago|reply
[+] [-] tsigo|15 years ago|reply
[+] [-] hakala|15 years ago|reply
[deleted]
[+] [-] gaoshan|15 years ago|reply
[+] [-] hmart|15 years ago|reply
[+] [-] unknown|15 years ago|reply
[deleted]