Yes I'm sure that all mods are aware of the situation already. And I think that the DD is not stupid enough to tell Jade they are going to steal her account. Probably they'll try to attack someone else. Also, someone's signature on the DD forum says:

' As his penis sunk into her throat, her mouth taking him in completely, Slash nearly blacked out from the pleasure of it.

"Oh my...Gardevoir, yes! I don't believe how good this feels..." '

I don't know, I just find it funny. There are also pictures of the mod lounge on that forum (the account that is logged in is Dry-Ice).

At 7/12/09 01:56 PM, RohantheBarbarian wrote: It's ok, fortunately the mighty power of Wade's e-penis was enough to undo the mass bannage fairly rapidly. I don't mind too much, it's my birthday and it's only a website, but it was annoying that it took me much longer to make a topic for Bahamut's birthday as I first ad to ask a mod what was up and then clarify that I could use an alt despite being banned on my main.

Nice, Wade rocks :D
Also, HAPPY BIRTHDAY!

Hey Thing, I did google the YLoD and I found a guide from someone who had repaired their PS3 and it works like new, and since mine is like 3 years old, I'm pretty sure the warranty is already void. So thanks for the tip and yes, you are right I am suffering from the YLoD, but it's so funny for like every one YLoD for PS3 owners, there's like 1,000+ RROD incidents for XBOX360 owners. roflmao

At 7/12/09 01:30 PM, DumbassDude wrote: I always get banned when the mods get hacked, it also sucks that the two notorious crews are working together to hack their way into Newgrounds.

DD have no lives, it happens

One day they will fall, remember when one of their spammers post a death threat regarding Wade? If only we can find a photo of that user...

At 7/12/09 03:08 PM, SlntCobra1 wrote: it's so funny for like every one YLoD for PS3 owners, there's like 1,000+ RROD incidents for XBOX360 owners. roflmao

My Xbox got the RRoD a couple months back. I knew I was going to get it eventually, the RRoD was permanently repaired too late, so I was expecting it sooner or later. I thought I was going to be very upset when it happened, but I think it bothered my room mate more then me. I didn't even rush it in for repair. At least the whole process is free though, and Microsoft reimburses you for 1 month of Live. I don't touch my Xbox much anymore, all I play now is Ninja Gaiden. I expect that to change come November though if I have enough money lol.

At 7/12/09 04:57 PM, Idiot-Finder wrote:

At 7/12/09 01:30 PM, DumbassDude wrote: I always get banned when the mods get hacked, it also sucks that the two notorious crews are working together to hack their way into Newgrounds.

DD have no lives, it happens

One day they will fall, remember when one of their spammers post a death threat regarding Wade? If only we can find a photo of that user...

Damn, every time i see you your level icon gets sexier. You're making me jealous here Idiot-Finder. Stop it >:(

What's depressing to me is that the DD isn't HACKING, they're PHISHING. Phishing relies upon the target making a mistake, and it's disheartening to see FOUR mods fall for one of the oldest tricks in the book, especially with a time gap in between each incident to make a saving throw and change their password/inform Wade.

DEFCON 1 remains in effect.

In other news, Porkchop is accepted into the Barracks by unanimous decision. Welcome aboard! First thing you should do is register at our forums. Sign up using your NG alias, and PM me the e-mail you'll be using to register so I can confirm it's actually you signing up there...gotta be careful in the wake of all these shenanigans.

At 7/12/09 07:06 PM, SlashFirestorm wrote: What's depressing to me is that the DD isn't HACKING, they're PHISHING. Phishing relies upon the target making a mistake, and it's disheartening to see FOUR mods fall for one of the oldest tricks in the book, especially with a time gap in between each incident to make a saving throw and change their password/inform Wade.

No, actually the last two accounts were stolen using brute force attacks. Everything you need to know is on this thread (everyone should check it out, it's pretty important).

In other news, Porkchop is accepted into the Barracks by unanimous decision.

Welcome to the EGB!

At 7/12/09 07:10 PM, Ismael92 wrote: No, actually the last two accounts were stolen using brute force attacks. Everything you need to know is on this thread (everyone should check it out, it's pretty important).

Well, shit. Everyone in the EGB better have a strong-ass password, and if not, get one right away. Mods seem to be the primary targets, but we're not exactly friends of the DD, ya know?

And for the love of Fulp, nobody should store their passwords on their browser!

I had this opened to reply to four or so posts, left the room, came back and forgot what I was going to say. I doubt we're targets of any value, though changing your password and primary email can't hurt too much. I just reactivated my Facebook account so now it just feels like spring cleaning.

Though it is a bit off-putting to see the DD quoting people from the EGB/NGPD in their forum. Just in case...

I like pie.

^^ Quote that (:

At 7/12/09 12:32 PM, Porkchop wrote:

First off i would like to say welcome the this fine establishment we have here and i hope to see you active around these parts.

Well, 2 more mods got their accounts hijacked, and wreaked havoc on the BBS.

Good god do we have any idea who is doing this so we can get this under control here? Is or is this not illegal, this has to be the ladder of the two. So i am taking time and looking over all of the forums of known spammers and even looking in to 4chans makeshift forums since they got shut down for similar things.

RohanTheBarbarian got his account banned for 30 days for being in a spam thread, among the countless number of users who got banned or something.

Thats just wrong... i hope he gets unbanned for what he did not do. I'm sure that that problem is fixed by now so sorry im a bit late. Maby since i have been less active i have been looked over or something so that could play to my advantage for now.

BBM suggest going here --> https://www.grc.com/passwords.htm to create a alpha-numeric string for a new password. It refreshes each time the page is accessed, so dont think i'm here to hax0r you guys. Remember, safety first is a must!

Oh don't worry about ol' buster i've went there for my new password since i heard about this, now it's using all the character it will allow me. now i will just hope for the best so i will not get hacked myself......if i do i will drop the peoples elbow on there asses.

I'd advise making sure that you change your e-mail accounts too. You dont want to be too careful with these guys on the loose.

I'm ahead of you there i am using a e-mail that is just garbage right now with no info at all on it... fake name and all that stuff so i hope that will make it just a little bit harder to hack my account... i pray it does not happen.

At 7/12/09 04:57 PM, Idiot-Finder wrote: DD have no lives, it happens

Is it them who are doing all this?

One day they will fall, remember when one of their spammers post a death threat regarding Wade? If only we can find a photo of that user...

Can't The admins just pull the computers ip adress and contact the FBI over this matter? That a threat against wade thats going to say that he was going to kill him.. He did not seem to say that he was joking... lets pull another Sirtom.

At 7/12/09 07:16 PM, SlashFirestorm wrote:

At 7/12/09 07:10 PM, Ismael92 wrote: No, actually the last two accounts were stolen using brute force attacks. Everything you need to know is on this thread (everyone should check it out, it's pretty important).

I only have one alt thats using my old username... i really don't give two shits about it if it gets stolen or not since it's got no info of mine on there. Oh checked out the thread and thanks. Since i almost never visit the general i would never had seen it.

Well, shit. Everyone in the EGB better have a strong-ass password, and if not, get one right away. Mods seem to be the primary targets, but we're not exactly friends of the DD, ya know?

oh i'm allready on it, i had to write it down on a sheet of paper since now it's using different case's and symbols... i could never remember that. My usual password would be so easy to guss if you really tried, but that was in the past.

And for the love of Fulp, nobody should store their passwords on their browser!

At 7/12/09 07:16 PM, SlashFirestorm wrote:

At 7/12/09 07:10 PM, Ismael92 wrote: No, actually the last two accounts were stolen using brute force attacks. Everything you need to know is on this thread (everyone should check it out, it's pretty important).

Well, shit. Everyone in the EGB better have a strong-ass password, and if not, get one right away. Mods seem to be the primary targets, but we're not exactly friends of the DD, ya know?

And for the love of Fulp, nobody should store their passwords on their browser!

I finally got into the habit of logging in every single time. When I first started off, I would always use that "save your password" feature to save less time (and I forgot my password, so it was a little awkward.) I guess it's for the best.

So the mod count is now up to 4,
Kayneslamdyke, Writersblock, Dry-ice, and Mighty-Potato.

Does anyone know if this is the work of phishing, or email hack?

He is back again these two are the same one which got blammed before submitted without changes

• 

  by <deleted>

  Under Judgment

  (Ages 13+)

• 

  by <deleted>

  Under Judgment

  (Ages 13+)

I seen the carnage done and its scary but four mods.

At 7/12/09 09:19 PM, SupraAddict wrote: Does anyone know if this is the work of phishing, or email hack?

Again, read this thread: --> Recent Account Security Issues. The whole story is explained there, and there's a lot of valuable information (in the whole thread, not only the opening post).

At 7/12/09 09:19 PM, SupraAddict wrote: Does anyone know if this is the work of phishing, or email hack?

A combination of the two factors - phishing (Don't go clicking any suspicious links, forward details of the culprits straight to the admins via PM), with as much detail as possible. If you can, get the link location (RIGHT CLICK followed by selecting "Copy Link Location") and include the details of this.

Against the brute force method, you need to have a very strong password (Numbers, letters, random capitals in the middle, no real words) and a secure email as well. (One that locks you out after a certain number of attempts to log in.

Wow, they got the mighty TATER?! Wow, didn't think he'd get fucked in the ass by the wrong end of a ping-pong paddle.

Regarding my password, the key is to pick something so simple, that NO ONE WOULD EVER THINK OF IT AT ALL EVER!!!!

Anyway, welcome to the Barracks Pork. I'm sure you'll do a fine job. Also, you're gonna want to look at page 1054 for our flash. I think you're gonna like it a lot Porkchop.

Granted he's a new member, but that doesn't mean we can't include him in on it, right?

At 7/13/09 03:38 PM, SlntCobra1 wrote: Regarding my password, the key is to pick something so simple, that NO ONE WOULD EVER THINK OF IT AT ALL EVER!!!!

of course is not... i don't think that would work
well, it would work if you are lucky...
but, as Ismael92 show us... the link http://www.newgrounds.com/bbs/topic/1081 193 from Evark post is very helpful, if they are really using 'brute force' it's possible to get it, the more simple the easier... really

At 7/13/09 04:00 PM, aldlv wrote:

At 7/13/09 03:38 PM, SlntCobra1 wrote: Regarding my password, the key is to pick something so simple, that NO ONE WOULD EVER THINK OF IT AT ALL EVER!!!!

of course is not... i don't think that would work
well, it would work if you are lucky...
but, as Ismael92 show us... the link http://www.newgrounds.com/bbs/topic/1081 193 from Evark post is very helpful, if they are really using 'brute force' it's possible to get it, the more simple the easier... really

Exactly, with a simple password, you are very vulnerable to a brute force attack. There are programs which take all the words on the dictionary (and may even include numbers randomly) and then run them all trying to log in to your account. 2 mods lost their accounts in this way, so be sure your password is as hard as possible (lowercase, uppercase and numbers in a random order).

At 7/13/09 04:38 PM, Lizzardis wrote:

At 7/13/09 04:21 PM, Ismael92 wrote: 2 mods lost their accounts in this way, so be sure your password is as hard as possible (lowercase, uppercase and numbers in a random order).

Fro also told me that when he went to log in, his account had been locked because they had tried to guess his password more than 3 or 5 times.

Luckily he had a strong password and they didn't get in.

The thing is than some e-mail services don't lock themselves automatically after several failed attempts, allowing programs to run thousands of possible passwords. The password may be easily guessed unless it's hard and contains no real words. Having "penis" as a password may be secure against people to an extent (most people wouldn't try something extremely easy as this), but programs which check for every word would do it.

If anyone has trouble creating a good password, here's a great guide which will probably help you. It may be good to read it and try to come up with a strong, hard-to-guess password.

I just do an MD5 hash and truncate it to fit a website's character maximum, usually just cutting it in half and writing it down in a handy mini-memo pad. Never letting it pass onto my hard drive in some notepad file, for instance.
Also, a few years ago, around 2005, when I first went into college I got into the habit of never keeping my mail on on my hard-drive, but using Thunderbird Portable on one single USB stick kept on my person or on my desk at all times. Never leaves my sight.

I do want one of these. Heeheeheeeeeheee.

Uh,oh! Krev got herself a razor blade now!! Congrats on the level up! Now, the big question is: how will she use it? Who will be her next victim? Or is she going to go on a shaving spree? Great - the EGB now has their own Sweeney Todd... (cue the melodramatic music)

At 7/13/09 06:23 PM, KrevZabijak wrote: Also, a few years ago, around 2005, when I first went into college I got into the habit of never keeping my mail on on my hard-drive, but using Thunderbird Portable on one single USB stick kept on my person or on my desk at all times. Never leaves my sight.

Yes, I do something similar. I have a pair of 32GB 'sticks that travel with me where-ever I go. One backs up the other, and both have built-in password controlled encryption.

I do want one of these. Heeheeheeeeeheee.

Thatsa nice-a toy!

*STOLEN FLASH ALERT*

• 

  by <deleted>

  Under Judgment

  (Ages 13+)

In the game, it is called Dr. Tran, and it originated from lonesausage.com-it's all in the flash.

Care to provide a link for the original? :)

At 7/13/09 09:09 PM, Lizzardis wrote: Pfft. I had to laugh at that. Sorry. *Flashbacks of Gagsy's tentacle dildo*

HA. I'll always find that funny, cos I was one of the few that actually donated money.

At 7/13/09 09:09 PM, Lizzardis wrote:

At 7/13/09 08:57 PM, byteslinger wrote: Yes, I do something similar. I have a pair of 32GB 'sticks that travel with me where-ever I go. One backs up the other, and both have built-in password controlled encryption.

Can you recommend me some good password controlled encryption please? I have an 8GB stick and they travel with me at school and such and if I were to lose it, I have some stuff on there I don't want them to see....Do you know of a good one....Thats free?

I use "TrueCrypt" in portable more. It's open-source freeware, but it has very low overhead and is about as secure as you can get. Give it a try - download it from MajorGeeks.com:

TrueCrypt download link

It can also be used to protect entire hard drives, or just portions of it. But as a word of warning: anything you encrypt on your USB you should back up unencrypted to CD (rewritable) and leave at home in a safe place. USB sticks are great, but all it takes is one static blip, and 16GB of data and programs will disappear into the Great Bit Bucket in the Sky. You can't have too many backups, trust me!

Hope this helps...

At 7/13/09 09:30 PM, KrevZabijak wrote:

Care to provide a link for the original? :)

The website it's under contains the character, Dr. Tran.
The fact that the submitting account has no data on it, except that game, and the different names isn't suspicious enough?

At 7/13/09 09:09 PM, Lizzardis wrote: Pfft. I had to laugh at that. Sorry. *Flashbacks of Gagsy's tentacle dildo*

HA. I'll always find that funny, cos I was one of the few that actually donated money.

Supra, I meant in the fashion that most people provide links when they want something whistled+investigated.

Just whistling 'stolen' is something I've never done without proof in that fancy ol' box they provide.

Recent attack was on Evark, the DD banned alot of people from reviewing and majorly spammed the portal with threads titled "Duck Divison > Newgrounds".

He was most likely Brute Forced, I guess they went for him instead of Jade because of Evark's warning thread. Crebz joined stickam before and said Jade was next.

At 7/14/09 11:12 AM, DumbassDude wrote: Recent attack was on Evark, the DD banned alot of people from reviewing and majorly spammed the portal with threads titled "Duck Divison > Newgrounds".

He was most likely Brute Forced, I guess they went for him instead of Jade because of Evark's warning thread. Crebz joined stickam before and said Jade was next.

Alas, I have been review banned, as well. And we lost another good mod.

Anyone else think that upping the password character limit beyond ten, including special characters, couldn't hurt? I know they're probably doing it through e-mail, but still, the Newgrounds password system is rather simple compared to most e-mail clients...

Damn, another good mod loses his account. Poor Evark :(

They went after his account because of that thread, that's for sure. They wanted his account because I'm pretty sure a lot of people will feel insecure after this, since he was the one who told everyone to calm down etc etc.

I really didn't see that coming.

Newgrounds needs to implement some password and login rules immediately. These rules are generally easy to code, and it shouldn't take more than a few days or so to put together:

1) Password length - minimum 6 chars, max 20 (may require a database change)

2) Password MUST contain at least 1 uppercase letter, 1 lowercase letter, a digit and a special symbol ($,#,^,&, etc) (simple string-text checking function)

3) If someone logs in with a "weak" password, the system will force the user to change the password now, and it must follow the above rules (code change to login module)

4) When logging onto a user account, the sign-in program needs to keep track of unsuccessful login attempts for a given user ID. If 5 or more occur in a row, either the user forgot the password, or it's a hack attempt. In either case, an entry is made into a log file that tells the date/time/user ID, P address, etc - and the account is locked for a period of time. If this is a brute-force attack, we will know where it's coming from - even if it is from multiple sources. Later, we can ban those IP addresses completely (code change, new log tracking table in the database)

Yes, I realize that this option could prevent the real user from accessing the account if someone else is hacking it at the same time, so there's more logic to do:

5) All accounts should have a new feature - challenge question and user response. They should be set up on all accounts as required fields. The questions will be displayable after the fact, but the answers are treated like passwords - not shown on any screen, and only known to the user and the admin database. In the event an account has been locked due to a hack job, a new link on the login screen will pop up a challenge box, where the user name is entered first. The system will show 5 challenge questions - 4 are random, one will be the real one. The user has to then select the correct question, and provide the answer. (answers are converted to lower case, and punctuation is ignored). If the user selects the correct question and provides the right answer, the account lockout is lifted, and the sign-in screen is shown again. In this case, if the correct password is given now, the login will be successful, even if other people are trying to hack in. (more code change, and updates to the user account master file)

6) All admins and mods and any account with some sort of power should be forced to change their passwords every 30 days, as per the above rules. (nightly processing change, new field in the user account table)

If we gather enough IP information on these attacks, we can compare attack IPs versus "normal" logins - which may lead us to the alts of users who are trying to do us harm. It's not foolproof, but it will give us a starting point. If an IP address is used for extensive hacking, it can be banned and ignored completely. (data mining and analysis program digging through new IP log table)

I think if we just tighten up the security here a bit, we can make brute-force password attacks fail 99+% of the time. These ideas that I presented are the same ones I've used for other secure retail and store websites, as well as from some work I've done for some accounting firms.

If Tom or Wade are interested in doing this, and want me to lend a hand and/or give them more details, that would be great - I would love to help. They can PM me if they want, or respond here.

I'm tired of a bunch of hacker wanna-bes messing up Newgrounds. Time to step up the game - and the first order of business: beef up our defenses!

*Salutes*

Yes, the password should have more characters, and support special ones. This would make the NG passwords impossible to guess, and almost impossible to brute-force (considering the 3-tries lock). I liked what you wrote about the "challenge question", and it even has a cool name.

Also, any person who wants to help Newgrounds and has some spare time might want to check this thread by Tom: Flash Genres & Tags - Wanna help?