Dreamhost - the web hosting service used by Song Fight! and various members of this community - has been hacked. Users are urged to change their passwords ASAP.
http://www.dreamhoststatus.com/2012/01/ ... ity-issue/
Hopefully, everyone who needs to know this already does.
Dreamhost hacked
- JonPorobil
- Beat It
- Posts: 5682
- Joined: Sat Sep 25, 2004 11:45 am
- Instruments: Piano, Guitar, Harmonica, Mandolin, Accordion, Bass, lots of VSTs
- Recording Method: Cubase 10.5
- Submitting as: Jon Eric, Jon Porobil, others
- Pronouns: He/Him
- Location: Pittsburgh, PA
Dreamhost hacked
"Warren Zevon would be proud." -Reve Mosquito
Stages, an album about dealing with loss, anxiety, and grieving a difficult year, now available on Bandcamp and all streaming platforms! https://jonporobil.bandcamp.com/album/stages
- Manhattan Glutton
- Ice Cream Man
- Posts: 1530
- Joined: Tue Feb 15, 2005 12:10 pm
- Instruments: Angst
- Recording Method: REAPER
- Location: Madison, WI
Re: Dreamhost hacked
And since the dumb fuckers store passwords in plaintext...
Thanks for the heads-up. I did not know.
If I had a dollar for every one of my songs j$ has called a 90s pastiche, I'd have $1 for every song I've written.
Nur Ein Archives | The New Ugly Podcast
- Spud
- Hot for Teacher
- Posts: 4770
- Joined: Fri Sep 24, 2004 10:25 am
- Instruments: Bass, Keyboards, eHorn
- Submitting as: Octothorpe
- Location: Seattle
Re: Dreamhost hacked
Manhattan Glutton wrote: And since the dumb fuckers store passwords in plaintext...
Do you know that, or just assuming? Just wondering...
- Billy's Little Trip
- Odie
- Posts: 12090
- Joined: Mon Nov 13, 2006 2:56 pm
- Instruments: Guitar, Bass, Vocals, Drums, Skin Flute
- Recording Method: analog to digital via Presonus FireBox, Cubase and a porn machine
- Submitting as: Billy's Little Trip, Billy and the Psychotics
- Location: Cali fucking ornia
Re: Dreamhost hacked
MG is the hacker. I knew he was a shenaniganist.
...for the record. shenaniganist ~BLT 2012
- fluffy
- Eruption
- Posts: 11028
- Joined: Sat Sep 25, 2004 10:56 am
- Instruments: sometimes
- Recording Method: Logic Pro X
- Submitting as: Sockpuppet
- Pronouns: she/they
- Location: Seattle-ish
Re: Dreamhost hacked
I don't know if the passwords are stored in plaintext but they are plaintext-recoverable, which means that anything that has access to their decryption key has plaintext access to them. (And plaintext-recoverable by email is yet another hacking vector.)
- Manhattan Glutton
- Ice Cream Man
- Posts: 1530
- Joined: Tue Feb 15, 2005 12:10 pm
- Instruments: Angst
- Recording Method: REAPER
- Location: Madison, WI
Re: Dreamhost hacked
Spud wrote: Do you know that, or just assuming? Just wondering...
What fluffy said. Use the password recovery form sometime - it emails you your password in plaintext.
If I had a dollar for every one of my songs j$ has called a 90s pastiche, I'd have $1 for every song I've written.
Nur Ein Archives | The New Ugly Podcast
- fluffy
- Eruption
- Posts: 11028
- Joined: Sat Sep 25, 2004 10:56 am
- Instruments: sometimes
- Recording Method: Logic Pro X
- Submitting as: Sockpuppet
- Pronouns: she/they
- Location: Seattle-ish
Re: Dreamhost hacked
Incidentally, I got in a debate with the Dreamhost folks about this recently, because it turns out that it's not just for recovery, but for how they diagnose account problems. Rather than logging in as an admin and doing a 'sudo -u username' thing they actually decrypt your password from the database and copy-paste it into their ssh session, which is ridiculous and opens up even more possibilities for malware-as-attack-vector if they ever have to diagnose your account for some reason.
So, it's best to just set your Dreamhost password to something that is truly unique from anywhere else (maybe even randomize it completely once a week?) and not even use that password to login - use .ssh/authorized_keys instead. (if you know wtf that means.) I use authorized_keys anyway because it's easier for me to deal with AND more secure, and also makes it easy for people to grant and revoke access to each other without sharing a common password (it's how we're finally set up on the Song Fight shell account now) but really, there's no excuse for them to make this necessary.
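The per-person grant and revoke on a shared shell account that the last post describes, as an added example (not part of the original thread, and not Song Fight's or Dreamhost's own setup). The function names, the `AUTH_KEYS` override and the key strings are assumptions constructed for illustration; key comments are assumed to be a single token such as `user@host`, and lines with leading key options are not handled.

```shell
#!/bin/sh
# Per-person keys on one shared account: each person gets their own line in
# authorized_keys, so access is revoked by deleting a line, not by changing
# a password everyone shares. AUTH_KEYS can be overridden for a scratch file.
AUTH_KEYS="${AUTH_KEYS:-$HOME/.ssh/authorized_keys}"

# Create the directory and file with the modes sshd's StrictModes expects.
init_keys() {
    dir=$(dirname "$AUTH_KEYS")
    mkdir -p "$dir" && chmod 700 "$dir" || return 1
    [ -e "$AUTH_KEYS" ] || : > "$AUTH_KEYS"
    chmod 600 "$AUTH_KEYS"
}

# grant_key "<type> <base64> <comment>": append one public key line, once.
grant_key() {
    line=$1
    case $line in
        ssh-ed25519\ *|ssh-rsa\ *|ecdsa-sha2-*\ *) ;;
        *) echo "refusing: not a public key line" >&2; return 1 ;;
    esac
    blob=$(printf '%s\n' "$line" | awk '{print $2}')
    [ -n "$blob" ] || return 1
    init_keys || return 1
    # Compare key material, not the comment, so re-adding is a no-op.
    if grep -qF -- "$blob" "$AUTH_KEYS"; then return 0; fi
    printf '%s\n' "$line" >> "$AUTH_KEYS"
}

# revoke_key <comment>: drop every line whose last field is that comment.
revoke_key() {
    who=$1
    tmp=$(mktemp "$AUTH_KEYS.XXXXXX") || return 1
    awk -v who="$who" '$NF != who' "$AUTH_KEYS" > "$tmp" &&
        chmod 600 "$tmp" && mv "$tmp" "$AUTH_KEYS"
}

# count_keys: number of key lines currently authorized.
count_keys() {
    awk '/^(ssh-|ecdsa-)/ {n++} END {print n+0}' "$AUTH_KEYS"
}

# Constructed demo on a scratch file (key strings are placeholders, not real
# keys): two people granted, one revoked, one remaining.
demo() (
    AUTH_KEYS="$(mktemp -d)/authorized_keys"
    grant_key "ssh-ed25519 AAAAC3CONSTRUCTEDKEYALICE alice@example" &&
    grant_key "ssh-ed25519 AAAAC3CONSTRUCTEDKEYBOB bob@example" &&
    revoke_key bob@example && count_keys
)
```

Revoking a key this way leaves the account password and everyone else's access untouched, which is the property a shared password cannot give.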