
Plenty Of Fish Hacked – Chris Russo explains how he did it - domino
http://grumomedia.com/plenty-of-fish-hacked-chris-russos-explains-how-he-did-it/
======
latch
Wherever the truth lies, which in my mind is much closer to Frind's side, an
SQL injection attack, in 2011, on an actively developed site, using modern day
technology, is pathetic.

I've tried to come up with analogies that explain how people can write systems
without actually knowing how to program. Something like, just because I know
how to make nachos or pancakes doesn't mean I'm a cook. This is the type of
stuff I'm talking about though. You can know about if statements, variables
and even fancy classes...you can put it all together and build a system and be
hugely popular, but it doesn't mean you are any good at programming.

Duct tape programmers indeed.

~~~
eli
So... blame the victim? Really?

~~~
Kudos
Why not, when they are being completely irresponsible with millions of
people's data?

~~~
patio11
Nothing like hearing reports of security issues to make one remember the adage
"There but for the grace of God go I." Humility may be in order: substantially
none of us are capable of delivering a system without at least one game-over
bug in it.

~~~
Kudos
There but for the grace of _contracting security professionals_ go I.

~~~
mayank
Incidentally, their notification emails routinely contain your password in
cleartext as a "reminder". I signed up for an account several years ago but
was put off by the incredibly ugly design. Here's an excerpt from an old email
from them (note, redacted by me!) This one is from a few months ago:

-- Hello _REDACTED_,

Thank you for signing up on 10/12/REDACTED 4:08:52 PM. Remember your password
is _REDACTED_. --

The most recent one had an empty string as my password, as in "Remember
your password is ."

~~~
T-hawk
That is standard behavior for many web sites whose purpose includes no
important personal information. vBulletin and some other forum engines do that
by default. These site owners figure, probably rightfully so, that the support
burden for a forgotten password exceeds the expected value of some black hat
actually intercepting the plaintext email (low) times the meaningful impact of
any ensuing activity (also low). The chief risk is in compromising a password
that this user also uses for applications of high security impact, but it is
not the responsibility of this particular site owner to protect a user from
generally dumb behavior.

More generally: security best practice is not always about enforcing as
tightly as you possibly can. Security has real costs and it's a cost-benefit
tradeoff against many other factors.

~~~
Kadin
That may be their assumption (clearly is, given the evidence), but I think
it's a pretty poor one and it's certainly off-putting as a potential user.

A dating site contains, practically by definition, a fair bit of personal
information. It's not online banking, but there's a lot of ugly stuff that an
attacker could do if they could break into a large number of user accounts,
and particularly if they could de-anonymize those accounts.

POF was pretty clearly sacrificing security -- which in this context means the
potential privacy of their users -- in order to get more engagement and build
userbase. Bluntly: they were taking risks with their users' data in order to
build their business.

That's not terribly cool in my book, even though I can see why they might have
made the decision. The fact that it's understandable doesn't mean that it's
right.

------
markessien
Frankly, Markus does not sound like he is very computer savvy. He sounds like
one of these people who knows how to write some PHP scripts, but does not
really understand the details of what goes on behind it - so assumes that what
this guy is doing is some terribly complicated hack.

I think the Argentine guy probably searched the website for vulnerabilities as
a way to get business. He found one and contacted Markus. Markus then freaked
out and panicked, leading to this.

~~~
grumo
Markus taught himself ASP.net
[http://plentyoffish.wordpress.com/2006/06/14/how-i-started-an-empire/](http://plentyoffish.wordpress.com/2006/06/14/how-i-started-an-empire/)
His story is pretty remarkable considering POF was a one man
operation until recently.

~~~
markessien
ASP.net is just Visual Basic. It's not the most complicated language to learn,
and you don't need to know much about computers to develop in ASP or VB.

~~~
dhyasama
That isn't true. ASP.NET is the web piece of the .NET framework and can use VB,
C#, Python, Ruby or any other language supported by the framework.

~~~
zbanks
But is that how he used it in this case?

~~~
PonyGumbo
Saying 'ASP.NET is VB' is sort of like saying "General Motors is a Buick
Skylark." It just doesn't make any sense. ASP.NET is a framework for
developing web applications. You can use any number of supported languages -
C#, VB.NET, J#, Ruby, Python, F#, etc. I can only assume that he conflated the
late 90s scripting combo of ASP/VBscript with ASP.NET.

It's obviously possible to write terrible code in any language, with the aid
of any framework. It sounds like POF did just that.

~~~
markessien
The original site was in ASP, then he migrated it to ASP.net. I doubt that he
paid any attention to the 'framework' part of things. He just did a VB syntax
migration.

------
cheeky
I'm pretty amazed that in this day and age companies still store sensitive
information like user passwords and credit card numbers in plain text.

~~~
coenhyde
IMO storing this kind of information in plain text was never acceptable. It
requires the right combination of arrogance and incompetence for this to
happen.

~~~
mgkimsal
In some ways it's no wonder POF was able to bootstrap and run this amazingly
large system all written by one guy with limited hardware. Dunno what their
stats (or headcount) are now, but years ago POF was heralded as some genius
site because it was all put together by one guy and running on a few load
balanced servers.

I'm not saying it takes multiple people to make something secure, but if one
person either doesn't have the experience or knowledge to make something
secure, and there's only that one person, there's no one else to even
determine there's a problem.

------
jbrennan
I'm not surprised PlentyOfFish was hacked in the least. I signed up at one
point and the password entry form wasn't even obscured. That was my first red
flag. So I made sure to use a throwaway password.

But it got worse. Every few days, POF started sending me newsletters with my
password in plaintext! "in case you forgot, your password is:...." in addition
to whatever else the newsletter said. So I knew they were storing passwords in
plaintext.

Couple those things with the complete unusability of the site…well I deleted
my account (which is unsurprisingly difficult to do as well).

------
dekz
_because there was a serial killer, murdering people from the website._

err what?

~~~
Tichy
I have to say, from the writing alone Chris Russo sounds a lot more
confidence-inspiring than the POF people. That long rambling blog post by POF
did not come across as very professional.

~~~
leppie
Both posts are rather comical and infantile. Drama all the way, serial killers
and Russians. Techno soap.

~~~
Tichy
The serial killers are a quote from the mail of the wife of POF founder, I
think?

The Russo side does sound "insecure", as he admits himself. Presumably they
have not been in business for very long. But that is not the same as
infantile, it's just inexperienced.

~~~
leppie
Finger-pointing is always infantile.

~~~
Tichy
You've got a point there.

------
tptacek
Am I reading this right? Are both sides of this story intimating that the
security guys found a vulnerability in the site, published it, and then
pitched them a consulting gig? Go live with something or not, pitch a gig or
not, but I'm not sure you can have it both ways without looking skeezy.

------
razzaj
Hmmm, this really looks like a complicated matter to judge with the available
information. Really there are several plausible scenarios where POF or Chris
could be at fault. The information available to the public is not enough to
make an informed judgement. Everything else is pure speculation or pure DH0
(as per Paul Graham's disagreement hierarchy).

From what we see now, it is clear that POF people were scared shitless by the
report (obviously) and tried to limit the damage and gain time by manipulating
Chris, whom they thought had downloaded all their users' data and was extorting
them against the disclosure of this data. I think anyone in their shoes would
think the same (at least initially).

Now whether Chris really intended to extort them or not is another matter we
can't judge from what we are seeing. He does seem like a nice guy from his
emails, and kind of excited about the "opportunity", but really that is not
enough. Nice people sound nice... so do most criminals.

One more thing that is unclear! Was POF actually hacked (in the sense that
data was leaked) or was it just that a vulnerability got exposed? I think this
will tell us a lot as well about the real motivation of the "hacker".

------
d0mine
To discover a security vulnerability (Chris Russo's POV) in a site and to hack
a site (POF's POV) are different things.

POV - point of view

~~~
grumo
You are right and I changed the title of the post to "Plenty Of Fish Hacked -
Chris Russo explains what happened" instead.

------
jcampbell1
> By the nightfall of Sunday 30, Mr. Markus Frind sent me an email accusing
> us of stealing his whole user database without a single proof, based on
> supposed information that "20 employees of him told him."

This fellow is either a fool or a terrible liar. If he didn't take the data
then he would have said "I didn't steal the data". He instead accuses Markus
of a lack of proof.

~~~
bad_user
Lack of proof == credible, since the burden of proof is on the accuser

"I didn't steal the data" == my word against yours

~~~
jcampbell1
There is no burden of proof in the court of public opinion. There is no 5th
Amendment either.

Imagine this scenario, your boss says to you: "20 of our employees are telling
me you piss on the toilet seats."

You respond, "You have no proof".

Good luck with that.

~~~
bad_user
> there is no burden of proof in the court of public opinion

Except that article by Markus Frind walks a fine line between libel and
opinion.

And you can get your ass sued to the stratosphere and lose if you fail to
produce reasonable proof when making public accusations.

~~~
jcampbell1
I agree with you. Defamation / libel laws are far more strict in Canada than
in the US. This is clearly going to interfere with Chris Russo's ability to
earn a living as a security researcher. I have a feeling he is going to get
paid to go away at some point.

------
PonyGumbo
Wow. I just read the Inc Magazine article about this guy from 2009:
[http://www.inc.com/magazine/20090101/and-the-money-comes-rolling-in.html](http://www.inc.com/magazine/20090101/and-the-money-comes-rolling-in.html)

Highlights:

1. The site makes $10 million/year.
2. He has three employees, all customer service. He does everything else.
3. He pays himself $5 million/year.

This quote is particularly telling: "At other sites, when one thing goes
slightly wrong, the reaction is to buy more servers or hire a Ph.D.," he says.
"It's almost unbelievable -- it's like people are trying to justify their jobs
by spending money. This isn't rocket science."

------
nailer
This guy still sounds like a scumbag. He's complaining they responded to
someone threatening to post people's private info by saying they'd post info
on the person doing it? Boo-hoo.

If Chris wasn't going to post the info publicly (i.e., extort POF), then he
had nothing to worry about.

As an observer this certainly doesn't make Mr Russo seem any better.

Edit: per below, removed the word extortion as posting people's private data
might be done for other reasons rather than to make money.

~~~
Tichy
I don't read anything about an extortion attempt (in this account), what am I
missing?

I guess it is normal for a security firm to hope to gain some business by
exposing security flaws (hey, we found a hole in your site, hire us to fix
it). As this incident shows, it is not an easy business to be in...

~~~
nailer
That's true, the guy might just post the data to be an asshole, rather than
asking for money.

Either way, the guy who was cracked is saying if the cracker posts the stolen
data, he will post the cracker's contact details to every account. Which is
completely reasonable.

~~~
Tichy
I didn't read anything about him posting the stolen data. I think he
specifically wrote that he didn't even steal any data.

I don't know whose account is true, but I don't think it is reasonable to
threaten somebody who approaches you with information about a security hole,
just in case that somebody has evil intentions. In general it seems reasonable
in human interactions to not issue death threats upon the first encounter.

~~~
nailer
> I didn't read anything about him posting the stolen data.

Read the post again - the owner of the site is saying he will publish the guys
details if he posts the data.

If he doesn't post people's personal data, fine. The site owner won't publish
his address.

If he does, then fair enough.

~~~
Tichy
Hi, nice to meet you. Btw, try anything funny on me, and I'll set the Russian
mob on you.

How to explain? Yes, strictly logically speaking it is "OK" (no funny actions,
no Russian mob). But psychologically I don't think it would be a good approach
to human interaction. It establishes an atmosphere of distrust right from the
start. You approach somebody and say "you might be a criminal".

Or imagine you meet somebody at a party and he says "Hi, my name is so-and-so.
By the way, I carry a gun". How would that make you feel?

~~~
nailer
I understand what you're saying, but do you have any information that this is
how the site owner began the conversation?

I imagine we're seeing a small snippet of something larger.

I also see the security company guy doesn't dispute that his revelation the
site was cracked began with a push for payment to remedy the situation.

~~~
Tichy
No idea, really. It sounds as if Russo denies having any data, in which case I
struggle to come up with a good reason for POF to issue the warning. But
ultimately, I really only know what is written in the two articles. I guess
time will tell.

~~~
nailer
> It sounds as if Russo denies having any data

I don't get that impression - I imagine that if he didn't have any data, he'd
say so explicitly. If he didn't have data, though, I'd totally agree with your
observations.

> I guess time will tell.

Indeed.

------
david_shaw
Nothing, including all of the justifications for the terrible security
practices, should excuse Markus Frind for the death threats and sheer hatred
being thrown at the messenger.

Chris mentioned that this was _actively_ being exploited by malicious hackers.
Taking your rage out on the guy trying to help is not appropriate by any
means.

------
gbrindisi
Maybe relevant:
[http://www.reddit.com/r/netsec/comments/f647p/i_found_a_seri...](http://www.reddit.com/r/netsec/comments/f647p/i_found_a_serious_security_flaw_in_a_social/)

------
alnayyir
Sorta what I asked for in the original thread, but not any great details. More
or less what I expected though.

I guess that'll have to sate my curiosity for now.

------
drstrangevibes
in any case epic fail at damage limitation by all involved

------
leon_
Wow, I don't know whom to believe. But it's 1a drama. And I love drama :)

