

Ask HN: Have you ever been hacked? - redxblood

Have you expeienced hacking? (as a victim or perpetrator)
======
sp4rki
I used to be very into the hacking, software cracking and reverse engineering
scenes when I was a teen – spending my nights discussing Softice cracking
methodologies, scripting telnet fingerprinting utilities, and other
trivialities in IRC while taking care of FXPing releases all night.

One day my mom's email stopped working, so I contacted a CSR for the ISP.
After 2 hours of being passed around to their highest level of tech support
and explaining that she signed up for some shitty extra antivirus service some
time before and that her actual email was probably aliased to an account on
the special antivirus server, they kept insisting the account didn't exist and
that I was lying. I tried to explain that it was almost a given that the alias
just got deleted by someone doing clean-up too many times and I lost all
patience. I dedicated all night to gaining access to their mail servers and
getting my moms account back up.

I documented everything and the next day I went over and talked to their head
engineer. I explained everything while sitting in a computer in his office
proving the hack. I got a free lunch and 3 months of free internet service out
of it. I was also called in a month later to corroborate the vulnerability was
patched.

Two or three weeks later I got suspended from school for stealing some exams
from the teachers shares in their "private" network. I covered my tracks, but
a girl in the computer room at the time accused me of doing "something fishy"
and I was caught with a floppy that contained the exams. That drama took the
better part of the month and included my lawyer (my uncle doing me a favor)
making incredible legal threats. I almost failed that quarter, but I did get
off mostly unpunished.

I do development and specialize in security and risk assessment these days.
It's nowhere as fun as it used to be in the early 90's.

~~~
tptacek
Wow, strongest possible disagree. In the mid-to-late 1990s, you could download
any project's tarball, grep it for "strcpy", and have an exploitable stack
overflow within an hour. Nobody needed any depth in compiler theory, in
constraint solvers, or in cryptography. About the only good thing I can say
for the 1990s is that you sometimes got to work in SPARC and MIPS assembly.

Software security is _harder_ in 2014, definitely. But that's a good thing.

~~~
nate_mcfeters
Agreed. Even when you find trivial to exploit bugs, there's quite often not
trivial to bypass protections in place. Certainly ways around them, but
developing an exploit used to be paint by numbers in comparison.

------
thegeomaster
I can't recall having been hacked personally (I did some fooling around on a
public network in my ex-dorm, was fun), but I recall that the local
government's anti-cyber crime division's website was owned. It was a fail of
epic proportions. Someone found an old Joomla! exploit (a simple SQLi attack
on a forgotten password form) and changed the credentials to admin:admin.

It was a big scandal in the news and the police, as scapegoats, arrested two
19-year-olds who just happened to log in with admin:admin and actually leave
their names on the front page of the website. The fuckers weren't able to
catch _anyone_ besides them, let alone the original perpetrator. The guys were
fined and I think they actually got a short jail sentence.

I once ran a public web server on a No-IP domain, and my lighttpd logs were
_full_ of hundreds and hundreds of probes (I assume all automated) for some
common exploits and security holes. I had some script kiddies attempt to sneak
in SQL injection attacks (I was using MongoDB so they were out of luck) and
even try some stupid shit like entering '>exec("echo 1"); into my forms (to
this day I'm not sure what that was supposed to do) and whatnot.

------
junto
I installed a new DigitalOcean VPS instance with the Wordpress app install
image. I hadn't yet run the Wordpress install because I ran out of time that
evening so I powered down the instance because I knew that the install wasn't
secure.

I had made a few tweaks to the server (SSH setup, etc) so I took a snapshot
and went to bed.

I did not realise but, the snapshot process restarted the server after
completion. The next time I came back the server I had a Polish Wordpress
blog. Luckily I had mis-configured the permissions and you were unable to
install any plugins, so not much damage could be done.

Still, please be aware that snapshots on Digital Ocean restarts the server
after completion!

------
blueflow
Im not aware of cases where someone used my authentification without my
knowledge.

And doing... never something professional. Some scriptkiddie stuff in my
younger years, expanding privileges in our school systems oder experimenting
with sql injections on an (accidentally) unprotected site. Just messinf things
up and try what is possible to do. And copying the lecturers scripts from an
encrypted usb drive while it was mounted (kind of trojan? just a program which
does its job and removes itself).

And i used a keylogger to get access to a classmate's facebook account, and
everytime he defaced someones fb (we was one of the guys checking every pc in
the lab for loggin in fb accounts) i did the same to him. Im not very proud of
this.

------
thyrsus
Of course, we've all been hacked by the NSA and others, but outside of state
actors:

Many years before dropbox, my brother wanted to send me some photos, but
couldn't tell me his IP address - otherwise I would have restricted the
clients to there. I went ahead and turned on an FTP server and an account for
him on my home "server", and told iptables to let anything into that, then
forgot to turn it off when he was finished.

The FTP server turned out to have a bug which allowed unauthenticated access,
and someone started running the eggdrop IRC server on my system, were using
/dev/shm as their home directory and who knows what else.

I'm not aware of any other non-state sponsored violations of my personal
computing resources.

------
scottlocklin
I got pwned by a ssh trojan when using an io.com shell account back in
2002/2003\. Because I was a trusting soul, I had used my shell account to log
into a local music enthusiast board (where I ran an elist and fooled around
with zope and stuff) and my workstation at a government lab. It came to my
attention via ... the NSA monitoring of my government lab workstation (it
wasn't a secure lab, thankfully). The FBI got involved, and the guy who ran
the local music thingee ended up spending almost a week cleaning shit up.
There was an arrest; it was some kid. It was one of the single most
embarrassing things that ever happened to me, in a lifetime of embarrassing
things. It was also unpleasant and extremely time consuming. I don't recommend
it.

------
stevekemp
Once upon a time I was given an account on a host which was publicly
accessible over the internet.

I was told "OK your username is 'steve', your password is 'steve'". Between
the time it was created and the time I logged in for the first time it had
been compromised via a dictionary-attack.

I know these things happen constantly, but I was pretty surprised at the sheer
bad luck and timing involved.

Otherwise I worked at a hosting company for many years, and clients would
frequently get compromised. Largely as a result of outdated
wordpress/magento/drupal installations. (Sometimes dictionary attacks too, but
largely it was outdated web applications allowing remote code-execution.)

------
binarymax
A bit of both :)

For the latter my intentions were strictly prank, and I was young and stupid.
Basically it was just messing around in the highschool computer lab. We
changed what time the bell rang, and put some nonsense meals on the lunch
menu. I was Banned from the lab for my senior year :)

For the former, my static homepage was hacked last year, because the root of
the VPS was hacked. I had been using the provider for about 12 years, and they
had some old IIS and classic asp still running on the box! They injected some
classic asp into my page to point to a fake rolex sales site.

That was fun.

------
cven714
Back when Diablo III had a real money market, someone gained access to my
account and locked me out. I hadn't played in a while, so they could have been
using my character for a month or two. I worked with Blizzard to regain my
account (surprisingly pain-free process), and logged on to find my old
character fully leveled, extremely well-equipped, and wealthy. I never got to
thank the guy, so instead I told all of the new friends I had on my contact
list to thank him for me. They didn't like that.

------
nasmorn
My coworker supports lots of old Joomla installations and they get hacked
every other week. Usually the .htaccess redirects people to porn sites or they
insert SEO spam. I do t know how he copes with it

------
ig1
Pretty much everyone has been hacked, it's more a question of whether they
realize it or not.

------
jqm
I haven't but the guy who's account I am posting this from has been.

(kidding!)

