
Plenty of Fish Hacked - grumo
http://plentyoffish.wordpress.com/2011/01/31/plentyoffish-hacked/
======
fleitz
Plenty of Fish? Might as well rename it plenty of passwords.

The worst part is Markus stores his passwords in plaintext, or _slightly_
better reversible encryption.

POF will mail a person their password. This is a security nightmare because
basic precautions were not taken.

I just checked and POF is still able to reproduce and email me my password. I
also checked the email I use for POF and there is no mention of this in any of
their emails. If Markus took this seriously at all he'd be resetting everyone's
password and have instructions to reset their email password.

"We have reset all users passwords and closed the security hole that allowed
them to enter." This is a lie, I just logged in with my username and password.
I wasn't even asked on login to change it.

~~~
AgentConundrum
It's actually worse than that.

I don't know what it's like now, since I haven't used POF since 2008 or so
when I met my current girlfriend (though I only remembered to kill the account
a few months back), but back then they would actually send you reminders every
so often - I want to say once a week - that included your plain text password
as a reminder.

I think this is just the kick in the ass I needed to go through all my
accounts around the internet and make sure they all have unique, reasonably
complex passwords. My email and banking passwords have always been unique, but
I know I've been slack elsewhere. I won't let that happen again.

~~~
jacquesm
If there is an option to use some kind of hardware token with your banking
then I would strongly advise you to take that.

Having just a password to protect your bank account sounds pretty scary to me.
That's about as juicy as it gets. I'm paranoid enough about my servers having
'just' a password to protect them (oh, and an ACL); if my bank accounts had
only a password I wouldn't sleep.

Every time I log on I have to use my chipcard in a little electronic device
with an LCD display and a bunch of buttons on it, the chipcard generates a
unique ID every time I log in. When I want to do an actual transaction I have
to authorize it using 1, 2 or 3 challenges depending on the amount and
destination of the transaction. It's less convenient than a password protected
system but it's fairly secure.

It's also protected against the most common form of theft called 'skimming'
because it uses the chip and not the magnetic stripe so a thief using the data
on a skimmed card could only use that to use an ATM but not to access the
internet banking section of the website of my bank.

~~~
AgentConundrum
Are you European? I only ask because my friend in London is the only person
I've ever heard of using such a device.

Unfortunately, such a thing seems all but unheard of here in Canada.

Our debit and credit cards are being replaced with cards with chips embedded,
which could be a sign that such devices are coming, but for now I'm afraid my
password is my only real line of defense online. I have noticed that when I
log in from a new computer (for example, when I visit my parents), the site
uses one of my challenge questions to ensure it's really me. I guess that's
something, although I really don't know the exact circumstances that trigger
the challenge.

~~~
prodigal_erik
The weird thing is that Blizzard will cheerfully sell you a $7 hardware token
to protect your imaginary WoW gold and equipment, but I don't know of any US
banks that offer one to protect your actual money.

~~~
patio11
Paypal will.

Don't quote me on this, but I think banks are starting to lean on "possession
of a trusted mobile device" as their two-factor authentication. The basic
theory is that I give them a number I can receive SMSes at, and then any time
they want to verify that the person operating my web browser is really me,
they say "We just sent you a one-time password via SMS. Enter it, resend it,
or talk to customer service."

This has significant advantages over dongles from the perspective of the bank:
they don't have to get into dongle distribution, and people are probably
better at keeping cell phones available than they are at keeping dongles
available.

~~~
whatusername
My bank in Australia does this (for any transaction to an account I've never
sent money to before). Works pretty well.

I click a button, they SMS a 6 digit code, I enter it, money transferred (or
bill paid).

~~~
jlangenauer
Which bank?

~~~
whatusername
That one. :)

<http://www.commbank.com.au> for those who don't get the joke.

~~~
MattF
They will also issue a token for those of us living outside the country.

------
chegra
Why does the Hacker "Chris Russo" sound more credible than the guy from Plenty
of Fish?

- <http://grumomedia.com/plenty-of-fish-hacked-chris-russos-explains-how-he-did-it/>

1. He provides emails - I think Mark (the guy from Plenty of Fish) really needs
to get those voice recordings of Chris threatening his wife online to be more
credible.

2. Mark tells a complicated story - A story with mafia and all that, really?
If we follow Occam's razor, Chris's story sounds more realistic. He saw a flaw
and reported it. Everything was going dandy until he saw ads for Plenty of Fish
data. At this point Mark decides to try to ruin Chris by fabricating a story,
since he believes it is him trying to sell the data. It is a simpler story.

3. Why isn't Mark contacting the authorities? - A week and Chris is not in
jail and responding freely on his blog?

Mark does have some valid points though, he did hack Pirate Bay:
<http://torrentfreak.com/the-pirate-bay-hacked-users-exposed-100708/>
But Chris claimed again, proof of concept and he has no bad intentions.
[What is the appropriate way to expose vulnerabilities?]

In my opinion, he [Mark] should release the voice recording to add more
credibility because right now he is sounding shaky.

~~~
StormN
A key point here is that he didn't use a proxy and doesn't seem to hide his
identity during the sniffing around, which means he's either: a) stupid. b)
not intending to do anything malicious.

I think a. is unlikely, because he did actually manage to break in, although,
the hole itself might've been trivial and therefore this might not count. I
don't think so, though. Which leaves b.

~~~
notahacker
I think it's pretty obvious from both sides of the story that what Chris
intended to do was (c) demonstrate the existence of a vulnerability in order
to hard-sell his security consultancy.

Reading between the lines, it looks like his sales tactics were heavy on the
FUD (he pointedly hasn't denied making any claims about Russian conspiracies),
leaving Frind paranoid and angry. And probably also embarrassed if the
security flaws were as basic as is being suggested.

------
grumo
Just got in contact with Chris Russo who hacked PlentyOfFish. His version of
the events here ->
<http://grumomedia.com/plenty-of-fish-hacked-chris-russos-explains-how-he-did-it/>

~~~
mahmud
Mate, before you milk that 'interview' for eye-balls, just go back to the PoF
article above and read the new comments.

Chris Russo is there commenting, and it calls your ability to judge character
into question. For starters, he has never denied the story about Russians
holding his computer hostage and threatening to kill him. He just ignored it.
Then he goes for the "race" card and says PoF are suspicious of his intent
just because he is in Argentina.

~~~
nandemo
Wait, so if I post here that mahmud is on the yakuza payroll and has kidnapped
my puppies then people are supposed to believe it until you deny it?

~~~
mahmud
They were triads, not yakuza.

I believe the PoF guy simply because he has more to lose. You can already see
this Russo character writing his own "If I Did It"[1] account of the tale.
Looks like his attempt at getting a gig backfired.

[1] <http://en.wikipedia.org/wiki/If_I_Did_It>

------
ivanstojic
The fact that a well known site like POF was hacked is eclipsed by the fact
that they both store unencrypted passwords, and the bizarre tone of this
article.

I managed to stumble through the first part of the article, but lost interest
when Russo claimed that "he can see what the Russians are doing because they
took over his computer." This sounds technologically implausible at best.

Maybe the official post in the morning will make more sense.

~~~
benohear
Is it implausible? Could you not set up some kind of honeypot machine and then
monitor its activity once it's been zombie'd? (Genuine question - I'm
definitely no expert on the topic).

~~~
ivanstojic
Certainly! That part alone is not only plausible, but also quite common.
Antivirus companies, security researchers and various other interested parties
have been known to use such tactics.

However, it doesn't make sense that those who hacked his supposed honeypot
would be aware of his oversight ("they are trying to kill him"), while still
using the honeypot to perform whatever illegal shenanigans they were up to
("they are currently downloading plentyoffish’s database").

------
jarin
From the TechCrunch article comments:

"Roberto Alsina: Just a small clarification about this bit:

"They then start talking about money because they need to incorporate a
company that can deal with companies outside of Argentina and that will cost
$15,000. They also needed to know if they were going to make over $100k/year
or 500k/year as that would require different registrations…"

I am from Argentina, and I own a company. Yes, in order to bill services to
foreign customers, you need to register your company as an "exporter of
services". And to do that you have to put money on escrow (but not $15000,
only $7500), or your company has to demonstrate assets for over $12500.

If Russo has been working without an incorporated company (he could be a
"monotributista", which is a way to bill as a physical person). A
monotributista can export services, but... he's personally liable, so doing
security consulting that way is insane.

That's probably why Russo could be asking for money up-front: if he didn't, he
would have been doing business illegally."

~~~
loboman
Many freelancers work as monotributistas or responsables inscriptos, exporting
services that way. And it's perfectly legal. For a single person shop this
would be the first case I hear of, of an incorporated company set up that way.

~~~
ralsina
Yes, it's perfectly legal, but is incredibly stupid in this case because of
the liability.

If you work on security this way, you are going to get sued eventually. If you
are a monotributista or responsable inscripto, you will lose everything. A SRL
(like a LLC) is the logical way to handle this kind of work.

What I meant by illegally is that it would be illegal if he was already
incorporated as a SRL and exporting services (he needs to do the escrow to do
that legally).

------
nowarninglabel
I wonder if Markus realizes that e-mails have been going out non-stop to
customers lately from spam profiles using their 'wants to meet you' "feature".
On the one hand, I feel bad for PoF becoming the target of an attack and
drama, but from the tone of the post, it wasn't handled right on their side
either. PoF really needs to get its act together on the security side. It's
sad too because it was a fairly well executed concept when it first arrived on
the scene, and has since just turned into what amounts to a spam/ad farm.

~~~
jarin
As the lead developer on a dating site myself, I can say that it's
ridiculously hard to keep out spam profiles. We block by country, Project
Honeypot entries, and HTTP header profiling, use captchas, and use other bot-
sniffing tricks, but in the end we still have to manually ban IP addresses
every day.

We don't store passwords in plaintext though, sheesh.

Edit: I just upgraded the hashing algorithm on the site from SHA1 to Bcrypt.
Paranoia for the win.
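The SHA1-to-bcrypt upgrade jarin describes, and the contrast with POF being able to mail passwords back, as an added example that is not code from this thread or from any site mentioned in it: a login routine that still verifies legacy unsalted SHA-1 rows but transparently re-hashes each one with a salted, slow KDF the next time its owner logs in successfully. PBKDF2-HMAC-SHA256 from the standard library stands in for bcrypt here; the user table, scheme names and passwords are constructed.

```python
import hashlib
import hmac
import os

# Constructed in-memory "user table": username -> stored credential string in the
# (assumed) format "<scheme>$<params>$<salt-hex>$<hash-hex>". Nothing here can be
# reversed to the password, so the site could not email it back even if it wanted to.
PBKDF2_ITERATIONS = 600_000


def legacy_sha1(password: str) -> str:
    """The weak pre-upgrade scheme: unsalted SHA-1 (constructed to stand for 'SHA1')."""
    return "sha1$$$" + hashlib.sha1(password.encode()).hexdigest()


def hash_password(password: str) -> str:
    """Salted, deliberately slow hash. Stand-in for bcrypt using stdlib PBKDF2."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify(stored: str, password: str) -> bool:
    """Check a password against either scheme, using a constant-time comparison."""
    try:
        scheme, params, salt_hex, hash_hex = stored.split("$")
    except ValueError:
        return False
    if scheme == "sha1":
        candidate = hashlib.sha1(password.encode()).hexdigest()
    elif scheme == "pbkdf2_sha256":
        digest = hashlib.pbkdf2_hmac(
            "sha256", password.encode(), bytes.fromhex(salt_hex), int(params)
        )
        candidate = digest.hex()
    else:
        return False
    return hmac.compare_digest(candidate, hash_hex)


def login(users: dict, username: str, password: str) -> bool:
    """Authenticate; on success, re-hash a legacy row while the plaintext is in hand."""
    stored = users.get(username)
    if stored is None or not verify(stored, password):
        return False
    if not stored.startswith("pbkdf2_sha256$"):
        users[username] = hash_password(password)
    return True


def needs_upgrade(users: dict) -> list:
    """Usernames still on the legacy scheme (accounts that have not logged in yet)."""
    return sorted(u for u, s in users.items() if not s.startswith("pbkdf2_sha256$"))
```

Accounts that never log in again keep their legacy hash, which is why a forced reset is the only way to finish such a migration for dormant users.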

------
Tichy
I read "closed the security hole", but I never read "reinstalled everything
from scratch using clean data sources" - isn't that what he should have been
doing?

I still feel icky because of the sourceforge hack and wonder if I should
reinstall everything. I probably should :-(

------
credo
Related, but slightly off-topic.

When I read this post on my iPhone, I saw a match.com ad on the top of the
page. match.com competes with Plenty Of Fish.

POF is a multi-million dollar business. I'm surprised that they aren't paying
Wordpress to provide an ad-free experience.

~~~
gaius
POF is entirely funded by ads from paid-for dating sites. It's a weird
business model, but it seems lucrative.

~~~
StormN
No, it's not. They have a large(ish) self-serve advertising platform like FB
with various levels of targeting.

~~~
mikecolella
A huge percentage of the ads served on the self serve platform are affiliates
promoting other dating sites.

------
TheBranca18
I'm on plentyoffish and they do weekly send you your password in plaintext
(there are plenty of other sites that do this). Thankfully I change my
passwords each month to a random string of 12 characters and don't really
care. Perhaps if hackers get into my account, my account can finally get a
date!

~~~
ZoFreX
> Perhaps if hackers get into my account, my account can finally get a date!

No, you have to wait for OKCupid to get hacked for that to happen.

------
njmanwhore
I don't understand why the victim of a crime is being given a hard time.

Scenario: I own a safe with all my personal information locked inside of it; a
Safe Cracker (let's call him...Chris) comes along and cracks my safe. Chris
calls me and says to me 'yeah, I cracked your safe; if you don't hire my company
to fix your safe's vulnerability maybe your personal information might get out.'

Who is the bad guy in that situation: the dope with the safe, with a 1-2-3-4
combination, or the guy who takes the dope's information and attempts to use it
for his own personal gain?

NOTE: To anyone who still thinks the dope is more to blame; please send me
your address, I'll rob your apartment/house then sell your things back to you
(don't worry, I'll also sell you new locks).

------
dannyv
Chris Russo _says_ he didn't dump any data.

<http://plentyoffish.wordpress.com/2011/01/31/plentyoffish-hacked/#comment-119001>

------
simonhamp
Wouldn't surprise me one bit if this all came out as a sham and they were all
just in it to get some attention...

I mean, who settles things through the blogosphere... come on folks, there is
a judicial system!

~~~
enry_straker
Things can get really stuck - as the protagonists appear to be on different
continents.

------
grumo
It is mind boggling that the young 23yo Chris Russo was smart enough to hack
PlentyOfFish but not make any sense with his crazy requests and compulsive
lies. This morning Markus Frind, CEO of PlentyOfFish, plans to make an official
statement about the events.

Fun Fact: Markus Frind graduated the same year as I did from BCIT in
Vancouver. I took Mechanical Design and Mark took Computer Science. Do I
regret not taking CS, hmm maybe?

~~~
fleitz
Grumo media looks pretty cool. Maybe you shouldn't regret it? I'm doing a
startup in Vancouver as well. Your videos look awesome but are out of my
current budget. :(

~~~
domino
I just checked your profile, do you also do iPhone apps? We're a cool startup
in Vancouver and we're looking for help with our iPhone development, maybe we
can chat

~~~
fleitz
Yup, definitely do do that. I'll email you right now. team at summify.com?

~~~
domino
Yes, that's it

------
mahmud
This is extortion, plain and simple.

~~~
JoachimSchipper
From Markus' account, it sure looks like that; but note that a "chris russo"
says, in the comments, that he's only given a proof of concept and that the
web server logs will show that he didn't make a full dump.

Of course, sending a PoC with an offer to fix the security does have a "nice
website you have there, it'd be a shame if something happened to it" vibe to
it; still, it's factually different from trying to extort money from a company
by dangling a dump of their customer database.

~~~
jacquesm
That's a technicality in my opinion. If the website owner would ask you to fix
it that would be one thing, to hack them and then to 'offer to fix it'
(presumably for a fee) is across the line. It's a fine one but it's definitely
there.

Hacked a site?

Send them a message about it, give them time to respond and time to fix. If
they don't respond after a reasonable time has passed go public with it, don't
try to translate it into paid work.

~~~
JoachimSchipper
Trying to turn a PoC into paid work is indeed sketchy; but I do understand
that security researchers/whitehat hackers would like to get paid for their
work.

It would be good if more companies set up bug bounties, and even better if
they'd set the reward a bit closer to (reputed) black-market prices.

------
alnayyir
I'll ignore the issues with the plaintext/reversible passwords since that's a
trope that has been bandied about enough lately and ask if anyone has
technical details on the hack itself, I'm quite curious if it was a simple SQL
injection or something more artful.

I'd tend to lean towards injection, given that it took Russo (apparently?) 2
days to produce a working exploit with what amounts to fiddling around, but if
anyone knows where I can read a write-up on it I'd appreciate it.

(Professional curiosity, I'm a web dev and like to be apprised of what catches
the more popular sites. Sometimes you get lucky and it's subtle/neat.)

------
zackattack
This is why my pof passwords are always some variation of "zachary" (with some
numbers appended).

~~~
JoachimSchipper
You're just _asking_ for a "disregard that, I suck cocks" now.

~~~
JoachimSchipper
Apparently the above is unpopular - I was just trying to point out that
posting your password (or enough of it that one could bruteforce the rest) has
its downsides.

------
leon_
And then he posts it on HACKER news?

