AmILateToTheParty
tl;dr T-Mobile Austria stores user passwords not in an encrypted form. Source: https://twitter.com/tmobileat/status/981418339653300224
The rush started at who could prove them wrong first
FP Edit: Send software gore
TinyFrog
PHP 5.1???
TomSelleckPI
Käthe's first response is the most unprofessional thing I've ever heard from a company representative, what a stupid bitch.
nrthunderman
July 13 2011. Beautiful.
maxxra
Wow... just wow.
LowlevelRebel
Can someone explain this for the laymen?
inyourheadunderyourskin
Reminds me when some cyber security CEO made fun of 4chan and got royally screwed both personally and his business
The701
Or the one whose company was selling identity theft protection, so he put his name and SSN in his ads.....and had his identity stolen.
SantanaGV
Poor Social Media Intern
MrHailstone
Who cares? It's Austria. Germany's way more right wing neighbour.
sothisishowashitpostfeelslike
Do you want to get hacked? Because this is how you get hacked.
PfloTheBoss
Nobody in Austria named Käthe, blame Germany for that!
elevatorbro
I bet none of you can put millions of money into my bank account. My I have the best security in the world. 100%
Wellhereiamagain
Can someone explain to me what happened as if I were a somewhat precocious 8 year old?
Wellhereiamagain
Thank you.
nafun
*looks at his t-mobile phone* Panic Intensifies.
Totallyscrewedinaustin
....so what happened next?
Bearto
Probably the guy who runs the T mobile twitter got fired and not much else.
StalkerSan
Wrong approach. The right one is to fix the database.
kmikl
Corporations like t-mobile don't give a single solitary fuck about security because most people don't think about it.
iwillmessagerandompeoplegifs
Someone gonna lose their job....
Vergenbuurg
Imgur is giving me an ad for TMobile...
Tyrrano
Run
MidnightRising
Oh jesus fuck, 5.1.6? That's got the PHP CGI injection bug. You can literally gain shell access with that.
shinagami091
Whoever that PR person is for Tmobile I can guarantee is fired. You challenge the internet, you get wrecked. Every time.
Greymalum
Stating you're even difficult to hack can be a death sentence for a company.
Sapherno11
Of course. It's a challenge at that point
Greymalum
Exactly, and that hasn't worked out well for the boast worthy (for the most part).
jimwormmaster
Yep, it's like saying, "I'M INVINCIBLE!" (and/or UNSTOPPABLE)
chbarts
"You're a loony."
srsfaceI8C
Nothing can be coded that cannot be uncoded. It's that simple.
Rip42
You can, but it's expensive. I'd read up on "formal verification" and how it's starting to be applied in DARPA.
Ivain
exactly. All it takes is finding the key, one way or another. We've known this since the Enigma code.
secretoaster
Kathe shouldn't be online with that attitude.
sothisishowashitpostfeelslike
Käthe thinks she's Wendy, evidently.
GilgaMensch
Well I give them a month till a big leak of users passwords
eldwarfoII
Ashley Madison just weighed in...if they are comfortable making fun of you, you've got a problem
The701
Exactly. If you're so confident that your system is unhackable, 1) It isn't. 2) Time to get an external auditor to break in and show you your system's deficiencies. 3) Regular testing and patching. "Awwww, that all sounds expensive." Maybe they have insurance against stuff like this, so they just say they'll rely on that. That, and you've got shit like forced arbitration in T&C documents, saying that if you do business with a company, you can't sue them in court or take part in class actions, and apparently that sort of thing is completely legal in the US. https://www.citizen.org/our-work/access-justice/forced-arbitration-rogues-gallery
bringbakfirefly
This is why companies who care about security hire security firms to hack and patch their systems.
kmikl
They're called Pen-Testers, red and blue teams.
BoomerTiro
Never challenge the internet to do anything.
IPoisonedDorcasMutton
Ah, the Lord British Postulate. If it is declared impossible, the Internet will find a way.
CrystalCry
The internet better not make me happy and wealthy
Sqwuid
Yeah if they even try I will fuck em up, I bet they're too chicken
Ivain
Especially not when there's trained security experts on twitter that WILL break down the pathetic arguments for storing passwords in plain
Alphahi
Hey Internet, I bet you can't get me laid!
BadTimesFriendAhead
This isn't even a challenge, goddammit, someone with a few months of experience could go around those "safety measures".
AcidNightmare
not even if it is to make me legally rich?
SecondHandDeathWish
The internet can't pay off my $24k of debt...
ARealJonStewart
I mean, it totally can...
kprice1234
Yeah but they'd have to send some of that internet money
ARealJonStewart
Oh was that you challenging it?
ARealJonStewart
I'm sorry I'm not the most not tired right now
quickbrownfoxhumpsthelazydog
Passwords shouldn't even be stored in an encrypted form but only as an irreversible cryptographic hash.
malakim
But how will the customer representative know your password then?
quickbrownfoxhumpsthelazydog
Should I take that as a joke or a question?
quickbrownfoxhumpsthelazydog
If permissions have been properly set, the rep doesn't have to know your password to do his job. Your password is for you and for you alone.
quickbrownfoxhumpsthelazydog
That way even if the database gets hacked, all the hacker would ever be able to see is gibberish instead of your password.
Tesseract09
With a salted hash on each password.
zma123456
As an IT guy this gave me an heart attack.
MadeYouLookAgain
a*
CptRobotNinja
Why would you fucking challenge the internet to hack you?
GlowstickJedi
Same. Never using TMobile for ANYTHING
MerToo
As a grammar nazi you gave me an headache AUGH!
FloodingWaters
i guarantee the net admin was ready to murder the tmobile social media rep.
FloodingWaters
oh, and by 'ready' i mean had a plan, a weapon and a place to dump the body
CabNumber1729
I have a webshop, we use PayPal to avoid all this. They take 4% but I think it's worth it.
FloodingWaters
not hosting cardholder data is definitely worth 4%, but tmobile has user account data regardless. not feasible for them.
CabNumber1729
Odd thing is people call to pay over the phone, they don't 'trust online'. They tell me, a stranger, their numbers. People huh
FloodingWaters
old people, i assume. but yeah, fuck if i'm givin out my shit unsecured
squintish
Aren't passwords usually encrypted even to admin? That's why they can't tell you your password, only let you make a new one. Also WTF is 1/2
Sheepyhead
Passwords should not be recoverable by anyone, which is why all good login systems only allow you to change it, not to retrieve it
squintish
practice of asking for your password over the phone? Do they even have an IT department?
Bizarkly
Yeah -- somewhere Kevin Mitnick is laughing hysterically...
baronvk
You should use different passwords for every app/website, it's helpful to use a mnemonic algorithm to generate ones only you can know. :)
NotTheSharpestSpoonInTheDrawer
Yes you should, but nobody does
Tesseract09
Or use a password manager to store strong passwords
The701
@azerbaijan What I love about this stuff is that a few sites now are enforcing *maximum* password lengths. Vanguard does this, I think they are at a max of 12 or 14 characters, and Wells Fargo also allows a maximum of 14 characters now. I understand a minimum length, but a maximum seems like it'd discourage strong passwords. Something like DFdsf*&9;df))7()(@#$²∞±fsl3 should be fairly strong, right? The weakness then is that it needs to be stored somewhere.....like an offline encrypted database with a lengthy password.
bluemyles
yea max length restrictions are really frustrating. even with appropriate encryption they can be weak to brute force attacks.
sassymcsassypants
Can you explain that please?
baronvk
It's a memory trick to basically build the password, use rules for consistency, like for imgur you might do something like... first three letters backwards, add ing to the end, some fancy numbers and a special character. 67gmi$%ing and you apply these rules to all. You remember the rules, not the password; I've been able to log in to my account on websites I didn't even remember signing up for. The more rules you have, the more secure it becomes; it can still be broken but not nearly as easily as using the same passwords.
bluemyles
https://www.rempe.us/diceware/#eff
sassymcsassypants
Wow this was a really good way to explain how it worked. Thanks!
Nebuchadnezzarthesecond
I think I'm gonna need an explanation for the techy bit
bluemyles
in addition to the lack of encryption, letting users see what versions of linux/php you are using aids attackers immensely.
MrFunreal
Plain text passwords. Aka "toms password is tomato" written in a text file on their server. Somewhere.
anonymouslyposting
Basically your lock smith has a key to every house that he keeps just sitting on his desk in the mall...
The701
And the box is labeled "Keys for every house." "But it's ok, because both the front AND back doors are amazingly well-locked."
LoquaciousDude
and the address to the house is on the key
newsguycraigevans
They done fucked up.
SmellOfMonkey
They're trying to backdoor the Unix bus to Python the root directory. If that doesn't work they'll piggyback a decryption handshake.
SmellOfMonkey
Hacking in Hollywood scripts.
unclefood
Whoever downvoted this is just pissed they can't manage to hack a Gibson.
SmellOfMonkey
Cheers uncle
semtex94
Instead of encoding words with a cypher, they keep it written on paper in a locked box . Break the lock (hacking), you have the passwords.
Bizarkly
"But 'sneaker-net' *can't* be hacked via online protocols!" pleadingdogeyes.gif
FAECI
A password should be hashed. Hashing is a process easy to do from text to hash but hard from hash to text. This way if a hacker gets in they see the stored hash and not the password. When you type in the password the website hashes whatever you typed in and compares the resulting hash with the hash they have stored. That way your password isn't actually stored anywhere, making it safer. Instead of that they just stored the password in text, meaning that if someone does hack into the servers they can see all the passwords.
colderfish
Normally you make a one-way encrypt, so "mypaawd" gets saved as "g38sj2jdowj..etc" with no "undo". When you come back, we do it again and compare the 2 encrypted goobly goop. We never keep the passwords themselves. Moreover, we never keep the username/encrypted pass on the webserver. It's always on a separate, more protected, database server. Never, ever, ever in some CSV file. That's fucking insane.
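The hash-and-compare scheme FAECI and colderfish describe, with the per-password salt Tesseract09 mentions, as an added example (not code from the thread or from T-Mobile). The PBKDF2 parameters, the record format and the sample users are assumptions made for this example.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumed parameters for this example only; pick cost settings for your own hardware.
ITERATIONS = 200_000
SALT_LEN = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a storable record 'pbkdf2_sha256$iterations$salt_hex$hash_hex'.

    A fresh random salt is drawn per password, so two users with the same
    password get different records and a precomputed lookup table is useless.
    The plaintext never appears in the record.
    """
    if salt is None:
        salt = os.urandom(SALT_LEN)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Re-derive the hash from the typed password and compare it in constant time.

    There is no 'undo': verification recomputes the one-way function with the
    stored salt and iteration count, it never recovers the password.
    """
    try:
        algo, iters, salt_hex, digest_hex = record.split("$")
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
    except ValueError:
        return False  # malformed record: refuse rather than crash
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iters))
    return hmac.compare_digest(candidate, expected)


def build_user_table() -> dict:
    """Constructed sample table: the password column holds only hash records."""
    return {"tom": hash_password("tomato"), "anna": hash_password("tomato")}


if __name__ == "__main__":
    users = build_user_table()
    print(users["tom"])                               # salt and hash, no "tomato"
    print(verify_password("tomato", users["tom"]))    # True
    print(verify_password("tomato", users["anna"]))   # True, different record
    print(verify_password("potato", users["tom"]))    # False
```

Even someone holding the whole table sees only salt/hash pairs, which is the "gibberish" quickbrownfoxhumpsthelazydog refers to above.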
TheDrunkChicken
Storing passwords as plaintext on your server is HORRENDOUSLY bad security. Security protocols are also about 7 years out of date. (1/3)
DrArbitrary
I just roll my own crypto solution, it's way more secure.
Bizarkly
Apparently, so do they: the ROT26 protocol...
Boom2219
I prefer the ROT13 Twice method or the substitution cipher with no characters in my key code
TheDrunkChicken
People have managed to inject code into the website hence the 'only the best security' dialogue. You shouldn't be able to do this. (2/3)
TheDrunkChicken
Passwords are stored on a server that literally is called 'passwords'. You've just made it that much easier for hackers to locate them(3/3)
TheDrunkChicken
PR rep obviously has zero cyber security training which shows that in house security protocols are severely lacking (4/whoops)
TheDrunkChicken
Where is the oversight by regulators? How has this happened? All in all this should be fucking terrifying to people. (5/5)
AllTheGoodOnesWereGone
That's just Red Hat Enterprise Linux 6.x, which is fully supported until 2020 and probably is the most deployed Linux version.
MidnightRising
Red Hat 6.x is usually pretty fine, that's their extended life OS. It's their PHP version that has hackers drooling. Really easy to hack.
bluemyles
in any case users shouldn't be able to see any of this.
kelik1
Except their version was last updated in 2011
AllTheGoodOnesWereGone
So it's probably 6.2 with patches. Might well be vulnerabilities, or it might be known to be stable / secure for their env. Wouldn't bet :)
serenityfast
That MAY be fine for the kernel, but that PHP version is old as shit.
AllTheGoodOnesWereGone
Red Hat is just super conservative and won't update the major version of stuff like the kernel during the entire 6.x series, so it's still based on a version that started in 2009! Great for stability (stuff does not break when you update) but bad for compatibility with modern tools that expect at least kernel 3. It's a real pain today as a software developer to support 2009 kernel/glibc API versions.
insegrevious
They won’t do a major kernel in six... RHEL7 is the update ;)