MetaChat

05 December 2005

Is it still OK to talk about Metatalk here? [More:] because Drama Drama Drama!
Surely it's OK. But the Wedge.LeeJay exchange at MeCha is more entertaining.
posted by danostuporstar 05 December | 21:50
*loses plot*

:(
posted by carter 05 December | 21:52
well, matt IMed me today, and he didn't accuse me of anything. life is good.
posted by quonsar 05 December | 21:55
I need a sock puppet. Someone buy me one!
posted by Edible Energy 05 December | 21:59
Matt Haughey just banned me for being Pretty Generic's flatmate. Matt Haughey is a big cunt.
posted by cillit bang 05 December | 22:00
I need a sock puppet. Someone buy me one!

I AM a sockpuppet!
posted by muddgirl 05 December | 22:05
*world collapses*
posted by LeeJay 05 December | 22:07
He's unbanned my account already. Cuntiness over.
posted by cillit bang 05 December | 22:14
Drama! I love it. I hereby christen tonight Drama Night.

::pops microwave popcorn::
posted by ThePinkSuperhero 05 December | 22:32
: >
posted by amberglow 05 December | 22:39
Pretty_Generic will return, this New Year season.
posted by Pretty_Generic 05 December | 22:42
Cuntiness over.

See, that's what MeCha is all about: it's Metafilter, uncunted.
posted by nomis 05 December | 22:46
With big-headed German whores for everyone!
posted by orthogonality 05 December | 22:48
Seriously, this is what happens when you sleep with hookers.
posted by ThePinkSuperhero 05 December | 23:00
If you get a sock puppet will you name it Puppet_Of_Socks? Please please please pretty please? Because I really like that name.
posted by mygothlaundry 05 December | 23:07
Uncunted?!?!

*winces, protects crotch and slinks off*
posted by jrossi4r 05 December | 23:11
Now I know what you can use your viking hat for.
posted by dame 05 December | 23:25
mgl - I'd name mine "Lambchop", the greatest sock-puppet ever. Or perhaps "Trouser Snake" or "mathowie's left sock."
posted by muddgirl 05 December | 23:33
man P_G. I'm not anything of a matthowie fan, but bruteforcing user accounts is really fucked up.
posted by puke & cry 05 December | 23:53
Yeah, seriously. What a dick. Even I couldn't stoop that low.
posted by AlexReynolds 06 December | 00:08
I didn't do it. Someone said "Who wants an account?", and since I didn't have an account, he gave me and some other people the password and we shared it.

The guy told me it wasn't bruteforced. In addition, the account was 5 years old and abandoned. And bear in mind, it's not like mefi accounts have any secret and personal information in them when you log in.
posted by Pretty_Generic 06 December | 00:13
What guy broke into an account for you? If you're guiltless you should be able to say who did this.
posted by AlexReynolds 06 December | 00:24
If you didn't do it, why didn't you mention that when you signed in as spinoza? You said "Your improvements to site security are excellent." but not "sorry, I didn't know it was bruteforced."

And really, that comment about site security gives you away right off. Why would you mention it if you didn't exploit it?
posted by puke & cry 06 December | 00:29
The guy appears to be some sort of leet haxX0r and I wouldn't like to invoke his wrath by outing him here. He's a minor poster.

mathowie knows who it is (as he mentions in the thread), but he's far more interested in disciplining me because he doesn't like me.
posted by Pretty_Generic 06 December | 00:30
He actually said "I eventually tracked down the IP source of the password attempts and found the guy that wrote the script that P_G used."

Meaning that he wrote it, you used it.
posted by puke & cry 06 December | 00:32
I don't know about you, but I'm having fun in MeTa.
posted by Eideteker 06 December | 00:35
If you had just spent the five bucks to create a new account, Matt probably wouldn't have cared. From MeTa:

I knew from the first time I saw posts by the ab'd al'Hazred account that it was Pretty_Generic. Same tone, same jokes, same mannerisms. Which is fine, he's gone through a few sock puppets before

If all you wanted was to post on MeFi again, you could've done that without screwing with the site.
posted by Gator 06 December | 00:36
Read mathowie's comments. mathowie has spoken to the guy who wrote the crack. The guy who wrote the crack is the guy who used the crack, and then gave us the password. Do you think he wrote it as a proof-of-concept for his PhD in mathowie-annoying?

He said there was a "vulnerability in certain old accounts", which I assumed meant he'd gone in and plucked out an ancient password for an empty account, not fed the whole fucking dictionary in over the course of several days.

Why would you mention it if you didn't exploit it?

What else was there to talk about?

I never made any serious effort to pretend I wasn't using the account. I'd like to think if I wanted to do something malicious to MetaFilter I would actually do something malicious rather than just sit around participating in threads.
posted by Pretty_Generic 06 December | 00:37
I'd like to think if I wanted to do something malicious to MetaFilter I would actually do something malicious rather than just sit around participating in threads.

Like cracking the site? Or having someone do it on your behalf?
posted by AlexReynolds 06 December | 00:40
gator, that would certainly seem to be the case, but I didn't realise it. Matt seemed to make it very clear I was permabanned the last time (for revealing that a fake AskMe question was fake, or something like that). He also emailed yesterday to say that ab'd al'Hazred wouldn't be banned, but banned it today.
posted by Pretty_Generic 06 December | 00:40
If this was a friend's site or something, maybe it's not a big deal. But you're now actively fucking with someone's livelihood. Not cool.
posted by AlexReynolds 06 December | 00:43
Alex, please think before you speak. If this was meant to be an aggressive attack, it wouldn't have been used against a near-empty abandoned account.
posted by Pretty_Generic 06 December | 00:43
You're not making any sense. You didn't think you'd get away with opening a new account, so you...got somebody to crack an old one? You didn't think posting using an old account would raise any red flags, but registering for a new account would?
posted by Gator 06 December | 00:45
I apologize you guys, just another porcupine wedged up my anus.
posted by Alex Reynolds 06 December | 00:47
Whatever. You don't get it. (Taz, watch out for your site.)
posted by AlexReynolds 06 December | 00:47
You didn't think you'd get away with opening a new account, so you...got somebody to crack an old one?

YOU ARE NOT READING WHAT I AM WRITING. I did not request the account be hacked. It was hacked by a bored hacker, who came into the chatroom and said "here's the password", and so I (as well as other people) used the password because I couldn't register for an account.

I didn't get a new account because I don't have a debit card because I'm a penniless student.
posted by Pretty_Generic 06 December | 00:48
YOU ARE NOT READING WHAT I AM WRITING.

I... I can't read or write.
posted by Alex Reynolds 06 December | 00:51
Hi, Quonsar.
posted by AlexReynolds 06 December | 00:54
I heart Alex
posted by thirteenkiller 06 December | 00:57
Is it still OK to talk about Metatalk here?

Apparently not.
posted by muddgirl 06 December | 01:14
If this was a friend's site or something, maybe it's not a big deal. But you're now actively fucking with someone's livelihood. Not cool.


Incorrect. This was the coolest way to hack MetaFilter.

What did P_G do, ultimately? Post some articles to the front page that he would have posted anyway. Other than mat's pride, little harm was done.

With 30,000 users someone, eventually, will seriously hack MetaFilter. Better these harmless hacks now before someone comes along and does something really destructive.
posted by The Supreme Dominar 06 December | 01:22
This was the coolest way to hack MetaFilter.

The Unicode username hack was interesting. Most however would not call Pretty_Generic's brute force attack on MetaFilter a "cool hack". Most would call it root kiddies' uninspired cracking, no better than a burglar putting a crowbar into a doorjamb. /shrug
posted by AlexReynolds 06 December | 01:32
+script
posted by AlexReynolds 06 December | 01:33
I didn't call brute forcing a cool hack. I said this was a cool way to do it. That is, have a little fun without seriously disrupting things. And what did we get out of it? A better login system and the closing of a huge frelling hole in the user pages. I mean, if I had ten cents for every time I saw "cross-site scripting" on BugTraq then I'd be rich.

An uncool way to hack MetaFilter would have been to collect about two dozen of these accounts and write scripts to spam the front page, MeTa, and AskMe. And then after the limits were reached go ahead and fill up the comments with junk.
posted by The Supreme Dominar 06 December | 01:38
i miss the days of login/login.
posted by amberglow 06 December | 01:42
A question. Assuming that Pretty_Generic really did want to use MeFi in a benign fashion, why not just buy a $5 account and use an anonymizing proxy like Tor?

Does Matt have some way to defeat that?
posted by teece 06 December | 01:44
P_G Why didn't you just buy a new account rather than using someone else's old one?

I really did think it was an old poster coming back for some reason. Why? I didn't know maybe he thought the site sucked and now they were coming back? That's what happened with me and kuro5hin, my UID there is 135 but I didn't post regularly until there were a ton of members. Or maybe they were just dhoyt or someone who got banned and was using an old sockpuppet of their own. I didn't think someone just stole it.

Maybe I'm just too trusting, but either way, weak.
posted by delmoi 06 December | 02:10
I agree the Unicode username thing was the 'coolest' hack. Unicode usernames are just cool, IMO and the Unicode->faking people's names thing was disruptive (especially in that matt just shut down creating Unicode names before I could think up a cool one) it was the kinda thing that makes you think, a new way of looking at things. Obvious in retrospect, yet so ingenious. Like the phone tap hacks that just got published

(okay, maybe not totally novel, but still)

Anyway, a dictionary attack? To take over other people's old accounts? Fn' weak.
posted by delmoi 06 December | 02:15
Storm, meet teacup.
P_G's a bit of a prankster, but he's not going to do anything malicious. There was a vulnerability, it's been closed. That is all.

The unicode thing was genius. I wish I'd known that when I'd registered my sock puppets mathovvie and y6yby6.
posted by seanyboy 06 December | 03:37
Pretty_Generic, plz not to hax the metachat website with u'r phearsum haxotr powrz

> shut up i hack you
> tell me your network number man then you're dead
> in five minutes your hard drive is deleted
> say goodbye


*Shakes head sadly*

Aw, P_G, I figured you'd be able to come back eventually... Why'd ya do it... why? why?

but, as has been mentioned, it seems that nothing nasty was done, and it did give Matt a chance to sew up some holes before worse could happen...

So who knows.

Please tune in tomorrow to MetaDays of Our Lives.
posted by taz 06 December | 06:19
Yes, but how do you hack the fuckin' gibson already?
posted by stavrosthewonderchicken 06 December | 06:55
or:

Me hack you longtime.
posted by stavrosthewonderchicken 06 December | 07:08
The sad thing is the loss of the cool personalized user pages.
posted by danostuporstar 06 December | 09:21
The sad thing is the loss of the cool personalized user pages.

Yep.

Seanyboy, you were mathovvie? I still can't see that name without laughing out loud.
posted by iconomy 06 December | 09:27
The sad thing is the loss of the cool personalized user pages.

No kidding! Fortunately, the ones that are already personalized appear locked in (at least mine is).
posted by ThePinkSuperhero 06 December | 09:32
So what happened to dhoyt? I missed that whole saga.
posted by sisterhavana 06 December | 09:46
The sad thing is the loss of the cool personalized user pages.

No kidding! Fortunately, the ones that are already personalized appear locked in


:(

I lost mine, because once I saw it had the new banner appearing on top, I went in to make changes, and of course ended up losing the whole thing, since now any style tags get stripped.

I'm really gonna miss that.

sisterhavana: see here
posted by taz 06 December | 09:51
:-( taz
I was lucky- one of my Mefite friends e-mailed me to point it out last night. Thank goodness my user page is perfect and I don't want to make any changes, because it's staying that way for life.
posted by ThePinkSuperhero 06 December | 10:10
Actually, this little drama worked out like it is supposed to in theory.

Fer instance, the federal criminal justice system is focussed on getting the truth out in public.

If you ever find yourself facing federal criminal charges, 1) get a good lawyer, 2) make a complete proffer 3) pray nobody got hurt bad enough that the judge isn't seriously pissed at you.

celit bang: you just ran afoul of misprision. See the preceding paragraph.
posted by warbaby 06 December | 10:31
I think the problem was not that P_G found a way back in to the site, and that he and his friend helped point out a site vulnerability [dictionary attack? please!] but that it happened over the course of a few days, with only hints being given out so that mathowie (and, to a lesser extent, me) were trying to figure out wtf was going on. So, from an admin perspective the problems were:

- creation of an almost all noise account (spinoza) that filled up AskMe with junk that required some attention. subsequent password-sharing of that account filling up MeTa with junk that didn't require too much attention. Watching spinoza reply to ab'd al'Hazred's posts and thinking wtf?
- figuring out the mystery of the ab'd al'Hazred account, knowing it was P_G and not knowing how/why and not knowing why it shared an IP with cillit bang who had always been a valuable MeFite
- wondering what other holes might be around the site and responding to other users saying "I can't login WTF?" as mathowie tried to lock down the site some more, just to make sure things were kosher.
- knowing that there were 4-6 people who had MeFi logins who knew that P_G had this account and *knew how it was done* and hadn't let mathowie or me know feels sort of ooky.
- dealing with P_G's insistent "who me?" replies to all of this.

In short, the site is safer now and no major harm was done, besides the annoying captcha and the loss of customizable user pages. However, dealing with this was a big waste of everyone's time in much the same way that the fake AskMe question was, tracking down IP addresses and paypal logins and keeping a close eye on the flag queue. I know it may not seem like it, but mathowie is light on the banhammer because he's one of those "I really believe people can be good at heart" guys and it's a shame to see that exploited. cillit bang, I am sorry you were caught in the crossfire.
posted by jessamyn 06 December | 10:37
So, the spinoza account filled up askme with junk? Because I didn't know about that. I thought it was mostly benign.

The rest I can definitely see as a pain in the ass... but still, something that had an overall beneficial outcome if it was to patch up insecure stuff with a minimum of damage being done in terms of bringing it to Matt's attention.
posted by taz 06 December | 10:46
jess: This is why misprision is a felony. Secret-keeping can cause a lot of grief.
posted by warbaby 06 December | 10:47
"filled up" may be overkill, but there were lots of jokey noise comments (and very few helpful ones) coming from the spinoza account in AskMe over its short lifetime.
posted by jessamyn 06 December | 10:49
- creation of an almost all noise account (spinoza) that filled up AskMe with junk that required some attention. subsequent password-sharing of that account filling up MeTa with junk that didn't require too much attention. Watching spinoza reply to ab'd al'Hazred's posts and thinking wtf?

spinoza was a paid account; I didn't buy it, I didn't share the password, the vast majority of the comments aren't mine. If spinoza replied to ab'd al'Hazred, it was someone else replying to me.

knowing that there were 4-6 people who had MeFi logins who knew that P_G had this account and *knew how it was done* and hadn't let mathowie or me know feels sort of ooky.

Well, none of us knew how it was done, except the hacker. He was misleading.

I'm sorry that I didn't respond to mathowie's email immediately, because I didn't receive it (my fault). By the time I realised he was asking for me, he knew everything.
posted by Pretty_Generic 06 December | 11:50
As I said, the reason I didn't just buy a new account was because I thought I was permabanned in the eyes of the haughey and would be struck down and the $5 taken. And since I don't have a debit card, it would have to be someone else's $5, which wouldn't be very nice.
posted by Pretty_Generic 06 December | 12:05
taz! You lost your gorgeous user page? That really, really sucks.

And since I don't have a debit card, it would have to be someone else's $5, which wouldn't be very nice.

Or, you know, you could have accepted the fact that you were banned and LET IT GO.
posted by LeeJay 06 December | 12:32
hehehehehehe
posted by Edible Energy 06 December | 12:50
You guys are jerks.
posted by thirteenkiller 06 December | 13:43
I can't even remember what P_G was banned for originally.
posted by grouse 06 December | 14:33
The fake AskMeta question about the guy who got his blind girlfriend's sister pregnant.
posted by ThePinkSuperhero 06 December | 15:17
thirteenkiller is a sock puppet.
posted by quonsar 06 December | 15:24
I started to edit my user page to see if I could make the blue bar vanish. Glad I didn't. heh.
posted by weretable and the undead chairs 06 December | 15:37
I am not!
posted by thirteenkiller 06 December | 17:25
ya, ya i think u r.
posted by Alex Reynolds 06 December | 17:41
P_G, If you want a new account, email me and I'll sort it out for you. No problems. Just give me a username and a password, and I'll do the rest. You'll owe me one of those London price pints, but heh - I guess I'll have won on that deal.
posted by seanyboy 06 December | 17:58
I AM NOT!
posted by thirteenkiller 06 December | 18:03
you might have a better chance getting a new username by not using the firstname/lastname combo of an existing user. just saying.....
posted by jessamyn 06 December | 18:44
Who you talking to, Jessamyn?
posted by thirteenkiller 06 December | 19:15