Life In 19x19

The website got completely defaced today...

It was already hacked on 21. february. I guess they don't care about security much.

Im actually quite surprised at this. Go4Go was affected the same way which can say this was pretty targeted.

Specially because there is really no motivation whatsoever to "hack" a site like GoSensations, which has absolutely no security value whatsoever.

hermitek wrote:It was already hacked on 21. february. I guess they don't care about security much.

That's likely not the issue here.
This are go websites after all, so they are not run by professional web developers and big companies. I wouldn't be surprised if they didn't know how the attackers got those privileges on the first place.

Kaya.gs wrote:Im actually quite surprised at this. Go4Go was affected the same way which can say this was pretty targeted.

Specially because there is really no motivation whatsoever to "hack" a site like GoSensations, which has absolutely no security value whatsoever.

That's why security by obscurity is a failed idea. I hope that is considered for your website.

Security by obscurity is not the issue here (and usually in most web attacks): any web page online can be hacked. My Google account could be compromised, my VPS server could be compromised. And there's no obscurity roaming around: I have a Google account (obviously), and my VPS runs Arch Linux (although I use a high entropy, long passphrase)

For those that have said that x is likely not the issue here, what do you suppose the issue was? A hacker practicing, goofing off, or a kid that lost his last game on kgs by a half moku and was pissed at the go world?

Brodie, it was probably someone running an automated server scanner probably tied to an automated hacking tool. If the server is unprotected, bam. No need for it to be a go player, know the site or anything: you just run it against a list of IPs and a bell rings when one server can be hacked.

Security by obscurity is a way to secure a site (or something) just not telling how it was done. For example, if you use a custom built operating system or webserver stack (one you did in your spare time), it is only secure because no-one has cared to look at how to crack it, not because it is top-notch secure.

RBerenguel wrote: ...No need for it to be a go player...

'Cept that his hack included a message that he had also hacked a series of go-related websites.

It was a message in the RSS feeds/subsections. I thought that "hacked" was referring to these parts. Also afaik KGS has never been hacked.

Seems to have happened again, but under the Tygem section, and this time with the signature of Anonymous. Unless, of course, this is an April Fool's joke by Go Sensations lampooning their security problems a little while back. I'm not sure, neither of them quite seem to make sense...

It's a legit breach. The intruder claiming to be "anonymous" (what a joke) is actually some noob who is in effect using gosensations to generate money using a bitcoin javascript miner.


edit: effectively > in effect

balistic wrote:It's a legit breach. The intruder claiming to be "anonymous" (what a joke) is actually some noob who is effectivly using gosensations to generate money using a bitcoin javascript miner.

Noob question: what does this mean? How can those "anonymus we are legion"-posts make money?

They can't make money, it's FUD. This strategy would be less effective than changing the homepage to a Paypal link that says "please send me money, thanks."

So it is not effectively generating any money then?

I am still curious about what the strategy is. How does someone believe he will make money by posting on gosensations, I can't come up with a strategy that would work even in the imagination of the most delusional. I have no idea about any of this. It's as mysterious to me like ko to a 30 kyu.