Pedophiles of Sluthate AND Lookism (MRZ, Brian Peppers and many more!)

  • Thread starter Thread starter JU 199
  • Start date Start date
  • 🏰 The Fediverse is up. If you know, you know.
  • Want to keep track of this thread?
    Accounts can bookmark posts, watch threads for updates, and jump back to where you stopped reading.
    Create account

Which user is a bigger faggot?

  • @drz

  • Marijan Siklic

Results are only viewable after voting.
A deviant, voluptuous woman walks into a coffee shop near Z's house. She shares all of his world views and is looking for any boyfriend-for-life who shares her unpopular views on pedophilia and patriarchy. She sighs, will anybody ever approach her?

Meanwhile, Z is impotently trying to break password security on a forum that called him names. She leaves the coffee shop, never to return.
 
Moogsy said:
A deviant, voluptuous woman walks into a coffee shop near Z's house. She shares all of his world views and is looking for any boyfriend-for-life who shares her unpopular views on pedophilia and patriarchy. She sighs, will anybody ever approach her?

Meanwhile, Z is impotently trying to break password security on a forum that called him names. She leaves the coffee shop, never to return.
Click to expand...
Their act was called the aristocrats.
 
The funniest thing about this is that our L33T H4CK3R DUD3 is consulting us on how to break our own forum. His complaint seems to literally be that our forum is too good for him to break. Why would we want to change that?
 
DrChristianTroy said:
Now that he's banned is there any chance we can ban talk of hacking and all that nerd shit? Shit's spergy as fuck and mad boring.
Click to expand...
geekboy400 said:
but it proves that mrz has mad HACKZERS SKILLZ
Click to expand...

But we just hacked into a live feed of what Mr.Z is doing

grBsd2g.png


FarmHack-wh1p0g.jpg
 
Moogsy said:
A deviant, voluptuous woman walks into a coffee shop near Z's house. She shares all of his world views and is looking for any boyfriend-for-life who shares her unpopular views on pedophilia and patriarchy. She sighs, will anybody ever approach her?

Meanwhile, Z is impotently trying to break password security on a forum that called him names. She leaves the coffee shop, never to return.
Click to expand...

Implausible. Tits are too developed for Mrz's tastes.

Hey Mrz. Are these the uber 1337 skills that keep you safe from the FBI? I know @CatParty asked for proof that you were some skilled haxx0r, but I think this is too embarrassing to count.
 
Aw, I missed out on mrz thinking he "hacked" new user confirmations and then his realization he didn't. :( I'm a huge fan of how, when he fails, he says "well, there must be another layer of security I need to get through..."
 
Alright MrZ, you've been talking a lot of shit and I just waded through around 20 pages of your uninformed technobabble. It really is obvious how much of an amateur you are, and how insecure you really are, in both life and online. You use a lot of the correct terms, but you use them incorrectly and when called upon to explain them, you can't. It's obvious that like others have said, you're just googling trade terms and attempting to pass them off as your own knowledge.

I have yet to see anything that implies you know anything about what you're talking about. You claim the FBI are all script kiddies, well, it would appear that you are the thing you claim to hate about them, because every single thing you've ever mentioned can be found most anywhere, using about 5 minutes of googling.

In short, you still don't know a goddamn thing about what you're talking about. You're a hopeless loser and your one claim to fame, that you know anything at all about infosec, is laughably disprovable because of your primitive understanding of protocol and topologies. Your "multiple layers of isolation" are a joke and anyone with serious intent could crush your supposed setup (which I doubt even exists, considering you haven't shown any proof at all, anywhere of it, which is interesting considering you are so desperate for attention that you'd have posted all about it by now if you had something like that in place). So your failure is three-fold: first, to spout a bunch of jargon incorrectly and out of sequence, second, to create a topology that wouldn't even work correctly provided it existed, and three, to assume that the FBI, to say nothing of those of us here with real security and technical experience, couldn't crush you like an egg carton within minutes.

One final point: your assumption that you would be safe in so-called "free" countries forgets one thing: they are free countries, right? That means they're free to disappear you without warning or sanction, leaving not a trace of your existence. All you'd have to do is piss off the wrong person, something you're very very good at. Be sure to renounce your citizenship when you leave, ok? Don't want to leave any loose ends, after all. :D
 
flossman said:
Aw, I missed out on mrz thinking he "hacked" new user confirmations and then his realization he didn't. :( I'm a huge fan of how, when he fails, he says "well, there must be another layer of security I need to get through..."
Click to expand...

Maybe he can get his friends from Infosec and the FBI to help. The guy is basically the nerd version of the Navy Seal copypasta.
 
Well there was another layer, timing leaks in account reset logic allow retrieval of the account reset code, but then it just E-mails the new password to the registered E-mail address. Right now I'm looking at this

public function loginUserByRememberKeyFromCookie($userId, $rememberKey, $auth = null)
{
if ($auth === null)
{
$auth = $this->getUserAuthenticationRecordByUserId($userId);
}

if (!$auth || $this->prepareRememberKeyForCookie($auth['remember_key']) !== $rememberKey)
{
return false;
}

return true;
}
Click to expand...

public function loginUserByRememberCookie($userCookie)
{
if (!$userCookie)
{
return false;
}

$userCookieParts = explode(',', $userCookie);
if (count($userCookieParts) < 2)
{
return false;
}

$userId = intval($userCookieParts[0]);
$rememberKey = $userCookieParts[1];
if (!$userId || !$rememberKey)
{
return false;
}

$auth = $this->getUserAuthenticationRecordByUserId($userId);
$loggedIn = $this->loginUserByRememberKeyFromCookie($userId, $rememberKey, $auth);
if ($loggedIn)
{
return $userId;
}
else
{
return false;
}
}
Click to expand...

public function getUserAuthenticationRecordByUserId($userId)
{
return $this->_getDb()->fetchRow('

SELECT *
FROM xf_user_authenticate
WHERE user_id = ?

', $userId);
}
Click to expand...

public function prepareRememberKeyForCookie($rememberKey)
{
return sha1(XenForo_Application::get('config')->globalSalt . $rememberKey);
}
Click to expand...

It's hashing a value from the database and then doing a short circuiting comparison of the hash value versus the raw user input, my initial impression is that a timing attack can reveal the hash value and then the cookie string can simply be set to the hash value since that part isn't being hashed by the forum software, at first glance it looks like this may allow hijacking of user sessions if they check the remember me box, though I'm not sure of this yet.
 
TheIceCreamMan said:
One final point: your assumption that you would be safe in so-called "free" countries forgets one thing: they are free countries, right? That means they're free to disappear you without warning or sanction, leaving not a trace of your existence. All you'd have to do is piss off the wrong person, something you're very very good at. Be sure to renounce your citizenship when you leave, ok? Don't want to leave any loose ends, after all. :biggrin:
Click to expand...

That's my favorite part about Mrz. He assumes that cause it's not against the law it means that the countries are paradises where people will welcome him with open arms and let them openly fondle and ogle their kids. One of the benefits of living in AmeriKKKa and its fascist laws is that you're much less likely to be found dead in a ditch thanks to a mob of vigilante parents once they find out how much of a creep you are.

Ruin said:
Maybe he can get his friends from Infosec and the FBI to help. The guy is basically the nerd version of the Navy Seal copypasta.
Click to expand...

I was getting a distinct whiff of Darqwolff from his posts myself.
 
shittywhat said:
Well there was another layer, timing leaks in account reset logic allow retrieval of the account reset code, but then it just E-mails the new password to the registered E-mail address. Right now I'm looking at this









It's hashing a value from the database and then doing a short circuiting comparison of the hash value versus the raw user input, my initial impression is that a timing attack can reveal the hash value and then the cookie string can simply be set to the hash value since that part isn't being hashed by the forum software, at first glance it looks like this may allow hijacking of user sessions if they check the remember me box, though I'm not sure of this yet.
Click to expand...

Wow you can right click and select "view page source" We're all in awe of your technical prowess.
 
They got the logic correct with passwords, the raw password is hashed and compared to a hash in the database, so even if timing leaks part of the stored hash value in the database, you still need to reverse it to get the correct password to feed (and indeed for timing to reveal the entire password hash, you need to know passwords that hash to each hash[x] character sequence), but they apparently fucked up the logic when it comes to the remember me string in the cookie, because you can use a timing attack to get the hash value it is compared against, but then you just feed it the raw string so there is nothing to reverse.

Ruin said:
Wow you can right click and select "view page source" We're all in awe of your technical prowess.
Click to expand...

Well I'm actually looking at the php which isn't revealed with view page source lol.
 
shittywhat said:
Well I'm actually looking at the php which isn't revealed with view page source lol.
Click to expand...

So you opened the page source, grabbed the location of the php document from the document links, and then went directly to the php file's location. I'm so proud of you.

Can we not ban this alt? At least for now? Watching him crawl his way through baby's first hack is pretty funny.
 
Last edited:
shittywhat said:
They got the logic correct with passwords, the raw password is hashed and compared to a hash in the database, so even if timing leaks part of the stored hash value in the database, you still need to reverse it to get the correct password to feed (and indeed for timing to reveal the entire password hash, you need to know passwords that hash to each hash[x] character sequence), but they apparently fucked up the logic when it comes to the remember me string in the cookie, because you can use a timing attack to get the hash value it is compared against, but then you just feed it the raw string so there is nothing to reverse.
Click to expand...

Whatever happened to " I write security tutorials for the FBI?" A brilliant hacker like yourself is stumped by standard website security?
 
sugoi-chan said:
So you opened the page source, grabbed the location of the php document from the document links, and then went directly to the php's location. I'm so proud of you.

Can we not ban this alt? At least for now? Watching him crawl his way through baby's first hack is pretty funny.
Click to expand...

No I actually grabbed the source code from github and dug around through it looking at areas to do with login, authentication, passwords, etc. I'm pretty sure they fucked up the remember me cookie logic, because a timing attack here

$this->prepareRememberKeyForCookie($auth['remember_key']) !== $rememberKey)

can reveal the value of

$this->prepareRememberKeyForCookie($auth['remember_key'])

because you can arbitrarily set

$rememberKey

and time the return, and then you can just keep getting closer and closer until it is === and then it seems like it will log you in as that user.
 
shittywhat said:
No I actually grabbed the source code from github and dug around through it looking at areas to do with login, authentication, passwords, etc. I'm pretty sure they fucked up the remember me cookie logic, because a timing attack here

$this->prepareRememberKeyForCookie($auth['remember_key']) !== $rememberKey)

can reveal the value of

$this->prepareRememberKeyForCookie($auth['remember_key'])

because you can arbitrarily set

$rememberKey

and time the return, and then you can just keep getting closer and closer until it is === and then it seems like it will log you in as that user.
Click to expand...

Then why haven't you logged in as me yet?
 
shittywhat said:
No I actually grabbed the source code from github and dug around through it looking at areas to do with login, authentication, passwords, etc. I'm pretty sure they fucked up the remember me cookie logic, because a timing attack here

$this->prepareRememberKeyForCookie($auth['remember_key']) !== $rememberKey)

can reveal the value of

$this->prepareRememberKeyForCookie($auth['remember_key'])

because you can arbitrarily set

$rememberKey

and time the return, and then you can just keep getting closer and closer until it is === and then it seems like it will log you in as that user.
Click to expand...

logo-large.png
 
You must log in or register to reply here.
Back
Top Bottom