Pedophiles of Sluthate AND Lookism (MRZ, Brian Peppers and many more!)


Which user is a bigger faggot?

  • @drz

  • Marijan Siklic


Hello World programs tend to have very little complexity, usually they are not possible to hack, especially if written in a language like C where there isn't an interpreter to target.

So you're indeed saying you couldn't hack a Hello World program? Wow some badass we got here.

You can't hack, but you're certainly a hack.
 
I'm no longer in touch with the friend that taught me about constant time comparison functions, and he never knew I was attracted to JBs, though I doubt he would care seeing as he is a libertarian. The other friend knows I like JBs, and frowns on it, but doesn't particularly give a shit.

Incorrect: pedos have no friends.
 
So you're indeed saying you couldn't hack a Hello World program? Wow some badass we got here.

You can't hack, but you're certainly a hack.

I could implement a hello world program, but actually hacking one would be probably impossible seeing as there is very little complexity. How hackable a program is tends to correlate with how complex it is, something as simple as a hello world program isn't really prone to hacking for the most part.
 
Holy shit guys, we're dealing with a man who can write a Hello World program! This is next level programming.

The most complex thing I implemented was an information theoretically secure cryptographic packet format, though it was a few years ago and I would probably want to redo it today since my programming skills have substantially improved since then. It was functional though.
 
The funniest thing about this is that our L33T H4CK3R DUD3 is consulting us on how to break our own forum. His complaint seems to literally be that our forum is too good for him to break. Why would we want to change that?
He's trying to frighten us but he is really dumb and his hacking attempts are pathetic compared to what we've already weathered
Also he is still unaware that there are a smattering of actual hackers here
 
He's trying to frighten us but he is really dumb and his hacking attempts are pathetic compared to what we've already weathered
Also he is still unaware that there are a smattering of actual hackers here

I'm not trying to frighten you I just got bored and decided to look for exploitable vulnerabilities lol. If there are "real hackers" here I'm sure they will confirm the vulnerability if they know about short circuiting comparison functions, and if they don't then they aren't real hackers.
 
He's trying to frighten us but he is really dumb and his hacking attempts are pathetic compared to what we've already weathered
Also he is still unaware that there are a smattering of actual hackers here

I just like how he tried to regain his smugness by being all "I'M TOTES HACKING YOUR FORUM! BWA HA HA!"

And yet, when he failed, he backpedaled to "Well....I mean, I totes found some exploits....but uh....I'm not gonna do anything about it cause I'm so nice.....yeah, that's it"
 
I'm not trying to frighten you I just got bored and decided to look for exploitable vulnerabilities lol. If there are "real hackers" here I'm sure they will confirm the vulnerability if they know about short circuiting comparison functions, and if they don't then they aren't real hackers.

So this is what you do for fun? "hack" websites of people that dislike you and/or think of you as little more than something to mock?
 
Your sy
The reset token is randomized, but it is compared to user input with === which short circuits on the first mismatch. This means that timing the response allows an attacker to determine how many characters of user input match the stored secret value. Since the secret value doesn't reset on incorrect attempts, you can just keep making guesses and taking timing measurements, and you can keep determining how many leading characters are correct in your guess because each new correct character will result in the function taking slightly longer to return, because it does more computation prior to short circuiting. So the randomized reset token isn't actually as helpful as it appears to be, it can be determined by an attacker as previously described. However, it doesn't let you pick a password, rather it randomly generates one and E-mails it to you. This means that you can't use this flaw to take over a target's account, because passwords are done like

$password_hash = hash("password");
$password_hash === "6b3a55e0261b0304143f805a24924d0c1c44524821305f31d9277843b8a10f4e"


$password_hash is put in the database. When you go to login you send in plaintext (well, link encrypted with tls)

$password = "password";

at this point $password is hashed

6b3a55e0261b0304143f805a24924d0c1c44524821305f31d9277843b8a10f4e

and compared to the string in the database

6b3a55e0261b0304143f805a24924d0c1c44524821305f31d9277843b8a10f4e === 6b3a55e0261b0304143f805a24924d0c1c44524821305f31d9277843b8a10f4e

Although it still short circuits on mismatches, I can't directly control the value because it is the hash value of a password, it doesn't directly use the password, so even if I find a password with collisions like

6baaaaaaaaaaa0304143f805a24924d0c1c44524821305f31d9277843b8a10f4e

and it short circuits on the first mismatch, well, I can't easily pick a new password that hashes to everything that I know is a match + an arbitrary character after that to continue testing. So passwords using a system like this are not weak to timing attacks like this.

However, the session cookie isn't using that logic:



$rememberKey is user provided, and $this->prepareRememberKeyForCookie() returns a hash value from a static database value.

This means that I can keep brute forcing the $rememberKey value and taking timing measurements, and each time it takes statistically slightly longer than before, I can assume I got another character correct and then move on to the next character just like with the password reset token, eventually this will allow me to grab the session key.

It looks like IP checks will fuck me on this though, but actually kiwifarms.net doesn't have IP checks enabled so I don't need to worry about that. I'm still not confident enough to say I'm sure, but due to IP checks on sessions not being enabled, I think this may be enough to hijack sessions when users set a remember me cookie.
You're so full of shit talking about old hax incorrectly. These kinds of timing differences are not even detectable over Tor

Well I knew about constant time comparison because once I implemented a program that used message authentication codes but I compared the MAC with a short circuiting == and a hacker friend told me I had to use a constant time comparison function when comparing against secret data.
Yeah I'm sure you're going to get accurate timings on a modern CPU on a system with hundreds of users... Not only over the internet... But over Tor.

I actually thought you might have been semi skilled before this

I'm not trying to frighten you I just got bored and decided to look for exploitable vulnerabilities lol. If there are "real hackers" here I'm sure they will confirm the vulnerability if they know about short circuiting comparison functions, and if they don't then they aren't real hackers.
show me where the comparison short circuits. I don't even think PHP works like that
 
show me where the comparison short circuits. I don't even think PHP works like that

Over Tor it might be hard to get accurate timings, however I would just use a server in the same data center (connected to over Tor) if I really wanted to do this, though I don't want to do it that much lol. You do have a point there though.

PHP and virtually all languages short circuit on == and ===, you should really know that because it is vital to secure programming, particularly in cryptography but really in all things.

Here is a link a leet hacker friend suggested to me when I mentioned this attack

https://media.ccc.de/browse/congress/2012/29c3-5044-en-time_is_not_on_your_side_h264.html#video

here is a quick overview

http://codahale.com/a-lesson-in-timing-attacks/
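
For reference on the comparison issue argued over in the posts above, here is the weak `===` check next to a hardened reset-token check. This is an added example, not part of any post and not the forum software's own code; the function names, the array-based store and the attempt and expiry limits are hypothetical.

```php
<?php
declare(strict_types=1);

// Hypothetical helper names and limits; not the forum software's own API.
const MAX_FAILED_ATTEMPTS = 5;
const TOKEN_TTL_SECONDS = 3600;

// Weak form discussed in the thread: === is not a constant-time comparison.
function verifyWeak(string $storedToken, string $submitted): bool
{
    return $storedToken === $submitted;
}

// The user receives $token; the store keeps only its SHA-256 hash.
function issueResetToken(array &$store, string $userId, int $now): string
{
    $token = bin2hex(random_bytes(32));
    $store[$userId] = ['hash' => hash('sha256', $token),
                       'expires' => $now + TOKEN_TTL_SECONDS, 'failed' => 0];
    return $token;
}

function verifyResetToken(array &$store, string $userId, string $submitted, int $now): bool
{
    if (!isset($store[$userId]) || $now > $store[$userId]['expires']) {
        unset($store[$userId]);
        return false;
    }
    // Hash the input first so the compared bytes are not chosen by the caller,
    // then compare with hash_equals(), which runs in constant time.
    if (hash_equals($store[$userId]['hash'], hash('sha256', $submitted))) {
        unset($store[$userId]);   // single use
        return true;
    }
    // Invalidate after repeated failures so the secret does not stay fixed.
    if (++$store[$userId]['failed'] >= MAX_FAILED_ATTEMPTS) {
        unset($store[$userId]);
    }
    return false;
}

// Constructed demo values.
$store = [];
$token = issueResetToken($store, 'user-1', 1000);
var_dump(verifyResetToken($store, 'user-1', 'wrong-guess', 1001));
var_dump(verifyResetToken($store, 'user-1', $token, 1002));
var_dump(verifyResetToken($store, 'user-1', $token, 1003));
```

The same `hash_equals()` call applies to any comparison of a caller-supplied value against a stored secret, such as a remember-me cookie key or a MAC.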
 
Over Tor it might be hard to get accurate timings, however I would just use a server in the same data center (connected to over Tor) if I really wanted to do this, though I don't want to do it that much lol. You do have a point there though.

PHP and virtually all languages short circuit on == and ===, you should really know that because it is vital to secure programming, particularly in cryptography but really in all things.

Here is a link a leet hacker friend suggested to me when I mentioned this attack

https://media.ccc.de/browse/congress/2012/29c3-5044-en-time_is_not_on_your_side_h264.html#video

here is a quick overview

http://codahale.com/a-lesson-in-timing-attacks/

lol at the insistence that you have friends.

Is this friend the same stuffed animal that made you think you're a hacker?
 
Is there a point to continuously banning @mrz, @zrm, @drz, or whatever proxy he uses next? I'm all for giving him the death penalty, but this doesn't seem very effective.

Has he been posting CP, links to CP, or ambiguous CP he faps to anyway? I know he's done that at least twice before on this site, but he just keeps coming back.

Is there a way to block his account from the ability to link webpages or pics? Because if there is, maybe that'd settle all the problems we can manage without knowing his real name, address, and where the nearest "problem solver" is within his vicinity.
 
Is there a point to continuously banning @mrz, @zrm, @drz, or whatever proxy he uses next? I'm all for giving him the death penalty, but this doesn't seem very effective.
Since accounts need to be accepted here it's really annoying and pathetic to have to keep making accounts to post and it probably drives him nuts. I like it.

Uhm, no it wouldn't make me human, it would make me the thing that comes after human. All life on Earth shares a common ancestor, using your logic all life on Earth is the same species.

Yes I must reproduce in order to overtake the human population, this is going to be challenging seeing as I'm not certain it's possible for my species to reproduce with humans, and we are so few in number.
I didn't feel like reading through all 20 pages I missed but does this come up again? He thinks he's X-Men and understands less about evolution than my grandparents, it's so funny. Can anyone link me to any textwalls he's written on the subject?
 