RTS hacked

[Melvinmeow]

Even on their own site there was 2 differant posts..
The news early yesterday afternoon said the site was hacked. Then a few hrs later they changed it to say it was a "script" error.

Which one was it or was it a combination of both?

Also I know before when I tested your site when it was originally first opened your passwords were in plain text form. (Noticed when one of your staff asked me to test a few pages for injections. Reason I acctually deleted my own account when I saw that.) Perhaps you changed them to be encrypted since then who knows.

Yes, the first notification by PM that our site was hacked, is false - this was not what caused the problem. Also users passwords were never in plain text form, they have always been encrypted.

Never as in NEVER? or Never as in since after the first week you were open?
Like I said I tested some of your scripts like the 2nd day your site was open and passwords were in fact in plain text. So seeing NEVER said by you is apparently a big lie. You may have changed them to be encrypted since then... but saying they were never plain text leads me to distrust you guys even more since you cant even fess up to what I know to be true cause I saw it with my own eyes.

And if you werent sure if you were hacked or whatever... why send a mass pm saying you were? Why not just leave people clueless like you apparently were at the time. You were better off waiting to gather all the facts then to jump the gun and say something happened and then change your comment.

[TheManMKD]

[Buggyme]

Never as in NEVER? or Never as in since after the first week you were open?
Like I said I tested some of your scripts like the 2nd day your site was open and passwords were in fact in plain text. So seeing NEVER said by you is apparently a big lie. You may have changed them to be encrypted since then... but saying they were never plain text leads me to distrust you guys even more since you cant even fess up to what I know to be true cause I saw it with my own eyes.

How did you see it?
I thought they were using the TBDev source code, which by default encrypts users' passwords?

[Melvinmeow]

Never as in NEVER? or Never as in since after the first week you were open?
Like I said I tested some of your scripts like the 2nd day your site was open and passwords were in fact in plain text. So seeing NEVER said by you is apparently a big lie. You may have changed them to be encrypted since then... but saying they were never plain text leads me to distrust you guys even more since you cant even fess up to what I know to be true cause I saw it with my own eyes.

How did you see it?
I thought they were using the TBDev source code, which by default encrypts users' passwords?

Just because it may/may-not be default doesnt mean all those options have to be used or turned on. TBDev source code is only a base to start from. There are often many many lines of code changed once you have completed the initial setup. Removing the md5 encryption is acctually fairly easy. I beleive maybe only 3 pages to remove it fully... and maybe not even more than 20 lines would even need to be removed from those 3 pages.

For instance im sure just because they are using VBulletin here on FST that doesnt mean they havent changed some stuff added/removed some of the basic functions. For example I know they have added other classes that wouldnt be on the default setup. Im sure several functions as well.

Basically you would just have to remove it from the takelogin, the takesignup, and bittorrant (file).

[Something Else]

New poll idea:

Do you trust RTS ???

[MrVictorRivers]

i dont see why an asshole would delete the files/torrents anyway.....i guess thats the thing to do....but still it seems...so.....wrong....i dont.. know...

[TheFoX]

Storing plaintext is way too easy....

Just add a varchar(50) or a text field to the 'users' table, while leaving the hash check still in place. When the member submits the password, and it passes the check against the md5 hash stored in the users row, you then simply update the users row with the content of the password field submitted by the first script.

Now, as to WHY a site would want to store plain text passwords. Well that one is simple... By acquiring your passwords, they hope to gain entry to your accounts at other trackers. This is why it is sooo important to make sure you use a different password for each tracker you use. Simple security.

[walczanin]

Yes, the first notification by PM that our site was hacked, is false - this was not what caused the problem. Also users passwords were never in plain text form, they have always been encrypted.

Never as in NEVER? or Never as in since after the first week you were open?
Like I said I tested some of your scripts like the 2nd day your site was open and passwords were in fact in plain text. So seeing NEVER said by you is apparently a big lie. You may have changed them to be encrypted since then... but saying they were never plain text leads me to distrust you guys even more since you cant even fess up to what I know to be true cause I saw it with my own eyes.

And if you werent sure if you were hacked or whatever... why send a mass pm saying you were? Why not just leave people clueless like you apparently were at the time. You were better off waiting to gather all the facts then to jump the gun and say something happened and then change your comment.

well said MM

[eliteman]

there is a new announcement which says that the problem was the the script was set to delete all torrents older than 3 days, maybe a hacker did that, but they don't know

[dineitdark]

after reading this thing.. i think i won't have a RTS account in the future.. hehe too risky...