
Cheapassgamer site hacked

Pretty sure every version of any software has known security problems
No shit.
Again, I don't think Cheapy does any of the technical stuff. He pays another guy to do all that. Cheapy is ultimately responsible since he owns the site but it's for picking the wrong guy to program and run it, not keeping the patches up-to-date, etc. "Super Programmer John" is the one who screwed up and Cheapy will pay the price.
Yeah, it's fair to put it on John, but like you said, Cheapy is ultimately responsible for whatever John did. Or didn't do. Pretty aggravating all around.
 

hitsugi

Member
Come on man that isn't cool.


So is the "Hacker" saying he's doing this because the site security is crap?

They said it was the third warning in that image that was posted. Often times if a security vulnerability is discovered, the person who found it will report it and wait a certain amount of time to see if it has been addressed. If it does not get addressed, they will either:

1. issue another warning
2. expose the vulnerability to the public
3. take the whole site down

Number 2 is somewhat common if they continue to be ignored as it is better to force the person/business' hand in fixing it rather than waiting for someone else to discover the vulnerability and actually take advantage of it. In this case, it's one of the worse scenarios but it's not the worst. If the PWs get dumped online, then yeah.. worst case I suppose.
 

kamakazi5

Member
Really sucks for Cheapy and I hope this gets resolved soon. Also, not to say it would have stopped the other hacks but why would you ever use any form of the word "impossible" when making a statement regarding information? That's just inviting more attacks.
 

DragoonKain

Neighbours from Hell
Cheapy may be responsible for his site, but he is still a victim in this. If you leave the door to your house unlocked and a burglar comes in, the burglar is still responsible for the crime. The home owner may have made a mistake, but they are still a victim in that they were burglarized.

Everyone involved with the site is a victim, and this idiot hacker is the person to blame.
 

DeepEnigma

Gold Member
Cheapy may be responsible for his site, but he is still a victim in this. If you leave the door to your house unlocked and a burglar comes in, the burglar is still responsible for the crime. The home owner may have made a mistake, but they are still a victim in that they were burglarized.

Everyone involved with the site is a victim, and this idiot hacker is the person to blame.

This.
 
Cheapy may be responsible for his site, but he is still a victim in this. If you leave the door to your house unlocked and a burglar comes in, the burglar is still responsible for the crime. The home owner may have made a mistake, but they are still a victim in that they were burglarized.

Everyone involved with the site is a victim, and this idiot hacker is the person to blame.
Poor comparison really. The problem here is that Cheapy leaving the door open to the house allowed for more victims than just him. And he and John are ultimately responsible for any loss of data and information that gets out.
 

hitsugi

Member

Is an opinion. Responsible for the site = responsible for what happens on the site after being provided multiple warnings of things that should be addressed.

This is in no way comparable to someone leaving the door to their house unlocked and being robbed.
 

DragoonKain

Neighbours from Hell
Poor comparison really. The problem here is that Cheapy leaving the door open to the house allowed for more victims than just him. And he and John are ultimately responsible for any loss of data and information that gets out.

The same could apply to my example if the home owner has children, or personal information about other people/relatives.

Plus, I doubt he did something as stupid as making the password to the access "1234". Diligent hackers find ways to get into places if they are dedicated enough. It may be more the fault of the hosting service than the people who run it. We don't know the facts, so it's hard to point the finger.
 

mollipen

Member
Again, I don't think Cheapy does any of the technical stuff. He pays another guy to do all that. Cheapy is ultimately responsible since he owns the site but it's for picking the wrong guy to program and run it, not keeping the patches up-to-date, etc. "Super Programmer John" is the one who screwed up and Cheapy will pay the price.

Absolutely irresponsible for anyone who runs a major forum to not have it updated to the latest version. Sure, it costs a bit of money, but given that site is what's making Cheapy his money, he needs to spring for it. If the forums indeed weren't kept up to date, it's 100% his fault (since, at the end of the day, it's his website).
 
As much as I love the CAG guys, whatever their IT dude is doing with the site clearly isn't sufficient. It feels like it's not even up long enough between hackings for me to get in there and reset my password or even contemplate deleting my account.

I would think that taking down the server long enough to completely review and then either update or remove all the software on it would be warranted at this point (and was warranted after even the first attack). I don't know how far they've gone so far, but clearly it wasn't sufficient. It's beginning to look like they're in over their heads on matters of web security, sadly.
 

DragoonKain

Neighbours from Hell
because your forum still works when you run it on an old ass version that's easily exploitable you should?

You know the specific details on how the site was hacked? It could be something totally unrelated for all we know.

Before coming down on Cheapy, wouldn't it be wise to wait for specific details should they come to light?
 
You know the specific details on how the site was hacked? It could be something totally unrelated for all we know.

Before coming down on Cheapy, wouldn't it be wise to wait for specific details should they come to light?

I'm not coming down on anyone. But the person running the site always has some responsibility. It was hacked, what, 4 times in one day now?
 

v0yce

Member
Absolutely irresponsible for anyone who runs a major forum to not have it updated to the latest version. Sure, it costs a bit of money, but given that site is what's making Cheapy his money, he needs to spring for it. If the forums indeed weren't kept up to date, it's 100% his fault (since, at the end of the day, it's his website).

Can you explain how the hacker has 0% responsibility?

Like, how does this work in your brain? Hackers have the right to hack whatever they want if it's not the latest version of particular software?
 
Can you explain how the hacker has 0% responsibility?

Like, how does this work in your brain? Hackers have the right to hack whatever they want if it's not the latest version of particular software?
He's got a point somewhat. If you leave your house unlocked, it doesn't give the burglar a right to enter your house. But leaving your house unlocked is a pretty stupid thing to do. And yes, victim blaming.
 

DragoonKain

Neighbours from Hell
Can you explain how the hacker has 0% responsibility?

Like, how does this work in your brain? Hackers have the right to hack whatever they want if it's not the latest version of particular software?

This line of thinking takes the onus off the attacker and promotes more of these people to commit these acts if they aren't being held responsible. If lack of updating (big if) is what caused this, sure it may be stupidity, but stupidity is not a crime.
 
Absolutely irresponsible for anyone who runs a major forum to not have it updated to the latest version. Sure, it costs a bit of money, but given that site is what's making Cheapy his money, he needs to spring for it. If the forums indeed weren't kept up to date, it's 100% his fault (since, at the end of the day, it's his website).

I agree but my point is that the actual running of the site is handled by a contractor. From the way he talks on the podcast, the contractor handles the technical things completely. Cheapy probably doesn't even think about whether there are updates, etc. Not trying to absolve anyone of guilt, but I keep seeing people post things that imply Cheapy runs and maintains the site/servers themselves. This is not the case and it's an important distinction, IMO. Personally, I'm less mad at Cheapy as a result of that information and more upset with the contractor.
 
Can you explain how the hacker has 0% responsibility?

Like, how does this work in your brain? Hackers have the right to hack whatever they want if it's not the latest version of particular software?
No one is saying the hacker has zero responsibility. We're saying they're both responsible.

Hacking? Criminal offense. Negligent IT handling of security and private data? Also a lawsuit waiting to happen.
 

inm8num2

Member
Hacker attacking the site is an asshole and shouldn't be doing it regardless of security vulnerabilities. Cheapy should be taking all necessary precautions to keep the site updated and protected against attacks. If he needs to hire more web/security devs, then hopefully he is able to do that. If CAG was using older software with more security flaws, then it's quite valid to criticize that, and doing so is not the same as saying Cheapy deserves to have his site attacked or taking away responsibility from the perpetrator of these attacks. I wish him and his devs all the best in resolving this situation.
 

Cheerilee

Member
He's got a point somewhat. If you leave your house unlocked, it doesn't give the burglar a right to enter your house. But leaving your house unlocked is a pretty stupid thing to do. And yes, victim blaming.

It's not even leaving the house unlocked, they're just not keeping up with lock technology.

Did you know that you can enter just about any home in America in two seconds using a bump key? Everyone in America should upgrade their fucking locks, like, today, otherwise criminals should start breaking into houses just to teach people a lesson.

And hey, those people who upgraded to bump-proof SmartKey locks? You can break through those in five seconds with just a screwdriver and a wrench. Time to attack everyone in America again.
 

DeepEnigma

Gold Member
Is an opinion. Responsible for the site = responsible for what happens on the site after being provided multiple warnings of things that should be addressed.

This is in no way comparable to someone leaving the door to their house unlocked and being robbed.

What you just said is an opinion. Both the site admin/owner, and community are victims. No matter how hard you try and 'justify' it happening. Especially when you know none of the details. All speculation at this point.

One being irresponsible does not make them any less a victim of people who know right from wrong, lol.
 

Saucey

Neo Member
this is a massive website.

 

MechaX

Member
Personally, before we even get to the discussion of the adequacy or inadequacy of the site's security, look at the person who continues to hack the site for no discernible motive.
 
Absolutely irresponsible for anyone who runs a major forum to not have it updated to the latest version. Sure, it costs a bit of money, but given that site is what's making Cheapy his money, he needs to spring for it. If the forums indeed weren't kept up to date, it's 100% his fault (since, at the end of the day, it's his website).

Who cares about some emails and passwords to some discussion forum? Doesn't matter in the least.

Even if for some reason you had your credit card on there you just get refunded who cares. Almost everyone has their precious "information" exposed at some point. It's just bits on a server.
 
Few things to keep in mind, this is a massive website.




They run ads, so they for sure have some cash rolling in, and with traffic like that, unless they are using Google AdSense or some other obscure ad provider, they are probably doing pretty well.

They need to:

1. Make sure their software is up to date. This is probably how this all started. They were literally using a version of their forum software from early 2014. Almost every forum company offers free security updates to users with a valid license of their product, so they clearly just were not doing it. There have been multiple public announcements of bugs in the version they were using and those after it.

2. Pay for a 3rd party service like Incapsula that has a firewall, and malware protection. For what they need it is going to be $200/$300 a month, which is a small price to pay considering what just happened.

3. Hire a server admin with a focus on security.



No security is obviously 100% bulletproof, but this was probably as easy as googling an exploit for the older version that CAG had displayed (for some reason) at the bottom of their forum, and following directions.

I don't want to comment on their security or anything until we know more, but isn't it strange that CAG's popularity went down during the winter months? You'd assume around Black Friday is when the site would peak.
 

foltzie1

Member
Personally, before we even get to the discussion of the adequacy or inadequacy of the site's security, look at the person who continues to hack the site for no discernible motive.

Sorry, while I would be happy to see that guy arrested, criticizing the site owner for running a lousy shop is fair game too.

People are capable of two lines of thought at once.
 
I don't want to comment on their security or anything until we know more, but isn't it strange that CAG's popularity went down during the winter months? You'd assume around Black Friday is when the site would peak.

I imagine all game centric sites dip in the holidays because people spend time playing games more and are busy with holiday activities.

Fallout 4 even affected that one porn site, reducing traffic.

Majority of the good deals happen in the first 6 months of the year too.
 

MechaX

Member
Sorry, while I would be happy to see that guy arrested, criticizing the site owner for running a lousy shop is fair game too.

People are capable of two lines of thought at once.

If you are going to be an asshole about it, sure, of course you can criticize the owner at the same time. Of course, the owner tries to make steps to correct the issue and the hacker continues because reasons. It kind of makes any continued dialog and discourse about what CheapyD could have done in the past (in which we still don't know exactly how this hack happened in the first place) somewhat outweighed if you have someone who is actively and continuously trying to impede progress and efforts to correct the problem.
 

tebunker

Banned
Well, it looks like they are back up. But it's not even 100% sure who was doing the follow-up and repeat attacks; the forums say that it was just someone who kept throwing scripts at the server looking for vulnerabilities and they've been patching them.

We'll see. Hopefully this gets David to put in some more security; it's a big, popular site, and a worthwhile one too.
 
I don't want to comment on their security or anything until we know more, but isn't it strange that CAG's popularity went down during the winter months? You'd assume around Black Friday is when the site would peak.

Seasonal deal sites probably take a good chunk of their traffic along with people buying less for themselves during that time.
 
Few things to keep in mind, this is a massive website.




They run ads, so they for sure have some cash rolling in, and with traffic like that, unless they are using Google AdSense or some other obscure ad provider, they are probably doing pretty well.

They need to:

1. Make sure their software is up to date. This is probably how this all started. They were literally using a version of their forum software from early 2014. Almost every forum company offers free security updates to users with a valid license of their product, so they clearly just were not doing it. There have been multiple public announcements of bugs in the version they were using and those after it.

2. Pay for a 3rd party service like Incapsula that has a firewall, and malware protection. For what they need it is going to be $200/$300 a month, which is a small price to pay considering what just happened.

3. Hire a server admin with a focus on security.



No security is obviously 100% bulletproof, but this was probably as easy as googling an exploit for the older version that CAG had displayed (for some reason) at the bottom of their forum, and following directions.
All I'll say is: it's easy to be an armchair analyst. Nobody here likely knows the details related to why CAG was doing things the way they were, so we shouldn't judge. I agree that websites should take care of their users' personal information, and I hope that CAG fully recovers from this. If they can learn something along the way, even better.

Edit: 200th post!
 

mollipen

Member
Can you explain how the hacker has 0% responsibility?

Like, how does this work in your brain? Hackers have the right to hack whatever they want if it's not the latest version of particular software?

Is this seriously something that has to be explained? Of course the hacker is at fault. Bad people are going to do bad things. We know that. So responsibility then lands on the shoulders of people on the other side to make sure bad things happening is minimized, and that's what is being discussed. At that point, I'm saying I'd place the blame fully on him.


I agree but my point is that the actual running of the site is handled by a contractor. From the way he talks on the podcast, the contractor handles the technical things completely. Cheapy probably doesn't even think about whether there are updates, etc.

Yeah, it's absolutely up to the contractor to keep up with these things, and if this were the case of being a bigger company, I'd of course not expect the CEO to keep track of if all of their software is up to date or not. But, so far as I know, CAG is still the way CheapyD makes all of his income—and if that's the case, I'm making damn sure I know if my website is up to date software-wise or not. That's something you check in on with the contractor on a weekly or bi-weekly basis. Ten-minute Skype voice call, make sure everything is okay, make sure back-ups are up to date and software updated. Or, you have the contractor have a file detailing when things were last updated or backed up.

Last I knew, he was making six figures off the site. Not sure if that's still the case, but damn, I'm going into overdrive paranoia mode about the website that's making me that kind of cash and letting me live the lifestyle I want if I'm in his place.

He's human, though. We all are. People make mistakes. Forum software being 1+ years old is completely unacceptable at this level, however, and he absolutely, positively should take interest in that. I'm also, BTW, very aware of how difficult it can be to update forum software if you've done any kind of customization to it. I've been there personally. Still, it has to happen. I was running a little nothing of a message forum and even we got hit. Of course a place like CAG is going to be a huge, huge target.


Who cares about some emails and passwords to some discussion forum? Doesn't matter in the least.

It absolutely does matter. Any leaking of or weakness in the storage of our digital information is hugely important, and saying it isn't is scary.
 

zulux21

Member
Few things to keep in mind, this is a massive website.




They run ads, so they for sure have some cash rolling in, and with traffic like that, unless they are using Google AdSense or some other obscure ad provider, they are probably doing pretty well.

CAG could get $0 from ads and still be fine.
They are affiliates for a number of sites (such as Amazon) and have software in place to convert all links on their site into affiliate links, thus every time you buy something from a link on CAG they get like 2-5% of that sale.

It's sad the hack happened. I've got a burner password on the site so I don't care... I am just annoyed that their stay signed in doesn't seem to be working. I have to log back in every few hours.
 

entremet

Member
CAG could get $0 from ads and still be fine.
They are affiliates for a number of sites (such as Amazon) and have software in place to convert all links on their site into affiliate links, thus every time you buy something from a link on CAG they get like 2-5% of that sale.

It's sad the hack happened. I've got a burner password on the site so I don't care... I am just annoyed that their stay signed in doesn't seem to be working. I have to log back in every few hours.

Cheapy actually didn't have ads for a good number of years and it was enough to sustain himself financially.
 