huh, $2a$ is... blowfish? is that without salt? what is 12, the salt??

don't mind me i just realized bcrypt was named after fucking blowfish

the attacker is opening github issues 😂

> I noticed in your blog post that you were talking about doing a postmortem and steps you need to take. As someone who is intimately familiar with your entire infrastructure, I thought I could help you out.
[then about ssh agent forwarding, and principle of least privilege]

matrix thing (content warning, post collapsed)

matrix thing, signing keys in prod (content warning, post collapsed)

@er1n @CobaltVelvet yeah. They got owned earlier because they didn't patch something, then they shut down everything for a few hours, then they made a blog post explaining what happened, and apparently they didn't do a very good job kicking the attacker out before restoring service...

@CobaltVelvet 2a would be bcrypt, and 12 would be the cost factor (basically you can adjust how much cpu/memory it uses and 12 corresponds with a factor of 2^12)

@femto @CobaltVelvet indeed, and I had to research it too, as it appears the outputs of different hash algorithms are parsed differently in unix:

“The Blowfish hashing scheme uses the second subfield to indicate the logarithm base two of the number of rounds and concatenates the 128-bit salt and the hash in the third subfield.”

So there IS a salt in the hash represented in the screen cap 😅
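Added example, not code from this thread or from the matrix.org incident: a small parser for the modular-crypt bcrypt string that the replies above describe, `$2a$<cost>$<22-char salt><31-char hash>`. It splits the three subfields, turns the cost `12` into 2^12 rounds, decodes the 22-character salt back into the 128-bit (16-byte) value using bcrypt's own base64 alphabet (not RFC 4648), and flags a cost below an assumed minimum of 10. The sample hash string is constructed for structure only and is not claimed to be the hash of any particular password.

```python
import re

# bcrypt's base64 alphabet: "./" first, then A-Z, a-z, 0-9 (differs from RFC 4648)
BCRYPT_ALPHABET = "./ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"

# $<ident>$<cost>$<22 salt chars><31 hash chars>; ident is 2, 2a, 2b, 2x or 2y
BCRYPT_RE = re.compile(
    r"^\$(2[abxy]?)\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$"
)

# Assumed policy threshold for this example; the thread itself only says 12 is cost 2^12.
MIN_ACCEPTABLE_COST = 10


def bcrypt_b64decode(text: str, nbytes: int) -> bytes:
    """Decode bcrypt's unpadded base64 variant, keeping only the first nbytes.

    22 chars carry 132 bits -> 16 salt bytes plus 4 junk bits;
    31 chars carry 186 bits -> 23 hash bytes plus 2 junk bits.
    """
    bits = 0
    nbits = 0
    out = bytearray()
    for ch in text:
        value = BCRYPT_ALPHABET.index(ch)  # raises ValueError on a bad character
        bits = (bits << 6) | value
        nbits += 6
        if nbits >= 8:
            nbits -= 8
            out.append((bits >> nbits) & 0xFF)
            bits &= (1 << nbits) - 1
    return bytes(out[:nbytes])


def parse_bcrypt(hash_string: str) -> dict:
    """Split a bcrypt string into identifier, cost, rounds, raw salt and raw hash."""
    match = BCRYPT_RE.match(hash_string)
    if not match:
        raise ValueError("not a bcrypt modular-crypt string")
    ident, cost_text, salt_text, hash_text = match.groups()
    cost = int(cost_text)
    if not 4 <= cost <= 31:  # the cost field is log2 of the round count
        raise ValueError(f"cost {cost} outside bcrypt's 4..31 range")
    return {
        "identifier": ident,
        "cost": cost,
        "rounds": 1 << cost,               # cost 12 -> 4096 key-expansion rounds
        "salt": bcrypt_b64decode(salt_text, 16),   # the 128-bit salt IS in the string
        "hash": bcrypt_b64decode(hash_text, 23),
    }


def cost_is_adequate(cost: int, minimum: int = MIN_ACCEPTABLE_COST) -> bool:
    """Each +1 in cost doubles the work per guess for an attacker as well as for you."""
    return cost >= minimum


# Constructed sample, shape only: 2a, cost 12, 22-char salt, 31-char hash.
SAMPLE_HASH = "$2a$12$R9h/cIPz0gi.URNNX3kh2OPST9/PgBkqquzi.Ss7KIUgO2t0jWMUW"

if __name__ == "__main__":
    parsed = parse_bcrypt(SAMPLE_HASH)
    print(f"variant {parsed['identifier']}, cost {parsed['cost']} = {parsed['rounds']} rounds")
    print(f"salt ({len(parsed['salt'])} bytes): {parsed['salt'].hex()}")
    print(f"hash ({len(parsed['hash'])} bytes): {parsed['hash'].hex()}")
    print("cost adequate:", cost_is_adequate(parsed["cost"]))
```

Running it on the sample prints the salt and hash as hex and confirms the cost 12 means 4096 rounds; feeding it a string with a wrong subfield length or a character outside bcrypt's alphabet raises `ValueError`, which is the check you want in front of any script that ingests dumped hashes.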

@CobaltVelvet where can a n00b like me find some explanation of what this means?

Thanks! :)

@Antanicus uhh, it's a screenshot from the time, with the shell of someone gaining access to servers, showing access to a 7TB data storage, an (I guess admin) account with its hashed password, and that they have 5.5M of those.

a huge data breach, possibly worse

@CobaltVelvet I don't know, I hope they warned them before and they chose to ignore the problem. If that isn't the case, it's a kinda shitty thing to do.

@CobaltVelvet Sorry, I misread the situation at first. I thought they disclosed actual harmful content for the end users.
It's actually super funny ^^.

@Sylvhem well they still can. these situations are hard to judge and can go from "absolute asshole" to "white hat" and back again in matter of minutes :p

@CobaltVelvet Yeah, but for now they did nothing.
I won't find that funny if they are actually hurting the people who used the service.

matrix thing, re: lmao (content warning, post collapsed)

matrix thing, re: lmao (content warning, post collapsed)

re: matrix thing, signing keys in prod (content warning, post collapsed)

re: matrix thing, signing keys in prod (content warning, post collapsed)

lolhats (content warning, post collapsed)

lolhats (content warning, post collapsed)

The com makes me think "What, people not well documented and not reading security warnings? I'm shocked (not)"

@CobaltVelvet what's wrong with you. I'd have done exactly the same things.

in fact, that's what I used to do, back when I would regularly break IRC bots.

@SoniEx2 what's wrong with you then. did you interpret the laugh as me saying it's unacceptable? don't do that
