huh $2a$ is.. blowfish? is that without salt. what is 12. the salt??

don't mind me i just realized bcrypt was named after fucking blowfish

the attacker is opening github issues 😂

> I noticed in your blog post that you were talking about doing a postmortem and steps you need to take. As someone who is intimately familiar with your entire infrastructure, I thought I could help you out.
[then about ssh agent forwarding, and principle of least privilege]


@er1n @CobaltVelvet yeah. They got owned earlier because they didn't patch something, then they shut down everything for a few hours, then they made a blog post explaining what happened, and apparently they didn't do a very good job kicking the attacker out before restoring service...

@CobaltVelvet 2a would be bcrypt, and 12 would be the cost factor (basically you can adjust how much cpu/memory it uses and 12 corresponds with a factor of 2^12)

@femto @CobaltVelvet indeed, and I had to research it too, as it appears different hash algorithms' products are parsed differently in Unix:

“The Blowfish hashing scheme uses the second subfield to indicate the logarithm base two of the number of rounds and concatenates the 128-bit salt and the hash in the third subfield.”

cromwell-intl.com/cybersecurit

So there IS a salt in the hash represented in the screen cap 😅
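To make the field layout from that quote concrete, here is a small parser for the `$2a$12$...` string format, added as an example and not something posted in this thread. The 60-character sample hash it parses is constructed for the demo (it is not the hash of any real password), and the cost floor of 10 in the policy check is an assumed value, not a standard.

```python
import re
from dataclasses import dataclass

# bcrypt uses its own base64 alphabet, not the RFC 4648 one
BCRYPT_B64 = "./ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"

# "$2a$12$" + 22-char salt + 31-char hash = 60 chars in total
_BCRYPT_RE = re.compile(
    r"^\$(2[abxy]?)\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$")

# Constructed sample in the same layout as the screenshot; not a real hash of anything
SAMPLE_HASH = "$2a$12$" + "CBa" + "A" * 19 + "A" * 31


@dataclass
class BcryptHash:
    variant: str   # "2a", "2b", ...
    cost: int      # log2 of the key-setup round count (the "12")
    rounds: int    # 2 ** cost
    salt: bytes    # 128-bit salt, stored in the third subfield right before the hash
    digest: bytes  # 184-bit hash (23 of Blowfish's 24 output bytes)


def bcrypt_b64decode(text: str, nbytes: int) -> bytes:
    """Decode bcrypt's base64 variant; padding bits past nbytes are dropped."""
    acc, bits, out = 0, 0, bytearray()
    for ch in text:
        acc = (acc << 6) | BCRYPT_B64.index(ch)  # ValueError on a foreign char
        bits += 6
        while bits >= 8 and len(out) < nbytes:
            bits -= 8
            out.append((acc >> bits) & 0xFF)
    return bytes(out)


def parse_bcrypt(hash_str: str) -> BcryptHash:
    """Split a modular-crypt-format bcrypt string into its fields."""
    m = _BCRYPT_RE.match(hash_str)
    if m is None:
        raise ValueError("not a bcrypt hash string")
    variant, cost_s, salt_s, digest_s = m.groups()
    cost = int(cost_s)
    if not 4 <= cost <= 31:
        raise ValueError(f"cost {cost} outside bcrypt's 4..31 range")
    return BcryptHash(variant, cost, 1 << cost,
                      bcrypt_b64decode(salt_s, 16), bcrypt_b64decode(digest_s, 23))


def cost_is_acceptable(h: BcryptHash, min_cost: int = 10) -> bool:
    """Policy check: flag stored hashes whose work factor is below an assumed floor."""
    return h.cost >= min_cost


if __name__ == "__main__":
    h = parse_bcrypt(SAMPLE_HASH)
    print(f"variant={h.variant} cost={h.cost} rounds={h.rounds} salt={h.salt.hex()}")
```

Running it on the sample shows the salt and the hash as separate byte strings, which is the point of the quote: the salt is there, it just shares the third subfield with the hash.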

@CobaltVelvet where can a n00b like me find some explanation of what this means?

Thanks! :)

@Antanicus uhh it's a screenshot of matrix.org at the time, with the shell of someone gaining access to matrix.org servers, showing access to a 7TB data storage, a (i guess admin) account with its hashed password, and that they have 5.5M of those.

a huge data breach, possibly worse

@CobaltVelvet I don't know, I hope they warned them before and they choose to ignore the problem. If it isn't the case, that's a kinda shitty thing to do.

@CobaltVelvet Sorry, I misread the situation at first. I thought they disclosed actual harmful content for the end users.
It's actually super funny ^^.

@Sylvhem well they still can. these situations are hard to judge and can go from "absolute asshole" to "white hat" and back again in a matter of minutes :p

@CobaltVelvet Yeah, but for now they did nothing.
I won't find that funny if they are actually hurting the people who used the service.


@CobaltVelvet
The com makes me think "What, people not well documented and not reading security warning? I'm choked (not)"

@CobaltVelvet what's wrong with you. I'd have done exactly the same things.

in fact, that's what I used to do, back when I would regularly break IRC bots.

@SoniEx2 what's wrong with you then. did you interpret the laugh as me saying it's unacceptable? don't do that
