
Thread: Widget was hacked... Proof enclosed.

  1. #91
    We kicked ass regardless of hack attempts
    Last edited by xao; 12-17-2007 at 12:08 AM.



  3. #92
    Quote Originally Posted by szczebrzeszyn View Post
    And by the way, it was clearly a feed format or widget parsing problem (maybe some character like '&' in the name etc). Nothing to worry about
    It looks like it contained the characters. It looks pretty clear that they had to go back before the item was added and remove the entry and re-run the rest of the numbers. Hence the roll back to the mid 17,900,000's then forward to over 18,000,000.

  4. #93
    Quote Originally Posted by EvilEngineer View Post
    Time constraints... and accidental oversight. They are the killers in the programming world. The major thing is that major mistakes are rarely publicized, because of how badly they would impact the business and the customers' impression of how secure their transactions are. The speed at which changes have been made to the servers, the site, widgets, etc... all lead to potential holes that hackers love to try and find.
    But something so simple would be modular and addable to about anything.

  5. #94
    The information showing up in the widget is part of the feed it is parsing. Under the heavy load the server probably just didn't write the file properly, resulting in a missing tab or end-of-line character.

    Besides, even if something was injected into the widget it would not affect the main databases. All the widget does is display the information it pulls from a URL address. You can totally mess with it if you modify your hosts file and redirect it to a different server.
    “It is in war that the State really comes into its own: swelling in power, in number, in pride, in absolute dominion over the economy and the society.” -- Murray Rothbard

  6. #95
    Well, if anyone was considering an injection attack, they know how to do it now...

    just kidding.

  7. #96
    Quote Originally Posted by LibertyOfOne View Post
    But something so simple would be modular and addable to about anything.
    Ah, naivete.

    Trust me when I say that not everything is programmed to the highest protocols, ESPECIALLY when you have a boss that promised it yesterday and told you today.
    Want to help Dr. Paul's campaign? Canvass! Learn how at http://www.ronpaulreveres.com/
    Want to coordinate your canvassing? Become a Precinct Leader! http://voters.ronpaul2008.com/grassroots/
    Rough Draft: Final Notice of Fiscal Burden
    http://www.ronpaulforums.com/showthread.php?t=92802
    JPEG Graphic of Final Notice of Fiscal Burden http://www.ronpaulforums.com/showthread.php?t=96659



  9. #97
    Quote Originally Posted by BeFranklin View Post
    What does flash have to do with it? The characters were put into the database that way on the donor page. It was copied to the flash object after the fake hack donation was accepted. It's only incidental that it was copied to the front page, because whoever did it was a bit of an idiot and didn't mark the "don't show my name on front page". We only hope it didn't work.

    Because the thread title is, "Widget was hacked..." Not "the database was hacked". The widget itself does not accept data, so a sql injection type attack would not work on it. I did mention the submission form would be the attack point, not the widget (as the thread title suggests). The fact that the widget is "flash" has nothing to do with it and I don't think I implied so.

    Like I said before, more than likely it was the character used as a separator in the data string for the widget that screwed it up.

  10. #98
    Quote Originally Posted by Dr.3D View Post
    There are ways to keep bots from crashing servers that way but does anybody know if the RonPaul2008.com site has protection from this kind of attack?
    From what I have seen the RP IT people or the hosting company (appears to be rackspace) are not utilizing a DDoS protection product. Being a 12+ year sysadmin, it makes me cringe when a website such as this goes down when it really shouldn't if designed and implemented properly. Servers are cheap, bandwidth is even cheaper, and Linux is free. There is no reason a website of this importance should have a single second of downtime.

  11. #99

  12. #100
    Let me explain what happened more thoroughly. In the submit form, there is embedded PHP or another strong web-coding language used to track stats, which is generally done with things similar to hit-counters you see on webpages. What they do is execute a function that will output the latest results of the input + output or whatever other formulas they use in a fashion which can then be interpreted by reading the page to inherit the values in any language that can recognize the different flags, for example:
    &something - variable used to store virtually any web-related data type which is, in turn, processed by the parser and/or formulas for its next action.
    | - this is the same as the %7C you see in the link here. This is used to separate character strings in the variables (for the widget ticker.)
    I assume the widget processes the input like this:
    Update -> Store current value as old value -> Store new value as old value plus the ticker increase amount -> Update display by the ticker increase amount (which should be checked for negative values and isn't)
    The bank would not allow those characters to go through, but the statistics logging function did. When they check whether or not the person chose to allow their name and location to be shown, they should also check whether or not the donation amount variable is not zero or below, and if so, chuck it out as an accident (this is commonly referred to as error handling.)
    The donor clearly managed to truncate some variables in his/her donation information which would not have been executed had the attacker not chosen to allow their name to display. The widget is made with Flash, and it reads the statistics database linked above [thanks jcims]. The statistic-saving function adds names to the database for processing then outputs them in flash-friendly strings and stores them at certain time intervals. The widget updates every 30 seconds [again jcims] and stores multiple donors' information (that chose for it to be shown) and creates a queue. The string is processed and the variables are updated [time, total donation, etc etc] and are again filtered for display. This is why in that screenshot you see no "&", "=", or "|". They are filtered out by the flash display. The variables still were processed and that's why you saw the decline. The good news is, somehow there was a sanity-check (I assume the server might query the bank for statistics/total amount on x minutes/hrs intervals). This really shouldn't have happened, but I don't think it hurt; in fact, I and quite a few other supporters I've spoken to were actually motivated to donate MORE because we were frantic hoping to hit $18m by midnight EST. We're also safe on the monetary side because the bank processes the input information differently and would _never_ allow for a negative deposit. Hopefully this'll clear up some of the worries and confusion.

    Also, to whoever takes care of the widget and such, &time=1197867180 would be the area to look at (11:53pm) if you can access the database. You can see everything that was included in the parameters the person submitted at or around that time.
    Last edited by andJusticeForALL; 12-17-2007 at 03:20 AM.
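    The two fixes the post above calls for (escape the separator characters so a name cannot break a record, and refuse zero or negative amounts before the ticker moves), plus the truncated-write check that post #94 suggests, as an added example that is not code from this thread or from the campaign's widget. The feed layout here is an assumption modelled on the post's description (`&key=value` fields, `|` between records); the real feed format is not shown anywhere in the thread, and the donor records are constructed.

```python
from decimal import Decimal, InvalidOperation
from urllib.parse import quote, unquote

# Constructed feed layout, modelled on the description in the post above.
# The real ticker feed's format is not shown anywhere in this thread, so
# this is an assumption: each donor record is a run of &key=value fields,
# records are joined with '|', and the snapshot ends with an END line so
# that a half-written file can be told apart from a complete one.
RECORD_SEP = "|"
TERMINATOR = "\nEND\n"
ALLOWED_KEYS = {"name", "location", "amount", "time"}


def encode_record(name, location, amount, time):
    """Build one record. Free-text fields are percent-encoded with no
    'safe' characters, so '&', '=' and '|' typed into a name come out as
    %26, %3D and %7C and can no longer split the record."""
    return (f"&name={quote(name, safe='')}"
            f"&location={quote(location, safe='')}"
            f"&amount={amount}&time={time}")


def encode_feed(records):
    """Join records and append the terminator that marks a complete write."""
    return RECORD_SEP.join(records) + TERMINATOR


def parse_record(raw):
    """Parse one record. Raises ValueError for anything that is not a
    complete, well-formed donation with a strictly positive amount."""
    fields = {}
    for pair in raw.split("&"):
        if not pair:               # the leading '&' yields an empty piece
            continue
        key, sep, value = pair.partition("=")
        if not sep or key not in ALLOWED_KEYS or key in fields:
            raise ValueError(f"malformed field {pair!r}")
        fields[key] = unquote(value)
    if set(fields) != ALLOWED_KEYS:
        raise ValueError(f"missing fields {sorted(ALLOWED_KEYS - set(fields))}")
    try:
        amount = Decimal(fields["amount"])
        time = int(fields["time"])
    except (InvalidOperation, ValueError) as exc:
        raise ValueError("amount or time is not numeric") from exc
    # The check the post says was missing: a donation can never be zero
    # or negative, so such a record is discarded rather than applied.
    if amount <= 0:
        raise ValueError(f"non-positive amount {amount}")
    return {"name": fields["name"], "location": fields["location"],
            "amount": amount, "time": time}


def apply_feed(feed_text, total):
    """Apply one snapshot to the running ticker total.

    Returns (new_total, accepted_records, rejection_reasons). A snapshot
    without its terminator (a partial write under load) is left unapplied,
    so the ticker keeps its last good value instead of showing garbage."""
    if not feed_text.endswith(TERMINATOR):
        return total, [], ["snapshot truncated: terminator missing"]
    accepted, rejected = [], []
    for raw in feed_text[:-len(TERMINATOR)].split(RECORD_SEP):
        if not raw:
            continue
        try:
            rec = parse_record(raw)
        except ValueError as exc:
            rejected.append(str(exc))
            continue
        accepted.append(rec)
        total += rec["amount"]
    return total, accepted, rejected


def demo():
    """Constructed snapshot: two honest donors (one with separator
    characters in the name), one record with a negative amount, and the
    same snapshot cut off mid-write."""
    good = [encode_record("Alice", "NH", Decimal("25.00"), 1197867000),
            encode_record("Bob|&=", "TX", Decimal("10"), 1197867060)]
    bad = "&name=Mallory&location=Nowhere&amount=-18000000&time=1197867180"
    feed = encode_feed(good + [bad])
    total, accepted, rejected = apply_feed(feed, Decimal("0"))
    cut_total, _, cut_rejected = apply_feed(feed[:-3], Decimal("0"))
    return {"total": total,
            "accepted_names": [r["name"] for r in accepted],
            "rejected": rejected,
            "truncated_total": cut_total,
            "truncated_reason": cut_rejected}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

    The point of the design is that the writer and the reader agree on which characters are structural, and every user-supplied field is encoded before it touches the structure; the amount check then lives in the reader, so a bad record is dropped instead of moving the displayed total.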

  13. #101
    Quote Originally Posted by Drknows View Post
    Looks like maybe the backend screwed up and skipped a beat.
    Yes, there were 80k donors, out of all of those the back end is bound to hiccup at least once. I wouldn't get too worked up over this.

  14. #102
    dang I thought hackers were on our side. Do we have any on right now?

  15. #103
    Quote Originally Posted by EvilEngineer View Post
    Basically what an injection attack is designed to do is utilize character input bars to plant code that they hope the server will parse into actual command statements. It does it by first figuring out what the server is programmed in, then working to design a special character string to dump the current line of code the server would be working on and have it follow a different command... from which point the hacker can almost have complete control.

    They literally could be draining the entire database of CC#, address... etc
    I'm a DB Developer - Yuppers ...what you say is TOTALLY TRUE.

    I never thought about it. But YES ..one could get in easily.

    I do XQuery now - trust me ...totally open! OMG!

  16. #104
    Any chance of us getting an explanation from HQ rather than being armchair conspiracy theorists?



  18. #105
    **dust
    Last edited by CriticalThinker; 12-17-2007 at 03:38 AM.

  19. #106
    Do you think the campaign would tell you? That would lower their donations next time from paranoid people. Think about it people?

  20. #107
    That doesn't look like any sort of (successful) attack to me..

  21. #108
    Quote Originally Posted by Laserbeast View Post
    You can't inject a SQL "attack" from the donation page, completely false. More so, you couldn't inject a SQL "attack" via a Flash widget. I've worked as a database administrator 2 out of my short 21 years on this Earth :P

    Less panic more celebration!!!
    You should start looking for another job. You clearly don't understand what you are talking about.
    Vote for Ron Paul and get a *FREE* Country!

    Supplies are limited. Act now, before it's gone!

  22. #109
    The information should be forwarded to the FBI - attempt to hack, and hacking, computer systems involving credit card information is a federal crime under 18 USC 1030.

  23. #110
    In the #ronpaul IRC channel we were pulling directly the raw text data that the widget uses, like the graph sites do.
    After the 11 p.m. minibomb we saw some great donation rate, for example at 23:36:13 EST 2007 we had:
    last 3.1 minutes: $42,491 from 523 donations ($81.24 avg donation, $13,560/min, 166.9 donors/min)
    Overall the bomb after 11 p.m. seemed to have really a lot of small donations, so the number of donors/minute was very high during the last hour before midnight.
    And just to compare it with the overall for the teaparty:
    online total: $6,022,995 from 58,840 donations ($102.36 avg donation, $4,198/min, 41.0 donors/min)
    However the exact accuracy of that overall number is unclear, because during the last 10 minutes before midnight, the data that was being pulled stopped making sense, in particular data that was pulled at a later time had lower numbers than data that was pulled earlier, and about 10 minutes after midnight it jumped back.
    Whether someone tried to hack it during the last 10 minutes, or whether it just collapsed due to the 11 p.m. minibomb that contained tons of small donations, I don't know.
    But anyway all of this is related to the numbers that feed the widget, and the real amount in donations isn't affected by this, so the campaign should calculate the exact number and publish it.

  24. #111
    SQL injection attacks are a non-issue if they use parameterized queries. I'd hope they are doing that.
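    What "parameterized queries" buys you, as an added example that is neither the campaign's code nor from this thread: an in-memory sqlite3 table stands in for the donor log (constructed for this example), and the same legitimate donor name, one containing an apostrophe, is inserted once by string concatenation and once with placeholders.

```python
import sqlite3


def make_db():
    """In-memory donor table standing in for the real one (constructed)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE donors (name TEXT, amount REAL, show_name INTEGER)")
    return conn


def insert_concatenated(conn, name, amount, show_name):
    """The pattern parameterized queries replace: user text is pasted into
    the statement, so any quote character in the name changes the SQL's
    structure instead of being stored as data."""
    sql = (f"INSERT INTO donors (name, amount, show_name) "
           f"VALUES ('{name}', {amount}, {int(show_name)})")
    conn.execute(sql)


def insert_parameterized(conn, name, amount, show_name):
    """Placeholders: the statement text is fixed and the values travel
    separately, so the name is data no matter what characters it holds."""
    conn.execute(
        "INSERT INTO donors (name, amount, show_name) VALUES (?, ?, ?)",
        (name, amount, int(show_name)),
    )


def stored_names(conn):
    """Names currently in the table, in insertion order."""
    return [row[0] for row in
            conn.execute("SELECT name FROM donors ORDER BY rowid")]


def demo():
    """Insert an ordinary name with an apostrophe both ways and report
    what happened to each attempt."""
    conn = make_db()
    donor = "Miles O'Brien"          # a perfectly valid name
    try:
        insert_concatenated(conn, donor, 25.0, True)
        concat_outcome = "accepted"
    except sqlite3.Error:
        concat_outcome = "syntax error"   # the quote broke the statement
    insert_parameterized(conn, donor, 25.0, True)
    return concat_outcome, stored_names(conn)


if __name__ == "__main__":
    outcome, names = demo()
    print(f"concatenated insert: {outcome}")
    print(f"rows stored via placeholders: {names}")
```

    The concatenated form fails on honest input before anyone hostile shows up; the parameterized form stores the name verbatim, which is exactly why the structure of the query can no longer be altered by its contents.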

  25. #112
    Quote Originally Posted by mvpel View Post
    The information should be forwarded to the FBI - attempt to hack, and hacking, computer systems involving credit card information is a federal crime under 18 USC 1030.
    I doubt the FBI would go after itself...



  27. #113
    There's now a press release on ronpaul2008.com that says $6 million total, but it's rather vague. I followed the online donations data during the teaparty and I think the online donations total was higher than $6m in the end (cannot be sure because of what happened in the last 10 minutes), plus the $400k+ in offline donations that the campaign added at 11 p.m., so shouldn't the total be $6.4m?

  28. #114
    Quote Originally Posted by iddo View Post
    In the #ronpaul IRC channel we were pulling directly the raw text data that the widget uses, like the graph sites do.
    After the 11 p.m. minibomb we saw some great donation rate, for example at 23:36:13 EST 2007 we had:
    last 3.1 minutes: $42,491 from 523 donations ($81.24 avg donation, $13,560/min, 166.9 donors/min)
    Overall the bomb after 11 p.m. seemed to have really a lot of small donations, so the number of donors/minute was very high during the last hour before midnight.
    And just to compare it with the overall for the teaparty:
    online total: $6,022,995 from 58,840 donations ($102.36 avg donation, $4,198/min, 41.0 donors/min)
    However the exact accuracy of that overall number is unclear, because during the last 10 minutes before midnight, the data that was being pulled stopped making sense, in particular data that was pulled at a later time had lower numbers than data that was pulled earlier, and about 10 minutes after midnight it jumped back.
    Whether someone tried to hack it during the last 10 minutes, or whether it just collapsed due to the 11 p.m. minibomb that contained tons of small donations, I don't know.
    But anyway all of this is related to the numbers that feed the widget, and the real amount in donations isn't affected by this, so the campaign should calculate the exact number and publish it.
    I did my best to explain why the number dropped in my post (the last one on page 10)

  29. #115

  30. #116
    it's crazy what people will do to try and mess with this revolution
    Support Marijuana Legalization WORLDWIDE

  31. #117
    Quote Originally Posted by andJusticeForALL View Post
    I did my best to explain why the number dropped in my post (the last one on page 10)
    I do have the 11:53 p.m. file from the direct feed. All the data before it made sense, and had to wait until 12:10 a.m. or so until it let me pull another file that made sense. In between the numbers were messed up.
    But what is the total for the teaparty?? $6m total? Or $6m online total + $400k offline total = $6.4m total as I suspect? Or what? Does anyone know?
    If it's $6m total, does it mean that the online total was about $5.6m? How can that be when the numbers I have between Dec. 15 midnight and Dec. 16 midnight progress towards a number higher than $6m? (these numbers track online donations only)
    Now ronpaul2008.com says $6.04m total... so how come it's not $6.4m total?
