user login function is not working at all
December 5, 2005 11:34 AM   Subscribe

HeadsUpFilter: the user login function is not working at all. Thank you.
posted by wheelieman to Bugs at 11:34 AM (103 comments total) 3 users marked this as a favorite

Well, this poses (doesn't beg) certain immediate questions.
posted by Wolfdog at 11:36 AM on December 5, 2005 [1 favorite]


It worked just now for me, but there was a new "Enter the crazy-looking letters" code. If you couldn't log in, how did you post this question?
posted by stopgap at 11:38 AM on December 5, 2005


I just logged in. There's a thingy there now that wasn't there before.
posted by iconomy at 11:39 AM on December 5, 2005


Or, what stopgap said.
posted by iconomy at 11:39 AM on December 5, 2005


OO gotcha, delete thread please, I jumped the gun too soon.
posted by wheelieman at 11:41 AM on December 5, 2005


I tried to log in at school, that's how I knew; I am permanently logged in on my laptop.
posted by wheelieman at 11:43 AM on December 5, 2005


Well, in the spirit of gun-jumping, I'd like to pre-empt a uno-authored thread and just ask right here:

What's the story, Matt?
posted by cortex at 11:46 AM on December 5, 2005


Q: Who logs out?
A: Hitler

posted by blue_beetle at 11:53 AM on December 5, 2005


I put the captcha there to thwart dictionary attacks. Someone could just write a script to try out a thousand passwords for a username until they found one that had an easy password. Now it requires a human for each attempt, which should stop that kind of hack. I need to lock accounts after 5-10 fails too. I'm working on that today.
posted by mathowie (staff) at 11:58 AM on December 5, 2005


And the plot thickens. Also, I'm making bread and it thickened too. But faster than I expected. Will MeFi suffer a similar fate?
posted by panoptican at 12:03 PM on December 5, 2005


While we're at it, I've never been able to log in to AskMe with Firefox. I'm logged in on Metafilter, open AskMe in a new tab, and I'm not logged in and am not able to do so. Works fine in IE.
posted by marxchivist at 12:05 PM on December 5, 2005


it did in November 2004
posted by wheelieman at 12:06 PM on December 5, 2005


Matt, any chance you could show the CAPTCHA after three or so attempts? That's what Google does with Gmail, and it's much less disruptive than captcha'ing on the first login try.
posted by killdevil at 12:16 PM on December 5, 2005


Yuck. For some reason I can't log into Metafilter.
posted by dios at 12:30 PM on December 5, 2005


Second killdevil's suggestion. It's really annoying to have to do it the first time out.

Also, you might want to explain that the captcha is case-insensitive.
posted by aberrant at 12:33 PM on December 5, 2005


Fine, the first one is free then.
posted by mathowie (staff) at 12:47 PM on December 5, 2005


It was broken for awhile earlier today while Matt was working on the CAPTCHA. Swear it on a stack of Bibles.
(Someone deleted my cookies last week)
posted by junkbox at 12:49 PM on December 5, 2005


Matt, is this in response to something? Are leet haxors targeting MeFi?
posted by gleuschk at 12:58 PM on December 5, 2005


the first one is free then.

that's what all the pushers say...
posted by jessamyn at 1:18 PM on December 5, 2005 [1 favorite]


Matt, is this in response to something? Are leet haxors targeting MeFi?

Ask Pretty_ab'd_Generic. He won't answer my emails about it.
posted by mathowie (staff) at 1:46 PM on December 5, 2005


ohboy, that kid's going to grow up into an evil genius some day. No-one loan him their volcano hideaway, 'cos you won't get it back.
posted by NinjaPirate at 1:54 PM on December 5, 2005


Oh, dear. Pretty_C.Den_Generic, too?
posted by Gator at 1:55 PM on December 5, 2005


Heh. When will evildoers learn that their IP addresses are being logged?
posted by killdevil at 1:57 PM on December 5, 2005


Hey Matt, one further suggestion -- I wouldn't lock an account until at least 20 or so tries have been unsuccessful. As someone with 30 or so different passwords across all the Internet spots I frequent, I can imagine plugging five to ten guesses into a site I haven't been to in awhile.
posted by killdevil at 2:00 PM on December 5, 2005


Ask Pretty_ab'd_Generic.

Er, buh?
posted by Gator at 2:03 PM on December 5, 2005


killdevil, 5 failures requiring an email unlock is pretty standard (my bank, paypal, etc).

And his IP was logged, but he was using proxy servers to try and hide it, but it was clear from the first time he started posting again, that it was Pretty_Generic doing the writing on the account. He's also sharing the IP with three other accounts, so I'm sure we'll see P_G pop his head back in real soon.
posted by mathowie (staff) at 2:09 PM on December 5, 2005


By "buh," I meant, is he to be allowed to keep posting?
posted by Gator at 2:13 PM on December 5, 2005


Well, your bank and Paypal are transactional systems with lots of real money behind their hair-trigger account lockouts - that number might be a little extreme for Metafilter. Just sayin'...
posted by killdevil at 2:13 PM on December 5, 2005


Hey guys.

Sorry for ignoring you Matt, my Gmail POP wasn't set up right. Your improvements to site security are excellent.
posted by spinoza at 2:15 PM on December 5, 2005


See! He's back again. The lovable little friend of a database hacker scamp
posted by mathowie (staff) at 2:18 PM on December 5, 2005


I haven't been using proxies by the way; those are actual other people.
posted by spinoza at 2:18 PM on December 5, 2005


I love it when a plan comes together.
posted by Dreamghost at 2:19 PM on December 5, 2005


Okay, 'fess up people. There are really only five people posting to Metafilter, right?
posted by killdevil at 2:24 PM on December 5, 2005


Matt you should of licensed moift's animal catchpa technology.
posted by Dreamghost at 2:25 PM on December 5, 2005


should _have_
posted by brownpau at 2:26 PM on December 5, 2005


I resent the accusation that I am a real person!
posted by spinoza at 3:52 PM on December 5, 2005


Dictionary attacks can be thwarted by only allowing, say, 5 attempts an hour.

Also this lightens the job on the admin because things will just fix themselves in an hour.
posted by holloway at 3:53 PM on December 5, 2005


*fails to login as mathowie 5 times*
posted by quonsar at 4:05 PM on December 5, 2005


protip: jessamyn's password is b00kwerm
posted by Dreamghost at 4:22 PM on December 5, 2005


Quonsar, usually once they're locked out the system emails the account owner with a unique url for them to login automatically.

0wnz0redq\/0n4r
posted by holloway at 4:41 PM on December 5, 2005


So now that that's settled: why was this thread closed? I've reluctantly come to accept the idea that threads that turn into flamefests get closed, but this seems completely unmotivated... unless it's because it didn't seem "useful," which (IMHO) is a crappy reason.
posted by languagehat at 4:50 PM on December 5, 2005


Clearly because we were being a bunch of immature asshats. It's in the thrill of the chase though really. I mean if you could easily filter people out then it would quickly get boring; if nobody reads what we wrote, then what's the point being inflammatory or annoying?
posted by spinoza at 5:15 PM on December 5, 2005


See, for instance, that wasn't me, the user formerly known as Pretty_Generic, posting. That was someone else. I punctuate rite.
posted by spinoza at 5:20 PM on December 5, 2005


Just because, I'm totally obsessed, with commas - doesn't mean you have, to point it out!
posted by spinoza at 5:21 PM on December 5, 2005


What's rite is rite.
posted by If I Had An Anus at 5:26 PM on December 5, 2005


moo
posted by spinoza at 5:36 PM on December 5, 2005


Hey, is this thing on?
posted by spinoza at 5:38 PM on December 5, 2005


I closed it because the thread seemed to have run its course.

Pretty_Generic, I banned spinoza and your friend cillit bang's account. And I know your pal Alex bought one of those new accounts and gave you the password, so if you show up on his account too, it'll be gone as well. I hope you're quite done with fucking around, but I somehow doubt it.
posted by mathowie (staff) at 6:13 PM on December 5, 2005


Oh. THIS current-open thread, which was so inconveniently invisible before. Really!

Okay, I'm embarrassed.
posted by davy at 6:32 PM on December 5, 2005


s'okay, davy.
posted by cortex at 6:42 PM on December 5, 2005


I look forward to this 5-wrong-password lock, so that all the people who disagree with other people can have their accounts shut down in moments.
posted by Jairus at 6:50 PM on December 5, 2005


!
posted by cortex at 6:57 PM on December 5, 2005


I look forward to this 5-wrong-password lock, so that all the people who disagree with other people can have their accounts shut down in moments.

Doesn't it just block further login attempts for a period of time? So if you're already logged in, it wouldn't do anything to you, right?
posted by jessamyn at 7:01 PM on December 5, 2005


IT'S DHOYT ALL OVER AGAIN!!!
posted by Krrrlson at 7:01 PM on December 5, 2005


Jairus: no one anticipated such misuse and there's no way of dealing with it. With 5 wrong passwords I am become death, destroyer of worlds :(
posted by holloway at 7:02 PM on December 5, 2005


Doesn't it just block further login attempts for a period of time? So if you're already logged in, it wouldn't do anything to you, right?

That's what I thought too. Do people log out regularly?
posted by Rothko at 7:05 PM on December 5, 2005


I'll do a timed, failed login thing this week. And give two tries before the captcha kicks in.
posted by mathowie (staff) at 7:05 PM on December 5, 2005


What the hell is going on? Anyone capable of following this masquerade want to sum it up?
posted by ori at 7:12 PM on December 5, 2005


I'm not a PG sockpuppet, hence my ability to post here again.
posted by cillit bang at 7:16 PM on December 5, 2005


Dictionary attacks? Egad. Let me just say that I have not proposed to quonsar yet today as far as I know.

Seriously, that's some fucked up shit. Yes Matt, I agree, please make it stop.
posted by davy at 7:44 PM on December 5, 2005


What the hell is going on? Anyone capable of following this masquerade want to sum it up?

I knew from the first time I saw posts by the ab'd al'Hazred account that it was Pretty_Generic. Same tone, same jokes, same mannerisms. Which is fine, he's gone through a few sock puppets before, but this one was a very old account, which was curious, and there was no associated email address.

So I did some digging on Friday. The same IP addresses have been used by Pretty_Generic, ab'd al'Hazred, spinoza, and cillit bang (last one because they share a flat). The ab'd account actually used a variety of UK and US IPs, which is apparently 4 or 5 jokesters from the #tapes channel all using them, is what I later figured out (including alexst and dersins among others).

So the messed up part of it is that he somehow got the password to a very old unused account, and I seriously doubted that someone actually took a five year hiatus to be goofy on the site one day and I also doubted that PG could contact that person and get the login. So I spent all weekend doing a security audit, making sure there wasn't any obvious sql or js injection hacks that someone could do some cross site scripting hacks.

I had to unfortunately lock down the user pages, which were a huge gaping security hole. So you can't do custom stylesheets or iframes or anything anymore, but no one had to date done anything crazy with their page so the hack wasn't via that approach. But it was too easy a target to leave open, so it's closed. Sorry about that. Thank cillit bang's roommate for that one.

So with XSS hacks out of the picture, and the evidence being a very old unused account was compromised with a very simple password on it, I figured it was a simple brute force attack on the login page where you write a script to try out username/password combinations from a giant list of words (usually a dictionary, which is why they're often called dictionary attacks). There were no checks in place whatsoever because I never dreamed someone would try this kind of thing. So someone wrote a script and tried names (hour after hour, for a couple days I would guess) before it worked.

Apparently P_G was boasting about this on #tapes and someone with a tinge of ethics let me know. I was already digging away at this, so it helped to know I wasn't going crazy. I eventually tracked down the IP source of the password attempts and found the guy that wrote the script that P_G used. He was fine with it and said it was a simple dictionary attack. That was today and it was good to get closure on this, because I spent most of the weekend not sleeping and worrying about how many accounts were hacked and what I could possibly do to stop future attacks if I had no idea how it was done. Since running mefi puts food on the table, it's pretty unsettling to know that there's an arsonist running around inside your store and there's not a lot you can do about it.

So in the end, it's just a small group of dorks around P_G fucking around. I'm kind of bummed that what used to be considered malicious behavior on the site was posting silly gifs or going wildly off topic too much. Now, malicious behavior on the site is suddenly someone having fun compromising the db security of the site to further their jokes.
posted by mathowie (staff) at 7:44 PM on December 5, 2005 [15 favorites]


What the hell is going on? Anyone capable of following this masquerade want to sum it up?

Pretty Generic got someone to run some dictionary attacks for him, and when it became pretty obvious to everyone, Matt closed the accounts Pretty Generic was using, and implemented Captcha to block further dictionary attacks.
posted by Ryvar at 7:44 PM on December 5, 2005


Actually, I waited until the captcha was in place and that I was sure it was just a dictionary attack before I banned anyone. Once it was identified and could be prevented, then I knew it was pretty much case closed.
posted by mathowie (staff) at 8:01 PM on December 5, 2005


Chin up Matt. Thanks for all your hard work. It's too bad people turn evil. But as you know, hell hath no fury as an internet nerd scorned.
posted by Mr T at 8:12 PM on December 5, 2005


Late to the - well, I'll still say "party", for want of a better term - but I'm still curious (I had wondered about how this ab'd character could suddenly pop up after five years and be everywhere on the site, too).

Oh, yeah, my question - so, is Steven Den Beste back or not? Or were both of his logins P_G, too?
posted by yhbc at 8:30 PM on December 5, 2005


There are some "pranks" even I consider beyond the frigging pale.

E.g., if I may interject a short gripe on something I think might be roughly equivalent to these "hijinks" discussed in this thread, tonight in real life the annoyingly loud and childish college boys from the apartment downstairs lit a little bonfire of cardboard in the back yard. And drove off with it still smoldering. Right up next to the house. I had to go out there with a bucket and douse it. I think the landlord ought to hear about that, eh? (I'm also beginning to think that people should be disallowed from living "independently" till they're 23 unless they're properly vetted and licensed; maybe supervised dorms are a good thing.)

So yeah, I'm with you here Matt. Sometimes ya gotta "line 'em up and shoot 'em."
posted by davy at 8:46 PM on December 5, 2005


Steven looks like Steven to me, he's posting from a west coast cable modem and I'm pretty sure he's in California.
posted by mathowie (staff) at 8:47 PM on December 5, 2005


Pretty_Generic would like to express that he didn't know about the hax prior to the hax taking place, and that his only involvement was being given the password to the old account so he could post on a website he likes.
posted by Menomena at 8:48 PM on December 5, 2005


For what it's worth, there's been quite a bit of debate on #tapes w/r/t this dictionary attack, but Pretty_Generic would like to have a chance to make a response. I can make no claims as to the validity of the statement, but I believe that he at least deserves the ability to respond to the charges.

Here goes.

Pretty_Generic would like to express that he had nothing to do with the dictionary attack, did not know the method by which the account was obtained, and was merely happy to have joint use of an account offered to him for a website he likes to frequent from time to time.
posted by LimePi at 8:48 PM on December 5, 2005 [1 favorite]


mathowie, I think you handled this with tact and restraint, considering. Good security is always a good idea; it doesn't necessarily mean the dawn of an era of distrust and paranoia. Something there is that doesn't love a wall.
posted by ori at 8:54 PM on December 5, 2005


Pretty Generic would like his balls wiped, if anyone else on #tapes could be so obliged
posted by mathowie (staff) at 8:55 PM on December 5, 2005 [5 favorites]


Pretty_Generic would like to express that he had no idea the woman was a whore, did not know the method by which the whore was obtained, and was merely happy to have joint use of a whore offered to him for a penis he likes to entertain from time to time.
posted by quonsar at 8:56 PM on December 5, 2005 [4 favorites]


I'll have you know I already wiped his balls at least twice today. :|
posted by Azhruwi at 8:56 PM on December 5, 2005


I LOLed. And I'm getting too old for that.
posted by yhbc at 8:57 PM on December 5, 2005


Dammit. On preview, I did it again. Twice.
posted by yhbc at 8:58 PM on December 5, 2005


The part of me that throws rocks at wasp's nests is telling me to flag that...
posted by Alvy Ampersand at 8:58 PM on December 5, 2005


Pretty Generic would like his balls wiped, if anyone else on #tapes could be so obliged

Damn P_G i thought we agreed to use the mathowie account only sparingly.
posted by Dreamghost at 9:04 PM on December 5, 2005 [1 favorite]


I take umbrage at how matt insists on tarring everyone in #tapes with the same brush. I'm sure that if someone were to do the same to all MeFites, he would certainly object.
posted by antifreez_ at 9:15 PM on December 5, 2005


I was going to post something along those lines, too - we're talking about a few people out of . . . what, fifty?
posted by Ryvar at 9:17 PM on December 5, 2005


Pretty_Generic would like to express that he had nothing to do with the dictionary attack, did not know the method by which the account was obtained, and was merely happy to have joint use of an account offered to him for a website he likes to frequent from time to time.

HELLO I AM DOCTOR ZVIGIDAL FROM NIGERIA. I WOULD LIKE TO HAVE JOINT USE OF ACCOUNTS YOU HAVE. IN RETURN I WOULD OFFER YOU TO HAVE A HEALTHY SUM DEPOSITED. PLEASE REPLY.

Nice detective work, Matt. P_G... not cool.
posted by odinsdream at 9:25 PM on December 5, 2005


Sorry, I thought my conclusion made that clear: So in the end, it's just a small group of dorks around P_G fucking around = not all members of #tapes
posted by mathowie (staff) at 9:27 PM on December 5, 2005


for a website he likes to frequent from time to time

Here's to the hope that the time gets less and less frequent.
posted by crunchland at 9:28 PM on December 5, 2005


Oh, okay. It was just the "Pretty Generic would like his balls wiped, if anyone else on #tapes could be so obliged" comment that threw me, I guess.
posted by antifreez_ at 9:35 PM on December 5, 2005


Is this the appropriate time to post the waaaahmbulance jpeg?
posted by nowonmai at 9:37 PM on December 5, 2005


comment that threw me, I guess.

That's mostly a joke in reference to all the posting-for-P_G-by-proxy that was going on tonight in the other thread. Seeing a bunch of messages (in duplicate no less) makes it look like he's royalty or something, hence the joke about his balls needing to be wiped by someone else.
posted by mathowie (staff) at 10:31 PM on December 5, 2005


That's mostly a joke in reference to all the posting-for-P_G-by-proxy that was going on tonight in the other thread. Seeing a bunch of messages (in duplicate no less) makes it look like he's royalty or something, hence the joke about his balls needing to be wiped by someone else.

Ah, I read that as 'whipped'. Shows how lysdexic I am..
posted by delmoi at 11:28 PM on December 5, 2005


Ah, I read that as 'whipped'.

Well I'm not getting any sleep tonight now, thanks to you.
posted by Ryvar at 12:11 AM on December 6, 2005


matt - don't know if this is any help, but i thought the user-defined html was a really cool feature, and have copied it on a site i am making. what i've done in addition, though (since i am also worried about the security trade-offs), is support skins, and the user-defined html is escaped (so the markup appears as text) when the "safe" skin is used. i thought that was a reasonable compromise that gave people the freedom to do cool things on one specific page, but let anyone with a modicum of technical ability verify what was happening if there were any doubts (the skin can be selected by a simple url value, so http:.....?skin=safe shows the page content directly).

just a suggestion/idea....
posted by andrew cooke at 6:10 AM on December 6, 2005


I'm also beginning to think that people should be disallowed from living "independently" till they're 23 unless they're properly vetted and licensed

I've long thought males between the ages of 16 and 23 (exact ages negotiable, but that's the general idea) should be put on an island somewhere and allowed to take out their hormone-driven aggression on each other; then the survivors could be allowed to rejoin society. Presto: no more wars, no more suicide bombings, no more graffiti, and a lot fewer teenage pregnancies. And don't tell me I'm being sexist: teenage girls may be bitchy, but very few of them go around killing people (and even fewer would do so if there weren't teenage boys around to inspire them).

And will people quit posting messages for P_G? He's an asshole and he's been banned. Leave him on his island.
posted by languagehat at 6:31 AM on December 6, 2005 [2 favorites]


Matt, this tightening means that, whenever members next change their profile, all stylesheet data is stripped and individuality lost. I know, I've just taken the bullet to check. It appears that several other members have suffered the same undressing.
This is pretty bad. Individuality wins plaudits here, I would really hate to see this aspect of the community die off.

Re: the MySpace XSS escapade in October
the browser you really need to watch for is IE, and it fell foul of a specific bug.
There seem to be a couple of ways to strip and protect the submitted string without removing the ability to add user-defined CSS. I'd be more than happy to work with you on this, if you're not flush with time.

If you don't see this post, I'll work out a proof of concept and mail you with the results.
posted by NinjaPirate at 6:43 AM on December 6, 2005


Whoa! That's some drama, well-handled.
posted by OmieWise at 6:53 AM on December 6, 2005


Well, that was quite a show. Once again proving that the only real security is physical security.
posted by warbaby at 7:08 AM on December 6, 2005


I'm kind of bummed that what used to be considered malicious behavior on the site was posting silly gifs or going wildly off topic too much. Now, malicious behavior on the site is suddenly someone having fun compromising the db security of the site to further their jokes.

I think I shall bookmark this to show people who whine about siteadmins/sysadmins/whatever simply turning off features or deleting "problem" items/people rather than "taking the time to figure out blah blah blah". Grod bless you for spending this much time on any one issue like this, just thinking about such a waste of time by a few clowns annoys me and it wasn't my time.
posted by phearlez at 12:51 PM on December 6, 2005


which is apparently 4 or 5 jokesters from the #tapes channel all using them is what I later figured out (including alexst and dersins among others).

For the record, I have only ever posted one thing to metafilter from an account that is not this one.

It was this comment, which was, I thought, pretty innocuous.

My apologies, however, for whatever small part I may have played in causing Matt trouble.
posted by dersins at 2:13 PM on December 6, 2005


Wow. How weird, man. I just don't get this internet stuff...
posted by klangklangston at 1:04 PM on December 11, 2005


Wow again. How did I miss this one? So is there anyone who still thinks users using more than one account 'just for fun' is a good idea?
posted by mediareport at 9:31 PM on December 11, 2005


Holy fuck. People need lives.
posted by scarabic at 10:18 PM on December 11, 2005


We limit users to one account on my forum system. It's hard to police as the IPB is set up, so anyone can fire up extra accounts and the only way to find them are suspicions or recognizing IPs.

Sometimes it can be innocuous and we had an April Fools prank last year where several users registered parody accounts of other users and went to town. However, usually it's someone being an ass and trying to sidestep any restrictions placed on their primary account.
posted by Captaintripps at 8:34 AM on December 12, 2005


*mind explodes*

I can't believe I missed this one either. Perhaps it did begin as an innocent jape but really, anything that causes mathowie sleepless nights is not high on the list of "things that constitute a good idea". Not big and not clever, P_G.
posted by greycap at 2:24 PM on December 12, 2005


Pretty_Pathetic
posted by furtive at 5:24 PM on December 12, 2005


Hmm.

3 strikes and you wait helps with dictionary attacks, but I'd lock any account with no activity for over, say, three months, and have a page with "No, we want you back, email me and I'll open the account back up". Any account that's 3x3d (3 striked for the third time in a day) gets locked. I'll buy a few errors, but after nine in one day, you've either forgotten your password, or you never knew it.

A report on failed logins/user/day would show who else might have been compromised. I'm willing to bet there are far more out there. (A smart guy keeps cracking accounts until he has a few in pocket. P_G may be an ass, but he's not dumb.)

Finally, I have to consider the last appearances of MiguelCaradoso and Steven Den Beste to be fraudulent. Both popped in to great rejoicing, posting in rather odd ways, and were never heard from again.

As a BOFH, I'd lock those accounts right now, and count on the real ones being willing to pipe up if they do want to come back.
posted by eriko at 5:58 PM on December 12, 2005
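The throttle-and-lock policy mathowie describes earlier in the thread (two free tries, then a captcha, lock after five failures, with a timed reset as holloway suggests and an emailed unlock URL), together with the per-user-per-day failed-login report eriko asks for in the comment above, as an added Python example that is not from the thread or from MetaFilter's own code. The log line format, the unlock-token flow and the sample log are assumptions constructed for the example.

```python
import secrets
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Policy numbers taken from the thread: two free tries before the captcha,
# lock after five failures, failures age out after an hour so the admin does
# nothing, and nine failures in one day marks an account as report-worthy.
CAPTCHA_AFTER = 2
LOCK_AFTER = 5
WINDOW = timedelta(hours=1)
REPORT_THRESHOLD = 9


class LoginThrottle:
    """Per-account sliding-window failure counter with captcha and lockout tiers."""

    def __init__(self, captcha_after=CAPTCHA_AFTER, lock_after=LOCK_AFTER, window=WINDOW):
        self.captcha_after = captcha_after
        self.lock_after = lock_after
        self.window = window
        self.failures = defaultdict(deque)  # username -> times of recent failures
        self.locked = {}                     # username -> one-time unlock token

    def _recent(self, user, now):
        q = self.failures[user]
        while q and now - q[0] >= self.window:
            q.popleft()                      # old failures expire on their own
        return q

    def check(self, user, now):
        """What the form must demand for this attempt: 'ok', 'captcha' or 'locked'."""
        if user in self.locked:
            return "locked"
        if len(self._recent(user, now)) >= self.captcha_after:
            return "captcha"
        return "ok"

    def record_failure(self, user, now):
        """Count a wrong password; returns the unlock token if this failure locks the account."""
        q = self._recent(user, now)
        q.append(now)
        if len(q) >= self.lock_after and user not in self.locked:
            # Assumed e-mail flow: the token goes into a one-time URL mailed to the owner.
            self.locked[user] = secrets.token_urlsafe(16)
            return self.locked[user]
        return None

    def record_success(self, user):
        self.failures.pop(user, None)

    def unlock(self, user, token):
        """Consume the token from the mailed URL, comparing in constant time."""
        expected = self.locked.get(user)
        if expected is None or not secrets.compare_digest(expected, token):
            return False
        del self.locked[user]
        self.failures.pop(user, None)
        return True


def failed_logins_per_user_day(log_lines):
    """Count FAIL lines per (user, day). Assumed format:
    '2005-12-03 02:14:07 FAIL user=alice ip=192.0.2.10'."""
    counts = defaultdict(int)
    for line in log_lines:
        parts = line.split()
        if len(parts) < 4 or parts[2] != "FAIL":
            continue
        user = parts[3].split("=", 1)[1]
        counts[(user, parts[0])] += 1
    return dict(counts)


def suspicious_accounts(log_lines, threshold=REPORT_THRESHOLD):
    """Accounts that failed at least `threshold` times on some day: the daily report."""
    counts = failed_logins_per_user_day(log_lines)
    return sorted({user for (user, _day), n in counts.items() if n >= threshold})


# Constructed sample log: one account hammered all night, one genuine typo.
SAMPLE_LOG = (
    ["2005-12-03 02:%02d:00 FAIL user=oldaccount ip=192.0.2.10" % m for m in range(12)]
    + ["2005-12-03 09:15:00 FAIL user=alice ip=192.0.2.20",
       "2005-12-03 09:15:30 OK user=alice ip=192.0.2.20"]
)

if __name__ == "__main__":
    print(suspicious_accounts(SAMPLE_LOG))   # ['oldaccount']
```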


Finally, I have to consider the last appearances of MiguelCaradoso and Steven Den Beste to be fraudulent. Both popped in to great rejoicing, posting in rather odd ways, and were never heard from again. - eriko

This is a sad but very real possibility.
posted by raedyn at 7:14 AM on December 13, 2005


Not so.
posted by adamvasco at 4:47 AM on December 14, 2005

