Two days after someone broke into the email account of vice presidential candidate Sarah Palin, unknown intruders have hacked the website of conservative commentator Bill O'Reilly and posted personal details of more than 200 of its subscribers. The breach into BillOreilly.com came as retaliation for remarks O'Reilly made on …
Couldn't happen to a nicer guy...
Think he should stick to targets too scared to fight back (like politicians).
Epic Win?? :D
Mine's the one with the wikileaking pockets...
cleartext passwords, that's kinda stupid
I'm sure that The Register would never make such a mistake.
"Oh damn, I use it all over the place."
That's just classic!
I think that at moments like this, little applications like Password Safe (http://passwordsafe.sourceforge.net/) etc should be publicized to educate the masses. It is extremely easy to use and is extremely small and works on my PC and Mac.
Bill O'Really a "conservative"? .... Bwah ha ha ha ha ha ....
This FRAUD "likes" and supports Marxist Barak Osama Hussein Obama! He rails against McCain!
Bill O'Really (not) is a complete media fraud; keep in mind he's been sued for Sexual Harassment and for nearly a decade hosted a TV "Tabloid" show before his "political enlightenment" .... sounds like a dirt-bag Liberal to me and most just based on those two guilty verdicts!
Spin Zone? Bill O'Reilly IS A SPIN ZONE! Bullshit Spin.
Slimy and Disgusting
The Register stooping so low? Linking to a site, linking to images of submitted content, which is newsworthy?
Shame on you... You're like that guy who stole the 50 bucks my grandma sent me through the mail.
What Kinda Rogue...
... administrator builds a website using unhashed passwords!
The developers and administrators of this site need a serious lesson in security and privacy. Not to mention this Bill O'Reilly chap needing to learn a few things about how the world, and especially the online world, really works.
Doing such a stupid thing as criticizing "hackers" for proving that a US Politician is not following the rules on government email, is just screaming out to the world "HACK ME!!"
Paris, Cos she knows the importance of using (a) good hash!
O'Reilly is a prat but..
All these shenanigans just serve to feed into the usual right wing conspiracy theories. This just risks mobilising otherwise apathetic conservative voters (it'll be a battle cry, dammit!) and in a country with voluntary voting that is more important than steering public opinion.
The smug giggling from the savvy will ring hollow if, come election time, the booths are full of republicans trying to turn the "left wing cyberterrorist" tide while the slackarsed 18-25s are at home buzzing on the afterglow of that burn on Bill O'R .. "Man, we got him one!" .. "Man, he so 20th century!".
"Man, his team is running the country again... shit."
Punish the innocent
. . .by exposing to the world their names and home addresses?
Black helicopters for all the hypocritical fucktards who are now cumming, but will return to crying over the Patriot Act.
Who would have thunk it?
Webster Phreaky doesn't like Bill "Der Stürmer" O'Reilly? I would have imagined him to be one of the leaked ones. Maybe Billy said something nice about Apple once.
It exposes the big fat lie
... that the 'conservatives' have been shoving in our faces for years, that only they can protect you from those nefarious 'terrorist' types. The reality is that they can't protect their straw house from wolves.
It just couldn't happen to a nicer guy.
This has put a nice big smile on my face as I eat my bacon roll.
I had always assumed...
That nowadays people were always using hashed password databases, I mean it's just common sense. So to see this, I am shocked, and shame on the hackers for not obscuring those people's passwords or usernames & home addresses!
Anyone who pays to receive their opinions from Bill O'Reilly should be publicly flogged and sterilised, and have any existing children taken away for de-programming.
I call Poe's law on "Webster Phreaky"
I call a slightly non-canonical version of Poe's Law (http://rationalwiki.com/wiki/Poe%27s_Law) with regard to "Webster Phreaky". Not even in Merkinland can people be that dull-witted, addle-pated and generally such an obvious 24-carat arse. It's not real, it's a gifted troll (who is laying it on slightly too thickly).
Paris 'cos "they're real".
Funny thing is that Bill Boy was talking about gawker.com and 4chan/anon/whatever thought Bill was talking about them - they even renamed the subtitle of /b/ as the terms Bill used. So erm.. it's all been a big mistake.. nothing to see here..
re: It just couldn't happen to a nicer guy.
I'm sorry Dave....
It didn't happen to the Mouth that Roared, it happened to a couple of hundred of his fans.
Crowing about it is pretty lame.
Check out the wikileaks site...
Notice how most of the people with the dumbest passwords are also the people with the longest subscriptions?
Just a small observation, make of it what you will...
Another nice video from O'Reilly
On the same subject
As far as I'm concerned, they've lost all legitimacy when they choose to allow activities such as this which have nothing to do with their supposed purpose, exposing unethical behavior, and merely choose to embarrass those with whom they disagree philosophically or politically. There are ways to take them down - no one is invulnerable - and eventually those ways will be found.
Is one of the biggest sphincters ever to appear on US TV, he is an onscreen bully and deserves every piece of crap thrown his way. A pox on his house.
Mine's the white lab coat with white dust on it.
Well... the governments want to be able to monitor all of us, so I guess that it should be OK for us to be able to monitor them.
After all, MPs EXEMPT from ID cards, MPs' children EXEMPT from the Children's database, Phorm, etc. No doubt when the next Orwellian law comes into place they will be EXEMPT again.
You reap what you sow.
ROW ROW FIGHT THE POWAH
So thousands of anarchist rebels thought that Bill called them "liberal leftists" when actually he was talking about gawker, 4chan's mods knew this but encouraged a riot for the sheer fun of it.
There's no political motive here, it's all about entertainment.
...why don't you stop with the bullshit about McCain not being physically capable of using a damn keyboard already? It isn't funny; it isn't clever. Everyone knows the whole story by now, so just stop it.
And as for the ones that say "I'm missing my arms and I'm writing this comment!"... well good for you, but how many of you are 72 again?
"...why don't you stop with the bullshit about McCain not being physically capable of using a damn keyboard already? It isn't funny; it isn't clever."
The man who invented the Blackberry can't use a keyboard?
I suppose it'll take even longer than the 'Al Gore invented the internet' to lie down and die; after all - (unlike McCain) nobody actually made the claim.
...the video clips of O'Reilly on Wikileaks, someone needs to send O'Reilly some juicy stolen tid-bits, and see if he publishes them (or for that matter, just investigate his past sources, I'm sure there's some dirt in there somewhere).
el Reg is el stupido
Hacking and posting innocent names/addresses is OK as long as you don't like 'em seems to be the order of the day. Ethics can be supplanted by temporal feelings of dislike or tit for tat outrage. The arguments from posters here seem to be that it is OK to hack and post someone else's name, email and password because:
1) they hate Bill O'Reilly
2) the subscribers are 'dumb'
3) the security is 'weak'
4) any combination of above.
I think it shameful that Dan Goodin can link to the site and it permanently colors any conversation he might have about citizen privacy which USED to be an issue championed by this website. Nowadays privacy is just a fashionable term for the chattering class and only supported when it suits their whims.
RE: It just couldn't happen to a nicer guy.
And, these [happy people] aren't innocent. They're the [happy people] who supported the last [happy person] for the past 8 years, and the incoming next 4. [Happy people].
Casualties of War
I don't like O'Reilly. The guy holds some views that are totally insane, so I was chuckling away when I read this. It's good someone busted him down a little. I remember one interview where he criticized the people of Iraq, saying they are not doing enough to help themselves. But we hear the stories of people being blown up while queuing for jobs in security. Some of these guys died before they even got the job!
Hard as this may seem, the users that were exposed are kind of like casualties of war, and O'Reilly is the general.
A Little Fire
A friend of mine was very supportive of the PATRIOT act when it came out.
I told him it was a bad idea. He wanted to know why. I said, "well, you're happy with this kind of power in the hands of today's .gov, but what happens when the opposition are in power -- do you really want THEM to have that kind of "carte blanche" with your rights?"
He thought about it. He reckoned that it would be rolled back before the opposition got into power.
Every time some moron does a high-profile hack like this, and splashes it about we come that much closer to yet another piece of badly-written draconian legislation that will make vaguely and ambiguously defined online "misbehavior" a felony with a mandatory ten-year sentence.
So laugh it up.
Sometimes it's a Reichstag fire. Sometimes it's just a series of annoying-but-public smaller fires.
Sooner or later some politico is going to make his bones by making an example of pimply-faced lads who were just larking about.
And you'll all cry "foul!" when it happens.
Enjoy the laugh while you can.
$password = md5($password);
Given how ridiculously simple it is to hash a password before storing it in a database or comparing it to the value in the database ... I am shocked by the number of sites that don't bother to take this precaution.
I don't think it's possible to find a web programming book that doesn't show you how to take this simple precaution.
Anyway it's fully possible to both admire the humor of a crime, be delighted that it occurred and still feel the perpetrator should be brought to justice.
I have little sympathy for Bill O'Reilly...
However, I don't much like pointless finger-pointing either.
It says on the Wikileaks page: "Unless otherwise specified the document described here [...] Is of political, diplomatic, ethical or historical significance."
Not that much significance, the way I see it.
pwhash = sha1(password)
Not immediately doable, but a quick search for "sha1 vbs" should provide a copy/paste function for classic ASP programmers. Oh, and IsNumeric() is useful too, for sanitizing input.
/me thumbs nose at idiots trying to hack his site
Seems kind of petty
Okay, Bill O'Reilly was totally asking for it badmouthing hackers while having that kind of "security", but I don't quite understand what Wikileaks' motivation for publishing this one was. I thought the point was to publish corporate or government secret documents, especially when they point to someone up to no good. Palin's email may qualify, but I fail to see how Bill O'Reilly's subscriber account information does.
@ David Wilkinson & Gordon Fecyk
NO NO NO NO NO. *EPIC FAIL*.
When hashing passwords you MUST MUST MUST *SALT* them!
For you lazy Web 2.0ers out there, try phpass:
That's probably all of them.
@ GC Birzan
It always amazes me how incredibly stubborn and irritating that guy is!
@ROW ROW FIGHT THE POWAH
"There's no political motive here, it's all about entertainment."
or, in /b/tard speak; "They did it for the lulz".
Re: 205 Subscribers?
LOL -Nice one!
@Jon Teda and Webster
I don't think that Poe's law can be applied to Webster, because he seems to be a genuine fcuk-mook.
Poe's paradox might apply though.
As for Jon Teda...I'm not sure if you are with phreaky there or not.
You don't like the idea of the elite's emails being hacked into but say nothing of them hacking into our emails, packet sniffing or data mining?
You say nothing about the elite being above the law and buying judges or telling them what to do like they wuz gangstas?
You back up the comment (a parody) that it couldn't happen to a nicer guy, then counter it with a comment about the happy people (mooks? Elite?).
Does Poe's law apply to your post I wonder?
I've signed on to a few sites that will send you your password if you forget. If you want that feature (as a site operator) you can't hash. Yeah, I know, I know - sending out a random password and making them change it at sign on is better, but that kind of thing can be confusing to O'Reilly's demographic. They've got enough to think about trying to get to the early-bird special at the Country Kitchen buffet and all...
@Michael G - situational ethicists need not apply
Why are people attacking the victims? Can it be justified in any ethical sense? The private information of 200+ people was posted to the public. To dissemble because one does not like the website owner brings the attendant implication that people who subscribe to the site are less worthy of protection. Where does the concept of 'less worthy of protection' enter into any liberal minded thought?
The 200+ people whose information was released are far from 'elite'. Your argument lacks any reason or rationality. Explain how any of the subscribers were part of the 'elite' or be forever branded a fool. For you to tie an argument of class shows you to lack any thoughtfulness. You are probably more 'elite' than any one of the subscribers who mistakenly had faith in the security of the website.
Why are people attacking supporters of universal privacy? Can it be because the attackers dislike a person and are willing to subvert principles for temporal emotional release? There is no litmus test sir - privacy is for everyone or it will only fall into the hands of the elite. Those are liberal thoughts and ones which will hold me in good stead over the people who chortle over the misery of others.
"salting" -- right, makes sense, but clarification?
I was just emulating the other poster, granted. So for the rest of us geeks, "salting" is including some other (pseudo) randomized value with the password hash?
This means my password fields would have to include the "salted" password hash and the "salt" value, and the steps would go like this:
1) Accept new or changed password from user
2) Generate some pseudorandomized value, possibly hashing that, making "salt"
3) Use "salt" and password to generate "salted" hash representing password
4) Store "salt" and "salted" password hash as separate values
Then when authenticating a user, use their supplied password and internally generated "salt" to make hash to compare against stored "salted" hash?
Sounds like we're making breakfast here. As cute as it sounds, I suppose this can prevent a brute force attack against the password hash. I take other steps along the way to prevent this sort of thing; no one can just start a new session knowing a password hash the way I do things, but I suppose this is one more obstacle to overcome.
Toilet papering someone's house is also immoral, but funny. So I'll laugh this time. I don't see a significant amount of damage to the subscribers or Bill O'Reilly. Names and addresses are available all over the place, so the only new info here is that Bob subscribes to Bill. Unless having the password allows you to log into Bill's site and access more info or charge up more services or something, that would be pretty jacked up to post that info then. The webmaster will have to put things back together, but shame on him for not doing it right the first time.
@Jon Teda with elite support
Now hang on a sec.
At no point did I say those 200+ were the elite.
I would have thought it quite clear that the elite are the ones in power, not the casualties of war.
As for my political stance, I have no idea what it is.
I would hold everybody equal under the law, since that seems to be a good principle to me.
Everybody should have the right to privacy, not just those in power; not just those who have the power of armies, federal agencies, intelligence agencies and other special forces to enforce their right to privacy.
Privacy is the only freedom we have; an Englishman's home is supposed to be his castle.
Not anymore it seems.
The ruling elite should be, as Carl Schmitt would have it, only there by the action or inaction of the people who put them there and suffer them to rule.
We do need order to realise our world vision and to prosper and progress, and anarchy will not guarantee progress and prosperity like order can - however, I do not like the idea of people as numbers or as resources.
To this end, I of course disagree with the exposure of these people's names and passwords etc. To hack into the website and show some token of this having been done would have been more than enough 'lulz' for these rebels without a cause I think.
The subsequent posting of these details on Wikileaks and their subsequent hosting of these images is completely unnecessary also, and no positive gain may be discerned from these actions which would balance out the negative impact on the 200+ subscribers to Billy-boy's mook-fest.
Nevertheless - and this is what I am arguing against - the elite (those in power, not the 200+) should not ever be able to say things like 'nobody can invade a sovereign country in the 21st Century' or that people have a right to privacy and use words like freedom, justice, democracy, the constitution and the American Way when they are destroying all these things for the general populace of their own country and invading/bombing the hell out of others.
I don't like their argument for this - do as I say and not as I do.
The elite are not supposed to be above the same rules/laws that everybody else lives by and just make things up as they go along - that is tantamount to dictatorship, and all the eccentric or anarchic spur of the moment decisions that go with that state.
I like order.
Am I a liberal?
I don't think you get the concept.
1. DO NOT store plaintext passwords in a database.
2. DO NOT store the information required to verify passwords in the same database as the passwords.
3. If a user forgets a password, generate a new one and send it to them.
@ Gordon Fecyk
Typically it's more like this. When storing:
1. Generate n-byte random salt, n normally being 2
2. feed salt into hash algorithm
3. feed password into hash algorithm
4. append hash to salt and store in database.
1. get values from database, feed first n bytes into hash algorithm
2. feed password into hash algorithm
3. compare hash to remaining bytes of stored data.
Yes, it defeats a dictionary attack (by making it take 2^n times longer), which is important when a disgruntled admin dumps a copy of your database and takes it home to break at his/her leisure - even security pros reuse low-security passwords, there are just too many sites not to....
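The salt-then-hash scheme sketched in the two posts above (generate a salt, hash salt plus password, store salt || hash, then repeat with the stored salt to verify), worked through as an added example; this is not code from any commenter or from the site in the story. SALT_LEN of 16 bytes is my assumption rather than the "n normally being 2" in the post, and the SHA-1 is kept only to mirror the thread; a purpose-built password hash such as the phpass mentioned earlier is the better choice for a real site.

```python
import hashlib
import hmac
import os

# Assumed salt length (constructed value for this example). A 2-byte salt
# gives only 65536 variants, which a precomputed table absorbs easily.
SALT_LEN = 16
DIGEST_LEN = hashlib.sha1().digest_size  # 20 bytes for SHA-1


def make_record(password, salt=None):
    """Return the value to store: raw salt followed by sha1(salt || password).

    Steps 1-4 of the storing procedure from the thread. A fixed salt may be
    passed in only so that verify() can recompute the digest.
    """
    if salt is None:
        salt = os.urandom(SALT_LEN)          # 1. random salt per password
    h = hashlib.sha1()
    h.update(salt)                           # 2. feed salt first
    h.update(password.encode("utf-8"))       # 3. then the password
    return salt + h.digest()                 # 4. salt || hash goes to the DB


def verify(password, record):
    """Steps 1-3 of the checking procedure: split off the salt, rehash, compare."""
    if len(record) != SALT_LEN + DIGEST_LEN:
        return False                         # malformed row, never a match
    salt, stored = record[:SALT_LEN], record[SALT_LEN:]
    candidate = make_record(password, salt)[SALT_LEN:]
    # constant-time compare so timing does not reveal how many bytes matched
    return hmac.compare_digest(candidate, stored)


def unsalted_digests_collide(passwords):
    """Why the salt matters: without one, every user who picked the same
    password stores the same digest, so one cracked row cracks them all."""
    digests = {hashlib.sha1(p.encode("utf-8")).digest() for p in passwords}
    return len(digests) < len(passwords)


def salted_digests_collide(passwords):
    """With a fresh salt per record, identical passwords still differ on disk."""
    digests = {make_record(p)[SALT_LEN:] for p in passwords}
    return len(digests) < len(passwords)


if __name__ == "__main__":
    rec = make_record("correct horse")
    print(verify("correct horse", rec), verify("wrong", rec))     # True False
    same = ["hunter2", "hunter2", "hunter2"]
    print(unsalted_digests_collide(same), salted_digests_collide(same))  # True False
```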