SA:MP Downtime

Andeey · 5362


Nathan

  • Guest
Reply #15 on: August 21, 2017, 08:20:59 pm
I'm not gonna say anything but no matter how strong the crypt is, once someone's got the script code and the encrypted password/name/whateverthatisencrypted, it can be decrypted easily.

That's true.



Offline Stivi

  • Hero
  • ****
    • Posts: 4431
  • With us since: 29/03/2012
  • Discord: Stiven#6102
Reply #16 on: August 21, 2017, 08:49:10 pm
You can't give an idea about something you don't know, so please don't.

There is no timing set for it as Andeey said, so let's be patient and see how it goes.
Ugh, actually I can give an estimate on something I don't know, I am not stating it's a fact. But I was just trying to keep him away from asking is it fixed yet when the server is locked and there is no point in asking.



The passwords were never stored in plain text. No one ever claimed they were either.
Pre-Teddy I think they were not hashed? Anyway, are all passwords stolen again?

Mr Cofiliano how can you deny that we had any relation or intercourse, while you are prosecuting me?


Offline Exterminator

  • Hero
  • ****
    • Posts: 2232
    With us since: 17/04/2011
  • SA:MP: Philip_Ancelotti
Reply #17 on: August 21, 2017, 08:53:48 pm
I'm not gonna say anything but no matter how strong the crypt is, once someone's got the script code and the encrypted password/name/whateverthatisencrypted, it can be decrypted easily.

Actually it's the other way around. The hash that argonath uses (sha 256) is extremely strong and also salted. Anybody who figures out how to decrypt SHA-256 would be an overnight multi-millionaire and hence extremely unlikely to be sitting around trying to hack argo. There are no known ways to break sha-256. Rather, it's more likely that there was some side channel leaking information from the server.


Philip_Ancelotti - Clans & Groups Moderator - Ancelotti Boss


Offline Mark

  • rp is in my DNA
  • Orc
  • *****
    • Posts: 1878
    With us since: 13/09/2013
Reply #18 on: August 21, 2017, 10:45:53 pm
Actually it's the other way around. The hash that argonath uses (sha 256) is extremely strong and also salted. Anybody who figures out how to decrypt SHA-256 would be an overnight multi-millionaire and hence extremely unlikely to be sitting around trying to hack argo. There are no known ways to break sha-256. Rather, it's more likely that there was some side channel leaking information from the server.

Perhaps the last thing you said is right but anything else can be twisted around because if it's not implemented correctly they can try to brute force it with a powerful system, I'm not saying this is the case but considering that protection in past has been compromised multiple times everyone would have his doubts

https://dusted.codes/sha-256-is-not-a-secure-password-hashing-algorithm

Just like with forums which had a weak protection (md5 kek) even SAMP server hasn't the best out there (be it human mistake or weak security the server went down more than online last month) now since this has been a taboo for weeks, can we know why and how the accounts got breached?


Offline RuCa

  • Regular
  • **
    • Posts: 1063
    With us since: 15/11/2009
  • SA:MP: Frederick Collin
Reply #19 on: August 21, 2017, 11:08:45 pm
Dear all,

With RS5.2.009 we force everyone to change their password due to some changes in the way we encrypt passwords. The best practices of password encryption are currently live on the server. As you may understand I can't tell you what sha we are using or either the salt.  :lol:

I can't and won't tell you the attack vector but I can make you sure NONE of the passwords were decrypted on previous versions or right now like Marcel said.

Right now none of the developers or either the Server HQ have access to the virtual machine like Andeey said. It's an important tool that we need to make sure SA:MP server is secure. After we receive the access we will start developing the 2FA and update our panel.

I will be looking over this topic and check your posts. If there is any questions that I can reply, I will do it to keep you informed. Let's just keep this clean so we can have some constructive conversation over this topic.

Reply to some questions:
  • Is there any ETA
    Quote
    There is no current ETA on when the server will be back, Though we will leave updates in this topic.
  • Why were the passwords in plaintext and not salted/hashed? Are they encrypted now? If someone breaches the host again, will the passwords be easily stolen again?
    Quote
    The passwords were never stored in plain text. No one ever claimed they were either.
  • why use weak security?
    Quote
    We are using the best practices for encryption. Right now we don't have weak security.

Best regards,
Frederick Collin

Signed,
FredericK


Offline Kacper_Gorski

  • Regular
  • **
    • Posts: 629
  • Im a good driver, one of the best.
  • With us since: 03/02/2017
  • SA:MP: Kacper_Corleonesi
Reply #20 on: August 21, 2017, 11:20:32 pm
So why all this shit in the first place? IF in fact no passwords were leaked, why is all this shit happening, I remember reading something "No passwords have been leaked" Are we missing something here? @RuCa



Offline RuCa

  • Regular
  • **
    • Posts: 1063
    With us since: 15/11/2009
  • SA:MP: Frederick Collin
Reply #21 on: August 21, 2017, 11:32:37 pm
So why all this shit in the first place? IF in fact no passwords were leaked, why is all this shit happening, I remember reading something "No passwords have been leaked" Are we missing something here? @RuCa

Like I said on my previous post no passwords were leaked or decrypted. There is multiple lines of code that need to be executed before anyone login. So multiple things can cause it. Since we don't have any access to the virtual machine, we can't check what can cause such logins, but we are sure it's not password related.

I hope everyone might understand there is a few things we can't tell for example the password encryption for obvious reasons.

Signed,
FredericK


Nathan

  • Guest
Reply #22 on: August 21, 2017, 11:46:31 pm
Looking forward for 2FA!

Do we have 2FA options for the forums as well?



Offline Hidduh

  • Hero
  • ****
    • Posts: 3084
    With us since: 23/07/2009
Reply #23 on: August 22, 2017, 12:22:52 am
Looking forward for 2FA!

Do we have 2FA options for the forums as well?

SA:MP had 2FA but it was removed/disabled.
Shitty Machines Forum doesn't natively support 2FA so you have to resort to a third-party plug-in.



Offline Volcom

  • XIII | White Shadows
  • Veteran
  • ***
    • Posts: 2213
  • With us since: 13/12/2009
  • SA:MP: [WS]IceManC
Reply #24 on: August 22, 2017, 01:13:30 am
So why all this shit in the first place? IF in fact no passwords were leaked, why is all this shit happening, I remember reading something "No passwords have been leaked" Are we missing something here? @RuCa

If you don't know about scripting or don't understand please do not comment about it.



Offline Lush

  • Veteran
  • User
  • *
    • Posts: 44
  • Argonath's Old School
  • With us since: 14/08/2008
Reply #25 on: August 22, 2017, 09:10:46 am
Due to the excess of the recent events with this downtime, is this a turning point in the community infrastructure where changes in security and other areas of the server are to take place or should we expect to continue having this sort of thing come up?

It feels like we have either
        a) Host issues
        b) Security issues
        c) *or* a mixture of multiple various entities coming to play

Either way, we as a community, with such diversity, should be able to clearly have an idea of what we are facing.  I do not believe the details of HOW but rather WHAT we are doing to prevent its reoccurrence.

*What was breached?
*What is being done to counteract further breaches
*What do we as a community need to concern with? eg. passwords; community emails; etc
*Has the breach been halted or is it ongoing?

I understand what we are facing is a tough cookie to bite on, but rather than fill the topic with "hey are we done yet? are we fixed yet? when will we be done?" I believe we as a community can patiently await the outcome of this.

Thank you HQ & Staff for your continuous efforts.

-Lush



Offline Exterminator

  • Hero
  • ****
    • Posts: 2232
    With us since: 17/04/2011
  • SA:MP: Philip_Ancelotti
Reply #26 on: August 22, 2017, 01:29:54 pm
Perhaps the last thing you said is right but anything else can be twisted around because if it's not implemented correctly they can try to brute force it with a powerful system, I'm not saying this is the case but considering that protection in past has been compromised multiple times everyone would have his doubts

https://dusted.codes/sha-256-is-not-a-secure-password-hashing-algorithm

Just like with forums which had a weak protection (md5 kek) even SAMP server hasn't the best out there (be it human mistake or weak security the server went down more than online last month) now since this has been a taboo for weeks, can we know why and how the accounts got breached?

At Present, the Bitcoin network has about 5 ExaHash/s capacity. A SHA-256 hash has an exhaustion width of 700 ExaHash. At present, the Bitcoin Network has approximately $400M worth of ASICs dedicated to mining SHA-256. And all that to break just a single hash.

So unless our hacker is actually a billionaire in disguise, SHA-256 is more than safe. SHA-256 is also used in various other forms of encryption including HTTPS, SSL certificate verification, Windows Update etc. Or in other words, anybody that can reliably break SHA-256 can cause havoc in the world (Not to mention becoming an overnight millionaire/billionaire from their domination of BTC mining). The lack of such havoc is ample proof that nobody has a general purpose SHA-256 crack. Anybody that has the hundreds of millions of dollars worth of SHA-256 ASICs and the Godlike technical expertise to break SHA-256 is not going to be spending his time hacking passwords on a dead server now, is he?


Philip_Ancelotti - Clans & Groups Moderator - Ancelotti Boss


Offline Mr. Goobii

  • Orc
  • *****
    • Posts: 5348
    With us since: 22/09/2008
  • SA:MP: [R*]Goobii
  • Discord: Goobii#6360
  • V:MP: [Rstar]Al_Svensson
Reply #27 on: August 22, 2017, 01:32:16 pm
*What was breached?
*What is being done to counteract further breaches
*What do we as a community need to concern with? eg. passwords; community emails; etc
*Has the breach been halted or is it ongoing?

- The database.
- Fix the way they continuously breach accounts.
- Change password if you feel for it.
- It's still going on.



Offline Mark

  • rp is in my DNA
  • Orc
  • *****
    • Posts: 1878
    With us since: 13/09/2013
Reply #28 on: August 22, 2017, 01:57:37 pm
At Present, the Bitcoin network has about 5 ExaHash/s capacity. A SHA-256 hash has an exhaustion width of 700 ExaHash. At present, the Bitcoin Network has approximately $400M worth of ASICs dedicated to mining SHA-256. And all that to break just a single hash.

So unless our hacker is actually a billionaire in disguise, SHA-256 is more than safe. SHA-256 is also used in various other forms of encryption including HTTPS, SSL certificate verification, Windows Update etc. Or in other words, anybody that can reliably break SHA-256 can cause havoc in the world (Not to mention becoming an overnight millionaire/billionaire from their domination of BTC mining). The lack of such havoc is ample proof that nobody has a general purpose SHA-256 crack. Anybody that has the hundreds of millions of dollars worth of SHA-256 ASICs and the Godlike technical expertise to break SHA-256 is not going to be spending his time hacking passwords on a dead server now, is he?

I never meant to say this was the case of what happened on argo, of course they're not going to waste their time brute forcing some passwords on SAMP server, even knowing the salt, when they can just breach into the server because the owner disappears before they can fix the issue that gave them access. One thing is sure though: when you get breached so many times and your forums also went down in past due to poor security you should focus on fixing it, at least do it for those who are using your services or shut everything down if you don't care about the risk that personal information gets leaked.


Offline Julio.

  • Hero
  • ****
    • Posts: 6010
    With us since: 21/07/2009
  • SA:MP: [Rstar]Julio
  • IV:MP: [R*]Julio
  • VC:MP: [R*]Julio
  • V:MP: [R*]Julio
Reply #29 on: August 22, 2017, 09:31:55 pm
I'm not gonna say anything but no matter how strong the crypt is, once someone's got the script code and the encrypted password/name/whateverthatisencrypted, it can be decrypted easily.

Using SHA-256, if the user has chosen a simple word from the dictionary then sure. But if you're using something like "aeroplane" as your password then you deserve your password being cracked...  :balance:
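
Added example, not part of any post in this thread and not Argonath's code: a Python sketch of the distinction the replies above circle around, namely that a salted single-pass SHA-256 costs almost nothing per password guess (so dictionary words fall without SHA-256 being "broken"), while an iterated KDF built on the same hash raises that cost. The function names, the iteration count and the wordlist size are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
import time

PBKDF2_ITERATIONS = 600_000  # assumed work factor for this example


def salted_sha256(password: str, salt: bytes) -> bytes:
    """Single-pass salted SHA-256: the fast scheme debated in the thread."""
    return hashlib.sha256(salt + password.encode()).digest()


def pbkdf2_sha256(password: str, salt: bytes) -> bytes:
    """Same primitive (HMAC-SHA-256), deliberately slowed by iteration."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt,
                               PBKDF2_ITERATIONS)


def store(password: str, kdf=pbkdf2_sha256) -> tuple[bytes, bytes]:
    """Return (salt, digest) using a fresh random per-user salt."""
    salt = os.urandom(16)
    return salt, kdf(password, salt)


def verify(password: str, salt: bytes, expected: bytes,
           kdf=pbkdf2_sha256) -> bool:
    """Recompute the digest and compare in constant time."""
    return hmac.compare_digest(kdf(password, salt), expected)


def seconds_per_guess(kdf, rounds: int) -> float:
    """Average wall-clock cost of evaluating one candidate password."""
    salt = os.urandom(16)
    start = time.perf_counter()
    for i in range(rounds):
        kdf(f"candidate{i}", salt)
    return (time.perf_counter() - start) / rounds


if __name__ == "__main__":
    wordlist_size = 10_000_000  # constructed figure, not from the thread
    for name, kdf, rounds in (("salted SHA-256", salted_sha256, 20_000),
                              ("PBKDF2-SHA-256", pbkdf2_sha256, 3)):
        cost = seconds_per_guess(kdf, rounds)
        print(f"{name}: {cost:.2e} s/guess on one CPU core, "
              f"{cost * wordlist_size / 3600:.2f} h for the whole wordlist")
```

The salt only forces the work to be repeated per account; it does not make an individual guess any slower, which is why the work factor matters for stored passwords.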



 

