Bogleheads.org

[JPH]

I don't think the bad guys are clever enough to do site-specific password guessing, but I would suggest that people avoid passwords that have any relationship to the name of our mentor.

nisiprius, I made this mistake, and my account was hijacked.

Wow! Who would have guessed that the bad guys would try nisiprius as a common password. That is the mentor of whom you speak, right?

Well, in a way, yes, I suppose so! To nisiprius.

[Default User BR]

nisiprius, I made this mistake, and my account was hijacked.

What did they do with your account? What was the process to regain control?


Brian

[DRiP Guy]

I also want to take a moment as others have done, and thank forum admin for both taking the threat seriously, and also informing us of what was going on so we can be proactive.

I'm betting this will cause a lot of us to audit our other passwords, as well as the one used here. So, unlike the original attack (GGGRRRRRR to the scumbags out there), at least the extra vigilance this should inspire in users will serve a useful purpose; as Martha Stewart might say "It's a good thing."

[Easy Rhino]

It's probably the high-fee fund industry attacking... BOGLEHEADS, TO THE BARRICADES!

But seriously I hadn't noticed this topic, but I HAD noticed that I had to log in using a captcha out of the blue a few days ago, so I guess this explains it.

[JPH]

nisiprius, I made this mistake, and my account was hijacked.

What did they do with your account? What was the process to regain control?


Brian

I don't know that they did anything. Maybe they edited my old posts so they make more sense. The administrators corrected the problen by providing a new temporary password, which I changed on first login. I am now using a much stronger password. Thank you to Alex and Tashina.

[Petrocelli]

I just realized that some idiot hacked my account and authored posts on Dan Wiener, actively managed stocks, and even a long thread on a $5,000 watch!

I apologize to the forum for this disruption. See you all at Bogleheads 10!

[petrico]

I just realized that some idiot hacked my account and authored posts on Dan Wiener, actively managed stocks, and even a long thread on a $5,000 watch!

The arrogance.

[rustymutt]

Alex, can you capture his IP and turn it in to his provider. Plenty of software out there to do this.

[xerty24]

Alex, can you capture his IP and turn it in to his provider. Plenty of software out there to do this.

There are plenty of IPs out there too. If you're at all careful, things can't get traced back in a useful way.

[Mel Lindauer]

I just realized that some idiot hacked my account and authored posts on Dan Wiener, actively managed stocks, and even a long thread on a $5,000 watch!

I apologize to the forum for this disruption. See you all at Bogleheads 10!

See, you stay away for a while and you're totally out of the loop, Petro. Actually, Bogleheads 10 was LAST YEAR, and, believe it or not, this year's event is called Bogleheads 11. (We're a creative bunch, aren't we? )

[Alex Frakt]

nisiprius, I made this mistake, and my account was hijacked.

What did they do with your account? What was the process to regain control?

It's not a they, it's one apparently mentally ill person who has made it his great quest to inform everyone of the imagined evils of Larry Swedroe, Mel and myself. We have previously discussed him on this thread: http://www.bogleheads.org/forum/viewtopic.php?t=82238.

We have gotten fairly good at sniffing him out when he signs up, so he switched to this attack on our forum in an attempt to hijack existing member's accounts from which to launch his protests. We now know he successfully hijacked at least three accounts. In JPH's case, he didn't do anything with the account other than attempt to change the e-mail address. He either was holding it in reserve or made a typo in the e-mail address, because he never activated the account after the change. By restoring JPH's original e-mail address and forcing a new password, we were able to get it back.

Two other members were not so lucky and their accounts were used to send dozens of PMs complaining of his ill treatment and "warning" people about the conspiracy he imagines Larry, Mel and I have cooked up. These accounts have been recovered. We don't know if anyone else has been hijacked, so once again I urge you to change your password if you are using one of the weak passwords mentioned in the first post on this thread.

Alex, can you capture his IP and turn it in to his provider. Plenty of software out there to do this.

He's arguably insane, but he's unarguably very smart. I've contacted his original ISP and they won't do anything unless compelled by a court or law enforcement order. He now connects through anonymizing servers so there is no way to block or track him. He also always uses temporary e-mail services when he signs up for an account. His hack attempts are illegal and law enforcement could get him easily enough based on the information in our logs, but it appears that since we can't prove sufficient monetary damages, the cops aren't interested in doing more than taking a report. BTW, if anyone out there has some pull with a computer crimes law enforcement entity who might be interested in pursuing this, please let me know via PM. Our servers are in New York and the attacker appears to be based in New York if that makes a difference, but we obviously have readers everywhere.

[SSSS]

It's not a they, it's one apparently mentally ill person who has made it his great quest to inform everyone of the imagined evils of Larry Swedroe, Mel and myself.

The "deceitful fraudster" guy? I got a PM last week that was seriously confusing because it came from an apparently legitimate account (Nowizard). Now it makes a little more sense.

[Mudpuppy]

Alex, can you capture his IP and turn it in to his provider. Plenty of software out there to do this.

He's arguably insane, but he's unarguably very smart. I've contacted his original ISP and they won't do anything unless compelled by a court or law enforcement order. He now connects through anonymizing servers so there is no way to block or track him. He also always uses temporary e-mail services when he signs up for an account. His hack attempts are illegal and law enforcement could get him easily enough based on the information in our logs, but it appears that since we can't prove sufficient monetary damages, the cops aren't interested in doing more than taking a report. BTW, if anyone out there has some pull with a computer crimes law enforcement entity who might be interested in pursuing this, please let me know via PM. Our servers are in New York and the attacker appears to be based in New York if that makes a difference, but we obviously have readers everywhere.

This sort of behavior is unfortunately so common that it is a very low priority for law enforcement. You could try civil court over the matter and perhaps a judge would be willing to grant a legal order forbidding him from making contact with the forum. But getting a civil court to reveal identity from ISP records can be a bit tedious (if not impossible) unless you have the weight of major industry like MPAA or RIAA. Getting a court order will get you more clout with law enforcement because breaking a legal order is more serious than harassment (unless that harassment is likely to cause immediate danger to life and limb, which is not the case here). But getting the court order in the first place is the problem.

Short of that, it becomes a game of whack-a-mole. If you had a bored developer with time on his/her hands, you could build a honeypot for him to spin his wheels in (e.g. redirect his username on login to a fake site where none of his actions actually propagate to the real site), but that seems almost as much hassle as court proceedings.

[Alex Frakt]

It's not a they, it's one apparently mentally ill person who has made it his great quest to inform everyone of the imagined evils of Larry Swedroe, Mel and myself.

The "deceitful fraudster" guy? I got a PM last week that was seriously confusing because it came from an apparently legitimate account (Nowizard). Now it makes a little more sense.

That's the one.

BTW, if anyone gets a strange or apparently out of character PM (in addition to obvious violations like spam), please click the report button (triangle with an exclamation point) on the message to let us know.

[Alex Frakt]

This sort of behavior is unfortunately so common that it is a very low priority for law enforcement. You could try civil court over the matter and perhaps a judge would be willing to grant a legal order forbidding him from making contact with the forum. But getting a civil court to reveal identity from ISP records can be a bit tedious (if not impossible) unless you have the weight of major industry like MPAA or RIAA. Getting a court order will get you more clout with law enforcement because breaking a legal order is more serious than harassment (unless that harassment is likely to cause immediate danger to life and limb, which is not the case here). But getting the court order in the first place is the problem.

Short of that, it becomes a game of whack-a-mole. If you had a bored developer with time on his/her hands, you could build a honeypot for him to spin his wheels in (e.g. redirect his username on login to a fake site where none of his actions actually propagate to the real site), but that seems almost as much hassle as court proceedings.

That's pretty much our sysadmin's (Larry Auton) take on it. It's frustrating though.

[Default User BR]

It's not a they, it's one apparently mentally ill person who has made it his great quest to inform everyone of the imagined evils of Larry Swedroe, Mel and myself.

Oh, that guy. Yeah.


Brian

[LazyNihilist]

It's not a they, it's one apparently mentally ill person who has made it his great quest to inform everyone of the imagined evils of Larry Swedroe, Mel and myself.

The "deceitful fraudster" guy? I got a PM last week that was seriously confusing because it came from an apparently legitimate account (Nowizard). Now it makes a little more sense.

The same thing happened to me. Got a PM from what looked like a legitimate account (Nowizard) probably hacked. And going on about wild conspiracy theories.

[DavidC]

I just wanted to thank the admins for the work they perform to keep this forum and wiki running on their spare time/dime. And since no one linked them yet for giggles I link to 2 additional XKCD cartoons discussing CAPTCHAS:

• #233 A New CAPTCHA Approach
• #632 Suspicion

[gabylon]

Has it ever been considered to implement login via a secure connection?

[Alex Frakt]

Has it ever been considered to implement login via a secure connection?

The short answer is that it has been considered and rejected. It's discussed in greater depth here: http://www.bogleheads.org/forum/viewtopic.php?t=85181. It would not have helped with this issue.

[pkcrafter]

Geez Alex, I always thought vulgar language was verboten on the forum, and I'm dismayed to see it is not.

Paul

[Random Musings]

This sort of behavior is unfortunately so common that it is a very low priority for law enforcement. You could try civil court over the matter and perhaps a judge would be willing to grant a legal order forbidding him from making contact with the forum.

Perhaps we could have the courts require him to only use high expense ratio variable annuities with 12-b-1 fees. Of course, advisor recommended with a 2% wrap fee payable to this site.

Hate to be frank, but couldn't this person be doing something more productive? like getting laid Nah, probably not.

RM

[zaplunken]

someone has written a program that runs through the member list and attempts to login to each users account by entering random passwords. In anticipation of such attacks, our software only allows a small number of missed passwords before taking steps to lock out the attacker.

They can't be very successful at this, my password is shall we say pretty easy to guess. I use it at many sites that I view as having nothing to loose if hacked but I have different user names so they couldn't connect that password with any other user name at another site.

I see no reason to be concerned if they got my password, why should I? What could they possibly do with it? Post something that gets me banned would be the worst thing. All places that I would be worried about this I have extremely long and complex passwords, no one is ever going to guess them. As far as email, the address I use here is a throwaway, no address book, I don't use it to communicate with anyone but the site.

This is a PITA for the mods no doubts, my reason for posting is to challenge the forum to point out what I may have overlooked by being so cavalier and to tell others if they did what I have done there shouldn't be any concern. That said, maybe I'm wrong?.

[Call_Me_Op]

Two things confuse me about this.

1.) If they want access to the site, why not just sign-up? It's simple and free.

2.) If they gain access to the site, what are they going to do - attempt to solicit financial advice?

Update: I understand now, after reading Alex's response above.

[HueyLD]

I was asked to enter CAPTCHA characters when I tried to login yesterday. In addition, I could not even access BH.org from home network for a few weeks until yesterday.

So, do I need to change my password? Anything else I need to do?

[LadyGeek]

If you have questions about the security of your password for any reason, just change it for peace of mind. This applies to any website you visit. As long as you can login to the site, there's nothing more to do.

[umfundi]

Password

Really??

Really. Probably a common reaction of users to being told "type password." I think it's usually cluelessness plain and simple, not misplaced cleverness.

When I used Lotus Notes as a corporate mail system, my password was "password". You couldn't get to mail without logging in as yourself (with an enforced strong password), and I was perpetually having to give the mail password to system administrators for some reason or another. Having that password required was pointless and useless.

Reminds me of the old days, when the example in the manual for networking Sun workstations had the machines name Larry, Moe, and Curly. Guess what were the most popular hostnames for workstations?

Keith

[retiredjg]

When I used Lotus Notes as a corporate mail system....

My sympathies. I had the same experience. What a cluster.

[umfundi]

When I used Lotus Notes as a corporate mail system....

My sympathies. I had the same experience. What a cluster.

As I used to explain to my employees: "The purpose of L**** N**** is to lower your expectations."

Keith

[Nowizard]

Mine was one of the accounts that was hacked, and I did have an easily discernible password (stocks). Not being nefarious, I never considered someone using my account and had no reason (until now) to even think about privacy since I would only be posting courteously. I have not seen any responses attributed to me, but appreciate the moderator restoring my privileges. A more subtle password is in place. If anyone received an offensive message "from" Nowizard, I did not send it and am sorry for the inconvenience.

Tim

[SSSS]

I have not seen any responses attributed to me, but appreciate the moderator restoring my privileges. A more subtle password is in place. If anyone received an offensive message "from" Nowizard, I did not send it and am sorry for the inconvenience.

I got a PM a few weeks ago. I was really perplexed about what Larry Swedroe had done to piss you off so bad in such a short span of time.

[LadyGeek]

We just implemented a new feature in the forum software to help select a good password: Forum Software Updated: Show Password Strength

[Random Musings]

We just implemented a new feature in the forum software to help select a good password: Forum Software Updated: Show Password Strength

Thanks for the update.

RM

[Alex Frakt]

The troll is still at it. Even though we are taking measures to prevent the ongoing password attacks from breaching accounts, he was able to determine the password of multiple accounts in the initial attack and has apparently decided to use them up one at a time when something here upsets him. Within the last two days he made several posts using the hijacked account of member WTR3RD and sent several Private Messages using the hijacked account of member nevisbound.

As always, you can help us out by reporting suspicious PMs or posts. Note that many of the accounts he was able to get into are older ones that have had little or no activity lately. If you see a torrent of posts or are contacted by someone who's last post was from months or years ago, you should be suspicious.

A note on passwords. The type of attack the troll is running is very simple. It attempts to log in by plugging in a username and running through a list of likely passwords. We block this after a small number of attempts, so any password that follows the guidelines found in my original post on this thread are safe. The new password strength indicator is based on foiling an attack where the hashed (which more or less means encrypted) password database is compromised. This is what recently occurred on linkedin. That has not happened here. IMO, the really complex passwords needed to get a Strong rating from the password checker are overkill for a site like this.

[LadyGeek]

OTOH, we can't predict the future. A rating of "Good" is the minimum, but try to turn the indicator to green ("Strong").

For detailed password discussions see: Forum Software Updated: Show Password Strength and Another reason why you should never reuse passwords...

[Epsilon Delta]

OTOH, we can't predict the future. A rating of "Good" is the minimum, but try to turn the indicator to green ("Strong").

It thinks treecleanfilepigrederrorlawnpalaceflagminus is weak, so take it with a grain of salt.

[Mel Lindauer]

OTOH, we can't predict the future. A rating of "Good" is the minimum, but try to turn the indicator to green ("Strong").

It thinks treecleanfilepigrederrorlawnpalaceflagminus is weak, so take it with a grain of salt.

You need to use one or more numbers and/or characters and even a much shorter password will become stronger. Give it a try.

[Alex Frakt]

OTOH, we can't predict the future. A rating of "Good" is the minimum, but try to turn the indicator to green ("Strong").

It thinks treecleanfilepigrederrorlawnpalaceflagminus is weak, so take it with a grain of salt.

Exactly. Time for the obligatory xkcd comic.
http://xkcd.com/936/

[dratkinson]

Just a data point.

Was required to login today. First time in months. (Will need to wait a few days before I figure out if this is the new normal BH anti-intrusion login method.)

Fumble-fingered my password.

BH CAPTCHA image was not displayed on my Win98SE PC; it is on other sites. (Don't remember which. My problem, not board's. Will upgrade PC one day, just not today.)

"Forgot my password" option worked for me.

Took the opportunity to begin implementing my new password scheme based on linked GRC "haystack" concept. (Hope it works on all websites.)



I've changed my mind. I now would prefer logins be under HTTPS, not because it protects my BH password, but because it protects the haystack password scheme I plan to deploy on all websites. (Passwords need complexity, but simple minds need simple solutions. HTTPS hides the simple scheme.)

[LadyGeek]

Took the opportunity to begin implementing my new password scheme based on linked GRC "haystack" concept. (Hope it works on all websites.)

I've changed my mind. I now would prefer logins be under HTTPS, not because it protects my BH password, but because it protects the haystack password scheme I plan to deploy on all websites. (Passwords need complexity, but simple minds need simple solutions. HTTPS hides the simple scheme.)

The haystack scheme will be fine as long as you don't tell anybody what it is. HTTPS will not protect you. See: https access to bogleheads.org?.

[dratkinson]

Took the opportunity to begin implementing my new password scheme based on linked GRC "haystack" concept. (Hope it works on all websites.)

I've changed my mind. I now would prefer logins be under HTTPS, not because it protects my BH password, but because it protects the haystack password scheme I plan to deploy on all websites. (Passwords need complexity, but simple minds need simple solutions. HTTPS hides the simple scheme.)

The haystack scheme will be fine as long as you don't tell anybody what it is. HTTPS will not protect you. See: https access to bogleheads.org?.

True, I was concerned about a clear air interception, but your linked topic reminded me that there are worse things to worry about... so, guess I'll try not to be too paranoid.



Second data point. Today, followed topic reply notification email link into BH without the need to re-login. So I'm happy.

[vectorizer]

Alex and LadyG., you guys are doing an exemplary job dealing with this attack. Thank you. I wish you didn't have to waste your time because of one deranged individual. And thanks for already having an important mitigation in place limiting the number of login attempts; the addition of mandatory CAPTCHA was a good and reasonable temporary control. Hopefully members with weak passwords will heed your advice and utilize the new password strength feature (since mine is only "good", I should change mine too). Thanks again.

[gotherelate]

Regarding suspicious private message (PM)s, I got two within the last week or so. In both cases, a note said that the sender deleted the message before I opened/read it. May that have been part of the attack? If so, should I report these in the future? Thanks.

[retiredjg]

Regarding suspicious private message (PM)s, I got two within the last week or so. In both cases, a note said that the sender deleted the message before I opened/read it. May that have been part of the attack? If so, should I report these in the future? Thanks.

I got one of these this morning. Thought it was pretty strange since I get messages from a couple of different types of groups and this person didn't fit either group. Should this be reported?

[LadyGeek]

gotherelate and retiredjg: Yes, thanks. No, but thanks for asking. PMs with no content have no information to report.

Unwelcome PMs of any type can be reported as described in this sticky: REPORTING VIOLATIONS AND UNWELCOME PMs

Update 6/15: Sorry, I misread the question. PMs with no content do not need to be reported (there's nothing to report). I modified my comments.

[bdpb]

Doesn't it require the hacker to know the login username before any hack attempts can be made?

Wouldn't a private login username different than the public displayed username virtually eliminate this problem?

The hacker would have to acquire the private username as well as hack the password.

[LadyGeek]

For obvious reasons, no details other than what's been already stated will be discussed.

[sscritic]

gotherelate and retiredjg: Yes, thanks. No, but thanks for asking. PMs with no content have no information to report.

Unwelcome PMs of any type can be reported as described in this sticky: REPORTING VIOLATIONS AND UNWELCOME PMs

Update 6/15: Sorry, I misread the question. PMs with no content do not need to be reported (there's nothing to report). I modified my comments.

And the reason for the update I would guess is Alex's comment yesterday in the linked thread.

I'm not sure who said to report retracted PMs, but I can't think of a reason why it would be necessary.

P.S. That's what's fun about having two threads on the same topic. They run in parallel, and if you run in only one, you can't keep up.

[LadyGeek]

It's from here. I fixed the problem by posting a correction in the thread.

P.S. It's also good to know that the members will keep you straight. Thanks.

[Mel Lindauer]

The forum is under attack. This explains what's going on.