What are /r/pwned's favorite Products & Services?

From 3.5 billion Reddit comments

> (MD5 is an encryption algorithm we used to encrypt your data). This means your old passwords were secured and not directly accessible by anyone.

How is this guy even working in IT?

Edit: Have I been Pwned claims it was salted SHA1.(source)

Because someone contacted him and sent him a copy of the db to add to his existing collection. The owner, Troy, is a well known person in the security scene and his site is popular and highly useful.

https://haveibeenpwned.com/About

http://www.troyhunt.com/p/about.html

No, that's not correct. Any VPN provider that offers port forwarding without having developed a specific protection against this kind of attack is affected. It was discovered by a competing VPN Provider, 'Perfect Privacy', whom decided to privately inform other major providers before publishing their findings in their blog:

That's not accurate. Look at the URL it's using the readfile function:

http://php.net/manual/en/function.readfile.php

The bug is in using a un-sanatized input and then, laughably, using it as an invocation target.

$a = $_GET['a']; $b = $_GET['b']; $a($b);

When $a=readfile and $b=somefile.php you get:

readfile('somefile.php');

Which then outputs that file raw without any PHP processing. It can work for remote files, TCP sockets, etc. as well:

readfile("tcp://127.0.0.1:8080");

The lack of information about who runs the site and what they are checking the data against is really troubling.

Instead, try using this:

https://haveibeenpwned.com/ <-- run by @troyhunt (who is well known and respected in the security sphere)

https://haveibeenpwned.com/PwnedWebsites#Edmodo

The leak contained email addresses, usernames, and bcrypt hashed passwords. So, the details of your information in the dump were the email address associated with your Edmodo account, your Edmodo username, and your hashed Edmodo password - all of which you know without having to view the dump.

Isn't notepad++ a super common attack vector to own windows machines?

Maybe they've fixed it by now http://www.zdnet.com/article/evilgrade-exploit-toolkit-pwns-insecure-online-updates/ (news is from 2008)

I disagreed with her on something and she straight up tweeted back at me that I was an FSB agent. My twitter proceeded to explode, and then for reasons I forget I ended up calling Jester an untalented skiddie. (It was relevant to whatever Mensch was saying at the time)

She proceeded to tag Jester and get him and his fanboys involved, and I had to just go leave my phone on the charger to buzz and ding for a few hours.

Mensch is not a Mensch. She's The fuckin' Limey.

https://steemit.com/deepstate/@nigelmarkdias/palpatine-s-revenge-deep-state-shadow-government-and-freedom

That "Limey" from the chat logs.

I'm working my way through the breaches listed against my email address on https://haveibeenpwned.com/

&#x200B;

When a particular account is named, I change my account details.

When a list is mentioned - like 'Anti Public Combo List' - and 'unverified' is added, what am I supposed to do?

Well I don't know about the specifics of this defacement but I think it is more likely he used something to access wherever their employees keep the credentials to their tumblr blog?

I'm not sure how they have the DNS resolution set up for that snapchat-blog domain, might be managed at tumblr or they have some kind of reverse proxy solution cobbled together. Of course the latter might be more vulnerable. (EDIT: seems Tumblr allows you to set this up quite easily https://www.tumblr.com/docs/en/blog_management#customdomain)

I don't think they'd 0 day the server for something as trivial as this? And I find it hard to believe that this server instance runs much else than the blog. Yes it has their name on it and has the potential to infect many visitors with drivebydownloads or tempt them with malicious links but it might still not be critical.

you mean VPN information links? I just set it up myself on a ubuntu box. If you have a server on your own maybe try something like this:

https://www.digitalocean.com/community/tutorials/how-to-set-up-an-openvpn-server-on-ubuntu-14-04

Here you go. I know it's probably not what you're looking for but it's the only thing I know available for you to check for yourself. Personally, I don't condone downloading these dumps for malicious reasons against any entity, but rather to assist in the remediation and response to those exact threats. If you're in the same business it might be worth just downloading it and checking if your .org or anyone you care about were included and notify them.

You're right you don't know I'm not him, however if you look I'm the one he is trying to get at. I cannot prove anything 100% of course but I know and recognise his style of attack, accuses Reddit users of being other users and or brings up random profiles on Twitter and accuses said users of being that person, could be anybody who has a profile on Twitter or wherever doesn't matter.

Example: User posts a link, me for example on the odd occasion, I then get accused of being the owner of the site. So the logic is if I post https://haveibeenpwned.com then apparently I must instantly be Troy Hunt. Just like apparently I must be the guy who owns the site of the link I posted a couple of days back which I found popped up on my Twitter feed. Oh wait hang on I found a link to a site called 'Forbes' I must be the owner of that too yeah?

The logic doesn't work, no proof whatsoever to back up the theory or opinion. Just because someone posts a link to a site in here or any other sub on Reddit does not automatically mean that person is the owner. Some Reddit users are either complete and utter idiots and/or just like to wind people up. Also be very careful what you post coz hell your messages/posts/comments might end up being screenshot and copied/pasted - also another pathetic act.

The flaw isn't in the OpenVPN client, right? Is it in the VPN server configuration, the VPN protocol, or the VPN specification?

I've searched for a way to confirm the vulnerability but all I find are pages reblogging the Perfect Privacy posting. I tried all the tests on Perfect Privacy and it only pulled my VPN related addresses.