Computermix, Ipquarx, and Cca - CBM being hacked into to steal keys [chat+pics]

[|Orange|]

I feel like a huge chump now if they do have the full keys if that's what people are saying.

[Ad Bot]

[Truce]

It's incredibly unlikely that the attackers just so happened to have a cbmhost users key on them. There are 2 scenarios that are tens of times more likely:
1. They only had a part of a key, and were not able to recover the rest because they didn't have the rest of the key.
2. They used an alternative method of extracting characters from the keydat, which didn't succeed in extracting all the characters. Not wishing to show that there were characters mising, the attackers only took a picture of the characters they had at the very end.

I started to paste parts of my first post to address each concern of yours and why you are wrong, but I literally ended up pasting the whole post in the end. You should read it, because your disbelief expressed explicitly by "tens of times more likely" was exactly what my post intended to eliminate. Unless you did, and are now feigning ignorance. Additionally, for you to think the bolded is a joke, because I remember you being actively involved in that one big cryptography thread in Coding Help.

[Blake1]

I feel like a huge chump now if they do have the full keys if that's what people are saying.

this.
it's a good thing I have an alt though...going to miss using my main.

[|Orange|]

I think the only upside of this is when I buy a new account, I can finally change this dumb username.

[Ipquarx]

I started to paste parts of my first post to address each concern of yours and why you are wrong, but I literally ended up pasting the whole post in the end. You should read it, because your disbelief expressed explicitly by "tens of times more likely" was exactly what my post intended to eliminate. Unless you did, and are now feigning ignorance. Additionally, for you to think the bolded is a joke, because I remember you being actively involved in that one big cryptography thread in Coding Help.

I did read it, and the reason I didn't reiterate that they haven't done anything with it in a month and a half is because apparently you have more experience with hacking than i do, according to your post.

It's still incredibly unlikely that they happened to have the key of one of the cbmhost users. But the thing is, what you bolded really isn't that unlikely.

I consulted with someone whose looked at how blockland actually decodes the keydat and the processor name is part of the data that is mixed in with the key to produce the keydat. And since the processor is listed on the website, that means it's entirely possible they were only able to decode the latter part of the key using that information.

[Kishgal]

apparently you have more experience with hacking than i do

Only the most high quality and mature of jabs from this guy.

[$trinick]

It's incredibly unlikely that the attackers just so happened to have a cbmhost users key on them. There are 2 scenarios that are tens of times more likely:
1. They only had a part of a key, and were not able to recover the rest because they didn't have the rest of the key.
2. They used an alternative method of extracting characters from the keydat, which didn't succeed in extracting all the characters. Not wishing to show that there were characters mising, the attackers only took a picture of the characters they had at the very end.

There is only one scenario in which situation 1 could possibly be true, and that scenario is that the persons responsible for this attack only had the last 3-4 characters of a key to use in this attack in the first case. What I mean is, since you need a known key to extract the encryption key from a key.dat file, the situation would have to be that they only had the last 4 characters of the known key so they were only able to extract the last 4 characters of the encryption key. Since obtaining the encryption key is the easiest part of the entire process, and the persons responsible could have just signed up for CBMHost, input one of their own keys, and then used the directory traversal attack to download their own key.dat and snag the encryption key.

2 is just impossible. XOR encryptions have 1 solution and ((256^length)-1) incorrect solutions, and there is no way to know which one is correct unless you can either generate the key itself or already know what it is. Since generation of the key uses hashes, you can't generate just part of the key. It's all or nothing. I just said what would happen if they had part of the key, but that seems really unlikely.

It is, in all likelyhood, that they have all the characters in the keys.


The reason the last characters of the keys are shown in the screenshot is obviously for bragging purposes. Whoever is responsible wanted people to know that they had keys, and they wanted it to be verifiable by the people who had the keys. The perpetrator literally just cropped a bunch of lines that were formatted like "KEY NAME BLID" to only show the end of the key but all of the name and BLID so that the owners could verify the keys without letting everyone have them.

They haven't been used for anything malicious because, contrary to popular belief, hackers are not just inherently bad people. Hackers hack for fun, there's a lot of fun in finding exploitations and exploiting them. There's also a lot of fun in trolling / fear mongering, and that's exactly what's going on here. The keys were stolen because they figured out a way how to steal them. They weren't stolen to blackmail people, they weren't stolen to resell, they were stolen as an act of terrorism against the Blockland community. Not to make a point though, just for the fun of it.

Everyone affected, there is no reason to change what key you are using unless given a reason to. By this I mean people impersonating you or joining your server to gain host permissions. That harassment is the worst that people can do to you with your key, other than getting it revoked. If either of that flares up, then I would personally move to an alternate key.

[Ipquarx]

Well stuff. I guess i just hope they don't have the whole things. And don't tell me hope is irrational :V

[Awesomebread²]

Holy stuff I'm lucky as hell. I used CBM host for a long time and when they switched servers, I had to re enter my key through FTP, but for some reason I could never connect. Thank god I didn't, or they'd have my key as well- assuming they have the full keys.

[Georges]

I'm really glad I won that extra key in a building contest now; if they do have my key, I can always switch to a new account.

;-;

[Brickmaster]

I'm really glad I won that extra key in a building contest now; if they do have my key, I can always switch to a new account.

;-;

if you haven't used CBM, they don't have your key.

[ZombieDude]

No it won't. If these losers actually had the full keys they would have done something by now, not just sit around with a list of 40 blockland keys and do nothing with it for a month and a half.

blackmailing?

[Bisjac]

so hat happened? someone who was given keys by many users kept all of them?

[Superbro11]

im lucky i signed up for it buy i got no feedback or anything.

[Ipquarx]

so what happened? someone who was given keys by many users kept all of them?

CBM made the mistake of allowing their webserver to have full access to users encrypted (I use that term lightly) keydat files.

In reality the keydat format is incredibly insecure to people who know what they're doing, and just today I made a program, that when fed ~20 key.dat files from the same machine, outputs the plaintext keys. There were around 40 keys compromised, so they could've gotten the keys without knowing any of the original keys beforehand.