Thor.re

About Security

So in February, TruckersMP was pwned, the first time a service I've been fully or partially responsible for has been pwned. The attack exploited a bad password practice (password re-use) by one of the upper team members and affected the forums.

Late Sunday/early Monday morning, the list of affected users was added to HIBP, submitted by us. Why, you may ask? We value the security of our users above anything else, so we reached out to Troy Hunt, and became the first self-submitted site, and the 100th breach to be added.

The response from the security community has been generally quite positive. It's sad to have a breach, but it's nice to see recognition that we made the right decision in making a list of users available, so that they can be notified now and, in the future, know what has leaked and when.

What did we learn from the breach and from submitting ourselves instead of waiting for the perpetrator to float the DB?

  • Have a clear plan for how to handle a breach, before you need it
  • Notify your users as quickly as possible; the faster the better
  • Don't give access to users who don't strictly need it (least privilege)
  • If the DB hasn't surfaced publicly, consider self-submitting to HIBP; that way there's more than one avenue for users to learn about the breach and change their passwords
  • Use 2FA wherever possible
  • Use a different password everywhere, and require it within your organization, especially for people with access to user/customer data, even if your most sensitive piece of data is a password hash

Be open about it. Skip the "We care about our users" jargon and show that you care by being transparent; treat your users like they were a corporate customer, even if it's embarrassing to be pwned. By having your users change their passwords, you also reduce the value of your database, because it becomes dated much more quickly.

What we could have done better:
We could have been more transparent with our users about the self-submission to HIBP; we received some flak for not informing our users that we would be doing that. Both Kat_PW and I have taken this to heart, and should we ever have to do it again, we will of course notify our users beforehand.

Finally, we should have emailed our users. It wasn't done because we didn't have the infrastructure, and it would have been costly to get that sorted, but doing so would have shown our users a lot quicker that we care.

If you have any questions or comments, you can reach me on twitter or by mail: tuxy [at] truckersmp.com

What's up

What's happened since I last wrote? Quite a lot actually.

I've joined the web developer team over at ETS 2 MP and been working on a few new features over there, mostly touching uncharted territory for me such as Elasticsearch, RabbitMQ and Linux firewalling (being mostly a beastie myself, I'm used to PF), and also touching some more familiar things such as .NET and PHP (though there is a lot of work ahead of us there).

I'll be writing more in the future about some generic experiences that I get from the project around managing Elastic, RabbitMQ, etc.

For those that don't know about this project, to give you a sense of the size: the webserver averages about 4-5 Mbit/s over a day; when a patch is released we peak at 40-50 Mbit/s on the main website, and we spin up 4 other "CDN" servers to avoid killing the main site. There are also just over 500 000 registered users, with ~500-800 registrations a day.

Across 2 game servers (there are 5) we see between 10 and 30 000 unique players online a day.

Categories: ETS 2 MP, Status

Weechat and remote growl notifications

So I decided to move to WeeChat, but I ran into one issue I've always had with irssi: I like to get a desktop notification that is visual and tells me whether there is something I have to respond to or whether it can wait, like most other clients do.

I started looking into Growl notifications, since I already have Growl and it's usually quite good. First off, there are a lot of scripts out there for this, but most are designed to talk to Growl 1.x using Growl's UDP protocol (a feature removed in 1.3 because it didn't work for the majority of people). Eventually I fell back to growl.py, which turns out to use Growl's GNTP (incorrectly referred to as Growl Notification Transport Protocol; actually called Generic Notification Transport Protocol), a TCP protocol. Since my weechat runs on a remote system that I use daily and am connected to close to 24/7, I wound up tunnelling the GNTP connection back to my desktop over SSH.

The configuration I wound up with is the following:

In my ~/.ssh/config (the RemoteForward line makes port 23053, GNTP's default port, on the remote host point back at the Growl listener on my desktop; sshd binds a remote forward to the remote host's loopback only unless GatewayPorts is enabled, so only processes on that host can reach it, and the Growl password is what stops them from pushing notifications):

Host myhost
   HostName myhost.example.com
   RemoteForward 23053 127.0.0.1:23053

On my weechat (replace password with the actual password you configured in Growl's network settings):

/script install growl.py
/set plugins.var.python.growl.hostname localhost
/set plugins.var.python.growl.password password

I also had to add the following to growl.py at line 72:

    logging.basicConfig(level=logging.ERROR)
    from gntp.notifier import GrowlNotifier
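As an added example (not part of this post, and not growl.py's code), here is a minimal GNTP client in Python that builds the password-authenticated REGISTER and NOTIFY messages and can be pointed at the tunnelled port to check that the forward actually works. It also includes the receiver-side check so you can see what the Growl password protects: each request line carries a fresh salt and H(H(password || salt)), and the receiver recomputes that from its own password. It assumes GNTP's default port 23053, that Growl is set to require a password, and SHA256 as the hash (GNTP also allows MD5, SHA1 and SHA512); the application name, notification name and password are made up. The CR/LF check on header values is an added sanity check, not something the protocol requires.

```python
import hashlib
import hmac
import os
import socket
from typing import List, Optional, Tuple

GNTP_PORT = 23053  # Growl's default GNTP listener port
CRLF = "\r\n"
Section = List[Tuple[str, str]]


def key_hash(password: str, salt: bytes, algo: str = "SHA256") -> str:
    """GNTP key derivation: key = H(password || salt), keyHash = H(key), upper-case hex."""
    h = getattr(hashlib, algo.lower())
    key = h(password.encode("utf-8") + salt).digest()
    return h(key).hexdigest().upper()


def build_message(msg_type: str, sections: List[Section], password: str,
                  salt: Optional[bytes] = None, algo: str = "SHA256") -> bytes:
    """Serialise a GNTP request: request line, then header sections separated by a
    blank line, terminated by a blank line. A random salt is used unless one is given."""
    if not sections:
        raise ValueError("at least one header section is required")
    salt = os.urandom(16) if salt is None else salt
    for section in sections:
        for k, v in section:
            # Added sanity check: CR/LF inside a value would let a caller inject headers.
            if "\r" in k + v or "\n" in k + v:
                raise ValueError("CR/LF not allowed in GNTP header fields")
    line = (f"GNTP/1.0 {msg_type} NONE "
            f"{algo}:{key_hash(password, salt, algo)}.{salt.hex().upper()}")
    blocks = [CRLF.join([line] + [f"{k}: {v}" for k, v in sections[0]])]
    blocks += [CRLF.join(f"{k}: {v}" for k, v in s) for s in sections[1:]]
    return ((CRLF + CRLF).join(blocks) + CRLF + CRLF).encode("utf-8")


def register_message(app: str, notification: str, password: str,
                     salt: Optional[bytes] = None) -> bytes:
    """REGISTER: application headers, then one block per notification type."""
    return build_message("REGISTER", [
        [("Application-Name", app), ("Notifications-Count", "1")],
        [("Notification-Name", notification), ("Notification-Enabled", "True")],
    ], password, salt)


def notify_message(app: str, notification: str, title: str, text: str,
                   password: str, salt: Optional[bytes] = None) -> bytes:
    return build_message("NOTIFY", [[
        ("Application-Name", app), ("Notification-Name", notification),
        ("Notification-Title", title), ("Notification-Text", text),
    ]], password, salt)


def parse_request_line(data: bytes) -> dict:
    """Split 'GNTP/1.0 <type> NONE <algo>:<keyHash>.<salt>' into its parts."""
    parts = data.split(b"\r\n", 1)[0].decode("utf-8").split(" ")
    if len(parts) < 4:
        raise ValueError("request line carries no key hash (unauthenticated)")
    algo, rest = parts[3].split(":", 1)
    khash, salt_hex = rest.split(".", 1)
    return {"type": parts[1], "algo": algo, "key_hash": khash,
            "salt": bytes.fromhex(salt_hex)}


def verify_password(data: bytes, password: str) -> bool:
    """What a password-protected receiver does: recompute keyHash from the sent salt."""
    try:
        info = parse_request_line(data)
    except ValueError:
        return False
    expected = key_hash(password, info["salt"], info["algo"])
    return hmac.compare_digest(expected, info["key_hash"])


def send(data: bytes, host: str = "127.0.0.1", port: int = GNTP_PORT,
         timeout: float = 5.0) -> str:
    """Send one request over the tunnel and return Growl's response line(s)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(data)
        return s.recv(4096).decode("utf-8", "replace")


if __name__ == "__main__":
    # Hypothetical names; run on the remote host with the RemoteForward active.
    pw = "password"
    print(send(register_message("weechat", "Private Message", pw)))
    print(send(notify_message("weechat", "Private Message", "ping", "are you there?", pw)))
```

A successful exchange comes back with a line starting with GNTP/1.0 -OK; a wrong password yields GNTP/1.0 -ERROR. Running the script on the remote host against 127.0.0.1:23053 is the quickest way to tell a broken SSH forward apart from a misconfigured Growl password.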

Categories: IRC, Weechat, Growl, OS X, Windows