Chicago VPS FAIL


Postby Automated Penguin » Thu Feb 23, 2012 4:47 pm

So today I am greeted by this amazing deal, a $7/month VPS with 2 gigs of RAM, right? So OK, I have to check this out.

Anyway, they sent me an email after registration containing my username/password combo. So I sent them a support ticket asking what's up with that, because I feel like it's a strong indicator that they aren't hashing passwords, right?

Well I'll let you read the rest....

Hello,

I have some questions about the service.

First of all I was wondering if there is any user controlled way to switch distros on the VM, basically re-image the vm on demand.

Secondly I am fairly alarmed at the fact that you are displaying and emailing me my password in plain text. This seems to imply that you are storing the passwords without securely hashing them first. I would like to hear some kind of explanation for that.

Thanks,

-Charles

Charles,

In the control panel you can reload your VPS whenever you would like.

As for storing your passwords, this is not my area of expertise so my lead tech would have to answer that.

Regards,

---------------
Chris Fabozzi
CEO / Director of Operations
Chris@chicagovps.net



LOL THE CE FUCKING O IS DOING THE TECH SUPPORT? SWEET. Also he seems to know nothing about the DB/password storage. Epic.


Thanks,

I would like to hear what your lead tech has to say about it if possible.

Thanks,

-Charles



Charles,

All of the passwords are hashed in the database. Once logged in, they are decrypted.


So passwords are "hashed" and then "decrypted". Uh, yeah...

Hi Jeremiah,

How then are you able to display them to me in plain text?

I don't understand how that would be possible if you are hashing the passwords?

Thanks for your time,

-Charles




You may also want to review some of your procedures regarding sending and displaying passwords in general.

It is widely accepted that sending passwords over email or displaying them in plain text is extremely dangerous and often unnecessary.

Here are a few Google hits I came up with which discuss this issue.

http://www.techconsumer.com/2008/02/11/ ... via-email/

http://www.thebitmill.com/articles/password_email.html

http://imsaar.posterous.com/boycott-web ... l-with-you

Typically the server code encrypts the plain-text password with a one-way cipher, and stores the result of that. The idea is that it is computationally infeasible to obtain the plain-text password from the cipher text.

When the user logs in, they give their password, the server hashes it, and checks if the result matches the cipher text stored in the server's database.

But the server cannot tell the user what the user's password is, because the server never stores a plain text copy.

Please reply with your thoughts on this subject as it concerns me and other
security conscious customers greatly.

Thanks again for your time,

-Charles




Chicago VPS

Charles,

I understand the concepts, please review my signature. There are two options, you get passwords or you don't. This is from the developers of the software and not my own call.

If you feel it is an issue, use a nulled password, and change your password in your VPS and billing.

---------
Jeremiah Shinkle
jshinkle@chicagovps.net
Chief Networking Officer
A+, N+, S+, Se+, L+, CCNA, ASA - Networking, cPBC::Tech, cPPC::Sales


LOL DEALING WITH A BAD ASS HERE SEC+ OMFG. Man, this guy, amirite? lol. Also, change my password? What good would that do me? It would just get re-stored in the same plain text field in their DB. Huh.

Anyway I'll update you as these shenanigans move forward...

UPDATE:

So I just sent this.... No reply yet..

Hi Jeremiah,

Yeah, I totally understand software restraints, I'm just still conflicted on the whole hashed or not thing.

I feel like the fact that I am seeing my password in plain text is a strong indicator that the database is storing the passwords without hashing them first, you know?

I guess I'm just looking for a more technical answer to satisfy my curiosity. I realize I'm asking a lot more than the average user but I feel like security is very important and I like to know that the services I use are secure.

I see your Sec+ so I know you are familiar with the concepts and that you understand my logic and concerns here.

I would really appreciate a technical answer as to how my information is being stored is all, I'm sure you can relate.

Thanks again and sorry for being such a bother,

-Charles


Let me know what you guys think, am I out of line here? Maybe I should have held back on the sending passwords in emails lecture...

UPDATE:

Some more chatter... I'm starting to feel like I'm climbing a tree with no fruit here...

Charles,

As I stated, they are encrypted in the database, just like mine and the rest of the administrators on here. It decrypts them upon login.

---------
Jeremiah Shinkle
jshinkle@chicagovps.net
Chief Networking Officer
A+, N+, S+, Se+, L+, CCNA, ASA - Networking, cPBC::Tech, cPPC::Sales

Hi Jeremy,

That doesn't make sense to me; as you know, a hash is a one-way function by definition.

Please explain how the passwords are "decrypted" from a hash. I assume I am missing something or we aren't using the same terminology.

I am fairly technical; you don't have to tone it down for me.

Thanks!


UPDATE:

LEVEL 2 ACHIEVED. So I got past the CEO and the Chief Networking Officer.... Who is next?
#773023 - General VPS Questions Open - Level 2

UPDATE:

Well after 6 days of no response they finally copped out on me.

Hi, haven't heard back in a while.

Just wondering what the status of this ticket is?

Thanks.

Charles


Still looking for some kind of response to this....

The non-response I'm receiving seems to indicate you are doing some research or have no response for me?

Please let me know what the status of this issue is.

Thanks.


Charles,

I am very sorry but we are not able to discuss this due to security. If you have any other questions, please let us know.

---------
Luc Ayotte
ChicagoVPS Support Tech
layotte@chicagovps.net


I guess their infrastructure can't stand up to scrutiny or technical questions of any nature...
How disappointing.
Last edited by Automated Penguin on Wed Feb 29, 2012 9:24 pm, edited 4 times in total.
- you just lost the game -
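The one-way scheme Charles describes in his email (hash on registration, re-hash and compare on login, no plaintext kept anywhere), as an added example that is not code from the original thread or from the provider's software; the PBKDF2 parameters and the `algo$iterations$salt$digest` record layout are assumed choices for illustration.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Assumed parameters for this example (not the provider's software):
# PBKDF2-HMAC-SHA256 with a random 16-byte salt per user.
ALGO = "pbkdf2_sha256"
ITERATIONS = 200_000
SALT_BYTES = 16


def make_record(password: str, salt: Optional[bytes] = None) -> str:
    """Build the value a server would store: 'algo$iterations$salt$digest'.

    The plaintext goes through the one-way function and is then discarded,
    so the record holds nothing that could be "decrypted" back into it.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return "$".join([
        ALGO,
        str(ITERATIONS),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    ])


def verify(password: str, record: str) -> bool:
    """Login check: re-run the one-way function with the stored salt and
    compare the result to the stored digest, as the email describes."""
    try:
        algo, iterations, salt_b64, digest_b64 = record.split("$")
    except ValueError:          # malformed record: treat as a failed login
        return False
    if algo != ALGO:
        return False
    salt = base64.b64decode(salt_b64)
    stored = base64.b64decode(digest_b64)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations))
    # Constant-time comparison so a mismatch does not leak where it occurred.
    return hmac.compare_digest(candidate, stored)


if __name__ == "__main__":
    rec = make_record("correct horse battery staple")  # constructed sample password
    print(rec)
    print(verify("correct horse battery staple", rec))  # True
    print(verify("wrong guess", rec))                   # False
```

Because the record carries only a salt and a digest, a service built this way has no "display my password" path to offer, which is exactly why receiving the plaintext by email points to reversible storage instead.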

Re: Chicago VPS FAIL

Postby PHLAK » Thu Feb 23, 2012 5:17 pm

$7/mo VPS? You get what you pay for I guess.

Re: Chicago VPS FAIL

Postby Automated Penguin » Thu Feb 23, 2012 5:50 pm

PHLAK wrote:$7/mo VPS? You get what you pay for I guess.


Yeah, it's actually not that bad for 7 bux a month.

I should probably stop kicking them in the teeth and just enjoy what I got.
- you just lost the game -

Re: Chicago VPS FAIL

Postby PHLAK » Thu Feb 23, 2012 5:57 pm

Automated Penguin wrote:I should probably stop kicking them in the teeth and just enjoy what I got.


This is the wrong community to be proposing that.

Re: Chicago VPS FAIL

Postby XlogicX » Fri Feb 24, 2012 12:08 am

Epic conversation, thanks for sharing :)

Best part:

I understand the concepts, please review my signature.


Lol, who cares. The request is for him to show his actual understanding, not the pieces of paper that say he should understand (which he is not demonstrating). Him saying what he's saying and pointing to his certs merely makes the certs look bad, in context.
In the beginner's mind there are many possibilities, in the expert's mind there are few.

Re: Chicago VPS FAIL

Postby Automated Penguin » Fri Feb 24, 2012 7:35 am

XlogicX wrote:Epic conversation, thanks for sharing :)

Best part:

I understand the concepts, please review my signature.


Lol, who cares. The request is for him to show his actual understanding, not the pieces of paper that say he should understand (which he is not demonstrating). Him saying what he's saying and pointing to his certs merely makes the certs look bad, in context.


Yeah, that was my take on it as well. I wanted to reply with something like "Are you seriously asking me to be satisfied with the fact that you have a Sec+?" But I figured that was the fast track to ending the conversation.
- you just lost the game -

Re: Chicago VPS FAIL

Postby XlogicX » Fri Feb 24, 2012 11:19 pm

Right exactly, I think the way you've been handling it is correct.
In the beginner's mind there are many possibilities, in the expert's mind there are few.

Re: Chicago VPS FAIL

Postby PHLAK » Mon Feb 27, 2012 8:22 am

Any updates on what level 2 had to say?

Re: Chicago VPS FAIL

Postby Urbal » Mon Feb 27, 2012 11:22 am

This is fucking great! I can't wait to hear the outcome. "Please review my signature"... classic!

Re: Chicago VPS FAIL

Postby Automated Penguin » Mon Feb 27, 2012 1:41 pm

They have parked my ticket at "level two" and haven't contacted me since my last update.
- you just lost the game -