Welcome to the GoFuckYourself.com - Adult Webmaster Forum forums.

Old 12-21-2007, 04:45 PM   #101
borked
Totally Borked
 
Join Date: Feb 2005
Posts: 6,284
Quote:
Originally Posted by PBucksJohn View Post
Exactly. Discussing the details of a security issue and the actions taken on it in a public forum, especially one with the member base we have here, is absurd.
How is making people aware of an exploit that's been going on for some time a security issue? Nobody has posted how the exploit is achieved - just forewarning others that the issue is a real issue, which has made you sit up and take action. Isn't that a Good Thing??
__________________

For coding work - hit me up on andy // borkedcoder // com
(consider figuring out the email as test #1)



All models are wrong, but some are useful. George E.P. Box. p202
Old 12-21-2007, 04:49 PM   #102
TMM_John
Confirmed User
 
Join Date: May 2004
Posts: 6,659
Quote:
Originally Posted by borked View Post
How is making people aware of an exploit that's been going on for some time a security issue? Nobody has posted how the exploit is achieved - just forewarning others that the issue is a real issue, which has made you sit up and take action. Isn't that a Good Thing??
I did not say pointing it out is a bad thing. I said discussing the details of it, what is being done, and what is being done to combat it isn't the smartest.
Old 12-21-2007, 04:51 PM   #103
datatank
Confirmed User
 
Join Date: Aug 2004
Location: My dog is blacker than Tupac
Posts: 5,471
Quote:
Originally Posted by kristin View Post
What about our templates, webmaster info, sales stats?

My NATS is VERY customized and I've spent too much time and money to have someone able to just gank or even delete my templates.

It takes all of 1 min to back up your nats templates. I would suggest you do that now
Old 12-21-2007, 04:57 PM   #104
kristin
GOO!
 
Join Date: Sep 2002
Location: Back Home : )
Posts: 9,768
Quote:
Originally Posted by datatank View Post
It takes all of 1 min to back up your nats templates. I would suggest you do that now
They all are, not the point.
__________________
Vacares rules.

"Usually only fat guys have the kind of knowledge and ability that Kristin has."
Old 12-21-2007, 05:02 PM   #105
borked
Totally Borked
 
Join Date: Feb 2005
Posts: 6,284
Quote:
Originally Posted by PBucksJohn View Post
I did not say pointing it out is a bad thing. I said discussing the details of it, what is being done, and what is being done to combat it isn't the smartest.
I'm not quite sure what you mean by discussing the details of it. All that has been posted are a set of IPs from a scammer, so that others can check their logs. Like you said:

Quote:
Originally Posted by PBucksJohn View Post
I do not believe it as far wide spread as some people here seem to enjoy making it out to be.
Through this very thread, started by someone wanting to know what was happening, other people have stepped forward with information that has helped others realise what has gone on. Followed on by your email, now all NATS clients realise there is a problem. Nothing untoward or compromising to others has been discussed.
Old 12-21-2007, 05:03 PM   #106
borked
Totally Borked
 
Join Date: Feb 2005
Posts: 6,284
Quote:
Originally Posted by datatank View Post
It takes all of 1 min to back up your nats templates. I would suggest you do that now
For those that aren't sure - just a mysql dump/backup, which you are all doing regularly anyway, right, takes care of all that.
Old 12-21-2007, 05:06 PM   #107
TMM_John
Confirmed User
 
Join Date: May 2004
Posts: 6,659
Quote:
Originally Posted by borked View Post
I'm not quite sure what you mean by discussing the details of it. All that has been posted are a set of IPs from a scammer, so that others can check their logs. Like you said:



Through this very thread, started by someone wanting to know what was happening, other people have stepped forward with information that has helped others realise what has gone on. Followed on by your email, now all NATS clients realise there is a problem. Nothing untoward or compromising to others has been discussed.
You're right, the end result has been a good thing. It has also resulted in us making a policy change. Although I don't think it is the root of the issue it is better to be safe than sorry.

I am not saying things people have said are horrendous. People have asked me to go into details about what we know and what we have done in the past here. I'm simply saying I think this is not the place for that.
Old 12-21-2007, 05:06 PM   #108
tdfcash3
Registered User
 
Join Date: Nov 2006
Posts: 65
I'm still in a state of utter disbelief that they knew for so long and didn't think to tell us.
__________________


ICQ - 421-515-010
Old 12-21-2007, 05:06 PM   #109
Nysus
Confirmed User
 
Join Date: Aug 2001
Posts: 7,817
Quote:
Originally Posted by PBucksJohn View Post
Those who we had an indication had a problem were notified. And we changed all passwords.
...
Not to bust balls, but hasn't the only indication so far been members who have signed up and cared enough to sign up with a unique email address to then determine they were receiving spam? That's a pretty rare thing to happen..

I'm wondering if you have or are going to contact the authorities?
Old 12-21-2007, 05:15 PM   #110
TMM_John
Confirmed User
 
Join Date: May 2004
Posts: 6,659
Quote:
Originally Posted by tdfcash3 View Post
I'm still in a state of utter disbelief that they knew for so long and didn't think to tell us.
We were not under the impression it was a widespread problem or we would have made an announcement as we have in the past.

I still do not believe it is a completely widespread issue but we are taking strong action anyway.
Old 12-21-2007, 05:16 PM   #111
TMM_John
Confirmed User
 
Join Date: May 2004
Posts: 6,659
Quote:
Originally Posted by Nysus View Post
Not to bust balls, but hasn't the only indication so far been members who have signed up and cared enough to sign up with a unique email address to then determine they were receiving spam? That's a pretty rare thing to happen..

I'm wondering if you have or are going to contact the authorities?
After we collect all of the info we can we will see what we can do with it. However, I'm sure they will wish to speak with those who are having their systems accessed. We can not act on your behalf in that regard.
Old 12-21-2007, 05:21 PM   #112
tdfcash3
Registered User
 
Join Date: Nov 2006
Posts: 65
Strong action doesn't mean shit now it's happened, you have totally lost my confidence in your software, there has been a lot of talk everywhere about what's best NATS or CCbill, I think this turn of events has just answered that common thread topic!
Old 12-21-2007, 05:23 PM   #113
TMM_John
Confirmed User
 
Join Date: May 2004
Posts: 6,659
Quote:
Originally Posted by tdfcash3 View Post
Strong action doesn't mean shit now it's happened, you have totally lost my confidence in your software, there has been a lot of talk everywhere about what's best NATS or CCbill, I think this turn of events has just answered that common thread topic!
I'm sorry to hear that.
Old 12-21-2007, 05:24 PM   #114
borked
Totally Borked
 
Join Date: Feb 2005
Posts: 6,284
Quote:
Originally Posted by Nysus View Post
Not to bust balls, but hasn't the only indication so far been members who have signed up and cared enough to sign up with a unique email address to then determine they were receiving spam? That's a pretty rare thing to happen..

I'm wondering if you have or are going to contact the authorities?
tdfcash3 raised this point and a very valid one. European law for example is extremely strict and clear on this matter, and all programme owners anyway, but especially Europe need to take data security very VERY seriously. The end user of any software that implements personal data storage is ultimately responsible for the security of that data. Not TMM. Most all business software is closed source, so everyone in this industry needs to not be complacent that because XYZ is their software that it's secure.

It looks like NATS has a security hole which is/is being/has been closed, I dunno. But you all need to be taking your customer's data security seriously and checking login logs periodically. You, the user are ultimately responsible for that.

We are proactive on these matters, which is why we've been breach-free for some time now
Old 12-21-2007, 05:24 PM   #115
TMM_John
Confirmed User
 
Join Date: May 2004
Posts: 6,659
I am out of town and getting on a plane shortly. This will be my last post in this thread for at least hours. Please submit tickets if you have any further questions.
Old 12-21-2007, 05:29 PM   #116
tdfcash3
Registered User
 
Join Date: Nov 2006
Posts: 65
It seems clear to me until TMM sorts its issues out sponsors can either wait and see or move now, there's plenty of options that john seriously needs to address namely MPA3 and Epoch are looking like a better option right now.
Old 12-21-2007, 05:32 PM   #117
DVTimes
xxx
 
Join Date: Jun 2003
Location: UK
Posts: 31,544
Quote:
Originally Posted by borked View Post
tdfcash3 raised this point and a very valid one. European law for example is extremely strict and clear on this matter, and all programme owners anyway, but especially Europe need to take data security very VERY seriously. The end user of any software that implements personal data storage is ultimately responsible for the security of that data. Not TMM. Most all business software is closed source, so everyone in this industry needs to not be complacent that because XYZ is their software that it's secure.

It looks like NATS has a security hole which is/is being/has been closed, I dunno. But you all need to be taking your customer's data security seriously and checking login logs periodically. You, the user are ultimately responsible for that.

We are proactive on these matters, which is why we've been breach-free for some time now
That's a good point.

I know firms in the UK facing BIG fines. I presume that websites based in the UK could also be subject to BIG fines.
__________________
The Affiliate Program
Old 12-21-2007, 05:33 PM   #118
Dirty D
Confirmed User
 
Join Date: May 2002
Location: Paying Webmasters Millions Since 1999
Posts: 4,044
Looks pretty widespread to me...
Old 12-21-2007, 05:34 PM   #119
ShotGun
Registered User
 
Join Date: Nov 2007
Posts: 14
The scary thing is how easy MPA and Nats are to hack. The even scarier thing is both of those companies think their program can not be hacked. If they'd get off their high horse for a second they'd realize how many exploits each of them has they may be able to actually secure their script. Instead they are too busy getting drunk on their own kool aid.

Anybody thinking of buying Nats should read John's posts in this thread. Is that the type of guy you want to do business with?
__________________
I use the best sponsors so fucking lock and load:
Quickbuck.com | WegCash.com | SicCash.com |

Last edited by ShotGun; 12-21-2007 at 05:36 PM..
Old 12-21-2007, 05:39 PM   #120
ladida
Confirmed User
 
Join Date: Nov 2005
Posts: 2,167
Quote:
Originally Posted by tdfcash3 View Post
It seems clear to me until TMM sorts its issues out sponsors can either wait and see or move now, there's plenty of options that john seriously needs to address namely MPA3 and Epoch are looking like a better option right now.
You think MPA doesn't have issues like this? Or any other software paysites use for that matter like the various number of CMS's? Ask around...

People in this thread are funny. No one cares about their security until it's either
a) posted on a public board
b) starts receiving complaints from members
__________________
agentGFY *at* gmail.com
Old 12-21-2007, 05:42 PM   #121
tdfcash3
Registered User
 
Join Date: Nov 2006
Posts: 65
Quote:
Originally Posted by ladida View Post
You think MPA doesn't have issues like this? Or any other software paysites use for that matter like the various number of CMS's? Ask around...

People in this thread are funny. No one cares about their security until it's either
a) posted on a public board
b) starts receiving complaints from members
so what options are left?
Old 12-21-2007, 05:43 PM   #122
borked
Totally Borked
 
Join Date: Feb 2005
Posts: 6,284
Quote:
Originally Posted by ladida View Post
People in this thread are funny. No one cares about their security until it's either
a) posted on a public board
b) starts receiving complaints from members
ehm, *cough* *cough* *cough*

damn, I'm getting a bad throat *cough*
Old 12-21-2007, 05:46 PM   #123
AmeliaG
Too lazy to set a custom title
 
Join Date: Jan 2003
Location: Los Angeles
Posts: 10,533
Quote:
Originally Posted by Why View Post
NATS uses smarty and there are known exploits to smarty.

does your members area use any open source software? or on any of your servers whose IP is allowed into the nats database have any?

here is a scenario.... Open source forum/ticket/gallery software in members area(or on any other server) with a known exploit. maybe this exploit allows a hacker to upload code to your server, that code could allow a hacker to read every file on your system(along with anything else they might want to do), thus allowing them to find your DB settings. with those he can write his own script to read your entire database and print it out, email it, or otherwise return it to him. said hacker then uses said database info to make money spamming your members.

so next time you think its NOT a hack job you might want to think again. until you understand how hackers work and how they get in, move around, get what they want and get out, you cant rule them out. doing so is just frankly silly. don't be so secure in your superiority.
How would someone go about finding where there was an exploit and getting rid of it?
__________________
GFY Hall of Famer

AltStar Hall of Famer




Blue Blood's SpookyCash.com

Babe photography portfolio
Old 12-21-2007, 05:47 PM   #124
DVTimes
xxx
 
Join Date: Jun 2003
Location: UK
Posts: 31,544
Quote:
Originally Posted by borked View Post
ehm, *cough* *cough* *cough*

damn, I'm getting a bad throat *cough*
sounds bad

have a drink of water.
Old 12-21-2007, 05:47 PM   #125
ladida
Confirmed User
 
Join Date: Nov 2005
Posts: 2,167
Quote:
Originally Posted by tdfcash3 View Post
so what options are left?
Care about your own security, or hire someone if you want to be secure. No other way. And even then, you are NOT going to be unhackable, you'll just patch things faster, close holes faster, and minimise the damage. Live with it, internet is like that.
Quote:
Originally Posted by borked
ehm, *cough* *cough* *cough*
damn, I'm getting a bad throat *cough*
You should get that cough looked at, especially if you meant to imply they weren't hacked...
Old 12-21-2007, 05:49 PM   #126
ladida
Confirmed User
 
Join Date: Nov 2005
Posts: 2,167
Quote:
Originally Posted by AmeliaG View Post
How would someone go about finding where there was an exploit and getting rid of it?
By hiring someone that's worth a lot more than what people in the industry think they are. Other than that, living in ignorance is possibly the best bet. What you don't know doesn't hurt you.
Old 12-21-2007, 05:56 PM   #127
milan
Confirmed User
 
Join Date: May 2005
Location: Dee Dee Dee LAND!
Posts: 800
Please see thread

http://www.gfy.com/fucking-around-and-business-discussion/779742-oc3-networks-customers-urgent.html

issue was known to them LONG ago but rather than notifying customers they preferred the scare tactics... called Caz and threatened to sue.

great way to conduct business.
__________________
QuadraNET - ICQ:2222 15312 - milan [nosp@m] QuadraNET.com
24/7 "REALLY ON-SITE" Support - Completely Premium Network
Public & Private Network, Remote Reboot, Private VLANs
99.99% Guaranteed Network Uptime / BGP4 Multihomed
24/7 LIVE CHAT, Phone and Ticket Support
1-888-5-QUADRA
Old 12-21-2007, 05:56 PM   #128
RazorSharpe
Confirmed User
 
Join Date: Aug 2001
Location: Scotland
Posts: 2,238
Quote:
Originally Posted by ladida View Post
You think MPA doesn't have issues like this? Or any other software paysites use for that matter like the various number of CMS's? Ask around...

People in this thread are funny. No one cares about their security until it's either
a) posted on a public board
b) starts receiving complaints from members
Your post is ignorance at its very finest. Most people here are not infuriated that the NATS script is hackable, they are infuriated, and rightly so, that the exploit may have been known to the developers for quite some time and nothing was done about it.

John's many posts have me feeling like a mug especially considering that he feels the problem was not widespread and he only informed certain clients who he thought it might have affected. Why not email all clients and request that they submit a ticket for an upgrade and have the TMM techs check it across the board? This could have been prevented if they had informed all clients from the get go.

Your mightier than thou attitude about how little and how much people know or don't know is what is funny about this thread.

...
__________________
Programming today is a race between software engineers striving to build bigger and better idiot-proof programs, and the Universe trying to produce bigger and better idiots. So far, the Universe is winning.
Old 12-21-2007, 06:05 PM   #129
SiMpLe
Confirmed User
 
Join Date: Feb 2002
Location: Porn Central - California
Posts: 3,221
Quote:
Originally Posted by milan View Post
Please see thread

http://www.gfy.com/fucking-around-and-business-discussion/779742-oc3-networks-customers-urgent.html

issue was known to them LONG ago but rather than notifying customers they preferred the scare tactics... called Caz and threatened to sue.

great way to conduct business.
Called Caz and threatened to sue for what - Letting people know about a serious exploit?? wtf

As the day goes on and more people keep coming to me saying "Thank You" it just keeps getting better and better. I'm at a loss for words right now.
__________________
Sean Holland
Vice President
OrbitalPay / Global Electronic Technology (GET)
SKYPE: iam.sean ::: sholland at orbitalpay.com
888-775-1500
Old 12-21-2007, 06:08 PM   #130
borked
Totally Borked
 
Join Date: Feb 2005
Posts: 6,284
Quote:
Originally Posted by AmeliaG View Post
How would someone go about finding where there was an exploit and getting rid of it?


Have your system admin monitor all admin accounts. By doing that you will have no more problems from this.
Old 12-21-2007, 06:08 PM   #131
ladida
Confirmed User
 
Join Date: Nov 2005
Posts: 2,167
Quote:
Originally Posted by RazorSharpe View Post
Your mightier than thou attitude about how little and how much people know or don't know is what is funny about this thread.
Seeing as you have no idea what i do, you're not only funny, but ignorant to that.

Fact 1. Several webmasters in this very thread knew about these issues. They ignored them knowingly (not the nats issue, the issues that their data is leaking)
Fact 2. Several webmasters in this thread have been notified of harvesting emails from their databases in the past and have chosen to ignore it (unrelated to the problem in the thread, but they have the holier than thou attitude)
Fact 3. There's a lot more webmasters on this board that know their databases are compromised and still chose to ignore it.

Now crawl back to where you came from since you have no idea what I'm talking about. Nats was once a good product while Nathan was around. I don't like John from TMM, nor do i like Garry from MPA, nor do i like any other software producer more than the other. I'm just stating facts. Facts you have no idea about.
Old 12-21-2007, 06:11 PM   #132
Dirty D
Confirmed User
 
Join Date: May 2002
Location: Paying Webmasters Millions Since 1999
Posts: 4,044
Thank you for this thread.

A real eye opener... and answers a few questions about security that have recently come up!
Old 12-21-2007, 06:15 PM   #133
spacedog
Yes that IS me. Bitch.
 
Join Date: Nov 2001
Posts: 14,149
Hmm??

Here's something about your Fred Schank.

Scroll down to the 3rd post under service providers
http://www.getafreelancer.com/projec...rogrammer.html

"I am the lead programmer for a software company based in NJ. We design backend software for webmasters. I have done the majority of the programming on a CMS geared towards the adult industry. I am interested in finding a few projects to work on, during my free time"

Last edited by spacedog; 12-21-2007 at 06:16 PM..
Old 12-21-2007, 06:21 PM   #134
spacedog
Yes that IS me. Bitch.
 
Join Date: Nov 2001
Posts: 14,149
Can't post other forums, so here's screen cap.
Old 12-21-2007, 06:26 PM   #135
TheSenator
Too lazy to set a custom title
 
Join Date: Feb 2003
Location: NJ
Posts: 13,332
Quote:
Originally Posted by spacedog View Post
Hmm??

Here's something about your Fred Schank.

Scroll down to the 3rd post under service providers
http://www.getafreelancer.com/projec...rogrammer.html

"I am the lead programmer for a software company based in NJ. We design backend software for webmasters. I have done the majority of the programming on a CMS geared towards the adult industry. I am interested in finding a few projects to work on, during my free time"

Let's see how far this rabbit hole goes...
__________________
ISeekGirls.com since 2005
Old 12-21-2007, 06:26 PM   #136
RazorSharpe
Confirmed User
 
Join Date: Aug 2001
Location: Scotland
Posts: 2,238
Quote:
Originally Posted by ladida View Post
Seeing as you have no idea what i do, you're not only funny, but ignorant to that.

Fact 1. Several webmasters in this very thread knew about these issues. They ignored them knowingly (not the nats issue, the issues that their data is leaking)
Fact 2. Several webmasters in this thread have been notified of harvesting emails from their databases in the past and have chosen to ignore it (unrelated to the problem in the thread, but they have the holier than thou attitude)
Fact 3. There's a lot more webmasters on this board that know their databases are compromised and still chose to ignore it.

Now crawl back to where you came from since you have no idea what I'm talking about. Nats was once a good product while Nathan was around. I don't like John from TMM, nor do i like Garry from MPA, nor do i like any other software producer more than the other. I'm just stating facts. Facts you have no idea about.
I didn't think I had to know you to be qualified to answer a post in which you blatantly state that all webmasters in this thread don't care about their security. You don't know me or what I do to be qualified enough to make an assertion like that. Why is it so many people, yourself included, seem to think that we should know them and if we don't know them or what they do we should "crawl back into our holes"? What is that all about? Did you develop some miracle drug? Stop apartheid? Maybe brought peace to the world? No? Then I don't give two fucks who you are to be honest .... Jesus, some of you twats have an awfully high estimation of yourselves.

...
Old 12-21-2007, 06:31 PM   #137
DVTimes
xxx
 
Join Date: Jun 2003
Location: UK
Posts: 31,544
This is going to be a loooooooooooooooong thread.

Best get your sig spots in and pretend you have something important to say on the subject.

Looks like Xmas will suck this year for Nats.
Old 12-21-2007, 06:31 PM   #138
borked
Totally Borked
 
Join Date: Feb 2005
Posts: 6,284
Quote:
Originally Posted by ladida View Post
Seeing as you have no idea what i do, you're not only funny, but ignorant to that.

Fact 1. Several webmasters in this very thread knew about these issues. They ignored them knowingly (not the nats issue, the issues that their data is leaking)
Fact 2. Several webmasters in this thread have been notified of harvesting emails from their databases in the past and have chosen to ignore it (unrelated to the problem in the thread, but they have the holier than thou attitude)
OK, "agentGFY", stop the rumour-mongering right there and stop trying to be the big guy. Point me to a single post in this thread that shows a webmaster has known about this issue and ignored it? Or where one has been notified of harvesting emails and ingored it? Your "facts" are without substance.

There are A LOT of responsible programme owners in this industry, some are more conscious and aware about certain matters than others, and nobody has ignored anything.
__________________

For coding work - hit me up on andy // borkedcoder // com
(consider figuring out the email as test #1)



All models are wrong, but some are useful. George E.P. Box. p202
Old 12-21-2007, 06:36 PM   #139
garry
Confirmed User
 
 
Join Date: Feb 2002
Posts: 680
We did not plan to post in this thread since it had nothing to do with
us. But ShotGun and ladida changed that and their posts need a reply
from us.

Now I don't want to go into a discussion about whether this was a hack
or an inside job. But ShotGun and ladida are correct when they say that
any program is hackable. However, they are not correct when they say
that we think that our program cannot be hacked. We are very aware of
this, and have taken all available precautions possible and we continue
to strive to keep up to date on what possible hackers try to achieve. We
even hired two known hackers to try to hack into our program, and on
top of that when a prominent program moved over to MPA3 we had to have a
3rd party audit company go over the whole source code.

All of this and still I am not saying we are totally un-touchable. No
one is. However, the last two years we have not had one report about
any hacks, we have gotten plenty of hack attempts reported, but no
actual breach. But maybe the most important thing is that when and if
we do get any breach we stop everything else we are doing to fix and
update all programs.

I can also guarantee you all that we do not have any one password
working as master access to all MPA3 installs.
__________________
The Creator Of THE STANDARD* *in Affiliate Program Software - We make affiliates and program owners more money! MPA3® – Anything Else Is A Replica

Choose between our impressive lineup of software's: MPA3® PRO - MPA3® ENTERPRISE - MPA3® Standard -MAS® CMS - and topping it off with amazing DESIGN, Consulting and Webmaster Services! "Your Mansion of Opportunities!"

Around since 1997 and the company that introduced "Cascading Billing" to the industry. MPA3® V5 - The most intuitive Affiliate Program Software ever made - MPA3® V5 – Anything Else Is A Replica
Old 12-21-2007, 06:36 PM   #140
RP Fade
Confirmed User
 
Join Date: Sep 2003
Location: Los Angeles
Posts: 3,343
Quote:
Originally Posted by dustman View Post
Thank you for this thread.

A real eye opener... and answers a few questions about security that have recently come up!
yeah seems it's overdue imo..
__________________
HomemadeCash.com - Homemade & GF sites powered by NScash.com
HomemadeVideoPass.com - The only all homemade mega site
OurHomemadePorno.com - Real couples fucking on camera
Contact ICQ: 400-786-531 Email: fade AT nscash.com
Old 12-21-2007, 06:44 PM   #141
Ross
Ik ben een aap
 
Join Date: Sep 2002
Location: Traffic Force Towers, Canada!
Posts: 18,874
We were affected by this as well.... thanks to Razorsharpe for calling me today to bring this to my attention. We'll be talking to the NATS guys tomorrow and hoping to have this resolved. Nats isn't exactly cheap, I really shouldn't have to deal with problems like this.
Old 12-21-2007, 06:50 PM   #142
SiMpLe
Confirmed User
 
 
Join Date: Feb 2002
Location: Porn Central - California
Posts: 3,221
Quote:
Originally Posted by Ross View Post
We were affected by this as well.... thanks to Razorsharpe for calling me today to bring this to my attention. We'll be talking to the NATS guys tomorrow and hoping to have this resolved. Nats isn't exactly cheap, I really shouldn't have to deal with problems like this.
And the list grows - "But its not widespread" pffff

Have a good Holiday people - It's family time
__________________
Sean Holland
Vice President
OrbitalPay / Global Electronic Technology (GET)
SKYPE: iam.sean ::: sholland at orbitalpay.com
888-775-1500
Old 12-21-2007, 06:51 PM   #143
Trixxxia
Confirmed User
 
Join Date: Aug 2004
Location: Montreal, Canada
Posts: 5,600
I sure hope all the techs at NATS got their Xmas shopping done early - doesn't look like they'll have time this weekend.

I truly hope that Swiftwill being diligent with security, covered our ass with this.
Old 12-21-2007, 06:53 PM   #144
ladida
Confirmed User
 
 
Join Date: Nov 2005
Posts: 2,167
Quote:
Originally Posted by RazorSharpe View Post
Why is it so many people, yourself included, seem to think that we should know them and if we don't know them or what they do we should "crawl back into our holes"?
You sure yap'd a lot of nonsense in that post of yours, however, I don't think anything, unlike you. I know, since I have been shown emails where program owners have been notified, or I have notified them myself, and they ignored the problem, until it is brought up in a thread like this for example (I didn't say ALL, nor did I mean you since I don't even know you). So again, think before you speak, or don't speak at all, at least don't attack the person you know nothing about.

Quote:
Originally Posted by borked
Point me to a single post in this thread that shows a webmaster has known about this issue and ignored it? Or where one has been notified of harvesting emails and ignored it? Your "facts" are without substance.
I don't have to point you anywhere since I don't owe you anything. I trade info, and you are not on my list of clients. Those that I speak of know it's them and they won't dispute my post. If they do, it'll get even funnier. I just stated how things are, whether you choose to believe it or not, it's your business, but I'm not gonna stand by when clueless people attack me for what I know.


Furthermore, there's a lot of backstabbing in this thread from people that supposedly "want to help". So nats got hacked. WOOO HOOO... What do you (or others in the thread) know exactly of the time that Mansion got hacked? Strongbox? Sitedepth? AdultWebware? Or any other shit that people use?
So some are furious that they have not been notified? LOL. Get a grip. Of course John is not gonna make a public statement their server is compromised (if it is), or that they have a problem in the code. It'd be a suicide. Same as when any other porn company gets hacked, you don't see a public apology here that people's emails/personal info got harvested do you? No, they fix the shit and move on (or don't even fix it and blame someone else). Or when software companies fix faults in their software on your server without you even knowing that it was a live exploit through which your server got hacked?
__________________
agentGFY *at* gmail.com
Old 12-21-2007, 06:54 PM   #145
spacedog
Yes that IS me. Bitch.
 
Join Date: Nov 2001
Posts: 14,149
Quote:
Originally Posted by Trixxxia View Post
I sure hope all the techs at NATS got their Xmas shopping done early - doesn't look like they'll have time this weekend.

I truly hope that Swiftwill being diligent with security, covered our ass with this.
You don't really need a Nats tech to resolve this.

Re-read through the thread, as some users posted instructions on how to deny Fred from gaining access to the admin
Old 12-21-2007, 06:55 PM   #146
pocketkangaroo
Confirmed User
 
Join Date: Jan 2005
Location: Chicago, IL
Posts: 8,452
I would hope all of you who have been affected will contact the authorities about this. Whoever did this has to be somewhat knowledgeable with the industry. A run-of-the-mill hacker would have harvested the CC data as well as the e-mail data. The hacker knew what they could and couldn't get away with.

I'd suggest looking at the spam e-mails you received following the member signups. See if there is a common sponsor or theme to those spams. See if you can get the affiliate data from that particular sponsor. It shouldn't be too difficult to see who profited off this data.
Old 12-21-2007, 06:58 PM   #147
Sebastian Sands
Confirmed User
 
Join Date: Mar 2005
Location: ICQ: 211-417-740
Posts: 5,223
ccbill is coming out with their new cascading system right on time..
Old 12-21-2007, 06:59 PM   #148
pocketkangaroo
Confirmed User
 
Join Date: Jan 2005
Location: Chicago, IL
Posts: 8,452
Question for NATS sponsors. Would this have given them access to affiliate data? We promote a lot of NATS sponsors and store not only our business information but bank information and our password. I just want to know if they can see that and if so, we will change the payment method until the issue is resolved.
Old 12-21-2007, 07:07 PM   #149
SubAms
Confirmed User
 
Join Date: May 2002
Location: Living on an Island
Posts: 310
Quote:
Originally Posted by spacedog View Post
Can't post other forums, so here's screen cap.
So he works for TMM?
__________________
Promote exclusive British sites with Suburban Cash
Suburban Amateurs - Danica Collins
Old 12-21-2007, 07:08 PM   #150
SubAms
Confirmed User
 
Join Date: May 2002
Location: Living on an Island
Posts: 310
Glad I don't use Nats
__________________
Promote exclusive British sites with Suburban Cash
Suburban Amateurs - Danica Collins