I Just Logged In As You

3rd vote for Rockhardawesome

He created a GUI in visual basic and tracked your IP address.

Social engineering is the usual way - mentioned girlfriend/pet/streetname possibly?

Something to do with the following: wumpus, elizabeth, billcosby, jooky, burton, betsy, gamebasement, wise-ebusiness, boland boss, chuck snyder, lifepoint, brentwood

Or if I was able to figure out your crystaltech account ID (which could easily be social engineered), that'd open the floodgates for me.

0wned.

May I just add that the concept of the Hacker badge (if implemented as the anonymous emailer suggested) is one of the best security Hacks ever. Find something of little value you can give people to get them to attempt to hack your site and admit it.

Encourage Hacking!

Passwords are flawed, they are too easily broken, but I've found the cure: I don't use passwords. Think about it - you only change your password and that's only half of your identifier when logging in!

Instead, every 28 days I change my identity. This month I'm Gerald Wobblebottom. Who knows who I will be next month. In fact, some days I don't know who I am until I get to work and see my name on the door.

Was it orange?

C'mon… I have work to do… Now who's gonna spend time in finding the way how he did it… Damn! You just ruined my working day…

I appreciate the guy with ethics… :slight_smile:

Don't be silly, do you think Jeff is stupid?

It was of course 0r4n93.

How did this person discover your password? My guess is you inadvertently typed your password into a Stack-Overflow field while thinking focus was on another window. The perp then spotted the random word in an SO post, and guessed that it must be a password.

I'm going to guess he got your password the same way Anonymous got Sarah Palin's Yahoo account password: broken secret question system.

I would have to guess that it was a cross-site attack (XSS), you mentioned it in a particular blog post as well as several times when talking about particular vulnerabilities that you should pay attention to. Personally I'm partial to picking randomly generated passwords from pwgen, writing them down together with all my old passwords on a note which I keep somewhere safe. It's surprising, though, how quickly you can memorize a number of random alphanumerics.

http://www.codinghorror.com/blog/archives/001171.html

Iā€™ll also say Rockhardawsome

I suppose it was contained in a configfile which you published somewhere.
Or you used the same password on another website which is controlled by the attacker.

the password is…

1… 2… 3… 4… 5…

Hey! Thatā€™s the same combination I have on my luggage!

good thing I don't use OpenID for anything else than Stack Overflow…

The most likely cause was that you used it on his site and he is logging passwords or saving them unhashed.
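The guess above (the password was reused on a site that kept it unhashed) is the one in this thread with a concrete engineering fix, so here is an added example, not code from the original post or from Stack Overflow or Coding Horror, contrasting the two storage styles in Python. The in-memory dicts standing in for two sites' user tables, the usernames, the password value and the iteration count are constructed for the example; the point it shows is that a dump of a plaintext table hands the attacker a password he can replay on every other site, while a dump of a salted PBKDF2 table does not, and the same password even hashes differently on two sites.

```python
import hashlib
import hmac
import os

# Added example, not from the original post. Two dicts stand in for the user
# tables of two unrelated websites where the same person reused one password.
ITERATIONS = 200_000  # assumed work factor for the demo; tune upward in production


def store_plaintext(db, username, password):
    """The failure mode guessed at in the thread: the site keeps the password as-is.
    Whoever can read this table (the site owner, or anyone with SQL injection)
    gets a credential that works wherever the user reused it."""
    db[username] = {"password": password}


def verify_plaintext(db, username, password):
    rec = db.get(username)
    return rec is not None and hmac.compare_digest(rec["password"], password)


def store_hashed(db, username, password):
    """Salted PBKDF2-HMAC-SHA256: the table holds only salt + derived key."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    db[username] = {"salt": salt, "hash": digest, "iterations": ITERATIONS}


def verify_hashed(db, username, password):
    rec = db.get(username)
    if rec is None:
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), rec["salt"], rec["iterations"]
    )
    # Constant-time comparison so verification itself leaks nothing by timing.
    return hmac.compare_digest(candidate, rec["hash"])


def replayable_secret(db, username):
    """What an attacker who dumps the table walks away with: the reusable
    password itself for a plaintext table, nothing directly replayable otherwise."""
    rec = db[username]
    return rec["password"] if "password" in rec else None


def demo():
    # Constructed sample data: one user, one password reused on two sites.
    user, password = "jeff", "0r4n93"
    site_a, site_b = {}, {}

    store_plaintext(site_a, user, password)   # the attacker's site
    store_hashed(site_b, user, password)       # a site that did it right

    # A second correctly built site: same password, different random salt.
    site_c = {}
    store_hashed(site_c, user, password)

    return {
        "plaintext_login_ok": verify_plaintext(site_a, user, password),
        "hashed_login_ok": verify_hashed(site_b, user, password),
        "hashed_wrong_rejected": verify_hashed(site_b, user, "orange"),
        "leaked_from_a": replayable_secret(site_a, user),   # "0r4n93"
        "leaked_from_b": replayable_secret(site_b, user),   # None
        # Different salts: the two hashed tables cannot even be cross-matched.
        "hashes_differ_across_sites": site_b[user]["hash"] != site_c[user]["hash"],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The moral for the reuse case is the one the thread hints at: a reused password is exactly as safe as the worst-stored copy of it, and only a unique password per site takes the attacker's own table out of the equation.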

but will you punish him? :slight_smile: