Hackergate part four - PLEASE READ!

993 replies

RebeccaMumsnet · 20/08/2015 10:12

Previous thread here and original thread here

We will post here throughout the day with updates and info, please do post any questions and we will get to them as soon as possible.

If you need to get in touch off of the boards, please email [email protected], we have a team of people working through the inbox now and will get back to you ASAP but please do bear with us, it's very busy.

There is also a specific thread about passwords here.

Thanks all
MNHQ

ItsAllGoingToBeFine · 20/08/2015 18:06

"I don't understand I log in via secure https but once I am in the url changed to http."

The initial https is to keep your password secure between your computer and MN. A secure connection is less needed after this as you are not posting anything confidential.

StephanieBeacham · 20/08/2015 18:07

No problem, crossed posts!

Pipbin · 20/08/2015 18:08

Remember to put on a saucy nightie too Grinch

LocalEditorEssex · 20/08/2015 18:09

I would hope the swat team don't bring a dog...my dog wouldn't like it and it wouldn't end well for my dog Hmm

Fleurdelise · 20/08/2015 18:10

Thank you ladies!

Just a thought: have you guys turned off your location services on your phones/tablets?

Just thinking in case they get (somehow) hacked.

As to swatting, my DS would be so excited to see "real" police. Grin

Lweji · 20/08/2015 18:11

"They're used to coming here because of my ex,"
Same here, although not recently. I miss all the excitement. Although some nicer looking cops - like the cute criminal investigation one - would be welcome.
They would probably enjoy a natter with a couple of other neighbours who are/were on the forces.

Arkkorox · 20/08/2015 18:12
PacificDogwood · 20/08/2015 18:12

Oh. I see Blush (re http/s)
Tech I am not

msgrinch · 20/08/2015 18:15

Lweji same!

I will find a sexy nightie and pose in wait. My ex lives across the road so it would shake him up a bit too. Win win!

msgrinch · 20/08/2015 18:18

Lweji same!

I will find a sexy nightie and pose in wait. My ex lives across the road so it would shake him up a bit too. Win win!

Pneumometer · 20/08/2015 18:21

"The initial https is to keep your password secure between your computer and MN. A secure connection is less needed after this as you are not posting anything confidential."

That's not quite true. You give your username and password, which are long term secrets (or at least the password is) and receive in exchange an authentication cookie, which is a short(er)-term secret. It's like turning up at a building, showing your ID and invitation and being met by your contact, and being given in exchange a cheap printed pass which is good only for that day but allows you to go to the lavatory without an escort.

The problem with mixing HTTP and HTTPS is that it protects the long-term secret (the attacker can't log on as you) but doesn't protect the short-term secret (the attacker can pretend to be you for as long as that token is valid). And if you tick the "remember me" or whatever that some websites have, "short term" might mean "a week" or "a month". Worse, if you're passing those short term secrets to the origin website over HTTP, then they're marked as OK to pass over HTTP in some other circumstances. There are then a variety of ways in which those short-term secrets can be stolen, which HTTPS at least makes harder and often prevents.

In 2015, the justification for mixing HTTP and HTTPS is pretty shaky: modern processors make the encryption essentially free and people using operating systems, hardware and browsers old enough to cause problems should be cut off for their own good.
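
The distinction drawn in the post above between the password and the authentication cookie shows up in the cookie's attributes. As an added example (not part of the original post and not Mumsnet's code), this sketch audits the `Set-Cookie` headers of a login response for session cookies that a browser would send over plain HTTP or keep for a long time. The cookie names, the name-matching heuristic and the sample header values are constructed for illustration.

```python
# Added example: audit Set-Cookie headers from a login response.
# Header values are constructed; cookie names are hypothetical.

SESSION_HINTS = ("sess", "auth", "token", "remember")
LONG_LIVED_SECONDS = 24 * 60 * 60  # flag "short-term" secrets kept over a day


def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, attributes dict)."""
    parts = [p.strip() for p in header.split(";")]
    name, _, _value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return name.strip(), attrs


def audit_cookie(header):
    """Return findings for one Set-Cookie header (empty list if none)."""
    name, attrs = parse_set_cookie(header)
    if not any(hint in name.lower() for hint in SESSION_HINTS):
        return []  # not an authentication cookie by this heuristic
    findings = []
    if "secure" not in attrs:
        findings.append(f"{name}: no Secure flag, sent over plain HTTP too")
    if "httponly" not in attrs:
        findings.append(f"{name}: no HttpOnly flag, readable by page scripts")
    max_age = attrs.get("max-age", "")
    if max_age.isdigit() and int(max_age) > LONG_LIVED_SECONDS:
        findings.append(f"{name}: valid for about {int(max_age) // 86400} days")
    return findings


def audit_response(set_cookie_headers):
    """Audit every Set-Cookie header of one response."""
    return [f for h in set_cookie_headers for f in audit_cookie(h)]


# Constructed samples: HTTPS login then HTTP browsing, versus HTTPS throughout.
MIXED_SITE = ["auth_token=abc123; Path=/; Max-Age=2592000", "theme=dark; Path=/"]
HTTPS_ONLY_SITE = ["auth_token=abc123; Path=/; Max-Age=3600; Secure; HttpOnly"]

if __name__ == "__main__":
    for finding in audit_response(MIXED_SITE):
        print(finding)
    print("HTTPS-only findings:", audit_response(HTTPS_ONLY_SITE))
```
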

ItsAllGoingToBeFine · 20/08/2015 18:26

"That's not quite true" Well no, not quite. Your explanation is better, mine was shorter Wink

JessicaMumsnet · 20/08/2015 18:27

@headlesslambrini

"I think it's happening again - funny writing instead of the MN sticky"

Hello headlesslambrini, thanks for flagging, we'll take a look at that. Just to reassure you that url shouldn't have https, only log in pages will have https

headlesslambrini · 20/08/2015 18:29

Is anyone else's browser sort of half going across to load a page and then starting again from the beginning, it's like it was loading the page and then putting a ghost one over the top of it?

headlesslambrini · 20/08/2015 18:30

I hasten to add that I might just be noticing these things more rather than it being sinister

headlesslambrini · 20/08/2015 18:35

As for the swatting, do you think if I leave a duster and polish out then they will do a bit of polishing whilst searching through everything, seems a bit of a shame to have to move things twice

Fleurdelise · 20/08/2015 18:39

What I can't understand is why is his Twitter account still online/active? Surely Twitter can close it immediately? No?

TheFormidableMrsC · 20/08/2015 18:40

I don't know if this has been mentioned previously by any other users and I haven't read the entire thread, however, having changed password as per MN instruction, I no longer have the "lock" symbol in my search bar. It is now a "piece of A4 paper" symbol which when clicked gives site information. It tells me my connection is not encrypted and the identity of the website has not been verified. I have logged out and logged back in but it is still the same. It also tells me that I first visited this site on 26 July 2015, however, I have been on MN for two years now.

Should I be concerned about this?

Pico2 · 20/08/2015 18:41

As a fairly sizeable website that holds masses of personal data (even if it isn't addresses and phone numbers), I'm surprised that external security experts have been brought in too late, rather than as a preventative measure.

thenumberseven · 20/08/2015 18:43

On my gmail I also get an error but, like a pp, messages do get through

Fleurdelise · 20/08/2015 18:46

Formidable I could remember the same "padlock" but I wasn't sure if it was always there. I have just checked, when I log on (entering my pw) there is a padlock, after that it is gone.

I guess it's the http/https explanation above. Smile

msgrinch · 20/08/2015 18:46

It's so glitchy. Though that's probably just my Internet.

Pneumometer · 20/08/2015 18:47

"As a fairly sizeable website that holds masses of personal data (even if it isn't addresses and phone numbers)"

Mumsnet's data protection registration (Z1255016) makes interesting reading. It appears that they believe that nothing about users is personally identifiable within the meaning of the act (indeed, the registration doesn't appear to cover Talk at all). I've been a data controller in my youth and I suspect I'd have made the same judgement in 2008 when the registration was made, but the past is another country.

Hassled · 20/08/2015 18:49

All DadSec really had to do to make whatever point it is they're trying to make is post that creepy fucking clown man thing a few times. That would have put the wind up us. Like Ashes to Ashes, except scarier. Maybe Jeffrey is Gene Hunt? Have the police run a search on all Audi Quattro owners?

GammonAndEgg · 20/08/2015 18:52

Has the new app gone now? Mine is completely blank.