Brian Enos's Forums... Maku mozo!
Everything posted by Stan-O

  1. Oh, so you guys actually got the password reset links? I've requested them a few times, never got an e-mail. Checked spam folder of course (because really, why wouldn't the password reset link end up in spam folder, right?) and nothing.
  2. It's like saying don't blame the last person who didn't lock the door leaving the office which got robbed, because there're lock picks.
  3. It's been about 17 hours since I let them know (and that's how they found out) and I didn't get a thank you or a pat on the back or anything. Next time I won't bother.
  4. The e-mail/password combinations that can be tried at other sites -- like eBay, PayPal, personal finance, cloud storage. Basically anything which can either get hackers the actual financial information to steal from you or access to documents with such information. Or the naughty pics from your cloud storage if you're a celebrity. While I agree both cases are equally bad, one thing is hackers gaining access to the membership database (compromised data) and another thing granting permission to the third parties for access (lack of data handling regulations).
  5. No that can't be the reason -- they can easily spend 5 minutes or so to pull the e-mails out of the database without risking any further attacks. I didn't want to increase the exposure of the dump until every USPSA member was made aware of the leak, I don't know what's taking USPSA so long to reach out to the membership. Nothing can be gained by posting the link to the dump here, even if your e-mail address isn't there, you're still at risk.
  6. This. Sanitize your inputs. Lucky someone didn't drop the classifier table. Crap, I could have made GM overnight!
  7. And the very next step should be hiring/paying someone competent to run their website and IT stuff. I would be laughed out of my job if I would ever even suggest or think of storing passwords in the clear. Also, at this point I wonder about my credit card I use to pay for classifiers and the like. How much confidence do I now have that they also don't store that somewhere in dubious fashions? I asked Val if there're going to be repercussions to the individual/company which designed the buggy code and the system which stored plain text passwords but didn't have this question addressed. For the credit card info they said to be using a "separate vendor" which was not affected by this attack.
  8. Oh, I ran a few IT startups, you pick stuff up real quick if you rely on your web-sites for living. I use a specialty service to alert me if my credentials have been compromised. Once I received a notification and verified it's real I forwarded the link to the dump to all contacts at USPSA I've had -- Val & Rick. My biggest concern now is that the hacker's note mentions some of those leaked credentials are proven to work on e-commerce/finance sites. I think USPSA should do the mass-mailing to everyone and advise them to remember if those e-mail/password combinations were used on other sites and change the passwords there immediately.
  9. Got an e-mail from Val, they acknowledged the leak and are going to fix the problem. I'm glad that pretty much everything I've suggested in my e-mail (take the server down, fix the bug, store passwords hashed/salted) has either happened or is going to happen. My guess is that if they rush it, they can get the web-site back before the end of the day today. If they're thorough it'll probably be at least two working days to inspect all the existing code for vulnerabilities and implement the changes for storing passwords salted/hashed and password reset. But seriously, storing plain text passwords in 2014 (almost in 2015) is like drawing facing uprange.
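The fix the post asks for (store passwords salted and hashed, never in the clear) looks like this in practice. The block below is an added example written for this thread, not code from uspsa.org or from the poster; it uses only the Python standard library (PBKDF2-HMAC-SHA256 with a random per-user salt and a constant-time comparison), and the record format, the constant names and the sample member entry are this example's own constructed choices.

```python
import hashlib
import hmac
import os

# Added example: salted password hashing with PBKDF2-HMAC-SHA256 from the
# Python standard library. The record format ("alg$iterations$salt$digest")
# and the parameter names are this example's own choices, not anything
# from the uspsa.org site discussed in the thread.
ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000   # work factor; raise it over time as hardware gets faster
SALT_BYTES = 16        # 128-bit random salt, unique per stored password


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt_hex$digest_hex.

    The salt is random per call, so two members with the same password get
    different records and a leaked table cannot be attacked with one
    precomputed lookup for everyone at once.
    """
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(record: str, password: str) -> bool:
    """Recompute the digest from the stored salt/iterations; compare in constant time."""
    try:
        algorithm, iterations_str, salt_hex, digest_hex = record.split("$")
        if algorithm != ALGORITHM:
            return False
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
        iterations = int(iterations_str)
    except ValueError:
        # Malformed record (wrong field count, bad hex or non-numeric count).
        return False
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    # hmac.compare_digest avoids leaking, via timing, how many bytes matched.
    return hmac.compare_digest(actual, expected)


def needs_rehash(record: str, iterations: int = ITERATIONS) -> bool:
    """True if the record predates the current policy and should be re-hashed
    at the member's next successful login (the only time the plaintext is seen)."""
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != ALGORITHM or not parts[1].isdigit():
        return True
    return int(parts[1]) < iterations


# Constructed demo row: what a members table should hold instead of plaintext.
MEMBERS = {
    "shooter@example.com": hash_password("correct horse battery staple"),
}

if __name__ == "__main__":
    rec = MEMBERS["shooter@example.com"]
    print(rec)  # no plaintext anywhere in the stored record
    print(verify_password(rec, "correct horse battery staple"))  # True
    print(verify_password(rec, "wrong password"))                # False
```

Two things worth noticing when running it: hashing the same password twice yields two different records because of the salt, and a record that was created with a lower iteration count still verifies but reports `needs_rehash`, which is how a site raises its work factor gradually without forcing a mass password reset.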
  10. The notification I've got didn't come from USPSA. I'm pretty sure they didn't know when I emailed Rick and Val. So I'm not sure what you meant by saying you got the same email. I don't think it would be beneficial to share the link to the dump. USPSA people have it and sharing it beyond them would do more harm than good. There are people with .gov and .mil addresses there and their passwords which may still be valid at other web sites.
  11. To me it looks like either the DB is down or it's been put offline by USPSA. At the moment I cannot even log in. I haven't received a reply to my e-mail sent to USPSA web-master, but if they took the DB down it's a great move I think, at least no one will be able to abuse the published passwords at uspsa.org.
  12. What happened? The USPSA passwords database has been hacked and about 15,000 records (emails + passwords) have been published by hackers. I found out about midnight on November 25th and notified USPSA. About 6 hours later the USPSA web-site was taken down until the code was updated. It is now back up with the limited functionality until the proper fix is implemented.

      What do you need to do now? If you used the same password at any other web-site (besides uspsa.org) you need to log in to that website and change your password ASAP. The reason hackers even tried to obtain your USPSA password is that they hoped some of those e-mail/password combinations will work for other sites -- like eBay, PayPal, online banking, iCloud. The link to the database dump is available further down in this thread, but if your e-mail address isn't there it doesn't mean you're safe. That dump is not necessarily everything hackers got.

      Is my credit card info I've used to pay at uspsa.org safe? USPSA payments are handled thru a third-party vendor and their infrastructure has not been affected by this attack.

      What to expect in the future? When the USPSA.org is back online with the full membership functionality -- make sure you update your password there too. Do not use the password you use anywhere else.

      Below is my original post I'm keeping for posterity reasons and so that some of the discussion below doesn't seem completely out of context.

      Well, I didn't feel like it's appropriate to post in USPSA shooting or USPSA rules sections, but I'm sure there's plenty of the USPSA members here and if Brian/mods feel like this topic should be moved, they can do so. I have received a notification that the USPSA.org passwords database has been hacked and the DB dump containing about 15,000 account records (e-mail + password) has been posted online for the world to see.

      For obvious reasons I'm not including the link to the DB dump, but I'd welcome first 10-15 people who reply here to PM me with an e-mail address so I can confirm if their passwords have been leaked (unless there's a clear correlation between the BE username and the e-mail address I'll obscure a few characters from the password with asterisks to prevent abuse). I have found my own password in the plain-text in the leaked DB dump and a few passwords of my fellow USPSA members as well, although as it's late I haven't confirmed with them their passwords are real.

      For now, I'm fairly certain the vulnerability has not been fixed, however it would be beneficial to log in to uspsa.org and update your password there (especially if you're a primary contact for a club). If you have used the same e-mail/password combination at any other web-site I would strongly advise you to log in to those and update your passwords there as well (especially if it's an iCloud and you're a celebrity and have some private photos there).

      UPDATE 1: Forgot to mention, the note posted along with the dump claimed that at least 1,000 of those records are working logins for ebay/paypal too! So do not ever use the same password across multiple sites.

      UPDATE 2: Out of 8 e-mail addresses sent to me 4 were in the dump along with the correct passwords and 4 were not in the dump. However I believe not all the stolen records made it to the public dump, so even if your e-mail is not there I wouldn't rest easy.

      UPDATE 3: Looks like the uspsa database is down or offline, nobody can login.

      UPDATE 4: uspsa.org is down.
  13. Wait, doesn't the rule only stipulate requirements prior to the start signal? For example magazines on the table start, I have some magnets on my belt/pouches -- if I grab magazines and stick them onto magnets after the start signal I'm bumped to open in USPSA?
  14. Three reasons not to like steel: 1. Poppers may not fall after being shot 2. Texas star 3. Oregon star
  15. Wait, what kind of class it was she went to that she was told she can borrow a magazine from another shooter when shooting the stage? While not a safety concern like breaking 180 -- is it still not a DQ for both?
  16. David, that's a bummer about LHS, I was going to see if I can get Mk12-compatible spacers for my old (made for Mk7) holster thru you. If it helps any, I can drive over to Blade-Tech with Mk12 X-Cal -- I really need something for IDPA, even considering asking my buddy to make me a custom Kydex holster. And just to confirm -- the CR Speed mag pouches with the CZ inserts work just fine for all generations of the GP magazines I have.
  17. Considering the forum we're on, if you intend to shoot it in USPSA Production *now* you may be better off getting the Mk7 gun (the Target model) if it's available -- last time I checked even the Mk12 K100 models were not on the USPSA Production list.
  18. Not that I'm attached to the Tachyon, but I have to ask -- where did you see those videos? If it was on youtube or played back on the cell phone -- it could very well be that youtube by default down-sample videos and not all cell phones have 1080p-capable screens. However, there's no argument that Sony's sensor is superior. *Just* for shooting sports I would gladly trade video quality for more compact and easier to mount camera tho.
  19. Tachyon OPS HD with the Eric-style mount.
  20. I've used Contour for a year or so, sold it shortly after they went out of business (a shame, I've had a ton of different mounts I bought separately at the time). Just got a Tachyon OPS HD cam (the link was either on the USPSA web-site or in the newsletter) and it's a big improvement in technology, it's super-light and can be mounted on the brim of the hat where I don't even feel it's there. The *only* gripe I have is that it doesn't have the physical feedback on the on button. It sounds an audible signal on power on and power off, but it doesn't have that tactile slide switch of the Contour. Here's a most fun stage from the recent match I shot with the Tachyon (youtube starts streaming at 360p, but you can switch to the 720p):
  21. I couldn't find these in local stores, so I want to order them online (just wore out my Adidas cleats which served me for more years than I care to count), but I've discovered Dick's sells two models of this shoe: Model 1: http://goo.gl/kWjp59 Model 2: http://goo.gl/czPdJP I suspect the model 2 is the newer generation (so it should be better, right), but I quite dislike the very loud logo at the heel. I know there're lots of people on this forum who wear Turf Hogs -- has anyone had a chance to compare the two? Even if you haven't and don't know for sure which model is newer, please post which one you have and when you bought it. Thanks!
  22. Dave, are you loading 4.2gr for X-Cal or is it your estimate what should work for the shorter barrel of X-Trim?
  23. I don't have easy access to a chronograph and I just switched to Clays Universal so if anyone has chronoed the loads with Berry's plated 124gr bullets, please do share. You guys who experiment with the hammer spring -- any chance you could measure the difference in DA/SA with the trigger gauge? PS. I do have a problem chambering reloads as well -- my X-Trim is sensitive to the cases not being resized full-length and being a bit thicker towards the bottom. My GP6C was the same with both barrels (I've had a 4.25" and 5" barrels for it). PPS. Regarding the holsters -- I've had no major problems (besides loosening some screws) fitting my X-Trim into the Blade-Tech GP6 holster, but the LHS X-Calibur holster I have received very recently works better. It would also fit the X-Calibur when I get it.
  24. Well, I started Unclassified (classifiers only happen once a year where I shoot) but I won my first match I've shot with the STI GP6C in ESP/UN and won one of 7 stages overall. So one point for GP6C in IDPA.