Last_Mile2002 Posted November 27, 2014
Don't get too excited regarding the current USPSA management and start looking for a scapegoat, this may have been going on for years. Stuxnet freaked people out a couple of years ago and now Regin is freaking people out this week. Putting anything on the internet, you generally have to assume it is insecure. Unless you strongly encrypt at the source, tunnel through a VPN and decrypt at the destination, your data is not secure. Anything that is convenient, not requiring you to be an active participant, is probably compromised now or will be in the next year or two. Just be very careful.
Certificate Authorities - VeriSign, DigiNotar, KPN and others hacked.
OpenSSH - early versions hacked
Windows 95 to present - ALL versions of Windows have an "in plain sight security issue". (CVE-2014-6332)
There are many others. Treat your personal data just as money left on a table at a restaurant, anybody can see it, the honest people will remain honest, but you don't know after you leave. (No traces leading back to you either.)

MarkCO Posted November 27, 2014
Cleaning out the basement... Simple and hard at the same time.

peterthefish Posted November 27, 2014
> Don't get too excited regarding the current USPSA management and start looking for a scapegoat, this may have been going on for years. Stuxnet freaked people out a couple of years ago and now Regin is freaking people out this week. Putting anything on the internet, you generally have to assume it is insecure. Unless you strongly encrypt at the source, tunnel through a VPN and decrypt at the destination, your data is not secure. Anything that is convenient, not requiring you to be an active participant, is probably compromised now or will be in the next year or two. Just be very careful.
> Certificate Authorities - VeriSign, DigiNotar, KPN and others hacked.
> OpenSSH - early versions hacked
> Windows 95 to present - ALL versions of Windows have an "in plain sight security issue". (CVE-2014-6332)
> There are many others. Treat your personal data just as money left on a table at a restaurant, anybody can see it, the honest people will remain honest, but you don't know after you leave. (No traces leading back to you either.)
This is a red herring. Yes, even well protected data is vulnerable (i.e. Target, Home Depot) but USPSA didn't have the data well protected only to be thwarted by a group of expert hackers. They left the doors unlocked and three weeks of newspapers on the steps.

Stan-O (Author) Posted November 28, 2014
> Don't get too excited regarding the current USPSA management and start looking for a scapegoat, this may have been going on for years.
It's like saying don't blame the last person who didn't lock the door leaving the office which got robbed, because there're lock picks.

CZinSC Posted November 29, 2014
This happening doesn't really surprise me. My two cents, but USPSA has a problem with where they are at now as an organization. We started as a volunteer organization and the huge amount of work needed to make the organization work is still done by volunteers. RO's, Match Directors, set up and tear down crews, Area Directors, Section Coordinators etc. The problem, again just my view, is that USPSA relies too heavily on volunteers for some critical things they shouldn't. Much of our IT was done on a volunteer basis by Rob Boudrie and others. As much as I like Rob (and I don't believe he is in any way responsible for the password issue) there are certain things you really need to pay for and maintain control over. Holding up a 40K project for almost a year while waiting for a volunteer to finish his part of the job is no way to run a business. Having people with attitudes that do nothing to promote USPSA and in fact drive members away, but excusing their conduct because they volunteer their time is no way to run a business. For that matter, having paid employees that are not fulfilling their obligations or are not the best people to have in those positions, but excusing it because they are our friends or are part of the "USPSA Family" is a sure way to run any business into the ground. I think that's the rub. There are more members on the BOD that don't think USPSA is a business and still treat it like it is a volunteer based organization. Until that paradigm shifts and people are held accountable for their missteps instead of being excused because they didn't charge us anything for their screw up, or because we like her as a person, screw ups will continue. Why would anyone expect anything different unless something changes?
Agree with this 100%.

JulieTheCat Posted November 29, 2014
Any idea what this means? I get it every time I try to reset the pw on uspsa.
Warning: mysql_pconnect() [function.mysql-pconnect]: It is not safe to rely on the system's timezone settings. You are *required* to use the date.timezone setting or the date_default_timezone_set() function. In case you used any of those methods and you are still getting this warning, you most likely misspelled the timezone identifier. We selected 'America/New_York' for 'EST/-5.0/no DST' instead in/home/uspsa/public_html/Connections/USPSAStaffApps.php on line 9
Warning: mysql_pconnect() [function.mysql-pconnect]: Can't connect to MySQL server on 'uspsa.org' (114) in /home/uspsa/public_html/Connections/USPSAStaffApps.php on line 9
Warning: trigger_error() [function.trigger-error]: It is not safe to rely on the system's timezone settings. You are *required* to use the date.timezone setting or the date_default_timezone_set() function. In case you used any of those methods and you are still getting this warning, you most likely misspelled the timezone identifier. We selected 'America/New_York' for 'EST/-5.0/no DST' instead in/home/uspsa/public_html/Connections/USPSAStaffApps.php on line 9
Fatal error: Can't connect to MySQL server on 'uspsa.org' (114) in /home/uspsa/public_html/Connections/USPSAStaffApps.php on line 9

BritinUSA Posted November 29, 2014
Try emptying cache and stop/restart your browser. If it still throws out that error then try contacting USPSA directly; there may be another issue.

alma Posted November 29, 2014
It means that debug messages are turned on, for one, which gives attackers more information about the database structure that can be used to craft better attacks.

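As an added illustration of the point in the post above (not code from the thread or from USPSA), this Python sketch scans a response body for PHP's displayed error format and lists what each message discloses. The sample body is constructed from the messages quoted in this thread, and the function names are hypothetical.

```python
import re

# Constructed sample: a page body carrying two of the messages quoted in this thread.
SAMPLE_BODY = (
    "<html><body>"
    "Warning: mysql_pconnect() [function.mysql-pconnect]: Can't connect to MySQL "
    "server on 'uspsa.org' (114) in /home/uspsa/public_html/Connections/"
    "USPSAStaffApps.php on line 9"
    "Fatal error: Cannot break/continue 1 level in "
    "/home/uspsa/public_html/uspsa-join-renew.php on line 141"
    "</body></html>"
)

# PHP's displayed format: "<Level>: <message> in <file> on line <n>".
# \s* after "in" tolerates the "in/home/..." spacing seen in the pasted output.
PHP_ERROR = re.compile(
    r"(?P<level>Fatal error|Parse error|Warning|Notice|Deprecated):\s+"
    r"(?P<message>.*?)\s+in\s*(?P<file>/[^\s<>]+?\.php)\s+on line\s+(?P<line>\d+)",
    re.S,
)

def find_leaks(body):
    """Return one dict per PHP error message found in a response body."""
    leaks = []
    for m in PHP_ERROR.finditer(body):
        msg, path = m.group("message"), m.group("file")
        func = re.match(r"(\w+)\(\)", msg)               # failing PHP function
        host = re.search(r"server on '([^']+)'", msg)    # database host name
        home = re.match(r"/home/([^/]+)/", path)         # hosting account name
        leaks.append({
            "level": m.group("level"),
            "file": path,                                # absolute server path
            "line": int(m.group("line")),
            "function": func.group(1) if func else None,
            "db_host": host.group(1) if host else None,
            "account": home.group(1) if home else None,
        })
    return leaks

def is_clean(body):
    """True when the body shows no PHP error output to the visitor."""
    return not find_leaks(body)
```

A check like this run against a site's own pages catches error display left on in production; the usual fix is `display_errors = Off` with `log_errors = On` in php.ini, so the messages go to the server log instead of the visitor.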
Shadowrider Posted November 29, 2014
What a pain in the ass! I didn't use that password on anything financial but it was a similar scheme but a bit stronger. I said screw it. I installed Lastpass and now ALL my passwords are gibberish. I'll never remember a single one! But they are backed up on a memory stick in an Excel file. This just sucks...

NewColonial Posted November 29, 2014
Two days ago they dumped the SQL table structure to the web site. Now we're getting error messages posted. The USPSA membership roster would be a big score for anti-gun activists. I don't see why the site isn't taken offline until USPSA can guarantee the security of the site. Attempting to apply fixes on a live site, with live data, is just stupid.

NewColonial Posted November 29, 2014
Interestingly, after attempting to log in with my new password (which I have no reason to believe is secure) and getting the error message, if I close the window and reload the site I'm actually logged in.

Jeff9mmM&P Posted November 29, 2014
Is the membership renew page not working for anybody else????
I am getting a "This webpage is not available"
Thanks

NewColonial Posted November 30, 2014
> Is the membership renew page not working for anybody else????
> I am getting a "This webpage is not available"
I get:
Fatal error: Cannot break/continue 1 level in /home/uspsa/public_html/uspsa-join-renew.php on line 141
Probably not a good time to be giving USPSA any personal or financial information anyway. :-)

NewColonial Posted November 30, 2014
The only info that we've been told has been leaked are email addresses and passwords. Is anyone at USPSA qualified to assure us that other tables in the database, like names and addresses, weren't also dumped?

Stan-O (Author) Posted November 30, 2014
Oh, so you guys actually got the password reset links? I've requested them a few times, never got an e-mail. Checked spam folder of course (because really, why wouldn't the password reset link end up in spam folder, right?) and nothing.

BritinUSA Posted November 30, 2014
I did not get mine either. I think I have two email addresses coded somewhere, my old one and the new one that I am using now. I suspect that it is reading the old email address and because it's no longer valid then I don't get the email. Did you change your email address since you joined USPSA?

Stan-O (Author) Posted November 30, 2014
No, not really. Funny thing is, after I've discovered the hack/leak I've logged in and changed my password immediately (I'm a club contact). Now my membership is expiring, the club registration is expiring and I can't do anything about it online. I guess it's time to switch to snail mail.

wgnoyes Posted November 30, 2014
> Any idea what this means? I get it every time I try to reset the pw on uspsa.
> Warning: mysql_pconnect() [function.mysql-pconnect]: It is not safe to rely on the system's timezone settings. You are *required* to use the date.timezone setting or the date_default_timezone_set() function. In case you used any of those methods and you are still getting this warning, you most likely misspelled the timezone identifier. We selected 'America/New_York' for 'EST/-5.0/no DST' instead in/home/uspsa/public_html/Connections/USPSAStaffApps.php on line 9
> Warning: mysql_pconnect() [function.mysql-pconnect]: Can't connect to MySQL server on 'uspsa.org' (114) in /home/uspsa/public_html/Connections/USPSAStaffApps.php on line 9
> Warning: trigger_error() [function.trigger-error]: It is not safe to rely on the system's timezone settings. You are *required* to use the date.timezone setting or the date_default_timezone_set() function. In case you used any of those methods and you are still getting this warning, you most likely misspelled the timezone identifier. We selected 'America/New_York' for 'EST/-5.0/no DST' instead in/home/uspsa/public_html/Connections/USPSAStaffApps.php on line 9
> Fatal error: Can't connect to MySQL server on 'uspsa.org' (114) in /home/uspsa/public_html/Connections/USPSAStaffApps.php on line 9
This is still going on today when you try to go to your user profile page.

blueeyedme Posted November 30, 2014
I hope everyone has made sure their USPSA PW was changed anywhere else that it might have been used. Since the site was hacked/published, there have been attempts to access my Microsoft email from Thailand, Indonesia, Chile, Bangladesh, Dominican Republic, Italy, Chicago & Russia. Fortunately, I did not use the same pw for my email or anywhere else.

JulieTheCat Posted November 30, 2014
Is everyone getting that error when they go to "personal profile?"

Round_Gun_Shooter Posted November 30, 2014
The level of incompetence currently at uspsa is astounding. Between this and the $144k in question will be why I am canceling my membership. This will explain it for you Adam https://www.princeton.edu/~achaney/tmve/wiki100k/docs/Peter_Principle.html

j2fast Posted December 1, 2014
I don't think anyone else posted this, folks may want to check out https://pwnedlist.com. It's a service that will tell you if any of your email addresses, etc. have been part of a public data breach. The site/service has been featured by a number of major publications and is used by Lastpass which I use for password management.
Since I've received nothing about the breach from the USPSA, I wasn't sure what email address I had used for the USPSA site and as a bonus the reset password option has yet to work for me. So I plugged a couple of the likely addresses into pwnedlist and sure enough, one came back as part of the USPSA breach.
I feel like I'm just piling on at this point but as someone that advises firms on IT matters, I don't think this whole thing could have been handled more poorly by the USPSA.

NewColonial Posted December 1, 2014
I use pwnedlist. I actually got an alert on the USPSA hack from pwnedlist BEFORE USPSA decided to alert users.

Jeff9mmM&P Posted December 2, 2014
> No, not really. Funny thing is, after I've discovered the hack/leak I've logged in and changed my password immediately (I'm a club contact). Now my membership is expiring, the club registration is expiring and I can't do anything about it online. I guess it's time to switch to snail mail.
My membership expired on 11/30. I called HQ today and was able to pay over the phone.

Stan-O (Author) Posted December 2, 2014
> > No, not really. Funny thing is, after I've discovered the hack/leak I've logged in and changed my password immediately (I'm a club contact). Now my membership is expiring, the club registration is expiring and I can't do anything about it online. I guess it's time to switch to snail mail.
> My membership expired on 11/30. I called HQ today and was able to pay over the phone.
Thanks, I'll call them tomorrow.