Brian Enos's Forums... Maku mozo!

USPSA passwords database has been hacked



The level of incompetence currently at USPSA is astounding. Between this and the $144k in question will be why I am canceling my membership.

The level of incompetence is created by members that don't bother to vote, don't bother to run for office, etc. The membership is directly responsible for what USPSA does, we vote the people into office, they hire the staff.

This is not IDPA where you have a dictatorship. I like the game enough to try and make it better. Then again I never was someone that just gives up.

Sure. Let us know when you find out who's responsible for this so we know who to vote out of office.


The level of incompetence currently at USPSA is astounding. Between this and the $144k in question will be why I am canceling my membership.

The level of incompetence is created by members that don't bother to vote, don't bother to run for office, etc. The membership is directly responsible for what USPSA does, we vote the people into office, they hire the staff.

This is not IDPA where you have a dictatorship. I like the game enough to try and make it better. Then again I never was someone that just gives up.

Sure. Let us know when you find out who's responsible for this so we know who to vote out of office.

The ED works for the board. To me the ED is responsible. To get a change in ED you need to change the board.


USPSA Bylaws 10 Adopted on 12-14-13

7.5 Executive Director:

The Executive Director shall be the chief operating officer of the corporation and shall have general and active supervision over the property, business, day-to-day operations and affairs of the corporation, and oversee production of the corporate newsletter at the national office.

The Executive Director shall be knowledgeable of practical shooting, shall be selected by the Board of Directors and may be removed at any time, with or without cause, only by the Board of Directors.

In addition to the other provisions of these bylaws, the Executive Director shall

i.) keep the President advised at all times of all matters affecting the corporation and of all actions taken by the Executive Director on its behalf,

ii.) attend and participate in Board meetings, but does so without vote,

iii.) in general, exercise such duties and responsibilities as customarily pertain to the office of chief administrative officer, and

iv.) perform such other duties as may be prescribed from time to time by the Board of Directors or by these bylaws.

The Executive Director may sign, execute and deliver in the name of the corporation powers of attorney, contracts, checks, leases, bonds, and other obligations and cause to be prepared all reports necessary for governmental agencies and to pay all taxes and other charges against the corporation.

The Executive Director, in conjunction with the President, shall direct the preparation of and submit a draft budget to the Board of Directors by February 1 of each year. The budget shall contain estimated revenues and expenses of the corporation. It shall include, but not be limited to, allocation of funds to the operation of the individual membership program, the national Range Officers training program, the club membership program, the publication of the corporate newsletter, maintenance of corporate office(s), the holding of the U.S. National Championships, and other items as necessary to attain the purposes of the corporation. In no event shall the budget exceed anticipated revenues on an annual basis. The Board of Directors has the responsibility of approving the budget after offering such amendments as they may deem appropriate. That responsibility shall include adjustments during the budget period.

The Executive Director may hold the office of Secretary when so appointed by the President.


I just got an email, well over 12 hours since I found out, from USPSA.

It's been about 17 hours since I let them know (and that's how they found out) and I didn't get a thank you or a pat on the back or anything. Next time I won't bother.

Edited by Stan-O

I just got an email, well over 12 hours since I found out, from USPSA.

It's been about 17 hours since I let them know (and that's how they found out) and I didn't get a thank you or a pat on the back or anything. Next time I won't bother.

Yeah, you will bother... Not because you care about the organization, but because you care about the members... And in case one has said it, thanks for bringing this to light


I use a unique password for the USPSA site. Personally I think it would be stupid to use the same password on multiple sites. The way I see it, if someone has gotten my USPSA password, the worst they can do is post on the USPSA forum as me. (or horror of horrors, look at my classifications). :roflol: The security breach doesn't affect any of my financial accounts.

Personally, I think it is stupid to have obviously UNQUALIFIED people in charge of the data that is REQUIRED by USPSA to have. Email, home address....good thing there isn't a gun registry as well in that database.

Wasn't there supposed to be a new website this year? Who set that up? What did we pay for it? Why wasn't it done?

Every month or two some new thing comes out of HQ that not only doesn't move the sport forward, it goes backward.


I just got an email, well over 12 hours since I found out, from USPSA.

It's been about 17 hours since I let them know (and that's how they found out) and I didn't get a thank you or a pat on the back or anything. Next time I won't bother.

Yes, huge thanks to you. I sent an email to our listserve in the section, but if not for someone here, I would have not doing or to much later.


Also, when you rebuild this, USPSA, please salt and hash our passwords!!!!!!!!!!!!!!!!

It's disgraceful that these were stored in plain text.

+15k

This bears repeating.... I can forgive them for using a weak hash or not salting the hash or poor input validation or poor patch management. Shit happens. But storing the passwords in plain text in 2014? That's the real WTF. I'm changing my password to: ;drop table users;

http://xkcd.com/327/

Edited by blind bat
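
What the posts above ask for ("salt and hash our passwords" instead of plain text), as an added example that is not part of the thread and is not USPSA's code: a plaintext password table is migrated to per-user salts with scrypt hashes, and login is checked through bound SQL parameters, so a password such as the one joked about above is handled as data. The table layout, member numbers, passwords and scrypt cost values are constructed assumptions.

```python
import hashlib
import hmac
import secrets
import sqlite3

# scrypt cost parameters: assumed values for this example, tune for your hardware.
SCRYPT = dict(n=2**14, r=8, p=1, dklen=32)


def hash_password(password: str, salt: bytes) -> bytes:
    """Derive a slow, salted hash; the salt makes equal passwords hash differently."""
    return hashlib.scrypt(password.encode("utf-8"), salt=salt, **SCRYPT)


def open_legacy_db() -> sqlite3.Connection:
    """Constructed sample data: a table that still stores passwords in plain text."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (member TEXT PRIMARY KEY, password TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("A00001", "hunter2"), ("A00002", ";drop table users;")])
    return db


def migrate(db: sqlite3.Connection) -> int:
    """Give every row its own random salt and hash, then erase the plaintext."""
    db.execute("ALTER TABLE users ADD COLUMN salt BLOB")
    db.execute("ALTER TABLE users ADD COLUMN pw_hash BLOB")
    rows = db.execute("SELECT member, password FROM users").fetchall()
    for member, password in rows:
        salt = secrets.token_bytes(16)
        # Bound parameters keep any password text out of the SQL statement itself.
        db.execute("UPDATE users SET salt = ?, pw_hash = ?, password = NULL "
                   "WHERE member = ?", (salt, hash_password(password, salt), member))
    db.commit()
    return len(rows)


def verify(db: sqlite3.Connection, member: str, password: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    row = db.execute("SELECT salt, pw_hash FROM users WHERE member = ?",
                     (member,)).fetchone()
    if row is None:
        return False
    return hmac.compare_digest(hash_password(password, row[0]), row[1])


if __name__ == "__main__":
    db = open_legacy_db()
    print("migrated rows:", migrate(db))
    print("correct password accepted:", verify(db, "A00001", "hunter2"))
    print("wrong password rejected:", not verify(db, "A00001", "hunter3"))
```

Setting the old column to NULL clears the live table only; copies of the plaintext in backups or exports have to be dealt with separately.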


Like I said, The ED is responsible, the board needs to make the change.


Doesn't matter who and when.

It may not matter to you but it does to me, because it seems indicative of one of the major issues that I see affecting this organization.

From my perspective USPSA is being run the same way now as it was many years ago. It appears that processes/tools are implemented and then never maintained, the sport and the whole world is changing but USPSA seems to be operating as if it's stuck in the 1980's.


Doesn't matter who and when.

It may not matter to you but it does to me, because it seems indicative of one of the major issues that I see affecting this organization.

From my perspective USPSA is being run the same way now as it was many years ago. It appears that processes/tools are implemented and then never maintained, the sport and the whole world is changing but USPSA seems to be operating as if it's stuck in the 1980's.

You can request that pastebin remove the content by creating an account and reporting abuse from that page or by emailing admin@pastebin.com with the request. More info here http://pastebin.com/contact

There are unlikely already hundreds or thousands of copies of this in bad guys' hands and nothing stops them from posting it again in pastebin or elsewhere but I agree that someone should request that it come down.


Doesn't matter who and when. What matters is the ED is responsible. The buck stops at the top person

It does matter. I want to know if someone actually got paid for that crap. Even if they didn't, that person should never be allowed to write a single line of code or HTML for USPSA (or anyone) again.


This happening doesn't really surprise me. My two cents, but USPSA has a problem with where they are at now as an organization. We started as a volunteer organization and the huge amount of work needed to make the organization work is still done by volunteers. RO's, Match Directors, set up and tear down crews, Area Directors, Section Coordinators etc. The problem, again just my view, is that USPSA relies too heavily on volunteers for some critical things they shouldn't. Much of our IT was done on a volunteer basis by Rob Boudrie and others. As much as I like Rob (and I don't believe he is in any way responsible for the password issue) there are certain things you really need to pay for and maintain control over. Holding up a 40K project for almost a year while waiting for a volunteer to finish his part of the job is no way to run a business. Having people with attitudes that do nothing to promote USPSA and in fact drive members away, but excusing their conduct because they volunteer their time is no way to run a business. For that matter, having paid employees that are not fulfilling their obligations or are not the best people to have in those positions, but excusing it because they are our friends or are part of the "USPSA Family" is a sure way to run any business into the ground. I think that's the rub. There are more members on the BOD that don't think USPSA is a business and still treat it like it is a volunteer based organization. Until that paradigm shifts and people are held accountable for their missteps instead of being excused because they didn't charge us anything for their screw up, or because we like her as a person, screw ups will continue. Why would anyone expect anything different unless something changes?


This makes things interesting... [image: breach_zps5b333b93.jpg]

In April 2012, I told a few USPSA higher highers that I was concerned about the EZWinScore/classifier database "security" because there were state employees who wanted access to our EZWinScore laptop.

Maybe they could download all the then current 20,000 active USPSA members' names and addresses. I really don't know.

Long story short, the USPSA higher highers blew me off with a reply like "Pfffttt....who would ever want that data!? Ha! Ha!"

Then the state employee(s) who asked for the scoring laptop replaced me as Match Director.

I haven't shot a match since April 2012.

Just to put things into perspective or context, just the year before, IL AG Lisa Madigan got in a big fight with the Illinois State Police over the FOID card database. She was planning on publishing all the FOID card holders' names and addresses in the Chicago Tribune.


This happening doesn't really surprise me. My two cents, but USPSA has a problem with where they are at now as an organization. We started as a volunteer organization and the huge amount of work needed to make the organization work is still done by volunteers.

This just reinforces the post that I made about it being run as if it were the 1980's. USPSA should control the data within our databases, such as classifiers, membership etc, but the framework (the database model itself) has to be handled by professionals, there are too many bad people out there that delight in hacking into things and publishing data. The same applies to the web-site, USPSA can provide the information for the web-site but its design and maintenance should be done by professionals.

This is what I believe happened with Front Sight magazine. USPSA edits the articles, provides the advertisements and photographs and then sends all that data to a professional firm that performs the layout and publishing. That same methodology should be used for the IT side of the organization.

It drives me crazy sometimes... None of the issues facing USPSA are that complex, they could be fixed with the right skills.
