Welcome to the Temple of Kraden! This site is a message board all about the Golden Sun games and the best character in them, Kraden the sage. By registering, you'll be joining an active and fun-loving community that is always hopping.
If you're a new member, some things about the Temple can be daunting. What's a clan? What's a tribe? Why are all these people joking about incest? Well, clans are elemental usergroups that you can choose to be affiliated with. They are based on the elements in the Golden Sun games, but we have two extra elements here. You can also choose to remain clanless. Tribes are smaller groups that are focuses around concepts like rock music or ducks and pie. And as for Incest (it's capitalized), well, it's one of those running jokes. Don't worry, though. Members will be falling over themselves to explain it to you. When you sign up, just concentrate on diving into the discussions and enjoying yourself. Everything else will come with time.
If you're still confused or have questions, just contact a staff member.
Posted by Kentington - 11-14-09 08:15 - 53 comments
Pre-emptive tl;dr: Change your passwords. Yes, really.
Given the rate at which miscreants try to destroy the Temple, I'm sure the TurdJr. saga must seem like old news to many of you now; however, I assure you that my investigation is ongoing. There are certain aspects of the incident that I don't feel ready to make public yet as I am still not 100% sure of TurdJr's identity, and this incomplete knowledge would no doubt inspire some of our more conspiratorially-inclined members. Nevertheless, a synopsis of the latest hacking:
Last Thursday, cookies were stolen. This would have been an unremarkable occurrence except that in addition to Kharybdose's account placing the cookiemonster script in her signature (after enabling HTML using the admin CP) it appears to have been inserted into the board wrapper itself, judging by how the admin logs show her account having been used to edit the wrapper. This would explain how she acquired my cookie; the relevance of this fact will soon become apparent. None of this was noticed immediately. The Kraden account also has several personal messages from her account send during this time period, indicating that the account's user (who was almost certainly not Kharybdose herself) tried to obtain Kraden's password in this manner; however, thanks to our paranoia from previous hacking incidents (no, I will not share with you exactly how long we have decided to make the root password), it's safe to say that this proved fruitless.
At this point, the hacker had access to several of our passwords' md5 hashes. A note about password cracking; short of a successful dictionary attack, trying to crack a password over 8 ASCII characters long is not feasible with ordinary computing resources. It is here that I confess my role in all this; after all the recent incidents and the resulting password changes, I was lazy enough to use one exactly eight digits in length. Since my memory is so fallible, I tend to use permutations of the same word with numbers and symbols judiciously inserted for all my online activities; once the hacker compromised my password (I don't know if any other admins were affected; since nothing was done with my account, I assume he was looking for an alias to use to trick Saturos into giving up the root account) he also had, with a bit of work, access to my Gmail, Facebook, and MSN Messenger accounts. (What he did with them is my personal headache and none of your business, except see below.)
Apparently taking a page from Gimmick's book (though she claims to not have been involved), the hacker used my Facebook and MSN accounts to pass a malicious bit of javascript onto Satty; by claiming that it would disable a scripting trap that the hacker had laid in the admin CP (false, since user HTML can't be displayed in the ACP), he apparently managed to steal Kraden's admin session. Since IF, for some idiotic reason, does not validate IP addresses in the admin console, he was then able to change Kraden's password, and we all know what occurred from then on.
During the IM conversation, TurdJr apparently dropped some revealing information; he'd had "contact" with Kharybdose in the form of driving several hundred miles to satisfy her scat fetish (yes, her. I was willing to respect her privacy and lie for her when she was still ostensibly our ally, but not anymore. She's female) and had been given control of her admin account (which, if you'll recall, was created as part of her condition for helping us back during the Bakkanal incident). As interestingly, he confessed to being Mr. Nothing and responsible for the previous incident. He also mentioned that Kharybdose's name was Eileen, but a search of Facebook (by Satty) and the student directory (by me) brought up nobody who matched the known facts or face, so I'm certain he was lying. He may have revealed additional information, but you'd have to ask Satty. Besides, I have reason to suspect that just about everything he said other than his confession was a lie. All that can be known for certain is that he had some sort of contact with Kharybdose.
I don't need to remind anyone of what happened next on the forum end; epic countertrolling was epic. On my end, throughout the weekend (after my physics GRE, of course), I checked all the usual avenues of attack and came up empty. Besides the impregnability of IF itself (he'd been clever enough to re-disable HTML), his ymail account was not susceptible, nor could I glean a password from another source and hope he was lazy enough to use it for everything. I was secretly hoping to regain the root account before he made his appearance (he mentioned to Satty that he had other forums to compromise before unleashing his plans on the ToK), but try as I might, I still couldn't find Khary's exploit. Besides struggling against a backlog of homework, I tried every other approach I could, up to but not including finding Kharybdose herself and smacking the crap out of her.
At this point, we were getting desperate. Surprisingly, the password I'd obtained for Reapist's email account during the first Kharybdose incident still worked. Satty and I hatched an epic plan to email the Bakkanal from his account. Of course they wouldn't be receptive to any offer the Kradenettes might make, not after their humiliation here, but from Reapist... As incentive, I offered knowledge of Khary's scat fetish and said I would present "proof" after the forum was mine; if I didn't, they were free to do what they wanted to "my" (Reapist's) computer and online life. At that point, I would password-reset and use my control over Reapist's account to recover the forums. Nice plan to kill two birds with one stone, but it didn't work; the Bakkanal never responded.
Once "Grim Reapist" showed up, I'm sure you were all as worried as I was. The good news is that nothing was permanently deleted, since such an act would no doubt attract the attention of InvisionFree; apparently TurdJr guessed that we would report the incident and sent a pre-emptive support ticket telling them that this incident was a misunderstanding resulting from a URL change. At the time, of course, none of us knew this, and so the arrival of Reapist and his "Forum Troll Army" managed to get under our skin in a way that TurdJr himself hadn't. It would later be confirmed that all of these accounts had different IP addresses, but my final successful attack proved that TurdJr was, in fact, masquerading as Reapist. My suspicions were raised when my attempt at uploading a malicious image in the "bumrape" topic was met with a ban; Reapist is nowhere near intelligent enough to suspect that sort of counter-hacking.
This failure gave me an idea, however. I didn't have the ability to upload images to the ToK directly, but when viewing the board's source, I realized that several of the images were linked to from Dracobolt's Photobucket account. After unsuccessfully attempting to contact her, I broke into her account (sorry about that, D-Bolt) and replaced the psynergy stone with a malicious image that successfully nabbed "Reapist"'s cookie. Not only was it an easily-crackable six-letter alphabetical password, but it was shared amongst the Kraden, TurdJr, Grim Reapist, and Captain Skull[radio edit] accounts - proof positive that TurdJr impersonated Reapist when his initial attempts at trolling got him pelted with the online equivalent of rotten fruit. With control over the root account, well, that was that.
A few questions still remain to be answered. Assuming he was lying about the scat fetish - probably a good assumption - how did he contact Kharybdose? How did TurdJr know about Reapist's plans for a Forum Troll Army (I'm guessing Reapist tried to recruit him after seeing his initial trolling?) More interestingly, I have evidence that suggests that TurdJr is a former member of at least one now-defunct Golden Sun community. I'm still investigating and will let you know if anything comes up.
Anyway, assuming that Saturos doesn't give his root admin session to anyone else (don't worry, we all love you anyway), all we have to worry about is this mysterious "Kharybdose Exploit." If I do see her anywhere on campus, some smack is getting laid down, and maybe I'll be able to beat it out of her. >=D
Site Navigation
Help
Search
Members
Calendar
Chat Box
