Bargain Center: discussion, gossip, etc.

WatchTheGuitar
KVRAF
2245 posts since 30 Apr, 2019

Post Sat Aug 01, 2020 1:50 pm

cprompt wrote:
Sat Aug 01, 2020 12:55 pm
Like I say, we don't really know what happened and we may never be told. I sincerely hope Uncle E makes a full recovery from this and learns how to host his store-front better next time so he never experiences a repeat of this disaster.
Agreed. We have disaster recovery servers at my place and have to test the DR backups every few months to ensure we can restore our databases to the last night's backup ASAP. It's in a completely different location in case our building burns down or, as happened once, someone working on the road outside decides to cut through all our internet cables and force us offline for a few days.

Forcing yourself to go through the motions of a full restore on a test instance of your production server every once in a while is a great way to ensure you can roll back if tragedy strikes.

I'm glad Uncle E actually responded and seems OK, but nothing in that response puts my mind completely at rest about his business so I'll hang back and let other people be guinea pigs for a month or two while he sorts out trying to restore accounts.

I remember someone I used to work with telling me how, when they worked in IT as a contractor and were approached to restore Small Company X's database, they arrived at the company and were told "we back up nightly, but the database is corrupted today and we can't find last night's files".
Asked how long the backup procedure took, he was told "almost instantaneous".
He asked this guy to demonstrate what he did each night, and the guy double-clicked the backup application shortcut, then a dialog box appeared that said something like "No drive found, please reconfigure". Then he dismissed the dialog and said "Yeah, it's been saying that for two years, since we did the database upgrade, but it seems to be OK afterwards".
They also had no backup younger than 2 years old.

MasterTuner
KVRist
284 posts since 30 May, 2018

Post Sat Aug 01, 2020 2:13 pm

If JRR has had a website crash, then OK, but if it's a data breach, then users with accounts need to know there's been a hack so they can contemplate changing their passwords. Is it simply a crash or a breach?
Reaper (win), i7-7700k, 16GB

kidslow
KVRist
201 posts since 26 Aug, 2019

Post Sat Aug 01, 2020 2:49 pm

Two lessons here that I would impress on everyone reading this, regardless of whether JRR is down due to a hack or their db corrupted from load and the backup was ancient.

1. The IT guys understand this first one. You do NOT have a reliable backup until you've tested a restore from your backup. End of story!

2. Always use a unique password for every web site. No ifs, ands, or buts. I have worked as a penetration tester, and from my observations some of the sites I've dealt with in the audio world are not locked down all too well. Assume that your password for any given website may end up traded on the dark web for fractions of a penny. How many of you would have your KVR passwords exposed if your JRR password was compromised? I bet more than two.

Depending on the geography and the industry, some businesses who have been hacked are ethically (if not legally or contractually) obligated to disclose whether your data has been compromised because they were hacked. I don't know if JRR falls under this, but I will take Uncle E at his word and he is probably more frustrated than any of the rest of you.
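The restore drill WatchTheGuitar describes above (and lesson 1 in the post just above this) boils down to three checks that a script can run every time: the newest backup is not stale, it actually restores into a scratch instance, and what comes out matches what went in. The following is an added illustration written for this thread, not code from JRR, KVR, or anyone in the thread. It uses an in-memory SQLite database as a stand-in for a production store, a constructed sample dataset, and an assumed two-day freshness policy; the "no drive found for two years" story in the earlier post is the case the age check is meant to catch.

```python
"""Restore drill for a SQLite-backed application (added illustration, constructed data)."""
import hashlib
import sqlite3
import time

# Assumed policy: the drill fails if the newest backup is older than this.
MAX_BACKUP_AGE_SECONDS = 2 * 24 * 3600


def build_production_db():
    """Constructed stand-in for the live database."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE customers(id INTEGER PRIMARY KEY, email TEXT NOT NULL, balance_cents INTEGER NOT NULL);
        INSERT INTO customers(email, balance_cents)
            VALUES ('a@example.com', 1250), ('b@example.com', 0), ('c@example.com', 99900);
        CREATE TABLE orders(id INTEGER PRIMARY KEY, customer_id INTEGER NOT NULL, sku TEXT NOT NULL);
        INSERT INTO orders(customer_id, sku) VALUES (1, 'HG-2'), (3, 'HG-2'), (3, 'KNIF');
    """)
    return conn


def take_backup(conn, taken_at):
    """Logical backup: the SQL dump text plus the time it was taken (a hypothetical format)."""
    return {"taken_at": taken_at, "sql": "\n".join(conn.iterdump())}


def fingerprint(conn):
    """Deterministic digest over every table's rows, so a restore can be compared to its source."""
    h = hashlib.sha256()
    tables = [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type='table' ORDER BY name")]
    for table in tables:
        h.update(table.encode())
        for row in conn.execute(f'SELECT * FROM "{table}" ORDER BY 1'):
            h.update(repr(row).encode())
    return h.hexdigest()


def restore_drill(backup, expected_fingerprint, now):
    """Restore the backup into a scratch database and verify it.

    Returns (ok, findings). Any finding fails the drill; a backup you cannot
    restore and verify is not a backup.
    """
    findings = []
    age = now - backup["taken_at"]
    if age > MAX_BACKUP_AGE_SECONDS:
        findings.append(f"newest backup is {age / 86400:.1f} days old "
                        f"(limit {MAX_BACKUP_AGE_SECONDS / 86400:.0f} days)")
    scratch = sqlite3.connect(":memory:")
    try:
        scratch.executescript(backup["sql"])
    except sqlite3.Error as exc:
        findings.append(f"restore failed: {exc}")
        return False, findings
    integrity = scratch.execute("PRAGMA integrity_check").fetchone()[0]
    if integrity != "ok":
        findings.append(f"integrity_check: {integrity}")
    if fingerprint(scratch) != expected_fingerprint:
        findings.append("restored data does not match the source fingerprint")
    return not findings, findings


if __name__ == "__main__":
    prod = build_production_db()
    source_fp = fingerprint(prod)
    now = time.time()
    for label, backup in [("fresh", take_backup(prod, now - 3600)),
                          ("two years old", take_backup(prod, now - 2 * 365 * 86400))]:
        ok, findings = restore_drill(backup, source_fp, now)
        print(f"{label}: {'PASS' if ok else 'FAIL'} {findings}")
```

In practice the dump would come from whatever your database's native backup tool produces and the scratch target would be a throwaway server rather than `:memory:`, but the shape is the same: the drill has to fail loudly on a stale, unreadable or mismatched backup, rather than a dialog someone dismisses every night.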

simmo75
KVRAF
2166 posts since 25 Mar, 2016 from Seattle

Post Sat Aug 01, 2020 2:50 pm

MasterTuner wrote:
Sat Aug 01, 2020 2:13 pm
If JRR has had a website crash, then OK, but if its a data breach, then users with accounts need to know there's been a hack so they can contemplate changing their passwords. Is it simply a crash or breach?
I'm thinking that JRR being a reputable music store, they probably thought of that.

MasterTuner
KVRist
284 posts since 30 May, 2018

Post Sat Aug 01, 2020 3:02 pm

kidslow wrote:
Sat Aug 01, 2020 2:49 pm
I have worked as a penetration tester, and from my observations some of the sites I've dealt with in the audio world are not locked down all too well. Assume that your password for any given website may end up traded on the dark web for fractions of a penny.
SQL passwords are stored encrypted, aren't they? My JRR password is 15 chars long. If it's encrypted, that's a lot of time to crack that. If it's non-encrypted text, I might have to look seriously at changing passwords. I use a unique password for every site, but it's actually the same one with variations based on the site I am on, if you know what I mean.
Anyway... didn't want to get off onto this rabbit trail, so...
Last edited by MasterTuner on Sat Aug 01, 2020 3:20 pm, edited 1 time in total.
Reaper (win), i7-7700k, 16GB

sqigls
KVRAF
4360 posts since 25 Dec, 2004 from Melbourne, Australia

Post Sat Aug 01, 2020 3:20 pm

best to not fill the bargains chat with speculation.
there's a 'JRR shop' thread here, and Uncle E is active...

viewtopic.php?f=1&t=549392

kidslow
KVRist
201 posts since 26 Aug, 2019

Post Sat Aug 01, 2020 3:35 pm

MasterTuner wrote:
Sat Aug 01, 2020 3:02 pm
SQL passwords are stored encrypted aren't they?
Depends on the architecture of the site. No way of knowing without seeing how they've set it up, underneath the kimono if you will. There is one certain way you can know that your password is NOT encrypted -- If you are emailed the password in plaintext. If it's properly encrypted, there should be no means for them to do that. The more secure sites will email you a link to change your password.
MasterTuner wrote:
Sat Aug 01, 2020 3:02 pm
I use a unique password for every site, but its actually the same one with variations based on the site I am on, if you know what I mean.
Unless you are the specific target of a nation state level hack, think Jamal Khashoggi and the Saudis, then your method is completely safe. Even with a password manager, if you're like me, a complex password can get transformed between chair and keyboard, so using themes is one way to commit it to short term memory long enough to get it input. Or you use a password manager like lastpass that does the work for you ... and trust them to get the security right (which they have failed at repeatedly in the past, YMMV). If you were the target of, for example the NSA or Mossad, then a human could try to obtain multiple decrypted variants of your password and look for patterns in your variations. But most of us are not such targets, at least for now. :borg:

IMHO 99.9% of the risk of a password compromise is having it linked to an ID and re-using the exact same password with the exact same username/email across websites. From what I've learned over the years (reading Brian Krebs among others, and just knowing how the Internet and hacking work) is that compromised passwords end up being collected, curated, and there are these long tables of them (one example prehashed is called a rainbow table). These exist as passwords alone and paired with user IDs. The latter are obviously more valuable. It's far easier to have a unique password per site than it is to have a unique ID, and a unique password affords more security in any event.
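To put the two points above into code, the difference between a site that can e-mail you your password and one that cannot, and why a precomputed ("rainbow") table cracks every user of an unsalted scheme at once, here is an added illustration. It is written for this thread and is not code from JRR, KVR or any poster; the record format, the PBKDF2 iteration count, the token lifetime and the in-memory token store are all assumptions for the example.

```python
"""Salted password hashing and a reset-link flow (added illustration, constructed data)."""
import hashlib
import hmac
import os
import secrets

PBKDF2_ITERATIONS = 600_000       # assumed policy value; tune to your hardware
TOKEN_LIFETIME_SECONDS = 15 * 60  # assumed reset-link lifetime


def unsalted_md5(password):
    """The weak scheme, shown only for contrast: every user with the same password
    gets the same digest, so one precomputed table cracks all of them."""
    return hashlib.md5(password.encode()).hexdigest()


def hash_password(password, salt=None):
    """Per-user random salt plus a slow KDF; the result cannot be reversed,
    which is exactly why a properly built site cannot e-mail your password back."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"  # assumed record format


def verify_password(password, stored):
    """Recompute with the stored salt and compare in constant time."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def issue_reset_token(store, user_id, now):
    """The 'e-mail you a link' method: return the secret for the link, keep only
    its hash server-side so a leaked store does not yield usable links."""
    token = secrets.token_urlsafe(32)
    store[hashlib.sha256(token.encode()).hexdigest()] = {
        "user": user_id, "expires": now + TOKEN_LIFETIME_SECONDS}
    return token


def redeem_reset_token(store, token, now):
    """Single use and time limited; returns the user id or None."""
    entry = store.pop(hashlib.sha256(token.encode()).hexdigest(), None)
    if entry is None or now > entry["expires"]:
        return None
    return entry["user"]


if __name__ == "__main__":
    # Two constructed users who chose the same password.
    print("unsalted, user A:", unsalted_md5("correct horse"))
    print("unsalted, user B:", unsalted_md5("correct horse"))   # identical: one table cracks both
    a, b = hash_password("correct horse"), hash_password("correct horse")
    print("salted,   user A:", a)
    print("salted,   user B:", b)                                # different: no shared table
    print("verify A:", verify_password("correct horse", a))
    tokens = {}
    link_secret = issue_reset_token(tokens, "user-a", now=0.0)
    print("reset redeemed for:", redeem_reset_token(tokens, link_secret, now=60.0))
```

The salt does not help a user who reuses one password across sites: once a breach of any site yields the plaintext (by cracking or because it was never hashed), the password plus e-mail pair works wherever it was reused. That is the per-site-unique-password point from the post above, and it holds whether or not the leaked site hashed properly.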

c_voltage
KVRAF
1698 posts since 16 May, 2004 from Soviet Union

Post Sat Aug 01, 2020 3:40 pm

sqigls wrote:
Sat Aug 01, 2020 3:20 pm
best to not fill the bargains chat with speculation.
there's a 'JRR shop' thread here, and Uncle E is active...

viewtopic.php?f=1&t=549392
Oh, I forgot about this thread, thanks for the reminder.

monomox
KVRist
401 posts since 27 Nov, 2017 from CO, USA

Post Sat Aug 01, 2020 5:46 pm

sqigls wrote:
Sat Aug 01, 2020 3:20 pm
best to not fill the bargains chat with speculation not related to bargains.
fixed it for you
:wink: :hihi: :clown:

VitaminD
Pick Me Pick me!
8890 posts since 12 Mar, 2002 from a state of confusion

Post Sat Aug 01, 2020 7:39 pm

sqigls wrote:
Sat Aug 01, 2020 3:20 pm
best to not fill the bargains chat with speculation.
there's a 'JRR shop' thread here, and Uncle E is active...

viewtopic.php?f=1&t=549392
Considering how he's embedded himself in the Bargains chat threads as an extension of his business, it makes sense to discuss it here.

telecode
KVRAF
1935 posts since 24 Mar, 2015 from Toronto, Canada

Post Sat Aug 01, 2020 8:08 pm

kidslow wrote:
Sat Aug 01, 2020 2:49 pm
Two lessons here that I would impress on everyone reading this, regardless of whether JRR is down due to a hack or their db corrupted from load and the backup was ancient.

1. The IT guys understand this first one. You do NOT have a reliable backup until you've tested a restore from your backup. End of story!

2. Always use a unique password for every web site. No ifs, ands, or buts. I have worked as a penetration tester, and from my observations some of the sites I've dealt with in the audio world are not locked down all too well. Assume that your password for any given website may end up traded on the dark web for fractions of a penny. How many of you would have your KVR passwords exposed if your JRR password was compromised? I bet more than two.

Depending on the geography and the industry, some businesses who have been hacked are ethically (if not legally or contractually) obligated to disclose whether your data has been compromised because they were hacked. I don't know if JRR falls under this, but I will take Uncle E at his word and he is probably more frustrated than any of the rest of you.
Those are all industry standard practices. But as we all know, what the books state and how it's done in real life are totally different things. No one knows what happened or the state of their IT setup. I am in IT. I used to do consulting a long time ago. You would be amazed how many high profile, pretty high revenue companies run a pretty sloppy ship and don't test backups. It's one thing to be in a startup where they all care about perfect tech. It's another to be in a car factory where all they care about is metal and machines. I say wait to see how JRR comes back. I hear people are able to log in. So odds are, they had to restore, and they couldn't use a recent restore, so wound up using an old one.

Gamma-UT
KVRAF
5783 posts since 8 Jun, 2009 from UK

Post Sat Aug 01, 2020 10:45 pm

kidslow wrote:
Sat Aug 01, 2020 3:35 pm
There is one certain way you can know that your password is NOT encrypted -- If you are emailed the password in plaintext. If it's properly encrypted, there should be no means for them to do that. The more secure sites will email you a link to change your password.
That's not necessarily true. In older versions, WordPress used to email an automatically generated password on account creation in plaintext but hash the password it then stored in the database. However, for later changes, it would use the magic-link method.

Ploki
KVRAF
2462 posts since 17 Dec, 2009

Post Sun Aug 02, 2020 1:15 am

2020-08-25-2MJ8A
USED
Last edited by Ploki on Sun Aug 02, 2020 3:40 pm, edited 1 time in total.

LoveEnigma18
KVRAF
2435 posts since 12 Jan, 2018

Post Sun Aug 02, 2020 1:16 am

Black Box Analog Design HG-2

A professional analog mastering desk in your box, easy to use.
Now YOU can master your own music!
PA subscribers will get it. ;)
Never imagined we would get to play with toys in adulthood. :)

El°HYM
KVRist
434 posts since 21 Nov, 2015

Post Sun Aug 02, 2020 2:43 am

The #hardware version of the HG2 automatically masters YOUR Track; while brewing up a fresh cup of coffee with your new midi - coffee - machine. :tu:

@Ploki you will regret this when the Knifforium first gets an update &
then goes on sale for $25 at the end of this month. :arrow: :D
The art of knowing is knowing what to ignore.
