BlackHatCrew - Elite Blackhat SEO Webmaster Forum
 

#1 - poto (splogtastic), 10-28-2007, 05:21 PM
rumors of a NATS exploit

so far it's just rumors...

but as I hear it some threads were deleted on other boards... and the NATS people are trying to do damage control now, saying it was pure misinformation...

but maybe somebody at last found an XSS exploit with NATS?? who knows...

if I find out anything more I'll post it... anything real juicy will go in the private forums tho...

and if you hear anything or have any more info on this please do share it with me

#2 - pussyluver (member), 10-29-2007, 01:20 AM

Quote:
Originally Posted by poto
so far it's just rumors...

but as I hear it some threads were deleted on other boards... and the NATS people are trying to do damage control now, saying it was pure misinformation...

but maybe somebody at last found an XSS exploit with NATS?? who knows...

if I find out anything more I'll post it... anything real juicy will go in the private forums tho...

and if you hear anything or have any more info on this please do share it with me

All that XSS exploit stuff and its prevention gets pretty techie fast. Helps to know python. Plus not familiar with NATs security architecture (like they're gonna draw a map...).

Anyone know of a good reference on "Avoiding Exploits for Dummies"? I find tons of articles, white papers and info in general with google searches. All together it gives me a fucking headache.

#3 - poto (splogtastic), 10-29-2007, 02:58 AM

rumors so far are that this is a security exploit...

admin passwords may have been compromised...

more details to come if I learn anything new...


Quote:
Originally Posted by pussyluver
All that XSS exploit stuff and its prevention gets pretty techie fast. Helps to know python. Plus not familiar with NATs security architecture (like they're gonna draw a map...).

Anyone know of a good reference on "Avoiding Exploits for Dummies"? I find tons of articles, white papers and info in general with google searches. All together it gives me a fucking headache.
there's a white paper on XSS exploits in the private forums... worth a read if you've got some free time...

mostly it's script issues that cause these vulnerabilities... it does take some knowledge of code... of which I am slowly learning... just wish I had more time to dig deeper into it...

for those reading this that don't know what we're talking about guess I should explain a bit... basically, XSS means cross site scripting... so, it's being able to run code on one site from another site... an example would be an auto-Digg submission, like the script posted in the private area... you load a script in a hidden frame that runs code to auto-Digg a selected story of your choice... all of which happens without the surfer knowing what's going on... of course the surfers have to be logged into Digg to make it work... but the same concept can be used for lots of form submissions and other nefarious things...

basically just try to run scripts that you know are solid... stuff like joomla I don't trust cuz it just looks like it has way too many security issues, at least it did the last time I did a joomla install to play with it... you can have issues with any script really... but if you stay on top of it and try to patch the known holes, you should be ok...

I think the more attention/traffic you get the bigger a target your sites become for h@X0rZ... imho, it just comes with the territory...
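The hidden-frame auto-submission poto describes above works because the surfer's browser attaches its Digg session cookie to whatever request the frame fires off; the page that serves the form never learns that the request came from somewhere else. The standard server-side defences are a per-session anti-forgery token (a foreign page cannot read it, so it cannot include it), a check that any Origin or Referer header names the site itself, and escaping of user-supplied text so injected markup (XSS proper) is displayed rather than executed. The Python below is an added example written for this thread, not code from the post, from NATS or from Digg; the session dict, form fields, headers, the `csrf_token` field name and the `vote.example.test` origin are constructed stand-ins.

```python
import hmac
import html
import secrets
from urllib.parse import urlparse

# Name of the hidden form field / session key carrying the anti-forgery token
# (a constructed name for this example, not a NATS or Digg identifier).
CSRF_FIELD = "csrf_token"


def escape_for_html(user_text: str) -> str:
    """Escape user-supplied text before embedding it in an HTML body or attribute.

    Core XSS mitigation: '<', '>', '&' and both quote characters become
    entities, so injected markup is shown as text instead of being executed.
    """
    return html.escape(user_text, quote=True)


def render_comment(author: str, body: str) -> str:
    """Build an HTML fragment with every user-controlled value escaped."""
    return f'<p class="comment" data-author="{escape_for_html(author)}">{escape_for_html(body)}</p>'


def issue_csrf_token(session: dict) -> str:
    """Create a random token, keep it in the server-side session, and return it
    so the site's own pages can embed it in their forms. A page on another
    origin has no way to read it, which is what breaks the hidden-frame trick."""
    token = secrets.token_urlsafe(32)
    session[CSRF_FIELD] = token
    return token


def same_origin(url: str, site_origin: str) -> bool:
    """True if scheme://host[:port] of `url` equals the site's own origin."""
    parsed = urlparse(url)
    return f"{parsed.scheme}://{parsed.netloc}" == site_origin


def request_is_authorized(session: dict, form_fields: dict, headers: dict, site_origin: str) -> bool:
    """Decide whether a state-changing POST (a vote, a form submission) may proceed.

    Two independent checks, both of which a request forged from a hidden frame fails:
      1. the submitted token must equal the one stored in the session
         (constant-time comparison so timing does not leak the token);
      2. if the browser sent an Origin or Referer header, it must name our own site.
    """
    expected = session.get(CSRF_FIELD)
    supplied = form_fields.get(CSRF_FIELD, "")
    if not expected or not hmac.compare_digest(expected.encode(), supplied.encode()):
        return False

    source = headers.get("Origin") or headers.get("Referer")
    if source is not None and not same_origin(source, site_origin):
        return False
    return True


def demo() -> dict:
    """Walk through a genuine vote, a forged one and an escaped comment; return the outcomes."""
    site = "https://vote.example.test"          # constructed origin
    session = {"user": "surfer42"}              # constructed logged-in session
    token = issue_csrf_token(session)

    # Genuine submission from the site's own page: token present, Origin matches.
    genuine = request_is_authorized(
        session, {"story": "1234", CSRF_FIELD: token}, {"Origin": site}, site,
    )
    # Hidden-frame submission from elsewhere: the session cookie rides along,
    # but the foreign page cannot know the token and its Referer names itself.
    forged = request_is_authorized(
        session, {"story": "1234"}, {"Referer": "https://other-site.test/frame.html"}, site,
    )
    # Stored text that tries to inject markup is rendered inert.
    rendered = render_comment("anon", "<script>alert(1)</script>")
    return {"genuine": genuine, "forged": forged, "rendered": rendered}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The token check is the one that matters; the Origin/Referer check is a cheap second layer that also catches a submission that somehow carries a valid token from the wrong site, and it is deliberately skipped when the browser sends neither header rather than rejecting legitimate users behind privacy proxies.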

#4 - pussyluver (member), 10-29-2007, 03:16 AM

Here's the Wikipedia link (not bad intro): Cross-site scripting - Wikipedia, the free encyclopedia

Haven't been in the private area in days. My bad cause I need the info.

#5 - poto (splogtastic), 10-29-2007, 03:27 AM

Quote:
Originally Posted by pussyluver
Here's the Wikipedia link (not bad intro): Cross-site scripting - Wikipedia, the free encyclopedia

Haven't been in the private area in days. My bad cause I need the info.
you should check the private area more often... I'm still working on adding a bunch of stuff there... could use some more input on some of it...

#6 - pussyluver (member), 10-29-2007, 03:31 AM

Quote:
Originally Posted by poto
rumors so far are that this is a security exploit...

admin passwords may have been compromised...

more details to come if I learn anything new...

there's a white paper on XSS exploits in the private forums... worth a read if you've got some free time...

mostly it's script issues that cause these vulnerabilities... it does take some knowledge of code... of which I am slowly learning... just wish I had more time to dig deeper into it...

for those reading this that don't know what we're talking about guess I should explain a bit... basically, XSS means cross site scripting... so, it's being able to run code on one site from another site... an example would be an auto-Digg submission, like the script posted in the private area... you load a script in a hidden frame that runs code to auto-Digg a selected story of your choice... all of which happens without the surfer knowing what's going on... of course the surfers have to be logged into Digg to make it work... but the same concept can be used for lots of form submissions and other nefarious things...

basically just try to run scripts that you know are solid... stuff like joomla I don't trust cuz it just looks like it has way too many security issues, at least it did the last time I did a joomla install to play with it... you can have issues with any script really... but if you stay on top of it and try to patch the known holes, you should be ok...

I think the more attention/traffic you get the bigger a target your sites become for h@X0rZ... imho, it just comes with the territory...
A ton of tech knowledge to catch up on. My traffic is growing. Maybe it is getting close to getting some tech support. I grew up on Fortran, Cobol, Basic, QBasic, Snobol, PL/I, Univac assembler....... So you go to school today and you start with javascript, perl, visual basic, object oriented programs etc.

It is becoming abundantly clear that unless you really, really know a trading partner, it's not worth the risk. I am positive that some are ripping me. Now when I review galleries for the one real TGP I have, I look at the source code. Anything I don't understand gets rejected.

#7 - pussyluver (member), 10-29-2007, 03:34 AM

Quote:
Originally Posted by poto
you should check the private area more often... I'm still working on adding a bunch of stuff there... could use some more input on some of it...
I will cut some time out for that!!! Important. Appreciate the effort you're doing there. Actually saves time from hitting the SEs and reading forums with a ton of fluff.

#8 - poto (splogtastic), 10-29-2007, 04:03 AM

Quote:
Originally Posted by pussyluver
A ton of tech knowledge to catch up on. My traffic is growing. Maybe it is getting close to getting some tech support. I grew up on Fortran, Cobol, Basic, QBasic, Snobol, PL/I, Univac assembler....... So you go to school today and you start with javascript, perl, visual basic, object oriented programs etc.

It is becoming abundantly clear that unless you really, really know a trading partner, it's not worth the risk. I am positive that some are ripping me. Now when I review galleries for the one real TGP I have, I look at the source code. Anything I don't understand gets rejected.
heh, yea I guess if you're banking enough it's time to expand... tho, I like running things lean and mean... doing things myself...

as for trading partners... I'm really glad I never opened my network to trades... one less thing to worry about... might have generated more hits early on, but I wonder what it would have cost me... sometimes I think I just worry too much, but then I read up about the spyware and fake codec installs, meh...

Quote:
Originally Posted by pussyluver
I will cut some time out for that!!! Important. Appreciate the effort you're doing there. Actually saves time from hitting the SEs and reading forums with a ton of fluff.
cool... of course a lot of stuff posted in there isn't in the SEs... some of it I grabbed from other private forums

plus, a lot of the good info by the time it makes it to the public is too spammed out to be of much use...

#9 - poto (splogtastic), 12-22-2007, 03:46 PM

to update this thread

I just popped over to gfy and managed to catch a big thread about the NATS exploit/hole...

Paycom or NATS spamming our members? - GFY Webmaster Board

seems the NATS people really dropped the ball since this was known months ago...

nice to know that NATS was basically sitting on their hands this whole time while hackers have been stealing member data and possibly affiliate data too...

I was leaning towards using NATS for a project I have in the works, but after seeing this and those douchebag responses by John I'm going to stay far far away from NATS...

#10 - pussyluver (member), 12-24-2007, 05:36 AM

Time to check all your accounts and change passwords.... then still no guarantees.

Something in what's left of my mind says: "I wonder if statsremote has been compromised too". don't have proof, just some sort of gut karma feeling I heard when I was drinking heavily.

Just interested in comments about how solid all think statsremote is. After all, your passwords are hanging out there potentially.

Post is not intended to slam statsremote. Just point out that a lot of your key data as in user-name/passwords are in one convenient place to hack.

#11 - poto (splogtastic), 12-24-2007, 06:42 AM

Quote:
Originally Posted by pussyluver
Time to check all your accounts and change passwords.... then still no guarantees.

Something in what's left of my mind says: "I wonder if statsremote has been compromised too". don't have proof, just some sort of gut karma feeling I heard when I was drinking heavily.

Just interested in comments about how solid all think statsremote is. After all, your passwords are hanging out there potentially.

Post is not intended to slam statsremote. Just point out that a lot of your key data as in user-name/passwords are in one convenient place to hack.
yea, of course changing your passwords before the hole is fixed might not do much good... from what I understand they were doing regular if not hourly database dumps...

call me paranoid, but I've never trusted statsremote... nothing against them, just never trusted any 3rd party with passwords to anything that makes me money...

#12 - pussyluver (member), 12-24-2007, 05:34 PM

Quote:
Originally Posted by poto
yea, of course changing your passwords before the hole is fixed might not do much good... from what I understand they were doing regular if not hourly database dumps...

call me paranoid, but I've never trusted statsremote... nothing against them, just never trusted any 3rd party with passwords to anything that makes me money...
Agree, still a useful tool. I didn't put all sponsors making money on statsremote as a way to limit risk a bit. Can check those not on statsremote manually. Checking all of them manually would take too long.

#13 - mule (member), 12-24-2007, 07:06 PM

Never signed up for statsremote, I guess because I'm paranoid.
Being swamped by emails from sponsors telling me to change my nats password now, did a quick tally, turns out I'm signed up with over 400 sponsors using nats. Now the suggestion is to use a unique, long, strong password for every sponsor. I think it'll take me a week, plus I'd have to use something like statsremote to keep track of them all. Seriously contemplating suicide or a sex-change.

#14 - poto (splogtastic), 12-25-2007, 04:36 AM

Quote:
Originally Posted by mule
Never signed up for statsremote, I guess because I'm paranoid.
Being swamped by emails from sponsors telling me to change my nats password now, did a quick tally, turns out I'm signed up with over 400 sponsors using nats. Now the suggestion is to use a unique, long, strong password for every sponsor. I think it'll take me a week, plus I'd have to use something like statsremote to keep track of them all. Seriously contemplating suicide or a sex-change.
holy shit... 400 NATS sponsors... daayyyuuuummm, that is a lot...

are you signed up to almost every NATS sponsor out there mang?

#15 - pussyluver (member), 12-26-2007, 09:12 AM

Quote:
Originally Posted by mule
Never signed up for statsremote, I guess because I'm paranoid.
Being swamped by emails from sponsors telling me to change my nats password now, did a quick tally, turns out I'm signed up with over 400 sponsors using nats. Now the suggestion is to use a unique, long, strong password for every sponsor. I think it'll take me a week, plus I'd have to use something like statsremote to keep track of them all. Seriously contemplating suicide or a sex-change.

Suicide is cheaper, less painful and quicker - your call.


Rather have you around to post though.

Oh, the hackers already changed all my passwords.... kidding of course.

#16 - TheButcher (member), 12-30-2007, 05:00 AM

saw a thread or two on another board about this topic but here's my take on this, if you use a third party software then there's always a chance something might go wrong. Surprised some of the really big affiliate programs that do millions of bucks in business a year don't hire a programmer to write a custom program for them, what would it cost $10k-$15K?

#17 - poto (splogtastic), 12-30-2007, 05:21 AM

Quote:
Originally Posted by TheButcher
saw a thread or two on another board about this topic but here's my take on this, if you use a third party software then there's always a chance something might go wrong. Surprised some of the really big affiliate programs that do millions of bucks in business a year don't hire a programmer to write a custom program for them, what would it cost $10k-$15K?
for a custom coded solution you'd be looking at a minimum of $100-200K... just one programmer wouldn't be able to do it, unless you gave him several years to complete it... and a lot of amphetamines...

realistically you'd be looking at a team of programmers... plus months of development with bug fixes and testing... which is why so many opt for a 3rd party solution...

I heard one major program looked into NATS and some of the other 3rd party software but decided to go ahead and write their own custom software instead and dropped a little over $250k on it...

you can't outsource stuff that complicated to the 3rd world for pennies anymore... those days are long gone... you'll end up with half-assed programmers writing buggy code that doesn't work half the time... all the good outsourced programmers are earning wages comparable with US peeps and most have been snapped up by the larger outfits...

it's gotten to the point where some of the software companies are moving their outsourced programming operations back to the US...

#18 - TheButcher (member), 12-30-2007, 05:47 AM

Not to disagree with you Poto but I know the owner of a well known program who hired a fellow in India last year and got his own stats/cascading program written for just under $15K. It took about 9 months in all, I guess the guy writing it was doing it part time as a side job or something.

I'd mention the name of the program but don't want to burn bridges letting everyone know what his program cost, I know he made a big deal about how it was custom and great so don't want to let the cat out the bag.


Isn't CCBill coming out (or beta testing) some sort of cascading billing system now?
Not sure what their new thing is but I did read something about it on one of the adult boards the other day.

#19 - poto (splogtastic), 12-30-2007, 06:23 AM

Quote:
Originally Posted by TheButcher
Not to disagree with you Poto but I know the owner of a well known program who hired a fellow in India last year and got his own stats/cascading program written for just under $15K. It took about 9 months in all, I guess the guy writing it was doing it part time as a side job or something.

I'd mention the name of the program but don't want to burn bridges letting everyone know what his program cost, I know he made a big deal about how it was custom and great so don't want to let the cat out the bag.

Isn't CCBill coming out (or beta testing) some sort of cascading billing system now?
Not sure what their new thing is but I did read something about it on one of the adult boards the other day.
maybe he got lucky and found a good programmer for cheap... if he's done with that programmer I might want to hire him for a project or 2... heh, you wouldn't happen to have that programmer's info?

hasn't CCBill been planning to roll out their own software for a few years now? be great if they finally did come out with something... but I'm not holding my breath...
Powered by vBulletin® Version 3.6.8
Copyright ©2000 - 2008, Jelsoft Enterprises Ltd.