A lot of people have been moving away from MySpace93 after it abruptly closed on June 29th this week, over to SpaceHey, until a new MS93 clone is produced from the old source code. HACKER3000 is currently working on a clone of his own and I've offered to help with the backend if needed, or otherwise, some kind of moderation job.
Janken has finally provided a proper explanation for everything and it not only confirms what I said about him not being a good backend dev, but I personally think it was a sufficient apology and if anything it just makes me feel more sorry for him than disappointed.
Anyway, MySpace93's index.php no longer returns a shutdown message. MySpace93 is kinda sorta maybe back up? But it's frozen, you cannot log in or register. Completely disabled. Your content and fwiends list will still be there as a sort of museum. Here's my page.
Sunday, July 4, 2021 Hello everyone, First of all I would like to apologize in advance because English is not my native language, and I hope that this message will be clearer than the last one. I would like to apologize for coming back to you so late, I have been away from home for the past week and couldn't handle this story the way it should have been handled. I would like to address today all the different communities that gravitate around Windows93 which I have been taking care of daily for more than 7 years. If you are reading these lines, you are probably part of one of these communities. I would like to publicly apologize for my lack of judgment in the initial development of myspace93, as I did not think about encrypting the users' passwords from the start. To be honest, I didn't expect such a huge response to the idea of this site. It was the first time I coded a social network, I naively thought that only a few friends would sign up and that storing the passwords in this way would be enough, knowing that only I knew about the file. At the time it seemed safe enough for a tiny parody site. Afterwards, once the project was in production and with the flow of new members everyday, it was complicated to find the right method but especially the time to encode these sensitive data, it's a critical and very long operation, I had almost finished to do it when tiktok rushes arrived again and again, because of which I had to postpone the operation. In January, some members of the Windows 93 Discord very close to me (mods and trusted) "hacked"(*) an application still in beta (.smash) that I had sent them in private previously to have their opinion about its functioning (it was an experimental program allowing to transform any web page into a platform game) this beta application was absolutely not public. Behind my back and inside a private group chat, these people started to exploit this beta application to display the private files of the server. 
None of them alerted me immediately to what was going on, on the contrary, they created a program to download our entire server, and it was only a week later that another honest user alerted me to the fact that these people were bragging about having the myspace passwords. They didn't want to tell me the truth and it took me two days to get a confession from them: not only had they downloaded all the source files of windows93 behind my back, but also the unencrypted file containing the passwords of more than 45k myspace users. They had also made their download tool available and had documented its use in their group chat. They had also uploaded multiple stolen files (not myspace related) on different platforms. I removed the .smash app from the server and called them to order. They whimpered and promised me on their honor to delete all the stuff and that things would not go any further. I believed them because at the time we were very close, we talked every day and they regularly helped me to manage the community, to fix bugs, sometimes to code new features for windows93 or to make the services more secure, I really trusted them back in the day and considered them part of my team. I blame myself for being so naive. (*) I still don't consider this as a hack, from my point of view these users (mods and trusted) just used a beta app of the site that I had shared with them in private previously and then betrayed my trust. One of these users state that they bruteforced the .smash url, but as I remember clearly having sent them the app before that doesn't change the sincerity of my previous statement. In June, around 1am I was alerted about a myspace user who was doing xss injections on the site. I spent all night patching the site without understanding where the flaw came from, I barely slept 2 hours before leaving for work, it was a terrible day. 
When I came back I spent a second night on this case, looking at the access.log of the site I finally realized that someone else than me was using the admin password of myspace to edit pages and make these xss injections. After a few hours of investigation I learned that not only the myspace codes stolen in january by my own mods had been leaked by some anonymous lamer, but also that several veterans of the community knew about it and that nobody had seen fit to alert me of this dramatic situation. Worse, some had lied to me to cover themselves or their friends, sometimes accusing innocent people. I spent the rest of the night coding a mandatory password change (the sus thing) for accounts from before February 2021 so that they would not be compromised anymore. In relation to my previous statement I would like to remind you that "compromise" means that a third party has access, which was no longer the case. I think it would have been better to warn the concerned users explicitly by email but it was just impossible for me to send so much mails at that moment, and with 2 hours of sleep for 48 hours of drama I really needed to go to sleep, especially since I was leaving early the next morning to go to work for a week far from home and with poor internet. I ran out of time and so again I must apologize, for not having explicitly warned the users at that moment. I'm not a fan of discord and had many problems with the Windows 93 Discord server in the past, but after the January affair, the April one (remember microsoft edge?) and then this June one, I actually realized that I couldn't stand this thing anymore, it was wasting my time, causing me serious problems regularly and giving a bad image of windows93. As I was the owner of this discord server, and I had basically let people promote it around my own trollbox project, I decided to stop it. 
I'm patient by nature, but after so much drama it's just normal to want to cut the ties and move on so I deleted the server in the evening. I apologize for doing it abruptly. After the discord server shutdown it seems that some veterans wanted to get back at me, I guess that's why some lamers appeared to spam all my social services (tb, myspace, /b, etc..) with links to the files stolen in January, including the sources of v1, v2 as well as a collection of obsolete myspace passwords. At that moment, I was away from home to work for a week, with no time to play pseudo hacker with children and no time to deal with a giant myspace drama, so I had to make a quick decision: confess what was going on and pause every social service to prevent the distribution of these files, until I have time to take stock of this case and explain everything to the community. I'm sorry for all the people I've disappointed with my recent mistakes. This is not an excuse but I would like to remind you all that security is not my job at all and that I learned to code in art school. I launched the whole project 7 years ago and was forced to learn security on the job because of the success of the site, I still have a lot to learn. Security is not a field that really interests me and I am naturally more apt to break machines than to secure them. I always presented Windows93 first as a work of art in which I made room for you to express yourself with relative freedom. Windows93 is punk, it's buggy, it's noisy, it's lively, it's creative, it's wild and that's what people come to the site for. Windows93.net is about 450.000 visitors per month, to give you an idea of my daily life since 7 years, I spend between one hour and three hours per day to do the moderation, to secure, to protect the community from predators and to animate the social life of the site (myspace, tb, /b, etc..).
On drama days (which are more and more recurrent with the growth of visitors) it is not rare that I lose a whole day or even my night in the process. In addition to all this, I try to regularly produce new content for the main site (actually I lack of time because of the moderation), all this without ever asking for money, without advertising, without cringe shops and without reselling your data, just because I'm happy to transmit my art and my values to you, to maybe give you the desire to be creative too, and to share cool stuff every day with you. I know that in this world of venality it seems unlikely that some guy would be naive enough to do so many things for strangers on the internet, without asking anything in return, just to try to make people happy, yet this has been my life for the last 7 years. This statement represents my own point of view of these events and I want to admit my faults in good faith. By closing my social services last Monday I just wanted to temporize the situation because of its complexity and of the lack of free time I had to fix things. I realized how little time I have to take care of all of you as I should, mostly because you are too many now. Lovers or haters, your presence is a sign of recognition but it's also a kind of curse sometimes and a source of constant worry for me. It's been great to spend the last few years doing so much for the community but I think I've forgotten myself a bit. I think I need to refocus on me a little bit and on new projects (personal and artistic) because even if I get satisfaction from doing all this, it's become too suffocating now, it's just too much for one person. I decided to leave the community. This means that until further notice the three major social services I'm responsible for will be shutdown: trollbox, /b/ and myspace. Myspace93 will come back online soon but will probably remain frozen for eternity as an online work of art and a css archive.
I still plan to offer to the community the original myspace93 source code and it will come later this month (I want to clean and improve my code a little but I can't right now because of my job irl). Right now I'm sending an email to all the people concerned by the leak and I'm launching the final encryption process in order to never compromise any account again in the future. This does not change the development of windows93 v3 which has just begun and is still scheduled for release in early 2022. See you soon for v3 :) - Janken, aka Stive, aka Bill, aka Tom contact @ windows93 dot net
It bothers me that if he just wanted ms93 to be a small thing for a few people why he even made registration public to begin with, and why he would associate it with a big and popular site like Windows93. Otherwise though I think I'm happy with the way things have turned out, they could've been a hell of a lot worse, and as far as I'm aware Janken seems pretty honest.
Comments
Generic_Dev
It's a shame it closed, it really was great, the good thing is that there is SpaceHey, which I think is 100 times better, although I miss MYSPACEWINDOWS93 :(
Ryan
I'm glad I didn't find any of the modern mySpace clones during the time this one was up. Data security is incredibly important and I am also wondering why you wouldn't consider encrypting passwords from the start if registration was public. It's not very expensive to get simple SSL certificates, iirc. I'm glad SpaceHey seems to be decently encrypted so far.
For sure. MS93 was a disaster.
Not to come off as pedantic, but passwords actually aren't encrypted because then you have issues with encryption keys lying around making the whole system moot. What they do is store hashes of them (generate a mathematically irreversible ID that determines if the password you entered matches the password you have set), and then salt those hashes with a known salt added to the end so that matching passwords aren't cracked together.
MySpace93 had encryption keys for SSL/TLS over the internet and had secure HTTPS, the real issue was that their PHP backend had zero code for hashing the passwords at all. They just had a massive JSON file with every user's login info dumped into it in raw plaintext.
Thing is, you don't need encryption keys to safely secure your passwords on a website. You just need a hashing algorithm, which PHP comes with built-in for this very purpose. Tom didn't do any research on data retention security before building the website and that's why he had these issues.
by bonkmaykr
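How the built-in PHP hashing mentioned in the reply above can replace a plaintext JSON login file, as an added example that is not MySpace93's code or part of the original thread. The record layout, the field names (`password`, `password_hash`) and the helpers `migrate_user_store` and `verify_login` are assumptions made for illustration; `password_hash()` generates a random salt per user and stores it inside the hash string.

```php
<?php
declare(strict_types=1);

// Constructed sample of a plaintext JSON user store (layout and field names are assumptions).
$store = json_decode(
    '{"alice": {"password": "hunter2"}, "bob": {"password": "hunter2"}}',
    true, 512, JSON_THROW_ON_ERROR
);

// Hash of a throwaway value, verified against when the user does not exist.
define('DUMMY_HASH', password_hash(bin2hex(random_bytes(16)), PASSWORD_DEFAULT));

/** Replace each plaintext "password" field with a salted hash (hypothetical helper). */
function migrate_user_store(array $users): array
{
    foreach ($users as $name => $record) {
        if (isset($record['password'])) {
            // A fresh random salt is generated per call and embedded in the result.
            $users[$name]['password_hash'] = password_hash($record['password'], PASSWORD_DEFAULT);
            unset($users[$name]['password']); // plaintext must not survive the migration
        }
    }
    return $users;
}

/** Check a login attempt against the migrated store (hypothetical helper). */
function verify_login(array &$users, string $name, string $attempt): bool
{
    $hash = $users[$name]['password_hash'] ?? null;
    if ($hash === null) {
        password_verify($attempt, DUMMY_HASH); // keep timing similar for unknown users
        return false;
    }
    if (!password_verify($attempt, $hash)) {
        return false;
    }
    // Upgrade the stored hash transparently when PHP's default algorithm or cost changes.
    if (password_needs_rehash($hash, PASSWORD_DEFAULT)) {
        $users[$name]['password_hash'] = password_hash($attempt, PASSWORD_DEFAULT);
    }
    return true;
}

$store = migrate_user_store($store);
// alice and bob chose the same password; the salt keeps their stored hashes from matching.
var_dump($store['alice']['password_hash'] === $store['bob']['password_hash']);
var_dump(verify_login($store, 'alice', 'hunter2'));
var_dump(verify_login($store, 'alice', 'wrong-guess'));
// In a real deployment the migrated array is written back with json_encode() and the old file destroyed.
```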
Ah, thank you for the pointers. I didn't know that HTTPS and hashing didn't go hand-in-hand. Do you know anything about how SpaceHey handles their passwords? If they're encrypted/hashed properly?
by Ryan
No idea. Can't tell 100% without having access to their servers, and that's a no-go. Judging by how much better it's coded on the outside though I would assume so.
by bonkmaykr
That's good to hear at least :)
by Ryan
pamelatodd
There is no longer any need to maintain myspace93 because the majority of its users have moved on to friendproject and spacehey, bubble shooter where they can take advantage of the enhanced functionality and increased safety those sites provide.
this post is over a year old
by bonkmaykr
I never wondered if our data was private, was there any kind of security? Surely yes, but it's true, there are alternatives like SpaceHey that are safer and more functional
by Generic_Dev
cybervenus
Phew, this was quite a read! I think honestly (and this might be an unpopular opinion) myspace93 is better off as a css archive and not a working site anymore. There's already been a huge migration to friendproject and spacehey, and most of myspace93's userbase has already settled in these two platforms, therefore there is no reason to keep myspace93 anymore as these two sites have more features, a more secure system, and now most of the userbase as well. Once people have seen what features spacehey and friendproject have to offer, I doubt they'd want to go back to the quirky limits of myspace93, although many might do so still to reconnect with friends they had on there. Personally, I much prefer spacehey as well because it has a much more mature userbase looking past all the tiktok scenecore kids who have hardly anything to add to the platform other than spam.
100%, for sure. i agree
by bonkmaykr
I think Janken tried to handle the situation honestly and took responsibility. cookie clicker
by StevenEric12