Pages:
Author

Topic: Info about the recent attack - page 8. (Read 52592 times)

legendary
Activity: 1137
Merit: 1001
September 11, 2011, 06:32:05 PM
What does not kill bitcoin will make it stronger.
sr. member
Activity: 392
Merit: 250
September 11, 2011, 04:45:34 PM
I've heard a lot of really unwise suggestions for password management.  A piece of software holding all your passwords or a website or some generator that generated such unmemorable passwords that you have to store them in a text file somewhere are all REALLY bad ideas.  Here's a secure password:

1. make up some long, symbol-inclusive password like Thi$izmypa$$w0rd!mmmk
2. get a fire and flood proof safe/lockbox for like $30
3. write the password on a piece of paper and put it in the safe
4. don't lose the key

Tada, secure password.  A hacker would have to get inside your house to get it, not counting some specific keylogger attack.
donator
Activity: 2352
Merit: 1060
between a rock and a block!
September 11, 2011, 03:55:07 PM
how about some beefed up infrastructure with a good firewall, ids, virus etc... etc...?

no way bitcoin is becoming mainstream until, we (as in all of us, open-source anything lovers), take security seriously.

as long as there's an opportunity to create PR damage to bitcoin, it will be done and the only press and info that mainstream folks hear about bitcoin will be negative.

you can hiss at me, say whatever, i don't give a shit about your negative-all-knowing pontification that is coming at this post....

BUT

bitcoin will become mainstream not because of it's technical wow/genius or libertarian fuck-the-government connotations... whatever the hell you want to insert here... BUT only if there is positive PR and good perception with public.

There ain't enough of us here to make it mainstream.  You tell me what non-technical people, when you ask them about bitcoin, tell you?  I bet it's only the negative crap that has been put out BECAUSE of security lapses with peripheral, supporting, indirect bitcoin related services.  Nobody cares that it's not bitcoin suffering directly.  people do not understand the difference...

So, whenever you all (those who are in position to take security-related actions) take this seriously, then maybe bitcoin will have a shot.

Until then, get your pop corn out, every few weeks we will see another nail put into bitcoin "Security"

control the message, control opinion, perception and ultimately reality.
full member
Activity: 126
Merit: 100
September 11, 2011, 03:49:27 PM
Everyone should use lastpass.com and generate the longest password a site will accept (or just 32 random characters/numbers is sufficient imo) plus save that on lastpass.com

It's too easy and there is no excuse not to do it.

NO!  Everybody should use a long (16+ character) password with mixed upper- and lower-case letters, numerals, and symbols, but SHOULD NOT generate or store that password on lastpass.com or ANY third-party password service.  Use of such a service is placing the security of your information in the hands of a third party.  That's NUTs. 

Instead, use a password vault or a simple GPG-encrypted text file on your own laptop or personal computer, backed up to a CD/DVD or a USB dongle that is kept offsite.  Encrypt that one file with a long passphrase, and do the work to memorize the passphrase.  Voila -- actual security instead of security theater.

(I'm shaking my head at nutty idea that passwords should be entrusted to a third party that you don't even know.) Sad



member
Activity: 111
Merit: 10
September 11, 2011, 03:28:16 PM
I just tried changing my password and it says my current password is wrong.
So I cannot change to a new one now.

Is it likely that passwords were changed on many/most accounts or did you wipe out old ones at some point?

BTW if the hacker still has some fingers in here then forcing us to enter our password for changing would expose the password. So hopefully some script wasn't modified to send passwords to him when an attempt was made to change it...

(Not a big problem for me as all my passwords are different and random 25 char strings)

And also possible that simply logging in sends out your password. Good thing I use junk passwords for forums.
legendary
Activity: 1708
Merit: 1020
September 11, 2011, 03:22:23 PM
I am surprised that everybody here is tossing out PHP-based solutions as alternatives to SMF.  Why not save yourself a ton of security concerns and use a Python-based bulletin board?  There are several reputable, mature, open source products available.  I haven't used any of them personally but most of them use Django, so they would come with great security features out of the box like auto escaping all template content, with which you would not have been vulnerable to the vector used by this attacker.

When you look at OWASP and other security organizations' evaluations of web frameworks, it's amazing how many vulnerabilities are found in PHP-based software, and how few are found in Python-based software.  So if you decide to go with another solution, as opposed to upgrading SMF, why not give a Python-based bulletin board a try?

Specific recommendation: pyForum http://www.pyforum.org/  It's based on web2py framework.  I have used web2py and I highly recommend it.  Migrating from SMF should not be terribly difficult for someone who understands databases.
Which means you're fucked if there's a vulnerability in Django.

Tip: a language is just a language. PHP is a language, Python is a language, and it's ridiculous to even imply that something in a different language would somehow be magically more secure.
no but the freamwork is better for handling fuck-ups. Smiley

+1 to Django   and Python btw

legendary
Activity: 1199
Merit: 1012
September 11, 2011, 02:17:30 PM
no but the freamwork is better for handling fuck-ups. Smiley

php has plenty of frameworks
legendary
Activity: 1050
Merit: 1000
You are WRONG!
September 11, 2011, 02:16:05 PM
I am surprised that everybody here is tossing out PHP-based solutions as alternatives to SMF.  Why not save yourself a ton of security concerns and use a Python-based bulletin board?  There are several reputable, mature, open source products available.  I haven't used any of them personally but most of them use Django, so they would come with great security features out of the box like auto escaping all template content, with which you would not have been vulnerable to the vector used by this attacker.

When you look at OWASP and other security organizations' evaluations of web frameworks, it's amazing how many vulnerabilities are found in PHP-based software, and how few are found in Python-based software.  So if you decide to go with another solution, as opposed to upgrading SMF, why not give a Python-based bulletin board a try?

Specific recommendation: pyForum http://www.pyforum.org/  It's based on web2py framework.  I have used web2py and I highly recommend it.  Migrating from SMF should not be terribly difficult for someone who understands databases.
Which means you're fucked if there's a vulnerability in Django.

Tip: a language is just a language. PHP is a language, Python is a language, and it's ridiculous to even imply that something in a different language would somehow be magically more secure.
no but the freamwork is better for handling fuck-ups. Smiley
sr. member
Activity: 294
Merit: 250
September 11, 2011, 02:02:30 PM
I am surprised that everybody here is tossing out PHP-based solutions as alternatives to SMF.  Why not save yourself a ton of security concerns and use a Python-based bulletin board?  There are several reputable, mature, open source products available.  I haven't used any of them personally but most of them use Django, so they would come with great security features out of the box like auto escaping all template content, with which you would not have been vulnerable to the vector used by this attacker.

When you look at OWASP and other security organizations' evaluations of web frameworks, it's amazing how many vulnerabilities are found in PHP-based software, and how few are found in Python-based software.  So if you decide to go with another solution, as opposed to upgrading SMF, why not give a Python-based bulletin board a try?

Specific recommendation: pyForum http://www.pyforum.org/  It's based on web2py framework.  I have used web2py and I highly recommend it.  Migrating from SMF should not be terribly difficult for someone who understands databases.
Which means you're fucked if there's a vulnerability in Django.

Tip: a language is just a language. PHP is a language, Python is a language, and it's ridiculous to even imply that something in a different language would somehow be magically more secure.
administrator
Activity: 5222
Merit: 13032
September 11, 2011, 01:54:27 PM
I don't know what the problem is with password changes. I tried passwords with many different special characters, and it always works.

Simple Question, besides it's beyond that other things that have been said in this thread.
This one is @theymos directly:
Would it have been so damn hard to take the forum down and insert a little static HTML page, indicating to users that the site was offline and being worked on?

actions like simply taking the forum offline hurt the confidence of people in bitcoin.

I don't have access to DNS and I lost ssh access after taking down the forum.

Basically everything keep getting hacked despite all our security discussion and almost always due to ridicolous negligences (yay the bug in the forum was in the thing that modify tags for donators, a thing added some week ago and guess what? hackable!)

It was not a bug in the donator code. Core SMF is always vulnerable to this, but because I had added additional restrictions for non-donators, the attacker had to be donator to exploit it.
full member
Activity: 218
Merit: 100
September 11, 2011, 01:46:16 PM
I am surprised that everybody here is tossing out PHP-based solutions as alternatives to SMF.  Why not save yourself a ton of security concerns and use a Python-based bulletin board?  There are several reputable, mature, open source products available.  I haven't used any of them personally but most of them use Django, so they would come with great security features out of the box like auto escaping all template content, with which you would not have been vulnerable to the vector used by this attacker.

When you look at OWASP and other security organizations' evaluations of web frameworks, it's amazing how many vulnerabilities are found in PHP-based software, and how few are found in Python-based software.  So if you decide to go with another solution, as opposed to upgrading SMF, why not give a Python-based bulletin board a try?

Specific recommendation: pyForum http://www.pyforum.org/  It's based on web2py framework.  I have used web2py and I highly recommend it.  Migrating from SMF should not be terribly difficult for someone who understands databases.
newbie
Activity: 56
Merit: 0
September 11, 2011, 01:20:01 PM
Why won't you bring back Cosby?  Is it a racial thing?
member
Activity: 154
Merit: 10
September 11, 2011, 01:01:57 PM
thanks u
full member
Activity: 126
Merit: 100
September 11, 2011, 12:53:08 PM
Thanks for informing us of the issue (a lot of sites don't) and especially for the work involved in bring the site back online.
sr. member
Activity: 350
Merit: 251
September 11, 2011, 12:41:17 PM
couple of quick questions. you did contact the authorities correct? nothing about this hack was a joke and or funny in my opinion. why were extremely old admin accounts still active? shouldn't those have an expired setting and or be deleted? manually you should have removed admin priviledges after a certain amount of time.

hardly mattered, from what i can gather from the situation, anyone could have been the first target that then got root access.

I thought they used the satoshi admin to get root?

i don't know how exactly they have the accounts set up, but they could have gained access to any of the root account, from what is in the post.
full member
Activity: 168
Merit: 100
Brad Willman, SSCP, LTCP, MCTS,SCE,BCE
September 11, 2011, 12:37:33 PM
#99
couple of quick questions. you did contact the authorities correct? nothing about this hack was a joke and or funny in my opinion. why were extremely old admin accounts still active? shouldn't those have an expired setting and or be deleted? manually you should have removed admin priviledges after a certain amount of time.

hardly mattered, from what i can gather from the situation, anyone could have been the first target that then got root access.

I thought they used the satoshi admin to get root?
sr. member
Activity: 350
Merit: 251
September 11, 2011, 12:26:00 PM
#98
couple of quick questions. you did contact the authorities correct? nothing about this hack was a joke and or funny in my opinion. why were extremely old admin accounts still active? shouldn't those have an expired setting and or be deleted? manually you should have removed admin priviledges after a certain amount of time.

hardly mattered, from what i can gather from the situation, anyone could have been the first target that then got root access.
full member
Activity: 168
Merit: 100
Brad Willman, SSCP, LTCP, MCTS,SCE,BCE
September 11, 2011, 12:23:10 PM
#97
couple of quick questions. you did contact the authorities correct? nothing about this hack was a joke and or funny in my opinion. why were extremely old admin accounts still active? shouldn't those have an expired setting and or be deleted? manually you should have removed admin priviledges after a certain amount of time.
sr. member
Activity: 294
Merit: 250
September 11, 2011, 12:03:16 PM
#96
I'd like to see vBulletin used as well. I've read that it takes lower cpu load than most php free boards and it has some features I think would be nice here. Ubuntu forums and many other busy forums run on it. I know it costs some money but not that much.

Edit: I don't know if there is an import tool for vB. I'd hope so because losing past posts and all the info held in them is not really an option.
vBulletin uses more resources than SMF (in fact, vBulletin is one of the worst at resource usage), and certainly isn't any more secure - if anything, vBulletin has an even worse track record than SMF in terms of vulnerabilities.

(in fact, SMF is one of the lightest forum platforms there is.)

i don't care for vb or smf, i like phpbb myself, but i think vb has the largest market share, so it fall under than windows thing, where they are the largest target, therefore they get targeted type thing.
I'd say that vBulletin, IPB, SMF, and phpBB get targeted about equally as much - all of those are used by a LOT of sites.

Also, I'm not sure how it is with the newer phpBB versions, but the old phpBB used a lot of resources as well.
sr. member
Activity: 350
Merit: 251
September 11, 2011, 12:00:51 PM
#95
I'd like to see vBulletin used as well. I've read that it takes lower cpu load than most php free boards and it has some features I think would be nice here. Ubuntu forums and many other busy forums run on it. I know it costs some money but not that much.

Edit: I don't know if there is an import tool for vB. I'd hope so because losing past posts and all the info held in them is not really an option.
vBulletin uses more resources than SMF (in fact, vBulletin is one of the worst at resource usage), and certainly isn't any more secure - if anything, vBulletin has an even worse track record than SMF in terms of vulnerabilities.

(in fact, SMF is one of the lightest forum platforms there is.)

i don't care for vb or smf, i like phpbb myself, but i think vb has the largest market share, so it fall under than windows thing, where they are the largest target, therefore they get targeted type thing.
Pages:
Jump to: