Topic: Info about the recent attack - page 8. (Read 52527 times)

legendary
Activity: 1136
Merit: 1001
September 11, 2011, 07:32:05 PM
What does not kill bitcoin will make it stronger.
sr. member
Activity: 392
Merit: 250
September 11, 2011, 05:45:34 PM
I've heard a lot of really unwise suggestions for password management.  A piece of software holding all your passwords or a website or some generator that generated such unmemorable passwords that you have to store them in a text file somewhere are all REALLY bad ideas.  Here's a secure password:

1. make up some long, symbol-inclusive password like Thi$izmypa$$w0rd!mmmk
2. get a fire and flood proof safe/lockbox for like $30
3. write the password on a piece of paper and put it in the safe
4. don't lose the key

Tada, secure password.  A hacker would have to get inside your house to get it, not counting some specific keylogger attack.
donator
Activity: 2352
Merit: 1060
between a rock and a block!
September 11, 2011, 04:55:07 PM
how about some beefed up infrastructure with a good firewall, ids, virus etc... etc...?

no way bitcoin is becoming mainstream until, we (as in all of us, open-source anything lovers), take security seriously.

as long as there's an opportunity to create PR damage to bitcoin, it will be done and the only press and info that mainstream folks hear about bitcoin will be negative.

you can hiss at me, say whatever, i don't give a shit about your negative-all-knowing pontification that is coming at this post....

BUT

bitcoin will become mainstream not because of its technical wow/genius or libertarian fuck-the-government connotations... whatever the hell you want to insert here... BUT only if there is positive PR and good perception with the public.

There ain't enough of us here to make it mainstream.  You tell me what non-technical people, when you ask them about bitcoin, tell you?  I bet it's only the negative crap that has been put out BECAUSE of security lapses with peripheral, supporting, indirect bitcoin related services.  Nobody cares that it's not bitcoin suffering directly.  People do not understand the difference...

So, whenever you all (those who are in position to take security-related actions) take this seriously, then maybe bitcoin will have a shot.

Until then, get your popcorn out; every few weeks we will see another nail put into bitcoin "Security"

control the message, control opinion, perception and ultimately reality.
full member
Activity: 126
Merit: 100
September 11, 2011, 04:49:27 PM
Everyone should use lastpass.com and generate the longest password a site will accept (or just 32 random characters/numbers is sufficient imo) plus save that on lastpass.com

It's too easy and there is no excuse not to do it.

NO!  Everybody should use a long (16+ character) password with mixed upper- and lower-case letters, numerals, and symbols, but SHOULD NOT generate or store that password on lastpass.com or ANY third-party password service.  Use of such a service is placing the security of your information in the hands of a third party.  That's NUTS.

Instead, use a password vault or a simple GPG-encrypted text file on your own laptop or personal computer, backed up to a CD/DVD or a USB dongle that is kept offsite.  Encrypt that one file with a long passphrase, and do the work to memorize the passphrase.  Voila -- actual security instead of security theater.

(I'm shaking my head at the nutty idea that passwords should be entrusted to a third party that you don't even know.)

member
Activity: 111
Merit: 10
September 11, 2011, 04:28:16 PM
I just tried changing my password and it says my current password is wrong.
So I cannot change to a new one now.

Is it likely that passwords were changed on many/most accounts or did you wipe out old ones at some point?

BTW if the hacker still has some fingers in here then forcing us to enter our password for changing would expose the password. So hopefully some script wasn't modified to send passwords to him when an attempt was made to change it...

(Not a big problem for me as all my passwords are different and random 25 char strings)

And also possible that simply logging in sends out your password. Good thing I use junk passwords for forums.
legendary
Activity: 1708
Merit: 1019
September 11, 2011, 04:22:23 PM
I am surprised that everybody here is tossing out PHP-based solutions as alternatives to SMF.  Why not save yourself a ton of security concerns and use a Python-based bulletin board?  There are several reputable, mature, open source products available.  I haven't used any of them personally but most of them use Django, so they would come with great security features out of the box like auto escaping all template content, with which you would not have been vulnerable to the vector used by this attacker.

When you look at OWASP and other security organizations' evaluations of web frameworks, it's amazing how many vulnerabilities are found in PHP-based software, and how few are found in Python-based software.  So if you decide to go with another solution, as opposed to upgrading SMF, why not give a Python-based bulletin board a try?

Specific recommendation: pyForum http://www.pyforum.org/  It's based on the web2py framework.  I have used web2py and I highly recommend it.  Migrating from SMF should not be terribly difficult for someone who understands databases.
Which means you're fucked if there's a vulnerability in Django.

Tip: a language is just a language. PHP is a language, Python is a language, and it's ridiculous to even imply that something in a different language would somehow be magically more secure.
no but the framework is better for handling fuck-ups.

+1 to Django   and Python btw

legendary
Activity: 1199
Merit: 1012
September 11, 2011, 03:17:30 PM
no but the framework is better for handling fuck-ups.

php has plenty of frameworks
legendary
Activity: 1050
Merit: 1000
You are WRONG!
September 11, 2011, 03:16:05 PM
I am surprised that everybody here is tossing out PHP-based solutions as alternatives to SMF.  Why not save yourself a ton of security concerns and use a Python-based bulletin board?  There are several reputable, mature, open source products available.  I haven't used any of them personally but most of them use Django, so they would come with great security features out of the box like auto escaping all template content, with which you would not have been vulnerable to the vector used by this attacker.

When you look at OWASP and other security organizations' evaluations of web frameworks, it's amazing how many vulnerabilities are found in PHP-based software, and how few are found in Python-based software.  So if you decide to go with another solution, as opposed to upgrading SMF, why not give a Python-based bulletin board a try?

Specific recommendation: pyForum http://www.pyforum.org/  It's based on the web2py framework.  I have used web2py and I highly recommend it.  Migrating from SMF should not be terribly difficult for someone who understands databases.
Which means you're fucked if there's a vulnerability in Django.

Tip: a language is just a language. PHP is a language, Python is a language, and it's ridiculous to even imply that something in a different language would somehow be magically more secure.
no but the framework is better for handling fuck-ups.
sr. member
Activity: 294
Merit: 250
September 11, 2011, 03:02:30 PM
I am surprised that everybody here is tossing out PHP-based solutions as alternatives to SMF.  Why not save yourself a ton of security concerns and use a Python-based bulletin board?  There are several reputable, mature, open source products available.  I haven't used any of them personally but most of them use Django, so they would come with great security features out of the box like auto escaping all template content, with which you would not have been vulnerable to the vector used by this attacker.

When you look at OWASP and other security organizations' evaluations of web frameworks, it's amazing how many vulnerabilities are found in PHP-based software, and how few are found in Python-based software.  So if you decide to go with another solution, as opposed to upgrading SMF, why not give a Python-based bulletin board a try?

Specific recommendation: pyForum http://www.pyforum.org/  It's based on the web2py framework.  I have used web2py and I highly recommend it.  Migrating from SMF should not be terribly difficult for someone who understands databases.
Which means you're fucked if there's a vulnerability in Django.

Tip: a language is just a language. PHP is a language, Python is a language, and it's ridiculous to even imply that something in a different language would somehow be magically more secure.
administrator
Activity: 5166
Merit: 12850
September 11, 2011, 02:54:27 PM
I don't know what the problem is with password changes. I tried passwords with many different special characters, and it always works.

Simple Question, besides it's beyond that other things that have been said in this thread.
This one is @theymos directly:
Would it have been so damn hard to take the forum down and insert a little static HTML page, indicating to users that the site was offline and being worked on?

actions like simply taking the forum offline hurt the confidence of people in bitcoin.

I don't have access to DNS and I lost ssh access after taking down the forum.

Basically everything keeps getting hacked despite all our security discussion, and almost always due to ridiculous negligence (yay, the bug in the forum was in the thing that modifies tags for donators, a thing added some weeks ago, and guess what? hackable!)

It was not a bug in the donator code. Core SMF is always vulnerable to this, but because I had added additional restrictions for non-donators, the attacker had to be a donator to exploit it.
full member
Activity: 218
Merit: 100
September 11, 2011, 02:46:16 PM
I am surprised that everybody here is tossing out PHP-based solutions as alternatives to SMF.  Why not save yourself a ton of security concerns and use a Python-based bulletin board?  There are several reputable, mature, open source products available.  I haven't used any of them personally but most of them use Django, so they would come with great security features out of the box like auto escaping all template content, with which you would not have been vulnerable to the vector used by this attacker.

When you look at OWASP and other security organizations' evaluations of web frameworks, it's amazing how many vulnerabilities are found in PHP-based software, and how few are found in Python-based software.  So if you decide to go with another solution, as opposed to upgrading SMF, why not give a Python-based bulletin board a try?

Specific recommendation: pyForum http://www.pyforum.org/  It's based on the web2py framework.  I have used web2py and I highly recommend it.  Migrating from SMF should not be terribly difficult for someone who understands databases.
newbie
Activity: 56
Merit: 0
September 11, 2011, 02:20:01 PM
Why won't you bring back Cosby?  Is it a racial thing?
member
Activity: 154
Merit: 10
September 11, 2011, 02:01:57 PM
thanks u
full member
Activity: 126
Merit: 100
September 11, 2011, 01:53:08 PM
Thanks for informing us of the issue (a lot of sites don't) and especially for the work involved in bringing the site back online.
sr. member
Activity: 350
Merit: 251
September 11, 2011, 01:41:17 PM
couple of quick questions. you did contact the authorities correct? nothing about this hack was a joke and/or funny in my opinion. why were extremely old admin accounts still active? shouldn't those have an expired setting and/or be deleted? manually you should have removed admin privileges after a certain amount of time.

hardly mattered, from what i can gather from the situation, anyone could have been the first target that then got root access.

I thought they used the satoshi admin to get root?

i don't know how exactly they have the accounts set up, but they could have gained access to any of the root accounts, from what is in the post.
full member
Activity: 168
Merit: 100
Brad Willman, SSCP, LTCP, MCTS,SCE,BCE
September 11, 2011, 01:37:33 PM
#99
couple of quick questions. you did contact the authorities correct? nothing about this hack was a joke and/or funny in my opinion. why were extremely old admin accounts still active? shouldn't those have an expired setting and/or be deleted? manually you should have removed admin privileges after a certain amount of time.

hardly mattered, from what i can gather from the situation, anyone could have been the first target that then got root access.

I thought they used the satoshi admin to get root?
sr. member
Activity: 350
Merit: 251
September 11, 2011, 01:26:00 PM
#98
couple of quick questions. you did contact the authorities correct? nothing about this hack was a joke and/or funny in my opinion. why were extremely old admin accounts still active? shouldn't those have an expired setting and/or be deleted? manually you should have removed admin privileges after a certain amount of time.

hardly mattered, from what i can gather from the situation, anyone could have been the first target that then got root access.
full member
Activity: 168
Merit: 100
Brad Willman, SSCP, LTCP, MCTS,SCE,BCE
September 11, 2011, 01:23:10 PM
#97
couple of quick questions. you did contact the authorities correct? nothing about this hack was a joke and/or funny in my opinion. why were extremely old admin accounts still active? shouldn't those have an expired setting and/or be deleted? manually you should have removed admin privileges after a certain amount of time.
sr. member
Activity: 294
Merit: 250
September 11, 2011, 01:03:16 PM
#96
I'd like to see vBulletin used as well. I've read that it takes lower cpu load than most php free boards and it has some features I think would be nice here. Ubuntu forums and many other busy forums run on it. I know it costs some money but not that much.

Edit: I don't know if there is an import tool for vB. I'd hope so because losing past posts and all the info held in them is not really an option.
vBulletin uses more resources than SMF (in fact, vBulletin is one of the worst at resource usage), and certainly isn't any more secure - if anything, vBulletin has an even worse track record than SMF in terms of vulnerabilities.

(in fact, SMF is one of the lightest forum platforms there is.)

i don't care for vb or smf, i like phpbb myself, but i think vb has the largest market share, so it falls under that Windows thing, where they are the largest target, therefore they get targeted type thing.
I'd say that vBulletin, IPB, SMF, and phpBB get targeted about equally as much - all of those are used by a LOT of sites.

Also, I'm not sure how it is with the newer phpBB versions, but the old phpBB used a lot of resources as well.
sr. member
Activity: 350
Merit: 251
September 11, 2011, 01:00:51 PM
#95
I'd like to see vBulletin used as well. I've read that it takes lower cpu load than most php free boards and it has some features I think would be nice here. Ubuntu forums and many other busy forums run on it. I know it costs some money but not that much.

Edit: I don't know if there is an import tool for vB. I'd hope so because losing past posts and all the info held in them is not really an option.
vBulletin uses more resources than SMF (in fact, vBulletin is one of the worst at resource usage), and certainly isn't any more secure - if anything, vBulletin has an even worse track record than SMF in terms of vulnerabilities.

(in fact, SMF is one of the lightest forum platforms there is.)

i don't care for vb or smf, i like phpbb myself, but i think vb has the largest market share, so it falls under that Windows thing, where they are the largest target, therefore they get targeted type thing.