Pages:
Author

Topic: Info about the recent attack - page 9. (Read 52592 times)

sr. member
Activity: 294
Merit: 250
September 11, 2011, 11:59:05 AM
#94
I'd like to see vBulletin used as well. I've read that it takes lower cpu load than most php free boards and it has some features I think would be nice here. Ubuntu forums and many other busy forums run on it. I know it costs some money but not that much.

Edit: I don't know if there is an import tool for vB. I'd hope so because losing past posts and all the info held in them is not really an option.
vBulletin uses more resources than SMF (in fact, vBulletin is one of the worst at resource usage), and certainly isn't any more secure - if anything, vBulletin has an even worse track record than SMF in terms of vulnerabilities.

(in fact, SMF is one of the lightest forum platforms there is.)

EDIT: Additionally, if there would be a switch in forum software (which imo isn't really necessary) the best option would probably be XenForo.
sr. member
Activity: 350
Merit: 251
September 11, 2011, 11:58:52 AM
#93
I just tried changing my password and it says my current password is wrong.
So I cannot change to a new one now.

You have the same password that you had before the attack.
Hmnm. Well something has gone wrong. I use a pwd safe and call up and paste in my previous password and it rejects it. My password had 25 chars including letters, number, symbols. Unless the validity of symbols was changed at some point I don't know why it won't work now. I've probably only used it once when created as typically I'm "always logged on".

The password reset form has a "current password" field with a length limit of 20 characters, even though you can initially create an account with a password longer than 20 characters. I ran into this issue.

You can still change your password by logging out, and then clicking the "Forgot your password?" link on the login page. It will email you a link that lets you reset your password.

my original password was 64char hexadecimal, my new password is 64char tetrasexagesimal, or base 64 according to wikipedia,i was able to change it, so obviously your wrong

Oh, you're right. I created a new account with a 64 character password, and then changed it to a different 64 character password via the profile settings page, and it worked fine.

I did run into the same issue as BkkCoins with my own account, whatever it is.

And, trying once more on the new account, now I'm hitting the issue:



what browser, version and os+version are you using
newbie
Activity: 23
Merit: 0
September 11, 2011, 11:43:33 AM
#92
I just tried changing my password and it says my current password is wrong.
So I cannot change to a new one now.

You have the same password that you had before the attack.
Hmnm. Well something has gone wrong. I use a pwd safe and call up and paste in my previous password and it rejects it. My password had 25 chars including letters, number, symbols. Unless the validity of symbols was changed at some point I don't know why it won't work now. I've probably only used it once when created as typically I'm "always logged on".

The password reset form has a "current password" field with a length limit of 20 characters, even though you can initially create an account with a password longer than 20 characters. I ran into this issue.

You can still change your password by logging out, and then clicking the "Forgot your password?" link on the login page. It will email you a link that lets you reset your password.

my original password was 64char hexadecimal, my new password is 64char tetrasexagesimal, or base 64 according to wikipedia,i was able to change it, so obviously your wrong

Oh, you're right. I created a new account with a 64 character password, and then changed it to a different 64 character password via the profile settings page, and it worked fine.

I did run into the same issue as BkkCoins with my own account, whatever it is.

And, trying once more on the new account, now I'm hitting the issue:

http://i.imgur.com/NrsUc.png
newbie
Activity: 23
Merit: 0
September 11, 2011, 11:38:13 AM
#91
I just tried changing my password and it says my current password is wrong.
So I cannot change to a new one now.

You have the same password that you had before the attack.
Hmnm. Well something has gone wrong. I use a pwd safe and call up and paste in my previous password and it rejects it. My password had 25 chars including letters, number, symbols. Unless the validity of symbols was changed at some point I don't know why it won't work now. I've probably only used it once when created as typically I'm "always logged on".

The password reset form has a "current password" field with a length limit of 20 characters, even though you can initially create an account with a password longer than 20 characters. I ran into this issue.

You can still change your password by logging out, and then clicking the "Forgot your password?" link on the login page. It will email you a link that lets you reset your password.

my original password was 64char hexadecimal, my new password is 64char tetrasexagesimal, or base 64 according to wikipedia,i was able to change it, so obviously your wrong

Oh, you're right. I created a new account with a 64 character password, and then changed it to a different 64 character password via the profile settings page, and it worked fine.

I did run into the same issue as BkkCoins with my own account, whatever it is.
sr. member
Activity: 350
Merit: 251
September 11, 2011, 11:20:10 AM
#90
I just tried changing my password and it says my current password is wrong.
So I cannot change to a new one now.

You have the same password that you had before the attack.
Hmnm. Well something has gone wrong. I use a pwd safe and call up and paste in my previous password and it rejects it. My password had 25 chars including letters, number, symbols. Unless the validity of symbols was changed at some point I don't know why it won't work now. I've probably only used it once when created as typically I'm "always logged on".

The password reset form has a "current password" field with a length limit of 20 characters, even though you can initially create an account with a password longer than 20 characters. I ran into this issue.

You can still change your password by logging out, and then clicking the "Forgot your password?" link on the login page. It will email you a link that lets you reset your password.

my original password was 64char hexadecimal, my new password is 64char tetrasexagesimal, or base 64 according to wikipedia,i was able to change it, so obviously your wrong
hero member
Activity: 770
Merit: 502
September 11, 2011, 11:16:41 AM
#89
I would suggest everyone check their donation address's listed in their sig. Make sure it was never changed.
newbie
Activity: 23
Merit: 0
September 11, 2011, 10:42:57 AM
#88
I just tried changing my password and it says my current password is wrong.
So I cannot change to a new one now.

You have the same password that you had before the attack.
Hmnm. Well something has gone wrong. I use a pwd safe and call up and paste in my previous password and it rejects it. My password had 25 chars including letters, number, symbols. Unless the validity of symbols was changed at some point I don't know why it won't work now. I've probably only used it once when created as typically I'm "always logged on".

The password reset form has a "current password" field with a length limit of 20 characters, even though you can initially create an account with a password longer than 20 characters. I ran into this issue.

You can still change your password by logging out, and then clicking the "Forgot your password?" link on the login page. It will email you a link that lets you reset your password.
sr. member
Activity: 314
Merit: 251
September 11, 2011, 10:42:12 AM
#87
9/10 people will not verify your message because all existing gpg or pgp is made stupid for windows, you either cough up like 500$ for a proprietary product, pgp or be stuck with unstable trash for free, neither is good for security related things.
Still there are tons of better ways for communication than a forum if it's somehow important. So one shouldn't send important stuff via PM and generally keep in mind that an account can be "hacked".
legendary
Activity: 1358
Merit: 1002
September 11, 2011, 10:33:20 AM
#86
I'm not aware of PHPBB3 ever having these security problems. My personal opinion is that PHPBB3 is the best out of the free forums software. The only issue id that it doesn't have a plugin interface like with wordpress for example. Modifications can conflict more easily with it's easymod installation system.

But phpbb also lets you auto-update and auto-merge the modifications on the new files.


Yes, it is commercial and from I've read, worth it. I don't believe Canonical would use it for the Ubuntu forums if there was an open source package that was as good. It's also used by WebHostingTalk, one of the biggest web host forums.

PHPBB is free, open source and is used on warez-bb.org, the biggest warez forum and probably the most attacked forum on the whole internet. Ofcourse i suspect they have a good security team taking care of warez-bb.
Quote
Our users have posted a total of 38723335 articles | We have 2641227 registered users
Most users ever online was 8594
In total there are 4240 users online :: 3440 Registered, 89 Hidden and about 711 Guests

^^ and it can handle heavy traffic, as the stats show.
hero member
Activity: 812
Merit: 1001
-
September 11, 2011, 10:29:10 AM
#85
Thinking about it with all the information available now. Imagine yourselves in Theymos and Sirius position. I understand that they used 3rd party plugin for simple machine forum to collect donations as such importing SQL injection vulnerability. Than eventually Cosby came to wreck the forum. Once they know it, they shut down the forum. So far so "good".

Now they have no skill to sort it themselves. They do have to bring someone in. Who can they bring? This is already all over the news. Sirius resigns and asks for help from "devs". Mark surely is right here with an offer of help, but there are some voicing privacy and de-decentralisation worries.

What could they do. They surely can not bring someone like me in, since I am being so adversarial here. Who else? not many offers were sent on that mailing list. They have chosen Mark. Even though it is probably a mistake, their choice is perfectly understandable.

They should have brought in some independent security professional instead of mtgox or me or anyone else with clear conflict of interests. They should have been more open and issue at least some kind of statement ASAP. Things could have been handled better. But hey nobody is perfect.
sr. member
Activity: 350
Merit: 251
September 11, 2011, 10:27:34 AM
#84
Don't rely on a forum for secure authentication!  Wink
(or sign your messages and encrypt PMs)

9/10 people will not verify your message because all existing gpg or pgp is made stupid for windows, you either cough up like 500$ for a proprietary product, pgp or be stuck with unstable trash for free, neither is good for security related things.
legendary
Activity: 1190
Merit: 1004
September 11, 2011, 10:18:50 AM
#83
I'm not aware of PHPBB3 ever having these security problems. My personal opinion is that PHPBB3 is the best out of the free forums software. The only issue id that it doesn't have a plugin interface like with wordpress for example. Modifications can conflict more easily with it's easymod installation system.

sr. member
Activity: 314
Merit: 251
September 11, 2011, 10:18:35 AM
#82
Don't rely on a forum for secure authentication!  Wink
(or sign your messages and encrypt PMs)
hero member
Activity: 868
Merit: 1000
September 11, 2011, 09:50:17 AM
#81
Thanks for telling the community what happened. Appreciated.
hero member
Activity: 784
Merit: 1009
firstbits:1MinerQ
September 11, 2011, 09:17:54 AM
#80
I just tried changing my password and it says my current password is wrong.
So I cannot change to a new one now.

Is it likely that passwords were changed on many/most accounts or did you wipe out old ones at some point?

BTW if the hacker still has some fingers in here then forcing us to enter our password for changing would expose the password. So hopefully some script wasn't modified to send passwords to him when an attempt was made to change it...

(Not a big problem for me as all my passwords are different and random 25 char strings)
I'm also having this problem. Funny thing is, if I use incognito mode to get a new session I can log in using my old password, but it's not accepting it for changing my password.
Ok something is definitely broken. I just used the forgot password function to reset my password, because it wasn't working from within my account, but then I could not log in at all using either my new password or my old one. Both passwords were 25 characters with special characters and spaces. I used the forgot password again to reset it to a 16 char password without special characters or spaces, and then I was able to login.

So something WRT to either length, special characters or spaces has a problem. Also none of the passwords I tried used a space at either the start or the end, so it's not trimming the string that is my problem.

It's starting to sound like the password change code uses different validity criteria than the login code.
hero member
Activity: 784
Merit: 1009
firstbits:1MinerQ
September 11, 2011, 09:16:45 AM
#79
can you migrate the forum to VBulletin ?
vBulletin is a commercial forum software. SMF is really open source and free.
Yes, it is commercial and from I've read, worth it. I don't believe Canonical would use it for the Ubuntu forums if there was an open source package that was as good. It's also used by WebHostingTalk, one of the biggest web host forums.

The question is whether content can be brought over.
legendary
Activity: 889
Merit: 1000
Bitcoin calls me an Orphan
September 11, 2011, 09:02:42 AM
#78
Great to have the forums back. Plain and simple!
hero member
Activity: 784
Merit: 1010
Bitcoin Mayor of Las Vegas
September 11, 2011, 09:01:44 AM
#77
Create 4 random passwords which contains no special characters and are 10 characters long:
Code:
cat /dev/urandom| tr -dc 'a-zA-Z0-9' | fold -w 10| head -n 4
Create 4 random passwords which DO contains special characters and are 12 characters long:
Code:
$ cat /dev/urandom| tr -dc 'a-zA-Z0-9-_!@#$%^&*()_+{}|:<>?='|fold -w 12| head -n 4| grep -i '[!@#$%^&*()_+{}|:<>?=]' 
that's pretty neat little script - cheers Wink

I'm going to stick to lastpass though...

Then there's always 'pwgen'

Can someone explain to me how/why lastpass.com is better than your browser's password store? I use pwgen to generate seriously crazy passwords for each individual site and let my browser remember the passwords. Nobody has access to my computer except me, and even when they do, it's through their own account.
sr. member
Activity: 350
Merit: 251
September 11, 2011, 09:01:16 AM
#76
is my password safe if i used a 64char hexadecimal?
do the math yourself.

serrouisly you guys, learn about password strength, and hashing algo's.

it was a joke, obviously my password is good for at least 100 years for current day technology, mostly due to its sheer length.

although i think i may use base64 anyway just to be on the safe side.
LZ
legendary
Activity: 1722
Merit: 1072
P2P Cryptocurrency
September 11, 2011, 08:58:37 AM
#75
can you migrate the forum to VBulletin ?
vBulletin is a commercial forum software. SMF is really open source and free.
Pages:
Jump to: