Info about the recent attack - page 9.

joepie91

sr. member

Activity: 294

Merit: 250

Quote from: BkkCoins on September 11, 2011, 01:37:13 AM

I'd like to see vBulletin used as well. I've read that it takes lower cpu load than most php free boards and it has some features I think would be nice here. Ubuntu forums and many other busy forums run on it. I know it costs some money but not that much.

Edit: I don't know if there is an import tool for vB. I'd hope so because losing past posts and all the info held in them is not really an option.

vBulletin uses more resources than SMF (in fact, vBulletin is one of the worst at resource usage), and certainly isn't any more secure - if anything, vBulletin has an even worse track record than SMF in terms of vulnerabilities.

(in fact, SMF is one of the lightest forum platforms there is.)

EDIT: Additionally, if there would be a switch in forum software (which imo isn't really necessary) the best option would probably be XenForo.

ctoon6

sr. member

Activity: 350

Merit: 251

Quote from: digibo on September 11, 2011, 12:43:33 PM

Quote from: digibo on September 11, 2011, 12:38:13 PM

Quote from: ctoon6 on September 11, 2011, 12:20:10 PM

Quote from: digibo on September 11, 2011, 11:42:57 AM

Quote from: BkkCoins on September 11, 2011, 02:36:13 AM

Quote from: theymos on September 11, 2011, 02:22:28 AM

Quote from: BkkCoins on September 11, 2011, 01:45:41 AM

I just tried changing my password and it says my current password is wrong.
So I cannot change to a new one now.

You have the same password that you had before the attack.

Hmnm. Well something has gone wrong. I use a pwd safe and call up and paste in my previous password and it rejects it. My password had 25 chars including letters, number, symbols. Unless the validity of symbols was changed at some point I don't know why it won't work now. I've probably only used it once when created as typically I'm "always logged on".

The password reset form has a "current password" field with a length limit of 20 characters, even though you can initially create an account with a password longer than 20 characters. I ran into this issue.

You can still change your password by logging out, and then clicking the "Forgot your password?" link on the login page. It will email you a link that lets you reset your password.

my original password was 64char hexadecimal, my new password is 64char tetrasexagesimal, or base 64 according to wikipedia,i was able to change it, so obviously your wrong

Oh, you're right. I created a new account with a 64 character password, and then changed it to a different 64 character password via the profile settings page, and it worked fine.

I did run into the same issue as BkkCoins with my own account, whatever it is.

And, trying once more on the new account, now I'm hitting the issue:

what browser, version and os+version are you using

digibo

newbie

Activity: 23

Merit: 0

Quote from: digibo on September 11, 2011, 12:38:13 PM

Quote from: ctoon6 on September 11, 2011, 12:20:10 PM

Quote from: digibo on September 11, 2011, 11:42:57 AM

Quote from: BkkCoins on September 11, 2011, 02:36:13 AM

Quote from: theymos on September 11, 2011, 02:22:28 AM

Quote from: BkkCoins on September 11, 2011, 01:45:41 AM

I just tried changing my password and it says my current password is wrong.
So I cannot change to a new one now.

You have the same password that you had before the attack.

Hmnm. Well something has gone wrong. I use a pwd safe and call up and paste in my previous password and it rejects it. My password had 25 chars including letters, number, symbols. Unless the validity of symbols was changed at some point I don't know why it won't work now. I've probably only used it once when created as typically I'm "always logged on".

The password reset form has a "current password" field with a length limit of 20 characters, even though you can initially create an account with a password longer than 20 characters. I ran into this issue.

You can still change your password by logging out, and then clicking the "Forgot your password?" link on the login page. It will email you a link that lets you reset your password.

my original password was 64char hexadecimal, my new password is 64char tetrasexagesimal, or base 64 according to wikipedia,i was able to change it, so obviously your wrong

Oh, you're right. I created a new account with a 64 character password, and then changed it to a different 64 character password via the profile settings page, and it worked fine.

I did run into the same issue as BkkCoins with my own account, whatever it is.

And, trying once more on the new account, now I'm hitting the issue:

http://i.imgur.com/NrsUc.png

digibo

newbie

Activity: 23

Merit: 0

Quote from: ctoon6 on September 11, 2011, 12:20:10 PM

Quote from: digibo on September 11, 2011, 11:42:57 AM

Quote from: BkkCoins on September 11, 2011, 02:36:13 AM

Quote from: theymos on September 11, 2011, 02:22:28 AM

Quote from: BkkCoins on September 11, 2011, 01:45:41 AM

I just tried changing my password and it says my current password is wrong.
So I cannot change to a new one now.

You have the same password that you had before the attack.

Hmnm. Well something has gone wrong. I use a pwd safe and call up and paste in my previous password and it rejects it. My password had 25 chars including letters, number, symbols. Unless the validity of symbols was changed at some point I don't know why it won't work now. I've probably only used it once when created as typically I'm "always logged on".

The password reset form has a "current password" field with a length limit of 20 characters, even though you can initially create an account with a password longer than 20 characters. I ran into this issue.

You can still change your password by logging out, and then clicking the "Forgot your password?" link on the login page. It will email you a link that lets you reset your password.

my original password was 64char hexadecimal, my new password is 64char tetrasexagesimal, or base 64 according to wikipedia,i was able to change it, so obviously your wrong

Oh, you're right. I created a new account with a 64 character password, and then changed it to a different 64 character password via the profile settings page, and it worked fine.

I did run into the same issue as BkkCoins with my own account, whatever it is.

ctoon6

sr. member

Activity: 350

Merit: 251

Quote from: digibo on September 11, 2011, 11:42:57 AM

Quote from: BkkCoins on September 11, 2011, 02:36:13 AM

Quote from: theymos on September 11, 2011, 02:22:28 AM

Quote from: BkkCoins on September 11, 2011, 01:45:41 AM

I just tried changing my password and it says my current password is wrong.
So I cannot change to a new one now.

You have the same password that you had before the attack.

Hmnm. Well something has gone wrong. I use a pwd safe and call up and paste in my previous password and it rejects it. My password had 25 chars including letters, number, symbols. Unless the validity of symbols was changed at some point I don't know why it won't work now. I've probably only used it once when created as typically I'm "always logged on".

The password reset form has a "current password" field with a length limit of 20 characters, even though you can initially create an account with a password longer than 20 characters. I ran into this issue.

You can still change your password by logging out, and then clicking the "Forgot your password?" link on the login page. It will email you a link that lets you reset your password.

my original password was 64char hexadecimal, my new password is 64char tetrasexagesimal, or base 64 according to wikipedia,i was able to change it, so obviously your wrong

pekv2

hero member

Activity: 770

Merit: 502

I would suggest everyone check their donation address's listed in their sig. Make sure it was never changed.

digibo

newbie

Activity: 23

Merit: 0

Quote from: BkkCoins on September 11, 2011, 02:36:13 AM

Quote from: theymos on September 11, 2011, 02:22:28 AM

Quote from: BkkCoins on September 11, 2011, 01:45:41 AM

I just tried changing my password and it says my current password is wrong.
So I cannot change to a new one now.

You have the same password that you had before the attack.

Hmnm. Well something has gone wrong. I use a pwd safe and call up and paste in my previous password and it rejects it. My password had 25 chars including letters, number, symbols. Unless the validity of symbols was changed at some point I don't know why it won't work now. I've probably only used it once when created as typically I'm "always logged on".

The password reset form has a "current password" field with a length limit of 20 characters, even though you can initially create an account with a password longer than 20 characters. I ran into this issue.

You can still change your password by logging out, and then clicking the "Forgot your password?" link on the login page. It will email you a link that lets you reset your password.

neptop

sr. member

Activity: 314

Merit: 251

Quote from: ctoon6 on September 11, 2011, 11:27:34 AM

9/10 people will not verify your message because all existing gpg or pgp is made stupid for windows, you either cough up like 500$ for a proprietary product, pgp or be stuck with unstable trash for free, neither is good for security related things.

Still there are tons of better ways for communication than a forum if it's somehow important. So one shouldn't send important stuff via PM and generally keep in mind that an account can be "hacked".

Raoul Duke

legendary

Activity: 1358

Merit: 1002

Quote from: MatthewLM on September 11, 2011, 11:18:50 AM

I'm not aware of PHPBB3 ever having these security problems. My personal opinion is that PHPBB3 is the best out of the free forums software. The only issue id that it doesn't have a plugin interface like with wordpress for example. Modifications can conflict more easily with it's easymod installation system.

But phpbb also lets you auto-update and auto-merge the modifications on the new files.

Quote from: BkkCoins on September 11, 2011, 10:16:45 AM

Yes, it is commercial and from I've read, worth it. I don't believe Canonical would use it for the Ubuntu forums if there was an open source package that was as good. It's also used by WebHostingTalk, one of the biggest web host forums.

PHPBB is free, open source and is used on warez-bb.org, the biggest warez forum and probably the most attacked forum on the whole internet. Ofcourse i suspect they have a good security team taking care of warez-bb.

Quote

Our users have posted a total of 38723335 articles | We have 2641227 registered users
Most users ever online was 8594
In total there are 4240 users online :: 3440 Registered, 89 Hidden and about 711 Guests

^^ and it can handle heavy traffic, as the stats show.

Vladimir

hero member

Activity: 812

Merit: 1001

-

Thinking about it with all the information available now. Imagine yourselves in Theymos and Sirius position. I understand that they used 3rd party plugin for simple machine forum to collect donations as such importing SQL injection vulnerability. Than eventually Cosby came to wreck the forum. Once they know it, they shut down the forum. So far so "good".

Now they have no skill to sort it themselves. They do have to bring someone in. Who can they bring? This is already all over the news. Sirius resigns and asks for help from "devs". Mark surely is right here with an offer of help, but there are some voicing privacy and de-decentralisation worries.

What could they do. They surely can not bring someone like me in, since I am being so adversarial here. Who else? not many offers were sent on that mailing list. They have chosen Mark. Even though it is probably a mistake, their choice is perfectly understandable.

They should have brought in some independent security professional instead of mtgox or me or anyone else with clear conflict of interests. They should have been more open and issue at least some kind of statement ASAP. Things could have been handled better. But hey nobody is perfect.

ctoon6

sr. member

Activity: 350

Merit: 251

Quote from: neptop on September 11, 2011, 11:18:35 AM

Don't rely on a forum for secure authentication! Wink

(or sign your messages and encrypt PMs)

9/10 people will not verify your message because all existing gpg or pgp is made stupid for windows, you either cough up like 500$ for a proprietary product, pgp or be stuck with unstable trash for free, neither is good for security related things.

MatthewLM

legendary

Activity: 1190

Merit: 1004

I'm not aware of PHPBB3 ever having these security problems. My personal opinion is that PHPBB3 is the best out of the free forums software. The only issue id that it doesn't have a plugin interface like with wordpress for example. Modifications can conflict more easily with it's easymod installation system.

neptop

sr. member

Activity: 314

Merit: 251

Don't rely on a forum for secure authentication! Wink

(or sign your messages and encrypt PMs)

Herodes

hero member

Activity: 868

Merit: 1000

Thanks for telling the community what happened. Appreciated.

BkkCoins

hero member

Activity: 784

Merit: 1009

firstbits:1MinerQ

Quote from: dvide on September 11, 2011, 09:55:35 AM

Quote from: dvide on September 11, 2011, 09:39:29 AM

Quote from: BkkCoins on September 11, 2011, 01:45:41 AM

I just tried changing my password and it says my current password is wrong.
So I cannot change to a new one now.

Is it likely that passwords were changed on many/most accounts or did you wipe out old ones at some point?

BTW if the hacker still has some fingers in here then forcing us to enter our password for changing would expose the password. So hopefully some script wasn't modified to send passwords to him when an attempt was made to change it...

(Not a big problem for me as all my passwords are different and random 25 char strings)

I'm also having this problem. Funny thing is, if I use incognito mode to get a new session I can log in using my old password, but it's not accepting it for changing my password.

Ok something is definitely broken. I just used the forgot password function to reset my password, because it wasn't working from within my account, but then I could not log in at all using either my new password or my old one. Both passwords were 25 characters with special characters and spaces. I used the forgot password again to reset it to a 16 char password without special characters or spaces, and then I was able to login.

So something WRT to either length, special characters or spaces has a problem. Also none of the passwords I tried used a space at either the start or the end, so it's not trimming the string that is my problem.

It's starting to sound like the password change code uses different validity criteria than the login code.

BkkCoins

hero member

Activity: 784

Merit: 1009

firstbits:1MinerQ

Quote from: LZ on September 11, 2011, 09:58:37 AM

Quote from: ?? on ??

can you migrate the forum to VBulletin ?

vBulletin is a commercial forum software. SMF is really open source and free.

Yes, it is commercial and from I've read, worth it. I don't believe Canonical would use it for the Ubuntu forums if there was an open source package that was as good. It's also used by WebHostingTalk, one of the biggest web host forums.

The question is whether content can be brought over.

wknight

legendary

Activity: 889

Merit: 1000

Bitcoin calls me an Orphan

Great to have the forums back. Plain and simple!

Tuxavant

hero member

Activity: 784

Merit: 1000

Bitcoin Mayor of Las Vegas

Quote from: SoreGums on September 11, 2011, 08:31:38 AM

Quote from: EskimoBob on September 11, 2011, 06:15:18 AM

Create 4 random passwords which contains no special characters and are 10 characters long:

Code:

cat /dev/urandom| tr -dc 'a-zA-Z0-9' | fold -w 10| head -n 4

Create 4 random passwords which DO contains special characters and are 12 characters long:

Code:

$ cat /dev/urandom| tr -dc 'a-zA-Z0-9-_!@#$%^&*()_+{}|:<>?='|fold -w 12| head -n 4| grep -i '[!@#$%^&*()_+{}|:<>?=]'

that's pretty neat little script - cheers Wink

I'm going to stick to lastpass though...

Then there's always 'pwgen'

Can someone explain to me how/why lastpass.com is better than your browser's password store? I use pwgen to generate seriously crazy passwords for each individual site and let my browser remember the passwords. Nobody has access to my computer except me, and even when they do, it's through their own account.

ctoon6

sr. member

Activity: 350

Merit: 251

Quote from: kokjo on September 11, 2011, 09:54:38 AM

Quote from: ctoon6 on September 11, 2011, 09:52:38 AM

is my password safe if i used a 64char hexadecimal?

do the math yourself.

serrouisly you guys, learn about password strength, and hashing algo's.

it was a joke, obviously my password is good for at least 100 years for current day technology, mostly due to its sheer length.

although i think i may use base₆₄ anyway just to be on the safe side.

LZ

legendary

Activity: 1722

Merit: 1072

P2P Cryptocurrency

Quote from: ?? on ??

can you migrate the forum to VBulletin ?

vBulletin is a commercial forum software. SMF is really open source and free.

Topic: Info about the recent attack - page 9. (Read 52527 times)