
Topic: Should we change our passwords? (Read 2045 times)

legendary
Activity: 1092
Merit: 1000
GATCOIN : The New Currency Of Digital Marketing
September 17, 2016, 06:38:25 AM
#31
I am not an expert, but all I understand is that DDoS is not hacking; it only makes a website unavailable by sending huge traffic. The forum is experiencing DDoS frequently, and it was unavailable yesterday also. I am concerned and want to know if there is a need to change our account password?
I don't know, I'm not that expert too, and I think all about DDoS is sending packets where the server can't handle that, then it will take down the server, so the forum will not be available temporarily. We can see that they are trying to send huge traffic every day. Are they curious about Bitcointalk? I think we are safe because theymos is doing everything he can.
No, if they were curious, they wouldn't be sending automated traffic. Moreover, we are not some secret cult or society; we are open to the whole community, and if anyone is curious and wants to learn, he/she can simply join bitcointalk.org.
full member
Activity: 181
Merit: 100
September 16, 2016, 11:57:45 AM
#30
I noticed that changing your password leads to some people here thinking your account was sold, but I still think you should do it. Not only here, but with every important account you own. Change your passwords frequently and, when possible, activate 2FA. Sadly, we don't have that option here yet, which makes changing your password even more important. And of course, never use the same password with different accounts.
sr. member
Activity: 630
Merit: 267
Just follow the rules
September 16, 2016, 10:45:02 AM
#29
I am not an expert, but all I understand is that DDoS is not hacking; it only makes a website unavailable by sending huge traffic. The forum is experiencing DDoS frequently, and it was unavailable yesterday also. I am concerned and want to know if there is a need to change our account password?
I don't know, I'm not that expert too, and I think all about DDoS is sending packets where the server can't handle that, then it will take down the server, so the forum will not be available temporarily. We can see that they are trying to send huge traffic every day. Are they curious about Bitcointalk? I think we are safe because theymos is doing everything he can.
sr. member
Activity: 644
Merit: 250
September 16, 2016, 05:25:57 AM
#28
Probably yes. You can change your password in Profile > Account Related Settings. Put your current password, create a new password and verify it, and click SAVE. This is for your security, if you are worried about your account, I mean if anyone knows your account. Just change it before it's too late.
hero member
Activity: 1554
Merit: 576
Leading Crypto Sports Betting & Casino Platform
September 15, 2016, 01:25:29 AM
#27
I am not an expert, but all I understand is that DDoS is not hacking; it only makes a website unavailable by sending huge traffic. The forum is experiencing DDoS frequently, and it was unavailable yesterday also. I am concerned and want to know if there is a need to change our account password?
I'm not that expert too when it comes to securing websites, but I'm pretty sure that no one is safe; our technology is always upgrading, and I read that the forum was leaked on the dark net and it is up for sale, and there are accounts that were dead already and are coming back, and some of them are requesting loans. I have already changed my email and password; I always update my password every week.
legendary
Activity: 1092
Merit: 1000
GATCOIN : The New Currency Of Digital Marketing
September 13, 2016, 04:42:23 PM
#26
Changing the password isn't hard, so why not?
Yes, I agree it isn't hard, but remembering it is.
@Sharma. Use KeePass. You can download it here: http://keepass.info/

It is what I use and it makes password management easier. Your passwords will also be harder to crack since they look something like "SDFT%$EW^Y%ETGYBDE#$^^&$".
Thanks, I will download it. Which version do you recommend, Classic Edition KeePass 1.31 or Professional Edition KeePass 2.34?
member
Activity: 98
Merit: 10
September 12, 2016, 04:57:05 PM
#25
Never use the same password on every website, as nowadays website databases are not safe and never will be. I've lost my social network accounts and my personal email account too because I was using the same password on every website. Just keep changing it every month for your important accounts.

I've read somewhere that Yahoo's database was leaked too recently; then when I tried to log in they locked it and asked me to verify security questions and for a cell number. So yeah, it's good practice to change your passwords frequently.
donator
Activity: 1419
Merit: 1015
September 12, 2016, 04:45:50 PM
#24
Incapsula was willing to do a special deal, but their price was ridiculous.

Have you checked recently? If it has been a while it might be worth asking again.

I've fiddled around with nginx more recently at my day job, but it sounds like if you are talking firewall you are looking for maybe dedicated hardware to do this or provide a global-based service for it. I know nginx recently added UDP load balancing, but I'm not sure if TCP load balancing would work or stop TCP-SYN flooding or half-open attacks if that's what you're mostly having problems with.

Additionally you can adjust settings like net.ipv4.tcp_synack_retries and net.ipv4.tcp_syn_retries or even net.ipv4.tcp_fin_timeout on the firewall or reverse proxy if you haven't already.
hero member
Activity: 826
Merit: 504
September 12, 2016, 04:16:36 PM
#23
Don't change it too often. The more paranoid members on the dt list might mark your account as sold or hacked

So? Let them keep complaining about that. With or without evidence, that claim has no bearing on your Bitcointalk account.
hero member
Activity: 555
Merit: 507
September 12, 2016, 03:17:29 PM
#22
Don't change it too often. The more paranoid members on the dt list might mark your account as sold or hacked
hero member
Activity: 826
Merit: 504
September 12, 2016, 02:47:45 PM
#21
I think frequent password changes are needed if you want to keep your account safe.
Even workplaces require you to change them every 3 months so why not here? Roll Eyes

The reason workplaces require you to do that is because they usually run Windows, and compromising a Windows system is as easy as plugging a USB into the machine, lol.
legendary
Activity: 2128
Merit: 1065
September 12, 2016, 12:21:24 PM
#20
I think that someone could make money by buying a few dozen servers distributed across the globe and selling GRE-tunnel-based DDoS protection from SYN floods and maybe also bandwidth leeching (by tracking when new IPs start using way more traffic than anyone else), ideally with anycast IP addresses to distribute traffic among the firewall servers. I think that you could do it largely with standard iptables rules, though it'd be very complicated. If I was setting up a service like this, I would oversell like crazy -- each site is only actually DDoSed a very small percentage of time, so you only need enough ordinary capacity to protect against one or two active attacks --, but then have some sort of backup plan to add more servers in an emergency (maybe by spinning up EC2/DigitalOcean/Vultr instances, which are expensive compared to a dedicated server but quickly available in case more capacity is needed now).
Anycast to distribute stateful traffic? Anycast only really works with stateless/connectionless services like DNS over UDP. Anything else requires a modified client side to recover the hidden state.

And in addition to the above modifying the routing rules after the DDoS started to add more firewall servers? Guaranteed failure because it will prolong the instability and limited availability.

"standard iptables rules, though it'd be very complicated" - this claim is such a deep bullshit, that I can't believe a sane person with IT knowledge would utter it. What about the state of the TCP/IP socket required to track sequence numbers?

To me it seems like you've talked to too many professional bullshit salesmen in the DDoS mitigation industry and they successfully managed to turn your brain to mush to prepare you for closing a sale.

Four days ago you had a generally correct idea. Within AWS the GRE tunnels are not required because EC2 offers a private LAN segment for free to allow connections between instances spawned from the same account. Maybe just get some sleep and then implement it yourself.
legendary
Activity: 3136
Merit: 1233
Leading Crypto Sports Betting & Casino Platform
September 11, 2016, 11:11:57 PM
#19
I think frequent password changes are needed if you want to keep your account safe.
Even workplaces require you to change them every 3 months so why not here? Roll Eyes
copper member
Activity: 2870
Merit: 2298
September 11, 2016, 11:03:35 PM
#18
I am curious to know what happens when someone attempts to access the forum from behind the GFW during times of DDoS attacks, especially when it is non-obvious that the request is coming from a VPN/VPS, and especially when the request appears to be from what could be "high value" potential hacking targets.

Currently there's no regional filtering. It hasn't been necessary in the past, since attacks have either been easy to detect and block or SYN floods which use fake IP addresses. On a few occasions in the past I've had to block a few /16 networks for a while, but there's nothing like that active now.
I was referring to some kind of hypothetical spoofing attack whose success hinges on the *real* bitcointalk.org (and/or bitcoin.org) server being unresponsive in order to be successful.

It would be something along the lines of: the GFW would, during DDoS attacks, route traffic intended for bitcointalk.org (and/or bitcoin.org) to a spoof server from a very specific subset of traffic. Only "high value" targets would have their traffic routed to the spoof server, or traffic that comes from a proxy/VPN/a source that may have originated outside of China (if you assumed a state-sponsored attack by the Chinese government), in order to hide the fact that some traffic is being routed to a spoof server.

I really like the idea of having a bunch of firewall servers which handle the TCP handshake and then send real traffic to the real server(s) via a GRE tunnel. Since it works at the TCP level, the firewall servers do not need the HTTPS key and aren't particularly sensitive security-wise. It doesn't protect against application-level attacks, but generally those are easier to protect against by just blacklisting or limiting misbehaving IPs.
Is there a reason why you can't do something similar to this yourself? Or, will this only be economical if you have multiple clients?
administrator
Activity: 5166
Merit: 12850
September 11, 2016, 09:41:28 PM
#17
I am curious to know what happens when someone attempts to access the forum from behind the GFW during times of DDoS attacks, especially when it is non-obvious that the request is coming from a VPN/VPS, and especially when the request appears to be from what could be "high value" potential hacking targets.

Currently there's no regional filtering. It isn't usually necessary, since attacks have either been possible to detect and block (automatically or manually) or SYN floods which use fake IP addresses. On a few occasions in the past I've had to block a few /16 networks for a while, but there's nothing like that active now.

I really like the idea of having a bunch of firewall servers which handle the TCP handshake and then send real traffic to the real server(s) via a GRE tunnel. Since it works at the TCP level, the firewall servers do not need the HTTPS key and aren't particularly sensitive security-wise. It doesn't protect against application-level attacks, but generally those are easier to protect against by just blacklisting or limiting misbehaving IPs. I wish that more companies would offer this service. The forum's previous DDoS protection did this, but it was some amateur operation which had its own reliability issues, making it unacceptable. Incapsula was willing to do a special deal, but their price was ridiculous. I think that someone could make money by buying a few dozen servers distributed across the globe and selling GRE-tunnel-based DDoS protection from SYN floods and maybe also bandwidth leeching (by tracking when new IPs start using way more traffic than anyone else), ideally with anycast IP addresses to distribute traffic among the firewall servers. I think that you could do it largely with standard iptables rules, though it'd be very complicated. If I was setting up a service like this, I would oversell like crazy -- each site is only actually DDoSed a very small percentage of time, so you only need enough ordinary capacity to protect against one or two active attacks --, but then have some sort of backup plan to add more servers in an emergency (maybe by spinning up EC2/DigitalOcean/Vultr instances, which are expensive compared to a dedicated server but quickly available in case more capacity is needed now).
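One node of the handshake-firewall design described in this post, with the SYN-flood sysctl knobs from post #24 folded in, as an added example that is not from the thread or the forum's own setup: a script that emits the GRE tunnel, sysctl and iptables commands for a front-end node that completes the TCP handshake itself and forwards only proven-live connections to the origin. It assumes the netfilter SYNPROXY target as the "standard iptables" mechanism (the post does not name one), that the origin returns traffic through the same tunnel, and every IP address is a constructed placeholder.

```shell
#!/bin/sh
# Added example, not from the thread: emit the configuration for one
# "handshake firewall" node of the kind theymos describes. It completes the
# TCP handshake with the netfilter SYNPROXY target and forwards accepted
# connections to the origin over a GRE tunnel. All addresses are constructed
# placeholders; return traffic is assumed to come back through the same tunnel
# so conntrack on this node sees both directions.
# The functions only print commands; pipe the output into sh on a real node.

# emit_node_config LOCAL_IP ORIGIN_IP PROTECTED_IP PORT...
emit_node_config() {
    local_ip=$1; origin_ip=$2; vip=$3; shift 3
    # GRE tunnel to the origin; the protected address is routed into it
    echo "ip tunnel add gre0 mode gre local $local_ip remote $origin_ip ttl 64"
    echo "ip link set gre0 up"
    echo "ip route add $vip/32 dev gre0"
    echo "sysctl -w net.ipv4.ip_forward=1"
    # Kernel knobs from the thread: fewer SYN/ACK retransmits and a shorter
    # FIN-WAIT-2 timeout so half-open and lingering sockets free state sooner
    echo "sysctl -w net.ipv4.tcp_synack_retries=2"
    echo "sysctl -w net.ipv4.tcp_syn_retries=2"
    echo "sysctl -w net.ipv4.tcp_fin_timeout=15"
    # SYNPROXY requires conntrack not to adopt mid-stream packets as ESTABLISHED
    echo "sysctl -w net.netfilter.nf_conntrack_tcp_loose=0"
    for port in "$@"; do
        # Never allocate a conntrack entry for a bare SYN: a spoofed flood
        # then costs no state on this node
        echo "iptables -t raw -A PREROUTING -d $vip -p tcp --dport $port --syn -j CT --notrack"
        # Untracked SYNs and INVALID ACKs go to SYNPROXY, which answers with
        # a SYN cookie and only opens the origin connection once the client
        # proves liveness by completing the handshake
        echo "iptables -A FORWARD -d $vip -p tcp --dport $port -m conntrack --ctstate INVALID,UNTRACKED -j SYNPROXY --sack-perm --timestamp --wscale 7 --mss 1460"
    done
    # Anything still INVALID after SYNPROXY is flood residue
    echo "iptables -A FORWARD -d $vip -m conntrack --ctstate INVALID -j DROP"
    echo "iptables -A FORWARD -o gre0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
}

# synproxy_rule_count PORT... : how many SYNPROXY rules the generator emits
synproxy_rule_count() {
    emit_node_config 192.0.2.10 198.51.100.5 203.0.113.7 "$@" | grep -c 'j SYNPROXY'
}

emit_node_config 192.0.2.10 198.51.100.5 203.0.113.7 80 443
```

Because SYNPROXY keeps no per-SYN state, a spoofed SYN flood only costs this node CPU, and the origin never sees a connection that did not complete the handshake; application-level floods still need the IP limiting the post mentions.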
hero member
Activity: 826
Merit: 504
September 11, 2016, 11:52:37 AM
#16
Changing passwords does not help if your forum represents swiss cheese.

You know, I have been on this forum for a long, long time. I have yet to be scammed or get hacked by another Bitcointalk user, and there have been plenty of opportunities for that (Can't go into detail about it though). Some people are just unlucky, that's all.
sr. member
Activity: 412
Merit: 251
September 11, 2016, 07:55:29 AM
#15
You should always change your password once in a while. That way, if someone is trying to brute force into your account, you will keep them out.

A DDoS will not allow the hacker to see your password. In fact, it locks the hacker out as much as it locks you and me out.
newbie
Activity: 8
Merit: 0
September 11, 2016, 06:48:27 AM
#14
As mentioned above, a DDoS attack, by itself does not do anything to compromise data. Although I understand that DDoS attacks are sometimes used as a distraction to prevent/delay detection of a more serious breach. I am confident that if there was a breach that theymos would be able to quickly detect it and take corrective action.

I am curious to know what happens when someone attempts to access the forum from behind the GFW during times of DDoS attacks, especially when it is non-obvious that the request is coming from a VPN/VPS, and especially when the request appears to be from what could be "high value" potential hacking targets.

Can you reply to the question of this post?

Quoting the question:
Quote
bitcointalk.org, are you hacked or not? How many times have you been hacked since Jan/1/2016?

Changing passwords does not help if your forum represents swiss cheese.
copper member
Activity: 2870
Merit: 2298
September 11, 2016, 01:00:29 AM
#13
As mentioned above, a DDoS attack, by itself does not do anything to compromise data. Although I understand that DDoS attacks are sometimes used as a distraction to prevent/delay detection of a more serious breach. I am confident that if there was a breach that theymos would be able to quickly detect it and take corrective action.

I am curious to know what happens when someone attempts to access the forum from behind the GFW during times of DDoS attacks, especially when it is non-obvious that the request is coming from a VPN/VPS, and especially when the request appears to be from what could be "high value" potential hacking targets.
legendary
Activity: 1526
Merit: 1179
September 10, 2016, 04:40:01 PM
#12
There is no real point in asking whether or not we should change our password when you can do it directly yourself if you have an unsafe feeling about the security of your account.