Bitcoin Forum
August 17, 2022, 05:25:52 AM *
  Show Posts
2281  Other / Meta / Re: Was the forum database modified? on: May 26, 2015, 08:06:49 PM
Nothing was taken from the compromised server except the database. Backups were used for the code and configuration. Some moderators and I checked (partly manually and partly automatically) the differences between the backed up database and the live database and found no backdoors or anything obvious wrong. It is possible that the content of some posts and things were modified, though I don't think so.
2282  Other / Meta / Re: no email to reset the password on: May 26, 2015, 08:30:07 AM
received 1 email at 7AM (dunno what GMT)

followed the link in the email

chose the new password, reinsert for verification

i get this:
An Error Has Occurred!
Invalid activation code

Try it again.
2283  Other / Meta / Re: no email to reset the password on: May 26, 2015, 08:28:51 AM
I just sent half a million "change your password" emails, so a lot of email providers aren't too happy with me. Emails might be delayed for a few days, and when they finally do get delivered they'll probably end up in your spam folder.
2284  Other / Meta / Re: Slow forum on: May 26, 2015, 02:50:48 AM
I'm still working on getting everything settled in. If it's still slow in a week then maybe better hardware will be needed.
2285  Other / Meta / Re: The New Altcoin Board Placement is Elegant and Understated. :) on: May 26, 2015, 02:47:25 AM
That's a bug. The categories keep moving around, I'd guess because SMF is relying on undefined MySQL behavior that I messed up by switching to a different version of MySQL. I will fix it in the near future.
2286  Other / Meta / Re: theymos is a government agent | do not use this forum it is honeypot on: May 26, 2015, 01:51:46 AM
OP: That's not me.

Another hacked / modified account... was the DB even checked?

Cøbra's account was not hacked/modified. As far as I can tell, there were no modifications to the database.
2287  Other / Meta / Re: Post here if your account was *NOT* hacked on: May 26, 2015, 01:45:50 AM
Hash: SHA256

My account isn't compromised.

2288  Other / Meta / Re: About the recent server compromise on: May 25, 2015, 04:43:38 PM
If our account still gets compromised, are you still able to revert permissions back with a PGP btc address to confirm user?

Yes. I also have a database snapshot from a little before the attack which I can use to verify people by email if necessary.
2289  Other / Meta / Re: About the recent server compromise on: May 25, 2015, 04:20:02 PM
I guess the password changes which were done yesterday (when the forum came online for a few hours) were reverted back, cause I changed my password yesterday but I had to use my previous password to login today. Idk why was it done.

Right, you should change your password again.

Also, is it just me or the forum looks plain to everyone? Like I am not able to identify what has changed but the layout looks a bit flat.

Your eyes got used to looking at other websites besides this one.
2290  Other / Meta / Re: New HTTPS keys on: May 25, 2015, 02:54:22 PM
Hash: SHA256

Exponent: 65537 (0x10001)

2291  Other / Meta / About the recent server compromise on: May 25, 2015, 02:39:49 PM
On May 22 at 00:56 UTC, an attacker gained root access to the forum's server. He then proceeded to try to acquire a dump of the forum's database before I noticed this at around 1:08 and shut down the server. In the intervening time, it seems that he was able to collect some or all of the "members" table. You should assume that the following information about your account was leaked:
- Email address
- Password hash (see below)
- Last-used IP address and registration IP address
- Secret question and a basic (not brute-force-resistant) hash of your secret answer
- Various settings

As such, you should change your password here and anywhere else you used that same password. You should disable your secret question and assume that the attacker now knows your answer to your secret question. You should prepare to receive phishing emails at your forum email address.

While nothing can ever be ruled out in these sorts of situations, I do not believe that the attacker was able to collect any personal messages or other sensitive data beyond what I listed above.

Passwords are hashed with 7500 rounds of sha256crypt. This is pretty good, but certainly not beyond attack. Note that even though SHA-256 is used here, sha256crypt is different enough from Bitcoin's SHA-256d PoW algorithm that Bitcoin mining ASICs almost certainly cannot be modified to crack forum passwords.

I will now go into detail about how well you can expect your password to fare against a determined attacker. However, regardless of how strong your password is, the only prudent course of action is for you to immediately change your password here and everywhere else you used it or a similar password.

The following table shows how long it will take on average for a rather powerful attacker to recover RANDOM passwords using current technology, depending on the password's alphabet and length. If your password is not completely random (ie. generated with the help of dice or a computer random number generator), then you should assume that your password is already broken.

It is not especially helpful to turn words into leetspeak or put stuff between words. If you have a password like "w0rd71Voc4b", then you should count that as just 2 words to be safe. In reality, your extra stuff will slow an attacker down, but the effect is probably much less than you'd think. Again, the times listed in the table only apply if the words were chosen at random from a word list. If the words are significant in any way, and especially if they form a grammatical sentence or are a quote from a book/webpage/article/etc., then you should consider your password to be broken.

Estimated time (conservative) for an attacker to break randomly-constructed passwords with current technology

s=second; m=minute; h=hour; d=day; y=year; ky=1000 years; My=1 million years

Password length  a-z  a-zA-Z  a-zA-Z0-9  <all standard>
              8    0      3s        12s              2m
              9    0      2m        13m              3h
             10   8s      2h        13h             13d
             11   3m      5d        34d              1y
             12   1h    261d         3y            260y
             13   1d     37y       366y            22ky
             14  43d   1938y       22ky             1My
             15   1y   100ky        1My           160My
         1 word  0
        2 words  0
        3 words  0
        4 words  3m
        5 words  19d
        6 words  405y
        7 words  3My

Each password has its own 12-byte random salt, so it isn't possible to attack more than one password with the same work. If it takes someone 5 days to recover your password, that time will all have to be spent on your password. Therefore, it's likely that only weak passwords will be recovered en masse -- more complicated passwords will be recovered only in targeted attacks against certain people.

If your account is compromised due to this, email from the email that was previously associated with your account.

For security reasons, I deleted all drafts. If you need a deleted draft, contact me soon and I can probably give it to you.

A few people might have broken avatars now. Just upload your avatar again to fix it.

Unproxyban fee processing isn't working right now. If you want to register and you can't, get someone to post in Meta for you and you'll be whitelisted.

Searching is temporarily disabled, though it won't be disabled for as long as last time because I improved the reindexing code.

If you changed your password in the short time when the forum was online a little over a day ago, the change didn't stick. You'll have to change it again.

How the compromise happened:

The attacker was able to acquire KVM access credentials for the server. The investigation into how this was possible is still ongoing, so I don't know everything, and I don't yet want to publish everything that I do know, but it seems almost certain that it was a problem on the ISP's end.

After he got KVM access, the attacker convinced the ISP NFOrce that he was me (using his KVM access as part of his evidence) and said that he had locked himself out of the server. So NFOrce reset the server's root password for him, giving him complete access to the server and bypassing most of our carefully-designed security measures. I originally assumed that the attacker gained access entirely via social engineering, but later investigation showed that this was probably only part of the overall attack. As far as I know, NFOrce's overall security practices are no worse than average.

To reduce downtime and avoid temporarily-broken features, I was originally going to stay in NFOrce's data center. However, some things made me suspicious and I moved everything elsewhere. That's where the extra day+ of downtime came from after a short period of uptime. No additional data was leaked.

The forum will pay up to 15 XAU (converted to BTC) for information about the attacker's real-world identity. Exact payment amounts will depend on the quality and usefulness of information as well as what information I've already acquired, but if for example you're the first person to contact me and your info allows me to successfully prosecute this person, then you will get the full 15 XAU. You need to actually convince me that your info is accurate -- just sending me someone's name is useless.

The attacker used the following IPs/email:
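Added example, not part of theymos's post: a toy model of the point made above about per-password salts, namely that an attacker cannot test one guess against every leaked hash at once. The KDF below is a stand-in iterated SHA-256 with a 7500-iteration cost, not the real sha256crypt construction (that is the `$5$` crypt scheme, available for instance via passlib's `sha256_crypt`); the usernames, passwords, wordlist and 12-byte salts are constructed here for the demonstration.

```python
import hashlib
import secrets

ROUNDS = 7500   # same round count the post gives for the forum's sha256crypt


def slow_hash(password: bytes, salt: bytes, rounds: int = ROUNDS) -> bytes:
    """Stand-in for sha256crypt: NOT the real algorithm, only its cost model
    (one guess costs `rounds` SHA-256 calls and the output is bound to the salt)."""
    h = hashlib.sha256(salt + password).digest()
    for _ in range(rounds - 1):
        h = hashlib.sha256(h + salt + password).digest()
    return h


def make_record(password: bytes, salt: bytes):
    """What the leaked members table would hold for one user: (salt, hash)."""
    return (salt, slow_hash(password, salt))


def dictionary_attack(records, wordlist):
    """records: list of (salt, digest). Returns ({record_index: password}, kdf_calls).

    Each guess is hashed once per distinct salt and compared against every record
    that shares that salt, so the work is len(wordlist) * number_of_distinct_salts.
    With no salt (or one shared salt) that is one KDF call per word for the whole
    table; with a random salt per user it is one call per word per user."""
    by_salt = {}
    for idx, (salt, digest) in enumerate(records):
        by_salt.setdefault(salt, []).append((idx, digest))
    found, calls = {}, 0
    for word in wordlist:
        for salt, targets in by_salt.items():
            calls += 1
            guess = slow_hash(word, salt)
            for idx, digest in targets:
                if guess == digest:
                    found[idx] = word
    return found, calls


# Constructed sample data: three users, two of whom share a weak password.
USERS = [(b"alice", b"password1"), (b"bob", b"password1"), (b"carol", b"correct horse")]
WORDLIST = [b"123456", b"password", b"password1", b"qwerty", b"letmein"]


def demo(salted: bool):
    """Run the attack against USERS with either no salt or a 12-byte random salt each."""
    salts = [secrets.token_bytes(12) if salted else b"" for _ in USERS]
    records = [make_record(pw, s) for (_, pw), s in zip(USERS, salts)]
    return dictionary_attack(records, WORDLIST)


if __name__ == "__main__":
    for salted in (False, True):
        found, calls = demo(salted)
        who = sorted(USERS[i][0].decode() for i in found)
        print(f"salted={salted}: cracked {who} with {calls} KDF calls")
```

The unsalted run cracks alice and bob with five KDF calls (one per word); the salted run cracks the same two accounts but needs fifteen, and the multiplier grows with the number of users in the table. That is the sense in which only weak passwords get recovered en masse: strong ones cost the full table-entry price each, per target.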
2292  Other / Meta / Re: Minor trust score algorithm change on: May 20, 2015, 08:07:42 PM
In situations like TECSHARE's, you can (if you trust TECSHARE and disagree with Vod) post an additional positive rating responding to whatever Vod said. This will counteract Vod's negative rating.

The meaning of having "green" trust is now diminished and will be similar to what was previously the meaning of having black positive trust. 

Oh, good point. I changed it so that you have dark green trust if your score is 5 and dark green if your score is 15.
2293  Other / Meta / Re: Minor trust score algorithm change on: May 20, 2015, 07:21:38 PM
It looks like no matter what if the last feedback you receive is negative then you will either have a ??? trust score or a negative score.

Correct. Your trust network is assumed to consist of people who are basically reasonable. So if any trusted ratings are negative (which means "this person is probably a scammer, watch out!"), then this should be taken very seriously. That's why a single negative rating can easily cause a loss of 100+ trust points in this new algorithm. And if the most recent rating is negative, then this is a strong indicator that the person may have been running a long con which has turned into a full-blown scam.

If anyone is abusing this by reposting negative trust unnecessarily or giving out negative trust too easily, then you should remove them from your trust network.

@theymos what is the thinking behind increasing the numbers? It makes changes too much. Was it to increase the strength of DefaultTrust?

You'll get used to the larger numbers. DefaultTrust doesn't get any sort of advantage as far as I can tell.
2294  Other / Meta / Re: Minor trust score algorithm change on: May 20, 2015, 06:57:19 PM
??? is a valid score in the new algorithm.

Doesn't that mean if someone receives a positive and a negative rating, they'll go negative if the negative is newer?

If someone has 1 positive and 1 negative, then the time doesn't matter. They'll have a score of -1.

Old -> New
+ - : -1
- + : -1
+ + - : ???
+ - + : 0
- + + : 1
+ + + : >=3
- - + : -3
+ - - : -3
- - - : -8

That seems like quite an extreme decay, ratings after 10 months are worthless? Its going to lead to a lot of reposted ratings to refresh them.

There is no decay. Ratings grow in weight from 1 to 10, then stay at 10 forever. (If the rated person has no negatives.)
2295  Other / Meta / Minor trust score algorithm change on: May 20, 2015, 06:23:29 PM
The trust score numbers are now slightly different:
- The first number is the trust score.
- The second number is the number of unique users who have given that person negative feedback.
- The third number is the number of unique users who have given that person positive feedback.
- The fourth number was removed.

I also completely changed the trust score algorithm to this:
if there are no negative ratings
    score = 0
    for each rating, oldest to newest
        if this rater has already been counted
            continue
        score += min(10, round_up(months since rating))
else
    score = unique_positive - 2^(unique_negative)
    if score >= 0
        start_time = time of first negative
        score = unique_positive since start_time - unique_negative since start_time
        if(score < 0)
            return ??? (orange)

move score to range [-9999,9999]
return score

This algorithm is a little slower than the previous one. Post here if you think you see extra slowness due to this change. Maybe I need to add extra caching to compensate.

Also post here if someone has a trust score that seems wrong.

I was going to change it so that everyone with 0 trust had orange trust, but I decided that this looked bad and changed it back.
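Added illustration, not theymos's code: a Python implementation of the algorithm above, checked against the "+ - +"-style examples given in the replies earlier on this page. Rater names and rating ages are constructed sample data; in `score_from_pattern` each symbol is a distinct rater, the leftmost symbol is the oldest rating, and consecutive ratings are one month apart. Treating a rating under a month old as one month (ceil) is my reading of "round_up".

```python
import math
from dataclasses import dataclass
from typing import Iterable, Union

ORANGE = "???"   # the orange "???" score described in the post


@dataclass(frozen=True)
class Rating:
    rater: str         # who left the rating; one rater may rate the same person repeatedly
    positive: bool
    months_ago: float  # age of the rating in months, > 0 (constructed sample data)


def trust_score(ratings: Iterable[Rating]) -> Union[int, str]:
    """Trust score as described in the post.

    No negatives: each unique rater's oldest rating is worth 1..10 points,
    growing with age and capped at 10.
    Any negative: unique_positive - 2**unique_negative; if that is still >= 0,
    recount only ratings since the first negative, and a negative result there
    is the orange ??? score instead of a number."""
    ordered = sorted(ratings, key=lambda r: r.months_ago, reverse=True)  # oldest first
    negatives = [r for r in ordered if not r.positive]

    if not negatives:
        score = 0
        counted = set()
        for r in ordered:
            if r.rater in counted:       # only a rater's oldest rating counts
                continue
            counted.add(r.rater)
            score += min(10, math.ceil(r.months_ago))   # weight grows 1..10, then stays 10
    else:
        unique_pos = len({r.rater for r in ordered if r.positive})
        unique_neg = len({r.rater for r in negatives})
        score = unique_pos - 2 ** unique_neg
        if score >= 0:
            start = negatives[0].months_ago   # time of the first (oldest) negative
            pos_since = len({r.rater for r in ordered
                             if r.positive and r.months_ago <= start})
            neg_since = len({r.rater for r in negatives if r.months_ago <= start})
            score = pos_since - neg_since
            if score < 0:
                return ORANGE

    return max(-9999, min(9999, score))   # move score to range [-9999, 9999]


def score_from_pattern(pattern: str) -> Union[int, str]:
    """Constructed helper for the thread's "+ - +" notation: each symbol is a
    distinct rater, leftmost is oldest, ratings one month apart."""
    symbols = pattern.split()
    n = len(symbols)
    ratings = [Rating(rater=f"user{i}", positive=(s == "+"), months_ago=float(n - i))
               for i, s in enumerate(symbols)]
    return trust_score(ratings)


if __name__ == "__main__":
    for p in ["+ -", "- +", "+ + -", "+ - +", "- + +", "+ + +", "- - +", "+ - -", "- - -"]:
        print(f"{p:8} -> {score_from_pattern(p)}")
```

The nine patterns reproduce the "Old -> New" list from the reply above (the "+ + +" case comes out as 6 with these ages, consistent with the stated ">=3"). Two consequences worth noticing in code: a second rating from the same rater is ignored entirely in the no-negatives branch, and because of the `2**unique_neg` term fourteen distinct negative raters already push the raw score past -9999, where the clamp takes over.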
2296  Other / Meta / Re: Something's wrong with BCT on: May 20, 2015, 06:18:47 PM
I was changing something. It should be fixed now. Nothing to worry about.
2297  Economy / Scam Accusations / Re: MRKLYE is a scammer, scammed 20 BTC and yet has GREEN trust, FIX! on: May 20, 2015, 05:05:12 AM
People with the same trust lists can sometimes see different trust scores due to caching. Whenever your trust network (ie, the list of everyone whose ratings you trust) is calculated, this result is cached for a few hours, and the cache doesn't get invalidated even if people on your trust list update their trust lists. You can force your trust network to be recalculated by clicking "update" on the trust settings page.

Also, the trust score algorithm is pretty bad in general, so it often doesn't make much sense.
2298  Other / Meta / Re: Time limits problem on: May 20, 2015, 04:36:52 AM
In my experience, the 360 second limit is reset any time, any account performs an action from a particular IP address.
Additionally, I believe that you can get around the 360 second limit by switching IP addresses

That's how stock SMF handles it, but I fixed this some time ago.
2299  Other / Meta / Re: Time limits problem on: May 20, 2015, 03:41:29 AM
You must have been doing something to reset the limit. Searching, reporting, etc. Your IP doesn't matter for that once you're logged in.
2300  Other / Meta / Re: Why don't I get an error message while messaging/trusting myself? on: May 17, 2015, 06:40:38 PM
It's useful if you want to send yourself a note.

Adding yourself to your trust list is harmless, so I didn't prevent it.