Bitcoin Forum
May 09, 2024, 09:50:15 PM *
  Show Posts
Pages: « 1 2 3 4 5 6 7 8 9 10 [11] 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 ... 158 »
201  Other / Meta / Re: [CENSORSHIP] Matthew N. Wright on: November 11, 2013, 10:25:01 PM
This is complete and utter bullshit and just paints all you mods who are trying to White Knight for Theymos as scummy sycophants. You can't ban someone for trolling and leave Crumbs to post. That proves beyond a shadow of a doubt that the ban is not for trolling, which makes the ban for personal reasons.
Since I was the one to initially put in the request, I feel that I can disclose this. Crumbs has already been temp banned in the past and is currently on the chopping block for a permanent ban.
202  Other / Meta / Re: Moderators call on: November 11, 2013, 09:41:29 PM
If you can show extremely strong proof that this is an extortionist and that the guy is lying, I will remove any post that even hints that he looks down on something. The bar for me to do this is higher than the bar for proving libel in the U.S., so keep that in mind. There must be evidence that he is lying and that he is doing so with a malicious intent.
203  Economy / Lending / Re: CoinLenders Script :: Bitcoin Bank (Borrow+Deposit) Software :: Demo Available on: November 11, 2013, 09:03:59 PM
The hack was not an inside job. I find people who accuse that insulting.

The mere fact that you were using Linode is a definitive proof that it was an inside job.

It is a well known fact that virtual private servers are not secure enough to host Bitcoin wallets.

Moreover, Bitcoinica was hacked via Linode: http://bitcoin.stackexchange.com/questions/3629/what-is-the-story-behind-the-linode-problem

https://bitcointalk.org/index.php?topic=66979.0

Obviously, you knew about that, so you used Linode as a convenient disguise for an inside job.

There are two possibilities: either you're a complete moron who ignored a well-known attack, which was already demonstrated a couple of times; or it was an inside job.

Is this insulting? Well, you stole money from people, you deserve to be insulted.
Absolutely agreed. Using Linode, which has been compromised on many occasions by their own technicians, goes beyond incompetence. You really have to wonder if this hack was intentional.
204  Other / Meta / Re: DefaultTrust is BAD. Very bad. on: October 28, 2013, 08:47:23 PM
i.e. I can't leave a negative feedback to someone in that list, because if he'll retaliate (and he'd likely do, if he deserved the negative feedback in the first place) I'll be labeled as untrustworthy for most users, who likely don't know or care how to setup trust properly.
If that happened, that person would not remain on the DefaultTrust list for very long. People who are on DefaultTrust have to be very careful with the ratings they give, because a single bad rating could result in them being dropped from the list. Theymos has dropped people from the list on several occasions for much less than what you are describing.
205  Other / Meta / Re: Psychology of Betting High on Forum Ads on: October 09, 2013, 06:19:37 PM
What are the requirements for being a mod?  Smiley
Make a bunch of accurate reports of things that violate our policies (which, for the most part, our policies boil down to staying on topic and posting topics in the correct board). Keep doing that and wait until we need an additional moderator. Theymos will then select people from the topish of the list (he will check your posting history and such to make sure that you're a good person, so being at the top of the list isn't everything). He will usually start you off on a single board. If you do well there and keep reporting posts elsewhere, he'll make you a global mod when we have a need for one.
206  Other / Beginners & Help / Re: 4 hours 1 post Newbie on: October 08, 2013, 06:58:37 PM
Sadly, the ability for new people since the hack to post in the main forum has been disabled until the script that upgrades accounts can be reviewed for security and backdoors.
207  Other / Meta / Re: Site activity is not updating ! on: October 08, 2013, 06:31:02 PM
I'm guessing it has something to do with not all functionality being enabled on the site right now.
Exactly. The script that updates activity is currently not active, pending a code review. It was either disable things like this, or keep the forum down until they could all be checked.
208  Other / Meta / Re: Attackers had backdoor code in the forum for the last 2 years? on: October 08, 2013, 06:22:10 PM
I wonder how far back do the backups go?
Satoshi's might go back further, but we believe that the oldest backup we have is from August 2011. There is no evidence that we were hacked prior to September 3, 2011. Therefore, the database from that backup shouldn't have been tampered with. I personally have a copy of this.

Automatic daily backups started in February, 2012. Most, if not all, of these backups have a timestamped SHA-256 hash recorded by me. Therefore, even though I personally only keep a small percentage of the backups, I can still verify that the backup wasn't modified. At some point, an MD5 hash was added on the server side. This was additionally recorded by me, although anyone with copies of the database probably has it as well. Unlike me (because, for me as a non-admin, the database is only useful for disaster recovery), theymos keeps the vast majority of these backups.
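The backup-verification routine described in the post above, as an added example (not code from the forum or from the poster): a manifest of timestamped SHA-256 digests recorded off-server, with the later server-side MD5 kept only as a secondary cross-check, and a verify step that detects a modified copy. The dump contents, file names and dates are constructed for the example.

```python
"""Added example: recording and checking hashes of database backups."""
import hashlib
import hmac
from datetime import datetime, timezone


def digest_backup(data: bytes) -> dict:
    """The two digests the post mentions: SHA-256 (recorded by hand) and MD5 (added server-side)."""
    return {
        "sha256": hashlib.sha256(data).hexdigest(),
        "md5": hashlib.md5(data).hexdigest(),
    }


def record(manifest: dict, name: str, data: bytes, when: datetime) -> dict:
    """Append an entry for one backup; the manifest is what you keep off the server."""
    entry = {"recorded_at": when.isoformat(), **digest_backup(data)}
    manifest[name] = entry
    return entry


def verify(manifest: dict, name: str, data: bytes) -> tuple[bool, str]:
    """Check a retrieved copy against the recorded entry.

    SHA-256 is the authoritative check. MD5 is only a consistency check on
    the manifest itself: MD5 collisions are cheap to construct, so a matching
    MD5 on its own proves nothing. Comparisons use hmac.compare_digest so
    they do not short-circuit on the first differing byte.
    """
    entry = manifest.get(name)
    if entry is None:
        return False, "no recorded hash for this backup"
    actual = digest_backup(data)
    if not hmac.compare_digest(actual["sha256"], entry["sha256"]):
        return False, "sha256 mismatch: copy was modified or is not the one recorded"
    if not hmac.compare_digest(actual["md5"], entry["md5"]):
        return False, "sha256 matches but md5 does not: manifest entry is inconsistent"
    return True, f"matches hashes recorded at {entry['recorded_at']}"


# Constructed sample data standing in for two daily dumps and the manifest.
MANIFEST: dict = {}
DUMP_A = b"INSERT INTO smf_members VALUES (1,'alice','...');\n"
DUMP_B = DUMP_A + b"INSERT INTO smf_members VALUES (2,'bob','...');\n"
record(MANIFEST, "backup-2012-02-01.sql", DUMP_A, datetime(2012, 2, 1, tzinfo=timezone.utc))
record(MANIFEST, "backup-2012-02-02.sql", DUMP_B, datetime(2012, 2, 2, tzinfo=timezone.utc))


def demo() -> dict:
    """Verify an intact copy, a copy where one row was rewritten, and a file with no record."""
    tampered = DUMP_B.replace(b"'bob'", b"'mallory'")
    return {
        "intact": verify(MANIFEST, "backup-2012-02-02.sql", DUMP_B)[0],
        "tampered": verify(MANIFEST, "backup-2012-02-02.sql", tampered)[0],
        "unrecorded": verify(MANIFEST, "backup-2011-08-01.sql", DUMP_A)[0],
    }


if __name__ == "__main__":
    for name, entry in MANIFEST.items():
        print(name, entry)
    print(demo())
```

The value of the scheme is that the manifest is small enough to keep somewhere the server cannot reach; a backup you do not personally hold can still be checked years later by anyone who obtains a copy.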
209  Other / Meta / Re: About the recent attack on: October 08, 2013, 05:52:33 PM
Because it will be fixed if you reveal it and you lose access.

Not if you've got more than the backdoor you revealed.
You would have to have an additional whole SMF exploit to safely reveal your access, because when backdoors are suspected, people usually sanitize everything - just as we did here. Not even a backdoor embedded in the BIOS would have survived the cleanup that theymos did, since we completely changed hardware and rebuilt everything from the ground up. A backdoor in the database might still exist, but theymos looked pretty hard for those. So, other than that, the only way this guy is getting back in is if he has an exploit that anyone could have found.

The backdoor is specific to the forum. It's probably something as simple as eval() with certain arguments passed in obscure and unintended methods.
Probably...
210  Bitcoin / Important Announcements / Re: About the recent attack on: October 07, 2013, 10:00:49 PM
Besides a password, a user profile also has a secret question that alone can be used to reset a password and takeover an account. Secret questions are also hashed; a simple or short answer may be easily obtained by a database leak from brute force cracking. Besides resetting passwords, users should also reset the secret question and ensure that it is as difficult in length and complexity as a secure password would be.

Users should reset their password on any other service where they may have reused the same password (and take the advice to not reuse passwords). Other information that cannot be guaranteed to be uncompromised includes email addresses associated with user names, or the contents of any PMs now or in the past. Understand that although not reported yet, a leak of email addresses may result in any number of attempts at phishing for information, scams, or computer infection by attachment or web links. Changing the email address associated with your user account will allow you to more easily discern scam attempts from legitimate forum communication and notices.

Of course best is if you had treated PMs as non-private to start with, along with using a unique email address and a unique forum password over 16 characters long...:

You should PM me an email address to send the private key, preferably one where you use pop3/smtp, not webmail. Having the private key means someone would have access to any bitcoins in that address, so you don't want them stored on a webmail or forum message database where curious eyes might snoop. Generating your own is even better than letting an internet stranger make you an address.

Of course, if you send me your pgp public key, I could encrypt the email too (or even post it anywhere and only you could decrypt the contents). Getting pgp or gnupg set up would be a good newbie task to learn about encryption...

(Thanks to deepceleron for this addition!)
211  Other / Meta / Re: About the recent attack on: October 07, 2013, 09:47:20 PM
In my opinion the forum software cannot be considered secure until a completely fresh version of SMF has been installed. The database doesn't need to be reset but the files need to be re-installed. If every single line of code cannot be reviewed carefully then that is what needs to happen.
My understanding is that that's exactly what we did. We even moved to different hardware. Hence why it took several days for us to return.
I read that we moved to different hardware, but it didn't seem like the forum was re-installed using fresh files based on what was written.
Theymos reviewed a diff between the files from a fresh SMF install and our setup. Therefore, we effectively reinstalled and re-applied our modifications. Theymos then went on to do a full code review and only re-enabled the absolute minimum functionality for the forum to operate.

If you had access to the moderation tools, you'd realize just how much is missing...
212  Other / Meta / Re: About the recent attack on: October 07, 2013, 09:10:08 PM
Quote
Because the backdoors were first planted in late 2011, the database could have been secretly accessed any time since then.
The attacker could have potentially made a lot of money by monitoring our personal messages and getting insider information. I'm sure a lot of people on this forum send important information to each through the PM system, and don't take the time to encrypt it or secure it in any way.
I'm pretty sure that they did.
In my opinion the forum software cannot be considered secure until a completely fresh version of SMF has been installed. The database doesn't need to be reset but the files need to be re-installed. If every single line of code cannot be reviewed carefully then that is what needs to happen.
My understanding is that that's exactly what we did. We even moved to different hardware. Hence why it took several days for us to return.
213  Other / Meta / Re: I will upload my own picture (In profile) disabled? on: October 07, 2013, 06:12:45 PM
Many features have been temporarily disabled as a result of the hack pending a code review. As we review the code for security holes, features will be re-enabled.
214  Other / Meta / Re: Change username? on: October 07, 2013, 05:43:45 PM
Hello can I change my username here to "samulak"

That is same as my bitmit.net username
https://www.bitmit.net/en/user/samulak

and my web-otc username is same

I registered here under my common forum "nickname" long ago
Contact theymos with this request. While you are allowed to make a new account, for your sake I would suggest just renaming this one so that you don't have to start over.
215  Other / Meta / Re: WOOOOHOOOOO - Bitcointalk.Org Is Back! on: October 07, 2013, 07:25:27 AM
Welcome back! It would be nice to have a sticky explaining what happened (and if any sensitive data has leaked) and what has been done to solve the problem.. nice to be here again Smiley
It's not a sticky, but there's a thread about it in Meta:
https://bitcointalk.org/index.php?topic=306878.0

Great, thanks a lot Maged! Maybe it would be good to have it more visible but... as you like!! Cheers
Yeah, I realized that and cross-posted it to Important Announcements.
216  Other / Meta / Re: About the recent attack on: October 07, 2013, 07:23:51 AM
Was the javascript they entered in the forums harmful? I'd like to know more about that.
No, we determined that it was merely fun and completely harmless. We lucked out big time...
217  Bitcoin / Important Announcements / About the recent attack on: October 07, 2013, 07:14:23 AM
On October 3, it was discovered that an attacker inserted some JavaScript into forum pages. The forum was shut down soon afterward so that the issue could be investigated carefully. After investigation, I determined that the attacker most likely had the ability to execute arbitrary PHP code. Therefore, the attacker probably could have accessed personal messages, email addresses, and password hashes, though it is unknown whether he actually did so.

Passwords were hashed very strongly. Each password is hashed with 7500 rounds of sha256crypt and a 12-byte random salt (per password). Each password would need to be individually attacked in order to retrieve the password. However, even fairly strong passwords may be crackable after a long period of time, and weak passwords (especially ones composed of only a few dictionary words) may still be cracked quickly, so it is recommended that you change your password here and anywhere else you used the password.

The attacker may have modified posts, PMs, signatures, and registered Bitcoin addresses. It isn't practical for me to check all of these things for everyone, so you should double-check your own stuff and report any irregularities to me.

How the attack was done

I believe that this is how the attack was done: After the 2011 hack of the forum, the attacker inserted some backdoors. These were removed by Mark Karpelles in his post-hack code audit, but a short time later, the attacker used the password hashes he obtained from the database in order to take control of an admin account and insert the backdoors back in. (There is a flaw in stock SMF allowing you to login as someone using only their password hash. No bruteforcing is required. This was fixed on this forum when the password system was overhauled over a year ago.) The backdoors were in obscure locations, so they weren't noticed until I did a complete code audit yesterday.

After I found the backdoors, I saw that someone (presumably the attacker) independently posted about his attack method with matching details. So it seems very likely that this was the attack method.

Because the backdoors were first planted in late 2011, the database could have been secretly accessed any time since then.

It was initially suspected by many that the attack was done by exploiting a flaw in SMF which allows you to upload any file to the user avatars directory, and then using a misconfiguration in nginx to execute this file as a PHP script. However, this attack method seems impossible if PHP's security.limit_extensions is set.

The future

The forum is now on a new server inside of a virtual machine with many extra security precautions which will hopefully provide some security in depth in case there are more exploits or backdoors. Also, I have disabled much SMF functionality to provide less attack surface. In particular, non-default themes are disabled for now.

I'd like to publish the forum's current code so that it can be carefully reviewed and the disabled features can be re-enabled. SMF 1.x's license prohibits publishing the code, though, so I will have to either upgrade to 2.x, get a special copyright exception from SMF, or do the auditing myself. During this investigation, a few security disadvantages to 2.x were brought to my attention, so I don't know whether I want to upgrade if I can help it. (1.x is still supported by SMF.)

Special thanks to these people for their assistance in dealing with this issue:
- warren
- Private Internet Access
- nerta
- Joshua Rogers
- chaoztc
- phantomcircuit
- jpcaissy
- bluepostit
- All others who helped

Code:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

As of October 7 2013, the Bitcoin Forum has been restored to bitcointalk.org.
-----BEGIN PGP SIGNATURE-----

iF4EAREIAAYFAlJSRF8ACgkQxlVWk9q1keemWgD/WcvrsikPq6AHpEo20KGmQInp
FlyAWNbX74z65KJrsUEBAIcCzYnHZ7gAs49mlhSq1fR9o2LZCETV3BJveCTu7lAi
=b9Xb
-----END PGP SIGNATURE-----
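Two points in the announcement above are easier to see in code: why stock SMF 1.x let an attacker "login as someone using only their password hash", and why the overhauled scheme (a 12-byte random salt per password and 7500 rounds) instead forces the attacker to crack every hash separately. The following is an added example, not code from the announcement, from SMF or from the forum. It rests on assumptions, labelled here and in the comments: the SMF 1.x model reflects how I understand its hashed-login form to work (stored hash = SHA-1 of lowercased username plus password; the browser submits SHA-1 of stored hash plus session code), whereas the post only states that the flaw exists; the overhauled side uses PBKDF2-HMAC-SHA256 from the standard library as a stand-in for sha256crypt, keeping the round count and salt size the post gives. Usernames, passwords and the wordlist are constructed.

```python
"""Added example: pass-the-hash in an SMF 1.x style login vs. per-password salted slow hashing."""
import hashlib
import hmac
import secrets

# ---- 1. Stock SMF 1.x style login (assumed model): the stored hash is a credential ----


def smf1_stored_hash(username: str, password: str) -> str:
    """Assumed SMF 1.x members-table value: unsalted SHA-1 of lowercased name + password."""
    return hashlib.sha1((username.lower() + password).encode()).hexdigest()


def smf1_login_token(stored_hash: str, session_code: str) -> str:
    """Assumed value the login page's JavaScript submits instead of the plaintext.

    It is derived from the stored hash alone, so anyone holding a dumped
    members table can produce it without knowing the password.
    """
    return hashlib.sha1((stored_hash + session_code).encode()).hexdigest()


def smf1_server_accepts(stored_hash: str, session_code: str, token: str) -> bool:
    """Server side: recompute the token from the stored hash and compare."""
    return hmac.compare_digest(smf1_login_token(stored_hash, session_code), token)


def pass_the_hash_demo() -> dict:
    user, password = "admin", "correct horse battery staple"
    stored = smf1_stored_hash(user, password)      # what a database leak hands the attacker
    session_code = secrets.token_hex(16)           # fresh per login attempt
    legit = smf1_login_token(smf1_stored_hash(user, password), session_code)  # knows the password
    attacker = smf1_login_token(stored, session_code)                         # knows only the hash
    return {
        "legit_user_accepted": smf1_server_accepts(stored, session_code, legit),
        "hash_only_attacker_accepted": smf1_server_accepts(stored, session_code, attacker),
    }


# ---- 2. Overhauled scheme: per-password salt, slow hash, plaintext required at login ----

ROUNDS = 7500      # from the announcement
SALT_BYTES = 12    # from the announcement


def new_hash(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256 stands in for sha256crypt (assumption); what matters here
    # is a random salt per password plus a tunable, deliberately slow round count.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ROUNDS)


def new_enroll(password: str) -> tuple[bytes, bytes]:
    salt = secrets.token_bytes(SALT_BYTES)
    return salt, new_hash(password, salt)


def new_server_accepts(record: tuple[bytes, bytes], password: str) -> bool:
    """The server needs the real password; the stored record alone cannot log in."""
    salt, digest = record
    return hmac.compare_digest(new_hash(password, salt), digest)


def crack(records: dict, wordlist: list) -> tuple[dict, int]:
    """Offline dictionary attack on leaked (salt, digest) records.

    Each record has its own salt, so one candidate costs one slow hash per
    account; no work is shared across accounts and no table can be precomputed.
    """
    found, work = {}, 0
    for user, (salt, digest) in records.items():
        found[user] = None
        for candidate in wordlist:
            work += 1
            if hmac.compare_digest(new_hash(candidate, salt), digest):
                found[user] = candidate
                break
    return found, work


def salted_demo() -> dict:
    records = {
        "weak": new_enroll("letmein"),                  # a dictionary word
        "strong": new_enroll("T7#qv9!LpZ2m@Rx4wK0e"),   # not in any wordlist
    }
    wordlist = ["123456", "password", "letmein", "qwerty", "bitcoin", "dragon"]
    found, work = crack(records, wordlist)
    return {
        # presenting the leaked digest as the password no longer works
        "record_alone_logs_in": new_server_accepts(records["weak"], records["weak"][1].hex()),
        "cracked": found,
        "slow_hashes_computed": work,   # 3 for "weak" + all 6 for "strong"
    }


if __name__ == "__main__":
    print(pass_the_hash_demo())
    print(salted_demo())
```

The first half is the reason a 2011 database dump was still a working credential in 2013 until the password system was overhauled: the scheme proves possession of the stored value, not of the password. The second half shows the trade the announcement describes: the leak still exposes weak passwords to a dictionary attack, but each guess costs a full slow hash for each account, so only short or dictionary-based passwords fall quickly.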
218  Other / Meta / Re: WOOOOHOOOOO - Bitcointalk.Org Is Back! on: October 07, 2013, 07:13:15 AM
Welcome back! It would be nice to have a sticky explaining what happened (and if any sensitive data has leaked) and what has been done to solve the problem.. nice to be here again Smiley
It's not a sticky, but there's a thread about it in Meta:
https://bitcointalk.org/index.php?topic=306878.0
219  Other / Meta / Re: forgot forum password on: October 07, 2013, 06:45:41 AM
Sadly, these usually end up in the spam folder...
220  Other / Meta / Re: Clarification as to the Reason why the Forum was down for ~5 Days on: October 07, 2013, 05:38:10 AM
That being said, it's not worse than before. For the last several months, the hackers had access to any account they pleased.

Since 2011.
Some of us were still out of the loop  Undecided