Bert
|
|
September 11, 2011, 05:53:08 PM |
|
Thanks for informing us of the issue (a lot of sites don't) and especially for the work involved in bringing the site back online.
|
Tip jar: 1BW6kXgUjGrFTqEpyP8LpVEPQDLTkbATZ6
|
|
|
Christian Pezza
Member
Offline
Activity: 154
Merit: 10
|
|
September 11, 2011, 06:01:57 PM |
|
thanks u
|
|
|
|
FAtlas
Newbie
Offline
Activity: 56
Merit: 0
|
|
September 11, 2011, 06:20:01 PM |
|
Why won't you bring back Cosby? Is it a racial thing?
|
|
|
|
w1R903
|
|
September 11, 2011, 06:46:16 PM |
|
I am surprised that everybody here is tossing out PHP-based solutions as alternatives to SMF. Why not save yourself a ton of security concerns and use a Python-based bulletin board? There are several reputable, mature, open source products available. I haven't used any of them personally but most of them use Django, so they would come with great security features out of the box like auto escaping all template content, with which you would not have been vulnerable to the vector used by this attacker. When you look at OWASP and other security organizations' evaluations of web frameworks, it's amazing how many vulnerabilities are found in PHP-based software, and how few are found in Python-based software. So if you decide to go with another solution, as opposed to upgrading SMF, why not give a Python-based bulletin board a try? Specific recommendation: pyForum http://www.pyforum.org/ It's based on web2py framework. I have used web2py and I highly recommend it. Migrating from SMF should not be terribly difficult for someone who understands databases.
|
4096R/F5EA0017
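The template auto-escaping that w1R903 points to, as an added worked example that is not code from this thread, from SMF, Django or pyForum: a toy template engine that HTML-escapes every substitution unless the template author marks it `|safe`, shown beside the raw string-concatenation rendering that lets stored markup execute, plus a parser-based check for injected event handlers. The "custom title" field, the user name and the payloads are constructed for illustration; the thread only says the vulnerable path required donator status and does not name the field.

```python
import html
import re
from html.parser import HTMLParser

# Constructed sample inputs (assumed field: a user-editable "custom title"
# shown next to every post; the original thread does not name the field).
BENIGN_TITLE = "Donator & friend of the forum"
ATTACK_TITLE = "<img src=x onerror=alert(document.cookie)>"   # element context
ATTR_ATTACK_TITLE = '" onmouseover="alert(1)'                   # attribute context


class AutoEscapeTemplate:
    """Tiny stand-in for a Django-style engine: every {{ name }} substitution is
    HTML-escaped; only an explicit {{ name|safe }} is emitted verbatim."""

    _TOKEN = re.compile(r"\{\{\s*(\w+)(\|safe)?\s*\}\}")

    def __init__(self, source: str) -> None:
        self.source = source

    def render(self, context: dict) -> str:
        def substitute(match: re.Match) -> str:
            value = str(context[match.group(1)])
            if match.group(2):  # |safe: the template author took responsibility
                return value
            # quote=True also escapes " and ', so the same call is correct inside
            # a quoted attribute value as well as in element content.
            return html.escape(value, quote=True)

        return self._TOKEN.sub(substitute, self.source)


POST_TEMPLATE = (
    '<div class="poster"><b>{{ name }}</b> '
    '<i class="title" title="{{ title }}">{{ title }}</i></div>'
)


def render_post_raw(name: str, title: str) -> str:
    """String concatenation: whatever the user stored is emitted as markup."""
    return (f'<div class="poster"><b>{name}</b> '
            f'<i class="title" title="{title}">{title}</i></div>')


def render_post_autoescaped(name: str, title: str) -> str:
    """Same output structure, but every substitution is escaped by default."""
    return AutoEscapeTemplate(POST_TEMPLATE).render({"name": name, "title": title})


def render_post_marked_safe(name: str, title: str) -> str:
    """Auto-escaping engine with the title explicitly marked |safe: this is the
    one way to get the raw behaviour back, and it has to be written on purpose."""
    template = POST_TEMPLATE.replace("{{ title }}", "{{ title|safe }}")
    return AutoEscapeTemplate(template).render({"name": name, "title": title})


class _HandlerFinder(HTMLParser):
    """Collects (tag, attribute) pairs for every on* event-handler attribute."""

    def __init__(self) -> None:
        super().__init__()
        self.handlers: list[tuple[str, str]] = []

    def handle_starttag(self, tag, attrs):
        for attr, _value in attrs:
            if attr.lower().startswith("on"):
                self.handlers.append((tag, attr))


def injected_handlers(rendered: str) -> list[tuple[str, str]]:
    """Parse the rendered HTML the way a browser would tokenize it and report any
    event-handler attributes. Our trusted templates use none, so any hit came
    from user data. Parsing (rather than a regex) avoids false positives on the
    escaped text '&lt;img ... onerror=' inside an attribute value."""
    finder = _HandlerFinder()
    finder.feed(rendered)
    finder.close()
    return finder.handlers


if __name__ == "__main__":
    for title in (BENIGN_TITLE, ATTACK_TITLE, ATTR_ATTACK_TITLE):
        for label, fn in (("raw", render_post_raw), ("escaped", render_post_autoescaped)):
            out = fn("alice", title)
            print(f"{label:8} handlers={injected_handlers(out)} {out}")
```

The check in `injected_handlers` is the detection-side half: run it over pages a CMS serves (or over stored profile fields rendered through the real template) and anything it reports is either an injection or a template that should not be using inline handlers in the first place.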
|
|
|
theymos (OP)
Administrator
Legendary
Offline
Activity: 5404
Merit: 13498
|
|
September 11, 2011, 06:54:27 PM Merited by PowerGlove (1) |
|
I don't know what the problem is with password changes. I tried passwords with many different special characters, and it always works.

> Simple question, besides it's beyond that other things that have been said in this thread. This one is @theymos directly: Would it have been so damn hard to take the forum down and insert a little static HTML page, indicating to users that the site was offline and being worked on?
> Actions like simply taking the forum offline hurt the confidence of people in bitcoin.

I don't have access to DNS and I lost ssh access after taking down the forum.

> Basically everything keeps getting hacked despite all our security discussion and almost always due to ridiculous negligences (yay, the bug in the forum was in the thing that modifies tags for donators, a thing added some weeks ago and guess what? hackable!)

It was not a bug in the donator code. Core SMF is always vulnerable to this, but because I had added additional restrictions for non-donators, the attacker had to be a donator to exploit it.
|
1NXYoJ5xU91Jp83XfVMHwwTUyZFK64BoAD
|
|
|
joepie91
|
|
September 11, 2011, 07:02:30 PM |
|
> I am surprised that everybody here is tossing out PHP-based solutions as alternatives to SMF. Why not save yourself a ton of security concerns and use a Python-based bulletin board? There are several reputable, mature, open source products available. I haven't used any of them personally but most of them use Django, so they would come with great security features out of the box like auto escaping all template content, with which you would not have been vulnerable to the vector used by this attacker. When you look at OWASP and other security organizations' evaluations of web frameworks, it's amazing how many vulnerabilities are found in PHP-based software, and how few are found in Python-based software. So if you decide to go with another solution, as opposed to upgrading SMF, why not give a Python-based bulletin board a try? Specific recommendation: pyForum http://www.pyforum.org/ It's based on web2py framework. I have used web2py and I highly recommend it. Migrating from SMF should not be terribly difficult for someone who understands databases.

Which means you're fucked if there's a vulnerability in Django. Tip: a language is just a language. PHP is a language, Python is a language, and it's ridiculous to even imply that something in a different language would somehow be magically more secure.
|
Like my post(s)? 12TSXLa5Tu6ag4PNYCwKKSiZsaSCpAjzpu I just can't wait for fall/winter. My furnace never generated money for me before. I'll keep mining until my furnace is more profitable.
|
|
|
kokjo
Legendary
Offline
Activity: 1050
Merit: 1000
You are WRONG!
|
|
September 11, 2011, 07:16:05 PM |
|
> > I am surprised that everybody here is tossing out PHP-based solutions as alternatives to SMF. Why not save yourself a ton of security concerns and use a Python-based bulletin board? There are several reputable, mature, open source products available. I haven't used any of them personally but most of them use Django, so they would come with great security features out of the box like auto escaping all template content, with which you would not have been vulnerable to the vector used by this attacker. When you look at OWASP and other security organizations' evaluations of web frameworks, it's amazing how many vulnerabilities are found in PHP-based software, and how few are found in Python-based software. So if you decide to go with another solution, as opposed to upgrading SMF, why not give a Python-based bulletin board a try? Specific recommendation: pyForum http://www.pyforum.org/ It's based on web2py framework. I have used web2py and I highly recommend it. Migrating from SMF should not be terribly difficult for someone who understands databases.
>
> Which means you're fucked if there's a vulnerability in Django. Tip: a language is just a language. PHP is a language, Python is a language, and it's ridiculous to even imply that something in a different language would somehow be magically more secure.

No, but the framework is better for handling fuck-ups.
|
"The whole problem with the world is that fools and fanatics are always so certain of themselves and wiser people so full of doubts." -Bertrand Russell
|
|
|
arsenische
Legendary
Offline
Activity: 1199
Merit: 1012
|
|
September 11, 2011, 07:17:30 PM |
|
> No, but the framework is better for handling fuck-ups.

PHP has plenty of frameworks.
|
|
|
|
phelix
Legendary
Offline
Activity: 1708
Merit: 1020
|
|
September 11, 2011, 08:22:23 PM |
|
> > > I am surprised that everybody here is tossing out PHP-based solutions as alternatives to SMF. Why not save yourself a ton of security concerns and use a Python-based bulletin board? There are several reputable, mature, open source products available. I haven't used any of them personally but most of them use Django, so they would come with great security features out of the box like auto escaping all template content, with which you would not have been vulnerable to the vector used by this attacker. When you look at OWASP and other security organizations' evaluations of web frameworks, it's amazing how many vulnerabilities are found in PHP-based software, and how few are found in Python-based software. So if you decide to go with another solution, as opposed to upgrading SMF, why not give a Python-based bulletin board a try? Specific recommendation: pyForum http://www.pyforum.org/ It's based on web2py framework. I have used web2py and I highly recommend it. Migrating from SMF should not be terribly difficult for someone who understands databases.
> >
> > Which means you're fucked if there's a vulnerability in Django. Tip: a language is just a language. PHP is a language, Python is a language, and it's ridiculous to even imply that something in a different language would somehow be magically more secure.
>
> No, but the framework is better for handling fuck-ups.

+1 to Django and Python btw
|
|
|
|
OCedHrt
Member
Offline
Activity: 111
Merit: 10
|
|
September 11, 2011, 08:28:16 PM |
|
I just tried changing my password and it says my current password is wrong. So I cannot change to a new one now.
Is it likely that passwords were changed on many/most accounts or did you wipe out old ones at some point?
BTW if the hacker still has some fingers in here then forcing us to enter our password for changing would expose the password. So hopefully some script wasn't modified to send passwords to him when an attempt was made to change it...
(Not a big problem for me as all my passwords are different and random 25 char strings)
And also possible that simply logging in sends out your password. Good thing I use junk passwords for forums.
|
|
|
|
ErgoOne
|
|
September 11, 2011, 08:49:27 PM |
|
> Everyone should use lastpass.com and generate the longest password a site will accept (or just 32 random characters/numbers is sufficient imo) plus save that on lastpass.com
> It's too easy and there is no excuse not to do it.

NO! Everybody should use a long (16+ character) password with mixed upper- and lower-case letters, numerals, and symbols, but SHOULD NOT generate or store that password on lastpass.com or ANY third-party password service. Use of such a service is placing the security of your information in the hands of a third party. That's NUTS. Instead, use a password vault or a simple GPG-encrypted text file on your own laptop or personal computer, backed up to a CD/DVD or a USB dongle that is kept offsite. Encrypt that one file with a long passphrase, and do the work to memorize the passphrase. Voila -- actual security instead of security theater. (I'm shaking my head at the nutty idea that passwords should be entrusted to a third party that you don't even know.)
|
|
|
|
CanaryInTheMine
Donator
Legendary
Offline
Activity: 2352
Merit: 1060
between a rock and a block!
|
|
September 11, 2011, 08:55:07 PM |
|
how about some beefed up infrastructure with a good firewall, ids, virus etc... etc...?
no way bitcoin is becoming mainstream until, we (as in all of us, open-source anything lovers), take security seriously.
as long as there's an opportunity to create PR damage to bitcoin, it will be done and the only press and info that mainstream folks hear about bitcoin will be negative.
you can hiss at me, say whatever, i don't give a shit about your negative-all-knowing pontification that is coming at this post....
BUT
bitcoin will become mainstream not because of its technical wow/genius or libertarian fuck-the-government connotations... whatever the hell you want to insert here... BUT only if there is positive PR and good perception with the public.
There ain't enough of us here to make it mainstream. You tell me what non-technical people, when you ask them about bitcoin, tell you? I bet it's only the negative crap that has been put out BECAUSE of security lapses with peripheral, supporting, indirect bitcoin related services. Nobody cares that it's not bitcoin suffering directly. people do not understand the difference...
So, whenever you all (those who are in position to take security-related actions) take this seriously, then maybe bitcoin will have a shot.
Until then, get your pop corn out, every few weeks we will see another nail put into bitcoin "Security"
control the message, control opinion, perception and ultimately reality.
|
|
|
|
Desolator
|
|
September 11, 2011, 09:45:34 PM |
|
I've heard a lot of really unwise suggestions for password management. A piece of software holding all your passwords, or a website, or some generator that generates such unmemorable passwords that you have to store them in a text file somewhere are all REALLY bad ideas. Here's a secure password:

1. Make up some long, symbol-inclusive password like Thi$izmypa$$w0rd!mmmk
2. Get a fire- and flood-proof safe/lockbox for like $30
3. Write the password on a piece of paper and put it in the safe
4. Don't lose the key

Tada, secure password. A hacker would have to get inside your house to get it, not counting some specific keylogger attack.
|
|
|
|
TTBit
Legendary
Offline
Activity: 1137
Merit: 1001
|
|
September 11, 2011, 11:32:05 PM |
|
What does not kill bitcoin will make it stronger.
|
good judgment comes from experience, and experience comes from bad judgment
|
|
|
BCEmporium
Legendary
Offline
Activity: 1218
Merit: 1000
|
|
September 12, 2011, 12:02:37 AM |
|
> No, but the framework is better for handling fuck-ups.

Coders don't use frameworks, Lego makers do. It "speeds up «development»" (yeah, right! Putting some pieces of Lego together is now called "developing"... go figure!) but hurts performance badly by loading interpreters filled up with "resources" (of which you normally will not even be using 1%). Still, Python is somewhat better than the mother of all framework fuck-ups so far: Java. And obviously you have more bugs found in PHP applications than anything else; PHP has a 76.9% share of dynamic web content... that's like saying there are more car accidents than motorcycle accidents, no wonder, there are way more cars on the road than motorcycles! PHP is used by 76.9% of all the websites whose server-side programming language we know.
|
|
|
|
Inaba
Legendary
Offline
Activity: 1260
Merit: 1000
|
|
September 12, 2011, 12:07:05 AM |
|
Can we please, please stop using this ultra crappy forum software? It's horrible from every single standpoint, security included. Please upgrade to a modern piece of software. This junk from the early part of last decade has REALLY got to go.
|
If you're searching these lines for a point, you've probably missed it. There was never anything there in the first place.
|
|
|
BCEmporium
Legendary
Offline
Activity: 1218
Merit: 1000
|
|
September 12, 2011, 12:17:12 AM |
|
> Can we please, please stop using this ultra crappy forum software? It's horrible from every single standpoint, security included. Please upgrade to a modern piece of software. This junk from the early part of last decade has REALLY got to go.

So, you don't like this phpBB fork and want another... well... phpBB fork? Forums are somewhat easy to code; I don't see anything wrong with this one, just cover the security holes and double check before you "add components or features" (usually the mother of all holes to exploit).
|
|
|
|
RodeoX
Legendary
Offline
Activity: 3066
Merit: 1147
The revolution will be monetized!
|
|
September 12, 2011, 12:45:18 AM |
|
Thank you theymos for bringing this to our attention. Since there is no practical way to guarantee security, it's nice that you keep us in the loop.
|
|
|
|
defxor
|
|
September 12, 2011, 12:54:34 AM |
|
> but SHOULD NOT generate or store that password on lastpass.com or ANY third-party password service. Use of such a service is placing the security of your information in the hands of a third party. That's NUTS.

First study how LastPass works, then post. They don't hold your passwords. They cannot retrieve them.

> Can someone explain to me how/why lastpass.com is better than your browser's password store? I use pwgen to generate seriously crazy passwords for each individual site and let my browser remember the passwords. Nobody has access to my computer except me, and even when they do, it's through their own account.

Your browser store is at risk of being easily broken into by a client-side web browser exploit. I'll just repeat what so many have already posted: Use LastPass. Generate a new 12+ char password for each site you use. Sleep well.
|
|
|
|
pekv2
|
|
September 12, 2011, 01:03:33 AM |
|
Yea, the LastPass application encrypts your passwords before they leave your PC to be stored online through SSL, and decrypts them on your PC.
Only you, who have the master password, can access your passwords. Even if somehow someone gained access to your password database, it is encrypted.
There is also the thought that if your PC has a keylogger, well, you're screwed for not securing your PC correctly/properly.
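The per-site random password that the last several posts argue over (pwgen-style, "12+", "16+" or 32 characters), as an added example that is not code from any poster, from pwgen or from LastPass: characters drawn uniformly from the OS CSPRNG, rejection sampling so a site's "must contain a digit and a symbol" rule is met without biasing the draw, and the entropy each length gives. The 1e10 guesses/second figure is an assumption for comparing lengths against an offline attack on a fast hash, not a measurement.

```python
import math
import secrets
import string

# Character classes; the full alphabet is printable ASCII minus space (94 symbols),
# the same set pwgen draws from with -sy.
LOWER, UPPER, DIGITS, SYMBOLS = (string.ascii_lowercase, string.ascii_uppercase,
                                 string.digits, string.punctuation)
ALPHABET = LOWER + UPPER + DIGITS + SYMBOLS


def generate_password(length: int = 32, alphabet: str = ALPHABET,
                      require_classes=(LOWER, UPPER, DIGITS, SYMBOLS)) -> str:
    """Draw every character uniformly with the OS CSPRNG (secrets, never random).
    Reject whole candidates until each required class appears: unlike 'pick one
    from every class, then fill the rest', this keeps the accepted password
    uniform over the set of passwords that satisfy the rule."""
    if length < len(require_classes):
        raise ValueError("length too short to contain every required class")
    for cls in require_classes:
        if not any(ch in alphabet for ch in cls):
            raise ValueError("a required class has no characters in the alphabet")
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if all(any(ch in cls for ch in candidate) for cls in require_classes):
            return candidate


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy of a uniformly random password: log2(alphabet_size ** length).
    (Slightly overstates it when class requirements reject some candidates.)"""
    return length * math.log2(alphabet_size)


def expected_crack_years(bits: float, guesses_per_second: float = 1e10) -> float:
    """Expected time to hit a uniformly random secret: half the keyspace on average
    at the given offline guess rate. 1e10/s is an ASSUMED figure for a GPU rig
    against a fast unsalted hash; use it to compare lengths, not as a forecast."""
    return 2 ** (bits - 1) / guesses_per_second / (365.25 * 24 * 3600)


def compare_lengths(lengths=(12, 16, 32)) -> dict:
    """Entropy and expected offline crack time for each length under discussion."""
    return {n: (round(entropy_bits(n), 1), expected_crack_years(entropy_bits(n)))
            for n in lengths}


if __name__ == "__main__":
    for n, (bits, years) in compare_lengths().items():
        print(f"{n:2d} chars: {bits:6.1f} bits, ~{years:.3g} years at 1e10 guesses/s")
    print("sample 32-char password:", generate_password(32))
```

The comparison is only meaningful for passwords that are actually random; a human-chosen string like the one Desolator proposes above has far less entropy than its length suggests because attackers model the substitutions people make.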
|
|
|
|
|