Bitcoin Forum
December 03, 2016, 04:49:16 AM *
News: To be able to use the next phase of the beta forum software, please ensure that your email address is correct/functional.
 
   Home   Help Search Donate Login Register  
Pages: « 1 2 3 4 5 [6] 7 8 9 10 11 12 13 »  All
  Print  
Author Topic: Info about the recent attack  (Read 48870 times)
Bert
Full Member
***
Offline Offline

Activity: 126



View Profile
September 11, 2011, 05:53:08 PM
 #101

Thanks for informing us of the issue (a lot of sites don't) and especially for the work involved in bring the site back online.

Tip jar: 1BW6kXgUjGrFTqEpyP8LpVEPQDLTkbATZ6
Transactions must be included in a block to be properly completed. When you send a transaction, it is broadcast to miners. Miners can then optionally include it in their next blocks. Miners will be more inclined to include your transaction if it has a transaction fee.
Advertised sites are not endorsed by the Bitcoin Forum. They may be unsafe, untrustworthy, or illegal in your jurisdiction. Advertise here.
Christian Pezza
Member
**
Offline Offline

Activity: 98



View Profile WWW
September 11, 2011, 06:01:57 PM
 #102

thanks u

If you like this tread consider to donate some to https://bitcointalk.org/donate.html
FAtlas
Jr. Member
*
Offline Offline

Activity: 56


Violenth ith not compathion.


View Profile WWW
September 11, 2011, 06:20:01 PM
 #103

Why won't you bring back Cosby?  Is it a racial thing?

1KKptP9dKU6mZ6DkmwTmPERG7je7rStiuR

“Thith ith where I live. Thith ith me. I will not allow violenth againsh thith houth.”
w1R903
Full Member
***
Offline Offline

Activity: 218


View Profile
September 11, 2011, 06:46:16 PM
 #104

I am surprised that everybody here is tossing out PHP-based solutions as alternatives to SMF.  Why not save yourself a ton of security concerns and use a Python-based bulletin board?  There are several reputable, mature, open source products available.  I haven't used any of them personally but most of them use Django, so they would come with great security features out of the box like auto escaping all template content, with which you would not have been vulnerable to the vector used by this attacker.

When you look at OWASP and other security organizations' evaluations of web frameworks, it's amazing how many vulnerabilities are found in PHP-based software, and how few are found in Python-based software.  So if you decide to go with another solution, as opposed to upgrading SMF, why not give a Python-based bulletin board a try?

Specific recommendation: pyForum http://www.pyforum.org/  It's based on web2py framework.  I have used web2py and I highly recommend it.  Migrating from SMF should not be terribly difficult for someone who understands databases.

4096R/F5EA0017
theymos
Administrator
Legendary
*
Offline Offline

Activity: 2492


View Profile
September 11, 2011, 06:54:27 PM
 #105

I don't know what the problem is with password changes. I tried passwords with many different special characters, and it always works.

Simple Question, besides it's beyond that other things that have been said in this thread.
This one is @theymos directly:
Would it have been so damn hard to take the forum down and insert a little static HTML page, indicating to users that the site was offline and being worked on?

actions like simply taking the forum offline hurt the confidence of people in bitcoin.

I don't have access to DNS and I lost ssh access after taking down the forum.

Basically everything keep getting hacked despite all our security discussion and almost always due to ridicolous negligences (yay the bug in the forum was in the thing that modify tags for donators, a thing added some week ago and guess what? hackable!)

It was not a bug in the donator code. Core SMF is always vulnerable to this, but because I had added additional restrictions for non-donators, the attacker had to be donator to exploit it.

1NXYoJ5xU91Jp83XfVMHwwTUyZFK64BoAD
joepie91
Sr. Member
****
Offline Offline

Activity: 294


View Profile
September 11, 2011, 07:02:30 PM
 #106

I am surprised that everybody here is tossing out PHP-based solutions as alternatives to SMF.  Why not save yourself a ton of security concerns and use a Python-based bulletin board?  There are several reputable, mature, open source products available.  I haven't used any of them personally but most of them use Django, so they would come with great security features out of the box like auto escaping all template content, with which you would not have been vulnerable to the vector used by this attacker.

When you look at OWASP and other security organizations' evaluations of web frameworks, it's amazing how many vulnerabilities are found in PHP-based software, and how few are found in Python-based software.  So if you decide to go with another solution, as opposed to upgrading SMF, why not give a Python-based bulletin board a try?

Specific recommendation: pyForum http://www.pyforum.org/  It's based on web2py framework.  I have used web2py and I highly recommend it.  Migrating from SMF should not be terribly difficult for someone who understands databases.
Which means you're fucked if there's a vulnerability in Django.

Tip: a language is just a language. PHP is a language, Python is a language, and it's ridiculous to even imply that something in a different language would somehow be magically more secure.

Like my post(s)? 12TSXLa5Tu6ag4PNYCwKKSiZsaSCpAjzpu Smiley
Quote from: hawks5999
I just can't wait for fall/winter. My furnace never generated money for me before. I'll keep mining until my furnace is more profitable.
kokjo
Legendary
*
Offline Offline

Activity: 1050

You are WRONG!


View Profile
September 11, 2011, 07:16:05 PM
 #107

I am surprised that everybody here is tossing out PHP-based solutions as alternatives to SMF.  Why not save yourself a ton of security concerns and use a Python-based bulletin board?  There are several reputable, mature, open source products available.  I haven't used any of them personally but most of them use Django, so they would come with great security features out of the box like auto escaping all template content, with which you would not have been vulnerable to the vector used by this attacker.

When you look at OWASP and other security organizations' evaluations of web frameworks, it's amazing how many vulnerabilities are found in PHP-based software, and how few are found in Python-based software.  So if you decide to go with another solution, as opposed to upgrading SMF, why not give a Python-based bulletin board a try?

Specific recommendation: pyForum http://www.pyforum.org/  It's based on web2py framework.  I have used web2py and I highly recommend it.  Migrating from SMF should not be terribly difficult for someone who understands databases.
Which means you're fucked if there's a vulnerability in Django.

Tip: a language is just a language. PHP is a language, Python is a language, and it's ridiculous to even imply that something in a different language would somehow be magically more secure.
no but the freamwork is better for handling fuck-ups. Smiley

"The whole problem with the world is that fools and fanatics are always so certain of themselves and wiser people so full of doubts." -Bertrand Russell
arsenische
Legendary
*
Offline Offline

Activity: 1116


View Profile
September 11, 2011, 07:17:30 PM
 #108

no but the freamwork is better for handling fuck-ups. Smiley

php has plenty of frameworks

phelix
Legendary
*
Offline Offline

Activity: 1680


nmc:id/phelix


View Profile
September 11, 2011, 08:22:23 PM
 #109

I am surprised that everybody here is tossing out PHP-based solutions as alternatives to SMF.  Why not save yourself a ton of security concerns and use a Python-based bulletin board?  There are several reputable, mature, open source products available.  I haven't used any of them personally but most of them use Django, so they would come with great security features out of the box like auto escaping all template content, with which you would not have been vulnerable to the vector used by this attacker.

When you look at OWASP and other security organizations' evaluations of web frameworks, it's amazing how many vulnerabilities are found in PHP-based software, and how few are found in Python-based software.  So if you decide to go with another solution, as opposed to upgrading SMF, why not give a Python-based bulletin board a try?

Specific recommendation: pyForum http://www.pyforum.org/  It's based on web2py framework.  I have used web2py and I highly recommend it.  Migrating from SMF should not be terribly difficult for someone who understands databases.
Which means you're fucked if there's a vulnerability in Django.

Tip: a language is just a language. PHP is a language, Python is a language, and it's ridiculous to even imply that something in a different language would somehow be magically more secure.
no but the freamwork is better for handling fuck-ups. Smiley

+1 to Django   and Python btw


blockchained.com ■ bitcointalk top posts
OCedHrt
Member
**
Offline Offline

Activity: 98


View Profile
September 11, 2011, 08:28:16 PM
 #110

I just tried changing my password and it says my current password is wrong.
So I cannot change to a new one now.

Is it likely that passwords were changed on many/most accounts or did you wipe out old ones at some point?

BTW if the hacker still has some fingers in here then forcing us to enter our password for changing would expose the password. So hopefully some script wasn't modified to send passwords to him when an attempt was made to change it...

(Not a big problem for me as all my passwords are different and random 25 char strings)

And also possible that simply logging in sends out your password. Good thing I use junk passwords for forums.
ErgoOne
Full Member
***
Offline Offline

Activity: 126


View Profile
September 11, 2011, 08:49:27 PM
 #111

Everyone should use lastpass.com and generate the longest password a site will accept (or just 32 random characters/numbers is sufficient imo) plus save that on lastpass.com

It's too easy and there is no excuse not to do it.

NO!  Everybody should use a long (16+ character) password with mixed upper- and lower-case letters, numerals, and symbols, but SHOULD NOT generate or store that password on lastpass.com or ANY third-party password service.  Use of such a service is placing the security of your information in the hands of a third party.  That's NUTs. 

Instead, use a password vault or a simple GPG-encrypted text file on your own laptop or personal computer, backed up to a CD/DVD or a USB dongle that is kept offsite.  Encrypt that one file with a long passphrase, and do the work to memorize the passphrase.  Voila -- actual security instead of security theater.

(I'm shaking my head at nutty idea that passwords should be entrusted to a third party that you don't even know.) Sad



CanaryInTheMine
Donator
Legendary
*
Offline Offline

Activity: 1512


between a rock and a block!


View Profile
September 11, 2011, 08:55:07 PM
 #112

how about some beefed up infrastructure with a good firewall, ids, virus etc... etc...?

no way bitcoin is becoming mainstream until, we (as in all of us, open-source anything lovers), take security seriously.

as long as there's an opportunity to create PR damage to bitcoin, it will be done and the only press and info that mainstream folks hear about bitcoin will be negative.

you can hiss at me, say whatever, i don't give a shit about your negative-all-knowing pontification that is coming at this post....

BUT

bitcoin will become mainstream not because of it's technical wow/genius or libertarian fuck-the-government connotations... whatever the hell you want to insert here... BUT only if there is positive PR and good perception with public.

There ain't enough of us here to make it mainstream.  You tell me what non-technical people, when you ask them about bitcoin, tell you?  I bet it's only the negative crap that has been put out BECAUSE of security lapses with peripheral, supporting, indirect bitcoin related services.  Nobody cares that it's not bitcoin suffering directly.  people do not understand the difference...

So, whenever you all (those who are in position to take security-related actions) take this seriously, then maybe bitcoin will have a shot.

Until then, get your pop corn out, every few weeks we will see another nail put into bitcoin "Security"

control the message, control opinion, perception and ultimately reality.

| In Default we Trust | Need gold/silver for btc? | Buy bitcoins |
Desolator
Sr. Member
****
Offline Offline

Activity: 392



View Profile
September 11, 2011, 09:45:34 PM
 #113

I've heard a lot of really unwise suggestions for password management.  A piece of software holding all your passwords or a website or some generator that generated such unmemorable passwords that you have to store them in a text file somewhere are all REALLY bad ideas.  Here's a secure password:

1. make up some long, symbol-inclusive password like Thi$izmypa$$w0rd!mmmk
2. get a fire and flood proof safe/lockbox for like $30
3. write the password on a piece of paper and put it in the safe
4. don't lose the key

Tada, secure password.  A hacker would have to get inside your house to get it, not counting some specific keylogger attack.
TTBit
Legendary
*
Offline Offline

Activity: 1136


View Profile
September 11, 2011, 11:32:05 PM
 #114

What does not kill bitcoin will make it stronger.

good judgment comes from experience, and experience comes from bad judgment
BCEmporium
Legendary
*
Offline Offline

Activity: 938



View Profile
September 12, 2011, 12:02:37 AM
 #115

no but the freamwork is better for handling fuck-ups. Smiley

Coders don't use frameworks, Lego makers do. It "speeds up «development»" (yeah, right! Put some pieces of Lego together is now called "developing"... go figure!) but nags hardly performance by loading interpreters filled up with "resources" (which you normally will not even be using 1%).
Still, Python is somewhat better than the mother of all framework fuck ups so far; Java.

And obviously you have more bugs found on PHP applications than anything else, PHP has 76,9% of the dynamic web content share... that's like saying there're more car accidents than motorcycle, no wonder, there're way more cars in the road than motorcycles!

Quote from: W3C link=http://w3techs.com/technologies/details/pl-php/all/all
PHP is used by 76.9% of all the websites whose server-side programming language we know.
Inaba
Legendary
*
Offline Offline

Activity: 1260



View Profile WWW
September 12, 2011, 12:07:05 AM
 #116

Can we please, please stop using this ultra crappy forum software?  It's horrible from every single standpoint, security included.  Please upgrade to a modern piece of software.  This junk from the early part last decade has REALLY got to go.

If you're searching these lines for a point, you've probably missed it.  There was never anything there in the first place.
BCEmporium
Legendary
*
Offline Offline

Activity: 938



View Profile
September 12, 2011, 12:17:12 AM
 #117

Can we please, please stop using this ultra crappy forum software?  It's horrible from every single standpoint, security included.  Please upgrade to a modern piece of software.  This junk from the early part last decade has REALLY got to go.


So, you don't like this phpBB fork and want another... well... phpBB fork?  Tongue

forums are somewhat easy to code, I don't see nothing wrong with this one, just cover the security holes and double check before "add components or features" (usually the mother of all holes to exploit).
RodeoX
Legendary
*
Offline Offline

Activity: 2100


The revolution will be monetized!


View Profile
September 12, 2011, 12:45:18 AM
 #118

Thank you theymos for brining this to our attention. Since there is no practical way to guarantee security, it's nice that you keep us in the loop.

The gospel according to Satoshi - https://bitcoin.org/bitcoin.pdf

Free bitcoin=https://bitcointalk.org/index.php?topic=1610684
defxor
Hero Member
*****
Offline Offline

Activity: 530


View Profile
September 12, 2011, 12:54:34 AM
 #119

but SHOULD NOT generate or store that password on lastpass.com or ANY third-party password service.  Use of such a service is placing the security of your information in the hands of a third party.  That's NUTs. 

First study how LastPass works, then post. They don't hold your passwords. They cannot retrieve them.

Can someone explain to me how/why lastpass.com is better than your browser's password store? I use pwgen to generate seriously crazy passwords for each individual site and let my browser remember the passwords. Nobody has access to my computer except me, and even when they do, it's through their own account.

Your browser store is at risk of being easily broken into by a client side web browser exploit.

I'll just repeat what so many have already posted: Use LastPass. Generate a new 12+ char password for each site you use. Sleep well.
pekv2
Hero Member
*****
Offline Offline

Activity: 770



View Profile
September 12, 2011, 01:03:33 AM
 #120

Yea, lastpass application encrypts your passwords before they leave your pc to be stored online through SSL and decrypts them on your pc.

Only you, that have the master password, can access your passwords. Even if some how someone gained access to you password database, it is encrypted.

There is also that thought if your pc has a keylogger, well your screwed for not securing your pc correctly/properly.
Pages: « 1 2 3 4 5 [6] 7 8 9 10 11 12 13 »  All
  Print  
 
Jump to:  

Sponsored by , a Bitcoin-accepting VPN.
Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!