Bitcoin Forum
Author Topic: Info about the recent attack  (Read 52596 times)
ShadowOfHarbringer
September 11, 2011, 11:19:10 AM
 #61

Where can I find more information on what exactly is in the way of upgrading to 2.something?

I need updated versions of these mods (some of them might already exist or be covered by the new core):
Custom Profile Field Mod
Edit_Display_Name_Permission
Ignore Boards
Prevent Adding Signature Images And Links
Ignore user

There are also two major custom modifications:
- Membergroup membership based on time online as well as posts
- Advanced CAPTCHAs

I'd also like to use the same theme we have now.

I'd really prefer to move to some other forum software rather than upgrade, though. SMF is not well-written.

Apparently.

Moving to PHPBB or vBulletin is a solution to only one of your problems.
Another one is that the forums are so heavily trolled & flooded with pointless/spam posts that it has become difficult to actually discuss something seriously here.

This forum lacks a Slashdot-like moderation system. Slashdot has probably the best moderation system in the world. It automatically filters out all spam & scam messages with high effectiveness. Also, it severely decreases the level of trolling.

JeffK
September 11, 2011, 12:26:35 PM
 #62

Where can I find more information on what exactly is in the way of upgrading to 2.something?

I need updated versions of these mods (some of them might already exist or be covered by the new core):
Custom Profile Field Mod
Edit_Display_Name_Permission
Ignore Boards
Prevent Adding Signature Images And Links
Ignore user

There are also two major custom modifications:
- Membergroup membership based on time online as well as posts
- Advanced CAPTCHAs

I'd also like to use the same theme we have now.

I'd really prefer to move to some other forum software rather than upgrade, though. SMF is not well-written.

Apparently.

Moving to PHPBB or vBulletin is a solution to only one of your problems.
Another one is that the forums are so heavily trolled & flooded with pointless/spam posts that it has become difficult to actually discuss something seriously here.

This forum lacks a Slashdot-like moderation system. Slashdot has probably the best moderation system in the world. It automatically filters out all spam & scam messages with high effectiveness. Also, it severely decreases the level of trolling.

Slashdot's moderation system, much like reddit's, only filters out non-groupthink.


I really have a hard time believing this was a 0-day, especially with the last version of the forum being so dated - it sounds like a CYA excuse.
mikeo
September 11, 2011, 12:30:50 PM
 #63

I'd like to see vBulletin used as well. I've read that it takes lower cpu load than most php free boards and it has some features I think would be nice here. Ubuntu forums and many other busy forums run on it. I know it costs some money but not that much.

Edit: I don't know if there is an import tool for vB. I'd hope so because losing past posts and all the info held in them is not really an option.
@theymos,

I own a copy of VBulletin that is not in use and would gladly donate it to you for use here if you want to pursue migrating.
SoreGums
September 11, 2011, 12:31:38 PM
 #64

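Create 4 random passwords which contain no special characters and are 10 characters long:
Code:
# LC_ALL=C keeps tr byte-oriented so raw bytes from /dev/urandom are not rejected
LC_ALL=C tr -dc 'a-zA-Z0-9' < /dev/urandom | fold -w 10 | head -n 4
Create 4 random passwords which DO contain special characters and are 12 characters long:
Code:
# '-' is placed last in the tr set so it is a literal rather than a range; grep filters before head so exactly 4 passwords are printed
LC_ALL=C tr -dc 'a-zA-Z0-9_!@#$%^&*()+{}|:<>?=-' < /dev/urandom | fold -w 12 | grep '[!@#$%^&*()_+{}|:<>?=]' | head -n 4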
that's a pretty neat little script - cheers ;)

I'm going to stick to lastpass though...
bitstarter
September 11, 2011, 12:56:15 PM
 #65

Just glad to have it back :)

Bitcoin Crowd Funding! Bitcoinstarter.com
superpc
September 11, 2011, 01:07:48 PM
 #66

How could they let this happen? The security of this forum is vital to your users. This should have not happened today. The admins need to upgrade the version of this forum's software (well, PHP) to SMF 2.0 or switch to PHPBB or VBulletin.
makomk
September 11, 2011, 01:10:32 PM
 #67

I really have a hard time believing this was a 0-day, especially with the last version of the forum being so dated - it sounds like a CYA excuse.
If it was a security vulnerability in the forum software, and it wasn't caused by one of the mods they installed, it pretty much has to be. There are no relevant public vulnerabilities for SMF 1.1.14 or 1.1.13. (Though having looked closer, I'm not sure if it is a vulnerability at all... decidedly dodgy code at the very least though.)

Quad XC6SLX150 Board: 860 MHash/s or so.
SIGS ABOUT BUTTERFLY LABS ARE PAID ADS
dvide
September 11, 2011, 01:39:29 PM
 #68

I just tried changing my password and it says my current password is wrong.
So I cannot change to a new one now.

Is it likely that passwords were changed on many/most accounts or did you wipe out old ones at some point?

BTW if the hacker still has some fingers in here then forcing us to enter our password for changing would expose the password. So hopefully some script wasn't modified to send passwords to him when an attempt was made to change it...

(Not a big problem for me as all my passwords are different and random 25 char strings)
I'm also having this problem. Funny thing is, if I use incognito mode to get a new session I can log in using my old password, but it's not accepting it for changing my password.
antares
September 11, 2011, 01:44:52 PM
 #69

Simple Question, besides it's beyond that other things that have been said in this thread.
This one is @theymos directly:
Would it have been so damn hard to take the forum down and insert a little static HTML page, indicating to users that the site was offline and being worked on?

Actions like simply taking the forum offline hurt the confidence of people in bitcoin.
ctoon6
September 11, 2011, 01:52:38 PM
 #70

is my password safe if i used a 64char hexadecimal?

kokjo
September 11, 2011, 01:54:38 PM
 #71

is my password safe if i used a 64char hexadecimal?
do the math yourself.

seriously you guys, learn about password strength, and hashing algos.

"The whole problem with the world is that fools and fanatics are always so certain of themselves and wiser people so full of doubts." -Bertrand Russell
dvide
September 11, 2011, 01:55:35 PM
 #72

I just tried changing my password and it says my current password is wrong.
So I cannot change to a new one now.

Is it likely that passwords were changed on many/most accounts or did you wipe out old ones at some point?

BTW if the hacker still has some fingers in here then forcing us to enter our password for changing would expose the password. So hopefully some script wasn't modified to send passwords to him when an attempt was made to change it...

(Not a big problem for me as all my passwords are different and random 25 char strings)
I'm also having this problem. Funny thing is, if I use incognito mode to get a new session I can log in using my old password, but it's not accepting it for changing my password.
Ok something is definitely broken. I just used the forgot password function to reset my password, because it wasn't working from within my account, but then I could not log in at all using either my new password or my old one. Both passwords were 25 characters with special characters and spaces. I used the forgot password again to reset it to a 16 char password without special characters or spaces, and then I was able to login.

So something WRT to either length, special characters or spaces has a problem. Also none of the passwords I tried used a space at either the start or the end, so it's not trimming the string that is my problem.
Gabi
September 11, 2011, 01:56:28 PM
 #73

Basically in the whole forum we keep discussing security and guess what? The forum itself gets HACKED ::)

Basically everything keeps getting hacked despite all our security discussion and almost always due to ridiculous negligence (yay the bug in the forum was in the thing that modifies tags for donators, a thing added some week ago and guess what? hackable!)


Phinnaeus Gage
September 11, 2011, 01:57:16 PM
 #74

I'm done with this bullshit. Every month my password is leaked by fail bitcoin sites and their shit security.

Yes, I use different passwords for each site. I don't give a flying fuck.

This is unacceptable,
bye

Keep in mind, the annualized inflation rate of bitcoin is ~37.6% at the moment.  If the price holds steady it means that there is enough new demand to keep up with this pace of inflation.  To me, it seems quite natural that the variance in demand relative to the rate of inflation in such a small market is bound to create substantial volatility in both directions.  People should be more surprised that the price stuck at around $14 or $15 for so long.  

The absolute number of miners has nothing to do with it...the question is simply to what degree the net demand is increasing in relation to the supply.  A miner that sells all of their generated bitcoins are reducing net demand (just like anyone else selling bitcoins) while a miner that holds all of their generated bitcoins and increasing net demand (just like anyone else buying bitcoins).

The breaches, the hacks, and the fading media attention are probably all contributing to a lull in demand at the moment.

Somebody buy this man a beer.

Smart Money Drives the Financial Markets?
Let's hear what Tom Williams has to say about all this: http://www.youtube.com/watch?v=6jwEwlZnSFY

Tom and Gavin being interviewed: http://www.youtube.com/watch?v=wYowjdORSNQ

LZ
September 11, 2011, 01:58:37 PM
 #75

can you migrate the forum to VBulletin ?
vBulletin is a commercial forum software. SMF is really open source and free.

My OpenPGP fingerprint: 5099EB8C0F2E68C63B4ECBB9A9D0993E04143362
ctoon6
September 11, 2011, 02:01:16 PM
 #76

is my password safe if i used a 64char hexadecimal?
do the math yourself.

seriously you guys, learn about password strength, and hashing algos.

it was a joke, obviously my password is good for at least 100 years for current day technology, mostly due to its sheer length.

although i think i may use base64 anyway just to be on the safe side.

Tuxavant
September 11, 2011, 02:01:44 PM
 #77

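Create 4 random passwords which contain no special characters and are 10 characters long:
Code:
# LC_ALL=C keeps tr byte-oriented so raw bytes from /dev/urandom are not rejected
LC_ALL=C tr -dc 'a-zA-Z0-9' < /dev/urandom | fold -w 10 | head -n 4
Create 4 random passwords which DO contain special characters and are 12 characters long:
Code:
# '-' is placed last in the tr set so it is a literal rather than a range; grep filters before head so exactly 4 passwords are printed
LC_ALL=C tr -dc 'a-zA-Z0-9_!@#$%^&*()+{}|:<>?=-' < /dev/urandom | fold -w 12 | grep '[!@#$%^&*()_+{}|:<>?=]' | head -n 4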
that's a pretty neat little script - cheers ;)

I'm going to stick to lastpass though...

Then there's always 'pwgen'

Can someone explain to me how/why lastpass.com is better than your browser's password store? I use pwgen to generate seriously crazy passwords for each individual site and let my browser remember the passwords. Nobody has access to my computer except me, and even when they do, it's through their own account.

wknight
September 11, 2011, 02:02:42 PM
 #78

Great to have the forums back. Plain and simple!

Mining Both Bitcoin and Litecoin.
BkkCoins
September 11, 2011, 02:16:45 PM
 #79

can you migrate the forum to VBulletin ?
vBulletin is a commercial forum software. SMF is really open source and free.
Yes, it is commercial and from what I've read, worth it. I don't believe Canonical would use it for the Ubuntu forums if there was an open source package that was as good. It's also used by WebHostingTalk, one of the biggest web host forums.

The question is whether content can be brought over.

BkkCoins
September 11, 2011, 02:17:54 PM
 #80

I just tried changing my password and it says my current password is wrong.
So I cannot change to a new one now.

Is it likely that passwords were changed on many/most accounts or did you wipe out old ones at some point?

BTW if the hacker still has some fingers in here then forcing us to enter our password for changing would expose the password. So hopefully some script wasn't modified to send passwords to him when an attempt was made to change it...

(Not a big problem for me as all my passwords are different and random 25 char strings)
I'm also having this problem. Funny thing is, if I use incognito mode to get a new session I can log in using my old password, but it's not accepting it for changing my password.
Ok something is definitely broken. I just used the forgot password function to reset my password, because it wasn't working from within my account, but then I could not log in at all using either my new password or my old one. Both passwords were 25 characters with special characters and spaces. I used the forgot password again to reset it to a 16 char password without special characters or spaces, and then I was able to login.

So something WRT to either length, special characters or spaces has a problem. Also none of the passwords I tried used a space at either the start or the end, so it's not trimming the string that is my problem.

It's starting to sound like the password change code uses different validity criteria than the login code.
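
Added example (not part of the original thread, and not SMF's code): one way the symptom reported above can arise, when the password-change and reset paths transform their input and the login path does not. The `Account` class, the HTML-escaping step `escape_field`, the PBKDF2 parameters and the sample passwords are all hypothetical and constructed for illustration.

```python
import hashlib
import hmac
import html
import os

def derive(password: str, salt: bytes) -> bytes:
    # One hashing primitive for every path; the parameters are demo values.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 50_000)

def escape_field(raw: str) -> str:
    # Hypothetical input layer that HTML-escapes form fields before use.
    return html.escape(raw, quote=True)

class Account:
    def __init__(self, password: str):
        self.salt = os.urandom(16)
        self.stored = derive(password, self.salt)

    def login(self, submitted: str) -> bool:
        # Login hashes the raw submitted value.
        return hmac.compare_digest(derive(submitted, self.salt), self.stored)

    def change_buggy(self, current: str, new: str) -> bool:
        # Mismatch: this path escapes its inputs, the login path does not.
        if not self.login(escape_field(current)):
            return False
        self.stored = derive(escape_field(new), self.salt)
        return True

    def reset_buggy(self, new: str) -> None:
        # Same mismatch on the "forgot password" path.
        self.stored = derive(escape_field(new), self.salt)

    def change_fixed(self, current: str, new: str) -> bool:
        # Fix: identical bytes reach derive() on every path.
        if not self.login(current):
            return False
        self.stored = derive(new, self.salt)
        return True

def observe(password: str) -> tuple:
    """Return (login_ok, buggy_change_ok, login_after_buggy_reset, fixed_change_ok)."""
    acct = Account(password)
    login_ok = acct.login(password)
    buggy_change_ok = acct.change_buggy(password, password)
    fixed_change_ok = acct.change_fixed(password, password)
    acct.reset_buggy(password)
    return login_ok, buggy_change_ok, acct.login(password), fixed_change_ok
```

An alphanumeric password passes every path because escaping leaves it unchanged, while one containing `&`, `<` or quotes logs in but fails the buggy change and the login after a buggy reset.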
