Bitcoin Forum
December 04, 2016, 02:31:45 PM *
News: Latest stable version of Bitcoin Core: 0.13.1  [Torrent].
 
   Home   Help Search Donate Login Register  
Pages: « 1 2 3 4 [5] 6 7 8 9 10 11 12 13 »  All
  Print  
Author Topic: Info about the recent attack  (Read 48882 times)
Herodes
Hero Member
*****
Offline Offline

Activity: 868


View Profile
September 11, 2011, 02:50:17 PM
 #81

Thanks for telling the community what happened. Appreciated.
1480861905
Hero Member
*
Offline Offline

Posts: 1480861905

View Profile Personal Message (Offline)

Ignore
1480861905
Reply with quote  #2

1480861905
Report to moderator
Advertised sites are not endorsed by the Bitcoin Forum. They may be unsafe, untrustworthy, or illegal in your jurisdiction. Advertise here.
1480861905
Hero Member
*
Offline Offline

Posts: 1480861905

View Profile Personal Message (Offline)

Ignore
1480861905
Reply with quote  #2

1480861905
Report to moderator
1480861905
Hero Member
*
Offline Offline

Posts: 1480861905

View Profile Personal Message (Offline)

Ignore
1480861905
Reply with quote  #2

1480861905
Report to moderator
neptop
Sr. Member
****
Offline Offline

Activity: 314


View Profile
September 11, 2011, 03:18:35 PM
 #82

Don't rely on a forum for secure authentication!  Wink
(or sign your messages and encrypt PMs)

BitCoin address: 1E25UJEbifEejpYh117APmjYSXdLiJUCAZ
MatthewLM
Legendary
*
Offline Offline

Activity: 1092



View Profile WWW
September 11, 2011, 03:18:50 PM
 #83

I'm not aware of PHPBB3 ever having these security problems. My personal opinion is that PHPBB3 is the best out of the free forums software. The only issue id that it doesn't have a plugin interface like with wordpress for example. Modifications can conflict more easily with it's easymod installation system.


Bitcoin Extra Wallet | Peercoin Android Wallet
BTC: 1D5A1q5d192j5gYuWiP3CSE5fcaaZxe6E9  PPC: PH7fVn1Xs7nkUFmdwCX2ZRYfLPCSwGxAq9
ctoon6
Sr. Member
****
Offline Offline

Activity: 350



View Profile
September 11, 2011, 03:27:34 PM
 #84

Don't rely on a forum for secure authentication!  Wink
(or sign your messages and encrypt PMs)

9/10 people will not verify your message because all existing gpg or pgp is made stupid for windows, you either cough up like 500$ for a proprietary product, pgp or be stuck with unstable trash for free, neither is good for security related things.

Vladimir
Hero Member
*****
Offline Offline

Activity: 812


-


View Profile
September 11, 2011, 03:29:10 PM
 #85

Thinking about it with all the information available now. Imagine yourselves in Theymos and Sirius position. I understand that they used 3rd party plugin for simple machine forum to collect donations as such importing SQL injection vulnerability. Than eventually Cosby came to wreck the forum. Once they know it, they shut down the forum. So far so "good".

Now they have no skill to sort it themselves. They do have to bring someone in. Who can they bring? This is already all over the news. Sirius resigns and asks for help from "devs". Mark surely is right here with an offer of help, but there are some voicing privacy and de-decentralisation worries.

What could they do. They surely can not bring someone like me in, since I am being so adversarial here. Who else? not many offers were sent on that mailing list. They have chosen Mark. Even though it is probably a mistake, their choice is perfectly understandable.

They should have brought in some independent security professional instead of mtgox or me or anyone else with clear conflict of interests. They should have been more open and issue at least some kind of statement ASAP. Things could have been handled better. But hey nobody is perfect.

-
Raoul Duke
aka psy
Legendary
*
Offline Offline

Activity: 1442



View Profile
September 11, 2011, 03:33:20 PM
 #86

I'm not aware of PHPBB3 ever having these security problems. My personal opinion is that PHPBB3 is the best out of the free forums software. The only issue id that it doesn't have a plugin interface like with wordpress for example. Modifications can conflict more easily with it's easymod installation system.

But phpbb also lets you auto-update and auto-merge the modifications on the new files.


Yes, it is commercial and from I've read, worth it. I don't believe Canonical would use it for the Ubuntu forums if there was an open source package that was as good. It's also used by WebHostingTalk, one of the biggest web host forums.

PHPBB is free, open source and is used on warez-bb.org, the biggest warez forum and probably the most attacked forum on the whole internet. Ofcourse i suspect they have a good security team taking care of warez-bb.
Quote
Our users have posted a total of 38723335 articles | We have 2641227 registered users
Most users ever online was 8594
In total there are 4240 users online :: 3440 Registered, 89 Hidden and about 711 Guests

^^ and it can handle heavy traffic, as the stats show.

neptop
Sr. Member
****
Offline Offline

Activity: 314


View Profile
September 11, 2011, 03:42:12 PM
 #87

9/10 people will not verify your message because all existing gpg or pgp is made stupid for windows, you either cough up like 500$ for a proprietary product, pgp or be stuck with unstable trash for free, neither is good for security related things.
Still there are tons of better ways for communication than a forum if it's somehow important. So one shouldn't send important stuff via PM and generally keep in mind that an account can be "hacked".

BitCoin address: 1E25UJEbifEejpYh117APmjYSXdLiJUCAZ
digibo
Newbie
*
Offline Offline

Activity: 23


View Profile
September 11, 2011, 03:42:57 PM
 #88

I just tried changing my password and it says my current password is wrong.
So I cannot change to a new one now.

You have the same password that you had before the attack.
Hmnm. Well something has gone wrong. I use a pwd safe and call up and paste in my previous password and it rejects it. My password had 25 chars including letters, number, symbols. Unless the validity of symbols was changed at some point I don't know why it won't work now. I've probably only used it once when created as typically I'm "always logged on".

The password reset form has a "current password" field with a length limit of 20 characters, even though you can initially create an account with a password longer than 20 characters. I ran into this issue.

You can still change your password by logging out, and then clicking the "Forgot your password?" link on the login page. It will email you a link that lets you reset your password.
pekv2
Hero Member
*****
Offline Offline

Activity: 770



View Profile
September 11, 2011, 04:16:41 PM
 #89

I would suggest everyone check their donation address's listed in their sig. Make sure it was never changed.
ctoon6
Sr. Member
****
Offline Offline

Activity: 350



View Profile
September 11, 2011, 04:20:10 PM
 #90

I just tried changing my password and it says my current password is wrong.
So I cannot change to a new one now.

You have the same password that you had before the attack.
Hmnm. Well something has gone wrong. I use a pwd safe and call up and paste in my previous password and it rejects it. My password had 25 chars including letters, number, symbols. Unless the validity of symbols was changed at some point I don't know why it won't work now. I've probably only used it once when created as typically I'm "always logged on".

The password reset form has a "current password" field with a length limit of 20 characters, even though you can initially create an account with a password longer than 20 characters. I ran into this issue.

You can still change your password by logging out, and then clicking the "Forgot your password?" link on the login page. It will email you a link that lets you reset your password.

my original password was 64char hexadecimal, my new password is 64char tetrasexagesimal, or base 64 according to wikipedia,i was able to change it, so obviously your wrong

digibo
Newbie
*
Offline Offline

Activity: 23


View Profile
September 11, 2011, 04:38:13 PM
 #91

I just tried changing my password and it says my current password is wrong.
So I cannot change to a new one now.

You have the same password that you had before the attack.
Hmnm. Well something has gone wrong. I use a pwd safe and call up and paste in my previous password and it rejects it. My password had 25 chars including letters, number, symbols. Unless the validity of symbols was changed at some point I don't know why it won't work now. I've probably only used it once when created as typically I'm "always logged on".

The password reset form has a "current password" field with a length limit of 20 characters, even though you can initially create an account with a password longer than 20 characters. I ran into this issue.

You can still change your password by logging out, and then clicking the "Forgot your password?" link on the login page. It will email you a link that lets you reset your password.

my original password was 64char hexadecimal, my new password is 64char tetrasexagesimal, or base 64 according to wikipedia,i was able to change it, so obviously your wrong

Oh, you're right. I created a new account with a 64 character password, and then changed it to a different 64 character password via the profile settings page, and it worked fine.

I did run into the same issue as BkkCoins with my own account, whatever it is.
digibo
Newbie
*
Offline Offline

Activity: 23


View Profile
September 11, 2011, 04:43:33 PM
 #92

I just tried changing my password and it says my current password is wrong.
So I cannot change to a new one now.

You have the same password that you had before the attack.
Hmnm. Well something has gone wrong. I use a pwd safe and call up and paste in my previous password and it rejects it. My password had 25 chars including letters, number, symbols. Unless the validity of symbols was changed at some point I don't know why it won't work now. I've probably only used it once when created as typically I'm "always logged on".

The password reset form has a "current password" field with a length limit of 20 characters, even though you can initially create an account with a password longer than 20 characters. I ran into this issue.

You can still change your password by logging out, and then clicking the "Forgot your password?" link on the login page. It will email you a link that lets you reset your password.

my original password was 64char hexadecimal, my new password is 64char tetrasexagesimal, or base 64 according to wikipedia,i was able to change it, so obviously your wrong

Oh, you're right. I created a new account with a 64 character password, and then changed it to a different 64 character password via the profile settings page, and it worked fine.

I did run into the same issue as BkkCoins with my own account, whatever it is.

And, trying once more on the new account, now I'm hitting the issue:

http://i.imgur.com/NrsUc.png
ctoon6
Sr. Member
****
Offline Offline

Activity: 350



View Profile
September 11, 2011, 04:58:52 PM
 #93

I just tried changing my password and it says my current password is wrong.
So I cannot change to a new one now.

You have the same password that you had before the attack.
Hmnm. Well something has gone wrong. I use a pwd safe and call up and paste in my previous password and it rejects it. My password had 25 chars including letters, number, symbols. Unless the validity of symbols was changed at some point I don't know why it won't work now. I've probably only used it once when created as typically I'm "always logged on".

The password reset form has a "current password" field with a length limit of 20 characters, even though you can initially create an account with a password longer than 20 characters. I ran into this issue.

You can still change your password by logging out, and then clicking the "Forgot your password?" link on the login page. It will email you a link that lets you reset your password.

my original password was 64char hexadecimal, my new password is 64char tetrasexagesimal, or base 64 according to wikipedia,i was able to change it, so obviously your wrong

Oh, you're right. I created a new account with a 64 character password, and then changed it to a different 64 character password via the profile settings page, and it worked fine.

I did run into the same issue as BkkCoins with my own account, whatever it is.

And, trying once more on the new account, now I'm hitting the issue:



what browser, version and os+version are you using

joepie91
Sr. Member
****
Offline Offline

Activity: 294


View Profile
September 11, 2011, 04:59:05 PM
 #94

I'd like to see vBulletin used as well. I've read that it takes lower cpu load than most php free boards and it has some features I think would be nice here. Ubuntu forums and many other busy forums run on it. I know it costs some money but not that much.

Edit: I don't know if there is an import tool for vB. I'd hope so because losing past posts and all the info held in them is not really an option.
vBulletin uses more resources than SMF (in fact, vBulletin is one of the worst at resource usage), and certainly isn't any more secure - if anything, vBulletin has an even worse track record than SMF in terms of vulnerabilities.

(in fact, SMF is one of the lightest forum platforms there is.)

EDIT: Additionally, if there would be a switch in forum software (which imo isn't really necessary) the best option would probably be XenForo.

Like my post(s)? 12TSXLa5Tu6ag4PNYCwKKSiZsaSCpAjzpu Smiley
Quote from: hawks5999
I just can't wait for fall/winter. My furnace never generated money for me before. I'll keep mining until my furnace is more profitable.
ctoon6
Sr. Member
****
Offline Offline

Activity: 350



View Profile
September 11, 2011, 05:00:51 PM
 #95

I'd like to see vBulletin used as well. I've read that it takes lower cpu load than most php free boards and it has some features I think would be nice here. Ubuntu forums and many other busy forums run on it. I know it costs some money but not that much.

Edit: I don't know if there is an import tool for vB. I'd hope so because losing past posts and all the info held in them is not really an option.
vBulletin uses more resources than SMF (in fact, vBulletin is one of the worst at resource usage), and certainly isn't any more secure - if anything, vBulletin has an even worse track record than SMF in terms of vulnerabilities.

(in fact, SMF is one of the lightest forum platforms there is.)

i don't care for vb or smf, i like phpbb myself, but i think vb has the largest market share, so it fall under than windows thing, where they are the largest target, therefore they get targeted type thing.

joepie91
Sr. Member
****
Offline Offline

Activity: 294


View Profile
September 11, 2011, 05:03:16 PM
 #96

I'd like to see vBulletin used as well. I've read that it takes lower cpu load than most php free boards and it has some features I think would be nice here. Ubuntu forums and many other busy forums run on it. I know it costs some money but not that much.

Edit: I don't know if there is an import tool for vB. I'd hope so because losing past posts and all the info held in them is not really an option.
vBulletin uses more resources than SMF (in fact, vBulletin is one of the worst at resource usage), and certainly isn't any more secure - if anything, vBulletin has an even worse track record than SMF in terms of vulnerabilities.

(in fact, SMF is one of the lightest forum platforms there is.)

i don't care for vb or smf, i like phpbb myself, but i think vb has the largest market share, so it fall under than windows thing, where they are the largest target, therefore they get targeted type thing.
I'd say that vBulletin, IPB, SMF, and phpBB get targeted about equally as much - all of those are used by a LOT of sites.

Also, I'm not sure how it is with the newer phpBB versions, but the old phpBB used a lot of resources as well.

Like my post(s)? 12TSXLa5Tu6ag4PNYCwKKSiZsaSCpAjzpu Smiley
Quote from: hawks5999
I just can't wait for fall/winter. My furnace never generated money for me before. I'll keep mining until my furnace is more profitable.
stsbrad
Full Member
***
Offline Offline

Activity: 168

Brad Willman, SSCP, LTCP, MCTS,SCE,BCE


View Profile
September 11, 2011, 05:23:10 PM
 #97

couple of quick questions. you did contact the authorities correct? nothing about this hack was a joke and or funny in my opinion. why were extremely old admin accounts still active? shouldn't those have an expired setting and or be deleted? manually you should have removed admin priviledges after a certain amount of time.
ctoon6
Sr. Member
****
Offline Offline

Activity: 350



View Profile
September 11, 2011, 05:26:00 PM
 #98

couple of quick questions. you did contact the authorities correct? nothing about this hack was a joke and or funny in my opinion. why were extremely old admin accounts still active? shouldn't those have an expired setting and or be deleted? manually you should have removed admin priviledges after a certain amount of time.

hardly mattered, from what i can gather from the situation, anyone could have been the first target that then got root access.

stsbrad
Full Member
***
Offline Offline

Activity: 168

Brad Willman, SSCP, LTCP, MCTS,SCE,BCE


View Profile
September 11, 2011, 05:37:33 PM
 #99

couple of quick questions. you did contact the authorities correct? nothing about this hack was a joke and or funny in my opinion. why were extremely old admin accounts still active? shouldn't those have an expired setting and or be deleted? manually you should have removed admin priviledges after a certain amount of time.

hardly mattered, from what i can gather from the situation, anyone could have been the first target that then got root access.

I thought they used the satoshi admin to get root?
ctoon6
Sr. Member
****
Offline Offline

Activity: 350



View Profile
September 11, 2011, 05:41:17 PM
 #100

couple of quick questions. you did contact the authorities correct? nothing about this hack was a joke and or funny in my opinion. why were extremely old admin accounts still active? shouldn't those have an expired setting and or be deleted? manually you should have removed admin priviledges after a certain amount of time.

hardly mattered, from what i can gather from the situation, anyone could have been the first target that then got root access.

I thought they used the satoshi admin to get root?

i don't know how exactly they have the accounts set up, but they could have gained access to any of the root account, from what is in the post.

Pages: « 1 2 3 4 [5] 6 7 8 9 10 11 12 13 »  All
  Print  
 
Jump to:  

Sponsored by , a Bitcoin-accepting VPN.
Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!