Herodes
September 11, 2011, 02:50:17 PM

Thanks for telling the community what happened. Appreciated.

neptop
September 11, 2011, 03:18:35 PM

Don't rely on a forum for secure authentication! (or sign your messages and encrypt PMs)

BitCoin address: 1E25UJEbifEejpYh117APmjYSXdLiJUCAZ

MatthewLM
Legendary | Offline | Activity: 1190 | Merit: 1004
September 11, 2011, 03:18:50 PM

I'm not aware of PHPBB3 ever having these security problems. My personal opinion is that PHPBB3 is the best of the free forum software. The only issue is that it doesn't have a plugin interface like WordPress has, for example. Modifications can conflict more easily with its EasyMod installation system.

ctoon6
September 11, 2011, 03:27:34 PM

> Don't rely on a forum for secure authentication! (or sign your messages and encrypt PMs)

9/10 people will not verify your message because all existing GPG or PGP is made stupid for Windows: you either cough up like $500 for a proprietary product, PGP, or be stuck with unstable trash for free. Neither is good for security related things.

Vladimir
September 11, 2011, 03:29:10 PM

Thinking about it with all the information available now. Imagine yourselves in Theymos and Sirius' position. I understand that they used a 3rd party plugin for Simple Machines Forum to collect donations, as such importing an SQL injection vulnerability. Then eventually Cosby came to wreck the forum. Once they knew it, they shut down the forum. So far so "good".
Now they have no skill to sort it themselves. They do have to bring someone in. Who can they bring? This is already all over the news. Sirius resigns and asks for help from "devs". Mark surely is right here with an offer of help, but there are some voicing privacy and de-centralisation worries.
What could they do? They surely can not bring someone like me in, since I am being so adversarial here. Who else? Not many offers were sent on that mailing list. They have chosen Mark. Even though it is probably a mistake, their choice is perfectly understandable.
They should have brought in some independent security professional instead of MtGox or me or anyone else with a clear conflict of interests. They should have been more open and issued at least some kind of statement ASAP. Things could have been handled better. But hey, nobody is perfect.

Raoul Duke
aka psy
Legendary | Offline | Activity: 1372 | Merit: 1002
September 11, 2011, 03:33:20 PM

> I'm not aware of PHPBB3 ever having these security problems. My personal opinion is that PHPBB3 is the best of the free forum software. The only issue is that it doesn't have a plugin interface like WordPress has, for example. Modifications can conflict more easily with its EasyMod installation system.

But phpbb also lets you auto-update and auto-merge the modifications on the new files.

> Yes, it is commercial and from what I've read, worth it. I don't believe Canonical would use it for the Ubuntu forums if there was an open source package that was as good. It's also used by WebHostingTalk, one of the biggest web host forums.

PHPBB is free, open source and is used on warez-bb.org, the biggest warez forum and probably the most attacked forum on the whole internet. Of course I suspect they have a good security team taking care of warez-bb. "Our users have posted a total of 38723335 articles | We have 2641227 registered users | Most users ever online was 8594 | In total there are 4240 users online :: 3440 Registered, 89 Hidden and about 711 Guests" ^^ and it can handle heavy traffic, as the stats show.

neptop
September 11, 2011, 03:42:12 PM

> 9/10 people will not verify your message because all existing GPG or PGP is made stupid for Windows: you either cough up like $500 for a proprietary product, PGP, or be stuck with unstable trash for free. Neither is good for security related things.

Still there are tons of better ways for communication than a forum if it's somehow important. So one shouldn't send important stuff via PM and generally keep in mind that an account can be "hacked".

BitCoin address: 1E25UJEbifEejpYh117APmjYSXdLiJUCAZ

digibo
Newbie | Offline | Activity: 23 | Merit: 0
September 11, 2011, 03:42:57 PM

> I just tried changing my password and it says my current password is wrong. So I cannot change to a new one now.

> > You have the same password that you had before the attack.

> Hmm. Well something has gone wrong. I use a pwd safe and call up and paste in my previous password and it rejects it. My password had 25 chars including letters, numbers, symbols. Unless the validity of symbols was changed at some point I don't know why it won't work now. I've probably only used it once when created as typically I'm "always logged on".

The password reset form has a "current password" field with a length limit of 20 characters, even though you can initially create an account with a password longer than 20 characters. I ran into this issue. You can still change your password by logging out, and then clicking the "Forgot your password?" link on the login page. It will email you a link that lets you reset your password.

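The failure mode digibo describes above (registration accepts a 25-character password, the change-password form caps the "current password" field at 20, so the correct password is reported as wrong) is worth seeing in code. The block below is an added example and is not the forum's own code; the `Forum`, `PasswordPolicy` and `field_limit_mismatch` names are hypothetical, and it assumes the 20-character limit behaves like an HTML `maxlength`, i.e. the browser truncates what it submits. It places the buggy handler beside one where both flows share a single policy, and adds a deployment check that flags any input field whose cap is below what registration allows.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed example: a minimal user store plus two versions of the
# change-password handler. Nothing here is the forum's real code.

PBKDF2_ROUNDS = 50_000  # kept modest so the example runs quickly


@dataclass
class User:
    name: str
    salt: bytes
    pw_hash: bytes


@dataclass(frozen=True)
class PasswordPolicy:
    min_len: int = 8
    max_len: Optional[int] = None  # None means no upper bound

    def check(self, password: str) -> None:
        if len(password) < self.min_len:
            raise ValueError("password too short")
        if self.max_len is not None and len(password) > self.max_len:
            raise ValueError("password too long")


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def verify_password(user: User, password: str) -> bool:
    candidate = hash_password(password, user.salt)
    return hmac.compare_digest(candidate, user.pw_hash)  # constant-time compare


class Forum:
    # Registration accepts any length above the minimum.
    REGISTER_POLICY = PasswordPolicy(min_len=8, max_len=None)
    # Assumption: the change form's 20-char limit truncates the submitted field.
    BUGGY_CURRENT_FIELD_MAX = 20

    def __init__(self) -> None:
        self.users: Dict[str, User] = {}

    def register(self, name: str, password: str) -> None:
        self.REGISTER_POLICY.check(password)
        salt = os.urandom(16)
        self.users[name] = User(name, salt, hash_password(password, salt))

    def change_password_buggy(self, name: str, current: str, new: str) -> str:
        # The "current password" arrives truncated to 20 characters, so a
        # correct 25-character password can never match the stored hash.
        submitted = current[: self.BUGGY_CURRENT_FIELD_MAX]
        user = self.users[name]
        if not verify_password(user, submitted):
            return "current password is wrong"
        self._set(user, new)
        return "ok"

    def change_password_fixed(self, name: str, current: str, new: str) -> str:
        # Verify the current password exactly as submitted (no cap) and
        # validate the new one against the same policy registration uses.
        user = self.users[name]
        if not verify_password(user, current):
            return "current password is wrong"
        self.REGISTER_POLICY.check(new)
        self._set(user, new)
        return "ok"

    def _set(self, user: User, new: str) -> None:
        user.salt = os.urandom(16)  # fresh salt on every change
        user.pw_hash = hash_password(new, user.salt)


def field_limit_mismatch(register_policy: PasswordPolicy, field_max: Optional[int]) -> bool:
    """Deployment check: True if an input field caps passwords below what
    registration allows, which lets users lock themselves out of a form."""
    if field_max is None:
        return False
    return register_policy.max_len is None or field_max < register_policy.max_len


def demo() -> dict:
    forum = Forum()
    old = "Tr0ub4dor&3-with-25-chars"  # 25 characters, like the post above
    new = "another-long-password-xyz"
    forum.register("digibo", old)
    buggy = forum.change_password_buggy("digibo", old, new)   # rejected
    fixed = forum.change_password_fixed("digibo", old, new)   # succeeds
    return {
        "buggy": buggy,
        "fixed": fixed,
        "mismatch": field_limit_mismatch(Forum.REGISTER_POLICY, Forum.BUGGY_CURRENT_FIELD_MAX),
        "new_works": verify_password(forum.users["digibo"], new),
    }


if __name__ == "__main__":
    print(demo())
```

The point of `field_limit_mismatch` is that the bug is a policy inconsistency rather than a hashing problem: whichever limit registration enforces (including none) is the one every later form that accepts the same credential has to honour.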
pekv2
September 11, 2011, 04:16:41 PM

I would suggest everyone check their donation addresses listed in their sig. Make sure it was never changed.

ctoon6
September 11, 2011, 04:20:10 PM

> I just tried changing my password and it says my current password is wrong. So I cannot change to a new one now.

> > You have the same password that you had before the attack.

> Hmm. Well something has gone wrong. I use a pwd safe and call up and paste in my previous password and it rejects it. My password had 25 chars including letters, numbers, symbols. Unless the validity of symbols was changed at some point I don't know why it won't work now. I've probably only used it once when created as typically I'm "always logged on".

> The password reset form has a "current password" field with a length limit of 20 characters, even though you can initially create an account with a password longer than 20 characters. I ran into this issue. You can still change your password by logging out, and then clicking the "Forgot your password?" link on the login page. It will email you a link that lets you reset your password.

My original password was 64-char hexadecimal, my new password is 64-char tetrasexagesimal, or base 64 according to Wikipedia. I was able to change it, so obviously you're wrong.

digibo
Newbie | Offline | Activity: 23 | Merit: 0
September 11, 2011, 04:38:13 PM

> I just tried changing my password and it says my current password is wrong. So I cannot change to a new one now.

> > You have the same password that you had before the attack.

> Hmm. Well something has gone wrong. I use a pwd safe and call up and paste in my previous password and it rejects it. My password had 25 chars including letters, numbers, symbols. Unless the validity of symbols was changed at some point I don't know why it won't work now. I've probably only used it once when created as typically I'm "always logged on".

> The password reset form has a "current password" field with a length limit of 20 characters, even though you can initially create an account with a password longer than 20 characters. I ran into this issue. You can still change your password by logging out, and then clicking the "Forgot your password?" link on the login page. It will email you a link that lets you reset your password.

> My original password was 64-char hexadecimal, my new password is 64-char tetrasexagesimal, or base 64 according to Wikipedia. I was able to change it, so obviously you're wrong.

Oh, you're right. I created a new account with a 64 character password, and then changed it to a different 64 character password via the profile settings page, and it worked fine. I did run into the same issue as BkkCoins with my own account, whatever it is.

digibo
Newbie | Offline | Activity: 23 | Merit: 0
September 11, 2011, 04:43:33 PM

> I just tried changing my password and it says my current password is wrong. So I cannot change to a new one now.

> > You have the same password that you had before the attack.

> Hmm. Well something has gone wrong. I use a pwd safe and call up and paste in my previous password and it rejects it. My password had 25 chars including letters, numbers, symbols. Unless the validity of symbols was changed at some point I don't know why it won't work now. I've probably only used it once when created as typically I'm "always logged on".

> The password reset form has a "current password" field with a length limit of 20 characters, even though you can initially create an account with a password longer than 20 characters. I ran into this issue. You can still change your password by logging out, and then clicking the "Forgot your password?" link on the login page. It will email you a link that lets you reset your password.

> My original password was 64-char hexadecimal, my new password is 64-char tetrasexagesimal, or base 64 according to Wikipedia. I was able to change it, so obviously you're wrong.

> Oh, you're right. I created a new account with a 64 character password, and then changed it to a different 64 character password via the profile settings page, and it worked fine. I did run into the same issue as BkkCoins with my own account, whatever it is.

And, trying once more on the new account, now I'm hitting the issue: https://i.imgur.com/NrsUc.png

ctoon6
September 11, 2011, 04:58:52 PM

> I just tried changing my password and it says my current password is wrong. So I cannot change to a new one now.

> > You have the same password that you had before the attack.

> Hmm. Well something has gone wrong. I use a pwd safe and call up and paste in my previous password and it rejects it. My password had 25 chars including letters, numbers, symbols. Unless the validity of symbols was changed at some point I don't know why it won't work now. I've probably only used it once when created as typically I'm "always logged on".

> The password reset form has a "current password" field with a length limit of 20 characters, even though you can initially create an account with a password longer than 20 characters. I ran into this issue. You can still change your password by logging out, and then clicking the "Forgot your password?" link on the login page. It will email you a link that lets you reset your password.

> My original password was 64-char hexadecimal, my new password is 64-char tetrasexagesimal, or base 64 according to Wikipedia. I was able to change it, so obviously you're wrong.

> Oh, you're right. I created a new account with a 64 character password, and then changed it to a different 64 character password via the profile settings page, and it worked fine. I did run into the same issue as BkkCoins with my own account, whatever it is.

> And, trying once more on the new account, now I'm hitting the issue:

What browser, version and OS+version are you using?

joepie91
September 11, 2011, 04:59:05 PM

> I'd like to see vBulletin used as well. I've read that it takes lower CPU load than most free PHP boards and it has some features I think would be nice here. Ubuntu forums and many other busy forums run on it. I know it costs some money but not that much.
> Edit: I don't know if there is an import tool for vB. I'd hope so because losing past posts and all the info held in them is not really an option.

vBulletin uses more resources than SMF (in fact, vBulletin is one of the worst at resource usage), and certainly isn't any more secure - if anything, vBulletin has an even worse track record than SMF in terms of vulnerabilities. (In fact, SMF is one of the lightest forum platforms there is.) EDIT: Additionally, if there would be a switch in forum software (which imo isn't really necessary) the best option would probably be XenForo.

Like my post(s)? 12TSXLa5Tu6ag4PNYCwKKSiZsaSCpAjzpu I just can't wait for fall/winter. My furnace never generated money for me before. I'll keep mining until my furnace is more profitable.

ctoon6
September 11, 2011, 05:00:51 PM

> I'd like to see vBulletin used as well. I've read that it takes lower CPU load than most free PHP boards and it has some features I think would be nice here. Ubuntu forums and many other busy forums run on it. I know it costs some money but not that much.
> Edit: I don't know if there is an import tool for vB. I'd hope so because losing past posts and all the info held in them is not really an option.

> vBulletin uses more resources than SMF (in fact, vBulletin is one of the worst at resource usage), and certainly isn't any more secure - if anything, vBulletin has an even worse track record than SMF in terms of vulnerabilities. (In fact, SMF is one of the lightest forum platforms there is.)

I don't care for vB or SMF, I like phpBB myself, but I think vB has the largest market share, so it falls under that Windows thing, where they are the largest target, therefore they get targeted type thing.

joepie91
September 11, 2011, 05:03:16 PM

> I'd like to see vBulletin used as well. I've read that it takes lower CPU load than most free PHP boards and it has some features I think would be nice here. Ubuntu forums and many other busy forums run on it. I know it costs some money but not that much.
> Edit: I don't know if there is an import tool for vB. I'd hope so because losing past posts and all the info held in them is not really an option.

> vBulletin uses more resources than SMF (in fact, vBulletin is one of the worst at resource usage), and certainly isn't any more secure - if anything, vBulletin has an even worse track record than SMF in terms of vulnerabilities. (In fact, SMF is one of the lightest forum platforms there is.)

> I don't care for vB or SMF, I like phpBB myself, but I think vB has the largest market share, so it falls under that Windows thing, where they are the largest target, therefore they get targeted type thing.

I'd say that vBulletin, IPB, SMF, and phpBB get targeted about equally as much - all of those are used by a LOT of sites. Also, I'm not sure how it is with the newer phpBB versions, but the old phpBB used a lot of resources as well.

Like my post(s)? 12TSXLa5Tu6ag4PNYCwKKSiZsaSCpAjzpu I just can't wait for fall/winter. My furnace never generated money for me before. I'll keep mining until my furnace is more profitable.

stsbrad
Full Member | Offline | Activity: 168 | Merit: 100
Brad Willman, SSCP, LTCP, MCTS, SCE, BCE
September 11, 2011, 05:23:10 PM

Couple of quick questions. You did contact the authorities, correct? Nothing about this hack was a joke and/or funny in my opinion. Why were extremely old admin accounts still active? Shouldn't those have an expiry setting and/or be deleted? Manually, you should have removed admin privileges after a certain amount of time.

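stsbrad's question above (why were long-unused admin accounts still privileged?) maps to a routine check a forum operator can run. The block below is an added example, not code from the forum or from SMF; the `Account` record, the group names and the sample member rows are constructed for illustration, and the 90-day idle threshold is an arbitrary assumption. It reports privileged accounts that have been idle longer than the threshold, treating "never logged in" as idle, and suggests demotion rather than deletion so post attribution is preserved.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Constructed sample data; not the forum's real member table.
# Group names are hypothetical stand-ins for whatever the board uses.
PRIVILEGED_GROUPS = {"Administrator", "Global Moderator"}


@dataclass
class Account:
    name: str
    groups: List[str]
    last_login: Optional[datetime]  # None means the account never logged in


def is_privileged(acct: Account) -> bool:
    return bool(PRIVILEGED_GROUPS.intersection(acct.groups))


def stale_privileged(accounts: List[Account], now: datetime,
                     max_idle: timedelta = timedelta(days=90)) -> Dict[str, str]:
    """Return {name: reason} for privileged accounts idle longer than
    max_idle. Never-logged-in accounts are always reported, since there
    is no evidence anyone legitimately uses them."""
    findings: Dict[str, str] = {}
    for acct in accounts:
        if not is_privileged(acct):
            continue  # ordinary members are out of scope for this check
        if acct.last_login is None:
            findings[acct.name] = "never logged in"
            continue
        idle = now - acct.last_login
        if idle > max_idle:
            findings[acct.name] = f"idle {idle.days} days"
    return findings


def recommended_actions(findings: Dict[str, str]) -> List[str]:
    # Demote to the regular member group; deleting would orphan old posts.
    return [f"demote {name} ({reason})" for name, reason in sorted(findings.items())]


# Constructed sample rows (dates chosen relative to the thread's date).
SAMPLE_ACCOUNTS = [
    Account("oldadmin", ["Administrator"], datetime(2010, 12, 1)),
    Account("activeadmin", ["Administrator"], datetime(2011, 9, 10)),
    Account("neveradmin", ["Global Moderator"], None),
    Account("regularuser", ["Member"], datetime(2010, 1, 1)),
]


def demo(now: datetime = datetime(2011, 9, 11)) -> Dict[str, str]:
    return stale_privileged(SAMPLE_ACCOUNTS, now)


if __name__ == "__main__":
    for line in recommended_actions(demo()):
        print(line)
```

Running the check on a schedule (and again after any incident) is what turns "we should have removed privileges" into something that actually happens; the threshold and the group names are the two knobs to adjust for a real board.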
ctoon6
September 11, 2011, 05:26:00 PM

> Couple of quick questions. You did contact the authorities, correct? Nothing about this hack was a joke and/or funny in my opinion. Why were extremely old admin accounts still active? Shouldn't those have an expiry setting and/or be deleted? Manually, you should have removed admin privileges after a certain amount of time.

Hardly mattered; from what I can gather from the situation, anyone could have been the first target that then got root access.

stsbrad
Full Member | Offline | Activity: 168 | Merit: 100
Brad Willman, SSCP, LTCP, MCTS, SCE, BCE
September 11, 2011, 05:37:33 PM

> Couple of quick questions. You did contact the authorities, correct? Nothing about this hack was a joke and/or funny in my opinion. Why were extremely old admin accounts still active? Shouldn't those have an expiry setting and/or be deleted? Manually, you should have removed admin privileges after a certain amount of time.

> Hardly mattered; from what I can gather from the situation, anyone could have been the first target that then got root access.

I thought they used the satoshi admin to get root?

ctoon6
September 11, 2011, 05:41:17 PM

> Couple of quick questions. You did contact the authorities, correct? Nothing about this hack was a joke and/or funny in my opinion. Why were extremely old admin accounts still active? Shouldn't those have an expiry setting and/or be deleted? Manually, you should have removed admin privileges after a certain amount of time.

> Hardly mattered; from what I can gather from the situation, anyone could have been the first target that then got root access.

> I thought they used the satoshi admin to get root?

I don't know how exactly they have the accounts set up, but they could have gained access to any of the root accounts, from what is in the post.