Bitcoin Forum
Author Topic: Info about the recent attack  (Read 52523 times)
repentance
Hero Member
Activity: 868
Merit: 1000
September 11, 2011, 06:46:20 AM #21

I just tried changing my password and it says my current password is wrong.
So I cannot change to a new one now.

You have the same password that you had before the attack.
Hmnm. Well something has gone wrong. I use a pwd safe and call up and paste in my previous password and it rejects it. My password had 25 chars including letters, numbers, symbols. Unless the validity of symbols was changed at some point I don't know why it won't work now. I've probably only used it once when created as typically I'm "always logged on".

If your password had been changed I don't think you'd have still been logged into the forum when it came back online.

All I can say is that this is Bitcoin. I don't believe it until I see six confirmations.
molecular
Donator
Legendary
Activity: 2772
Merit: 1019
September 11, 2011, 07:00:42 AM #22

Everyone should use lastpass.com and generate the longest password a site will accept (or just 32 random characters/numbers is sufficient imo) plus save that on lastpass.com

It's too easy and there is no excuse not to do it.

+ 1

I started using lastpass.com (there are alternatives too, like KeePass and others) after the Mt.Gox incident. I have come to love it.

PGP key molecular F9B70769 fingerprint 9CDD C0D3 20F8 279F 6BE0  3F39 FC49 2362 F9B7 0769
tsupp4
Full Member
Activity: 186
Merit: 100
September 11, 2011, 07:01:20 AM #23

Change of hosting

Mark Karpeles is now hosting the forum's server. The forum is still owned by Sirius, as it has always been. There will be no policy changes.

Signed version of this message

Your statement sounds kind of different from this info:
http://bitcoinmedia.com/mt-gox-taking-over-bitcointalk-the-official-u

Mark Karpeles aka MagicalTux is part of Mt.Gox, right?

"It's not rich who got much, but who gives much."
theymos (OP)
Administrator
Legendary
Activity: 5180
Merit: 12884
September 11, 2011, 07:06:38 AM #24

Mark Karpeles aka MagicalTux is part of Mt.Gox, right?

Yes.

Quote
Your statement sounds kind of different to this info:
http://bitcoinmedia.com/mt-gox-taking-over-bitcointalk-the-official-u

He is providing free hosting. He is not "taking over Bitcointalk". In that IRC excerpt I even say that Sirius will retain control of the DNS.

1NXYoJ5xU91Jp83XfVMHwwTUyZFK64BoAD
theymos (OP)
Administrator
Legendary
Activity: 5180
Merit: 12884
September 11, 2011, 07:09:58 AM #25

Also, that "security advisory" is inaccurate. The security breach had nothing to do with Flash. That was misinformation spread by the attacker, probably. They used a fake quote purporting to be from Sirius.

1NXYoJ5xU91Jp83XfVMHwwTUyZFK64BoAD
arsenische
Legendary
Activity: 1199
Merit: 1012
September 11, 2011, 07:11:18 AM #26

I'd like to see the file with leaked hashes

nhodges
Sr. Member
Activity: 322
Merit: 251
September 11, 2011, 07:13:39 AM #27

Everyone should use lastpass.com and generate the longest password a site will accept (or just 32 random characters/numbers is sufficient imo) plus save that on lastpass.com

It's too easy and there is no excuse not to do it.

Online password stores are still a single point of failure, IMO. Great idea, but use KeePass or some other local solution that you can back up and secure with ease.

BkkCoins
Hero Member
Activity: 784
Merit: 1009
firstbits:1MinerQ
September 11, 2011, 07:14:50 AM #28

I just tried changing my password and it says my current password is wrong.
So I cannot change to a new one now.

You have the same password that you had before the attack.
Hmnm. Well something has gone wrong. I use a pwd safe and call up and paste in my previous password and it rejects it. My password had 25 chars including letters, numbers, symbols. Unless the validity of symbols was changed at some point I don't know why it won't work now. I've probably only used it once when created as typically I'm "always logged on".

If your password had been changed I don't think you'd have still been logged into the forum when it came back online.
I'm pretty sure the password wouldn't matter.
Usually a session id is stored in the login cookie, not a password.

I've used KeePassX on Ubuntu for years and never had it mis-remember a password. I guess I should go through the "lost password" process now...

pekv2
Hero Member
Activity: 770
Merit: 502
September 11, 2011, 07:19:16 AM #29

Online password stores are still a single point of failure, IMO.

A solution like lastpass is great for a few reasons.

Your passwords are encrypted.
Quote
LastPass uses SSL exclusively for data transfer even though the vast majority of data you're sending is already encrypted with 256-bit AES and unusable to both LastPass and any party listening in to the network traffic

LastPass has a backup method, securely and not securely. I use not securely and RAR them, password protected and encrypted.

Quote
WinRAR offers you the benefit of industry strength archive encryption using AES (Advanced Encryption Standard) with a key of 128 bits.

My passwords are always accessible to me whether lastpass is offline or not.

TiagoTiago
Hero Member
Activity: 616
Merit: 500
Firstbits.com/1fg4i :)
September 11, 2011, 07:21:34 AM #30

Why is upgrading to the most recent version of SMF worse than switching to a whole 'nother forum backend? They didn't make it backward compatible?

(I don't always get new reply notifications, pls send a pm when you think it has happened)

Wanna gimme some BTC/BCH for any or no reason? 1FmvtS66LFh6ycrXDwKRQTexGJw4UWiqDX Smiley

The more you believe in Bitcoin, and the more you show you do to other people, the faster the real value will soar!

Do you like mmmBananas?!
theymos (OP)
Administrator
Legendary
Activity: 5180
Merit: 12884
September 11, 2011, 07:23:20 AM #31

Why is upgrading to the most recent version of SMF worse than switching to a whole 'nother forum backend? They didn't make it backward compatible?

There are many modifications that are incompatible.

1NXYoJ5xU91Jp83XfVMHwwTUyZFK64BoAD
TiagoTiago
Hero Member
Activity: 616
Merit: 500
Firstbits.com/1fg4i :)
September 11, 2011, 07:27:56 AM #32

They don't provide a way to convert the data to the new format or something like that?

Or you mean there are some addons you use that are essential that haven't been updated to be compatible with the latest version nor have equivalent alternatives made for the latest version?

(I don't always get new reply notifications, pls send a pm when you think it has happened)

Wanna gimme some BTC/BCH for any or no reason? 1FmvtS66LFh6ycrXDwKRQTexGJw4UWiqDX Smiley

The more you believe in Bitcoin, and the more you show you do to other people, the faster the real value will soar!

Do you like mmmBananas?!
d33tah
Newbie
Activity: 47
Merit: 0
September 11, 2011, 07:31:12 AM #33

If he could run arbitrary PHP code, maybe it's not just the hashes he collected... He might have also injected some code BEFORE hashing, thus gaining plaintext. I don't know all the hack details, but does it sound possible to you?

Also, it took you a while to recover.
opticbit
Hero Member
Activity: 695
Merit: 502
PGP: 6EBEBCE1E0507C38
September 11, 2011, 07:32:35 AM #34

so when an attacker finds that you have an extremely secure password, they can now guess that you have a password wallet somewhere, and go after that

Bitrated user: opticbit.
https://www.bitrated.com/opticbit
JonHind
Full Member
Activity: 154
Merit: 100
September 11, 2011, 07:32:59 AM #35

The vulnerabilities in 1.1.14 have been known for a LONG time. You can hardly call what SA did a 0-day exploit. While 1.1.14 might still be 'supported', it is full of security holes. The admins of this site have been aware of these vulnerabilities for a while, as quite a few people (myself included) have pointed out the dangers of using 1.1.14.

Any admin hosting a site which deals with discussions of a financial nature who couldn't even be bothered to upgrade along the 1.1.xx path (let alone switch to v.2) should hang their head in shame.

As for giving the database, including all PM's, and also the hosting of the site to the owner of the largest bitcoin exchange, I'm gobsmacked.

I took my $$$'s and BTC's out of Mt.Gox at the time when Bruce was visiting their company. I stopped trusting Mt.Gox when MagicalTux was white-knighting Bruce, refusing to address the evidence that was being provided (not the rumours I might add, just the evidence), and for allowing a convicted fraudster into his company's HQ. After this silent take-over of the forums, I trust Mt.Gox as much as I trust PayPal.

I have my $$$'s in my account now, and my BTC's are sitting in an offline USB stick in the gamble that they will be worth something after all this shit settles down. I'm sitting this one out.
theymos (OP)
Administrator
Legendary
Activity: 5180
Merit: 12884
September 11, 2011, 07:33:08 AM #36

If he could run arbitrary PHP code, maybe it's not just the hashes he collected... He might have also injected some code BEFORE hashing, thus gaining plaintext. I don't know all the hack details, but does it sound possible to you?

It is possible.

1NXYoJ5xU91Jp83XfVMHwwTUyZFK64BoAD
Dusty
Hero Member
Activity: 731
Merit: 503
Libertas a calumnia
September 11, 2011, 07:34:37 AM #37

thanks for the info, theymos. please continue to keep things as transparent as possible.
+1

Articoli bitcoin: Il portico dipinto
theymos (OP)
Administrator
Legendary
Activity: 5180
Merit: 12884
September 11, 2011, 07:35:43 AM #38

Any admin hosting a site which deals with discussions of a financial nature who couldn't even be bothered to upgrade along the 1.1.xx path (let alone switch to v.2) should hang their head in shame.

What are you talking about? This is the latest upgrade in the 1.1.xx path.

I am not aware of any other vulnerabilities. If vulnerabilities exist, report them to me and I will take the forum down until they are fixed.

1NXYoJ5xU91Jp83XfVMHwwTUyZFK64BoAD
TiagoTiago
Hero Member
Activity: 616
Merit: 500
Firstbits.com/1fg4i :)
September 11, 2011, 07:37:08 AM #39

Though if the intention was to steal data, the defacement stuff would be a dumb move; if they had stayed hidden they could have stolen shit for much longer.

(I don't always get new reply notifications, pls send a pm when you think it has happened)

Wanna gimme some BTC/BCH for any or no reason? 1FmvtS66LFh6ycrXDwKRQTexGJw4UWiqDX Smiley

The more you believe in Bitcoin, and the more you show you do to other people, the faster the real value will soar!

Do you like mmmBananas?!
molecular
Donator
Legendary
Activity: 2772
Merit: 1019
September 11, 2011, 07:42:14 AM #40

Also, it took you a while to recover.

I'm sure you could've done it much faster and you would run such a site much more securely than theymos.
I'm also sure you'd gladly give up your weekend for no money to recover from a hack.
And I'm also pretty sure you would easily take a bashing from 11-post-know-it-alls without whining.

Thanks to theymos, sirius and whoever else helped in recovery and running the site. I hope you'll keep the forums up in the future. You're doing a great job! Thanks for the transparency, too.

PGP key molecular F9B70769 fingerprint 9CDD C0D3 20F8 279F 6BE0  3F39 FC49 2362 F9B7 0769