Info about the recent attack

[FalconFour]

for christ's sake,

Why the f**k are we still using the same exact - the same HACKED - version of the forum software?

I was pissed when I saw the forum come back online and saw we're still on the same version. So I posted, "why the hell are we still using the same version?". And nothing was said. Now, again, I ask, why the f**k are we still using the same version?!

First, use KeePass or something. I don't have to worry about changing my password since this is the only site that gibberish password is used on. Anyone worried about security oughtta do the same.

Second, WHAT THE HELL IT IS NOT THAT HARD TO UPGRADE TO A NEW VERSION OF SMF. This old legacy version of SMF isn't even available to download anymore. What the hell. My head hurts thinking about how unfathomably irresponsible that is.

Third, did I read back a few pages ago that you're looking for some web admin help? Here. Right here. This is me e-raising my hand. Am I a little douchy in this "volunteering" process? Fuck yeah I am, but what experienced sysadmin would NOT be pissed as they watch a popular forum flail its arms in catastrophic misery? It's the "Why wasn't I there? Oh that's right, none of my projects ever got this big, but they also never got hacked" effect. Take it or leave it.

But do something about it. I really don't want to F5 this page and see someone belching up some manufactured excuse/response, and still see the same version-banner at the bottom. That'll just go to prove how immature Bitcoin admins/techs are... oh, what's that falling over there? Price of Bitcoin. Steve Jobs resigned as CEO of Apple. Apple stock fell like a rock. Did Apple do anything tangibly wrong? No, their fucking CEO resigned. You see how related-but-technically-unrelated things affect prices? Why do you think these Cosby clowns attacked the site? derp.

[1714079015]

1714079015

[1714079015]

1714079015

[dlb76]

Good to know! Thanks theymos!

[Inaba]

So, you don't like this phpBB fork and want another... well... phpBB fork?  

forums are somewhat easy to code, I don't see nothing wrong with this one, just cover the security holes and double check before "add components or features" (usually the mother of all holes to exploit).

Please.  You obviously have no experience with web development if you think a feature rich, secure forum software is easy to code.  Literally you have absolutely no idea what you are talking about.  The fact that you see nothing wrong with this software also lends further credence to the fact that you are talking about a topic you have absolutely no, none, zip, zero experience in, either as a user, an administrator/moderator or a system administrator.  Please do NOT throw your .02c into the pot, as all you do is muddy the waters and confuse the current operators with posts like this.  You have no experience and no comprehension as to what goes into coding, running and administrating a popular web forum and your opinion does nothing but damage the cause of moving this forum to a more secure, robust and feature rich future that can handle future expansion and growth.

Before you tell me how qualified you are to make your assessments, http://communityhosting.net is my company and I invite you to read what we have specialized in for over 12 years and then feel free to come back and tell me how your qualifications and judgement are superior to mine in this matter.

I would say modern forum software with all the features you expect from said software is probably one of the most difficult pieces of code to write securely in existence as a web application today.  It is anything but "easy to code."  It is utterly laughable that you'd even put fingers to keyboard to write that.

for christ's sake,

Why the f**k are we still using the same exact - the same HACKED - version of the forum software?

I was pissed when I saw the forum come back online and saw we're still on the same version. So I posted, "why the hell are we still using the same version?". And nothing was said. Now, again, I ask, why the f**k are we still using the same version?!

First, use KeePass or something. I don't have to worry about changing my password since this is the only site that gibberish password is used on. Anyone worried about security oughtta do the same.

Second, WHAT THE HELL IT IS NOT THAT HARD TO UPGRADE TO A NEW VERSION OF SMF. This old legacy version of SMF isn't even available to download anymore. What the hell. My head hurts thinking about how unfathomably irresponsible that is.

Third, did I read back a few pages ago that you're looking for some web admin help? Here. Right here. This is me e-raising my hand. Am I a little douchy in this "volunteering" process? Fuck yeah I am, but what experienced sysadmin would NOT be pissed as they watch a popular forum flail its arms in catastrophic misery? It's the "Why wasn't I there? Oh that's right, none of my projects ever got this big, but they also never got hacked" effect. Take it or leave it.

But do something about it. I really don't want to F5 this page and see someone belching up some manufactured excuse/response, and still see the same version-banner at the bottom. That'll just go to prove how immature Bitcoin admins/techs are... oh, what's that falling over there? Price of Bitcoin. Steve Jobs resigned as CEO of Apple. Apple stock fell like a rock. Did Apple do anything tangibly wrong? No, their fucking CEO resigned. You see how related-but-technically-unrelated things affect prices? Why do you think these Cosby clowns attacked the site? derp.

This.

Pretty much what I was thinking but didn't want to come out and say.  I have been advocating for months for a new forum software and nothing has been done.  Reading over the first post and subsequent posts I see that it's because of a lack of technical knowledge, not some other deep seated and ill-thought out need to keep with forum software developed over a half decade ago.  

I've also volunteered my services and also web hosting for the forums.  I don't particularly want to admin the forums, but if it's a choice between continuing with SMF and me having to do it, I would choose me having to do it.  Or FalconFour, or someone else technically inclined.  Whatever... just stop using this shitty piece of software and harden your web server.

The more I read this thread, the more pissed off I get at the complete mismanagement of this forum and especially the utterly piss poor handling of this incident.  No, we don't expect to be incident free 100% of the time (though that should be the goal), but when there is an incident, how you handle it during and after the crises is just as important as what you do to prevent it in the first place. On both accounts, the before and after, it has been utter and complete fail.  Please stop the cycle of failure.  If you aren't ready or prepared to take steps right now to solve the issues, let someone who is handle it.    

Engaging Mark, with the complete mess and incredibly poor handling of his own hacking incident at MtGox is also so incredibly questionable as to be almost mind boggling.  It would be like hiring the Sony security team to head up your security.  Why would you do that?  MtGox and Sony have both shown they can't handle security before a crisis and are unable to handle it during or after a crisis, so you hire them to... handle security?!  Wait, what?   

Stop making the, quite literally, worst decision that is possible to make short of giving out your passwords publicly. Stop damaging the credibility of Bitcoin. 

[FalconFour]

Heh, well, now that my attention's been brought to this post (whatever dimwit is responsible for keying it in):

So, you don't like this phpBB fork and want another... well... phpBB fork? 

forums are somewhat easy to code, I don't see nothing wrong with this one, just cover the security holes and double check before "add components or features" (usually the mother of all holes to exploit).

Lulz are necessary. Forums are somewhat easy to code? I invite you to look at this page:
http://hostfile.org/viewtopic.php?id=148
As you take a look around at that rather eyesore-tastic, yet somehow very zippy-loading, website... keep this in mind: I wrote that whole thing, with the exception of the BBcode engine that turns a smiley into a graphic, or a URL into a link, but the entire layout/structure/function/etc., that's all hand-crafted in Notepad++. The forum is built on the comments engine, which is tied into the rest of the site. It hasn't yet been "hacked" in all its 4-5 years of running. Of course, given the topic, it also hasn't been very popular, either (hence the "Oh that's right, none of my projects ever got this big, but they also never got hacked" thing). And I still invite someone to try "hacking" it. Good f'ing luck. One thing you won't find in a single line of my code is the potential for an SQL injection exploit. Cheap, first-grade-coding shit there. I even made a function alias for mysql_real_escape_string, since I used it so often and didn't want to type the whole thing out every time.

But lemme tell you: building those systems was a bitch. Even a forum as dumb-basic as that, is a bitch to code. Simple? Yeah, it's easy as hell to take a distribution package of some forum software, and drop its archive onto your server and set it up (hey, admins? yeah, it's really easy to upgrade. that's our point). That's because the programmers MADE it easy to install. Writing it in the first place? Not easy.

[tasarz]

The more I read this thread, the more pissed off I get as the complete mismanagement of this forum and especially the utterly piss poor handling of this incident.  No, we don't expect to be incident free 100% of the time (though that should be the goal), but when there is an incident, how you handle it during and after the crises is just as important as what you do to prevent it in the first place. On both accounts, the before and after, it has been utter and complete fail.  Please stop the cycle of failure.  If you aren't ready or prepared to take steps right now to solve the issues, let someone who is handle it.    Stop damaging the credibility of Bitcoin.

Considering that the forum is comprised of 30% pro/anti-bitcoin trolls, and that the moderators seem to be incapable of doing anything but moving critical threads to off-topic, I'm not at all surprised that the administrators are failing as well.  This place is rotten from the ground up.  I know what a pain updating old software can be.  I also know that it's part of the fucking job.  And now it seems the reins have been handed over to MtGox, who has yet to respond to the obvious problems with his own product today.  How many more shitty pieces of software is the Bitcoin going to have to use before people realize that anything Bitcoin-related is a giant target?  If you can't be bothered to fix the obvious holes I'd rather you don't even bother at all.

[FalconFour]

Wait, my head exploded when I read this line:

SMF hashes passwords with SHA-1 and salts the hash with your (lowercase) username. This is unfortunately not an incredibly secure way of hashing passwords.

F... fucking... REALLY?! No, no, not what it's saying, but... that you're actually SAYING THIS? It's like, let's see here, some clown sneaks onto a military base and puts on some kind of demonstration in middle of a road there. Ouch, that's embarrassing. But in the official response, they say...
"Well, we only have one guard stationed at the gate between 4am and 8am, and the rest of the time there are 2 guards except during their lunch break at 12pm and 1pm. And one of them really likes F-16s and is easily distracted by the launches."

WHAT THE FUCK KIND OF SECURITY RESPONSE IS THAT?! What user needs to know those intricate details?

Harm versus Benefit analysis. Assume, for example, that the script kiddie(s) responsible for the hack weren't thinking of stealing any passwords. They just wanted to make some lulz. In the process, they got the passing idea to back up the database. They came, they lul'd, they left, watching the aftermath (server shut down for what, almost 2 days?). Now they come along and see that post, and say "OH WOW! I DIDN'T EVEN THINK TO CHECK THE PASSWORDS, LOL, BUT THIS MORON JUST GAVE US THE KINGDOM FOR FREE!". No Googling necessary... in fact, it PROMOTES the idea of curiously trying this theory on their backup database they stole for the lulz. Sure enough, it reveals some admin password, "penis" (which would TYPICALLY be too short to use, but with this lack of security... who knows!). O LOL WOW, IT WORKS, LETS CRACK ALL THESE PASSWORDS WITH OUR MINING GPUs

Srsly?

[Crypt_Current]

For what it's worth, my .02 BTC is:

My login/pass still work, there hasn't been any unauthorized use of my login/pass, and this place is still my go-to (atm) for info on mining.  Thanks to the admins and owners/operators for everything they do here; personally I TRULY fucking appreciate it.

I just want to throw out a special thanks to jondecker76 for his one on one help.

I truly believe in a world-changing potential for crypto-currencies, especially BTC, and now my faith in the surrounding community is becoming about as strong.

[ctoon6]

Wait, my head exploded when I read this line:

SMF hashes passwords with SHA-1 and salts the hash with your (lowercase) username. This is unfortunately not an incredibly secure way of hashing passwords.

F... fucking... REALLY?! No, no, not what it's saying, but... that you're actually SAYING THIS? It's like, let's see here, some clown sneaks onto a military base and puts on some kind of demonstration in middle of a road there. Ouch, that's embarrassing. But in the official response, they say...
"Well, we only have one guard stationed at the gate between 4am and 8am, and the rest of the time there are 2 guards except during their lunch break at 12pm and 1pm. And one of them really likes F-16s and is easily distracted by the launches."

WHAT THE FUCK KIND OF SECURITY RESPONSE IS THAT?! What user needs to know those intricate details?

Harm versus Benefit analysis. Assume, for example, that the script kiddie(s) responsible for the hack weren't thinking of stealing any passwords. They just wanted to make some lulz. In the process, they got the passing idea to back up the database. They came, they lul'd, they left, watching the aftermath (server shut down for what, almost 2 days?). Now they come along and see that post, and say "OH WOW! I DIDN'T EVEN THINK TO CHECK THE PASSWORDS, LOL, BUT THIS MORON JUST GAVE US THE KINGDOM FOR FREE!". No Googling necessary... in fact, it PROMOTES the idea of curiously trying this theory on their backup database they stole for the lulz. Sure enough, it reveals some admin password, "penis" (which would TYPICALLY be too short to use, but with this lack of security... who knows!). O LOL WOW, IT WORKS, LETS CRACK ALL THESE PASSWORDS WITH OUR MINING GPUs

Srsly?

what your saying is stupid on all kinds of levels. any and all information should be shared in any and all forms of communications. you trying to hid information that others could use to increase security elsewhere might not make it to where it needs to be, all because you thought you were helping.

[defxor]

Srsly?

So, in short. You belong to the crowd who believe your own non-vetted coding to be vastly superior to the joint work of others, when it comes to writing secure online software, yet you have no idea what salt is or why it's used?

Your posts contain nothing of value.

[FalconFour]

what your saying is stupid on all kinds of levels. any and all information should be shared in any and all forms of communications. you trying to hid information that others could use to increase security elsewhere might not make it to where it needs to be, all because you thought you were helping.

I stopped taking you seriously at that "your" part, but continued to read through your self-perpetuated lack of capitalization* just for entertainment value. And for similar entertainment value, I figure I should tell you that it would've been just as effective, and much less damaging, to have just left out the part about "how the passwords are stored" and just cut to the "if your password is this long" part. There was absolutely no benefit to blurting out exactly how the passwords are stored.

* - that is, "what does it matter to me what some idiot forum noob thinks about my spelling" / "i don't need to be in grammer class whenever i go onlien, fukk you" / "i feel like relaying my low mood and chronic depression through the use of nocaps" / "I Swear i could write Proper Grammar when I need too, I don't need some Stupid forum troll telling me what too do!"

Srsly?

So, in short. You belong to the crowd who believe your own non-vetted coding to be vastly superior to the joint work of others, when it comes to writing secure online software, yet you have no idea what salt is or why it's used?

Salting bascially changes the original value and the comparison value with a known figure so the hashes can't be referenced to a lookup table, and so they can't be broken without knowing the salt value. Oh wait, we know the salt value now. Haha, that was easy™.

Again, with the big exclamation of, "Everyone lock your doors, they might have gotten a copy of the KEY TO THE KINGDOM! *attachment: high-res picture of key to the kingdom.jpg*"

[BCEmporium]

funny, I don't use php ready made software (the open in open source doesn't stand for open for the right folks amd I'm no lego maker.) and still a "full featured forum" falls under the easy category. My "medium difficulty" cat starts at FB and hard when things like socket_listen() comes to the scene.

[gat3way]

Well, those are the bruteforce cracking speeds for the most popular forum engines' password hashes on AMD Radeon HD6870:

IPB/MyBB: ~500M/s
vBulletin: 700M/s (older versions with short salts) - 512M/s (newer versions with 30-byte salt).
SMF: 980M/s

Those are bruteforce speeds, single-hash, using my own software. oclHashcat has nearly the same speeds, +/- 1-2%. 

Note that since those are salted hashes, speeds are proportional to the number of hashes. E.g cracking two IPB hashes would run at 250M/s, cracking 1000 IPB hashes would run at 500K/s.

Bruteforcing thousands of salted hashes is not very practical. However, with dictionary and rule-based attacks, things are kinda different. And long passwords are not necessarily strong ones.

P.S I did not mention phpbb3 as I haven't implemented it yet, but I can make projections about speed (as it is iterated MD5 in fact) - it should be about 3M/s on 6870 which is significantly slower. PHPBB3's password hashing is much better as compared to IPB/vBulletin/SMF in fact.

[Raoul Duke]

I just don't understand why the forum needed to be moved to a new server if the fuckin exploit was on the forum script and not on the server, but i guess that's how shit is managed around here...

[Nesetalis]

my suspicion  psy is that they move the site so the original site can be worked on.. fixed, maybe ugpraded... while everyone is able to talk here :p then once the old server is back up, working how it should.. merge the database back in, possibly convert to a new forum type (there are alot of conversion tools out there)

[dvide]

Salting bascially changes the original value and the comparison value with a known figure so the hashes can't be referenced to a lookup table, and so they can't be broken without knowing the salt value. Oh wait, we know the salt value now. Haha, that was easy™.

Again, with the big exclamation of, "Everyone lock your doors, they might have gotten a copy of the KEY TO THE KINGDOM! *attachment: high-res picture of key to the kingdom.jpg*"

It doesn't really matter if you know the salt value. The salt doesn't have to be a secret; that's not the point of it. It's just so that a mapping of passwords to hashes can't be pre-computed ahead of time (which would then turn brute force attempts into a simple lookup). With a salt, you'd have to compute a table for each user separately, even if you know the salt for the each user, which is infeasible to do; and it's doubtful that any such tables already exist in the wild for any salted password on this forum, which, if you use a decently strong password, gives you ample time to go and change it wherever you used it before somebody cracks it.

That's because hash functions give very unpredictable result outputs by design. If you change even the slightest thing in the password it will hash to something completely different and unpredictable. And they are infeasible to reverse, so you can't just take the salt away from the hashed password after the fact. It's like trying to uncook a meal to get the raw ingredients back out again.

[FalconFour]

Well, basically, if the salt value is known, it's much easier to generate a table (we all know how quick THAT goes with Bitcoin mining - not necessarily a table, but a shitload of hashes), than it would be to try to brute-force the thing from scratch. It went from being "nearly impossible" to "just a minor inconvenience", by spewing out how to get the salt values for each password. All that, and it didn't even have to be said - simply, "change your passwords" and if so desired, "if it's less than x digits long" or whatever. It didn't need to be said how the salts work or what algorithm they were stored in - up to that point, they were still gibberish until someone decided to look up how SMF stores password hashes... *or* in the guard analogy, they just know there are guards there, until someone stands there all day and watches their behavior, OR until someone just blabs it out in a public announcement.

[repentance]

I just don't understand why the forum needed to be moved to a new server if the fuckin exploit was on the forum script and not on the server, but i guess that's how shit is managed around here...

Sirius wanted to hand the hosting over to someone else.

Thread about emails discussing the change

[gat3way]

Well, basically, if the salt value is known, it's much easier to generate a table (we all know how quick THAT goes with Bitcoin mining - not necessarily a table, but a shitload of hashes), than it would be to try to brute-force the thing from scratch.

That's completely wrong.

It went from being "nearly impossible" to "just a minor inconvenience", by spewing out how to get the salt values for each password.

No, it did not.

All that, and it didn't even have to be said - simply, "change your passwords" and if so desired, "if it's less than x digits long" or whatever. It didn't need to be said how the salts work or what algorithm they were stored in - up to that point, they were still gibberish until someone decided to look up how SMF stores password hashes... *or* in the guard analogy, they just know there are guards there, until someone stands there all day and watches their behavior, OR until someone just blabs it out in a public announcement.

SMF is an opensource product and the way it hashes user password is well known.

[FalconFour]

That's, again, the guard analogy. You could either have the security hole/method laid out right in front of you with reckless abandon, splayed out to everyone in a public message... and then the attacker is TOLD about the method/hole... or they could NOT be told, and at least have the *possibility* that the attacker was unaware of how "easy" it would be to break the hashes. Either way, they could just stake out the guard spot for a night and find out for themselves if they REALLY wanted to. Same as they could've just Googled it, had the information not been laid out right in front of 'em.

The point is, THERE WAS NO REASON TO WRITE THAT STATEMENT IN THIS MESSAGE. NOBODY NEEDED THAT KIND OF DETAIL.

It's irrelevant if the detail itself is important - I could say "Hi, my name is Bob", and that's more information than is needed; I could have accomplished the same thing with a simple "Hi!". It's volunteering unnecessary information that's the problem here. It's easily known that my name was Bob if they REALLY WANTED TO KNOW (e.g. "SMF is an opensource [sic] product"), and it's also irrelevant if that information would have been of any malicious use ("No, it did not"). It's just the fact that the information was not necessary to begin with, it shouldn't've been said.

[gat3way]

So you think mentioning the SMF password hashing algorithm helped the attacker to crack the hashes? I don't think so. Actually just posting them on a site like hashkiller.com or insidepro.com would be enough to get a decent part of them cracked.

But hey I just gave out more sensitive data to the potential attacker. Damn