BigMac
Legendary
Offline
Activity: 896
Merit: 1000
|
|
June 05, 2014, 01:27:52 AM |
|
And why hasn't the forum been upgraded and fixed yet. Are the 1000s of Bitcoin donated to Theymos not enough to cover it?
The new forum software costs 1 mil USD (~1500 btc), but no worries, the forum has way more than that.
|
|
|
|
jeffersonairplane
Legendary
Offline
Activity: 1522
Merit: 1000
www.bitkong.com
|
|
June 05, 2014, 02:24:24 AM |
|
I would love avatars to come back. Don't see why they were taken away in the first place.
|
|
|
|
Swordsoffreedom
Legendary
Offline
Activity: 2954
Merit: 1135
Leading Crypto Sports Betting & Casino Platform
|
|
June 05, 2014, 02:27:31 AM |
|
I would love avatars to come back. Don't see why they were taken away in the first place.
It was because bitcointalk got hacked back in 2013 and they needed to disable them
|
..Stake.com.. | | | ▄████████████████████████████████████▄ ██ ▄▄▄▄▄▄▄▄▄▄ ▄▄▄▄▄▄▄▄▄▄ ██ ▄████▄ ██ ▀▀▀▀▀▀▀▀▀▀ ██████████ ▀▀▀▀▀▀▀▀▀▀ ██ ██████ ██ ██████████ ██ ██ ██████████ ██ ▀██▀ ██ ██ ██ ██████ ██ ██ ██ ██ ██ ██ ██████ ██ █████ ███ ██████ ██ ████▄ ██ ██ █████ ███ ████ ████ █████ ███ ████████ ██ ████ ████ ██████████ ████ ████ ████▀ ██ ██████████ ▄▄▄▄▄▄▄▄▄▄ ██████████ ██ ██ ▀▀▀▀▀▀▀▀▀▀ ██ ▀█████████▀ ▄████████████▄ ▀█████████▀ ▄▄▄▄▄▄▄▄▄▄▄▄███ ██ ██ ███▄▄▄▄▄▄▄▄▄▄▄▄ ██████████████████████████████████████████ | | | | | | ▄▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▄ █ ▄▀▄ █▀▀█▀▄▄ █ █▀█ █ ▐ ▐▌ █ ▄██▄ █ ▌ █ █ ▄██████▄ █ ▌ ▐▌ █ ██████████ █ ▐ █ █ ▐██████████▌ █ ▐ ▐▌ █ ▀▀██████▀▀ █ ▌ █ █ ▄▄▄██▄▄▄ █ ▌▐▌ █ █▐ █ █ █▐▐▌ █ █▐█ ▀▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▀█ | | | | | | ▄▄█████████▄▄ ▄██▀▀▀▀█████▀▀▀▀██▄ ▄█▀ ▐█▌ ▀█▄ ██ ▐█▌ ██ ████▄ ▄█████▄ ▄████ ████████▄███████████▄████████ ███▀ █████████████ ▀███ ██ ███████████ ██ ▀█▄ █████████ ▄█▀ ▀█▄ ▄██▀▀▀▀▀▀▀██▄ ▄▄▄█▀ ▀███████ ███████▀ ▀█████▄ ▄█████▀ ▀▀▀███▄▄▄███▀▀▀ | | | ..PLAY NOW.. |
|
|
|
BigMac
Legendary
Offline
Activity: 896
Merit: 1000
|
|
June 05, 2014, 02:42:02 AM |
|
I would love avatars to come back. Don't see why they were taken away in the first place.
It was because bitcointalk got hacked back in 2013 and they needed to disable them For those interested, you can refer to the thread https://bitcointalk.org/index.php?topic=306878.0On October 3, it was discovered that an attacker inserted some JavaScript into forum pages. The forum was shut down soon afterward so that the issue could be investigated carefully. After investigation, I determined that the attacker most likely had the ability to execute arbitrary PHP code. Therefore, the attacker probably could have accessed personal messages, email addresses, and password hashes, though it is unknown whether he actually did so.
Passwords were hashed very strongly. Each password is hashed with 7500 rounds of sha256crypt and a 12-byte random salt (per password). Each password would need to be individually attacked in order to retrieve the password. However, even fairly strong passwords may be crackable after a long period of time, and weak passwords (especially ones composed of only a few dictionary words) may still be cracked quickly, so it is recommended that you change your password here and anywhere else you used the password.
The attacker may have modified posts, PMs, signatures, and registered Bitcoin addresses. It isn't practical for me to check all of these things for everyone, so you should double-check your own stuff and report any irregularities to me.
How the attack was done
I believe that this is how the attack was done: After the 2011 hack of the forum, the attacker inserted some backdoors. These were removed by Mark Karpelles in his post-hack code audit, but a short time later, the attacker used the password hashes he obtained from the database in order to take control of an admin account and insert the backdoors back in. (There is a flaw in stock SMF allowing you to login as someone using only their password hash. No bruteforcing is required. This was fixed on this forum when the password system was overhauled over a year ago.) The backdoors were in obscure locations, so they weren't noticed until I did a complete code audit yesterday.
After I found the backdoors, I saw that someone (presumably the attacker) independently posted about his attack method with matching details. So it seems very likely that this was the attack method.
Because the backdoors were first planted in late 2011, the database could have been secretly accessed any time since then.
It was initially suspected by many that the attack was done by exploiting a flaw in SMF which allows you to upload any file to the user avatars directory, and then using a misconfiguration in nginx to execute this file as a PHP script. However, this attack method seems impossible if PHP's security.limit_extensions is set.
|
|
|
|
Swordsoffreedom
Legendary
Offline
Activity: 2954
Merit: 1135
Leading Crypto Sports Betting & Casino Platform
|
|
June 05, 2014, 02:47:19 AM Last edit: June 05, 2014, 09:17:40 AM by Swordsoffreedom |
|
Good point will contribute a video of it in practice as well since a picture says a 1000 words and a video is a play by play http://www.youtube.com/watch?v=LKrOHAfMdxIThat said did Theymos finally review the 1XX script the hack was way back in 2013 so there should have been sufficient time to see if the problem was with avatars.
|
..Stake.com.. | | | ▄████████████████████████████████████▄ ██ ▄▄▄▄▄▄▄▄▄▄ ▄▄▄▄▄▄▄▄▄▄ ██ ▄████▄ ██ ▀▀▀▀▀▀▀▀▀▀ ██████████ ▀▀▀▀▀▀▀▀▀▀ ██ ██████ ██ ██████████ ██ ██ ██████████ ██ ▀██▀ ██ ██ ██ ██████ ██ ██ ██ ██ ██ ██ ██████ ██ █████ ███ ██████ ██ ████▄ ██ ██ █████ ███ ████ ████ █████ ███ ████████ ██ ████ ████ ██████████ ████ ████ ████▀ ██ ██████████ ▄▄▄▄▄▄▄▄▄▄ ██████████ ██ ██ ▀▀▀▀▀▀▀▀▀▀ ██ ▀█████████▀ ▄████████████▄ ▀█████████▀ ▄▄▄▄▄▄▄▄▄▄▄▄███ ██ ██ ███▄▄▄▄▄▄▄▄▄▄▄▄ ██████████████████████████████████████████ | | | | | | ▄▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▄ █ ▄▀▄ █▀▀█▀▄▄ █ █▀█ █ ▐ ▐▌ █ ▄██▄ █ ▌ █ █ ▄██████▄ █ ▌ ▐▌ █ ██████████ █ ▐ █ █ ▐██████████▌ █ ▐ ▐▌ █ ▀▀██████▀▀ █ ▌ █ █ ▄▄▄██▄▄▄ █ ▌▐▌ █ █▐ █ █ █▐▐▌ █ █▐█ ▀▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▀█ | | | | | | ▄▄█████████▄▄ ▄██▀▀▀▀█████▀▀▀▀██▄ ▄█▀ ▐█▌ ▀█▄ ██ ▐█▌ ██ ████▄ ▄█████▄ ▄████ ████████▄███████████▄████████ ███▀ █████████████ ▀███ ██ ███████████ ██ ▀█▄ █████████ ▄█▀ ▀█▄ ▄██▀▀▀▀▀▀▀██▄ ▄▄▄█▀ ▀███████ ███████▀ ▀█████▄ ▄█████▀ ▀▀▀███▄▄▄███▀▀▀ | | | ..PLAY NOW.. |
|
|
|
SgtMoth
|
|
June 05, 2014, 02:52:06 AM |
|
whats an avatar?
|
|
|
|
jonald_fyookball
Legendary
Offline
Activity: 1302
Merit: 1008
Core dev leaves me neg feedback #abuse #political
|
|
June 05, 2014, 03:31:34 AM |
|
Nginx ehh.. What's wrong with apache?
|
|
|
|
BigMac
Legendary
Offline
Activity: 896
Merit: 1000
|
|
June 05, 2014, 04:05:40 AM |
|
Good point will contribute a video of it in practice as well since a picture says a 1000 words and a video is a play by play http://www.youtube.com/watch?v=LKrOHAfMdxIThat said did Theymos finally review the 1XX script the hack was way back in 2013 so there should have been sufficient time to see if the problem was with avatars. It seems your quotes didn't work very well.
|
|
|
|
CEG5952
|
|
June 05, 2014, 06:45:23 AM |
|
I'd love for avatars to come back. LOL, I'm stuck with this guy. I just randomly picked one when I joined. If I knew I was gonna stick around, I probably would have chosen a better one...
|
|
|
|
Swordsoffreedom
Legendary
Offline
Activity: 2954
Merit: 1135
Leading Crypto Sports Betting & Casino Platform
|
|
June 05, 2014, 09:17:06 AM |
|
It seems your quotes didn't work very well. Sometimes I try to get rid of the quote walls or adjust it to topic and miss one sorry about that and edited . I am not sure if suggesting a pruning method to include certain quotes only would be a software improvement or just being lazy lol.
|
..Stake.com.. | | | ▄████████████████████████████████████▄ ██ ▄▄▄▄▄▄▄▄▄▄ ▄▄▄▄▄▄▄▄▄▄ ██ ▄████▄ ██ ▀▀▀▀▀▀▀▀▀▀ ██████████ ▀▀▀▀▀▀▀▀▀▀ ██ ██████ ██ ██████████ ██ ██ ██████████ ██ ▀██▀ ██ ██ ██ ██████ ██ ██ ██ ██ ██ ██ ██████ ██ █████ ███ ██████ ██ ████▄ ██ ██ █████ ███ ████ ████ █████ ███ ████████ ██ ████ ████ ██████████ ████ ████ ████▀ ██ ██████████ ▄▄▄▄▄▄▄▄▄▄ ██████████ ██ ██ ▀▀▀▀▀▀▀▀▀▀ ██ ▀█████████▀ ▄████████████▄ ▀█████████▀ ▄▄▄▄▄▄▄▄▄▄▄▄███ ██ ██ ███▄▄▄▄▄▄▄▄▄▄▄▄ ██████████████████████████████████████████ | | | | | | ▄▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▄ █ ▄▀▄ █▀▀█▀▄▄ █ █▀█ █ ▐ ▐▌ █ ▄██▄ █ ▌ █ █ ▄██████▄ █ ▌ ▐▌ █ ██████████ █ ▐ █ █ ▐██████████▌ █ ▐ ▐▌ █ ▀▀██████▀▀ █ ▌ █ █ ▄▄▄██▄▄▄ █ ▌▐▌ █ █▐ █ █ █▐▐▌ █ █▐█ ▀▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▀█ | | | | | | ▄▄█████████▄▄ ▄██▀▀▀▀█████▀▀▀▀██▄ ▄█▀ ▐█▌ ▀█▄ ██ ▐█▌ ██ ████▄ ▄█████▄ ▄████ ████████▄███████████▄████████ ███▀ █████████████ ▀███ ██ ███████████ ██ ▀█▄ █████████ ▄█▀ ▀█▄ ▄██▀▀▀▀▀▀▀██▄ ▄▄▄█▀ ▀███████ ███████▀ ▀█████▄ ▄█████▀ ▀▀▀███▄▄▄███▀▀▀ | | | ..PLAY NOW.. |
|
|
|
gagalady
Legendary
Offline
Activity: 938
Merit: 1000
|
|
June 05, 2014, 03:36:20 PM |
|
I would also like to get avatars back and why they were disabled , for what reason?
|
|
|
|
Yuki1988
|
|
June 05, 2014, 03:59:32 PM |
|
I would also like to get avatars back and why they were disabled , for what reason?
Read a few posts up there, and you will see. I would love avatars to come back. Don't see why they were taken away in the first place.
It was because bitcointalk got hacked back in 2013 and they needed to disable them For those interested, you can refer to the thread https://bitcointalk.org/index.php?topic=306878.0On October 3, it was discovered that an attacker inserted some JavaScript into forum pages. The forum was shut down soon afterward so that the issue could be investigated carefully. After investigation, I determined that the attacker most likely had the ability to execute arbitrary PHP code. Therefore, the attacker probably could have accessed personal messages, email addresses, and password hashes, though it is unknown whether he actually did so.
Passwords were hashed very strongly. Each password is hashed with 7500 rounds of sha256crypt and a 12-byte random salt (per password). Each password would need to be individually attacked in order to retrieve the password. However, even fairly strong passwords may be crackable after a long period of time, and weak passwords (especially ones composed of only a few dictionary words) may still be cracked quickly, so it is recommended that you change your password here and anywhere else you used the password.
The attacker may have modified posts, PMs, signatures, and registered Bitcoin addresses. It isn't practical for me to check all of these things for everyone, so you should double-check your own stuff and report any irregularities to me.
How the attack was done
I believe that this is how the attack was done: After the 2011 hack of the forum, the attacker inserted some backdoors. These were removed by Mark Karpelles in his post-hack code audit, but a short time later, the attacker used the password hashes he obtained from the database in order to take control of an admin account and insert the backdoors back in. (There is a flaw in stock SMF allowing you to login as someone using only their password hash. No bruteforcing is required. This was fixed on this forum when the password system was overhauled over a year ago.) The backdoors were in obscure locations, so they weren't noticed until I did a complete code audit yesterday.
After I found the backdoors, I saw that someone (presumably the attacker) independently posted about his attack method with matching details. So it seems very likely that this was the attack method.
Because the backdoors were first planted in late 2011, the database could have been secretly accessed any time since then.
It was initially suspected by many that the attack was done by exploiting a flaw in SMF which allows you to upload any file to the user avatars directory, and then using a misconfiguration in nginx to execute this file as a PHP script. However, this attack method seems impossible if PHP's security.limit_extensions is set.
|
|
|
|
ampere9765
|
|
June 05, 2014, 09:42:11 PM |
|
Okay, so we just need to come up with a million bucks for the forum, and then I am no longer stuck being Bruce Willis? Sounds good to me. Let's get on that!
|
|
|
|
hilariousandco
Global Moderator
Legendary
Online
Activity: 3990
Merit: 2717
Join the world-leading crypto sportsbook NOW!
|
|
June 05, 2014, 09:54:13 PM |
|
Theymos has previously stated that he will remove avatars for people who don't want theirs anymore but won't change them. Pm him if you want but I'd just keep it for now.
|
|
|
|
Cryptopher
Legendary
Offline
Activity: 1789
Merit: 1008
Keep it dense, yeah?
|
|
June 05, 2014, 10:17:41 PM |
|
and also return "move topic" and "make thread self moderated" to the options please. No reason to remove them, not having them in there just creates more work for mods.
The move topic is still there, in the bottom left when viewing your topic. You can make a thread self-moderated at topic creation time under additional options, but I don't believe that you can subsequently change this. I would love to see the avatar option return - I know that it is in the new forum plans, but it would be nice if they were activated on here again. They stopped allowing avatars by the time I had joined the forum.
|
Sign up to Revolut and do the Crypto Quiz to earn $15/£14 in DOT
|
|
|
oli123123
Legendary
Offline
Activity: 1445
Merit: 1000
|
|
June 07, 2014, 05:46:30 PM |
|
Guys please stop creating threads like this, you won't be able to change your avatar until the forum software upgrade.
|
|
|
|
Yuki1988
|
|
June 07, 2014, 05:51:04 PM |
|
Guys please stop creating threads like this, you won't be able to change your avatar until the forum software upgrade.
This thread is not new (created in Apr), but it gets bumped...
|
|
|
|
Cryptopher
Legendary
Offline
Activity: 1789
Merit: 1008
Keep it dense, yeah?
|
|
June 07, 2014, 05:55:09 PM |
|
Guys please stop creating threads like this, you won't be able to change your avatar until the forum software upgrade.
This thread is not new (created in Apr), but it gets bumped... By new I think that he means that it was decided before then that we won't have custom avatars until at least the forum software upgrade.
|
Sign up to Revolut and do the Crypto Quiz to earn $15/£14 in DOT
|
|
|
oli123123
Legendary
Offline
Activity: 1445
Merit: 1000
|
|
June 07, 2014, 10:50:41 PM |
|
Guys please stop creating threads like this, you won't be able to change your avatar until the forum software upgrade.
This thread is not new (created in Apr), but it gets bumped... Oh, my bad, i thought it was a new thread, i've seen many avatar threads in the meta forum recently.
|
|
|
|
AlPutino
Newbie
Offline
Activity: 56
Merit: 0
|
|
June 08, 2014, 06:23:06 AM |
|
yes please!!!!11 I would like to constantly see the flawless image of alPutino there.
|
|
|
|
|