BigMac
Legendary
Offline
Activity: 896
Merit: 1000
|
|
June 05, 2014, 01:27:52 AM |
|
And why hasn't the forum been upgraded and fixed yet. Are the 1000s of Bitcoin donated to Theymos not enough to cover it?
The new forum software costs 1 mil USD (~1500 btc), but no worries, the forum has way more than that.
|
|
|
|
jeffersonairplane
Legendary
Offline
Activity: 1522
Merit: 1000
www.bitkong.com
|
|
June 05, 2014, 02:24:24 AM |
|
I would love avatars to come back. Don't see why they were taken away in the first place.
|
|
|
|
Swordsoffreedom
Legendary
Online
Activity: 2954
Merit: 1135
Leading Crypto Sports Betting & Casino Platform
|
|
June 05, 2014, 02:27:31 AM |
|
I would love avatars to come back. Don't see why they were taken away in the first place.
It was because bitcointalk got hacked back in 2013 and they needed to disable them
|
|
|
|
BigMac
Legendary
Offline
Activity: 896
Merit: 1000
|
|
June 05, 2014, 02:42:02 AM |
|
I would love avatars to come back. Don't see why they were taken away in the first place.
It was because bitcointalk got hacked back in 2013 and they needed to disable them.
For those interested, you can refer to the thread https://bitcointalk.org/index.php?topic=306878.0
On October 3, it was discovered that an attacker inserted some JavaScript into forum pages. The forum was shut down soon afterward so that the issue could be investigated carefully. After investigation, I determined that the attacker most likely had the ability to execute arbitrary PHP code. Therefore, the attacker probably could have accessed personal messages, email addresses, and password hashes, though it is unknown whether he actually did so.
Passwords were hashed very strongly. Each password is hashed with 7500 rounds of sha256crypt and a 12-byte random salt (per password). Each password would need to be individually attacked in order to retrieve the password. However, even fairly strong passwords may be crackable after a long period of time, and weak passwords (especially ones composed of only a few dictionary words) may still be cracked quickly, so it is recommended that you change your password here and anywhere else you used the password.
The attacker may have modified posts, PMs, signatures, and registered Bitcoin addresses. It isn't practical for me to check all of these things for everyone, so you should double-check your own stuff and report any irregularities to me.
How the attack was done
I believe that this is how the attack was done: After the 2011 hack of the forum, the attacker inserted some backdoors. These were removed by Mark Karpelles in his post-hack code audit, but a short time later, the attacker used the password hashes he obtained from the database in order to take control of an admin account and insert the backdoors back in. (There is a flaw in stock SMF allowing you to login as someone using only their password hash. No bruteforcing is required. This was fixed on this forum when the password system was overhauled over a year ago.) The backdoors were in obscure locations, so they weren't noticed until I did a complete code audit yesterday.
After I found the backdoors, I saw that someone (presumably the attacker) independently posted about his attack method with matching details. So it seems very likely that this was the attack method.
Because the backdoors were first planted in late 2011, the database could have been secretly accessed any time since then.
It was initially suspected by many that the attack was done by exploiting a flaw in SMF which allows you to upload any file to the user avatars directory, and then using a misconfiguration in nginx to execute this file as a PHP script. However, this attack method seems impossible if PHP's security.limit_extensions is set.
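To make the "7500 rounds of sha256crypt and a 12-byte random salt" claim concrete, here is an added example (my own code, not the forum's and not theymos' patch): a pure-Python sha256crypt following Drepper's SHA-crypt specification (the scheme behind glibc's "$5$" crypt), a hash-and-verify pair using the parameters the post describes, and a dictionary attack that shows why each hash must be attacked on its own. The 12-character salt alphabet and the word list are my choices for illustration.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Pure-Python sha256crypt ("$5$") following Drepper's SHA-crypt specification (the scheme
# glibc's crypt(3) implements). Written for this thread as an illustration; not the forum's code.
_ALPHABET = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
# Byte order in which the final 32-byte digest is emitted (from the specification).
_ORDER = [(0, 10, 20), (21, 1, 11), (12, 22, 2), (3, 13, 23), (24, 4, 14),
          (15, 25, 5), (6, 16, 26), (27, 7, 17), (18, 28, 8), (9, 19, 29)]


def _b64(b2: int, b1: int, b0: int, n: int) -> str:
    """crypt-style base64: n six-bit groups of the 24-bit word, least significant first."""
    w = (b2 << 16) | (b1 << 8) | b0
    out = ""
    for _ in range(n):
        out += _ALPHABET[w & 0x3F]
        w >>= 6
    return out


def _fill(digest: bytes, length: int) -> bytes:
    """Repeat a 32-byte digest to exactly `length` bytes (whole copies, then a prefix)."""
    return digest * (length // 32) + digest[: length % 32]


def sha256crypt(password: bytes, salt: bytes, rounds: Optional[int] = None) -> str:
    explicit = rounds is not None
    rounds = 5000 if rounds is None else max(1000, min(rounds, 999_999_999))
    salt = salt[:16]                      # the scheme uses at most 16 salt bytes
    plen = len(password)

    b = hashlib.sha256(password + salt + password).digest()
    a = hashlib.sha256(password + salt)
    a.update(_fill(b, plen))
    cnt = plen
    while cnt:                            # one step per bit of the password length
        a.update(b if cnt & 1 else password)
        cnt >>= 1
    a_digest = a.digest()

    p = _fill(hashlib.sha256(password * plen).digest(), plen)
    s = _fill(hashlib.sha256(salt * (16 + a_digest[0])).digest(), len(salt))

    c = a_digest
    for i in range(rounds):               # the cost loop: `rounds` chained SHA-256 computations
        h = hashlib.sha256(p if i & 1 else c)
        if i % 3:
            h.update(s)
        if i % 7:
            h.update(p)
        h.update(c if i & 1 else p)
        c = h.digest()

    encoded = "".join(_b64(c[x], c[y], c[z], 4) for x, y, z in _ORDER)
    encoded += _b64(0, c[31], c[30], 3)
    prefix = "$5$" + (f"rounds={rounds}$" if explicit else "")
    return prefix + salt.decode() + "$" + encoded


def new_hash(password: bytes, rounds: int = 7500) -> str:
    """Hash with a fresh 12-character random salt per password and 7500 rounds, the
    parameters the post describes (salt alphabet is my choice)."""
    salt = "".join(secrets.choice(_ALPHABET) for _ in range(12)).encode()
    return sha256crypt(password, salt, rounds)


def verify(password: bytes, stored: str) -> bool:
    """Recompute from the salt/rounds embedded in the stored string; compare in constant time."""
    fields = stored.split("$")            # ["", "5", "rounds=N" (optional), salt, hash]
    if len(fields) < 4 or fields[1] != "5":
        return False
    rounds = int(fields[2][7:]) if fields[2].startswith("rounds=") else None
    salt = fields[3] if rounds is not None else fields[2]
    return hmac.compare_digest(sha256crypt(password, salt.encode(), rounds), stored)


def dictionary_attack(stored: str, wordlist) -> Optional[bytes]:
    """Why 'each password would need to be individually attacked': the salt sits in `stored`,
    so every candidate costs a full `rounds`-round computation against this one hash and
    nothing computed here can be reused against another user's hash."""
    for candidate in wordlist:
        if verify(candidate, stored):
            return candidate
    return None
```

The two known test strings from the SHA-crypt specification ("Hello world!" with salt "saltstring", and with "rounds=10000$saltstringsaltstring") are the check that the implementation is faithful; after that, `new_hash` and `verify` run with the forum's 7500-round setting. The attack loop makes the post's caveat visible: a short word list falls quickly, while the per-hash cost is what slows down anything larger.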
|
|
|
|
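The post's remark that stock SMF let you "login as someone using only their password hash" is worth a second added example (again my own illustration, not SMF's code, and the post itself does not spell out the mechanism). The flaw class is a login cookie whose secret part is computed only from columns in the members table, so whoever holds a database dump can mint the cookie without cracking anything. The member row and session table below are constructed; the hardened variant uses a random server-side token of which only a hash is stored.

```python
import hashlib
import hmac
import secrets

# Constructed members-table row (placeholder values, not real forum data). The design flaw
# modelled here is that the cookie's secret is a function of these two stored columns only.
MEMBER_ROW = {"id_member": 42,
              "passwd": "$5$rounds=7500$c0nstructedS4lt$c0nstructedHashValueForIllustrationOnly",
              "password_salt": "x9Qf"}


def legacy_login_cookie(row: dict) -> dict:
    """'Hash in the cookie' style: a digest of the stored hash plus a stored salt.
    Anything the server derives from the database, a holder of a dump derives too."""
    token = hashlib.sha1((row["passwd"] + row["password_salt"]).encode()).hexdigest()
    return {"id_member": row["id_member"], "password": token}


def legacy_check(cookie: dict, row: dict) -> bool:
    expected = hashlib.sha1((row["passwd"] + row["password_salt"]).encode()).hexdigest()
    return cookie["id_member"] == row["id_member"] and hmac.compare_digest(cookie["password"], expected)


def forge_from_dump(dumped_row: dict) -> dict:
    """Attacker side: no brute force, the dumped columns are the credential."""
    return legacy_login_cookie(dumped_row)


# Hardened design: a random server-side session token. The table keeps only a hash of it, so a
# dump of this table plus the members table still does not yield a usable cookie.
SESSIONS: dict = {}          # sha256(token) -> id_member


def issue_session(row: dict) -> dict:
    token = secrets.token_urlsafe(32)
    SESSIONS[hashlib.sha256(token.encode()).hexdigest()] = row["id_member"]
    return {"id_member": row["id_member"], "session": token}


def hardened_check(cookie: dict) -> bool:
    owner = SESSIONS.get(hashlib.sha256(cookie["session"].encode()).hexdigest())
    return owner is not None and owner == cookie["id_member"]


def revoke_sessions(id_member: int) -> int:
    """On password change or incident response: drop every session of the member."""
    stale = [k for k, v in SESSIONS.items() if v == id_member]
    for k in stale:
        del SESSIONS[k]
    return len(stale)


def forge_from_session_dump(id_member: int) -> dict:
    """Attacker holding a dump of SESSIONS can only try the stored value, which is a hash of
    the token, not the token itself."""
    for hashed_token, owner in SESSIONS.items():
        if owner == id_member:
            return {"id_member": id_member, "session": hashed_token}
    return {"id_member": id_member, "session": ""}
```

The point of the comparison is the post's "no bruteforcing is required": with the legacy cookie, a dump of the members table is already a login; with the random token the dump buys nothing, and `revoke_sessions` is what a password reset after a breach should also do.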
Swordsoffreedom
Legendary
Online
Activity: 2954
Merit: 1135
Leading Crypto Sports Betting & Casino Platform
|
|
June 05, 2014, 02:47:19 AM Last edit: June 05, 2014, 09:17:40 AM by Swordsoffreedom |
|
Good point, will contribute a video of it in practice as well, since a picture says a 1000 words and a video is a play by play: http://www.youtube.com/watch?v=LKrOHAfMdxI
That said, did Theymos finally review the 1XX script? The hack was way back in 2013, so there should have been sufficient time to see if the problem was with avatars.
|
|
|
|
SgtMoth
|
|
June 05, 2014, 02:52:06 AM |
|
whats an avatar?
|
|
|
|
jonald_fyookball
Legendary
Offline
Activity: 1302
Merit: 1008
Core dev leaves me neg feedback #abuse #political
|
|
June 05, 2014, 03:31:34 AM |
|
Nginx ehh.. What's wrong with apache?
|
|
|
|
BigMac
Legendary
Offline
Activity: 896
Merit: 1000
|
|
June 05, 2014, 04:05:40 AM |
|
Good point, will contribute a video of it in practice as well, since a picture says a 1000 words and a video is a play by play: http://www.youtube.com/watch?v=LKrOHAfMdxI
That said, did Theymos finally review the 1XX script? The hack was way back in 2013, so there should have been sufficient time to see if the problem was with avatars.
It seems your quotes didn't work very well.
|
|
|
|
CEG5952
|
|
June 05, 2014, 06:45:23 AM |
|
I'd love for avatars to come back. LOL, I'm stuck with this guy. I just randomly picked one when I joined. If I knew I was gonna stick around, I probably would have chosen a better one...
|
|
|
|
Swordsoffreedom
Legendary
Online
Activity: 2954
Merit: 1135
Leading Crypto Sports Betting & Casino Platform
|
|
June 05, 2014, 09:17:06 AM |
|
It seems your quotes didn't work very well.
Sometimes I try to get rid of the quote walls or adjust it to topic and miss one, sorry about that, and edited. I am not sure if suggesting a pruning method to include certain quotes only would be a software improvement or just being lazy lol.
|
|
|
|
gagalady
Legendary
Offline
Activity: 938
Merit: 1000
|
|
June 05, 2014, 03:36:20 PM |
|
I would also like to get avatars back, and why were they disabled, for what reason?
|
|
|
|
Yuki1988
|
|
June 05, 2014, 03:59:32 PM |
|
I would also like to get avatars back, and why were they disabled, for what reason?
Read a few posts up there, and you will see.
I would love avatars to come back. Don't see why they were taken away in the first place.
It was because bitcointalk got hacked back in 2013 and they needed to disable them.
For those interested, you can refer to the thread https://bitcointalk.org/index.php?topic=306878.0
On October 3, it was discovered that an attacker inserted some JavaScript into forum pages. The forum was shut down soon afterward so that the issue could be investigated carefully. After investigation, I determined that the attacker most likely had the ability to execute arbitrary PHP code. Therefore, the attacker probably could have accessed personal messages, email addresses, and password hashes, though it is unknown whether he actually did so.
Passwords were hashed very strongly. Each password is hashed with 7500 rounds of sha256crypt and a 12-byte random salt (per password). Each password would need to be individually attacked in order to retrieve the password. However, even fairly strong passwords may be crackable after a long period of time, and weak passwords (especially ones composed of only a few dictionary words) may still be cracked quickly, so it is recommended that you change your password here and anywhere else you used the password.
The attacker may have modified posts, PMs, signatures, and registered Bitcoin addresses. It isn't practical for me to check all of these things for everyone, so you should double-check your own stuff and report any irregularities to me.
How the attack was done
I believe that this is how the attack was done: After the 2011 hack of the forum, the attacker inserted some backdoors. These were removed by Mark Karpelles in his post-hack code audit, but a short time later, the attacker used the password hashes he obtained from the database in order to take control of an admin account and insert the backdoors back in. (There is a flaw in stock SMF allowing you to login as someone using only their password hash. No bruteforcing is required. This was fixed on this forum when the password system was overhauled over a year ago.) The backdoors were in obscure locations, so they weren't noticed until I did a complete code audit yesterday.
After I found the backdoors, I saw that someone (presumably the attacker) independently posted about his attack method with matching details. So it seems very likely that this was the attack method.
Because the backdoors were first planted in late 2011, the database could have been secretly accessed any time since then.
It was initially suspected by many that the attack was done by exploiting a flaw in SMF which allows you to upload any file to the user avatars directory, and then using a misconfiguration in nginx to execute this file as a PHP script. However, this attack method seems impossible if PHP's security.limit_extensions is set.
|
|
|
|
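The last paragraph of the quoted post (upload anything to the avatars directory, then a nginx misconfiguration runs it as PHP, which security.limit_extensions blocks) deserves a worked illustration. The post does not name the misconfiguration; the one assumed here is the well-known nginx + PHP-FPM path-info problem: `location ~ \.php$` is matched against the request URI, so `/avatars/avatar_1234.jpg/x.php` is forwarded to PHP-FPM, and with `cgi.fix_pathinfo=1` FPM walks the path back to the first existing file and executes the uploaded .jpg. This is an added example in Python that models that routing and the two fixes, not nginx's or PHP's code; the document root and file names are constructed.

```python
import re

# Constructed document tree standing in for the forum's web root. The "avatar" is whatever the
# uploader sent; its content does not matter to the routing logic modelled here.
DOCROOT = "/var/www/forum"
FILES = {
    DOCROOT + "/index.php",
    DOCROOT + "/avatars/avatar_1234.jpg",   # attacker-controlled upload containing PHP code
}

# nginx side, as assumed:  location ~ \.php$ { fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; ... }
# The regex is tested against the request URI, so "/avatars/avatar_1234.jpg/x.php" matches too.
PHP_LOCATION = re.compile(r"\.php$")


def nginx_route(uri: str, try_files: bool = False):
    """Return the SCRIPT_FILENAME nginx would pass to PHP-FPM, or None if the request is not
    routed to PHP. `try_files` models `try_files $uri =404;` inside the PHP location, which
    refuses to forward a URI that is not itself an existing file."""
    if not PHP_LOCATION.search(uri):
        return None
    script = DOCROOT + uri
    if try_files and script not in FILES:
        return None
    return script


def fpm_resolve(script_filename: str, fix_pathinfo: bool = True, limit_extensions=(".php",)):
    """Model PHP-FPM's script resolution. With cgi.fix_pathinfo=1 (the php.ini default) a
    non-existent SCRIPT_FILENAME is shortened one component at a time until a real file is
    found; the remainder becomes PATH_INFO. security.limit_extensions then rejects any script
    whose extension is not on the list, which is what keeps the uploaded .jpg from running."""
    path, path_info = script_filename, ""
    while path not in FILES:
        if not fix_pathinfo or path.count("/") <= 1:
            return ("404", None, None)              # no script: "No input file specified."
        path, tail = path.rsplit("/", 1)
        path_info = "/" + tail + path_info
    if limit_extensions and not path.endswith(tuple(limit_extensions)):
        return ("403", path, path_info)             # FPM answers "Access denied."
    return ("200", path, path_info)                 # `path` is what gets executed as PHP
```

Read with `limit_extensions=()` the model reproduces the attack: the .jpg is executed with `/x.php` as PATH_INFO. With the default `security.limit_extensions = .php` in the FPM pool configuration (the default since PHP 5.3.9) the same request is refused, and `try_files $uri =404;` in the nginx location stops it one layer earlier. Either one closes the path the post describes; serving upload directories from a location that never reaches PHP at all is the belt-and-braces version.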
ampere9765
|
|
June 05, 2014, 09:42:11 PM |
|
Okay, so we just need to come up with a million bucks for the forum, and then I am no longer stuck being Bruce Willis? Sounds good to me. Let's get on that!
|
|
|
|
hilariousandco
Global Moderator
Legendary
Online
Activity: 3990
Merit: 2717
Join the world-leading crypto sportsbook NOW!
|
|
June 05, 2014, 09:54:13 PM |
|
Theymos has previously stated that he will remove avatars for people who don't want theirs anymore but won't change them. Pm him if you want but I'd just keep it for now.
|
|
|
|
Cryptopher
Legendary
Offline
Activity: 1789
Merit: 1008
Keep it dense, yeah?
|
|
June 05, 2014, 10:17:41 PM |
|
and also return "move topic" and "make thread self moderated" to the options please. No reason to remove them, not having them in there just creates more work for mods.
The move topic is still there, in the bottom left when viewing your topic. You can make a thread self-moderated at topic creation time under additional options, but I don't believe that you can subsequently change this. I would love to see the avatar option return - I know that it is in the new forum plans, but it would be nice if they were activated on here again. They stopped allowing avatars by the time I had joined the forum.
|
|
|
|
oli123123
Legendary
Offline
Activity: 1445
Merit: 1000
|
|
June 07, 2014, 05:46:30 PM |
|
Guys please stop creating threads like this, you won't be able to change your avatar until the forum software upgrade.
|
|
|
|
Yuki1988
|
|
June 07, 2014, 05:51:04 PM |
|
Guys please stop creating threads like this, you won't be able to change your avatar until the forum software upgrade.
This thread is not new (created in Apr), but it gets bumped...
|
|
|
|
Cryptopher
Legendary
Offline
Activity: 1789
Merit: 1008
Keep it dense, yeah?
|
|
June 07, 2014, 05:55:09 PM |
|
Guys please stop creating threads like this, you won't be able to change your avatar until the forum software upgrade.
This thread is not new (created in Apr), but it gets bumped... By new I think that he means that it was decided before then that we won't have custom avatars until at least the forum software upgrade.
|
|
|
|
oli123123
Legendary
Offline
Activity: 1445
Merit: 1000
|
|
June 07, 2014, 10:50:41 PM |
|
Guys please stop creating threads like this, you won't be able to change your avatar until the forum software upgrade.
This thread is not new (created in Apr), but it gets bumped... Oh, my bad, i thought it was a new thread, i've seen many avatar threads in the meta forum recently.
|
|
|
|
AlPutino
Newbie
Offline
Activity: 56
Merit: 0
|
|
June 08, 2014, 06:23:06 AM |
|
yes please!!!!11 I would like to constantly see the flawless image of alPutino there.
|
|
|
|
|