IMPORTANT: Community security breach

Started by LiroyvH, July 23, 2013, 12:45:08 PM


Kindred

SimpleSite...

Maybe so... but the point is: we used the internal announcement/mailing system.
To do anything else would have required more delays while we built a mailer to target everyone.

Groovy,

Excuse me? The entire community got informed (as per this announcement) as soon as we had concrete data about what happened, how it happened and what was potentially compromised. Why would we have sent you a special one-off message before we knew enough to make an official notification to everyone?
Please do not PM, IM or Email me with support questions. You will get better and faster responses in the support boards. Thank you.

"Loki is not evil, although he is certainly not a force for good. Loki is... complicated."

xrunner

Since this is theft I assume it's been reported to the authorities?

wynnyelle

So there was no period of time when it was known but the knowledge wasn't divulged?

I'm sorry, then, my bad.

Trekkie101

Quote from: Groovystar on July 23, 2013, 03:41:13 PM
...You guys knew about this hours before you chose to tell me? I could have changed everything pass word wise long before this, then?

All you had to do was let me know there might have been a security issue and to change my passes. I would've just gone and done it, it would've been that easy.

The problem with notifying immediately is that the exploit may have still been live. We had to find the hole and figure out if it could be reused, or if there was anything left behind. If we notified immediately, changing your password could have been ineffective.

I promise you, this was dealt with as fast as it could be.

Kindred

groovy,

Why would we have held off on the announcement?
As I have already said:
We were informed that there had been a breach.
We investigated said report using the logs and investigating files and database details.
We confirmed that the breach was NOT due to a flaw in SMF (which was our biggest concern)
We cleaned up the crap payloads...
We confirmed what was the most likely target data
We composed a message that told the details
We proofread said message (not closely enough, of course, since there are several mistakes that we have been quietly fixing. :) )
We sent said message.

Frizzle is a just a drama-monger

Quite honestly - a 16 hour turn around for a notification like this is nothing short of stellar activity on the part of our Server Guy!


xrunner - we are investigating our options for reporting this.


edit - ninjad in both responses. :)

Simple Site Designs

Quote from: Kindred on July 23, 2013, 03:43:17 PM
SimpleSite...

Maybe so... but the point is: we used the internal announcement/mailing system.
To do anything else would have required more delays while we built a mailer to target everyone.

Understood. For the record, I'm not questioning the way this is being handled. I always have, and continue to have, the utmost respect for the SMF team. It's just unfortunately something that can happen.

kat

Even Microsoft got hacked, a while back. They copped a virus, too.

No website is 100% secure, unfortunately.

walker

Thanks for the heads up. Why this childish bull is glorified by some folks is beyond me.

FrizzleFried

Quote from: Kindred on July 23, 2013, 03:17:06 PM
So, yes, we took a few hours to examine the logs, to figure out what happened, to confirm that the breach was NOT a flaw in the SMF software and to get a handle on what we expect was the hacker's priority information to acquire.

Emphasis mine.  If being a "DRAMA MONGER" means pointing out when someone in power is attempting to blow smoke up our skirts,  GUILTY AS CHARGED.  16+ hours is NOT "a few hours" no matter how you look at it.  Had you been FORTHRIGHT from the get-go and posted something to the effect of "Yesterday at X:XX" or even "approximately 16 hours ago",  this DRAMA-MONGER wouldn't have to point out these things.

kat

Friz, please... What's done is done.

If you disagree with what was done, fine. But, carping about it isn't going to change things.

The powers that be took what they considered to be the correct actions at the correct times.

You, obviously, disagree. Others don't.

No point in carping-on about it, here, now, is there?

Things may not have been mentioned, for obvious reasons. Things that may well have caused, or been instrumental in, that delay.

Let it go, willya? Please?

wynnyelle

It was going on for 16+ hours?

I could've at least changed my own site's information, though I think we already changed everything recently enough.

I have no site right now. My site went down over an hour and a half ago.

Herman's Mixen

This is a global announcement, as we are in many different timezones.

Digging through the log files is a pretty time-consuming job!!
Kind regards, The Burglar!

"Any intelligent fool can make things bigger, more complex, and more violent.
It takes a touch of genius - and a lot of courage - to move in the opposite direction." - Albert Einstein

Former Godfather of our Dutch community ;)

wynnyelle

I'm terrified that my site was destroyed and won't ever be coming back. It went down about an hour and a half after the announcement was made.

Zirkon

Same here, both my sites are down. The Graywebhost front site is down too. No replies from CoreISP or notification as to what is going on.

kat

I suspect Core's VERY busy, at the moment.

kat

I'm on your site, as I type, Groovy.

Liroy's good. But, even he can't be in two places at the same time. ;)

Colin

It looks just fine from over here, too.
"If everybody is thinking alike, then somebody is not thinking." - Gen. George S. Patton Jr.
