is smf secure for website novices?

Started by sheilah, June 23, 2011, 04:46:07 PM


sheilah

I hope this makes sense...
Is SMF a good secure choice for a forum for someone that doesn't know much about websites or website programming. I'd like to install a forum, but I am concerned that I have seen other forums get hacked. I'm a novice, so I'm looking for a pretty bullet-proof secure forum program that is safe to have on one's website.
Anyway, does that make sense, and what are your opinions on this?
Is SMF a safe choice for a "beginner"? :)

sheilah

By the way, it took me four tries to get the security number thing right to get my post to work. Arghhh... but then again, is that standard on the program? It would cut down on the people that aren't serious about posting, I suppose. :)

oh oh, I can see below I have to figure out a new verification code...

SlammedDime

Is it safe?  I would say yes, as long as you stay on top of the updates, which is really easy to do as there is a bright red warning when you log into your admin panel if you're not up to date.

But that only covers you from the SMF standpoint, you also have to have a good web host that is secure.  Without that, it doesn't matter what software you use, you're at risk.  Stay away from the 'Unlimited disk space/bandwidth' hosts.  There is no such thing as 'unlimited'.

As for the verification image - it is required here by anyone with less than 10 posts.  It is a standard, configurable, feature of SMF, and there are other options as well as modifications you can install to improve or add to it.

sheilah

Quote from: SlammedDime on June 23, 2011, 05:21:19 PM
Is it safe?  I would say yes, as long as you stay on top of the updates, which is really easy to do as there is a bright red warning when you log into your admin panel if you're not up to date.

Thanks! I've used wordpress for blogging, and it is very easy to update. If that's all it takes to keep SMF secure, I should be ok. I asked because it seems some programs are made to be used by everyone, including dummies like myself, but other programs seem to require a programmer's knowledge to use it.
I'd like to have a discussion forum so people can have input on topics on my site (like giveaway ideas), as I think a forum format works better than blog comments, but I just don't want to have or recreate any loopholes for hackers. And I think I understand what you say about webhosts, and if it sounds too good to be true... :)

MacGig

As I found out, SMF 1.12, 1.14?, the captcha has been broken a long time and no one has fixed it. Bots bypass it and get on your forums. And SMF still lets people download and install it as is... :(

Sure there may be mod fixes, if you are able to code and edit many critical files... I tried but it did not work for me.

I don't understand why SMF doesn't fix this important feature... many forums are suffering from spam and bot attacks because of this long-time issue.. I ran a 1.1x forum for years and the bot problems are BIG.

I just upgraded to 2.0 hoping to fix the bot issue... hope I did not waste my time. I recommend not wasting time on 1.1.x versions just because the captcha doesn't work.

I'm no SMF expert, just sharing what my experience has been in the last few years... with 1.1.x...

Illori

It is not just an SMF issue that CAPTCHA has been broken; it is just not secure. In 2.0 there are further features to keep spammers out. And 1.1.1* as well as 2.0 have for a long time only been getting security fixes, and this one does not make the list.

青山 素子

Quote from: MacGig on June 27, 2011, 09:27:12 AM
As I found out, SMF 1.12, 1.14?, the captcha has been broken a long time and no one has fixed it. Bots bypass it and get on your forums. And SMF still lets people download and install it as is... :(

90% of the bypassing is not because it's being broken in an automated manner. Rather, real humans are solving these things. There are services out in the world with names like CaptchaBot that sell human-backed CAPTCHA-solving services for pennies per hundred solved.  Most of the major spamming tools are integrated with these services so spammers can spend $1.00 US and get 1000 broken CAPTCHAs easily.

There is no way you can fix a visual verification system to weed out only the humans you don't want.
Motoko-chan
Director, Simple Machines

Note: Unless otherwise stated, my posts are not representative of any official position or opinion of Simple Machines.


sheilah

Quote from: 青山 素子 on June 27, 2011, 11:28:38 AM
Quote from: MacGig on June 27, 2011, 09:27:12 AM
As I found out, SMF 1.12, 1.14?, the captcha has been broken a long time and no one has fixed it. Bots bypass it and get on your forums. And SMF still lets people download and install it as is... :(

90% of the bypassing is not because it's being broken in an automated manner. Rather, real humans are solving these things. There are services out in the world with names like CaptchaBot that sell human-backed CAPTCHA-solving services for pennies per hundred solved.  Most of the major spamming tools are integrated with these services so spammers can spend $1.00 US and get 1000 broken CAPTCHAs easily.

There is no way you can fix a visual verification system to weed out only the humans you don't want.
If I understand what you're saying... someone gets paid a dollar to sit in front of a computer and manually read and enter 1,000 captchas? I've got to believe it would take hours of work just to make a dollar? Man, if that is true, well, those people are being paid a tenth of a cent to enter a captcha... hard to believe.

sheilah

Quote from: MacGig on June 27, 2011, 09:27:12 AM
As I found out, SMF 1.12, 1.14?, the captcha has been broken a long time and no one has fixed it. Bots bypass it and get on your forums. And SMF still lets people download and install it as is... :(

Sure there may be mod fixes, if you are able to code and edit many critical files... I tried but it did not work for me.

I don't understand why SMF doesn't fix this important feature... many forums are suffering from spam and bot attacks because of this long-time issue.. I ran a 1.1x forum for years and the bot problems are BIG.

I just upgraded to 2.0 hoping to fix the bot issue... hope I did not waste my time. I recommend not wasting time on 1.1.x versions just because the captcha doesn't work.

I'm no SMF expert, just sharing what my experience has been in the last few years... with 1.1.x...
MacGig,
Thanks for your input. I'm more worried about hackers than spammers. If what you say about the captcha is true and I have to manually do programming, that would be beyond me. But if this is only about spammers, and not hackers, I'm not as worried.

Kindred

Captcha has no effect on hackers.

SMF has no known security issues with either 1.1.14 or 2.0


As for the captcha/spammer issue, there is very little that SMF can do about it, as already explained. There are several mods which use third-party add-ins (and so would not be suitable for distribution with the core product) which are very good at cutting down spamming.

青山 素子

Quote from: sheilah on June 29, 2011, 06:54:53 PM
If I understand what you're saying... someone gets paid a dollar to sit in front of a computer and manually read and enter 1,000 captchas? I've got to believe it would take hours of work just to make a dollar? Man, if that is true, well, those people are being paid a tenth of a cent to enter a captcha... hard to believe.

Yep. Keep in mind that these people are in countries with a fairly lower standard of living. In places like Cambodia, Vietnam, India, and such a US dollar is good pay.

An older article, but still valid: Inside India's CAPTCHA Solving Economy


sheilah

Quote from: 青山 素子 on June 29, 2011, 10:58:34 PM
Quote from: sheilah on June 29, 2011, 06:54:53 PM
If I understand what you're saying... someone gets paid a dollar to sit in front of a computer and manually read and enter 1,000 captchas? I've got to believe it would take hours of work just to make a dollar? Man, if that is true, well, those people are being paid a tenth of a cent to enter a captcha... hard to believe.

Yep. Keep in mind that these people are in countries with a fairly lower standard of living. In places like Cambodia, Vietnam, India, and such a US dollar is good pay.

An older article, but still valid: Inside India's CAPTCHA Solving Economy
wow, that article is an eye-opener. And to think it was written not this year, but in 2008, so this has been going on for at least three years? I had no idea. wow.

sheilah

Just read the article a second time and noticed this at the end:
"The bottom line - is text based CAPTCHA dead? It's definitely in pain thanks to evil marketers recruiting low-waged Indian data processing workers, who according to some of the statistics obtained, earn over ten times more while solving CAPTCHAs, than through their legitimate data processing jobs."
I also noticed a quote that someone could do about 800 captchas an hour. So at $1/1,000 you're making about 80 cents an hour. Does that mean someone doing data entry is making only 8 cents an hour???

青山 素子

Quote from: sheilah on June 30, 2011, 02:31:00 PM
wow, that article is an eye-opener. And to think it was written not this year, but in 2008, so this has been going on for at least three years? I had no idea. wow.

Well, automated solving has been more effective for the majority of sites until recently, so the use of humans for solving hasn't had a large demand in the past. Large services with complex systems like Yahoo!, Google, and Microsoft were originally the primary targets (for their free e-mail accounts) for users of those services. Now, with more competition in that particular sector and much more complex image puzzles, use of humans has become more economical for wide targets.


Quote from: sheilah on June 30, 2011, 02:39:58 PM
Does that mean someone doing data entry is making only 8 cents an hour???

Potentially, yes. The per-capita GDP for India in 2010 was $3,290 US. Per-capita income is only $1000 US. I'll note that there are very huge imbalances within the country, so while tech workers in places like Mumbai get paid very well for India (still cheap compared to US), others are paid very low wages. As data entry is a menial task, not skilled labor, it would get very low pay normally.



As I've said before, spam is an economic issue. That means as long as one can fairly easily profit from it, you'll be battling against it. The only real solution is to make it economically unfeasible to spam. Basically, make it too expensive. Using something that can't be easily automated out-of-context like registration/post questions and your site will be much less attractive to spammers. Sure, you'll get a few still who are actually manually doing all the steps, but it'll be very manageable.
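
The registration-question check the post above recommends, written out as an added example (Python, not SMF's own PHP code and not anything from Simple Machines). Everything in it is assumed for the demo: the question table, the acceptable answers and the salt are constructed inline, and a real forum would load them from its configuration. The points it shows that the post only implies: answers are compared after normalizing case, spacing and punctuation so legitimate humans are not rejected for "Forty two" versus "42"; only salted digests of the answers are stored, so a copied question table does not hand a spammer the answers; the question for each attempt is picked with a CSPRNG; and the comparison is constant-time across all accepted answers.

```python
# Added example (not SMF's own code): a registration-question check of the
# kind described above. Assumed/hypothetical: the question table, the answer
# lists and the salt are all constructed here; a real forum would load them
# from its configuration and keep the salt out of the question table itself.
import hashlib
import hmac
import os
import re
import secrets
import unicodedata
from typing import Dict, List, Optional, Tuple

_NON_ALNUM = re.compile(r"[^a-z0-9]+")


def normalize(answer: str) -> str:
    """Canonical form of an answer: fold accents, lowercase, drop spaces and
    punctuation, so 'Forty-Two!' and 'forty two' compare equal."""
    folded = unicodedata.normalize("NFKD", answer).encode("ascii", "ignore").decode()
    return _NON_ALNUM.sub("", folded.lower())


def hash_answer(answer: str, salt: bytes) -> str:
    """Salted SHA-256 of the normalized answer. Only digests are stored, so a
    leaked question table does not also leak the answers."""
    return hashlib.sha256(salt + normalize(answer).encode("utf-8")).hexdigest()


class QuestionBank:
    def __init__(self, salt: Optional[bytes] = None) -> None:
        self.salt = salt if salt is not None else os.urandom(16)
        self.questions: Dict[str, Tuple[str, List[str]]] = {}

    def add(self, qid: str, text: str, answers: List[str]) -> None:
        """Register a question with one or more acceptable answers."""
        self.questions[qid] = (text, [hash_answer(a, self.salt) for a in answers])

    def pick(self) -> Tuple[str, str]:
        """Choose a question for this registration attempt with a CSPRNG, so a
        script cannot predict which one it will be asked next."""
        qid = secrets.choice(sorted(self.questions))
        return qid, self.questions[qid][0]

    def check(self, qid: str, submitted: str) -> bool:
        """True if the submitted answer matches any stored digest for qid.
        Every candidate is compared with compare_digest and none short-circuits,
        so the response time does not depend on which answer was entered."""
        entry = self.questions.get(qid)
        if entry is None:
            return False
        digest = hash_answer(submitted, self.salt)
        matched = False
        for expected in entry[1]:
            matched |= hmac.compare_digest(digest, expected)
        return matched


if __name__ == "__main__":
    bank = QuestionBank(salt=b"constructed-demo-salt")
    bank.add("life", "The meaning of life is 42. What is the meaning of life?", ["42", "forty-two"])
    bank.add("colour", "What colour is the sky on a clear day?", ["blue"])
    qid, text = bank.pick()
    print(qid, "->", text)
    print(bank.check("life", " Forty Two! "), bank.check("life", "41"))
```

This is the "economic" defence the post describes, not a CAPTCHA: the question is readable by the human solvers discussed earlier in the thread, so it only raises the per-registration cost rather than removing it. Rotating the question set from time to time keeps a once-paid-for answer from being replayed indefinitely.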


xrunner

You can always place the forum on Admin Approval, rather than email activation, if you don't have tons of new users.

I did this for a while. You can't stop all of them but you can catch a few. A lot of my spammers had names like Jenny12 or Robert 55, and the email that they used had the same name in it - like [email protected]. Most non-spammers don't register like that. Just look at the pending registrations and don't approve suspicious accounts.
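
The manual review described above, turned into a first-pass filter as an added example (Python, not SMF's own code and not something the poster wrote). It flags the one pattern the post names, a username of the form Name + digits whose e-mail mailbox name repeats it, and hands the admin a shorter list to look at. The queue of pending registrations, the usernames and the reserved example.com addresses are all constructed for the demo; a real forum would read the pending list from its database.

```python
# Added example (not SMF's own code): a first-pass triage of pending
# registrations using the pattern described above, a username of the form
# Name + digits whose e-mail local part repeats it. Everything here is
# constructed for the demo, including the sample registrations and the
# reserved example.com addresses; a real admin would pull the pending
# list from the forum database and still review the flagged rows by hand.
import re
from typing import List, Tuple

NAME_DIGITS = re.compile(r"^([A-Za-z]+)\s*(\d{1,4})$")


def email_local_part(email: str) -> str:
    """'Jenny.12@example.com' -> 'jenny12' (lowercased, separators dropped)."""
    local = email.rsplit("@", 1)[0].lower()
    return re.sub(r"[._+-]", "", local)


def suspicious(username: str, email: str) -> bool:
    """True if the username is Name+digits and the mailbox name is the same
    string, the 'Jenny12 / jenny12@...' shape seen in spam sign-ups."""
    m = NAME_DIGITS.match(username.strip())
    if not m:
        return False
    stem = (m.group(1) + m.group(2)).lower()
    return email_local_part(email) == stem


def triage(pending: List[Tuple[str, str]]) -> List[str]:
    """Return usernames an admin should look at before approving."""
    return [user for user, email in pending if suspicious(user, email)]


if __name__ == "__main__":
    # Constructed sample of a pending-registration queue.
    queue = [
        ("Jenny12", "jenny12@example.com"),
        ("Robert 55", "robert.55@example.com"),
        ("sheilah", "sheilah.m@example.com"),
        ("MordyT", "mordy@example.net"),
        ("Alex", "alex@example.org"),
    ]
    for name in triage(queue):
        print("review before approving:", name)
```

The output is a review list, not a verdict: a genuine user who happens to pick jenny12 for both fields will be flagged too, which is why the post says to look at the pending registrations rather than auto-reject them.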

MordyT

TBH, what I have found is that questions and answers work the best. Yes, they could still be broken, but....

I started using SMF in v 2.0 RC2. I had SMF captcha set up and running. Got a few spammers a day. Switched over to reCaptcha by Google. Killed them all it seemed, until RC4 came out... Back to a few spammers a week. Added a simple math security question, helped but not perfect. Added several security questions that were a little out of the box, no more spam since...

Questions like: The meaning of life is 42. What is the meaning of life?
Want to see SMF in action? Head over to RvOClan.info

sheilah

Quote from: MordyT on June 30, 2011, 07:20:42 PM
TBH, what I have found is that questions and answers work the best. Yes, they could still be broken, but....

Questions like: The meaning of life is 42. What is the meaning of life?

LOL. I'm tempted to join your forum just so I can have the satisfaction of correctly answering your question. :)

MordyT

LOL. Currently I have it closed due to issues with the update from RC3 to 2.0 Gold... Check it in 3 days, then you can see all the out of the box questions I have...
