
2.0 concerns - by Road Rash

Started by Road Rash Jr., June 29, 2011, 11:31:04 PM


Road Rash Jr.

Quote from: Illori on June 29, 2011, 06:01:52 AM
2.0 is the stable final release of the 2.0 branch, although there may be security releases in the future. The team will be working on the next version of SMF sometime in the future.
Well I hope the security release is not too far in the future because there is a major problem now that needs addressing.
Never argue with an Idiot like myself, they just drag you down to their level then beat you with experience.

mashby

Quote from: Road Rash on June 29, 2011, 11:31:04 PM
Quote from: Illori on June 29, 2011, 06:01:52 AM
2.0 is the stable final release of the 2.0 branch, although there may be security releases in the future. The team will be working on the next version of SMF sometime in the future.
Well I hope the security release is not too far in the future because there is a major problem now that needs addressing.
Mind elaborating on the major problem?
Always be a little kinder than necessary.
- James M. Barrie

Road Rash Jr.

Yeah it's posted in several other areas. Do a search.

Kindred

If there is a problem, please report it to [email protected]

So far, I have seen your intimations and insinuations and no real details or proof that SMF has any security issue.

If there is a security issue, we will address it as soon as someone can identify it...
Glory to Ukraine

Please do not PM, IM or Email me with support questions.  You will get better and faster responses in the support boards.  Thank you.

"Loki is not evil, although he is certainly not a force for good. Loki is... complicated."

Road Rash Jr.

You can ignore my reports if you wish but others have reported the same issues, so it's not just me.

Kindred

I am not ignoring your "reports"

I have just not seen anything other than insinuations. I have seen no details. No facts. No logs. No information other than "I accuse SMF 2.0 of doing something bad".
Give us something to work with.

If there is a problem and we can get ACTUAL data on the issue, we will address it.

Road Rash Jr.

Not insinuations are as you choose to label it to justify your insinuation of its non-existence. Facts were posted, what was installed and the resulting effects, as well as a resolution to the security issue.
So yeah you have ignored what others have said if you still think it's non-existent. Your history would suggest to me if it was handed to you on a silver platter, you would have some rationale for that not being the case so what's the point?

Kindred

I have made no insinuations. I have outright stated that we have not been given any ACTUAL information on any security issue.

I have seen a few "I was hacked" posts, to which you responded, "it was 2.0's fault." Although the first statement may be a fact, the second is not.... At least not without additional information, which has not been forthcoming from anyone. As a matter of FACT, in all these cases, you seem to be the ONLY one making that accusation. Everyone else is just asking "does anyone know what happened?"

As I have said, if ANYONE has ACTUAL information, in the form of logs, possible routes of entry or anything more than "it is SMF 2.0's fault", please send it to [email protected] as soon as humanly possible.

Road Rash Jr.

I can say no more, facts have been posted, evidence presented, by others not just myself. You can either find the problem and fix it, or continue to ignore what others are telling you and not fix it.

Kindred

Since this is a large forum and you claim to know where this evidence is posted, please provide links. Because I searched through your last 200 posts and have not seen a single instance where you provided any "evidence". Nor have I found a thread in which you posted your "claims of insecurity" where such evidence was posted by anyone else.

Regardless of what I think about you, we take our security seriously.

MrGrumpy

RR - if there is a problem with security enlighten us all rather than playing mind games with kindred, if it affects us all then let us know.
the possession of knowledge is worthless unless imparted upon others
My Custom Themes
2.0 themes only - I don't do 1.1.x

Illori

I think rr is upset about the increase in spammers which some forums have seen, and reported on this forum. That is most likely that bots are looking for certain forum versions and trying to spam them; this is not a security issue. These people need to use some type of anti-spam mod and that will help to solve the problem.

c23_Mike

Hi there!

I would say the same, pls provide links here right under the statement, without links such posts are not worth the time reading it.

As I see the team here does wonderful work, but ****** happens, if this is so I think they will fix it rather than keep eyes closed.

And if really the bots are the problem, in the SMF2 there is the option for a custom question, that helps a lot!
So long, Mike

http://www.c23.at
c23 - DER Computer Club
~ never play alone ~

Kindred

This was split from the 2.0 announcement thread since it has no bearing on the actual announcement.
I just reviewed the security reports from our security email box and have not seen a single report of any issues.
Additionally, I found several threads in which RR has posted accusations that 2.0 did this but had provided no information on specifically what happened nor any details on what was done by whom, when (e.g. server logs).
Additionally, additionally, he has posted in 4 different threads which reported 4 different issues and he claims that 2.0 caused all of them -- without any presented evidence.

As I say, we take our security seriously... however, if the community does not SHARE reports (and specifics) with us, then, unless we ourselves are targeted, it may be impossible to discover a flaw (which, as I said, has yet to be proven to exist).

oldrow

Spam bots. TONS of spam bots. I never had this problem before, and now my host provider lunarpages is threatening to close my account because SMF is using like 17% cpu resources when 1.x was using about 2%... we are getting DDOS attacked by these bots and I have installed SEVERAL mods including recaptcha and honeypot to stop them. They can't post anymore but they still register (can't activate) and bombard my server even after they are banned. IP blocking them from cpanel doesn't work because they change IP addresses like crazy.
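
An added example, not part of any post in this thread: one way to turn an Apache combined-format access log into the kind of concrete data asked for above, counting registration requests per address, per /24 and per user agent, since per-IP blocking fails when the addresses rotate. The log lines are constructed, and the `action=register` / `action=register2` URL pattern is an assumption about how the forum's registration requests appear in the log.

```python
import re
from collections import Counter, defaultdict
from ipaddress import ip_network

# Constructed sample traffic (documentation IP ranges), not real log data.
BOT_UA = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
HUMAN_UA = "Mozilla/5.0 (X11; Linux x86_64; rv:5.0) Gecko/20100101 Firefox/5.0"
_ROWS = [
    ("198.51.100.7", "POST", "/index.php?action=register2", BOT_UA),
    ("198.51.100.91", "POST", "/index.php?action=register2", BOT_UA),
    ("203.0.113.14", "POST", "/index.php?action=register2", BOT_UA),
    ("192.0.2.55", "GET", "/index.php?action=register", BOT_UA),
    ("192.0.2.200", "GET", "/index.php?topic=12.0", HUMAN_UA),
    ("203.0.113.77", "GET", "/index.php?action=register", HUMAN_UA),
    ("198.51.100.7", "POST", "/index.php?action=register2", BOT_UA),
]
SAMPLE_LOG = "\n".join(
    f'{ip} - - [30/Jun/2011:10:0{i}:00 +0000] "{m} {p} HTTP/1.1" 200 5120 "-" "{ua}"'
    for i, (ip, m, p, ua) in enumerate(_ROWS))

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'\d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"$')
# Assumed registration URLs; the forum separates query parameters with ';' or '&'.
REGISTER_RE = re.compile(r'[?;&]action=register2?(?:[;&]|$)')

def registration_hits(log_text):
    """Yield (ip, user_agent) for every request to the registration action."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m and REGISTER_RE.search(m.group("path")):
            yield m.group("ip"), m.group("ua")

def summarize(log_text, prefix_len=24):
    """Count registration hits per address, per network prefix and per UA."""
    per_ip, per_net, per_ua = Counter(), Counter(), Counter()
    ips_by_ua = defaultdict(set)
    for ip, ua in registration_hits(log_text):
        try:
            net = str(ip_network(f"{ip}/{prefix_len}", strict=False))
        except ValueError:          # hostname or malformed address in the log
            continue
        per_ip[ip] += 1
        per_net[net] += 1
        per_ua[ua] += 1
        ips_by_ua[ua].add(ip)
    return per_ip, per_net, per_ua, ips_by_ua

def rotating_clients(log_text, min_ips=3):
    """User agents that hit registration from at least min_ips addresses."""
    *_, ips_by_ua = summarize(log_text)
    return {ua: len(ips) for ua, ips in ips_by_ua.items() if len(ips) >= min_ips}
```

On the sample, the per-address counts stay low while one user agent accounts for most registration hits across four addresses, which is the pattern a per-IP ban misses and the sort of detail a report to the developers or the host can include.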

LiroyvH

We have similar issues, we took measures server side rather than SMF side to mitigate the attacks. It's not just SMF forums that are being targeted by (spam)bots unfortunately. phpBB has reported similar issues with extreme bot activity.
((U + C + I)x(10 − S)) / 20xAx1 / (1 − sin(F / 10))
President/CEO of Simple Machines - Server Manager
Please do not PM for support - anything else is usually OK.

Kindred

recaptcha was broken a long time ago, it is as effective (read - not very) as the standard captcha.

Human questions are the best option (standard in 2.0 if you turn them on)

As for DOS, there is very little that SMF can do on the SOFTWARE side to prevent that sort of attack... nor does a DOS attack indicate any sort of security issue.

Since 2.0 has one unique item (the copyright statement is unique to 2.0 final at this point) it could be the target they are using to FIND sites, but again, the DOS has no relation to any proverbial security issues. Then again, spam activity, in general has seen a HUGE surge in the last 3 months.

I will note that my 2.0 sites do not appear to have these problems (at least I have not been notified of any issues), so either the anti-spam mods that I have installed are doing their job or they just haven't found me.

Aleksi "Lex" Kilpinen

Quote from: Kindred on June 30, 2011, 10:10:09 AM
I will note that my 2.0 sites do not appear to have these problems (at least I have not been notified of any issues), so either the anti-spam mods that I have installed are doing their job or they just haven't found me.
Same here. 2.0 Final, upgraded multiple times - always on the same domain, well linked in google and elsewhere - 2M posts, active userbase... Spammers, hackers, harvesters - not much to mention. I do however block access from TOR, and run HttpBL on top of verification questions, but I even have a board where guests are allowed to post, and I can't remember when I last had to delete a post from there... ;)
Slava
Ukraini!


"Before you allow people access to your forum, especially in an administrative position, you must be aware that that person can seriously damage your forum. Therefore, you should only allow people that you trust, implicitly, to have such access." -Douglas

How you can help SMF

Road Rash Jr.

Never argue with an Idiot like myself, they just drag you down to their level then beat you with experience.

Suki

From the same topic:

Quote from: Miss All Sunday on June 20, 2011, 11:20:17 AM

This is not a security report since you posted it on 2.0 support board instead of filing a security report.


I don't know how you set up your previous installs as you don't provide any data or info.... many spam attacks can be controlled by using all the mods/tools available for it, as many other users have done so...


Please fill out a Security report:  http://www.simplemachines.org/about/smf/security.php
Disclaimer: unless otherwise stated, all my posts are personal and do not represent any views or opinions held by Simple Machines.
