IMPORTANT: Community security breach

Started by LiroyvH, July 23, 2013, 12:45:08 PM


Tony Reid

And your member 325360 - the email server hasn't got that far yet.
Tony Reid

Deaks

Frizzle, it was identified to us late on the 22nd; for some of us it was already the 23rd. We wanted to get as much information as possible before we posted, and even now we are still finding new information.
~~~~
Former SMF Project Manager
Former SMF Customizer

"For as long as a hundred of us remain alive, in no way will we submit to the English to rule over us. In truth it is not for glory, nor wealth, nor honours that we fight, but for freedom alone, which no honest man gives up but with life itself."

Kindred

Let's be clear here... it is critical to get this information out in a timely manner - we all agree on that.
It is just as critical, however, to distribute the CORRECT information on what happened and what is at risk, and to avoid the panic that incomplete information might cause.

So, yes, we took a few hours to examine the logs, to figure out what happened, to confirm that the breach was NOT a flaw in the SMF software and to get a handle on what we expect was the hacker's priority information to acquire.
Glory to Ukraine

Please do not PM, IM or Email me with support questions.  You will get better and faster responses in the support boards.  Thank you.

"Loki is not evil, although he is certainly not a force for good. Loki is... complicated."

Simple Site Designs

Quote
That raises my curiosity, did you not get our email?
We did send out a notification, so please let me know if you received it. It's very important people receive it.

I expect this comment from page 2 is why we thought the emails had already been sent. I now understand they are still sending.

vbgamer45

Hmm, the other issue I see: what if they unsubscribed from announcements? Then they won't get the announcement, or they may be using a different system than the SMF mail system.
Community Suite for SMF - Take your forum to the next level built for SMF, Gallery,Store,Classifieds,Downloads,more!

SMFHacks.com -  Paid Modifications for SMF

Mods:
EzPortal - Portal System for SMF
SMF Gallery Pro
SMF Store SMF Classifieds Ad Seller Pro

FrizzleFried

Quote from: Kindred on July 23, 2013, 03:17:06 PM
Let's be clear here... it is critical to get this information out in a timely manner - we all agree on that.
It is just as critical, however, to distribute the CORRECT information on what happened and what is at risk, and to avoid the panic that incomplete information might cause.

So, yes, we took a few hours to examine the logs, to figure out what happened, to confirm that the breach was NOT a flaw in the SMF software and to get a handle on what we expect was the hacker's priority information to acquire.

Being that I was informed of this issue YESTERDAY at approximately 8:30PM (that would be approximately 16+ hours ago) via PM EMAIL [edit-sorry] ... I am at a loss as to why you waited so long.  This is serious business.  I am saddened that it took so long for the official announcement and I am EXTREMELY GRATIFIED that my source informed me in a timely manner.

16 hours is a long time.

EDIT: I also take issue with the usage of the words "FEW HOURS".  FEW indicates a small number.   16... is not a "FEW".

Sorry... I'm a little angry/disappointed right now.

Kindred

Hey SimpleSiteDesigns... assume that the emails were started at the time the first post was made and then work forward :)
Even at several/10 thousand emails an hour, this will take a while for those newer members.

Frizzle - get off your high horse.
I explained why.
Just because you took someone at their word with no actual details or information does not mean that we would make a worldwide announcement based on the same lack of actual detail.

Tony Reid

Quote from: FrizzleFried on July 23, 2013, 03:22:23 PM
Quote from: Kindred on July 23, 2013, 03:17:06 PM
Let's be clear here... it is critical to get this information out in a timely manner - we all agree on that.
It is just as critical, however, to distribute the CORRECT information on what happened and what is at risk, and to avoid the panic that incomplete information might cause.

So, yes, we took a few hours to examine the logs, to figure out what happened, to confirm that the breach was NOT a flaw in the SMF software and to get a handle on what we expect was the hacker's priority information to acquire.

Being that I was informed of this issue YESTERDAY at approximately 8:30PM (that would be approximately 16+ hours ago) via PM EMAIL [edit-sorry] ... I am at a loss as to why you waited so long.  This is serious business.  I am saddened that it took so long for the official announcement and I am EXTREMELY GRATIFIED that my source informed me in a timely manner.

16 hours is a long time.

EDIT: I also take issue with the usage of the words "FEW HOURS".  FEW indicates a small number.   16... is not a "FEW".

Sorry... I'm a little angry/disappointed right now.


16 hours is very fast.

Google's own advice is to advise users within 7 days...
http://googleonlinesecurity.blogspot.co.uk/2013/05/disclosure-timeline-for-vulnerabilities.html


kat

I'd like to emphasise something, if I may...

Change your password on your own site if a member here has been helping you with your site and that involved you giving them log-in details to your site.

If these tossers HAVE got the entire database, they could possibly pull that information from the PMs.


Kindred

I believe that has been mentioned a few times, K@-like-one :P

kat


LiroyvH

Quote from: vbgamer45 on July 23, 2013, 03:22:03 PM
Hmm, the other issue I see: what if they unsubscribed from announcements? Then they won't get the announcement, or they may be using a different system than the SMF mail system.

True, but overriding that is considered to be spam, unfortunately.
We do our best to inform everyone, but for those who chose not to be informed, all we can do is pray they read it here or on Facebook, or hear it through someone else.
((U + C + I)x(10 − S)) / 20xAx1 / (1 − sin(F / 10))
President/CEO of Simple Machines - Server Manager
Please do not PM for support - anything else is usually OK.

Tony Reid

The admin panel news feed doesn't appear to update with this news? Might be worth pushing it there and also via the Twitter account.

vbgamer45

This would not be considered spam; this is an important announcement which could lead to them losing their account, or worse, not knowing their password is out there. I would mail those users; they should know what is going on.

danny12345

Quote from: FrizzleFried on July 23, 2013, 03:08:50 PM
I think my only question would be that if you detected this "issue" YESTERDAY... why did it take until TODAY to report it?
lol you're not a very smart man, are you

Owdy

I don't get topic notifications from here. Also, I'm user 272, and I haven't got any announcement.

Edit: I saw this on Facebook.
Former Lead Support Specialist

Do you need help with your SMF forum? I take on work assignments, read: http://www.simplemachines.org/community/index.php?topic=375918.0

FrizzleFried

Quote from: danny12345 on July 23, 2013, 03:35:03 PM
Quote from: FrizzleFried on July 23, 2013, 03:08:50 PM
I think my only question would be that if you detected this "issue" YESTERDAY... why did it take until TODAY to report it?
lol you're not a very smart man, are you

How do you know I am even a man... troll?


kat

Let's stop the bickering and keep on-topic, please.

Simple Site Designs

Quote from: CoreISP on July 23, 2013, 03:30:58 PM
True, but overriding that is considered to be spam, unfortunately.
We do our best to inform everyone, but for those who chose not to be informed, all we can do is pray they read it here or on Facebook, or hear it through someone else.

I would have thought this goes beyond a general announcement. Many EULAs include an exclusion for breach alerts, and any user who considers being emailed about this to be spam has their head in the sand.

wynnyelle

...You guys knew about this hours before you chose to tell me? I could have changed everything password-wise long before this, then?

All you had to do was let me know there might have been a security issue and to change my passes. I would've just gone and done it, it would've been that easy.
