IMPORTANT: Community security breach

Started by LiroyvH, July 23, 2013, 12:45:08 PM


NanoSector

Quote from: DragoN_SAMP on July 26, 2013, 12:19:48 PM
Quote from: Yoshi on July 26, 2013, 11:52:53 AM
For one, use full words. "ppl" is not a word, write "people". It's not so damn hard to hit those few extra keys.

Why should I write like you want? Is that stated in the TOS? Maybe you should worry about other *more important* stuff instead, like helping SMF to protect themselves.

It's not what I want, it is what everyone understands. Not everyone understands chatspeak.
Besides, even though I am a staff member, I can't do anything except hope for the best, which is about what everyone can do. It's done, whining about it isn't going to help, neither is deleting your account or anything in that area.
My Mods / Mod Builder - A tool to easily create mods / Blog
"I've heard from a reliable source that the Answer is 42. But, still no word on what the question is."

ARG01

Quote
Maybe that's because they don't have any real bonds with ppl here (friends or wtv) and they see this like it really is: an SMF (admin) fault that compromised many ppl's data. And the password isn't really the only thing affected since they (or he) could have got, for instance, the "secret question" and with it get access to many other websites (since those questions usually are the same or similar).

You have friends here and feel the need to step up for them, it's all good and go ahead with it, but don't forget that any member registered before 20th of July (even if he has 0 posts) has the right to speak since they got affected by this.

Nobody's personal "data" was compromised, only passwords. If one would actually read through this thread before expressing their opinion then they would know that. I never said that you don't have the right to speak. It's very simple (uncomplicated) to just change your password, stop pointing fingers and move on. It can't be that hard to do.
No, I will not offer free downloads to Premium DzinerStudio themes. Please stop asking.

Kindred

well, you should write in standard English, not textspeak because that is the correct language for communication here.

additionally, for people like you who do not use English as a primary language, stupid txtspeak abbreviations don't get translated well.

Also... we basically assume that anyone who continues to use textspeak after being "warned" is just too lazy to bother writing correct language and thus, we are justified in being lazy ourselves and ignoring said user's requests.


As for the complainers.....
They were notified.
We (SMF) accept the blame that this happened and we've worked to make sure that it doesn't happen again.
However, the whiners and moaners don't seem to understand or accept that
a) this was not a vulnerability in the software
b) this same issue happened to dozens of "professional" sites. So while we admit that the admin who re-used a password was wrong, attempting to make it seem like SMF did something earthshatteringly incompetent is rather excessive...
c) Really, if they were not also using the same password between here and other sites, this hack will have very little effect on anyone outside of this forum (and we're fairly certain that the hacker is not interested in coming back here to log into any user's account.) The only exception to that is if the users here have exchanged personal connection information like passwords, etc. in PM. (And, as noted, most of the loud mouth whiners have a low to zero post count, so it's unlikely that they did that - which means that they are, for most intents and purposes, unaffected by the breach.)
Glory to Ukraine

Please do not PM, IM or Email me with support questions.  You will get better and faster responses in the support boards.  Thank you.

"Loki is not evil, although he is certainly not a force for good. Loki is... complicated."

Eudemon

#303
*removed for my own sake*

Kindred

well, that right there is a no-no, for this very reason.

Take this as a wake-up call to use better security protocols for your own sake. :)

Eudemon

#305
:-\ but if I use all different passwords then I'm not gonna be able to remember them
my boss uses an Excel sheet to store all passwords of her accounts, but I feel it's very unsecured

DragoN_PT

Quote from: Yoshi on July 26, 2013, 12:25:49 PM
It's not what I want, it is what everyone understands. Not everyone understands chatspeak.
Besides, even though I am a staff member, I can't do anything except hope for the best, which is about what everyone can do. It's done, whining about it isn't going to help, neither is deleting your account or anything in that area.
I wasn't whining about what happened and I know that now we can't do anything more than change our passwords here and there. It's a pain in the ass but there's nothing we can do more atm..

And I couldn't care less about what admin did fail or what's going to happen with him.. I've just talked about the way ARG spoke about the non active members, that's all.


Quote from: ARG on July 26, 2013, 12:28:19 PM
Nobody's personal "data" was compromised, only passwords. If one would actually read through this thread before expressing their opinion then they would know that. I never said that you don't have the right to speak. It's very simple (uncomplicated) to just change your password, stop pointing fingers and move on. I cant be that hard to do.

I'm not whining about the breach.. I only didn't like the way you spoke about the "not so active" members.

About the "only passwords": if you read CoreISP's opening post you will find:

Quote from: CoreISP on July 23, 2013, 12:45:08 PM
One of the admins' account passwords was discovered, and from there further escalation wasn't too difficult considering admin privileges can do just about anything.

You can say "go read all 15 pages before this one" but if CoreISP stated that in the 1st post and hasn't changed it till now, it's because that still remains the guideline.


Quote from: Kindred on July 26, 2013, 12:34:26 PM
well, you should write in standard English, not textspeak because that is the correct language for communication here.

additionally, for people like you who do not use English as a primary language, stupid txtspeak abbreviations don't get translated well.

Also... we basically assume that anyone who continues to use textspeak after being "warned" is just too lazy to bother writing correct language and thus, we are justified in being lazy ourselves and ignoring said user's requests.

So many things to worry about and you worry about a non-English guy's grammar.. Nice work mate. And afair (can you read this..?) I didn't request anything.

Regards.

青山 素子

Quote from: Eudemon on July 26, 2013, 12:43:03 PM
:-\ but if i use all different passwords then i'm not gonna be able to remember it

Then compromise and use a high/low password set. For stuff that doesn't need very much security and won't harm you if it's hacked, use a shared password among them all. For more important things like e-mail accounts, online banking, etc., use a different password or a unique password for each of those systems.


Quote from: Eudemon on July 26, 2013, 12:43:03 PM
my boss uses excel sheet to store all passwords of her account, but i feel it's very unsecured

KeePass. It stores all your passwords, and you protect it with a keyphrase. It works very well and there are applications that are compatible with it on nearly every platform (KeePassX for OS X and Linux, KeePassDroid for Android, etc.).

Also popular is LastPass.


Quote from: DragoN_SAMP on July 26, 2013, 12:49:59 PM
So many things to worry about and you worry about a non english guy grammar.. Nice work mate. And afair (can you read this..?) i didnt  request anything.

I'm a native English speaker (California, USA) with a BA in Literature and even I am not sure what "afair" is. The only thing I can think is maybe affair, but that makes no sense in context...

Please keep in mind that online, the only thing people have to go by when you communicate is the quality of your writing. Using slang, abbreviations, uncommon initialisms, or other kinds of non-formal writing will make you seem a bit less educated, or at least a little lazy. It's not a very good position to put yourself in if you want to be persuasive. Also, people unfamiliar with the terms will be confused and will either not participate or misunderstand what you are trying to communicate.
Motoko-chan
Director, Simple Machines

Note: Unless otherwise stated, my posts are not representative of any official position or opinion of Simple Machines.


Tuesday

So I have changed my password here. Do I need to change my password on all smf sites I have registered on, even if I do not have the same password there as I do here?

Eudemon

Quote from: Tuesday on July 26, 2013, 01:00:16 PM
So I have changed my password here, do I need to change my password on all smf sites I have registered on even if I do not have the same password here as I do there?

You don't have to change it if you use different passwords on other sites.

青山 素子

Quote from: Tuesday on July 26, 2013, 01:00:16 PM
So I have changed my password here, do I need to change my password on all smf sites I have registered on even if I do not have the same password here as I do there?

No. Only if you shared this password with any other accounts do you need to change your password on those places.

Please note that the concern is not so much other SMF sites, but some people register with the same e-mail address and password on places like PayPal, their bank, or their e-mail provider. Sharing passwords like that is a bad idea because if a compromise happens on any one site, the attackers potentially have access to sensitive accounts.


Eudemon

Quote from: 青山 素子 on July 26, 2013, 12:54:13 PM
KeePass. It stores all your passwords, and you protect it with a keyphrase. It works very well and there are applications that are compatible with it on nearly every platform (KeePassX for OS X and Linux, KeePassDroid for Android, etc.).

Also popular is LastPass.

Thanks, where do they store data? Local machine or in their database?

DragoN_PT

Quote from: 青山 素子 on July 26, 2013, 12:54:13 PM
I'm a native English speaker (California, USA) with a BA in Literature and even I am not sure what "afair" is. The only thing I can think is maybe affair, but that makes no sense in context...

Please keep in mind that online, the only thing people have to go by when you communicate is the quality of your writing. Using slang, abbreviations, uncommon initialisms, or other kinds of non-formal writing will make you seem a bit less educated, or at least a little lazy. It's not a very good position to put yourself in if you want to be persuasive. Also, people unfamiliar with the terms will be confused and will either not participate or misunderstand what you are trying to communicate.

afair = as far as I remember/recall

As for the rest there isn't much more to say. If I break any TOS rule just warn me.

Quote from: 青山 素子 on July 26, 2013, 01:03:21 PM
No. Only if you shared this password with any other accounts do you need to change your password on those places.

Please note that the concern is not so much other SMF sites, but some people register with the same e-mail address and password on places like PayPal, their bank, or their e-mail provider. Sharing passwords like that is a bad idea because if a compromise happens on any one site, the attackers potentially have access to sensitive accounts.

Can you guys tell for sure that only passwords and emails got stolen? Not any other data?

LiroyvH

Quote from: Eudemon on July 26, 2013, 01:03:42 PM
thanks, where do they store data? local machine or in their database

Local machine :)
((U + C + I)x(10 − S)) / 20xAx1 / (1 − sin(F / 10))
President/CEO of Simple Machines - Server Manager
Please do not PM for support - anything else is usually OK.

Eudemon

Quote from: CoreISP on July 26, 2013, 01:09:16 PM
Quote from: Eudemon on July 26, 2013, 01:03:42 PM
Thanks, where do they store data? Local machine or in their database?

Local machine :)

Yeah, just browsed around and figured it out; that means I have to carry the files if I'm not using the same PC,
and in the future when they update the way of encrypting files, I then have to update every single file here and there, which is a bit of trouble.

Peregrinus

Hopefully none of the poor noobs use the same password as their machine, because I assume the hacker will have IPs of posts as well?

青山 素子

Quote from: Eudemon on July 26, 2013, 01:03:42 PM
Thanks, where do they store data? Local machine or in their database?

KeePass is entirely offline. If you want to access from multiple locations, you'll need to configure a way to sync the master password file. I use an Android phone and just use Dropbox + Dropsync to mirror my KeePass database across my machines and my phone.

LastPass stores the password file on the LastPass servers, I believe. This allows it to work on multiple devices without any effort on the user's end. There are ways to use LastPass as an "offline only" system.

Both systems encrypt the password file using the passphrase you create. I believe both use AES128 as the encryption type, so it's pretty strong at the present moment.
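The two points Motoko-chan makes above (after a breach, only the accounts that share the leaked password need rotating; a password manager file is protected by a key derived from its passphrase, so the file alone is useless to whoever obtains it) as an added Python example. This is not KeePass or LastPass code and does not reproduce their file formats: it uses only the standard library, so the cipher is an HMAC-SHA256 keystream standing in for the AES those products use, while the structure (PBKDF2 stretching, encrypt-then-MAC, wrong passphrase detected before anything is decrypted) is what the example is meant to show. The site names and passwords in SAMPLE_VAULT are constructed.

```python
"""Toy passphrase-protected password vault plus a password-reuse audit.

Added example, not KeePass/LastPass code. Standard library only: the
keystream is HMAC-SHA256 in counter mode as a stand-in for AES; the key
derivation and integrity check are the parts being demonstrated.
"""
import hashlib
import hmac
import json
import os

PBKDF2_ITERATIONS = 200_000  # makes offline guessing of the passphrase slow

# Constructed sample vault: three accounts share one password, one is unique.
SAMPLE_VAULT = {
    "simplemachines.org": "forum-pass-2013",
    "example-forum.test": "forum-pass-2013",
    "webmail.example": "forum-pass-2013",
    "bank.example": "unique-long-passphrase-9f2a",
}


def derive_keys(passphrase: str, salt: bytes) -> tuple[bytes, bytes]:
    """Stretch the passphrase into an encryption key and a separate MAC key."""
    material = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt,
                                   PBKDF2_ITERATIONS, dklen=64)
    return material[:32], material[32:]


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode (stand-in for AES in this example)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), "sha256").digest()
        counter += 1
    return bytes(out[:length])


def seal_vault(entries: dict, passphrase: str) -> bytes:
    """Encrypt-then-MAC the vault; layout is salt | nonce | ciphertext | tag."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = derive_keys(passphrase, salt)
    plaintext = json.dumps(entries).encode()
    stream = _keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, stream))
    tag = hmac.new(mac_key, salt + nonce + ciphertext, "sha256").digest()
    return salt + nonce + ciphertext + tag


def open_vault(blob: bytes, passphrase: str) -> dict:
    """Verify the tag first; a wrong passphrase yields a wrong MAC key and fails here."""
    salt, nonce, ciphertext, tag = blob[:16], blob[16:32], blob[32:-32], blob[-32:]
    enc_key, mac_key = derive_keys(passphrase, salt)
    expected = hmac.new(mac_key, salt + nonce + ciphertext, "sha256").digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong passphrase or corrupted vault file")
    stream = _keystream(enc_key, nonce, len(ciphertext))
    return json.loads(bytes(c ^ k for c, k in zip(ciphertext, stream)))


def accounts_to_rotate(entries: dict, breached_site: str) -> list[str]:
    """Other sites whose stored password equals the breached site's password."""
    leaked = entries[breached_site]
    return sorted(site for site, pw in entries.items()
                  if site != breached_site and pw == leaked)


if __name__ == "__main__":
    blob = seal_vault(SAMPLE_VAULT, "correct horse battery staple")
    print("vault bytes on disk:", len(blob))
    try:
        open_vault(blob, "wrong passphrase")
    except ValueError as err:
        print("wrong passphrase:", err)
    vault = open_vault(blob, "correct horse battery staple")
    print("also change:", accounts_to_rotate(vault, "simplemachines.org"))
```

Because the tag is checked before decryption and the MAC key comes from the same PBKDF2 output as the encryption key, a wrong passphrase is reported as an integrity failure rather than producing garbage entries; the audit then answers the "do I need to change it elsewhere?" question from the decrypted vault instead of from memory.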


LiroyvH

Quote
Yeah, just browsed around and figured it out; that means I have to carry the files if I'm not using the same PC,
and in the future when they update the way of encrypting files, I then have to update every single file here and there, which is a bit of trouble.

There is a mobile version for Android. :) Not sure if there's one for iOS.


Quote from: Peregrinus on July 26, 2013, 01:11:01 PM
Hopefully none of the poor noobs use the same password as their machine, because I assume the hacker will have IPs of posts as well?

That's a bit harder.
Most people these days get a modem/router combo that is a firewall by itself. If not, they do have a firewall on their machine.
Next to that the hacker must know the username to use on the local machine.

The risk on that possibly happening is extremely low.

Eudemon

Quote from: 青山 素子 on July 26, 2013, 01:15:13 PM
Quote from: Eudemon on July 26, 2013, 01:03:42 PM
Thanks, where do they store data? Local machine or in their database?

KeePass is entirely offline. If you want to access from multiple locations, you'll need to configure a way to sync the master password file. I use an Android phone and just use Dropbox + Dropsync to mirror my KeePass database across my machines and my phone.

OK, thanks for the tip, will dig around later.

FrizzleFried

Dragon: As the guy who sort of started the whole "low post users" fork of discussion... if you read back... and keep things in context... I clearly said "single digit" posters.

You're a "two digit" poster.  Your righteous indignation is unfounded.

PS: Textspeak only makes people look ignorant when used on a forum/board... that said, there have been plenty of other things you've said that do the same... so carry on... it makes no difference at this point.
