Avast Forum Hack - Results of Analysis

Started by Kindred, June 05, 2014, 07:43:06 PM


Scripty

This was actually interesting and well explained.

Arantor

Yup, Kindred did a good job of nailing the important details.
No good deed goes unpunished / All helpful urges should be circumvented

I have something to say: it's better to burn out than to fade away. There can be only one.

firemun

Good statement issued, Kindred! I'm Team SMF all the way!

AtzeX

Quote
If you run a forum, lock your file permissions down.
Good point.
Is there a tutorial anywhere for doing this?
Would appreciate it.

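The quoted advice is not expanded on anywhere in the thread, so here is an added example of what "lock your file permissions down" means in practice for a PHP forum install. It is not code from this thread, from Avast or from the SMF project, and everything in it is an assumption: the web root path, that the forum files are owned by a deploy user and the web server runs as a different user in that user's group, and that `attachments` and `cache` are the only directories the application must write to (check your own install before using that list). The script audits a tree for the three things an attacker with a foothold wants (world-writable paths, group-writable paths outside the allow-list, and PHP files sitting in a writable directory), then sets a baseline of 0755/0644 with group write only inside the allow-list.

```shell
#!/bin/sh
# Added example, not from the thread or from SMF. Assumptions (hypothetical):
#  - files are owned by a deploy user; the web server runs as another user
#    that is a member of the files' group, so "group write" = "web server may write";
#  - WRITABLE lists the only directories the application must write to,
#    relative to the web root (attachments/cache are a guess for a typical forum).
set -eu

# Directories the application legitimately writes to (assumed; adjust per install).
WRITABLE="attachments cache"

# Build an ERE matching every path under an allow-listed directory.
allowed_pattern() {
    root="$1"; pat=""
    for d in $WRITABLE; do
        pat="$pat|^$root/$d(/|\$)"
    done
    printf '%s' "${pat#|}"
}

# Print the number of violations: world-writable paths, group-writable paths
# outside the allow-list, and PHP files inside writable directories (a script
# dropped into a writable, web-served directory is the classic web shell).
audit_permissions() {
    root="$1"
    pat=$(allowed_pattern "$root")
    world=$(find "$root" -perm -0002 | wc -l)
    group=$(find "$root" -perm -0020 | grep -Ev "$pat" | wc -l)
    php=0
    for d in $WRITABLE; do
        [ -d "$root/$d" ] || continue
        php=$((php + $(find "$root/$d" -type f -name '*.php' | wc -l)))
    done
    echo $((world + group + php))
}

# Apply the baseline: the web server can read code but never modify it,
# and may write only inside the allow-listed directories (via the group bit).
lockdown_permissions() {
    root="$1"
    find "$root" -type d -exec chmod 0755 {} +
    find "$root" -type f -exec chmod 0644 {} +
    for d in $WRITABLE; do
        [ -d "$root/$d" ] || continue
        find "$root/$d" -type d -exec chmod 0775 {} +
        find "$root/$d" -type f -exec chmod 0664 {} +
    done
}

# Usage: sh lockdown.sh /path/to/forum   (audit, lock down, audit again)
if [ -n "${1:-}" ]; then
    echo "violations before: $(audit_permissions "$1")"
    lockdown_permissions "$1"
    echo "violations after:  $(audit_permissions "$1")"
fi
```

Run the audit before and after the lockdown. The one class of finding the lockdown deliberately does not "fix" is a PHP file inside an upload or cache directory: tightening its mode does not stop the web server executing it, so the right response is to remove it and to deny script execution in those directories in the web server configuration, which is outside what file permissions alone can do.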

firemun

Quote from: K@ on June 10, 2014, 05:42:10 AM
Quote from: firemun on June 08, 2014, 11:49:07 PM
I'm Team SMF all the way!

Really, Shawn?

Golly. ;)

Yeah, really :) Avast was just looking for a scapegoat from what I can tell. It would be embarrassing for a security company to admit to having horrible security practices. So they turned it on SMF without really considering their own fault in it all. I am with y'all on this one :)

Ninja ZX-10RR

Quote from: firemun on June 11, 2014, 01:33:50 AM
Quote from: K@ on June 10, 2014, 05:42:10 AM
Quote from: firemun on June 08, 2014, 11:49:07 PM
I'm Team SMF all the way!

Really, Shawn?

Golly. ;)

Yeah, really :) Avast was just looking for a scapegoat from what I can tell. It would be embarrassing for a security company to admit to having horrible security practices. So they turned it on SMF without really considering their own fault in it all. I am with y'all on this one :)
I believe everyone here thinks the same ;) probably they made a pretty good anti-virus (even if it detects way too many false positives) but they proved they suck hard with their own security...
Quote from: BeastMode topic=525177.msg3720020#msg3720020
It's so powerful that on this post and even in the two PMs you sent me,you still answered my question very quickly and you're apologizing for the delay. You're the #1 support I've probably ever encountered man, so much respect for that. Thank you, and get better soon.

I'll keep this in my siggy for a while just to remind me that someone appreciated what I did while others didn't.

♥ Jess ♥

STOP EDITING MY PROFILE

Antechinus

Yeah well no point rubbing it in. Everyone gets hacked sooner or later.
Sources code: making easy front end changes difficult since 1873 :P

Mods & Themes | Revamped theme for this site | Dark theme for this site | GitHub for n00bz

Ninja ZX-10RR

Quote from: Antechinus on June 11, 2014, 03:24:07 AM
Yeah well no point rubbing it in. Everyone gets hacked sooner or later.
Well if you build up a system with no security flaws you can't get hacked through the system itself :) the only way that such a thing can happen is that another site gets hacked and an admin uses the same password on multiple websites; exactly the same thing happened here, but that was human fault, not the system's ;)

青山 素子

Quote from: Flavio93Zena on June 11, 2014, 03:32:49 AM
Well if you build up a system with no security flaws you can't get hacked through the system itself :)

There is no such thing as a system with no security flaws. The best you're going to get is software that can be mathematically proven to match your requirements, but that only holds up if the assumptions underlying the proof are correct. It's also really expensive and doesn't scale well with complexity.

Securing a system is a practice in balancing accessibility and ease of use with prevention of malicious use. The most secure system is one encased in concrete and dumped in a trench in the ocean, but it's not usable.

It's sad that Avast disengaged in the investigation process after the SM investigators found some problems that didn't point to SMF itself.
Motoko-chan
Director, Simple Machines

Note: Unless otherwise stated, my posts are not representative of any official position or opinion of Simple Machines.


kat

We have about as much chance of them fessing up as the British government have of fessing up that they're idiots. ;)

If I was the boss at Avast, I'd've fessed up, particularly if it'd been the "fault" that it seems to be.

"See? No matter how good your security is, human-error is something that even we can't secure against. Watch yourself". :)

Ninja ZX-10RR

Quote from: 青山 素子 on June 11, 2014, 01:12:44 PM
Quote from: Flavio93Zena on June 11, 2014, 03:32:49 AM
Well if you build up a system with no security flaws you can't get hacked through the system itself :)

There is no such thing as a system with no security flaws.
Well I was saying that because SMF 2.0.7 has no (known) security issues ;)

Arantor

Remember they said they were going to go to a new forum software, one that's more secure than SMF?

Their forum is again open - https://forum.avast.com/ - oh look... ;D

Dragooon

I swear I've seen that forum software before.

Lou69

 ;)  Well, it does look familiar. Something about the blue and orange colors?

Anyway, glad they are back online and using SMF. So far the mods/admins/CSR are being helpful to their membership and not trashing SMF. A couple of members did express a bit of angst about SMF but that will always be the case. Every software package has those that do not like it for one reason or the other.

https://forum.avast.com/index.php?topic=150636.0

Arantor

Oh there are several people in that thread trashing SMF and I wouldn't entirely disagree - the methods used to get in were certainly not helped by what could be done once inside, but all of the salient points stand: it's not ultimately SMF's fault.

SaltedWeb


I have a dozen SMF forums, and one XenForo; the XenForo gets more spam and security issues.
I've been using the internet since before BBSes were used. I was a security adviser for a well known email program. Now this was old school, but what I can say is that 9 out of 10 times or more when there was a security issue (and this has not changed) it was because a user did something, not the software. It's like people that download torrents and then ****** they get hacked. Not bashing XenForo, but I find it to allow a lot of spam through. I get none on my SMF forums. I have no doubt that SMF is not a security risk; I find it suspect, perhaps this story was planted, infiltrated or plain made up and there may be a more hidden agenda. It's not like someone wouldn't make this up, and whom else to go after than the best bar-none free forum on the web. Most paid versions never come close.
That's because SMF is built with passion, not dollar signs. And it reflects its users, most of whom are the same way: making money is great, but enjoying what you do is the base for SMF and her community.

Knowing your limitations makes you human, exceeding these limitations makes you worthy of being human.

Arantor

Quote
I have a dozen smf forums, and one xenforo, the xenforo gets more spam and security issues.

Spam is not a security issue, nor has XenForo ever had any known security issues.

* ‽ is a licence holder btw

Quote
Most paid version never come close.

On the contrary, I consider XenForo a superior platform in a number of respects, even as much as I like SMF.

青山 素子

SMF is an awesome product, and we're (everyone involved in some way) rightly proud of our security record. That's why we were so hurt when the rumors started about there being an issue. We're still very open to anyone who wants to approach us because of a security issue they found.

Quote from: ‽ on June 14, 2014, 12:49:21 PM
On the contrary, I consider XenForo a superior platform in a number of respects, even as much as I like SMF.

That's not a bad thing, either. XF is maintained by a dedicated paid team, which means it gets solid focus with smaller resources. Open source projects only work that way when you have a large team working on spare time, or a lot of people who are extremely dedicated and active.

Also, competition is good. It's what keeps things getting better. For some time, SMF was perhaps the strongest forum solution free or paid (outside niche cases). That led to some serious lack of effort to improve. Combine that with developer burn-out for various reasons causing slow development, and SMF now has some very strong competition that the team let get ahead. It can be hoped that now the team will be hungry for success and to re-live the moments of being the best. I can only hope that the team can come together to plan an even better future and deliver on it. I know I'll be doing my small part to support them.


a10

Quote
SMF is an awesome product, and we're (everyone involved in some way) rightly proud of our security record -/-

^^^ good post.
2.0.19, php 7.4.26, MariaDB 10.3.32. Mods: Contact Page, Like Posts, Responsive Curve, Search Focus Dropdown, Add Join Date to Post.
