
Hackz0rs?

Älphämönkëy Registered User regular
Yeah.
The paranoid among you will probably change your password as there is an (albeit small) chance they could have read your password hash, so they could take that hash and try and break it.

Sorry about the downtime, it's all good now.

I'm going to be afk for a few days, the mods know who to contact if things go bad. If you have anything to note, post it here and I'll respond to it as time allows.

Oh and a big thanks to the mods for testing everything. You guys really do have an awesome set of mods, as they adapted very quickly and helped me out a ton.

-Alpha

For nostalgia, here is the downtime page.
Sorry about the delay guys.
Rumor going around is that I was killed by ninja zombie dogs or something. The truth is we got bit by a hole in phpBB that was not patched. I've been spending the weekend looking over our code and patching things. I've also been taking a look at exactly how much access the hacker was able to get.
Some crafty users figured out I was hiding the forums in a different directory, to Kevin Crist and Kayne Red Robe you guys get some serious props.
Right now I think I repaired everything. The permissions all check out and everything works for the most part. The mods have a password to login to the forums and stress test things. If they think it works ok, then I'll open it all up.
(Mods, if you forgot the password, I hate you and it is the one we use to get into the reports)
I'm going to be driving back down to school Tuesday at 6am so you guys basically are going to get your forums back Monday. Again, sorry about the delays, shit happens and phpBB isn't written well.

Ah, to answer questions. This isn't related to the gay porn incident. That was solved pretty easily, that was photobucket admins giving away a moderator's password that he used for both photobucket and the forums. I yelled at photobucket, but they don't seem to care. I honestly don't think this is connected to any previous attacks, it is quite possible a bot just ran through the list of large phpBB boards and tried a bunch of exploits on them (all available on bugtraq or full disclosure), we just happened to have two things unpatched.

-Alpha
alphamonkey [at] penny [dash] arcade [dot] com


For the programmers out there, Alpha says, "Always remember to type-cast your variables!"

Älphämönkëy on

Posts

    Henroid Mexican kicked from Immigration Thread Centrism is Racism :3 Registered User regular
    edited August 2005
    Thanks for workin' on all this alpha. I think it goes without saying that we all <3 you.

    Henroid on
    Target Practice Registered User regular
    edited August 2005
    HOORAY FOR ALPHA

    ...AND SUCH

    Target Practice on
    bombardier Moderator mod
    edited August 2005
    alf.jpg

    bombardier on
    Dog Registered User, Administrator, Vanilla Staff admin
    edited August 2005
    It's aboot freakin' time, eh!

    ;)

    Unknown User on
    kitch Registered User regular
    edited August 2005
    'Tomorrow' is such a horrible word :(

    It's like putting up a sign in a coffee shop that says, "free coffee tomorrow" and never taking it down.


    Thanks!

    kitch on
    BahamutZERO Registered User regular
    edited August 2005
    Thanks a lot Alpha! I made you a hat for your hard work:
    alphaelectrohelmet.jpg

    BahamutZERO on
    VisibleDucts Registered User regular
    edited August 2005
    Alpha is my hero.

    VisibleDucts on
    aquabat Registered User regular
    edited August 2005
    I hereby dedicate the seventh son of my seventh son to alpha

    aquabat on
    Thanatos Registered User regular
    edited August 2005
    Dearest Alpha,

    I, and all the people I IM when I'm going through Forum Withdrawal thank you greatly.

    Thanatos on
    Deusfaux Registered User regular
    edited August 2005
    can you explain the photobucket thing better?

    I am kinda concerned as it seems you said one of the admins for that site, gave out (one of our) mod's passwords for his photobucket account, which also happened to be his pass for here?

    how can a site like photobucket do something like that? it seems like a major violation of policy

    Deusfaux on
    Kevar regular
    edited August 2005
    kitch wrote:
    'Tomorrow' is such a horrible word :(

    It's like putting up a sign in a coffee shop that says, "free coffee tomorrow" and never taking it down.


    Thanks!
    It's technically ok, since he spelled it as tommorow.

    Kevar on
    [Deleted User] regular
    edited August 2005
    The user and all related content has been deleted.

    [Deleted User] on
    TDL ClubPA, __BANNED USERS regular
    edited August 2005
    Deusfaux wrote:
    can you explain the photobucket thing better?

    I am kinda concerned as it seems you said one of the admins for that site, gave out (one of our) mod's passwords for his photobucket account, which also happened to be his pass for here?

    how can a site like photobucket do something like that? it seems like a major violation of policy

    Yeah, like people never do anything wrong, ever. :roll:

    TDL on
    Meet me on my vast veranda
    My sweet, untouched Miranda
    And while the seagulls are crying
    We fall but our souls are flying
    Deusfaux Registered User regular
    edited August 2005
    TDL wrote:
    Deusfaux wrote:
    can you explain the photobucket thing better?

    I am kinda concerned as it seems you said one of the admins for that site, gave out (one of our) mod's passwords for his photobucket account, which also happened to be his pass for here?

    how can a site like photobucket do something like that? it seems like a major violation of policy

    Yeah, like people never do anything wrong, ever. :roll:

    I've not heard of something like this, ever. No need to patronize.

    Also a concern because I thought passwords were always encrypted and couldn't be accessed like that. Now I'm just sorta worried about various sites I've set up accounts for.

    Deusfaux on
    TDL ClubPA, __BANNED USERS regular
    edited August 2005
    Deusfaux wrote:
    TDL wrote:
    Deusfaux wrote:
    can you explain the photobucket thing better?

    I am kinda concerned as it seems you said one of the admins for that site, gave out (one of our) mod's passwords for his photobucket account, which also happened to be his pass for here?

    how can a site like photobucket do something like that? it seems like a major violation of policy

    Yeah, like people never do anything wrong, ever. :roll:

    I've not heard of something like this, ever. No need to patronize.

    Also a concern because I thought passwords were always encrypted and couldn't be accessed like that. Now I'm just sorta worried about various sites I've set up accounts for.

    I imagine that the passwords are encrypted, but I seriously doubt phpBB's encryption is anything even resembling unbreakable.

    TDL on
    Meet me on my vast veranda
    My sweet, untouched Miranda
    And while the seagulls are crying
    We fall but our souls are flying
    Moriveth BREAKDOWN BREAKDOWN BREAKDOWN BREAKDOWN Registered User regular
    edited August 2005
    Alpha, if I ever meet you I'm going to give you Ultimate Cuddles.

    Moriveth on
    Kevar regular
    edited August 2005
    But yeah :^: Alpha is a super monkey.

    Kevar on
    autono-wally, erotibot300 love machine Registered User regular
    edited August 2005
    hm, luckily I use different alphanumeric passwords for everything which don't happen to be real words, besides PA. (Which means that I don't use my PA password anywhere else)

    Just changed it to a nice senseless combination of characters. Now to store that password list at a safe place..

    autono-wally, erotibot300 on
    Dog Registered User, Administrator, Vanilla Staff admin
    edited August 2005
    TDL wrote:
    Deusfaux wrote:
    TDL wrote:
    Deusfaux wrote:
    can you explain the photobucket thing better?

    I am kinda concerned as it seems you said one of the admins for that site, gave out (one of our) mod's passwords for his photobucket account, which also happened to be his pass for here?

    how can a site like photobucket do something like that? it seems like a major violation of policy

    Yeah, like people never do anything wrong, ever. :roll:

    I've not heard of something like this, ever. No need to patronize.

    Also a concern because I thought passwords were always encrypted and couldn't be accessed like that. Now I'm just sorta worried about various sites I've set up accounts for.

    I imagine that the passwords are encrypted, but I seriously doubt phpBB's encryption is anything even resembling unbreakable.

    phpBB uses md5 encryption for storing passwords. It is difficult to crack, but far from uncrackable, especially with huge databases of md5 hashes out there.

    Unknown User on
    Lews_Therin Registered User regular
    edited August 2005
    TDL wrote:
    Deusfaux wrote:
    TDL wrote:
    Deusfaux wrote:
    can you explain the photobucket thing better?

    I am kinda concerned as it seems you said one of the admins for that site, gave out (one of our) mod's passwords for his photobucket account, which also happened to be his pass for here?

    how can a site like photobucket do something like that? it seems like a major violation of policy

    Yeah, like people never do anything wrong, ever. :roll:

    I've not heard of something like this, ever. No need to patronize.

    Also a concern because I thought passwords were always encrypted and couldn't be accessed like that. Now I'm just sorta worried about various sites I've set up accounts for.

    I imagine that the passwords are encrypted, but I seriously doubt phpBB's encryption is anything even resembling unbreakable.

    I think Deusfaux is more concerned about the Photobucket side, since it would seem the PB admins have access to their users' passwords.

    Lews_Therin on
    Älphämönkëy Registered User regular
    edited August 2005
    First let me say thank you to you guys who put little :^: and stuff in here. It means a lot to me that you guys appreciate the code work, even if you don't always know what it is.
    Deusfaux wrote:
    can you explain the photobucket thing better?

    I am kinda concerned as it seems you said one of the admins for that site, gave out (one of our) mod's passwords for his photobucket account, which also happened to be his pass for here?

    how can a site like photobucket do something like that? it seems like a major violation of policy
    Yeah sure.
    A user made an email address like (it wasn't my account, I don't use photobucket)
    alphamonkey@mail.com
    and wrote to them saying
    Hey, I made this account a long time ago back when I had AOL. I have now since switched, and I cleaned out my computer by reformatting but now the saved password is gone and I can't remember it. Could you email it to me? Thanks!
    -Alphamonkey
    Photobucket replied
    Your password is : <blah>

    I can see how it happens. Kind of. The goal there is to help out users, and 99% of the time the user is not malicious in their intent. However to protect against that 1% things like security questions and answers are used. Barring that, in that situation the proper solution is to either tell the user sorry, or change the email address associated with the account and then let them run through the password reset wizard.

    As Senor mentioned phpBB uses MD5 hashing*, while I have thought about moving to SHA1 (a better way of "hashing" passwords) I decided that it really wasn't worth it. A better protection would be to "pad" the hash with a secret key, so MD5(SECRET KEY + MD5(PASSWORD))

    By releasing the password it is actually a danger to the user (as seen here). This also tells us a bit about photobucket's database schema. They store their passwords in plaintext on the database (otherwise how would they know?) I would not recommend anyone use a password they care about on photobucket, as I simply don't trust their administrative team and more importantly, if they don't follow a simple convention like hashing passwords, it says volumes about the strength of the rest of their code.

    I'm sure eventually this will get back to a photobucket admin that I was ripping on their setup. To be honest, I don't care. Their failure as developers and administrators is putting users at risk and it bugs me. The worst part is, they don't even care.

    The design spec for the new forum software uses SHA1 (recommended for all new applications) and a hash pad for added security. It also will ignore input given unless the script specifically asks for it, and it matches the given sanitizing checks (type casting, regular expressions, etc.)

    Ok, that's enough of me ranting. Feel free to reply to sections of this and I'll get back to you guys when I can (I'm moving into a new place so my internet is all goofy).

    -Alpha

    * Don't know what hashing is? Wikipedia knows. Simply, take a password and store it in a way that you can't decipher the original from the stored version. People are defeating this using rainbow tables, I go on to explain how I would like to use a hash pad or a hash token to increase security. If you don't get it, don't worry, it won't be on the test.

    Älphämönkëy on
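The two ideas in Alpha's post above, the MD5(SECRET KEY + MD5(PASSWORD)) "hash pad" against precomputed rainbow tables and the type-casting of request parameters, are shown below in a small Python model. This is an added example written for this page, not Alpha's code and not phpBB's; the SECRET_PAD value, the tiny lookup table of common passwords, and the function names are all constructed for illustration.

```python
import hashlib
import hmac
import re
from typing import Optional

# Constructed secret "hash pad" (Alpha's SECRET KEY). In a deployment it would
# live in a config file outside the web root, never next to the hashes in the DB.
SECRET_PAD = "constructed-example-pad-not-a-real-secret"


def md5_hex(text: str) -> str:
    """Hex MD5 of a UTF-8 string, the primitive phpBB used at the time."""
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def plain_md5_hash(password: str) -> str:
    """What the thread says phpBB stored: an unkeyed MD5 of the password."""
    return md5_hex(password)


def padded_hash(password: str, pad: str = SECRET_PAD) -> str:
    """Alpha's proposal: MD5(SECRET KEY + MD5(PASSWORD)).

    A table precomputed from MD5(password) alone cannot match this value,
    because the attacker would also need the pad to build the right table."""
    return md5_hex(pad + md5_hex(password))


def verify_password(candidate: str, stored: str, pad: str = SECRET_PAD) -> bool:
    """Login check against a padded hash; constant-time compare avoids timing leaks."""
    return hmac.compare_digest(padded_hash(candidate, pad), stored)


# Constructed stand-in for a precomputed MD5 lookup ("rainbow") table: a few
# common passwords keyed by their MD5. Real tables hold billions of entries.
COMMON_PASSWORDS = ["password", "123456", "letmein", "qwerty", "monkey"]
LOOKUP_TABLE = {md5_hex(p): p for p in COMMON_PASSWORDS}


def table_lookup(stored_hash: str) -> Optional[str]:
    """Return the password if the stored hash is in the precomputed table, else None."""
    return LOOKUP_TABLE.get(stored_hash)


def parse_post_id(raw: str) -> Optional[int]:
    """Type-cast an id parameter the way the new design spec describes: accept
    only a short run of digits and reject everything else, so a value such as
    "42 OR 1=1" never reaches a SQL statement as text."""
    if not re.fullmatch(r"[0-9]{1,10}", raw):
        return None
    return int(raw)


if __name__ == "__main__":
    stored_plain = plain_md5_hash("monkey")
    stored_padded = padded_hash("monkey")
    print("plain MD5 found in table :", table_lookup(stored_plain))   # monkey
    print("padded MD5 found in table:", table_lookup(stored_padded))  # None
    print("login with correct pw    :", verify_password("monkey", stored_padded))
    print("post id '42'             :", parse_post_id("42"))
    print("post id '42 OR 1=1'      :", parse_post_id("42 OR 1=1"))
```

The pad defeats offline lookup tables and forces an attacker to obtain the secret as well as the database, but it is one site-wide key, so two users with the same password still share a hash. Current practice goes further than this 2005 design: a random per-user salt and a deliberately slow function (bcrypt, scrypt or Argon2) rather than a single MD5 or SHA1.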
    BigDes Registered User regular
    edited August 2005
    There's a test? But, I haven't studied or anything.

    BigDes on
    Just_Bri_Thanks Seething with rage from a handbasket. Registered User, ClubPA regular
    edited August 2005
    Yeah, the test is on the "how to be awesome" material covered in your PA text books in chapter 8.

    Just_Bri_Thanks on
    ...and when you are done with that; take a folding
    chair to Creation and then suplex the Void.
    stilist Registered User regular
    edited August 2005
    I need to use type-casting in my code more often. I use it in critical places, such as retrieving ids for posts and such, but I tend to forget it with strings and such.

    stilist on
    I poop things on my site and twitter
    BahamutZERO Registered User regular
    edited August 2005
    :shock: I just checked my email and apparently someone requested the user information for one of my photobucket accounts be sent... and I'm certain I didn't ask for it. Not a big deal unless they somehow got my password from the email sent to my inbox, and then changed all my stuff to goatse or something, but still, very creepy.

    BahamutZERO on
    Deusfaux Registered User regular
    edited August 2005
    thank you very much alpha.

    i am a little comforted that the admin was essentially "duped" into giving the password, and didn't simply hand it out to a random stranger who asked for it.

    but damn them for not caring!

    Deusfaux on
    yeo Registered User regular
    edited August 2005
    Alpha,

    Thanks for your time...:)

    yeo on
This discussion has been closed.