
data breach? stop using EOL forum version


BAILOPAN
Join Date: Jan 2004
Old 06-13-2014 , 03:40   Re: data breach? stop using EOL forum version
#11

asherkin pretty much covered it, but I'd like to reiterate what the e-mail said. (1) An administrator account was compromised. (2) vBulletin is too permissive in what administrators can do. (3) It insecurely hashes passwords. The weakest link in the chain is more complex than a forum upgrade.

If you had asked me a week ago, "Bail, did you know admins can log in, then modify plugins to introduce GET hooks that run arbitrary code?" I probably would have said, "No, I didn't know that. That's crazy, and only a fleet of catatonic lunkfish would ever design software that way."

The latest vBulletin is almost unchanged underneath the hood. Upgrading wouldn't give us much except a theme that looks like someone spent years in a lab and figured out the worst possible way to display user-generated content, then barfed on it.

There's other forum software out there; the most likely target is Xenforo, which was written by the aforementioned lunkfish and is still PHP. That's not terribly compelling, but it does look better. Anyway, that's something we've already evaluated in the past and it's just a matter of finding the time.

We have a setup now that I think is pretty good. I receive an SMS if the deployed forum software doesn't match our internal source copy. Admin accounts are locked down. The password hashing is way, way more secure now. And vB 3.x still gets emergency security updates - and we apply those right away.

The forum database doesn't have real names, or credit card numbers, or personal addresses. So - doomsday scenario, someone breaks into the colocation center and squirrels away the hard drive in their cheeks - where we're at now, you won't be as compromised.
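The alert BAILOPAN describes, an SMS when the deployed forum tree no longer matches the internal source copy, is file-integrity monitoring of the web root. What follows is an added example, not the AlliedModders setup and not vBulletin code: it hashes the code files of both trees, reports modified, added and removed files, and formats the short alert text an SMS gateway would carry (the gateway call itself is left out). The file layout, the tampered contents and the `demo()` helper are constructed for the demonstration; the set of suffixes treated as code is an assumption you would tune to your own tree.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Assumed set of suffixes that carry executable or configuration content. Uploads
# such as attachments are expected to change and are ignored by suffix, so a .php
# file appearing under attachments/ is still flagged.
CODE_SUFFIXES = {".php", ".js", ".html", ".xml", ".css"}


def is_code_file(path: Path) -> bool:
    return path.suffix.lower() in CODE_SUFFIXES or path.name.startswith(".ht")


def sha256_file(path: Path) -> str:
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every code file under root (relative POSIX path) to its SHA-256."""
    manifest = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath) / name
            if is_code_file(path):
                manifest[path.relative_to(root).as_posix()] = sha256_file(path)
    return manifest


def diff_manifests(expected: dict, actual: dict) -> dict:
    """Compare the known-good manifest (source copy) with what is deployed."""
    return {
        "modified": sorted(p for p in expected if p in actual and expected[p] != actual[p]),
        "added": sorted(p for p in actual if p not in expected),
        "removed": sorted(p for p in expected if p not in actual),
    }


def compare_trees(source_copy: Path, deployed: Path) -> dict:
    return diff_manifests(build_manifest(source_copy), build_manifest(deployed))


def format_alert(report: dict, limit: int = 3) -> str:
    """Short text for a pager or SMS; an empty string means nothing to report."""
    parts = []
    for kind in ("modified", "added", "removed"):
        paths = report[kind]
        if paths:
            shown = ", ".join(paths[:limit]) + (" ..." if len(paths) > limit else "")
            parts.append(f"{kind} {len(paths)}: {shown}")
    return ("forum tree drift; " + "; ".join(parts)) if parts else ""


def demo() -> dict:
    """Constructed source copy and a tampered deployment of it (not a real forum tree)."""
    files = {
        "index.php": "<?php require('./global.php');",
        "includes/functions.php": "<?php function fetch_user($id) { return $id; }",
        "admincp/index.php": "<?php require('../global.php');",
        ".htaccess": "Options -Indexes",
        "attachments/1/2/3.attach": "user upload, opaque bytes",
    }
    with tempfile.TemporaryDirectory() as tmp:
        source, deployed = Path(tmp) / "source", Path(tmp) / "deployed"
        for root in (source, deployed):
            for rel, body in files.items():
                target = root / rel
                target.parent.mkdir(parents=True, exist_ok=True)
                target.write_text(body)
        # Tampering of the kind an attacker with admin code-edit rights could do:
        # a GET-triggered hook spliced into a core include, and a script dropped
        # into a directory that should only ever hold uploads.
        (deployed / "includes/functions.php").write_text(
            files["includes/functions.php"] + " if (isset($_GET['x'])) eval($_GET['x']);"
        )
        (deployed / "attachments/1/shell.php").write_text("<?php system($_GET['c']);")
        # Ordinary churn that must not page anyone:
        (deployed / "attachments/1/2/3.attach").write_text("user replaced their upload")
        return compare_trees(source, deployed)


if __name__ == "__main__":
    print(format_alert(demo()))
```

In production the manifest for the source copy would be generated once per deploy and stored off the web host, the comparison run from cron, and any non-empty `format_alert` result handed to the SMS gateway; a copy on the same box that an admin-level code edit can reach is not a trustworthy baseline.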
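On point (3), the weak password hashing, and the later remark that hashing is "way, way more secure now": the following is an added example, not the forum's own code, of how a site moves from a fast legacy scheme to a slow salted KDF without forcing every user to reset. The legacy function implements the md5(md5(password) + salt) construction vBulletin 3.x used; the replacement is PBKDF2-HMAC-SHA256 from the standard library, and the `record` dict, its field names and the `login()` upgrade-on-success helper are assumptions made for the demonstration.

```python
import hashlib
import hmac
import os

# Legacy scheme: md5(md5(password) + salt), salt stored in clear next to the hash.
# Two MD5 calls per guess, so a leaked table is cracked at GPU speed.
def legacy_hash(password: str, salt: str) -> str:
    inner = hashlib.md5(password.encode("utf-8")).hexdigest()
    return hashlib.md5((inner + salt).encode("utf-8")).hexdigest()


# Hardened replacement: PBKDF2-HMAC-SHA256, random 16-byte salt, high iteration
# count, stored as a self-describing string so the cost can be raised later.
PBKDF2_ITERATIONS = 200_000


def modern_hash(password: str, salt: bytes = None, iterations: int = PBKDF2_ITERATIONS) -> str:
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_modern(password: str, stored: str) -> bool:
    algo, iterations, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


def login(record: dict, password: str) -> bool:
    """Verify under whichever scheme the (hypothetical) record uses; rehash legacy rows on success.

    record keys assumed here: scheme ('legacy' or 'pbkdf2'), password, salt.
    """
    if record["scheme"] == "legacy":
        expected = legacy_hash(password, record["salt"])
        if not hmac.compare_digest(expected, record["password"]):
            return False
        # The only moment the plaintext is available: upgrade the stored hash in place.
        record.update(scheme="pbkdf2", password=modern_hash(password), salt="")
        return True
    return verify_modern(password, record["password"])


def demo() -> dict:
    """Constructed user record under the legacy scheme, walked through a failed and a successful login."""
    record = {"scheme": "legacy", "salt": "a1b", "password": legacy_hash("hunter2", "a1b")}
    return {
        "wrong_password": login(record, "hunter3"),
        "scheme_after_wrong": record["scheme"],
        "right_password": login(record, "hunter2"),
        "scheme_after_right": record["scheme"],
        "second_login": login(record, "hunter2"),
    }


if __name__ == "__main__":
    print(demo())
```

A failed attempt leaves the legacy row untouched, so an attacker cannot use the login form to learn which rows have been upgraded, and rows for users who never log in again stay weak; those are the ones to expire or force-reset after a breach.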
friagram
Veteran Member
Join Date: Sep 2012
Location: Silicon Valley
Old 06-13-2014 , 05:22   Re: data breach? stop using EOL forum version
#12

It would also be bad if admins can edit attachment content, source files, or autocompiled stuff.
Jelle
MOAR CANDY
Join Date: Aug 2009
Location: Denmark
Old 06-13-2014 , 05:55   Re: data breach? stop using EOL forum version
#13

Quote:
Originally Posted by hleV
I never said the staff has to do it.
If the staff isn't going to update, then who is?
Backstabnoob
Veteran Member
Join Date: Feb 2009
Location: Iwotadai Dorm
Old 06-13-2014 , 09:30   Re: data breach? stop using EOL forum version
#14

I always liked the IPB forums, how they looked and the features they had. Almost too slick.
Oshizu
Veteran Member
Join Date: Nov 2012
Location: Warsaw
Old 06-13-2014 , 10:26   Re: data breach? stop using EOL forum version
#15

Quote:
Originally Posted by friagram
It would also be bad if admins can edit attachment content, source files, or autocompiled stuff.
But wouldn't an ability to edit other users posts already mean that it's possible to do this?
hleV
Veteran Member
Join Date: Mar 2007
Location: Lithuania
Old 06-13-2014 , 10:34   Re: data breach? stop using EOL forum version
#16

Quote:
Originally Posted by Jelle
If the staff isn't going to update, then who is?
Volunteers.
Backstabnoob
Veteran Member
Join Date: Feb 2009
Location: Iwotadai Dorm
Old 06-13-2014 , 16:09   Re: data breach? stop using EOL forum version
#17

Quote:
Originally Posted by Oshizu
But wouldn't an ability to edit other users posts already mean that it's possible to do this?
It is, you just remove the old attachment and upload yours with the changes.
Jhob94
AMX Mod X Donor
Join Date: Jul 2012
Location: Portugal
Old 06-13-2014 , 17:07   Re: data breach? stop using EOL forum version
#18

Why don't you use vBulletin on another website and fix it up over time? You could work on it over time, 1 month, 2 months, 6 months, it doesn't matter, but if it is better to update the vBulletin version, you should do it. But if it isn't necessary to change the version, then don't change it. I am gonna be honest, I prefer this version. But if this has bugs and it is better to update, then you should update, using a beta site till the software is ready to be installed here.
Neeeeeeeeeel.-
Some Guy Yellin'
Join Date: Jul 2010
Location: Argentina
Old 06-13-2014 , 17:58   Re: data breach? stop using EOL forum version
#19

Quote:
Originally Posted by Jhob94
Why don't you use vBulletin on another website and fix it up over time? You could work on it over time, 1 month, 2 months, 6 months, it doesn't matter, but if it is better to update the vBulletin version, you should do it. But if it isn't necessary to change the version, then don't change it. I am gonna be honest, I prefer this version. But if this has bugs and it is better to update, then you should update, using a beta site till the software is ready to be installed here.
Bailopan said that they have already fixed it.
Jelle
MOAR CANDY
Join Date: Aug 2009
Location: Denmark
Old 06-14-2014 , 07:47   Re: data breach? stop using EOL forum version
#20

Quote:
Originally Posted by hleV
Volunteers.
Good luck finding people with the knowledge and time to do it for free.

Powered by vBulletin®
Copyright ©2000 - 2019, vBulletin Solutions, Inc.
Theme made by Freecode