Hacked, Downtime today from 6am until 2pm.

That's what I'm asking is possible through the 'hacking'. Even if it weren't this time around some people are silly to use the same password for everything. So their password here is also the password to their email, bank, etc.

If you are going to manage a forum, then the protection of its members should be a priority. Judging by the sheer amount of 'hacks' this place gets it is clear that it is not a priority.

How do you know that sections of a governments intelligence isn't behind it? Governments aren't exactly known for their altruism.

*sigh*

Hi guys, I'm PizzaPlanet, and I can use a computer. Some of you may know me as SexWarrior from that other site, the one that doesn't fall on its face every month.

Should any of us be worried about our accounts? (ie passwords

I will start by saying that this was very unlikely to be a hacking incident. Like, very, very unlikely.

But let's assume you guys did get hacked: should people be worried about their passwords being stolen? To some extent, no, to some extent, yes. Let's go into a bit more detail.

Unless John went out of his way to completely cripple SMF (the software this forum is running on), then your password will be stored in the database in a salted and hashed format. In short, your password is not stored anywhere on the server, and thus cannot be easily retrieved, even if someone did directly access the database.

However, anyone with access to the database can attempt to bruteforce your password through what is effectively a very long guessing game. Assuming your password isn't complete garbage, this will be very time-consuming, potentially to the point of being impractical. If your password is fairly short, it will be very easy. You have to make your own judgement call on whether or not this concerns you. Then again, if it does concern you, you shouldn't be using the same password for multiple services anyway.

and email data being stolen?

The e-mail address you've entered as the one associated with your forum account is stored unencrypted and available for the admins (and potentially mods, depending on how things are set up) to see. If the site, or just your account, is compromised, the attacker will be able to see that without much effort.

How do you know that sections of a governments intelligence isn't behind it? Governments aren't exactly known for their altruism.

Oh, don't worry about that possibility. If the forum was hacked by anyone competent, you wouldn't have a clue that it happened at all. There wouldn't be a two-day outage to accompany it. The very fact that this incident was so messy is good evidence that this was just the site administration's or the ISP's incompetence that led to the outage.

Why when there is already one here? Are you happy with your data being mismanaged and compromised needlessly though? I'm just saying that things should and could be better.

Of course she is. This is SCG we're talking about.

You can always start your own forum.

But then all the computer-literate people would migrate away to that forum, leaving you with the likes of John to handle people's concerns. Oh, wait, that already happened 

Why when there is already one here? Are you happy with your data being mismanaged and compromised needlessly though? I'm just saying that things should and could be better.

I do not use the same password for everything. There are easy steps to take to make your data safer.   

I've been a member of several forums for more than 10 years. Some of them have been hacked, they've all experienced downtime. The more popular a forum is, the more likely it is to be targeted.

Ok, thanks for the reassuring explanation.

Just to amend my previous statement: now that we have obvious evidence that the homepage of this forum has been altered, it makes much more sense to assume the worst-case scenario of "everything's been accessed", or even worse. If an attacker can arbitrarily change the website's code, until we get a debrief from the admins, it is completely possible that the "password" field is sending your password in an e-mail to your grandmother.

Now, it's still very unlikely that that's happening - it looks like someone's just having a bit of fun. But we have no real way of knowing.

I'm currently rewriting the forums software and redoing its architecture to follow current security standards and then some. It is taking time.

As Steve points out, whenever there is any breach on a site, it should be assumed that all source code has been breached. When this happens, I get a simple audit of every forum file changed. In this case, it looked to be just the index.php in each directory. We are dealing with a script kiddy that is using the same script as the last guy.

As he also points out, it would take an unrealistic amount of time to crack the password from the salted hash. This will be further changed in the near future to an impossible amount of time.

To a more useful point, we understand and share your concerns about the security of the site. The changes that will be implemented in the new platform will include the option for two factor authentication via text, a better hash and salt algorithm, as well as tighter security across the board.

In the end, you should never reuse your passwords or you can have this issue no matter what. People hack other sites all the time and do so in a less visible way to the aim of stealing passwords. If you are concerned about this, then never use the same password and always make sure your password is suitably complex.

As Steven has pointed out in the past, if they wanted to fish passwords they likely would not have posted a 'lol we hax0red j00' front page and instead aimed for a less noticeable attack so they could harvest as many as possible.

Do you suspect the forum software is the issue here, as opposed to, say, the host OS?

Our hosting is managed now;  I assume if there were vulnerabilities in their setup, they would manifest elsewhere and they would correct them since we report them, but it could have to do with some error on their end I suppose. We may one day look at a new managed setup.

It could also have to do with something misconfigured or an insecure plugin or software element we use.

I'll have to do a search for whatever their 'tag' was, and see if we share software with those other sites.

Whatever the results are, I'm not happy with how SMF is architected both in regards to security and performance but more generally just general use. It has a lot of kitchen sink stuff we really don't need, and is missing some other functionality we would find useful. Theming it is not very friendly; while it boasts of its ability to be integrated from an outside cms, its api for it is rather lacking still.

It also doesn't offer great options for horizontal scaling, something I'm addressing with our new setup along with unifying all the functions of our site (wiki, forum, front content) under one software package.

There are other reasonings behind the decision to move to a new platform and architecture, which I won't go into here.

In the end, it makes sense rather than perform a security audit on the 3 or 4 software systems and their configurations we have in place, and the architecture itself to instead work towards a new architecture that actually fits our needs a bit better.

Or instead of all that, maybe you could just reunite with your fellow brethren and put all the nonsense in the past?

This fixes all your technical issues, as well as bring together the full community again, which is the way it should be.

If someone can state a valid reason for this not making 100 percent sense, I shall admit I am an idiot in a new thread where all can throw rotten fruit at me

You are asking for this forum to be handed over to another forum. All the people who post over there are welcome to post here, they chose to leave.

If someone can state a valid reason for this not making 100 percent sense, I shall admit I am an idiot in a new thread where all can throw rotten fruit at me

I can make an 83% case for non-merger.

This site is more fun.

Not 100%, so no action required on your part.   

I can make an 83% case for non-merger.

This site is more fun.

Not 100%, so no action required on your part.   

I would never disagree with you there, I am here aren't I 

The fun would increase combining power though...That is the point, not to mention fixing the technical issues and making things easier for the admins.

You are asking for this forum to be handed over to another forum. All the people who post over there are welcome to post here, they chose to leave.

I never said just hand it over... I don't know how those things work, but can't it be like any business where you can have multiple owners/people in charge? Make it where neither can force the other out?

Quote from: Babyhighspeed on May 21, 2017, 02:34:00 PM

If someone can state a valid reason for this not making 100 percent sense, I shall admit I am an idiot in a new thread where all can throw rotten fruit at me

I can make an 83% case for non-merger.

This site is more fun.

Not 100%, so no action required on your part.   

I agree with this.

[Edit to add] Thanks, John, for dealing with the headaches.

Whatever the results are, I'm not happy with how SMF is architected both in regards to security and performance but more generally just general use. It has a lot of kitchen sink stuff we really don't need, and is missing some other functionality we would find useful. Theming it is not very friendly; while it boasts of its ability to be integrated from an outside cms, its api for it is rather lacking still.

For what it's worth, I completely agree that SMF is a pile of poop. Our setup is slightly different from yours (I believe you use MySQL while we're on PostgreSQL, for example), which led to some hilarious bugs presenting themselves over the years on our end. I think my favourite was that you could register users with case-sensitive names (e.g. pizzaplanet is a different user from PizzaPlanet), but the login process was case-insensitive. I briefly locked Parsifal out of his own account by creating a parsifal account.

Though I have to say I haven't found outside CMS integration to be all that bad. Our homepage uses it and the code to get it going was relatively simple.

You are asking for this forum to be handed over to another forum.

To be perfectly clear: that is not what was ever proposed, suggested, or even discussed at any considerable length. The only person who thought you guys should hand everything over was Thork.

SCG, we're trying to have a polite discussion here, and for the most part it's going well. Please, could you try to respect that for once?

I'm currently rewriting the forums software and redoing its architecture to follow current security standards and then some.

Shouldn't that be something that's done proactively rather than reactively?

Quote from: Space Cowgirl on May 21, 2017, 02:49:12 PM

You are asking for this forum to be handed over to another forum.

To be perfectly clear: that is not what was ever proposed, suggested, or even discussed at any considerable length. The only person who thought you guys should hand everything over was Thork.

SCG, we're trying to have a polite discussion here, and for the most part it's going well. Please, could you try to respect that for once?

Gimme a break. I haven't been impolite.  I know what was discussed, I read it, and commented on it at the time.  You can try to rewrite history, but some of us memba.  I know you don't want any comments from people who disagree.

Gimme a break. I haven't been impolite.

Well, at least I've tried. Correct me if I'm wrong, but for now I'll assume that you're speaking in your capacity as moderator and that you're not interested in our help. I'll try again later.

I know what was discussed, I read it, and commented on it at the time.  You can try to rewrite history, but some of us memba.  I know you don't want any comments from people who disagree.

The thread is still up there for everyone to read, no need to rewrite anything. I'd link it, but we've been "asked" not to do it. Luckily, people like babyhighspeed have had an opportunity to see it, so hopefully your lie won't have much of an effect.

And we're still happy to discuss a bilateral agreement. Hopefully one day we can have a reasonable and polite discussion about that.

I'm only interested in bi-flat-eral agreements.

It seemed like little interest was had over on your side last time we talked about it. Likewise, few folks here were really interested in it either - and some were very against it.

Like you said, we can hopefully one day have a discussion about that.

I'm only interested in bi-flat-eral agreements.

Ha!

It seemed like little interest was had over on your side last time we talked about it.

You know, I disagree. I hope you'll forgive me for circumventing the filter, but: here's the thread, everyone can see for themselves without taking anyone's word for it. Sure, there was a handful of disagreements, but the support was overwhelming. When we took it to a vote, the results were 17-2 in favour of proceeding (my count seen on page 5, votes were simply posts so you can recount them by yourself).

Obviously I can't comment on the consultation process on your end. I haven't seen much of it, and all I know was that Daniel and Wilmore were happy to proceed until suddenly all communications with us was cut.

I don't believe we've been seriously approached since then. We had a brief exchange about how the old deal would no longer work because we've improved our services and wouldn't want to downgrade (e.g our shop or homepage). Similarly, you have since run multiple laps around us on social media (previously we had 5 times the followers you do, now it's the other way around). Any support of a new deal could only be measured once we actually reached a proposal. You stopped by once and talked about how you're gonna give people ice cream. I think everyone took that as a joke, and I hope you can understand why that was.

Last I talked to Daniel concerning this, I believe his words were something along the lines of he was all for it at first, but now he's more of the 'more the merrier' standpoint. Last time I talked to Wilmore, he had very little interest in the forum side of things at all, though supported the idea because we risked losing our 'hodgepodge' community we've cultured over the years. I think these concerns have been shown to be erroneous. There are now two hodgepodge communities, each with their own identity and value.

While there may have been interest in 2014, we can see from the second thread you linked that interest had waned significantly by 2016 as well as iirc the thread that led to that second thread. The other threads and discussions between then performed mostly by myself showed to me about the same thing in spite of myself pushing it against the advice of our entire site and moderation staff save a few. Further, interest is seldom if ever brought by the members of these forums, or this society. It almost always comes from your forum members coming here and rabble-rousing whenever we get hacked or have some other minor interruption of service. To me, it sounds a bit like sour grapes.

At this point, my feelings on the matter are that letting anybody from outside our forums run our website would be much like the farmer who let the wolf guard the henhouse.

I'm also not sure our groups meet up ideologically. There are several views your group continues to hold, as far as I know, that we have publicly distanced ourselves from. I more than most appreciate that those views should have their own place to live - and you guys seem to be doing a great job at cultivating them. They just are harmful here.

Other concerns exist. The reason I was suggesting a soft merger was so that we could learn to work with each other after such a long history behind us. My concerns are still alive and well; we can hardly play well enough for you personally to follow our rules on our forum while discussing merging with us or for myself to not offer you ice cream sandwiches in a serious discussion. Perhaps I just negotiate oddly.

I am failing to see how there is any ground to walk forward on, let alone the terra firma we zetetics are accustomed to given our natural, lawful, and holy skepticism. Our members fail to see the benefit. The community at large is vehemently against some of your more ridiculous views that I have argued against personally for the past decade or so.

One of the main issues with our forums that came up again and again during discussions were their speed. That seems to have been resolved. Another is security, and I am currently working on solutions.

At this point, my feelings on the matter are that letting anybody from outside our forums run our website would be much like the farmer who let the wolf guard the henhouse.

Well, currently there is not even a fence to defend the chickens, so what does it matter?

Further, interest is seldom if ever brought by the members of these forums, or this society. It almost always comes from your forum members coming here and rabble-rousing whenever we get hacked or have some other minor interruption of service. To me, it sounds a bit like sour grapes.

This is simply false.

The reason why the topic gets raised every time you get hacked or go down is because your members come to our forum and start asking us about the merger, at which point we have to explain to them all over again that we're all for it and will be right there if discussions ever reopen. I try as much as possible not to stir shit here, but I can hardly blame people for having "sour grapes", given that some of the members here seem to treat our forum as a punching bag to take out their frustration with this one's downtime.

Here is a recent thread of that nature, if you don't believe me.

I should speak for myself, since it's most often me who ends up stopping here when this happens. But yes, I can confirm what Parsifal has said. Every time I'm attracted to come back and talk to you guys, it's because an influx of your members comes over to ask us what happened (how are we to know?!), why it happened (ditto), and what can be done to improve things over here.

You may want to note that this time the merger was brought up by Babyhighspeed and SCG:

Or instead of all that, maybe you could just reunite with your fellow brethren and put all the nonsense in the past?

This fixes all your technical issues, as well as bring together the full community again, which is the way it should be.

If someone can state a valid reason for this not making 100 percent sense, I shall admit I am an idiot in a new thread where all can throw rotten fruit at me

You are asking for this forum to be handed over to another forum. All the people who post over there are welcome to post here, they chose to leave.

Before that, I was discussing matters that were purely technical, and which related to your recent hack. It is your members who keep coming to us and expressing interest.

Can you really blame me for stopping by and offering an olive branch over and over again when this happens? Can you not see the frustration that arises when I do that and receive lies and slander from SCG as thanks? It would be dishonest to both allow her to spread untruths about what was and wasn't discussed and to demand that we don't refer to the written record of the discussion as part of a rebuttal - don't you agree?

Quote from: John Davis on May 27, 2017, 10:58:20 AM

Further, interest is seldom if ever brought by the members of these forums, or this society. It almost always comes from your forum members coming here and rabble-rousing whenever we get hacked or have some other minor interruption of service. To me, it sounds a bit like sour grapes.

This is simply false.

The reason why the topic gets raised every time you get hacked or go down is because your members come to our forum and start asking us about the merger, at which point we have to explain to them all over again that we're all for it and will be right there if discussions ever reopen. I try as much as possible not to stir shit here, but I can hardly blame people for having "sour grapes", given that some of the members here seem to treat our forum as a punching bag to take out their frustration with this one's downtime.

Here is a recent thread of that nature, if you don't believe me.

I can't seem to access that thread.

Its very possible I misread the situation. However, I have yet to hear these kinds of complaints here or to me. Last time I suggested this route of action, I was one of two on the entire user base and mod staff that agreed with it. I have heard nothing that has changed my mind that this is still the case.

Quote from: John Davis on May 27, 2017, 10:58:20 AM

At this point, my feelings on the matter are that letting anybody from outside our forums run our website would be much like the farmer who let the wolf guard the henhouse.

Well, currently there is not even a fence to defend the chickens, so what does it matter?

Your solution to a supposed lack of fence is to throw wolves into the mix?

I can't seem to access that thread.

gotham chose to start that thread in the Lounge, which is accessible to users only. You have like three accounts, I'm sure you can get there

Its very possible I misread the situation. However, I have yet to hear these kinds of complaints here or to me.

What about the recent S&C thread right here? Or the discussion that transpired in this very thread, where babyhighspeed suggested a merger? The one I quoted right above your post?

Last time I suggested this route of action, I was one of two on the entire user base and mod staff that agreed with it. I have heard nothing that has changed my mind that this is still the case.

And that's fine. I'll stop by every now and then and ask how you're feeling about it. But if you could ask your mods not to slander us every time that happens, that would be grand.

While there may have been interest in 2014, we can see from the second thread you linked that interest had waned significantly by 2016

Wow, I wonder how that happened. Just spitballing here, but I think it might have something to do with the fact that the last time we got invested in the idea and spent considerable time and energy discussing, negotiating terms, and collecting votes, your side abruptly pulled the rug out from under us at the last second and treated us to two years of dead air.

Lies and slander, OH MY!

You guys are happy with your forum, and I think that is great. You're still welcome to come back here any time as far as I'm concerned. I got no control over the noobs who show up there to ask about the merger every time something happens here.

This is simply false.

The reason why the topic gets raised every time you get hacked or go down is because your members come to our forum and start asking us about the merger, at which point we have to explain to them all over again that we're all for it and will be right there if discussions ever reopen. I try as much as possible not to stir shit here, but I can hardly blame people for having "sour grapes", given that some of the members here seem to treat our forum as a punching bag to take out their frustration with this one's downtime.

I personally am fine with or without a merger. I'm just posting to say that Parsifal is correct in stating the above.

You guys are happy with your forum, and I think that is great. You're still welcome to come back here any time as far as I'm concerned. I got no control over the noobs who show up there to ask about the merger every time something happens here.

That's okay. You also don't like me, and that's also okay. But plz try not to lie

Quote from: Space Cowgirl on May 27, 2017, 03:11:59 PM

You guys are happy with your forum, and I think that is great. You're still welcome to come back here any time as far as I'm concerned. I got no control over the noobs who show up there to ask about the merger every time something happens here.

That's okay. You also don't like me, and that's also okay. But plz try not to lie

I don't know what lie you're referring to. Everything I've said about the merger is out in the open on this forum, and you replied to my comments every time.