
Posted

This was, of course, an April Fool's joke.

I assumed it would be obvious, given the relative simplicity with which the alleged "defacement" could be remedied and the tongue-in-cheek nature of graffiti-ing forum buttons, but unfortunately the prank sailed over some people's heads. I felt slightly remorseful when I discovered two helpful PMs in my inbox from members making recommendations as to how the problem could be solved.

I'm glad some did enjoy it though. Last year's stunt proved a tough act to follow!

It's all been taken down now, anyway. Thanks for playing, everyone, and happy April Fool's day! :)

Posted
I felt slightly remorseful when I discovered two helpful PMs in my inbox from members making recommendations as to how the problem could be solved.

I was one of those people! :o

:) Good joke though. I could not resist spoofing either. Today I sent a spoof email to my class from the school administration stating that there's a free pizza and beer party tomorrow in class. The from address is of the form administration@someschool.com, where someschool is the name of my college, and the title is "Free Pizza and Beer." If anyone shows up to lab expecting free pizza and beer I may have some remorse... umm... probably not :D

Happy April Fools Day!

Posted

So....what, now, is going to happen to the "culprits" who had to be winkled out, as per the banner above individual forums? You going to ban yourself for a month?

Ah well....

:P

(Let's face it, it would have to be someone who knew the code for the site very well...)

Guest JohnGalt
Posted

(Let's face it, it would have to be someone who knew the code for the site very well...)

Not true. vBulletin is widely used forum software. Not only could any amateur pull that hack off in a few minutes, but there's actually software written for the automatic/systematic hacking of vBulletin, Invisionboard, and other popular forum software, not to mention entire websites/webrings that willingly divulge information/help to participants. I feel I've said too much, but if there's one thing I've learned from using forums for nearly a decade, especially high-profile ones, it's how vulnerable they can be.

Luckily, I used the buttons enough over my past 6 years of experience with vB to know what they were by reflex. :P

Posted
So....what, now, is going to happen to the "culprits" who had to be winkled out, as per the banner above individual forums? You going to ban yourself for a month?

Ah well....

:D

My tongue remains firmly in my cheek. :)

Not true. vBulletin is widely used forum software. Not only could any amateur pull that hack off in a few minutes, but there's actually software written for the automatic/systematic hacking of vBulletin, Invisionboard, and other popular forum software, not to mention entire websites/webrings that willingly divulge information/help to participants. I feel I've said too much, but if there's one thing I've learned from using forums for nearly a decade, especially high-profile ones, it's how vulnerable they can be.

Luckily, I used the buttons enough over my past 6 years of experience with vB to know what they were by reflex. :thumbsup:

You've misrepresented the truth slightly, here. While there do exist readily available automated scripts that allow any old sod to exploit security vulnerabilities in forum software, they rely on websites running the particular version of the software which is vulnerable to the exploit. The latest version of all well-maintained software like vBulletin is always impervious to previous known security holes.

And let's be clear: extensive, complex pieces of software almost always have security holes. That's because the humans who create them aren't perfect. It's also because hackers can be pretty smart at poking holes in code (there was a Russian hacker group who concentrated their efforts on locating exploits in IPB 2.1 a few months ago...they found many, the ingenuity behind some being readily apparent). However, so long as software developers plug holes when they're discovered (which they do, usually within a few hours of being notified) and website owners keep their software up to date (which we do), there is little to worry about.

YC also maintains a few extra safeguards that aim to minimize the extent of damage were an exploit to be successfully carried out.

As for "any amateur" being able to pull off that hack in a few minutes (altering images and skin templates), that's patently false. Pulling off that feat would take someone with a much larger skill set than a mere amateur.

Just thought I'd elucidate to put people's minds at rest. :D

Guest JohnGalt
Posted

You've misrepresented the truth slightly, here. While there do exist readily available automated scripts that allow any old sod to exploit security vulnerabilities in forum software, they rely on websites running the particular version of the software which is vulnerable to the exploit. The latest version of all well-maintained software like vBulletin is always impervious to previous known security holes.

Not entirely true. "Always impervious to previous known security holes" gets thrown around a lot, and holds little to no meaning in the software business. Anyone who says their software is "impervious to previous known security holes" is most probably lying about their software; very few companies have the resources to completely fix them, and it ends up being a prioritized system. I have personally seen high-profile vB boards fall to old, known security issues immediately after a major update.

As for "any amateur" being able to pull off that hack in a few minutes (altering images and skin templates), that's patently false. Pulling off that feat would take someone with a much larger skill set than a mere amateur.

Just thought I'd elucidate to put people's minds at rest. :thumbsup:

"Amateur" is a bit of a misnomer. I meant amateur in the exploitative department, which is certainly much more knowledgeable than the average user. No one, of course, was suggesting that YC was in danger of being hacked, the possibility just always remains, especially with widely used software. And, no matter how quickly a hack can be done (several only take mere minutes after a hole has been identified) a fix is almost always a fairly simple matter. Of course, data loss isn't something that's too avoidable.

Posted
Not entirely true. "Always impervious to previous known security holes" gets thrown around a lot, and holds little to no meaning in the software business.
It holds a very clear meaning here: security exploits which only work with older (i.e. not the latest) versions of vBulletin, for example, will not work with the latest version, because the vendors have addressed the past problems. Keeping up-to-date with the very latest version at all times is, therefore, crucial for security.
"Amateur" is a bit of a misnomer. I meant amateur in the exploitative department, which is certainly much more knowledgeable than the average user.
Is your amateur devising the exploit, or running an automated script prepared by someone else to perform it? A trained monkey could practically do the latter - it takes knowledge and a sizeable intellect to do the former.
No one, of course, was suggesting that YC was in danger of being hacked, the possibility just always remains, especially with widely used software.
Of course. It would be foolish to deny that. That's just the way things are, unfortunately.
Of course, data loss isn't something that's too avoidable.
If you take regular backups (which we do) then it often is. :thumbsup:
Guest JohnGalt
Posted
It holds a very clear meaning here: security exploits which only work with older (i.e. not the latest) versions of vBulletin, for example, will not work with the latest version, because the vendors have addressed the past problems. Keeping up-to-date with the very latest version at all times is, therefore, crucial for security.

Right. But no one's perfect. I've personally seen vB boards taken offline for days after a major update due to old security issues. It wasn't just old issues, and was compounded by new exploits, but again, no one's perfect, no matter how much their clients depend on them.

Is your amateur devising the exploit, or running an automated script prepared by someone else to perform it? A trained monkey could practically do the latter - it takes knowledge and a sizeable intellect to do the former.

Preferably manually. I'd imagine it's mostly the teens that are attracted to things like that. You know, the whole email crack programs, messenger attacks, keyloggers, etc. There really is an art form to security exploitation, and it passes a lot of people up.

If you take regular backups (which we do) then it often is. :thumbsup:

Good, I've seen entire server farms have to be rolled back days because of not only bad backup policy, but problems with the backed up data. Oh the poor world of an IT technician at a high-profile site.

Posted

Mike,

I'm surprised you waste your time with someone who's got their booleans in such a twist. I thought that in logical terms something was either true or not-true. Since I wouldn't have a clue how to invade a web-site what I said was obviously not not-true so either mr galt is talking bool-ox or he's come up with a workable logical maybe. I'd love to see a truth table for the output of a two input maybe gate.

Posted

This thread is in danger of needing to be moved to serious discussions methinks :thumbsup:

EDIT:

I'd love to see a truth table for the output of a two input maybe gate.

:)

Posted
Mike,

I'm surprised you waste your time with someone who's got their booleans in such a twist. I thought that in logical terms something was either true or not-true. Since I wouldn't have a clue how to invade a web-site what I said was obviously not not-true so either mr galt is talking bool-ox or he's come up with a workable logical maybe. I'd love to see a truth table for the output of a two input maybe gate.

Well, it's kinda like this:

$hack == true;

As opposed to:

$hack === true;

:thumbsup:
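The `==` versus `===` joke above has a real security edge, because PHP's loose comparison juggles types before it compares. As an added example, not code from the original thread or from vBulletin, the PHP snippet below puts a loose token check beside a strict one. The function names, the token value and the attacker-supplied inputs are constructed for illustration; the two `md5()` inputs are the well-known strings whose hashes have the form `0e<digits>`, which PHP reads as the number zero when comparing loosely.

```php
<?php
declare(strict_types=1);

// Added example, not code from the original thread or from vBulletin.
// Function names, the token value and the attacker-supplied inputs are
// constructed for illustration.

/** Loose comparison: PHP converts types before comparing, so unequal inputs can "pass". */
function checkTokenLoose(string $stored, mixed $supplied): bool
{
    return $stored == $supplied;
}

/** Strict comparison: requires a string with the same bytes, compared in constant time. */
function checkTokenStrict(string $stored, mixed $supplied): bool
{
    return is_string($supplied) && hash_equals($stored, $supplied);
}

// Constructed inputs an attacker controls via a query string or JSON body.
$cases = [
    // Two "magic hashes": distinct hex strings of the form 0e<digits>, which PHP
    // treats as numeric strings equal to 0 when compared loosely.
    ['stored' => md5('QNKCDZO'),  'supplied' => md5('240610708')],
    // JSON `true` decoded from a request body, compared with a non-empty string.
    ['stored' => 's3cr3t-token', 'supplied' => true],
    // Two spellings of the same number: numeric strings compare as numbers.
    ['stored' => '10',           'supplied' => '1e1'],
    // The genuine token: both checks must accept this one.
    ['stored' => 's3cr3t-token', 'supplied' => 's3cr3t-token'],
];

foreach ($cases as $case) {
    printf(
        "%-42s loose: %-4s strict: %s\n",
        var_export($case['supplied'], true),
        checkTokenLoose($case['stored'], $case['supplied']) ? 'PASS' : 'fail',
        checkTokenStrict($case['stored'], $case['supplied']) ? 'PASS' : 'fail'
    );
}
```

Run it with PHP 8 or later (the `mixed` type hint needs it): the first three constructed inputs pass the loose check and fail the strict one, and only the genuine token passes both. `hash_equals()` also avoids the timing leak of an early-exit string comparison, which is why it is preferred over a bare `===` for secrets.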

Posted

I see you added to your previous post and that there was another directly above montpellier's that I missed, Galt...

Anyone who says their software is "impervious to previous known security holes" is most probably lying about their software, very few companies have the resources to completely fix them, and it ends up being a prioritized system.

This may be true for companies such as Microsoft, with software such as Windows, but the developers of forum software generally fix each and every security hole they are made aware of. If they didn't, they would lose customers as everyone would be getting hacked: they lose customers, they lose money. It's in their best interests to keep everything secure.

Case in point: vBulletin Community Forum - View Single Post - Security

Bear in mind that Windows users are at less of a risk than publicly-accessible websites. If there were security problems with the code we were running right now, we would've likely been hacked already. But there aren't any (any known problems, that is), hence we're still standing.

Let's not forget that there are many other more high profile sites running the exact same software, of course.

I have personally seen high-profile vB boards fall to old, known security issues immediately after a major update.

Then the upgrade wasn't performed properly, or the upgrade somehow re-opened an old security hole (which seems extremely unlikely), or the exploit used was not in fact a previously known one. Stuff like this is generally fixed as soon as the developers hear about it - as I've stated, they have no choice but to do so, otherwise they will lose custom and reputation.

Guest JohnGalt
Posted

This may be true for companies such as Microsoft, with software such as Windows, but the developers of forum software generally fix each and every security hole they are made aware of. If they didn't, they would lose customers as everyone would be getting hacked: they lose customers, they lose money. It's in their best interests to keep everything secure.

I'd hope that hackers aren't that common!

Bear in mind that Windows users are at less of a risk than publicly-accessible websites. If there were security problems with the code we were running right now, we would've likely been hacked already. But there aren't any (any known problems, that is), hence we're still standing.

I don't think that's actually true.

Then the upgrade wasn't performed properly, or the upgrade somehow re-opened an old security hole (which seems extremely unlikely), or the exploit used was not in fact a previously known one. Stuff like this is generally fixed as soon as the developers hear about it - as I've stated, they have no choice but to do so, otherwise they will lose custom and reputation.

Always a possibility. However, I do not believe hackers are as prevalent and on-the-whole as dangerous as they sound from your posts.

Posted

You'd better believe that the threat of hacking is a real and present danger for public websites, especially those which use common software like vBulletin or IPB.

Actual targeted hack attempts due to persons harbouring animosity towards the site, whoever runs it etc. are actually relatively rare. The only exception might be if the site in question is controversial in some way, and as a consequence likely to rub a lot of people up the wrong way. Opportunistic, "for the sport of it" hack attempts are far more common. Often you find that all a hacker's done is searched "Powered by vBulletin" or similar generic search terms on Google and attacked the site just to see if they can be successful. Yup, there are people out there who are that sad.

In the past, I've seen things in our raw access logs that reveal a hack attempt has taken place. In one such case, I contacted the relevant authorities. Luckily, the person concerned was attempting to exploit a classic hole in the old shoutbox add-on that had been fixed a very long time ago.

This is just one example of why keeping up-to-date with patches and software is both effective and mandatory.
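The post above describes two things a practitioner can actually look for in raw access logs: opportunistic scanners that arrive straight from a "Powered by vBulletin" search, and probes against an add-on that was patched or removed long ago. The PHP script below, an added example that is not code from the original thread or from vBulletin, parses a handful of constructed Apache "combined" log lines and reports the requests that match either indicator. The retired add-on paths (`/shoutbox.php`, `/misc.php?do=shoutbox`) are hypothetical stand-ins; a real deployment would list the paths of its own removed or patched components.

```php
<?php
declare(strict_types=1);

// Added example, not code from the original thread or from vBulletin.
// The log lines are constructed, and the retired add-on paths are hypothetical
// stand-ins for whatever component a site has removed or patched.

const RETIRED_PATHS = ['/shoutbox.php', '/misc.php?do=shoutbox'];  // hypothetical

/** Split one Apache "combined" log line into fields; null if it does not parse. */
function parseCombinedLine(string $line): ?array
{
    $re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "([^"]*)" "([^"]*)"$/';
    if (!preg_match($re, $line, $m)) {
        return null;
    }
    return [
        'ip' => $m[1], 'time' => $m[2], 'method' => $m[3], 'target' => $m[4],
        'status' => (int) $m[5], 'referer' => $m[6], 'ua' => $m[7],
    ];
}

/** Reasons a parsed request looks like an exploitation attempt (empty if none). */
function suspicionReasons(array $req): array
{
    $reasons = [];
    $target  = rawurldecode($req['target']);

    // Probes for a component that no longer exists (or was patched long ago).
    foreach (RETIRED_PATHS as $path) {
        if (str_starts_with($target, $path)) {
            $reasons[] = "request for retired component $path";
        }
    }

    // Coarse SQL injection indicators in the decoded request target.
    if (preg_match('/union\s+select|\bor\s+\d+\s*=\s*\d+|\/\*|--/i', $target)) {
        $reasons[] = 'SQL injection pattern in request target';
    }

    // Opportunistic scanners often arrive straight from a "Powered by vBulletin" search.
    if (stripos(urldecode($req['referer']), 'powered by vbulletin') !== false) {
        $reasons[] = 'arrived from a "Powered by vBulletin" search';
    }

    return $reasons;
}

// Constructed sample log: one scanner (203.0.113.7) and one ordinary reader.
$log = <<<'LOG'
203.0.113.7 - - [01/Apr/2006:10:12:03 +0100] "GET /shoutbox.php?do=shout&msg=1'%20UNION%20SELECT%20password%20FROM%20user--%20- HTTP/1.1" 404 512 "http://www.google.com/search?q=%22Powered+by+vBulletin%22+shoutbox" "Mozilla/4.0"
198.51.100.22 - - [01/Apr/2006:10:12:41 +0100] "GET /forumdisplay.php?f=12 HTTP/1.1" 200 18422 "http://forum.example/index.php" "Mozilla/5.0 (Windows; U; Windows NT 5.1)"
198.51.100.22 - - [01/Apr/2006:10:13:05 +0100] "GET /showthread.php?t=1337 HTTP/1.1" 200 20133 "http://forum.example/forumdisplay.php?f=12" "Mozilla/5.0 (Windows; U; Windows NT 5.1)"
203.0.113.7 - - [01/Apr/2006:10:13:20 +0100] "GET /misc.php?do=shoutbox HTTP/1.1" 404 512 "-" "Mozilla/4.0"
LOG;

foreach (explode("\n", trim($log)) as $line) {
    $req = parseCombinedLine($line);
    if ($req === null) {
        fwrite(STDERR, "unparsed line: $line\n");
        continue;
    }
    $reasons = suspicionReasons($req);
    if ($reasons !== []) {
        printf("%s [%s] %s %s -> %d\n", $req['ip'], $req['time'], $req['method'], $req['target'], $req['status']);
        foreach ($reasons as $reason) {
            echo "  - $reason\n";
        }
    }
}
```

Run with PHP 8 or later (for `str_starts_with`). On the constructed sample the two requests from 203.0.113.7 are reported (the first for all three reasons, the second for the retired path alone) and the ordinary reader's requests are not. The 404 status on both flagged lines is the point the post makes: with the vulnerable add-on gone and the software current, the probe finds nothing to exploit, but the log still tells you someone tried.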
