Show Posts


Topics - Pete Svarrior

Announcements / Password hashing update and withdrawal of Tapatalk support
« on: February 02, 2019, 01:20:15 PM »
We've made some changes to the forum's password security. This is a proactive move to resolve a potential SMF vulnerability which the software's original maintainers appear to be ignoring. I've covered this in slightly more detail in this Technology & Information thread.

To benefit from the update, please log out from the forum and log back in. You shouldn't notice any changes, but if anything does go wrong, please post here or e-mail admin@tfes.org.

While working on this, we also decided to withdraw support for Tapatalk. It appears that this service is not popular (with only 1 active user over the past 5 months, and 0 users in the last month), and it's proving to be a continuous maintenance burden. Tapatalk's use case should be pretty much entirely covered by our mobile design, but if you have any concerns with this, please let us know and we'll investigate alternatives.

Technology & Information / Fixing the forum's password hashing
« on: February 02, 2019, 01:10:36 PM »
Hi all,

This post is mostly here to serve as a slightly more detailed explanation for an Announcement I'll be writing momentarily, but I guess there's an off chance one or two of you will find it interesting. In short, I'm here to explain why we should care about password security on TFES (and everywhere else), and what steps we took to make this place a little bit more secure.

As some of you may have heard, a very large database (commonly referred to as Collection #1 or Collection 1) of email addresses and associated password hashes from all over the Internet has recently been leaked on several hacker forums. It's not an entirely uncommon occurrence, but the magnitude and scope of this particular collection makes it notable. Rumour has it that more leaks are to follow. Troy Hunt, the guy behind Have I Been Pwned, has covered this in quite some detail here.

Password hashes are what most reasonable websites will store in their database to allow users to log in. It's not the user's actual password, but rather the result of passing the password through a mathematical function that's very difficult to reverse. If you hash the same password in the same ways on two occasions, you should receive the same output. The benefits of that approach are numerous, but most importantly:
  • The website (and its owners) don't know what your password actually is (this is also why you generally can't get a password reminder online - merely a password reset).
  • If the website gets hacked and the attacker steals the database, they don't get a list of passwords, but rather something that should be much more difficult to handle.

Should.

As computers become better and faster, figuring out hashes of common passwords becomes easier. For example, a function called MD5 was once the standard for password storage, but is nowadays considered very insecure, because (among other reasons), you can simply keep generating MD5 hashes of potential passwords until you find the one that matches, and you can do so quickly. In essence, it's an arms race - computers become faster, so we need mathematical functions that take longer to compute.

So where does TFES fit in all this?

The forum software we're using, SMF, is currently using SHA1 hashing of passwords (with a sloppy attempt at salting). It's a dated function that's not been recommended for quite some time, and it doesn't look like SMF are currently thinking about transitioning to anything else. If our database was accessed by an attacker, some of our users' passwords could be easy pickings.

Big deal. What are they gonna do, log in to TFES and write a mean post?

It's important to remember that some (Many. You know who you are.) people use the same password on multiple services. That's what attackers are usually after. Find a place that's easy to attack, figure out people's passwords from there, and then try those same passwords elsewhere. We don't ever want to be the first stage of such an attack, so we're taking the possibility seriously.

Okay, Pete, I am convinced by your vast knowledge. So what are you doing about this problem?

We rewrote most of SMF's password hashing to use the current PHP default - bcrypt. Furthermore, we altered the code so that if the current standards change in the future, your password will be rehashed on first login, keeping the arms race going without anyone lifting a finger. As always, you can review the changes yourself on our GitHub repo.

So, what do I need to do?

Log out and log in. Or change your password. Either of these actions will purge your old password hash and replace it with a newer, better, sexier one.

Well, that's it for now! If you have any questions, technical or not, feel free to give me a shout.
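The "rehash on first login" approach described in the post above, as an added PHP example (not SMF's code or the forum's actual patch). It assumes the legacy scheme is SMF's unsalted sha1(strtolower(username) . password) and uses PHP's built-in password_hash() / password_needs_rehash() so that a future change of the default algorithm or cost is picked up automatically at the next login:

```php
<?php
// Added example (not SMF's code): upgrade a legacy SHA-1 password hash to bcrypt
// on the first successful login, and rehash again whenever PHP's default changes.
// Assumption: the legacy scheme is SMF's sha1(strtolower($username) . $password).

declare(strict_types=1);

function legacyHash(string $username, string $password): string
{
    return sha1(strtolower($username) . $password);
}

/**
 * Check $password against the stored hash. Returns [ok, newHash]; newHash is the
 * value to write back to the database, or null if nothing needs to change.
 */
function verifyAndUpgrade(string $username, string $password, string $stored): array
{
    // Legacy SHA-1 hashes are 40 hex characters; password_hash() output starts with "$".
    $isLegacy = strlen($stored) === 40 && ctype_xdigit($stored);

    if ($isLegacy) {
        // Constant-time comparison so timing does not leak how many bytes matched.
        $ok = hash_equals($stored, legacyHash($username, $password));
        // Correct password: replace the unsalted SHA-1 with bcrypt straight away.
        return [$ok, $ok ? password_hash($password, PASSWORD_DEFAULT) : null];
    }

    if (!password_verify($password, $stored)) {
        return [false, null];
    }
    // Already bcrypt: rehash only if the default algorithm or cost has moved on.
    $needsRehash = password_needs_rehash($stored, PASSWORD_DEFAULT);
    return [true, $needsRehash ? password_hash($password, PASSWORD_DEFAULT) : null];
}

// Constructed demo account still on the legacy hash.
$username = 'alice';
$secret   = 'correct horse battery staple';
$legacy   = legacyHash($username, $secret);

[$ok, $upgraded] = verifyAndUpgrade($username, $secret, $legacy);   // first login: migrate
assert($ok && $upgraded !== null && strpos($upgraded, '$2y$') === 0);

[$ok2, $again] = verifyAndUpgrade($username, $secret, $upgraded);   // second login: no change
assert($ok2 && $again === null);

[$bad, $none] = verifyAndUpgrade($username, 'wrong password', $legacy);
assert(!$bad && $none === null);   // a failed login never triggers a rehash
echo "migration demo ok\n";
```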

Flat Earth Media / MOVED: Flat Earth Documentary in Toronto
« on: January 22, 2019, 04:04:04 AM »

Flat Earth Theory / MOVED: Why do you believe in the FE?
« on: January 10, 2019, 11:01:39 PM »

Flat Earth Theory / MOVED: FET popularity
« on: December 27, 2018, 10:11:09 AM »

Flat Earth Investigations / MOVED: Question about Mount Everest
« on: December 04, 2018, 09:42:24 PM »

Flat Earth Investigations / MOVED: The Celestial Sphere
« on: December 04, 2018, 09:42:07 PM »

Flat Earth Investigations / MOVED: Map Projections
« on: December 04, 2018, 09:41:14 PM »

Flat Earth Investigations / MOVED: How do sunsets work?
« on: December 04, 2018, 09:40:51 PM »

Suggestions & Concerns / Ban policy discussion - abuse from organisations
« on: November 29, 2018, 06:07:05 PM »
So this is something that's been cropping up recently, and while I think we're justified in doing this under moderator discretion, I'd rather put it forward for our userbase to discuss.

Basically: every now and then a group of kids/university students/bored 9-5 workers decide it's a good idea to come here and abuse the forum. Usually, we end up getting a slow trickle of low-quality posters, often registering from the same IP (range) or e-mail addresses from the same institutional domain. Sometimes, it's a bit of a burden from a moderation perspective. Just yesterday I had to ban Kingsway College School because new kids kept joining the forum just about as fast as I could clean up their posts. Today, it's Mariemont City Schools whose students had the same idea.

I suggest that, as a policy, we should reserve the right to temporarily block access from institutions whose members choose to abuse our forum. For example, if a group of schoolkids chooses to post about how the Earth is totally a cube (lacking the decency to do so in CN), we should have a well-defined right to ban that school for some time. Individual posters, of course, should still be handled separately to this - this is more an idea to throttle brigading a bit.

Obviously this is a very rough idea, and a lot of the specifics would have to be agreed, but I'd like to at least get an idea of whether or not this is something that users here would be willing to accept.

Announcements / On the notion of Logan Paul
« on: November 18, 2018, 05:35:09 PM »
As most of our regulars will be aware by now, YouTube celebrity Logan Paul has recently attended the Flat Earth International Conference in Denver and publicly voiced his support of the Flat Earth Movement. This announcement came as a surprise to most, given a complete lack of Logan's prior interest in the subject, and the nature of the content he usually produces. Understandably, this has raised a number of questions from the general public, and we have been repeatedly contacted with requests for comments.

As the organisers of FEIC have made abundantly clear on their own website, they are in no way affiliated with the Flat Earth Society. As such, we have no influence over who they invite to the conference or how they schedule their talks. While we respect all parts of the movement and wish them nothing but the best of luck, maintaining this distinction is particularly important in light of recent events.

As of the time of publishing this statement, the Flat Earth Society has not been in contact with Logan Paul or anyone acting as his representative, and we have no intention of offering him membership or otherwise affiliating with him or his recent statements. Any claims that Logan Paul is a member of the Flat Earth Society or that he may have been considered for membership are simply untrue.

Flat Earth Community / Logan Paul allegedly comes out as a Flat Earther
« on: November 17, 2018, 10:02:48 AM »
Logan Paul, a YouTuber famous for the fact that he's famous, claims to now be a Flat Earther.
I hope I'm not the only one who's extremely sceptical of this. My contentions with FEIC aside, Logan Paul has a long history of saying whatever controversial crap he thinks would get him more views on YouTube. A "surprise announcement" like this would be par for the course. Perhaps I'm over-reacting, but this just sounds fishy on so many levels.

Of course, as with every subject remotely connected to FET, people assume that we're directly linked. I propose that we put out an Announcement to the contrary. I'm not sure whether we should outright question his sincerity, or merely state that he has not been in contact with us and that we have no current intention of affiliating with him.

Thoughts?

Announcements / Statement on recent BBC Ideas video
« on: November 09, 2018, 07:46:40 PM »
We have been approached by multiple members of the public and media organisations regarding BBC Ideas' recent video "What's behind denialism?", specifically the implicit suggestion that the Flat Earth Society has links to climate change or Holocaust deniers.

In response, we have reached out to the BBC who removed our logo from the video to avoid further misleading of the public. The Flat Earth Society, as an entity, prides itself in its commitment to counteracting climate change, and we are glad to see that the BBC has acknowledged their error by altering the material, although we regret the damage that's already been caused.

Any FES members who have been affected by this development are encouraged to get in touch with Pete who will be happy to answer your questions.
