

Topics - Pete Svarrior

Flat Earth Community / MOVED: User Introductions Thread
« on: April 13, 2019, 09:39:31 AM »

Status Notices / [12/04/2019] Changes to avatar upload functionality
« on: April 12, 2019, 10:25:37 PM »
As of today, we have revised the way avatar uploads work on the forum. Without going into too much detail, this means that resized images should be of slightly higher quality, and animated GIF avatars should now work correctly.

As per usual, do let us know if anything seems to be broken. :)

Flat Earth Investigations / MOVED: Size of the Flat Earth
« on: April 10, 2019, 05:50:15 PM »

Flat Earth Media / MOVED: Need help with map
« on: March 21, 2019, 10:11:30 AM »

Flat Earth Media / MOVED: Logan Paul FE Trailer
« on: March 14, 2019, 01:55:46 PM »

It's no secret that your generic warning templates are unpopular with users. The mods get to pick between "spamming", "insulting members/staff" and "posting offensive material", none of which are particularly relevant for most warnings issued around here.

It is my intention to fix those at some point, but admittedly it's a low-priority task for me - I don't get much TFES development time in these days, and there are more important issues to resolve, at least from my perspective. The alternative is to accept contributions from the community, which we're always keen on. Since AATW has kindly volunteered to help, I'm opening this thread to describe the process and to accept any potential submissions.

If you'd like to submit a template for us to incorporate, please write a short paragraph per offence following the rough format of:

Quote
{MEMBER},

You have received a warning for inappropriate activity. Please cease these activities and abide by the forum rules otherwise we will take further action.

{REGARDS}

You may use the following tags:
  • {MEMBER} - Member Name.
  • {MESSAGE} - Link to Offending Post. (If Applicable)
  • {FORUMNAME} - Forum Name.
  • {SCRIPTURL} - Web address of forum.
  • {REGARDS} - Standard email sign-off.
  • and any standard BBCode that you would use in a post

Any template that uses {MESSAGE} will only be available if the offending message is being properly linked against. This can be a bit awkward to do, especially on mobile, so it would be preferable if it was easy to edit out from the final product.

As a reminder, the rules can be found here. We'd probably need one generic template per rule, and perhaps a few more specific ones for common offences (e.g. "hi, it looks like you're angrily ranting outside of angry ranting. If you want to express yourself, that's fine, but please do so in the designated thunderdome").

If you choose to contribute, thanks! If not, I'll get around to it myself eventually.

Flat Earth Investigations / MOVED: Question about logic.
« on: February 05, 2019, 03:38:48 PM »

Announcements / Password hashing update and withdrawal of Tapatalk support
« on: February 02, 2019, 01:20:15 PM »
We've made some changes to the forum's password security. This is a proactive move to resolve a potential SMF vulnerability which the software's original maintainers appear to be ignoring. I've covered this in slightly more detail in this Technology & Information thread.

To benefit from the update, please log out from the forum and log back in. You shouldn't notice any changes, but if anything does go wrong, please post here or e-mail admin@tfes.org.

While working on this, we also decided to withdraw support for Tapatalk. It appears that this service is not popular (with only 1 active user over the past 5 months, and 0 users in the last month), and it's proving to be a continuous maintenance burden. Tapatalk's use case should be pretty much entirely covered by our mobile design, but if you have any concerns with this, please let us know and we'll investigate alternatives.

Technology & Information / Fixing the forum's password hashing
« on: February 02, 2019, 01:10:36 PM »
Hi all,

This post is mostly here to serve as a slightly more detailed explanation for an Announcement I'll be writing momentarily, but I guess there's an off chance one or two of you will find it interesting. In short, I'm here to explain why we should care about password security on TFES (and everywhere else), and what steps we took to make this place a little bit more secure.

As some of you may have heard, a very large database (commonly referred to as Collection #1 or Collection 1) of email addresses and associated password hashes from all over the Internet has recently been leaked on several hacker forums. It's not an entirely uncommon occurrence, but the magnitude and scope of this particular collection makes it notable. Rumour has it that more leaks are to follow. Troy Hunt, the guy behind Have I Been Pwned, has covered this in quite some detail here.

Password hashes are what most reasonable websites will store in their database to allow users to log in. It's not the user's actual password, but rather the result of passing the password through a mathematical function that's very difficult to reverse. If you hash the same password in the same way on two occasions, you should receive the same output. The benefits of that approach are numerous, but most importantly:
  • The website (and its owners) don't know what your password actually is (this is also why you generally can't get a password reminder online - merely a password reset).
  • If the website gets hacked and the attacker steals the database, they don't get a list of passwords, but rather something that should be much more difficult to handle.

Should.

As computers become better and faster, figuring out hashes of common passwords becomes easier. For example, a function called MD5 was once the standard for password storage, but is nowadays considered very insecure, because (among other reasons), you can simply keep generating MD5 hashes of potential passwords until you find the one that matches, and you can do so quickly. In essence, it's an arms race - computers become faster, so we need mathematical functions that take longer to compute.

So where does TFES fit in all this?

The forum software we're using, SMF, is currently using SHA1 hashing of passwords (with a sloppy attempt at salting). It's a dated function that's not been recommended for quite some time, and it doesn't look like SMF are currently thinking about transitioning to anything else. If our database was accessed by an attacker, some of our users' passwords could be easy pickings.

Big deal. What are they gonna do, log in to TFES and write a mean post?

It's important to remember that some (Many. You know who you are.) people use the same password on multiple services. That's what attackers are usually after. Find a place that's easy to attack, figure out people's passwords from there, and then try those same passwords elsewhere. We don't ever want to be the first stage of such an attack, so we're taking the possibility seriously.

Okay, Pete, I am convinced by your vast knowledge. So what are you doing about this problem?

We rewrote most of SMF's password hashing to use the current PHP default - bcrypt. Furthermore, we altered the code so that if the current standards change in the future, your password will be rehashed on first login, keeping the arms race going without anyone lifting a finger. As always, you can review the changes yourself on our GitHub repo.

So, what do I need to do?

Log out and log in. Or change your password. Either of these actions will purge your old password hash and replace it with a newer, better, sexier one.

Well, that's it for now! If you have any questions, technical or not, feel free to give me a shout.
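As an added illustration of the two technical points in the post above (why a fast, predictably "salted" SHA-1 hash is easy pickings once the database leaks, and how a bcrypt upgrade can happen transparently on the next successful login), here is example code written for this page. It is not the TFES or SMF code on GitHub. Assumptions: the legacy scheme is approximated as sha1(lowercased username . password), which is roughly what SMF 2.0 does; an in-memory array stands in for the database row; the names legacy_hash, make_legacy_user, verify_and_upgrade, dictionary_attack and check are invented for the example, and the wordlist and user records are constructed.

```php
<?php
// Added example, not the TFES/SMF code. Demonstrates (1) an offline dictionary
// attack against a leaked legacy SHA-1 hash and (2) transparent upgrade of such
// a hash to bcrypt (PASSWORD_DEFAULT) on the user's next successful login.
declare(strict_types=1);

// Tiny assertion helper so the walk-through fails loudly regardless of php.ini.
function check(bool $cond, string $what): void
{
    if (!$cond) {
        throw new RuntimeException("check failed: $what");
    }
}

// Assumed legacy scheme: the username acts as a weak, predictable "salt".
// It is not secret and it is the same on every site that uses this scheme.
function legacy_hash(string $username, string $password): string
{
    return sha1(strtolower($username) . $password);
}

// Constructed stand-in for a database row written before the migration.
function make_legacy_user(string $username, string $password): array
{
    return [
        'username' => $username,
        'passwd'   => legacy_hash($username, $password),
        'scheme'   => 'sha1',   // which verifier applies to 'passwd'
    ];
}

// Offline guessing against a leaked legacy hash: hash candidates until one
// matches. SHA-1 is fast by design, so this loop is cheap to run at scale.
// Returns the recovered password, or null if no candidate matched.
function dictionary_attack(string $username, string $leaked, array $wordlist): ?string
{
    foreach ($wordlist as $guess) {
        if (hash_equals($leaked, legacy_hash($username, $guess))) {
            return $guess;
        }
    }
    return null;
}

// Verify a login and, on success, replace a legacy hash with bcrypt in place.
// The caller persists $user whenever this returns true.
function verify_and_upgrade(array &$user, string $password): bool
{
    if ($user['scheme'] === 'sha1') {
        // hash_equals: constant-time comparison, avoids a timing side channel.
        if (!hash_equals(legacy_hash($user['username'], $password), $user['passwd'])) {
            return false;                     // wrong guess: leave the row alone
        }
        // The plaintext is in hand right now, so this is the moment to rehash.
        $user['passwd'] = password_hash($password, PASSWORD_DEFAULT);
        $user['scheme'] = 'php';
        return true;
    }

    if (!password_verify($password, $user['passwd'])) {
        return false;
    }
    // Already bcrypt: rehash only if PHP's default algorithm or cost has moved on,
    // which keeps the "arms race" going without any manual migration.
    if (password_needs_rehash($user['passwd'], PASSWORD_DEFAULT)) {
        $user['passwd'] = password_hash($password, PASSWORD_DEFAULT);
    }
    return true;
}

// --- walk-through with constructed data ---

// (1) A leaked legacy hash plus a small wordlist is enough to recover the password.
$wordlist = ['password', '123456', 'flatearth', 'hunter2'];   // constructed
$victim   = make_legacy_user('Alice', 'hunter2');
check(dictionary_attack('Alice', $victim['passwd'], $wordlist) === 'hunter2',
      'legacy SHA-1 hash recovered from the wordlist');

// (2) Transparent upgrade: wrong password changes nothing, right password rehashes.
$user = make_legacy_user('Pete', 'correct horse battery staple');
check(strlen($user['passwd']) === 40, 'legacy hash is 160-bit SHA-1 in hex');
check(verify_and_upgrade($user, 'wrong password') === false, 'wrong password rejected');
check($user['scheme'] === 'sha1', 'no upgrade on a failed login');
check(verify_and_upgrade($user, 'correct horse battery staple') === true, 'login accepted');
check($user['scheme'] === 'php', 'scheme switched to bcrypt');
check(substr($user['passwd'], 0, 4) === '$2y$', 'stored hash is now bcrypt');
check(verify_and_upgrade($user, 'correct horse battery staple') === true, 'bcrypt login works');
check(dictionary_attack('Pete', $user['passwd'], $wordlist) === null,
      'legacy attack no longer applies to the bcrypt hash');

echo "migrated hash: {$user['passwd']}\n";
```

Run with any PHP 7.x or 8.x (`php migrate.php`); password_hash, password_verify and password_needs_rehash are built in. Two caveats a practitioner will care about: this "rehash on login" pattern only upgrades accounts that actually log in, which is why the announcement asks everyone to log out and back in, and dormant accounts keep their SHA-1 hash until they do; the alternative is to wrap every existing hash immediately as bcrypt(sha1-hash) and unwrap it on the next login, which protects dormant rows at the cost of slightly more code. And against the bcrypt output, the same guessing loop would have to call password_verify per candidate, which is deliberately slow and tunable via the cost factor, which is the whole point of the change.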
