Show Posts

This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.


Topics - Pete Svarrior

Pages: [1] 2 3 ... 7  Next >
3
Flat Earth Investigations / MOVED: Question about logic.
« on: February 05, 2019, 03:38:48 PM »

5
Announcements / Password hashing update and withdrawal of Tapatalk support
« on: February 02, 2019, 01:20:15 PM »
We've made some changes to the forum's password security. This is a proactive move to resolve a potential SMF vulnerability which the software's original maintainers appear to be ignoring. I've covered this in slightly more detail in this Technology & Information thread.

To benefit from the update, please log out from the forum and log back in. You shouldn't notice any changes, but if anything does go wrong, please post here or e-mail admin@tfes.org.

While working on this, we also decided to withdraw support of Tapatalk. It appears that this service is not popular (with only 1 active user over the past 5 months, and 0 users in the last month), and it's proving to be a continuous maintenance burden. Tapatalk's use case should be pretty much entirely covered by our mobile design, but if you have any concerns with this, please let us know and we'll investigate alternatives.

6
Technology & Information / Fixing the forum's password hashing
« on: February 02, 2019, 01:10:36 PM »
Hi all,

This post is mostly here to serve as a slightly more detailed explanation for an Announcement I'll be writing momentarily, but I guess there's an off chance one or two of you will find it interesting. In short, I'm here to explain why we should care about password security on TFES (and everywhere else), and what steps we took to make this place a little bit more secure.

As some of you may have heard, a very large database (commonly referred to as Collection #1 or Collection 1) of email addresses and associated password hashes from all over the Internet has recently been leaked on several hacker forums. It's not an entirely uncommon occurrence, but the magnitude and scope of this particular collection makes it notable. Rumour has it that more leaks are to follow. Troy Hunt, the guy behind Have I Been Pwned, has covered this in quite some detail here.

Password hashes are what most reasonable websites will store in their database to allow users to log in. It's not the user's actual password, but rather the result of passing the password through a mathematical function that's very difficult to reverse. If you hash the same password in the same ways on two occasions, you should receive the same output. The benefits of that approach are numerous, but most importantly:
  • The website (and its owners) don't know what your password actually is (this is also why you generally can't get a password reminder online - merely a password reset).
  • If the website gets hacked and the attacker steals the database, they don't get a list of passwords, but rather something that should be much more difficult to handle.

Should.

As computers become better and faster, figuring out hashes of common passwords becomes easier. For example, a function called MD5 was once the standard for password storage, but is nowadays considered very insecure, because (among other reasons), you can simply keep generating MD5 hashes of potential passwords until you find the one that matches, and you can do so quickly. In essence, it's an arms race - computers become faster, so we need mathematical functions that take longer to compute.

So where does TFES fit in all this?

The forum software we're using, SMF, is currently using SHA1 hashing of passwords (with a sloppy attempt at salting). It's a dated function that's not been recommended for quite some time, and it doesn't look like SMF are currently thinking about transitioning to anything else. If our database was accessed by an attacker, some of our users' passwords could be easy pickings.

Big deal. What are they gonna do, log in to TFES and write a mean post?

It's important to remember that some (Many. You know who you are.) people use the same password on multiple services. That's what attackers are usually after. Find a place that's easy to attack, figure out people's passwords from there, and then try those same passwords elsewhere. We don't ever want to be the first stage of such an attack, so we're taking the possibility seriously.

Okay, Pete, I am convinced by your vast knowledge. So what are you doing about this problem?

We rewrote most of SMF's password hashing to use the current PHP default - bcrypt. Furthermore, we altered the code so that if the current standards change in the future, your password will be rehashed on first login, keeping the arms race going without anyone lifting a finger. As always, you can review the changes yourself on our GitHub repo.

So, what do I need to do?

Log out and log in. Or change your password. Either of these actions will purge your old password hash and replace it with a newer, better, sexier one.

Well, that's it for now! If you have any questions, technical or not, feel free to give me a shout.

11
Flat Earth Theory / MOVED: Why do you believe in the FE?
« on: January 10, 2019, 11:01:39 PM »

12
Flat Earth Theory / MOVED: FET popularity
« on: December 27, 2018, 10:11:09 AM »

14
Flat Earth Investigations / MOVED: Question about Mount Everest
« on: December 04, 2018, 09:42:24 PM »

15
Flat Earth Investigations / MOVED: The Celestial Sphere
« on: December 04, 2018, 09:42:07 PM »

17
Flat Earth Investigations / MOVED: Map Projections
« on: December 04, 2018, 09:41:14 PM »

19
Flat Earth Investigations / MOVED: How do sunsets work?
« on: December 04, 2018, 09:40:51 PM »

20
Suggestions & Concerns / Ban policy discussion - abuse from organisations
« on: November 29, 2018, 06:07:05 PM »
So this is something that's been cropping up recently, and while I think we're justified in doing this under moderator discretion, I'd rather put it forward for our userbase to discuss.

Basically: every now and then a group of kids/university students/bored 9-5 workers decide it's a good idea to come here and abuse the forum. Usually, we end up getting a slow trickle of low-quality posters, often registering from the same IP (range) or e-mail addresses from the same institutional domain. Sometimes, it's a bit of a burden from a moderation perspective. Just yesterday I've had to ban Kingsway College School because new kids kept joining the forum just about as fast as I could clean up their posts. Today, it's Mariemont City Schools whose students had the same idea.

I suggest that, as a policy, we should reserve the right to temporarily block access from institutions whose members choose to abuse our forum. For example, if a group of schoolkids chooses to post about how the Earth is totally a cube (lacking the decency to do so in CN), we should have a well-defined right to ban that school for some time. Individual posters, of course, should still be handled separately to this - this is more an idea to throttle brigading a bit.

Obviously this is a very rough idea, and a lot of the specifics would have to be agreed, but I'd like to at least get an idea of whether or not this is something that users here would be willing to accept.

Pages: [1] 2 3 ... 7  Next >