I'm putting this into its own thread as the other security threads really aren't the place for this.
Given the recent issues both MacRumors and vBulletin forums in general have experienced, I think it's only fair that we're at least kept in the loop as to just what exactly MacRumors will be doing to ensure an issue like the recent one does not happen again.
Could you confirm if you are now actively looking into moving away from vBulletin and, if so, what sort of timeframe you're expecting?
Failing that, I'd like to request, nay demand that the following basic security measures are put into place - these are not difficult to add (even if it means modifying vB3 manually) and are vital for the protection of member details:
- 2-phase authentication as an option on accounts (this is a must in this day and age)
- Complete elimination of MD5 password hashing in favour of bcrypt
- Enforced minimum length of 8 characters on all passwords
- No maximum length on passwords
- Enforced password resets at least once a year (at least 4 times a year for moderators and admins)
- A server, and software audit by a reputable 3rd party security auditor
- A dedicated security management service on your forum server(s).
- A written plan of action that should be followed in the event such an issue was to occur again.
The reason behind the last three, without meaning to sound like an ass, is that the MacRumors management came across as pretty much having very little in the way of knowledge as to what to actually do to investigate the issue, and instead focused on simply getting the system back up and running again.
This may all seem like overkill, and it would be if we were talking about a forum with a few thousand members, but the fact is that MacRumors is one of the biggest targets out there with 800k members, and ignoring this fact is gross negligence. At this point it shouldn't be a case of "oh, it's all good... it was only caused by a bad password on a moderator account, we don't need to do anything".
Edit: Screw it, everyone completely missed the point and the lack of response from management makes it clear they don't give a damn.
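Added example (not from the post above and not vBulletin's code): what "eliminate MD5 in favour of a slow hash" plus "minimum 8 characters, no maximum" looks like in practice when you cannot force every member to reset at once. Legacy records are verified with the vB3-style layout assumed here, md5(md5(password) + salt), and are rehashed in place the first time the member logs in successfully. hashlib.pbkdf2_hmac stands in for bcrypt so the script runs on the standard library alone; in production you would call bcrypt.hashpw at the same point. The user store, salts and passwords are constructed for the demo.

```python
import hashlib
import hmac
import os

# Constructed values for the demo; the real forum would read these from its user table.
PBKDF2_ITERATIONS = 200_000
MIN_PASSWORD_LENGTH = 8


def legacy_md5_hash(password, salt):
    """vB3-style double MD5 with a per-user salt (assumed layout).
    Kept only so old records can still be checked; never used for new hashes."""
    inner = hashlib.md5(password.encode("utf-8")).hexdigest()
    return hashlib.md5((inner + salt).encode("utf-8")).hexdigest()


def strong_hash(password, salt=None, iterations=PBKDF2_ITERATIONS):
    """Salted, deliberately slow hash. pbkdf2_hmac is a stand-in for bcrypt here.
    Output is self-describing so the iteration count can be raised later."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256${}${}${}".format(iterations, salt.hex(), dk.hex())


def verify_strong(password, stored):
    """Recompute from the parameters embedded in the stored string; constant-time compare."""
    _, iters, salt_hex, dk_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(candidate.hex(), dk_hex)


def validate_new_password(password):
    """Enforce the minimum; impose no maximum. (With real bcrypt, note the 72-byte
    input limit: hash long passwords with SHA-256 first or cap at 72 bytes.)"""
    return len(password) >= MIN_PASSWORD_LENGTH


def make_legacy_user(password):
    """Build a record in the old MD5 scheme (3-byte salt length is an assumption)."""
    salt = os.urandom(3).hex()
    return {"scheme": "md5salt", "salt": salt, "hash": legacy_md5_hash(password, salt)}


def login(user, password):
    """Verify the password. On success against a legacy record, upgrade it in place
    so the MD5 hash disappears from the table without forcing a reset."""
    if user["scheme"] == "md5salt":
        expected = legacy_md5_hash(password, user["salt"])
        if not hmac.compare_digest(expected, user["hash"]):
            return False
        user["scheme"] = "pbkdf2"
        user["salt"] = None
        user["hash"] = strong_hash(password)
        return True
    if user["scheme"] == "pbkdf2":
        return verify_strong(password, user["hash"])
    return False  # unknown scheme: fail closed


if __name__ == "__main__":
    member = make_legacy_user("correct horse battery")
    print("before:", member["scheme"])
    print("wrong password:", login(member, "wrong password"))
    print("right password:", login(member, "correct horse battery"))
    print("after:", member["scheme"])
    print("7 chars accepted:", validate_new_password("abcdefg"))
    print("500 chars accepted:", validate_new_password("x" * 500))
```

The one thing this does not fix on its own is members who never log in again: their MD5 hashes stay in the table, so a migration like this should be paired with a deadline after which untouched legacy records are invalidated and those members go through a reset.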