Did the hacker using moderator privileges get to do some banning or un-banning of users? Curious here....

Arn restored to a backup so any account changes that may have occurred would have been rolled back. I have no information as to what the hackers may or may not have done but since arn posted he restored the forums from a back up anything the hackers did was reversed.
 
I've used to same password and email on a couple of forums, but different identities. I've since changed all identical passwords using lastpass's password generator. Anything important such as banking, etc, I use a different email and have been using lastpass to create my passwords.
 
Well, there's a reason why MacRumors is stuck on vBulletin 3.x and hasn't upgraded to 4 or 5.

Both are complete **** (especially 5)

Also, arn has to rewrite all the code, from the CMS systems down to the small little features like the upvotes. Jelsoft has this thing of rewriting the whole thing every major release. Migrating from 3 to 4 is a pain in the bottoms.

I'd like to see MacRumors migrate to something like xenForo or IPB instead of using EOL'd software. It will be difficult but eventually it has to happen.
 

I agree. I don't really mind what we update to, as long as we update to something.
 
I'd accept that as an excuse if MacRumors was a not-for-profit with little to no cash. As it stands it's a profitable business and as such can afford to hire a developer to do the recode on XenForo or IPB for them.

Either way I'd probably never visit this place again if it ends up on vB4 or 5. Terrible, terrible software.
 
Why did it take me two days of browsing to find out, not only why the site was down, but that MY password, username, and email address were compromised? Even a small thing like an email address is a huge deal if it is sold for marketing purposes. I never publicly post my email address for that very reason. I got an email about the security breach an hour ago, which I think is a little late to the game. A PM, a front page announcement (which I was checking periodically), AND a stickied post across all forums should have been the action taken.

I'm very disappointed, especially since I used to pay the $20 a year to support the site.
 

There is a front-page announcement - it was posted yesterday: https://www.macrumors.com/2013/11/12/macrumors-forums-security-leak/

The email on the other hand only came through a couple of hours ago for me too - there's no excuse for that. There are a ton of 3rd party bulk mail services and pulling email addresses (even if it is 800k rows) from a mysql database is not hard. It could have been pushed through to Amazon SES or Mandrill and all would have been done within 15-20 minutes.
 

FWIW, it's not quite that easy to send out 800,000 emails. We spoke to our mail sender (SendGrid), and if our bounce rate is high, the account gets automatically suspended. This is 10 years of emails, so figure a high bounce rate. Also, they say if you send a huge burst like that out of the blue, they will get blocked automatically by receiving ISPs. So, you have to trickle them out.

We could send them out all at once to say we did... but it's not clear if people would actually get them. So, we're trickling.

arn
 

That makes much more sense. Maybe that should have been included in the email to prevent *******s like me from flipping out. :p

At any rate, thank you for fixing it quickly. Hopefully whoever made the attack was after something (or someone) specific and it's been circumvented.
 

It's difficult in that we have millions of posts and hundreds of thousands of users to migrate to another platform. I'm sure they could handle the license fee. Lol.

----------

Well, this isn't good.

My recommendation: MacRumors badly needs to update the software version of the forums. Even if the UI remains mostly the same, security should be #1 priority. And even if this exploit was not caused by outdated software, this is a good time to bring up the possibility of old software being hacked, which is a very real possibility.

Anyway, thanks to the MR team (especially Arn) for getting things up and running again.

I think MR is already running the latest vB 3.8 version. If they have to upgrade to 4 or 5 it calls for a UI change, since those two are completely different versions of the software.
 

The conversion for big boards to XenForo has been proven to be very quick and easy.

DigitalPoint (705k members)
AVForums (272k members)
IGN (984k forums)

There are a group of well respected members on the XenForo forums who convert big boards for a living.

Take a look at this list of 'big boards' on XenForo: http://www.bigboards.org/

Most if not all of those moved from vB3.x as they knew how crap 4.x and 5.x are.
 
Reverse is probably the wrong word - more like you can match it. A simple brute force attack on an MD5 hash will allow you to find a matching reversal. Given that these strings are salted, you've got a slightly better chance of the match not being your actual password though.

An example of this being used would be in the large rainbow tables that have billions of records. These often contain a lot of passwords and the matching hashes. Obviously it's a lot less likely that their database of hashes/matches will contain password+salt however.

A lot of the MD5 tables have a 99.9% success rate - if you take a look here, you'll see them all available for public download: http://project-rainbowcrack.com/table.htm

Some online sites use these lists along with their own, and when you enter a hash will first check if its already been matched, and if it hasn't it adds it to the queue for matching.

I started trying to reverse the one I listed in my post yesterday (6ff01f01a2b090ce34acf1fbc28d04cd) at cmd5.org and it's currently showing as 11% complete - bearing in mind that's likely running multiple hash matches at once, and it's only been about 6 hours. It'll have a match within 48 hours. It'll be interesting to see if it actually gets the 'real' password as a match, or a random string.

Oh wow, you actually brute force MD5.. that's crazy!
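The quoted post above makes the point that MD5 is "matched" rather than reversed, and that the salt makes a precomputed table much less useful. The following is an added example, not code from this thread or from MacRumors, that shows both halves of that argument: a per-user salt defeats a precomputed (rainbow-style) lookup of the stored hash, but it does nothing to slow a dictionary or brute-force run against one user's hash, because MD5 is fast and the salt is known to the attacker. It assumes the vBulletin 3 storage scheme md5(md5(password) + salt), stated here as an assumption about the software the thread discusses (the reasoning holds for any fast salted hash); the leaked row, salt, wordlist and password in it are constructed for the demonstration.

```python
"""Added example (not from the thread): salted MD5 vs. precomputed tables,
dictionary attack and brute force."""
import hashlib
import itertools
import string

# ASSUMPTION: vBulletin 3.x stores md5(md5(password) + salt) with a short
# per-user salt. Nothing below depends on the exact scheme beyond it being a
# fast, unsalted-on-the-inside hash with a salt the attacker can read.
def vb3_hash(password: str, salt: str) -> str:
    inner = hashlib.md5(password.encode()).hexdigest()
    return hashlib.md5((inner + salt).encode()).hexdigest()

def unsalted_md5(password: str) -> str:
    """Plain md5(password), the value public MD5 tables are built over."""
    return hashlib.md5(password.encode()).hexdigest()

# Constructed stand-in for one leaked row: a weak password and its salt.
SALT = "k9Q"
LEAKED_HASH = vb3_hash("apple123", SALT)

# Constructed wordlist standing in for a real dictionary.
WORDLIST = ["password", "letmein", "macrumors", "apple123", "hunter2"]

# Brute-force alphabet: 26 lowercase letters followed by 10 digits (36 symbols).
ALPHANUM = string.ascii_lowercase + string.digits

def build_rainbow_lookup(candidates):
    """Precomputed md5(pw) -> pw table, the shape an unsalted lookup table takes.
    Built once, reusable against every unsalted hash in a dump."""
    return {unsalted_md5(c): c for c in candidates}

def lookup_unsalted(table, digest):
    """Table hit or None. A salted stored hash never appears in such a table
    unless someone precomputed md5(md5(pw) + salt) for this exact salt."""
    return table.get(digest)

def dictionary_attack_salted(target, salt, wordlist):
    """Hash each candidate with this user's salt. The salt forces the work to be
    redone per user, but each guess is still one cheap MD5 pair.
    Returns (password, guesses) or (None, guesses)."""
    for n, word in enumerate(wordlist, 1):
        if vb3_hash(word, salt) == target:
            return word, n
    return None, len(wordlist)

def brute_force_salted(target, salt, alphabet, max_len):
    """Exhaustive search of all strings up to max_len over alphabet.
    Cost is sum(|alphabet|^n); the salt does not reduce it, only stops reuse."""
    tries = 0
    for n in range(1, max_len + 1):
        for tup in itertools.product(alphabet, repeat=n):
            tries += 1
            candidate = "".join(tup)
            if vb3_hash(candidate, salt) == target:
                return candidate, tries
    return None, tries

if __name__ == "__main__":
    table = build_rainbow_lookup(WORDLIST)
    # The unsalted md5 of the weak password is in the table...
    print("unsalted md5 hit:", lookup_unsalted(table, unsalted_md5("apple123")))
    # ...but the salted stored hash is not; the precomputation is wasted.
    print("salted hash hit: ", lookup_unsalted(table, LEAKED_HASH))
    # Hashing the wordlist with the known salt recovers it in a few guesses.
    print("dictionary+salt: ", dictionary_attack_salted(LEAKED_HASH, SALT, WORDLIST))
    # A short password falls to exhaustive search regardless of the salt.
    short = vb3_hash("mr7", SALT)
    print("brute force:     ", brute_force_salted(short, SALT, ALPHANUM, 3))
```

The takeaway for anyone reading their own row in a dump: the salt buys time against someone who bought or downloaded a table, not against someone who targets your hash with a wordlist, so a short or dictionary password should be treated as already known.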
 
Your Varnish server has Guru Meditations again like it had shortly before the forums went on maintenance.

Is the schmuck back?

It's just a bad error screen.

I'll try to pretty it up when I get a chance.

That just means the server's not responding fast enough. We are still running under capacity.

arn
 