[Discussion] Downtime and Server Compromise

Discussion of general topics related to the new version and its place in the world. Don't discuss new features, report bugs, ask for support, et cetera. Don't use this to spam for other boards or attack those boards!
Forum rules
Discussion of general topics related to the new release and its place in the world. Don't discuss new features, report bugs, ask for support, et cetera. Don't use this to spam for other boards or attack those boards!
Post Reply
a_o_c
Registered User
Posts: 26
Joined: Mon Feb 02, 2009 8:19 pm
Location: phpbb_
Contact:

Re: [Discussion] Downtime and Server Compromise

Post by a_o_c » Mon Feb 02, 2009 10:04 pm

about the email addresses...

i read the hackers blog and he claims he was able to dump the users table for _community and get the 400,000 + emails contained within (along with "other" data that i wont talk about). obviously, these could easily find their way on spam lists. what do the teams have to say about having everyone change their email address?

Marshalrusty
Project Manager
Project Manager
Posts: 272
Joined: Thu Oct 27, 2005 1:45 am

Re: [Discussion] Downtime and Server Compromise

Post by Marshalrusty » Mon Feb 02, 2009 10:18 pm

There's nothing that can be said. It is not unreasonable to suggest that those emails will find their way onto spam lists.

Having said that, most people already get dozens of spam emails daily. My mother was recently very surprised when I showed her that Yahoo had been automatically junking 30+ junk emails on a daily basis in her account.

My point is that if you use your email enough, then you're going to be added to spam lists. This is precisely why I use a separate email address for every site I register on, with the user being the site's domain.

We are very sorry that this may add to the spam people receive. It is, however, not necessarily the worst part of this event.

a_o_c
Registered User
Posts: 26
Joined: Mon Feb 02, 2009 8:19 pm
Location: phpbb_
Contact:

Re: [Discussion] Downtime and Server Compromise

Post by a_o_c » Mon Feb 02, 2009 10:20 pm

Marshalrusty wrote:It is, however, not necessarily the worst part of this event.
yes, i definitely understand the severity of what was compromised. thanks for the response!

Pasqualle
Registered User
Posts: 1
Joined: Sat Feb 03, 2007 7:56 pm

Re: [Discussion] Downtime and Server Compromise

Post by Pasqualle » Tue Feb 03, 2009 1:28 am

It seems like a serious security issue with the PHPList application.. Will you still use it further or do you plan to use another newsletter manager?

wGEric
Registered User
Posts: 521
Joined: Wed Jun 11, 2003 2:07 am
Contact:

Re: [Discussion] Downtime and Server Compromise

Post by wGEric » Tue Feb 03, 2009 2:27 am

Pasqualle wrote:It seems like a serious security issue with the PHPList application.. Will you still use it further or do you plan to use another newsletter manager?
There is a risk of running any software. As long as the software is actively maintained and not a total piece of crap then it is something we will consider using to fit our needs. If phplist fits our needs then we might use it. If it doesn't fit our needs then we won't use it.
Eric

idiotnesia
Registered User
Posts: 29
Joined: Thu May 22, 2008 2:46 am

Re: [Discussion] Downtime and Server Compromise

Post by idiotnesia » Tue Feb 03, 2009 3:23 am

I think it's better if you guys develop the mailing list manager script by your self. I know you have knowldege about it.
idiotnesia wuz here

User avatar
Eelke
Registered User
Posts: 606
Joined: Thu Dec 20, 2001 8:00 am
Location: Bussum, NL
Contact:

Re: [Discussion] Downtime and Server Compromise

Post by Eelke » Tue Feb 03, 2009 8:28 am

You can't develop everything by yourself. I don't suppose you are suggesting that the phpBB developers are the only good developers out there? :) Like wGEric said, just because a certain piece of software was used to compromise your site does not mean it is a piece of... well, something nastier than software :) Any software has bugs and, unfortunately, in case of software that is opened up on the internet, many of these bugs will be security flaws. Heck, phpBB has had its "fair" share of them.

phpBB also uses Wordpress on this site. Can a security issue in Wordpress be discovered tomorrow that would allow the same kind of compromise? Yes. Should the phpBB project develop their own blogging solution for that reason? No, because it would be exceptionally arrogant to assume that you can produce a better and more secure blogging package than the Wordpress project can, who have already invested a lot of time and manpower into it.

That is not to say that I fully understand the choice for Wordpress, because I would imagine that with only a little effort, phpBB can be used to implement the phpBB blog with much better integration into the community forums. But that's a totally different subject - those would be functionality related reasons, not security related reasons (which is what we were discussing), and I don't know all considerations that went into the selection of Wordpress. Or phpList, for that matter. My reasons for bringing this up? To emphasize this is not the time or place to discuss those, should anyone else feel the need to continue into the topic of Wordpress being used on phpBB.com :)

parasolx
Registered User
Posts: 10
Joined: Mon Feb 02, 2009 3:07 am

Re: [Discussion] Downtime and Server Compromise

Post by parasolx » Tue Feb 03, 2009 10:34 am

i agree with you..

User avatar
RMcGirr83
Registered User
Posts: 357
Joined: Fri Mar 09, 2007 1:51 am
Contact:

Re: [Discussion] Downtime and Server Compromise

Post by RMcGirr83 » Tue Feb 03, 2009 11:27 am

All I know is that I'm going through withdrawls...someone is going to pay!! :mad:
Do not hire Christian Bullock he won't finish the job and will keep your money

User avatar
ChrisRLG
Registered User
Posts: 160
Joined: Wed Oct 11, 2006 9:47 am
Contact:

Re: [Discussion] Downtime and Server Compromise

Post by ChrisRLG » Tue Feb 03, 2009 11:35 am

RMcGirr83 wrote:All I know is that I'm going through withdrawls...someone is going to pay!! :mad:
One day at a time.

First day you will have the shakes - this is normal.

Second day they will be more violent - again this is normal.

To get help you will need to use some of the old established remedies, find a copy of windows and check out the games folder in the start menu - you will find a game called Minesweeper - play that for 1 hour, after which you will find the pain of not being able to get to phpBB.com will be a Little less violent.

So take each day at a time, try the Minesweeper 'tablet' and you might just be able to bare the pain and shakes till phpBB.com is available again.

It will be hard, but we (and Minesweeper) are here to help you.

Post Reply