Development Discussion Board

[Stallyon]

ahh i got it yeah

i just a thought phpBB need new up to date 3.0.5 and im wrong.

but i think phpBB should up to date

is there any new software to make more sercurity add like hard Password provice

There is no problems in phpBB 3.0.4, and thus no reason to update. The password security used in phpBB 3.x has already been addressed

[ToonArmy]

I hope this helps clear up some questions. Mods/admin of this forum are welcome to change/remove this message or comment on/correct if information is incorrect.

Very informative post, it is regrettable to correct you that the attacker stole the users database (containing the usernames, emails and password hashes) and the mailing list subscribers address list.

Hmmm I thought I covered that in #5? My apologies.

You said 'possibly' its fact, we know the attacker does.

[Stallyon]

Ohhh OK I was just covering my butt/your butt just in case you were still unsure. Well, then it's a fact then. They have that data.

[RabXI3oX]

ahh i got it yeah

i just a thought phpBB need new up to date 3.0.5 and im wrong.

but i think phpBB should up to date

is there any new software to make more sercurity add like hard Password provice

There is no problems in phpBB 3.0.4, and thus no reason to update. The password security used in phpBB 3.x has already been addressed

cool i cant wait go phpBB back online that i can have need some download for my site php code

[shahinavthal]

Ohhh OK I was just covering my butt/your butt just in case you were still unsure. Well, then it's a fact then. They have that data.

So what do you suggest we do now I am not sure if we should wait and see what level of information the hacker has, isnt it? I think we need to get over with the data acquired, reset the necessary fields and get back to business..RESET is what we all have been doing since a very long time (especially WINDOWS users like me )...Lets do it once more!!!

If we have lost email lists, so be it...I am not sure if the hacker would not use it anyways..So lets move on...

Just pray that nobody used their email passwords the same as the one on phpbb

[Nicholas the Italian]

The problem with a single md5 hash is that, if the hash is known, there are ways to find a string that maybe is not the same as the actual password, but that does generate the same hash (a so-called collision). A common way to do that is to use rainbow tables; huge tables that map from every possible (hence: rainbow) md5 hashed value to a string of characters that yields that particular hash when hashed. If the attacker would put in the colliding string, they could get into the user's account. If that same user used the same password on a different site that too used single md5 hashing, they could get into the user's account on those sites as well.

Exactly.
If I'm correct, this is particoularly true if you use some common word as your password (i.e. vocabulary words, common names, number sequences, dates, inverted words, qwerty-like things, etc.).
Reverse-MD5 tables are freely available even in the public Internet.

A part of the old suggestion of using a different pw for each site, using somewhat complex passwords is also a good advice, for example !waHt+eVer? instead of whatever.

[v1R]

Erik Frèrejean: Removed

The hacker release some notes here, check it out !

Ohhh OK I was just covering my butt/your butt just in case you were still unsure. Well, then it's a fact then. They have that data.

So what do you suggest we do now I am not sure if we should wait and see what level of information the hacker has, isnt it? I think we need to get over with the data acquired, reset the necessary fields and get back to business..RESET is what we all have been doing since a very long time (especially WINDOWS users like me )...Lets do it once more!!!

If we have lost email lists, so be it...I am not sure if the hacker would not use it anyways..So lets move on...

Just pray that nobody used their email passwords the same as the one on phpbb

[Erik Frèrejean]

v1R,
We are aware of those releases. Please don't post them in public view.
If you find anything suspicions please send the link in a pm to myself or any other phpBB team member.

Thank you .

[Phil]

Indeed, the most you guys can do to help right now is please forward us the link (via PM) of any website found copying the malicious user's blog post or any of the data he uploaded so the proper channels can be contacted to have it removed.

[ToonArmy]

The problem with a single md5 hash is that, if the hash is known, there are ways to find a string that maybe is not the same as the actual password, but that does generate the same hash (a so-called collision). A common way to do that is to use rainbow tables; huge tables that map from every possible (hence: rainbow) md5 hashed value to a string of characters that yields that particular hash when hashed. If the attacker would put in the colliding string, they could get into the user's account. If that same user used the same password on a different site that too used single md5 hashing, they could get into the user's account on those sites as well.

Exactly.
If I'm correct, this is particoularly true if you use some common word as your password (i.e. vocabulary words, common names, number sequences, dates, inverted words, qwerty-like things, etc.).
Reverse-MD5 tables are freely available even in the public Internet.

A part of the old suggestion of using a different pw for each site, using somewhat complex passwords is also a good advice, for example !waHt+eVer? instead of whatever.

Not if the hashes are salted which the new phpBB3 ones are, you would need to generate a rainbow table for each common word plus the salt which is nigh on impossible.