[Discussion] Downtime and Server Compromise

[a_o_c]

about the email addresses...

i read the hackers blog and he claims he was able to dump the users table for _community and get the 400,000 + emails contained within (along with "other" data that i wont talk about). obviously, these could easily find their way on spam lists. what do the teams have to say about having everyone change their email address?

[Marshalrusty]

There's nothing that can be said. It is not unreasonable to suggest that those emails will find their way onto spam lists.

Having said that, most people already get dozens of spam emails daily. My mother was recently very surprised when I showed her that Yahoo had been automatically junking 30+ junk emails on a daily basis in her account.

My point is that if you use your email enough, then you're going to be added to spam lists. This is precisely why I use a separate email address for every site I register on, with the user being the site's domain.

We are very sorry that this may add to the spam people receive. It is, however, not necessarily the worst part of this event.

[a_o_c]

It is, however, not necessarily the worst part of this event.

yes, i definitely understand the severity of what was compromised. thanks for the response!

[Pasqualle]

It seems like a serious security issue with the PHPList application.. Will you still use it further or do you plan to use another newsletter manager?

[wGEric]

It seems like a serious security issue with the PHPList application.. Will you still use it further or do you plan to use another newsletter manager?

There is a risk of running any software. As long as the software is actively maintained and not a total piece of crap then it is something we will consider using to fit our needs. If phplist fits our needs then we might use it. If it doesn't fit our needs then we won't use it.

[idiotnesia]

I think it's better if you guys develop the mailing list manager script by your self. I know you have knowldege about it.

[Eelke]

You can't develop everything by yourself. I don't suppose you are suggesting that the phpBB developers are the only good developers out there? Like wGEric said, just because a certain piece of software was used to compromise your site does not mean it is a piece of... well, something nastier than software Any software has bugs and, unfortunately, in case of software that is opened up on the internet, many of these bugs will be security flaws. Heck, phpBB has had its "fair" share of them.

phpBB also uses Wordpress on this site. Can a security issue in Wordpress be discovered tomorrow that would allow the same kind of compromise? Yes. Should the phpBB project develop their own blogging solution for that reason? No, because it would be exceptionally arrogant to assume that you can produce a better and more secure blogging package than the Wordpress project can, who have already invested a lot of time and manpower into it.

That is not to say that I fully understand the choice for Wordpress, because I would imagine that with only a little effort, phpBB can be used to implement the phpBB blog with much better integration into the community forums. But that's a totally different subject - those would be functionality related reasons, not security related reasons (which is what we were discussing), and I don't know all considerations that went into the selection of Wordpress. Or phpList, for that matter. My reasons for bringing this up? To emphasize this is not the time or place to discuss those, should anyone else feel the need to continue into the topic of Wordpress being used on phpBB.com

[parasolx]

i agree with you..

[RMcGirr83]

All I know is that I'm going through withdrawls...someone is going to pay!!

[ChrisRLG]

All I know is that I'm going through withdrawls...someone is going to pay!!

One day at a time.

First day you will have the shakes - this is normal.

Second day they will be more violent - again this is normal.

To get help you will need to use some of the old established remedies, find a copy of windows and check out the games folder in the start menu - you will find a game called Minesweeper - play that for 1 hour, after which you will find the pain of not being able to get to phpBB.com will be a Little less violent.

So take each day at a time, try the Minesweeper 'tablet' and you might just be able to bare the pain and shakes till phpBB.com is available again.

It will be hard, but we (and Minesweeper) are here to help you.