Welcome back everyone
-
[quote name=“MrWyrm” post=“53618” timestamp=“1390313528”]
[quote author=chrisj link=topic=7041.msg53588#msg53588 date=1390310879]
[quote author=MrWyrm link=topic=7041.msg53587#msg53587 date=1390310725]
I use PHPbb, can’t help but feel it’s lagging behind others in terms of features these days though.
[/quote]What other ones do you like?
[/quote]I’d guess the truth is that it doesn’t really matter, and I know that’s a bit of a cop out, but I think ultimately the requirements of this forum are very different from most other forums. The ‘shoe and shoe polish appreciation’ forum, for example, might prize the ability to post and host media over forum security and uptime. I think that anecdotal evidence from anyone of reliability is going to be useless.
There are two things that spring to my mind: which is the ‘most secure’ out of the box and which has the most vanilla features that we ‘need’ (to prevent the need for additional mods creating security holes). Forget pretty haha.
But we could pick the most secure package available, and whilst it would seem that it’s the forum that had the weakness, it still worries me that I’ve read elsewhere that ‘not all packages’ were up to date. I understand how easy it is to let these things slide, but if the community is one of the most prized features of the FeatherCoin, then it must have all its bases covered as a priority. :)
Perhaps we could also benefit from a ‘disaster plan’, so that you can respond to these problems quickly whilst singing from the same hymn sheet? Things have been handled ok all in all, and you don’t need me to tell you, the forum should have been pulled and shut down much earlier pending enquiry. :D
[/quote]+1 rep, great post.
Two of these things are covered in the famous 7 deadly sins of the Linux administrator: http://searchenterpriselinux.techtarget.com/news/904844/Linux-security-The-seven-deadly-sins
Specifically #3: Running old software versions, and #4: Running insecure and badly configured programs.
From the article:
[quote]
Do use good programming practices, and run audits of common gateway interfaces (CGIs) regularly, Toxen said. Many programmers don’t know secure programming techniques. The auditor should. On Toxen’s “don’ts” list: [b]Don’t use PHP, even though it’s convenient.[/b] Don’t run DNS, auth (ident) or Apache as root. But, do use suEXEC, a tool first introduced in Apache 1.2, that increases security by allowing users to develop and run private CGI or SSI programs.
[/quote]There’s a REALLY good reason to NOT use PHP, as was demonstrated with this hack: The entire security model for PHP is completely broken. PHP is by far and away the most security problematic platform for the web in existence.
PHP accounts for 29% of all vulnerabilities in the National Vulnerability Database. 99% of PHP-related vulnerabilities can be exploited remotely. PHP vulnerabilities account for about 33% of vulnerabilities which allow a remote access.
PHP only works as a CGI interface, which means that the code must be compiled and executed off the file system as a response to a web request. That means that all an attacker has to do is modify a file on the file system, and issue a web request to get it to run. This is basically impossible to lock down, since the only requirement is a file system change, and not even privilege escalation is required. This problem is exacerbated by the fact that the default way of stringing two pieces of functionality together is via an ‘include’ statement, which is the automated equivalent of cutting and pasting code around in files in real time. You combine this with functionality that requires a file system change, like custom avatars, and you’ve got a guaranteed recipe for insecure code that even the most seasoned of developers will overlook. Add into this mess using PHP’s global namespace as a storage mechanism for query parameters, and a lack of support for stored procedures, and you’ve got a SQL injection attack on your hands that’s just waiting to be uncovered. Or how about PHP’s handling of nulls in strings? Or how it completely fucks up string comparison of numerical values?
Don’t believe me? How do you think the hacker got in???
It WILL happen again. It’s only a matter of time. Heed my warning: Avoid insecure platforms that get hacked all the time.
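As an added illustration of the loose comparison of numeric strings mentioned in the post above (this is example code written for this page, not code from the thread or from any forum package; the digest values are constructed placeholders):

```php
<?php
// PHP's loose comparison (==) converts strings that look numeric into numbers
// before comparing, so two different strings can compare equal. Strict
// comparison (===) and hash_equals() compare the actual bytes.

declare(strict_types=1);

// Constructed sample pairs. The first three parse as numbers on both sides;
// the last is a control that is non-numeric and differs under both operators.
$pairs = [
    ['1e3', '1000'],           // scientific notation vs. plain integer
    ['0e123456', '0e654321'],  // both read as 0 * 10^n, i.e. 0.0
    ['10', '1e1'],             // 10 vs. 1 * 10^1
    ['abc', 'abd'],            // control: ordinary string comparison
];

foreach ($pairs as [$a, $b]) {
    printf("%-10s ==  %-10s : %s\n", $a, $b, var_export($a == $b, true));
    printf("%-10s === %-10s : %s\n", $a, $b, var_export($a === $b, true));
}

// Why it matters: a stored hex digest that happens to match /^0e\d+$/ is
// loosely equal to any other such digest, so a == check on a password hash
// or reset token can be satisfied by a value that is not the real one.
function tokenMatchesLoose(string $expected, string $supplied): bool
{
    return $expected == $supplied;            // numeric coercion applies
}

// Hardened form: hash_equals() (PHP >= 5.6) compares byte-for-byte in
// constant time and never coerces either operand.
function tokenMatchesStrict(string $expected, string $supplied): bool
{
    return hash_equals($expected, $supplied);
}

$storedDigest   = '0e123456';  // constructed stand-in for a stored digest
$suppliedDigest = '0e654321';  // constructed stand-in for a forged value
var_dump(tokenMatchesLoose($storedDigest, $suppliedDigest));
var_dump(tokenMatchesStrict($storedDigest, $suppliedDigest));
```

Auditing a PHP code base for `==` and `!=` on anything derived from user input or on hashes, and replacing them with `===` or `hash_equals()`, closes this class of type-juggling bug.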
-
Coming from someone ignorant about what forum software is available and doesn’t use PHP … what would you recommend?
-
[quote name=“justgeig” post=“53781” timestamp=“1390341816”]
@Kevlar Coming from someone ignorant about what forum software is available and doesn’t use PHP … what would you recommend?
[/quote]NodeBB is gaining a lot of popularity. It works on all devices, has tons of plugins, a great feature set, and perhaps most importantly, has a hosted plan. https://nodebb.org/
I’ve heard some GREAT things about Discourse: http://www.discourse.org/
Specifically that it would be ideal for a community like ours because of the way it treats discussions as ongoing conversations. It’s very forward thinking, and would be a welcome change to the static, non-threaded approach we’re currently using. Hosted plans are by far and away the best way to administer these things: the administrators deal with code updates for you, and it ensures isolation from other services, because if they hack the forum, they don’t get access to all the other services that would otherwise be running on the same box.
-
On a pleasant note, nice Feathercoin Community shout out on Twitter by CNNMoney writer David Z. Morris: https://twitter.com/davidzmorris
-
[quote name=“Kevlar” post=“53768” timestamp=“1390340574”]
[quote author=MrWyrm link=topic=7041.msg53618#msg53618 date=1390313528]
[quote author=chrisj link=topic=7041.msg53588#msg53588 date=1390310879]
[quote author=MrWyrm link=topic=7041.msg53587#msg53587 date=1390310725]
I use PHPbb, can’t help but feel it’s lagging behind others in terms of features these days though.
[/quote]What other ones do you like?
[/quote]I’d guess the truth is that it doesn’t really matter, and I know that’s a bit of a cop out, but I think ultimately the requirements of this forum are very different from most other forums. The ‘shoe and shoe polish appreciation’ forum, for example, might prize the ability to post and host media over forum security and uptime. I think that anecdotal evidence from anyone of reliability is going to be useless.
There are two things that spring to my mind: which is the ‘most secure’ out of the box and which has the most vanilla features that we ‘need’ (to prevent the need for additional mods creating security holes). Forget pretty haha.
But we could pick the most secure package available, and whilst it would seem that it’s the forum that had the weakness, it still worries me that I’ve read elsewhere that ‘not all packages’ were up to date. I understand how easy it is to let these things slide, but if the community is one of the most prized features of the FeatherCoin, then it must have all its bases covered as a priority. :)
Perhaps we could also benefit from a ‘disaster plan’, so that you can respond to these problems quickly whilst singing from the same hymn sheet? Things have been handled ok all in all, and you don’t need me to tell you, the forum should have been pulled and shut down much earlier pending enquiry. :D
[/quote]+1 rep, great post.
Two of these things are covered in the famous 7 deadly sins of the Linux administrator: http://searchenterpriselinux.techtarget.com/news/904844/Linux-security-The-seven-deadly-sins
Specifically #3: Running old software versions, and #4: Running insecure and badly configured programs.
From the article:
[quote]
Do use good programming practices, and run audits of common gateway interfaces (CGIs) regularly, Toxen said. Many programmers don’t know secure programming techniques. The auditor should. On Toxen’s “don’ts” list: [b]Don’t use PHP, even though it’s convenient.[/b] Don’t run DNS, auth (ident) or Apache as root. But, do use suEXEC, a tool first introduced in Apache 1.2, that increases security by allowing users to develop and run private CGI or SSI programs.
[/quote]There’s a REALLY good reason to NOT use PHP, as was demonstrated with this hack: The entire security model for PHP is completely broken. PHP is by far and away the most security problematic platform for the web in existence.
PHP accounts for 29% of all vulnerabilities in the National Vulnerability Database. 99% of PHP-related vulnerabilities can be exploited remotely. PHP vulnerabilities account for about 33% of vulnerabilities which allow a remote access.
PHP only works as a CGI interface, which means that the code must be compiled and executed off the file system as a response to a web request. That means that all an attacker has to do is modify a file on the file system, and issue a web request to get it to run. This is basically impossible to lock down, since the only requirement is a file system change, and not even privilege escalation is required. This problem is exacerbated by the fact that the default way of stringing two pieces of functionality together is via an ‘include’ statement, which is the automated equivalent of cutting and pasting code around in files in real time. You combine this with functionality that requires a file system change, like custom avatars, and you’ve got a guaranteed recipe for insecure code that even the most seasoned of developers will overlook. Add into this mess using PHP’s global namespace as a storage mechanism for query parameters, and a lack of support for stored procedures, and you’ve got a SQL injection attack on your hands that’s just waiting to be uncovered. Or how about PHP’s handling of nulls in strings? Or how it completely fucks up string comparison of numerical values?
Don’t believe me? How do you think the hacker got in???
It WILL happen again. It’s only a matter of time. Heed my warning: Avoid insecure platforms that get hacked all the time.
[/quote]Great, we are back! :) PHP is Frankenstein’s Monster and is really the biggest player out there. If you need a stable platform then try using it with best practices for it; if you need performance, compile it with HipHop / add caching, set up a load balancer, configure your Linux box, set up an IDS, …
Another good option for forum software is punBB, but I’m not quite sure if it has all of the features that could be offered by other board systems or that are already live on this current platform.
Anyway I’m happy we are back online :)
-
[quote name=“slavco” post=“53811” timestamp=“1390350236”]
PHP is Frankenstein’s Monster
[/quote]Totally off topic:
Am I the only one bothered by the new Frankenstein movie, where they constantly refer to the monster as Frankenstein?
Dr. Frankenstein created a monster. The monster’s name is Frankenstein’s monster, or simply, the monster. At no point was the monster ever referred to as Frankenstein.
Anyway… as you were. And +1 rep for you. :)
-
[quote]Am I the only one bothered by the new Frankenstein movie, where they constantly refer to the monster as Frankenstein?[/quote]
Finally someone who understands me. It is like no one has ever read Mary Shelley’s book, so it is easier to call the monster Frankenstein…
-
[quote name=“Kevlar” post=“53768” timestamp=“1390340574”]
Don’t believe me? How do you think the hacker got in???
[/quote]There was [i]a guy[/i] on here talking about how bad PHP was a while back.
-
Vanilla SMF is as secure as the system gets and I will harden it further. We had several site modifications like SimplePortal, reCAPTCHA, the chatbox, the SMF API was used for the local Feathercoin page and there was a custom to-do list. SMF put out bug and security fixes when needed, but the community development around SMF seems to be on a decline and many packages go unmaintained. Let’s keep us vanilla for the time being.
As for PHP, it’s a crazy language where anything goes :)
The site migration is now finished and the old server has been turned off and cancelled. We have a copy of the server from just before we got defaced if we need to get anything else off of it.
-
The forum just got downgraded to 2.0.6 from 2.0.7 following advice from the SMF team. A couple of problems were discovered in the latest version and we will wait for them to be resolved before updating again.
A bigger problem is that some of the language boards got scrambled during the move due to the export not handling Russian and Chinese chars properly. I will disable the boards until they can be restored from backup intact.
-
Thanks again for all your hard work Bushstar. I know it doesn’t count for much, but +1 to you.
UM
-
It feels GOOD to be back 8)
-
[quote name=“uncle_muddy” post=“53935” timestamp=“1390398712”]
Thanks again for all your hard work Bushstar. I know it doesn’t count for much, but +1 to you. UM
[/quote]BIG UPS to BUSHSTAR! 8)