Possible closure of STF

Moderator: frenzarin

admin
Site Admin
Posts: 2534
Joined: 20 Sep 2004 21:49

Possible closure of STF

Post by admin » 15 Dec 2014 10:03

Two hours ago phpbb.com - the authors of our forum software - was taken down due to their servers being compromised. Details are currently unclear. If the compromise was due to a vulnerability in the forum software I would have to take down STF until it is fixed. Meanwhile I'm doing an extra backup of everything relevant.

So please keep on posting and watch for updates.

Admin

admin
Site Admin
Posts: 2534
Joined: 20 Sep 2004 21:49

Re: Possible closure of STF

Post by admin » 17 Dec 2014 11:25

phpBB.com have released more information and it is good news for us. Hence I'm standing down any consequent threat to take STF offline:

"At this time we are proceeding with recovery efforts and have some additional important information. We have confirmed that initial entry was made via a team member's compromised login details and not as the result of a vulnerability in the phpBB software."

To make your logins more secure here I will be doing some extra testing over the next few days and, if successful, will be bringing forward the planned move to encrypted transmission (https://) to January 1st. Anybody still using Internet Explorer 8 or earlier on Windows XP will need to move to a more secure browser. Firefox and/or Chrome are recommended for XP users. Modern browsers including Internet Explorer 8 and above on other operating systems (Windows 7/8, Apple, Linux etc) should continue to work just fine.

You can test it now by clicking on the green padlocked TOWN FORUM link at the top of the page. PM me if you experience any issues.

Admin

Sydenham
Posts: 268
Joined: 2 Sep 2007 09:08
Location: Wells Park

Re: Possible closure of STF

Post by Sydenham » 17 Dec 2014 13:13

Any plans for two factor authentication (TFA) being implemented - just so we can be sure that posts are actually made by the registered posters? And that identities are not being hijacked, or compromised.

These days it seems that TFA is all the rage and is being actively adopted and encouraged by go-ahead companies as a means of demonstrating commitment to security.

Does the software being used allow for TFA?

admin
Site Admin
Posts: 2534
Joined: 20 Sep 2004 21:49

Re: Possible closure of STF

Post by admin » 17 Dec 2014 13:53

Sydenham wrote: Does the software being used allow for TFA?
No.

Actually in a forum of this type the possibility of impersonation is not really serious. It would be quickly spotted and sorted and there would be no loss (apart from a momentary red face). Hence I doubt it would appear very high up in any forum admin's wish list.

Encrypting is addressing another issue. Currently your username & password are passed in plain text from your device to our servers. Anybody along the way can eavesdrop on the traffic. This may include anyone in an internet cafe with an 'open' wifi service or professionals further along the route. We know this includes GCHQ & NSA. Their technology is used by other governments and their mafias. Encrypting makes it impossible to capture encrypted logins and other private information unless they have massive computer power which even the most well funded agency could only use on a selected number of targets. This rules out mass surveillance/collection.

The Russian & Ukrainian mafias aren't interested in impersonating people here. They can just register anonymously and try and spam. They do that right now (but nearly all are caught just before or after registration). No, the real danger is that our posters use the same or similar usernames/passwords across other accounts. When that is PayPal or your Bank it's serious. Hence capturing as many logins from our posters is of interest. It's also why the system will not let even me see your passwords.

We tell people to always use different login credentials for each account but human frailty means this doesn't always happen. I'm sometimes guilty! Encryption solves the transit problem. It doesn't protect your password if you clicked on a naughty link which installed a key logger. But that's a problem for you and your computer and only impacts you.

No - it's a public duty for us to protect your credentials when they are in our care - which from the New Year will mean from when they leave your computer.

Where there is substantial possibility of monetary or information loss then many of those organisations are rolling out TFA where the added inconvenience to the user is seen by both as worthwhile. Here it isn't. If you disagree - come and make your point after 8pm tonight. The Dolphin. Pink FT and folded bike marks the table.

Admin
