Possible closure of STF

admin
Site Admin
Posts: 2575
Joined: 20 Sep 2004 21:49

Possible closure of STF

Post by admin »

Two hours ago phpbb.com - the authors of our forum software - was taken down due to their servers being compromised. Details are currently unclear. If the compromise was due to a vulnerability in the forum software I would have to take down STF until it is fixed. Meanwhile I'm doing an extra backup of everything relevant.

So please keep on posting and watch for updates.

Admin
admin
Site Admin
Posts: 2575
Joined: 20 Sep 2004 21:49

Re: Possible closure of STF

Post by admin »

phpBB.com have released more information and it is good news for us. Hence I'm standing down any consequent threat to take STF offline:

"At this time we are proceeding with recovery efforts and have some additional important information. We have confirmed that initial entry was made via a team member's compromised login details and not as the result of a vulnerability in the phpBB software."

To make your logins more secure here I will be doing some extra testing over the next few days and, if successful, will be bringing forward the planned move to encrypted transmission (https://) to January 1st. Anybody still using Internet Explorer 8 or earlier on Windows XP will need to move to a more secure browser. Firefox and/or Chrome are recommended for XP users. Modern browsers including Internet Explorer 8 and above on other operating systems (Windows 7/8, Apple, Linux etc) should continue to work just fine.

You can test it now by clicking on the green padlocked TOWN FORUM link at the top of the page. PM me if you experience any issues.

Admin
Sydenham
Posts: 318
Joined: 2 Sep 2007 09:08
Location: Wells Park

Re: Possible closure of STF

Post by Sydenham »

Any plans for two factor authentication (TFA) being implemented - just so we can be sure that posts are actually made by the registered posters? And that identities are not being hijacked, or compromised.

These days it seems that TFA is all the rage and is being actively adopted and encouraged by go-ahead companies as a means of demonstrating commitment to security.

Does the software being used allow for TFA?
admin
Site Admin
Posts: 2575
Joined: 20 Sep 2004 21:49

Re: Possible closure of STF

Post by admin »

Sydenham wrote: Does the software being used allow for TFA?
No.

Actually in a forum of this type the possibility of impersonation is not really serious. It would be quickly spotted and sorted and there would be no loss (apart from a momentary red face). Hence I doubt it would appear very high up in any forum admin's wish list.

Encrypting is addressing another issue. Currently your username & password are passed in plain text from your device to our servers. Anybody along the way can eavesdrop on the traffic. This may include anyone in an internet cafe with an 'open' wifi service or professionals further along the route. We know this includes GCHQ & NSA. Their technology is used by other governments and their mafias. Encrypting makes it impossible to capture encrypted logins and other private information unless they have massive computer power which even the most well-funded agency could only use on a selected number of targets. This rules out mass surveillance/collection.

The Russian & Ukrainian mafias aren't interested in impersonating people here. They can just register anonymously and try and spam. They do that right now (but nearly all are caught just before or after registration). No, the real danger is that our posters use the same or similar usernames/passwords across other accounts. When that is PayPal or your Bank it's serious. Hence capturing as many logins as possible from our posters is of interest. It's also why the system will not let even me see your passwords.

We tell people to always use different login credentials for each account but human frailty means this doesn't always happen. I'm sometimes guilty! Encryption solves the transit problem. It doesn't protect your password if you clicked on a naughty link which installed a key logger. But that's a problem for you and your computer and only impacts you.

No - it's a public duty for us to protect your credentials when they are in our care - which from the New Year will mean from when they leave your computer.

Where there is substantial possibility of monetary or information loss then many of those organisations are rolling out TFA where the added inconvenience to the user is seen by both as worthwhile. Here it isn't. If you disagree - come and make your point after 8pm tonight. The Dolphin. Pink FT and folded bike mark the table.

Admin
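The admin's point above is that the move to https:// only protects logins if the plain-http path really stops carrying them. As an added example, not code from this thread or from phpBB, here is a small Python check over constructed responses (hostname forum.example, cookie name sid, paths and header values all made up) for the properties an admin would verify after such a move: the http URL redirects to https, the session cookie is marked Secure, the login form does not post to an http:// URL, and HSTS is set.

```python
# Added example, not from the forum thread or phpBB: offline checks on
# constructed HTTP responses for what keeps logins out of plaintext transit.
import re
from http.cookies import SimpleCookie

# Constructed samples as (status, headers, body). Hostname, cookie name and
# values are made up; only one Set-Cookie header per response is modelled.
HTTP_RESPONSE = (301, {"Location": "https://forum.example/login"}, "")
WEAK_HTTPS_RESPONSE = (
    200,
    {"Set-Cookie": "sid=abc123; path=/; HttpOnly"},
    '<form action="http://forum.example/login" method="post">',
)
GOOD_HTTPS_RESPONSE = (
    200,
    {"Strict-Transport-Security": "max-age=31536000",
     "Set-Cookie": "sid=abc123; path=/; Secure; HttpOnly"},
    '<form action="./login" method="post">',
)

def check_http_redirect(status, headers):
    """A plain-http request must be redirected to https, never answered."""
    loc = headers.get("Location", "")
    return status in (301, 302, 307, 308) and loc.startswith("https://")

def check_cookies_secure(headers):
    """Without Secure the browser would resend the session cookie over http."""
    raw = headers.get("Set-Cookie")
    if raw is None:
        return True
    jar = SimpleCookie()
    jar.load(raw)
    return all(bool(m["secure"]) for m in jar.values())

def check_form_action(body):
    """The login form itself must not post back to an http:// URL."""
    actions = re.findall(r'<form[^>]*\baction="([^"]*)"', body)
    return all(not a.lower().startswith("http://") for a in actions)

def check_hsts(headers):
    """HSTS stops the browser from ever trying the plain-http URL again."""
    m = re.search(r"max-age=(\d+)", headers.get("Strict-Transport-Security", ""))
    return m is not None and int(m.group(1)) > 0

def audit_https_move(http_resp, https_resp):
    """Map each check name to True (pass) or False (fail) for the migrated forum."""
    status, headers, _ = http_resp
    _, h2, body = https_resp
    return {"http_redirects_to_https": check_http_redirect(status, headers),
            "session_cookie_secure": check_cookies_secure(h2),
            "login_form_not_http": check_form_action(body),
            "hsts_present": check_hsts(h2)}
```

Running `audit_https_move(HTTP_RESPONSE, WEAK_HTTPS_RESPONSE)` flags the cookie, the form action and the missing HSTS header; the GOOD variant passes all four checks.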