Notice: AnandTech Forums User Data Compromised


John Connor

Lifer
Nov 30, 2012
22,757
618
121
This site will more than likely just move to phpBB or XenForo. Using any one of those forum software installs will use bcrypt which is 10x better in terms of guarding against cracking weak MD5 hashed passwords that this forum currently uses. Also, Xenforo has a two-factor option using either Google Authenticator or Authy I guess. I'm a member of a site that uses Xenforo and I never really tried it. It's not something I care about for a dumb forum. Especially when my long, complicated password is hashed with bcrypt.

Now I gotta wonder. Is your cell phone number stored in the database as plain text using the two factor option? I should install Xenforo in Xampp and have a peek.

I use phpBB myself, and I like its interface a lot better. I especially like the notifications. In Xenforo it's all messed up.

I would hope that the IT people of Purch would run phpBB and Xenforo in a local Xampp install and see what each does in terms of options.
 
Last edited:
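The bcrypt-over-MD5 point above, as an added PHP example (the language phpBB, XenForo and vBulletin are written in); this is not code from the poster or from any of those packages. The legacy salted-MD5 layout, the user-record shape and the cost of 12 are assumptions; it shows why each bcrypt guess is far more expensive than an MD5 guess and how a board can move existing MD5 users to bcrypt transparently at their next login.

```php
<?php
// Added example, not code from vBulletin, phpBB or XenForo.
// The legacy scheme below is a constructed salted-MD5 layout standing in for
// the old board's MD5 hashes; the exact vBulletin layout is not given in the thread.

declare(strict_types=1);

// Legacy record: md5(md5(password) . salt) (assumed layout). One MD5 is a few
// hundred nanoseconds, so weak passwords fall to offline guessing quickly.
function legacy_md5_hash(string $password, string $salt): string
{
    return md5(md5($password) . $salt);
}

// bcrypt via password_hash(); cost 12 means 2^12 key-setup rounds, so each
// guess costs the attacker thousands of times more than a single MD5.
function bcrypt_hash(string $password, int $cost = 12): string
{
    return password_hash($password, PASSWORD_BCRYPT, ['cost' => $cost]);
}

// On login: accept either format and transparently upgrade legacy MD5 users.
// $row is the user record (constructed shape: hash, salt, scheme).
// Returns the possibly updated row on success, or null on a bad password.
function login_and_upgrade(array $row, string $password): ?array
{
    if ($row['scheme'] === 'md5') {
        // Constant-time compare avoids leaking how many hex digits matched.
        if (!hash_equals($row['hash'], legacy_md5_hash($password, $row['salt']))) {
            return null;
        }
        // The plaintext is only available at login, so rehash right here.
        $row['hash']   = bcrypt_hash($password);
        $row['salt']   = '';            // bcrypt embeds its own salt in the hash
        $row['scheme'] = 'bcrypt';
        return $row;
    }
    if (!password_verify($password, $row['hash'])) {
        return null;
    }
    // Raise the work factor over time without forcing a password reset.
    if (password_needs_rehash($row['hash'], PASSWORD_BCRYPT, ['cost' => 12])) {
        $row['hash'] = bcrypt_hash($password);
    }
    return $row;
}

// Constructed demo user still on the legacy scheme.
$user = ['scheme' => 'md5', 'salt' => 'Ab3x', 'hash' => legacy_md5_hash('correct horse', 'Ab3x')];
$user = login_and_upgrade($user, 'correct horse');
printf("scheme=%s hash=%s\n", $user['scheme'], $user['hash']);
```

Old MD5 rows that never log in again stay crackable, so a real migration also expires or resets them after a grace period rather than keeping them indefinitely.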

John Connor

Lifer
Nov 30, 2012
22,757
618
121
^This

I'm providing false e-mail (in violation of the TOS) and a weak password until we are updated. Even then I may never trust them with my personal information again.

Would actually prefer my account here to be deleted, but they're too hardcore to allow that to happen...


What "personal information?" It's not like this site is a bank or some other escrow. They have an E-mail and that's it! Frankly I use several E-mail addresses. And one of those is for forums and other online crap I don't care about.
 

Tim

What "personal information?" It's not like this site is a bank or some other escrow. They have an E-mail and that's it! Frankly I use several E-mail addresses. And one of those is for forums and other online crap I don't care about.



A password is personal information.

/mic drop
 

Titillating

Assistant Community Manager
Sep 9, 2014
423
70
66
While I can't give precise details at this moment, I can tell you that we (Purch) are working to bring the AT forums to a more modern era with many of the securities and features that can and should be commonplace on an internet forum. There are limitations to the improvements we can make to this version of vB, so we are looking elsewhere for our needs, which will hopefully align with all of yours as well.

We hope to have something to show for it before the end of summer and you will all be given notice well in advance of any releases. Until then, sit tight and rest easy knowing that this issue is not being overlooked :)
 

Platypus

Lifer
Apr 26, 2001
31,046
321
136
well at least something is happening?

The same bugs are still out there for this site, so hopefully no one is using the same email/pass combo anywhere else. You are asking for problems if you do.

Happy to help with anything if you guys are interested, I do security consulting for a living (and would hand you a really nasty report for this site ;) )
 

John Connor

Lifer
Nov 30, 2012
22,757
618
121
It's not a bank website. It's a stupid place to argue with strangers you never met.

My bank needs a good security IT team though. I E-mailed them numerous times to tell them to get rid of RC-4 and it fell on deaf ears. Then when they finally did upgrade the website it was a masterful redacted. I couldn't access my account, etc. And to top it off they don't even offer Two-factor Auth! I guess such is the case for a small town bank, but seriously. I implemented Authy in my own crappy WordPress blog FFS! The API is there, freaking use it!

You continue to use profanities in areas where it is not allowed.

esquared
Anandtech Forum Director
 
Last edited by a moderator:

MongGrel

Lifer
Dec 3, 2013
38,466
3,067
121
It's not a bank website. It's a stupid place to argue with strangers you never met.

My bank needs a good security IT team though. I E-mailed them numerous times to tell them to get rid of RC-4 and it fell on deaf ears. Then when they finally did upgrade the website it was a masterful cluster fuck. I couldn't access my account, etc. And to top it off they don't even offer Two-factor Auth! I guess such is the case for a small town bank, but seriously. I implemented Authy in my own crappy WordPress blog FFS! The API is there, freaking use it!

You were still using dial up in 2010 and you seem to have problems fixing a laptop lately.

Stop trying to sound like an expert and post somewhere else if you do not like it.

You would make many people happy.

Again? No.
admin allisolm
 
Last edited by a moderator:

JimKiler

Diamond Member
Oct 10, 2002
3,561
206
106
While I can't give precise details at this moment, I can tell you that we (Purch) are working to bring the AT forums to a more modern era with many of the securities and features that can and should be commonplace on an internet forum. There are limitations to the improvements we can make to this version of vB, so we are looking elsewhere for our needs, which will hopefully align with all of yours as well.

We hope to have something to show for it before the end of summer and you will all be given notice well in advance of any releases. Until then, sit tight and rest easy knowing that this issue is not being overlooked :)

thank you for the update.
 

John Connor

Lifer
Nov 30, 2012
22,757
618
121
My laptop works perfectly well. Using it right now! HAHAHA

And I wasn't using Dial-up in 2010. :rolleyes:

Edit- Not sure what dial-up has anything to do with forum software and the security that surrounds it. I've been running phpBB for over a year now. Have two phpBB driven forums and two WordPress websites. I have read a lot on hardening those CMS platforms and web application firewalls, etc. Which is more than you can say.
 
Last edited:

Phynaz

Lifer
Mar 13, 2006
10,140
819
126
While I can't give precise details at this moment, I can tell you that we (Purch) are working to bring the AT forums to a more modern era with many of the securities and features that can and should be commonplace on an internet forum. There are limitations to the improvements we can make to this version of vB, so we are looking elsewhere for our needs, which will hopefully align with all of yours as well.

We hope to have something to show for it before the end of summer and you will all be given notice well in advance of any releases. Until then, sit tight and rest easy knowing that this issue is not being overlooked :)

"We know we've got a huge security hole, we aren't going to address it for MONTHS".

Nice going Purch.
 

Elixer

Lifer
May 7, 2002
10,371
762
126
While I can't give precise details at this moment, I can tell you that we (Purch) are working to bring the AT forums to a more modern era with many of the securities and features that can and should be commonplace on an internet forum. There are limitations to the improvements we can make to this version of vB, so we are looking elsewhere for our needs, which will hopefully align with all of yours as well.

We hope to have something to show for it before the end of summer and you will all be given notice well in advance of any releases. Until then, sit tight and rest easy knowing that this issue is not being overlooked :)
At least we got a nugget of information, thanks.

It is just puzzling to know why this forum is still using vBulletin version 3.8.8 Alpha 1 (from 2013?), and hasn't been updated to something like vBulletin version 5.2.3 RC1 or whatever.
 

Carson Dyle

Diamond Member
Jul 2, 2012
8,173
524
126
At least we got a nugget of information, thanks.

It is just puzzling to know why this forum is still using vBulletin version 3.8.8 Alpha 1 (from 2013?), and hasn't been updated to something like vBulletin version 5.2.3 RC1 or whatever.

What's puzzling about it?

A close parallel: An out of town investor group bought a large older house down the street from me a couple years ago to rent out rooms to college students. The house has since fallen into disrepair, with pieces of it literally falling off, the paint peeling, the lawn gone to dirt and weeds. It's a total dump.

Same thing here. Absentee landlords maximizing their investment by supplying the absolute minimum amount of maintenance and capital reinvestment. And the place has become a dump.
 
Last edited:

Elixer

Lifer
May 7, 2002
10,371
762
126
What's puzzling about it?
Same thing here. Absentee landlords maximizing their investment by supplying the absolute minimum amount of maintenance and capital reinvestment. And the place has become a dump.
Purch did work on the forum software though, and upgrading from alpha to beta to release isn't that complicated. Yeah, it will take a while to redo the database, but other than that, not being willing to update because of time/$$$ vs. losing time/$$$ because of trying to plug the security holes seems silly.
 

Carson Dyle

Diamond Member
Jul 2, 2012
8,173
524
126
Purch lost nothing to the security breach. If they had, you can be sure they wouldn't be taking months to address it, and might have even invested a few dollars into an upgrade well before it could happen. So someone got hold of the forum users' email and perhaps their passwords? That costs them nothing. Heck, they've probably already sold the email list many times over.