Acmlm's Board - I2 Archive - Acmlmboard support? - Hey motherfucker
MathOnNapkins

Posted on 03-03-05 02:22 PM
Well, not that I like seeing boards torn to shit and deletered, at least the hackers do one good thing, which is raise awareness for security issues. Bitching and moaning won't do any good, hunkering down and learning about security will. I mean I don't approve of what the hackers do, but using Acmlmboard you're pretty much a sitting duck unless you work to keep it safe or are this board. I don't think y'all should depend upon this board for security updates that trickle down every now and then. Good to see people like Dekker making things available to the community. I don't code PHP, but I'd like to learn at some point and figure out just why the hell these things are so easy to exploit.
Xeolord

Posted on 03-03-05 05:38 PM
Originally posted by Narf
Originally posted by Randy53215
But if we don't bring these issues up they will not be fixed...
Most of those issues are already known and fixed long ago, just not in the distribution. All of the times I found exploits I warned this board's staff (mainly Acmlm and Jesper) about it and it got fixed here right away, which is what also happened with most other people as far as I know. Still, the distributed version is not fixed, which is a bad thing.

And I agree with windwaker somewhat, why did you post this thread anyway? It's not like the immature asshat that did this is going to unravel himself. And it's not like posting idle threats in this thread is going to scare anyone else off either. It's been a few days ago since this happened now, and you still don't know who did this, apparently.


That's the thing, this board is highly securitive, while the released version is just ... whatever.

You don't see that happening with phpBB, and other board systems ... but then again maybe it's because there's what ... one active programmer here now these days? (Jesper)

And yes, I still don't understand what the problem is with posting problems about Acmlmboards in ... hmmm "Acmlmboard Programming", isn't that the point?

I mainly posted this because:
- I was pissed at the time.
- The hacker is obviously a member here, and won't show himself. No dignity.
- Warning other Acmlmboards that they are still vulnerable to these kinds of attacks.

And for the record, I've never seen a long lasting Acmlmboard, even this place was hit with something eventually last year ago ...

But I guess I won't argue that point, since I still use them.

And this got Dekker active about this issue, thankfully I've known him for awhile so he's been helping me out lately.

Yes it was necessary. If you don't like this thread, nobody ever forced you to read it.


(edited by Xeogred on 03-03-05 08:39 AM)
(edited by Xeogred on 03-03-05 09:09 AM)
windwaker

Posted on 03-04-05 05:28 AM
The most secure acmlmboard is this one, because for some reason it hoards security updates.

- The hacker is obviously a member here, and won't show himself. No dignity.

What do you expect? No dignity? Does whoever did it have some unwritten obligation to post that they did it?

And for the record, I've never seen a long lasting Acmlmboard, even this place was hit with something eventually last year ago ...

Hacked? Nobody said this board was hacked. Because, it wasn't.

Yes it was necessary. If you don't like this thread, nobody ever forced you to read it.

rfl i d0nt h4v3 t0 r33d it hez rite.

But seriously, discussing acmlmboard insecurities in public = against the rules.
Bringing dramatic BS from another board = against the rules.
Sandy53215
Posted on 03-04-05 05:40 AM
Originally posted by windwaker

But seriously, discussing acmlmboard insecurities in public = against the rules.

What's the point of having this forum then? Let's make pretty COLORZ ON A BOARD!!! LOLZ

Bringing dramatic BS from another board = against the rules.

Looks at FAQ?


(edited by Randy53215 on 03-03-05 08:41 PM)
DarkSlaya
Posted on 03-04-05 07:11 AM
windwaker: Shut up, please. How do you think that those Acmlmboards are going to become more secure? By using magic? By being an idiot? I don't think so. Besides, we're not saying HOW to exploit the board, we're saying where those exploits are. (Note: These aren't the same. Those who could really hack already know where the exploits are, the others who don't know much about PHP wouldn't know unless they were told HOW to do it).
windwaker

Posted on 03-04-05 07:43 AM
How do people learn about exploits? By randomly entering -- into a cookie, or by word of mouth/forum posts?

Yeah, that's what I thought.
Sandy53215
Posted on 03-04-05 08:58 AM
Originally posted by windwaker
How do people learn about exploits?


Originally posted by Jesper in the Announcements

Leaking of exploits to ANYONE except board staff WILL land you at the very least a warning, or a ban if you already have a warning. DO NOT UNDER ANY CIRCUMSTANCES SHOW OFF THE EXPLOIT ANYWHERE WHERE SOMEONE ELSE CAN SEE IT. If you have to confirm it, and you have a local AcmlmBoard, use that.


Only problem with that. Plus we are conversing amongst each other about all these hackings that have happened.
windwaker

Posted on 03-04-05 09:06 AM
... Exactly why the exploits shouldn't be spoken about on these boards. There're handfuls of vulnerable acmlmboards.
Sandy53215
Posted on 03-04-05 10:01 AM
They are already known about. It's not that big of a deal. Just relax, let one of the admins decide.
dan

Posted on 03-04-05 03:27 PM
Personally, I think you should discuss exploits on this board. Let's look at the options:

Option #1: No talking about exploits - people find out about them anyway through IRC/AIM/whatever, and cause chaos on people's boards. The "victim" doesn't know how to fix it, and as nobody is talking about it, nobody steps forward to fix it.

Option #2: Talking about exploits - People find out about them through the posts on the board, and IRC/AIM/whatever. However, as people are talking about them, the would-be victims know what to fix or where the hole is, and they fix it.

Personally, I prefer option #2. I feel tempted to repost a link to that security over obscurity article on Wikipedia, but I won't.


(edited by dan on 03-04-05 06:27 AM)
Xeolord

Posted on 03-05-05 02:01 AM
Sorry windwaker, but you've obviously missed something.

These attacks happened -------------->BEFORE<-------------- this thread was started. So, thus the hacker didn't come here and "Read" anything on how to "hack" a board, they knew how to, and already knew what they were doing.

If we don't use this forum for its purpose, then you can expect Acmlmboards to just sit there and wait more than several months for whenever the next releases release ... and we all know that, is something that takes awhile to be put into effect.

And like I've already said, if you don't like this thread, nobody is forcing you to agree with us.


(edited by Xeogred on 03-04-05 05:02 PM)
Laxidman

Posted on 03-05-05 05:35 AM
Originally posted by dan
Personally, I think you should discuss exploits on this board. Let's look at the options:

Option #1: No talking about exploits - people find out about them anyway through IRC/AIM/whatever, and cause chaos on people's boards. The "victim" doesn't know how to fix it, and as nobody is talking about it, nobody steps forward to fix it.

Option #2: Talking about exploits - People find out about them through the posts on the board, and IRC/AIM/whatever. However, as people are talking about them, the would-be victims know what to fix or where the hole is, and they fix it.

Personally, I prefer option #2. I feel tempted to repost a link to that security over obscurity article on Wikipedia, but I won't.

#1-Didn't the attacks continue even after someone posted a fix? I'd consider it not so bad to have the information spread through irc/aim/whatever since you'll likely hit less people that information is relative to than on the site the hole affects.

#2-The victims would know how to fix the problem, but now you guys have opened the door for others to hack unpatched boards. I see people will be having fun with that editprofile hole now.

I'm more of a fan of the "bother the damn dev team" option. These are *capable* people who are aware of most of the bugs and I would like to think are actually working to fix them. It sucks to have to wait for them to release new versions but I'm assuming that with these recent attacks, they're working as fast as possible to bring a new version out that addresses these issues. Least the information goes where it counts without adding more victims to the list. Unfortunately, I figure with these holes now open to the public, you guys have now added more stress to their work.

-----------------------------

Originally posted by Xeogred
If we don't use this forum for its purpose, then you can expect Acmlmboards to just sit there and wait more than several months for whenever the next releases release ... and we all know that, is something that takes awhile to be put into effect.


Shouldn't matter to you since you already got help from the dev team regarding the editprofile issue. If it's fixed in the next version, you would've already gotten it fixed, otherwise, that next version is as vulnerable as the last. What you could've done was alert the dev team the fix didn't work and as this board is running off the newer versions whatever exploit exists likely affects this and considering that they should know the code better than any of us, actually fix the problem.

I would say anybody who had read this thread with malicious intent now knows how to exploit a few boards. I say this because if I didn't already know of these holes, I would know what to attack and how by simply looking at what the patch fixes. That is, if I had malicious intent.

The patch explains what the hole is and the affected areas. Since SQL Injection has already been discussed here, anybody could figure out how to do it with a google search. There are even examples in the PHP.net article that was linked from one of the posts.

----

Remember this?

Originally posted by Jesper
If the knowledge about the exploit leaks, we can all be in deep shit and have numerous threads, posts or users lost or modified before anything can be done. Do not risk that.

[...]

We're not doing this because we can't stand criticism (in which case this announcement would not even exist), but because we can't stand data loss.

Sucks for them.

You can still get shit fixed without making the information public, just talk to the dev team. Anyways, they request you talk to them instead of making the problem worse. Granted, the problem was already bad enough before you posted about it, but you guys just now created a few more hackers that could destroy boards.

---

Pretty cruel of me to say this, but with all of the information about exploits, nothing was fixed since the hacker still ended up exploiting boards. You guys only succeeded in making the problem worse.

(Sorry for all of the edits, I keep realizing that I'm missing details to produce a decent argument.)


(edited by Laxidman on 03-04-05 08:46 PM)
(edited by Laxidman on 03-04-05 08:58 PM)
(edited by Laxidman on 03-04-05 09:02 PM)
(edited by Laxidman on 03-04-05 09:28 PM)
(edited by Laxidman on 03-04-05 09:47 PM)
(edited by Laxidman on 03-04-05 09:51 PM)
MathOnNapkins

Posted on 03-05-05 08:40 AM
So what if somebody else gets attacked? If they didn't know about the problem, they will after the attack. I don't think it's better to let people idle away in ignorance of the insecurity of their boards. Like I said earlier, getting attacked by hackers, while a major pain in the ass, as I saw what it did to TEK which eventually switched over to phpbb as a result of them, brings these issues to the forefront. As Dan has pointed out, security by obscurity is not a good idea, and that is what you are proposing, Laxid.
Laxidman

Posted on 03-05-05 09:48 AM
Originally posted by MathOnNapkins
So what if somebody else gets attacked? If they didn't know about the problem, they will after the attack. I don't think it's better to let people idle away in ignorance of the insecurity of their boards.

You're right, and I'm sure that the posts here have spelled how insecure the board is but there's quite a difference between telling the people the board is insecure and telling people how it is insecure.

Most people just need to see a dead board (or many) and know this software is insecure. What people don't need are basically instructions on how to ruin more boards.


As Dan has pointed out, security by obscurity is not a good idea, and that is what you are proposing, Laxid.

Sorry, but these holes have existed for many many versions. Good idea or not, this is why more boards haven't been attacked. That editprofile one should work on all versions of acmlmboard which is why it was particularly bad to leak it.

I guess it all comes down to responsibility, how much fault does Dekker take if someone uses his good-intention to fuck over another board?

Hypothetically, if it was me who told the hacker that fucked over Xeogred's board how to do it, would he hold anything against me? (Considering I'm a suspect in all of this, I stress hypothetically!)

---

Originally posted by DarkSlaya
windwaker: Shut up, please. How do you think that those Acmlmboards are going to become more secure? By using magic? By being an idiot? I don't think so. Besides, we're not saying HOW to exploit the board, we're saying where those exploits are. (Note: These aren't the same. Those who could really hack already know where the exploits are, the others who don't know much about PHP wouldn't know unless they were told HOW to do it).


I'm not windwaker, but I could answer that. Acmlmboards tend to be more secure by people communicating with the dev team to patch up holes. As most people tend to go to the source to get new versions, sending your information there benefits more people and keeps that information to those who can actually do something about it.

And considering someone posted a link with examples on SQL injection and the patch discusses those exact areas, you guys basically told them how to use the exploit. Also, I'd disagree with anybody who already knows how to hack would already know the exploits. If that was the case, all of these exploits would already be fixed within the 4 years this board has been up around.


(edited by Laxidman on 03-05-05 01:39 AM)
dan

Posted on 03-05-05 02:12 PM
Yes, but the problem is, AcmlmBoard doesn't have a release schedule of any sort at all. Sure, the dev team could be fixing the holes, but it might be a year before a distributable version is available, if at all. Which is no use at all to anyone really.

So therefore, the only viable option is to talk about it, and hope someone knows how to fix the exploits. As for posting that link about SQL injection, last I checked, the PHP manual contains an article about SQL injection (hell, it may even be the same one, I'm not sure what link it is). Anyone with half a brain could find that article, as it is in a section with the heading 'security'.
Laxidman

Posted on 03-05-05 02:40 PM
True, but people could do what Xeogred did and contact the dev team to get the fixes from them. Talking about it isn't much of an issue either unless you're giving too much information. Saying holes exist that turn people into admins is not much of an issue, but telling people how to turn themselves into admins is quite a problem. I believe that post said it was done through sql injection but didn't specify where as opposed to this post that gives the exact problem areas.


As for posting that link about SQL injection, last I checked, the PHP manual contains an article about SQL injection (hell, it may even be the same one, I'm not sure what link it is).

It's that one that was posted here.

Anyone with half a brain could find that article, as it is in a section with the heading 'security'.

Same could be said with finding these exploits but you're overestimating people. I can say that because this board has been around for 4 years and we're now just being concerned over that topic and just as they've finally gotten around to fixing XSS attacks. These are things that have been problems for many many years which is why I was surprised this board never protected against them.


(edited by Laxidman on 03-05-05 05:43 AM)
Xeolord

Posted on 03-05-05 08:21 PM
Although you prove more than a few strong points Laxidman, seriously though, the "dev team" what is it? Jesper? ...

And I'm pretty sure I've contacted Jesper before about exploits I've found myself, and Dekker has too, since I talk to him regularly on AIM.

And sure, the dev team might be working on patching the board up, but as you can see this board received an upgrade recently, while there was no released version. So, as dan said, how do we really know when to expect another release?

And you are contradicting yourself Laxidman, since you stated "you" were the person who told whomever who messed with my board "how" to do so, yet you're arguing against that factor that people shouldn't discuss these things with anyone else other than those of the dev team.


(edited by Xeogred on 03-05-05 11:22 AM)
(edited by Xeogred on 03-05-05 11:23 AM)
Jesper
Posted on 03-05-05 10:21 PM
Read this, if you haven't already. It covers ground on how to fix the most serious exploits - as a general method rather than specific places, because specific places are *everywhere* - and what the dev team (which is currently just me, yes, but that might expand) is doing in terms of putting out a new dist.
Laxidman

Posted on 03-06-05 07:45 AM
Originally posted by Xeogred
And you are contradicting yourself Laxidman, since you stated "you" were the person who told whomever who messed with my board "how" to do so, yet you're arguing against that factor that people shouldn't discuss these things with anyone else other than those of the dev team.


I used that argument as a reason NOT to discuss it with other people outside the dev team.


I guess it all comes down to responsibility, how much fault does Dekker take if someone uses his good-intention to fuck over another board?

Hypothetically, if it was me who told the hacker that fucked over Xeogred's board how to do it, would he hold anything against me? (Considering I'm a suspect in all of this, I stress hypothetically!)


Read again.
----
I thought about your post a bit and realized something, do you actually think I actually told this hacker how to break into your board?

I mean, unless I'd assume you came to that conclusion if you didn't know what hypothetically meant, otherwise, this should have said I have no idea who this person is.

Think about it for a second, if I actually taught someone how to hack your board, would I be stupid enough to mention it? This hacker has probably said nothing in this thread because he's smart enough not to get caught.

I knew saying that hypothetical bullshit would've bit me in the ass, but I hoped you had enough sense to know I was making an argument.

One thing I'd have to ask though- what is your problem? Would it satisfy you if I was involved in an attack on your board? Because we can have a repeat of the Xkeeper incident, I should be covered in a legal sense because you gave me permission to, I'll invite Thaddeus and we'll have a grand ol' time. Considering that all of the holes I exploited in 1.8 have been likely fixed, I'll have to check for holes in whatever version you're using.

I just want to state this is not a threat, it is an offer to satisfy whatever grudge you have against me. All of these posts you seem to be dead set against me for reasons unknown. I thought I covered this shit already, but apparently, you choose to ignore it. So, I'm giving you an offer, do you want me to attack your board? With the attitude you're giving me, I have no problem complying. You'll have a security test that results in posts under Xeogred whose account name has been changed to <insert person you don't like here, which I suppose would be me>.

Listen, the only reason I even posted in this thread is because I expected people to point fingers at me since Tamarin had no qualms about doing so. As with Randy's case and usually with everyone else, they all got this long spiel about how it's their fault for being an idiot and using acmlmboard, but it seemed you already were aware of that kind of response so I didn't bother. I'm just trying to defend myself while arguing my beliefs.


(edited by Laxidman on 03-05-05 10:55 PM)
(edited by Laxidman on 03-06-05 05:30 AM)
(edited by Laxidman on 03-06-05 05:32 AM)
(edited by Laxidman on 03-06-05 05:33 AM)
(edited by Laxidman on 03-06-05 05:45 AM)
Xeolord

Posted on 03-06-05 10:16 PM
Laxidman: Didn't know my post was that offensive.

Honestly, I thought you said "Hypocritically" ...

And no, I don't have anything against you, and I don't know where you got that. I was only arguing, again and again, and I probably shouldn't have even made this thread.

So YES, I completely misunderstood your original post there and by myself thinking you said "Hypocritically" I did believe you meant you told this hacker what to do ... whether or not you want to believe my human mistake, is up to you.

But I guess I'm too late ...

Yay, for misunderstanding a post.


(edited by Xeogred on 03-06-05 01:16 PM)


AcmlmBoard vl.ol (11-01-05)
© 2000-2005 Acmlm, Emuz, et al


