Show Likes

This section allows you to view all posts where this member received or gave a like to.

1
The Pub / Re: So where can I download Wedge?
ChalkCat « on August 26th, 2013, 10:05 PM »
Umm... you all do realise that this is just my daft hello topic, and the ironic thread title was chosen just to make the devs roll their eyes in despair then chuckle with relief as they realised I was only pulling their legs..., don't you?  :whistle:
2
Other software / Re: SM.org compromised
markham « on August 4th, 2013, 07:06 PM »
Quote from Arantor on August 4th, 2013, 06:55 PM
Quote
This is my last post here over a year ago
Yes, because May 12, 2013 is more than one year ago.
So you are the new Doctor Who and posting from the future! :eheh: (Sorry, Pete, I couldn't resist!)

3
Other software / Re: SM.org compromised
Kindred « on August 4th, 2013, 09:53 PM »
rotflmfao...


OOPS.... caught out.

1- http://www.simplemachines.org/community/index.php?action=profile;u=204928
Last Active:    July 20, 2013, 01:30:42 PM
(also, the IPs used to access this account have not varied)

2- yup... as Arantor says, you've been consistently telling us how terrible the team is because we wouldn't believe that your dad was dead.

3- Nope... 2.0.4 did not patch anything that "your father" reported... Do you know why? Because he complained and moaned, but never ONCE gave anyone on the SMF team an actual security report with any evidence of a vulnerability except for his continual claim that "it is there, I just can't tell you where".

4- Interesting that, if your account was compromised, all of the posts continued to use the exact same posting style and complaints that both you and "your father" use...

5- ...  well, I'll just call BS at this point.

Arantor,  to get back to the actual point.  Yeah, we all agree that there was a slip up there as well.  Sleepy has actually just rejoined the site team with some ideas about doing something about that and some ideas on adding a double layer security protocol for the admin, if not for anything else.

While this was not a vulnerability in SMF itself, we all admit that we have some egg on our faces...   our only consolation is that we're not the only ones in this boat.
4
Other software / Re: SM.org compromised
Arantor « on August 4th, 2013, 09:59 PM »
Nice summary, Kindred, covers everything that's been going on ;)

Yeah, the whole writable-files thing is an issue and it's been an issue since forever. Part of the reason I guess I'm more hardline about it is because I deliberately spent time making that a non-issue in Wedge; every step in Wedge's plugin chain is about not having files be modified, specifically to ensure permissions never get elevated. But the price, of course, is flexibility, and I've not exactly lost sleep over that decision.

I'm interested in the concept of a double layer security protocol, essentially forcing admin access to be either IP bound (or at least white listed) and/or two-factor authentication. Unfortunately it's not something we can easily adopt as standard beyond IP whitelisting for the obvious reason that both SMF and Wedge typically get deployed on shared hosts and shared hosts typically are the lowest hanging fruit.