« F**k the SMF project. F**k it up its stupid a**. <-- says Ar…
SM.org compromised
Arguments about the credits »

Arantor

  • As powerful as possible, as complex as necessary.
  • Posts: 14,278
Re: SM.org compromised
« Reply #15, on July 24th, 2013, 09:28 AM »
It is borderline to impossible to do it sanely, yes. You need to be able to keep the original content in an accessible fashion and whatever you do, the decryption key must by definition still in the database too... a hacker by definition can obtain all the content in the database to deal with it. Now, that doesn't rule out things like private/public key pairs but that does significantly ramp up the user usability issues, and that reduces their usability to only a few people; it would actually be easier just to remove the feature than worry about that because a feature that is so obtuse for users probably shouldn't exist; most people don't understand what private/public keys are, or why they would have to use them.

I don't really see how a site owner can be sued when he is legally responsible for all content on the site including private messages but the easiest way to solve that is to have a clause in the registration agreement that says the site owner has the ability to do so should it be necessary... users agree to it when they register. That said, investigating PMs without due cause is always tricky ground.
When we unite against a common enemy that attacks our ethos, it nurtures group solidarity. Trolls are sensational, yes, but we keep everyone honest. | Game Memorial

Pandos

  • Living on the edge of Wedge
  • Posts: 635
Re: SM.org compromised
« Reply #16, on July 24th, 2013, 09:46 AM »
No, there's no way here in Germany to deal with it by adding a clause in registration agreement. This will be an infringement of privacy for which you can easily get punished by law.
The only way it is allowed to read PM's is that the user explicitly grant you access to it. This don't work globally!



There is a very good LAW-Podcast here ein Germany for all that are interested:
http://www.law-podcasting.de/darf-ein-foren-admin-die-privaten-nachrichten-der-user-lesen


So i think this will grow up to an serious problem in the near future.


Removing PM is not the way to go, because everyone loves PM :)
# dpkg-reconfigure brain
error: brain is not installed or configured

Dragooon

  • I can code! Really!
  • polygon.com has to be one of the best sites I've seen recently.
  • Posts: 1,841
Re: SM.org compromised
« Reply #18, on July 24th, 2013, 11:00 AM »
One thing that can probably work is having a separate password for PM acting as a private key, anything else is more or less slowing things down.
The way it's meant to be

Arantor

  • As powerful as possible, as complex as necessary.
  • Posts: 14,278
Re: SM.org compromised
« Reply #19, on July 24th, 2013, 05:40 PM »
If you do that per user, you have to maintain copies for each PM/each user. And if you then change the password you have to rebuild the message (decrypt it with the old password, reencrypt it with the new one)

Doing it per message does the job but if they already get the database and get the encrypted data, boom, they already get all the keys too.

Regarding the legal status of PMs, I'm not being funny but that really isn't our problem. We cannot police what users do or don't do with our software. It is the user's responsibility to comply with their local laws. We don't give them anywhere that they can actually do it so they have to access the database. Now, if they do, that's up to them. The chances of *accidentally* seeing it in the database are so negligible it's not even worth contemplating (the only way it is possible is if you accidentally see it in the database backup SQL file... and we don't have a database backup feature)

The method described in that mod for vBulletin is one that has been discussed before and if you bothered to even read it properly it would tell you what it does and why it simply isn't suitable. All it does is encipher (not even encrypt) the content and since it's decodable trivially, it really is no better than leaving it unencoded in the first place. And if we add it to Wedge, the method by which this is handled will be entirely visible anyway... so all it actually prevents is admins who aren't entirely above board in the first place (who wouldn't actually install it)... in other words, for every use for which the plugin is designed, it's actually useless from a practical standpoint and constitutes security theatre.[1]

I realise this is important to you but I feel you're just not listening to the points I'm making.
 1. Something which by its existence and use leaves people believing they are more secure than they actually are. It is one thing to be insecure, it is something else to be insecure whilst believing you are secure. This is mostly the latter.

Pandos

  • Living on the edge of Wedge
  • Posts: 635
Re: SM.org compromised
« Reply #20, on July 24th, 2013, 06:43 PM »
I can totally understand your point of view and I'm with you.



For me (and perhaps others) this would be a chance to be compliant with the (local) law.
Even if you don't do it, nevertheless there's a way to do you evil and to bring you in trouble.
Just a thought:
How can you prove that you don't do it if someone else accused you to do it? ;)



xrunner

  • Posts: 192
Re: SM.org compromised
« Reply #21, on July 25th, 2013, 12:18 AM »
My bank uses some kind of extra check where if you log in from an "unknown" computer, it asks you verification questions. So even if your password is stolen it can't be used on another computer without knowing the answers to very specific personal security questions. It's too bad that technology isn't available to all, but it probably adds a lot of complexity.
My Forum - Atheist Think Tank

Hristo

  • Posts: 19
Re: SM.org compromised
« Reply #22, on July 25th, 2013, 04:14 AM »
@xrunner My bank used to require from us to download a certificate file and to install it in the browser. If you are using browser without certificate you can't login. But this method was deprecated, now they require digital sign. SMF's Login Security mod offers some additional protection - user defined IP range of which he/she can login.

Arantor

  • As powerful as possible, as complex as necessary.
  • Posts: 14,278
Re: SM.org compromised
« Reply #23, on July 25th, 2013, 07:25 AM »
Quote from Pandos on July 24th, 2013, 06:43 PM
For me (and perhaps others) this would be a chance to be compliant with the (local) law.
Even if you don't do it, nevertheless there's a way to do you evil and to bring you in trouble.
Just a thought:
How can you prove that you don't do it if someone else accused you to do it? ;)
You can't, of course. But however it is encrypted, it must be design be decryptable, and by consequence it must be accessible by the admin. All we're dancing around right now is how difficult it is for the admin to do that. Right now there's no block other than the knowledge simply to access the relevant part of the database. Enciphering or encoding elevates the bar but it just means someone will write a plugin to bypass it. Just because such a plugin is not permitted on sm.org does not mean it does not exist (in fact it was even written and published on sm.org for 1.0.x many moons ago), and a PM spy type mod will exist anyway. Ultimately this is still security theatre and if it ever comes up that someone has to defend it for Wedge, I will explain the issues with it from our point of view. There should not be an expectation of privacy beyond whatever the admin wants to give.
Quote from xrunner on July 25th, 2013, 12:18 AM
My bank uses some kind of extra check where if you log in from an "unknown" computer, it asks you verification questions. So even if your password is stolen it can't be used on another computer without knowing the answers to very specific personal security questions. It's too bad that technology isn't available to all, but it probably adds a lot of complexity.
That's sort of the point. How much security is too much security? There is also a world of difference between a typical forum and a typical bank. But it's possible to have a bank too secure to allow you to use it, which is not really that much use to you, and a feature that's too complicated to use is not really worth it.
Quote from Hristo on July 25th, 2013, 04:14 AM
@xrunner My bank used to require from us to download a certificate file and to install it in the browser. If you are using browser without certificate you can't login. But this method was deprecated, now they require digital sign. SMF's Login Security mod offers some additional protection - user defined IP range of which he/she can login.
It's interesting, sure. One thing I would note is that it would be possible to add these sorts of things to Wedge as a plugin. The Login Security mod is actually not as effective as it might sound, depending on how flexible your IP address is and it is entirely possible to lock yourself out of your admin panel and have to resort to DB edits to get back in... the problem then with us adding that is that we'll be the ones who have to help people who get into that situation and to be honest that's really not something I want to encourage.
Re: SM.org compromised
« Reply #24, on July 25th, 2013, 10:00 AM »
Just to add, I posted this to the end of the debate where people are talking about making the hashes harder.
Quote
Much as I hate to get involved, someone who I owed a favour to asked me to comment.

Firstly, you're incorrect about some of your assertions. The salt you're referring to is not used to compute the password hash. The password in the database is stored as SHA1(strtolower(username) . password) and has been for a very long time in SMF. No extra table is required for this. Oh, and if you notice, it's not actually 'rolling their own'. It's following standard practice (take the password, add something that's account specific and hash that)... and in ANY case the salt would be useless if it were used because it's RIGHT THERE IN THE TABLE. It's only any use if it's otherwise an unknown, but since it's not an unknown element, because it's right there in the table, it doesn't really help any since you already have to construct a rainbow table for every account in the first place.

Secondly, not all hosts are currently using 5.3.7 and up. There are still some very major hosts running 5.2 and in fact some hosts still offering 4.4 hosting for the time being, even though 5.3 itself is officially maintenance only now, and most of SMF's typical demographic applies to those because they're the budget end of the market. So that's not really something SMF can implement in a realistic fashion, but I guess reality of lots of support requests (and there are already multiple requests per day related to one really poor free host and their limitations, but hey, let's add a crap ton more!) is irrelevant.

Thirdly, I don't believe you understand what it means by 'decrypting the password'. It is mathematically impossible to actually decrypt the password hashed by a digest hash like SHA1. What you do is find something that when combined with the username and then hashed will give you the same hash as what you're looking for... that means potentially multiple passwords will actually work because you're not looking to find the original, you're merely looking for a collision. You may want to search for multiple collisions for this very reason.

Fourthly, it is well researched and documented that most people suck at choosing passwords. A 2011 study (whose link I can't immediately find) found that 'password' was still by far the most common password, followed by '123456' and direct variations of that. Breaking into systems can be done with that fairly easily.

Incidentally, pushing everything to bcrypt may not be the smartest idea in the world. If everything is pushed to bcrypt and a *single* vulnerability is found, suddenly a lot more targets are actually located. Having everything in a slightly different form does at least have some benefits with respect to lowering the immediate attack vector options. There is a little comfort - but very certainly not a lot - from security through obscurity, but it is no substitute by any means for real security.

Thing to note: the system is only ever as strong as the people who hold the keys to it. It is often significantly easier to leverage a weakness in a person rather than in the technology under them, as was done here, to leverage the access to perform queries on the database. Once the database is compromised, best security practice is to assume it is *always completely compromised* even if the data is encrypted with the strongest possible methods, because you never know what resources the intruder has to break that.

Consider: this attack was to force an admin's account. If there was no way to run arbitrary code through some fashion with an admin's account or to pull a database backup of some kind, there would be less risk. In fact, if there is no method by which to run arbitrary code or pull a database backup without server access directly, you need to do more than brute force that account, and proceed to brute force a server account. If someone's already gotten into the server itself, assume everything is compromised anyway because by definition it is.

The whole thing about hashes is only an issue if someone gets into the server or otherwise can obtain raw access to the tables and right now there are ways by which an admin can do just that, either by splicing code into template files, or by uploading a package. Stronger controls need to be added to these to prevent arbitrary code being able to be run with just an admin's account, for example enforcing upload via FTP of plugins (as other software does), as well as limiting the ability to run arbitrary code from the admin panel by removing the ability to edit files from said admin panel and enforcing use of either hosting control panel or FTP download/local editing.

I see where you're going but honestly you're picking on one of the stronger links in the chain. There are far, far many more issues to consider... like how on a number of shared hosting setups it is actually possible for your setup to be hijacked as soon as you install a mod. Or how in a number of shared hosting setups it's possible for your entire database to be compromised and with you not being able to do *anything* about it whatsoever. But of course these are minor considerations when compared to worrying about what will happen when a hacker gets in... I'd personally prefer to keep them out in the first place where possible, rather than tightening up what happens when they already have. (Not that you shouldn't ALSO do that, but in terms of priority, it's really a secondary consideration. Don't worry about locking up the family silver if the front door is already unlocked.)
You'll note that at least some of those things I talk about are already done in Wedge ;) There is no backup facility and plugins have to be uploaded via FTP (even if Wedge does it for you, it's still doing it via FTP and inheriting permissions while doing so, there's no point where files are made writable)

On this matter, I can make the case for upgrading to bcrypt just as I can (and did) make the case against it. I'm not averse to upgrading the password security at all, and I do believe the benefits outweigh the cons here, but there are more changes to the architecture that I want to make to support this. I don't want to discuss my changes at this time because I don't believe it is relevant to this discussion and I'd really rather not divert this discussion too far.

nend

  • When is a theme, no longer what it was when installed?
  • Posts: 165
Re: SM.org compromised
« Reply #25, on July 26th, 2013, 11:03 PM »
I noticed the post at SMF shared on my FB. Seems like I have been away for far too long. However the attitude is still the same.

You would think they would of had the database dump and package manager disabled. But SMF can do no wrong and everything is OK how it is. According to them this is not the way they got the information, I don't know of any other way at this time.

Idea to mind why not create fake admin accounts with fake stats and anybody that tries to log into it ban them for a while.
SI Community

Auk

  • Can I get a Box?
  • Posts: 64
Re: SM.org compromised
« Reply #26, on July 27th, 2013, 02:02 AM »Last edited on July 27th, 2013, 02:36 AM
@nend, why would they need fake admin accounts? I read about security practice of this, known as "honey pot" IIRC. While there are some benefits, I do not like the idea of having traps set up for would-be hackers. IMO, in a way, it's like a false sense of security. If anything, the would-be hackers will learn what happened and figure your game, then to try something else.

Nothing is more despicable than respect based on fear.

Arantor

  • As powerful as possible, as complex as necessary.
  • Posts: 14,278
Re: SM.org compromised
« Reply #27, on July 28th, 2013, 03:02 AM »
I know more of the story but cannot reveal details without breaking certain confidences.

What I will say, though, is that the DB backup on a database that size is useless and the package manager was not the method by which the database contents were exploited. The method by which arbitrary PHP code was run is a method I've long known about and suggested as a possible vector on more than one occasion, and it is a feature in the admin panel that I have thought should have been revoked by now. Wedge hasn't because there are still a number of questions around that particular feature.

live627

  • Should five per cent appear too small / Be thankful I don't take it all / 'Cause I'm the taxman, yeah I'm the taxman
  • Posts: 1,670
Re: SM.org compromised
« Reply #28, on July 28th, 2013, 03:45 AM »
Quote
I know more of the story but cannot reveal details without breaking certain confidences.
And I think I can guess it.
A confident man keeps quiet.whereas a frightened man keeps talking, hiding his fear.

Arantor

  • As powerful as possible, as complex as necessary.
  • Posts: 14,278
« F**k the SMF project. F**k it up its stupid a**. <-- says Ar…
Arguments about the credits »