Toribash
Originally Posted by Eagleon View Post
So who does?

That would be hampa - game owner/developer.
Telling people to change their passwords etc is about the most that the staff here can do. As moderators and community managers they don't predominantly deal in firefighting and security things.

I'm guessing full details haven't been released because they're not fully known. It's possible that the perpetrator obtained an old copy of / a part of the database, in which case they would have access to birthdays, emails etc. if that data has been provided here. Contrast that to if they managed to abuse XSS somehow or used phishing, then they would typically only obtain login info (and full details of specific targeted/compromised accounts).

I agree that it hasn't been handled optimally and to be frank the security here could be a lot better and seems to just be kept the way it is for...some reason? I don't know really. Security changes seem to be reactionary instead of precautionary as they should be.
Examples of obvious stuff: Toribash uses a vbulletin version from 2009. We don't have SSL (though it's hopefully on the way). There's no login attempt limit in the game client. Etc etc. So if you want to get angry at anyone aim for the top. Put enough pressure on and maybe it'll be enough to incite change.
I don't know if it was disclosed at the time and maybe I didn't notice, but the full db getting leaked is something that should have been disclosed for sure.


At the very least staff should disclose the extent of the damage. In this thread some new information about the recent attacks has been released, but why isn't that info compiled in a news thread or on the notices?
<Faint> the rules have been stated quite clearly 3 times now from high staff
Originally Posted by Eagleon View Post
"And please, while I recognise that this is frustrating, let me remind everyone not to take this out on the smods or even the administration. Contrary to popular belief we have little control and say over security/servers/more complex developmental matters and additions/logs etc. We work with and deal with lots of front end forum and community matters and that's pretty much what we're limited to. :s "

So who does? I got a very short email from toribash three days ago. I've waited for more information, but I'm not seeing anything else about the breach. That's not acceptable.
:s
http://blog.eyewire.org/security-dat...on-2016-02-23/ <- this is how you handle a security breach. Not "Change your password, everywhere. We're looking into it, we promise. We hope nothing bad is happening!" Details about whether the passwords were encrypted, whether the encryption used salted hashes, what information might be compromised other than generic "privacy", etc. This isn't information that you keep to yourselves to further your "investigation," you can't keep it to yourself to catch the bad guy (if the police are requesting that you not release it, say so!); this is vital information for your users' own security. I gather passwords "may or may not" be compromised, but emails? Names? Birthdays? All of these things can be used to steal a person's identity and ruin their lives using other breached databases, and the only defense is rapid response from the individuals affected. Worse yet, game websites are often places kids congregate, kids that may not even know that something as innocuous as their birthday can be used to destroy them years later. Criminal negligence is a thing.

If you can pass this on to the people that have the information behind this breach, that would be appreciated. I really love your game, I think it should be on school computers for what it does to teach analytical thinking about motion, but if you don't understand how serious people's personally identifiable information is, I seriously question whether you should be collecting it.

Yes, passwords are encrypted. Yes, it is a salted hash algorithm. It's definitely safer to assume the passwords are compromised still. As for personally identifiable information, the only thing we actively attempt to require of users is an email address; everything else is optional (though I will bring up the possibility of disabling that collection entirely, since it is true that there isn't terribly much point to it). It is unfortunately safe to assume that the user table was compromised, meaning that anything directly associated with your profile is at least somewhat suspect.

That is the information I can give out without adversely affecting our attempts to improve our security and with the knowledge I have on hand. A staff member more directly associated with server security almost certainly knows more about the situation.
Squad Squad Squad lead?
The standardization of Toribash Squad roles may have gone too far!
Originally Posted by ImmortalPig View Post
Not even national security clearance in my country requires 7 day / 14 day password expiry, actually I think most people in security would agree that's far too aggressive. At best it's a bandaid fix, the underlying problem is lack of security on the server side.

For example, cooldown on repeated guesses is not aggressive enough allowing people to bruteforce. Or allowing people to login with far away IPs without email verification (which is weird because we used to have that feature, I used to get location verification emails). Or allowing a password change without email verification (why does this exist?!).

These are very basic security measures, and I know that there is the capacity to carry them out, because either they are done already (but badly) or they were done in the past (but apparently removed), and because all the information exists (email has been a required field for a few years now).

These are the very basics that I would expect from any website, let alone one that has had consistent problems and regular forced global password resets...


If you rely on volunteer staff with limited power to manually enforce your security that is worrying in itself!

Originally Posted by Solax View Post
That would be hampa - game owner/developer.
Telling people to change their passwords etc is about the most that the staff here can do. As moderators and community managers they don't predominantly deal in firefighting and security things.

I'm guessing full details haven't been released because they're not fully known. It's possible that the perpetrator obtained an old copy of / a part of the database, in which case they would have access to birthdays, emails etc. if that data has been provided here. Contrast that to if they managed to abuse XSS somehow or used phishing, then they would typically only obtain login info (and full details of specific targeted/compromised accounts).

I agree that it hasn't been handled optimally and to be frank the security here could be a lot better and seems to just be kept the way it is for...some reason? I don't know really. Security changes seem to be reactionary instead of precautionary as they should be.
Examples of obvious stuff: Toribash uses a vbulletin version from 2009. We don't have SSL (though it's hopefully on the way). There's no login attempt limit in the game client. Etc etc. So if you want to get angry at anyone aim for the top. Put enough pressure on and maybe it'll be enough to incite change.


I agree with ImmortalPig, and what worries me is the fact that he hacked staff; that is either him proving a point or he/she has balls down to the floor,
but I do trust the Toribash staff. It is just worrying to all of us that have invested a lot of time here just to have it taken away by some asshole that doesn't care. And Solax, I realize hampa can do stuff like that, but with Erth and all of them being Admins, wouldn't they have some higher degree of power than the rest of the staff members trying to help with this?
Last edited by TyphoN; Feb 26, 2016 at 02:07 PM.
I'm the Event Squad Admin. I am also an ex-Clan Squad member. Have any questions about clans or otherwise? PM me.


Discord: Typhus#0201
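The two controls argued over in this thread, the salted hash the staff reply says the passwords are stored with and the login-attempt limit / cooldown that Solax and ImmortalPig say the client and site lack, put together as one added example. This is not Toribash's or vBulletin's code; the PBKDF2 work factor, the five-attempt threshold, the doubling cooldown and the sample usernames and passwords are all assumed values chosen for the illustration.

```python
import hashlib
import hmac
import os
import time

# Constructed illustration (not Toribash's or vBulletin's code): salted,
# iterated password hashes plus a per-account failure counter with an
# escalating cooldown, the "login attempt limit" the thread says is missing.

PBKDF2_ITERATIONS = 100_000   # assumed work factor; tune to ~100 ms per hash in production
MAX_FREE_ATTEMPTS = 5         # assumed: failures tolerated before throttling starts
BASE_COOLDOWN = 2.0           # assumed: seconds, doubles with each further failure
MAX_COOLDOWN = 900.0          # cap the lockout so an attacker cannot lock a victim out for days


def hash_password(password: str, salt: bytes = None) -> str:
    """Hash with a fresh 16-byte random salt; format: algo$iterations$salt_hex$digest_hex."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return "$".join(["pbkdf2_sha256", str(PBKDF2_ITERATIONS), salt.hex(), digest.hex()])


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


# Checked for unknown usernames so a missing account costs the same time as a wrong password.
_DUMMY_HASH = hash_password("not-a-real-password")


class LoginService:
    """In-memory stand-in for the user table plus the throttling state."""

    def __init__(self, clock=time.monotonic):
        self.clock = clock        # injectable so the cooldown can be tested without sleeping
        self.users = {}           # username -> stored hash string
        self.failures = {}        # username -> consecutive failed attempts
        self.locked_until = {}    # username -> clock reading when the cooldown ends

    def register(self, username: str, password: str) -> None:
        self.users[username] = hash_password(password)

    def login(self, username: str, password: str) -> str:
        """Return 'ok', 'bad' or 'cooldown'. Throttled attempts are rejected before any hashing."""
        now = self.clock()
        if now < self.locked_until.get(username, 0.0):
            return "cooldown"
        stored = self.users.get(username)
        if stored is None:
            verify_password(password, _DUMMY_HASH)   # burn the same time; result is ignored
            ok = False
        else:
            ok = verify_password(password, stored)
        if ok:
            self.failures.pop(username, None)
            self.locked_until.pop(username, None)
            return "ok"
        count = self.failures.get(username, 0) + 1
        self.failures[username] = count
        if count >= MAX_FREE_ATTEMPTS:
            delay = min(BASE_COOLDOWN * 2 ** (count - MAX_FREE_ATTEMPTS), MAX_COOLDOWN)
            self.locked_until[username] = now + delay
        return "bad"


def demo() -> dict:
    """Drive a guessing attack against a fake clock and record what the service answers."""
    now = [0.0]
    svc = LoginService(clock=lambda: now[0])
    svc.register("alice", "correct horse battery staple")   # constructed sample account

    burst = [svc.login("alice", "guess%d" % i) for i in range(8)]   # 5 hashed failures, then throttled
    now[0] += 2.0
    after_first_wait = svc.login("alice", "guess8")                  # cooldown over; fails, window doubles to 4 s
    retry_too_soon = svc.login("alice", "guess9")                    # still inside the 4 s window
    now[0] += 4.0
    real_login = svc.login("alice", "correct horse battery staple")  # correct password clears the counter
    unknown_user = svc.login("nobody", "anything")                   # same answer as a wrong password
    return {
        "burst": burst,
        "after_first_wait": after_first_wait,
        "retry_too_soon": retry_too_soon,
        "real_login": real_login,
        "unknown_user": unknown_user,
        "failures_after_success": svc.failures.get("alice", 0),
        "hash_sample": hash_password("x", salt=b"\x00" * 16),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The cooldown is keyed by account rather than by source IP, which is what stops a distributed guessing run against one user; in a real deployment the counters would live in the database or a shared cache rather than in memory, and the cap on the delay is there so that the throttle itself cannot be turned into a denial of service against a targeted player.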
splish splash Aeon is still trash
Uhm, another thing: "7 days old password change". This is getting seriously weird. 7 days and you make us change our passwords again? That's insanity.
A forced password change every week? Have there been more hackings?
There has to be something other than that we can do.
i suck