Important: We did not send an email asking for donations - scam alert

Condobloke (Well-Known Member):
I made a comment up above. I note that @f33dm3bits asked a similar question.

 


Rob (OP, Administrator, Staff member):
> @Rob I think it would be a good idea to have the admin accounts use two-factor authentication. I actually use it for my account here as well since it's an option. That way, if they get your password because you have a weak one, they won't be able to log in since the second factor is still needed. And if possible it may be a good idea to limit admin access to whitelisted IP addresses.
Yes, all mods/admins are now using 2FA. I had been for a while, but didn't enforce it.
 
Rob (OP, Administrator, Staff member):
> Thanks @Rob for all you do that many will never see. Hope the one who did this will be rewarded by being banished from all forums some day. In any event, it is good to have the forum back up and running. Again, thank you!
Thanks, but I don't do very much. It's the @KGIII's and @wizardfromoz's and you guys that keep this forum going.
 
Rob (OP, Administrator, Staff member):
> @Rob have our e-mail addresses been compromised? Do I need to change my e-mail address so that I don't get future spam? I know this message was sent through the board forums, but I'm not sure if this person who had admin access also made a database dump?
Luckily our "user exporter" within XenForo seems to be broken, lol... so I'm gonna say, since it was just the backend and not actual DB access, we're all good.
 

KGIII (Super Moderator, Staff member, Gold Supporter):
I connect with a VPN, often from America!

I am right this minute using a US server!

(It wasn't me. I'd never spell that poorly.)
 

Brickwizard (Well-Known Member):
> (It wasn't me. I'd never spell that poorly.)
What immediately grabbed me was the "Z" instead of "S", all block caps, and shite punctuation. I dismissed spelling, as most people [including me] make mistakes.
 

KGIII (Super Moderator, Staff member, Gold Supporter):
Also, I think it goes without saying, but I'll say it anyhow: I'd never do anything to harm the site. My days of misbehaving online are well behind me.
 

Brickwizard (Well-Known Member):
Was there any data leaked? From Rob's earlier post:
> @Rob have our e-mail addresses been compromised? Do I need to change my e-mail address so that I don't get future spam? I know this message was sent through the board forums, but I'm not sure if this person who had admin access also made a database dump?
> Luckily our "user exporter" within XenForo seems to be broken, lol... so I'm gonna say, since it was just the backend and not actual DB access, we're all good.

From what has been said, we lost a day's worth of posts when the system was rebooted to the last timestamp.
 

KGIII (Super Moderator, Staff member, Gold Supporter):
That is correct. The email exporter doesn't work, so the jackass wasn't able to escape with email addresses.

It is also correct that we lost a "day's worth of posts", give or take a few hours. As far as outcomes go, it wasn't too terrible.

Changes have been made to at least close the hole used by the jackass (they don't rise to the level of 'hacker' in my view).

If you care about your account, I strongly urge you to use a complex password that you do not use at any other site, and that you enable 2FA for your account. You can have the code sent to your email, or you can use an application on your phone as your second 'factor' in authentication. If you're doing it with your email, and I can't stress this enough, do not reuse the same password you used here.

Even though the passwords here are almost certainly salted and hashed, they can still be recovered with something known as a 'rainbow table attack'. Then, one of the worst things people do is use the same password for multiple accounts. That's a horrible idea, for what should be obvious reasons.
 

CrazedNerd (Well-Known Member):
I have email notifications turned off for this site, which is probably why I didn't get one. It wouldn't have worked anyway, because my net worth in bitcoin is exactly $0.
 

MikeWalsh (Member):
> @Rob I think it would be a good idea to have the admin accounts use two-factor authentication. I actually use it for my account here as well since it's an option. That way, if they get your password because you have a weak one, they won't be able to log in since the second factor is still needed. And if possible it may be a good idea to limit admin access to whitelisted IP addresses.
Not a bad idea at all. When BleepingComputer set up their own Discord server a couple of years back, those of us mods who regularly drop in can only do so via.....you guessed it!.....2FA.

One of our number is currently bemoaning the fact that she can't log in, due to NOT having a smartphone.....and Discord only do smartphone authentication. It used to be via SMS or email too, till around 18 months ago, then it was all change overnight.

I also possess only a dumb-phone, but I last logged in via 2FA through a text message nearly a year ago. 'Twas around that time I discovered the availability of Discord's 'backup codes'; so long as you keep a 'current' list of 10 backup codes, every one of those codes will log you back in with the same 2FA 'status' as your last official login.

Works for me.


Mike. ;)
 

Condobloke (Well-Known Member):
The only drawback I see with the current 2FA on Linux.org is that it keeps you logged in via 2FA for a certain number of days....30??

Does that mean if a password is on the weak side and is cracked/guessed, that the perpetrator can log into the site/steal the email address.... and create mayhem because the 2fa is taken care of for a period of time ?

I hope that was explained clearly enough !
 

KGIII (Super Moderator, Staff member, Gold Supporter):
> Does that mean if a password is on the weak side and is cracked/guessed, that the perpetrator can log into the site/steal the email address.... and create mayhem because the 2fa is taken care of for a period of time ?

No. They'd be logged out and have to log in. The login will require 2FA. You can test this by going to another browser instance and attempting to login. It will require the second factor.

Now, if they had access to your email (not just the name, but password and all) they could certainly login as you - unless you use the phone app. In which case they'd need your phone in an unlocked state to provide the second factor.

If they could perform some sort of cookie hijack, they might be able to login as you, but that's asking a little much. While possible, it usually requires some vulnerability in the underlying software and something like CSS (cross site scripting) to collect your cookies. While possible, that's not all that likely.

I'm pretty sure...
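As an added example (not Linux.org's or XenForo's code) of the point above and of the 30-day "remember this device" checkbox discussed in the thread: the exemption is a signed, expiring token that lives only in the browser that already passed 2FA, so a new browser instance, a tampered or expired token, or a token issued to a different account still has to present the second factor. SERVER_KEY, TRUST_DAYS and the function names are assumptions.

```python
# Added example, not Linux.org's or XenForo's code: the "remember this device
# for 30 days" 2FA exemption modelled as a signed, expiring token in the browser.
import base64
import hashlib
import hmac
import json
import time

SERVER_KEY = b"constructed-server-secret-never-sent-to-the-browser"   # assumption
TRUST_DAYS = 30                      # the window discussed in the thread
TAG_LEN = hashlib.sha256().digest_size

def issue_device_token(user_id: str, now: float = None) -> str:
    """Issued only after both the password and the second factor succeeded."""
    now = time.time() if now is None else now
    claims = {"u": user_id, "exp": int(now + TRUST_DAYS * 86400)}
    payload = json.dumps(claims, sort_keys=True).encode()
    tag = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(payload + tag).decode()

def device_is_trusted(token: str, user_id: str, now: float = None) -> bool:
    """True only for an authentic, unexpired token bound to this account."""
    now = time.time() if now is None else now
    try:
        raw = base64.urlsafe_b64decode(token.encode())
    except ValueError:
        return False
    if len(raw) <= TAG_LEN:
        return False
    payload, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
    expected = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):   # forged or tampered token
        return False
    try:
        claims = json.loads(payload)
    except ValueError:
        return False
    return claims.get("u") == user_id and now < claims.get("exp", 0)

def login_step(password_ok: bool, user_id: str, device_token: str = None,
               second_factor_ok: bool = False, now: float = None) -> str:
    """One login attempt: 'denied', 'need_2fa' or 'ok'."""
    if not password_ok:
        return "denied"
    if device_token and device_is_trusted(device_token, user_id, now):
        return "ok"           # same browser, inside the 30-day window
    if second_factor_ok:
        return "ok"           # new browser instance, second factor supplied
    return "need_2fa"         # a guessed password alone stops here
```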
 


wizardfromoz (Administrator, Staff member, Gold Supporter):
> The only drawback I see with the current 2fa on L:inux.org, is it keeps you logged in via 2fa for a certain number of days....30??

Brian, I am currently using the 2FA directed to email, and of course I have a different password. Under that regime, it offers for me to check a box if I want to allow the device for 30 days. Does it not do that with a mobile (cell) phone?

Wiz
 

rado84 (Well-Known Member):
> using a weak password from one of our administrators
Yeah, that's a common problem with many system administrators - the use of a ridiculously weak password. :D :p
 

Condobloke (Well-Known Member):
Chris, yes it does give that option. I wondered if that was, in fact, a weakness. As David pointed out, it is not.

I use Bitwarden for storing passwords

I also use pwgen in terminal to generate them (bitwarden has a password generator as well)

I created an alias to save typing out the blurb each and every time i need a new password.

pwgen -snycB1 21 6 ....gives me...

$ pwgen -snycB1 21 6
zn3b]NY*/&*+*#x9|J:,,
3=(UNkMj(|MvE{'i|%TY,
h%J"!j<3ar&^/[%/.b|w;
9(veVeesNsJgv('<Nn"{}
:"T/pXj%ohL./u$o)?h;7
[NvoecuC<w4P*d>MuXzgF
$

6 passwords....21 characters long.

Bitwarden remembers them with ease.
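An added example, not pwgen's own code, that reproduces the policy the flags in `pwgen -snycB1 21 6` ask for (random characters, at least one digit, capital and symbol, no look-alike characters) using Python's `secrets`, and can check the six passwords shown above against that policy. The exact look-alike set and the function names are assumptions.

```python
# Added example, not pwgen's code: the policy behind `pwgen -snycB1 21 6`
# (-s random, -n digit, -c capital, -y symbol, -B no look-alikes) with `secrets`.
import math
import secrets
import string

AMBIGUOUS = set("B8G6I1l0OQDS5Z2")   # assumption: the look-alikes -B is meant to drop
SYMBOLS = string.punctuation         # covers every symbol visible in the thread's output
POOL = [c for c in string.ascii_letters + string.digits + SYMBOLS if c not in AMBIGUOUS]

def meets_policy(pw: str) -> bool:
    """-n: a digit, -c: a capital, -y: a symbol, -B: nothing ambiguous."""
    return (any(c.isdigit() for c in pw)
            and any(c.isupper() for c in pw)
            and any(c in SYMBOLS for c in pw)
            and not any(c in AMBIGUOUS for c in pw))

def generate(length: int = 21, count: int = 6) -> list:
    """Rejection sampling: each kept password is drawn uniformly from POOL**length
    and only discarded when it misses a class, so no position favours a class."""
    out = []
    while len(out) < count:
        pw = "".join(secrets.choice(POOL) for _ in range(length))
        if meets_policy(pw):
            out.append(pw)
    return out

def entropy_bits(length: int = 21) -> float:
    """Guessing work for a uniform pick: 21 characters from a 79-symbol pool is ~132 bits."""
    return length * math.log2(len(POOL))
```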
 