Author |
Topic |
RichardKinser
Snitz Forums Admin
USA
16655 Posts |
Posted - 05 December 2002 : 03:16:14
|
What would you suggest that we test? You mention a vulnerability, do you know what it is? Because I sure don't. |
|
|
richfed
Average Member
United States
999 Posts |
Posted - 05 December 2002 : 05:50:02
|
Richard ...
I have no idea what is going on, nor can I claim to fully understand the frustrations you appear to be feeling ...
All I can say is, since I have been a part of the web community that uses Snitz Forums, you have seemed to be the glue that holds this place together. Don't think for a minute that your "services" go unappreciated!
Thanks for all you do! |
Rich
A Complete Idiot's Guide to MOD Implementation || On the Trail of the Last of the Mohicans |
|
|
LadyTatjahna
Starting Member
Canada
6 Posts |
Posted - 05 December 2002 : 07:02:48
|
I am really sorry to know that Richard..
Hum.. Let me ask you a question: Why did you, one day, wake up and decide to build the Snitz Forums? Because of the "Challenge" of doing it, no? Why not just take this "event" and treat it just the same as you did for your forums: a challenge?
They challenge by hacking the forums? Okay! .. We will challenge by protecting it, the best we can!
Take a look around you, I am sure within all the members around here, there's someone who will be able to help you with this problem, but please, just don't let the babies win over you, not after all this big work!!!
Let's go! Don't give up!
(just some words from a little user of the big Snitz Forums!)
p.s. I have contributed for this big monster that is Snitz Forum. |
Edited by - LadyTatjahna on 05 December 2002 16:54:10 |
|
|
Reinsnitz
Snitz Forums Admin
USA
3545 Posts |
Posted - 05 December 2002 : 13:02:19
|
Just a reminder to all of you that the donations page exists (http://forum.snitz.com/donations.asp). If you like what goes on here at this site, and you want to give either/both Huw and Richard a donation of any kind, you can do so at the donations page (http://forum.snitz.com/donations.asp).
You're not obligated to do so in any way, this product is free, but if you feel that giving something to them for some of the many hours they spend here helping everyone out, feel free to do so. |
Reinsnitz (Mike) |
|
|
Classicmotorcycling
Development Team Leader
Australia
2084 Posts |
Posted - 05 December 2002 : 14:36:31
|
I know I did give a donation some time ago (about 4 months ago).
quote: Originally posted by reinsnitz
Just a reminder to all of you that the donations page exists (http://forum.snitz.com/donations.asp). If you like what goes on here at this site, and you want to give either/both Huw and Richard a donation of any kind, you can do so at the donations page (http://forum.snitz.com/donations.asp).
You're not obligated to do so in any way, this product is free, but if you feel that giving something to them for some of the many hours they spend here helping everyone out, feel free to do so.
I can not see why others could not donate...
On the part of Richard thinking about giving it away... Don't, please. You have done so much to give it all away now for a couple of jumped up little egg farts (sorry eggyfarts, not you), who get their kicks by trying to destroy it for you and us.
As LadyTatjahna said, put it as a challenge. Find the hole that these little $@^% sticks did, and Snitz will be the most secure ASP forums around, and that is your challenge to find the hole until the next challenge. And treat them that way as a challenge.
Just my 1/2 a cent US worth....
|
Cheers, David Greening |
|
|
Reinsnitz
Snitz Forums Admin
USA
3545 Posts |
Posted - 05 December 2002 : 18:32:30
|
Also, the idea would be for the dev team to kick it into gear and look for a hole, Richard and Huw can't be expected to do everything... though they pretty nearly do... they are unreal... totally awesome! Let's help them out and poke around and see what the dev team can do. Also, if the person who did this to the forum would not mind contacting us directly and letting us know how it was done, we can go about fixing the hole (without any repercussions).
Cheers!
|
Reinsnitz (Mike) |
|
|
Etymon
Advanced Member
United States
2385 Posts |
Posted - 05 December 2002 : 19:47:08
|
Hi Richard,
I love your work! I hope you got my email that I sent to you a little over a week ago. I finally got an account with Huwr this week! I love his service ... very prompt and considerate! Reinsnitz ... thanks so much for getting Snitz on the web and offering it as open-source!! All of you are remarkable individuals!
I read a book about a year ago that opened my eyes greatly. The book was written by the author of the 128-bit encryption method ... Bruce Schneier. The title of the book is:
Secrets & Lies: Digital Security in a Networked World
This is a link to the book: http://www.counterpane.com/sandl.html
This is an excerpt from the author: http://www.counterpane.com/sandlmsg.html
This is the tail end of a review of the book:
Think that open source software is more secure than proprietary code? Guess again. Think that using smart cards or biometrics is going to save your network? Not if your users don't understand a thing about security. Relying on any vendor's box to help you sleep at night? You won't anymore. Schneier pounds most security myths to dust, and there are many things that he has to say that you won't like, especially if you think you've got security on your network taken care of.
Having said that, Schneier's book is more about the overt awareness required to achieve a high degree of security on a network rather than living under the illusion that anything close to complete security is truly possible. The concept of security as a constantly changing system is paramount to the education of any serious system administrator. Having said that, I would sincerely recommend this book to not only system administrators, but also IT managers, and anyone thinking about branching into any part of network security for a living. This isn't about building a firewall -- it's about truly understanding the issues and what they mean to you and your business. The best part is, after reading this book you'll be able to scare the heck out of just about everyone.
http://www.serverwatch.com/tutorials/article.php/1473971
"Secrets and Lies" is an effective book. It is very depressing because like the author said ... it does seem hopeless. But like Bruce, I think there is a lot of hope!
I highly recommend it.
Please don't give up, Richard.
Sincerely,
Etymon
|
|
|
RichardKinser
Snitz Forums Admin
USA
16655 Posts |
Posted - 05 December 2002 : 19:54:31
|
quote: Originally posted by Etymon
I hope you got my email that I sent to you a little over a week ago.
could you resend it? I don't think I received it. |
|
|
sy
Average Member
United Kingdom
638 Posts |
Posted - 05 December 2002 : 20:25:16
|
wow, i am just taken aback by the callousness of these folks to hurt such a great project as snitz.
I hope whatever watches over them ensures they have a miserable christmas.
don't give up Richard, it's entirely your call, if you do, then they win.
let us know what can be done to help. |
The pessimist complains about the wind; the optimist expects it to change; the realist adjusts the sails
|
|
|
LadyTatjahna
Starting Member
Canada
6 Posts |
Posted - 05 December 2002 : 20:40:14
|
I was thinking about the possibility of encryption too, but I know nothing about that and about network security, but there's someone else in there that surely knows.. uh? ..
I think this thread should become a call to all of the guys who have knowledge about network security to help the development team in "securing?" the forums...
To all: The Snitz forum's team was always there for us? Why wouldn't we be there when they need our help? |
|
|
Etymon
Advanced Member
United States
2385 Posts |
Posted - 05 December 2002 : 21:01:44
|
Message sent, Richard. |
|
|
Etymon
Advanced Member
United States
2385 Posts |
Posted - 05 December 2002 : 21:05:27
|
Question: Does this problem also affect Snitz version 3.3.05 forums?
|
|
|
donburch
Starting Member
Australia
19 Posts |
Posted - 05 December 2002 : 21:13:14
|
I would also like to express my thanks to the Snitz team for making such a great product, and for supporting it in such a way that has built such a helpful and enthusiastic user community.
quote: Originally posted by RichardKinser
What would you suggest that we test? You mention a vulnerability, do you know what it is? Because I sure don't.
From personal experience, I know that the chance of finding a bug by just looking at the code (without a better knowledge of the problem), is almost zero. We could all spend lots of time looking for a vulnerability that may not even exist in the Snitz code.
As I understand the situation, we don't know whether there was a vulnerability in the registration procedure, some vulnerability in some other part of the software, or whether the database was hacked using a totally non-Snitz vulnerability.
I realise that I'm only new to the Snitz community, but I don't believe that closing registrations is the answer, except as a short-term measure. There is no evidence that there is any security problem in registrations. On the other hand, the vast majority of registrations (in the past and in the future) are from people who use Snitz. Closing registrations will prevent new Snitz users from getting the benefit of the Snitz community and drive them to use other software, or customised versions of Snitz where they can readily get help and in turn contribute.
What should we do? Take Snitz off the market because one or two people managed to hack into one Snitz site? If so, then we should all stop using Snitz - but that seems a little extreme to me!
Recommendations:
- It does seem sensible to at least make registrants use real e-mail addresses, rather than the free yahoo or MSN accounts. I thought this was built into Snitz, but maybe it was a MOD.
- Since the users of Snitz's forums are themselves administrators of other Forums, maybe it would be relevant to require the URL of their Forum? OK, we would need to allow new users to get support setting up the software, and this may not be done at an internet address, so we may have to allow a 1-2 month leeway.
- One other point I took from this incident, was the need to keep a fairly up-to-date off-line backup of both the database and the forum software.
|
Edited by - donburch on 05 December 2002 21:28:54 |
|
|
ruirib
Snitz Forums Admin
Portugal
26364 Posts |
Posted - 05 December 2002 : 22:02:49
|
quote: Originally posted by Etymon
Question: Does this problem also affect Snitz version 3.3.05 forums?
If you don't know what the problem is, how can you tell if it affects 3.3.x forums? My own forum is still a v.4.0Beta forum, which means it really is a 3.3.x forum underneath. I'm not excessively worried, though I think some discomfort comes from not knowing how they did it. I think some solace also comes from the fact that we're not watching a hacking wave, like we had with the 3.3.x infamous members.asp bug... |
Snitz 3.4 Readme | Like the support? Support Snitz too |
|
|
RichardKinser
Snitz Forums Admin
USA
16655 Posts |
Posted - 05 December 2002 : 22:14:39
|
Most likely we are going to implement a filter to not allow e-mail addresses from places such as yahoo.com or hotmail.com etc. I personally have never wanted to do this, but it looks like we are going to have to.
What we need is to compile a list of all free e-mail services.
I know of (off the top of my head):
yahoo.com, hotmail.com, netscape.com, excite.com, myrealbox.com, football.com
There are many, many others. Does anyone know of a place that might keep a list of them? |
|
|
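The free e-mail filter proposed in the posts above, sketched as an added example; it is not Snitz code and is written in Python rather than the forum's ASP. The domain list is the one from the post, while the function names and sample addresses are hypothetical and constructed for illustration.

```python
# Registration-time filter for free e-mail domains (added example).
# Domain list taken from the post; all names here are hypothetical.
BLOCKED_DOMAINS = frozenset({
    "yahoo.com", "hotmail.com", "netscape.com",
    "excite.com", "myrealbox.com", "football.com",
})


def extract_domain(address):
    """Return the normalized domain of an address, or None if malformed."""
    local, sep, domain = address.strip().rpartition("@")
    if not sep or not local or not domain:
        return None
    # DNS names are case-insensitive and may carry a trailing root dot.
    domain = domain.lower().rstrip(".")
    labels = domain.split(".")
    # Require at least two non-empty labels (e.g. "example.com").
    if len(labels) < 2 or any(not label for label in labels):
        return None
    return domain


def is_blocked(address, blocked=BLOCKED_DOMAINS):
    """True if the address is malformed or its domain is on the blocklist.

    Matching is on whole DNS labels, so "mail.yahoo.com" is caught but
    "notyahoo.com" is not, which a plain substring test would get wrong.
    """
    domain = extract_domain(address)
    if domain is None:
        return True  # fail closed: refuse addresses that cannot be parsed
    labels = domain.split(".")
    # Check the domain itself and each parent domain (but not the bare TLD).
    return any(".".join(labels[i:]) in blocked for i in range(len(labels) - 1))


# Constructed sample registrations, not real addresses from the forum.
SAMPLES = [
    "user@YAHOO.com", "user@mail.hotmail.com", "user@yahoo.com.",
    "user@notyahoo.com", "admin@example.org", "no-at-sign",
]


def screen(addresses):
    """Map each address to True (reject) or False (accept)."""
    return {addr: is_blocked(addr) for addr in addresses}


if __name__ == "__main__":
    for addr, rejected in screen(SAMPLES).items():
        print(f"{'REJECT' if rejected else 'accept'}  {addr}")
```

A filter like this only constrains which addresses can register; the list has to be maintained as new free services appear.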