Security issues
Rafa
KT-GrandMaster
Posts: 1427
Joined: Wed Jan 30, 2008 12:16 am
Location: México

Post by Rafa »

Hi. Recently a major forum where I participate has been hacked. The database is quite big and it's taking several days to get restored. Although this forum is full of specialists in programming it was still vulnerable. Maybe this was the reason for the target.

Another one, more modest is getting several posts from forum bots. Just a matter of deleting posts, but it shows a security vulnerability.

Just a reminder to keep strong passwords and a good backup.
Fletch
KT-Team
Posts: 8564
Joined: Fri Oct 27, 2006 2:38 am
Location: Milwaukee, WI USA

Post by Fletch »

Yes, we should be updating passwords every 2 months... at the very least every 6 months.
GreyHead
KT-Explorer
Posts: 329
Joined: Fri Nov 02, 2007 9:41 pm

Post by GreyHead »

This forum is one version and a couple of releases out of date; and so is the Joomla site. There must be a chance that it will be hacked at some time in the future.

Doubtless all will be up-to-date on the new Thea site.

Bob
alex
KT-Team
Posts: 2746
Joined: Sun Nov 26, 2006 10:12 am
Location: Clermont-Ferrand, France

Post by alex »

GreyHead wrote: Doubtless all will be up-to-date on the new Thea site.
Bob

BTW, do we have any roadmap for it?
Alexandre Bagros-Murat

Perfection is achieved, not when there is nothing more to add, but when there is nothing left to take away.
GreyHead
KT-Explorer
Posts: 329
Joined: Fri Nov 02, 2007 9:41 pm

Post by GreyHead »

Hi Alex,

No, Giannis effectively stopped the work that Kim and I were doing with Kerkythea sites last September and said that Claudio would be in touch shortly about the new site. I've not heard a word since.

So, if there is a route map it is - let the KT site fade away and do something about Thea sometime.

Apologies for the cynicism . . . but the facts pretty much speak for themselves.

Bob
alex
KT-Team
Posts: 2746
Joined: Sun Nov 26, 2006 10:12 am
Location: Clermont-Ferrand, France

Post by alex »

OK.... do you know if we will still have a Joomla template, or if we will have a more personalised website? I would really like a fully black homepage (no borders or anything), and just buttons with "the renderer" (in which we describe Thea and its features), "Gallery", "Downloads" (materials, sample scenes), "Support" (forum, wiki, tutorials), and "Contact". All these buttons on top of a flash slideshow showcasing our best renders.

(So you would basically have a slideshow and the words on top of it (orange words). Just this.)
Alexandre Bagros-Murat

Perfection is achieved, not when there is nothing more to add, but when there is nothing left to take away.
alex
KT-Team
Posts: 2746
Joined: Sun Nov 26, 2006 10:12 am
Location: Clermont-Ferrand, France

Post by alex »

BTW, I really think that we underestimate the time needed to build a fully pro-looking website. IMO, we need at least 3-4 months if we want it to be fully working (and I exclude the shop).
Alexandre Bagros-Murat

Perfection is achieved, not when there is nothing more to add, but when there is nothing left to take away.
GreyHead
KT-Explorer
Posts: 329
Joined: Fri Nov 02, 2007 9:41 pm

Post by GreyHead »

Hi Alex,

I have no idea what Claudio and Giannis are planning - though I suspect that at the moment the answer is that they are fully occupied with other things.

I wouldn't disagree with your estimate on timing . . . but I also suspect that Thea is unlikely to be ready for a full public presentation for many months yet.

Bob
Rafa
KT-GrandMaster
Posts: 1427
Joined: Wed Jan 30, 2008 12:16 am
Location: México

Post by Rafa »

I'm posting here the abstract of what happened to the forums. Quite complicated issue.
It's in Spanish, but it has some steps that helped to recover control. (I don't want to mistranslate... I'm a little tired)

What went right

- Having made noise from the moment all this started. Not staying quiet, nor trying to resolve anything in private with whoever is responsible.
- Using the telephone before email, although I found that with many providers there is no route other than the digital one.
- On seeing the possibility that they would keep recovering my accounts, I went straight to securing new access credentials, with fresh data, always real (and verifiable), to make sure they kept being linked to my real identity.

What went wrong

- Having too many accounts registered under a single email. When I lost access to my domain, it was very easy for them to start gaining access. Having a series of different passwords was of no use.
- That same Monday we were going to try to get the forum running on another temporary domain. But I should have asked for the servers to be shut down immediately when I started to see the scale of the attack. And I was still depending on earlier services which I had no certainty had not been compromised in some way.
- I changed the passwords on my Gmail account, but I didn't think of all the ways they could obtain it, including the emergency email.
- Lack of sleep and anxiety are not good friends when you need to think fast and act accordingly.

One interesting thing is the problem of cross information. If someone gains access, for example, to an email, they can gain access to all accounts associated with it.

And maybe the "secret question" to recover a password in a mail account can be the door to gain access to all.

Another interesting thing is the verification of the identity of the owner... not as in the movie "The Net" with Sandra Bullock, but... :)