    Welcome back everyone

    Feathercoin Discussion
    • MrWyrm
      MrWyrm administrators last edited by

      [quote name=“chrisj” post=“53588” timestamp=“1390310879”]
      [quote author=MrWyrm link=topic=7041.msg53587#msg53587 date=1390310725]
      I use PHPbb, can’t help but feel it’s lagging behind others in terms of features these days though.
      [/quote]

      What other ones do you like?
      [/quote]

      I’d guess the truth is that doesn’t really matter, and I know that’s a bit of a cop out, I think ultimately the requirements of this forum are very different from most other forums. The ‘shoe and shoe polish appreciation’ forum, for example, might prize the ability to post and host media over forum security and uptime. I think that anecdotal evidence from anyone of reliability is going to be useless.

      There’s two things that spring to my mind, which is the ‘most secure’ out of the box and which has the most vanilla features that we ‘need’ (to prevent the need for additional mods creating security holes). Forget pretty haha.

      But we could pick the most secure package available, whilst it would seem that it’s the forum that had the weakness, it still worries me that I’ve read elsewhere that ‘not all packages’ were up to date. I understand how easy it is to let these things slide, but if the community is one of the most prized features of the FeatherCoin, then it must have all its bases covered as a priority. :)

      Perhaps we could also benefit from a ‘disaster plan’, so that you can respond to these problems quickly whilst singing from the same hymn sheet? Things have been handled ok all in all, and you don’t need me to tell you, the forum should have been pulled and shutdown much earlier pending enquiry. :D

      Like what I do: 6uuy6isbrW1SBF191Bzgui1gWxPdNKx2PB

      • H
        hangercure last edited by

        It’s nice to be back.

        • G
          ghitzafunny last edited by

          Guess who is back , back again :P http://www.youtube.com/watch?v=YVkUvmDQ3HY

          • J
            justgeig last edited by

            [quote name=“Bushstar” post=“53589” timestamp=“1390310905”]
            I have posted an update here.

            http://forum.feathercoin.com/index.php?topic=7031.msg53583#msg53583

            Moving to VBulletin would be a good option as it is more actively developed though it is commercial. Not sure that I would rate phpBB any higher than SMF.
            [/quote]

            Surely, we can get donations from the community to purchase VBulletin? I don’t have much to offer but I’d be willing. It wouldn’t take much from each person if a bunch of us chipped in :D

            • MrWyrm
              MrWyrm administrators last edited by

              I’d gladly contribute :D

              Like what I do: 6uuy6isbrW1SBF191Bzgui1gWxPdNKx2PB

              • ?
                A Former User last edited by

                [quote name=“justgeig” post=“53627” timestamp=“1390315608”]
                [quote author=Bushstar link=topic=7041.msg53589#msg53589 date=1390310905]
                I have posted an update here.

                http://forum.feathercoin.com/index.php?topic=7031.msg53583#msg53583

                Moving to VBulletin would be a good option as it is more actively developed though it is commercial. Not sure that I would rate phpBB any higher than SMF.
                [/quote]

                Surely, we can get donations from the community to purchase VBulletin? I don’t have much to offer but I’d be willing. It wouldn’t take much from each person if a bunch of us chipped in :D
                [/quote]

                I’ve already offered a licence for vbulletin 3.x and 4.0 that I don’t need anymore. I’m really hoping they will take me up on it. It’s not the newest version but many huge boards are still on 3.x and they are quick with security patches even for older versions.

                • C
                  chrisj Regular Member last edited by

                  [quote name=“ryan176” post=“53630” timestamp=“1390315871”]
                  [quote author=justgeig link=topic=7041.msg53627#msg53627 date=1390315608]
                  [quote author=Bushstar link=topic=7041.msg53589#msg53589 date=1390310905]
                  I have posted an update here.

                  http://forum.feathercoin.com/index.php?topic=7031.msg53583#msg53583

                  Moving to VBulletin would be a good option as it is more actively developed though it is commercial. Not sure that I would rate phpBB any higher than SMF.
                  [/quote]

                  Surely, we can get donations from the community to purchase VBulletin? I don’t have much to offer but I’d be willing. It wouldn’t take much from each person if a bunch of us chipped in :D
                  [/quote]

                  I’ve already offered a licence for vbulletin 3.x and 4.0 that I don’t need anymore. I’m really hoping they will take me up on it. It’s not the newest version but many huge boards are still on 3.x and they are quick with security patches even for older versions.
                  [/quote]

                  Oh nice one, thank-you very much :)

                  • P
                    Pryderi Regular Member last edited by

                    Hi!

                    • ?
                      A Former User last edited by

                      If bushstar or someone just pm’s me with some details I’ll get it transferred this evening.

                      • T
                        Thytos last edited by

                        Good to be back :)

                        • J
                          justgeig last edited by

                          As long as we are looking into changing forum engines and site redesigning, having dedicated and branded Feathercoin Forum apps would be awesome and should help lend credibility to our community.

                          edit:
                          I say this fully realizing that I have no idea how hard that would be and that I couldn’t help…

                          • R
                            Ruthie last edited by

                            Hello, have missed you all :)

                            • T
                              TrollboxChamp Regular Member last edited by

                              Glad we’re all back! 8)

                              • MrWyrm
                                MrWyrm administrators last edited by

                                Just shows how much you can miss something. There was a serious risk of me wearing out my refresh button. ;D

                                Like what I do: 6uuy6isbrW1SBF191Bzgui1gWxPdNKx2PB

                                • T
                                  TrollboxChamp Regular Member last edited by

                                  [quote name=“MrWyrm” post=“53669” timestamp=“1390322159”]
                                  Just shows how much you can miss something. There was a serious risk of me wearing out my refresh button. ;D
                                  [/quote]

                                  haha this :P

                                  • N
                                    new2crypto Regular Member last edited by

                                    So these people attacked and temporarily disrupted the site …

                                    All they have achieved is bringing the Feathercoin community closer together ! :)

                                    • wrapper
                                      wrapper Moderators last edited by

                                      MrWyrm good advice, rep+1

                                      • S
                                        SkullandHeadphones Regular Member last edited by

                                        HOME SWEET HOME! 8)

                                        • K
                                          Kevlar Spammer last edited by

                                          [quote name=“MrWyrm” post=“53618” timestamp=“1390313528”]
                                          [quote author=chrisj link=topic=7041.msg53588#msg53588 date=1390310879]
                                          [quote author=MrWyrm link=topic=7041.msg53587#msg53587 date=1390310725]
                                          I use PHPbb, can’t help but feel it’s lagging behind others in terms of features these days though.
                                          [/quote]

                                          What other ones do you like?
                                          [/quote]

                                          I’d guess the truth is that doesn’t really matter, and I know that’s a bit of a cop out, I think ultimately the requirements of this forum are very different from most other forums. The ‘shoe and shoe polish appreciation’ forum, for example, might prize the ability to post and host media over forum security and uptime. I think that anecdotal evidence from anyone of reliability is going to be useless.

                                          There’s two things that spring to my mind, which is the ‘most secure’ out of the box and which has the most vanilla features that we ‘need’ (to prevent the need for additional mods creating security holes). Forget pretty haha.

                                          But we could pick the most secure package available, whilst it would seem that it’s the forum that had the weakness, it still worries me that I’ve read elsewhere that ‘not all packages’ were up to date. I understand how easy it is to let these things slide, but if the community is one of the most prized features of the FeatherCoin, then it must have all its bases covered as a priority. :)

                                          Perhaps we could also benefit from a ‘disaster plan’, so that you can respond to these problems quickly whilst singing from the same hymn sheet? Things have been handled ok all in all, and you don’t need me to tell you, the forum should have been pulled and shutdown much earlier pending enquiry. :D
                                          [/quote]

                                          +1 rep, great post.

                                          2 of these things are covered in the famous 7 deadly sins of the Linux administrator: http://searchenterpriselinux.techtarget.com/news/904844/Linux-security-The-seven-deadly-sins

                                          Specifically #3: Running old software versions, and #4: Running insecure and badly configured programs.

                                          From the article:
                                          [quote]
                                          Do use good programming practices, and run audits of common gateway interfaces (CGIs) regularly, Toxen said. Many programmers don’t know secure programming techniques. The auditor should.

                                          On Toxen’s “don’ts” list: [b]Don’t use PHP, even though it’s convenient.[/b] Don’t run DNS, auth (ident) or Apache as root. But, do use suEXEC, a tool first introduced in Apache 1.2, that increases security by allowing users to develop and run private CGI or SSI programs.
                                          [/quote]

                                          There’s a REALLY good reason to NOT use PHP, as was demonstrated with this hack: The entire security model for PHP is completely broken. PHP is by far and away the most security problematic platform for the web in existence.

                                          PHP accounts for 29% of all vulnerabilities in the National Vulnerability Database. 99% of PHP-related vulnerabilities can be exploited remotely. PHP vulnerabilities account for about 33% of vulnerabilities which allow a remote access.

                                          PHP only works as a CGI interface, which means that the code must be compiled and executed off the file system as a response to a web request. That means that all an attacker has to do is modify a file on the file system, and issue a web request to get it to run. This is basically impossible to lock down, since the only requirement is a file system change, and not even privilege escalation is required. This problem is exacerbated by the fact that the default way of stringing two pieces of functionality together is via an ‘include’ statement, which is the automated equivalent of cutting and pasting code around in files in real time. You combine this with functionality that requires a file system change, like custom avatars, and you’ve got a guaranteed recipe for insecure code that even the most seasoned of developers will overlook. Add into this mess using PHP’s global namespace as a storage mechanism for query parameters, and a lack of support for stored procedures, and you’ve got a SQL injection attack on your hands that’s just waiting to be uncovered. Or how about PHP’s handling of nulls in strings? Or how it completely fucks up string comparison of numerical values?

                                          Don’t believe me? How do you think the hacker got in???

                                          It WILL happen again. It’s only a matter of time. Heed my warning: Avoid insecure platforms that get hacked all the time.

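An added example, not part of Kevlar's post and not code from any forum package: one way to handle the custom-avatar case raised above so that an uploaded file never becomes something a later web request can execute. It assumes PHP with the GD extension; the function name `store_avatar`, the size limits, and the use of the temp directory as a stand-in for a storage directory outside the web root are all assumptions made for illustration.

```php
<?php
declare(strict_types=1);

/**
 * Hypothetical helper: store an uploaded avatar as inert image data.
 * $bytes is the raw upload; $storeDir should sit outside the web root.
 * Returns the server-chosen file name, or null if the upload is rejected.
 */
function store_avatar(string $bytes, string $storeDir, int $maxBytes = 262144): ?string
{
    if ($bytes === '' || strlen($bytes) > $maxBytes) {
        return null;
    }
    // Decide the type from the content, never from the client's file name.
    $info = @getimagesizefromstring($bytes);
    $allowed = [IMAGETYPE_PNG, IMAGETYPE_JPEG, IMAGETYPE_GIF];
    if ($info === false || !in_array($info[2], $allowed, true)) {
        return null;
    }
    if ($info[0] > 512 || $info[1] > 512) { // assumed maximum dimensions
        return null;
    }
    // Decode and re-encode: only pixel data survives, so anything appended
    // to or embedded in the original file is dropped.
    $img = @imagecreatefromstring($bytes);
    if ($img === false) {
        return null;
    }
    // Server-generated name with a fixed extension; no user input in the path.
    $name = bin2hex(random_bytes(16)) . '.png';
    return imagepng($img, $storeDir . DIRECTORY_SEPARATOR . $name) ? $name : null;
}

// Constructed sample input: a valid 8x8 PNG with extra bytes appended.
$src = imagecreatetruecolor(8, 8);
ob_start();
imagepng($src);
$upload = ob_get_clean() . 'TRAILING-NON-IMAGE-DATA';

$dir = sys_get_temp_dir(); // stand-in for a directory outside the web root
$name = store_avatar($upload, $dir);
$stored = file_get_contents($dir . DIRECTORY_SEPARATOR . $name);

// Check that the appended bytes did not survive re-encoding.
var_dump(strpos($stored, 'TRAILING-NON-IMAGE-DATA') === false);
// Check that non-image content is rejected outright.
var_dump(store_avatar('not an image', $dir));
unlink($dir . DIRECTORY_SEPARATOR . $name);
```

The storage directory should also be served as static files only, with script execution disabled for it in the web server configuration, so that a file landing there by any other route still cannot run.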
                                          • J
                                            justgeig last edited by

                                            @Kevlar

                                            Coming from someone ignorant about what forum software is available and doesn’t use PHP … what would you recommend?
