
so what really happen to steroidology?

  • Thread starter: DepressiveJuice
EF Sam said:


While I am sure you can handle it, that is not what we are about. With all honesty I didn't expect that type of response from you. I have said this before and I will repeat it here, our community should be one with no barriers. We should all work together to share knowledge, and support each other. Rumors and things of the such can really hurt people and their families. We do not want to see that happen to you as it has happened to others recently.

Again, we are very happy to allow the posts about your board being up, but we will not allow the bashing of your board or any others. I would hope that our members will listen to my request and not do this. Thanks everyone!

With all due respect, it was one of your Mods that on this very thread decided to start the rumor mill so while you can tell me how you believe that our community should do this and that, remember, it all starts at home. Although no specific rumor was started, the crypticness of his posts led someone to believe that there was more to the 'story' than I was telling. Also posting that I was a liar. How are the members to listen to what you say when someone from your staff will not even listen to you?

I'm sorry that you expected a different response from me but me posting that I can handle it doesn't really strike me as a kind of post that is negative in nature. I didn't think that bringing a little humor to the board was a bad thing and that it somehow showed that I am against the community having no barriers.

But anyways, I appreciate you letting posts about my board stay up.
 
Biggie -- ST said:


With all due respect, it was one of your Mods that on this very thread decided to start the rumor mill so while you can tell me how you believe that our community should do this and that, remember, it all starts at home. Although no specific rumor was started, the crypticness of his posts led someone to believe that there was more to the 'story' than I was telling. Also posting that I was a liar. How are the members to listen to what you say when someone from your staff will not even listen to you?

I'm sorry that you expected a different response from me but me posting that I can handle it doesn't really strike me as a kind of post that is negative in nature.

But anyways, I appreciate you letting posts about my board stay up.

Understood. The thing that caught me about your response was that it was a promotion of your site, rather than a response to my posts. As I said above, I apologize that I did not catch this thread earlier.

Again, congratulations on your board returning. We had a hack attempt over the last week and we realize how hard it can be. Thankfully we had enough security in place that the hackers didn't get anywhere other than an attempt. Take care! :)

 
EF Sam said:


Understood. The thing that caught me about your response was that it was a promotion of your site, rather than a response to my posts. As I said above, I apologize that I did not catch this thread earlier.

Again, congratulations on your board returning. We had a hack attempt over the last week and we realize how hard it can be. Thankfully we had enough security in place that the hackers didn't get anywhere other than an attempt. Take care! :)


Well, sometimes hackers get in and sometimes they don't. If one is to think that they have enough security that a hacker will never, ever get in, then they are mostly fooling themselves. No one really knows the ability of some hackers.

And about the promotion of my site, remember, it was meant as humor, not to promote. We as admins have mass emailing features to use for promotion. If you took it the wrong way, then you did. Some people see one thing and some people see the other.

Take care
 
Biggie -- ST said:


Well, sometimes hackers get in and sometimes they don't. If one is to think that they have enough security that a hacker will never, ever get in, then they are mostly fooling themselves. No one really knows the ability of some hackers.

And about the promotion of my site, remember, it was meant as humor, not to promote. We as admins have mass emailing features to use for promotion. If you took it the wrong way, then you did. Some people see one thing and some people see the other.

Take care

Very true on the hackers. We spend $4k a month on our host and hope that our security is up to speed, however anything can happen at any time. We back up our database a few times a day and do everything possible for the security of our site and its members. That being said, we could be taken down at any time and we realize that for sure.

If I read you wrong, I sincerely apologize. Thanks and take care.
 
I've been trying to hack myself a modship around here for a while.

I swear, I get tired of having to log out and log back in under my old username of Cornholio just to lock a thread.
 
EF Sam said:


Very true on the hackers. We spend $4k on our host and hope that our security is up to speed, however anything can happen at any time. We back up our database a few times a day and do everything possible for the security of our site and its members. That being said, we could be taken down at any time and we realize that for sure.

If I read you wrong, I sincerely apologize. Thanks and take care.

$4K? At what rate? A month? A year?

Is EF still running RedHat Linux? One step would be to run FreeBSD - Linux is fun and all, but the occasional slip up occurs.
FreeBSD hasn't had any issues in ages.

EF has been good and closed off the bulk of the ports, which is smart - at least last I recall checking.

Last I looked (over a year ago if not more), EF (or rather VBulletin) allowed infinite login attempts, ignoring of course bandwidth limitations.
The way the passwords work, they are hashed - I think via MD5 if memory serves. So I enter my pass on the client side, it gets passed in (clear text by the way). Then the server takes that and runs it through the hash and compares it to the stored hash - so the system (including admins and the like) never "know" what the password is - just the hash.
Now there is a seemingly huge dataspace available to the hash, but there is also a known issue (unless this has been resolved in the last year or so that I missed out on) where there are a relatively large number of collisions in that dataset.
So that means that it is technically feasible that I have a password of "munchyTits" and then I log in and type a password of "Ilovehotmansex" and it happens to share the same hash and I get in anyway - even with the wrong password.
The likelihood of this happening is obscenely rare though, so it doesn't matter too much for us as EF peeps.
But if someone then set up a program to brute force every combination of hashes, there are two options. The long way - just create all the combinations of that long string with that character set - or the now shown shorter way - you run through combinations of words and characters into the hash.
That would most certainly get them in, and in less time due to the collisions that occur, so they might not get the right password, but it doesn't matter since they just need the hash.

Stopping that is easy by limiting the attempts at how many times you can get in - again it probably does this now (I hope it does) - but it certainly didn't in the past.
If the password fails N times, where N is very small - like 5 - then lock the account and an admin has to unlock it.
That way, it is incredibly unlikely for a brute force attack to function within the space of 5 attempts, but it should be plenty for someone that knows the password to make an error and then say "ahh fuck, I meant to have a 69 at the end of that" and then get in correctly.

I personally think sniffing is overrated. If I can control things on my end, I'm not worried about the colocated side of EF stuff - then again, I also have nothing of value being sent back and forth.
If I did, then I would be worried that my cookie has my password hash right in it.

There was a hole for a bit in IE and in VBulletin that could be combined to get passwords. You could put Javascript code into the IMG tag of VBulletin, that could then redirect a user to another page - on that page you could then strip out the elite cookie and get their username and password.

Then there is the page that is built into VBulletin to restore the admin passwords. Fortunately, EF seems to be smart enough to have htaccess enabled and also not keeping that file around where it is always accessible - either it is deleted as it should be, or renamed something else ideally not easily guessable.

But the fact of the matter is that no matter how hard you really try to lock down a site, you have the same old issues at hand that have always been at hand.
1) dumb users - in this case mods and possibly admins
2) human nature

Between those two, you can get easily guessed passwords (you can work around this by automatically generating them and not allowing the user to pick them), and then there is the fact that everyone will let their guard down to someone - and that someone can walk away with the world if they know what they are doing.

Blah blah blah.

Maybe Code will come in here and make this fun.
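The lockout policy sketched above (hash compare on the server, lock after a small N of failed attempts, admin unlock) as an added worked example. This is not vBulletin or EF code and not the poster's; it models the scheme as the post describes it (a bare MD5 digest stored and compared server-side) and the proposed counter, so `MAX_FAILURES`, the `LoginService` class, the sample account and every password value are constructed assumptions for illustration only.

```python
import hashlib
import hmac
from dataclasses import dataclass, field

# Added example, not forum software: a model of the login check the post
# describes plus the lockout it proposes. The user table, the bare-MD5
# scheme (as the post recalls it) and MAX_FAILURES are all assumptions.

MAX_FAILURES = 5  # "N is very small - like 5"


def md5_hex(password: str) -> str:
    """Hash the password the way the post describes: a bare MD5 of the
    cleartext. The server stores and compares only this digest."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


@dataclass
class Account:
    username: str
    password_hash: str
    failures: int = 0
    locked: bool = False


@dataclass
class LoginService:
    accounts: dict = field(default_factory=dict)

    def register(self, username: str, password: str) -> None:
        self.accounts[username] = Account(username, md5_hex(password))

    def login(self, username: str, password: str) -> str:
        """Return 'ok', 'bad_password', 'locked' or 'no_such_user'.
        Failures accumulate until MAX_FAILURES, then the account locks and
        stays locked until admin_unlock() runs. A success resets the
        counter, so a user who mistypes once or twice is not penalised."""
        acct = self.accounts.get(username)
        if acct is None:
            return "no_such_user"
        if acct.locked:
            # A locked account rejects even the correct password: the guess
            # budget is spent and only an admin can reopen it.
            return "locked"
        # compare_digest avoids leaking the match position via timing.
        if hmac.compare_digest(acct.password_hash, md5_hex(password)):
            acct.failures = 0
            return "ok"
        acct.failures += 1
        if acct.failures >= MAX_FAILURES:
            acct.locked = True
            return "locked"
        return "bad_password"

    def admin_unlock(self, username: str) -> None:
        acct = self.accounts[username]
        acct.locked = False
        acct.failures = 0


def demo() -> dict:
    """Walk through the post's scenario: a typo, a correct login, a run of
    wrong guesses that hits the lockout, then an admin unlock."""
    svc = LoginService()
    svc.register("alice", "munchyTits69")  # constructed sample account
    results = {}
    results["typo"] = svc.login("alice", "munchyTits")       # forgot the 69
    results["fixed"] = svc.login("alice", "munchyTits69")    # ok, counter reset
    # Five wrong guesses exhaust the budget; the fifth comes back 'locked'.
    results["guesses"] = [svc.login("alice", f"guess{i}")
                          for i in range(MAX_FAILURES)]
    # Even the right password is refused while locked.
    results["correct_while_locked"] = svc.login("alice", "munchyTits69")
    svc.admin_unlock("alice")
    results["after_unlock"] = svc.login("alice", "munchyTits69")
    results["unknown_user"] = svc.login("mallory", "anything")
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The counter is per account and resets only on a successful login or an admin unlock, which is what makes five attempts enough for a legitimate typo but useless for a guessing run. The hash function is kept as the post describes it so the lockout logic is the only thing being demonstrated; the storage scheme itself is not the point here.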
 
NoDaddyNo said:


$4K? At what rate? A month? A year?

Is EF still running RedHat Linux? One step would be to run FreeBSD - Linux is fun and all, but the occasional slip up occurs.
FreeBSD hasn't had any issues in ages.

EF has been good and closed off the bulk of the ports, which is smart - at least last I recall checking.

Last I looked (over a year ago if not more), EF (or rather VBulletin) allowed infinite login attempts, ignoring of course bandwidth limitations.
The way the passwords work, they are hashed - I think via MD5 if memory serves. So I enter my pass on the client side, it gets passed in (clear text by the way). Then the server takes that and runs it through the hash and compares it to the stored hash - so the system (including admins and the like) never "know" what the password is - just the hash.
Now there is a seemingly huge dataspace available to the hash, but there is also a known issue (unless this has been resolved in the last year or so that I missed out on) where there are a relatively large number of collisions in that dataset.
So that means that it is technically feasible that I have a password of "munchyTits" and then I log in and type a password of "Ilovehotmansex" and it happens to share the same hash and I get in anyway - even with the wrong password.
The likelihood of this happening is obscenely rare though, so it doesn't matter too much for us as EF peeps.
But if someone then set up a program to brute force every combination of hashes, there are two options. The long way - just create all the combinations of that long string with that character set - or the now shown shorter way - you run through combinations of words and characters into the hash.
That would most certainly get them in, and in less time due to the collisions that occur, so they might not get the right password, but it doesn't matter since they just need the hash.

Stopping that is easy by limiting the attempts at how many times you can get in - again it probably does this now (I hope it does) - but it certainly didn't in the past.
If the password fails N times, where N is very small - like 5 - then lock the account and an admin has to unlock it.
That way, it is incredibly unlikely for a brute force attack to function within the space of 5 attempts, but it should be plenty for someone that knows the password to make an error and then say "ahh fuck, I meant to have a 69 at the end of that" and then get in correctly.

I personally think sniffing is overrated. If I can control things on my end, I'm not worried about the colocated side of EF stuff - then again, I also have nothing of value being sent back and forth.
If I did, then I would be worried that my cookie has my password hash right in it.

There was a hole for a bit in IE and in VBulletin that could be combined to get passwords. You could put Javascript code into the IMG tag of VBulletin, that could then redirect a user to another page - on that page you could then strip out the elite cookie and get their username and password.

Then there is the page that is built into VBulletin to restore the admin passwords. Fortunately, EF seems to be smart enough to have htaccess enabled and also not keeping that file around where it is always accessible - either it is deleted as it should be, or renamed something else ideally not easily guessable.

But the fact of the matter is that no matter how hard you really try to lock down a site, you have the same old issues at hand that have always been at hand.
1) dumb users - in this case mods and possibly admins
2) human nature

Between those two, you can get easily guessed passwords (you can work around this by automatically generating them and not allowing the user to pick them), and then there is the fact that everyone will let their guard down to someone - and that someone can walk away with the world if they know what they are doing.

Blah blah blah.

Maybe Code will come in here and make this fun.

Holy fuck that was boring.

*Note to self* Never read another NoDaddyNo post that is longer than a paragraph.
 
bdog527 said:


Holy fuck that was boring.

*Note to self* Never read another NoDaddyNo post that is longer than a paragraph.

That is why people have to pay a lot of $$ for others to handle/stay on top of security. It's a continually changing target and if ya don't stay on top of it, ya get f*cked.

Kinda like all the dipshits in this world that can't keep an email virus from invading their machine.... or patching their machine so a script kiddie can easily exploit it.
 