bit-tech.net

Old 7th Sep 2016, 12:04   #1
Dogbert666
I benchmark, therefore I am.
bit-tech Staff
 
Join Date: Jan 2010
Location: London, England
Posts: 1,358
bit-tech forum alert: Please change your password

Dear All,

We’ve something important to update everyone and protect you, and the forums the best we can.

As I am sure you are all aware, we run vBulletin, an off-the-shelf forum package, which we get notified on when to update.

We have sent notifications to all members to notify them that they need to change their password because we have just been made aware of a security leak that occurred in January this year due to a series of vulnerabilities in vB, some of which have been of a high severity over the past few months. We have been patching these, but as a high-traffic site there’s always an increased risk, and we want to protect all users and admins the best we can.

We want to be transparent with you - the only information which we believe the attack could have taken is email, username, IP, and salted/hashed password. However, whilst the vB passwords are salted and hashed, and are safely stored, they can, if gathered, be broken to reveal the password in plaintext. This is all the more likely when you are using common, short or simple passwords, so we highly recommend users choose strong passwords.

Please be vigilant against fake/phishing emails going forwards; we rarely email people on the forums and we would never ask for your username or password. If you are not sure if the email is genuine, please, of course, double check.

We want to apologise for any inconvenience caused, and we wanted to notify you as soon as information has come to light in order to protect you.

The forums are fully patched and secure per vBulletin’s guidelines, and all admins and moderators have been forced to change their passwords too. We are keeping an eye on things as well.

As many of you will be aware, a new bit-tech is also being built. With this, we will implement an https domain and ensure that all connections to the forum are TLS-encrypted. The forums will also be moving away from vB entirely.

Thanks,
Matt Lambert
Editor - bit-tech.net

Old 7th Sep 2016, 12:11   #2
IanW
Grumpy Old Git
Join Date: Aug 2003
Location: N.Wales
Posts: 5,773
Done. Thanks for the heads-up.
__________________
i7 4770K@3.9GHz / Corsair H100i / Asus Maximus VI Gene / 16GB Corsair Vengeance 2133 /
Asus Strix GTX1080 Advanced / 500GB Samsung 840 Evo / 1TB Sandisk SSD / BeQuiet! 1kW /
Thermaltake Core V21 / Dell U2713HM / Corsair K70 RGB / Logitech Performance MX / Win10 / Kubuntu 17.04

Old 7th Sep 2016, 12:30   #3
Toka
Supermodder
Join Date: Nov 2006
Location: Oxford UK
Posts: 311
done - thanks for the email

Old 7th Sep 2016, 12:33   #4
Andy Mc
I *am* a Dremel
Join Date: May 2002
Location: In a house.
Posts: 1,702
When did you find out about the breach?

Old 7th Sep 2016, 12:50   #5
Bindibadgi
Am I out of touch?
Join Date: Mar 2001
Location: Taiwan
Posts: 36,043
Urgh. 3.xx is so old not surprised. Suggest people change it to something disposable not related to any other accounts.

How long til new forum roughly? Will we get to see a beta? (In my experience allowing ~50 people to test creates a group of ambassadors)
__________________
The bitterness of poor quality remains long after the sweetness of low price is forgotten.

Old 7th Sep 2016, 12:51   #6
Dogbert666
I benchmark, therefore I am.
bit-tech Staff
Join Date: Jan 2010
Location: London, England
Posts: 1,358
Quote:
Originally Posted by Andy Mc View Post
When did you find out about the breach?
Less than 24 hours ago.

Old 7th Sep 2016, 13:10   #7
Arboreal
I *am* a Dremel
Join Date: Jan 2011
Location: The basement, Gershon's Haus of Sausage
Posts: 1,573
Thanks for the heads up, another password 'mare. Changed and moved on...hope I can remember the darn thing!

Old 7th Sep 2016, 13:13   #8
.//TuNdRa
Resident Bulldozer Guru
Join Date: Feb 2011
Location: Northamptonshire Region.
Posts: 4,006
Whelp, there goes me having a memorable password for Bit, Lastpass to the rescue again...
__________________
Overdue Upgrades: AMD R7 1700 | Thermalright Archon IB-E | Asrock Taichi 370X | 16GB (4x4GB) Corsair Vengeance LPX | Asus Strix Soar | Gigabyte Windforce 670 | Silverstone ST1000-PT | Silverstone Raven RV-02B V1.7 | 2x Hynix SL301 250GB RAID0 | 2x WD 3TB RED RAID0 | Lite-on Blu-ray ROM
Dell U2913WM | Sennheiser HD 518s | Microlab Solo8C Speakers | Logitech G13 | Ducky Legend (MX Blues) | Logitech G503

Old 7th Sep 2016, 13:18   #9
Andyuk911
What's a Dremel?
Join Date: Jun 2009
Location: UK- Southeast
Posts: 13
Try Roboform

Old 7th Sep 2016, 14:07   #10
David
RIP Tel
Join Date: Apr 2009
Location: Somewhere over the rainbow, weigh a pie
Posts: 11,461
So, when Hexus sent out their alert a couple of weeks ago, bit-tech did nothing?

Despite sharing staff and resources?

WTF?
__________________
Before you judge a man, walk a mile in his shoes; after that, who cares?! He's a mile away and you've got his shoes!

Main rig - 6700K|Z170|32GB|256GB M.2|500GB SSDs|8TB NAS|980 Ti|3007WFP-HC|Parvum S2.0

Old 7th Sep 2016, 14:15   #11
Gareth Halfacree
WIIGII!
bit-tech Staff
Join Date: Dec 2007
Location: Bradford, UK
Posts: 8,620
Quote:
Originally Posted by Spreadie View Post
So, when Hexus sent out their alert a couple of weeks ago, bit-tech did nothing? Despite sharing staff and resources? WTF?
More scandalously, Bit-Tech also did nothing when Dropbox was hacked way back in 2012. Because, y'know, Bit-Tech isn't Dropbox.

Bit-Tech also isn't Hexus. It's run on separate servers, using separate software. The attack on Hexus and the attack on Bit-Tech were two completely separate events: the Hexus breach took place on the 8th of August, the Bit-Tech breach took place on the 13th of January - but, and this is critical, Bit-Tech only found out about the attack yesterday. When the Hexus breach notification was sent out, there was nothing to suggest that Bit-Tech had been breached months prior - which is why nobody from Bit-Tech sent out any alerts. As soon as Bit-Tech found out about the breach, the alerts were sent in less than 24 hours - which I'd say is pretty good going.

Just to clarify again: the Hexus and Bit-Tech websites and fora are in no way linked. Breaching one will not get you any data from the other. The Hexus breach and Bit-Tech breach are not known to be related. They happened at completely different times. Unfortunately, crap happens - especially if you're running vBulletin, which has been described as a great remote shell with a so-so forum attached, which is one of the reasons Bit-Tech is shifting away from vBulletin.
__________________
Author, Raspberry Pi User Guide Fourth Edition, 21 Brilliant Projects for the Raspberry Pi and more | gareth.halfacree.co.uk | twitter | keybase.io
bit-tech news correspondent, Custom PC columnist, other things to other people
I'm a filthy freelancer! Hire me! | Need a VPN? Try AirVPN!

Old 7th Sep 2016, 14:20   #12
pumpman
Ultramodder
Join Date: Jul 2004
Location: UK
Posts: 1,035
Spookily enough I changed mine in June using 1password and generated a new password just done same again to be on safe side
__________________
Hexus

Old 7th Sep 2016, 14:25   #13
David
RIP Tel
Join Date: Apr 2009
Location: Somewhere over the rainbow, weigh a pie
Posts: 11,461
Quote:
Originally Posted by Gareth Halfacree View Post
More scandalously, Bit-Tech also did nothing when Dropbox was hacked way back in 2012. Because, y'know, Bit-Tech isn't Dropbox.

Bit-Tech also isn't Hexus. It's run on separate servers, using separate software. The attack on Hexus and the attack on Bit-Tech were two completely separate events: the Hexus breach took place on the 8th of August, the Bit-Tech breach took place on the 13th of January - but, and this is critical, Bit-Tech only found out about the attack yesterday. When the Hexus breach notification was sent out, there was nothing to suggest that Bit-Tech had been breached months prior - which is why nobody from Bit-Tech sent out any alerts. As soon as Bit-Tech found out about the breach, the alerts were sent in less than 24 hours - which I'd say is pretty good going.

Just to clarify again: the Hexus and Bit-Tech websites and fora are in no way linked. Breaching one will not get you any data from the other. The Hexus breach and Bit-Tech breach are not known to be related. They happened at completely different times. Unfortunately, crap happens - especially if you're running vBulletin, which has been described as a great remote shell with a so-so forum attached, which is one of the reasons Bit-Tech is shifting away from vBulletin.
As much as I enjoy your sarcasm, I didn't say it was the same breach - the alert from Hexus was in reference to a breach due to a vulnerability in vBulletin, which both Hexus and bit tech use.

Both sites share the same owner and tech staff. Given that, I think it's fair to ask why there wasn't some crossover between the two sites.
__________________
Before you judge a man, walk a mile in his shoes; after that, who cares?! He's a mile away and you've got his shoes!

Main rig - 6700K|Z170|32GB|256GB M.2|500GB SSDs|8TB NAS|980 Ti|3007WFP-HC|Parvum S2.0

Old 7th Sep 2016, 14:35   #14
Gareth Halfacree
WIIGII!
bit-tech Staff
Join Date: Dec 2007
Location: Bradford, UK
Posts: 8,620
Quote:
Originally Posted by Spreadie View Post
As much as I enjoy your sarcasm, I didn't say it was the same breach - the alert from Hexus was in reference to a breach due to a vulnerability in vBulletin, which both Hexus and bit tech use. Both sites share the same owner and tech staff. Given that, I think it's fair to ask why there wasn't some crossover between the two sites.
Absolutely no sarcasm intended: merely a demonstration of the core concept I tried to get across in the post.

Yes, both Hexus and Bit-Tech use vBulletin. So do literally hundreds of thousands of sites across the internet - it's one of the most popular forum packages in the world. When one of those sites is breached, all the other sites can do - assuming they even find out about it - is patch against the vulnerability used and hope for the best. As it happens, Bit-Tech was breached before Hexus - so no amount of information from the Hexus breach could have protected Bit-Tech.

When you say "why [wasn't there] some crossover between the two sites," what do you mean?
__________________
Author, Raspberry Pi User Guide Fourth Edition, 21 Brilliant Projects for the Raspberry Pi and more | gareth.halfacree.co.uk | twitter | keybase.io
bit-tech news correspondent, Custom PC columnist, other things to other people
I'm a filthy freelancer! Hire me! | Need a VPN? Try AirVPN!

Old 7th Sep 2016, 14:39   #15
B1GBUD
More Biddy Bang Bang than Sean Paul
Join Date: May 2008
Location: Guildford
Posts: 2,914
Thanks for the heads-up and honesty guys.
__________________
Teh unofficial Bit-Tech proof reader and understander of all the necessary hashtags

Old 7th Sep 2016, 14:40   #16
UberTiger
Minimodder
Join Date: May 2009
Posts: 24
What platform are you moving to?

Old 7th Sep 2016, 15:46   #17
David
RIP Tel
Join Date: Apr 2009
Location: Somewhere over the rainbow, weigh a pie
Posts: 11,461
Quote:
Originally Posted by Gareth Halfacree View Post
Absolutely no sarcasm intended: merely a demonstration of the core concept I tried to get across in the post.

Yes, both Hexus and Bit-Tech use vBulletin. So do literally hundreds of thousands of sites across the internet - it's one of the most popular forum packages in the world. When one of those sites is breached, all the other sites can do - assuming they even find out about it - is patch against the vulnerability used and hope for the best. As it happens, Bit-Tech was breached before Hexus - so no amount of information from the Hexus breach could have protected Bit-Tech.
Yes bit-tech was breached before Hexus, but didn't find out until now - weeks later. I'd have thought, given the shared technical resource and the fact that Hexus' forum was patched weeks ago, bit tech's vulnerability would have been identified and dealt with at the same time.

I understand bit's breach was back in January, but why wasn't it discovered until now, when the staff were aware of the vulnerability since early August?

Quote:
Originally Posted by Gareth Halfacree View Post
When you say "why [wasn't there] some crossover between the two sites," what do you mean?
Both sites share the same technical staff.
__________________
Before you judge a man, walk a mile in his shoes; after that, who cares?! He's a mile away and you've got his shoes!

Main rig - 6700K|Z170|32GB|256GB M.2|500GB SSDs|8TB NAS|980 Ti|3007WFP-HC|Parvum S2.0

Old 7th Sep 2016, 16:09   #18
wecrookie
Multimodder
Join Date: Dec 2013
Location: Norn Ireland apparently
Posts: 83
Done & thx for the heads up.

yours wecrookie
__________________
Carpe Diem - Squeeze the day!

Old 7th Sep 2016, 16:28   #19
jonnyGURU
Power to the People
Join Date: Oct 2006
Posts: 23
Done. Thanks!

Old 7th Sep 2016, 16:30   #20
itrush07
Multimodder
Join Date: Nov 2007
Posts: 228
Done, thanks for the heads up too..
__________________
IT Rush <my blog

All times are GMT +1.
Powered by: vBulletin Version 3
Copyright ©2000 - 2017, Jelsoft Enterprises Ltd.