Author Topic: ATTENTION: Attempted security attack discovered!  (Read 24184 times)

Re: ATTENTION: Attempted security attack discovered!
« Reply #60 on: February 17, 2011, 10:51:19 AM »
name and password changed.Thanks for the warning.

HolmCross

  • Sad Robot
  • Is not a gun
Re: ATTENTION: Attempted security attack discovered!
« Reply #61 on: February 17, 2011, 11:10:56 AM »
Haven't been logged out yet, but changing details/password just to be on the safe side, thanks for keeping us informed.
We're going to have a mass identity crisis at this rate  :V
My mouth is not so much a communications tool as an exhaust port for my brain.

Twitter | Steam | Seek your own Wonderland

WGH

    • Touhou arrangements grouped by source
Re: ATTENTION: Attempted security attack discovered!
« Reply #62 on: February 17, 2011, 11:36:22 AM »
That was insidious plan to make not talkative ones post a bit more.

?q

  • Lurking librarian
  • and moe sound effect
Re: ATTENTION: Attempted security attack discovered!
« Reply #63 on: February 17, 2011, 11:41:44 AM »
(I know admins have the ability to send an announcement to everyone on the forum via e-mail - maybe this is the kind of thing that warrants such an alert?)
I check my e-mail once every whenever someone tells me I have an e-mail, and I don't think I'm the only one...

I no longer have my ? filter, so I guess I don't need to go back to my original name anyway :(

Quote
That was insidious plan to make not talkative ones post a bit more.
HA!  I would NEVER fall for that!
« Last Edit: February 17, 2011, 11:59:54 AM by Nit?na »

Mimachiro

  • Master of the Swimsuit
  • Making being an evil spirit look good
    • Tondemonai
Re: ATTENTION: Attempted security attack discovered!
« Reply #64 on: February 17, 2011, 11:42:41 AM »
That explains why I was being logged out. Oh well, first time I've had a different display name for anything in about ten years, give or take, so whatever. I think me and Flan should 'kyuu' the culprits.  :D

"I don't have anything against you, but I hope you're ready to die a dog's death!
Oh, don't worry, that cat will carry off your body, so you'll be able to live in our place!"

Ryuu

  • time for kittyrina lessons
  • time to press r again
Re: ATTENTION: Attempted security attack discovered!
« Reply #65 on: February 17, 2011, 11:45:53 AM »
oh hey I got logged out after I changed my name too


OH MAN I'M UNSECURE

http://ryuukyunplaysstuff.tumblr.com/ read about me playing league i guess

Marokuu

  • Maru~ Maru~
  • Lurk~ Lurk~
Re: ATTENTION: Attempted security attack discovered!
« Reply #66 on: February 17, 2011, 11:49:13 AM »
Huh. *flies of to change name and password*

Now it's time to burninate someone.

And right as I do that I get logged out :/
« Last Edit: February 17, 2011, 01:57:02 PM by Okyuurin »
My first attempt at storywriting, looking for critique

Avatar schizophrenia? I don't know what you're talking about.

Momiji

  • Cya
Re: ATTENTION: Attempted security attack discovered!
« Reply #67 on: February 17, 2011, 12:10:01 PM »
oh hey I got logged out after I changed my name too


OH MAN I'M UNSECURE
I think you made a friend.  Else they had already extracted all the usernames from here beforehand.

That was insidious plan to make not talkative ones post a bit more.
Hey, I know you!

Conqueror

  • Here I am, dirty and faceless
  • waiting to heed your instruction
Re: ATTENTION: Attempted security attack discovered!
« Reply #68 on: February 17, 2011, 12:13:40 PM »
I feel lucky nothing has happened to me yet.

Password changed anyway to be more forgettable secure. I learned my lesson after Gawker.  :V


On tue un homme, on est un assassin. On tue des millions d'hommes, on est un conqu?rant. On les tue tous, on est un dieu.
Every saint has a past and every sinner a future.

Re: ATTENTION: Attempted security attack discovered!
« Reply #69 on: February 17, 2011, 12:23:09 PM »
Changed my username and profile as well, even though my account never randomly logged out.  Still, thanks for the warning!

Out of curiosity, what's TOR?

Thanks in advance!

Re: ATTENTION: Attempted security attack discovered!
« Reply #70 on: February 17, 2011, 12:25:55 PM »
First Winamp and now MoTK.. Great, nice paranoia fuel..

Sapz

  • There's no escape.
  • *
  • It's time to burn!
Re: ATTENTION: Attempted security attack discovered!
« Reply #71 on: February 17, 2011, 12:29:04 PM »
Done and done. I think I've been logged out twice now, first was a while ago, second was this morning.
Let's fight.

Palewolf

  • バカ狼ですよ
Re: ATTENTION: Attempted security attack discovered!
« Reply #72 on: February 17, 2011, 12:30:09 PM »
Ah lol i was all convinced i did something weird to get logged out all the time.
Thanks for the warning.

Iryan

  • Ph?nglui mglw?nafh
  • Cat R?lyeh wgah?nagl fhtagn.
Re: ATTENTION: Attempted security attack discovered!
« Reply #73 on: February 17, 2011, 12:35:48 PM »
Name and password changed.

For the people who got logged out after changing name and password, I remember that any previous time I changed my name, I got logged out after some time, so I assume that changing your display name somehow defaults the selected option from "login forever" to "1 hour", so if you want to be sure, log out and back in after you changed your name. If you get disconnected again, then something is definitely up in the air.  :derp:
Old Danmakufu stuff can be found here!

"As the size of an explosion increases, the numbers of social situations it is incapable of solving approaches zero."

Re: ATTENTION: Attempted security attack discovered!
« Reply #74 on: February 17, 2011, 12:43:52 PM »
I never got logged out. I guess I'm not interesting enough or they got my password right on the first try.
Spoiler:
;_;

Mimachiro

  • Master of the Swimsuit
  • Making being an evil spirit look good
    • Tondemonai
Re: ATTENTION: Attempted security attack discovered!
« Reply #75 on: February 17, 2011, 12:48:44 PM »
Name and password changed.

For the people who got logged out after changing name and password, I remember that any previous time I changed my name, I got logged out after some time, so I assume that changing your display name somehow defaults the selected option from "login forever" to "1 hour", so if you want to be sure, log out and back in after you changed your name. If you get disconnected again, then something is definitely up in the air.  :derp:
I hope you're right, since I just got logged out after changing my name and password. XD

"I don't have anything against you, but I hope you're ready to die a dog's death!
Oh, don't worry, that cat will carry off your body, so you'll be able to live in our place!"

ふねん1

  • Scientific editor
  • If you're alive, you can always keep moving.
Re: ATTENTION: Attempted security attack discovered!
« Reply #76 on: February 17, 2011, 01:44:50 PM »
I have no idea what this TOR thing is, and I've yet to experience random logouts. I'm changing my password anyway to be safe.
"Science is more than a body of knowledge. It's a way of thinking." - Carl Sagan

NEW AND IMPROVED YOUTUBE, now with 60 fps Touhou videos! Latest video update: WBaWC Lunatic/Extra no-miss no-bomb no-Roars no-Spirit-Strikes compilation.

helvetica

  • Arcade Maid
  • *
  • United Federation
Re: ATTENTION: Attempted security attack discovered!
« Reply #77 on: February 17, 2011, 02:19:22 PM »
Changing your display name ONLY works if you haven't been attacked yet.  I will be sending out another PM to the people we've caught login attempts on so we can discuss changing your username as well.  Changing usernames is a function only admins can do.

Ah god damn, I gotta change my password, eh?
Also, I'm getting a lot of 403, aka "Forbidden" errors. Would that be part of this attack or no?
No, that's just forum load issues.  Try clearing your cache and stuff.

Thank you very much for the professional, reasonably detailed report as to what was happening, and what the fixing measure are.

I would like to suggest, next time you're working on the SMF files, that somehow, a notification that your login and visible names should be different should be provided at registration. Forgetting how the registration works on SMF, I'm betting that there's a line for visible name during registration - simply adding a boldfaced "For security reasons, do not make this the same as your login name" should be a reasonable warning.

It won't stop idiots, but this might be a case where, if we can get a majority of accounts to avoid this, then this hack becomes ill-worthwhile - the machine effort put in becoming more useful to put to attack other forums. Essentially, the same principle as herd immunity in disease-research fields.

(I also changed my secret question and answer to "WHY ARE YOU ASKING THIS WHEN YOU HAVE YOUR PASSWORD STORAGE PROGRAM?!", and then made sure the secret answer would be ridiculously hard to get by any means ever.)
We're looking into alternate login methods, probably something involving email address.  Username is exposed in user profiles as people tend to change their display name a lot (oftentimes to things that aren't readily recognizable) and it's a nice tool to figure out who's who since they're normally unchangeable.  Email addresses, on the other hand, do not need to be exposed directly ever as the forum can email on the behalf of other users, and thus can remain totally hidden and unique per user.

But until that is in place, profile viewing has been blocked from people with less than 10 posts.  This makes the task of farming usernames much much much more difficult, far beyond any automated tool.

oh man, my glorious username ;-; tarnished by the seeking of security.

(I know admins have the ability to send an announcement to everyone on the forum via e-mail - maybe this is the kind of thing that warrants such an alert?)
Already sent it :V

I have no idea what this TOR thing is, and I've yet to experience random logouts. I'm changing my password anyway to be safe.
The Onion Router, an anonymizing proxy that works by scattering your connection across thousands of "exit nodes" so noone can reasonably track your original IP.


Twitter: @hipsterfont | Discord: helvetica#0573 | LINE: hipsterfont

He thought that on that same day he was to take the city of Priam, but he little knew what was in the mind of Jove, who had many another hard-fought fight in store alike for Danaans and Trojans."


Re: ATTENTION: Attempted security attack discovered!
« Reply #78 on: February 17, 2011, 02:34:01 PM »
Yeah. Now i've been logged out once too. Quite a nuisance.

Huckebein

Re: ATTENTION: Attempted security attack discovered!
« Reply #79 on: February 17, 2011, 02:52:06 PM »
They can take my name, but they can't take my sweet av.  Thanks for the heads-up.

Alice★f

  • That uncanny smile...
  • *
  • Kuroya Shinobu strikes again
    • TsundereWorks' Mo? Blog
Re: ATTENTION: Attempted security attack discovered!
« Reply #80 on: February 17, 2011, 02:52:36 PM »
Changed, thanks for the notification.

I used to use TOR to tunnel through my school's firewall in the past. Awfully slow, though.

DeviantArtPixivTsundere WorksYoutubeNEW! Liz Triangle's S4U
日本語勉強中 | Touhou Hard Modo Gamer

helvetica

  • Arcade Maid
  • *
  • United Federation
Re: ATTENTION: Attempted security attack discovered!
« Reply #81 on: February 17, 2011, 02:59:52 PM »
OK a new profile field has been added to replace username as a method of identification.  Under Account Settings you will see a new option named "Nickname", it will show up right under your avatar so people can recognize you even if you change your display name.  This is a PERMANENT option, so choose wisely what you wish to be there.  We are leaving the field open for editing for the next couple of days to let people use it, but after that it can only be edited by an admin.  At registration time you are forced to fill it out.

Usernames are now hidden again, only staff and the owner of the account can see the actual username.


Twitter: @hipsterfont | Discord: helvetica#0573 | LINE: hipsterfont

He thought that on that same day he was to take the city of Priam, but he little knew what was in the mind of Jove, who had many another hard-fought fight in store alike for Danaans and Trojans."


Yadogari

  • Hieda no Akyu of Shrinemaiden
  • Resident Jackass
Re: ATTENTION: Attempted security attack discovered!
« Reply #82 on: February 17, 2011, 03:19:16 PM »
So weird getting messages from this site. Haven't checked here for ages.

Maybe you're just getting the non-actives to post eh   :V

Gpop

  • Subconscious Rose Girl, Koishi
  • FIRST PLACE BAYBEE!
Re: ATTENTION: Attempted security attack discovered!
« Reply #83 on: February 17, 2011, 03:29:16 PM »
Hmm, I don't ever remember being logged ou- wait once but a while ago.

The Girl with the Golden Smile

  • The insane Oneness
Re: ATTENTION: Attempted security attack discovered!
« Reply #84 on: February 17, 2011, 03:34:55 PM »
Changed up some stuff to protect me :)

Re: ATTENTION: Attempted security attack discovered!
« Reply #85 on: February 17, 2011, 03:45:20 PM »
OK a new profile field has been added to replace username as a method of identification.  Under Account Settings you will see a new option named "Nickname", it will show up right under your avatar so people can recognize you even if you change your display name.  This is a PERMANENT option, so choose wisely what you wish to be there.  We are leaving the field open for editing for the next couple of days to let people use it, but after that it can only be edited by an admin.  At registration time you are forced to fill it out.

Usernames are now hidden again, only staff and the owner of the account can see the actual username.

Question. Does the nickname have to be different from the username? 
All lies and all sin, all dreams and all majesty, Everything rots in this ruined hell

[The Perfect, Elegant Maid] [Pathos of the Hated People] [Music, Projects, and Art]

HakureiSM

  • Reimu is all of it
  • I suddenly feel like I ate a crowbar.
Re: ATTENTION: Attempted security attack discovered!
« Reply #86 on: February 17, 2011, 03:47:40 PM »
Question. Does the nickname have to be different from the username?
Your username should not match ANYTHING publicly identifiable on your account, so don't set your display name, your nickname, or any instant messaging nicks to your username.
[20:45:19] Ciryano: come and behold why they call it the Panzerfaust
[20:45:39] Hakurei Reimu: ... because it shoots once and then you throw it out?
                                                                                   .

helvetica

  • Arcade Maid
  • *
  • United Federation
Re: ATTENTION: Attempted security attack discovered!
« Reply #87 on: February 17, 2011, 03:50:16 PM »
Question. Does the nickname have to be different from the username?
Defeats the purpose of having them separate.  If you want your current username to be your nickname, you can PM one of the admins and we'll change your username so you can reuse it.  NOTHING publicly visible on your account should match your username.  Your username is only visible by staff and yourself, and is only necessary for logging in, that's it.
« Last Edit: February 17, 2011, 03:51:57 PM by ♪ Tesoro Corporation ♫ »


Twitter: @hipsterfont | Discord: helvetica#0573 | LINE: hipsterfont

He thought that on that same day he was to take the city of Priam, but he little knew what was in the mind of Jove, who had many another hard-fought fight in store alike for Danaans and Trojans."


Re: ATTENTION: Attempted security attack discovered!
« Reply #88 on: February 17, 2011, 04:01:59 PM »
Okay, I just changed a few things. However, does this new nickname thing mean that I can't go with my previous username as my nickname?

Chronojet ⚙ Dragon

  • The Oddity
  • 今コソ輝ケ、我ガ未来、ソノ可能性!!
Re: ATTENTION: Attempted security attack discovered!
« Reply #89 on: February 17, 2011, 04:04:35 PM »
Woah.

I'll go change my password anyways.