concerns over accounts in two places...


flynnguy
October 16, 2008, 10:32 AM
In case you haven't heard, there have been some arguments over THR. Without taking sides here, I know some people are concerned because there is a new site (thehighroad.us) that is a copy of this site.

Now I wasn't involved at all but I want to explain how this probably happened from a technical end. Both sites use a piece of software called phpBB (http://www.phpbb.com/). This keeps everything in a database. If you wanted to clone the site, it is actually just a simple matter of installing phpBB and copying the database.

Your password is stored encrypted with an MD5 hash. What this means is that a math formula is run on your password to turn it from something like 'password' to '5f4dcc3b5aa765d61d8327deb882cf99'. There's no way to take the MD5 and turn it back into your password. What happens is, when you log in, it takes what you typed, MD5's it and compares that to what's stored. If it matches, it lets you in.

I know some people were concerned about the security of their accounts since there is a clone out there. Hopefully this should alleviate your concerns.

If you enjoyed reading about "concerns over accounts in two places..." here in TheHighRoad.org archive, you'll LOVE our community. Come join TheHighRoad.org today for the full version!
shdwfx
October 16, 2008, 11:02 AM
1) if Oleg and friends were locked out as reported, how did they manage to get a relatively current copy of THR's DB (it seems to be relatively recent)?

2) If the sites are ever merged back, how do you resolve the divergent set of user accounts. New users will join each site, causing potential collisions during a future merge.

I don't think this fork was thought through from a technical perspective.

Water-Man
October 16, 2008, 11:16 AM
There is politics after all on this forum. Who would have known?

flynnguy
October 16, 2008, 03:11 PM
I don't know who has access to what and quite frankly it's none of my business but somehow they got a copy of the DB. My main interest in posting is so that average users know their passwords weren't compromised or anything.

As for merging, it could be done; there are some constraints, such as if two different people sign up with the same name on both sites, one will lose out when they merge.

Of course, if it were my site, I'd probably tell the people who chose the losing side tough luck, create a new account, but a merge could be done... just a few kinks to work out.

Beren
October 16, 2008, 03:24 PM
I am speaking personally, and not as a staff member of either .us or .org. The change was a complete surprise to me and the technical means through which it was accomplished has not been disclosed to all staff.

I urge you to change your passwords on both websites, and make sure they are different passwords.

While they are probably MD5-encoded (I will check), that doesn't prevent a dictionary attack by one party or the other if they have a copy of the hashed password.

Derek Zeanah
October 16, 2008, 03:35 PM
vBulletin (what we use, not phpBB ;) ) stores hashes of passwords in the database. This means that the password itself isn't stored; rather it's passed through a one-way function and the result is compared with the result stored in the database.

This means they can't do a simple query and grab your password, but they could run a dictionary attack against all the passwords in the database. If your password isn't in a dictionary and it's reasonably long then you should be fine. It will probably be fine anyway. I don't see any reason Oleg would want to crack user passwords. But then, lots of his behavior has caught me off guard of late. :(

Jorg Nysgerrig
October 16, 2008, 03:39 PM
Both sites use a piece of software called phpBB.

Uh, they use vBulletin, which is not the same thing.

While they are probably MD5-encoded (I will check), that doesn't prevent a dictionary attack by one party or the other if they have a copy of the hashed password
Since vB by default uses an MD5 + salt, it shouldn't be decryptable even with a dictionary attack unless someone wanted to calculate all the salt values and combine that with a dictionary attack.

That assumes that no one modified the default password stuff, which can be done.

Regardless, the advice to change your passwords and use unique passwords is a good practice.
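Editor's note: the two hashing schemes discussed above (flynnguy's plain MD5 description and Jorg Nysgerrig's salted vBulletin default) can be shown side by side. The following is an added example written for this archive page; it is not code from either site, nor from vBulletin or phpBB. The user table, wordlist and salts are constructed for the example, and the salted layout md5(md5(password) + salt) is my understanding of the vBulletin 3 default, stated here as an assumption. The MD5 of 'password' quoted in the first post is reproduced exactly.

```python
import hashlib

# All data below is constructed for the example; nothing here comes from either site.
WORDLIST = ["123456", "password", "letmein", "highroad", "qwerty", "glock19"]


def md5_hex(data: str) -> str:
    return hashlib.md5(data.encode("utf-8")).hexdigest()


def unsalted_hash(password: str) -> str:
    """Plain md5(password): the scheme flynnguy's post describes."""
    return md5_hex(password)


def salted_hash(password: str, salt: str) -> str:
    """md5(md5(password) + salt): the vBulletin 3 layout as I understand it (assumption)."""
    return md5_hex(md5_hex(password) + salt)


def verify_unsalted(candidate: str, stored: str) -> bool:
    """What the login code does: hash what was typed, compare to the stored value."""
    return unsalted_hash(candidate) == stored


def verify_salted(candidate: str, salt: str, stored: str) -> bool:
    return salted_hash(candidate, salt) == stored


# A constructed 'leaked' users table in both layouts. carol's password is not in the wordlist.
_PLAINTEXTS = {"alice": "password", "bob": "glock19", "carol": "correct horse battery staple 1873"}
_SALTS = {"alice": "a1b", "bob": "x9Q", "carol": "7mK"}  # short per-user salts, constructed
LEAKED_UNSALTED = {u: unsalted_hash(p) for u, p in _PLAINTEXTS.items()}
LEAKED_SALTED = {u: (_SALTS[u], salted_hash(p, _SALTS[u])) for u, p in _PLAINTEXTS.items()}


def crack_unsalted(rows, wordlist):
    """Hash the wordlist once, then look every user up in that table.
    Cost is len(wordlist) hashes no matter how many accounts leaked.
    Returns (user -> recovered password or None, number of candidate hashes computed)."""
    table = {unsalted_hash(w): w for w in wordlist}
    return {u: table.get(h) for u, h in rows.items()}, len(wordlist)


def lookup_table_against_salted(rows, wordlist):
    """The same precomputed table applied to salted rows: the salt makes every lookup miss."""
    table = {unsalted_hash(w): w for w in wordlist}
    return {u: table.get(stored) for u, (_salt, stored) in rows.items()}


def crack_salted(rows, wordlist):
    """With a per-user salt the wordlist must be re-hashed for every account.
    Precomputation is defeated; weak passwords are still found, just slower."""
    found, tries = {}, 0
    for u, (salt, stored) in rows.items():
        found[u] = None
        for w in wordlist:
            tries += 1
            if salted_hash(w, salt) == stored:
                found[u] = w
                break
    return found, tries


if __name__ == "__main__":
    print(unsalted_hash("password"))  # 5f4dcc3b5aa765d61d8327deb882cf99
    print(crack_unsalted(LEAKED_UNSALTED, WORDLIST))
    print(lookup_table_against_salted(LEAKED_SALTED, WORDLIST))
    print(crack_salted(LEAKED_SALTED, WORDLIST))
```

The point for anyone whose hash is in a copied database: a salt stops an attacker from reusing one precomputed table (or a rainbow table) across every account, but it does not stop them from running the wordlist against each account in turn, so 'password' and 'glock19' fall either way while a long passphrase absent from the wordlist survives both. That is why changing to a unique, non-dictionary password on each site is the right advice regardless of which layout is in use.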

Samuel Adams
October 16, 2008, 03:46 PM
I urge you to change your passwords on both websites, and make sure they are different passwords.
+1

I don't like this issue one bit. The THR is a prime source of information for the 2nd Amendment. It would be a sad day to see that compromised because of a couple of two year olds fighting.

Quoheleth
October 16, 2008, 07:07 PM
This means they can't do a simple query and grab your password, but they could run a dictionary attack against all the passwords in the database. If your password isn't in a dictionary and it's reasonably long then you should be fine. It will probably be fine anyway. I don't see any reason Oleg would want to crack user passwords. But then, lots of his behavior has caught me off guard of late

Somehow I am now a member at the .us site as well - name & password work just fine. I will admit my password is not Top Secret Clearance stuff, but it's not "password" either.

There are few things I really, really dislike [on the verge of "hate"] and that's when someone "knows what I think." I wasn't *invited* to join .us; someone apparently knew I was thinking about joining up and did it for me.

:fire:

Q

CRAZY-G
October 16, 2008, 08:11 PM
Who owns posts put on a public forum? I would think nobody owns them but that the owner of the site controls them.

akodo
October 16, 2008, 09:15 PM
Q

There are few things I really, really dislike [on the verge of "hate"] and that's when someone "knows what I think." I wasn't *invited* to join .us; someone apparently knew I was thinking about joining up and did it for me.

I believe it is a case where user info, be it passwords, personal messages, signature files, EVERYTHING gets copied. No way to say 'wait, leave this little bit, with everyone's I.D.' behind.

At least that is my understanding, and I have been on some board 'migrations' before. I have also been on some boards that didn't migrate, and that caused a LOT of problems.

See, people would register using the username of long-time respected posters on the other forum to cause general hurt feelings. I can definitely see people out to scam a buck 'cyber squatting' on user names of well-respected gun traders or whoever on the new THR site.

Also, if you had to sign up anew, everyone would have the 'start date' of 10-15-08 and it would be harder to tell the new from the old when weighing how likely you are getting good advice vs some guy on the internet just spouting off.

S.P.E.C.T.R.E.
October 16, 2008, 09:59 PM
I don't see any reason Oleg would want to crack user passwords. But then, lots of his behavior has caught me off guard of late.


Oleg has posted his side (http://olegvolk.livejournal.com/474369.html) of the story. Is your side posted somewhere?

JShirley
October 16, 2008, 10:19 PM
No. Derek has always maintained that public bickering is bad for the forum, and contrary to the way we have always run THR.

Everything that has happened is a result of an unfortunate disagreement between the two individuals most responsible for THR. One wants to fight all across the 'net. The other wants to handle this civilly.

On that note, I think we're done.

John
