Sunday, June 21, 2009

Members' security was never a big issue for Beowulf...


I perfectly understand your point, but let me just quickly make mine, since I don't have much time to spend on this.
- First, I'm fully aware of the situation; what I'm doing with some sense of humor is avoiding the paranoia that many members with less tech knowledge easily get into, as I could see in previous situations.
- You may have knowledge of SQL and know that it's not that difficult to search for information in a database, no matter how big it is. I'm not saying that I know more than you, but SQL is also peanuts for me, and I'm perfectly aware of what they can and can't do right now, no matter how large their knowledge and resources are.
- You can say that there was some negligence in the problem that caused this: the phpBB3 update caused disruption to the .htaccess in some folders. That is definitely unexpected, and it would be easy for it to happen to any admin and never be noticed. Even without any security directives in the .htaccess files, there would be nothing else they could do other than download non-web-related files from the webroot, which doesn't represent any threat to the forum/server. However, when backups of the forum are done through the forum control panel, a copy of the backup stays in the /store/ folder so the forum can be restored anytime just by browsing the existing backups, without the need for an upload. Sometimes I delete them, but this uncommon issue was never expected, and I even used to have a cron set up to delete those backups automatically, but once I had an issue with the remote backup server and had to stop it.
- They can create fake PMs, but the same can be done against them, with members saying that the PMs they are publishing are fake. The same happened before in a similar situation.
- I do what I can to keep the forum running; I'm not being paid, nor do I get any kind of benefit for doing so. I have enough on my plate to deal with every day, so here I do what I find needs to be done to keep the forum running. Don't expect me to do the same as I do for paying clients who have critical servers managed by me. I also know we should care for members' security, but it's not a responsibility we should take heavily. People are aware of the risks as soon as they connect to the Internet, and members are also advised about the risks of sending vital info through PMs. If it is to be taken that far, I would tell everybody to not even use the Internet.

- And THE MOST IMPORTANT thing for me is to keep the forum up... if they got a copy of the database, other than cloning the forum (out of date), reading PMs, IPs and email addresses, they will not take control of this server. The issue is not a security issue in the system, but just files that were not protected from public access.
They can even get root access to the server; it will take me just 2 hours to get everything back up and running again... and the forum will keep its voice up.

Again, I understand your point, but you don't know many past situations and what's behind the curtains... so, I understand you, and I thank you for your concern!
Should I be alert for consequences? Yes...
Should I worry? Not that much...
Should I stress out and fall into paranoia?? Not at all...
REMEMBER: I'm just avoiding paranoia, I'm not misleading anybody... Every risk members can take is well explained in the first post.
Believe me... sometimes there's an ant in the forum and people come up to me saying there's an elephant there!
What matters is, the forum will keep up!
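The failure the admin describes above is a deny-all `.htaccess` that an upgrade silently broke in a folder holding SQL backups. As an added example (not from the post or from phpBB), here is a small post-upgrade audit a phpBB3 admin could run from the webroot: it checks that each folder phpBB ships with a deny-all `.htaccess` still has one, and flags backup archives sitting in a folder whose protection is gone. The folder list, the accepted directive forms and the constructed sample webroot are assumptions.

```python
import os
import re
import tempfile

# phpBB 3.0 ships a deny-all .htaccess in each of these folders (assumed list; adjust to your tree).
PROTECTED_DIRS = ("store", "cache", "files", "includes")

# Apache 2.2 form phpBB3 relies on, plus the Apache 2.4 equivalent.
_DENY_RE = re.compile(r"^\s*(Deny\s+from\s+All|Require\s+all\s+denied)\s*$", re.I | re.M)

def htaccess_status(dirpath):
    """Return 'missing', 'no-deny' or 'ok' for the .htaccess in one directory."""
    path = os.path.join(dirpath, ".htaccess")
    if not os.path.isfile(path):
        return "missing"
    with open(path, encoding="utf-8", errors="replace") as fh:
        return "ok" if _DENY_RE.search(fh.read()) else "no-deny"

def exposed_backups(dirpath):
    """Backup archives that become downloadable once the deny rule is gone."""
    if not os.path.isdir(dirpath):
        return []
    return sorted(n for n in os.listdir(dirpath)
                  if n.lower().endswith((".sql", ".sql.gz", ".sql.bz2", ".sql.zip")))

def audit_webroot(webroot, dirs=PROTECTED_DIRS):
    """Map each protected folder to its .htaccess status and the backups sitting in it."""
    return {name: {"htaccess": htaccess_status(os.path.join(webroot, name)),
                   "backups": exposed_backups(os.path.join(webroot, name))}
            for name in dirs}

def build_sample_webroot():
    """Constructed fixture: cache/ intact, store/ with its Deny line lost (the post's
    failure mode) plus a backup inside, files/ and includes/ with no .htaccess at all."""
    root = tempfile.mkdtemp(prefix="phpbb_audit_")
    for name in PROTECTED_DIRS:
        os.makedirs(os.path.join(root, name))
    with open(os.path.join(root, "cache", ".htaccess"), "w") as fh:
        fh.write('<Files "*">\n\tOrder Allow,Deny\n\tDeny from All\n</Files>\n')
    with open(os.path.join(root, "store", ".htaccess"), "w") as fh:
        fh.write('<Files "*">\n\tOrder Allow,Deny\n</Files>\n')
    open(os.path.join(root, "store", "backup_20090621.sql.gz"), "w").close()
    return root

if __name__ == "__main__":
    for folder, info in audit_webroot(build_sample_webroot()).items():
        exposed = info["htaccess"] != "ok" and info["backups"]
        print(f"{folder:10} {'EXPOSED' if exposed else info['htaccess']:8} {' '.join(info['backups'])}")
```

Run against a real tree as `audit_webroot("/path/to/forum")`; anything other than `ok` on a folder that contains backups is the exact exposure described in the post.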

