SUPPOSED Security problems with scoobynet

Old Mar 15, 2002 | 01:54 PM
#1
ex-webby
Thread Starter
Orange Club
 
Joined: Oct 1998
Posts: 13,763
Likes: 1
Post

Hi All

We have had a number of people stating that there are security problems with scoobynet...

Moray with his "hacked password" which turned out to be cookie theft (unless anyone has any further information).
AdamM with his "hacked password" which turned out to be caused by him using a public machine and his cookie being stored on it.
rsquire stating he had "hacked" the moderator's forum when in fact all he'd done was use Michelle's password after she had used his machine (not impressed with this one)
CraigH stating that email addresses had been stolen due to a "security hole", which is simply a standard web page crawler grabbing email addresses off the pages (as is standard practice across the web).

All of these things are basically "scare-mongering" and cause people to lose faith in scoobynet. Can we PLEASE not jump to conclusions until you have the facts?

It is clear that work needs to be done so that cookies are not stored in all cases, but this is a separate issue.

All the best

Simon
Old Mar 15, 2002 | 02:14 PM
#2
Richard Askew
Scooby Regular
 
Joined: Dec 2000
Posts: 9,400
Likes: 0
From: A land of lap-dancers and Lanson Black Label
Post

Noted

bttt
Old Mar 15, 2002 | 02:58 PM
#3
DavidRB
Scooby Regular
 
Joined: Apr 1999
Posts: 1,335
Likes: 0
Wink

I can browse Scoobynet and post quite happily with cookies disabled.
Old Mar 15, 2002 | 03:40 PM
#4
Richard Askew
Scooby Regular
 
Joined: Dec 2000
Posts: 9,400
Likes: 0
From: A land of lap-dancers and Lanson Black Label
Post

bttt
Old Mar 15, 2002 | 04:13 PM
#5
Jolly Green Monster
Former Sponsor
iTrader: (4)
 
Joined: Jan 2001
Posts: 16,548
Likes: 2
From: ECU Mapping - www.JollyGreenMonster.co.uk
Wink

Thank you for reassuring us Simon.

Spending a lot of time here it was easy to spot the hype and scare mongering, but it is easy for this to be taken for *real* if someone visits infrequently.

Anyway....Thanks for letting us know

Simon
Old Mar 15, 2002 | 06:34 PM
#6
The Zohan
Scooby Regular
 
Joined: Jan 2000
Posts: 21,825
Likes: 0
From: Disco, Disco!
Post

btt
Old Mar 15, 2002 | 08:36 PM
#7
pslewis
Scooby Regular
 
Joined: Jun 2000
Posts: 32,398
Likes: 1
From: Old Codgers Home
Post

What the FUKC was Rsquire doing playing idiotic games like that??

He comes on my threads and has a pop at me - I would never be such an 4rse as to do that - he has disappeared down the hole of no respect in my eyes now!

Pete
Old Mar 15, 2002 | 08:37 PM
#8
pslewis
Scooby Regular
 
Joined: Jun 2000
Posts: 32,398
Likes: 1
From: Old Codgers Home
Post

Oh, yes, - is there a forum that we can't see which is used by moderators only???????? can I have the passwords to access it please??

Pete
Old Mar 15, 2002 | 09:10 PM
#9
BugEyed
Scooby Regular
 
Joined: Aug 2001
Posts: 1,029
Likes: 0
Post

Pete

Sorry, it is a personal thing, that forum is only to discuss the positive benefits of GOLD wheels.

Duncan

PS. BTT
Old Mar 18, 2002 | 01:26 PM
#10
MorayMackenzie
Scooby Senior
 
Joined: Jun 1999
Posts: 3,410
Likes: 0
Cool

Simon

Re your comment: "Moray with his "hacked password" which turned out to be cookie theft (unless anyone has any further information)."

I did not state that this was a "hacked password". I was not happy that the cookie file stored the username and password in plain text rather than in an encrypted form. If the password and username were transferred over the internet in plain text form it would not be the work of a genius to recover and use the login details. Most other BBS softwares that I have seen store the password and username information in an encrypted form. Scoobynet did not at the point when my account was compromised. I am still not convinced that anyone "stole" my cookie file.

So can you put my mind at rest and confirm that the software does now encrypt the login information before it is transferred over the internet.

Moray
bbs.22b.com
Old Mar 18, 2002 | 03:45 PM
#11
Adam M
Scooby Regular
 
Joined: Aug 1999
Posts: 7,957
Likes: 0
Post

Simon,

I know nothing about security issues, all I can say is I object to the use of the word scaremongering as it suggests malicious intent.

I suggest you choose your words more carefully in future, as you could end up offending people who were only trying to help you out.
Old Mar 18, 2002 | 07:21 PM
#12
kryten
Scooby Regular
 
Joined: May 2000
Posts: 869
Likes: 0
Post


The only time information is encrypted is on a secure (https) site when you get the Key Lock at the bottom of your browser.

Some sites may do some basic scrambling but most send in plain text - if it's not https then it's pretty easy to break, given a decent PC and enough test data.

Remember that all your POP3 (email) passwords go as plain text!

Best thing is to keep all your passwords different!
Old Mar 19, 2002 | 11:45 AM
#13
devils_ad69
Scooby Regular
 
Joined: Dec 2001
Posts: 205
Likes: 0
Post

Webmaster,

Can you answer Moray's question about encryption of the login information, please?
Old Mar 19, 2002 | 12:24 PM
#14
Jza
Scooby Regular
 
Joined: Feb 2001
Posts: 2,959
Likes: 0
Post

Oh - Adam's got told off and has now picked up his Handbag

Jza
Old Mar 19, 2002 | 12:56 PM
#15
CraigH
Scooby Regular
 
Joined: Nov 2000
Posts: 3,675
Likes: 0
Cool

LOL,

Thought he never put his handbag down?

Old Mar 19, 2002 | 01:02 PM
#16
Adam M
Scooby Regular
 
Joined: Aug 1999
Posts: 7,957
Likes: 0
Post

guys, I know you like to have a joke, but I am actually pissed off about this.

Simon is normally very careful about choosing his words so that no one is offended, in short he likes to be very pc regardless of what he is thinking.

I really don't take kindly to being accused of deviousness. I am also somewhat surprised that he genuinely believes I don't have better things to do with my time than to try to sabotage his community.

Frankly I would appreciate an apology.
Old Mar 19, 2002 | 01:06 PM
#17
devils_ad69
Scooby Regular
 
Joined: Dec 2001
Posts: 205
Likes: 0
Post

Little wonder that the reputation of Scoobynet is in free-fall when 'issues' arise, fingers are pointed, but the detail is lacking.
Old Mar 19, 2002 | 04:09 PM
#18
dosenöffner
Scooby Regular
 
Joined: Feb 2002
Posts: 2,005
Likes: 0
Post

[spoilt_whine]guys, I know you like to have a joke, but I am actually pissed off about this.[/spoilt_whine]

Some of us do recall your post when you thought your password had been 'nabbed'.

Not PC either.

We reap what we sow.

Enjoy a further 15 minutes of fame.
Old Mar 20, 2002 | 08:41 AM
#19
devils_ad69
Scooby Regular
 
Joined: Dec 2001
Posts: 205
Likes: 0
Post

bttt

Webmaster - Can you please answer Moray's question
Old Mar 20, 2002 | 09:16 AM
#20
POC
Scooby Regular
 
Joined: Feb 2001
Posts: 7,953
Likes: 0
From: Hemel Hempstead
Angry

There are a few people that would like an apology from Simon, he tends to not even have the decency to reply to emails.

Paul
Old Mar 20, 2002 | 09:22 AM
#21
Dizzy
Scooby Regular
 
Joined: May 2001
Posts: 2,537
Likes: 0
Post

"So can you put my mind at rest and confirm that the software does now encrypt the login information before it is transferred over the internet."

I can answer that... no. You need https (as stated) and to be honest that's going WAY overboard. It may even require client side software to encrypt and decrypt the password in and out of the registry... If someone wanted to attack the board it is much easier to attack the server than clients connecting to it.

Guys this has been done to death (moray issue) on a number of occasions I have seen, it just raises backs n gets ppl annoyed can't we just live n let live?
Old Mar 20, 2002 | 09:26 AM
#22
fast bloke
Scooby Regular
 
Joined: Nov 2000
Posts: 26,619
Likes: 0
Exclamation

devils_ad - Kryten has already answered the question fairly well. I think that at the end of the day it is up to Simon what level of encryption is needed. It's his board that will suffer should anyone ever manage to hack it.

Adam - I think Simon's point was that there were a fair number of people posting 'There is a flaw in Scoobynet security, as someone posted using my name etc etc', when in actual fact the post should have been 'I've been careless with my cookies or I don't understand cookies and someone is using my login.' When you posted, you hadn't bothered to check anything out around possible causes but immediately pointed the finger at the BBS software. You are also someone who generally chooses his words carefully, so there are many people here who would read what you have written and take it as fact. I don't think Simon was accusing anyone of deviousness, but was justifiably accusing people of causing security scares through carelessness with their own accusations. Possibly if you had taken the PC step of mailing him with your concerns instead of posting for all to see then you would not feel that the finger is being pointed at you?

[Edited by fast bloke - 3/20/2002 9:28:27 AM]
Old Mar 20, 2002 | 09:29 AM
#23
ex-webby
Thread Starter
Orange Club
 
Joined: Oct 1998
Posts: 13,763
Likes: 1
Post

Hi All

Apologies for not replying sooner, I'm out of the country and have only just got internet access back up. Thank you SO MUCH to the moderators for doing their usual fabulous job.

Moray, the passwords are not encrypted as it would make no difference. The encrypted password would then be stored on the user's machine just the same as the non-encrypted version. As stated the only true security is https.

Adam. My apologies (and this is specific) if you interpreted my statements as meaning that I thought you wanted to sabotage scoobynet, or that there was any malicious intent. This is not the case.

POC. I have replied to all of your emails. The email server had problems for about a week, so my replies were not getting to people (as the email responses from scoobynet were also going missing). This is now resolved, so please email me if there is something outstanding.

All the best

Simon
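
Added example, not part of the thread and not ScoobyNet's code: a Python sketch of the point argued in posts #10 and #23. A cookie holding a hashed password is still a reusable login for whoever finds it on a shared machine, while a random session token marked for https only can expire and be revoked. All names and the sample account are assumptions.

```python
import hashlib
import secrets
import time
from http.cookies import SimpleCookie

# Constructed sample account; a real server would store a salted password hash.
USERS = {"alice": "correct horse"}
SESSIONS = {}  # token -> (user, expiry time)

def _digest(pw):
    return hashlib.sha256(pw.encode()).hexdigest()

def hashed_cookie(user, password):
    """Cookie value that carries the password in hashed form."""
    if USERS.get(user) != password:
        return None
    return f"{user}:{_digest(password)}"

def check_hashed_cookie(value):
    # Valid for anyone who presents it, until the password itself changes.
    user, _, digest = value.partition(":")
    pw = USERS.get(user)
    return pw is not None and secrets.compare_digest(digest.encode(), _digest(pw).encode())

def login_session(user, password, ttl=1800, now=None):
    """Issue a random token that says nothing about the password."""
    if USERS.get(user) != password:
        return None
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = (user, (time.time() if now is None else now) + ttl)
    return token

def check_session(token, now=None):
    user, expiry = SESSIONS.get(token, (None, 0))
    if user is None or expiry <= (time.time() if now is None else now):
        SESSIONS.pop(token, None)
        return None
    return user

def logout(token):
    SESSIONS.pop(token, None)  # server-side revocation

def session_cookie_header(token):
    # Secure: sent over https only. HttpOnly: not readable by page scripts.
    c = SimpleCookie()
    c["sid"] = token
    c["sid"]["secure"] = True
    c["sid"]["httponly"] = True
    return c["sid"].OutputString()
```
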
Old Mar 20, 2002 | 09:33 AM
#24
Adam M
Scooby Regular
 
Joined: Aug 1999
Posts: 7,957
Likes: 0
Post

I am quickly getting very tired of this website.

Old Mar 20, 2002 | 09:38 AM
#25
POC
Scooby Regular
 
Joined: Feb 2001
Posts: 7,953
Likes: 0
From: Hemel Hempstead
Post

Frankly I can't be bothered Simon.

Forward your 'replies' if you still have them.

Paul
Old Mar 20, 2002 | 09:42 AM
#26
Adam M
Scooby Regular
 
Joined: Aug 1999
Posts: 7,957
Likes: 0
Post

simon,

when I clicked on reply, I had not seen your reply.

Thank you for the specific apology, it puts my mind at rest.

To those who think I did not check before posting, they are wrong, I had searched around on both computers I had used. The scoobysport computer had been an oversight on my part as at the time, I thought I had failed to post using their machine as the site was not responding when I was there so I gave up.

To be honest, careless with cookies is perfectly valid, I am a lawyer not an IT bod, and even if you told me I needed to erase all cookies after using a machine I would have no idea how to.
Old Mar 20, 2002 | 09:49 AM
#27
CraigCH
Scooby Regular
 
Joined: Jan 1999
Posts: 75
Likes: 0
Unhappy

Hello I don't post very often but have just read this thread and would just like to say
SIMON DOES ALL THIS FOR FREE AND IF HE STOPS SO DOES SCOOBYNET!
It isn't his full time job.
Sorry for shouting!
but lots of people on here work in IT and we all know nothing is very safe/secure email doesn't always work and we have all got so used to instant messaging that if we don't get a reply instantly we start moaning. Try sending Simon a letter as he said he is out of the country at the mo so you would be unlikely to get a reply for days or weeks! Technology ain't perfect god knows I'm aware of that.
Cheers.
Craig.
Old Mar 20, 2002 | 10:14 AM
#28
IanWatson
Scooby Regular
 
Joined: Jul 2001
Posts: 504
Likes: 0
From: maturin23 - 205GTi Drivers.com
Angry

I'm staggered that people seem to be acting as if this website was a god-given right, rather than a labour of love by Simon DB.

The increasingly defensive atmosphere on this site is hardly helped by this petulant attitude - I'm shocked by the replies to the initial post. People get p1ssed off, but I would have thought that as long-term members it would have been more tactful to voice frustrations directly and not publicly.

How can we complain about the behaviour of new visitors to the BBS when some of our most senior members are throwing their toys out of the pram?



[Edited by IanWatson - 3/20/2002 10:15:53 AM]
Old Mar 20, 2002 | 10:20 AM
#29
Elvis-Presley
Scooby Regular
 
Joined: May 2001
Posts: 36
Likes: 0
Post

How do you know the first post in this thread is the real SDB and not an imposter with a hacked account trying to stir things up a bit ?
Old Mar 20, 2002 | 10:22 AM
#30
davyboy
Scooby Regular
 
Joined: Apr 2001
Posts: 13,488
Likes: 0
From: Some country and western
Wink

If people are getting tired of this website and have had enough, then you know the answer.

Simon does have a full time job you know!


