SUPPOSED Security problems with scoobynet
#1
Hi All
We have had a number of people stating that there are security problems with scoobynet...
Moray with his "hacked password" which turned out to be cookie theft (unless anyone has any further information).
AdamM with his "hacked password" which turned out to be caused by him using a public machine and his cookie being stored on it.
rsquire stating he had "hacked" the moderator's forum when in fact all he'd done was use Michelle's password after she had used his machine (not impressed with this one)
CraigH stating that email addresses had been stolen due to a "security hole", which is simply a standard web page crawler grabbing email addresses off the pages (as is standard practice across the web).
All of these things are basically "scare-mongering" and cause people to lose faith in scoobynet. Can we PLEASE not jump to conclusions until you have the facts?
It is clear that work needs to be done so that cookies are not stored in all cases, but this is a separate issue.
All the best
Simon
#5
Thank you for reassuring us Simon.
Spending a lot of time here it was easy to spot the hype and scare mongering, but it is easy for this to be taken for *real* if someone visits infrequently.
Anyway....Thanks for letting us know
Simon
#7
What the FUKC was Rsquire doing playing idiotic games like that??
He comes on my threads and has a pop at me - I would never be such an 4rse as to do that - he has disappeared down the hole of no respect in my eyes now!
Pete
#10
Simon
Re your comment: "Moray with his "hacked password" which turned out to be cookie theft (unless anyone has any further information)."
I did not state that this was a "hacked password". I was not happy that the cookie file stored the username and password in plain text rather than in an encrypted form. If the password and username were transferred over the internet in plain text form it would not be the work of a genius to recover and use the login details. Most other BBS softwares that I have seen store the password and username information in an encrypted form. Scoobynet did not at the point when my account was compromised. I am still not convinced that anyone "stole" my cookie file.
So can you put my mind at rest and confirm that the software does now encrypt the login information before it is transferred over the internet.
Moray
bbs.22b.com
#11
Simon,
I know nothing about security issues, all I can say is I object to the use of the word scaremongering as it suggests malicious intent.
I suggest you choose your words more carefully in future, as you could end up offending people who were only trying to help you out.
#12
The only time information is encrypted is on a secure (https) site when you get the Key Lock at the bottom of your browser.
Some sites may do some basic scrambling but most send in plain text - if it's not https then it's pretty easy to break, given a decent PC and enough test data.
Remember that all your POP3 (email) passwords go as plain text!
Best thing is to keep all your passwords different!
#16
guys, I know you like to have a joke, but I am actually pissed off about this.
Simon is normally very careful about choosing his words so that no one is offended, in short he likes to be very pc regardless of what he is thinking.
I really don't take kindly to being accused of deviousness. I am also somewhat surprised that he genuinely believes I don't have better things to do with my time than to try to sabotage his community.
Frankly I would appreciate an apology.
#18
[spoilt_whine]guys, I know you like to have a joke, but I am actually pissed off about this.[/spoilt_whine]
Some of us do recall your post when you thought your password had been 'nabbed'.
Not PC either.
We reap what we sow.
Enjoy a further 15 minutes of fame.
#21
So can you put my mind at rest and confirm that the software does now encrypt the login information before it is transferred over the internet.
Guys this has been done to death (moray issue) on a number of occasions I have seen, it just raises backs n gets ppl annoyed can't we just live n let live?
#22
devils_ad - Kryten has already answered the question fairly well. I think that at the end of the day it is up to Simon what level of encryption is needed. It's his board that will suffer should anyone ever manage to hack it.
Adam - I think Simon's point was that there were a fair number of people posting 'There is a flaw in Scoobynet security, as someone posted using my name etc etc', when in actual fact the post should have been 'I've been careless with my cookies or I don't understand cookies and someone is using my login.' When you posted, you hadn't bothered to check anything out around possible causes but immediately pointed the finger at the BBS software. You are also someone who generally chooses his words carefully, so there are many people here who would read what you have written and take it as fact. I don't think Simon was accusing anyone of deviousness, but was justifiably accusing people of causing security scares through carelessness with their own accusations. Possibly if you had taken the PC step of mailing him with your concerns instead of posting for all to see then you would not feel that the finger is being pointed at you?
[Edited by fast bloke - 3/20/2002 9:28:27 AM]
#23
Hi All
Apologies for not replying sooner, I'm out of the country and have only just got internet access back up. Thank you SO MUCH to the moderators for doing their usual fabulous job.
Moray, the passwords are not encrypted as it would make no difference. The encrypted password would then be stored on the user's machine just the same as the non encrypted version. As stated the only true security is https.
Adam. My apologies (and this is specific) if you interpreted my statements as meaning that I thought you wanted to sabotage scoobynet, or that there was any malicious intent. This is not the case.
POC. I have replied to all of your emails. The email server had problems for about a week, so my replies were not getting to people (as the email responses from scoobynet were also going missing). This is now resolved, so please email me if there is something outstanding.
All the best
Simon
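Added example (not part of the original thread and not scoobynet's code): a sketch of the point made in post #23, that a cookie holding a scrambled password can be replayed exactly like a plaintext one, set beside the usual alternative of an opaque session token with server-side expiry and the Secure and HttpOnly flags. The account, the function names and the use of SHA-256 as the "scrambling" are assumptions made for illustration.

```python
import hashlib, secrets, time
from http.cookies import SimpleCookie

# Constructed sample account and in-memory stores; nothing here comes from the forum.
USERS = {"alice": hashlib.sha256(b"correct horse").hexdigest()}
SESSIONS = {}  # opaque token -> (username, expiry timestamp)

def legacy_cookie(user, password, scramble=False):
    """Credential cookie: the password, or a fixed transform of it, kept client side."""
    value = hashlib.sha256(password.encode()).hexdigest() if scramble else password
    return f"{user}:{value}"

def legacy_login(cookie, scrambled=False):
    """Accepts whoever presents the cookie; a copy is indistinguishable from the owner."""
    user, _, value = cookie.partition(":")
    if not scrambled:
        value = hashlib.sha256(value.encode()).hexdigest()
    return user if secrets.compare_digest(USERS.get(user, ""), value) else None

def issue_session(user, remember=False, ttl=1800):
    """Hardened form: random token, server-side expiry, https-only, hidden from scripts."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = (user, time.time() + ttl)
    jar = SimpleCookie()
    jar["sid"] = token
    jar["sid"]["path"] = "/"
    jar["sid"]["secure"] = True       # browser sends it over https only
    jar["sid"]["httponly"] = True     # not readable from page scripts
    if remember:                      # without Max-Age the browser drops it on exit
        jar["sid"]["max-age"] = ttl
    return token, jar["sid"].OutputString()

def session_user(token, now=None):
    """Resolve a token to a user, rejecting unknown or expired tokens."""
    user, expiry = SESSIONS.get(token, (None, 0.0))
    if user is None or (time.time() if now is None else now) >= expiry:
        SESSIONS.pop(token, None)
        return None
    return user

def logout(token):
    """Server-side revocation: a copy left on a shared machine stops working."""
    SESSIONS.pop(token, None)
```

The token carries no credential, so a cookie left behind on a shared machine exposes one session until it expires or is revoked, not the password itself.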
#26
simon,
when I clicked on reply, I had not seen your reply.
Thank you for the specific apology, it puts my mind at rest.
To those who think I did not check before posting, they are wrong, I had searched around on both computers I had used. The scoobysport computer had been an oversight on my part as at the time, I thought I had failed to post using their machine as the site was not responding when I was there so I gave up.
To be honest, careless with cookies is perfectly valid, I am a lawyer not an IT bod, and even if you told me I needed to erase all cookies after using a machine I would have no idea how to.
#27
Hello I don't post very often but have just read this thread and would just like to say
SIMON DOES ALL THIS FOR FREE AND IF HE STOPS SO DOES SCOOBYNET!
It isn't his full time job.
Sorry for shouting!
but lots of people on here work in IT and we all know nothing is very safe/secure email doesn't always work and we have all got so used to instant messaging that if we don't get a reply instantly we start moaning. Try sending Simon a letter as he said he is out of the country at the mo so you would be unlikely to get a reply for days or weeks! Technology ain't perfect god knows I'm aware of that.
Cheers.
Craig.
#28
I'm staggered that people seem to be acting as if this website was a god-given right, rather than a labour of love by Simon DB.
The increasingly defensive atmosphere on this site is hardly helped by this petulant attitude - I'm shocked by the replies to the initial post. People get p1ssed off, but I would have thought that as long-term members it would have been more tactful to voice frustrations directly and not publicly.
How can we complain about the behaviour of new visitors to the BBS when some of our most senior members are throwing their toys out of the pram?
[Edited by IanWatson - 3/20/2002 10:15:53 AM]