/  Forum Index
   /  Website feedback and suggestions
      /  Amigaworld.net Hacked continued...
BigD 
Amigaworld.net Hacked continued...
Posted on 21-Mar-2019 0:03:19
#1 ]
Elite Member
Joined: 11-Aug-2005
Posts: 7323
From: UK

Dear all,

As you all know, Amigaworld.net was hacked on or around the 1st October 2018. This was the second successful attack in recent memory and we are assured that some modern password 'PHP hashing' technology is in place to deter similar encryption hacks in the future if the hackers get hold of the database again.

I have started this because the old 'Amigaworld.net hacked!' thread has been locked without comment from the moderators, which I think is unreasonable. This site may or may not now be secure but we should be able to at least speak about it and debate whether it's time for a complete rebuild as per Amiga.org.

I have been threatened by the AmigaWorld hacker from the October 2018 breach for the second time via email (he doesn't have the password but if I'd used my old AmigaWorld one he would have) and just like before since I didn't respond he's 'leaked' my email address to more spam advertisers. I had more Spam in my Inbox today than proper email and I send every unwanted email to the Spam folder but some new ones still get through despite the spam filter adapting as I send new emails to the Spam folder manually. It really is unacceptable that this website has fallen so far behind in security measures having been documented as being hacked in both 2012 and 2018.

Sibbi Quote from 7th November 2018:

Quote:
I've modified the login code to make it update your password using the password_hash method of PHP, which is a far better way of hashing the password, making it much more difficult to decrypt, even if someone were to gain control of the user database.


Has that really been enough to stop this happening again? Is the core database safe from being copied and then cracked at leisure by the hacker? Surely the hash method of PHP could have been implemented after the first attack in 2012?

Finally, why the silence? This issue has not gone away and this is a paid for webmail service that the AmigaWorld breach is well on the way to making inoperable! To say I'm disappointed is an understatement. The big companies such as Sony and Microsoft would be litigated beyond the pale for having two hacks in the space of 6 years. AmigaWorld however just locks the threads and prays that the site is secure not knowing whether the layers of Classic Amiga browser compliant custom code is a security risk or not! At least you don't have my credit card number though at least I could easily have got a replacement card whereas giving up on my email address is a lot more painful.

_________________
"Art challenges technology. Technology inspires the art."
John Lasseter, Co-Founder of Pixar Animation Studios

 Status: Offline
Profile     Report this post  
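The login-time upgrade described in the quoted 7 November 2018 note, sketched as an added example (not the site's code and not part of any post in this thread). The legacy scheme is assumed to be unsalted MD5 purely for illustration, and the in-memory `$users` array and the `login()` function are hypothetical.

```php
<?php
// Constructed in-memory "users" table. The legacy scheme (unsalted MD5)
// is an assumption for illustration, not the site's actual scheme.
$users = [
    'alice' => ['hash' => md5('correct horse'), 'scheme' => 'legacy'],
];

function login(array &$users, string $name, string $password): bool
{
    if (!isset($users[$name])) {
        return false;
    }
    $row = &$users[$name];

    if ($row['scheme'] === 'legacy') {
        // Constant-time comparison against the old hash.
        if (!hash_equals($row['hash'], md5($password))) {
            return false;
        }
        // The plaintext is only available at login, so the upgrade happens here.
        $row['hash'] = password_hash($password, PASSWORD_DEFAULT);
        $row['scheme'] = 'php';
        return true;
    }

    if (!password_verify($password, $row['hash'])) {
        return false;
    }
    // Re-hash if the default algorithm or cost has changed since storage.
    if (password_needs_rehash($row['hash'], PASSWORD_DEFAULT)) {
        $row['hash'] = password_hash($password, PASSWORD_DEFAULT);
    }
    return true;
}

var_dump(login($users, 'alice', 'correct horse')); // legacy check, then upgrade
var_dump($users['alice']['scheme']);               // scheme after the first login
var_dump(login($users, 'alice', 'correct horse')); // verified via password_verify
var_dump(login($users, 'alice', 'wrong'));         // wrong password is rejected
```

Accounts that never log in again keep their legacy hash under this approach, so a copied database still exposes those entries until they are rehashed or reset.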
bison 
Re: Amigaworld.net Hacked continued...
Posted on 21-Mar-2019 3:56:45
#2 ]
Elite Member
Joined: 18-Dec-2007
Posts: 2112
From: N-Space

@BigD

This is becoming a problem for me as well. Going forward I'm using a different email address for each online account. If I get hacked, at least it will be contained, and if I get spam, I know where it came from.

For years I've used two email addresses, one for personal use, and one for online accounts, but that no longer seems to be sufficient.

_________________
"Unix is supposed to fix that." -- Jay Miner

ASiegel 
Re: Amigaworld.net Hacked continued...
Posted on 21-Mar-2019 8:41:37
#3 ]
Regular Member
Joined: 22-Oct-2013
Posts: 212
From: Unknown

@BigD

Quote:
I had more Spam in my Inbox today than proper email and I send every unwanted email to the Spam folder but some new ones still get through despite the spam filter adapting as I send new emails to the Spam folder manually.

Who is your email provider? Some companies are much better at automated spam detection than others.

Quote:
The big companies such as Sony and Microsoft would be litigated beyond the pale for having two hacks in the space of 6 years.

Actually, history shows that even the most severe data breaches have rarely had any serious legal consequences.

Quote:
Has that really been enough to stop this happening again? Is the core database safe from being copied and then cracked at leisure by the hacker? Surely the hash method of PHP could have been implemented after the first attack in 2012?

The nasty little secret is that almost every established Amiga-related forum is still running on either PHP4 (worst case) or PHP5, which finally reached 'end of life' status in December of 2018.

Due to incompatibilities between the various PHP versions, moving to PHP7 does require you to either manually update existing forum engines or to migrate all data to new forum engines.

This process should not take months but it is not a matter of minutes either.

BigD 
Re: Amigaworld.net Hacked continued...
Posted on 21-Mar-2019 10:17:07
#4 ]
Elite Member
Joined: 11-Aug-2005
Posts: 7323
From: UK

@ASiegel

Perhaps it's time a migration plan was formulated and the members asked for donations if required. It is not good enough to ignore the problem until ALL our Inboxes are bloated messes of SPAM!

_________________
"Art challenges technology. Technology inspires the art."
John Lasseter, Co-Founder of Pixar Animation Studios

ASiegel 
Re: Amigaworld.net Hacked continued...
Posted on 21-Mar-2019 11:35:32
#5 ]
Regular Member
Joined: 22-Oct-2013
Posts: 212
From: Unknown

@BigD

Quote:
It is not good enough to ignore the problem

Well, this is your opinion.

As long as these discussions are deliberately hidden from the frontpage and purposefully restricted to one of the least visited parts of this website, it will be next to impossible to find out if others agree.

number6 
Re: Amigaworld.net Hacked continued...
Posted on 21-Mar-2019 11:58:58
#6 ]
Elite Member
Joined: 25-Mar-2005
Posts: 11589
From: In the village

@ASiegel

Now I'm confused.

The thread category at top shows it IS in a forum viewable on the front page (Website feedback and suggestions), yet it clearly is not.

#6

_________________
This posting, in its entirety, represents solely the perspective of the author.
*Secrecy has served us so well*

number6 
Re: Amigaworld.net Hacked continued...
Posted on 21-Mar-2019 12:35:09
#7 ]
Elite Member
Joined: 25-Mar-2005
Posts: 11589
From: In the village

@thread

In addition:

shows the former thread on the topic is locked from posting

Correct me if I am reading this wrong.

@BigD

I see your mention of this. I'm just confirming.

#6

Last edited by number6 on 21-Mar-2019 at 12:41 PM.

_________________
This posting, in its entirety, represents solely the perspective of the author.
*Secrecy has served us so well*

broadblues 
Re: Amigaworld.net Hacked continued...
Posted on 21-Mar-2019 12:41:29
#8 ]
Amiga Developer Team
Joined: 20-Jul-2004
Posts: 4446
From: Portsmouth England

@BigD

Spam is a thing that happens on the internet, be an adult and use a proper spam filter. YAM's heuristic filter works fairly well, I get virtually no false positives these days though it does miss a few. Thunderbird's one is also good I hear.

Whilst perfect security on all sites would be lovely, you need to take responsibility for your own net security. Use a different password for each forum and certainly don't use one you use with bank or similar.

_________________
BroadBlues On Blues BroadBlues On Amiga Walker Broad

number6 
Re: Amigaworld.net Hacked continued...
Posted on 21-Mar-2019 12:43:17
#9 ]
Elite Member
Joined: 25-Mar-2005
Posts: 11589
From: In the village

@broadblues

And never ever use "Amiga" as a password. heh.

#6

_________________
This posting, in its entirety, represents solely the perspective of the author.
*Secrecy has served us so well*

broadblues 
Re: Amigaworld.net Hacked continued...
Posted on 21-Mar-2019 13:10:29
#10 ]
Amiga Developer Team
Joined: 20-Jul-2004
Posts: 4446
From: Portsmouth England

@number6

What about 'zeluR_agimA' ?

_________________
BroadBlues On Blues BroadBlues On Amiga Walker Broad

number6 
Re: Amigaworld.net Hacked continued...
Posted on 21-Mar-2019 13:40:25
#11 ]
Elite Member
Joined: 25-Mar-2005
Posts: 11589
From: In the village

@broadblues

Nzvtn_Ehyrm perhaps, since rot13 is all the rage now.

#6

_________________
This posting, in its entirety, represents solely the perspective of the author.
*Secrecy has served us so well*

BigD 
Re: Amigaworld.net Hacked continued...
Posted on 21-Mar-2019 14:04:05
#12 ]
Elite Member
Joined: 11-Aug-2005
Posts: 7323
From: UK

@broadblues

I file this issue under major annoyance rather than criminal negligence but if Amigaworld is hacked again whose fault is that?

I am not saying anyone has gained access to any other of my accounts but only that I am receiving a 20 fold increase in SPAM to the leaked email address.

I should not have to change email addresses due to the negligence of the moderators of this site. If there is no long term migration plan to a more secure PHP framework / database then Amiga.org will remain and Amigaworld WILL fall away IMHO!

Last edited by BigD on 21-Mar-2019 at 02:04 PM.

_________________
"Art challenges technology. Technology inspires the art."
John Lasseter, Co-Founder of Pixar Animation Studios

ASiegel 
Re: Amigaworld.net Hacked continued...
Posted on 21-Mar-2019 14:13:25
#13 ]
Regular Member
Joined: 22-Oct-2013
Posts: 212
From: Unknown

@BigD

Quote:
I should not have to change email addresses due to the negligence of the moderators of this site.

Moderators often lack sufficient technical access to improve security issues. They are not necessarily to blame.

Quote:
If there is no long term migration plan to a more secure PHP framework / database then Amiga.org will remain and Amigaworld WILL fall away IMHO!

I hope you are aware that amiga.org and amigaworld.net are owned by the same people.

From a pure business perspective, it might be beneficial to only have to maintain one community website.

Last edited by ASiegel on 21-Mar-2019 at 02:14 PM.

BigD 
Re: Amigaworld.net Hacked continued...
Posted on 21-Mar-2019 14:52:54
#14 ]
Elite Member
Joined: 11-Aug-2005
Posts: 7323
From: UK

@ASiegel

Quote:
From a pure business perspective, it might be beneficial to only have to maintain one community website.


Maybe that's the medium term plan then. Let AmigaWorld die a slow death and in the meantime keep their fingers in their ears regarding potential security holes they have no intention of fixing. That would make a lot of sense! "Only Amiga"

_________________
"Art challenges technology. Technology inspires the art."
John Lasseter, Co-Founder of Pixar Animation Studios


Copyright (C) 2000 - 2019 Amigaworld.net.
Amigaworld.net was originally founded by David Doyle