|
Post by PinkFloydYoshi on Apr 8, 2005 0:53:31 GMT -5
4 hours ago, yoshilore forums was successfully hacked. I was there the entire way to see its demise, along with a year of my memories there. I recommend that, although I'm not one to say things like this, all members of staff reinforce their password security, as he could well appear here too.
The username to look for is 'bumyoshi'. He has been banned from some other boards I work at and his 'supposed' ip has been banned at other places, including here since I told timyoshi earlier about it.
If you own a forum yourself, keep an eye on your users coming into the board.
|
|
|
Post by bloodoftheyoshi on Apr 8, 2005 1:01:46 GMT -5
I'm scared! I hope YC doesn't go down! This is the only forum I belong to! *shivers*
|
|
|
Post by teh yoshi on Apr 8, 2005 1:06:29 GMT -5
Yeah, I was there to witness the entire downfall as well. It was pretty insane... Also, that tart stole my icon from my website! It's my friend's server, dagnabbit >_<!!
|
|
|
Post by PinkFloydYoshi on Apr 8, 2005 1:06:43 GMT -5
YC's won't go down so long as the staff have 'good' passwords, and with someone as resourceful as soul on the team, I'm sure we're safe. I could do with a chat with soul though, see if I'm right about the possible ways he could've got in.
|
|
|
Post by bloodoftheyoshi on Apr 8, 2005 1:12:51 GMT -5
Ahhhhh, well, I speak for all of us members when I say you are truly awesome mods. I feel a little better now.
|
|
|
Post by Toshi on Apr 8, 2005 3:58:06 GMT -5
Yoshilore? Man... I was there last night too, must have happened when I left!
Let's just hope it doesn't happen here!
|
|
|
Post by Anjil on Apr 8, 2005 4:12:14 GMT -5
Isn't there someone who's already registered here named "bumyoshi"? Well, if his supposed IP has already been banned, I think we are safe.
|
|
|
Post by yro Pedward on Apr 8, 2005 7:48:27 GMT -5
I'll be sure to look after my proboards as well. Alright Pinky, I'll bear that in mind.
|
|
|
Post by PinkFloydYoshi on Apr 8, 2005 10:27:17 GMT -5
> Isn't there someone who's already registered here named "bumyoshi"? Well, if his supposed IP has already been banned, I think we are safe.
Oh right. Can you send me the IP via pm, please? I want to match it with the one I have from tyfn, help me determine if it's dynamic. I'm 'looking' for ways in. I'll give YY the keys back then. I'm not hopeful though. Then again, I wonder...
|
|
|
Post by bloodoftheyoshi on Apr 8, 2005 11:40:35 GMT -5
I don't think it is that 'bumyoshi'; supposedly he's only ten and his last post was September 3rd. But then again I'm not the one with the ability to check IP addresses, so do your thing! XD
|
|
|
Post by Toshi on Apr 8, 2005 14:14:03 GMT -5
> I'm 'looking' for ways in. I'll give YY the keys back then. I'm not hopeful though. Then again, I wonder...
Well, I wish ya the best of luck on that one! What he did was stupid *shakes fist* I'd pay a visit to his home any day to give him a piece of my mind!!!
|
|
|
Post by red.yoshi on Apr 8, 2005 15:10:36 GMT -5
pink, unless tim changed the settings otherwise, IP's can only be seen by admins, root and non.
|
|
|
Post by PinkFloydYoshi on Apr 8, 2005 15:25:28 GMT -5
Usually, all admins and mods, whatever type (global or non-global) can see IP Addresses, but Proboards defaults are strange. No other forum providing service uses the settings proboards does. Then again, I've been using Invision for the majority of my online life, and all mods can see IP's, and can suspend a user, and a myriad of different things.
From what I've seen, after playing with a proboard myself, Gmods can see IPs, so if the one I have matches the one here, it proves he's not dynamic, so the IP we have here is correct, and can be used to report him to his ISP for harassment.
|
|
|
Post by red.yoshi on Apr 8, 2005 15:32:57 GMT -5
I think only the root admin should see one's IP address if it has to be seen (other than for banning reasons). Before you join a board, you should trust all those who can see your IP address because it could lead to worse things than hacking one's computer (such as kidnapping, the hacker can track someone's computer by just using their IP address).
|
|
|
Post by PinkFloydYoshi on Apr 8, 2005 16:00:30 GMT -5
Well, staff are trustworthy anyway, so long as the admin has picked the correct people for the job (ie, not made someone moderator that he doesn't even know).
Mods need the ability to stop someone's access to the board, in the event that they abuse the rules. An admin can't be on 24 hours a day. It's only logical to employ those that are in different timezones. Someone's always available then...
|
|
|
Post by sui on Apr 8, 2005 16:03:24 GMT -5
Wow, that forum is swimming in the sea of chaos...
|
|
|
Post by Mailtroid on Apr 8, 2005 19:10:57 GMT -5
IMPORTANT PLEASE READ!!!
Latest news from the Yoshi Lore forums.
Remember... it is still April 2005, right? Now... here is the latest news: THE YOSHI LORE FORUM HAS NOT BEEN HACKED BY SOME STRANGER(S)!!!! According to PinkFloydYoshi, who is talking to me on Skype right now, everything was just a really well planned April Fools' joke! And that is NOT A JOKE!!!
So...as to my knowledge everything will be restored really soon...
So there is no need to be worried about all that anymore...*phew*...*sweatdrop*...
Time for some tea...right PinkyFloydYoshi? *snicker*
|
|
|
Post by PinkFloydYoshi on Apr 8, 2005 19:46:54 GMT -5
Being serious has certainly not paid off. I don't do jokes. I'm going to watch for this sort of thing again. That was one right joke. I'm still having trouble coming to terms with it.
leikomg.
And mailtroid, sweatdrops don't even begin to describe my current feelings. I'm angry, while pleased to see how well played it was, to actually trick me. I'm not easy to trick, but I keep a sense of urgency, so I'll always check it out to see if it's really true, and this was, I got sucked in and everything.
Now I've got to reinstall windows on the laptop because I have a bunch of brute force scripts on it...
|
|
|
Post by Soul on Apr 8, 2005 20:07:58 GMT -5
.............. It is horrifying to see how much people actually know about computer security........

forums.invisionpower.com/index.php?showtopic=114715

As you can probably figure out from that link above, YY's board has been easily hackable at least since Feb. 19, 2004.

Nothing is 100% secure, absolutely nothing. In fact, the only way something could ever be 100% secure is that there were no people with evil intentions around. But that will never happen, so administrators need to make sure their servers are as hard to break into as possible. How exactly do they do that? Well, the answer to this is not something I can finish typing in a few hours (so I'll give a very simplified answer).

In short, you make it VERY easy for hackers and script kiddies to hack into your accounts/servers if you or your service providers:
-Run outdated server software
-Don't use a firewall
-Use passwords that are less than 8 characters long and/or contain only letters or only numbers
-Do not check the news every few days to see if a new vulnerability has been discovered in any of your server applications/services/scripting technologies/cgi or php scripts/etc.
-choose "secret questions" (used for password recovery) that anybody can guess
-use the same password for everything
-log in to your accounts from any available computer

Yellow Yoshi was running IPB v1.2. The latest version is IPB v2.1 (!!!). Also, in December a VERY serious vulnerability was discovered in PHP 4.3.9. If YY's host hasn't upgraded his PHP version since last December, then he has exposed all of his hosted websites to attack. And who knows if his admin passwords were less than 8 characters long.

Vulnerabilities are being discovered ALL the time, not every few months. I consider it security suicide to run outdated server software for more than a week. YY had been running IPB v1.2 for.... years??

All that was required to hack his board was a very angry user who knew how to use google to find hacking tutorials for IPB v1.2 (whoever that was).

A note about IPs: IP banning is only useful to ban unintelligent users using a fixed-IP connection (such connections for end-users are rare nowadays). Even if you have a fixed-IP connection, you can just use any other computer in the world and you will be able to gain access again, assuming only your IP is banned. So IP banning is largely useless now. And whole-network banning (banning 15.14.xxx.xxx instead of 15.14.13.12, for example) is pointless, because you'll end up banning an entire ISP. You could even end up banning yourself if you happen to be a customer of the same ISP that the hacker is using! So it is really funny when a board admin says something like "his IP is banned, so there's nothing to worry about". LOL...

As for the security of this board (YC): There is nothing I can do to make sure no outdated software is being run at proboards.com, only ProBoard's admins can do that. So there's not much I can do. Pretty much all we CAN do to improve security is to protect staff accounts, i.e. give them out only to people we trust a lot, NEVER give admin/mod rights to people that specifically request it (unless you trust that person a lot), downgrading inactive staff accounts, prevent over-staffing, and training staff not to fall for social engineering tactics. A mod/admin's brother or sister could very easily cause havoc here if they only have one PC and if the mod/admin doesn't sign out when he/she is done.

I prefer to run a proboards board, than a phpbb board at my website because I don't have to keep checking for newly found vulnerabilities. That way, if YC is ever destroyed by a hacker, yoshiart.com won't go with it.

I would strongly recommend that if there is anything on YC that you'd like to be able to read anytime, that you save it on your computer asap, because you never know what's going to happen. All this stored text is using a lot of space at proboards, do you think they will never run out of space? What if they decide to do a cleanup, without warning?

EDIT: *reads two previous posts that were not there when I started writing my post* Who says it's a joke? What if YY simply was able to get his host to restore his board from tape backup, and YY decided to tell everyone it was a joke since he was able to get the board back to 'prove' it?
|
|
|
Post by PinkFloydYoshi on Apr 8, 2005 21:37:32 GMT -5
Hmm. I'm not sure if my forum has had that patch applied. I'll do that.
There's many reasons why someone would stick with an old version of ipb. For one, skinning in IPB2.0.x is a lot more difficult. 1.2/3 are relatively simple. There are more hacks for ipb1.2/3 too, to allow for site integration. Using IP Dynamic lite is a waste of time because it's crap. UnrealPortal's ok, but I don't want a portal. I want complete integration, and that's available thanks to the world of open source.
I'll type more tomorrow. There's only so far I can go without sleep.
|
|