New on LowEndTalk? Please Register and read our Community Rules.
Comments
Never... they would have done it by now to prevent losing revenue.
But vBulletin didn't update with the time :P wonder if vb5 has a new encryption.
Did those b**** delete your account for arrogant reasons?
Sadly not lol it's still there.
very arrogant person over there .. be careful haha
Funny thing is that as dead as it seems I know providers advertising there and making thousands of sales... so sales wise it seems active.
Personally I find LET offers are better than even paid WHT offer threads, even though the view count on WHT is a bit higher.
A lot of hosts on WHT make their sales from posting bad advice and unrelated crap on people's threads, it's so obvious that it makes WHT painful to read. For example, someone might ask if a dedicated server or VPS is better for his needs, then some provider comes along and posts "You must use a hybrid-cloud-super-dedi for running x", when his signature advertises hybrid-cloud-super-dedis.
LET is much better in that providers who want to recommend their own services in other people's threads can just do it without having to make some bullshit up.
I'm calling this out as bullshit. That's not a reputable vendor and no proof to the details being hacked. Just some campaign probably from some disgruntled WHT member who got banned probably and this is his plan to cause them some financial loss. Sucks at that anyway lol.
I'd say unlikely considering they targeted and supposedly got three different forums owned by the same company rather than just targeting WHT.
The "proof" is shocking. I don't understand how you take it as valid.
This is pretty easily explained - most system administrators do not understand security in any way other than stupid Google tweaks which never work.
/care
On more interesting news, Datadog (which is used by a lot of Fortune 500 and similar for monitoring/metric storage) got compromised also, AWS keys and so on....
Hahahahahaha.
I used to read wht till I learned linux and started to use dedicated servers and vps. They have great shared hosting section, but I switched to LET, because I need news about vps and dedicated industry.
Yeah got 2 emails from them this morning, signed up but I had never really used it...seems like every other day I'm getting emails from companies getting compromised.
Also the "no ad trashing" rule that we don't have. Never. We tell people when their offers are shit.
Go back to bed... I linked to a thread on VBULLETIN.COM stating there was a security update for 4.2.2 patch 4. Which is what WHT is currently on...
And since you are too stupid to go and read yourself I'll paste it here, there could be an issue with their own script but it doesn't take a genius to know you can do DB backups via SQLi.
Oh and that security patch was released: Thu 16th Jun '16, 4:58am today is Sat 9th July '16
As I said, no data is safe online. None, zero, no exceptions. If you have someone after you, you will be hacked sooner or later, FBI, NASA, CIA, etc. And if that does not work, insider jobs or social engineering will work instead.
Sure, some people are more careless than others and the low hanging fruits will be picked much more often, hence criticism here is deserved, however, depends who is after you, also, you may not even know you were hacked, maybe the Chinese have right now sniffers in CIA's network, they know all the passes, etc.
Well if WHT Penton had a brain they would have found this nice little website from the vbulletin.org forum. This changes VB4 MD5 hashing crap to Bcrypt: http://blog.technidev.com/changing-vbulletin-4-its-password-hashing-to-use-bcrypt/
So they have no excuses. Not one!
Wait, why is MD5 crap? I just did the math and assuming somebody had 100 GPUs to "decrypt" (bruteforce) an MD5 hash for a random alpha-numeric 14 character password, it would take them over 11,000 years to check all of the possible passwords and even more if they didn't know exactly how many characters the password was and if they checked for symbols. If a person only had a single GPU it would take over 1 million years to check the hash against every password.
EDIT: I didn't take salt into account so I don't know how much time that would add to the calculation if any.
EDIT2: It's still a shitty situation. My e-mail address is probably more important to me than my password is.
Because MD5 is hackable, why do you think better software use Bcrypt...
Do you think SHA-1 SSLs are fine to use because they are insecure? Nah bet you don't mate that's the same reason... You use SHA-256 for SSL certificates, you use Bcrypt or something like it.
I could have a massive password like:
b5BR)lRvS6a60x2D'o&#Jx|hpT-%mJs/Mu7-IsBq0}BSUNhzgz7@A*:.pF:Tr8mttU(JJrd?XR
But I bet if that was in a database and you decoded it with PHP / database you will get the password in plain text.
Put it this way, WHMCS uses MD5 with a little security extra and even Blesta developers can decrypt that with their importer, now ask WHMCS for a Blesta importer and they'll tell you, they don't have one, Blesta uses Bcrypt.
See:
http://dfhu.org/blog/hashing-passwords-in-php-using-md5-vs-sha256-vs-bcrypt-vs
http://security.stackexchange.com/questions/61385/the-brute-force-resistence-of-bcrypt-versus-md5-for-password-hashing
https://www.bentasker.co.uk/blog/security/201-why-you-should-be-asking-how-your-passwords-are-stored
http://yorickpeterse.com/articles/use-bcrypt-fool/
And in layman terms.
You could have the best lock on your front door, the most expensive lock, but if you leave your door open, you are welcoming even the beginner thief.
I take it being a Brit I learn the easy way: http://www.ncl.ac.uk/estates/services/documents/Dont-Advertise-Your-Stuff-To-Thieves-Booklet-Dec2009.pdf
"Don't Advertise Your Things To Thieves"
I remember Tom Scott, a great YouTuber I subscribe to, has a video about why not to use MD5:
MD5 still shouldn't just be "decrypted" like it's that easy. Are you sure something else isn't going on there? MD5 decryption is done by guessing+comparison. Are you claiming Blesta has an algorithm that immediately, with no resources, turns MD5 into plain text?
Seems more likely Blesta would be using the MD5, not decrypting it.
WHMCS uses salts, Blesta uses Bcrypt which are one way passwords, when you enter your password it crypts it and checks it. You can check the importer and find out how they do it if you can understand PHP.
I may be misunderstanding but I don't think that quite answers this:
You're suggesting that Blesta's importer is completely decrypting MD5 hashes. Exactly how sure of that statement are you? This should be international news if Blesta has figured out how to instantly turn MD5 hash into plain text.
I might have said it wrongly
They import them over and then if you change the configuration to "whmcs-md5" it imports them to the database in md5, you can then log in and it changes it to Bcrypt.
They use the phpseclib library to do the encoding.
Aye. I mean I'll admit MD5 isn't the best choice and if you're making a decision today that wouldn't be the smart pick. That said, it would be a bit extreme to say MD5 is hackable. It's crackable. That still means that the only way to get the password is to guess the password. You have to have the password to know you have it. In 25 years MD5 may be completely useless and so easy to crack that using it is hilariously dumb, but at least for today it still has some value if you've got a few legacy things using MD5, IMO. It just shouldn't be where you actively choose to go today.
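The MD5-versus-bcrypt argument above (fast salted MD5 that is "crackable" only by guess-and-compare, a slow work-factored hash as the alternative, and the 14-character keyspace arithmetic) can be made concrete in a few lines. The following is an added example written for this thread, not code from any poster, vBulletin, WHMCS or Blesta. It assumes an md5(md5(password) + salt) layout as a stand-in for "MD5 with a little security extra", uses PBKDF2-HMAC-SHA256 from the Python standard library in place of bcrypt (same idea, a tunable cost per guess, without a third-party package), and takes the per-GPU guess rate as a parameter, so its year figures will differ from the 11,000-year estimate quoted earlier depending on the rate you pass in. All salts, hashes and passwords are constructed.

```python
import hashlib
import hmac
import os
import time

# Every salt, hash and password in this file is constructed for illustration.

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def md5_salted(password: str, salt: str) -> str:
    """Fast salted MD5 in an assumed md5(md5(pw) + salt) layout.
    A stored salt only defeats shared precomputed tables across accounts;
    because one MD5 call costs nanoseconds, it does nothing to slow guessing."""
    inner = hashlib.md5(password.encode()).hexdigest()
    return hashlib.md5((inner + salt).encode()).hexdigest()


def slow_hash(password: str, salt: bytes, iterations: int = 200_000) -> str:
    """Deliberately slow hash with a work factor. PBKDF2-HMAC-SHA256 stands in
    for bcrypt (which needs a third-party package); the property that matters,
    an adjustable cost per guess, is the same."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()


def verify_slow(password: str, salt: bytes, stored: str, iterations: int = 200_000) -> bool:
    """Re-derive and compare in constant time (this is the only way a one-way
    hash is ever 'checked': the stored value is never turned back into text)."""
    return hmac.compare_digest(slow_hash(password, salt, iterations), stored)


def guess_and_compare(stored_md5: str, salt: str, candidates):
    """What 'decrypting' MD5 actually is: hash each guess with the same salt and
    compare. It recovers the password only if the guess appears in the list."""
    for guess in candidates:
        if md5_salted(guess, salt) == stored_md5:
            return guess
    return None


def years_to_exhaust(charset: int, length: int, guesses_per_second: float, workers: int = 1) -> float:
    """Years to try every password of a fixed charset and length at a given
    per-worker guess rate; the same arithmetic as the 14-character estimate in
    the thread, with rate and worker count left as parameters."""
    keyspace = charset ** length
    return keyspace / (guesses_per_second * workers) / SECONDS_PER_YEAR


def guesses_per_second_for(hash_fn, rounds: int = 2000) -> float:
    """Rough single-core guess rate for hash_fn; absolute numbers vary by machine,
    the ratio between a fast hash and a work-factored one is the point."""
    start = time.perf_counter()
    for i in range(rounds):
        hash_fn(f"candidate{i}")
    return rounds / (time.perf_counter() - start)


if __name__ == "__main__":
    salt = "Xk9"                                  # constructed salt
    stored = md5_salted("summer2016", salt)       # constructed weak password
    wordlist = ["password", "letmein", "summer2016", "qwerty"]
    print("guess+compare recovered:", guess_and_compare(stored, salt, wordlist))

    md5_rate = guesses_per_second_for(lambda p: md5_salted(p, salt))
    kdf_salt = os.urandom(16)
    kdf_rate = guesses_per_second_for(lambda p: slow_hash(p, kdf_salt, 20_000), rounds=20)
    print(f"salted MD5:        ~{md5_rate:,.0f} guesses/s on one core")
    print(f"PBKDF2, 20k iters: ~{kdf_rate:,.0f} guesses/s on one core")
    print("slowdown factor:", round(md5_rate / kdf_rate))

    # Assumed rate of 1e10 guesses/s per GPU, 100 GPUs; the thread's 14-char
    # alphanumeric case next to an 8-char one of the same charset.
    for length in (8, 14):
        years = years_to_exhaust(62, length, 1e10, workers=100)
        print(f"62^{length} at 100 x 1e10 guesses/s: {years:,.1f} years")
```

Run it as a script to see the three pieces side by side: the weak password falls out of the wordlist loop immediately, the per-guess slowdown of a work-factored hash is several orders of magnitude, and the exhaustive-search figure depends entirely on the rate and length you assume, which is why the random 14-character password is a different case from the dictionary one.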
Sadly this could have been avoided at WHT if they updated the forum last month when the fix came out, unless it was hacked before June.
Gotta be honest I have a really hard time caring if they did get compromised. Like my level of "give a shit" about WHT is so low that I can't even get the wheels spinning.
I'm gonna get my ass kicked talking this much trash before hostingcon lol