
Author Topic: Important security notice about your CodeWalrus account  (Read 4699 times)


Offline Sorunome

  • Full User
  • CodeWalrus Supporter
  • *
  • Safe-haven access
  • 2016 Yearly CW Project Winner
  • *
  • Join Date: Mar 2015
  • Location: Equestria
  • Posts: 146
  • Post Rating Ratio: +6/-0
  • Keep calm and fox on
    • @sorunome
    • @sorunome
    • /u/sorunome
    • Sorunome
    • 110/11005
    • View Profile
    • My Website
  • Gender: Female
* DJ Omnimaga pokes @Juju and @Streetwalrus to share the logs, then.
The post-body and reply content doesn't land in server-side access logs, though, thus needing the logs of the client.
Server-side logs might help a bit, too.

Also, I am not saying that the login mod has a bug, all I'm saying is that it might have a bug and that this information would be helpful to pinpoint if it has or if it hasn't. ;)
  • Calculators owned: Too many (why are you even reading this?)
  • Consoles, mobile devices and vintage computers owned: Gamebuino!
This is a signature.
And now......give me an internet!

To be or not to be.........is that even a question? Who gets to decide this anyways?

Offline DJ Omnimaga

  • Omni founder & CW co-founder
  • CodeWalrus Staff
  • Super User
  • Forum Maintenance
  • Original 5
  • CodeWalrus Supporter
  • *
  • Topic Management
  • Join Date: Nov 2014
  • Location: Quebec, Canada
  • Posts: 17436
  • Post Rating Ratio: +83/-4
    • dj_omnimaga
    • DJOmnimaga.music
    • @DJOmnimaga
    • dj_omnimaga
    • @DJOmnimaga
    • /u/DJ_Omnimaga
    • DJOmnimaga
    • 112/11286
    • @djomnimaga
    • @DJOmnimaga
    • View Profile
    • DJ Omnimaga music store
  • Gender: Male
Wait, does every member who was potentially affected (if any) need to send you special logs from their browser folder? Or do you mean we have to include the SMF error logs?
  • Calculators owned: TI-73, TI-80 (broken), TI-81, TI-82, TI-83, TI-83+ (broken), TI-83+ (broken), TI-83+SE (broken), TI-84+, TI-84+CSE, TI-84+CE, TI-85, TI-86, TI-89T, TI-92, TI-Nspire, TI-Nspire CX, HP 39gII, HP Prime, Casio fx-7000G, fx-7400G+, fx-7700GE, fx-9750G+, fx-9750GII, fx-9860G, cfx-9850G, FX-1.0+, fx-CG10, fx-CP400
  • Consoles, mobile devices and vintage computers owned: Samsung i5510, Nexus 5, Atari 2600, Lynx, SMS, Game Gear, Genesis, Dreamcast, NES, SNES, N64, GCN, Wii, Wii U, GBA, DS, 3DS, PS2, PS3, PS4, PSP, PSVita, XBox 360, XBOne

Bandcamp|Reverbnation|Facebook|Youtube|Twitter
Retired Omnimaga admin (2001-11) and editor (2012-14)

Offline Sorunome

Wait, does every member who was potentially affected (if any) need to send you special logs from their browser folder? Or do you mean we have to include the SMF error logs?
I mean that for the people to whom it happens it would be helpful if they could dump the output of the "Network" tab in their debugging console (F12).

Offline DJ Omnimaga

Ah I see. In any case, I hope if this happens to them, that they see this topic beforehand. Also does this apply to Windows and Mac as well?
« Last Edit: December 29, 2015, 07:26:18 am by DJ Omnimaga »

Offline rwill

  • New User
  • Join Date: Aug 2015
  • Location:
  • Posts: 17
  • Post Rating Ratio: +0/-0
    • View Profile
Regarding the type of login problems, Art_of_camelot made a thread about it and he had the same symptoms as I had, it just hangs on the loading part. It may only happen on the first login after the security update was deployed, it happened on my first login after the update and he created the thread 5 minutes after that. I do not know if it was his first login after the security update, one might need to ask him if one wants to investigate in this direction further. I did look at what I POST to the server on login and besides some 20kb hashed_paswd in the form, where I do not know where it comes from, I noticed nothing out of the ordinary and had no problems ever besides the one time after the security update. Ah well, good luck.

And hopefully unrelated, I got this email directing me to this thread:

Code:
Subject: rwill, you have been mentioned at a post in CodeWalrus
Hello rwill!

DJ Omnimaga mentioned you in the post "Sorunome, you have been mentioned at a post in CodeWalrus", you can view the post at https://codewalr.us/index.php?msg=28835

Regards,
CodeWalrus

While the Sorunome part is certainly not his post title I think.

Offline DJ Omnimaga

The Sorunome mention bug is known. It's a problem on the user mention mod's side when we @mention/!call multiple people at once in one post. You would need to report it to the original author on SMF forums.

As for the login loading taking forever, I have the same problem happening on Omnimaga until about the third try. On CW it never happened to me, but logging in takes a long while (up to 10 seconds sometimes). This is definitely something that Soru needs to fix.

If it becomes too much of an issue or hinders our activity, then we might need to revert the changes and ditch this mod, at the cost of lowered security, and if security becomes a problem, then we could just require everyone to login via Reddit, Facebook, Github, Google or something like that until SMF 2.1 comes out.

Offline Streetwalrus

  • Professional slacker
  • CodeWalrus Staff
  • Super User
  • Server Maintenance
  • Original 5
  • Join Date: Nov 2014
  • Location: Israel
  • Posts: 2784
  • Post Rating Ratio: +19/-0
  • ƎW∀⅁ ƎH⊥
    • View Profile
  • Gender: Male
The problem should be solvable by killing the RSA layer which is unnecessary since we have https. It's just a piece of js that can be disabled.
* Streetwalrus prods @Sorunome to make it optional.
  • Calculators owned: TI-80, HP 40G, TI-84 Plus rev G (yay 128k RAM), TI-83 Plus Silver Edition (broken LCD), TI-82 Stats.fr (black), TI-Nspire CX rev C (yay Nlaunchy), TI-83+ SE ViewScreen

Offline DJ Omnimaga

Oh, that could be an idea. Just as long as it doesn't require the regular users to do something special, because contacting 400 members to ensure that they do it doesn't mean all of them will get the message. :P

Offline Streetwalrus

Removing it would be a site-wide admin option.

Offline DJ Omnimaga

Yeah I am referring more to how we should avoid going the same route as the topic ID changes controversy, where no automated fix (eg a redirect or admins updating everyone's sigs) was available, thus forcing thousands of people to manually fix their stuff themselves.
« Last Edit: December 29, 2015, 10:47:39 pm by DJ Omnimaga »

Offline Sorunome

The problem should be solvable by killing the RSA layer which is unnecessary since we have https. It's just a piece of js that can be disabled.
* Streetwalrus prods @Sorunome to make it optional.
>implying it isn't already optional
You just need to find where to set $context['disable_login_hashing'] in the admin panel XD

EDIT: also
Quote
<Sorunome> what might help is going into Subs-Auth.php, search for the function getRSAValue (probably close to bottom), search for $smcFunc['db_query']('','DELETE FROM {db_prefix}rsa_keys WHERE ts < (NOW() - INTERVAL 1 MINUTE)'); and make that like 5 mins or so
« Last Edit: December 29, 2015, 11:01:04 pm by Sorunome »
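As an added illustration of the timing problem the quoted fix targets (this is a constructed model, not code from the login mod or from SMF), the Python below mimics the behaviour described in the quote: the login handler first deletes every stored RSA key older than a fixed interval and only then looks up the key the browser encrypted with. Any user who takes longer than that interval between the login form being rendered and the form being submitted therefore hits a missing key on the server. The KeyStore class, simulate_login and the opaque key ids are assumptions of this model; no real RSA is performed. The 60 and 300 second intervals mirror the 1 minute and 5 minute figures from the quote.

```python
"""Model of the ephemeral-key expiry race described in the thread.

Constructed simulation, not SMF or login-mod code: the server keeps a table
of issued keys with their issue time, and the login handler purges keys
older than a TTL (the DELETE ... WHERE ts < NOW() - INTERVAL step) right
before fetching the key the browser used.  Keys are opaque ids here.
"""
import secrets
from dataclasses import dataclass, field


@dataclass
class KeyStore:
    """Server-side table of ephemeral keys: key id -> issue time in seconds."""
    keys: dict = field(default_factory=dict)

    def issue(self, now: float) -> str:
        """Called when the login form is rendered: mint a key, record its timestamp."""
        key_id = secrets.token_hex(8)   # stand-in for the real RSA key material
        self.keys[key_id] = now
        return key_id

    def purge_expired(self, now: float, ttl_seconds: float) -> int:
        """Equivalent of the DELETE query: drop every key older than ttl_seconds."""
        stale = [k for k, ts in self.keys.items() if ts < now - ttl_seconds]
        for k in stale:
            del self.keys[k]
        return len(stale)

    def lookup(self, key_id: str, now: float, ttl_seconds: float):
        """Equivalent of the getRSAValue() path: purge first, then fetch the key."""
        self.purge_expired(now, ttl_seconds)
        return self.keys.get(key_id)


def simulate_login(fill_delay_seconds: float, ttl_seconds: float) -> str:
    """One login attempt: form rendered at t=0, submitted fill_delay_seconds later.

    Returns "ok" when the server still holds the key the browser used, and
    "key_expired" when the purge removed it before the lookup, in which case
    the server cannot decrypt the submitted password.
    """
    store = KeyStore()
    key_id = store.issue(now=0.0)
    # The browser posts the key id together with the ciphertext (not modelled).
    if store.lookup(key_id, now=fill_delay_seconds, ttl_seconds=ttl_seconds) is None:
        return "key_expired"
    return "ok"


if __name__ == "__main__":
    for delay, ttl in ((30, 60), (90, 60), (90, 300), (400, 300)):
        print(f"fill delay {delay:>3}s, TTL {ttl:>3}s -> {simulate_login(delay, ttl)}")
```

The window that matters in this model is the time between page render and submit, not network latency, so a user who types a password by hand after a distraction can exceed a 60 second TTL while an autofilled login never does. The model only explains failures when the user exceeds the interval; it says nothing about the first-login-after-update symptom rwill described, which would need the Network tab capture Sorunome asked for.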

Offline Streetwalrus

The problem should be solvable by killing the RSA layer which is unnecessary since we have https. It's just a piece of js that can be disabled.
* Streetwalrus prods @Sorunome to make it optional.
>implying it isn't already optional
You just need to find where to set $context['disable_login_hashing'] in the admin panel XD
Doesn't look like it's possible. Also a quick grep shows that pretty much everywhere it's set it's true.

 

