
Technical Issues - TPU Main Site & Forum (2021)

Status
Not open for further replies.
Oh, hell no. TPU starts that crap and there will be problems. It should be user choice, not mandatory.
Agreed. I'm thinking about making it mandatory for staff, but not even that is decided yet
 
Mandatory 2FA is cumbersome and annoying. I refuse to use Discord because of it. It's NOT needed if people use properly long and well crafted passwords and don't monkey about on the internet.
Plus there's some people (like me) who can't use 2FA. Requiring it would essentially boot me out of here.
 
My login details can be stolen but they still need my fingerprint.
 
Mandatory 2FA is cumbersome and annoying. I refuse to use Discord because of it. It's NOT needed if people use properly long and well crafted passwords and don't monkey about on the internet.
Discord does not require 2FA, never has.
 
I'm curious as to how @Durvelle27's machine was exploited, also where the exploit originated from, and how and when. Was there some malicious code written to the FP that injected some other code and started hijacking or logging the user's keypresses? What was TPU's involvement in all of it if multiple users were hacked? It couldn't have been a freak accident unless the affected accounts are either all run by the same person, which is against ToS, or the users both visited the same website or clicked on the same link that led to their details being stolen or hacked. I'm guessing it wasn't a brute force attack because TPU would have banned many IPs already.
 
I've used it for 3 years and only ever received one email saying verify your account when I made it.
I have it and I've never had to use 2FA for it
Anytime your IP address changes Discord requires re-authentication via email. That is a form of 2FA. My IP often changes daily, so for me and people who have a similar situation, it's an unnecessary and annoying hassle. It's also totally pointless. No fraking thank you.
 
Anytime your IP address changes Discord requires re-authentication via email. That is a form of 2FA. My IP often changes daily, so for me and people who have a similar situation, it's an unnecessary and annoying hassle. It's also totally pointless. No fraking thank you.
My IP changes monthly and I move around quite a bit; still never ever received a 2FA email.
 
What was TPU's involvement in all of it if multiple users were hacked?
I'm guessing it wasn't a brute force attack because TPU would have banned many IPs already.
- all our passwords are hashed and salted, using modern methods, so they can't be reversed, even if we have a data leak
- I looked in the logs, and it simply looks like they knew the correct password
- brute force isn't feasible, because XF blocks brute force on both a username and IP level
- my current theory is that they used the same password on multiple sites, and the attacker simply collected multiple working logins, before making a targeted attack to create FSFT threads for graphics cards
- so far zero hacks today
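The two controls described in that post (salted, non-reversible password hashes, and brute-force blocking on both the username and the source IP) as an added, stand-alone example. This is not XenForo's code or TPU's configuration; the scrypt work factor, the lockout threshold and window, and the in-memory stores are assumptions chosen for the demo. It also shows why those controls did not stop this attack: a correct password submitted from a fresh IP passes on the first try.

```python
import hashlib
import hmac
import os
import time
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Constructed in-memory user store: username -> (salt, scrypt digest).
_USERS: Dict[str, Tuple[bytes, bytes]] = {}
# Assumed work factor for the demo (128 * n * r = 16 MiB per hash).
_SCRYPT = dict(n=2 ** 14, r=8, p=1)


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted scrypt hash; a fresh random salt per user defeats shared rainbow tables."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt, dklen=32, **_SCRYPT)
    return salt, digest


def register(username: str, password: str) -> None:
    _USERS[username] = hash_password(password)


def verify_password(username: str, password: str) -> bool:
    rec = _USERS.get(username)
    if rec is None:
        # Do the same work for unknown users so timing does not reveal valid usernames.
        hash_password(password, b"\x00" * 16)
        return False
    salt, stored = rec
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(stored, candidate)  # constant-time comparison


class LoginThrottle:
    """Block brute force on both the username and the source IP (the XF behaviour the post describes)."""

    def __init__(self, max_failures: int = 5, window_s: int = 900) -> None:
        self.max_failures = max_failures
        self.window_s = window_s
        self._failures: Dict[str, List[float]] = defaultdict(list)

    def _recent(self, key: str, now: float) -> List[float]:
        kept = [t for t in self._failures[key] if now - t < self.window_s]
        self._failures[key] = kept
        return kept

    def blocked(self, username: str, ip: str, now: float) -> bool:
        return (len(self._recent("user:" + username, now)) >= self.max_failures
                or len(self._recent("ip:" + ip, now)) >= self.max_failures)

    def record_failure(self, username: str, ip: str, now: float) -> None:
        self._failures["user:" + username].append(now)
        self._failures["ip:" + ip].append(now)


def login(throttle: LoginThrottle, username: str, password: str, ip: str, now: float) -> str:
    """Returns 'throttled', 'bad_password' or 'ok'. Throttle is checked before the hash is computed."""
    if throttle.blocked(username, ip, now):
        return "throttled"
    if verify_password(username, password):
        return "ok"
    throttle.record_failure(username, ip, now)
    return "bad_password"


if __name__ == "__main__":
    register("alice", "correct horse battery staple")
    t = LoginThrottle(max_failures=3)
    now = time.time()
    for guess in ("hunter2", "Password1", "letmein"):
        print(login(t, "alice", guess, "203.0.113.5", now))      # bad_password x3
    print(login(t, "alice", "correct horse battery staple", "203.0.113.5", now))  # throttled
    # A reused password harvested elsewhere, tried once from a new IP, is indistinguishable from the owner.
    print(login(t, "alice", "correct horse battery staple", "198.51.100.9", now + 1000))  # ok
```

The throttle is keyed on both dimensions on purpose: per-username alone lets an attacker spray one password across many accounts, per-IP alone is bypassed by rotating proxies. Neither helps when the first guess is right, which is what the log pattern in the post points to.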
 
- all our passwords are hashed and salted, using modern methods, so they can't be reversed, even if we have a data leak
- I looked in the logs, and it simply looks like they knew the correct password
- brute force isn't feasible, because XF blocks brute force on both a username and IP level
- my current theory is that they used the same password on multiple sites, and the attacker simply collected multiple working logins, before making a targeted attack to create FSFT threads for graphics cards
- so far zero hacks today
Ok, so this was a social hacking job not a site hacking problem. Good to know.
 
Agreed. I'm thinking about making it mandatory for staff, but not even that is decided yet
I think it should be mandatory for admins, since they've got the power to really screw up the forum. This will be my policy for my forum when it's finally up and running. Mods are not too bad, because their actions can usually be reversed without too much trouble, so it would be recommended, not enforced.
 
It would remember all your recent IPs of course, not just the last one.

XF already records this IP history, so just piggybacking on it with an addon should be easy
How about making that IP history visible to the user? Like, their personal history. Some sites do that, and it's a really neat tool for the technically adept to spot potential breaches.
If it is feasible, even failed attempts; at the very least the ones where the password was breached but not the tfauth (I don't think XF logs those by default/stock; it would require an addon).

Speaking of tfauth, I'd recommend this: https://winauth.github.io/winauth/download.html
Saves you the trouble of having a phone or something. However, it does mean that compromising your computer would also compromise your accounts - something to keep in mind. Personally, I am fine with that because I am confident enough in my abilities to keep my computer secure, but obviously your mileage may vary.
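What the per-user IP history and the "password right, 2FA wrong" log entries from the last two posts would let you spot, as an added example that is not part of the thread or of XenForo. The log format and the sample lines are constructed (addresses are from the RFC 5737 documentation ranges); the rules and thresholds are assumptions. Replaying the log in order gives both the history a user could review and the credential-stuffing signature W1zzard described: one source IP reaching the password stage on several accounts it has never been used for.

```python
import re
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed log format, not XenForo's. result is success | bad_password | tfa_failed.
LOG_RE = re.compile(r"(?P<ts>\S+) user=(?P<user>\S+) ip=(?P<ip>\S+) result=(?P<result>\S+)")

SAMPLE_LOG = """\
2021-04-19T08:00:00 user=alice ip=198.51.100.10 result=success
2021-04-19T09:12:00 user=bob ip=198.51.100.22 result=success
2021-04-19T09:40:00 user=carol ip=198.51.100.31 result=success
2021-04-20T02:00:01 user=alice ip=203.0.113.5 result=success
2021-04-20T02:00:14 user=bob ip=203.0.113.5 result=success
2021-04-20T02:00:29 user=dave ip=203.0.113.5 result=success
2021-04-20T02:00:44 user=carol ip=203.0.113.5 result=tfa_failed
2021-04-20T07:30:00 user=alice ip=198.51.100.10 result=success
"""

Alert = Tuple[str, str, str, str]  # (timestamp, user, ip, reason)


def parse_log(text: str) -> List[Dict[str, str]]:
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:  # lines that do not fit the constructed format are skipped
            events.append(m.groupdict())
    return events


def analyse(events: List[Dict[str, str]]) -> Tuple[Dict[str, List[str]], List[Alert]]:
    """Replay in order. Returns the per-user IP history (what the user would be shown) and alerts."""
    history: Dict[str, List[str]] = defaultdict(list)
    alerts: List[Alert] = []
    for e in events:
        user, ip = e["user"], e["ip"]
        if e["result"] == "success":
            # A success from an address the account has never used before is worth showing the user.
            if history[user] and ip not in history[user]:
                alerts.append((e["ts"], user, ip, "login_from_new_ip"))
            if ip not in history[user]:
                history[user].append(ip)
        elif e["result"] == "tfa_failed":
            # The password was accepted and only the second factor held: that password is burned.
            alerts.append((e["ts"], user, ip, "password_known_2fa_held"))
    return history, alerts


def stuffing_sources(events: List[Dict[str, str]], min_accounts: int = 3) -> Dict[str, List[str]]:
    """IPs that got past the password check on several accounts they had never been seen on."""
    seen: Dict[str, Set[str]] = defaultdict(set)      # user -> IPs with a prior success
    touched: Dict[str, Set[str]] = defaultdict(set)   # ip -> accounts reached from a cold start
    for e in events:
        user, ip = e["user"], e["ip"]
        if e["result"] in ("success", "tfa_failed") and ip not in seen[user]:
            touched[ip].add(user)
        if e["result"] == "success":
            seen[user].add(ip)
    return {ip: sorted(users) for ip, users in touched.items() if len(users) >= min_accounts}


if __name__ == "__main__":
    ev = parse_log(SAMPLE_LOG)
    hist, alerts = analyse(ev)
    print("alice's history:", hist["alice"])
    for a in alerts:
        print("alert:", *a)
    print("stuffing sources:", stuffing_sources(ev))
```

Per-user the only signal is "new IP", which a travelling user trips constantly; the per-IP aggregation is what separates a stuffing run from noise, and the tfa_failed rows are the ones worth a forced password reset even though nothing was compromised.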
 
You would be mistaken. Try using it.
That's a per-server directive, it's not everywhere. Without going too far, TPU's own Discord server doesn't even require me to wait ten minutes (or at least it didn't when I joined in)


BTW, @W1zzard , is it possible to implement some sort of list of where you're logged in, where you can log out all open sessions? Something like this, I mean:


Though I'm not sure about the ramifications (say, attacker gets access and the first thing it does is kick out the legitimate user and keep kicking them out every time they try to log in/get control back), it's just a thought.
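The session list and "log out all other sessions" feature asked for above, as an added example that is not XenForo's session handling or anything TPU runs. The store, the data shown per session, and the rule that revocation needs a fresh password check are assumptions. It also addresses the ramification raised in the post: revoking the other sessions alone just starts a kick-out fight, so the path that ends it is a password change, which drops every session including the attacker's and requires the new password to get back in.

```python
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Session:
    token: str
    user: str
    ip: str
    user_agent: str
    created: float
    last_seen: float


class SessionStore:
    """Constructed in-memory session store; tokens are random and never derived from user data."""

    def __init__(self) -> None:
        self._sessions: Dict[str, Session] = {}

    def create(self, user: str, ip: str, user_agent: str, now: float) -> str:
        token = secrets.token_urlsafe(32)
        self._sessions[token] = Session(token, user, ip, user_agent, now, now)
        return token

    def resolve(self, token: str, now: Optional[float] = None) -> Optional[Session]:
        s = self._sessions.get(token)
        if s is not None and now is not None:
            s.last_seen = now
        return s

    def list_for_user(self, user: str) -> List[Session]:
        """The 'where you're logged in' page: every live session, most recent first, current one included."""
        return sorted((s for s in self._sessions.values() if s.user == user),
                      key=lambda s: s.last_seen, reverse=True)

    def revoke_others(self, token: str, reauthenticated: bool) -> int:
        """Log out every session of this user except the caller's.
        Requires a just-completed password (and 2FA, if enabled) check; a stolen cookie alone is not enough."""
        if not reauthenticated:
            raise PermissionError("re-authentication required")
        me = self._sessions.get(token)
        if me is None:
            return 0
        victims = [t for t, s in self._sessions.items() if s.user == me.user and t != token]
        for t in victims:
            del self._sessions[t]
        return len(victims)

    def revoke_all(self, user: str) -> int:
        """Called on password change: drops every session, the caller's too, so the new password is the only way back in."""
        victims = [t for t, s in self._sessions.items() if s.user == user]
        for t in victims:
            del self._sessions[t]
        return len(victims)


if __name__ == "__main__":
    store = SessionStore()
    mine = store.create("alice", "198.51.100.10", "Firefox/88", 1000.0)
    theirs = store.create("alice", "203.0.113.5", "python-requests/2.25", 1001.0)
    for s in store.list_for_user("alice"):
        print(f"{s.ip:15} {s.user_agent:22} last seen {s.last_seen}")
    print("revoked:", store.revoke_others(mine, reauthenticated=True))
    print("attacker session still valid:", store.resolve(theirs) is not None)
```

Showing the user agent and first-seen time next to each IP is what makes the list useful to a non-expert: an unfamiliar client string stands out even when the address means nothing to them.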
 
Several forum members have been hacked yesterday, please be ultra-careful when making purchases or doing some other kind of money transfer. Feel free to report suspicious activity directly to W1zzard

Are you sure that the forum was not compromised?
 
- my current theory is that they used the same password on multiple sites, and the attacker simply collected multiple working logins, before making a targeted attack to create FSFT threads for graphics cards
An excellent real world example of why a password should only be used once per site. This is drummed into users all the time, but still there are those who won't listen.
 
Plus there's some people (like me) who can't use 2FA. Requiring it would essentially boot me out of here.

So you don't have email?
Mandatory 2FA is cumbersome and annoying. I refuse to use Discord because of it. It's NOT needed if people use properly long and well crafted passwords and don't monkey about on the internet.

Or if you hang about on a targeted platform or forum.
 
Would require me to study how this works on XF and write an addon, not sure if worth it.
I see. In any case, though, I'd greatly appreciate just having the list of either open sessions or the IP history, the "force log out all other sessions" feature isn't really that important (honestly, by that point they already have my email, which is the only quickly exploitable data they'd get)
 