Page 4 of 7

Re: Linux Mint Forum compromised email

Posted: Tue Mar 01, 2016 8:26 am
by Cosmo.
Barny wrote:This is the first time I have visited this site for well over a year, so definitely not me trying to login.
And nobody else. This is a known problem with the forum's configuration. The team is working on it. There is no security problem behind the fact, that you get this warning and the need to solve the puzzle (aka captcha).

Re: All forums user should reset their password

Posted: Tue Mar 01, 2016 9:06 am
by romanybob
People have been telling you about this breach for ages???? Why so slow to react?
I received a notice too, from when I used mint a few years ago. Thank god I don't use it any more! The corrupt iso's too??? confused?
I am very happily an Arch user now, have been for a while, rock solid. Also very secure.
Bye Mint.
(P.S. If you want to abuse/flame me, your too late, that's why I left mint and the community in the first place.)

Re: All forums user should reset their password

Posted: Tue Mar 01, 2016 9:07 am
by damoney777
Ahhh... this explains why I started getting junk email. I never have received any in the email account I use here previously. Interesting. Thank you for notifying us all. Always use the strongest password (maximum amount of characters) possible. Never ever use the same PW on other site/accts. I use a PW generator and keep them on a encrypted Flash Drive. They are then copy/pasted into the PW field when required. I then clear my clipboard w/ Glipper afterwards. I started doing this after finding a keylogger on my Windblows box about 9 mos before the Snowden revelations. The KL I found lead back to a N-Esay ip. Told a few about it and they thought I was claaaazzzzy. Huh :p

Re: Forum Security

Posted: Tue Mar 01, 2016 9:12 am
by xenopeek
From the link in the email you received:
On the servers themselves, the team worked day and night to harden as many aspects as possible. Each website is now running on its very own server. All websites are now behind a strict firewall and the presence of malware is monitored by a security firm. Many restrictions were placed on apache and php to restrict their scope and privileges. All automated backups were reviewed. Https was implemented to prevent man-in-the-middle attacks.

Re: All forums user should reset their password

Posted: Tue Mar 01, 2016 9:17 am
by Moem
romanybob wrote: Bye Mint.
Bye bye! *smiles and waves*

Re: All forums user should reset their password

Posted: Tue Mar 01, 2016 9:23 am
by ironforger
Where do I go to change my password? I cant find where to change it! I checked in user profile and control panel. Can't find it!!! Please help. Thanks

Re: Forum Security

Posted: Tue Mar 01, 2016 9:25 am
by karlchen
Let me add: those users who have not received Clem's e-mail, yet, can find the exact same words in Clem's post here:
All forums user should reset their password, section "What is being done to prevent this in the future?", last paragraph. :wink:

Re: All forums user should reset their password

Posted: Tue Mar 01, 2016 9:35 am
by Habitual
ironforger wrote:Where do I go to change my password? I cant find where to change it! I checked in user profile and control panel. Can't find it!!! Please help. Thanks
I used ucp.php?mode=sendpassword and I was "back in" inside of 3 minutes.
Prior to that....at least a dozen captchas w\out success.

Worth a shot? YMMV

Let's hope your contact_email is up-to-date, and you have access to it.

Re: All forums user should reset their password

Posted: Tue Mar 01, 2016 9:40 am
by Moem
ironforger wrote:Where do I go to change my password? I cant find where to change it! I checked in user profile and control panel. Can't find it!!! Please help. Thanks
User control panel => Profile => Edit account settings.

Direct link: ucp.php?i=ucp_profile&mode=reg_details

Re: All forums user should reset their password

Posted: Tue Mar 01, 2016 9:50 am
by ganamant
Thanks, I got my email no problem and I have reset the password, but I keep being asked to solve a captcha ever since. Is this normal?

It is common sense, but still very good advice, to use unique passwords. I would add that it's even better that they be random-generated by machine, rather than a human brain thinking them up.
clem wrote:
Can the hackers decrypt my password?

No, but they can "find" it by brute-force [...]

How long would it take for the hackers to decrypt my password?

They're hashed and salted, but that only slows them down [...]
In the quoted passage, I feel that the word 'cracker' would fit in better than 'hacker'.

Re: Linux Mint Forum compromised email

Posted: Tue Mar 01, 2016 10:10 am
by Habitual
Cosmo. wrote:
Barny wrote:This is the first time I have visited this site for well over a year, so definitely not me trying to login.
And nobody else. This is a known problem with the forum's configuration. The team is working on it. There is no security problem behind the fact, that you get this warning and the need to solve the puzzle (aka captcha).
ucp.php?mode=sendpassword is the 3 minute solution I employed for the obscenely aggressive captcha feature.

Re: All forums user should reset their password

Posted: Tue Mar 01, 2016 10:20 am
by xenopeek
Currently you'll get that incorrect "too many failed logins" message each time you log in. We're working on solving that.

Re: All forums user should reset their password

Posted: Tue Mar 01, 2016 10:36 am
by altair4
marke54805 wrote:Time to throw out phpBB! And while you're at it cancel my account.
If you wish to cancel your account there's no point in asking for it within a topic in the forum. Ask for it directly to an Admin:
memberlist.php?mode=contactadmin

The link is at the bottom of this page: Contact Us

And try to be nice about it and without any profanity. Being an Admin is a thankless job. In fact I often wonder what personality peculiarities one possesses to even think about being one.

Re: All forums user should reset their password

Posted: Tue Mar 01, 2016 10:55 am
by sdibaja
altair4 wrote:Being an Admin is a thankless job. In fact I often wonder what personality peculiarities one possesses to even think about being one.
that is profound
thanks for your service

Re: All forums user should reset their password

Posted: Tue Mar 01, 2016 12:00 pm
by karlchen
Hi, Da_Thunderbird.

Of course it is up to you to decide which distribution you trust and which distribution you use.
Yet, the reason that you give for not trusting Linux Mint is a bit far-fetched to put it mildly.
The Linux Mint forum website has been broken into. This suggests that the old website had not been secured properly. This, however, does not have any impact on the security of Linux Mint.
The Linux Mint forum website has been setup from scratch on a different server, using a recent version of phpbb. The login process has been revamped and has been made more secure than it was before.
Sadly for the past few days this revamped login process has lead to a minor annoyance where the first login gets always rejected and a second login is needed that involves solving a captcha. How does this have any impact on the security of Linux Mint?

I fail to see the connection between both. Linux Mint is one thing. The Linux Mint forum is another thing.

Regards,
Karl

Re: All forums user should reset their password

Posted: Tue Mar 01, 2016 12:09 pm
by lexon
Looks like time to move on. The Mint forums login has become a real pain in the butt. Too bad.

L

Re: All forums user should reset their password

Posted: Tue Mar 01, 2016 12:13 pm
by karlchen
Do not permit yourself to be frustrated so easily by such minor annoyances. There are worse problems in life. Consider the captcha a temporary game which will be forgotten soon.

Re: All forums user should reset their password

Posted: Tue Mar 01, 2016 1:06 pm
by Sector11
sdibaja wrote:
altair4 wrote:Being an Admin is a thankless job. In fact I often wonder what personality peculiarities one possesses to even think about being one.
that is profound
thanks for your service
+1 KUDOS to Admin and Mods - everywhere!
Thank you. <--↑(up there too)↑ see not 'totally' thankless. ;)

Re: All forums user should reset their password

Posted: Tue Mar 01, 2016 5:18 pm
by killer de bug
Da_Thunderbird wrote: I'm with Marke, and so pissed that I used my real email that I removed Mint from computers as it cannot be trusted.
Don't forget to throw away your sony devices. Their web site was hacked too.

Re: All forums user should reset their password

Posted: Tue Mar 01, 2016 5:28 pm
by sdibaja
Da_Thunderbird wrote:
xenopeek wrote:Currently you'll get that incorrect "too many failed logins" message each time you log in. We're working on solving that.

I'm with Marke, and so pissed that I used my real email that I removed Mint from computers as it cannot be trusted. Debian or FreeBSD for me for the foreseeable future.
Reading Comprehension... it is a BIG challenge for some.

https://www.youtube.com/watch?v=zvfD5rnkTws