IMPORTANT! M.A.I.L. Has Been Hacked

Joined: September 02, 2010
Posts: 380
Submissions: 16
Location: Freiburg (Germany)

Posted on Fri Jun 24, 2011 7:23 pm

Thanks for the detailed information ^^ the first time that I'm happy that I use this e-mail address not really for emailing and the password is different on every site ^^ although I kinda dislike thinking of a new one again xD

Keep up the good work and your way to share every goody and every bady Wink

Joined: December 22, 2007
Posts: 4179
Submissions: 106
Location: Hampton, Virginia USA

Posted on Fri Jun 24, 2011 7:32 pm

I'm one of those people who cluelessly traipses all over the internet without a clue as to how things actually work. Rolling Eyes

There are two things I'm sure of though:
1. There will always be bad people who will stop at nothing to do bad things.

2. After having watched DL keep this place running, on a daily basis, for years now... he has my complete trust that he's doing whatever is possible to keep bad things from happening.

I don't care how sappy it is, I'm gonna do it anyway. *gives DL a big "thank you" hug*


"I am a leaf on the wind." ~ Wash
Lorraine's Chains
Gallery Submission Guidelines

Joined: August 30, 2008
Posts: 2833
Submissions: 20
Location: Cambridge, ON, Canada

Current Update
Posted on Sat Jun 25, 2011 5:22 am

Some people received the first batch email (approx 400)... I did not at the time know why people were not receiving it, and wrote a custom script to send them out... Not trusting phpBB's

After sending out 500 or so emails, I went to check what percentage were bouncing, and noticed an odd error message...

Our host was cutting us off at 400 outbound emails per hour... A ridiculously low limit to be sure, but I understand to a point what they're trying to prevent by imposing one.

I spent the next 3 hours in back-and-forth with our host, to try to get that limit increased or removed temporarily...

They won't... Flat out... Adjust anything to do with email...
I think they assume we're attempting to spam you all, or blow up their precious server, or god knows what...

I was pretty much told "You can't do that. We suggest you pay for a service to do it." and had my support ticket closed.
I wasn't very happy, but to an extent I understand their position.

Anyway... Net result, I've written a script to send out 40 emails every 10 minutes... This works out to about 250 an hour... This level of mail allows PM Responses and "Help I forgot my password" emails to get through, while still contacting everyone... It's CRON'd (Google It) so that it will continue to run without intervention until it hits every user we have.

It will take roughly 52 hours to run its course... Sucks, I know, but my hands are tied...

I've already noticed a few older members who haven't been here in years poking their heads in to change their passwords, and I hope this brings a few people back to the hobby... Make the best out of a bad situation. Smile

Edited to add: I've also noticed that a few of you active users have false or blank email addresses... Naughty Naughty users.
Please, for the sake of sanity, update your account and set a valid one, so you can be contacted in an emergency in the future... You don't need to have it set to public viewing... Just have it there for me. TYVM


Useful Links
Site Help: [ BBCode Help | Weave AR/Ring Size Popup | Login Issues ]
Weave AR Search is back: Try it out!

Joined: July 29, 2009
Posts: 42
Submissions: 2
Location: Regina, sk Canada

Posted on Sat Jun 25, 2011 6:59 pm

Quote:
Hey hey hey, DL, you need to handle this up to Sony's standards.
Romulet is right. I demand one month free!

Joined: January 01, 2005
Posts: 25
Submissions: 0

Posted on Sun Jun 26, 2011 1:23 am

Now honestly I don't care if someone can log in to my MAIL account... as many others have stated what are they going to do with it?

The reason why someone would hack into this site would be for stealing email addresses. As I said MD5 was the top standard for a very long time, and even though it's not as popular as the NSA's SHA-1 (also has been cracked but being 160 bits long it takes a few minutes longer to find collisions than MD5 does). Many places use MD5 still, even WordPress, and many email servers. So if an MD5 collision is found, and you are like most people on the internet ( http://xkcd.com/792/ ) you probably reuse the same password over, and over, and over again. So an MD5 collision found means potential to log into and steal a wide variety of sites you use for SPAM purposes. Everything from Facebook (which I honestly don't know if they use MD5 or not... I'd hope not, but who knows) to your email account, that probably has lists of email addresses that could be sent SPAM.

As a webadmin I've taken every precaution to change and protect my sites from invasive attacks, changing over to SHA-512 for passwords, and even sessions... but most webmasters do not know about these invulnerabilities, and if they do, they don't know how to fix it (hence the remaining silent). My suggestion to all of you is to never reuse passwords, always use passwords at LEAST 12 characters long (with a powerful GPU even a 7-8 character password with special characters, spaces, etc. can be brute forced in mere hours), always use mixed characters (numbers, letters), mixed cases, special characters, no dictionary words or derivatives, and keep it secret from others.

I use a program called KeePass that stores databases encrypted on the drive with AES-256 encryption. It also allows you to generate random passwords and store them for any websites, or whatever that you might use. They are stored with a master password, which of course your passwords are only as safe as that password.

[Edited by Daemon_Lotos to remove a few bits... Sorry folks.]
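
Added example, not part of archmaille's post or the site's code: a login path that still accepts a legacy unsalted MD5 record but replaces it with a salted, iterated one on the next successful login. The record formats, the iteration count and the choice of PBKDF2-HMAC-SHA512 are assumptions made for this illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000  # assumed work factor; tune to your own hardware


def legacy_md5(password):
    """Unsalted MD5 record: the same password always yields the same record."""
    return "md5$" + hashlib.md5(password.encode()).hexdigest()


def pbkdf2_record(password, salt=None):
    """Salted, iterated record: pbkdf2$<iterations>$<salt hex>$<digest hex>."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha512", password.encode(), salt, ITERATIONS)
    return "pbkdf2$%d$%s$%s" % (ITERATIONS, salt.hex(), digest.hex())


def verify(record, password):
    """Check a password against either record format, comparing in constant time."""
    scheme, _, rest = record.partition("$")
    if scheme == "md5":
        return hmac.compare_digest(record, legacy_md5(password))
    if scheme == "pbkdf2":
        iterations, salt_hex, digest_hex = rest.split("$")
        digest = hashlib.pbkdf2_hmac("sha512", password.encode(),
                                     bytes.fromhex(salt_hex), int(iterations))
        return hmac.compare_digest(digest.hex(), digest_hex)
    return False


def login(record, password):
    """Return (ok, record_to_store); a matching legacy record is upgraded."""
    if not verify(record, password):
        return False, record
    if record.startswith("md5$"):
        # Rehash now, while the plaintext is available, then store the result.
        return True, pbkdf2_record(password)
    return True, record
```
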

Joined: August 30, 2008
Posts: 2833
Submissions: 20
Location: Cambridge, ON, Canada

Posted on Sun Jun 26, 2011 1:35 am

archmaille wrote:
Now honestly I don't care if someone can log in to my MAIL account... as many others have stated what are they going to do with it?

The reason why someone would hack into this site would be for stealing email addresses. As I said MD5 was the top standard for a very long time, and even though it's not as popular as the NSA's SHA-1 (also has been cracked but being 160 bits long it takes a few minutes longer to find collisions than MD5 does). Many places use MD5 still, even WordPress, and many email servers. So if an MD5 collision is found, and you are like most people on the internet ( http://xkcd.com/792/ ) you probably reuse the same password over, and over, and over again. So an MD5 collision found means potential to log into and steal a wide variety of sites you use for SPAM purposes. Everything from Facebook (which I honestly don't know if they use MD5 or not... I'd hope not, but who knows) to your email account, that probably has lists of email addresses that could be sent SPAM.

As a webadmin I've taken every precaution to change and protect my sites from invasive attacks, changing over to SHA-512 for passwords, and even sessions... but most webmasters do not know about these invulnerabilities, and if they do, they don't know how to fix it (hence the remaining silent). My suggestion to all of you is to never reuse passwords, always use passwords at LEAST 12 characters long (with a powerful GPU even a 7-8 character password with special characters, spaces, etc. can be brute forced in mere hours), always use mixed characters (numbers, letters), mixed cases, special characters, no dictionary words or derivatives, and keep it secret from others.

I use a program called KeePass that stores databases encrypted on the drive with AES-256 encryption. It also allows you to generate random passwords and store them for any websites, or whatever that you might use. They are stored with a master password, which of course your passwords are only as safe as that password.

[Edited by Daemon_Lotos to remove a few bits... Sorry folks.]


Replied via PM



Joined: September 02, 2010
Posts: 380
Submissions: 16
Location: Freiburg (Germany)

Posted on Sun Jun 26, 2011 6:56 am

If there was a 'like' button, I would definitely like archmaille's post ^^ (especially since I love xkcd xD). I don't reuse passwords, but for not-so-important sites my passwords aren't that good, they are not bad, but what gives. Only for important ones I use better ones.


And for Sony....; VG Cats ^^

Joined: December 07, 2006
Posts: 1
Submissions: 0
Location: Australia

Posted on Sun Jun 26, 2011 8:41 am

Thanks for letting us know. I am now in the process of changing my passwords everywhere I can think of. Stupidly, I used the same one for many forum type sites, but nothing financial.

I am also wondering why the .... would anyone want to target this site? It's crazy! Some people must have little to do with their time. Sad indictment on our society these days huh?

Lisa

Joined: January 18, 2009
Posts: 242
Submissions: 0
Location: Cow Town, Canada

Re: Current Update
Posted on Sun Jun 26, 2011 5:26 pm

Daemon_Lotos wrote:

I've already noticed a few older members who haven't been here in years poking their heads in to change their passwords, and I hope this brings a few people back to the hobby... Make the best out of a bad situation. Smile

Ah the real reason for this email Very Happy

Thanks for remaining vigilant DL!



Joined: August 30, 2008
Posts: 2833
Submissions: 20
Location: Cambridge, ON, Canada

Posted on Sun Jun 26, 2011 5:29 pm

I should also note, as I have just noticed...

People who haven't touched their MyMAIL in a long time, who are updating to change their passwords may notice that this is breaking their sig...

This is due to: http://www.mailleartisans.org/board/viewtopic.php?t=16190 and is an unintentional but unavoidable side effect... My apologies.



Joined: July 12, 2009
Posts: 203
Submissions: 3
Location: Illinois

Posted on Sun Jun 26, 2011 8:30 pm

Thank you for taking care of this for us and notifying us about it. No I have not been on here in a while because I am just too busy. That is a good thing because it means I am making and selling jewelry. But I appreciate that the group is here when I need it. I also refer a lot of newbies here.

Again, many thanks.



Joined: April 16, 2009
Posts: 2
Submissions: 0

Posted on Sun Jun 26, 2011 10:12 pm

Thanks for the heads up - password is changed

Joined: April 23, 2008
Posts: 2
Submissions: 0

Posted on Sun Jun 26, 2011 10:55 pm

I would also like to join in with a big thank you. I have received some notices elsewhere but they have not said it was needed to change passwords. I really appreciate what you do.

I'm sorry to ask this, but I cannot find how/where to change my password here. Would appreciate the info. I'll keep looking tho.

Thanks again.

Joined: August 30, 2008
Posts: 2833
Submissions: 20
Location: Cambridge, ON, Canada

Posted on Sun Jun 26, 2011 10:57 pm

Mambolady wrote:
I would also like to join in with a big thank you. I have received some notices elsewhere but they have not said it was needed to change passwords. I really appreciate what you do.

I'm sorry to ask this, but I cannot find how/where to change my password here. Would appreciate the info. I'll keep looking tho.

Thanks again.


MyMAIL (http://www.mailleartisans.org/members/mymail.php) is where you want to do it.
You will need to fill in your current password, and the desired new one.



Joined: April 23, 2008
Posts: 2
Submissions: 0

Posted on Sun Jun 26, 2011 11:08 pm

Mambolady wrote:
I would also like to join in with a big thank you. I have received some notices elsewhere but they have not said it was needed to change passwords. I really appreciate what you do.

I'm sorry to ask this, but I cannot find how/where to change my password here. Would appreciate the info. I'll keep looking tho.

Thanks again.


FOUND IT!! And another thanks to DL for poking his head in to see that I did.
I haven't been around 4 awhile, various reasons, no computer, have computer no internet, but wanted to say WOW THE SITE IS GORGEOUS!!! Making a big note to come back after I go around TCB.
