Please change your passwords; SSL vulnerability patched
Posted: Wed Apr 09, 2014 6:03 pm
by infurnus
Forums are temporarily closed while we sort out some security issues
The issue is described here:
http://heartbleed.com
I strongly advise any system administrators that use OpenSSL to look into this as well
EDIT: Aaand we're back.
You are strongly advised to change your passwords. While there is no known leak of anyone's Zandronum.com passwords, I can't prove that every password is perfectly safe, so it's better to just change your passwords and avoid any paranoia. On the forums, you should manually log out and log back in to reset your session.
For the forums, you can change your password here if you are logged in:
https://zandronum.com/forum/usercp.php?action=password
You may also request a forum password reset at this page if you are unable to log in:
https://zandronum.com/forum/member.php?action=lostpw
To reset your Tracker password, go here:
https://zandronum.com/tracker/lost_pwd_page.php
To reset your Wiki password, go here:
https://wiki.zandronum.com/Special:PasswordReset
On IRC, you may use the command: /nickserv help set password
Change any non Zandronum.com passwords as well, for added security.
If you require any assistance in resetting your passwords, please contact
admin@zandronum.com
RE: Forums are temporarily closed
Posted: Wed Apr 09, 2014 6:43 pm
by Slim
Spoiler: Generic Response from the uneducated: "OH MY GERD ZANDYS BEEN HACKED BY NAZIS AND SHADOWCOCKS"
No not really, prolly just a check in security, sometimes paranoia gets the best of us.
RE: Please change your password; SSL vulnerability patched
Posted: Wed Apr 09, 2014 6:54 pm
by Dusk
Whether someone exploited this on Zandronum before it was patched we have no way to tell. This is a gravely serious, global-scale security vulnerability affecting 500 000 web servers, Zandronum being one of them.
Anyone's password could've been leaked to anyone, on any web service using OpenSSL. So it's recommended to change your passwords everywhere, not just here. I also recommend logging out and back in to invalidate your session ID, which could've also been leaked.
EDIT:
<@Konar6> make sure to change your password AFTER the service provider updated their OpenSSL...
<@Konar6> if there's a way to know...
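Konar6's point is the one people most often get wrong: a password changed while the server is still running a vulnerable OpenSSL can be leaked again immediately. The following is an added example, not code from this thread or from the Zandronum admins, showing how to decide from a server's OpenSSL version banner and its certificate's notBefore date whether rotating a password makes sense yet. The version ranges are those published for CVE-2014-0160 (OpenSSL 1.0.1 through 1.0.1f and 1.0.2-beta1 vulnerable; 1.0.1g, released 7 April 2014, fixed; 0.9.8 and 1.0.0 never had the heartbeat extension). The `patched_from_changelog` flag and the function names are this example's own; distributions such as Debian and Ubuntu backported the fix without changing the banner, so the banner alone cannot prove a server is still vulnerable.

```python
"""Decide whether it is worth rotating a password yet, given what a server
exposes about its OpenSSL build and TLS certificate (CVE-2014-0160).

Added example for the Zandronum thread; not the forum's or OpenSSL's code.
"""
import re
from datetime import date

# OpenSSL 1.0.1g release and public disclosure date.
PATCH_RELEASE = date(2014, 4, 7)

# Matches banners such as "OpenSSL 1.0.1e 11 Feb 2013" or "OpenSSL 1.0.2-beta1 24 Feb 2014".
_VERSION_RE = re.compile(
    r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]?)(?:-(beta\d+|pre\d+))?", re.IGNORECASE
)


def parse_openssl_version(banner):
    """Return (major, minor, patch, letter, prerelease) or raise ValueError."""
    m = _VERSION_RE.search(banner)
    if not m:
        raise ValueError("not an OpenSSL version banner: %r" % banner)
    major, minor, patch, letter, pre = m.groups()
    return int(major), int(minor), int(patch), letter.lower(), (pre or "").lower()


def is_heartbleed_vulnerable(banner):
    """True when the upstream version in the banner shipped the Heartbleed bug."""
    major, minor, patch, letter, pre = parse_openssl_version(banner)
    if (major, minor, patch) == (1, 0, 1):
        # 1.0.1 (no letter) through 1.0.1f are affected; 1.0.1g and later are fixed.
        return letter <= "f"
    if (major, minor, patch) == (1, 0, 2):
        # Only the first 1.0.2 beta carried the bug.
        return pre == "beta1"
    # 0.9.8 and 1.0.0 have no heartbeat extension at all.
    return False


def remediation_status(banner, cert_not_before_iso, patched_from_changelog=False):
    """Classify what a user can conclude before changing a password.

    cert_not_before_iso: the certificate's notBefore date as YYYY-MM-DD.
    patched_from_changelog: set when the distro package changelog confirms a
    backported fix (hypothetical flag; the banner cannot show this itself).
    """
    cert_not_before = date.fromisoformat(cert_not_before_iso)
    if is_heartbleed_vulnerable(banner) and not patched_from_changelog:
        return "still vulnerable: changing the password now gains nothing"
    if cert_not_before < PATCH_RELEASE:
        # Patched, but the key used while vulnerable may have been read out of memory.
        return "patched, but certificate predates the fix: key may be compromised"
    return "patched and certificate reissued after the fix: safe to rotate"


if __name__ == "__main__":
    # Constructed inputs, not observations of any real server.
    for banner, not_before in [
        ("OpenSSL 1.0.1e 11 Feb 2013", "2013-06-01"),
        ("OpenSSL 1.0.1g 7 Apr 2014", "2013-06-01"),
        ("OpenSSL 1.0.1g 7 Apr 2014", "2014-04-09"),
    ]:
        print(banner, "->", remediation_status(banner, not_before))
```

The "certificate predates the fix" case is the one site operators tend to skip: a server can be fully patched and still be serving a certificate whose private key was readable from memory for two years.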
RE: Please change your passwords; SSL vulnerability patched
Posted: Wed Apr 09, 2014 9:26 pm
by StrikerMan780
Thanks for letting us know. This announcement just helped me patch the vulnerability on my own webserver, so thanks for that too.
RE: Please change your passwords; SSL vulnerability patched
Posted: Thu Apr 10, 2014 5:30 am
by Zalewa
I find it somewhat amusing that you're talking about security vulnerabilities, and yet every single one of these URLs is plain text and will expose your password to the administrator of your work network, or to anyone who's connected to the same unprotected Wi-Fi that you're connected to, or to President Obama. Forums and tracker seem to have HTTPS enabled, although not certified, but it's still better than plain text.
RE: Please change your passwords; SSL vulnerability patched
Posted: Thu Apr 10, 2014 7:35 am
by Fluttershy
Password was changed, and I appreciate the notice. Four other sites I visit rather frequently also were impacted by this, so I took the warning and edited the passwords on both.
Also, it would appear Tumblr was one of the ones impacted, too. It's a headline post if you have an account on there, urging those to change their password.
RE: Please change your passwords; SSL vulnerability patched
Posted: Thu Apr 10, 2014 9:04 am
by Konar6
Zalewa wrote:
I find it somewhat amusing that you're talking about security vulnerabilities, and yet every single one of these URLs is plain text and will expose your password to the administrator of your work network, or to anyone who's connected to the same unprotected Wi-Fi that you're connected to, or to President Obama. Forums and tracker seem to have HTTPS enabled, although not certified, but it's still better than plain text.
I believe this originates from the website using a self-signed certificate in past, generating ugly errors in browsers ("connection to this website is untrusted, get me out of here!"), which was scaring off users whenever they clicked a link to https.
Though it seems that the website is now using a certificate signed by authority (this is news), so Zalewa has a valid point. Technically it would be possible to force https by default.
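Whether a site actually "forces https by default" can be verified from two responses: the answer to a plain-http request (it should be a redirect to the same host over https) and the https answer itself (it should carry a Strict-Transport-Security header, so browsers stop trying http afterwards). The following is an added example, not code from this thread or from Zandronum, and the responses it checks are constructed stand-ins for a hypothetical host `forum.example.com`; nothing here reflects what zandronum.com actually returned.

```python
"""Classify whether a site forces HTTPS from captured HTTP/1.x responses.

Added example; the responses below are constructed, not captured from
any real server.
"""
from urllib.parse import urlsplit

# Constructed sample responses for the hypothetical host forum.example.com.
HTTP_WEAK = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
             b"<html>login form served over plain http</html>")
HTTP_GOOD = (b"HTTP/1.1 301 Moved Permanently\r\n"
             b"Location: https://forum.example.com/forum/usercp.php?action=password\r\n\r\n")
HTTPS_GOOD = (b"HTTP/1.1 200 OK\r\n"
              b"Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n\r\n")
HTTPS_NO_HSTS = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"


def parse_response(raw):
    """Split a raw HTTP/1.x response into (status_code, {lowercased header: value})."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return status, headers


def redirects_to_https(http_response, host):
    """True when a plain-http response redirects to https on the same host."""
    status, headers = parse_response(http_response)
    if status not in (301, 302, 307, 308):
        return False
    target = urlsplit(headers.get("location", ""))
    return target.scheme == "https" and target.hostname == host


def hsts_max_age(https_response):
    """Return the Strict-Transport-Security max-age in seconds, or 0 if absent."""
    _, headers = parse_response(https_response)
    for directive in headers.get("strict-transport-security", "").split(";"):
        key, _, value = directive.strip().partition("=")
        if key.lower() == "max-age" and value.isdigit():
            return int(value)
    return 0


def forces_https(http_response, https_response, host):
    """A site forces HTTPS when http redirects to https and https sets HSTS."""
    return redirects_to_https(http_response, host) and hsts_max_age(https_response) > 0


if __name__ == "__main__":
    host = "forum.example.com"
    print("weak setup forces https:", forces_https(HTTP_WEAK, HTTPS_NO_HSTS, host))
    print("redirect without HSTS:  ", forces_https(HTTP_GOOD, HTTPS_NO_HSTS, host))
    print("redirect plus HSTS:     ", forces_https(HTTP_GOOD, HTTPS_GOOD, host))
```

A redirect alone still leaves the first plain-http request (and any cookie sent with it) exposed on the wire; the HSTS header is what closes that window on later visits.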
RE: Please change your passwords; SSL vulnerability patched
Posted: Thu Apr 10, 2014 12:03 pm
by Metal
This "heartbleed bug" was the same thing that affected the Canada Revenue site. It's very worrisome as that's a website that holds a lot of information on all Canadian tax payers. It might be a good idea to change all passwords on the websites you're frequently on.
RE: Please change your passwords; SSL vulnerability patched
Posted: Thu Apr 10, 2014 2:05 pm
by Dark-Assassin
Could this bug be a part of how the Skulltag forums got hacked? Or was that just a PHP/PHPBB bug?
RE: Please change your passwords; SSL vulnerability patched
Posted: Thu Apr 10, 2014 5:31 pm
by infurnus
Zalewa wrote:
I find it somewhat amusing that you're talking about security vulnerabilities, and yet every single one of these URLs is plain text and will expose your password to the administrator of your work network, or to anyone who's connected to the same unprotected Wi-Fi that you're connected to, or to President Obama. Forums and tracker seem to have HTTPS enabled, although not certified, but it's still better than plain text.
There's a workaround that's rolling out for this:
https://www.eff.org/https-everywhere
RE: Please change your passwords; SSL vulnerability patched
Posted: Thu Apr 10, 2014 7:52 pm
by Metal
Dark-Assassin wrote:
Could this bug be a part of how the Skulltag forums got hacked? Or was that just a PHP/PHPBB bug?
That was exploits/security holes in the PHPBB software.
RE: Please change your passwords; SSL vulnerability patched
Posted: Thu Apr 10, 2014 9:18 pm
by Konar6
+ Rivecoder
RE: Please change your passwords; SSL vulnerability patched
Posted: Thu Apr 10, 2014 11:47 pm
by Jenova
Zalewa wrote:
I find it somewhat amusing that you're talking about security vulnerabilities, and yet every single one of these URLs is plain text and will expose your password to the administrator of your work network, or to anyone who's connected to the same unprotected Wi-Fi that you're connected to, or to President Obama. Forums and tracker seem to have HTTPS enabled, although not certified, but it's still better than plain text.
I don't understand what this post has to do with anything. Of course you could have your information stolen by connecting to random WiFi networks, that's how it has always worked.
There is a difference between someone stealing your information due to your own negligence, and someone stealing thousands of logins from major websites, banks, etc.
This is probably the biggest security leak in the last few years, as anything and everything can be exposed by openssl: plaintext passwords, hashed passwords, SSL certificates, session IDs, etc.
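Jenova's list of what can leak (passwords, hashes, certificates, session IDs) follows from the mechanism: the bug is a missing bounds check, not a cryptographic break. The following is an added example, not code from this thread or from OpenSSL, that simulates the heartbeat handling on a byte buffer. In OpenSSL the handler read a 16-bit payload length from the client's heartbeat request and copied that many bytes from the request buffer into the response without comparing it to the length of the record actually received; the 1.0.1g fix added the check reproduced in `process_heartbeat_fixed`. The "process memory" here is a bytearray holding the received record followed by a constructed secret, standing in for whatever happened to sit next to the record on the heap.

```python
"""Simulation of the Heartbleed over-read (CVE-2014-0160).

Added example; the byte layout follows the TLS heartbeat message
(type, 2-byte payload length, payload, padding) but the "memory" and
the secret in it are constructed for illustration.
"""
import struct

TLS1_HB_REQUEST = 1
TLS1_HB_RESPONSE = 2
PADDING = 16  # minimum padding the heartbeat extension requires after the payload

# Constructed stand-in for unrelated heap data adjacent to the received record.
SECRET_MEMORY = b"session=3f9a1c;user=dusk;password=hunter2"


def build_heartbeat(payload, claimed_length=None):
    """Build a heartbeat request. claimed_length lets the sender lie about the
    payload length, which is exactly what the attack does."""
    length = len(payload) if claimed_length is None else claimed_length
    return bytes([TLS1_HB_REQUEST]) + struct.pack("!H", length) + payload + b"\x00" * PADDING


def _echo(memory, offset, payload_len):
    """Build the response by copying payload_len bytes from the payload start."""
    start = offset + 3
    return bytes([TLS1_HB_RESPONSE]) + struct.pack("!H", payload_len) + bytes(memory[start:start + payload_len])


def process_heartbeat_vulnerable(memory, offset, record_length):
    """Pre-1.0.1g behaviour: trust the attacker-supplied length field."""
    hbtype = memory[offset]
    (payload_len,) = struct.unpack_from("!H", memory, offset + 1)
    if hbtype != TLS1_HB_REQUEST:
        return None
    # record_length is never consulted: the copy runs past the record's end.
    return _echo(memory, offset, payload_len)


def process_heartbeat_fixed(memory, offset, record_length):
    """1.0.1g behaviour: discard requests whose claimed payload plus header
    and padding exceed the record that was actually received."""
    if 1 + 2 + PADDING > record_length:
        return None  # too short to be a heartbeat at all
    hbtype = memory[offset]
    (payload_len,) = struct.unpack_from("!H", memory, offset + 1)
    if 1 + 2 + payload_len + PADDING > record_length:
        return None  # the bounds check that was missing
    if hbtype != TLS1_HB_REQUEST:
        return None
    return _echo(memory, offset, payload_len)


def leaked_bytes(response, record_length):
    """Bytes in a heartbeat response that lie beyond the received record."""
    copied = response[3:]
    return copied[record_length - 3:]


def demo():
    """Send one honest request and one with a 65535-byte claimed length."""
    record = build_heartbeat(b"ping", claimed_length=0xFFFF)
    memory = bytearray(record + SECRET_MEMORY)
    vuln = process_heartbeat_vulnerable(memory, 0, len(record))
    fixed = process_heartbeat_fixed(memory, 0, len(record))
    return vuln, fixed, record


if __name__ == "__main__":
    vuln, fixed, record = demo()
    print("fixed handler answered:", fixed)
    print("vulnerable handler leaked:", leaked_bytes(vuln, len(record)))
```

Each malicious heartbeat returns up to 64 KiB of whatever follows the record in memory; an attacker simply repeats the request until credentials, session cookies or key material happen to be in range, which is why the thread's advice to rotate passwords and re-login is the right response even without proof of exploitation.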
RE: Please change your passwords; SSL vulnerability patched
Posted: Fri Apr 11, 2014 7:10 am
by Zalewa
Jenova wrote:
Zalewa wrote:
I find it somewhat amusing that (...)
I don't understand what this post has to do with anything. Of course you could have your information stolen by connecting to random WiFi networks, that's how it has always worked.
There is a difference between someone stealing your information due to your own negligence, and someone stealing thousands of logins from major websites, banks, etc.
This is probably the biggest security leak in the last few years, as anything and everything can be exposed by openssl: plaintext passwords, hashed passwords, SSL certificates, session IDs, etc.
I actually think that it's very important to include information on how to be as secure as possible if you're sending a scary email to everyone saying that their passwords might've been compromised. While heartbleed is serious, and I'm sure that people have managed to exploit it to gain unauthorized access to private information, I can't shake off the feeling of how similar this situation is to whatever the popular global epidemic of the year is. I'm actually more concerned about password leakage due to people using non-secure connections.
Zandronum has SSL enabled, and it seems that our certificate is signed, so each link in the email and in this thread should be https, not http. If you can't provide https, you should explain to the users when it's safe and when it's not safe to use http. In fact, I believe you should do both of these regardless of the situation.
RE: Please change your passwords; SSL vulnerability patched
Posted: Fri Apr 11, 2014 6:02 pm
by infurnus
Zalewa wrote:
Zandronum has SSL enabled, and it seems that our certificate is signed, so each link in the email and in this thread should be https, not http. If you can't provide https, you should explain to the users when it's safe and when it's not safe to use http. In fact, I believe you should do both of these regardless of the situation.
For that one it's user error; when fetching the links from my browser's URL bar it had http results instead of the https that I use normally (I am working on fixing this on my end).
As for the rest, I have been trying to figure out why the email system sends http instead of https links (like in the new PM or thread reply emails), I'll talk to Blzut about it.
RE: Please change your passwords; SSL vulnerability patched
Posted: Sat Apr 12, 2014 2:14 am
by Crasger
Just a question...
Why would some go through lengths to register a domain and make a website as well as a logo just for a COMPUTER BUG?
It seems like this is some hoax or advertising scheme. Since there's no evidence of it being used, and there's so much attention around it.
RE: Please change your passwords; SSL vulnerability patched
Posted: Sat Apr 12, 2014 2:19 am
by ibm5155
Too lazy to change the boontuoteg password
RE: Please change your passwords; SSL vulnerability patched
Posted: Sat Apr 12, 2014 12:09 pm
by Lollipop
I have not seen this flourish in the newspapers, even though it would be a 100% front page article. I dunno, but it seems a bit weird to me too.
RE: Please change your passwords; SSL vulnerability patched
Posted: Sat Apr 12, 2014 12:30 pm
by Luke
So, seems like the NSA knew about this exploit for 2 years and said nothing to take advantage of it. :D
How nice!
RE: Please change your passwords; SSL vulnerability patched
Posted: Sat Apr 12, 2014 2:21 pm
by Rainbow
Thanks for the heads up. I've been taking this OpenSSL thing with a grain of salt. More or less because simply changing my password will not work unless I know for sure it's been patched.
Quite honestly, this has been the only place to mention anything about it so far (at least where I have an account).