
Did anyone else see the Steam security breach. :(

Discussion in 'Off Topic' started by Deepmartini, Nov 11, 2011.

  1. Deepmartini

    Deepmartini Well-Known Member

  2. kuyenmotdivad

    kuyenmotdivad Active Member

    Ya, I saw it. I was on the forum when it happened. What do they expect? They use VB and it's an old version.... If they used XF this would not happen... (y)

  3. mauzao9

    mauzao9 Well-Known Member

    There isn't any software that can assure us that would not happen.
    Jarod likes this.

  4. kuyenmotdivad

    kuyenmotdivad Active Member

    Keeping your software on the server side like (PHP etc) would make it more secure and also use forum software and keep it up to date.

    I find password protecting the admin/mod login with .htaccess helps a lot as well.

  5. ManagerJosh

    ManagerJosh Well-Known Member

    To be fair, we don't know if vBulletin was the culprit or something else allowed for the data breach to occur.

  6. kuyenmotdivad

    kuyenmotdivad Active Member

    True, but if their software was up to date it would not happen, and if it was up to date and they got hacked.... then I'm worried.

  7. Deebs

    Deebs Well-Known Member

    They used decent security measures so I am not worried. Saw a message earlier that they used SHA256 but not sure about a random salt per account. Even with today's GPUs it will take years and years to discover a decent password, i.e., one with at least 8 characters/digits plus 1 special character. Personally I use LastPass (with 2 factor auth) and use a 16 digit password, auto-generated, with alphanumeric and at least 2 "special" chars. If they break that before I am dead then wow.
    Shelley and Forsaken like this.

  8. KevinL

    KevinL Member

    Weren't they using 3.8.x? It was up to date for that branch...

  9. Deebs

    Deebs Well-Known Member

    No software is immune from attack. Be it now or tomorrow, it will get broken. The only sure way of protection is a hash that is capable of withstanding today's, and tomorrow's computing power. That is either bcrypt or scrypt. Forget two factor authentication as that does not protect you from using the same password on multiple sites. I think the ideals behind bcrypt and scrypt are sound, make the cost of brute forcing a password expensive, in CPU terms. scrypt goes one further and makes it extremely hard to implement on a GPU.

    For me, right now, XF should update the salt on a successful login. Every time a salt changes it makes the rainbow table less effective. Better still, move to bcrypt or scrypt. I would much rather have a message saying that the extra second in login time is to reduce a hacker's chance of breaking your password by a factor of 100 years (or more). By then I won't care.
    BlackJacket and KevinL like this.

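As an added illustration of the scheme Deebs describes (this is example code written for this page, not code from the thread, from XenForo or from vBulletin): a per-account random salt, a tunable scrypt work factor stored next to the digest, and a re-salt on every successful login. It assumes Python's standard `hashlib.scrypt` is available (it is OpenSSL-backed); the unsalted SHA256 function stands in for the weaker scheme the thread is worried about.

```python
import hashlib
import hmac
import os

# scrypt work factor for newly written hashes; 2**14 with r=8 needs 16 MiB,
# which fits under hashlib.scrypt's default 32 MiB memory limit.
SCRYPT_N = 2 ** 14
SCRYPT_R = 8
SCRYPT_P = 1


def unsalted_sha256(password: str) -> str:
    """The weak scheme under discussion: no per-account salt, so two accounts
    sharing a password share a digest and one precomputed table covers both."""
    return hashlib.sha256(password.encode()).hexdigest()


def hash_password(password: str, n: int = SCRYPT_N) -> dict:
    """scrypt with a fresh 16-byte random salt. The salt and the cost 'n' are
    stored with the digest so both can be checked and raised later."""
    salt = os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=n, r=SCRYPT_R, p=SCRYPT_P)
    return {"salt": salt.hex(), "n": n, "digest": digest.hex()}


def verify_password(password: str, record: dict) -> bool:
    """Recompute with the stored salt and cost; compare in constant time."""
    candidate = hashlib.scrypt(
        password.encode(),
        salt=bytes.fromhex(record["salt"]),
        n=record["n"], r=SCRYPT_R, p=SCRYPT_P,
    )
    return hmac.compare_digest(candidate, bytes.fromhex(record["digest"]))


def login(password: str, record: dict):
    """Returns (success, record_to_store). On success the password is re-hashed
    with a new salt at the current cost, as suggested in the thread; login is
    the only moment the plaintext is available to do that. On failure the
    stored record is returned unchanged."""
    if not verify_password(password, record):
        return False, record
    return True, hash_password(password)


if __name__ == "__main__":
    stored = hash_password("hunter2")          # constructed sample password
    ok, stored = login("hunter2", stored)
    print("login ok:", ok, "new salt:", stored["salt"])
```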
  10. SilverCircle

    SilverCircle Well-Known Member

    This shows impressively how little people understand about all this security stuff...

    I don't blame you or anyone else for believing in the "if you update your software, you're safe" paradigm - after all, this is what most software producers are trying to *make* you believe.

    Unfortunately, it's wrong and believing in it can be dangerous, especially when you start to act carelessly, because you always update and therefore think you're safe.

    There is no software that is free of bugs and even if a PHP application was free of bugs and possible exploits, you still depend on the underlying software (i.e. PHP itself, your web server, even your operating system) and no matter how hard you try to keep all that stuff up to date, you're not safe. Period.

    Software developers can only fix known bugs and exploits, but as a matter of fact, many hacks and exploits make use of recently discovered and unknown bugs and this is something you cannot avoid, not today, not tomorrow, not in 100 years from now. As software evolves, it gains complexity and the more complex a software is the higher is the chance for hidden bugs and possible exploits to exist.

    Bugs have been found in software that was tested for many years before it was deployed into productivity (i.e. flight management software for modern airliners - something you cannot even remotely compare to a php script running a blog or forum) which was designed and tested under completely different standards and yet, bugs were found years later.

    Hacks, exploits, data theft - that's something we'll need to accept as negative side effects of all our modern technologies and like Deebs correctly stated in his post, the only way to protect our data is to use strong encryption. After all, stolen data is basically worthless when you cannot decrypt it.
