Hacked behind us

[Jack McKalling]

Welcome to the renewed W3Schools Forums! yesterday we got hacked, but now we are back again.Users from before this hacking, who created new accounts, may yet again log in with their old accounts, the new ones got overriden.

[boen_robot]

Whoa. I left the forum for just a few minutes, and now it's back with the backup .Hope now W3Schools may at least try to fix those security vulnerabilities and/or upgrade IPB.

[Jack McKalling]

Unfortunately, all topics made and bumbed after the backup, lost their new data. But not much data is lost, after the backup was restored. Even stronger, we don't care! I don 't at least. :)Actually there is something I miss, the last few weeks I have been struggling to get from 920 to 985 posts, and now I have to do that all over again. But I don't care much, we overcome the hacking, more importantly

Edited August 2, 2006 by Dan The Prof

[Cronthenoob]

YAY!! I guess it didnt remember all of our posts, because I have more than just 8 :)oh well

[aspnetguy]

*huge sigh of relief*edit: just noticed that the backup was from July 8th...wow I thought backups got made more often.

[superninja]

I'm Glad you're back guys

[MartinAustin]

Welcome back, no more withdrawal. I'll stick with my new account, being that I only had 8 posts on the old one

[Skemcin]

Suggested Link:http://w3schools.invisionzone.com/index.php?showtopic=6113

[boen_robot]

Yes! W3Schools has upgraded to IPB 2.1.7 .

[vchris]

Woot! accounts back!

[Sniffy]

I was worried there for a moment.

[justsomeguy]

Actually there is something I miss, the last few weeks I have been struggling to get from 920 to 985 posts, and now I have to do that all over again. But I don't care much, we overcome the hacking, more importantly

I was over 1500. Nothing was really "overcome" though, the guy who attacked the forum eventually unlocked it, but I do see that it was upgraded. I'm just sorry we lost nearly a month's worth of posts, this place is supposed to be a community to provide help to whoever asks, and some kid comes along and destroys all that just because he wants to be an ######. Not much you can say about that, it's just the way some people are.Oh yeah, and also, a big hearty ###### YOU to zero cool on the hacker forum for suggesting this forum as a target in the first place.

[Jack McKalling]

You're right, nothing overcome actually. But I mean survived.

[Skemcin]

its so easy to get ticked off at a hacker for doing what was done here. but one must understand that it is not entirely "zero cool on the hacker forum" 's fault. although this may sound harsh and may be unpopular, the people responsible for managing/overseeing this application are truly responsible.if everyone minded their P's and Q's and took the time they needed to do things right, then people like "zero cool on the hacker forum" would find other things to do. I know that is a perfect world scenario and I know that is not realistic, but everyone needs to understand where the real problem is. everyone needs to see that a website is not sellf-sufficient, it needs interaction.Keep the applications you build/use up-to-date and protected.Our whole purpose, as its been stated, in coming here is to learn how to be web developers. So far, this is -hands down- the most important lesson to be demonstrated in these forums. The second lesson learned is that backups must be maintained and verified more than once a month. Backs ups need to be performed daily (even twice) and data verification once a week (at least). The more popular a website becomes, the more responsibility you have to protect its visitors. Everyone of you need to understand this as a basic principle of all the work you do.

[aspnetguy]

100% right...Hackers will always exist and will cause trouble but had the admins been diligent and installed the updates as they came out the hacker would not have been able to get in.At the time of the hack the forums were running on version 2.0.4...a far cry from the most up-to-date version 2.1.7 (13 releases since the forum had been updated - unexcusable) which has fixed the exploits these hackers are using on alot of IPB forums.

[justsomeguy]

its so easy to get ticked off at a hacker for doing what was done here. but one must understand that it is not entirely "zero cool on the hacker forum" 's fault. although this may sound harsh and may be unpopular, the people responsible for managing/overseeing this application are truly responsible.

I understand what you mean, and hackers use that argument all the time to justify them screwing up other people's websites, but it's a chicken before the egg problem. If we kept the software updated, hackers wouldn't be able to get in, but if there were no hackers trying to get in, then we wouldn't need to keep the software updated. Still, for essentially putting a bounty on this place, I blame him. Secondly, I blame the attacker himself, because if all he wanted to do was prove that we need to upgrade or prove that he could get in, all he needed to do was change the page title. He didn't need to delete all users and block public access. That's malicious. He didn't demonstrate any skills or knowledge, other then being able to run a Perl script. He used the work of a competent programmer, probably someone in Russia, executed the guy's script and got in. The only work he did was to delete the users, lock out the public, and change all of the titles.I don't want to blame the admins for the site being hacked, because that takes the blame away from the script kiddies who used the exploit. It's their fault, they are the people who committed the felony. I would blame the admins for the fact that the site was down for 5 days without a response, but not for the fact that it got hacked in the first place. They should have upgraded the software, but that doesn't excuse some selfish, immature, parasitical kid from choosing to exploit the forum and block everyone's access to it.

[Jack McKalling]

Who to blame is everone's own choice, I too do blame the attacker, but it is just the fact not everybody is the honest we are, nothing can be done about that. Everyone is different, even though every single human has good will in his heart, not everyone chooses to use his good side. We should remind ourselves those people just exist and cannot be changed by us. We can ever blame someone for his or her acts, but it doesn't change the way that person is. What does help, is taking the care needed to overcome or even prevent it from happening. That way all parties would learn from the happening, we to be smarter than the attacker, and he for the failure he made by trying, when we prevented it from happening.

[aspnetguy]

Both of you are forcing me to see this in 2 diffent lights and both have strong cases.Skemcin is right in that the admins are responsible to protect their users and have failed in that regard.However what justsomeguy is saying is also right. The hackers were malicous and broke the law.Perhaps a metaphor is in order.Situation 1:A burglar breaks into a home, that has no security system and the owners forgot to lock the door before going to bed, and steals all the valuables.Legally the crook is legally responsible and would go to jail if caught but on the other hand the home owners were very negliable and stupid and ultimately contributed greatly to their own dilema.Situation 2:Someone breaks into a high security bank and steals $12 million. Regardless of the crook is caught the bank is liable to its customers for the money...that is why they buy insurance.So it can be looked at from both ways.

[Skemcin]

fault = Neglect of care; an act to which blame or censure is attached.blame = To hold responsible.I'm not a word smith, but I do have to point out that I never used the word blame. There is no question that the hacker is to blame, but the fault lies in the site owner/administrators. There is a very fine distinction between reading something and comprehending it. Its this type of incomplete thinking/responding that creates miscommunication. Be careful what you write and be care how you read.aspnetguy's scenarios point out exactly how one person be at fault for something while another is to blame.

[justsomeguy]

Well that's a pretty fine line, but I was referring to this:

the people responsible for managing/overseeing this application are truly responsible.

If blaming is to hold responsible, then that sounds like what you said. But there's two meanings there, I would agree that the admins are responsible for keeping the place secure, but the admins are not responsible for the reality of the attack, the attackers are responsible for that. The admins could have done more to defend against the attack, but they aren't responsible for the attack itself. That was the point I was trying to make. But again, if we're debating the meaning of fault and blame, it is a very fine line. Each party is responsible for their own actions, or lack thereof, but not for the other's.

[Jack McKalling]

But what I mean, is this. We can discuss who is to blame, and whose fault it is. However, it is better to see what we have learned and prevent future happening, than discuss who should be taken responsible :)I am not a word smith either, and I am even dutch, so it was probably my lack of english. You are right that that could trigger misunderstandings. That is why I explain afterwards right now.So it doesn't matter if it is our admins who should have done things otherwise, or the creators of our software who should have created backups more frequently, or the attacker who should have left the idea of hacking allone, or the site holding the exploits who should have never turned into serving exploits.What does matter, is that we have been hacked, and we should take care about that (we did) and try to prevent it from happening again.Well, that is only my opinion, and it is not choosing side between the fault of either party, but it stands in the middle. Choosing sides doesn't solve any problems I think. Some people just are how they are, and I have accepted that.

[Skemcin]

Well that's a pretty fine line, but I was referring to this:If blaming is to hold responsible, then that sounds like what you said. But there's two meanings there, I would agree that the admins are responsible for keeping the place secure, but the admins are not responsible for the reality of the attack, the attackers are responsible for that. The admins could have done more to defend against the attack, but they aren't responsible for the attack itself. That was the point I was trying to make. But again, if we're debating the meaning of fault and blame, it is a very fine line. Each party is responsible for their own actions, or lack thereof, but not for the other's.

I absolutely agree. I just wanted to be sure that the distinction (how ever fine it is) was made.

[Skemcin]

Well, that is only my opinion, and it is not choosing side between the fault of either party, but it stands in the middle. Choosing sides doesn't solve any problems I think. Some people just are how they are, and I have accepted that.

I understand what you are saying and appreciate the perspective. However, I can;t help but to sugges that you challenge yourself to think even deeper to kind a position. You don't necessarily have to share. But the middle is a very dangerous place just as much as it is the safest place - thats a discussion in of itself.But anyway, for this I think it is important to understand how and where to put yourself. Maybe many of you cannot see this yet but as you get involved in business more and more you'll be faced with situations where there is no floor in the middle of the room - you will have to choose (to some degree and/or resistance) one side or the other.If any of you are into reading, here are a two text books worth looking at. They each are a serious of short case studies or summaries of historical business decisions. I HATE reading but I loved these books. Each case study is no more than 5 to 10 pages - so you are not reading a whole book, just the selected stories that you might find intersting:Crainer. S. (2003). The Ultimate Business Library: The Greatest Books that made Management. New ed. Capstone Publishing Ltd (a Wiley company): Oxford, UK.ISBN: 1-84112-059-6Hartley, R. F. (2005). Management Mistakes and Successes. 8th ed. New York: John Wiley & Sons. ISBN: 047166202XIn any case, I am not debating your points at all, just pushing you(and anyone else) a little to see if there is anything to it than what you might see on the surface.

[Jack McKalling]

To what exactly you want me and others push than?I think I only see this thing realistic, and practical. What should be done about it. What is the use of blaming or saying who is responsible? Out of case that that would be used for the punishment in business, treaters would get by the authorities? I personally don't care about the faultness of whatever party, only about what we can learn from it. Because I am a person who believes in the good and bad of mankind, and I know no one can change howmany good or bad someone uses. But lets not go into the fact I think our justice system is a total chaos and broken in every way. Next to what I think is important in these sorts of situations, what do you suggest me to do or see?

[justsomeguy]

I think it's pretty obvious what can be learned:1) keep your software upgraded2) some people will be ######s, and they will enjoy it, and there's nothing you can do about it except for 1)