Post by tt on Nov 30, 2006 20:26:28 GMT
Currently I estimate that the site will be back at the latter part of the weekend or very early next week. The site is currently being thoroughly scanned and everything sorted by external security experts, so at relaunch I'll be as sure as I can be that everything is secure. As we're not quite sure exactly what will be found and I'm working with other people, I can't give a firm date, other than to assure you that it will definitely be reinstated. So make yourselves at home for a couple more days!
Post by foggy on Nov 30, 2006 22:05:33 GMT
As long as I can smite people I don't mind hanging round here!!
Post by robert on Nov 30, 2006 22:47:24 GMT
Yes - can we have a smiting / exalting facility on TT ?
Silly nonsense, I know, but it's our only way to punish Paddington Ray!!
Post by paull on Dec 1, 2006 9:01:53 GMT
Thanks for the update Gareth. I am sure most of us are happy to wait until TT is fixed properly. Is there any chance you can make the TT Christmas do? I think we would all buy you a drink! Cheers, Paul.
Post by bigbopper on Dec 1, 2006 10:16:45 GMT
> Yes - can we have a smiting / exalting facility on TT ?
> Silly nonsense, I know, but it's our only way to punish Paddington Ray!!

Smites are a punishment for Ray? But he loves it, the dirty little hoor that he is! ;D
BB
Post by bigbopper on Dec 1, 2006 10:17:38 GMT
Alas, Gareth is the wrong part of the country. Bel and I were desperate for him to come.
BB
Post by schedboy on Dec 1, 2006 12:38:50 GMT
Gareth you are a god!! Is there any chance of merging in the week's worth of posts from here back to our house??? Oh, BTW can we get karma? ;D
Post by ray on Dec 1, 2006 13:26:50 GMT
Post by robert on Dec 1, 2006 14:23:04 GMT
Some of us have work to interrupt our 24-hour TT marathons!
Post by bex on Dec 1, 2006 15:54:29 GMT
wooohoo i found you and i'm in!! this is all very weird!
Post by robert on Dec 1, 2006 16:03:12 GMT
Hi there!
But how comes you've already been smited / smitten / smoted ? That's gotta be a record!
Post by namkinoib on Dec 1, 2006 17:18:20 GMT
sorry ray just had to smite you, even though you're a good bloke and all, it's just got to be done!
Post by bruiser2 on Dec 1, 2006 17:25:17 GMT
I don't know, I turn my back for 5 minutes, a couple of days, a couple of weeks and it all goes breasties up! Sounds like you've had a rough time of it Gareth - hope it all goes well this weekend and you're back up and running soon. PS Just Previewed this note and it turns "t*ts" into "breasties". That's clever
Post by namkinoib on Dec 1, 2006 17:51:08 GMT
breasties sounds better if you ask me interesting game i wonder what it will change this into>>? bum f**ker
Post by bruiser2 on Dec 2, 2006 11:53:50 GMT
f**k is a bit disappointing but cr*p turns into "rubbish"
Post by robert on Dec 2, 2006 14:25:05 GMT
Breasties?
Does that mean you can't say blue breasties? What about queen nefertiti?
Post by robert on Dec 2, 2006 14:25:30 GMT
Oh, so it's just the plural it doesn't like!
Post by fatboyinlycra on Dec 3, 2006 20:38:24 GMT
I've been out of it all week, so logged on tonight hoping to see good ole TT back up.
What's going on? What's the latest? Is TT's backup regime as watertight as ours at work?
(I hope not!)
Post by trex on Dec 3, 2006 20:41:08 GMT
The last I heard was that TT was hoping for tonight or tomorrow, but he's not updated us on that deadline, so not so sure that they've found the hole. But rest assured that he's working on it.
In the brief time that the site went back up on Monday or Tuesday the site was actually intact as the db was backed up on the Sunday morning (I think) and it all looked really lovely, so no issues with no viable back-up. There's thousands of posts on nonsense that somehow I feel I'm missing right now!
Post by legs on Dec 4, 2006 10:24:34 GMT
any further updates on the TT situation? I suspect that Gareth has been a tad busy!!
Post by bluepoolshark on Dec 4, 2006 10:39:48 GMT
Late today or tomorrow, which is good as i'm missing my blog!
Post by tt on Dec 4, 2006 11:28:20 GMT
It's all patched up now. I just need to do a bit of housekeeping to replace a couple of missing images, then change the DNS to point back to the original TT and finally reconfigure the firewall to let you all back in. The DNS changes usually take a little while (up to 24 hours) to propagate through the internet so suggest it'll be ready at some time tomorrow.
Post by foggy on Dec 4, 2006 11:41:07 GMT
Is there going to be a way to get some of the threads off here? At least things like the xmas pics posts etc? Or will we need to manually copy em across?
Post by tt on Dec 4, 2006 15:04:25 GMT
> Is there going to be a way to get some of the threads off here? At least things like the xmas pics posts etc? Or will we need to manually copy em across?

No, not going to be possible.
On a lighter note I've just discovered that someone has just purchased a new server on my behalf using an old hosting account I had, running up a bill of over £1000. This company had the card details stored but still managed to get my username and password from somewhere as these were not on TriTalk.
Post by dirtydavey on Dec 4, 2006 16:46:53 GMT
Surely the passwords were hashed in the TT database? How'd they managed to get hold of them?
Post by tt on Dec 4, 2006 17:14:31 GMT
They are MD5 hashed, so probably they have not.
Post by jc on Dec 4, 2006 17:29:49 GMT
Whoa there.... you're saying that if you had any online accounts (wiggle etc..) which require your email address and a password, that might have been the same as your TT one - you should change it?
Post by tt on Dec 4, 2006 17:38:48 GMT
Just to clarify as I don't want to cause any undue alarm or concern. There is no evidence that any passwords have been stolen. I asked someone for a detailed explanation as to the ability to determine the passwords from the database which are hashed...
MD5 hashes ARE mathematically impossible to decrypt, with our current knowledge. However, there is an attack which can be used against hashes, and this is actually what sets apart a strong password from a weak one.
This attack is called a "brute force" attack. Essentially, the attacker uses a program which generates hashes for every possible password following certain rules. For instance, a to z, then aa to az, then ba to bz, etc. When one of the hashes it generates matches the hash to be cracked, the password is known.
Another form of this attack involves using words from a dictionary or other wordlist, often with permutations made on each word to increase the chances of success.
A pure brute force attack will ALWAYS work, given enough time and enough computing resources. However, a strong password should make it computationally infeasible for an attacker to crack it.
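The storage question discussed in this thread, as an added example that is not part of any original post: it contrasts unsalted MD5 storage with salted PBKDF2 and estimates how long an exhaustive search takes at a given guess rate. The account names, passwords, guess rates and iteration count are constructed assumptions.

```python
import hashlib
import hmac
import os
from collections import defaultdict

PBKDF2_ITERATIONS = 600_000  # assumed work factor, tune to your hardware

def md5_hex(password):
    """Unsalted MD5, the storage scheme the thread says the forum used."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()

def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; returns (salt, derived_key)."""
    salt = os.urandom(16) if salt is None else salt
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                              PBKDF2_ITERATIONS)
    return salt, key

def verify_password(password, salt, expected_key):
    """Recompute with the stored salt and compare in constant time."""
    return hmac.compare_digest(hash_password(password, salt)[1], expected_key)

def shared_hash_groups(stored):
    """Audit helper: groups of users whose stored hash value is identical."""
    groups = defaultdict(list)
    for user, value in stored.items():
        groups[value].append(user)
    return sorted(sorted(users) for users in groups.values() if len(users) > 1)

def keyspace(alphabet_size, max_length):
    """Candidates in an exhaustive search: a..z, then aa..zz, and so on."""
    return sum(alphabet_size ** n for n in range(1, max_length + 1))

def worst_case_days(alphabet_size, max_length, guesses_per_second):
    """Time to try every candidate at a given (assumed) guess rate."""
    return keyspace(alphabet_size, max_length) / guesses_per_second / 86_400

# Constructed sample accounts; two users picked the same password.
SAMPLE_USERS = {"alice": "tri2006", "bob": "tri2006", "carol": "Xk9!vT2m#qLp"}

if __name__ == "__main__":
    unsalted = {u: md5_hex(p) for u, p in SAMPLE_USERS.items()}
    salted = {u: hash_password(p)[1] for u, p in SAMPLE_USERS.items()}
    print("identical unsalted hashes:", shared_hash_groups(unsalted))
    print("identical salted hashes:  ", shared_hash_groups(salted))
    # Assumed rates: 1e9 guesses/s for a fast hash, 1e3 for a slow KDF.
    for label, rate in (("fast hash", 1e9), ("slow KDF", 1e3)):
        print(label, "8 lowercase letters:", round(worst_case_days(26, 8, rate), 2), "days")
```

With unsalted MD5 the two accounts that share a password are visible straight from the stored values; with a per-user salt they are not, and the slow key derivation multiplies the cost of every guess.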
Post by andys on Dec 4, 2006 18:44:29 GMT
Thanks for the tip Gareth. I think it’s wise to remember you can't be too complacent with any form of internet security. The events of recent weeks have shown us online transactions are vulnerable, whether they be the alleged on-line bike shop problems, the forum hacking or any number of other activities that go on behind the scenes such as TG’s ebay scam. You can't be too careful.
The offer of a donation still stands.
Post by tritraveller on Dec 4, 2006 21:26:40 GMT
> A pure brute force attack will ALWAYS work, given enough time and enough computing resources. However, a strong password should make it computationally infeasible for an attacker to crack it.

Not to suggest any form of incompetency, but this is NOT the case. Many systems I use (yes, mostly internally corporate secured ones) only allow three attempts at a password and then the userid is locked out. Requiring either manager or employee action to create a reset. Assuming your userid is locked out over a period of a couple of days and you didn't do it, your IT dept, or the service provider should put a trace on and if there is questionable activity can take whatever action deemed appropriate... such as getting the cops involved. Hence you probably wouldn't get more than say 20 attempts to guess a password. So theoretically what you say is true, it isn't in many implementations.

I use a number of systems that even do this for file access. If you try to access files which are not authorised, each access is logged and after 3 attempts in 15 minutes your userid is locked out. Of course all this incurs overhead, and overhead equals cost. Something most websites try to avoid, even the big ones. I use PayPal, I wouldn't use it as my bank account though... FirstDirect much better... but then it's a bank, not a web site trying to grow up into a bank.

I once spent 4 weeks debating the cost of hacking into online banking transactions. My boss, bored with the cost of the debate declared that we should implement fixed amounts that could be transferred every week to limit the exposure of the online transactions. He declared that it should be less than you could take out at an ATM at the time. Much to my disappointment, I went to transfer more than this amount the other day, to my surprise the same restriction is still in place some 22 years later... Fortunately no one could tell me why, which means they won't remember my involvement :-)