The exploit that caused this change can be summarized as follows:
Images were hosted on a malicious server and embedded through bbcode in forum posts and signatures. When a client (the user's browser) attempted to load the page and the embedded images, the malicious server sent an authentication request, which manifested as a client-side popup. The popup was crafted to look like an authentication request from the Minecraft forum, and prompted users to enter their Minecraft forum login details, which were then sent to the malicious server.
Please read every option, you are allowed to vote in more than one. Keep in mind that it would also be possible to implement more than one.
Some info on the proposed solutions:
Whitelist - the current system. All images are blocked except those on a list of allowed domains.
Blacklist - All images are allowed, except those on a list of blocked domains.
Postcount or Duration - Users must meet a requirement (postcount or time since registration) to use image embedding, perhaps also other features.
Forum Setting - add an option in the userCP that controls whether or not images load or are filtered (this could be made better by setting it as filtered by default, and making users read a bunch of red warning text before allowing).
Disable IE - I'm fairly sure that Internet Explorer was the only browser that was affected by the exploit. I run Google Chrome for everything, and I didn't even notice that something was wrong.
Personally, I would like to see the whitelist replaced with a blacklist, which is much more flexible in terms of allowing images through, but just as effective at blocking the malicious domains. I would be OK with seeing a forum setting or a postcount/duration restriction as well; I think both would be effective. Disabling IE would solve the problem (as far as I know), and it would do some good for IE users to get used to a new browser that doesn't suck.
The 'disallow internet explorer' option has been removed due to confirmation that the exploit was not limited to IE.
Unfortunately, this reset the votes as well, so people who have voted, please revote.
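As an added illustration (not code from the forum or from anyone in this thread), here is the "Whitelist" option from the poll combined with the click-to-load behaviour suggested later in the thread, written in Python: an [img] tag whose host is on the allowlist is rendered as an image, and any other URL becomes a plain link, so the browser never fetches it automatically and an off-list server never gets to answer the page load with a fake login prompt. The allowlist contents, the sample post and the function names are assumptions for the example.

```python
import re
from html import escape
from urllib.parse import urlsplit

# Constructed allowlist for the example; the forum's real list is not given in the thread.
ALLOWED_IMAGE_HOSTS = {"i.imgur.com", "dragcave.net", "deviantart.com"}

# Matches [img]...[/img] in a post body (the bbcode embed the exploit used).
IMG_TAG = re.compile(r"\[img\](.*?)\[/img\]", re.IGNORECASE | re.DOTALL)


def host_allowed(url, allowed=ALLOWED_IMAGE_HOSTS):
    """Return True only for an http(s) URL whose host is exactly on the allowlist.

    The full host is compared, so i.imgur.com.evil.test or evil-imgur.com do not pass,
    a trailing dot (i.imgur.com.) is normalised away, and URLs carrying userinfo
    (user:pass@host) are rejected because the part before '@' is not the host.
    """
    try:
        parts = urlsplit(url.strip())
    except ValueError:
        return False
    if parts.scheme.lower() not in ("http", "https"):
        return False
    if parts.username is not None or parts.password is not None:
        return False
    host = (parts.hostname or "").lower().rstrip(".")
    return host in allowed


def render_img_tags(post, allowed=ALLOWED_IMAGE_HOSTS):
    """Rewrite [img] tags: allowlisted hosts become <img>, everything else becomes a link.

    A link is not fetched until the reader clicks it, so an off-list server never gets the
    chance to respond to the page load with a 401 and a look-alike forum login prompt.
    """
    def replace(match):
        url = match.group(1).strip()
        safe = escape(url, quote=True)  # neutralise quotes/angle brackets in the attribute
        if host_allowed(url, allowed):
            return f'<img src="{safe}" alt="">'
        if url.lower().startswith(("http://", "https://")):
            return f'<a href="{safe}" rel="noopener nofollow">[image: {safe}]</a>'
        return "[image removed]"  # javascript:, data:, ftp: and the like are dropped outright
    return IMG_TAG.sub(replace, post)


if __name__ == "__main__":
    # Constructed sample post: one allowlisted image, one off-list image, one non-http URL.
    sample = ("[img]https://i.imgur.com/abc.png[/img] "
              "[img]http://evil.example/login.png[/img] "
              "[img]javascript:alert(1)[/img]")
    print(render_img_tags(sample))
```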
The problem with a whitelist is that only images from certain sites get seen. Images on other sites or self-hosted images are going to be left out. The problem with a blacklist is that it'll already be too late by the time it's added. I still vote blacklist though.
By the way, what's "Disallow Internet Explorer"?
I mentioned this in the original post.
I could be wrong, but I think only users of Internet Explorer were vulnerable to the exploit that prompted the recent change. The exploit is detailed in the first post.
I have heard that the exploit did not just affect IE. Haven't seen confirmation, but citricsquid said it, and I trust him. mostly.
Whitelist and Other.
And an option for users to see all images (Default Off, so only people who know what they are doing do it)
Other being a form where people can request their website, or host as whitelisted.
I know it would leave some people out, but is it really that hard to re-upload an image (or even to just use a URL, it's just a click away!), and for security reasons, it seems the best way to make sure nothing gets through.
Whitelists are harder to maintain, and I can't see any problems that the whitelist could solve that couldn't be solved just as efficiently by a blacklist. Keep in mind, the forum is adding a bunch of mods as well. It is possible that in the final state, mods may have access to the whitelist/blacklist.
How is a whitelist hard to maintain?
At first, it may be, with loads of requests to go through.
But there aren't that many popular sites; most of them are already whitelisted.
It only takes a few moments for a bot to steal someone's details; that's why blacklisting is so flawed. It takes a lot of time for them to respond to the threat. It's no different from being able to ban and remove posts: it works once, for one domain, and there are millions of domains for them to choose from.
I'm usually around when there are no mods on, and even when there are, a lot of bots take a while to be removed and banned. In that time someone has already had their account stolen; the same would happen with a blacklist.
I was using IE AND a competent security system, so I didn't know there was anything wrong either.
The only time this site ever sent a pop-up was when I got a new pm, and it was still blocked by my filter.
I don't think I've ever gotten any form of popup from this site.
Quote from Trippledot »
How is a whitelist hard to maintain?
At first, it may be, with loads of requests to go through.
But there aren't that many popular sites; most of them are already whitelisted.
It only takes a few moments for a bot to steal someone's details; that's why blacklisting is so flawed. It takes a lot of time for them to respond to the threat. It's no different from being able to ban and remove posts: it works once, for one domain, and there are millions of domains for them to choose from.
I'm usually around when there are no mods on, and even when there are, a lot of bots take a while to be removed and banned. In that time someone has already had their account stolen; the same would happen with a blacklist.
Most people recognize the scam when they see it. Besides, we can blacklist all Russian internet domains. I don't think any Russian image hosting sites are widely used by MCF users (if any).
I say they're difficult to maintain because as more and more legit stuff ends up there, they grow huge. There are such a large number of legit places that get blocked with the whitelist, and every new member who comes along will end up fighting with the powers that be so his/her blog can be whitelisted. Lots of requests probably won't go through. I'm fairly sure mine wouldn't be whitelisted. It's perfectly legit, but I have the know-how and means to use it to scam passwords, and I'm sure they don't want to take that risk (even though I don't do stuff like that).
Besides, the forum is hiring more mods. This will make the problem much better (stuff will remain unhidden for less time).
I don't know if I have disclosed my vote. Here it is:
I want the old system back, exploits and all, because it gives us (me) the freedom to post stuff on our (my) personal hosting. If other people don't want that, fine, give them an option to turn it off. Since it's always newly created spam accounts anyway, we should just disallow new users from using image embedding. Finally, we could blacklist sites that do use the exploit and auto-permaban accounts that embed from them. That, combined with more mods like we will be expecting soon, will keep the problem under control.
The problem is blacklisting gives a window for abuse. What if all the admins are offline for the night? That's many hours when an offending image could be posted. It's also very easy to switch domains; it takes less time to switch domain than it takes us to ban the posts.
A whitelist is the only real secure solution. It sucks, but it's the only maintainable method; the problem lies with those abusing.
Quote from Swingerzetta »
There's been a few announcements, but those aren't hard to make, and really, it's a pretty big deal. People's accounts have been stolen, so things needed to be done to stop it.
Quote from Basic »
It seems that you don't get the whole picture: The_Hand is not the only account that has been posting phishing images. I've dealt with 15+ accounts who've done the exact same thing; they all spammed phishing images, mostly in popular threads and a bit at random. These phishing attacks are a major problem that has been going on for many weeks.
Quote from citricsquid »
unfortunately people have abused how lenient we have been and now we have no choice but to do this.
NEEDS.
And all of those quotes address JUST a blacklist. Do you not agree that adding several layers of security would be just as effective?
Create a thread about petitioning
Submit a ticket
Two ways to do that..
Tried it. No results yet. Still can't embed images from facebook, google, deviantart and other such obviously safe sites.
Where? It can't be done from the forum interface.
Besides, what chance is there that my perfectly legitimate, self-hosted, non-exploiting domain where DOZENS of images on this forum are hosted is going to get whitelisted? Fat chance.
edit - OK, so they fixed google.
viewtopic.php?f=7&t=206694
The images from non-whitelisted sites would still initially appear as links, but clicking on them would cause them to be loaded inline instead of directing you to another site. Read the thread for more detailed information.
Really not that hard..
That took a whole whopping one extra minute. Sure, it is an inconvenience, but it protects the rest of the forum members from a simple phishing scheme.
And to submit a ticket:
http://support.mcft.net/
Suggest you bookmark it.
But of course that will take an extra minute.
And the chances of something getting changed, if a large amount of people request it and it doesn't disrupt anything else, are usually good.
Good, then you can sit down and edit my 1000+ posts to change the image links and also move my 100+ images over to another host.
For some of us it is a bit more of a bother.
This is my problem. Also, my desktop is 300 miles away until I return from vacation.
If there is a suggestion to make it so that they load upon click, why not just make a forum setting that makes them load automatically? (this is in the poll)
So I submitted a ticket. Now we wait and see if it will actually get any attention. I highlighted dragcave.net, deviantart.com, facebook images, and my personal domain.
If the following message appears as an image and not a link, it has been fixed.
Well, unfortunately, I believe Citric is punishing innocent people as well by whitelisting things. Once we move, I would also suggest a moderator overhaul of behaviour.
Well, look at it this way:
Either the whitelist comes into play and people are annoyed,
or the phishing continues and people are annoyed, and lose accounts due to ignorance.
The fact is Citric is an admin; you pay no money nor dues to access and use this forum, so you are not entitled to anything except use of the forum, and as administrator he can do as he sees fit to stop said phishing attacks.
The same can be said about Hitler's rise to power. There are other ways, but unfortunately, he stuck with the contents of the box, so to say.