Our security: Controversy
#1
Some comments were made in the staff chat about our security; people feel I went overboard.
People also believe that other websites in the GMod community, especially prime hacker targets, do not use the same security.
I come on video to prove a point.
Just 2 days ago we had 56 attack attempts on our config files, trying to take our site over, which I posted in the staff chat.

Ask any staff member to confirm this.

Think twice and do a little bit of research before lobbying the admins and staff to have the protection removed.

We have hundreds of players here, probably over 6 figures in dollars of games and items in people's accounts in total.

But Fish, I hear you exclaim!
Our Steam passwords are not logged on our site; our passwords are safe.

My reply:
A hacker can perform a man-in-the-middle attack, modify our links, and make fake phishing pages to send plain-coded passwords to them.
It is real easy, just use Google.

In fact, let me Google that for you:
http://lmgtfy.com/?q=how+to+create+a+fak...login+page

MyBB is not a professional forum with paid, round-the-clock 24/7 security staff to thwart attacks, like Enjin.
It is an amateur project made by some people, perhaps some fresh college grads trying to make a name for themselves to get noticed, who got together to make a free forum.
They do their best, but I have seen for myself MyBB hacked, passwords stolen, and put on the black market in a matter of moments.

Think about others, and think about Dinkleberg's liability if security is breached.

That's all.

Thank you.

Also another thing....

We don't have encryption on this website. We do not have an SSL from a CA, something we desperately should have.
An SSL from a CA costs money. I can't afford to pay for one, I am sorry. I'm out of work right now due to a surgery; I cannot do it.

What is an SSL?
"SSL (Secure Sockets Layer) is the standard security technology for establishing an encrypted link between a web server and a browser. This link ensures that all data passed between the web server and browsers remain private and integral. SSL is an industry standard and is used by millions of websites in the protection of their online transactions with their customers."

Read more on an SSL here

So again, before you say something about the security....

We are not secure.
We have ZERO encryption here.
Everything transmitted on our website is PLAIN TEXT that ANYONE can see and possibly even inject their own code into, since it's plain text.
(Can you imagine an injection attempt without our current security? They wouldn't even need an account; they could inject code into a forum view from an admin and use their account, like what they did on 4thlife.)

Perhaps someone or a few of you would like to step forward and donate some money towards an SSL certificate from a CA, so we could be further protected; that would be really thoughtful.

The price of an SSL can range greatly and has an annual cost.
The cheapest are about $9 a year and provide minimal low-bit encryption (still better than nothing), to $40 a year for medium-bit encryption, and $250 for strong 256-bit encryption. Some providers even come with insurance in case the server is hacked; they cover the cost of repairs and losses. For example RapidSSL, at $12 a year, has $10k worth of insurance in case of a loss or damage, 256-bit encryption, domain verification to prevent phishing, a site seal, and 24/7 support so I can call someone for help.

For such a low cost, encryption and $10k worth of insurance would be nice; you could pay for someone to come here and rebuild the server and compensate a player's losses if we got trashed.

Here is a link to some cheaper providers if someone wants to consider helping out.
https://aboutssl.org/worlds-top-15-cheap...ders-2017/

Many of these companies offer 30-day trials that we can also test to make sure they work before we purchase, which is very important.
So if you wanna help, discuss it below.
Let me get a trial before tossing money at one of these companies.
Most companies also offer a 30-day refund too; some don't. We need to make sure they are server-compatible and browser-trusted.

[Image: insecure.png]

[Image: insecure2.png]
#2
Could ad revenue from the servers cover, at the very least, minimal protection? Something this serious needs to be addressed to some extent.
#3
It's actually pretty cheap.

Like I said, $8.99 from a licensed Comodo SSL dealer, or $22 for 3 years.
https://comodosslstore.com/positivessl.aspx

RapidSSL is $17 a year.
https://www.rapidsslonline.com/ssl-brand...cates.aspx
They provide more installation support; I would kind of rather go through RapidSSL than an "authorized Comodo dealer".
RapidSSL was garbage and very sketchy; after a 30-minute phone call I could not get my free trial.

Some other sites provide things like malware scanning and stuff; I just think encryption is enough.
I got the malware part covered.

I can get a free 90-day trial (SWEET) from Comodo; we should try that first.
https://ssl.comodo.com/free-ssl-certific...track=8177

We are now using the 90-day free trial.
#4
Hey lookie there at the top

https://www.dinklebergsgmod.com/site/

90-day Comodo SSL cert installed and working; we are now encrypted for the next 90 days.

It might have a little icon next to it because of people's images from off-site.

That's called "mixed content",
and you should not be afraid of it.

It means the OFFSITE pictures you guys post, or things like the game tracker icons, are not covered under the encryption. Obviously I can't encrypt something when you link to another website.

But I would say security is much better now.

I might have a solution for the pictures: I can use a redirect proxy where the server reads them itself, then encrypts the pictures and sends them to you.
It would add extra strain to the server though. Literally double work.

Do you guys care if your shitposting pictures are encrypted, or are you guys happy that it's encrypted as is?

If you don't know what I'm talking about, if it's too technical for you or whatnot, then to make it simple:
The important shit is encrypted now. Pictures of Scoovie's naked ass are not. A hacker can AT MOST see that you looked at PICTURES of Scoovie's ASS on the forum.

If you are more technically inclined,
you can look at the mixed content in Firefox in the element inspector.

It's just like your avatar pictures and game tracker....

[Image: mixedcontent.png]

Also, RapidSSL was a bust; their free link did not work. I called them and after 20 mins they tried to sell me a cert for $8.99, saying that there was a 30-day guarantee, so fuck RapidSSL.
If their 30-day trial can't work they can go fuck off.
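The "mixed content" the post above describes is easy to check for yourself without the browser inspector. The following Python script is an added example, not code from the forum or from its administrator: it parses an HTML page and lists every sub-resource that an https:// page would still fetch over plain http://, and it separates "passive" mixed content (images, which browsers load but flag) from "active" mixed content (scripts, frames, stylesheets, which modern browsers block outright). The sample page, the host names and the forum URL are constructed for the example.

```python
"""Mixed-content scanner: lists http:// sub-resources referenced by an HTTPS page.

Added example, not part of the forum post. Standard library only; runs offline
on the constructed sample page below.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Which attribute of each element carries a sub-resource URL, and whether an
# http:// load of it is "active" (blocked by modern browsers) or "passive"
# (loaded, but the padlock is downgraded or a warning is shown).
URL_ATTRS = {
    "img": ("src", "passive"),
    "audio": ("src", "passive"),
    "video": ("src", "passive"),
    "script": ("src", "active"),
    "iframe": ("src", "active"),
    "link": ("href", "active"),   # stylesheets, icons
    "object": ("data", "active"),
}


class _Collector(HTMLParser):
    """Collects (tag, raw_url, kind) for every element in URL_ATTRS."""

    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        spec = URL_ATTRS.get(tag)
        if spec is None:
            return
        attr, kind = spec
        for name, value in attrs:
            if name == attr and value:
                self.refs.append((tag, value.strip(), kind))


def find_mixed_content(html, page_url):
    """Return [(tag, absolute_url, kind)] for each sub-resource an https://
    page would fetch over plain http://.

    Relative and protocol-relative ("//host/x") URLs resolve against the page
    and therefore become https; only explicit http:// references are reported.
    """
    if urlsplit(page_url).scheme != "https":
        raise ValueError("mixed content is only defined for https pages")
    collector = _Collector()
    collector.feed(html)
    findings = []
    for tag, raw, kind in collector.refs:
        absolute = urljoin(page_url, raw)
        if urlsplit(absolute).scheme == "http":
            findings.append((tag, absolute, kind))
    return findings


def summarize(findings):
    """Count findings by kind; the active ones are what actually break a page."""
    counts = {"active": 0, "passive": 0}
    for _, _, kind in findings:
        counts[kind] += 1
    return counts


# Constructed sample standing in for a forum view: two off-site images (an
# avatar and a game-tracker banner), a same-origin image, a protocol-relative
# image, an off-site script and an https stylesheet.
SAMPLE_PAGE = """
<html><body>
<img src="http://avatars.example.net/u/123.png">
<img src="http://tracker.example.org/banner/456.png">
<img src="/uploads/avatars/789.png">
<img src="//cdn.example.com/smiley.gif">
<script src="http://widgets.example.org/embed.js"></script>
<link rel="stylesheet" href="https://fonts.example.com/a.css">
</body></html>
"""

FORUM_URL = "https://forum.example.invalid/showthread.php?tid=1"  # constructed

if __name__ == "__main__":
    hits = find_mixed_content(SAMPLE_PAGE, FORUM_URL)
    for tag, url, kind in hits:
        print(f"{kind:7s} <{tag}> {url}")
    print(summarize(hits))
```

Run against the sample it reports the two off-site images as passive and the off-site script as active; the same-origin and protocol-relative images are not mixed content because they resolve to https. The split matters for the proxy idea in the post: proxying images removes the padlock warning, but any http:// script or stylesheet has to be fixed at the source because the browser will not load it at all.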
#5
Thanks for everything that you’re doing Sugam. I know one of my concerns last year when we migrated over to these forums from Enjin was my Steam account being compromised and the forums not having an SSL certification, and I’ve overheard a couple of players talking about that too. Luckily we’re still good. We talk about wanting to take this server to the next level and being the best. Well I wholeheartedly believe that protecting our forums and our users is definitely something that needs to be done.

Peppermint Patches brings up a good point. Can some of the donations be allocated to paying for encryption service? I’m not sure what the upkeep costs are, but if we took all donation options and made half of the costs go to server expenses and half go to encryption we should be ok right? (Take TMod, a $40 donation and $20 goes to the server and $20 goes towards encryption)

On a related note, if for whatever reason you’re reading this and you don’t have Steam’s two-factor authentication enabled (Steam Guard) I HIGHLY recommend you enable that ASAP. Two-factor authentication can decrease your chances of losing your account. In fact, enable two-factor authentication on every account you can.

Thanks again for your dedication to our safety Sugam.
#6
Before, we used to use the free web server from NFO, which I don't even think we could install an SSL cert on.
I did not get to see our site on the free NFO server, but I do know NFO's setup and it's a security joke: it's literally 40 people on the same server with their own folder. You can SSH in and even use commands like w, last and history and see everyone's actions everywhere. All the users' IPs from ALL the websites.

I can't install an SSL cert without having access to Apache and sites-available to edit the virtual hosts, and that was not available on the free NFO web server. And they sure as hell did not run ModSecurity.

So moving all this, the forums, loading screens, ban sites, all over to the "SQL Server" was the best move.

At one point I considered just using a self-signed cert and making the user, as in YOU, responsible for using HTTPS instead of HTTP. You would have to permit it in the browser because self-signed certs are not trusted, but THAT option is still better than no option.
#7
The Problem with SSL jokes is that you must get someone else to vouch for you before you can tell the joke.
#8
Add a way to donate to the forums again. From what I saw on the Enjin forums it was paid for like 400 days or something, so if someone wanted to help pay for the forums, that could be added to the !donations in game, or they should talk to Fish/Dink about it.
#9
I haven't had ads in ages, is there an exemption for certain ranks?
#10
Yes Tronald. Thanks for making this clear for those people Fish. Everything you do really helps and is appreciated.