What's with the announcement?
(280 posts, closed, started )
Yes, because SEV haven't fixed it yet (they should be arising soon), so until then, we only have The_Widget and GTTurbo as mods posting as demo players.

EDIT: and I just saw Gunn as a Moderator, and everyone else is one now too

Edit2: In space, nobody can see the announcement.
In all seriousness, it's pretty crap Webmastering from someone not keeping vB up to date. We are on 3.6.0 and the latest is 3.6.4, which was released in Nov 2006.

Seems like Phlos has informed the Devs of his concerns, given them time to act, then, when they haven't, he has proved his point.

More to the point though, he states that there are holes all over LFS.

Can someone confirm or deny that our Credit Card information is safe?
What about our LFS Account details, passwords etc?

It is fairly common for 'Whitehat' Hackers to do this, if you look in the right places on t'interwebnet, you will see that someone has got so p!ssed with the PHP devs that he is releasing exploits every day throughout next month for bugs that have been known for ages but still aren't fixed.

Batten down the hatches in March, it's gonna be a script kiddies paradise.
Quote from joshdifabio :I should add that, if it is discovered that Phlos has done something more serious, such as what Kegetys suggested, I would say that prosecution would certainly be reasonable.

I really don't think it is in his nature though.

How do you know? Phlos obviously has a screwed up set of morals; if someone ignores him or tells him no, then he just ignores them anyway (i.e. LFSW traffic raping). I can't trust someone who just hacked into the forum, banned all the mods, made himself admin, screwed about and did God knows what else. I can't trust him and I don't see why I should! Maybe being nice to Phlos would have avoided this, but from the actions of Phlos I don't see why the devs would want to get near him.

(Oh, and fyi, LFS Manager wasn't that good)
Quote from ATC Quicksilver :You also need to think about private sections of the forums, perhaps for moderators and devs, personal messages too...both of those could contain sensitive information about passwords and other things.

From what I've heard there is a lot of stuff in the Mod/Dev forum they don't want out, and maybe Phlos nabbed it all; it would make more sense than putting himself in all this s*** for nothing.
Quote from Bean0 :In all seriousness, it's pretty crap Webmastering from someone not keeping vB up to date. We are on 3.6.0 and the latest is 3.6.4, which was released in Nov 2006.

Seems like Phlos has informed the Devs of his concerns, given them time to act, then, when they haven't, he has proved his point.

More to the point though, he states that there are holes all over LFS.

Can someone confirm or deny that our Credit Card information is safe?
What about our LFS Account details, passwords etc?

It is fairly common for 'Whitehat' Hackers to do this, if you look in the right places on t'interwebnet, you will see that someone has got so p!ssed with the PHP devs that he is releasing exploits every day throughout next month for bugs that have been known for ages but still aren't fixed.

Batten down the hatches in March, it's gonna be a script kiddies paradise.

Some interesting questions mate
Quote from Jakg :How do you know? Phlos obviously has a screwed up set of morals...

I think the reason he does this kind of thing is to boost his ego and not to cause damage. If you look at his past he has never gone that far.

I'm not saying his actions are excusable but if you look at it logically it's quite a clear conclusion to come to.

Josh
Just finished reading all of the 10 pages, I see it's been a rather busy night.

Can't believe that Phlos is at it again!!!! I think this time though it's quite serious and there may be action taken against him. What I don't understand is why would anyone do all this to LFS (including what he has done in the past years) in order to get the devs' attention so that they would make him part of the team. This is just nuts....

He seems to be quite a clever guy when it comes to coding BUT an idiot when it comes to decision making; his morals, as Jakg pointed out, are seriously screwed up. If he thinks that by hacking a forum ScaViEr will offer him to help out with LFS he must be seriously retarded.

If only he would make better use of his own time and come up with something that would actually show a different side to him and add something to the LFS community rather than always come up with ways that do nothing but harm to LFS....

mad
Quote from joshdifabio :I think the reason he does this kind of thing is to boost his ego and not to cause damage. If you look at his past he has never gone that far.

So the fact he can justify that this is alright with himself (like he was doing) makes me wonder what else he could do that he could convince himself was "right".

I DO understand what you mean when you say he didn't actually do that much, but to be fair how do we know?!

Personally I think you're right about the ego bit - he's an attention whore (thus making the post rather than just f**king the forum) who is using the "I'm just helping to show the bugs" as an excuse - I think that tbh he's gone so far he's having to post just to convince himself it's true, but that's no security policy, whatever his reasons he did this, and now you have to understand why he's hated by the community.

You say "he's never gone that far" but each time he's going further - hacks in LFS, ignoring a dev's request and raping bandwidth - now the forum, what next?

There may be truly repentant murderers about, but you don't let them out because what they could do is so serious you just can't take the chance.

And I'm sorry, I'll make my bias clear, I DO dislike you after these posts because of the fact you're standing up for him, but I'll try not to let it get in the way.
Quote from Jakg :So the fact he can justify that this is alright with himself (like he was doing) makes me wonder what else he could do that he could convince himself was "right".
...
Personally I think you're right about the ego bit - he's an attention whore ... I think that tbh he's gone so far he's having to post just to convince himself it's true, but that's no security policy, whatever his reasons he did this, and now you have to understand why he's hated by the community.

You say "he's never gone that far" but each time he's going further - hacks in LFS, ignoring a dev's request and raping bandwidth - now the forum, what next?

There may be truly repentant murderers about, but you don't let them out because what they could do is so serious you just can't take the chance.

I agree.

Phlos + jail + 6 year calendar = sorted.
I don't know about the rest of you, but the closest the devs came to my credit card info was a confirmation number from Paypal, so yes, your CC information should be safe.

Unfortunately for us, it was seen fit to store our web passwords in clear text, so at the very least those are compromised, or at least in a way that allows them to make it plain text again, since you can view it on the web site. Perhaps also the game password, if that is also stored in clear text. Maybe there's a good reason it isn't considered best practice to store passwords in the clear if it's at all possible not to.

Shame on Phlos for making me change my password after the servers are fixed, and shame on Victor (or whoever) for not keeping security in mind and updating the forum software. As much as I'd like to place all the blame on Phlos, it's just as much the fault of the system administrator when they fail to keep up with security updates, as well as the developers' for writing software with a security problem in the first place.

Like it or not, Phlos' attitude is fairly common among certain types of legitimate security researchers, much less those who use the work of others to crack systems. "We gave you fair warning" is often considered enough in their minds to justify public shaming by cracking the vulnerable system.

The worst thing is that for all we (or the admins, for that matter) know, someone else could have long ago exploited the forum software and absconded with our passwords and just not been kind enough to let everyone know like Phlos did.

By the way, in most states in the US, computer trespass isn't a felony unless it causes monetary damage of at least $10,000.
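As an added illustration of the point made above about clear-text password storage (this code is not from the thread or from vBulletin), the same two constructed accounts stored both ways: a "view your password" page only works when storage is reversible, and a stolen copy of a salted-hash table does not hand the passwords back, while logins still verify. Python standard library only; the account names and passwords are made up.

```python
import hashlib
import hmac
import os

# Constructed sample accounts (not real data): what a forum's user table
# holds when web passwords are stored in the clear, as the post describes.
CLEARTEXT_TABLE = {"alice": "hunter2", "bob": "letmein"}


def show_password_on_site(table, user):
    """A 'view your password' page can only exist when storage is reversible;
    with hashed storage this returns the hash string, not the password."""
    return table.get(user)


def hash_password(password, salt=None, iterations=200_000):
    """Salted PBKDF2-HMAC-SHA256 (stdlib). A fresh random salt per user means
    two users with the same password get different stored values."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(stored, candidate):
    """Recompute with the stored salt/iterations and compare in constant time."""
    algo, iters, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported hash format")
    digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode(), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


def migrate_table(cleartext_table):
    """One-way migration: afterwards the site can verify but never display."""
    return {user: hash_password(pw) for user, pw in cleartext_table.items()}


def exposed_by_dump(table, real_passwords):
    """Which accounts does a stolen copy of the table hand over directly?
    Hashed rows still need per-salt guessing work; cleartext rows need none."""
    return sorted(u for u, v in table.items() if v == real_passwords[u])


if __name__ == "__main__":
    hashed = migrate_table(CLEARTEXT_TABLE)
    print("cleartext dump exposes:", exposed_by_dump(CLEARTEXT_TABLE, CLEARTEXT_TABLE))
    print("hashed dump exposes:", exposed_by_dump(hashed, CLEARTEXT_TABLE))
    print("login still works:", verify_password(hashed["alice"], "hunter2"))
```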
Quote from nathanm :I don't know about the rest of you, but the closest the devs came to my credit card info was a confirmation number from Paypal, so yes, your CC information should be safe.

It was an example of what he could have done - we just don't know what else Phlos has done, or what's in the mod forum that Phlos may now know.
Quote from Jakg :It was an example of what he could have done - we just don't know what else Phlos has done, or what's in the mod forum that Phlos may now know.

TBH I don't think Phlos' intentions were malicious, but as has been said, who knows who else has been peeking about where they shouldn't while the holes have been open.
Quote from nathanm :Like it or not, Phlos' attitude is fairly common among certain types of legitimate security researchers, much less those who use the work of others to crack systems. "We gave you fair warning" is often considered enough in their minds to justify public shaming by cracking the vulnerable system.

Full disclosure is VERY different to actually exploiting things and running around making an ass of yourself. A decent enough thing to do would be to email the devs, possibly give them some time to fix/respond, then make details of vulnerabilities public (and not actually exploit/damage).

http://www.schneier.com/blog/a ... 7/01/debating_full_d.html
Quote from Bean0 :TBH I don't think Phlos' intentions were malicious, but as has been said, who knows who else has been peeking about where they shouldn't while the holes have been open.

For me that's not the point; the point is he defecated on something that over 15k people come to visit. It doesn't matter that he didn't do anything serious. He attacked LFS and the LFS community; no matter how much wrapping paper and nice little bows you attach, he did something that should not be done.
Who knows maybe it's not even Phlos but an imposter impersonating him.
Quote from Bean0 :TBH I don't think Phlos' intentions were malicious, but as has been said, who knows who else has been peeking about where they shouldn't while the holes have been open.

Analogy time!

Phlos - Burglar
Forum - Your House

Does the fact it wasn't malicious detract from the fact he broke into your home? What if you forgot to close a window and he got in? Certain people would say it's now just as much your fault as his, even though he was the one that exploited the hole, whereas I'm sure there are a fair few people who could do this, but were well balanced enough not to even consider it.
Quote from Davo :Who knows maybe it's not even Phlos but an imposter impersonating him.

That's what IP's and MAC addresses are for =)
I agree, wabz, but not everyone does. At some point, many gray hats will do the actual hack just to show the software maker/site owner/whatever that they're not BSing. I'm not saying it's right, although a long time ago I did think so (but I was 16 at the time and 'Internet' was still far from being a household word), but a lot of people still do.

Schneier and others of the more respected security researchers only crack their own systems and their clients' systems. Not all of them share the same views. As I mentioned, some draw the line at causing damage. Either way, I'm far more comfortable with the people who draw attention to their breakins than those who don't, as the ones who don't are the ones we most need to worry about.

Don't forget that there are an awful lot of people out there who think full disclosure is always bad, no matter how long you give a developer to fix their problems. Those people are, IMO, almost as dangerous as the black hats that break in, steal, and then leave without a trace. In the days before full disclosure, software security was almost universally shit.
Quote from nathanm :Either way, I'm far more comfortable with the people who draw attention to their breakins than those who don't, as the ones who don't are the ones we most need to worry about.


Nail hit squarely on head
Quote from joshdifabio :I think the reason he does this kind of thing is to boost his ego and not to cause damage. If you look at his past he has never gone that far.

I'm not saying his actions are excusable but if you look at it logically it's quite a clear conclusion to come to.

Josh

http://www.lfsforum.net/showthread.php?p=191761#post191761

I think you'd be seriously pissed off if someone went and cost you 12gbs of traffic all for some stinky graph that tried to work out how much money you were earning... I'll be frank and say I don't know how much 12gbs costs as I don't use that sort of volume but it's still traffic wasted that could have been doing stats.

Fact is Phlos continues to prove the point he can't be trusted or follow the rules and morals set out. It's his own bloody fault for being banned and quite frankly if I were the devs I'd be banning him from the master server as well. Maybe even plan a holiday to France

I just pity those people who use his program that if I remember correctly you had to enter your LFS account details into... He may well have himself a nice database of people's login details.

Keiran
Quote from Jakg :And i'm sorry, i'll make my bias clear, i DO dislike you after these posts because of that fact your standing up for him, but i'll try not to let it get in the way

That's unneeded, I respect Josh for the fact he's trying to be fair even if I completely disagree with him.

btw are the Devs aware Phlos still has the chart site he was banned for?
Quote from Jakg :Analogy time!

Phlos - Burglar
Forum - Your House

Does the fact it wasn't malicious detract from the fact he broke into your home? What if you forgot to close a window and he got in? Certain people would say it's now just as much your fault as his, even though he was the one that exploited the hole, whereas I'm sure there are a fair few people who could do this, but were well balanced enough not to even consider it.

Here is my analogy:

Phlos - burglar
LFS - bank

So, the bank stores personal details, valuable non-encrypted passwords (apparently) and possibly even financial details. Flaws in the bank's security system are pointed out. Nothing is done to fix these flaws, and protect paying customers' valuable details. Now, the man who pointed these flaws out decides to exploit them (wrongly so). He climbs through the open window, locks the guards out and leaves a note of ridicule, apparently taking nothing.

Now, there is no doubt Phlos has done wrong here; don't be fooled, I don't think he has done a great thing, or that it is even excusable. However, he isn't the only guilty party here and that should not be overlooked.

Try and realise that I have no loyalties with Phlos, I used to race with him quite frequently and sometimes speak with him on msn. A man I respect more than him is Scawen, but my love for this sim and respect for Scawen won't lead me to think that a petty 'breaker-and-enterer' should be tried as a 'bank robber'.

Josh
Whilst I'm not a big fan of Phlos, never have been and never will be (either on or off the race track), I think some of the comments in this thread are as immature, if not more, than what he's done. Of course, some comments are very perceptive and welcome, but I think quite a lot of the useless posts (e.g. imthebestracerthereis vote spams, which seem to be fashionable at the moment) should be removed by a mod.
Quote from Davo :Who knows maybe it's not even Phlos but an imposter impersonating him.

Actually... that's quite a possibility. As far as I can remember KiD got banned for posting a link to a site that would steal LFS account information, but he messed up when he tried to blame it on Phlos.
Quote from joshdifabio :So, the bank stores personal details, valuable non-encrypted passwords (apparently) and possibly even financial details.

The passwords are encrypted, the bank details are somewhere else, but I understand.

I think there are exploits for the latest vB, but they are just "still hidden" - I'm sure Phlos is reading a guide rather than making this up himself.

I DO understand what you mean, I just think that to apportion any blame to Scavier for ignoring Phlos is a little rich under the circumstances of what Phlos has done.
Quote from joshdifabio :So, the bank stores personal details, valuable non-encrypted passwords (apparently) and possibly even financial details. Flaws in the bank's security system are pointed out. Nothing is done to fix these flaws, and protect paying customers' valuable details. Now, the man who pointed these flaws out decides to exploit them (wrongly so). He climbs through the open window, locks the guards out and leaves a note of ridicule, apparently taking nothing.

All he's done is exposed the already very well known flaws in vB; either we can panic and have the forum down for months (exactly the same as with RSC) or just live with the fact that there is a risk. Phlos hasn't exposed anything that the Devs can do anything about or that isn't well known, and AFAIK he hasn't been able to get anything personal (except maybe PMs). However, the trail of destruction that has to be cleared up and checked over will take a lot of the Devs' time, and I'd personally rather Scawen was working on S3 or redecorating his house and Eric working on a new 13 mile de-restricted one way German toll road than clearing up the trail of such an idiot again.