Well, I paid the domain warandtactics.com today (18,15 Euros), but the server (106 Euros) I cannot take on me (simply don't have them). If nobody pays the hosting fee, the server will be shut down; payment was due 26.10. and I then had negotiated a prolongation for both domain and server till NOV 7th with the hosting guys (and informed Koen).
I asked the hosting guys again for a prolongation of the hosting plan, to be paid until end of NOV 12th; I have not received a response yet, but I think we will get this time of grace.
After this, quite probably the site will be shut down in the current form. I am taking steps to revive it later, in a different form, but I cannot guarantee this will work (50/50 chance).
Okies, after some time of prolonged absence I am back in the seat (more or less, it will take some time to get to 100%, but at least I will check in every day again). Here is what is on my plate, let me know if you need anything else done.
Known Problems
- Regular members could not see whether their PMs sent to other persons were read by them (FIXED)
- Registration Puzzles (that should keep away spammers) unwantedly keep away everybody, as they are not audible and don't allow input. This is a bugger, I did not find a quick fix today, will attack it next week (I have to delve into the change log archives to uninstall the stuff). In the meantime, if you need to register and cannot, then please send an email to rattler (at) ohlmer (dot) es, I will then proceed to register you manually.
- Summertime ends on Sunday 0200J and requires a reset of our mil clock. I will address it early Sunday morning.
- Forum software is way outdated version-wise and has security holes, I will address this (and try to update to the latest version) not earlier than end of next week.
- Forum software is completely obsolete (and not supported anymore): We need to rebuild the forum from scratch on the newer 2.x platform of SMF, this will lead to big changes, both for the positive and the negative. This is a major project and will be started parallel to this forum to facilitate a later switch. Layout and functionality will change, sometimes dramatically, content will be preserved.
Well, Eva Peiler and Rob Henderson are (probably now not anymore) actually friends of mine and come here just to read (our conversations take place in other mil forums), but had to register to exchange PMs with me. Both are young and no dinosaurs like ourselves, i.e. they never look at their email, but daily at FB and Twitter.
Stoffel, as they are also on FB (visible as friends of mine as well as you and Koen), maybe a good idea to check FB for names before deleting members, especially if it is for unavailability rather than for breaking rules with spamming etc.
Inactivity is no crime from my POV, sometimes ppl need to register to contact one of our active members.
I would guess that if they went after any password they could crack them. Of course the more convoluted the password the safer it is.
While right with the latter, I think we still suck (and I mean *suck*, capitally) with the first: You cannot, as an average hacker - not talking FBI, NSA or affiliates - crack a good PW "just like that".
Problem is that even I can crack 50% of the passwords on our site without much effort, want to know how many members have "password" as password? 3 of 200..., says it all. I also tripped in my tests over 31 (of 260 overall tested) PWs that use their user name in reverse as PW, how could a hacker not find that out in 0.1 sec? (First try: "username"/"password" in all combinations, 2nd try all visible usernames with "password" as PW in all combinations, third try visible usernames with "reverse username" as PW, takes less than a second to try out with 200 members...)
OTOH, hacking them simple members is not the prob, hacking a member with admin rights is, and truly so: With admin rights you have access to the database, i.e. all emails of all members (and it seems this table has been dl-ed on other sites by the same hacker, though our logs don't show anything in this respect, assuming for the moment that we were saved by the inherent sec features we have been building up over the years). Problem is that there is almost always a user with the username "admin" on forums, as that is the standard first UN handed out, and hence also the first target try for hackers, 99% success rate...
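A registration-time check that refuses exactly the patterns the post above found on the live site (the literal word "password", the user name, the user name spelled backwards, and the generic "admin" account name), as an added example in PHP (the language SMF is written in). It is not part of the original post and not SMF's own code; the function names, the short denylist and the sample registrations are constructed for illustration only.

```php
<?php
// Added example, not SMF code: server-side checks run when a new account is
// created, rejecting the weak patterns the post above found on the live site.

/** Reverse a string one character at a time (multibyte-safe, unlike strrev()). */
function wat_reverse(string $s): string
{
    return implode('', array_reverse(mb_str_split($s)));
}

/**
 * Returns null if the password is acceptable, otherwise a reason to show the
 * registering user. All comparisons are case-insensitive.
 */
function wat_password_problem(string $username, string $password): ?string
{
    $pw = mb_strtolower(trim($password));
    $un = mb_strtolower(trim($username));

    // Constructed denylist for the example; a real site would load a large one.
    static $common = ['password', 'passwort', '123456', '12345678', 'qwerty', 'letmein'];

    if (in_array($pw, $common, true)) {
        return 'That password is one of the most common passwords.';
    }
    if ($un !== '' && $pw === $un) {
        return 'The password must not be the same as the user name.';
    }
    if ($un !== '' && $pw === wat_reverse($un)) {
        return 'The password must not be the user name spelled backwards.';
    }
    if ($un !== '' && mb_strlen($un) >= 4 && mb_strpos($pw, $un) !== false) {
        return 'The password must not contain the user name.';
    }
    if (mb_strlen($pw) < 10) {
        return 'The password must be at least 10 characters long.';
    }
    return null;
}

/**
 * Returns null if the user name is acceptable. The generic first-admin name is
 * refused so that the account every attacker guesses first simply does not exist.
 */
function wat_username_problem(string $username): ?string
{
    static $reserved = ['admin', 'administrator', 'root', 'webmaster'];
    if (in_array(mb_strtolower(trim($username)), $reserved, true)) {
        return 'That user name is reserved; please choose another one.';
    }
    return null;
}

// Constructed sample registrations, mirroring the cases from the post.
$samples = [
    ['rattler', 'password'],                      // literal "password"
    ['rattler', 'relttar'],                       // user name reversed
    ['admin',   'Tr0ub4dor&3xyz'],                // strong password, but generic admin name
    ['stoffel', 'correct horse battery staple'],  // passes every check
];

foreach ($samples as [$user, $pass]) {
    // First problem found wins; 'OK' means both checks passed.
    $problem = wat_username_problem($user) ?? wat_password_problem($user, $pass) ?? 'OK';
    printf("%-10s %s\n", $user, $problem);
}
```

The checks are deliberately ordered so that the most telling reason is reported first (a denylisted password is refused before its length is even considered); an existing-member audit can call the same two functions over the member table at password-change time rather than at registration only.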
In any case the security we have for the site seems to have done exactly what we wanted it to.
It did, but it was not *our* security but *the hosts* ones.
Again (I know I am repeating myself for the umpteenth time and tiring everybody, talking to a wall here, but these things *are* important and will be *more important* as we advance in time), while we ppl here try our best, this time the praise is only and all owed to our host (hostsuar.com), we staff ppl missed the attack and any responses completely, had they not alerted us we wouldn't even know about the hack. *They* caught it, and *they* fixed it, myself I was only aware of the attack 10 days later (as you all know I am not around here as often anymore). My personal belief is that less than 1% of hosts available on the net will do that.
Thanks for everything you guys do to keep the site safe.
We try (e.g. by finding an excellent host), but also every pecuniary contribution should help, these guys cost (not much, less for what especially *they* are doing for us, but in the end it has to be paid somehow, talking some 200+ Euros a year here), any contributions welcome: See "Support WaT" on the front page.
Personally, I think all money we spent so far has proved to be the right investment (I know that ppl here feel that we should have an English speaking host, but the way they treat us I have never seen with any host before, whatever language, and they understand enough English to be of more help than any US firm I know).
As far as the pure tech data goes, PMs are on the way, we have the whole thing deciphered by now.
On FEB 19th, WaT was hacked (the details are not clear yet but it looks like the PW of user "admin" got cracked) and defaced, for some (short) time everybody coming here saw this instead of what you all know:
Thanks to our great host nobody ever realized, not even me (as I only today connected to my email for the first time in 3 weeks), as they restored the original forum straight from their last backup, which was only 4 hours old.
Again, hats off to those guys, where would we be without them!
The hack itself is not clear yet (I am waiting for their log details) but I assume it was done by database injection after cracking the PW of user "admin" (this user name actually, I have said it before, is a NO-NO as it is the first name any hacker will try out), no action required atm by anybody until I have confirmation on what happened exactly.
Iran’s Flying Saucer Downed U.S. Drone, Engineer Claims
Late last month, Iran put on display what it insisted was a captured American stealth drone. At the time, Tehran claimed it brought down the RQ-170 with a sophisticated electronic attack. Nonsense, says one Iranian engineer who claims to have inside knowledge of the drone-nab. The Islamic Republic used force fields and flying saucers to subdue and capture the unmanned aircraft. [..]
Sorry folks, but after now 2+ something years I have to take a break from WaT, cannot find the time anymore to keep on top of things here daily.
I will try and smooth out the latest glitches that came up with the continuous crashes, but then I am out, give or take a week from now. I plan to keep my "Rattler" user account alive, let's see how it goes.
A pleasure working for all you guys during this time, I hope my work was of some help, may WaT prosper and go strong in the future!
As the forum went offline again tonight 0201, NOV 25, I have gone investigating deeper and found the cause for the emptying out of the Settings.php file, thanks to people at Catskill Technologies:
Background: The Settings.php file for some odd reason is used to log the last database error time stamp (why this is so only the developers of SMF will know, but it's really bad programming).
The design of SMF's mechanism for logging database errors is really bad. What happens is that the entire Settings.php file is completely rewritten just to update the timestamp of the last database error, which is assigned to PHP variable $db_last_error:
- The original file's settings are read in, then the file is emptied/truncated (this is supposedly done to get around a glitch in some ancient version of a Unix-based server). Finally, the Settings.php file is written out anew, with all the original settings, except that $db_last_error has been updated with the current timestamp.
The problem with this approach is that there is a window in time where the original Settings.php file has been emptied, but the file not yet rewritten.
This sets up a race condition, where if another user has also encountered a database error, their error code will read in the empty Settings.php file, and try to process that! What are the odds of this happening? Apparently, quite good. If one user encounters a database error, how likely is it that the problem will resolve itself before the next user attempts a database operation, and also gets an error? Not so good.
The symptoms of an emptied out Settings.php file vary, including error messages that "$sourcedir" is missing, as well as errors opening files such as /QueryString.php (most of the path, supplied by $sourcedir, is missing). The different ways that this error can manifest itself are confusing even to experienced support team members, undocumented, and thoroughly crash a forum, as now happened to us twice in one day. It is a catastrophe for its victims, but the developer response is to tell them to find a better host, one who never has database errors (an arrogance of the developers that makes me cringe: If something is buggy, fix the bloody bug and don't tell your bug victims to look for a workaround).
What's the solution?
- One simple solution is to make the Settings.php file "read only" (444). On a Linux server, this involves setting its permissions to 444 or lower - the idea is that the application can't write to the file and hence not empty it out accidentally. The drawback to this is that the database error timestamp can't be logged, and the user may receive an error log entry reporting that the file was unwritable. We will not adopt this solution for the mentioned reasons.
- A second solution would be to fix the code in the Settings.php file update function that appears to be a check for an empty Settings.php file, and to either forget about updating the file, or to wait until it can read in a good version. Evidently that code is broken, but re-writing the whole database timestamp code for the SMF developers is out of my technical abilities' scope.
- Our solution provided by the programmers of Catskill Technologies is to separate out the database timestamp line into its own file. Only that file, with its single line of code $db_last_error = 1234567890; gets rewritten. If this separate file gets corrupted (emptied out) by the race condition, it's only a minor problem: We will implement a check in Settings.php to see if $db_last_error was defined, after it was supposedly included into the file. If not, have it assume that it was empty and rewrite it with a 0 value. That may not be the optimal solution, as another user's SMF process may be busy writing out the revised file (with a non-zero value), but at least it will prevent the forum crash problem.
I won't bother you with the detailed code changes required, I am writing this here so you trusting WaT users can see we Tech people are working, even if our work is usually invisible and we keep in the background. For tech-wise users or administrators in other SMF forums with the same problem this text here might be a good starting point to let the SMF developers know that their approach to customer service is suboptimal, as a solution for the bug exists and they just would have to move their ass a bit.
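The third solution above, as an added PHP example: this is not the code Catskill Technologies wrote for WaT and not SMF's own code. It assumes a file name db_last_error.php next to Settings.php (an assumption, not from the post) and goes one step further than the post describes: the one-line timestamp file is first written completely under a temporary name and then renamed into place, so a concurrent include never sees an empty file in the first place, while the isset-style check from the post still catches a missing or damaged file.

```php
<?php
// Added example, not SMF code: keep the $db_last_error timestamp in its own
// one-line file so no rewrite can ever empty Settings.php.
// Assumed file name (not from the original post): db_last_error.php next to Settings.php.

define('WAT_DB_LAST_ERROR_FILE', __DIR__ . '/db_last_error.php');

/**
 * Atomically replace the timestamp file: write a complete temporary file
 * first, then rename() it over the old one. On a POSIX filesystem rename()
 * within one directory is atomic, so a concurrent include() sees either the
 * old or the new complete file, never a truncated one.
 */
function wat_write_db_last_error(int $timestamp): bool
{
    $dir = dirname(WAT_DB_LAST_ERROR_FILE);
    $tmp = tempnam($dir, 'dble_');
    if ($tmp === false) {
        return false;
    }
    $body = "<?php\n\$db_last_error = " . $timestamp . ";\n";
    if (file_put_contents($tmp, $body, LOCK_EX) !== strlen($body)) {
        @unlink($tmp);
        return false;
    }
    chmod($tmp, 0644);                    // tempnam() creates it 0600; the web server must read it
    if (!rename($tmp, WAT_DB_LAST_ERROR_FILE)) {
        @unlink($tmp);
        return false;
    }
    return true;
}

/**
 * Load the timestamp the way the post describes: include the separate file
 * and, if $db_last_error did not come back as an integer (file missing,
 * emptied by the race, or cut off mid-write), treat it as 0 and rewrite it.
 */
function wat_load_db_last_error(): int
{
    $db_last_error = null;
    if (is_file(WAT_DB_LAST_ERROR_FILE)) {
        try {
            // The included file assigns $db_last_error in this function's scope.
            // An empty file assigns nothing; a half-written file throws ParseError.
            @include WAT_DB_LAST_ERROR_FILE;
        } catch (\Throwable $e) {
            $db_last_error = null;
        }
    }
    if (!is_int($db_last_error)) {
        $db_last_error = 0;
        wat_write_db_last_error(0);       // repair the file for the next request
    }
    return $db_last_error;
}

// Stand-alone demonstration from the command line, reproducing the failure
// the post describes: the race has left an empty timestamp file behind.
if (PHP_SAPI === 'cli') {
    file_put_contents(WAT_DB_LAST_ERROR_FILE, '');   // simulate the emptied file
    var_dump(wat_load_db_last_error());              // loads, repairs the file, returns 0
    wat_write_db_last_error(1234567890);             // a database error is logged
    var_dump(wat_load_db_last_error());              // the stored timestamp is read back
    unlink(WAT_DB_LAST_ERROR_FILE);                  // clean up after the demonstration
}
```

In Settings.php the timestamp line becomes `$db_last_error = wat_load_db_last_error();`, and the place where SMF currently rewrites Settings.php on a database error calls `wat_write_db_last_error(time());` instead (SMF's own function names are deliberately not quoted here). Settings.php is then never rewritten at all, so the race can only ever touch the small timestamp file, and the write-then-rename closes even that window; the 0-value fallback remains as a second line of defence for a file that was damaged by some other means.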
The WaT forum was offline and not reachable from the outside for a large portion of today.
I got wind of the problem at 2025 forum time, double checked and found an email from Koen from 1853 that said WaT was down.
I informed our host (http://hostsuar.com) by "urgent" ticket at 2038: At 2043 they had our forum fixed and the problem solved. Now, *that's* what I call service! Show me any other host who is equally responsive, personally I have not met any, hats off and a big thank you to Carlos from the hostsuar team.
What had happened was that the main starting file (settings.php) of our forum software for some reason had gone blank, empty. Hostsuar overwrote the empty file with one from the last backup, this solved the problem.
What is not clear is how it could occur that the file went blank in the first place, as we haven't modified or worked on forum files for at least a week. We are investigating to hopefully prevent this from happening again.
I am sorry for any inconvenience caused and that I could not react earlier, hope the forum was not offline too long.
I can only second Koen in this assessment, the hostsuar guys (link in English) as host are from my semi-professional POV the best thing since the internet was invented, and if you want to spread that news elsewhere you have my full support.
For various reasons I still have to deal with other hosts on a professional basis, and the comparison shows abysmal differences (and we are not talking true anti-hosts like vibit). I am not sure how long hostsuar can keep up that good work (as when companies tend to grow they also sometimes lose focus, servers and help desk tend to get overloaded, etc. Been there, done that...) and how the crisis affects them, but I sure wish them all the best (not only out of pure egoism... ).
This said, there are some limits they have not yet overcome (based on legal issues here in Spain that are not in their hands), so you might have to make one or the other concession: You cannot, e.g., register all domain endings, you cannot have a deposit or account to draw from, etc., but there are workarounds that I am glad to help out with if needed. In comparison and impact these concessions are small bumps on a road to a successful cooperation with one of the most responsive and responsible hosts I have known so far, there is so much crap out there that has a brilliant appearance, but here you get what you pay for.
Here at WaT - within certain quantitative limits (3 per post, 30 per page) - we feature the direct embedding of videos into posts, messages, even sentences by just typing the link to them. This, in some cases, can be annoying:
Sometimes you just want to mention a link to a certain video as a source reference or a pointer, but, alas: Instead of the link you wanted to write, the whole video appears in the middle of your sentence. Or, you want to advise in the shoutbox on our front page, but the appearing embedded video makes all other shouts invisible, etc.
For those cases, we have long since implemented (but, my fault, not officially documented) the "noembed" BBC code tag. Adding it before and after a link to a video results in the video not being displayed (embedded) but preserves the link, just what you want for the cases mentioned above.
The syntax for the "noembed" tag - similar to all other BBC code - looks as follows (I have to display it as a graphic; in writing, even if put into code tags, it won't display):
Use this, e.g., to post a link in a sentence (where you don't want the video to show as you are just referring to it) or in the shoutbox.