My resignation, and some background of events lead to.

Discussion about the AutoHotkey Foundation and this website
nnnik
Posts: 4500
Joined: 30 Sep 2013, 01:01
Location: Germany

Re: My resignation, and some background of events lead to.

10 Oct 2015, 15:49

Would you guys mind putting up the logs in the Staff forum though?
@TLM finally someone summed up my feelings about this.
Recommends AHK Studio
tank
Posts: 3122
Joined: 28 Sep 2013, 22:15
Location: CarrolltonTX

Re: My resignation, and some background of events lead to.

10 Oct 2015, 16:08

M0doJ wrote: I don't think Tank is incapable. I don't know the man, I don't know his qualifications, nor his track-record. I'd say he seems knowledgeable enough. Where him and I differ, he sees this as yet another problem, that yes, is important, yes, requires work, but he'll get to it in time. I see it as something that needs to be addressed immediately. I will say someone has fixed something, and looked into holes allowing SQL-injection, so progress is being made here.
A rational and appreciated comprehension.

If we want to get technical about site security, the trifling things mentioned in this post are little more than a half-arsed attempt at making drama. The only way to do proper security is to build a replicated environment and operate a proper pen test, then take those findings through a proper risk assessment and use that assessment to prioritize efforts. A proper risk assessment would not only involve looking at code but also server and network infrastructure, access controls, separation of duties, definition of threat responses, fail-over procedures and tests, and background checks on admins as well as confidentiality agreements.

What we have here is an environment where at best if someone wants to address a problem I will do my best to give them means. Every person in the chain is not verified nor has been asked to sign any agreements. Just volunteers using their own limited free time to do the best they can. I will absolutely not tolerate attacks on the character of those who are working hard to move this site and its efforts forward. There will be mistakes. None of us is perfect or knows everything. It is one thing to find and report a problem it is another to use that to attempt to portray someone giving it their all as being unworthy. It is one thing to report an issue and quite another to make demands regarding those and refuse to act on them. My decision about DrainX was solely on his consistent attacks on JoeDF and refusal to demonstrate corrective behavior. I do not disagree with any single item he identified as an issue except that he claimed we weren't using ssh keys, which was in error. I could have attacked his method of identifying issues because of how incomplete it was, but I accept that as his best effort. When I removed his sudo access to the web server it was actually based on the fact that it had already been discussed and decided that all such changes to the code should happen on a dev machine and granting him access was in fact one of those mistakes. An innocent one. It takes only a few years of experience to realize there are always major security issues in every network and server. It takes maturity to not run around about those as if the world were on fire. Using a threat assessment is the best and in my opinion only valid way to prioritize. Aside from that we work on issues in the order in which they are detected for abuse.

How does an admin know when there is abuse?
Looking at statistics from logs and evaluating incorrect effects like spam or malicious content manifesting. He might even have the time to run a comprehensive pen test. Engage in server hardening. The pen test can identify weakness in code or server configuration. In the real world almost all data breaches involving financial data are either compromised persons with access or access control failures. The remainder of notable breaches are on the backs of systemic problems like Heartbleed, Shellshock, or the like. These are the focus of my limited time.

We just got to new servers that I actually have full control of. I mean not 30 days. JoeDF applied Suhosin PHP hardening when I suggested it. Only after getting things on a server where I had proper access to logs was I able to use a tool like SumoLogic to properly evaluate traffic. The MySQL crash on autohotkey.com seems to have primarily been from traffic from only 1 IP address making up well over 3/4 of all traffic to both domains. Since I now have full control of the server I was able to just block that IP. I was able to add a rule to prevent the ping of death and set up a very liberal connection based throttling rule. This is some of the actual relevant security efforts I focus my limited time on. We had no backups for autohotkey.com before and we had to pay for backups to be restored before. Now we have daily Host based backups and a weekly provider backup offsite, as well as database replication. Because at worst the time consuming exploits that Drainx identified could cause me to have to use those backups. The ones I am focused on could keep us down for indefinite periods of time. DrainX identified legitimate exploits that will take weeks to fix properly and will turn up many more along the way. Exploits that can at best cause temporary hiccups. I am focusing on issues that we have suffered from many times already like moving to a forum software for both groups that I can modify to slow spam from ever occurring. I don't want to lock and archive IPB but I and according to the polls the community doesn't want to waste our time on that we can't ever properly fix or modify to slow spam down correctly.

I am focusing on the areas with my limited time where I believe I can do the most good and by most good I mean the most impact, as is JoeDF. There are numerous details in this that JoeDF and I discuss privately. It is critical that these aren't public because some of it involves issues that are unfix-able or making the public aware of would invite disaster. Things are being addressed just not in the order or fashion DrainX is focused on. I have very limited time to work on these but I do work on them. But security conversations and I mean the details should not be discussed in public. And I will not be goaded into doing so. Anyone that wants to engage me as JoeDF has with hey here is this thing I want to do to help out is welcomed to it. Anyone that just wants to air a laundry list of problems and focus on problems not how to help solve them has my utmost permission to go ****ing somewhere the **** else. There are at least a dozen people in this community that have found this out. They have contributed content, code, improvements etc. I endorse and support anyone that comes to me with "hey there is this thing I want to fix". But how dare you accuse me of not using all of my free time to work on exploits. It's almost all I do. I leave forum code maint and help documents content to others. When I have finished securing the infrastructure I'll move on to securing code, which will mean pen testing, threat assessment, privately discussing issues with the appropriate persons and yes even cleaning up after them. It is foolish to expect every contributor to focus on security or to even be well educated on the subject, especially in a purely volunteer organization. This shit takes time, it is never finished, and is never perfect or even good even in the most robust institutions. Any implication otherwise comes from a place of ignorance. All you can do is get in the way of the things you expect to actually occur and have a recovery plan for the things you can't be ahead of.
JoeDF and I are like Batman and Robin. We are constantly faced with choosing one not so great alternative or another. DrainX is kinda like Joker, trying to create mayhem where none yet exists. You wanna help then help and stop attacking people. You don't wanna help then feel free to shut up. I hope this is clear enough for everyone to understand my point of view. I really appreciate the support everyone has offered since I started this. I appreciate the support that I have received in this thread. I really do. Every response to this thread feeds this troll, and I for one am tired of paying his bridge toll.
Last edited by lexikos on 10 Oct 2015, 17:49, edited 1 time in total.
Reason: Language!
We are troubled on every side, yet not distressed; we are perplexed,
but not in despair; Persecuted, but not forsaken; cast down, but not destroyed;
Telegram is the best way to reach me
https://t.me/ttnnkkrr
If you have forum suggestions please submit a
Check Out WebWriter
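
Added example, not part of tank's post and not the site's own tooling: the log review described in the post above (one address producing well over 3/4 of the requests across both domains) can be reproduced offline with a short script. It assumes Apache's `vhost_combined` log layout; the host names, addresses and log lines are constructed, and the function names are illustrative.

```python
import re
from collections import Counter, defaultdict

# Assumed layout (Apache "vhost_combined"):
#   vhost:port client ident user [time] "request" status bytes "referer" "agent"
LINE_RE = re.compile(
    r'^(?P<vhost>[^\s:]+):\d+ (?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\d+|-)'
)


def summarize(lines):
    """Count requests per client, per vhost and per minute; track unparsable lines."""
    by_ip = Counter()
    by_ip_vhost = defaultdict(Counter)
    by_ip_minute = defaultdict(Counter)
    rejected = 0
    for line in lines:
        m = LINE_RE.match(line)
        if m is None:
            rejected += 1  # report bad lines instead of letting them skew shares silently
            continue
        ip = m["ip"]
        by_ip[ip] += 1
        by_ip_vhost[ip][m["vhost"]] += 1
        by_ip_minute[ip][m["ts"][:17]] += 1  # "10/Oct/2015:14:03" is the minute bucket
    return {
        "total": sum(by_ip.values()),
        "rejected": rejected,
        "by_ip": by_ip,
        "by_ip_vhost": by_ip_vhost,
        "by_ip_minute": by_ip_minute,
    }


def dominant_sources(summary, threshold=0.75):
    """Return clients whose share of all parsed requests is at least `threshold`."""
    total = summary["total"]
    if total == 0:
        return []
    found = []
    for ip, count in summary["by_ip"].most_common():
        share = count / total
        if share < threshold:
            break  # most_common() is sorted by count, so nothing later qualifies
        found.append({
            "ip": ip,
            "share": share,
            "per_vhost": dict(summary["by_ip_vhost"][ip]),
            "peak_per_minute": max(summary["by_ip_minute"][ip].values()),
        })
    return found


def constructed_sample():
    """Constructed log lines: one noisy client on two vhosts, four ordinary ones."""
    lines = []
    for i in range(16):
        host = "forum-a.example" if i % 2 == 0 else "forum-b.example"
        lines.append(
            f'{host}:80 203.0.113.50 - - [10/Oct/2015:14:03:{i:02d} +0000] '
            f'"GET /index.php?showtopic={i} HTTP/1.1" 200 5120 "-" "constructed-agent"'
        )
    others = ["192.0.2.10", "192.0.2.11", "198.51.100.7", "198.51.100.8"]
    for n, ip in enumerate(others):
        lines.append(
            f'forum-a.example:80 {ip} - - [10/Oct/2015:14:0{4 + n}:00 +0000] '
            f'"GET / HTTP/1.1" 200 2048 "-" "constructed-agent"'
        )
    lines.append("truncated line without the expected fields")
    return lines


if __name__ == "__main__":
    summary = summarize(constructed_sample())
    print(f"parsed={summary['total']} rejected={summary['rejected']}")
    for src in dominant_sources(summary):
        print(f"{src['ip']}: {src['share']:.0%} of requests, "
              f"peak {src['peak_per_minute']}/min, vhosts {src['per_vhost']}")
```

The `peak_per_minute` figure for ordinary clients gives a baseline for sizing a connection throttle so that it stays well above normal visitor traffic.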
lexikos
Posts: 9592
Joined: 30 Sep 2013, 04:07

Re: My resignation, and some background of events lead to.

10 Oct 2015, 18:12

tank wrote: I will absolutely not tolerate attacks on the character of those who are working hard to move this site and its efforts forward. [...] It is one thing to find and report a problem it is another to use that to attempt to portray someone giving it their all as being unworthy.
There is a difference between attacking a person's character and "attacking" a person's competency at a particular role. I think that you could have handled that criticism much better, even if the other guy was being stubborn and insensitive. I also don't understand your reluctance to let a staff member be held accountable for mistakes he has made (whoever or whatever they may be). I'm not saying there should be dire consequences; but accepting blame where due is the least any responsible person can do, and I don't think he needs you defending him so aggressively.
tank wrote: It is one thing to report an issue and quite another to make demands regarding those and refuse to act on them.
Yes, clearly.
tank wrote: I do not disagree with any single item he identified as an issue except that he claimed we weren't using ssh keys.
I think you missed the point of that one, and I will elaborate in the staff forum.
M0doJ
Posts: 15
Joined: 09 Oct 2015, 07:31

Re: My resignation, and some background of events lead to.

10 Oct 2015, 19:13

guest3456 wrote:
cyruz wrote:Why all this drama? Is it not possible to discuss the issue without getting emotional? If there will be no outcome from the discussion we could just start a poll and ask the community, as it has been done in the past...
here is why there is drama:

there are two hackers/sysops who are on power trips wanting to display their omniscient knowledge, and are condemning and criticizing the volunteers who aren't as smart as them. the volunteers said, "hey if you know better, go ahead and help fix these issues for us". instead, they declined and started this crusade to point out how dumb everyone else is.

that sums it up
If that's how I come across, I apologize. I've said several times I'm not familiar with the competency in charge, I just supported the op's statement that there are serious holes that need fixing. My intention was never to display superiority, there are many far more capable than I am, I'm actually a very humble human being, believe it or not. I like to help others better themselves, not belittle them for not knowing things. That wasn't my goal at all, and if I at all upset or offended Tank or Joe#2, I give my sincerest apology, I just wanted to help... I know I came across like an ass at first, but I thought I had corrected my mistake. apparently not. I'm sorry for any drama or harm I may have caused. If we're being honest with each other, I myself have quite the inferiority complex, I never feel that I'm good enough, and I strive constantly to be better, I push myself in every direction, wherever I can improve... often this leaks from me, to be directed at others, I may be too critical to the point of being insulting, and often don't realize that I am... that's how I criticize myself, and my work, I guess I shouldn't expect the same for others, as they don't demand the same from themselves. I forget that. I am very much an example of Asperger's, lol. So I see now that I'm coming across as some better than thou pompous ass, again, I apologize, my intention truly was to help, I just have a hard time doing so.

In the defense of draino, he made his statement and left it at that... it wasn't until after my post that he returned, I feel entirely at fault here now. I don't want to cause drama within this community, I've come to like it.

I could defend my statements, I still think many of my observations were valid, but now I feel I went about it the wrong way.

One thing I will state though, Guest, you keep on bringing up the fact that they are volunteers, what does this matter? Whether or not it is paid or volunteer work, it's still a job. I know I treat my volunteer work as I would any paid position, and give it my all. If I didn't have time, or the ability to tend to my duties in a position, I would say so, and allow someone to step in who could to replace me. I'm not at all saying that's what should happen here, I just don't think leniency should be taken because they aren't in a paid position. A job is a job is a job is a job. I've actually found things you've said to be insulting, I'm not at all questioning their competency, I think Tank is competent enough, I don't know enough about JoeDF at all.

I think I was too quick to make the assumption that Tank and Joe don't consider security a priority. My assumption was based on limited information. I had heard of AHK many years ago, but never thought it to be something I could utilize, or would need. I already have a plethora of scripting languages under my belt, but I was looking for an alternative for a friend of mine who was looking for something along these lines. I remembered AHK being mentioned and touted as a great learning tool for beginners on LifeHacker and several other tech sites, and just happened to come across this post. At first, I assumed this was simply how it has always been, and for a "well-regarded" scripting program, that the administrators here were long-standing and simply did not care. Now that I think about it, I guess my initial "gut reaction" was to push buttons ever so gently, to get the admins to care, to light a fire under them and get them working. I quickly realized the error in doing so, and tried to rescind, but I still had assumptions to work from. Tank knows exactly what security holes there are, and I have no doubt that in time, they will be fixed. I didn't know the history, I made huge assumptions that this is how it's been for years, and I was wrong. Hell, yesterday I didn't even know this was the "newer AHK" site, that autohotkey.org even existed, lol. I just want to give some insight into my thought process coming here, I didn't mean to stir up shit, I promise. I came here thinking, "I thought this was a respected scripting language/software for beginners, what the hell man, you would NEVER see this on PYTHON.org", then I went poking, and it didn't take me long to find issues. I jumped to conclusions, I expected more from the community than hissy-fits and backstage drama from the administration/moderators (at least publicly, WE ALL KNOW they happen everywhere :P), this was the very first post I clicked on...
and I probably should have left it alone, to be honest, this isn't my place, and I turned this conversation into something I didn't want, nor anticipate, again, I'm sorry, not only to the three involved, but to the community. I am a very vocal person, I speak up far too often, I defend any position I side on, whether I'm involved or not, and I can take things too personally, causing me to become too invested. This personality trait is both a gift and a curse. Most of the time, it's my fast-track to leadership roles, I'm often a large voice in a community, and people listen to me... sometimes to a fault. It's not often I am the proprietor of drama... I don't like it, I don't think it helps anything at all, it's quite often a waste of time. I'd like not to participate in it here, I'd much rather, if I do find a place here, help, than harm.

From Tank's last post, it's clear to me now that he is competent in his role, I just hope he can find time to fulfill it, it can be balancing something like this, with family, and another full-time job on top! I've said it several times before, I do not envy it... I've been there, done that, stretched myself so thin I was on the brink of breaking down constantly. I had to learn to make time for myself, and know my limitations. I've experienced severe burn-out from working two full-time jobs, one very similar to Tank's. I can relate to him. Thanks for clearing up the facts, and helping me realize the assumptions I had of this site weren't accurate. Again, I apologize for being an inciter, and for any harm I may have caused.

EDIT:

BTW, I LIKE THIS FEATURE!!!

"Post review

At least one new post has been made to this topic. You may wish to review your post in light of this."
gregster
Posts: 9016
Joined: 30 Sep 2013, 06:48

Re: My resignation, and some background of events lead to.

10 Oct 2015, 19:19

If someone wants to do a good deed, close this thread!
guest3456
Posts: 3463
Joined: 09 Oct 2013, 10:31

Re: My resignation, and some background of events lead to.

10 Oct 2015, 19:35

M0doJ wrote: If that's how I come across, I apologize.
fair enough. i have probably taken things too far too.
M0doJ wrote: One thing I will state though, Guest, you keep on bringing up the fact that they are volunteers, what does this matter? Whether or not it is paid or volunteer work, it's still a job. I know I treat my volunteer work as I would any paid position, and give it my all. If I didn't have time, or the ability to tend to my duties in a position, I would say so, and allow someone to step in who could to replace me. I'm not at all saying that's what should happen here, I just don't think leniency should be taken because they aren't in a paid position. A job is a job is a job is a job. I've actually found things you've said to be insulting, I'm not at all questioning their competency, I think Tank is competent enough, I don't know enough about JoeDF at all.
maybe i'm unaware of the full structure of the organization as well, but my impression was that these guys are not sysops by trade. they are AHK programmers with some server knowledge. we had a dictator in polyethene and needed an alternative site, and they provided it as best they can. has anyone offered to replace them? until there is an alternative, why complain? they are doing what they can. do you expect them to just step down and leave the position empty? that's all i meant by the volunteer statement. i didn't mean to diminish the importance of the job.

M0doJ
Posts: 15
Joined: 09 Oct 2015, 07:31

Re: My resignation, and some background of events lead to.

10 Oct 2015, 22:32

gregster wrote: If someone wants to do a good deed, close this thread!
I think the bulk of the drama is done for, things were said, shade was thrown (I'm so hip!), and it seems like here forth we can foster a positive conversation, without any attacking each other.
tank wrote: It is critical that these aren't public because some of it involves issues that are unfix-able or making the public aware of would invite disaster.
I'm also sorry that I made it my goal to point this out for everyone to see. That should have been a conversation held privately if I hadn't been so brazen. It wasn't my intention, but all I did was fan the flames.
tank wrote: I don't want to lock and archive IPB but I and according to the polls the community doesn't want to waste our time on that we can't ever properly fix or modify to slow spam down correctly.
If it really comes down to there not being enough resources to maintain, I may be up to taking over responsibility for the dot com (if you guys would even have me, I know it might be hard to trust me after all this, plus y'all have no clue who I am or my qualifications!), but then again, it has to be considered whether a splintering of the community is at all beneficial, or worth maintaining... so far it looks like not, but if you truly don't want to lock it down there must be a reason. I'm not saying yes, I'll do it, or please, have me! Just a friendly, "if it comes down to a valuable resource continuing to exist, or not, I would have no problem volunteering my time to help". Does the other site offer anything that cannot be accomplished here? Also, it's unix-based hosting, right? I promised myself... NO MORE WINDOWS SERVER! It's just a hassle, and linux performs soooo much better. I'd have to consider whether I would want to undertake this project, or not. If it's even something y'all would be open to. Just thoughts!

Another possible solution could be to, rather than continue to host a dead forum, convert the database over to phpBB, archive it here, so there is one centralized site... I actually prefer IPB, but my preference isn't what matters. Whether this feasible would depend on a few things, a few issues I could foresee, I assume many have accounts on both, and... not much else really... the converters available are quite competent in translation of userbase, posts, and forums. If this was done, everything could be kept for archival purposes, unified, aaaaand, could allow y'all to move back to the original domain. If that's something you guys would even want. There may be much larger issues preventing this, I've only moved an old board to a fresh slate, never merged an entire board into an existing one, but I have imported sections of a board into another (similar to this situation, from IPB to phpBB, for archival purposes), and it was a cakewalk. If there's an issue preventing this possibility, please disregard.

These possibilities may have, and probably were, discussed... I won't be offended if anyone thinks it's a bad idea to merge, it could be, but it's probably the solution I would come to, hence the suggestion.
joedf
Posts: 8959
Joined: 29 Sep 2013, 17:08
Location: Canada

Re: My resignation, and some background of events lead to.

10 Oct 2015, 23:15

I personally wouldn't mind having you in the team, if you are willing to take action. It's a very nice offer, thank you actually! But, yes as you've mentioned we don't know you very well yet haha.
On a separate note, I wonder if tic is still willing to help... Hmmm
Windows 10 x64 Professional, Intel i5-8500, NVIDIA GTX 1060 6GB, 2x16GB Kingston FURY Beast - DDR4 3200 MHz | [About Me] | [About the AHK Foundation] | [Courses on AutoHotkey]
[ASPDM - StdLib Distribution] | [Qonsole - Quake-like console emulator] | [LibCon - Autohotkey Console Library]
tank
Posts: 3122
Joined: 28 Sep 2013, 22:15
Location: CarrolltonTX

Re: My resignation, and some background of events lead to.

11 Oct 2015, 00:35

There is another thread about converting IPB to PHPBB. I am going to be setting up a dev server for that effort and am happy to add you to it. http://ahkscript.org/boards/viewtopic.php?f=17&t=9768
Drainx1
Posts: 60
Joined: 29 Sep 2013, 20:40
Location: Kansas

Re: My resignation, and some background of events lead to.

29 Oct 2015, 15:01

I am commenting here, because I don't have an autohotkey.com account.

I think it is important to point things out, especially given the recent events. http://autohotkey.com/board/topic/15027 ... ntry735682
Tank said that there was a breach, and nobody was notified, staff wasn't either (at the time at least.)
we do not have the means for http encryption nor have we ever.
You do, you just don't know how to use it. Not that it would have done any good in this case anyway. SSL is fairly cheap and prevents basic MITM attacks.
several weeks ago there was a security weakness exploited within IP BOARDS this forum software. there was some defacing done but no evidence was found at the time of compromise to the DB.
If the boards were compromised and defaced, the DB username and password in the config file were there and in plain view. Autohotkey.com's DB was hosted on the same server instance as the web side of things (apache.) If you worked at all in IT, you know that you MUST assume the worst.
so additional firewall rules were applied based on logged activity and all DB credentials were changed.
That's funny... Because I recommended that AFTER this whole thing happened, and they certainly weren't changed before I was given access.
in addition the files with the exploit were neutered.
You can't neuter an IPB file for several reasons.
  • IPB files use bytecode level obfuscation, so if you modified a file, the whole thing would fail to run.
  • IPB releases security updates and patches the second they know about it. There hasn't been a notice about anything that would affect the .com install.
My guess is that one of the scripts that was written was exploited (just like p.php,) as I predicted in my security report.
some spyware or cookie based exploit.
It should be noted that cookies CANNOT infect you with a virus or anything for that matter. Since apparently you don't know what a cookie is, it is a simple text file used to save preferences for sites, as you have found out with the cookie settings on the board and the whole 'not logging in' thing.
As such, a cookie is not executed, only read. Cookies can be used for tracking, however that is a lot more difficult to pull off.
What I think you meant was sessions. Session hijacking is a thing, which the root cause is bad session handlers on the server. Also see CSRF attacks.

Link to another for comments: http://autohotkey.com/board/topic/15027 ... ntry735695
of passwords that cannot be decrypted Its a one way salted hash seems a bit extreme
Ever use John The Ripper? Salted passes are easy to get past. A password change is mandatory after an event like this... which you told nobody about.

More:
it would be far easier to steal said passwords with a man in the middle as almost all email is encrypted. as is this site.
99% of emails aren't signed, including the ones from any of the services here or anywhere else. Email signing is a dying art. PGP is better used for it anyway. Autohotkey.com is NOT encrypted. Please stop saying it is.
amount of work to brute a tens of thousands of email accounts
Again, please defer to John the Ripper. Bruting is also pointless if they had DB access to start with.

Within the coming weeks, I am going to start my own board, with proper security measures and policies shown to the public. You have shown that you do not have the ability to host a community safely. As such, I would like to request a DB dump, or even a limited one.
Unlike you, I am willing to spend money keeping AHK alive. I wouldn't be here posting this if AHK wasn't worth it.
Last edited by Drainx1 on 29 Oct 2015, 17:56, edited 2 times in total.
joedf
Posts: 8959
Joined: 29 Sep 2013, 17:08
Location: Canada

Re: My resignation, and some background of events lead to.

29 Oct 2015, 15:14

+1 about John the ripper
I will send you a db dump as soon as I can.
I'm currently on travel, but I will try when I can.
PM me your preferred email or where you would like to receive it.
tank
Posts: 3122
Joined: 28 Sep 2013, 22:15
Location: CarrolltonTX

Re: My resignation, and some background of events lead to.

31 Oct 2015, 12:06

tank wrote: Like i said i am willing to post an announcement but that's all that's technically possible anyway. an email blast is not possible even if i were inclined. while these things are certainly suspect they certainly don't rise to anything more than a nuisance if true. I am all for err on side of caution. it would be far easier to steal said passwords with a man in the middle as almost all email is un-encrypted. as is this site. And on top of that the amount of work to brute a tens of thousands of email accounts they would surely select a better audience. the scenario you described above would simply require some port sniffing when you log onto this site and no brute force a tall. its an encrypted connection. there are and have been countermeasures for brute force attacks on user accounts for a very long time. and this is true of most common mail hosts. So while its worth mentioning it certainly does not rise to being anything more than a nuisance.
 
I have corrected a typo in the above statement caught by another user here; it was an unintentional and important typo.
Thanks at least for catching my typo. I won't comment on the rest.
http://autohotkey.com/board/topic/15027 ... ntry735850
I wonder how those infected files nested deep in the IPB directory got on the server you used to have access to? Yes, they were infected. Why didn't you catch those?
Why didn't you catch them on this server when you had access? Did you want them there?
Hmmmm?

http://autohotkey.co...ic/150288-spam/
Drainx1
Posts: 60
Joined: 29 Sep 2013, 20:40
Location: Kansas

Re: My resignation, and some background of events lead to.

31 Oct 2015, 12:59

tank wrote:
tank wrote: Like i said i am willing to post an announcement but that's all that's technically possible anyway. an email blast is not possible even if i were inclined. while these things are certainly suspect they certainly don't rise to anything more than a nuisance if true. I am all for err on side of caution. it would be far easier to steal said passwords with a man in the middle as almost all email is un-encrypted. as is this site. And on top of that the amount of work to brute a tens of thousands of email accounts they would surely select a better audience. the scenario you described above would simply require some port sniffing when you log onto this site and no brute force a tall. its an encrypted connection. there are and have been countermeasures for brute force attacks on user accounts for a very long time. and this is true of most common mail hosts. So while its worth mentioning it certainly does not rise to being anything more than a nuisance.
 
I have corrected a typo in the above statement caught by another user here; it was an unintentional and important typo.
Thanks at least for catching my typo. I won't comment on the rest.
http://autohotkey.com/board/topic/15027 ... ntry735850
I wonder how those infected files nested deep in the IPB directory got on the server you used to have access to? Yes, they were infected. Why didn't you catch those?
Why didn't you catch them on this server when you had access? Did you want them there?
Hmmmm?

http://autohotkey.co...ic/150288-spam/
The spam doesn't matter so much, as what Lex said in that thread is more than likely right. Poly probably got hacked again and they used that for the email spam.

My point is that the IPB install you have was hacked, and nobody was notified, and you took no action.

As I stated in my OP, I only spent 3 hours looking at it, and frankly the IPB install wasn't concerning me because there were more pressing matters, like the install directory of this board remaining there, and the IPB install itself looked fairly clean.

If you are accusing me of planting a backdoor, you have lost it; I could have done much worse things, but instead I created a security report detailing the issues. It seems you not only didn't take my advice, but you seemed to fail to take anything from it.
As I have asked, please tell me what was infected and/or report it to IPB.
Again, as stated, IPB uses PHP bytecode obfuscation, which is not easy to modify, which is why I want to know what happened, or you report it to IPB.

I am posting this publicly because it needs to be:
Sent to Tank via skype:
[10/30/2015 4:40:30 PM] Win Awesome: Hi, as you may or may not be aware, I am creating another forum for autohotkey. When things like hacks and such happen, it clearly shows you are not up to the task. It is at this point I am requesting things such as the domain name and any and all database stuff.
[10/30/2015 4:41:14 PM] Win Awesome: At that, you told nobody about any hack that happened, which is a red flag. It saddens me, but AHK is worth it to me.
I can't believe that it has come to this, but I believe that AHK deserves someone more capable and responsible than yourself Tank, as such, I am requesting a dump for both forums (even a dump of just posts would do nicely.)

@Joedf, I'll see if I can get with you soon to get exactly that. Thank you very much.
Exaskryz
Posts: 2882
Joined: 17 Oct 2015, 20:28

Re: My resignation, and some background of events lead to.

31 Oct 2015, 14:33

I don't want to take a stance on the issues of security because I don't know the full details.

However, I notice that just recently it was finally agreed to merge the two AHK communities on different forums at autohotkey.com and ahkscript.org. And now that that process has started and is going through the planned steps, Drainx1 wants to start up a new forum and split the community again?

I would just like to suggest both parties try to work something out so there aren't two communities that users are split between or jumping between again.
guest3456
Posts: 3463
Joined: 09 Oct 2013, 10:31

Re: My resignation, and some background of events lead to.

31 Oct 2015, 16:58

Drainx1 wrote: I am posting this publicly because it needs to be:
Sent to Tank via skype:
[10/30/2015 4:40:30 PM] Win Awesome: Hi, as you may or may not be aware, I am creating another forum for autohotkey. When things like hacks and such happen, it clearly shows you are not up to the task. It is at this point I am requesting things such as the domain name and any and all database stuff.
[10/30/2015 4:41:14 PM] Win Awesome: At that, you told nobody about any hack that happened, which is a red flag. It saddens me, but AHK is worth it to me.
I can't believe that it has come to this, but I believe that AHK deserves someone more capable and responsible than yourself Tank, as such, I am requesting a dump for both forums (even a dump of just posts would do nicely.)
you can't be serious

how about you stop being a childish idiot and actually start contributing instead of complaining. tank, joe, lexikos, have all put in a lot of work getting these ahkscript forums running, and now they are planning to transition them to autohotkey.com. if you have suggestions to improve things, make them known so they can be fixed.

all you've done is complain about how things are being done poorly. yet, i read the original logs, and you were offered the opportunity to do things, and you didn't want to. you just wanted to continue to complain that everyone else isn't as smart as you.

further, given your ridiculous mental state, i would even agree with the decision to no longer offer you any position, because you CONTINUE to show that you're a *******

but i have no power so my opinion means little
Last edited by tomoe_uehara on 12 Nov 2015, 23:49, edited 1 time in total.
Reason: Language

lexikos
Posts: 9592
Joined: 30 Sep 2013, 04:07
Contact:

Re: My resignation, and some background of events lead to.

31 Oct 2015, 17:39

I have advised joedf against sending anyone a dump of the database.
just me
Posts: 9458
Joined: 02 Oct 2013, 08:51
Location: Germany

Re: My resignation, and some background of events lead to.

02 Nov 2015, 09:25

I think that this is a (lousy) attempt to regain control over the AHK forums.
nnnik
Posts: 4500
Joined: 30 Sep 2013, 01:01
Location: Germany

Re: My resignation, and some background of events lead to.

02 Nov 2015, 11:21

I have really tried to keep quiet about this but that last post (from Guest named tidbit) almost made my blood boil.

From my point of view it looks like this:

tank: Part of the current Admin duo. Has the capabilities but doesn't have the time to do everything perfectly.
joedf: Part of the current Admin duo. Doesn't have the capabilities yet but has a lot of spare time to help tank out. Makes minor mistakes since he's still inexperienced.

Drainx1: Ex-Admin got SSL access from tank and checked the Server security. Apparently has the capabilities to do this and the time yet doesn't want to do it as long as tank is around (???)
modoJ: According to his posts he has the capabilities but lacks free time completely.

Yeah we need more people like the latter 2. tidbit if that's actually you I hope it's sarcasm (or that I'm not lacking some very basic Info here).
Recommends AHK Studio
Blackholyman
Posts: 1293
Joined: 29 Sep 2013, 22:57
Location: Denmark
Contact:

Re: My resignation, and some background of events lead to.

02 Nov 2015, 11:58

@nnnik that guest's name is "ti t bit"
Also check out:
Courses on AutoHotkey

My Autohotkey Blog
:dance:
nnnik
Posts: 4500
Joined: 30 Sep 2013, 01:01
Location: Germany

Re: My resignation, and some background of events lead to.

02 Nov 2015, 12:56

Oh thanks didn't see :)
Recommends AHK Studio
