Announcement

**Floris** · Tue 12 Feb '08, 7:36am

Originally posted by PitchouneN64ngc

Good thing to regenerate this password, more small too

PS: update your kernel too, there is a big security issue

there isn't a new kernel out yet for RHEL

**diettalk** · Tue 12 Feb '08, 7:47am

Originally posted by xjuliox

When i first saw the email i found it alittle suspicious!

I thought the same thing. A forum announcement would have been nice.

**Onimua** · Tue 12 Feb '08, 8:10am

I will say that it would've been nice to know ahead of time. They let us know about the server maintenance, but not this (which effects us more as customers I think). Other than that, it's not really that much of a problem as some people have claimed it to be on this site.

**Yves R.** · Tue 12 Feb '08, 8:15am

Originally posted by Floris

there isn't a new kernel out yet for RHEL

There is a local root exploit in linux kernel 2.6.xx

Linux Kernel 2.6 Local Root Exploit - Slashdot

http://it.slashdot.org/it/08/02/10/2011257.shtml

aquatix writes "This local root exploit (Debian, Ubuntu) seems to work everywhere I try it, as long as it's a Linux kernel version 2.6.17 to 2.6.24.1. If you don't trust your users (which you shouldn't), better compile a new kernel without vmsplice." Here is millw0rm's proof-of-concept code....

**Creepshow** · Tue 12 Feb '08, 8:15am

Yeah my new password has a '!' in it.

Which I was kind of surprised about...

**Mez** · Tue 12 Feb '08, 8:19am

Originally posted by Creepshow

Yeah my new password has a '!' in it.

Which I was kind of surprised about...

and the ! portrays your shock quite well !

**Creepshow** · Tue 12 Feb '08, 8:22am

Originally posted by Martin Meredith

and the ! portrays your shock quite well !

Heh

**Scott MacVicar** · Tue 12 Feb '08, 8:24am

Originally posted by PitchouneN64ngc

There is a local root exploit in linux kernel 2.6.xx

http://it.slashdot.org/it/08/02/10/2011257.shtml

Lucky we have no regular users that don't have root already

The patch for RHEL hasn't been released yet, its going through QA. When it gets released I'll upgrade.

**Tailfeathers** · Tue 12 Feb '08, 9:46am

Originally posted by Floris

Yes, all the customers.

About the recent password change on your vBulletin Members' Area account.

This step was taken as part of a general review of our security, privacy and anti-piracy operations. As a part of this review, a decision was made to more closely adhere to best practices in terms of password security, such as the use of good strong passwords with letters, numbers and punctuation.

Please accept our apologies for any inconvenience caused. As stated in the email, this change will have no effect on on your assigned "priority support" forum accounts, the passwords for which remain unchanged.

If this wasn't some urgent necessary change, then I think it vB should really have let people know in advance because this will create a lot of problems for a lot of people (and extra work for vB).

I agree that knowing about this in advance is a lot more important than knowing in advance that vbulletin.com will be down for a little bit.

**DanaSoft** · Tue 12 Feb '08, 12:00pm

Originally posted by Tailfeathers

If this wasn't some urgent necessary change, then I think it vB should really have let people know in advance because this will create a lot of problems for a lot of people (and extra work for vB).

I agree that knowing about this in advance is a lot more important than knowing in advance that vbulletin.com will be down for a little bit.

Got a new password assigned to an account that wasn't even a week old.

:shrug:

**Gladius** · Tue 12 Feb '08, 12:20pm

I think that the fact that no one from Jelsoft is willing to answer whether their client details database has been compromised or is suspected to have been compromised is quite telling.

**Wayne Luke** · Tue 12 Feb '08, 12:32pm

Its to do with how passwords are now handled in our system. Support staff will not ask for passwords as a form of license verification anymore. We don't have access to them under any case. Instead you will obtain an authorization code if we need to verify license information and will request that.

This means that the password doesn't have to be stored in the database as plaintext anymore and will protect you should the database somehow be compromised in the future. It is a increase in our security measures to keep your licenses safe in a day and age when attempted license theft is on the rise. There was no compromise of your data or our database, this is just a precautionary change for the future.

**Gladius** · Tue 12 Feb '08, 12:35pm

Thanks for the explanation - makes more sense now.

**Reeve of Shinra** · Tue 12 Feb '08, 12:36pm

I think this was a rather sudden change... we should've been given advance notice and there should be an announcement made in the forum. This wasn't the best way to learn about this.

**Wayne Luke** · Tue 12 Feb '08, 12:39pm

In hindsight, we agree and will take that into consideration in the future. The current change has already been implemented though and there is no way to undo that.

Announcement

[pw change] Just received this email from vBulletin...

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment