Right, this thread is for telling folk that the 'proper' ILX is down again, so if you see this above the "ILX is back up" thread it means ILX is back down

vs

No one else (other than the admins) know how I did it

-- jw (jon@////), February 11th, 2007

Jon, I've listened to you many times! You've emailed me about googleproofing stuff in the past, and I've got onto it str8away, just the same as I wd do for anyone! I even emailed you the other day to ask you what that "fuck you googleproof me" thing was about.

FWIW, I looked at ilx this morning (uk time), ACCIDENTALLY looked at the modlog on ile, and noticed that Jon had carried out a couple of admin actions last night, checked the admin page on ile, and found that he had somehow added himself to the ile moderators list with full privs. I emailed stet about this, and he pulled the site. I think stet did the right thing, because if Jon can exploit vunerabilities in the old code, so can other ppl. Getting in at top level means among other things, the ability to delete the entire database. Personally, I can't see Jon doing this. Other people I don't know about.

Jon found a security hole in ILX that lets him get access to the database. Full access, so he can give himself mod privs, delete posts, threads, boards, the whole site.

He didn't tell Keith or me how he did it, he just took advantage of it. Keith and I are the only people with access to the server right now. We both have full-time jobs. The old ILX code running depends on people not trying to break it, or hack in.

If Jon is going to hack the boards by finding holes -- of which there are many -- we can't leave them up without doing a lot more admin work to try and stop him. On top of which, the new host's backup system hasn't been set up yet, so we have no backups right now.

We're going to move to the new secure code. It's not quite ready, it hasn't had all the features fleshed out, but it lets you post and is largely secure.

Is this a threat?

good luck with that

Yes, the message should be a bit better, but I'm at work and can only access the server from my phone! Otherwise I would get cracking on backups etc, aye.

that is hardly going to deter jon, the only registered user who bothers to exploit security issues with ILX code. banning doesn't work on savvy enough regulars who repeat offend.

http://www.youtube.com/watch?v=CqT2COHG4uI

Yes. I figured it was an OK risk given that it hadn't happened in all the preceding years, and the code would only be up for a few months till the switchover. Ah well.

So the argument is that JW exploited a hole in the code, and so now you're shutting the whole thing down on principle? Why wouldn't you have shut the whole thing down on principle years ago? Why is this different?

No, the argument is that the risk above is now too big to take. If Jon's going to be such a loose cannon that he can't restrain himself from hacking what we know to be insecure code, I'm not going to run around trying to stop him.

So a combo of factors in play here. Can't say I blame the admins. It'd be one thing if there were backups but in absence of them, it's probably best to leave the site down.

This is still kinda funny, though.

I guess the point is that in the first place it's not OK for Jon, or anyone else to hack into the database, and more urgently, now that Jon has shown it can be done, it's extremely likely that someone else will do it. Like the CSS flooding thing referred to upthread, Jon didn't CSS flood the shimura curves thread, someone else did, but w/o Jon's example of showing it could be done in the first place, it likely wouldn't have happened.

(x-posts, in which everyone explains it better than I can :( )