pa2a.org


Share Thread:  
Security as compared to vB?
#1
How secure is myBB as compared to vB from spiders and the like? I joined up in a limited capacity until I figure that out. My experience with open source stuff has been mostly positive, but you do have to watch them as many times the back ends to open source code never really gets tested from external threats. And if the boards here get as big or larger than PAFOA, I worry that the antis will be pulling all the stops out to get this place taken down.
~All Knowledge is Worth Having~
Reply
#2
All forums can have vulnerabilities but MyBB is very stable and secure. The code itself is well written and security updates are applied regularly. We also run several security plugins on our backend to protect even further.
___________________________________________________________
A Reading from the Book of Armaments, Chapter 4, Verses 16 to 20:

Then did he raise on high the Holy Hand Grenade of Antioch, saying, "Bless this, O Lord, that with it thou mayst blow thine enemies to tiny bits, in thy mercy." And the people did rejoice and did feast upon the lambs and toads and tree-sloths and fruit-bats and orangutans and breakfast cereals ... Now did the Lord say, "First thou pullest the Holy Pin. Then thou must count to three. Three shall be the number of the counting and the number of the counting shall be three. Four shalt thou not count, neither shalt thou count two, excepting that thou then proceedeth to three. Five is right out. Once the number three, being the number of the counting, be reached, then lobbest thou the Holy Hand Grenade in the direction of thine foe, who, being naughty in my sight, shall snuff it."
Reply
#3
(09-19-2012, 08:41 AM)the1jeffy Wrote: How secure is myBB as compared to vB from spiders and the like? I joined up in a limited capacity until I figure that out. My experience with open source stuff has been mostly positive, but you do have to watch them as many times the back ends to open source code never really gets tested from external threats. And if the boards here get as big or larger than PAFOA, I worry that the antis will be pulling all the stops out to get this place taken down.

I asked a similar question a while back, not that I think this software is bad but a lot of off the shelf BBS are hacked regularly.

That being said your comment:

Quote:as many times the back ends to open source code never really gets tested from external threats

is about as off the mark as it can be. Open source projects are tested 100 times more than closed projects and by a more diverse group of people. That's what the whole open source community is about, thousands and thousands of people coming together to help create stable secure software.
Reply
#4
(09-19-2012, 10:56 AM)dc dalton Wrote:
(09-19-2012, 08:41 AM)the1jeffy Wrote: How secure is myBB as compared to vB from spiders and the like? I joined up in a limited capacity until I figure that out. My experience with open source stuff has been mostly positive, but you do have to watch them as many times the back ends to open source code never really gets tested from external threats. And if the boards here get as big or larger than PAFOA, I worry that the antis will be pulling all the stops out to get this place taken down.

I asked a similar question a while back, not that I think this software is bad but a lot of off the shelf BBS are hacked regularly.

That being said your comment:

Quote:as many times the back ends to open source code never really gets tested from external threats

is about as off the mark as it can be. Open source projects are tested 100 times more than closed projects and by a more diverse group of people. That's what the whole open source community is about, thousands and thousands of people coming together to help create stable secure software.
Yeah, DC is correct! I have seen a ton of MyBb sites get hacked but they are all off the shelf installs and the webmasters never upgrade or secure. All the bigger, well maintained MyBB sites are secure. Open source is a great thing! Big Grin

I like MyBb because I also have more flexibility with the core files where as vB and IPB are encrypted.
___________________________________________________________
A Reading from the Book of Armaments, Chapter 4, Verses 16 to 20:

Then did he raise on high the Holy Hand Grenade of Antioch, saying, "Bless this, O Lord, that with it thou mayst blow thine enemies to tiny bits, in thy mercy." And the people did rejoice and did feast upon the lambs and toads and tree-sloths and fruit-bats and orangutans and breakfast cereals ... Now did the Lord say, "First thou pullest the Holy Pin. Then thou must count to three. Three shall be the number of the counting and the number of the counting shall be three. Four shalt thou not count, neither shalt thou count two, excepting that thou then proceedeth to three. Five is right out. Once the number three, being the number of the counting, be reached, then lobbest thou the Holy Hand Grenade in the direction of thine foe, who, being naughty in my sight, shall snuff it."
Reply
#5
(09-19-2012, 08:41 AM)the1jeffy Wrote: How secure is myBB as compared to vB from spiders and the like? I joined up in a limited capacity until I figure that out. My experience with open source stuff has been mostly positive, but you do have to watch them as many times the back ends to open source code never really gets tested from external threats. And if the boards here get as big or larger than PAFOA, I worry that the antis will be pulling all the stops out to get this place taken down.


One of the nice things is none of the big BB systems can really hide code from each other. The big name ones are all written in PHP, even with vB once you have a licensed copy you can look through all the code line by line and pick it apart. When something major happens to one, you can bet the others start analyzing their own code for similar threats and apply very similar fixes. IMO as long as you are using one of the more popular systems and you apply the updates and fixes as they are released, it becomes a Windows vs Mac security debate.
The law? The law is a human institution...
Reply
#6

"I like MyBb because I also have more flexibility with the core files where as vB and IPB are encrypted."


That was basically my point (my bold).

I'm not hating on open source, I run a simple Ubuntu install on my media PC and basically never pay for software (without, ahem, 'A-Hoy matey-ing' anything) because of sourceforge.

But, and no offsense intended, an "art of shaving" or "mustangs are awesome" board is not going to be the focus of a determined and well-funded group of camaro fans or a pro-beard group.

Can you really say the same for a pro-2A board?

If someone does manage to circumvent security, all they get is an encrypted mess with vB or that ilk (and access to non-encrypted portions). But with open source, they could, if I am correct, set up am 'official' forum invite to militia groups or white supremacy leaders, or something that would look terrible.

I might be right in tin-foil hat territory, but I think this should be considered. Think like/ know your enemy and all that.

EDIT: yikes, quoting fail.

(09-19-2012, 12:20 PM)csmith Wrote: (snip) apply the updates and fixes as they are released, it becomes a Windows vs Mac security debate.


That's true, but I don't like using, "There's no security leaks for Mac!" with the understood, never spoken line of, " . . .because hackers never bothered to attack it," as my security.
~All Knowledge is Worth Having~
Reply
#7
You have some great points and I agree that a pro 2a board would make a great target for somebody looking to make a statement or cause some trouble.

I really don't believe that any one BB system is going to be safer though. They are all written in PHP, all use a database backend, they all hash their passwords. The general goal of a hacker against a website is to gain access either directly to the database, or to the console of the server hosting the website. If you obtain either, no security measures employed by PHP will be worth anything.

Historically speaking, vulnerabilities in BB systems have come in one of two flavors. The most common being SQL injection. It's surprisingly easy to protect against, yet so many developers fail to do so. I would bet that all modern BB systems are pretty well protected against it because it is literally the FIRST thing that somebody will try to exploit on a website. The second flavor of attacks is aimed at vulnerabilities in PHP itself. vBulletin and phpBB suffered severely from attacks against the PHP magic quotes functions for a very very long time. PHP finally deprecated and removed the functions, that's how bad it was.

Your best bet when signing up with ANY forum is to use a different password (we all use different passwords for everything anyway right?), and a dedicated email address. That way, even if somebody does get in, what do you really have at stake?
The law? The law is a human institution...
Reply
#8
(09-19-2012, 01:32 PM)csmith Wrote: You have some great points and I agree that a pro 2a board would make a great target for somebody looking to make a statement or cause some trouble.

I really don't believe that any one BB system is going to be safer though. They are all written in PHP, all use a database backend, they all hash their passwords. The general goal of a hacker against a website is to gain access either directly to the database, or to the console of the server hosting the website. If you obtain either, no security measures employed by PHP will be worth anything.

Historically speaking, vulnerabilities in BB systems have come in one of two flavors. The most common being SQL injection. It's surprisingly easy to protect against, yet so many developers fail to do so. I would bet that all modern BB systems are pretty well protected against it because it is literally the FIRST thing that somebody will try to exploit on a website. The second flavor of attacks is aimed at vulnerabilities in PHP itself. vBulletin and phpBB suffered severely from attacks against the PHP magic quotes functions for a very very long time. PHP finally deprecated and removed the functions, that's how bad it was.

Your best bet when signing up with ANY forum is to use a different password (we all use different passwords for everything anyway right?), and a dedicated email address. That way, even if somebody does get in, what do you really have at stake?


I have a segregated email for signing up to boards.

But, thanks for the security summary, that's what I was looking for.
~All Knowledge is Worth Having~
Reply






Possibly Related Threads...
Thread Author Replies Views Last Post
  Security Warning Signing on? das 10 1,568 11-01-2013, 08:26 AM
Last Post: rocketfoot



Users browsing this thread: 1 Guest(s)

Software by MyBB, © 2002-2015 MyBB Group.
Template by Modogodo Design.