• WSI.M.O.G.

    @wsi-m-o-g

    • in reply to: IE 10 lounge posting anoyance and workaround #1369859

      FYI, I have temporarily disabled the WYSIWYG editor function when creating replies to threads. This should make IE10 work without using compatibility mode, and it may resolve other issues related to using the Lounge on IE 10.

      Let me know if you see any problems, or otherwise have any concerns related to this.

    • in reply to: IE 10 lounge posting anoyance and workaround #1368169

      That is pretty much accurate. I’ve worked on applying pressure on the vbulletin devs and raising the priority for fixing this issue. They aren’t promising anything though.

      We are working on alternatives. One which we are considering is updating vBulletin ourselves to use a newer version of CKEditor. http://ckeditor.com/

      That could fix the issue, but we aren’t the ones who created the software, and updating it ourselves could take time and make the problem worse. We’re looking into it though.

    • in reply to: IE 10 lounge posting anoyance and workaround #1366084

      Sounds like there is no ETA on a fix:
      https://www.vbulletin.com/forum/showthread//414654-What-version-of-CKEditor-is-included-in-an-updated-vB4-2-0

      Disappointing response there, however we are in the same situation as many other large Windows forums, most of which also use vBulletin. Hopefully they make updating CKEditor a higher priority.

    • in reply to: IE 10 lounge posting anoyance and workaround #1366080

      The problem is with “CKEditor”, which is the default editor in our version of vBulletin. vBulletin 4.2.0 currently doesn’t include an up-to-date version of CKEditor which fixes this problem.

      I haven’t tested IE10, but I expect this is the description of the problem:

      “Pressing the enter key when typing a reply does not insert a new line when using IE10 and the vbulletin WYSIWYG post editor”

      The problem was brought up again recently on vbulletin.com and has been brought up many times previously. vBulletin.com is the official support site for our vbulletin forum software. One of the vBulletin developers replied stating awareness of the problem, and a workaround by changing the reply editor in vbulletin:

      https://www.vbulletin.com/forum/showthread//413352-Win8-amp-IE10-with-vB4-2-0?highlight=ie10

      Click on the a/A button, and use the standard editor. It is a problem with our editor: CKEditor.

      There was a bug opened for this with vBulletin in October last year. It contains further details of investigating and identifying the problem.

      In summary:
      – This is not an IE 10 error
      – This is a problem with older versions of the CKEditor (the default vBulletin 4 post editor)
      – It can be fixed when vBulletin releases a version of vBulletin 4 that updates the CKEditor version

      The problem is listed here in the vbulletin bug tracker, but it can only be viewed by logged in members:
      http://tracker.vbulletin.com/browse/VBIV-13267

    • in reply to: Just smile & wave bye-bye… #1818412

      FWIW, I haven’t gotten to test Windows 8 yet, but I am looking forward to it.

      However, I am currently testing Arch Linux on my laptop, and I have chosen to use the default experience of Gnome 3. Gnome 3 did away with the traditional start menu by default (though the old way can be enabled). The old way was essentially equivalent to the old Windows start menu. In Gnome 3 to launch apps you push a button (or put your mouse in the top left hotspot), then start typing the name of what you want to launch, and immediately it displays whatever matches what you’ve typed so far.

      From the discussions I’ve heard, it sounds like Win8 and Gnome 3 went with similar alternatives to the typical start menu paradigm.

      The discussion here on right and wrong is interesting. I think clarifying how things actually work is important to helping users get the most from Win8 and that’s great.

      But mostly, I wanted to make a prediction… A lot of people won’t like the change, maybe even most. But 2 years after launch we’ll see most people speaking favorably about the new way, and those using the old approach will be viewed more so as hangers-on.

    • in reply to: Windows Secrets newsletter site hacked! #1350464

      From your “We do salt.”, it didn’t seem as though you were dependent on the same source of information as the rest of us.

      Gotcha. I’m familiar with the platform we run on, so I knew the salt answer – anyone who knows what runs WindowsSecrets could know it as well. The newsletter side is based on WordPress, which salts passwords. The lounge side runs vBulletin, which also salts passwords. Since I knew that, that’s why I posted it.

      But now from the updated announcement we both know that there was no difference between your example and the actual brute force attack with no countermeasures in place.

      I wasn’t the one who researched what happened, as I don’t have direct access to any of the logs or anything else related to the issue. I wouldn’t ever intentionally state something as a fact unless I was certain it was the case. Especially in a situation like this where every word is dissected. Erring on the side of caution, turns out my inferences were accurate.

      The attacker was able to export our email addresses easily enough. Why would hashed passwords be any more difficult?

      Nobody expects the ………. oh, wait …

      Bruce

      I could think of several reasons. Last time I gave you an example you only gave me more grief though. lol

    • in reply to: Windows Secrets newsletter site hacked! #1350443

      You were using the example to explain what could have happened here. How is what actually happened different?

      Although salt may not have affected the administrator’s account being compromised; now the attacker has thousands of names and hashed passwords, it’s relevant, right?

      Bruce

      I don’t know how it’s different from what actually happened. I’m reading the same announcement you are.

      I didn’t actually say the question about salt was irrelevant. I answered it to explain where salt is relevant and where it is not. In the attack vector that gained access to the site, salt didn’t matter – it was a brute force attack on a page that didn’t limit the number of failed login attempts (note the update to the announcement, failed logins are limited on that page now). If the attacker was interested in, and was able to export hashed passwords, the salt does matter.

      It’s not dead because WS are using ambiguity, vagueness and other such whitewashing techniques to divert attention from the fact that they have not revealed the method of the break-in.

      Given their usual approach of being highly investigative of others’ security misdeeds, I find their lack of honesty when it comes to their own back yard to be extremely hypocritical.

      It was a brute force login attack on a page that didn’t limit the number of failed login attempts from a specific IP (this information is available in the announcement I linked above). I believe the best effort has been made at being entirely transparent as soon as possible with as much information as is understood. I hope this helps clarify.
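      Added example, not part of the original posts or of the site's own code: a minimal sketch of the countermeasure the post above says the login page lacked, a limit on failed logins per source IP, extended here with a per-account counter for guesses spread across many addresses. The class and function names, the thresholds and the sample addresses are assumptions made for illustration.

```python
import time
from collections import defaultdict, deque


class FailedLoginLimiter:
    """Sliding-window cap on failed logins, tracked per source IP and per account."""

    def __init__(self, max_failures=5, window_seconds=900, clock=time.monotonic):
        self.max_failures = max_failures
        self.window = window_seconds
        self.clock = clock                     # injectable so the window can be tested
        self._failures = defaultdict(deque)    # key -> timestamps of recent failures

    def _recent(self, key):
        q = self._failures[key]
        cutoff = self.clock() - self.window
        while q and q[0] <= cutoff:            # drop failures older than the window
            q.popleft()
        return len(q)

    def is_blocked(self, ip, account):
        # The per-IP counter stops one host hammering the page; the per-account
        # counter covers guesses against one account from many hosts.
        return (self._recent(("ip", ip)) >= self.max_failures
                or self._recent(("acct", account)) >= self.max_failures)

    def record_failure(self, ip, account):
        now = self.clock()
        self._failures[("ip", ip)].append(now)
        self._failures[("acct", account)].append(now)


def attempt_login(limiter, ip, account, password, verify):
    """Return 'blocked', 'ok' or 'denied'. `verify` is the site's own password
    check (salted-hash comparison); it is a hypothetical callable here."""
    if limiter.is_blocked(ip, account):
        return "blocked"                       # refuse before checking the password
    if verify(account, password):
        return "ok"
    limiter.record_failure(ip, account)
    return "denied"


def demo():
    # Constructed sample: five wrong guesses from one documentation-range address.
    limiter = FailedLoginLimiter(max_failures=3, window_seconds=60)
    verify = lambda account, password: password == "correct horse"
    return [attempt_login(limiter, "203.0.113.7", "admin", f"guess{i}", verify)
            for i in range(5)]
```

      Because the block is checked before the password is verified, a correct guess made while the counter is tripped is refused as well, which is what removes the value of unlimited guessing regardless of how the stored hashes are salted.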

    • in reply to: Windows Secrets newsletter site hacked! #1350212

      BruceR: The user I replied to was asking if we salt passwords and how they are stored. We do salt. My example was for a simple demonstration of a targeted brute force attack, and why the salt wouldn’t matter in a situation like that one. Not an example of what happened here specifically.

    • in reply to: Windows Secrets newsletter site hacked! #1350184

      :huh:

      What isn’t covered on the website, etc. is an acknowledgment that the passwords were salted AND the salt was stored in a different location. If it’s true the password file wasn’t salted, then it’s unforgivable for an organization like Windows Secrets to be so lax in its security process.

      Good questions.

      Salt mitigates a rainbow table based attack, or a brute-force attack on hundreds or thousands of accounts. But it does nothing for a brute-force attack vector on a specific account. The announcement states a brute-force attack was used. An example of a brute-force attack is: They choose an account name, and they try 10 million passwords, hoping one is a match. If that is what they did, the salt wouldn’t matter.

      Passwords are not stored in a file, but they are salty. 😉

    • in reply to: Windows Secrets newsletter site hacked! #1349917

      Kager: The notice was made available as soon as we were able to disclose information as accurate as possible. When something like this happens, it takes time to investigate and understand what happened, then to relay that information. This security event is covered here in the lounge, in the newsletter, and on the windowssecrets.com homepage prominently on the right side. Some answers to your initial questions are listed if you go to the homepage and click the link to the latest statement we released, including the timeline of events.

    • in reply to: Odd “Beep” noise #1345104

      You may also want to check under your desk or chair for an “annoy-a-tron”. It can be taped into place, or it is magnetic as well… We used to tape them to the bottom of drawers in the office at coworkers’ desks. Good office entertainment.

      http://www.thinkgeek.com/product/8c52/

      It beeps. But only very occasionally. And with a tone that is very hard to locate. But you hear it… And can’t quite ever tell just where it’s coming from. Then you go back to what you were doing for a while. And it beeps again. 🙂

    • in reply to: Odd “Beep” noise #1344284

      Is the sound coming from your speakers, or is it coming from the actual box that holds the computer parts?

      There is a system speaker typically on your motherboard, which can make “soft” beeps.

      I also think it’s pretty likely that you just notice the beep while you are surfing the net, but it actually doesn’t have anything to do with being connected to the internet.

    • in reply to: Windows 8 has reached RTM #1343596

      Thanks for the heads up Tinto!

    • in reply to: Where does the power go? #1339888

      In the previously mentioned list of power users, the Hard Drive was erroneously or otherwise left out of the list. Just touch the case of any running laptop, in the area where the HD lives and you will quickly see that it’s a huge heat generator.

      Under load, a rotational drive can pull about 8 watts of power. At idle, they can pull about 5 watts of power. That would be for older, worst case scenario, non-green drives. Compared to the other components listed, that isn’t much – similar to what the wireless chip pulls and other miscellaneous components. If that section of the hard drive is warm, it’s due to the mechanical warming up/friction but not due to the amount of power draw.

    • in reply to: Where does the power go? #1339413

      It depends on the specific hardware in the laptop in question… However, generally speaking, last I looked at figures, the screen accounts for 30% (LCD + LCD backlight) and everything else pales in comparison. The next biggest consumption in most laptops will be the CPU, if there’s a discrete (not integrated) GPU that will be next, then things like drives, wifi cards, etc.

      With that being said, the biggest impact can be made by improved screen technologies. The backlight especially is important – there are LED backlights now which help a lot compared to older laptops using CCFL backlights.

      Processors are always being created with better and better power usage functionality, with increased focus on mobility and the power savings emphasis that goes along with that.

      Graphics has also evolved recently, with the inclusion of technology that enables discrete GPUs to power on during gaming, but power down during web browsing or word processing.

      I expect we’ll see more of these types of improvements to lower power usage further yet.
