ATS login is not secure

originally posted by: toysforadults
a reply to: Cauliflower

I've read there has been a lot of problems with PKI and CA especially anything that has to do with Symantec.

I guess there is some new CA authentication protocol they are working on not sure where it's at and how secure SSL is anymore.

SSL is NOT secure, at all. The only protocols you should be using now are TLS 1.2/1.1 with VERY specific cipher groups. If RC4 is in your groups, consider yourself already hacked.

a reply to: Tempter

That's what I meant TLS.

I am talking about ROCA

I don't think it has anything to do with the stream cipher but the key itself.

originally posted by: toysforadults
a reply to: Tempter

That's what I meant TLS.

I am talking about ROCA

I don't think it has anything to do with the stream cipher but the key itself.

Yeah, we just just started a project to replace all certs with at least 4096 bit keys to address this very CVE.

Pain in the ass unless you have an enterprise cert manager platform.

a reply to: Tempter

I heard they have a solution with some kind of new authentication protocol for the certificates. Some new later of authentication I forgot exactly.

a reply to: Tempter

www.extremetech.com...

Hmmm. Interesting way of doing things....

originally posted by: Tempter
In all honesty, it'd take any good load-balancer a whole 30 minutes to front end this website with a secure backend channel using up to date cipher protocols and a 302-responding 80 redirect.

Why hasn't this been done yet?

Need some help? I'm cheapish.

I dunno man. I think the owner once chimed in about how this isn't off-the-shelf forum software, it's a custom job. You have to remember that you can still read posts from like 10+ years ago on here, and all the members over the years with all their photos and stuff they've uploaded.

I have a feeling ATS as a site takes up a LOT of storage space, and with as much traffic they have globally, they need dedicated servers...not shared or virtual ones. They also appear to be using a CDN (content delivery network) to boost speeds for page loads. Then, you have to figure in the cost of DDOS mitigation stuff (ATS has been attacked in the past, I remember not being able to get on here and announcements about being attacked being made). So, I'm sure they now pay for some kind of anti-hacking thing too.

So, I don't think ATS is just some website you can host on a VPS (virtual private server) using Unbuntu with DigitalOcean for like $9 a month...

a reply to: Kettu

Wouldn't Amazon really be the best solution??

PaaS?

Fine with this - who's to say I haven't been hacked and my IP spoofed?
Who's to say this is even me, whoever me actually is...since the sign on isn't secure then we can't really be sure can we?

a reply to: iTruthSeeker

Meh. Do you give any more information here than you would give Facebook? I don't. Don't put in a CC# and you'll be fine.

I almost did before I saw that. There have been several reasons since then that I'm glad I didn't donate but that was the first.

originally posted by: Tempter
In all honesty, it'd take any good load-balancer a whole 30 minutes to front end this website with a secure backend channel using up to date cipher protocols and a 302-responding 80 redirect.

Why hasn't this been done yet?

Need some help? I'm cheapish.

Is that you Dan Akroyd?

a reply to: Cauliflower

We aren't engaged in intellectual property theft or insider trading to any serious degree.

So... does this mean we are engaged in such activities to a lesser degree?

Inquiring minds want to know!

a reply to: iTruthSeeker

Many of us don't ever log in or out at all.. just stay in on a bookmarked fav. opening ATS page of choice

PS Really never sign into browsers either

a reply to: Kettu

Ya, ATS is a custom job, which in turn means updated security also becomes a custom job which is way more expensive.

Security on ATS is already a joke.

The real question we should ask is, especially given the funding issues the website has, why hasn't the site been converted to an off the shelf solution that could automatically manage security like phpBB or vBulletin and has low license fees?

Or, if we stay with a custom solution, why not go to tripcodes and eliminate any security concerns?

originally posted by: Abysha
a reply to: iTruthSeeker

Meh. Do you give any more information here than you would give Facebook? I don't. Don't put in a CC# and you'll be fine.

I almost did before I saw that. There have been several reasons since then that I'm glad I didn't donate but that was the first.

Oh I am not too worried about it. At first I was just curious what it all meant. And many knowledgeable people chimed in and told how it works.

originally posted by: mysterioustranger
a reply to: iTruthSeeker

Many of us don't ever log in or out at all.. just stay in on a bookmarked fav. opening ATS page of choice

PS Really never sign into browsers either

I normally don't log out, but ive been testing a live Linux system and it wipes everything upon each boot. It is no biggie though.

originally posted by: iTruthSeeker

originally posted by: mysterioustranger
a reply to: iTruthSeeker

Many of us don't ever log in or out at all.. just stay in on a bookmarked fav. opening ATS page of choice

PS Really never sign into browsers either

I normally don't log out, but ive been testing a live Linux system and it wipes everything upon each boot. It is no biggie though.

Down the road? I'd like to know how LINUX is working for you...I'm interested. Thanks

If ATS is not selling products the is not a real need for HTTPS.

If you log on to ats do not use your password on any other site .

I only use my username and password on ATS and no other site.

Now anyone that believes that the California online privacy protection act is there to help protect you is not all there.

The act is rally there to help the state track you if they want to.

The first thing i learned when i first went on the internet was never trust the internet as there are too many bad guys out there.

Always follow internet safety protocol and do not rely on anyone else to 100% protect you.

originally posted by: mysterioustranger

originally posted by: iTruthSeeker

originally posted by: mysterioustranger
a reply to: iTruthSeeker

Many of us don't ever log in or out at all.. just stay in on a bookmarked fav. opening ATS page of choice

PS Really never sign into browsers either

I normally don't log out, but ive been testing a live Linux system and it wipes everything upon each boot. It is no biggie though.

Down the road? I'd like to know how LINUX is working for you...I'm interested. Thanks

Remember, if something doesn't work with your Linux disto, you don't need it anyway. Bluetooth not working? Meh! No support for multi-touch touchpad? Who needs it! Sound card not recognized? Music is overrated!

I got a brother in law who works for the gov. and is a professor of advanced computer science (so geeky, I can barely talk to him)...and he's been telling me for years and years about building his own Linux system to his specs.

He wrote a few books too on advanced math and comp sci...and has always been expounding on how great Linux is as in the beg. he was just learning himself.

Tryin' to figure out what so special about it..?

Thanks

originally posted by: mysterioustranger
I got a brother in law who works for the gov. and is a professor of advanced computer science (so geeky, I can barely talk to him)...and he's been telling me for years and years about building his own Linux system to his specs.

He wrote a few books too on advanced math and comp sci...and has always been expounding on how great Linux is as in the beg. he was just learning himself.

Tryin' to figure out what so special about it..?

Thanks

On topic, what's the worst that can happen to me due to ATS lax security?

Someone pretends to be me, makes some nasty posts pretending to be me using my hacked credentials and gets me banned. Not that serious of a problem, really, so I'm not that worried about it even if it did happen.

Off topic, the ISS switched from Windows to Linux which has been the scientific community's OS of choice for a long time, but choices for some consumer apps may be more limited, something scientists aren't concerned about:

International Space Station switches from Windows to Linux, for improved reliability

The United Space Alliance, which manages the computers aboard the International Space Station in association with NASA, has announced that the Windows XP computers aboard the ISS have been switched to Linux. “We migrated key functions from Windows to Linux because we needed an operating system that was stable and reliable.”

In specific, the “dozens of laptops” will make the change to Debian 6. These laptops will join many other systems aboard the ISS that already run various flavors of Linux, such as RedHat and Scientific Linux. As far as we know, after this transition, there won’t be a single computer aboard the ISS that runs Windows. Beyond stability and reliability, Keith Chuvala of the United Space Alliance says they wanted an operating system that “would give us in-house control. So if we needed to patch, adjust or adapt, we could.” It’s worth noting that the ISS laptops used to run Windows XP, and we know they’ve been infected by at least one virus in their lifetime: in 2008, a Russian cosmonaut brought a laptop aboard with the W32.Gammima.AG worm, which quickly spread to the other laptops on board. Switching to Linux will essentially immunize the ISS against future infections.
...
To be honest, we shouldn’t be too surprised at the ditching of Windows. Linux is the scientific community’s operating system of choice. CERN’s Large Hadron Collider is controlled by Linux. NASA and SpaceX ground stations use Linux. DNA-sequencing lab technicians use Linux. Really, for applications that require absolute stability, which most scientific experiments are, Linux is the obvious choice. The fact that the entire OS is open source and can be easily customized for each experiment is obviously a very big draw, too.

Recently I ran a quick search for translation software, the offline type and the options were predominantly windows. I didn't spend enough time looking to see if I could eventually find any Linux options or not, but the number of linux users is much smaller and they tend to prefer open-source so I didn't really expect to see a lot of options for Linux.

But if all you need is a browser and some simple apps, the Linux distros like Ubuntu are pretty easy to use.

The Debian Linux distro on the ISS is a little more geek-oriented but is probably the best choice for that application, and the scientists using linux write some of their own custom apps which is more transparent using open source linux instead of closed source windows.