No admins now?

Please refrain from joking around in this forum. Your posting privileges are being discussed.

ETA: Smeghead, that goes double for you.

Especially if the “position” is bend over and rest your head on this block…

(Ellipsis bolding mine) Please note that the extra period is inappropriate for this forum.

Again, bolding mine.

This is just a note, Ivory Tower Denizen. I probably would have ignored this, but you’ve been around a while and so I expect more from you.

I give 133% to the SDMB!

To do this manually, what level of access do you need to have? Someone has to have at least file level access, so that they can grant permissions to others, right?

My other idea is that they get the database by using some sort of exploit that only works through an administrator account.

Hm, you seem to know a lot about how this went down… New Admin **Kayaker** would like to request a word with you.

Even Cecil has been demoted.

Hasn’t that always been his title, though?

I’m sorry but we are all out of peeps.

You’ve got to be f—ing kidding me.

Does it concern anyone else that no mods have commented on this thread?

Still the Perfect Master, but now he’s being perfect as a Moderator.

It says, perhaps, more about the Sun-Times than it does about the board.

What are you talking about? New admin Kayaker’s been posting a bunch.

:slight_smile:

What carnivorousplant said.

Correct. Although anyone who has this level of access can pretty much do anything they want, so it’s unlikely they’d bother going through the vB interface at that point.

This is probably what happened. My initial theory was that they did it because they were incorrectly postulating that the breach was caused by a hacked admin account pulling the data from the database directly, which would only be possible if they’d set those permissions up in advance. However, poster McNutty on my board did some research and explained that it appears that one can get database access by exploiting a security hole to install a malicious vB add-on, which admins have permission to do by default. There are enough ways to spoof a seemingly legitimate message from the server (e.g. a reported post) that it would have been very hard to defend against such an attack.

So removing admin access makes sense until they can figure out how to prevent such an occurrence in the future. Given how rarely they change anything in the vB configuration here, it probably makes sense to keep any account used for posting at super moderator level access. When they need to do something admin-y, e.g. IP ban someone, they could set up separate accounts for that (e.g. TubaDiva-admin) that they only log into temporarily to perform AdminCP tasks. That’s what I would do, anyway.

Maybe the guy has a time machine. Goes forward to a time when he has already hacked in, gets an admin password and comes back in time to use the admin password to hack into the Straight Dope.
I think they’d better look closely at those Dopers who have the highest scores in the Death Pool. :dubious:

With my computer, it says Kayaker’s a guest. Or was I whooshed?

Whooshed. He is only a Hall Monitor. :slight_smile: