posted at 2013-08-26 12:50 by capnhector

I would like to thank the admins of teamleague for their actions during the hacking of the site. Resetting the passwords and acknowledging that even though the passwords were hashed they are still open to cracking and should be changed was very refreshing to see.

From a techie point of view, if the admins do not feel it would make the site vulnerable, what hash algorithm was used before the attack and is in use now? This is just idle curiosity from another programmer and security minded IT professional.

posted at 2013-08-26 17:24 by jaberwock

As a security minded IT pro, you can probably understand why it will not be shared.

posted at 2013-08-26 17:27 by capnhector

Totally understand. Once again thank you for not trying to sugar coat the breach.

posted at 2013-08-26 19:38 by wmahan

The hashes were unsalted SHA-1. That is a poor choice, but I didn't make the decision.

After the hack I changed the hashes to be (salted) bcrypt instead.
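
To make the point in wmahan's reply concrete, here is an added example (not code from the thread or from TeamLeague) contrasting an unsalted SHA-1 table with a salted, iterated hash. bcrypt needs a third-party package, so stdlib PBKDF2-HMAC-SHA256 stands in for it (an assumption); the usernames, passwords and leaked table are constructed.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample: a "leaked" table of unsalted SHA-1 hashes, the scheme
# the thread says was in use before the fix. Identical passwords collide.
LEAKED_SHA1 = {
    "alice": hashlib.sha1(b"chess123").hexdigest(),
    "bob":   hashlib.sha1(b"chess123").hexdigest(),
    "carol": hashlib.sha1(b"kn1ghtm0ve").hexdigest(),
}


def sha1_lookup(leaked: dict, candidates: list) -> dict:
    """Show why unsalted hashes are weak: hash each candidate once and match
    it against every user at no extra cost (a precomputed table attack)."""
    table = {hashlib.sha1(c.encode()).hexdigest(): c for c in candidates}
    return {user: table[h] for user, h in leaked.items() if h in table}


# Hardened form. PBKDF2-HMAC-SHA256 stands in for bcrypt here (assumption);
# the properties that matter are the same: a random per-user salt and a
# tunable work factor, so equal passwords no longer produce equal hashes and
# each guess must be recomputed per user.
ITERATIONS = 200_000


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'pbkdf2_sha256$<iters>$<salt-hex>$<digest-hex>' with a fresh salt."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; constant-time compare."""
    _, iters, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))
```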

posted at 2013-11-05 02:55 by bodzolca

Just a quick question: does FICS support a secure channel and do most of the interfaces use it? Tutorials (e.g. on making a bot) don't go beyond telnet and if that is all, the discussion about a particular hash algorithm is probably moot.

posted at 2013-11-11 21:52 by wmahan

That's a good question. The answer is that no, FICS does not support any encryption. As you imply, that's less than ideal, but there's nothing TeamLeague can do about that.

The TeamLeague website does not currently support https connections, but I hope to fix that at some point. I don't agree that the discussion of other security issues is moot. Password hashing applies to threat models other than just a passive eavesdropper, as the recent hack illustrated.

posted at 2013-11-12 08:48 by bodzolca

True, I misspoke. I'm not aware of the nature of the attacks, but if password hashes were exposed then it's true that choosing a more robust hash algorithm is the best you can do given the circumstances. I did not intend to belittle your contribution to restoring the FICS.

So the best we can - as users - do is probably not to reuse passwords.

posted at 2013-11-25 17:49 by jaberwock

Stop spamming.
posted at 2013-11-25 19:40 by robertfrost