

Avast forum offline due to attack - sunilkumarc
http://blog.avast.com/2014/05/26/avast-forum-offline-due-to-attack

======
LawnGnome
It appears they were running SMF, so in this case "hashed" means "a single
iteration of SHA-1 after salting with the username"[1]. Ugh. Hopefully nobody
was using a password they used elsewhere.

[1]
[https://github.com/SimpleMachines/SMF2.1/blob/release-2.1/So...](https://github.com/SimpleMachines/SMF2.1/blob/release-2.1/Sources/Subs-
Auth.php#L570) — I can't find a public VCS for 2.0.x, but the code hasn't
changed.

~~~
epochwolf
Unfortunately, forums with decent security, forums that are free, and forums
that have the features you are looking for are groups that rarely overlap.

SMF was the only viable option for a forum I started. My requirements were

    
    
        1. An events calendar
        2. Discussion boards with varying permissions
        3. Tiered membership 
        4. Automatic events newletter
        5. Costs less than $10/month to host
        6. Takes less than 2 hours/month of technical work to run
        7. Can be set up and running in less than 40 hours.
        8. Can be run/hosted by someone else if I'm no longer have time to manage the site.
    

I'd write my own but there's only so much time available in a day. I'll be
looking into a way to add bcrypt hashing to SMF as a plugin. Not an easy thing
to solve.

Edit: "newsletter" isn't the same thing as forum reply notifications.

Edit2: Added requirement #8.

~~~
infogulch
Have you considered Discourse[1]?

It can act as a mailing list with reply-able email notifications or
daily/weekly/semi-weekly digests. Super easy setup and maintenance.

[1]: [http://www.discourse.org/](http://www.discourse.org/)

~~~
epochwolf
Discourse lacks an integrated calendar. Also, forum notifications aren't
sufficient when I want to set a weekly events newletter to people that haven't
read the forum recently.

~~~
infogulch
In Discourse, the word for "newsletter" is "digest". And it can be set up by
users to email them weekly.

About the integrated calendar, you're right it doesn't have one integrated. I
wonder if someone would develop a plugin[1] for it...

Edit: Actually, somebody already thought of this and there's already a
plugin[2] for it. Here it is in action[3].

[1]:
[https://meta.discourse.org/category/extensibility/plugin](https://meta.discourse.org/category/extensibility/plugin)

[2]: [https://meta.discourse.org/t/discourse-topics-as-google-
cale...](https://meta.discourse.org/t/discourse-topics-as-google-calendar-
events/11794)

[3]:
[http://yhteinen.fi/events?locale=en](http://yhteinen.fi/events?locale=en)

~~~
epochwolf
Interesting. This wasn't available back in February.

I considered Discourse since I am very familiar with rails but adding the
features I required would have taken more time than I had back then.

------
mandlar
Direct link to blog post: [http://blog.avast.com/2014/05/26/avast-forum-
offline-due-to-...](http://blog.avast.com/2014/05/26/avast-forum-offline-due-
to-attack/)

~~~
dang
Thanks. Changed.

------
atmosx
Let me guess, it was a virus \o/

