  1. #51

    I don't think you understand the importance of that information. If a website is compromised -- take Gawker for example -- the majority of that information is encrypted. This encryption will stand up for a while and thus the importance of immediate notification.

    From there, your NAME, EMAIL ADDRESS, ADDRESS, PHONE, etc. are all available. With SCF's member size, you're looking at about 350,000 worth of information.

    In addition to that, a large majority of people use the same password for all of their websites. The SCF password gets tried at the associated email address, from there, it's a plain old search for banking/credit card/social insurance/etc.

    That is why this stuff is so incredibly important. I've been told repeatedly that SCF wasn't hacked and I no longer have any reason to doubt that.

    But, please don't trivialize the importance of the information collected. If a website is compromised and you use the same password for all of your online activities very bad things can and will happen. Identity theft can occur with even half of the information stored in this server.

    I'll restate -- this did not happen to SCF -- but please, do not trivialize the importance of the information inside the SCF database.

    Since data seems important to you, here is my take on it.

    First, since I have been a member, this site was never hacked. I am a senior programmer and I can assure you that all custom coding is secure and we take this very seriously. Only 2 people are mandated to access the database directly. They are both professional senior programmers with tons of experience. Mainly, Harry is the SCF forum programmer and I code the card manager.

    So the data is secure and well protected, and so is all our custom coding. We run a well-known version of vBulletin, which is the number one application for discussion forums.

    Back to our decision: I said we decided not to lose any data. We could, and still could, revert to a backup because we have one. We decided not to use the backup because we also have a trade manager that manages our members' trades. To you, wiping out member transactions seems not important; to us they are. We decided to save all data and do a big spring cleanup.

    We took this decision because the data, to us, is far more important than it seems to you.

    We closed the forum for 1h 10 min Monday and reopened for the evening. This is the only downtime. The SCF forum Inventory was never down or affected since it's a separate database. The members were surprised, but so were we. We acted promptly to bring back more and more threads every day.

    Will we make some changes in regard to permissions and access? Of course, we will review many things because none of us want to see this happen again.

    One thing that will not change is that a site like ours mediates transactions between members, and the private information is visible to staff because they are there to protect our members via trade disputes. All staff do a 2-week training to learn how to handle disputes. SCF staff are also constantly on the lookout for scammers or banned members trying to come back. All staff need to access the members' information to be able to verify accounts. We have a new team member who scans all new accounts. I coded a module they use to silently validate accounts. Searches are performed to match information and spot potential known scammers or banned members.

    The security here is more important than you think. We ask a high standard from our volunteers who step up. At the same time, we accept that a long-time member and moderator can make an error. Not one senior manager mentioned the name, in the staff forum, of the moderator who made the mistake. Mike decided that it was an honest mistake, that we make sure we take the measures so it will not happen again, and move on. I am sure the mod was punished enough seeing the consequences.

    SCF is not a company with employees; it's a sports card traders' community and, like in many communities, we all have many friends, and if we step up for this community it is because we like the people, the place and all it offers us.

    In the end the site was down 1 hour and threads are all coming back, more and more every day. Yesterday you could see 2 weeks; today you can see 1 month. We lost not one record, and if I had to decide again, I would do the same thing. My community comes before my comfort of making a phone call to my ISP.
    Last edited by CoolHandLuke; 12-21-2010 at 09:44 PM.

  2. #52









    That is hardly trolling for answers, Mike. That is asking a question and getting a response that reads "Sorry, Mistake moving threads." before eventually getting "someone screwed up because their computer froze and moved all the threads."

    Eventually I got an answer that explained why a back-up couldn't be installed and I was fairly happy. He also asked me what I would've done and I explained exactly what I would've done.

    I'm not going to tell you how to do your job unless I'm asked but if and when I'm asked for my opinion, I'll give it.

    When there is a problem with a website that collects personal information, generally you get more than a two-line answer. Two-line answers incite panic and knowledgeable people fear the worst.


    Or, a two-line answer can indicate that the poster is working very hard trying to fix the site and move back all of the threads, and does not have time to type up a 5-paragraph essay.
    Andrew Bailey Supercollector: 233/263 not including 1/1's (88.6%); 265/466 cards including 1/1's(56.9%)

  3. #53






    asdf
    Last edited by baseballphr3ak17; 11-13-2011 at 11:46 AM.

  4. #54

    This is where I'm confused: you said the only usable back-up was a monthly back-up, unless I misunderstood you. Now you're saying you have a back-up, but chose to not use it because it would erase the transaction history?

    A monthly back-up is not a back up now?

    Data is very important to me, despite what you're assuming. However, I also value performance and certainly wouldn't have coded a trade manager into the same table as the post-forums.

    I have not coded the trade manager and I intend to code it from scratch next year. It will have its own database then. This application has seen many programmers work on it, and when the new owner bought the site, he hired Harry to secure the application because it was a mess. Harry would have loved to code it from scratch, but it costs money and the budget only allowed him to secure it and fix the bugs it had.

    Getting back to the point at hand, if you had a viable back-up and a broken db structure; why would you not simply code a php script to call the back-up db into an assoc array, and fire the hierarchy permission numbers into the current database? It seems like you'd only have to move the threads created since your last back-up manually that way.

    You can apply to Mikesilvia if you wish to do it for free.

    Anyways, I appreciated your most recent response but it was in no way required. I'm sure you value security but I'm sure you understand how difficult it is to believe that someone bypassed all of vBulletin's features that prevent mass destruction of threads.

    I understand that you did not understand my point.

  5. #55





    Chris,

    Thanks for your inputs! It looks like this chat has come up with a nice solution for our threads from 11 Dec and older.
