Comment by RajT88
3 years ago
Use ubiquitous open source software, which has been battle-hardened over the years.
I ran a web forum for years, either on phpBB or YAF.net. Never got compromised. Constant, round-the-clock attacks though.
I think the ultimate saving grace is that the site didn't contain anything of interest - it wasn't selling anything, so no stored credit cards. No digital goods to steal, no public forum topics which relate to videogames, politics, etc. It was a small forum for friends of mine, so there was no obvious community anyone wanted to ruin.
The worst we got was that some spam bots would once in a while breach the captcha and start posting ads. Easily fixed. Not a hack, per se, but not benign either. I don't think we ever attracted the attention of a human hacker, and that's likely why we never got breached.
Also - I am more knowledgeable now. Also install ModSecurity. That will block a lot of malicious stuff once you tune it to your application.
PHP forum software getting hacked used to be a very common occurrence. Not so sure about those, but I remember a vBulletin one being exploited.
Yeah, sure. phpBB had plenty of exploits too.
You could read about them as they were published/fixed.
Genuine question: do you feel that FOSS is at a disadvantage when it comes to security/threat prevention? The hypothesis would be that potential attackers are able to gain the advantage by being able to fully review the source in advance and leverage potential weaknesses. (Or worse, contribute to the project and inject weaknesses.)
It's the other way around. Only FOSS code has the ability to gather reviews, improvements and fixes from the general public. Security through obscurity is not security.
> Security through obscurity is not security
I've never felt comfortable with that argument.
Yes, if you are a big corporation and you have many employees with eyes on the code, there's no obscurity: when an employee goes rogue, you are wide open.
But if you are the only person with access to the code, obscurity works.
That is a nice hypothesis. The real world isn't that nice. You are assuming that proprietary software vendors care about fixing security vulnerabilities. Most of them don't and they will sue you if you make the foolish mistake of not contacting them anonymously.
The truth is that hiding source code is the security barrier for most proprietary software and nothing else.
> Never got compromised.
What makes you 100% sure you would have figured it out?
One way of checking is that emails and passwords/hashes might appear in leaks and then in DBs like https://haveibeenpwned.com/
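The leak check mentioned above, as an added example that is not part of any comment in this thread: it uses the Have I Been Pwned "Pwned Passwords" range endpoint (the k-anonymity API, which needs no key), sending only the first five characters of a password's SHA-1 and matching the rest locally. The sample range response embedded below is constructed, and the `fetch_range` helper is the only part that touches the network; the forum endpoint and field names are not from the page.

```python
import hashlib
import urllib.request

HIBP_RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_upper(password: str) -> str:
    """Uppercase hex SHA-1, the form the Pwned Passwords API uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def parse_range_response(text: str) -> dict:
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}.

    With the Add-Padding header the API also returns count-0 filler
    lines, which are kept (they simply never match a real password)."""
    counts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def pwned_count(password: str, range_text: str) -> int:
    """Number of times this password appears in the leak corpus (0 = not seen).
    Only the 5-char prefix ever leaves the host; the suffix match is local."""
    digest = sha1_upper(password)
    return parse_range_response(range_text).get(digest[5:], 0)


def fetch_range(prefix: str) -> str:
    """Network call: fetch the range for a 5-char SHA-1 prefix. A forum stores
    salted hashes, so this is only usable at login/registration time, when the
    plaintext is briefly available; it cannot be run over a stored hash column."""
    req = urllib.request.Request(
        HIBP_RANGE_URL + prefix,
        headers={"Add-Padding": "true", "User-Agent": "forum-leak-check"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed sample response: two filler suffixes plus one real-looking hit.
_LEAKED = sha1_upper("password123")
SAMPLE_RANGE = "\n".join([
    "0018A45C4D1DEF81644B54AB7F969B88D65:2",
    f"{_LEAKED[5:]}:123456",
    "00D4F6E8FA6EECAD2A3AA415EEC418D38EC:0",
])
```

A live check would be `pwned_count(pw, fetch_range(sha1_upper(pw)[:5]))`; a non-zero result means the password is in a known leak and the account should be forced through a reset.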