Dark Knight / Le Chevalier Noir
General Guidelines
---- We need a French translation!
Some Basics
1. Under Board "Frequently Asked Questions" (FAQs) there are 3 sections dealing with General Forum Usage, User Profile Features, and Reading and Posting Messages. These deal with everything from Avatars to Your Notifications. Most general technical questions are covered there. Here is a link to the FAQs. https://forum.chesstalk.com/help
2. Consider using the SEARCH button if you are looking for information. You may find your question has already been answered in a previous thread.
3. If you've looked for an answer to a question, and not found one, then you should consider asking your question in a new thread. For example, there have already been questions and discussion regarding: how to do chess diagrams (FENs); crosstables that line up properly; and the numerous little “glitches” that every new site will have.
4. Read pinned or sticky threads, like this one, if they look important. This applies especially to newcomers.
5. Read the thread you're posting in before you post. There are a variety of ways to look at a thread. These are covered under “Display Modes”.
6. Thread titles: please provide some details in your thread title. This is useful for a number of reasons. It helps ChessTalk members to quickly skim the threads. It prevents duplication of threads. And so on.
7. Unnecessary thread proliferation (e.g., deliberately creating a new thread that duplicates existing discussion) is discouraged. Look to see if a thread on your topic may have already been started and, if so, consider adding your contribution to the pre-existing thread. However, starting new threads to explore side-issues that are not relevant to the original subject is strongly encouraged. A single thread on the Canadian Open, with hundreds of posts on multiple sub-topics, is no better than a dozen threads on the Open covering only a few topics. Use your good judgment when starting a new thread.
8. If and/or when sub-forums are created, please make sure to create threads in the proper place.
Debate
9. Give an opinion and back it up with a reason. Throwaway comments such as "Game X pwnz because my friend and I think so!" could be considered pointless at best, and inflammatory at worst.
10. Try to give your own opinions, not simply those copied and pasted from reviews or opinions of your friends.
Unacceptable behavior and warnings
11. In registering here at ChessTalk please note that the same or similar rules apply here as applied at the previous Boardhost message board. In particular, the following content is not permitted to appear in any messages:
* Racism
* Hatred
* Harassment
* Adult content
* Obscene material
* Nudity or pornography
* Material that infringes intellectual property or other proprietary rights of any party
* Material the posting of which is tortious or violates a contractual or fiduciary obligation you or we owe to another party
* Piracy, hacking, viruses, worms, or warez
* Spam
* Any illegal content
* Unapproved commercial banner advertisements or revenue-generating links
* Any link to or any images from a site containing any material outlined in these restrictions
* Any material deemed offensive or inappropriate by the Board staff
12. Users are welcome to challenge other points of view and opinions, but should do so respectfully. Personal attacks on others will not be tolerated. Posts and threads with unacceptable content can be closed or deleted altogether. Furthermore, a range of sanctions are possible - from a simple warning to a temporary or even a permanent banning from ChessTalk.
Helping to Moderate
13. 'Report' links (an exclamation mark inside a triangle) can be found in many places throughout the board. These links allow users to alert the board staff to anything which is offensive, objectionable or illegal. Please consider using this feature if the need arises.
Advice for free
14. You should exercise the same caution with Private Messages as you would with any public posting.
I understand you simply suspect it was random. Are you saying it was coincidentally struck again since it was cleaned up? That would be a real coincidence!
It is perhaps not entirely random: there are numerous processes that scan websites looking for known vulnerabilities to exploit. Hackers employ fleets of previously hijacked computers to perform this scanning (and by "fleets" I am talking about hundreds of thousands of computers). It is conceivable that websites that yielded once are on a short list of 'juicy' potential targets.
I suppose it is possible that someone who is not thrilled with the CFC deliberately is targeting the website (there are likely a few people with a grudge) but that seems rather paranoid to me.
Sorry to say, but seems that the site (rating part) was hacked again.
Now it has a link to "a0v.org/x.js"
Keep eyes open to any computer message.
This is very sad. There are two possibilities. Either the contractors hired by the CFC to clean the database of infected strings didn't do a very good job. Or equally as bad they didn't implement a filter on input data to prevent further injection attacks. In either case, the CFC web site is still in bad shape.
Some browsers like Chrome and Firefox will warn you not to visit the CFC web site. Internet Explorer won't do you that service. For the time being, I would recommend that CFC members don't query the web site for their ratings. After conducting a limited and unscientific survey of the CFC database, it seems that only some portion of the database has been infected but that's scant comfort if the data you're looking up is polluted with links to malware.
It looks right now that a fully patched computer will block the malware that is being distributed through the link to "a0v.org/x.js"; however, it is probably best to be safe rather than sorry.
As of mid-August, over 55,000 web sites worldwide had been compromised by this attack. That doesn't excuse the fact that the CFC web site is a mess -- it just shares its mess with 55,000 other badly maintained web sites.
Regarding the second question:
"2. Do you think the attacks on the site will stop or be unsuccessful with a new setup?"
I am not a wizard :)
Attacks will never stop; they will go on forever. There are a lot of scripts walking around and searching for vulnerable sites.
However, there are ways to prevent (avoid) damages. You must be ahead of this and try not to step on the rake the second time...
----
Two posts above mine appeared while I wrote mine. I totally agree with both of them.
Last edited by Egidijus Zeromskis; Monday, 21st September, 2009, 02:48 PM.
Reason: postediting
I agree with Kerry. The site is infected again just because it is vulnerable. There's nothing deliberate here or malicious in a directed sense against the CFC. It is simply the case that if a vulnerability exists, it will be found and it will be exploited independent of what site it is. It's all done automatically. That's what makes the propagation of malware so efficient.
I thought the ratings were an add on which could be separately repaired or rewritten.
Lots of chess organizations have lookup ratings. FIDE, ICCF, other national federations and at least some private servers.
When large sum$ are involved, one has to be cautious. Let us not be naive. Why is the site hacked? When a crime is involved, follow the money. Who stands to benefit? If there are tens of thousand$ to be made by fixing web sites, the person doing the fixing is suspect. If the fixers are infecting web sites they stand to profit from people (or groups) willing to pay huge sums to effect repairs. If the CFC forks out 10 or 20 Gs are they perhaps paying the blackmailer?
Am I being paranoid or merely cynical?:(
Unless some fantastic deal came along, like almost free, I'd keep the existing site. I can't see anything the CFC is doing, or a large enough membership, to justify spending that kind of money on a new website.
It's actually pretty funny. CFC governors wanting to spend that kind of money on a website and kids building their own sites, which are just as good, for free. :)
Hi Steve:
I'm a little out of date on this but I'm assuming this is a SQL injection attack again. Shouldn't this be relatively easy to block/filter since the only parts of the CFC site open to it are the ratings page (maybe the crosstable page?) and anything in the equipment store. So why not just shut down the equipment store and be done with it?
(And maybe somebody should re-think how the equipment business is outsourced.)
Even so, it's not hard to pass *any* input into a filter function to strip out the unexpected SQL, whether the application is ASP-based or not.
Steve
P.S. And once somebody's 'bot manages to breach your site once, it will keep on trying.
Yes, a filter on any input would be a good idea. Writing a good filter is non-trivial since attackers often use clever encryption schemes to hide their malicious payload. Additionally using stored procedures for SQL queries can help make a web site more resistant to attacks.
Security is possible for classic ASP web sites but it is easier working through these problems in ASP .Net.
For classic ASP web sites (like the CFC web site), a really nice tool from Microsoft is called UrlScan. It's a web server add-on that intercepts postbacks, url query strings, etc. and can be told to look for SQL injections. I've used this on legacy ASP sites and it works pretty well. Here's a link to some info on URLscan:
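The two preceding posts discuss a "filter function" that strips SQL out of input versus stored procedures and parameterised queries. The following is an added illustration written for this edit, not code from the thread or from the CFC site; it uses a constructed in-memory SQLite table (the CFC schema is unknown) and a blacklist filter invented here to show the pattern. It puts the concatenated lookup, a naive keyword-stripping filter, and a parameterised lookup side by side, and shows a payload that walks straight through the filter by doubling each blacklisted word, while the parameterised version is unaffected:

```python
import re
import sqlite3

# Constructed sample table standing in for a ratings lookup; not the CFC's
# schema or data. Everything here is an added illustration, not site code.
SAMPLE_ROWS = [("100001", "Alice", 2105),
               ("100002", "Bob", 1870),
               ("100003", "Carol", 1532)]


def open_ratings_db():
    """Build an in-memory copy of the constructed ratings table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE ratings (cfc_id TEXT, name TEXT, rating INTEGER)")
    conn.executemany("INSERT INTO ratings VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn, cfc_id):
    """String concatenation, the pattern behind most legacy ASP/ADO injections.
    Whatever the user typed becomes part of the SQL text."""
    sql = "SELECT name, rating FROM ratings WHERE cfc_id = '" + cfc_id + "'"
    return conn.execute(sql).fetchall()


# Hypothetical blacklist of the kind a hand-written "filter function" uses.
BLACKLIST = re.compile(r"union|select|insert|update|delete|drop|exec",
                       re.IGNORECASE)


def strip_sql_keywords(value):
    """A naive filter: delete blacklisted words in a single pass."""
    return BLACKLIST.sub("", value)


def lookup_filtered(conn, cfc_id):
    """Concatenation again, but the input is run through the blacklist first."""
    return lookup_vulnerable(conn, strip_sql_keywords(cfc_id))


def lookup_safe(conn, cfc_id):
    """Parameterised query: the value never becomes SQL text, so no filter is
    needed. In classic ASP the equivalent is an ADODB.Command with
    parameters, or a stored procedure called through one."""
    return conn.execute(
        "SELECT name, rating FROM ratings WHERE cfc_id = ?", (cfc_id,)
    ).fetchall()


# Payload that appends a UNION to read attacker-chosen values; the trailing
# quote of the original statement closes the attacker's last literal.
UNION_PAYLOAD = "' UNION SELECT 'pwned', 9999 FROM ratings WHERE cfc_id = '100001"

# Same payload with each blacklisted word wrapped around a copy of itself.
# A single-pass strip removes the inner copy and leaves the outer one intact.
DOUBLED_PAYLOAD = ("' UNIUNIONON SELSELECTECT 'pwned', 9999 "
                   "FROM ratings WHERE cfc_id = '100001")


def demo():
    """Run each lookup against the honest ID and the two payloads."""
    conn = open_ratings_db()
    return {
        "vulnerable_honest": lookup_vulnerable(conn, "100002"),
        "vulnerable_union": lookup_vulnerable(conn, UNION_PAYLOAD),
        "filtered_doubled": lookup_filtered(conn, DOUBLED_PAYLOAD),
        "safe_union": lookup_safe(conn, UNION_PAYLOAD),
        "safe_doubled": lookup_safe(conn, DOUBLED_PAYLOAD),
        "safe_honest": lookup_safe(conn, "100001"),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(label, rows)
```

The filtered path returns the attacker's row because `UNIUNIONON` collapses to `UNION` after one stripping pass; a filter that loops until nothing changes closes that hole but still has to anticipate comments, encodings and the database's own functions, which is the non-trivial part the post above mentions. SQLite only runs one statement per call here; the ADO/SQL Server combination behind many legacy ASP sites accepts a batch, which is how a single injected request can append a script tag to every text column in the database. The parameterised lookup returns nothing for either payload, because the whole string is compared as a value.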
1. I take it that you see no reason that CFC cannot continue on with the existing website.
2. You mention ASP support - I do not understand this technical issue. But Stijn de Kerpel, CFC V-P has posted:
"Another problem is as Chris has stated is that it requires ASP support - which is (from what I understand) something very few providers provide support to anymore - which makes it all the more difficult when we ask someone to find the problem and solve it, or even to do some enhancements."
Has he got a critical concern here, that means we should move to a new website?
3. What do you see as the most difficult aspects of continuing on with the existing website?
Bob
1. Yes.
2. Change web hosting companies to Cogeco which will charge $30 per month or a bit less if you pay by the year. ASP support will then become a non-issue and you will have 24 hour support 365 days a year. If you have a problem and call their toll free support line you will get to talk to a real person based in Canada who will understand your problem after you explain it to them and will get it resolved.
3. The people running it which will not be resolved by updating the website. The CFC will spend money that could go to funding the Olympic team and Canadian Closed and promoting chess on a website which will not make any difference if you keep everything else the same.
I just wish the CFC will drop its propensity to shoot itself in the head but maybe I am hoping for too much and should just shut up and let the inevitable happen again and again and again.
If I'm not mistaken, most of what you complain about has to do with content maintenance - misplaced and dated as John Cordes has said. This has more to do with our contract with EKG and the limited 3.5 days Gerry allots to CFC for all " normal " operations, than website design or program coding - he has no time to update the website or rearrange it to make it more organized.
Here is a list I have sent to Stijn to be done:
1. “ Contact Us “ – a) there are 18 Ontario governors shown, and Ontario is only entitled to 17, according to Gerry. OCA President Chris Mallon must recall one of the Ontario governors;
b) the governor Can. Champion and runner-up have to be replaced – Jean Hebert and Mark Bluvshtein;
c) I submitted a picture of myself to the Governors’ List, but Gerry had some technical problem posting it and said he needed some expert techie help on what was the problem. Here is the picture attached again;
2. Top Females – Hazel Smith ( 2015 ) is still missing ( Yuanling Yuan, who had been missing, has been added however );
3. Home Page – Canadian Champions – all needed to be updated to show 2009 Champions ( still showing 2007 & 8 champions );
4. Home Page “ Store “ advertisement:
The home page shows:
Sale
Most books and software 50% OFF.
No backorders.
While supplies last.
Free shipping on orders over $100.
Go to the CFC store.
I thought this was an item from a long time ago, when CFC was selling its own inventory of books when we were just setting up our arrangement with Amazon. Is this still current? Are we still selling off some of our own CFC past inventory?
I know we are still in the equipment/supplies business, with FEN as agent to deliver on our contracts - but does it still include books, since the reference is to our “ store “ ?
5. Olympic Team, etc. information not labelled to show its relevant date ( one can wrongly think it is current information ) - you mention this - I mentioned it to Gerry some time ago I believe, but forgot to put it on this list ( you also mention it ).
And your list of content/presentation updates and reorganizations ( all of which can easily be done on the existing site, given enough time ) adds more outstanding work to be done.
But, as I say, I don't see this as the argument for needing a new website.
Bob
I agree. In my opinion content maintenance is the only important problem. When you manage a website, if people send you content then 90% of the problems are solved. If many people send content regularly with lists of changes then the job of the webmaster is 75% easier. He will always feel that it is too much, but since the content is already built, he spends a few hours in the code without having to WRITE texts and the job is done.
For the security problems, since there is little DATA INPUT from the users (TRANSACTIONAL) on the website it is probably easier to let the actual webmaster work on it and find solutions and slowly take control of the environment by closing the open doors. If it is too difficult for him to close the hackers' doors then he could have a batch job at night to generate HTML lists of tournament schedules and ratings so that there would be nothing ONLINE TRANSACTIONAL at all. I have not seen the CFC system in detail but you get the idea. With nothing transactional online, the batch could run on his own home PC and the html pages could be hosted for free at www.emenace.com or www.freewebhostx.com with no servers at all.
Carl
Last edited by Carl Bilodeau; Tuesday, 22nd September, 2009, 02:13 PM.
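The nightly-batch idea above removes the injection surface, but the database may already hold rows polluted with the script link the thread mentions, so the generator also has to encode what it writes out. The following is an added illustration for this edit, not code from the thread or from the CFC; the rows are constructed (one name deliberately carries a stored script tag as text; nothing is fetched from that address) and the table layout is a stand-in for whatever the real ratings table looks like. It reads the rows, HTML-escapes every database value on the way into a static page, and writes that page to a directory that a plain host could serve with no database behind it:

```python
import html
import os
import sqlite3
import tempfile

# Constructed rows, not CFC data. The second name carries the kind of script
# tag the thread describes, exactly as it would sit in a polluted row.
INJECTED_TAG = '<script src="http://a0v.org/x.js"></script>'
SAMPLE_ROWS = [("100001", "Alice", 2105),
               ("100002", "Bob" + INJECTED_TAG, 1870),
               ("100003", "Carol", 1532)]


def read_ratings():
    """Stand-in for the nightly read of the ratings table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE ratings (cfc_id TEXT, name TEXT, rating INTEGER)")
    conn.executemany("INSERT INTO ratings VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn.execute(
        "SELECT cfc_id, name, rating FROM ratings ORDER BY cfc_id"
    ).fetchall()


def render_ratings_page(rows):
    """Emit a static HTML table. Every text value is escaped on the way out,
    so a stored '<script ...>' is displayed as text instead of executed."""
    out = ['<!DOCTYPE html>',
           '<html><head><meta charset="utf-8"><title>Ratings</title></head>',
           '<body><table>',
           '<tr><th>CFC ID</th><th>Name</th><th>Rating</th></tr>']
    for cfc_id, name, rating in rows:
        out.append("<tr><td>{}</td><td>{}</td><td>{}</td></tr>".format(
            html.escape(cfc_id, quote=True),
            html.escape(name, quote=True),
            int(rating)))  # numeric column: cast, never interpolate raw text
    out.append("</table></body></html>")
    return "\n".join(out)


def publish(out_dir):
    """Write ratings.html into out_dir and return its path. The host that
    serves out_dir needs no database and accepts no user input."""
    page = render_ratings_page(read_ratings())
    path = os.path.join(out_dir, "ratings.html")
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(page)
    return path


if __name__ == "__main__":
    print(publish(tempfile.mkdtemp()))
```

Escaping at output is what makes the injected row harmless to visitors; cleaning the rows is still worth doing, but a generator that escapes will not re-publish the payload if a row is missed or re-infected. The same escaping belongs in the live ASP page too, if the dynamic lookup is kept.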
2. Change web hosting companies to Cogeco which will charge $30 per month or a bit less if you pay by the year. ASP support will then become a non-issue and you will have 24 hour support 365 days a year. If you have a problem and call their toll free support line you will get to talk to a real person based in Canada who will understand your problem after you explain it to them and will get it resolved.
Not true. No web hosting company is going to supply software support especially for $30/month. Web hosting services like Cogeco provide the physical server and web serving software for your website. They might also include some software to make it easier for you to build a web site. But no one is going to debug your ASP code or instruct you on how to harden the security on your site for that sort of money. Those are services that fall outside of web hosting.
There are many good hosting services. The choice usually depends on what you need (IIS or LAMP) and what sort of customer service you want (for example, regular backups of your databases, etc.). Pretty much you get what you pay for. If you go to a discount host (like GoDaddy), you get discount service.
For an organization like the CFC with database driven content (the ratings data), you're probably looking at $20 to $60 per month. The Scarborough Chess Club which uses a modern content management system costs $20 per month to host.
Last edited by Steve Karpik; Wednesday, 23rd September, 2009, 12:07 AM.