Discourse Official Hosting Now Available in EU

Michael Brown November 25, 2019

Yes, Standard and Business hosting is now available in the EU!

"Hosting Region" selector with two choices: US (default) and EU (selected)

Early this year we deployed additional bare-metal hosting in Europe. Until now the EU region was only available to our Enterprise customers, but we are pleased to announce that you can now sign up for Standard and Business hosting in either the US or EU region.

At this time we are not offering same-tier moves between regions.

Presentations on Discourse

Jeff Atwood September 15, 2019

If you’d like a deeper dive into the philosophy of Discourse, the project — what it is, what it set out to do, and why it exists — I can recommend a few presentations and podcasts I’ve done over the years which go deeper on background than what you’ll find on the Discourse home page.

2013: Forums Are Dead, Long Live Forums, presented at Forumcon

(You may want to follow the slide deck as you watch the video.)

2014: Learning versus Discussion, presented at San Francisco Community Managers

2015: User-Driven Product at Stack Overflow and Discourse, presented at Heavybit

2017: Civilized Discourse .. But How?, presented at Heavybit

2019: Jeff Atwood on Discourse, Stack Overflow, and Building Online Community Platforms, with Jono Bacon

If you don’t have time for a video, I recommend clicking through to the Heavybit presentations from 2015 and 2017, as they offer a complete transcript you can quickly read through if you prefer.

There have been other presentations and podcasts, but these are the best ones for getting a broader sense of what Discourse set out to do.

Slack Security Incident

Jeff Atwood September 6, 2019

From mid 2014 to January 2018, Discourse used Slack as an internal chat tool.

In February 2015, Slack had a security incident and notified the affected accounts of “suspicious activity”:

As part of our investigation we detected suspicious activity affecting a very small number of Slack accounts. We have notified the individual users and team owners who we believe were impacted and are sharing details with their security teams. Unless you have been contacted by us directly about a password reset or been advised of suspicious activity in your team’s account, all the information you need is in this blog post.

We were not notified of any suspicious activity for any of our Slack accounts at that time. In July 2019, Slack posted an update and revealed important new information:

In 2015, unauthorized individuals gained access to some Slack infrastructure, including a database that stored user profile information including usernames and irreversibly encrypted, or “hashed,” passwords. The attackers also inserted code that allowed them to capture plaintext passwords as they were entered by users at the time.

We were recently contacted through our bug bounty program with information about potentially compromised Slack credentials. These types of reports are fairly routine and usually the result of malware or password re-use between services, which we believed to be the case here.

We immediately confirmed that a portion of the email addresses and password combinations were valid, reset those passwords, and explained our actions to the affected users. However, as more information became available and our investigation continued, we determined that the majority of compromised credentials were from accounts that logged in to Slack during the 2015 security incident.

Our Slack workspace was permanently deleted in January 2018, and as of that date we no longer use Slack in any capacity whatsoever. We were not notified by Slack of any potential compromises of our old Slack Workspace.

About 3 days ago, we were contacted by an individual who provided excerpts from Slack chat logs from a specific non-management Discourse team member that span dates from July 2015 to March 2017.

Please note that access to Slack, by itself, confers absolutely no access to Discourse systems. We’ve closely analyzed the old Slack chat logs provided by this individual, and any credentials listed in those chat logs.

We identified only one set of credentials in the Slack chat logs that was still valid: those for a Digital Ocean droplet we used for external HTTP ping monitoring, which was no longer in active use. This droplet had no internal access to Discourse systems. We destroyed the old droplet and rebuilt it.
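The review described above, going through a chat export looking for credential-like strings, as an added example written for this page rather than Discourse's own tooling. It assumes a Slack-export-style JSON array of messages with `user`, `ts` and `text` fields; the messages and every value in them are constructed, and the five patterns are illustrative, not a complete secret-scanning ruleset. The same string flagged by two rules is counted once, and the date range of the findings is reported so the exposure window can be stated:

```ruby
require "json"
require "set"
require "time"

# Constructed messages in the shape of a Slack export (user, ts, text).
# Nothing here comes from real logs; every credential value is made up.
SAMPLE_EXPORT = <<~JSON
  [
    {"user": "U01", "ts": "1437000000.000100", "text": "pingbox is up: ssh root@203.0.113.10 pass: Hunter2!pingbox"},
    {"user": "U02", "ts": "1437000100.000200", "text": "cool, I'll check the graphs"},
    {"user": "U01", "ts": "1450000000.000300", "text": "test bucket creds: AKIAIOSFODNN7EXAMPLE / wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"},
    {"user": "U03", "ts": "1480000000.000400", "text": "api_key=0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"}
  ]
JSON

# Illustrative rules only. Each regexp has exactly one capture group: the secret value.
PATTERNS = {
  password:       /\b(?:pass(?:word)?|pwd)\s*[:=]\s*(\S+)/i,          # "pass: hunter2"
  assignment:     /\b(?:api[_-]?key|token|secret)\s*[:=]\s*(\S+)/i,  # "api_key=..."
  aws_access_key: /\b(AKIA[0-9A-Z]{16})\b/,                          # AWS access key id shape
  hex_secret:     /\b([0-9a-f]{32,})\b/i,                            # long hex blob (tokens, hashes)
  private_key:    /(-----BEGIN [A-Z ]*PRIVATE KEY-----)/,            # pasted PEM key
}.freeze

# Returns one finding per distinct credential value per message.
def find_credentials(export_json)
  findings = []
  JSON.parse(export_json).each do |msg|
    seen = Set.new
    PATTERNS.each do |kind, re|
      msg["text"].scan(re).each do |(value)|
        next unless seen.add?(value) # already reported by an earlier rule for this message
        findings << { ts: msg["ts"], user: msg["user"], kind: kind, value: value }
      end
    end
  end
  findings
end

# Slack's ts is epoch seconds with a sequence suffix; map it to a UTC date.
def date_range(findings)
  dates = findings.map { |f| Time.at(f[:ts].to_f).utc.strftime("%Y-%m-%d") }.sort
  [dates.first, dates.last]
end

# Never echo the full value into a report; keep just enough to recognise it.
def redact(value)
  "#{value[0, 4]}...(#{value.length} chars)"
end

if $PROGRAM_NAME == __FILE__
  found = find_credentials(SAMPLE_EXPORT)
  found.each { |f| puts "#{f[:ts]} #{f[:user]} #{f[:kind]}: #{redact(f[:value])}" }
  puts "exposure window: #{date_range(found).join(' to ')}"
end
```

Each finding still has to be checked against what is live, which is exactly the step the post describes; a scanner only narrows the list of strings worth testing.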

Based on our analysis of the Slack logs provided by this individual, we believe the risk to our hosting customers is low, and there is no risk to the Discourse public codebase.

However, out of an abundance of caution:

  • We directly and privately contacted all our enterprise hosted clients within 24 hours of discovery, and provided them a draft of this blog post.

  • We ensured that all internal Discourse credentials, of any type, have been rotated since January 2018.

  • On our hosting, we are now deleting Discourse API keys that have not been used in 4 weeks.

We are also moving up two security-related features, which are now planned for the current beta release, Discourse 2.4:

  • Any unused API keys will always be deleted after 6 months of non-use.

  • We will automatically send reminders to admins when sensitive secrets in your Discourse instance have not been rotated for 2 years.
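The two housekeeping rules above (expire API keys after a period of non-use, remind admins about secrets that have not been rotated), as an added example that is not Discourse's own code. It models keys and secrets as plain structs with assumed `created_at`, `last_used_at` and `rotated_at` timestamps, and the sample records are constructed. One edge case worth getting right: a key that has never been used has no `last_used_at`, so it is aged from its creation date, otherwise it would never expire at all. Both the 4-week hosting threshold and the planned 6-month default are shown:

```ruby
require "time"

ApiKey = Struct.new(:id, :description, :created_at, :last_used_at, keyword_init: true)
Secret = Struct.new(:name, :rotated_at, keyword_init: true)

DAY = 86_400
HOSTING_IDLE_LIMIT = 4 * 7 * DAY    # 4 weeks: the rule applied on Discourse hosting
DEFAULT_IDLE_LIMIT = 180 * DAY      # roughly 6 months: the planned default
ROTATION_REMINDER  = 2 * 365 * DAY  # 2 years: when admins get a reminder

# Keys idle for longer than idle_limit. A key that has never been used
# (last_used_at nil) is aged from created_at so that it still expires.
def stale_api_keys(keys, now:, idle_limit:)
  keys.select do |key|
    last_activity = key.last_used_at || key.created_at
    (now - last_activity) > idle_limit
  end
end

# Secrets whose last rotation is older than max_age.
def secrets_needing_rotation(secrets, now:, max_age: ROTATION_REMINDER)
  secrets.select { |s| (now - s.rotated_at) > max_age }
end

# Constructed sample records (not real keys or secrets).
NOW = Time.utc(2019, 9, 6)
SAMPLE_KEYS = [
  ApiKey.new(id: 1, description: "ci deploy",        created_at: Time.utc(2019, 1, 10), last_used_at: Time.utc(2019, 9, 5)),
  ApiKey.new(id: 2, description: "old ping droplet", created_at: Time.utc(2016, 3, 1),  last_used_at: Time.utc(2018, 12, 1)),
  ApiKey.new(id: 3, description: "never used",       created_at: Time.utc(2019, 7, 1),  last_used_at: nil),
  ApiKey.new(id: 4, description: "mobile app",       created_at: Time.utc(2019, 8, 20), last_used_at: nil),
].freeze
SAMPLE_SECRETS = [
  Secret.new(name: "sso_secret",           rotated_at: Time.utc(2017, 6, 1)),
  Secret.new(name: "s3_secret_access_key", rotated_at: Time.utc(2018, 2, 1)),
].freeze

if $PROGRAM_NAME == __FILE__
  { "hosting (4 weeks)" => HOSTING_IDLE_LIMIT, "default (6 months)" => DEFAULT_IDLE_LIMIT }.each do |label, limit|
    ids = stale_api_keys(SAMPLE_KEYS, now: NOW, idle_limit: limit).map(&:id)
    puts "#{label}: delete API keys #{ids.inspect}"
  end
  names = secrets_needing_rotation(SAMPLE_SECRETS, now: NOW).map(&:name)
  puts "remind admins to rotate: #{names.inspect}"
end
```

Deleting a key is irreversible for whoever was quietly depending on it, so a job like this should log each id and description it removes; a key created 17 days ago and not yet wired up (id 4 above) survives the 4-week rule, which is the intended behaviour.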

Feel free to contact us at team@discourse.org if you have followup questions.

We apologize for this incident, and we will certainly use this as a lesson in how to further improve our security hygiene.
