Regular readers will have noticed that we’ve been offline for several days. As you can see, during that time, we’ve made some major changes to the site, and though the design has changed substantially, we’ve made even more dramatic changes in the back-end. We are now running our 6th major iteration of OSNews. It all was precipitated by messages from readers we’ve received over the past few weeks alerting us that they’ve been getting spam, phishing attempts, and some weak-sauce cyber-extortion emails at addresses that were unique to their OSNews accounts. Read on for more.

It certainly seems like we’ve had a breach. Our best guess is that someone was able to exploit a vulnerability in old, unmaintained code in the site’s content management system, and made off with at least some user data, which may be as little as a few user records or, at worst, our entire database. Your email addresses were in there, and the encryption on the passwords wasn’t up to modern standards (unsalted SHA1). The truth is that once we concluded it was likely that we were breached, our small volunteer team decided it was better to go offline than it was to learn the avenue of exploit, given that we had no interest in continuing to rely on the aged codebase.

Other than potential spam, though, we’re not aware of any other nefarious use of your data, we don’t store much beyond email addresses and passwords, but nonetheless, we’ve very sorry that we weren’t more diligent over the years with keeping in lockstep with best practices with respect to site security.

Upgrading the site has been long overdue. In fact, we’d made a serious attempt at discontinuing the old CMS a few years ago, and a few years before that, and it got bogged down both times by the fact that we depend on volunteer help and we all have real lives. The OSNews system is old. The last meaningful update to the codebase was in 2008, with much of the logic based on the 2005 “version 3” rewrite of OSNews. File modification times of 2014 or older were almost always small tweaks or bug fixes. The site was largely written for PHP 4 and it never had a proper maintenance plan. We’ve now migrated the site to WordPress. For all its faults, WP is at least a known quantity. Many thanks to Adam Scheinberg for spending so many hours over his winter break migrating the data from the old CMS to WordPress.

To be perfectly honest, when contemplating what needed to be done to properly move the site to a new platform, I considered just throwing in the towel and going offline permanently. Revenues from advertising don’t cover expenses, and though this could probably be rectified by exploring more creative sponsorship approaches, I don’t have the time. I’m currently trying to get a startup off the ground. I love being a part of this community, and I’m willing to continue to invest in it, but I only want to keep it going if it’s going to remain vibrant and meaningful.

In order to keep your history from the old site, and to make that re-association process as painless as possible, we’ve written a very simple account migration tool. The tool checks your login against a very stripped down version of our old user table and then re-encrypts your password. When you login to the new OSNews site, your password will be encrypted using a modern secure algorithm, which is currently PHP’s password_hash function, which uses Blowfish or Extended DES and can change over time so we don’t repeat any past mistakes.

I’d like to conclude this update with a cry for help. The only way to achieve this dream of vibrancy and meaningfulness is with your help. One of the advantages of the new platform is that it will make it easier for us to include new contributors and do experiments. What can you do?