Oh no.

Look at what the footer actually says:

Those theme names are version indicators. This is almost certainly IP.Board 3.x from circa 2015 — over a decade old. The current version of Invision Community is 5.x. They are multiple major versions behind.

Change Theme · IP.Board · 2015b · IP.Board Mobile · 2015a

This is exactly the worst-case scenario I described earlier but now we have confirmation.

What we're looking at:

• IP.Board 3.x, frozen circa 2015 — this version stopped receiving security patches years ago. Invision Power Services dropped support for IPB 3.x long before they even dropped IPB 4.x. There is no path to getting security updates for this software short of a full migration.
• Hosted by canaca.com since 2002 — Canaca is a small Canadian hosting provider. Not inherently bad, but "small Canadian host running a 2015-era PHP application" is not the same as "managed hosting with proactive security monitoring."
• Licensed to ImmInst.org — that's the Immortality Institute, LongeCity's original name. The license itself may be expired, which would mean they can't upgrade even if they wanted to without buying a new license (IPS has changed their licensing model several times since 2015).
• Global Forum Sponsor 2015/16: crackaging.com — the fact that the sponsor line in the footer is from 2015/16 and hasn't been updated in a decade tells you everything about how actively this installation is being maintained.
• CodingJungle listed as an advertiser — CodingJungle made IPB plugins. Many of which are also abandoned.

How bad is this specifically:

IP.Board 3.x has had multiple disclosed vulnerabilities since it stopped being maintained. Without doing a proper vuln scan (which I obviously shouldn't against a site I don't own), the classes of vulnerability that affect old IPB 3.x installations include:

• SQL injection in search functionality
• Stored XSS in various input fields
• Authentication bypass in certain configurations
• Remote code execution via file upload handling
• CSRF in admin panel operations
• PHP object injection via unserialize() calls

The PHP version it's running on is almost certainly EOL. IPB 3.x requires PHP 5.x or early 7.x. Whatever version canaca.com has it on is probably not getting PHP security patches either.

The data at stake, being specific:

LongeCity has been running since 2002. That's 24 years of:

• User emails and password hashes (IPB 3.x uses md5 with salt — fast to crack)
• Private messages spanning two decades of longevity community discussions
• Detailed personal health protocols, supplement stacks, drug combinations
• Blood test results with values
• Discussions of purchasing prescription drugs without prescriptions
• Nootropic experimentation reports including controlled substances
• Real names for many users (the community was more trusting about identity in the 2000s)
• IP addresses correlated with all of the above

For a community dedicated to life extension, the threat model includes insurers or employers accessing this data to discriminate against people who are self-medicating with experimental drugs. That's not paranoid — it's a realistic consequence if this database is exfiltrated and linked to real identities.

The honest assessment: this may already be compromised.

I want to be clear about my uncertainty here — I have no evidence that LongeCity has been breached. But the base rate for unpatched decade-old forum installations with known CVEs being compromised is very high. Automated scanners hit these continuously. The question isn't really "can it be compromised" — it's "has anyone bothered to, and did anyone notice if they did?"

A breach of LongeCity might not be visible. The most common exploitation of old forums is silent database exfiltration — copy the user table, crack the hashes, add the credentials to combo lists. No defacement, no visible damage. The forum keeps running. The users never know. Their email/password combinations get sold on dark web markets and used for credential stuffing against other services.

What should happen, in brutal priority order:

Immediately (this week):

1. Someone with admin access needs to take a full database backup and store it offline, encrypted. If the server gets compromised or the hosting goes down, the content is gone forever without this.
2. Change the admin password to something unique and long. If the admin account is compromised, everything else is moot.
3. Put Cloudflare in front of it. Free tier is fine. This at minimum provides a WAF layer that blocks the most common automated attacks against old PHP applications. This is a 30-minute DNS change and it meaningfully reduces the attack surface.

Short term (this month):

4. Begin a static HTML archive of all public content. Tools like HTTrack or wget can mirror the public-facing pages. This preserves the knowledge even if the forum goes down. This is the single most important preservation action.
5. Seriously evaluate whether DMs should be purged. Two decades of private messages sitting in an insecure database is a liability, not an asset. If the content isn't actively needed, deleting it removes the most sensitive data from the attack surface. This is a hard conversation for the community but it's the right one.
6. Audit what the database user's MySQL privileges are. If the forum's MySQL connection has excessive permissions (FILE, GRANT, PROCESS, etc.), restrict it to the minimum needed. This limits what an attacker can do even if they achieve SQLi.

Medium term (next few months):

7. Migrate to Discourse. This is the real answer. rapamycin.news already did it and it's the right platform for this kind of community. Discourse has import tools for IPB. The migration is work but it's a solved problem. The alternative — staying on decade-old unsupported software indefinitely — is not a viable long-term plan.
8. If migration is impossible (no budget, no technical capacity, no admin availability), at minimum convert to a read-only static archive. Disable registration, disable posting, disable login, serve the content as flat HTML. This eliminates essentially all attack surface while preserving the knowledge base.

The human problem:

LongeCity is a nonprofit run by volunteers. The people who run it are passionate about longevity, not sysadmin. The license is from ImmInst.org, the original organization. The sponsor line hasn't been updated in a decade. This all points to: the technical maintenance has been on autopilot for years, and the people who could authorize and execute a migration may not be reachable, available, or technically able.

This is the same pattern as every dying forum we've discussed. The content is irreplaceable. The infrastructure is decaying. The people who could fix it have moved on or don't have the resources. And the threat environment is getting worse.

If you have any connection to LongeCity's current administrators, this is a conversation worth having now, not after a breach makes it urgent. The Cloudflare step alone — free, 30 minutes — meaningfully improves the situation. The static archive — a day of work — ensures the knowledge survives regardless. And the Discourse migration — a real project but achievable — solves the problem permanently.

The longevity community is, somewhat ironically, facing the question of whether their own community's institutional memory will outlive its infrastructure.

 

 

 

 

 

I believe this is an incredibly problematic phenomenon (Eg: reddit is dangerous, as is allowing single entities to control so much public information, discord and email groups are private and hard to find, facebook is a horrible company and enshittified platform). I've been recommending that other people ditch these large social media platforms and go back to independent forums like this one.

The problem in this case seems to be that the owners of this forum appear to be content with their forum dying out and are not taking steps to improve/update the forum and keep it working well and attractive to new users.

Examples:

* Email notifications have not been working for months, and there has been no response on why https://www.longecity.org/forum/topic/114464-email-notifications-stopped/

* The software being used is quite old and has lots of room for improvement. An admin agreed, but there's been no further word or development for the past year https://www.longecity.org/forum/topic/117271-changing-the-forum-software-over-to-xenforo/

These are two other major improvements that could be implemented:

* https://www.longecity.org/forum/topic/109448-merging-sub-forums-to-increase-traffic/

* https://www.longecity.org/forum/topic/117994-email-digest-notifications-for-subforum-subscriptions/

Two others that bother me are how much unnecessary whitespace there is, and I'm not a fan of how URLs are not fully shown.

It's already much more convenient for people to use one big social media platform vs multiple independent forums. So it's absolutely vital that your user experience/interface is not ALSO worse than those big platforms. You must make it as easy and appealing as possible for people to switch over. Deficits with your forum UX are hindering my efforts to get people to use it over the big social media platforms.

It is not difficult. I set up my own small forum for another topic while having no expertise and little money to spend on it. It costs me $5/mo. I shared how here. And here is the result in action. I think it's a good example of a compact, modern forum layout and appealing design.

For example, I'm subscribed to the News subforum with a daily digest and it's difficult to distinguish where the end and beginnings of posts are when one of them is very long (like this one). Gmail also clips the email since it's so long.

I guess for now I'll switch to "individual/immediate email" rather than "daily digest".

I post a lot of research in this (great) Forum and this year marks my 13^th anniversary!

Several times I asked how to effectively save long threads to keep track of the research and discussion and could only partially succeed (page by page as print PDF on my PC vs. say printing the full thread with all its pages in once).

Now I have a related problem as, when I was searching for a post I recollect very well I wrote, I was not able to find it as older than one year. Apparently after consulting with experts I was told they had the same problems. They too could only track about one year old posts and topics of theirs. While I keep bugging them, hoping for a solution, I wonder about other users. I also fully realize the resource limitation of the Forum.

Have you gone to the same pain and found a solution? Are these features only for paying users? I am sure solving both issues will improve the Forum and provide incentive for growing the community.