What is captcha2? Something like web2 :S.
Anyhow, Rich was referring to the phpBB captcha; your article talks about the captchas from Gmail, Yahoo and Hotmail, which are completely different from the one used by phpBB.
But as I've stated earlier in this thread, we have suspicions that the phpBB captcha is broken; we however don't know this for sure yet.
[Discussion] Downtime and Server Compromise
Forum rules
Discussion of general topics related to the new release and its place in the world. Don't discuss new features, report bugs, ask for support, et cetera. Don't use this to spam for other boards or attack those boards!
- Erik Frèrejean
- Registered User
- Posts: 207
- Joined: Thu Oct 25, 2007 2:25 pm
- Location: surfnet
- Contact:
Re: [Discussion] Downtime and Server Compromise
Available on .com
Support Toolkit developer
Re: [Discussion] Downtime and Server Compromise
Erik Frèrejean wrote:
> What is captcha2? Something like web2 :S.
Sorry, I meant to say reCaptcha (http://recaptcha.net/). I've had it in use in one application for six months and so far no problems. (famous last words.) And I'm even getting reasonably favorable comments from the usual Captcha-hating crowd.
Erik Frèrejean wrote:
> Anyhow, Rich was referring to the phpBB captcha; your article talks about the captchas from Gmail, Yahoo and Hotmail, which are completely different from the one used by phpBB.
> But as I've stated earlier in this thread, we have suspicions that the phpBB captcha is broken; we however don't know this for sure yet.
I won't sit here and exclaim "captcha is captcha" but there are similarities in both structure and implementation that tell me your concerns are well founded. Glad to see you're thinking about it.
Good Luck!
- Erik Frèrejean
- Registered User
- Posts: 207
- Joined: Thu Oct 25, 2007 2:25 pm
- Location: surfnet
- Contact:
Re: [Discussion] Downtime and Server Compromise
woodp wrote:
> Erik Frèrejean wrote:
>> What is captcha2? Something like web2 :S.
> Sorry, I meant to say reCaptcha (http://recaptcha.net/). I've had it in use in one application for six months and so far no problems. (famous last words.) And I'm even getting reasonably favorable comments from the usual Captcha-hating crowd.
reCaptcha is doing a good job indeed. But as you need to sign up for it, reCaptcha will never ship as the default phpBB captcha. phpBB 3.2 will however have reCaptcha included (it's in the trunk right now).
But let us now go back on topic and discuss the Downtime. Captcha discussions are fine, but please start a different topic regarding this.
Especially as the breaking of the captcha isn't related to the hack.
Available on .com
Support Toolkit developer
- EXreaction
- Registered User
- Posts: 1555
- Joined: Sat Sep 10, 2005 2:15 am
Re: [Discussion] Downtime and Server Compromise
Dog Cow wrote:
> EXreaction wrote:
>> Yes, that's an idea. One could rehash the old 2.0.x MD5's with the new system and just store a flag saying it's the old password type. If it is the old type, when that user logs in it would check the MD5 of the password they entered as the submitted password, and then reset it using the new method if they got it right.
> Are you offering this as a solution for phpbb.com? If so, there's one problem: the plain-old MD5 password hashes are out there, no doubt being cracked. Just changing the hash doesn't help at all now, since it's going to be the exact same password anyway.
No, that wouldn't help for phpbb.com, but could be included with an update to phpBB3 in the future to prevent passwords from leaking in case their server got hacked as well.
It's a rather huge problem, the fact that the users table was released publicly. There's basically no fix, now that all 300,000 user IDs, emails, usernames, passwords, etc. are out there. Even if you say, "Well, let's just delete/lock/ban those accounts," there are still many, many people who can be traced by email or username (outside of phpbb.com), and use the same username/password everywhere, often some moronic phrase such as an English word, or the exact same as the username.
There is nothing you can do about the released information; all you can do is reset the passwords (forcing them to get a new password with the "I forgot my password" link) for those users on phpbb.com and send them all emails notifying them of what happened with the email address they used.
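The rehash-with-a-flag scheme EXreaction describes in the quoted post, as an added example (not phpBB's own code): the legacy unsalted MD5 digest is wrapped in a salted PBKDF2 hash without knowing the plaintext, the record is flagged as wrapped, and a successful login replaces it with a native hash. The scheme names, iteration count and the sample user are assumptions made for this example.

```python
import hashlib
import hmac
import os

# Assumption for this example; tune for the deployment's hardware.
ITERATIONS = 100_000


def _kdf(secret: bytes, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", secret, salt, ITERATIONS)


def migrate_legacy_md5(md5_hex: str) -> dict:
    """Wrap an existing MD5 hex digest in PBKDF2 and flag it as legacy.
    No plaintext is needed, so a whole users table can be converted offline."""
    salt = os.urandom(16)
    return {"scheme": "pbkdf2-wrapped-md5", "salt": salt,
            "hash": _kdf(md5_hex.encode(), salt)}


def hash_password(password: str) -> dict:
    """Native scheme used for new passwords and for upgraded records."""
    salt = os.urandom(16)
    return {"scheme": "pbkdf2", "salt": salt,
            "hash": _kdf(password.encode(), salt)}


def verify(record: dict, password: str) -> bool:
    """Check a password against either record type in constant time."""
    if record["scheme"] == "pbkdf2-wrapped-md5":
        # Reproduce what the old 2.0.x table stored, then apply the wrapper.
        secret = hashlib.md5(password.encode()).hexdigest().encode()
    elif record["scheme"] == "pbkdf2":
        secret = password.encode()
    else:
        return False
    return hmac.compare_digest(_kdf(secret, record["salt"]), record["hash"])


def login(record: dict, password: str) -> tuple:
    """Return (ok, record); on success a wrapped record is upgraded."""
    if not verify(record, password):
        return False, record
    if record["scheme"] == "pbkdf2-wrapped-md5":
        return True, hash_password(password)
    return True, record


# Constructed sample of what the legacy users table would hold.
LEGACY_USERS = {"alice": hashlib.md5(b"correct horse").hexdigest()}
```

As Dog Cow points out in the quoted exchange, wrapping only protects a store that has not yet leaked; hashes already published must still be treated as cracked and the passwords reset.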
Re: [Discussion] Downtime and Server Compromise
It really seems that the phpBB GD captcha was circumvented and, worse, that some script was released to use the trick to massively spam phpBB 3.0.4 forums.
This was probably already raised elsewhere, but I'm wondering if the current phpbb.com downtime was not part of the spamming plan, which seemed to have started around the same time, as a way to win time for spam.
Because even though the data stolen is a lot, it's not like Visa account numbers were compromised. I don't think that many of the unconverted passwords were indeed interesting; a portion of them maybe, but most likely among many others that really were not.
Anyway, good luck with putting things back on!
++
- 3Di
- Registered User
- Posts: 951
- Joined: Tue Nov 01, 2005 9:50 pm
- Location: Milano 🇮🇹 Frankfurt 🇩🇪
- Contact:
Re: [Discussion] Downtime and Server Compromise
EXreaction wrote:
> There is nothing you can do about the released information
Indeed.
EXreaction wrote:
> all you can do is reset the passwords (forcing them to get a new password with the "I forgot my password" link) for those users on phpbb.com and send them all emails notifying them of what happened with the email address they used.
Agreed, that's a good point. What about all of the Team Members' private info, telephone numbers and real-life data, though? They are all public now.
Another good point could be the fact that the "hacker" promised to spread some topics found in the private forums. No skeletons at all, I guess, but... it's really a huge inconvenience this time, IMHO.
Anyway, show must go on. Keep up the great work guys, c'mon.
Free support for our extensions also provided here: phpBB Studio
Looking for a specific feature or alternative option? We will rock you!
Please PM me only to request paid works. Thx. Want to compensate me for my interest? Donate
My development's activity º PhpStorm's proud user º Extensions, Scripts, MOD porting, Update/Upgrades
Re: [Discussion] Downtime and Server Compromise
I am also thinking it is a multipronged event. As I have mentioned in a few posts above, I have a forum that has been around for about a year, just sitting, with only 3 real members (we are getting ready to relaunch), and since Jan 30th almost 2 doz. spam registrations. Too coincidental for me.
Rusty
- 3Di
- Registered User
- Posts: 951
- Joined: Tue Nov 01, 2005 9:50 pm
- Location: Milano 🇮🇹 Frankfurt 🇩🇪
- Contact:
Re: [Discussion] Downtime and Server Compromise
rusty105 wrote:
> I am also thinking it is a multipronged event. As I have mentioned in a few posts above, I have a forum that has been around for about a year, just sitting, with only 3 real members (we are getting ready to relaunch), and since Jan 30th almost 2 doz. spam registrations. Too coincidental for me.
> Rusty
phpbb.com and phpBB itself being the best and most used GPLed BBS around the world, indeed the fact that it has been hacked (even if via an external app) got the attention of the spambots/spammers; that's because of the WEB. Got it? Nothing less, nothing more, IMHO.
Free support for our extensions also provided here: phpBB Studio
Looking for a specific feature or alternative option? We will rock you!
Please PM me only to request paid works. Thx. Want to compensate me for my interest? Donate
My development's activity º PhpStorm's proud user º Extensions, Scripts, MOD porting, Update/Upgrades
- darcie
- Community Team
- Posts: 189
- Joined: Mon Mar 12, 2007 7:32 pm
- Location: Davis, California
- Contact:
Re: [Discussion] Downtime and Server Compromise
I am absolutely convinced that the sudden influx of spam registrations and the hacking event occurring at the same time are a complete coincidence. It is unfortunate that they have both taken place at the same time, but there is no way to link the two. A test board I have set up online with no posts, no members, no inward links (other than Google knowing it exists), and no relation to the information I have at phpbb.com has also incurred the same problem. There is absolutely no way to link it to the release of information taken from phpbb.com, and therefore I see no relation between the two events.
Sometimes coincidence is just that.
So let's please leave the spam discussion to the topic existing in the support forum. Thanks.
Re: [Discussion] Downtime and Server Compromise
I am not knocking phpBB at all. I started with phpBB, and I never see myself using anything else! I am just saying that I think it might be related, whether intentional or not, by the same party(s) or not. We, the phpBB community, have been attacked. Our boards are getting spammed hard, and our 'Mother' support forum is down, HARD! I know the admins are doing their best, and I would rather wait longer to be sure everything is sanitized before it comes back up.
Sorry to be beating this horse
Rusty