Security: "The Sleeper Awakes!"

[Redscape]

I heard the default PHPBB2 Visual Confirmation code has been cracked and (probably old news, but...) I've noticed a surge of probable bot registrations the last few couple weeks, on my forum with no posts by these suspicious accounts.

My concern: could these (potential) sleeper accounts be lying dormant until Olympus comes out and then awaken to pounce on the first security exploit after everyone upgrades?

...I hope I'm just being paranoid!

[R45]

Cracking is really not an approriate term for being able to bypass a CAPTCHA, and regardless, it is more of a spam implication than a future security worry.

[karlsemple]

not to mention any proof that the phpbb 2 VM has been broken should be reported in the correct places. I know i know there are sites out there and it is likely it has been, but the team need proof to be able to act on it and prevent future problems!

[Cheater512]

not to mention any proof that the phpbb 2 VM has been broken should be reported in the correct places. I know i know there are sites out there and it is likely it has been, but the team need proof to be able to act on it and prevent future problems!

I cracked it because someone on these forums challenged me to and reported it to the security tracker with my source code. (I didnt release my code)
Proof enough?

[NeoThermic]

not to mention any proof that the phpbb 2 VM has been broken should be reported in the correct places. I know i know there are sites out there and it is likely it has been, but the team need proof to be able to act on it and prevent future problems!

I cracked it because someone on these forums challenged me to and reported it to the security tracker with my source code. (I didnt release my code)
Proof enough?

There *is* however, a diffrence between writing a script to take a saved VC image and making it OCR-able to making a script auto-sign up to a register page without messing up. While you did the former, you've not done the latter. (Although that isn't a challenge, its just a point)

NeoThermic

[psoTFX]

As per neo ... this isn't news. Before I left peeps had written source to discover the captchas of many implementations. There's a difference though between doing this as proof of concept and implementing it in a fully automated system.

Let me reiterate why the phpBB captcha was as it currently is. When I wrote the original I wanted something that wasn't beholding to gd or imagemagick. Not all hosts installed either so we were potentially cutting off a big chunk of users. Equally a gd implementation worth the time and trouble to implement was actually quite slow (I suspect several versions on it's much improved now with gd2). So I wrote a system that didn't require anything bar zlib which after some investigation I found was very very common amongst hosting providers installs. In that regard it was substantially superior to any other comparable boards captcha at the time.

I suspect time has moved on for the team now and that they're investigating gd2 based approaches which skew/rotate the text on multicoloured/filtered backgrounds. Even there peeps will overcome it with some clever (and I dare say) existing ocr libraries.

[DavidMJ]

The current code in CVS does not require Zlib at all! Instead, we emulate the output of gzcompress at a compression level of zero. The only real computation issue happens to be Adler hash generation (we provide a few ways to do this via extensions, along with a ported version of Classpath's code).

As to new approaches, we have some really nice image generation but it still needs some love

[psoTFX]

David, I wrote the original code ... I know what I wrote I very clearly stated that I was talking about "the origins of the captcha". As for new approaches ... well, I think to be perfectly honest time would be better spent completing what you have now. I know that may sound funny coming from me but that was the path we were on aside from the coding projects. New captchas could easily await 3.2.

[Redscape]

Ouf of curiosity, what are your thoughts on the idea (as stated in another forum) of having each forum define a personal security question (and answer) in the phpbb configuration file for new registrations? Since each server question would be completely different, would that serve as an entropic barrier to auto-registration bots?

[NeoThermic]

Ouf of curiosity, what are your thoughts on the idea (as stated in another forum) of having each forum define a personal security question (and answer) in the phpbb configuration file for new registrations? Since each server question would be completely different, would that serve as an entropic barrier to auto-registration bots?

My own thoughts is that its a bad idea. Just one question won't be enough, and I can't see *every* admin sitting there adding questions to the config. The whole idea behind a good captcha is that its all automated. Hence why most captchas are about random codes which can be generated on the fly.

NeoThermic