Security: "The Sleeper Awakes!"

Want to chit chat about anything, do it here ... posting here won't increase your post count (or shouldn't!). Please do not post any "phpBB" specific topics here unless they do not fit into the category above. Do not post bug reports, feature or support requests!
Forum rules
Please do not post any "phpBB" specific topics here unless they do not fit into the category above.

Do not post bug reports, feature or support requests! No really... Do not post bug reports, feature or support requests! Doing so will make Bertie a very sad bear indeed. :(
Post Reply
Redscape
Registered User
Posts: 7
Joined: Mon Jun 06, 2005 7:33 pm
Contact:

Security: "The Sleeper Awakes!"

Post by Redscape »

I heard the default PHPBB2 Visual Confirmation code has been cracked and (probably old news, but...) I've noticed a surge of probable bot registrations the last few couple weeks, on my forum with no posts by these suspicious accounts.

My concern: could these (potential) sleeper accounts be lying dormant until Olympus comes out and then awaken to pounce on the first security exploit after everyone upgrades?

...I hope I'm just being paranoid! :oops:
Deluxe Diplomacy Online
http://www.redscape.com

R45
Registered User
Posts: 236
Joined: Tue Nov 27, 2001 10:42 pm

Re: Security: "The Sleeper Awakes!"

Post by R45 »

Cracking is really not an approriate term for being able to bypass a CAPTCHA, and regardless, it is more of a spam implication than a future security worry.

User avatar
karlsemple
Registered User
Posts: 480
Joined: Mon Jan 23, 2006 8:49 am
Location: Hereford
Contact:

Re: Security: "The Sleeper Awakes!"

Post by karlsemple »

not to mention any proof that the phpbb 2 VM has been broken should be reported in the correct places. I know i know there are sites out there and it is likely it has been, but the team need proof to be able to act on it and prevent future problems!

User avatar
Cheater512
Registered User
Posts: 245
Joined: Thu Mar 23, 2006 1:29 am
Location: Brisbane, Australia
Contact:

Re: Security: "The Sleeper Awakes!"

Post by Cheater512 »

karlsemple wrote: not to mention any proof that the phpbb 2 VM has been broken should be reported in the correct places. I know i know there are sites out there and it is likely it has been, but the team need proof to be able to act on it and prevent future problems!
I cracked it because someone on these forums challenged me to and reported it to the security tracker with my source code. (I didnt release my code)
Proof enough? ;)

NeoThermic
Registered User
Posts: 198
Joined: Fri Jan 02, 2004 3:44 pm
Location: United Kingdom
Contact:

Re: Security: "The Sleeper Awakes!"

Post by NeoThermic »

Cheater512 wrote:
karlsemple wrote: not to mention any proof that the phpbb 2 VM has been broken should be reported in the correct places. I know i know there are sites out there and it is likely it has been, but the team need proof to be able to act on it and prevent future problems!
I cracked it because someone on these forums challenged me to and reported it to the security tracker with my source code. (I didnt release my code)
Proof enough? ;)

There *is* however, a diffrence between writing a script to take a saved VC image and making it OCR-able to making a script auto-sign up to a register page without messing up. While you did the former, you've not done the latter. (Although that isn't a challenge, its just a point)

NeoThermic
phpBB release date pool!
The NeoThermic.com... a well of information. Ask me for the bit bucket so you can drink its goodness. ||新熱です

User avatar
psoTFX
Registered User
Posts: 1984
Joined: Tue Jul 03, 2001 8:50 pm
Contact:

Re: Security: "The Sleeper Awakes!"

Post by psoTFX »

As per neo ... this isn't news. Before I left peeps had written source to discover the captchas of many implementations. There's a difference though between doing this as proof of concept and implementing it in a fully automated system.

Let me reiterate why the phpBB captcha was as it currently is. When I wrote the original I wanted something that wasn't beholding to gd or imagemagick. Not all hosts installed either so we were potentially cutting off a big chunk of users. Equally a gd implementation worth the time and trouble to implement was actually quite slow (I suspect several versions on it's much improved now with gd2). So I wrote a system that didn't require anything bar zlib which after some investigation I found was very very common amongst hosting providers installs. In that regard it was substantially superior to any other comparable boards captcha at the time.

I suspect time has moved on for the team now and that they're investigating gd2 based approaches which skew/rotate the text on multicoloured/filtered backgrounds. Even there peeps will overcome it with some clever (and I dare say) existing ocr libraries.

User avatar
DavidMJ
Registered User
Posts: 932
Joined: Thu Jun 16, 2005 1:14 am
Location: Great Neck, NY

Re: Security: "The Sleeper Awakes!"

Post by DavidMJ »

The current code in CVS does not require Zlib at all! Instead, we emulate the output of gzcompress at a compression level of zero. The only real computation issue happens to be Adler hash generation (we provide a few ways to do this via extensions, along with a ported version of Classpath's code).

As to new approaches, we have some really nice image generation but it still needs some love :D
Freedom from fear

User avatar
psoTFX
Registered User
Posts: 1984
Joined: Tue Jul 03, 2001 8:50 pm
Contact:

Re: Security: "The Sleeper Awakes!"

Post by psoTFX »

David, I wrote the original code ... I know what I wrote ;) I very clearly stated that I was talking about "the origins of the captcha". As for new approaches ... well, I think to be perfectly honest time would be better spent completing what you have now. I know that may sound funny coming from me but that was the path we were on aside from the coding projects. New captchas could easily await 3.2.

Redscape
Registered User
Posts: 7
Joined: Mon Jun 06, 2005 7:33 pm
Contact:

Re: Security: "The Sleeper Awakes!"

Post by Redscape »

Ouf of curiosity, what are your thoughts on the idea (as stated in another forum) of having each forum define a personal security question (and answer) in the phpbb configuration file for new registrations? Since each server question would be completely different, would that serve as an entropic barrier to auto-registration bots?
Deluxe Diplomacy Online
http://www.redscape.com

NeoThermic
Registered User
Posts: 198
Joined: Fri Jan 02, 2004 3:44 pm
Location: United Kingdom
Contact:

Re: Security: "The Sleeper Awakes!"

Post by NeoThermic »

Redscape wrote: Ouf of curiosity, what are your thoughts on the idea (as stated in another forum) of having each forum define a personal security question (and answer) in the phpbb configuration file for new registrations? Since each server question would be completely different, would that serve as an entropic barrier to auto-registration bots?

My own thoughts is that its a bad idea. Just one question won't be enough, and I can't see *every* admin sitting there adding questions to the config. The whole idea behind a good captcha is that its all automated. Hence why most captchas are about random codes which can be generated on the fly.

NeoThermic
phpBB release date pool!
The NeoThermic.com... a well of information. Ask me for the bit bucket so you can drink its goodness. ||新熱です

Post Reply