Feb 15, 2009

phpBB Weekly #098: Singles and Spammers Awareness Day


Download MP3 Episode (61.5 MB)

Episode Duration: 1:07:11
On This Episode: Douglas Bell (Fountain of Apples) and David Lewis (Highway of Life)

Sponsor: Online meetings made easy. Try GotoMeeting FREE for 30 days! www.gotomeeting.com/techpodcasts/

Emerging from the serious tone of last week’s episode, we decided to have a little bit more fun this week in light of it being Valentine’s Day. (Or, as Techie-Micheal frequently reminds us, Singles Awareness Day.) And so in honor of SAD, we led the show off with Always the Bridesmaid (Never the Bride) by Michael Weston King.

However, the phpBB news continues: on Tuesday, phpBB.com made its triumphant return. It is currently residing on a temporary server at OSUOSL while the main phpBB.com server continues to be investigated. Of course, PHPList is no longer being used on phpBB.com, and it is not yet clear what will replace phpBB’s mailing list or how differently the teams will approach the use of third-party software on their site.

Lost amidst the downtime was the fact that on February 1, support for security patches for phpBB2 officially ended, and as a result, so did all support for phpBB2 MODding. All of those fora have been condensed into a phpBB2 Forum Archive. The styles fora continue to be open until May 1, when it is believed that all phpBB2 information on phpBB.com will be hidden from public view. Of course, we will continue to keep an eye on the continuing phpBB2 retirement process over the coming weeks.

And finally, we continue our coverage of the cracked phpBB 3.0.4 CAPTCHA by taking a look at some of the new settings that have been added to the CAPTCHA in phpBB 3.0.5-dev. However, since most people will probably not want to take the time to check out a copy of the new CAPTCHA from Subversion, David put together a list of anti-spam MODs that offer a number of different tactics to help keep automated spambots off your board, and we give an overview of what each of these MODs does and which ones may be appropriate for your boards. Given how many spambots David has dealt with on STG, he has been installing some of these MODs himself as well.

Our last Poll Question of the Week was “If you could add one more feature to the new WhiteHouse.gov website, what would it be?” There were 10 votes (58.82%) for “A community bulletin board, powered by phpBB.”; 3 votes (17.65%) for “The ability to comment on that new blog of theirs.”; 2 votes (11.76%) for “A slideshow of presidential pets.”; 1 vote (5.88%) for “Twitter. Need I say more?”; and 1 vote (5.88%) for “Assurances that the new government is NOT putting secret spyware on my computer that is tracing every move I make…”. This week’s poll is “What’s the best Valentine to give to a forum moderator?” Vote in the poll on our right-hand sidebar, and leave a comment as well if you want to. The poll closes on February 21st.

The MOD of the Week (although not really a MOD) is phpBB3 Website Integration Framework by Highway of Life, and David talked a bit about how you can use it to utilize the phpBB framework (sessions, auth, DBAL, request_var, etc.) for your website. The Style of the Week is WintersDay by BillStur Styles.

Feb 08, 2009

phpBB Weekly #097: Full Coverage of phpBB.com Outage and Cracked CAPTCHA


Download MP3 Episode (99.8 MB)

Episode Duration: 1:49:01
On This Episode: Douglas Bell (Fountain of Apples), David Lewis (Highway of Life), Phil Crumm (iWisdom), Josh Woody (A_Jelly_Doughnut), Ashley Pinner (NeoThermic), and Micheal Cottingham (Techie-Micheal)

Sponsor: Online meetings made easy. Try GotoMeeting FREE for 30 days! www.gotomeeting.com/techpodcasts/

The phpBB community suffered a double whammy this week: the exploitation of a PHPList vulnerability (NOT a phpBB vulnerability) led to an extended outage of phpBB.com beginning last Saturday, and the current phpBB3 CAPTCHA (as of 3.0.4) was formally cracked, causing a significant and sudden spike in spam registrations on boards starting around the middle of the week. In this special episode, David and Douglas are joined by Phil Crumm (iWisdom), Support Team Member; Josh Woody (A_Jelly_Doughnut), MOD Team Member; Ashley Pinner (NeoThermic), Styles Team Member; and Micheal Cottingham (Techie-Micheal), Security Expert and former team member.

During this episode, we learn a number of new details about the zero-day exploit that caused the phpBB.com outage, details that also explain why it has taken so long for the teams to clean up the damage and restore the site, and how herculean that task really is. We also discuss some of the details of the zero-day exploit in PHPList, and some of the coding practices in PHPList that allowed this kind of security exploit to take place. Micheal also shares a bit of his expertise on security policy and outlines what phpBB will do, and what other websites should do, to stay secure and avoid these kinds of attacks.

However, the most critical repercussion of this attack as far as users are concerned is the security of their passwords, particularly if they have not logged into phpBB.com since before March 2007 (when phpBB.com was upgraded to phpBB3). Due to the weaker hashing technique used by phpBB2, user passwords that have not been changed or used on phpBB.com since the phpBB2 days have been brute-forced, recovered, and published publicly by the attacker. Interestingly enough, an analysis of the passwords has shown that the most popular passwords on the list were poor throwaway passwords such as “password” and “123456”. We discuss in great detail the importance of having a strong, hard-to-guess password, changing it frequently, and (if possible) using an encrypted password manager such as 1Password. Speaking of which, the teams highly recommend that if you have reused any of the passwords from any part of phpBB.com (forum, wiki, code forge, etc.) elsewhere, you should change them just in case, as well as changing your phpBB.com password as soon as the site comes back online.
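To make the hashing point above concrete, here is an added example (mine, not phpBB’s code or anything played on the show). phpBB2 stored an unsalted MD5 of each password, so an attacker hashes a wordlist once and compares every stolen hash against that single table; phpBB3 moved to a salted, iterated hash (the portable phpass scheme), which forces the work to be redone for every user and every candidate word. The user table, the wordlist and the hashing routine below are constructed for illustration; `salted_iterated_hash` imitates the shape of the phpass algorithm but is not phpBB3’s actual implementation, round count or hash format.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed wordlist of throwaway passwords (illustrative, not the attacker's list).
WORDLIST = ["password", "123456", "qwerty", "letmein", "phpbb", "iloveyou"]


def phpbb2_style_hash(password: str) -> str:
    """phpBB2 stored md5(password) with no salt; this reproduces that weak scheme."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def sample_phpbb2_table() -> dict:
    """Constructed user table in the phpBB2 format (hypothetical users, not phpBB.com data)."""
    return {
        "alice": phpbb2_style_hash("password"),
        "bob": phpbb2_style_hash("123456"),
        "carol": phpbb2_style_hash("correct horse battery staple"),
    }


def crack_unsalted(table: dict, wordlist) -> dict:
    """Without a salt, one md5 per candidate word serves every user at once:
    hash the wordlist a single time, then do a dictionary lookup per stolen hash."""
    lookup = {phpbb2_style_hash(w): w for w in wordlist}
    return {user: lookup[h] for user, h in table.items() if h in lookup}


def salted_iterated_hash(password: str, salt: Optional[bytes] = None, rounds: int = 1024) -> str:
    """Salted, iterated md5 in the spirit of the portable phpass scheme phpBB3 adopted.
    Illustrative reimplementation: real phpBB3 hashes use a different encoding and round count."""
    if salt is None:
        salt = secrets.token_bytes(6)  # fresh random salt per stored password
    pw = password.encode("utf-8")
    digest = hashlib.md5(salt + pw).digest()
    for _ in range(rounds):
        digest = hashlib.md5(digest + pw).digest()
    return f"{salt.hex()}${rounds}${digest.hex()}"


def verify_salted(password: str, stored: str) -> bool:
    """Re-derive the hash with the stored salt and round count; constant-time compare."""
    salt_hex, rounds, _ = stored.split("$")
    candidate = salted_iterated_hash(password, bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(candidate, stored)


def crack_salted(table: dict, wordlist):
    """With per-user salts the precomputed table is useless: every (user, word) pair costs
    a full iterated hash. Returns the cracked users and the number of hash computations."""
    found, work = {}, 0
    for user, stored in table.items():
        for word in wordlist:
            work += 1
            if verify_salted(word, stored):
                found[user] = word
                break
    return found, work


def demo():
    weak = sample_phpbb2_table()
    strong = {
        "alice": salted_iterated_hash("password"),
        "bob": salted_iterated_hash("123456"),
        "carol": salted_iterated_hash("correct horse battery staple"),
    }
    print("unsalted md5 cracked:", crack_unsalted(weak, WORDLIST))
    found, work = crack_salted(strong, WORDLIST)
    print(f"salted/iterated cracked: {found} after {work} full hash computations")
    # Two users with the same password get different salted hashes; unsalted md5 would match.
    print("salted hashes of the same password equal?",
          salted_iterated_hash("password") == salted_iterated_hash("password"))


if __name__ == "__main__":
    demo()
```

Note that the salted version still gives up “password” and “123456”: the salt multiplies the attacker’s cost and stops one table from covering every user, but it cannot rescue a password that sits at the top of every wordlist. That is why the advice above on strong, unique passwords matters more than the hashing scheme the site happens to use.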

We then chat about the cracking of the phpBB3 CAPTCHA, which has caused a stir due to a massive spike in spam registrations on phpBB boards. Interestingly enough, the teams were actually pleasantly surprised that the CAPTCHA lasted as long as it did before it got cracked (nearly two years!); pretty good for a CAPTCHA generated by open-source, freely downloadable code for one of the most widely used bulletin board platforms on the net. While phpBB 3.0.5 will include new functionality that adds an optional wave distortion to the CAPTCHA, 3.0.5 will not be ready to go out the door very soon for obvious reasons, and a number of people, including some of us, think the distorted image is a bit hard on the eyes (see example 1, example 2). Many admins have turned to other anti-spam MODs and tools that use different methods to fight off spambots. We discuss some of these options and whether they would be appropriate as part of a future default phpBB installation. We also describe some of the other options admins have available, such as altering the activation settings or enabling the post queue (a new feature since 3.0.3) to sequester spam posts before they become publicly visible.

Additional Links Mentioned in This Episode:
phpBB.com Downtime and Server Compromise — Details
Lessons to Learn from the Downtime
StarTrekGuide Security Class forum
Spambots Topic on Area51
Spambots Topic on StarTrekGuide

There is no MOD of the Week, Style of the Week, or Poll Question of the Week this week, however to end the show on a lighter note, we did throw in a funny Easter Egg conversation about earthquakes during the closing music. :) We’ll hopefully have a more lighthearted episode during our special Valentine’s Day show next Saturday; we hope you’ll join us.

We highly encourage you to share this episode with any other phpBB administrators you know. A lot of relevant information, some of it exclusive, is presented in this episode that will be helpful to many phpBB administrators and users. Click on the ShareThis button below to spread the word about this episode on your social network, blog, or via e-mail. Thanks for listening, and thanks for your support of phpBB Weekly.

Sep 08, 2008

phpBB Weekly #077


Download MP3 Episode (53.1 MB)

Episode Duration: 1:32:51
On This Episode: Douglas Bell (Fountain of Apples) and David Lewis (Highway of Life)

Sponsor: Try GotoMeeting free for 30 days! For this special offer, visit www.gotomeeting.com/techpodcasts/.

We start this episode of phpBB Weekly by first taking a look back at last weekend’s MOD Authors Convention and briefly recapping some of it (see last week’s episode for full coverage of the event). Then we tackle a topic we didn’t get to last week: a discussion of CAPTCHAs in phpBB, some of the difficulties of using CAPTCHAs in open-source projects, and a look at some of the other efforts at preventing spambot registration on various websites. The moral of the story: whatever you do, turn on User Activation in your phpBB settings, because no CAPTCHA is perfect.

Then, we turn to the first part of our segment on “Building a Successful Community,” in which Douglas and David discuss the things that a user who wants to create a brand new community needs to plan out from the start, and the skills and qualities that new administrators will need for their community to be successful in the long run. Most of the content for this segment comes out of Patrick O’Keefe’s book, Managing Online Forums.

The MOD of the Week is th23 Domain by th23, and the Style of the Week is Black Pearl by Mighty Gorgon.

phpBB Weekly is a proud member of the Tech Podcast Network. Check them out for other great technology podcasts.

Sep 09, 2007

phpBB Weekly #029: Guest Yuriy Rusko (Marshalrusty)


Download MP3 Episode (47.1 MB)

Episode Duration: 1:22:14
On This Episode: Douglas Bell (Fountain of Apples), David Lewis (Highway of Life), and Yuriy Rusko (Marshalrusty)

David did do one thing for this show when he joined the phpBB teams: he found a bunch of team members who were anxious to be guest hosts on phpBB Weekly. On this episode, we’re joined by guest host Yuriy Rusko, better known on phpBB.com as Marshalrusty, a member of the Support Team.

First off, David and Yuriy talk about the first episode of the new Official phpBB Podcast, which I guess is meant to differentiate it from this podcast. But then, they end up talking about the Official phpBB Podcast so much, including recapping a bit on their talk about the COPA and COPPA laws, that this show effectively is now the phpBB Podcast podcast. :P

However, we do have an interesting discussion with Yuriy about dealing with spam (including CAPTCHAs and other anti-spam measures), security, and his experiences giving support for phpBB. David also takes a moment to recognize a few of the phpBB team members who have recently stepped down to return to their normal lives, and their many, many contributions to the phpBB project.

The MOD of the Week is Font Type BBcode for phpBB2 by Templater, and the Style of the Week is BF Vista Style for phpBB3 by Frost.
If you want to recommend a MOD or Style for us to promote, bookmark it on del.icio.us with the tag “phpbbwmod” or “phpbbwstyle”, and we might feature it on a future episode.

Additional links mentioned during the show:
Marshalrusty’s Preventing SPAM post
Dave Rathbun’s Doctor Blog
Marshalrusty’s Registration Auth Code (RAC) MOD
Info/Application to be a MOD Team Member

Thanks to our sponsor, Audible.com. For your free audiobook, go to audible.com/talkshoe. phpBB Weekly is also a proud member of the Tech Podcast Network.

Copyright © 2007-2010 phpBB Weekly, some rights reserved under a Creative Commons License. Website powered by WordPress. Theme: TheBuckmaker. Background: Vlad Gerasimov.