Feb 08, 2009

phpBB Weekly #097: Full Coverage of phpBB.com Outage and Cracked CAPTCHA


Download MP3 Episode (99.8 MB)

Episode Duration: 1:49:01
On This Episode: Douglas Bell (Fountain of Apples), David Lewis (Highway of Life), Phil Crumm (iWisdom), Josh Woody (A_Jelly_Doughnut), Ashley Pinner (NeoThermic), and Micheal Cottingham (Techie-Micheal)

Sponsor: Online meetings made easy. Try GotoMeeting FREE for 30 days! www.gotomeeting.com/techpodcasts/

The phpBB community suffered a double-whammy this week: exploitation of a PHPList vulnerability (NOT a phpBB vulnerability) has kept phpBB.com offline since last Saturday, and the current phpBB3 CAPTCHA (as of 3.0.4) was formally cracked, causing a significant and sudden spike in spam registrations on boards starting around the middle of the week. In this special episode, David and Douglas are joined by Phil Crumm (iWisdom), Support Team Member; Josh Woody (A_Jelly_Doughnut), MOD Team Member; Ashley Pinner (NeoThermic), Styles Team Member; and Micheal Cottingham (Techie-Micheal), Security Expert and former team member.

During this episode, we learn a number of new details about the zero-day exploit that caused the phpBB.com outage, which also explain why it has taken so long for the teams to clean up the damage and restore the site, and how herculean that task really is. We also discuss some of the details of the zero-day exploit in PHPList, and some of the coding practices in PHPList that allowed this kind of security exploit to take place. Micheal also shares a bit of his expertise on security policy and gives us an outline of what phpBB will do, and what other websites should do, to stay secure and avoid these kinds of attacks.

However, the most critical repercussion from this attack as far as users are concerned is the security of their passwords, particularly for anyone who has not logged into phpBB.com since before March 2007 (when phpBB.com was upgraded to phpBB3). Because phpBB2 stored passwords as plain, unsalted MD5 hashes, an inferior technique, passwords that have not been changed or used on phpBB.com since the phpBB2 days have been brute-forced, read, and published publicly by the attacker. Interestingly enough, an analysis of the passwords has shown that the most popular passwords on the list were poor throwaway passwords such as "password" and "123456". We discuss in great detail the importance of having a strong, hard-to-guess password, changing it frequently, and (if possible) using an encrypted password manager such as 1Password. Speaking of which, the teams highly recommend that if you have reused any password from any part of phpBB.com (forum, wiki, code forge, etc.) on another site, you change it there just in case, and that you change your phpBB.com password as soon as the site comes back online.
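To make the point about phpBB2's hashing concrete, here is an added example (not code from phpBB or from this show) that hashes the same throwaway passwords two ways and attacks both with the same small wordlist. The "phpBB2 style" side is unsalted single-round MD5, which is what phpBB2 actually stored; the "salted, iterated" side is a simplified stand-in for the phpass-style scheme phpBB3 uses, not byte-compatible with it. The leaked accounts, the wordlist and the round count are constructed for the demonstration.

```python
import hashlib
import hmac
import os

# Counter of MD5 invocations, so the cost of attacking each scheme can be compared.
MD5_CALLS = 0


def _md5(data: bytes) -> bytes:
    global MD5_CALLS
    MD5_CALLS += 1
    return hashlib.md5(data).digest()


def phpbb2_style_hash(password: str) -> str:
    """Unsalted, single-round MD5: the way phpBB2 stored passwords."""
    return _md5(password.encode("utf-8")).hex()


def salted_iterated_hash(password: str, salt: bytes, rounds: int = 4096) -> str:
    """Per-user salt plus thousands of rounds, in the spirit of the phpass scheme
    phpBB3 adopted. Simplified illustration only; not byte-compatible with phpass."""
    pw = password.encode("utf-8")
    h = _md5(salt + pw)
    for _ in range(rounds):
        h = _md5(h + pw)
    return f"{salt.hex()}${rounds}${h.hex()}"


def crack_unsalted(leaked: list[str], wordlist: list[str]) -> dict[str, str]:
    """One precomputed table of the wordlist serves every leaked hash at once."""
    table = {phpbb2_style_hash(w): w for w in wordlist}
    return {h: table[h] for h in leaked if h in table}


def crack_salted(leaked: list[str], wordlist: list[str]) -> dict[str, str]:
    """The salt forces a fresh guess-and-hash run per record, each guess costing
    rounds+1 MD5 calls, so precomputation buys the attacker nothing."""
    found = {}
    for rec in leaked:
        salt_hex, rounds, _digest = rec.split("$")
        salt = bytes.fromhex(salt_hex)
        for w in wordlist:
            if hmac.compare_digest(salted_iterated_hash(w, salt, int(rounds)), rec):
                found[rec] = w
                break
    return found


def work_comparison(passwords: list[str], wordlist: list[str], rounds: int = 4096):
    """Hash the same passwords both ways, attack both with the same wordlist, and
    return (cracked_legacy, md5_calls_legacy, cracked_modern, md5_calls_modern)."""
    global MD5_CALLS
    legacy = [phpbb2_style_hash(p) for p in passwords]
    modern = [salted_iterated_hash(p, os.urandom(8), rounds) for p in passwords]

    MD5_CALLS = 0
    hits_legacy = crack_unsalted(legacy, wordlist)
    calls_legacy = MD5_CALLS

    MD5_CALLS = 0
    hits_modern = crack_salted(modern, wordlist)
    calls_modern = MD5_CALLS
    return len(hits_legacy), calls_legacy, len(hits_modern), calls_modern


if __name__ == "__main__":
    # Constructed sample: three "leaked" accounts, two with throwaway passwords,
    # and a small wordlist of the sort that topped the published list.
    sample_passwords = ["password", "123456", "T7#kz!q92Lp"]
    sample_wordlist = ["letmein", "password", "123456", "qwerty", "phpbb"]
    print(work_comparison(sample_passwords, sample_wordlist))
```

Both attacks recover the two throwaway passwords and miss the strong one; the difference is cost. The unsalted table costs one MD5 per wordlist entry no matter how many hashes leaked, which is why a whole phpBB2-era dump can be cracked in one pass, while the salted scheme multiplies the work by the number of accounts and by the round count. None of that helps a user whose password is "123456", which is the show's real point.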

We then chat about the cracking of the phpBB3 CAPTCHA, which has caused a stir over a massive spike in spam registrations on phpBB boards. Interestingly enough, the teams were actually pleasantly surprised that the CAPTCHA lasted as long as it did before it was cracked (nearly two years!); pretty good for a CAPTCHA generated by open-source, freely downloadable code for one of the most widely used bulletin board platforms on the net. phpBB 3.0.5 will add an optional wave distortion to the CAPTCHA, but 3.0.5 will not be out the door very soon for obvious reasons, and a number of people, including some of us, think the distorted version is a bit hard on the eyes (see example 1, example 2). Many admins have turned to other anti-spam MODs and tools that use different methods to fight off spambots. We discuss several of these options and whether they would be appropriate as part of a future default phpBB installation. We also describe other options admins already have, such as altering account activation settings or enabling the post queue (a feature new since 3.0.3) to hold spam posts for moderation before they are publicly visible.

Additional Links Mentioned in This Episode:
phpBB.com Downtime and Server Compromise — Details
Lessons to Learn from the Downtime
StarTrekGuide Security Class forum
Spambots Topic on Area51
Spambots Topic on StarTrekGuide

There is no MOD of the Week, Style of the Week, or Poll Question of the Week this week, but to end the show on a lighter note, we did throw in a funny Easter Egg conversation about earthquakes during the closing music. :) We'll hopefully have a more lighthearted episode during our special Valentine's Day show next Saturday; we hope you'll join us.

We highly encourage you to share this episode with any other phpBB administrators you know. A lot of relevant information, some of it exclusive, is presented in this episode that will be helpful to many phpBB administrators and users. Please spread the word about this episode on your social network, blog, or via e-mail. Thanks for listening, and thanks for your support of phpBB Weekly.

Nov 12, 2008

phpBB Weekly #084


Download MP3 Episode (39.6 MB)

Episode Duration: 1:09:07
On This Episode: Douglas Bell (Fountain of Apples), David Lewis (Highway of Life), and Jordan Lewis (Hank the Cowdog, representing Albertie Einstein)

Sponsor: Online meetings made easy. Try GotoMeeting FREE for 30 days! www.gotomeeting.com/techpodcasts/

The era of change must be upon us. Not only did Barack Obama get elected as the next American president, but the changes within the phpBB teams just keep on coming with each passing week. This week it was announced that Ashley Pinner (NeoThermic) is stepping down as Support Team leader (but is staying as a member of the Support Team) and will be replaced by Yuriy Rusko (Marshalrusty). We briefly discuss this announcement, and there’s word that there could still be more structural changes coming soon to the phpBB project; stay tuned…

In the more immediate future, however, phpBB 3.0.3 RC-1 has been sent out to the QA Team for testing, which means that the long-awaited next update to phpBB3 is likely on the way very soon. Why is it long-awaited? There are actually a number of new features coming in this release, such as template inheritance, changes to the moderation queue, and new permissions for sending private messages to multiple recipients. We go through the new toys coming in this next release in detail.

Finally, our President Bertie contest has officially ended with two elections that were held during the week, and on this episode, we announce the winner of the Bertie Mons Presidential Election: Albertie Einstein of the Intellectual Party, sponsored by Hank the Cowdog! We perform Albertie Einstein’s inauguration ceremony live on the show, and Jordan (Hank the Cowdog) delivers an inaugural address as well. The contest may be over, but Bertie Mons will continue to thrive on StarTrekGuide. Oh, and if anyone has figured out where the good people at SCOFF Media have disappeared to, please let us know…

The MOD of the Week is Activation Justification by TerraFrost and the Style of the Week is 4poziomSEO_orange by gokin.

phpBB Weekly is a proud member of the Tech Podcast Network. Check them out for other great technology podcasts.

Jul 03, 2008

phpBB Weekly #068


Download MP3 Episode (35.3 MB)

Episode Duration: 1:01:37
On This Episode: David Lewis (Highway of Life), Paul Sohier (Paul), and Ashley Pinner (NeoThermic)

Sponsor: Try GotoMeeting free for 30 days! For this special offer, visit www.gotomeeting.com/techpodcasts/.

Is your website secure? What if you learned that half a million websites have been hacked via SQL injection just since last January? On this episode, David Lewis is joined by Paul (of the MODs Team) and Ashley Pinner (NeoThermic, Support Team Leader) to discuss how site owners can recognise SQL injection vulnerabilities, how they can prevent them in their own site, and how you can spot possible SQL injections within MODs that you download. And for MOD authors out there, they discuss the phpBB3 framework and how you can use it to prevent SQL injections in MODs.
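As an added illustration of the two halves of that discussion (what an injection does, and how to spot the pattern in a MOD you are about to install), here is example code that is not from phpBB Weekly or from any real MOD. It runs against an in-memory SQLite table with constructed rows, contrasts a string-built query with a bound-parameter one, and then applies a deliberately simple heuristic scanner to a few constructed PHP lines written in phpBB 3.0 MOD style. Python is used so the whole thing runs stand-alone; the phpBB3 DBAL calls the scanner recognises as "already safe" (`$db->sql_escape()` and an `(int)` cast) are the real phpBB 3.0 idioms, everything else is constructed for the example.

```python
import re
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for a board's users table (sample rows, not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user_id INTEGER, username TEXT, user_email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        (2, "admin", "admin@example.org"),
        (3, "alice", "alice@example.org"),
        (4, "bob", "bob@example.org"),
    ])
    return conn


def lookup_vulnerable(conn, username: str):
    """The classic MOD mistake: request data pasted straight into the SQL string."""
    sql = "SELECT username, user_email FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, username: str):
    """Bound parameter: the value can never change the structure of the query."""
    sql = "SELECT username, user_email FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


# --- Heuristic review aid for MOD source: flag SQL built from unsanitised input ---
SQL_KEYWORD = re.compile(r"\b(SELECT|INSERT|UPDATE|DELETE)\b", re.I)
RAW_INPUT = re.compile(r"\$(_GET|_POST|_REQUEST|_COOKIE|HTTP_(GET|POST)_VARS)\b")
# Fragments the phpBB3 DBAL or a cast has already made safe; removed before scanning.
SAFE_FRAGMENT = re.compile(r"(\$\w+->)?sql_escape\([^)]*\)|\((int|float|bool)\)\s*\$\w+")
# A PHP variable concatenated into, or interpolated inside, a string literal.
CONCATENATED = re.compile(r"""['"]\s*\.\s*\$\w+|\$\w+\s*\.\s*['"]|['"][^'"]*\$\w+[^'"]*['"]""")


def scan_mod_source(lines):
    """Return (line_number, reason) for each line that builds SQL from request data
    or from a variable that is not visibly escaped or cast. Expect false positives;
    every hit still needs a human read, and clean output is not proof of safety."""
    findings = []
    for n, line in enumerate(lines, 1):
        if not SQL_KEYWORD.search(line):
            continue
        stripped = SAFE_FRAGMENT.sub("SAFE", line)
        if RAW_INPUT.search(stripped):
            findings.append((n, "superglobal inside SQL"))
        elif CONCATENATED.search(stripped):
            findings.append((n, "unescaped variable concatenated into SQL"))
    return findings


# Constructed PHP lines in phpBB 3.0 MOD style (not taken from any real MOD).
SAMPLE_MOD = r'''
$username = request_var('username', '');
$sql = 'SELECT user_id FROM ' . USERS_TABLE . " WHERE username = '" . $db->sql_escape($username) . "'";
$sql = 'SELECT user_id FROM ' . USERS_TABLE . " WHERE username = '" . $_GET['username'] . "'";
$sql = 'UPDATE ' . USERS_TABLE . " SET user_email = '" . $email . "' WHERE user_id = " . (int) $user_id;
$sql = 'DELETE FROM ' . POSTS_TABLE . ' WHERE post_id = ' . (int) $post_id;
'''.strip().splitlines()


if __name__ == "__main__":
    conn = make_db()
    payload = "x' OR '1'='1"
    print("vulnerable:", lookup_vulnerable(conn, payload))   # every row comes back
    print("safe:      ", lookup_safe(conn, payload))         # nothing matches that literal name
    for n, reason in scan_mod_source(SAMPLE_MOD):
        print(f"line {n}: {reason}")
```

The payload `x' OR '1'='1` closes the attacker's string early and appends a clause that is always true, so the string-built query returns the whole table, including every user's e-mail, while the bound-parameter version simply finds no user with that literal name. The scanner flags the line that reads `$_GET` directly and the `UPDATE` whose `$email` is concatenated without `sql_escape()`, and passes the two lines that escape or cast their input; in phpBB3 terms, the fix for both hits is `request_var()` for reading input plus `$db->sql_escape()` (or `$db->sql_build_array()` for whole rows) when building the query.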

Plus, have you ever run phpBB3 and made a change to your site, but nothing changed? That's probably due to phpBB3's caching of content, templates, and themes. David and the others discuss how to properly purge the cache with phpBB3, as well as the differences between the different kinds of cached content.

And of course, Londonvasion is getting ever-closer, and so we’ve got your latest fix on Londonvasion news right here, as usual. Stay tuned as we finalize phpBB Weekly’s own Londonvasion plans over the next few weeks; we’ll be keeping you posted.

The MOD of the Week is Purge cache from any page for phpBB3 by Elglobo, and the Style of the Week is Day Song for phpBB3 by APT92.


Apr 20, 2008

phpBB Weekly #059


Download MP3 Episode (50.3 MB)

Episode Duration: 1:27:53
On This Episode: Douglas Bell (Fountain of Apples), David Lewis (Highway of Life), Ashley Pinner (NeoThermic), Yuriy Rusko (Marshalrusty)

Sponsor: Try GotoMeeting free for 30 days! For this special offer, visit www.gotomeeting.com/techpodcasts/.

Well, the inevitable has happened: it was announced this past week that phpBB2 will be going end of life later this year. Although nothing is happening immediately, download links for phpBB2 will be removed in October, followed by support ending in January, and all security patches ending in February, at which point phpBB2 will be officially retired and the teams will focus exclusively on phpBB3 from here on out. Other teams have announced, or are in the process of announcing, their individual plans surrounding the retirement of phpBB2.

We are joined on this episode by Ashley Pinner (NeoThermic), the Support Team Leader, and Yuriy Rusko (Marshalrusty), a Support Team Member, to talk about this announcement. They talk about the many reasons that led this announcement to be made, particularly this early, and why the teams have decided that this decision is for the best. We also discuss how users hearing about this can prepare for the change, as well as assessing opinions pulled from the discussion topic on phpBB.com and the discussion on Star Trek Guide.

Also, we look ahead to our giveaway drawing in three weeks, and share the finalized list of prizes that we’re giving away. Plus, we look at our latest Londonvasion plans.

The MOD of the Week is Users default avatar for phpBB2 by leviatan21, and the Style of the Week is TheEighties Template for phpBB2 by phpbbmodded.de.


Apr 15, 2008

phpBB Weekly #058


Download MP3 Episode (28.9 MB)

Episode Duration: 50:34
On This Episode: David Lewis (Highway of Life), Paul Sohier (Paul), Yuriy Rusko (Marshalrusty), Ashley Pinner (NeoThermic)

Sponsor: Try GotoMeeting free for 30 days! For this special offer, visit www.gotomeeting.com/techpodcasts/.

Douglas was off taking a test during this episode, so he couldn’t make it, but then again, David forgot that it was Saturday, which is why the live stream of phpBB Weekly never happened! Whoops. Anyway, David managed to grab together a couple of team members to talk to for what could almost pass as another episode of the Official phpBB Podcast.

This past week, the inevitable phpBB 3.0.1 was released featuring dozens of bugfixes, including two security-related fixes. As this marks the first non-RC update to phpBB3, they spend a little time reviewing the process for updating from 3.0.0 to 3.0.1 and the importance of keeping your boards up to date. In addition, they discuss other common support issues with upgrading, and how upgrading relates to the importance of keeping core code changes in MODs to a minimum for compatibility.

They then discuss the recent alpha release of a MOD by naderman (of the Development Team) of the Sphinx Search Plugin for phpBB. Sphinx is a free, open-source full-text search engine that is now another option you can use for indexing your board's content for the search page, and it will quite possibly be showing up in phpBB 3.2 "Ascraeus."

Yuriy gives us a quick update on the latest Londonvasion details (and by the way, you should also check out phpBB Weekly’s latest Londonvasion plans), and David tells us about Star Trek Guide’s new MOD Manager, as well as how you can obtain the “Borg Invasion” style that was used for STG’s recent April Fools joke.

No MOD or Style of the Week was selected this week, but we promise that we will make up for lost time next week and get back into the MODs and Styles selections. :)

Technical Note: Apologies for the background sounds in this episode–David discovered after the fact that he forgot to turn off his Skype sound effects!


Copyright © 2007-2010 phpBB Weekly, some rights reserved under a Creative Commons License. Website powered by WordPress. Theme: TheBuckmaker. Background: Vlad Gerasimov.