Feb 15, 2009

phpBB Weekly #098: Singles and Spammers Awareness Day


Download MP3 Episode (61.5 MB)

Episode Duration: 1:07:11
On This Episode: Douglas Bell (Fountain of Apples) and David Lewis (Highway of Life)

Sponsor: Online meetings made easy. Try GotoMeeting FREE for 30 days! www.gotomeeting.com/techpodcasts/

Emerging from the serious tone of last week’s episode, we decided to have a little bit more fun this week in light of it being Valentine’s Day. (Or, as Techie-Micheal frequently reminds us, Singles Awareness Day.) And so in honor of SAD, we led the show off with Always the Bridesmaid (Never the Bride) by Michael Weston King.

However, the phpBB news continues, and on Tuesday, phpBB.com made its triumphant return. It is currently residing on a temporary server at OSUOSL while the main phpBB.com server continues to be investigated. PHPList is, of course, no longer in use on phpBB.com, and it is not yet clear what will replace phpBB's mailing list, or how differently the teams will handle third-party software on their site from now on.

Lost amidst the downtime was the fact that on February 1, support for security patches for phpBB2 officially ended, and as a result, so did all support for phpBB2 MODding. All of those fora have been condensed into a phpBB2 Forum Archive. The styles fora continue to be open until May 1, when it is believed that all phpBB2 information on phpBB.com will be hidden from public view. Of course, we will continue to keep an eye on the continuing phpBB2 retirement process over the coming weeks.

And finally, we continue our coverage of the cracked phpBB 3.0.4 CAPTCHA by taking a look at some of the new settings that have been added so far to the CAPTCHA in phpBB 3.0.5-dev. Since most people will probably not want to take the time to check out a copy of the new CAPTCHA from Subversion, David put together a list of anti-spam MODs that use a number of different tactics to keep automated spambots off your board, and we give an overview of what each of these MODs does and which ones may be appropriate for your boards. Given how many spambots David has dealt with on STG, he has been installing some of these MODs himself as well.

Our last Poll Question of the Week was “If you could add one more feature to the new WhiteHouse.gov website, what would it be?” There were 10 votes (58.82%) for “A community bulletin board, powered by phpBB.”; 3 votes (17.65%) for “The ability to comment on that new blog of theirs.”; 2 votes (11.76%) for “A slideshow of presidential pets.”; 1 vote (5.88%) for “Twitter. Need I say more?”; and 1 vote (5.88%) for “Assurances that the new government is NOT putting secret spyware on my computer that is tracing every move I make…”. This week’s poll is “What’s the best Valentine to give to a forum moderator?” Vote in the poll on our right-hand sidebar, and leave a comment as well if you want to. The poll closes on February 21st.

The MOD of the Week (although not really a MOD) is phpBB3 Website Integration Framework by Highway of Life, and David talked a bit about how you can use it to reuse the phpBB framework (sessions, auth, DBAL, request_var, etc.) on the rest of your website. The Style of the Week is WintersDay by BillStur Styles.

Feb 08, 2009

phpBB Weekly #097: Full Coverage of phpBB.com Outage and Cracked CAPTCHA


Download MP3 Episode (99.8 MB)

Episode Duration: 1:49:01
On This Episode: Douglas Bell (Fountain of Apples), David Lewis (Highway of Life), Phil Crumm (iWisdom), Josh Woody (A_Jelly_Doughnut), Ashley Pinner (NeoThermic), and Micheal Cottingham (Techie-Micheal)

Sponsor: Online meetings made easy. Try GotoMeeting FREE for 30 days! www.gotomeeting.com/techpodcasts/

The phpBB community suffered a double whammy this week: exploitation of a PHPList vulnerability (NOT a phpBB vulnerability) led to an extended outage of phpBB.com beginning last Saturday, and the current phpBB3 CAPTCHA (as of 3.0.4) was cracked, causing a significant and sudden spike in spam registrations on boards starting around the middle of the week. In this special episode, David and Douglas are joined by Phil Crumm (iWisdom), Support Team Member; Josh Woody (A_Jelly_Doughnut), MOD Team Member; Ashley Pinner (NeoThermic), Styles Team Member; and Micheal Cottingham (Techie-Micheal), Security Expert and former team member.

During this episode, we learn a number of new details about the PHPList exploit that caused the phpBB.com outage (widely described as a zero-day, although PHPList had shipped a fix in 2.10.9 three days before the attack), details that also explain why it has taken so long for the teams to clean up the damage and restore the site, and how herculean that task really is. We also discuss some of the details of the PHPList vulnerability, and some of the coding practices in PHPList that allowed this kind of exploit in the first place. Micheal also shares some of his expertise on security policy and outlines what phpBB will do, and what other websites should do, to stay secure and avoid these kinds of attacks.

However, the most critical repercussion of this attack as far as users are concerned is the security of their passwords, particularly if they have not logged into phpBB.com since before March 2007 (which is when phpBB.com was upgraded to phpBB3). phpBB2 stored passwords as plain, unsalted MD5 hashes, so user passwords that have not been changed or used on phpBB.com since the phpBB2 days have been brute-forced, read, and published publicly by the attacker. Interestingly enough, an analysis of the passwords has shown that the most popular passwords on the list were poor throwaway passwords such as "password" and "123456". We discuss in great detail the importance of having a strong, hard-to-guess password, changing it regularly, and (if possible) using an encrypted password manager such as 1Password. Speaking of which, the teams highly recommend that if you have reused any password from any part of phpBB.com (forum, wiki, code forge, etc.) on another site, you change it there just in case, and that you change your phpBB.com password as soon as the site comes back online.
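To make the "inferior hashing technique" concrete, here is an added example (written for this page, not phpBB's own code) that contrasts phpBB2-style unsalted MD5 with a salted, iterated hash in the spirit of the phpass "portable" scheme phpBB3 moved to. The wordlist and user table are constructed for the example; the `rounds$salt$digest` storage format and the use of SHA-256 in the loop are assumptions for illustration, not phpBB3's real `$H$` encoding. The point it demonstrates is why an unsalted dump falls to a single pass over a wordlist, while per-user salts force the attacker to redo that work for every account and every board.

```python
from __future__ import annotations

import hashlib
import hmac
import os

# Constructed wordlist: the kind of throwaway passwords the episode says topped the leaked list.
WORDLIST = ["password", "123456", "qwerty", "letmein", "phpbb"]


def phpbb2_style_hash(password: str) -> str:
    """Unsalted MD5 of the password, which is how phpBB2 stored user_password.
    Identical passwords give identical hashes, and one precomputed table
    (wordlist -> md5) serves every user on every phpBB2 board."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def salted_iterated_hash(password: str, salt: bytes, rounds: int = 4096) -> str:
    """Per-user salt plus a fixed round count, in the spirit of the phpass
    'portable' hash phpBB3 switched to. The 'rounds$salthex$digest' format and
    the SHA-256 loop are assumptions for this example, not phpBB3's real encoding."""
    pw = password.encode("utf-8")
    h = hashlib.sha256(salt + pw).digest()
    for _ in range(rounds - 1):
        h = hashlib.sha256(h + pw).digest()
    return f"{rounds}${salt.hex()}${h.hex()}"


def new_salted_hash(password: str) -> str:
    """What a registration would store: a fresh 16-byte random salt per user."""
    return salted_iterated_hash(password, os.urandom(16))


def verify_salted(password: str, stored: str) -> bool:
    """Recompute with the salt and round count carried in the stored value."""
    rounds, salt_hex, _ = stored.split("$")
    candidate = salted_iterated_hash(password, bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(candidate, stored)


def crack_unsalted(user_hashes: dict[str, str], wordlist) -> tuple[dict[str, str], int]:
    """Dictionary attack on phpBB2-style hashes. Returns (user -> password,
    number of hash computations). The table is built once, so the cost is
    len(wordlist) regardless of how many users the dump contains."""
    table = {phpbb2_style_hash(w): w for w in wordlist}
    found = {user: table[h] for user, h in user_hashes.items() if h in table}
    return found, len(wordlist)


def crack_salted(user_hashes: dict[str, str], wordlist) -> tuple[dict[str, str], int]:
    """Same attack on salted, iterated hashes. The salt forces a fresh pass over
    the wordlist for every user, and the round count multiplies the cost of
    each guess; no precomputed table carries over between users or sites."""
    found: dict[str, str] = {}
    work = 0
    for user, stored in user_hashes.items():
        rounds = int(stored.split("$")[0])
        for w in wordlist:
            work += rounds
            if verify_salted(w, stored):
                found[user] = w
                break
    return found, work


if __name__ == "__main__":
    # Constructed user table; 'dave' is the only one whose password is not in the wordlist.
    plaintext = {"alice": "password", "bob": "123456", "carol": "password", "dave": "Tr0ub4dor&3"}
    phpbb2_dump = {u: phpbb2_style_hash(p) for u, p in plaintext.items()}
    phpbb3_dump = {u: new_salted_hash(p) for u, p in plaintext.items()}

    cracked2, work2 = crack_unsalted(phpbb2_dump, WORDLIST)
    cracked3, work3 = crack_salted(phpbb3_dump, WORDLIST)
    print("phpBB2-style:   ", cracked2, "hash ops:", work2)
    print("salted+iterated:", cracked3, "hash ops:", work3)
    # Weak passwords fall either way; salting and iteration only remove the shortcut.
    assert cracked2 == cracked3
```

Note that alice and carol share the same phpBB2-style hash, so the attacker learns they share a password before cracking anything, whereas their salted hashes differ. The salt and round count do nothing for "password" or "123456": they were found in both runs, which is exactly why the episode pairs the hashing change with the advice to pick a strong password and not reuse it.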

We then chat about the cracking of the phpBB3 CAPTCHA, which has caused a stir over a massive spike in spam registrations on phpBB boards. Interestingly enough, the teams were pleasantly surprised that the CAPTCHA lasted as long as it did before it was cracked (nearly two years!); pretty good for a CAPTCHA generated by open-source, freely downloadable code on one of the most widely used bulletin board platforms on the net. While phpBB 3.0.5 will add an optional wave distortion to the CAPTCHA, 3.0.5 will not be ready to go out the door very soon for obvious reasons, and a number of people, including some of us, find the distorted images a bit hard on the eyes (see example 1, example 2). Many admins have turned to other anti-spam MODs and tools that use different methods to fight off spambots. We discuss several of these options and whether they would be appropriate as part of a future default phpBB installation. We also describe other options admins already have, such as changing the account activation settings or enabling the post queue (a feature new since 3.0.3) to hold spam posts for moderation before they become publicly visible.

Additional Links Mentioned in This Episode:
phpBB.com Downtime and Server Compromise — Details
Lessons to Learn from the Downtime
StarTrekGuide Security Class forum
Spambots Topic on Area51
Spambots Topic on StarTrekGuide

There is no MOD of the Week, Style of the Week, or Poll Question of the Week this week, however to end the show on a lighter note, we did throw in a funny Easter Egg conversation about earthquakes during the closing music. :) We’ll hopefully have a more lighthearted episode during our special Valentine’s Day show next Saturday; we hope you’ll join us.

We highly encourage you to share this episode with any other phpBB administrators you know. A lot of relevant information, some of it exclusive, is presented in this episode that will be helpful to many phpBB administrators and users. Click on the ShareThis button below to spread the word about this episode on your social network, blog, or via e-mail. Thanks for listening, and thanks for your support of phpBB Weekly.

Feb 06, 2009

Critical Episode of phpBB Weekly Tomorrow — Spread the Word Far and Wide!

This has been one heck of a week for phpBB, as evidenced by the dozens of e-mails that David and I have been sending back and forth to each other. (We rarely e-mail each other at all usually.) Not only has phpBB.com suffered a major outage caused by probably the most severe hack they have experienced to date (noting, of course, that it was NOT a fault of the phpBB software itself), but in a completely unrelated incident, many phpBB users have been reporting a sudden spike in spam registrations on phpBB boards. Of course, this has been quite a lot for the phpBB teams to handle all at once, and I commend them for their hard work to stay afloat this week.

David and I have been preparing for a very significant episode of phpBB Weekly tomorrow during which we will fully cover and address all of the details surrounding these two critical issues. David is also arranging to hopefully have some members of the phpBB teams join us to provide more inside details on both of these issues, but we will not know for sure in advance who will be joining us because of the massive amount of work that the teams are facing right now.

Nevertheless, we would like to invite you to join us tomorrow, Saturday, February 7th at 12:00 EST (1700 UTC) for this critical episode of phpBB Weekly, and please spread the word about this episode as much as you can, in particular to any administrators of phpBB boards that are being affected by the spam registrations issue. We also want to remind you that we invite you to participate in the show by asking us questions either in the chat room or by calling in live. We represent all of you, the listeners, and so we want to be sure that we fill you in on the current situations that the phpBB community is facing. We will also do our best to release the episode on phpBBWeekly.net within 12 hours of the end of the live stream.

If you can’t join us during the episode tomorrow but have any questions that you would like us to cover, you may also feel free to ask them in this topic on our forum.

Click on the ShareThis button below to quickly spread the word about this episode on one of your social networks or blogs, or e-mail it to your friends. And we hope to see you during tomorrow’s episode. Thanks!
–Douglas Bell
Co-Host and Editor, phpBB Weekly

Written by Douglas Bell in: Show Info, phpBB News
Feb 03, 2009

phpBB.com Outage

You may have noticed that since late Saturday night/early Sunday morning (depending on your timezone), phpBB.com has been down. According to this post from Yuriy Rusko (Marshalrusty), an attacker used a vulnerability in PHPList to gain unauthorized access to phpBB.com and take down the website. PHPList is used by the phpBB teams for their opt-in mailing list, which sends out e-mail notifications of new phpBB releases. The PHPList vulnerability was patched in the 2.10.9 security release, which was put out on Thursday morning. The teams had not updated their installation of PHPList in the three days after the 2.10.9 release, and as a result an attacker was able to exploit the now-public vulnerability to access the phpBB.com database, including the database for the community forums.

David really wanted us to be able to do a special mid-week episode of phpBB Weekly to cover the outage, but unfortunately life is busy for us and so we will not be able to do so. However, we will be having a very comprehensive discussion of the outage on Saturday’s episode of phpBB Weekly, including a discussion with one or more team members on the issues behind this outage.

Until then, please read the post for more details, including some important warnings if you have not logged in on phpBB.com since March 2007 (before phpBB.com was upgraded to phpBB3) concerning your password security. Support is temporarily available on the Area51 forums. And the next time we tell you to be prompt in keeping your software up-to-date, remember this as a very good reason why you should do so. ;)

Written by Douglas Bell in: phpBB News
Jan 04, 2008

Power Outages & phpBB Weekly

Hello everyone,

As I am blogging right now, the weather folks are predicting a very bad rain/wind storm headed towards the San Francisco Bay Area (where I'm located), and have mentioned that it's very possible that the high winds could cause power outages tomorrow and Saturday. With any luck this will not happen, but on the slight chance that I am without power on Saturday morning, I will not be able to alert anyone online about it, nor will I be able to be here live for phpBB Weekly. Furthermore, David will also not be on this Saturday's episode, as he is still in the process of moving to Spokane. So, in the event that I am unable to make it this Saturday for phpBB Weekly due to a power outage or any other reason, you'd just have to live with the fact that the TalkShoe stream would be silent and that episode #046 would be postponed to next weekend.

I am not canceling this weekend’s episode, I am just alerting you all to the possibility, due to this storm, that I may not be able to make it in the event that there is a power outage here. Hopefully nothing will happen and phpBB Weekly #046 will proceed as normal. See you all (hopefully) on Saturday!
–Douglas Bell

Written by Douglas Bell in: Show Info

Copyright © 2007-2010 phpBB Weekly, some rights reserved under a Creative Commons License. Website powered by WordPress. Theme: TheBuckmaker. Background: Vlad Gerasimov.