May 27, 2009

phpBB Weekly #106: No Slap Like a Security Slap


Download MP3 Episode (38.5 MB)

Episode Duration: 42:02
On This Episode: Douglas Bell (Fountain of Apples), Micheal Cottingham (Techie-Micheal), and Paul Sohier (Paul)

Micheal and Douglas are joined on this episode by an old friend, Paul Sohier, who is now on a new team: the Support Team. For obvious reasons, Micheal is pleased and Douglas a bit confused, but Paul explains that he’s been working in support longer than he’s been working with MODs, and has been enjoying the change of pace.

The MOD Team, however, hasn’t been standing still. Once again, a new release to talk about: AutoMOD has hit RC-1. Exciting, you bet, particularly since EasyMOD never made it out of beta! While it’s not approved for fully-stable use yet, AutoMOD is about to hit the big time, and we’ll continue to follow its progress over the summer.

Micheal mentions that this old blog post simply identifies possibilities that injections could be created by MODs if the authors aren’t careful; it does NOT list actual injection vulnerabilities in phpBB3! Beware the naysayers!

And for our main topic of discussion, a new phpBB.com blog post discusses the Gumblar and Martuz trojans, two pieces of malware that infect an administrator’s PC, harvest the FTP credentials stored or used there, and then log in with them to alter the site(s) those credentials protect, typically by injecting malicious code into your pages. We go over the blog post and discuss what these trojans do, how they work, and how to keep yourself safe (hint: keep your antivirus definitions up-to-date!). Because the credentials are taken from your own machine, clean that machine before you change your FTP password, or the new password will be stolen too. Also be sure to keep regular backups of your site so that if it does get hacked (it may not be your fault if your site IS hacked), you can completely wipe the hacked site and restore from a known-good copy. If your site has been hacked, use Unmask Parasites to do a thorough check once you’ve cleaned house.

The MOD of the Week is Posting Template by eviL<3, and the Style of the Week is Prospace by spaceace.

Be sure to join us on Saturday, May 30th, for David Lewis’ return to phpBB Weekly and important announcements about this show, as well as Douglas’ post-graduation attempts to stay awake!

Written by Douglas Bell in: Released Episodes
Apr 8, 2009

phpBB Weekly #103: April Fools and Security Fools


Download MP3 Episode (34.6 MB)

Episode Duration: 37:47
On This Episode: Douglas Bell (Fountain of Apples) and Micheal Cottingham (Techie-Micheal)

On this shorter episode, we clean up from the deliciousness of last week and get back to “normal.” Douglas and Micheal take a look back at a number of the April Fool’s pranks from the previous week (see links below) from phpBB communities and other websites.

UMIL 1.0 RC-2 was recently released by the MOD Team, and we briefly recap UMIL and what it does, but don’t get into many details about the new RC without David’s expertise on the subject.

Finally, Micheal discusses a recurring issue of people claiming that phpBB3 has vulnerabilities and exploits that do not exist (like this recent example). We discuss a bit about the ramifications of these and the best way that phpBB, other security firms, and web hosts can respond to these. See also this phpBB.com blog post and this discussion topic.

April Fools Links Mentioned on the Show:
Community April Fools Jokes
Deck 15–DO NOT ENTER!
New Tech “Products” for April 1st
Google’s Gmail Autopilot
Woopra’s Webcam Enablement Feature
UC San Diego’s Acceptances April Fools

Our ongoing Poll Question of the Week is “What should be featured on the next episode of BBGourmet?” Vote in the poll on the sidebar to the right. Poll ends on Saturday, April 11.

The MOD of the Week is Save full drafts by asinshesq, and the Style of the Week is SpringFlowers by BillStur Styles.

Written by Douglas Bell in: Released Episodes
Mar 18, 2009

phpBB Weekly #100: Securing Our Centennial Celebration


Download MP3 Episode (62.6 MB)

Episode Duration: 1:08:20
On This Episode: Douglas Bell (Fountain of Apples) and Micheal Cottingham (Techie-Micheal)

Sponsor: Online meetings made easy. Try GotoMeeting FREE for 30 days! www.gotomeeting.com/techpodcasts/

We have done it! Our one-hundredth episode of phpBB Weekly, a significant milestone for any podcast. There may be tens or hundreds of thousands of podcasts out there, but only some of them reach this milestone, and we never thought this one would make it this far ourselves.

Unfortunately, despite the high demand from our listeners, we were unable to book a guest to join us on this episode. But we had someone almost as good! Our new temporary co-host, Micheal Cottingham, joined us in his new role for the first time on this show, and Douglas and he chatted a bit about security. We discuss a number of the topics from the StarTrekGuide Security Class forum (including an important one for EVERYONE to read about protecting your passwords), and we also go over some common injection vulnerabilities that MOD authors and all PHP developers need to keep an eye out for. And if you think you know all of the injections by heart, why not try the “Find the Injection” games over on the Security Class forum?
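The two injection patterns MOD authors most often ship, shown beside their fixed forms, as an added example that is not code from phpBB or from the show. It runs against an in-memory SQLite table through PDO so the file works on its own; in a real MOD the fixes correspond to phpBB3’s `request_var()` (typed input) and `$db->sql_escape()` (string escaping). The table, rows, and attacker inputs are constructed for the example.

```php
<?php
// Added example, not phpBB code: concatenating request data into SQL,
// and the two fixes (integer cast, parameterised query).

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE phpbb_users (user_id INTEGER, username TEXT, user_email TEXT)');
$pdo->exec("INSERT INTO phpbb_users VALUES (2, 'admin', 'admin@example.test'), (3, 'guest', 'guest@example.test')");

// Vulnerable: a numeric id taken straight from the request and concatenated.
function lookup_vulnerable(PDO $pdo, string $u): array {
    $sql = 'SELECT username FROM phpbb_users WHERE user_id = ' . $u;
    return $pdo->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Fixed: cast to int first, the equivalent of request_var('u', 0) in phpBB3.
function lookup_fixed(PDO $pdo, string $u): array {
    $id  = (int) $u;
    $sql = 'SELECT username FROM phpbb_users WHERE user_id = ' . $id;
    return $pdo->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Vulnerable: a string quoted by hand but never escaped.
function find_vulnerable(PDO $pdo, string $name): array {
    $sql = "SELECT user_email FROM phpbb_users WHERE username = '" . $name . "'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Fixed: parameterised; in phpBB3 you would wrap the value in $db->sql_escape().
function find_fixed(PDO $pdo, string $name): array {
    $stmt = $pdo->prepare('SELECT user_email FROM phpbb_users WHERE username = ?');
    $stmt->execute([$name]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed attacker input.
$evil_id   = '0 OR 1=1';
$evil_name = "x' OR '1'='1";

print_r(lookup_vulnerable($pdo, $evil_id)); // both usernames: the WHERE clause was rewritten
print_r(lookup_fixed($pdo, $evil_id));      // empty: (int) '0 OR 1=1' is 0
print_r(find_vulnerable($pdo, $evil_name)); // every e-mail address in the table
print_r(find_fixed($pdo, $evil_name));      // empty: the quote stays inside the literal
```

The integer cast is the cheaper fix and the one to reach for whenever the value is numeric; escaping is only for values that genuinely have to be strings, and it has to happen at the point the query is built, not somewhere earlier where a later code path might forget it.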

We also take a look at a recent blog post about Area51 (the phpBB development site, not the secret military base) and discuss a bit about its past role during Olympus development and its likely role during Ascraeus development.

Our last poll question was “What’s your favorite web browser?” There were 6 votes (55%) for “Firefox!”, 3 votes (27%) for “Safari!”, 1 vote (9%) for “Internet Explorer,” and 1 vote (9%) for “I seem to have an inability to pick a web browser and stick with it.” This week’s poll will be “What’s the best April Fool’s prank to pull on your users?” The poll will open up later this week and run until March 28; plus there will be an “Other” option for you to submit your own suggestions!

The MOD of the Week is User Reminder by lefty74, and the Style of the Week is AutumnsColor by BillStur Styles.

Feb 8, 2009

phpBB Weekly #097: Full Coverage of phpBB.com Outage and Cracked CAPTCHA


Download MP3 Episode (99.8 MB)

Episode Duration: 1:49:01
On This Episode: Douglas Bell (Fountain of Apples), David Lewis (Highway of Life), Phil Crumm (iWisdom), Josh Woody (A_Jelly_Doughnut), Ashley Pinner (NeoThermic), and Micheal Cottingham (Techie-Micheal)

Sponsor: Online meetings made easy. Try GotoMeeting FREE for 30 days! www.gotomeeting.com/techpodcasts/

The phpBB community suffered a double-whammy this week: the exploitation of a PHPList vulnerability (NOT a phpBB vulnerability) led to an extended outage of phpBB.com since last Saturday, and the current phpBB3 CAPTCHA (as of 3.0.4) was formally cracked, causing a significant and sudden spike in spam registrations on boards starting around the middle of the week. In this special episode, David and Douglas are joined by Phil Crumm (iWisdom), Support Team Member; Josh Woody (A_Jelly_Doughnut), MOD Team Member; Ashley Pinner (NeoThermic), Styles Team Member; and Micheal Cottingham (Techie-Micheal), Security Expert and former team member.

During this episode, we learn a number of new details about the zero-day exploit that caused the phpBB.com outage, and that also explain the reasons why it has taken so long for the teams to clean up the damage and restore the site, as well as how herculean this task really is. We also discuss some of the details of the zero-day exploit in PHPList, and some of the coding practices in PHPList that allowed these kinds of security exploits to take place. Micheal also shares a bit of his expertise on security policy and gives us a bit of an outline for what phpBB will do and other websites should do to ensure that they stay secure and avoid these kinds of attacks.

However, the most critical repercussion from this attack as far as users are concerned is the security of their passwords, particularly if they have not logged into phpBB.com since before March 2007 (which was when phpBB.com was updated to phpBB3). phpBB2 stored passwords as a plain, unsalted MD5 hash, which a dictionary or brute-force attack recovers quickly; phpBB3 replaces that hash with its salted, iterated scheme the next time a user logs in, so accounts untouched since the phpBB2 days still carried the weak hash. Those passwords have been brute-forced, read, and published publicly by the attacker. Interestingly enough, an analysis of the passwords has shown that the most popular passwords on the list were poor throwaway passwords such as “password” and “123456”. We discuss in great detail the importance of having a very secure, hard-to-guess password, changing it frequently, and (if possible) using an encrypted password manager such as 1Password. Speaking of which, the teams highly recommend that if you have reused any of the passwords from any part of phpBB.com (forum, wiki, code forge, etc.) elsewhere, you should change them just in case, as well as changing your phpBB.com password as soon as it comes back online.
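Why an unsalted MD5 dump falls so much faster than a salted, iterated one, as an added example that is not code from phpBB or from the show. The salted scheme is modelled on the portable phpass construction phpBB3 uses (MD5 of salt and password, then repeated MD5 of hash and password) but simplified: real phpass encodes the salt and round count into the stored `$H$` string, and the round count below (1024) is chosen for illustration, not taken from phpBB. The users, passwords, and dictionary are constructed for the example.

```php
<?php
// Added example, not phpBB code: dictionary attack cost against
// phpBB2-style unsalted MD5 versus a salted, iterated hash.

// Constructed sample: three accounts, two of which share the weak password "123456".
$users = ['alice' => '123456', 'bob' => 'password', 'carol' => '123456'];

// phpBB2-style storage: md5($password), no salt, one round.
function hash_phpbb2(string $pw): string {
    return md5($pw);
}

// Salted, iterated scheme modelled on phpass (simplified; see lead-in).
function hash_salted(string $pw, string $salt, int $rounds): string {
    $h = md5($salt . $pw, true);
    for ($i = 0; $i < $rounds; $i++) {
        $h = md5($h . $pw, true);
    }
    return bin2hex($h);
}

// A tiny dictionary (constructed); real attackers use millions of entries.
$dictionary = ['letmein', 'qwerty', '123456', 'password', 'phpbb'];

// Attack 1: unsalted. One md5() per dictionary word cracks every user at once,
// and identical hashes reveal shared passwords before any cracking happens.
function crack_unsalted(array $stored, array $dict): array {
    $lookup = [];
    foreach ($dict as $word) {
        $lookup[md5($word)] = $word;   // computed once, reusable against any dump
    }
    $found = [];
    foreach ($stored as $user => $hash) {
        if (isset($lookup[$hash])) {
            $found[$user] = $lookup[$hash];
        }
    }
    return $found;
}

// Attack 2: salted + iterated. The dictionary has to be rerun per user,
// and each guess costs $rounds + 1 MD5 computations.
function crack_salted(array $stored, array $dict, int $rounds): array {
    $found = [];
    $work  = 0;
    foreach ($stored as $user => [$salt, $hash]) {
        foreach ($dict as $word) {
            $work += $rounds + 1;
            if (hash_salted($word, $salt, $rounds) === $hash) {
                $found[$user] = $word;
                break;
            }
        }
    }
    return [$found, $work];
}

$unsalted = array_map('hash_phpbb2', $users);
$cracked  = crack_unsalted($unsalted, $dictionary);
printf("unsalted: %d md5() calls, cracked %s\n", count($dictionary), json_encode($cracked));
printf("distinct unsalted hashes for %d users: %d\n", count($users), count(array_unique($unsalted)));

$rounds = 1024;                           // illustration only, not phpBB's setting
$salted = [];
foreach ($users as $name => $pw) {
    $salt = bin2hex(random_bytes(4));     // per-user salt
    $salted[$name] = [$salt, hash_salted($pw, $salt, $rounds)];
}
[$cracked, $work] = crack_salted($salted, $dictionary, $rounds);
printf("salted: %d md5() calls, cracked %s\n", $work, json_encode($cracked));
```

Both attacks still recover every account here, because every password is in the dictionary: salting and iteration multiply the attacker’s cost (5 hashes versus 10,250 in this run, and the gap grows with users and rounds), but they do not rescue “123456”. That is the point of the show’s advice: the hash scheme buys time, the password itself has to be one that is not in anybody’s word list.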

We then chat about the cracking of the phpBB3 CAPTCHA, which has caused a stir over a massive spike in spam registrations on phpBB boards. Interestingly enough, the teams were actually pleasantly surprised that the CAPTCHA lasted as long as it did before it was cracked (nearly two years!); pretty good for a CAPTCHA generated by open-source, freely downloadable code for one of the most widely-used bulletin board platforms on the net. While phpBB 3.0.5 will include new functionality that adds an optional wave distortion to the CAPTCHA, 3.0.5 will not be ready to go out the door very soon for obvious reasons, and a number of people, including some of us, think it is a bit hard on the eyes (see example 1, example 2). Many admins have turned to other anti-spam MODs and tools that use different methods to fight off spambots. We discuss some of these options and whether they would be appropriate as part of a future default phpBB installation. We also describe some of the other options admins have available, such as altering activation settings or enabling the post queue (a new feature since 3.0.3) to hold spam posts for moderation before they become publicly visible.

Additional Links Mentioned in This Episode:
phpBB.com Downtime and Server Compromise — Details
Lessons to Learn from the Downtime
StarTrekGuide Security Class forum
Spambots Topic on Area51
Spambots Topic on StarTrekGuide

There is no MOD of the Week, Style of the Week, or Poll Question of the Week this week, however to end the show on a lighter note, we did throw in a funny Easter Egg conversation about earthquakes during the closing music. :) We’ll hopefully have a more lighthearted episode during our special Valentine’s Day show next Saturday; we hope you’ll join us.

We highly encourage you to share this episode with any other phpBB administrators you know. A lot of relevant information, some of it exclusive, is presented in this episode that will be helpful to many phpBB administrators and users. Thanks for listening, and thanks for your support of phpBB Weekly.

Dec 14, 2008

phpBB Weekly #089


Download MP3 Episode (47.6 MB)

Episode Duration: 1:23:15
On This Episode: Douglas Bell (Fountain of Apples) and David Lewis (Highway of Life)

Sponsor: Online meetings made easy. Try GotoMeeting FREE for 30 days! www.gotomeeting.com/techpodcasts/

We had a lot of things to be happy about on this episode of phpBB Weekly: not only was there a large amount of news for us to cover, but it was the one-year anniversary of the release of phpBB 3.0.0 Gold, which put us in an excited mood (enough to make a few people in the chat room question us about whether or not we were sober).

In a somewhat surprising move, phpBB 3.0.4 was released on Friday, exactly one month after the release of 3.0.3, marking a shift as the Development Team begins focusing on making subsequent revisions of phpBB3 less, um, “huge” than 3.0.3 was. We cover the fixes, changes, and the one new feature in-depth, as usual.

David gives a grand welcome to this week’s new team members: two more Support Team members, and one new MOD Team member who was promoted from the Junior Validators Team. David also gives us a bit of an update on how the Junior Validators have been doing and a glimpse of where the idea will be heading.

Earlier this week, Meik (AcydBurn) warned that PHP 5.2.7 posed a security risk for phpBB2, due to an issue that PHP 5.2.7 caused with “magic_quotes_gpc”: that release reported the directive as enabled while not actually escaping request data, and phpBB2 only applies its own addslashes() when get_magic_quotes_gpc() says PHP has not already done so, so user input could reach SQL unescaped. phpBB3 does not depend on the setting, because it escapes strings itself when it builds each query. We take a look at this risk in more detail, including why this affected phpBB2 but not phpBB3, and we also discuss why PHP 5.2.7 was retracted in the first place.
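A model of the two input-handling approaches under three PHP runtimes, as an added example that is not phpBB’s own code. The two booleans stand in for the runtime: `$reported_on` is what get_magic_quotes_gpc() returned, `$actually_on` is whether PHP really escaped the request; in 5.2.7 they disagreed. addslashes() stands in for the MySQL driver’s escaping in `$db->sql_escape()`, and the payload is constructed for the example.

```php
<?php
// Added example, not phpBB code: trusting get_magic_quotes_gpc() (phpBB2)
// versus escaping at query-build time (phpBB3), under a runtime that lies.

// The request value as PHP would hand it to the script.
function request_value(string $raw, bool $actually_on): string {
    return $actually_on ? addslashes($raw) : $raw;
}

// phpBB2's approach (common.php): escape the input itself only when
// get_magic_quotes_gpc() says PHP has not already done so.
function query_phpbb2(string $raw, bool $reported_on, bool $actually_on): string {
    $input = request_value($raw, $actually_on);
    if (!$reported_on) {
        $input = addslashes($input);
    }
    return "SELECT user_id FROM phpbb_users WHERE username = '" . $input . "'";
}

// phpBB3's approach: undo magic quotes if PHP claims they are on, then
// escape every string when the query is built, whatever the ini setting.
function query_phpbb3(string $raw, bool $reported_on, bool $actually_on): string {
    $input = request_value($raw, $actually_on);
    if ($reported_on) {
        $input = stripslashes($input);
    }
    return "SELECT user_id FROM phpbb_users WHERE username = '" . addslashes($input) . "'";
}

// True when the username literal runs, properly escaped, to the end of the
// query, i.e. the attacker's quote did not terminate it early.
function literal_intact(string $sql): bool {
    return (bool) preg_match('/username = \'((?:[^\'\\\\]|\\\\.)*)\'$/', $sql);
}

$payload = "admin' OR '1'='1";   // constructed attacker input

$runtimes = [
    'PHP 5.2.6, magic_quotes_gpc=On'  => [true,  true],
    'PHP 5.2.6, magic_quotes_gpc=Off' => [false, false],
    'PHP 5.2.7, magic_quotes_gpc=On'  => [true,  false],  // the retracted release
];

foreach ($runtimes as $label => [$reported, $actual]) {
    printf("%-34s phpBB2 %-8s phpBB3 %s\n", $label,
        literal_intact(query_phpbb2($payload, $reported, $actual)) ? 'safe' : 'INJECTED',
        literal_intact(query_phpbb3($payload, $reported, $actual)) ? 'safe' : 'INJECTED');
}
```

Only the third row breaks phpBB2: the flag says “already escaped”, so nothing escapes the string, and the literal closes on the attacker’s quote. phpBB3 survives because its escaping never depends on what the runtime claims; at worst the stray stripslashes() mangles a backslash the user typed, which is a data bug, not an injection.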

Finally, voting in the phpBBHacks.com 2008 Awards is almost over, so we take a look at the MODs/hacks, styles/templates, phpBB boards, and their authors up for the award.

The MOD of the Week is Annual Stars by eviL<3, and the Style of the Week is MG Xmas by Mighty Gorgon.

In honor of one of David’s favorite songs (as we discovered midway through this episode), the closing music is Black Horse and the Cherry Tree — KT Tunstall.

phpBB Weekly is a proud member of the Tech Podcast Network. Check them out for other great technology podcasts.

Copyright © 2007-2010 phpBB Weekly, some rights reserved under a Creative Commons License. Website powered by WordPress. Theme: TheBuckmaker. Background: Vlad Gerasimov.