Feb 08, 2009

phpBB Weekly #097: Full Coverage of phpBB.com Outage and Cracked CAPTCHA


Download MP3 Episode (99.8 MB)

Episode Duration: 1:49:01
On This Episode: Douglas Bell (Fountain of Apples), David Lewis (Highway of Life), Phil Crumm (iWisdom), Josh Woody (A_Jelly_Doughnut), Ashley Pinner (NeoThermic), and Micheal Cottingham (Techie-Micheal)

Sponsor: Online meetings made easy. Try GotoMeeting FREE for 30 days! www.gotomeeting.com/techpodcasts/

The phpBB community suffered a double-whammy this week: the exploitation of a zero-day vulnerability in PHPList (NOT a phpBB vulnerability) on the phpBB.com server led to an extended outage of phpBB.com that began last Saturday, and the current phpBB3 CAPTCHA (as of 3.0.4) was cracked, causing a significant and sudden spike in spam registrations on boards starting around the middle of the week. In this special episode, David and Douglas are joined by Phil Crumm (iWisdom), Support Team Member; Josh Woody (A_Jelly_Doughnut), MOD Team Member; Ashley Pinner (NeoThermic), Styles Team Member; and Micheal Cottingham (Techie-Micheal), Security Expert and former team member.

During this episode, we learn a number of new details about the zero-day exploit that caused the phpBB.com outage, details that also explain why it has taken the teams so long to clean up the damage and restore the site, and how herculean that task really is. We also discuss some of the specifics of the PHPList zero-day and the coding practices in PHPList that allowed this kind of exploit to take place. Micheal also shares some of his expertise on security policy and outlines what phpBB will do, and what other websites should do, to stay secure and avoid these kinds of attacks.

However, the most critical repercussion of this attack as far as users are concerned is the security of their passwords, particularly for anyone who has not logged into phpBB.com since before March 2007 (when phpBB.com was upgraded to phpBB3). phpBB2 stored passwords as plain, unsalted MD5 hashes, so any password that has not been changed or used on phpBB.com since the phpBB2 days (and therefore was never re-hashed with phpBB3's salted, iterated scheme) has been brute-forced, read, and published publicly by the attacker. Interestingly enough, an analysis of the published passwords shows that the most popular ones on the list were poor throwaway passwords such as “password” and “123456”. We discuss in great detail the importance of having a strong, hard-to-guess password, changing it regularly, and (if possible) using an encrypted password manager such as 1Password. Speaking of which, the teams highly recommend that if you have reused any password from any part of phpBB.com (forum, wiki, code forge, etc.) on another site, you change it there just in case, and that you change your phpBB.com password as soon as the site comes back online.

We then chat about the cracking of the phpBB3 CAPTCHA, which has caused a stir because of a massive spike in spam registrations on phpBB boards. Interestingly enough, the teams were actually pleasantly surprised that the CAPTCHA lasted as long as it did before it was cracked (nearly two years!); pretty good for a CAPTCHA generated by open-source, freely downloadable code for one of the most widely used bulletin board platforms on the net. phpBB 3.0.5 will add an optional wave distortion to the CAPTCHA, but 3.0.5 will not be ready to go out the door very soon, for obvious reasons, and a number of people, including some of us, think the distorted version is a bit hard on the eyes (see example 1, example 2). Many admins have turned to other anti-spam MODs and tools that use different methods to fight off spambots. We discuss several of these options and whether they would be appropriate as part of a future default phpBB installation. We also describe other options admins already have, such as changing the account activation settings or enabling the post queue (a feature added in 3.0.3) to hold spam posts for moderation before they become publicly visible.

Additional Links Mentioned in This Episode:
phpBB.com Downtime and Server Compromise — Details
Lessons to Learn from the Downtime
StarTrekGuide Security Class forum
Spambots Topic on Area51
Spambots Topic on StarTrekGuide

There is no MOD of the Week, Style of the Week, or Poll Question of the Week this week, however to end the show on a lighter note, we did throw in a funny Easter Egg conversation about earthquakes during the closing music. :) We’ll hopefully have a more lighthearted episode during our special Valentine’s Day show next Saturday; we hope you’ll join us.

We highly encourage you to share this episode with any other phpBB administrators you know. A lot of relevant information, some of it exclusive, is presented in this episode that will be helpful to many phpBB administrators and users. Click on the ShareThis button below to spread the word about this episode on your social network, blog, or via e-mail. Thanks for listening, and thanks for your support of phpBB Weekly.

Nov 02, 2008

phpBB Weekly #083


Download MP3 Episode (46.1 MB)

Episode Duration: 1:20:35
On This Episode: Douglas Bell (Fountain of Apples), David Lewis (Highway of Life), Francis Lewis (Handyman), Eric Faerber (wGEric), and Micheal Cottingham (Techie-Micheal)

Sponsor: Online meetings made easy. Try GotoMeeting FREE for 30 days! www.gotomeeting.com/techpodcasts/

After all the, um, interesting results we had on last week’s episode involving multiple people connected via SkypeOut on their cell phones, you’d think that we’d want to jump back to normal this week, but no. David and Francis were both out of town this weekend in the Middle of Nowhere, Montana, at a horse show, and joined us on this episode via their phones from the middle of the horse show, as can be heard fairly easily throughout the episode. In addition, we were joined on this episode by phpBB’s new Operations Manager, Eric Faerber (wGEric); by former team member Micheal Cottingham (Techie-Micheal), who claims to be married to Bertie on Facebook; and by Francis Lewis (Handyman), who is serving as the head manager of SCOFF Media, Bertie Mons’ independent media organization.

The phpBB teams made some dramatic reorganizational changes this week by expanding their group of Team Leaders into a new “Management Team,” which in addition to the team leaders consists of three “managers.” wGEric is the new Operations Manager, ChrisRLG is the new Business Manager, and dhn continues his work under his newly renamed title, Website Manager. Taking Eric’s place, Igor Wiedler (eviL<3) is the new MOD Team Leader. Douglas, David, and Eric talk in depth about these changes, why they were made, and what they mean for the future of phpBB.

Oh, and by the way, the MOD Team just posted a Q&A with the MOD Team topic, so if you have questions you’ve been dying to ask the MOD Team members, hie thee hence to that topic!

Finally, our panel of guests analyzes the campaigns in our President Bertie Election Contest, looking at the progress of the four candidates and discussing what strategies they’ve done well and what more they could/should have done. Voting for the candidates in our contest begins Monday, November 3rd at 9 PM EST (0200 UTC on Tuesday), so be sure to participate! More details will be posted later this week in the contest forum.

The MOD of the Week is Post Count Requirements by SyntheticChaos and the Style of the Week is AZ_Retro by ayashazoelle.

phpBB Weekly is a proud member of the Tech Podcast Network. Check them out for other great technology podcasts. Also, be sure to check out and vote in the People’s Choice Podcast Awards! Voting ends this Thursday, so don’t miss out!

Nov 02, 2007

phpBB Weekly #036


Download MP3 Episode (37.4 MB)

Episode Duration: 1:05:20
On This Episode: David Lewis (Highway of Life), Paul Sohier (Paul), and Micheal Cottingham (Techie-Micheal)

Douglas missed this episode because his return flight from Long Beach the day before suffered a seven-hour delay (read more if you’re interested), effectively turning it into a red-eye flight, so he slept in during this episode. TalkShoe apparently wasn’t being cooperative either, but in a fairly Official Podcast-esque episode of phpBB Weekly, David is joined via a Skype conference call by phpBB team members Paul and Techie-Micheal.

This episode, like about a third of our episodes to date, is all about MODs. David, Paul, and Micheal talk extensively about MOD Development, the MOD Database, and other things MOD authors may want to know. Finally, they talk a bit about the tribulations of giving support for boards with MODs on them, and what the Support Team can and cannot do to help you when a MODded board needs help.

The MOD of the Week is Prime Memberlist Filter for phpBB3 by primehalo, and the Style of the Week is Brushed Metal for phpBB3 by Robin Huurman.

phpBB Weekly is a proud member of the Tech Podcast Network. Check them out for other great technology podcasts.

Written by Douglas Bell in: Released Episodes

Aug 05, 2007

phpBB Weekly #026: Guest Micheal Cottingham (Techie-Micheal)


Download MP3 Episode (49.3 MB)

Episode Duration: 1:26:12
On This Episode: Douglas Bell (Fountain of Apples), David Lewis (Highway of Life), and Micheal Cottingham (Techie-Micheal)

In this episode of phpBB Weekly, David and I are joined by guest host Micheal Cottingham (Techie-Micheal), the phpBB Support Team Leader. In what is so far our longest episode ever, David, Douglas, and Micheal talk about a number of different things, particularly relating to phpBB3, and also have a good time. MOD authors, server admins, and users concerned about security will really enjoy some of the more technical aspects of the conversation, while regular phpBB enthusiasts will also enjoy other parts of the episode.

David and Micheal touch on a number of different things in phpBB3, including how phpbb_root_path is now handled as a defined constant instead of a variable, custom template paths, the new phpBB error handler, modularity, the naming of language files in modules, the hidden create_schema_files.php script and the DBMS, and the opening of the new MOD and Styles Databases. They also talk a bit about the various things in phpBB3 that make it more secure, including the “http only” cookie setting, request_var() (which casts every piece of request data to the type of its default value), the removal of HTML support in posts (in favour of improved BBCode), serving avatars and attachments through download.php rather than as direct files, SSL, XSS and SQL injection, and the danger of leaving variables uninitialized when register_globals is on. In addition, Micheal asks an interesting question that stumps Douglas (although the jury’s still out on whether or not Douglas was actually stumped).

The MOD of the Week is Clickable forum and topic rows by tumba25, the very first phpBB3 MOD to be approved by the MOD team. The Style of the Week is Poolhall Junkies by Scott Stubblefield, also for phpBB3. Again, if you want to recommend a MOD or Style to us, bookmark it on del.icio.us with the tag “phpbbwmod” or “phpbbwstyle”.

Be sure to join us next week on August 11th for phpBB Weekly #027 where David will talk about phpBB3 modules in detail, for both administrators and MOD authors. Thanks again to Micheal for joining us. Also thanks to phpBB Weekly’s new sponsor, Audible.com. For your FREE audiobook, go to Audible.com/TalkShoe.

Copyright © 2007-2010 phpBB Weekly, some rights reserved under a Creative Commons License. Website powered by WordPress. Theme: TheBuckmaker. Background: Vlad Gerasimov.