The Blockland Bulletin

[Flatirons]

I loved the post about the Clannie Awards.

and look - here comes fabio to defend his reputation. oh no, I'm scared out of my pantyhose.

[Ad Bot]

[Killer2]

I loved the post about the Clannie Awards.

and look - here comes fabio to defend his reputation. oh no, I'm scared out of my pantyhose.

Ikr.

[Tom]

I think you need to stop posting so many opinion articles or you'll end up like Fox News. You'll have so much opinion stuff people might start discrediting your more serious journalism as well.

[Sheath]

I think you need to stop posting so many opinion articles or you'll end up like Fox News. You'll have so much opinion stuff people might start discrediting your more serious journalism as well.

An opinion is the views of the author. If would make no sense for you to discredit news, which is written from a 3rd person perspective unless clearly stated otherwise.

[Kalphiter]

You don't understand why it was removed. Cucumberdude has refused to learn how to encrypt passwords client-sided. I have warned him several times and nothing has happened.

Here is some attached code so you could possibly understand:

   <td align="center" valign="middle">
   
                  You must login in order to rate users<br> or add yourself (or others) to the database.<br><br>
            <form action="logcheck.php" method="post">
            Login:<br><br>
            Username: <input type="text" name="username"><br><br>
            Password: <input type="password" name="password"><br><br>

            <input type="submit" value="Login"><br>
            </form>
            <hr>
            Not yet a member? <a href="createaccount.php">Create an account</a>!
                  
   </td>

Credentials are submitted raw.


Ephialtes Censoring Blockland: Membership-based Services Blocked

even after an encryption feature was added to the service

WRONG

Such a rule is not an official part of the forum, making this decision a random policy. While some may agree Ephi's initial concern towards the service was justified, this recent move seems riddled with conflict.

Sorry, some guy (Cucumberdude) doesn't know what he's doing and complains when people bring up problems. He then wonders why the site was removed...

The RTB service Ephialtes runs requires membership itself, which puts further question on if this is a hypocritical unfair move against the RateBlocklanders service, something which cucumberdude also agrees is a moral dilemma.

RTB is trusted, uses a forum system made by a 3rd party, and already has encryption.


EXCLUSIVE: Ephialtes Mad With Power; Accuses RateBlocklanders Of Being handicapped And Malevolent

After the service openly admitted to not encrypting passwords due technical difficulties when handling password recovery, the services forum topic was pulled down by Ephialtes. Manager of the website cucumberdude addressed the issues adding encryption and re-releasing the website, when he was then told he could no longer post his website due to Ephialtes effectively deciding any player run service that requires membership should not be allowed to be posted within the community, a major contradiction to the RTB service he operates and shares on the website, and a rule that was purpose made for his decision on the spot.

I'm sure if you've read my post, encryption has STILL not been implemented.

"If I were you I would remove the handicapped login feature - it's unnecessary and just causes more trouble than it's worth. I'm not allowing you to advertise your site on these forums, and not just because of your flippant attitude towards basic security." Ephialtes said in the leaked chat, using angry and shocking language against the service and cucumberdude, effectively saying there were other reasons beyond the security issue that prompted him to remove the website-- the question is, what were they?

While it seems odd what those other reasons are, Ephialtes has a point -- Cucumberdude refuses to obey with common security practices.

Further reading of the leaked chat shows that Ephialtes believes the service has malicious intent, accusing cucumberdude of actions he has not yet done.

This seems like a reasonable claim. So far, not a shred of evidence that Cucumberdude has implemented any security measures has appeared. At any moment, Cucumberdude can read any member's submitted password. This ability, combined with refusal to make it secure, can lead to suspicions of password harvesting.

After this mess, Ephialtes then admits that his decision may be unreasonable but he finds the service isn't "substantial" enough to run "risk" despite the security issue being addressed. In other words, Ephi doesn't think its good enough for the Blockland public, and that there is no benefit for him or the forums for it to be advertised.

"Unreasonable or not, that's my decision. Your website doesn't bring anything substantial to the Blockland experience so the risk vs. reward just doesn't make any sense."

Yes -- it's quite a small loss. Although not being a very nice decision, it was probably the best one. Based on a previous actions of Cucumberdude, I really don't expect anything good and stunning to come from him.

This shocking series of messages exposes a conversation where Ephi attempts to justify his decision by using Badspot as a defensive measure for his argument. We also see his admittance to only wanting to remove the service which he believes will be used for malevolent purposes. Due to the fact it is not a practical service and doesn't have productive benefit, Ephi also thinks it should be removed. This outrageous justification for removal of a service is improper for any level-headed administrator. Has Ephialtes gone power mad?

JUST
STOP

[Sheath]

/controversy

[Scout31]

I agree with Kalphiter, being one of the rare moments when I do.

Also, very biased against Ephi. Example:

Twice in the discussion Ephialtes is shown to pass the responsibility of his decision onto Badspot and hide behind him to get away with his decisions.

Perhaps he felt as if Badspot could handle the issue better.

[cucumberdude]

"Here is some attached code so you could possibly understand:Credentials are submitted raw."

You're joking right? Maybe I'm confused as to when encryption is supposed to happen.

As I understand, you use encryption on the passwords in the database, and on the plaintext password entered by users logging in...

Code: [Select]

if(md5($_POST['password'] == md5($pass_from_db))
{
      login
}
else
{
      nope.avi
}

Obviously, that's pseudo-code - input needs to be sanitized and whatnot.

Is there a way to directly encrypt post data?

EDIT: Just to clarify, passwords ARE encrypted.

DOUBLEEDIT: Just saw this.

Based on a previous actions of Cucumberdude, I really don't expect anything good and stunning to come from him.

What? I don't think I've ever released any web sites to the forums before. I've made maybe one or two addons. What previous actions are you referring to?

[Scout31]

You have no idea what you're doing. Stop, and come back in about a year.

[Kalphiter]

and on the plaintext password entered by users logging in...

There's your problem.

You just told us all that you have no clue what you're doing. We can't prove you're hashing them server-sided. If they are hashed a few times client-sided, we know that you cannot possibly harvest any passwords. You offered no evidence that you care and do not seem to have the knowledge to do so.

[cucumberdude]

There's your problem.

You just told us all that you have no clue what you're doing. We can't prove you're hashing them server-sided. If they are hashed a few times client-sided, we know that you cannot possibly harvest any passwords. You offered no evidence that you care and do not seem to have the knowledge to do so.

So you're suggesting that someone would hypothetically be intercepting login attempts between the client and server? Very unlikely, I'd say.

If you're worried that I'm not hashing serverside, I can't prove that to you.

Code: [Select]

<form action="/login.php" method="post">
                        <div id="login-form">
                            <table width="100%" cellspacing="5" cellpadding="0">

                                <tr>
                                    <td width="50%"><label>Username:</label></td>
                                    <td width="2%">&nbsp;</td>
                                    <td width="48%"><input name="username" type="text" maxlength="40" size="20" /></td>
                                </tr>
                                <tr>
                                    <td width="50%"><label>Password:</label></td>
                                    <td width="2%">&nbsp;</td>

                                    <td width="48%"><input name="password" type="password" maxlength="25" size="20" /></td>
                                </tr>
                            </table>
                            <div id="forgot-pass">
                                <span class="small"><a href="/recover.php">Forgot your password?</a></span>
                            </div>
                        </div>
<input type="submit" style="visibility: hidden" />

                    </form>
From the RTB login. What am I doing differently? Is my princess in a different part of the code? I'd honestly love to improve RBL.

EDIT: Haha.

You have no idea what you're doing. Stop, and come back in about a year.

Code: [Select]

<html>
<head>
<link rel="stylesheet" href="http://backupblockland.us/include/style.css" />
<link rel="shortcut icon" href="http://backupblockland.us/favicon.ico"/>

<script type="text/javascript">

  var _gaq = _gaq || [];
  _gaq.push(['_setAccount', 'UA-20064500-1']);
  _gaq.push(['_setDomainName', '.backupblockland.us']);
  _gaq.push(['_trackPageview']);

  (function() {
var ga = document.createElement('script'); ga.type = 'text/javascript'; ga.async = true;
ga.src = ('https:' == document.location.protocol ? 'https://ssl' : 'http://www') + '.google-brown townytics.com/ga.js';
var s = document.getElementsByTagName('script')[0]; s.parentNode.insertBefore(ga, s);
  })();

</script>
<meta http-equiv="X-UA-Compatible" content="IE=9" />
<title>Back-up Blockland | Log-in</title>
</head>

<body>
<h1>Back-up Blockland</h1>
<div id="nav">
<ul id="nav">
<li><a href="http://backupblockland.us/index.php">Home</a></li>
<li><a href="http://backupblockland.us/news.php">News</a></li>
<li><a href="http://backupblockland.us/service.php">Services</a></li>

<li><a href="http://backupblockland.us/contact.php">Contact</a></li>
</ul>
</div>
<br />
<br /> <div id="contentbox" align="center">
<div id="content">
<form name="input" action="index.php" method="post">
<table>
<tr><td>Username:</td><td><input type="text" name="user" /></td></tr>

<tr><td>Password:</td><td><input type="password" name="pass" /></td></tr>
<input type="hidden" name="filled_login" value="1"/>
</table>
<input type="submit" value="Submit" />
</form>
</div>
</div>
</body>

</html>
Login code from your site.

ANOTHEREDIT:
And, by the way, client side hashing is trivial in terms of stopping potential attackers - because the serverside is waiting for a hashed password, if someone intercepts the clientside hashed password they can login anyways.

[Kalphiter]

So you're suggesting that someone would hypothetically be intercepting login attempts between the client and server? Very unlikely, I'd say.

If you're worried that I'm not hashing serverside, I can't prove that to you.

But if it was hashed client-sided, then you couldn't possibly reverse that process and thus you can't retrieve any passwords.

[Scout31]

That I made a year ago, stopped, then came back knowing more about web stuff. Plus, it wasn't even done or advertised, where you advertised yours a done feature. Its practical for anything WIP to be insecure and buggy.

[Sheath]

I think you need to be careful about what you consider bias.

Bias is not something you disagree with
Bias is not something thats written from a perspective you don't like
Bias is not something thats opinionated

Just because you disagree with the article doesn't make it bias. Its reporting is based on words from other users, quotes from Ephi, and a perspective thats there for you to agree or disagree with. There is no prejudice or favor in what was written. Obviously someone in higher power is expected to be more responsible, and the article was exposing what could be considered irresponsibility.

[cucumberdude]

That I made a year ago, then came back knowing more about web stuff. Plus, it wasn't even done or advertised, where you advertised yours a done feature. Its practical for anything WIP to be insecure and buggy.

Actually, I made it quite clear that it was constantly under devellopment - it was even taken down a couple of times initially to address some other non-hash related security concerns.

But if it was hashed client-sided, then you couldn't possibly reverse that process and thus you can't retrieve any passwords.

That's true. I'll go and add a SHA256 javascript encryption clientside if that helps. Presumably, JS and PHP SHA256 work with the same exact algorithm?

On the topic of my knowledge of PHP;
It's true. I'm by no means a professional, especially when it comes to web security. But everything is a learning process. If I can't make mistakes, then I can't progress. I'll admit, it was stubborn and silly of me to initially refuse to hash passwords. With passwords safely hashed in the database, there is no longer a real security threat - apart perhaps to those who believe that I have some sort of password collection agenda (to what, end I don't know - having access to a random bunch of lego game forum accounts seems pretty useless).

It's worth keeping in mind that the registration clearly asks users NOT TO USE THEIR FORUM PASSWORD - if I were trying to collect passwords, why on earth would I try and discourage users from doing that?