Planet Skyron

In the article, PHPBB 3.0x Registration Spam Control Mechanism, a guide was presented on how to tighten up access to the well-known bulletin board software, focusing on the registration component where anyone can sign up as a new user. The scheme was meant to make it more difficult to automatically sign up using common exploits. At the time of writing, the software version of interest was 3.0.4. As of the current version, 3.0.6, the scheme described will not work, owing to changes in the software. This article will briefly go over a new scheme that suits the newest version.

The image verification method has been incorporated into its own class and is located in the normal install directory, here: /includes/captcha/plugins/captcha_abstract.php. This class affects both registration and anonymous posting, unlike before, when the code was specific to the target areas. So, in addition to registration access control, anonymous posting will receive the same treatment with the following modifications to the file (line numbers are approximate):

25 class phpbb_default_captcha
26 {
27         var $confirm_id;
28         var $confirm_code;
29         var $confirm_char; // mod
30         var $code;

41                 // read input
42                 $this->confirm_id = request_var('confirm_id', '');
43                 $this->confirm_code = request_var('confirm_code', '');
44                 $this->confirm_char = request_var('confirm_char', ''); // mod
45                 $refresh = request_var('refresh_vc', false) && $config['confirm_refresh'];

308                                 AND confirm_type = " . $this->type;
309                 $result = $db->sql_query($sql);
310                 $row = $db->sql_fetchrow($result);
311                 $db->sql_freeresult($result);
312
313                 if ($row)
314                 {
315
316                         $this->code = $this->confirm_char . $row['code']; //mod
317                         $this->seed = $row['seed'];
318                         $this->attempts = $row['attempts'];
319                         return true;
320                 }
321
322                 return false;

The lines of code, added or altered, shown above, are marked with “//mod”. So, lines 29, 44, and 316 are the mods. Line 44 is the bit that retrieves the symbol randomly generated in the functions.php file (see previous article for more details). Line 316, having a slightly different look from the previous version, is the section of code where the symbol is integrated with the CAPTCHA code during the verification stage. These changes replace those described in the previous article affecting the ucp_register.php file located in /includes/ucp.

The changes to the templates described in the previous article are basically the same, but now include the template for anonymous posting, for example, posting_editing.html. The javascript code placed originally in the ucp_register.html template should go into the head portion of the overall_header.html template. The latter would cover both contingencies. The call to the dencoder function might also be placed in the footer template, but seems benign enough in the respective templates for registration and posting anonymously. Of course, depending on your theme, you may need to refresh the templates after you’ve made changes to these files. Needless to say, the image verification service should be activated.

This page, showing a recipe for Blancmange (Blank maunger), is from Fourme of Curye, compiled by master cooks to king Richard II of England, part of the Medieval Collection at the library of John Rylands University, Manchester.

Original BBC story located here.

This post is dedicated to the memory of tapes erased by the Beeb. They erased at will nearly everything Spike Milligan had done. They erased everything Dudley Moore and Peter Cook had done. They would’ve erased the Monty Python Flying Circus tapes, but time was on the side of that lot. This practice was carried on in the name of saving money on video tape. You’d think the war had still been on and rationing was in force. According to this authority,

The BBC routinely erased tapes to use them over again, and Python almost fell victim to the devastation. It was apparently saved because of two reasons. First of all, the shows were in color, rather than black-and-white. Monty Python’s Flying Circus was one of the earliest BBC comedy shows to be recorded in color; most of its predecessors (including programs by Peter Cook and Dudley Moore and Spike Milligan) were routinely wiped. And, American interest in running the series also gave the BBC reason to think that they might be able to squeeze a little more life out of the shows before giving up on them. Fortunately, they were correct.

According to Terry Jones,

the BBC execs initially didn’t particularly like Monty Python’s Flying Circus and that the BBC had a habit of wiping old shows to make room in their archives. “The shows nearly got wiped,” Terry is quoted as saying. “I smuggled the tapes out of the BBC before they could be erased. I copied them on to a Phillips VCR, the only home video then available. For a long time I thought the copies in my cellar would be the only evidence of the show.” Of course, the original tapes survived and have since become one of the biggest international selling videos and DVDs.

Granted, there have been recovery of historically significant video, often owing to resources in Australia, for some reason. Archival footage of 1960s Not Only, But Also was found there and distributed as a DVD relatively recently.

The Beeb is not alone in the practice of degaussing prime video material. Last July, NASA admitted the loss of the original television taping of the first manned lunar landing mission.

NASA admitted in 2006 that no one could find the original video recordings of the July 20, 1969, landing.

Since then, Richard Nafzger, an engineer at NASA’s Goddard Space Flight Center in Maryland, who oversaw television processing at the ground-tracking sites during the Apollo 11 mission, has been looking for them.

The good news is he found where they went. The bad news is they were part of a batch of 200,000 tapes that were degaussed — magnetically erased — and re-used to save money.

(…)

[T]here may be some unofficial copies of the original broadcast out there somewhere that were taken from a NASA video switching center in Sydney, Australia, the space agency said. Nafzger said someone else in Sydney made recordings too.

Instead of picking up the phone and calling Sydney, the bloke had a Hollywood studio restore material from secondary sources. No rocket science going on there. Un-effing-believable.

Back in the late 1990s, I discovered a very interesting new alternative in search engines, called, Google. They were still testing out their new search engine and I remember making suggestions for improvement at the time. I remember they appreciated those suggestions. Eventually, Google overtook every other search engine in popularity, the measure of which was the transformation of their brand into a verb.

In more recent times, Google has become an engine for spammers, with search results cluttered by utter dross with little coherence or relevance. It is a signal to, once again, reevaluate the options. One promising candidate comes from the evil empire, Microsoft, who invented the malware, called, Windows. The newest incarnation of their search engine is called Bing. It is a very respectable achievement and Microsoft is to be commended. The search results tend to be far more relevant and quite free of spam. It’s possibly another example of copying someone else’s creation and making it better.

Give it a go. Make it your new search home page in your preferred browser. And remember, no search engine is forever. That is especially true for Google.

Update: Bing maps seem more up-to-date than Google maps.

As of the date of this post, the website is subject to the iron-fisted pre-emptive actions of what is called the Badware Website Clearinghouse. In a partnership with Google, they seek out websites that could be potentially harmful to visitors in terms of hardware, software, and data. They’ve peremptorily branded this site as a badware site. Who are these people?

StopBadware.org seeks to provide reliable, objective information about downloadable applications in order to help consumers to make better choices about what they download on to their computers. They aim to become a central clearinghouse for research on badware and the bad actors who spread it, and to become a focal point for developing collaborative, community-minded approaches to stopping badware.

The Badware Website Clearinghouse currently has more than 182 thousand reported URLs. You can search the URLs that have been reported to them by their partners and view statistics from their top clearinghouse pages. If you are a site owner and you are flagged by Google and you would like StopBadware.org to review the inclusion of your website in the Badware Website Clearinghouse, you can request a review by filling out their form.

Harvard Law School’s Berkman Center for Internet & Society and Oxford University’s Oxford Internet Institute are leading this initiative with the support of several prominent tech companies, including Google, Lenovo, and Sun Microsystems. Consumer Reports WebWatch is serving as an unpaid special advisor.

John Palfrey, Executive Director of the Berkman Center and Harvard Clinical Professor of Law, and Jonathan Zittrain, Harvard Law Visiting Professor and Professor of Internet Governance and Regulation at Oxford University (who not long ago wrote his best seller “The Future of the Internet — And How to Stop It”), are StopBadware.org co-directors. The Advisory Board also has some “big names” like for example Vinton G. Cerf, who is vice president and chief Internet evangelist for Google. But he is more known as one of the “Fathers of the Internet,” he is the co-designer of the TCP/IP protocols and the architecture of the Internet.

In other words, they’re really big shots in the industry.

Their intentions may be sincere and aboveboard, but the execution of their mission is not all it’s cut out to be. For one thing, there’s no early warning that a site is being targeted by them. They just swoop down and strap a boot to the wheel, without so much as a by your leave. In most cases, webmasters are not aware their wards are under attack, but they pay the price of being locked out by an organization acting as law enforcer, judge, and jury, all in one go and with equal stealth.
Read the rest of this entry »

Forum registration is the gateway to all manner of forum spam and staunching spam at the front door is the most effective policy. In the case of PHPBB forums, a particular method has been developed that is not unique in concept, but perhaps in execution.

The method in question basically imposes the requirement of additional information to be included with CAPTCHA code. Early versions required only a particular character to be prepended to the confirmation code value retrieved in the PHPBB3 forum file, ucp_register.php. However, the further enhancement described here involves random characters that are to some degree cloaked from detection by spam bots.

The cloaking method used is based on this article on cloaking emails. The character, itself, is generated by the following method

#random generator of non-alphanumeric ascii characters
while (is_numeric($randchar = chr(rand(33, 64)))) { continue; }

This random value is passed to a template variable in url encoded form. When the template is downloaded, a javascript decoder function found on Eric Meyer’s web site, converts the character back.
Read the rest of this entry »

It’s considered gauche, not to mention, fruitless, to block ips, but still there are times when brute force is required just to introduce some level of serenity on a site exposed to attack by web server spammers. The provision of subsidiary Apache directives for this purpose usually are not available at the document root level of the web server, so as to avoid unnecessary hits on server performance. In these instances, one has to make do without the handy .htaccess file full of directives to do all sorts of nifty things, among them, blocking ips with the ‘deny from’ command.

An alternative involves using a php script with methods for accomplishing the same objective placed at the head of a file. The targeted objective in this case is not the individual ip address, but ranges encompassing whole countries — as best as can be determined from resources on the web. The resource of interest here is called Country IP Ranges Generator. A target country from the list provided is selected. Next, ‘formatting by input’ is selected. The format to use: {startip}/{netmask}. A complete list is spat out when the “generate” button is clicked. Each line in the list represents a range of possible networks in the country selected. Here is the most current list for the whole of Afghanistan:

#Afghanistan
58.147.128.0/255.255.224.0
110.34.40.0/255.255.248.0
117.55.192.0/255.255.240.0
117.104.224.0/255.255.248.0
119.59.80.0/255.255.248.0
121.100.48.0/255.255.248.0
121.127.32.0/255.255.224.0
125.213.192.0/255.255.224.0
202.56.176.0/255.255.240.0
202.86.16.0/255.255.240.0
203.174.27.0/255.255.255.0
203.215.32.0/255.255.240.0
210.80.0.0/255.255.224.0
210.80.32.0/255.255.224.0

For larger areas, such as China or the Russia Federation, these lists can be quite long, but still quite manageable. The ip ranges can be used selectively or wholesale depending on one’s policy. If you’re targeting a language group for inclusion in your web service, such as a forum or a weblog, you need to avoid wholesale blocking of countries who might include potential participants of the friendly sort. The thing is, the foes tend to wage their exploits from far-flung areas outside North America, if they can get away with it.
Read the rest of this entry »

The subdomain is particularly challenging for those who don’t want to be mucking about with httpd.conf files or otherwise cannot. That’s not to say it is less onerous to achieve the same result within the confines of a domain.

Most often, a subdomain, e.g., wiki.blancmange.net, is nothing more than a virtual domain that points to some subdirectory in the htdoc/public_html root of the parent domain, i.e., blancmange.net (www.* is, as a rule, an alias of the parent domain, rather than a subdomain). In these cases, happily, the attainment of short urls involves only two simple steps (distilled from many hopeful but ultimately unworkable solutions):

• Edit the LocalSettings.php file in the MediaWiki root directory.
• Edit an .htaccess file that will reside in the same directory

In the LocalSettings.php file you will add or change the following to what was automagically generated during the setup of your MediaWiki install:

• $wgScriptPath  = “”;
• $wgArticlePath = “$wgScriptPath/$1″;

Just to be clear, the value assigned to the first variable is a pair of quotes (avoid using the smart quotes in this post).  The one assigned to the second variable is derivative of the first.  The effect is that the url for the main page will look like this:

wiki.blancmange.net/Main_Page

The next step is to add Apache mod_rewrite statements to the .htaccess file.  Here are the statements that seem to make it all happen:

RewriteEngine On
RewriteCond %{HTTP_HOST} wiki.blancmange.net
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.+)$ index.php?title=$1 [L,QSA]

The really key bit here is the second statement.  With it present where it is, the 404 errors you’ve been confounded by are finally brought to an end.

It should be noted that this was achieved on version 1.14.0.