Looking for crackers/hackers. - Tilted Forum Project Discussion Community

LoganSnake · 08-04-2007, 09:47 AM

Hey guys. My friend wrote his own verification sequence for his forums and needs hackers/crackers to test the security of it. If you are interested in trying to bypass it, please reply either here or send me a PM.

Thanks!

Dilbert1234567 · 08-04-2007, 10:16 AM

do we get access to the source code?

LoganSnake · 08-04-2007, 12:46 PM

No, source code will not be provided.

Dilbert1234567 · 08-04-2007, 01:08 PM

security through obfuscation is not security.

LoganSnake · 08-04-2007, 01:33 PM

That's great, but he simply wanted me to ask for people to try and get around it as a normal user would if he wanted to create a spambot. I doubt he'd have access to the source code then.

Pragma · 08-04-2007, 05:29 PM

Out of curiosity, why did your friend write his own code instead of using some freely available spambot proof forum code? Basic rule of thumb is that if you think you're clever and will come up with your own verification / encryption algorithm ... you're not. Tried and true really does tend to be the best option.

That being said: if the algorithm is at all good, publishing it won't diminish the security of the application.

Dilbert1234567 · 08-04-2007, 05:44 PM

if you can stand up and say, "here is my code, here is how it works, you can't beat it, you can't stop it, you can't disrupt it," only then do you have a good algorithm. if you feel that you have to hide it, there is probably a reason you need to hide it.

LoganSnake · 08-04-2007, 06:01 PM

I'll summarize what he replied with.

He got a custom script because loopholes are always found in open source software and he didn't want to be exposed to those. His company's PHPBB board has been hacked before. As soon as he removed the line that shows the PHBB version, there hasn't been an attempt to hack it. He says it's a very simple algorithm and that there are no problems within it. What he's looking for is to see if somebody could read the image verification, not bypass it (I guess that was my mistake). And for that, you don't need the source code.

billege · 08-04-2007, 07:27 PM

Quote:

Originally Posted by LoganSnake

... loopholes are always found in open source software ...

First let me say that I'm sorry it feels like I'm going to help "gang up" on you, when you just want one thing, and everyone's taking a slightly different tact on this question instead of what you actually asked for.

Second, I'd be happy to simply help, if I was any kind of hacker/cracker; but, I'm not.

I'm compelled to add a comment about your friend's possible mis-understanding of open source software. The idea that "loopholes are always found in open source" software indicates either a poor or deliberate mis-understanding of what open source is, and also why mistakes are found in it.

Open source software is not inherently flawed, except in the sense that it's written by human beings. If the software source is found to have flaws, they're known, identified, and fixed. If open source software is thought to have "more errors" than closed source, it's because the flaws in open source are talked about openly. Closed source flaws are not talked about, and often are unknown.

With the same similarly flawed closed-source software; no one identifies flaws and shares them, they are not dealt with. Often, they're only discovered by those exploiting them and kept secret.

Closed-source anything is a bad philosophy which only came about because of an economic system that prized secrecy. It's a foolish system of thought and should go away.

Somewhat generally speaking, anyone who thinks open source software "always has loopholes" is wrong, and is making a public display of how little they know about the subject matter.

LoganSnake · 08-05-2007, 05:26 AM

The thing is that he's using an older version of PHPBB with very well known exploits that he does not want to be subjected to.

billege · 08-05-2007, 07:43 AM

Aye sea.

Word up.

catback · 08-05-2007, 10:28 AM

open source has spoiled the children, the thought that openly viewable code somehow makes for better security due to flaw identification and the update that comes afterwards is foolish. While it's true that flaws are found and updated by the public or the creator the time from identification to fix leaves the software knowingly at risk and even after the fix the users of the software are still at risk until they get the patch/update. Closed source is better secured, yes obscurity is good security, so long as it's not forgotten and checked/updated every so often. Put it this way is it better that the whole world knows you keep a spare key to your home under your doormat or if only a few people in the world know? I mean sure if everyone on earth knows your key is under your doormat someone can tell you that you need to get rid of the spare under the doormat but if your at work you have to wait to get home all the meanwhile everyone knows that your key is under the doormat unless you fixed the situation. So is that more secure than just a few people knowing and no one really telling you you shouldn't have it there.

08-04-2007, 09:47 AM	#1 (permalink)
LoganSnake We work alone Location: Cake Town	Looking for crackers/hackers. Hey guys. My friend wrote his own verification sequence for his forums and needs hackers/crackers to test the security of it. If you are interested in trying to bypass it, please reply either here or send me a PM. Thanks! __________________ Maturity is knowing you were an idiot in the past. Wisdom is knowing that you'll be an idiot in the future. Common sense is knowing that you should try not to be an idiot now. - J. Jacques

08-04-2007, 10:16 AM	#2 (permalink)
Dilbert1234567 Devils Cabana Boy Location: Central Coast CA	do we get access to the source code? __________________ Donate Blood! "Love is not finding the perfect person, but learning to see an imperfect person perfectly." -Sam Keen

08-04-2007, 12:46 PM	#3 (permalink)
LoganSnake We work alone Location: Cake Town	No, source code will not be provided. __________________ Maturity is knowing you were an idiot in the past. Wisdom is knowing that you'll be an idiot in the future. Common sense is knowing that you should try not to be an idiot now. - J. Jacques

08-04-2007, 01:08 PM	#4 (permalink)
Dilbert1234567 Devils Cabana Boy Location: Central Coast CA	security through obfuscation is not security. __________________ Donate Blood! "Love is not finding the perfect person, but learning to see an imperfect person perfectly." -Sam Keen

08-04-2007, 01:33 PM	#5 (permalink)
LoganSnake We work alone Location: Cake Town	That's great, but he simply wanted me to ask for people to try and get around it as a normal user would if he wanted to create a spambot. I doubt he'd have access to the source code then. __________________ Maturity is knowing you were an idiot in the past. Wisdom is knowing that you'll be an idiot in the future. Common sense is knowing that you should try not to be an idiot now. - J. Jacques

08-04-2007, 05:29 PM	#6 (permalink)
Pragma I am Winter Born Location: Alexandria, VA	Out of curiosity, why did your friend write his own code instead of using some freely available spambot proof forum code? Basic rule of thumb is that if you think you're clever and will come up with your own verification / encryption algorithm ... you're not. Tried and true really does tend to be the best option. That being said: if the algorithm is at all good, publishing it won't diminish the security of the application. __________________ Eat antimatter, Posleen-boy!

08-04-2007, 05:44 PM	#7 (permalink)
Dilbert1234567 Devils Cabana Boy Location: Central Coast CA	if you can stand up and say, "here is my code, here is how it works, you can't beat it, you can't stop it, you can't disrupt it," only then do you have a good algorithm. if you feel that you have to hide it, there is probably a reason you need to hide it. __________________ Donate Blood! "Love is not finding the perfect person, but learning to see an imperfect person perfectly." -Sam Keen

08-04-2007, 06:01 PM	#8 (permalink)
LoganSnake We work alone Location: Cake Town	I'll summarize what he replied with. He got a custom script because loopholes are always found in open source software and he didn't want to be exposed to those. His company's PHPBB board has been hacked before. As soon as he removed the line that shows the PHBB version, there hasn't been an attempt to hack it. He says it's a very simple algorithm and that there are no problems within it. What he's looking for is to see if somebody could read the image verification, not bypass it (I guess that was my mistake). And for that, you don't need the source code. __________________ Maturity is knowing you were an idiot in the past. Wisdom is knowing that you'll be an idiot in the future. Common sense is knowing that you should try not to be an idiot now. - J. Jacques

08-05-2007, 05:26 AM	#10 (permalink)
LoganSnake We work alone Location: Cake Town	The thing is that he's using an older version of PHPBB with very well known exploits that he does not want to be subjected to. __________________ Maturity is knowing you were an idiot in the past. Wisdom is knowing that you'll be an idiot in the future. Common sense is knowing that you should try not to be an idiot now. - J. Jacques

08-05-2007, 07:43 AM	#11 (permalink)
billege Watcher Location: Ohio	Aye sea. Word up. __________________ I can sum up the clash of religion in one sentence: "My Invisible Friend is better than your Invisible Friend."

08-05-2007, 10:28 AM	#12 (permalink)
catback Psycho Location: North America	open source has spoiled the children, the thought that openly viewable code somehow makes for better security due to flaw identification and the update that comes afterwards is foolish. While it's true that flaws are found and updated by the public or the creator the time from identification to fix leaves the software knowingly at risk and even after the fix the users of the software are still at risk until they get the patch/update. Closed source is better secured, yes obscurity is good security, so long as it's not forgotten and checked/updated every so often. Put it this way is it better that the whole world knows you keep a spare key to your home under your doormat or if only a few people in the world know? I mean sure if everyone on earth knows your key is under your doormat someone can tell you that you need to get rid of the spare under the doormat but if your at work you have to wait to get home all the meanwhile everyone knows that your key is under the doormat unless you fixed the situation. So is that more secure than just a few people knowing and no one really telling you you shouldn't have it there.