Cruisers Forum
 


Old 29-08-2016, 04:38   #31
Registered User

Join Date: May 2015
Location: Auckland, NZ
Boat: Bristol Channel Cutter
Posts: 126
Re: OpenCPN Homepage hacked

Quote:
Originally Posted by rgleason View Post
Yes, Eben your thoughts on a better captcha too? If I can help with the mop up let me know
reCAPTCHA is the industry standard.

But I can explain to you how captchas can be defeated too... hint: you don't use a machine but humans. This can be automated too...

I'll wait for Dave to get back to me first though... ultimately it would be up to him to make or endorse any changes.
Eben is offline   Reply With Quote
Old 29-08-2016, 04:46   #32
bcn
Registered User

Join Date: May 2011
Location: underway whenever possible
Boat: Rangeboat 39
Posts: 4,740
Re: OpenCPN Homepage hacked

bcn is offline   Reply With Quote
Old 29-08-2016, 05:21   #33
Registered User

Join Date: Jul 2010
Location: Hannover - Germany
Boat: Amel Sharki
Posts: 2,541
Re: OpenCPN Homepage hacked

It is irresponsible not to take this website offline immediately. It may get online again when it has been checked for malware.

Gerhard
CarCode is offline   Reply With Quote
Old 29-08-2016, 16:26   #34
Registered User

Join Date: May 2011
Location: Lake Ont
Posts: 8,548
Re: OpenCPN Homepage hacked

Quote:
Originally Posted by Eben View Post
... from a quick inspection the site is running on php so it's highly likely there's some vulnerability somewhere, php is very hard to secure properly.
<derail> Ok, that's just bull. It's not that hard to secure PHP or use it safely.

Now if you're saying that many punters use PHP incorrectly or insecurely... I'd agree.

Blame the n00bs (or lame frameworks), not the language.

Anyway, opencpn.org looks much nicer now.
Lake-Effect is offline   Reply With Quote
Old 29-08-2016, 16:38   #35
Registered User

Join Date: May 2015
Location: Auckland, NZ
Boat: Bristol Channel Cutter
Posts: 126
Re: OpenCPN Homepage hacked

Quote:
Originally Posted by Lake-Effect View Post
<derail> Ok, that's just bull. It's not that hard to secure PHP or use it safely.

Now if you're saying that many punters use PHP incorrectly or insecurely... I'd agree.

Blame the n00bs (or lame frameworks), not the language.

Anyway, opencpn.org looks much nicer now.
How many PHP sites have you pen tested?

Have a look on exploitdb for WordPress vulnerabilities... surely the WP team should know what they are doing with PHP....

Your argument is the same as saying the unchecked buffers in C are not a language fault but a developer fault. If that were the case, why do all modern languages have automatic boundary checking?

The bottom line is that you need to know about all the pitfalls in PHP in order to avoid them, this is hard in my books, it's a huge cognitive load on the developer and from experience when you're under pressure these are the first things to be neglected. If you're a developer you'll know that you're under pressure more often than not...

Next you'll be telling me that Visual Basic isn't responsible for a lot of half baked applications in the wild...

Anyway I'm not going to argue with you, I come to this forum to escape from work, not to widen my scope...
Eben is offline   Reply With Quote
Old 29-08-2016, 17:06   #36
Registered User

Join Date: May 2011
Location: Lake Ont
Posts: 8,548
Re: OpenCPN Homepage hacked

Hooray - a code pissing contest on CF! Thought I was on /. for a minute

Quote:
Originally Posted by Eben View Post
How many PHP sites have you pen tested?
Zero. (That's QA's job! ) Whatever the language, they beat us if we're not using best practices. We expend effort when evaluating and selecting frameworks.

Quote:
Have a look on exploitdb for WordPress vulnerabilities... surely the WP team should know what they are doing with PHP....
Blame WP, not PHP. There are some pretty good commercial-strength PHP frameworks.

Quote:
Your argument is the same as saying the unchecked buffers in C is not a language fault but a developer fault.

The bottom line is that you need to know about all the pitfalls in PHP in order to avoid them, this is hard in my books, it's a huge cognitive load on the developer and from experience when you're under pressure these are the first things to be neglected. If you're a developer you'll know that you're under pressure more often than not...
If you are releasing/exposing C apps to the public, yeah you should bloody well know how to use it.

When a language is easy and popular, yes there's going to be a lot of crap implementations. Blame the implementations...

Quote:
Next you'll be telling me that Visual Basic isn't responsible for a lot of half baked applications in the wild...

Anyway I'm not going to argue with you, I come to this forum to escape from work, not to widen my scope...
While I'm no lover of VB, it's not the language... it's the people using it. Anything that makes Uncle John think he's a commercial developer because he wrote some Excel macros... Uncle John's still the problem (... til he gains enough experience and insight). I will humbly suggest that the amount of useful stuff (in-house or otherwise) that people using VB have kicked out outweighs the amount of VB crapware.

I won't continue this derail. (unless you say something really outrageous ) I just couldn't let PHP === insecure go unchallenged . It's a sailing forum.

Fair winds.
Lake-Effect is offline   Reply With Quote
Old 29-08-2016, 17:48   #37
Registered User
 

Join Date: Mar 2012
Location: Boston, MA
Boat: 1981 Bristol 32 Sloop
Posts: 17,633
Images: 2
Re: OpenCPN Homepage hacked

The website is in reevaluation mode. Problems such as this are from a healthy dose of inherent code vulnerabilities and the creators who may be second or third party (said with admiration and respect and honor to all creators), and the event is forced by other much more nefarious human beings!

We all have generally the same goals, .....except when we do not.

So lets help fix it? How can I help? I'd like it if this incredible talent could come up with some good suggestions for a rock solid captcha to start with.
rgleason is offline   Reply With Quote
Old 29-08-2016, 18:06   #38
Registered User

Join Date: May 2015
Location: Auckland, NZ
Boat: Bristol Channel Cutter
Posts: 126
Re: OpenCPN Homepage hacked

Quote:
Originally Posted by Lake-Effect View Post
Hooray - a code pissing contest on CF! Thought I was on /. for a minute
Does anybody still go to /. ???
Quote:
Originally Posted by Lake-Effect View Post

Zero. (That's QA's job! ) Whatever the language, they beat us if we're not using best practices. We expend effort when evaluating and selecting frameworks.
Now you're just trolling, I've never met a QA person who can pen test...

Quote:
Originally Posted by Lake-Effect View Post

Blame WP, not PHP. There are some pretty good commercial-strength PHP frameworks.
I just gave you one of countless examples....

Quote:
Originally Posted by Lake-Effect View Post

If you are releasing/exposing C apps to the public, yeah you should bloody well know how to use it.
So Microsoft don't know what they are doing, as almost all native exploits are some form of buffer overrun?

I realise that this example is slightly rhetorical...

How about the Linux kernel team, same principles apply....

Quote:
Originally Posted by Lake-Effect View Post
When a language is easy and popular, yes there's going to be a lot of crap implementations. Blame the implementations...
That's like saying cars shouldn't have airbags or seat belts, blame the drivers not the tools....

Quote:
Originally Posted by Lake-Effect View Post

While I'm no lover of VB, it's not the language... it's the people using it. Anything that makes Uncle John think he's a commercial developer because he wrote some Excel macros... Uncle John's still the problem (... til he gains enough experience and insight). I will humbly suggest that the amount of useful stuff (in-house or otherwise) that people using VB have kicked out outweighs the amount of VB crapware.
Sweet I hit a nerve there....

How many times have you had to clean up a mess left by one of these VB rock stars? Even better, how many times have you had to deal with customer expectations because it was quick and easy to make a mess with VB but now they want it done properly at a quick and dirty cost?

Quote:
Originally Posted by Lake-Effect View Post
I won't continue this derail. (unless you say something really outrageous ) I just couldn't let PHP === insecure go unchallenged . It's a sailing forum.

Fair winds.
I don't think I've said anything that can be classed as outrageous, my views on these things are quite polarising, I'll admit that. I have high standards and would prefer to cull the bottom 80% of the dev pool, my theory is that the remaining 20% would move faster and the world would be a better place...

Also start by culling bad tools.... you wouldn't use a hammer that has a tendency to hit your thumb at random when you least expect it, why tolerate bad tools in the dev world...

Also for the record it's many years of hard work to get as cynical as I am... don't try to mitigate my efforts in one thread on a sailing forum

Eben is offline   Reply With Quote
Old 29-08-2016, 18:08   #39
Registered User

Join Date: May 2015
Location: Auckland, NZ
Boat: Bristol Channel Cutter
Posts: 126
Re: OpenCPN Homepage hacked

Quote:
Originally Posted by rgleason View Post
The website is in reevaluation mode. Problems such as this are from a healthy dose of inherent code vulnerabilities and the creators who may be second or third party (said with admiration and respect and honor to all creators), and the event is forced by other much more nefarious human beings!

We all have generally the same goals, .....except when we do not.

So lets help fix it? How can I help? I'd like it if this incredible talent could come up with some good suggestions for a rock solid captcha to start with.
Stop it!

You're trying to re-invent the wheel, reCAPTCHA will do the job better than anything any of us can dream up and build. It's this whole not in my back yard attitude that leads to the fractured state of software...

Ok that's the last cookie I'm giving this troll....
Eben is offline   Reply With Quote
Old 29-08-2016, 18:24   #40
Registered User
 

Join Date: Mar 2012
Location: Boston, MA
Boat: 1981 Bristol 32 Sloop
Posts: 17,633
Images: 2
Re: OpenCPN Homepage hacked

Captchas try to separate bots from humans....
https://www.usertesting.com/blog/201...-alternatives/
https://www.usertesting.com/blog/201...-alternatives/
visualCaptcha Static jQuery Demo - The best captcha alternative
https://www.smashingmagazine.com/201...rfect-captcha/
https://www.dexmedia.com/blog/honeypot-technique/
Publishers II Solution for Every Need
Sweet Captcha - Free Human Friendly Captcha

Of course the spambots are all made by humans.
So is separating human from machine going to solve the problem?

Double authentication, SMS to cell, might help, but create other barriers.
We need some good practical solutions that can be easily implemented.
rgleason is offline   Reply With Quote
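The honeypot and timing checks rgleason links to above, written out as an added example (this is not code from the forum, from opencpn.org or from any of the linked pages). The field names, the thresholds and the way the secret is loaded are assumptions. Two independent signals are used: a hidden form field that a human never sees but a form-filling bot usually populates, and an HMAC-signed timestamp issued when the form is rendered, so the server can reject submissions that arrive implausibly fast or replay a token harvested long ago.

```python
"""Server-side spam-bot checks for a registration form: a honeypot field
and an HMAC-signed timing token. Added example, not code from opencpn.org
or from any forum post. Field names and thresholds are assumptions."""
import hashlib
import hmac
import secrets
import time

# Assumed per-deployment secret. In production load it from configuration,
# never generate it at import time or commit it to source.
SERVER_SECRET = secrets.token_bytes(32)

HONEYPOT_FIELD = "website"     # hidden via CSS; humans never fill it, bots usually do
MIN_FILL_SECONDS = 3           # faster than this is almost certainly a script
MAX_FORM_AGE_SECONDS = 3600    # tokens expire so a harvested one cannot be replayed forever


def issue_form_token(now=None, secret=SERVER_SECRET):
    """Value for a hidden field written into the form when the page is rendered.
    Format: <issued_at>.<hex HMAC-SHA256>, so the client cannot forge the timestamp."""
    issued = int(time.time() if now is None else now)
    mac = hmac.new(secret, str(issued).encode(), hashlib.sha256).hexdigest()
    return f"{issued}.{mac}"


def check_submission(form, now=None, secret=SERVER_SECRET):
    """Return (accepted, reason) for a POSTed field dict."""
    now = time.time() if now is None else now

    # 1. Honeypot: any value in the invisible field marks an automated submission.
    if form.get(HONEYPOT_FIELD, ""):
        return False, "honeypot filled"

    # 2. Timing token: must be present, authentic and inside the allowed window.
    token = form.get("form_token", "")
    issued_str, _, mac = token.partition(".")
    if not issued_str.isdigit() or not mac:
        return False, "missing or malformed token"
    expected = hmac.new(secret, issued_str.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, mac):   # constant-time comparison
        return False, "token signature invalid"
    elapsed = now - int(issued_str)
    if elapsed < MIN_FILL_SECONDS:
        return False, "submitted too fast"
    if elapsed > MAX_FORM_AGE_SECONDS:
        return False, "token expired"
    return True, "ok"


if __name__ == "__main__":
    token = issue_form_token()
    fields = {"form_token": token, "email": "skipper@example.net"}   # constructed input
    print(check_submission(fields))                                    # rejected: too fast
    print(check_submission(fields, now=time.time() + 10))              # accepted
    print(check_submission({**fields, HONEYPOT_FIELD: "http://spam.example"},
                           now=time.time() + 10))                      # rejected: honeypot
```

These two checks stop the naive form-stuffing scripts that account for most registration spam and cost legitimate users nothing, which is their whole appeal over a visual CAPTCHA. They do not stop the human-in-the-loop solving Eben mentions earlier in the thread, so on a site that has already been targeted they belong alongside reCAPTCHA or a second factor rather than in place of them.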
Old 29-08-2016, 18:33   #41
Registered User
 

Join Date: Mar 2012
Location: Boston, MA
Boat: 1981 Bristol 32 Sloop
Posts: 17,633
Images: 2
Re: OpenCPN Homepage hacked

Eben, I know very little, except I inherited a website with WordPress CMS and we suffered abuse for a year. AWS became my friend, byzantine as it was.
rgleason is offline   Reply With Quote
Old 30-08-2016, 00:23   #42
Registered User

Join Date: May 2015
Location: Auckland, NZ
Boat: Bristol Channel Cutter
Posts: 126
Re: OpenCPN Homepage hacked

Quote:
Originally Posted by rgleason View Post
Captchas try to separate bots from humans....
https://www.usertesting.com/blog/201...-alternatives/
https://www.usertesting.com/blog/201...-alternatives/
visualCaptcha Static jQuery Demo - The best captcha alternative
https://www.smashingmagazine.com/201...rfect-captcha/
https://www.dexmedia.com/blog/honeypot-technique/
Publishers II Solution for Every Need
Sweet Captcha - Free Human Friendly Captcha

Of course the spambots are all made by humans.
So is separating human from machine going to solve the problem?

Double authentication, SMS to cell, might help, but create other barriers.
We need some good practical solutions that can be easily implemented.
Quote:
Originally Posted by rgleason View Post
Thanks. Eben. I am no troll. Just a problem solver.
Quote:
Originally Posted by rgleason View Post
Eben, I know very little, except I inherited a website with Wordpress CMS and we suffered abuse for a year. AWS became my friend byzantine as it was.
Maybe you should build the captcha to rule them all, clearly those of us building software (Only 20 or so years experience, still relatively inexperienced in the scheme of things), are too stupid to solve these problems.

The comment about bots being built by humans being the same as humans is quite naive... AI is just glorified searching, granted with big data it appears quite convincing. I suggest you pick up a computer science text book on AI and discover this for yourself. A person can reason, a machine cannot. I don't care who says what about AI, study it and then come tell me otherwise...
Eben is offline   Reply With Quote
Old 30-08-2016, 04:11   #43
Marine Service Provider
 

Join Date: Jan 2011
Location: St. Petersburg, FL
Boat: Retired Delivery Capt
Posts: 3,685
Re: OpenCPN Homepage hacked

Ok---- for us non-programmers. Is the site safe to use?


Sent from my iPhone- please forgive autocorrect errors.
__________________
"Whenever...it requires a strong moral principle to prevent me from deliberately stepping into the street, and methodically knocking people's hats off- then, I account it high time to get to sea..." Ishmael
Snore is offline   Reply With Quote
Old 30-08-2016, 04:15   #44
Registered User

Join Date: Feb 2010
Location: Tierra del Fuego
Boat: Phantom 19
Posts: 6,211
Re: OpenCPN Homepage hacked

Snore...
Of course.

Pavel
nohal is offline   Reply With Quote
Old 30-08-2016, 04:27   #45
Registered User
 

Join Date: Oct 2011
Boat: Valiant 42
Posts: 6,008
OpenCPN Homepage hacked

Quote:
Originally Posted by Snore View Post
Ok---- for us non-programmers. Is the site safe to use?


Sent from my iPhone- please forgive autocorrect errors.
Snore,

It's hard to say. Some jerks have been able to make accounts and add bogus tasks to the bug tracker. Since the web pages themselves can be edited by users with accounts it's possible these same jerks have put malicious links into some of the web pages. Just looking at the home page it seems to look normal now. There were no bots or spammers logged in just a few minutes ago.

What do you need from the web site?

Edit: if Pavel says it's ok that's good enough for me.
transmitterdan is offline   Reply With Quote
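One check an admin would want after the kind of incident transmitterdan describes, where attackers could register accounts and every page is editable by account holders: sweep the stored HTML for links that should not be there. The following is an added example, not opencpn.org's own tooling; the allowlist of expected hosts and the sample page are constructed for illustration. It flags links to hosts outside the allowlist, `javascript:`/`data:` URLs, embedded iframes and scripts, and anchors hidden with CSS (the usual shape of planted SEO spam), and it reads the host via `urlsplit` so a `user@host` trick in the URL cannot make a foreign host look like the site's own.

```python
"""Audit outbound links in user-editable HTML after a site compromise.
Added example, not opencpn.org's tooling. Allowlist and sample page are
constructed for illustration."""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed: hosts the site is expected to link to. Anything else gets flagged.
ALLOWED_HOSTS = {"opencpn.org", "www.opencpn.org", "github.com", "www.cruisersforum.com"}
RISKY_SCHEMES = {"javascript", "data", "vbscript"}


class LinkCollector(HTMLParser):
    """Collect (href, anchor text, hidden?) for <a>, plus iframe/script sources."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._open = None   # (href, hidden, text chunks) while inside an <a>

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href") is not None:
            style = (a.get("style") or "").replace(" ", "").lower()
            hidden = ("display:none" in style or "visibility:hidden" in style
                      or "hidden" in a)
            self._open = (a["href"].strip(), hidden, [])
        elif tag in ("iframe", "script") and a.get("src"):
            self.links.append((a["src"].strip(), f"<{tag} src>", False))

    def handle_data(self, data):
        if self._open:
            self._open[2].append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._open:
            href, hidden, chunks = self._open
            self.links.append((href, "".join(chunks).strip(), hidden))
            self._open = None


def audit_links(html, allowed_hosts=ALLOWED_HOSTS):
    """Return [(href, reason)] for every link that warrants a manual look."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, _text, hidden in parser.links:
        parts = urlsplit(href)
        scheme = parts.scheme.lower()
        # .hostname strips userinfo and port and lowercases, so
        # "https://www.opencpn.org@evil.example/" resolves to evil.example.
        host = parts.hostname or ""
        if scheme in RISKY_SCHEMES:
            findings.append((href, f"{scheme}: URL in content"))
        elif scheme in ("http", "https") and host not in allowed_hosts:
            reason = "external host not on allowlist"
            if hidden:
                reason += " (hidden link, classic SEO spam)"
            findings.append((href, reason))
        elif hidden:
            findings.append((href, "hidden link"))
    return findings


# Constructed sample page: two legitimate links, one relative link, and three plants.
SAMPLE_PAGE = """
<html><body>
<p>Download <a href="https://github.com/OpenCPN/OpenCPN/releases">OpenCPN</a>.</p>
<p>Forum: <a href="https://www.cruisersforum.com/forums/">CruisersForum</a></p>
<p><a href="https://www.opencpn.org@pills.example/buy" style="display: none">cheap meds</a></p>
<a href="javascript:alert(1)">click</a>
<a href="/docs/manual.html">Manual</a>
<iframe src="https://tracker.example/ad"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for href, reason in audit_links(SAMPLE_PAGE):
        print(f"{reason:55s} {href}")
```

Run it over every page and bug-tracker entry exported from the database, not just the rendered home page, since a page that "looks normal" in a browser is exactly what a hidden anchor is designed to produce. Anything on the findings list gets a human decision; the allowlist is the only tuning knob.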
Tags
enc, opencpn

