Cruisers Forum
 


Join CruisersForum Today

Reply
 
Thread Tools Rate Thread Display Modes
Old 29-08-2016, 05:38   #31
Registered User

Join Date: May 2015
Location: Auckland, NZ
Boat: Bristol Channel Cutter
Posts: 124
Re: OpenCPN Homepage hacked

Quote:
Originally Posted by rgleason View Post
Yes, Eben your thoughts on a better captcha too? If I can help with the mop up let me know
re-captch is the industry standard.

But I can explain to you how captchas can be defeated too... hint: you don't use a machine but humans. This can be automated too...

I'll wait for Dave to get back to me first though... ultimately it would be up to him to make or endorse any changes.
__________________

__________________
Eben is offline   Reply With Quote
Old 29-08-2016, 05:46   #32
bcn
Registered User

Join Date: May 2011
Location: underway whenever possible
Boat: Rangeboat 39
Posts: 2,282
Re: OpenCPN Homepage hacked

__________________

__________________
bcn is offline   Reply With Quote
Old 29-08-2016, 06:21   #33
Registered User

Join Date: Jul 2010
Location: Monastir, Tunisia
Boat: Westerly Pentland
Posts: 1,571
Re: OpenCPN Homepage hacked

It is irresponsible not to take this website offline immediately. It may get online again when it has been checked for malware.

Gerhard
__________________
CarCode is offline   Reply With Quote
Old 29-08-2016, 17:26   #34
Registered User

Join Date: May 2011
Location: Toronto
Boat: Sandpiper 565
Posts: 2,662
Re: OpenCPN Homepage hacked

Quote:
Originally Posted by Eben View Post
... from a quick inspection the site is running on php so it's highly likely there's some vulnerability somewhere, php is very hard to secure properly.
<derail> Ok, that's just bull. It's not that hard to secure PHP or use it safely.

Now if you're saying that many punters use PHP incorrectly or insecurely... I'd agree.

Blame the n00bs (or lame frameworks), not the language.

Anyway, opencpn.org looks much nicer now.
__________________
Lake-Effect is offline   Reply With Quote
Old 29-08-2016, 17:38   #35
Registered User

Join Date: May 2015
Location: Auckland, NZ
Boat: Bristol Channel Cutter
Posts: 124
Re: OpenCPN Homepage hacked

Quote:
Originally Posted by Lake-Effect View Post
<derail> Ok, that's just bull. It's not that hard to secure PHP or use it safely.

Now if you're saying that many punters use PHP incorrectly or insecurely... I'd agree.

Blame the n00bs (or lame frameworks), not the language.

Anyway, opencpn.org looks much nicer now.
How many PHP sites have you PEN tested?

Have a look on exploitdb for Word Press Vulnerabilities... surely the WP team should know what they are doing with PHP....

Your argument is the same as saying the unchecked buffers in C is not a language fault but a developer fault. If that was the case why do all modern languages have automatic boundary checking on it.

The bottom line is that you need to know about all the pitfalls in PHP in order to avoid them, this is hard in my books, it's a huge cognitive load on the developer and from experience when you're under pressure these are the first things to be neglected. If you're a developer you'll know that you're under pressure more often than not...

Next you'll be telling me that Visual Basic isn't responsible for a lot of half baked applications in the wild...

Anyway I'm not going to argue with you, I come to this forum to escape from work, not to widen my scope...
__________________
Eben is offline   Reply With Quote
Old 29-08-2016, 18:06   #36
Registered User

Join Date: May 2011
Location: Toronto
Boat: Sandpiper 565
Posts: 2,662
Re: OpenCPN Homepage hacked

Hooray - a code pissing contest on CF! Thought I was on /. for a minute

Quote:
Originally Posted by Eben View Post
How many PHP sites have you PEN tested?
Zero. (That's QA's job! ) Whatever the language, they beat us if we're not using best practices. We expend effort when evaluating and selecting frameworks.

Quote:
Have a look on exploitdb for Word Press Vulnerabilities... surely the WP team should know what they are doing with PHP....
Blame WP, not PHP. There are some pretty good commercial-strength PHP frameworks.

Quote:
Your argument is the same as saying the unchecked buffers in C is not a language fault but a developer fault.

The bottom line is that you need to know about all the pitfalls in PHP in order to avoid them, this is hard in my books, it's a huge cognitive load on the developer and from experience when you're under pressure these are the first things to be neglected. If you're a developer you'll know that you're under pressure more often than not...
If you are releasing/exposing C apps to the public, yeah you should bloody well know how to use it.

When a language is easy and popular, yes there's going to be alot of crap implementations. Blame the implementations...

Quote:
Next you'll be telling me that Visual Basic isn't responsible for a lot of half baked applications in the wild...

Anyway I'm not going to argue with you, I come to this forum to escape from work, not to widen my scope...
While I'm no lover of VB, it's not the language... it's the people using it. Anything that makes Uncle John think he's a commercial developer because he wrote some Excel macros... Uncle John's still the problem (... til he gains enough experience and insight). I will humbly suggest that the amount of useful stuff (in-house or otherwise) that people using VB have kicked out outweighs the amount of VB crapware.

I won't continue this derail. (unless you say something really outrageous ) I just couldn't let PHP === insecure go unchallenged . It's a sailing forum.

Fair winds.
__________________
Lake-Effect is offline   Reply With Quote
Old 29-08-2016, 18:48   #37
Registered User
 
rgleason's Avatar

Join Date: Mar 2012
Location: Boston, MA
Boat: 1981 Bristol 32 Sloop
Posts: 7,829
Re: OpenCPN Homepage hacked

The website is in reevaluation mode. Problems such as this are from a healthy dose of inherent code vulnerabilities and the creators who may be second or third party (said with admiration and respect and honor to all creators), and the event is forced by other much more nefarious human beings!

We all have generally the same goals, .....except when we do not.

So lets help fix it? How can I help? I'd like it if this incredible talent could come up with some good suggestions for a rock solid captcha to start with.
__________________
rgleason is offline   Reply With Quote
Old 29-08-2016, 19:06   #38
Registered User

Join Date: May 2015
Location: Auckland, NZ
Boat: Bristol Channel Cutter
Posts: 124
Re: OpenCPN Homepage hacked

Quote:
Originally Posted by Lake-Effect View Post
Hooray - a code pissing contest on CF! Thought I was on /. for a minute
Does anybody still go to /. ???
Quote:
Originally Posted by Lake-Effect View Post

Zero. (That's QA's job! ) Whatever the language, they beat us if we're not using best practices. We expend effort when evaluating and selecting frameworks.
Now you're just trolling, I've never met a QA person who can PEN test...

Quote:
Originally Posted by Lake-Effect View Post

Blame WP, not PHP. There are some pretty good commercial-strength PHP frameworks.
I just gave you one of countless examples....

Quote:
Originally Posted by Lake-Effect View Post

If you are releasing/exposing C apps to the public, yeah you should bloody well know how to use it.
So Microsoft don't know what they are doing as almost all native exploits is some form of buffer over run?

I realise that this example is slightly rhetorical...

How about the Linux kernel team, same principals apply....

Quote:
Originally Posted by Lake-Effect View Post
When a language is easy and popular, yes there's going to be alot of crap implementations. Blame the implementations...
That's like saying cars shouldn't have airbags or seat belts, blame the drivers not the tools....

Quote:
Originally Posted by Lake-Effect View Post

While I'm no lover of VB, it's not the language... it's the people using it. Anything that makes Uncle John think he's a commercial developer because he wrote some Excel macros... Uncle John's still the problem (... til he gains enough experience and insight). I will humbly suggest that the amount of useful stuff (in-house or otherwise) that people using VB have kicked out outweighs the amount of VB crapware.
Sweet I hit a nerve there....

How many times have you had to clean up a mess left by one of these VB rock stars? Even better how many times have you had to deal with customer expectations because it was quick and easy to make a mess with VB but now they want it done properly at quick a dirty cost?

Quote:
Originally Posted by Lake-Effect View Post
I won't continue this derail. (unless you say something really outrageous ) I just couldn't let PHP === insecure go unchallenged . It's a sailing forum.

Fair winds.
I don't think I've said anything that can be classed as outrageous, my views on these things are quite polarising, I'll admit that. I have high standards and would prefer to cull the bottom 80% of the dev pool, my theory is that the remaining 20% would move faster and the world would be a better place...

Also start by culling bad tools.... you wouldn't use a hammer that has a tendency to hit your thumb at random when you least expect it, why tolerate bad tools in the dev world...

Also for the record it's many years of hard work to get as cynical as I am... don't try to mitigate my efforts in one thread on a sailing forum

__________________
Eben is offline   Reply With Quote
Old 29-08-2016, 19:08   #39
Registered User

Join Date: May 2015
Location: Auckland, NZ
Boat: Bristol Channel Cutter
Posts: 124
Re: OpenCPN Homepage hacked

Quote:
Originally Posted by rgleason View Post
The website is in reevaluation mode. Problems such as this are from a healthy dose of inherent code vulnerabilities and the creators who may be second or third party (said with admiration and respect and honor to all creators), and the event is forced by other much more nefarious human beings!

We all have generally the same goals, .....except when we do not.

So lets help fix it? How can I help? I'd like it if this incredible talent could come up with some good suggestions for a rock solid captcha to start with.
Stop it!

You're trying to re-invent the wheel, re-captcha will do the job better than anything any of us can dream up and build. It's this whole not in my back yard attitude that leads to the fractured state of software...

Ok that's the last cookie I'm giving this troll....
__________________
Eben is offline   Reply With Quote
Old 29-08-2016, 19:24   #40
Registered User
 
rgleason's Avatar

Join Date: Mar 2012
Location: Boston, MA
Boat: 1981 Bristol 32 Sloop
Posts: 7,829
Re: OpenCPN Homepage hacked

Captchas try to separate bots from humans....
https://www.usertesting.com/blog/201...-alternatives/
https://www.usertesting.com/blog/201...-alternatives/
visualCaptcha Static jQuery Demo - The best captcha alternative
https://www.smashingmagazine.com/201...rfect-captcha/
https://www.dexmedia.com/blog/honeypot-technique/
Publishers II Solution for Every Need
Sweet Captcha - Free Human Friendly Captcha

Off course the spambots are all made by humans.
So is separating human from machine going to solve the problem?

Double authentication, sms to cell, might help, but create other barriers.
We need some good practical solutions that can be easily implemented.
__________________
rgleason is offline   Reply With Quote
Old 29-08-2016, 19:33   #41
Registered User
 
rgleason's Avatar

Join Date: Mar 2012
Location: Boston, MA
Boat: 1981 Bristol 32 Sloop
Posts: 7,829
Re: OpenCPN Homepage hacked

Eben, I know very little, except I inherited a website with Wordpress CMS and we suffered abuse for a year. AWS became my friend byzantine as it was.
__________________
rgleason is offline   Reply With Quote
Old 30-08-2016, 01:23   #42
Registered User

Join Date: May 2015
Location: Auckland, NZ
Boat: Bristol Channel Cutter
Posts: 124
Re: OpenCPN Homepage hacked

Quote:
Originally Posted by rgleason View Post
Captchas try to separate bots from humans....
https://www.usertesting.com/blog/201...-alternatives/
https://www.usertesting.com/blog/201...-alternatives/
visualCaptcha Static jQuery Demo - The best captcha alternative
https://www.smashingmagazine.com/201...rfect-captcha/
https://www.dexmedia.com/blog/honeypot-technique/
Publishers II Solution for Every Need
Sweet Captcha - Free Human Friendly Captcha

Off course the spambots are all made by humans.
So is separating human from machine going to solve the problem?

Double authentication, sms to cell, might help, but create other barriers.
We need some good practical solutions that can be easily implemented.
Quote:
Originally Posted by rgleason View Post
Thanks. Eben. I am no troll. Just a problem solver.
Quote:
Originally Posted by rgleason View Post
Eben, I know very little, except I inherited a website with Wordpress CMS and we suffered abuse for a year. AWS became my friend byzantine as it was.
Maybe you should build the captcha to rule them all, clearly those of us building software (Only 20 or so years experience, still relatively inexperienced in the scheme of things), are too stupid to solve these problems.

The comment about bots being built by humans being the same as humans is quite naive... AI is just glorified searching, granted with big data it appears quite convincing. I suggest you pick up a computer science text book on AI and discover this for yourself. A person can reason, a machine cannot. I don't care who says what about AI, study it and then come tell me otherwise...
__________________
Eben is offline   Reply With Quote
Old 30-08-2016, 05:11   #43
Registered User
 
Snore's Avatar

Join Date: Jan 2011
Location: SFL& St Petersburg
Boat: Tartan 33
Posts: 1,640
Re: OpenCPN Homepage hacked

Ok---- for us non-programmers. Is the site safe to use?


Sent from my iPhone- please forgive autocorrect errors.
__________________
"Whenever...it requires a strong moral principle to prevent me from deliberately stepping into the street, and methodically knocking people's hats off- then, I account it high time to get to sea..." Ishmael
Snore is online now   Reply With Quote
Old 30-08-2016, 05:15   #44
Registered User

Join Date: Feb 2010
Location: On the go. Not in Prague.
Posts: 3,927
Re: OpenCPN Homepage hacked

Snore...
Of course.

Pavel
__________________
nohal is offline   Reply With Quote
Old 30-08-2016, 05:27   #45
Registered User
 
transmitterdan's Avatar

Join Date: Oct 2011
Boat: Valiant 42
Posts: 3,210
OpenCPN Homepage hacked

Quote:
Originally Posted by Snore View Post
Ok---- for us non-programmers. Is the site safe to use?


Sent from my iPhone- please forgive autocorrect errors.
Snore,

It's hard to say. Some jerks have been able to make accounts and add bogus tasks to the bug tracker. Since the web pages themselves can be edited by users with accounts it's possible these same jerks have put malicious links into some of the web pages. Just looking at the home page it seems to look normal now. There were no bots or spammers logged in just a few minutes ago.

What do you need from the web site?

Edit: if Pavel says it's ok that's good enough for me.
__________________

__________________
transmitterdan is offline   Reply With Quote
Reply

Tags
enc, opencpn

Thread Tools
Display Modes Rate This Thread
Rate This Thread:

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Trackbacks are Off
Pingbacks are Off
Refbacks are Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Homepage OCPN 4.2 Aart K. OpenCPN 0 08-03-2016 07:39
What's with the homepage? Vasco Forum Tech Support & Site Help 7 02-10-2008 09:26
Homepage... rubinum General Sailing Forum 19 04-01-2005 14:03
ericson homepage grover2 General Sailing Forum 1 27-04-2004 12:51


Our Communities

Our communities encompass many different hobbies and interests, but each one is built on friendly, intelligent membership.

» More about our Communities

Automotive Communities

Our Automotive communities encompass many different makes and models. From U.S. domestics to European Saloons.

» More about our Automotive Communities

Marine Communities

Our Marine websites focus on Cruising and Sailing Vessels, including forums and the largest cruising Wiki project on the web today.

» More about our Marine Communities


Copyright 2002- Social Knowledge, LLC All Rights Reserved.

All times are GMT -7. The time now is 22:47.


Google+
Powered by vBulletin® Version 3.8.8 Beta 1
Copyright ©2000 - 2017, vBulletin Solutions, Inc.
Social Knowledge Networks
Powered by vBulletin® Version 3.8.8 Beta 1
Copyright ©2000 - 2017, vBulletin Solutions, Inc.

ShowCase vBulletin Plugins by Drive Thru Online, Inc.