Show Posts

Messages - Nao
4606
Off-topic / Re: PHPSESSID Brute force
« on August 22nd, 2012, 08:27 PM »
I find it a bit sad that someone would release a security report like this one -- i.e. something that can be applied to any dynamic website, and thus can't be 'fixed' magically by something else... (Like a dev patch!)

Don't worry, I have trouble understanding the implications of that page myself.
Heck, maybe it's really not much to worry about. Or maybe it is, for everyone, and it's an early Apocalypse Christmas 2012!
4607
The Pub / Re: RSS feeds (Was: Some admin options required)
« on August 22nd, 2012, 07:02 PM »
Quote from Arantor on August 22nd, 2012, 06:57 PM
I was purely talking about icons and hiding links on boards that aren't accessible.
But, if the boards are inaccessible, surely the links are as well...? (Unless you mean they're shown in the sidebar even though one gets a "Board doesn't exist" error...?)
Quote
To implement this is massively more complicated because it requires either fudging and re-calling the loading of the user (to re-handle board access) or doing it all manually.
Obviously, we'd have to reload the user yes.
Quote
It's not pretty, anyway (and either way has performance issues),
But it may be better than simply showing nothing if you're adding your favorite private board to Google Reader... (or any other web reader.)
Quote
the other option is to intercept rsskey or whatever in the user loader and do it that way
Good idea...
Quote
but even that's a check that would have to be performed for every guest on every page load since user authentication is done before almost anything else.
An isset() should be quick enough... :P
Quote
The alternative is to support username/password the way Google Reader etc supplies it, which is in the URL through the proper username/password parameters,
Which implies that one would want to supply Google with their username & password for a site...? I certainly wouldn't. But I would be perfectly fine with providing it a custom key for reading private boards. As long as no one at Google can actually get access to my account with it...
Quote
Side note: there's another case where sessions are used but shouldn't be, since someone requesting an RSS feed would still be online IIRC...
ORLY...?
4608
Off-topic / Re: PHPSESSID Brute force
« on August 22nd, 2012, 06:58 PM »
Quote from Arantor on August 22nd, 2012, 06:46 PM
Brute forcing a couple of billion combinations is sufficiently big that it's going to be noticed. But if you can do a much smaller number of requests and be able to understand how mt_rand is going to be seeded, you can access sessions with a much, much lower number of hits, probably few enough that it's going to get under most radars.
But the thing is, once you get a forum up and running... Are you spending your time checking for weird session behavior? I would bet not...
Quote
Which is the sticking point of the argument. I do not believe who's online is actually that useful for guests,
Well, it's useful for me: (1) spotting what could be a bot, (2) spotting links that shouldn't be accessible to guests and yet are being accessed, (3) generally determining whether my host is cutting my access because I have too many regular users (like, was I mentioned on a high-profile blog?), or a horde of spammers/hackers/whatever, or just your usual Chinese search engine not giving a shit about your resources...
Well, I'm certainly accessing the Who's page more often than the intrusion log. :)

All in all... Well, I'd rather spend this week making some progress in other areas :P
4609
Off-topic / Re: The Humble Indie Bundle V
« on August 22nd, 2012, 05:56 PM »
Reminds me, I should really get started on Super Meat Boy or Sword & Sworcery... Maybe I'll like them, if I can find some cheat codes or trainers first :P
Unfortunately, not the right time with my stupid idea of trying to release a private alpha of Wedge for this weekend... :^^;:
4610
Other software / Re: More thoughts on SMF 2.1
« on August 22nd, 2012, 05:54 PM »
Any thoughts on my font-related blurb above..?
4611
Off-topic / Re: Doctor Who
« on August 22nd, 2012, 05:51 PM »
Quote from Arantor on August 10th, 2012, 03:02 PM
I do also quite like The Christmas Invasion (pre-season 2 Christmas special) and The Impossible Planet/The Satan Pit (if nothing else the Doctor is out of his depth for once)
That reminds me, I really need to watch The Christmas Invasion one day (as well as 2x01), and re-watch the Fireplace episode which I don't remember much about...

Don't know a thing about the old Who episodes (I really only watched 5 minutes of Genesis of the Daleks and City of Death, and have yet to find the motivation to go beyond these appalling minutes, sorry about that...), so I'll just keep my mouth shut about the characters :P

These days I've been watching Joking Around, which is the last remaining Moffat show I had to watch (loved Sherlock, Who and Coupling, and after J/A, well, can't find anything, let alone with English subtitles...)
And well, I have to say it doesn't make me laugh much... I actually took a break from the show because it was so depressing. It was like watching some of my past failed relationships all over again. :^^;: Plus, the direction is quite flat, even though they made quite a fuss about it being handled by Bob Spiers. (Fawlty Towers certainly was better in terms of rhythm.)
4612
Off-topic / Re: Nexus 7
« on August 22nd, 2012, 05:46 PM »
Quote from Dragooon on August 18th, 2012, 07:46 PM
If it's any incentive, you get true Opera Mobile on Android. And it is a pretty good browser.
As I said, the S3 I tested already had Opera Mobile on it. And it wasn't a memorable experience either...
(Then again, maybe I just need to get the hang of Android. I could only use that S3 for about 5 minutes and I was talking with the guy about what Wedge is...)
4613
The Pub / Re: RSS feeds (Was: Some admin options required)
« on August 22nd, 2012, 05:44 PM »
It would make sense -- as long as we provide a way to access these boards through a URL key representing the requesting user...
e.g. store in {db}members a field called 'rss_key', something complicated or whatever, and whenever you're trying to register an RSS feed that includes hidden material, provide ;uid=1234;rsskey=(md5??)(123456789) in its URL... (Could be strengthened by offering more variables, of course.)
I thought we had already discussed that though... It's even in my to-do list, as cryptic as my 'English for myself' may sound:

"rss feeds for users, with userid and a password automatically generated for user...?"
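The per-user feed key sketched above, written out as an added example (not Wedge's own code): the key is generated with a CSPRNG rather than mt_rand (the predictability concern raised in the PHPSESSID threads), only its hash is stored in the members record, and verification is constant-time. The `$members` array, the function names and the sample uid are hypothetical stand-ins for the {db}members table.

```php
<?php
// Added example, not Wedge code. $members is a hypothetical stand-in for {db}members.
declare(strict_types=1);

// Generate a 128-bit random key. random_bytes() is a CSPRNG; mt_rand() is not,
// and its output becomes predictable once its seed is known.
function generate_rss_key(): string
{
    return bin2hex(random_bytes(16)); // 32 hex characters, 128 bits of entropy
}

// Store only a hash of the key, so a leaked members table does not expose live keys.
function store_rss_key(array &$members, int $uid, string $key): void
{
    $members[$uid]['rss_key'] = hash('sha256', $key);
}

// Verify a request of the form ;uid=1234;rsskey=<key>.
// hash_equals() compares in constant time, so response timing does not reveal
// how much of a guessed key was correct.
function verify_rss_key(array $members, int $uid, string $key): bool
{
    // Reject malformed keys before hashing: wrong length or non-hex characters.
    if (strlen($key) !== 32 || !ctype_xdigit($key)) {
        return false;
    }
    // Unknown uid: compare against a dummy hash so this path costs the same time.
    $stored = $members[$uid]['rss_key'] ?? hash('sha256', '');
    $match = hash_equals($stored, hash('sha256', $key));
    return $match && isset($members[$uid]['rss_key']);
}

// Constructed sample data: one member, one freshly issued key.
$members = [1234 => ['name' => 'example-member']];
$key = generate_rss_key();
store_rss_key($members, 1234, $key);

// Correct key, wrong key of the right shape, and a uid that does not exist.
var_dump(verify_rss_key($members, 1234, $key));
var_dump(verify_rss_key($members, 1234, str_repeat('0', 32)));
var_dump(verify_rss_key($members, 9999, $key));
```

Revoking or rotating a key is then just a new `generate_rss_key()` plus `store_rss_key()`, which is the advantage over handing a reader the account's real username and password as discussed above.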
4614
Off-topic / Re: PHPSESSID Brute force
« on August 22nd, 2012, 05:16 PM »
Quote from Arantor on August 22nd, 2012, 05:04 PM
If session ids are guessable, and can be brute-forced, they can be brute-forced for session spoofing. Delivery method of that makes no difference.
OTOH, anything with an ID less than 2 million bytes long will be guessable by brute force... It's just that something was discovered that makes it faster to brute force.
Quote
As far as using sessions for guests, the answer currently is all the time. Every request either creates a new session or perpetuates an existing one, with the intent to try and get an idea of the number of 'unique' browsers.
So, the alternative would be..? Storing a log of all recent guest requests, along with IP and requested URL? Otherwise, what are we gonna show in whosonline..?
Quote
Anyone who really cares is going to install an analytics package anyway, which is probably more reliable than Wedge doing it itself,
I do care (a bit) about stats, I check them at least every once in a while (like, 6-7 times a year), and yet if I suddenly found myself without any non-member stats, I'd be quite upset... And I'll never use GA for something like that -- it's okay for websites that sell you something, I guess, but we're talking about a forum system... GA will only make it slower.
4615
Off-topic / Re: PHPSESSID Brute force
« on August 22nd, 2012, 04:50 PM »
It's too complicated for me.
- If PHPSESSID being 'guessable' is the problem, then it's also a problem when it's stored in a cookie. Meaning, we can't have guest sessions AT ALL. Of course I'm not sure at which point we're using sessions for guests, but still..?!
- Guest count is important to me, although I agree that it's unreliable at best (if only because there are countless unnamed bots over the web.) But I can already see people saying, "ever since I installed Wedge, my forum's visit count has dropped by 1857%! This is an outrage to SEO gods!"
- And yes, I have this annoying tendency to forget about earlier topics... So many things we discussed in the past. So many features/ideas we decided to implement, but none of us added them to a to-do list, and they get forgotten forever, etc...
4616
Features / Re: New revs
« on August 22nd, 2012, 04:45 PM »
rev 1669
(5 files, 2kb)

! IE10 didn't actually get the unprefixed version of gradient CSS. Oops. (Class-CSS.php)

- Shortened quick topic edit code. Can anyone tell me if there's any reason to believe $topic's topic ID or first post ID could be empty or non-numeric..? (MessageIndex.template.php)

* Replaced a couple of ID searches with $(this) in case of events called from within a named form item. Well, I could also remove the ID as a result, but I'm not sure it'd be for the best. Or, in French, "I don't have time to test for that, anyone up for it?" (ManageBoards.template.php, Merge.template.php, Profile.template.php)
4617
The Pub / Re: Print Page
« on August 22nd, 2012, 04:30 PM »
Quote from Arantor on August 22nd, 2012, 04:16 PM
If the prev/forward navigation relies on robot_no_index, something's wrong because it shouldn't really be.
It's a choice of mine... Really it's all about saving bandwidth. Guests will mostly get to see the prevnext version anyway (we could even make it simpler by providing them with canonical page links in 'recent posts' and SSI functions, rather than a msgXXX link).
I could also restrict these meta links to guests...
Quote
No... Google will still index all 15 pages normally. The actual problem is that printpage specifically fucks around with page canonicalisation by having content that isn't at the canonical URL. Even though it's nofollow'd, Google still follows it!
I've never seen a wedge.org print page being indexed, though. Heck, I don't remember a single SMF print page being indexed, at all... It's always the wireless content crap that gets the treatment. (And that's no longer an issue in Wedge, eh eh.)
Quote
That's the point, it is NOT handled progressively. It is queried, pushed entirely into $context and then output. When I first went to the URL, it was actually blank.
Hmm...
Well, so it should be done like in Display.php right..? Callback and everything...
Quote
Display does that somewhat bizarre process of having a callback per message specifically so that you can have truly massive messages or vast threads without any problems with memory_limit. Printpage does not do that, it just queries, pushes everything into $context before going to the template. On low memory configurations it's quite possible to overflow that on long threads.
And would that be fixed with a callback?
Quote
If Apache is set up to do it, and not PHP, PHP just has to output its content back to Apache, and PHP just has to make sure that it doesn't run out of memory in whatever it's doing.
Well... That's interesting.
I'm not sure I remember -- does PHP still gzip the page if enabled in Wedge, even if Apache can handle it? If yes, then maybe we should first add a test to see if Apache handles gzipping of HTML pages, and then disable PHP gzipping internally..?
Quote
I'm not disputing the validity of such things. My point is that I don't believe it should be in the core by default. If admins want the ability to archive parts of the forum, that should be up to them.
It can still be core but made to be enabled or disabled...
Quote
The fact we get SEO benefits, plus streamlining parse_bbc a little, these are just nice side benefits.
I don't think it would have that much of an influence over parse_bbc... ;) Plus, I think Aeva Media has some tricks in it, too. (That, and my Subs-BBC.php file has so much custom data in it, I'd rather not see any changes until I'm done with my own ahah...)
Quote
Interesting approach.
Close enough to mine :P
Quote
I had actually thought about doing so. I'm just not convinced that people actually use print-page for printing, and that as a result it isn't needed in the core by default.
Agreed, for the default aspect. Not sure about not-core though.

PS: and once again, I didn't get any warnings for spoogs' post above mine, which was sent after I started my reply... My 'last' variable was set to 281415, so I should have gotten a warning, no..?
4618
Archived fixes / Re: Logging password errors
« on August 22nd, 2012, 03:34 PM »
Ah, yes, I believe I implemented that last month or so... 8-)
4619
Features / Re: Virtual selectors in WeCSS
« on August 22nd, 2012, 03:33 PM »
I settled for extra (singular) a few days ago ;)
4620
Off-topic / Re: PHPSESSID Brute force
« on August 22nd, 2012, 03:32 PM »
No guest sessions is unlikely, to me... Can't we just store sessions per IP address? (Didn't we already have this discussion..?)
Posted: August 22nd, 2012, 03:27 PM

And I don't understand that confusing page, really -- what exactly does it do in reality?
And shouldn't this be a private topic?
And PHPSESSID -- can't we just get away by changing the var name? :lol: :lol: :lol: That's something vblamer would do I'm sure!