Ravens PHP Scripts: Forums
 

 

View next topic
View previous topic
Post new topic   This topic is locked: you cannot edit posts or make replies.    Ravens PHP Scripts And Web Hosting Forum Index -> Security - PHP Nuke
Author Message
astralman
New Member
New Member


Joined: Sep 22, 2006
Posts: 4

PostPosted: Fri Sep 29, 2006 7:43 am Reply with quote

I have set up a new site and am testing various functions. This is the first time I've used Sentinel and that's part of what I was testing. One thing I did was enter my site without logging in (on the informed assumption that though people I'll be inviting to my community are brilliant in their various fields, they aren't brilliant in the field of php). While not logged in, I clicked on the Admin link and was promptly booted and my IP permanently banned from my own site.

Of course, I'll find my way back in, but that's not the point. The point is, my site will be visited by people of upstanding character, with masters degrees and above in things like political science, social anthropology and history. They aren't computer wizards. It wouldn't be strange if they forget to log in, nor would it be strange if they accidentally hit the Admin button while trying to click on something beneath it.

The big black scary page that shows accuses whomever of making a hack attempt on the site. My visitors would take this as a personal affront, and would likely not return to my site should such a thing occur to them. Moreover, such a mistake can hardly be called an "Author's Table attack." I find that to be a bit extreme.

I also discovered Sentinel automatically notified my ISP (Comcast) that I've made a hacking attempt (on my own site), reporting me for internet abuse. Comcast has a very active program to enforce their policy against such things as this, and I was forced to write them a pre-emptive e-mail in the hopes of heading off any precipitous action they might take. Sure, I could (in time) iron all this out. However, it seems like a radical measure for such an honest mistake, regardless of the ferocity and fear inspiring nature of the hackers out there.

Not only would my visitors be affronted by the accusation, they'd be accused in e-mail by a script to their ISP, and would likely face having their service terminated. At the least, they'd be plunged into a beaureaucratic run around to prevent such from happening, all the while calling into question their good names.

I hope the only answer you have isn't, "Well, don't use Sentinel, then." If it is, spare me the trouble. I do think this is a larger issue than the module writers realize. I also think the resonse screen was rather adolescent. To think anyone brazen enough to hack sites would be intimidated by that black on white "ATTENTION!" Preposterous.

Stephen A. Willhite Only registered users can see links on this board! Get registered or login!

PS If my service provider (Comcast) does deny me service as a result of this, I assure you, you will be hearing from my legal beagles.
 
View user's profile Send private message
fkelly
Former Moderator in Good Standing


Joined: Aug 30, 2005
Posts: 3312
Location: near Albany NY

PostPosted: Fri Sep 29, 2006 8:16 am Reply with quote

You can customize the response screen to say anything you want. The one you see is just the default. On my bike club web site I made it say "oops" or something like that and told them precisely what to do (email me) to get relief. I believe you could also take the admin link off the page so people wouldn't stumble into it by accident.

Likewise you can customize the responses in the blocker settings of Sentinel ... so it wouldn't write to comcast.

My users are cyclists in the Albany region of NY. They wouldn't be hackers anymore than your users would be. That didn't stop hackers from Turkey and Brazil and Russia from finding my site due to the powers of Google and trying to hack it. And succeeding in one case before I found out about Sentinel.

Finally, could I politely suggest a slight attitude adjustment. You are going to consider sicking legal beagles on people who work for hours, days, weeks and years to provide you with absolutely free software? Perhaps you could spend a little more time learning how it can be customized due to the consideration and hard work of those authors.
 
View user's profile Send private message Visit poster's website
astralman
PostPosted: Fri Sep 29, 2006 8:25 am Reply with quote

You might say I need an attitudinal adjustment, as is your right. However, I must say that in the eyes of Comcast, and the Feds, I've been accused of attempting to commit a crime. Things like that cannot be taken lightly. If one wants to write code that automatically sends formal documentation to an entity with legal powers that be, without knowledge that any crime has been attempted (and attempting a crime is illegal, as well...conspiracy to commit a misdemeanor is a felony, and such an attempt can be adjudicated as a conspiracy with ones self) then said code writer must be (apparantly) prepared to bear the brunt of such a decision. This is no small matter. Attempts to minimalize it are ill considered.

If this code is so user friendly, then why does one need to become well-versed in it to use it? As I said, I can find my way back onto my site, and now knowing what the foible is, I can make the adjustment. The one thing I cannot do is retrieve the e-mail the script sent to my ISP. The ramifications of that aren't subject to debate.

EDIT: I was just reading this about that - Only registered users can see links on this board! Get registered or login!
 
hitwalker
Sells PC To Pay For Divorce


Joined:
Posts: 5661

PostPosted: Fri Sep 29, 2006 8:35 am Reply with quote

sorry but is this some joke?

Quote:
PS If my service provider (Comcast) does deny me service as a result of this, I assure you, you will be hearing from my legal beagles.


Comcast is u.s largest spam house..

The appearance of sentinel (scary looks) is ment to be like that..
What you suggest?

A text like....."hello,im sorry but we had to ban you.We know you are generaly speaking a nice person and this might be a bad day for you but we still had to deny you access to the site...You have a nice day now.."

nobody forces you to use phpnuke or even sentinel as its security,your completely free to delete on of them or even both.

there are other content management systems outhere that you might like or enjoy even more.
 
View user's profile Send private message
srhh
Involved
Involved


Joined: Dec 27, 2005
Posts: 296

PostPosted: Fri Sep 29, 2006 8:43 am Reply with quote

Umm, excuse me!
Sentinel does NOT automatically report ISP's. Everybody has banned themselves at some point. We'd all be without internet access right now.
YOU get the e-mail with the ISP information, and YOU have the choice to forward it to an ISP if YOU feel it was a genuine hack attempt.

Perhaps having so many degrees has made you feel like you are above this: Only registered users can see links on this board! Get registered or login!
RTFM
You do catch more flies with honey than vinegar. Even though I do understand your concerns, the best way to get support is not with legal threats for future reference.


Last edited by srhh on Fri Sep 29, 2006 9:06 am; edited 1 time in total 
View user's profile Send private message
fkelly
PostPosted: Fri Sep 29, 2006 8:51 am Reply with quote

Well I wanted to see exactly what you were talking about so I did an author's attack on myself at a test site I run. Here is the exact text of the black screen response I got:

Quote:

You have been blocked from entering this site.

You have attempted an Authors Table attack on this site.

All of the following information has been gathered to assist the webmaster should this need to be reported to local or federal law enforcement.

If you think this is a mistake you can contact the site webmaster at fkelly(at)nycap(dot)rr(dot)com.

Be SURE to include the following information in any email!
User Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.7) Gecko/20060909 Firefox/1.5.0.7
Remote Address: xx.xxx.xxxx.xxxx (I edited)
Client IP: none
Forwarded For: none
Date Blocked: 2006-09-29 @ 10:39:55 EDT GMT -0400
Block expires: Unknown


Yeah, I know it misses something by not having the black background but you get the point.

No email is automatically sent to Road Runner (or Comcast) that I can see. Sentinel automatically uses to the email that I set up as site admin to send me an email about the attack and I thank them for it. In that email they tell me information about Road Runner and where I should go to report the attack, if I, the web master choose to do so. But there is no email going to anyone but the web master unless I choose to do so.

As for user friendly, you get to choose the responses to each of a number of types of possible attacks from a drop down box on the Sentinel admin screen. Yeah, you have to read about what the attacks are and make decisions but that's the cost of running a web site these days.

Maybe I'm wrong about what email is sent automatically, and if so let's deal with it on a factual basis.
 
astralman
PostPosted: Fri Sep 29, 2006 9:06 am Reply with quote

I guess there's a point being missed here. First you hit a portal page that says "USE US! WE'RE GOOD! WE'RE WHAT YOU NEED!" Then, if something happens, it's "Nobody's forcing you to do this. You could have done something else." I do appreciate fkelly's civil tone, however. It's so easy for people that have been up and down and all through this code to know exactly what it does. However, to assume someone new to using it would know all these ins and outs is a bit on the disingenous side, just as are these "love it or leave it" comments.

Should what I suspected happened did actually occur, how would I have time to become well-versed enough in this code to deal with any repercussions that arose? How would knowing how to configure the site better retreive an accusatory correspondence?

Anyway, I recognize these nicks from posts on this forum as being those who actually do coding. That's probably why they can't see across the river to the side I'm standing on. I assumed from the fanfare on the portal of this site, this code was being developed for people other than the developers. I assumed there was some altruistic allegience to open source.

A "calm down, calm down, things are not what they seem and here's why..." would have sufficed. I am proficient in what I am proficient in. It's likely you are not proficient in the same area. It takes all kinds to make up this world. The trouble with computers and the web is, it seems to be turning into a closed system reserved for those with the nuts and bolts techno-knowhow, and those of us that want to use it as a medium to extend our capacities in our own chosen fields are pushed to the outside of this inner circle.

I assure you, if you were in my venue and expressed difficulty with one of its aspects, I would not try to make you feel dumb about it. I'd let you know what you needed to know, and make myself available for further inquiry. But, I have the feeling a lot of folks in the tech-world don't really care to know the difference between abstract expressionism and neo-classicism, or what is an imprimatura to a glaze. Enough said. Thanks for your responses. It's been...informative. I might add, while engaging in this textual joisting with you people, I was also doing some downloading from the Dragonfly site. Thanks, again.
 
srhh
PostPosted: Fri Sep 29, 2006 9:20 am Reply with quote

Actually, no one in these posts have been involved with coding Sentinel that I am aware of. I've only been using nuke since early this year and had absolutley no knowledge of nuke or php previous to that.
Yes, there is a learning curve with PHPNuke if you want to get the most out of it. Like with anything new, it does take time to learn the ins and outs, which is why these support forums are here. If you read these forums, they are filled with people who genuinely love what they do and love to help other people out. (For free I might add)

However, if someone came to you for support with outright threats right off the bat, how do you think you'd respond?
I assure I wouldn't threaten to sue you if I didn't understand the difference between a monet and a degas.

Best of luck to you.
 
astralman
PostPosted: Fri Sep 29, 2006 9:51 am Reply with quote

Thanks. As the man said, "It's not a threat. It's a promise." The title of this thread was "I have a bone to pick with you." I wasn't threatening to sue, I was promising a different kind of legal action. I also expected someone dealing with Sentinel to be answering this, not just anyone off the web who happened to be browsing a forum. That's why it's in the section entitled "Security - phpNuke."

Thanks for all your corrections. I'll put them where they belong. IN the round file. I also notice no one is willing to stand up and speak facts about this situation. You don't have to worry. I'm dumping Raven Nuke and installing Dragonfly. I hope the Not Nuke group gets their act together and comes up with something with integrity.
 
fkelly
PostPosted: Fri Sep 29, 2006 10:26 am Reply with quote

Have a nice life and I wish you success with Dragonfly.
 
themadhacker
Worker
Worker


Joined: May 30, 2006
Posts: 100

PostPosted: Fri Sep 29, 2006 11:10 am Reply with quote

Here is the stand up fact.

You cant be satisfied.

Nuff said.....enjoy Dragonfly. Goodbye Very Happy
 
View user's profile Send private message
evaders99
Former Moderator in Good Standing


Joined: Apr 30, 2004
Posts: 3221

PostPosted: Fri Sep 29, 2006 11:41 am Reply with quote

No more complaining here.

phpNuke is developed by FB only. We really have no influence or process into making it a better product.

We do, however, have much work to put into RavenNuke. And by some measure, Nuke Sentinel, since Bob Marion is on this site and all of us use Nuke Sentinel.

However, you are the one that has installed such software. We are not liable for any losses or problems from such usage. After all, it is free and widely available.
As to the whole closed community bit, this thread shows you otherwise. Many of us have responded to your post, despite the malacious threats and misunderstandings of the software.

So those are the facts. You are free to complain somewhere else now Smile

_________________
- Only registered users can see links on this board! Get registered or login! -

Need help? Only registered users can see links on this board! Get registered or login! 
View user's profile Send private message Visit poster's website
kguske
Site Admin


Joined: Jun 04, 2004
Posts: 6383

PostPosted: Sat Sep 30, 2006 6:35 am Reply with quote

Facts (leaving out unnecessary and irrelevant threats, innuendo, and attitude):
- You expressed a concern for how visitors who receive notifications from NukeSentinel will react to those notifications.
- Community members provided you with alternatives to the standard notification.
- You expressed a concern for what appeared to you to be an automatic notification to the visitor's ISP.
- Community members explained that there is no such notification and provided links to the manual for more information.
- You expressed concern that less experienced users might not understand how to properly configure the software.
- You expressed your expectation that NukeSentinel developers would address your concerns.
- You expressed your frustration with the support you received and your desire to use a different product.

If I missed something, I apologize. But it seems to me that the community did stand up and address the facts. You had valid concerns and received valid suggestions for how to address them.

Some suggestions for astralman:
- Read the license for Dragonfly and any other software you consider using, regardless of the price. It'll save you time and money when you feeling like threatening legal action of any kind.
- Read the installation instructions and manual, and check the author's website for issues and additional information for Dragonfly and any other software you consider using, regardless of the price. This will also help you.
- If you aren't comfortable with the technical aspects or documentation of a software product, consider hiring someone to assist you or consider another product (I think you will find Dragonfly and most other open source software operates in a similar manner)
- Understand that community supported software involves many people, such as those who responded to you here and tried to address your concern by suggesting ways to resolve your problem and explanations for you to understand what you were using. You are not likely to find that level of response with other software - even with commercial vendors.
- If you have "a bone to pick" with a developer and expect only him to respond, contact him directly instead of posting a message in a public forum. This appears to be an attempt to tweak people into a public response to support your legal "case."
- Don't accuse developers of mismanagement and not having integrity in a public forum - there could be legal ramifications for that (this is neither a threat nor a promise - simply a recommendation).

_________________
I google, therefore I exist...
Only registered users can see links on this board! Get registered or login!
 
View user's profile Send private message
Display posts from previous:       
Post new topic   This topic is locked: you cannot edit posts or make replies.    Ravens PHP Scripts And Web Hosting Forum Index -> Security - PHP Nuke

View next topic
View previous topic
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You can attach files in this forum
You can download files in this forum


Powered by phpBB © 2001-2007 phpBB Group
All times are GMT - 6 Hours
 
Forums ©