Google is releasing an update to their anti-spam reCAPTCHA system that includes – wait for it – a single checkbox.

http://googleonlinesecurity.blogspot.com/2014/12/are-you-robot-introducing-no-captcha.html

A few weekends ago I upgraded php to the latest version. I also broke my largest remaining phpBB2 board.

My first (and largest and still active) phpBB2 board was based on the 2.0.4 codebase. Over the years I implemented some (but not all) of the suggested upgrades, because as soon as I got the code I started changing it. That made applying updates a bit more challenging. Anything that was related to security (such as the hole in the search code) was patched, but other items were not necessarily patched.

One of the bits of code that was added later along the line was to check the $_POST array for values and restore everything back into $HTTP_POST_VARS. I never bothered to do that, and until last month everything still worked fine. With the latest version of php, they finally stopped supporting those arrays altogether so I had to update my code accordingly.

The board is functional again, but the writing is on the wall. phpBB2 is probably (finally) on the way out.

I have a particularly persistent spammer that has been driving me nuts. They’re coming from Indonesian IP addresses and are clearly human spammers. As a temporary solution I added some code to the flood control code that sends any post they make into the “flood warning” error message.

It’s not a permanent solution, but it’s fun.

Tonight I added some code to log their attempts so I can figure out a more permanent solution. Just like with the Checkbox Challenge, if I can capture their behavior I can start to look for patterns, and once I find a pattern I can try to do something more interesting to block them. As a final resort, I may have to finish writing up my Post Approval MOD that I started so many years ago.

I haven’t touched any phpBB2 code in years. It was fun to get back into it, even if only for a little while tonight…

I found it interesting to read that phpBB is participating in the Google Summer of Code this year. One of the features that they hope to get out of the process is a post revision history… something that I started designing years ago, and will be releasing into production on my largest board within the next few weeks! Great minds thinking alike and all of that…

Turns out that in this case, phpBB2 was probably easier to work with than phpBB3. With phpBB2 the post text is already separated from most of the other post meta data (such as poster, poster IP address, and so on) which made it very easy to design a way to track post revisions. In phpBB3 they combined the phpbb_posts and phpbb_posts_text tables into a single table. In order to track post revisions in that case, the design would call for splitting the text out into a separate table in order to track the post text revisions without having to duplicate all of the other post meta data.

In any case, I have finished the coding and testing for everything and it’s functional. What’s left is going back and adding in some security checks to make sure people can’t do things they’re not supposed to do…

Some years back I purchased a couple of NetGear Duo RAID disk enclosures. Each enclosure was loaded up with dual 1TB disk drives from Western Digital. Everything written to one drive was mirrored to the second drive. This helped protect against a single disk failure.

I also had a very old (PIII processor!) computer that was running linux. At one point I was using it as a development environment, but it had long since been retired from that duty. Why was it still around? I had created mount points for each of the RAID arrays on this linux box, and it was responsible for going to my web server (which hosts this blog, among other things) and downloading the nightly database backup files. (My web server runs a hot backup at 1AM each morning using the mysqldump command.) This linux box also had a script (running at 2AM) that would ftp to my web server, retrieve all of the database dumps, download them, add a date stamp to the file name, and then copy the resulting files out to the RAID array. The entire process was automatic, transparent, and for a long time was quite robust.

Until a few weeks ago. More…

I have posted a topic on phpbb.com letting folks know I’m not going to renew my phpBB3 MODs-related domains. If you’re interested, hop on over to phpbb.com and send me a PM to let me know.

First come, first served.

I’ve seen several phpBB boards over the years that swap out the regular graphic objects for holiday objects at certain times of the year. At phpbb.com they have previously done this for Halloween as well as the year-end holidays. I’ve done the same thing for my biggest board “BOB” by replacing the regular logo:

with one of several holiday logos:

And of course this:

During the American Thanksgiving week we used this:

Over at the phpBB2 Refugees site we’ve swapped our normal refugee tent for one with a more holiday feel for the last several weeks:

Right now this is a manual process, which means I have to remember to edit the php code to invoke the new logo (or alternately use ftp to upload a replacement logo with the same name over the current one). Manual process? for Dave?

I’m setting up a database table with dates and alternate logo names, and will set up a cron job that every night at midnight checks to see if holiday logos are needed for the following day or not. On BOB we rotate among several logos, so there could be more than one logo at any given time. The logo information is then written to a cache file where it will be used for the following 24 hours.

Easy as pie.

Holiday pie.

I read this morning a topic in the MOD Authors forum at phpbb.com where the topic poster was trying to figure out a way to encrypt / decrypt private message text. The technical challenge was easily overcome, as someone posted some code that allows the board owner to do exactly that.

The problem is, it accomplishes nothing.

Private messages are often a hot topic for board owners, probably because of the privacy implications of the name “private” message. As most board owners probably know, private messages are not truly private. Anyone with database access can read the private message text. Anyone with access to a backup SQL dump can do the same. But who has this type of access, and what can be done to prevent it? More…

One of the biggest complaints I’ve had with running my boards on phpBB2 is that the javascript used for BBCode and smilies insertion during the posting process offers poor (if any) support for modern browsers. Rather than reinvent the wheel, I spent some time to port parts of the subSilver2 template from phpBB3 back to phpBB2. While testing is not completely done, it seems to have been a success. I copied editor.js straight out; I don’t think I made any changes to that file but I will go back and verify that before I post a MOD. There were some minor changes made to posting_body.tpl and posting_smilies.tpl to call the new functions. For example in phpBB2 to insert a smilie we called the emoticon() function and now it’s calling insert_text() just like the BBCode insertion process.

I used the same function to update my canned messages MOD as well.

Oh, and I updated the color picker just a bit. The original color picker used values of 00, 40, 80, and two more to create an array of colors that was 5×5x5. I changed it to the old “Netscape Safe” color palette and used 00, 33, 66, 99, CC, and FF and created a 6×6x6 grid instead.

I have the new posting form activated on two different boards for the moment. As long as I don’t find too many issues I will write it up as a MOD.

As I was working through some code last night I found another “in progress” MOD that I wanted to add to the list of MODs in progress that I published yesterday. Over the years I’ve seen cases where someone from the other side of the planet has a dicey Internet connection and they end up submitting the same post twice because their browser submit times out. Or someone might post the same question in more than one forum, thinking that they’ll get more attention. Or a spammer might hit multiple forums with the same post multiple times.

I think I’ve managed to come up with something that definitely helps solve the first two scenarios and as a bonus helps the spammer problem as well. I call this my “Cross Post / Double Post” MOD, and it’s being tested on my beta board now.

The MOD design has so far turned out to be fairly simple. I tie into the flood control process and retrieve the post text for the last three posts by the user. From there I take the current post text and compare it to the prior posts. The first check is a straight equality check, meaning I check for the exact same post text. This will catch the “copy/paste” folks with very little overhead. If the post text is not identical, then next I use a function called similar_text(). (similar text reference at php.net) This function takes three arguments. The first two are the two strings to compare, and the third is a variable to store the results of the comparison, which is a number from 0 to 100. The result code should essentially be treated as a percentage. If the two posts are 95% similar then I check to see if the original post already in the database is in the same forum as the new post being attempted. If the forums are the same, then a “Double post” exception is triggered. If the forums are different, then a “Cross post” exception is triggered instead.

The number of posts (3) and percentage of similarity (95) are both controlled via the board configuration screen, so it’s quite flexible. Setting the percentage threshold to zero (0) is the same as turning the comparison process off.

This MOD is being tested on my “beta release” board right now. The first version of the MOD did not use the similar_text() function mentioned above. I attempted to use the soundex() function instead. However it seemed that the soundex() function did not look at enough text, so posts that were clearly different were still being reported as being the same. Switching functions solved that issue.

I’m now wondering if I need to deal with setting different threshold values for different forums. I hate to do that, as it drastically increases the complexity of the code. But for example there are many forum “games” that people play in an “off topic” type of forum. Some of those games look very repetitive, and would potentially trigger the CP/DP exception handling. Then again, the current logic looks across all forums, so as long as the person is active in more areas than just the off-topic games area it might be okay. I don’t want this feature to get in the way of normal use, but I do want to help out the moderator team by capturing / rejecting double post and cross post events.

Stay tuned for details as we start user testing this week.