
pesapower

Community Members, 17 posts

Posts posted by pesapower

  1. I'm not making a claim about any particular implementation. I'm saying that in general, open source software is more secure because more people have reviewed the source. Closed-source software has generally been reviewed fewer times by fewer people. And we have a long long history of proprietary software makers who simply ignore security problems with their products, even after they've been notified.

    I am particularly suspicious of closed-source security software, since the risks are higher, and since we have seen examples of trojans disguised as security software. Nothing personal against you; it's just that you've been preceded by a lot of charlatans.

    Thank you for the clarification.

    Anyway, I think that this forum or the site play0ad.com can try Colobe for a period of time; then, if the administrators think that the service is bad (or anything else), they will be able to remove it. Because before this post the play0ad.com site didn't have any system of protection for the login page... and I have uploaded into this thread the PHP file that is required by the service (and the WordPress plugin code is open source). Then, if some people in this forum think that my service (that I have made in my free time, I'm a student) is not secure for this community (for any reason), I will close this thread forever. Simple :)

  2. I thank you for your advice about the Wordpress problem though. I have remedied the issue.

    You're welcome.

    Thank you for your feedback about Colobe's documentation.

    In order:

    - "How does it detect malicious users before they try to brute force?"

    Colobe does NOT detect malicious clients before they try to brute force; it is not magical. BUT if a client tries to brute force a site (for example pippo.com), he is detected; then, if the same client tries to attack any other site that uses Colobe, he will be detected before attacking.

    Every client added to the list of Colobe has a "warning level" that indicates whether he is more or less reliable.

    - "I see documentation about a library, which I cannot download until I register for your service. But nothing about the working of the API."

    The algorithms used by Colobe are not public for security reasons. Sorry if you can't download a sample copy of the library! Here you can download a copy of the library: colobe-lib.php.

    - "Warning! In the library there is also the Secret Key associated with the site! This Key must remain secret!"

    Yes, there is a secret key and an ID in the library that a user can download after adding a site into Colobe.

    - "One thing that I also wonder about: how do you warrant privacy for 3rd parties (the customers of your customers)? Your privacy statement talks about a person's personal privacy; what about their users? Since I cannot access your library and do not have any API documentation, I can't know exactly -what- is sent to your service, but there is user data sent along with every API request I'm sure. What happens with this data? What is stored, where is it stored, how securely is it stored and what is it used for?"

    The only information that the library (or the WordPress plugin) sends to Colobe is: an IP address and a boolean value (0 or 1). Any username, password or email is NOT sent to Colobe, for 2 reasons: privacy and security for the sites that use this service. The information is stored in Colobe's databases and is used only to identify the malicious clients and to improve the service. "How securely is it stored?" I don't tell that to others.

    - "While I think everyone here appreciates you offering your services, I honestly don't see it happening with the current tidbits of information you have provided. Especially not in exchange for advertising space."

    Your question is right. Colobe is an economic cost for me, but I have decided not to sell advertising space because I think that a secure service without advertising is more professional and also because I want to guarantee the privacy and the security of my users. To recover the costs, Colobe uses a system of plans where the users that have a commercial (or non-personal) site pay to use the service in proportion to the size of the site. For personal sites that don't earn money (beyond their cost) and for open source project sites of small-medium size that don't earn money, the service is free.

    I hope I have answered your questions in a comprehensive manner :)

  3. An undesirable side effect of assigning an IP address to a malicious user, is that innocent people using the same IP (for example, a Tor exit node) will be unable to use it to connect to the Wordpress server. Obviously that's less of a problem if the block time is shorter. Probably any block time, even minutes, is sufficient to make the attacker move on to another target that can be attacked efficiently.

    That's correct; anyway, who uses Tor to log into an account of play0ad.com or wildfiregames.com/forum?! :)

    And using IPs has the advantage that if a bot server attacks a site, it won't be able to attack any other sites that use Colobe to protect the login page.

  4. I tried using a wrong password, it says the account is blocked for 14 minutes, and indeed it is on that machine (tried with 2 different browsers), but from a different machine it properly logs in (supposedly it checks the client IP). So I see no security DoS here.

    Thanks for the correction.

    About that, why don't you propose mainlining it in the upstream project? I am a bit sceptical about using plugins that, being used by few and not well code reviewed, may themselves introduce security problems. It happened already in the past. Sometimes they were themselves backdoors :).

    I don't think that my plugin contains backdoors because the code of the plugin is very simple; anyway, if you want to see it, check it out here http://wordpress.org...olobe-security/ :)

  5. Hi, my name is Nicola. I am an engineering student and programmer.

    Before writing this post I contacted 0 A.D. with the "Contact Us" form and a community member kindly suggested posting a thread here.

    I have been playing 0ad for several years and I think that in the future it will become one of the best RTS games! However, in my opinion play0ad.com has a security problem.

    It does not have adequate protection against password theft by brute-force attacks. Using WordPress as CMS, the login page is vulnerable. For instance, a malicious user could easily discover the admin username and then try to steal its password.

    This forum as well has a security problem. If I enter the wrong password while logging in, my account gets locked for 15 minutes. This security measure can be annoying for real users, but doesn't even provide a real security control. In fact, if someone creates a script to enter random usernames and passwords, in a short time he could block every account on the forum.

    I'm writing here to propose the service I developed as a solution.

    It is called Colobe and protects your site against brute-force attacks. It has a dynamic list of malicious users, which is updated in real time to guarantee the highest level of protection for your site. Rather than only protecting from brute force attacks, Colobe prevents them. It uses its dynamic list to identify malicious users during the login process and block the login attempt before it is even carried out. I have also created a plugin for WordPress to make things easier.

    I can offer it to the WildFire Games community for free. In return I only ask to put the logo of the service on the login page, with something like "protected by Colobe" written beside it. Just to let users know what Colobe is and that it works.

    If you are interested, you can find more information on the website or in the attached presentation.

    The project page: Colobe.net

    The Wordpress plugin: wordpress.org/plugins/colobe-security/

    Thank you for your attention :)
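The lockout problem raised in post 5 (one script cycling random usernames locks every account for 15 minutes) can be shown with a small model. The following is example code added here, not the forum's software or Colobe's plugin: it compares a lock keyed on the username alone with a lock keyed on the (username, source IP) pair, which is what the forum apparently does according to the test in post 4. The failure threshold, the user list and the addresses are constructed; the 15-minute window is the one the post mentions.

```python
"""Added illustration of the lockout problem raised in the post: an account
lockout keyed on the username alone lets one client lock every account by
cycling through usernames, whereas keying failures on the (username, source
IP) pair keeps the lock from spilling over to other sources.  This is example
code, not the forum's or Colobe's; the failure threshold is assumed, and the
lock window is the 15 minutes the post mentions."""
from collections import defaultdict
from typing import Dict, List, Tuple, Union

MAX_FAILURES = 3        # assumed threshold before a lock
LOCK_SECONDS = 15 * 60  # lock window from the post


class LoginGuard:
    def __init__(self, users: Dict[str, str], per_source: bool) -> None:
        self.users = users              # username -> password, plain text only for the toy
        self.per_source = per_source    # False: lock key is the username; True: (username, ip)
        self.failures: Dict[Union[str, Tuple[str, str]], List[float]] = defaultdict(list)

    def _key(self, username: str, ip: str):
        return (username, ip) if self.per_source else username

    def is_locked(self, username: str, ip: str, now: float) -> bool:
        key = self._key(username, ip)
        recent = [t for t in self.failures[key] if now - t < LOCK_SECONDS]
        self.failures[key] = recent     # forget failures older than the window
        return len(recent) >= MAX_FAILURES

    def login(self, username: str, ip: str, password: str, now: float) -> str:
        if self.is_locked(username, ip, now):
            return "locked"
        if self.users.get(username) == password:
            self.failures.pop(self._key(username, ip), None)
            return "ok"
        self.failures[self._key(username, ip)].append(now)
        return "wrong"


USERS = {"alice": "battery staple", "bob": "correct horse", "carol": "purple monkey"}  # constructed
ATTACKER_IP = "203.0.113.7"  # constructed TEST-NET address


def lockout_dos(per_source: bool) -> Dict[str, str]:
    """One client cycles junk passwords through every username, then each real
    user tries to log in from their own address with the right password."""
    guard = LoginGuard(USERS, per_source)
    for i in range(MAX_FAILURES):
        for username in USERS:
            guard.login(username, ATTACKER_IP, "junk%d" % i, now=float(i))
    return {
        username: guard.login(username, "198.51.100.%d" % n, USERS[username], now=10.0)
        for n, username in enumerate(USERS, start=1)
    }


if __name__ == "__main__":
    print("account-keyed lock:", lockout_dos(per_source=False))
    print("(account, source)-keyed lock:", lockout_dos(per_source=True))
```

With the username-only key every legitimate user comes back "locked"; with the pair key they all log in. The pair key still leaves an account exposed to a guesser spread over many addresses, which is the gap a shared list of suspicious sources is meant to cover, so a deployment would combine it with a per-source rate limit that does not depend on the username at all.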
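Posts 2 and 3 describe the shared list: a site reports only an IP address and a boolean, each client gets a "warning level", a client caught at one site is refused at every other member site before its attempt is processed, and blocking by address catches honest users who share that address. Colobe's own algorithm is not public, so the following is a toy model added here, not Colobe's code. Everything about the scoring is assumed: the level rises by one per failure and falls by one per success, failures stop counting after a quiet period, and sites refuse the attempt at a fixed threshold; the site names, users and addresses are constructed.

```python
"""Toy model of a shared login-reputation list, added here to illustrate the
cross-site detection and the shared-IP side effect discussed in the thread.
This is not Colobe's code; its algorithms are not public.  Assumed (not from
the thread): a report carries exactly (ip, failed) as the post states, the
"warning level" is an integer that rises on failure and falls on success,
failures expire after BLOCK_SECONDS, and a site refuses the attempt at or
above BLOCK_THRESHOLD."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

BLOCK_THRESHOLD = 3   # assumed: level at which every member site refuses the attempt
BLOCK_SECONDS = 120   # assumed: quiet period after which old failures stop counting


@dataclass
class Entry:
    level: int = 0
    last_failure: float = 0.0


@dataclass
class ReputationService:
    """Central list keyed by client IP; it never sees usernames or passwords."""
    entries: Dict[str, Entry] = field(default_factory=dict)
    received: List[Tuple[str, str, int]] = field(default_factory=list)  # (site, ip, 0/1)

    def report(self, site: str, ip: str, failed: bool, now: float) -> int:
        self.received.append((site, ip, int(failed)))  # the only data that leaves a site
        e = self.entries.setdefault(ip, Entry())
        if failed:
            e.level += 1
            e.last_failure = now
        else:
            e.level = max(0, e.level - 1)
        return e.level

    def warning_level(self, ip: str, now: float) -> int:
        e = self.entries.get(ip)
        if e is None:
            return 0
        if now - e.last_failure > BLOCK_SECONDS:  # stale failures no longer count
            e.level = 0
        return e.level

    def is_suspect(self, ip: str, now: float) -> bool:
        return self.warning_level(ip, now) >= BLOCK_THRESHOLD


@dataclass
class Site:
    name: str
    service: ReputationService
    users: Dict[str, str]  # username -> password, plain text only in this toy

    def login(self, ip: str, username: str, password: str, now: float) -> str:
        if self.service.is_suspect(ip, now):
            return "refused"  # rejected before the credentials are even checked
        ok = self.users.get(username) == password
        self.service.report(self.name, ip, not ok, now)
        return "ok" if ok else "wrong"


ATTACKER_IP = "203.0.113.7"  # constructed TEST-NET address


def cross_site_scenario() -> dict:
    """Failures at site A make site B refuse the same client on its first try."""
    svc = ReputationService()
    site_a = Site("a.example", svc, {"admin": "correct horse"})
    site_b = Site("b.example", svc, {"alice": "battery staple"})
    at_a = [site_a.login(ATTACKER_IP, "admin", "guess%d" % i, now=float(i)) for i in range(3)]
    at_b = site_b.login(ATTACKER_IP, "alice", "battery staple", now=3.0)  # even with the right password
    return {"at_a": at_a, "at_b": at_b, "wire": svc.received}


def shared_ip_scenario() -> Tuple[str, str]:
    """An honest user behind the same address (e.g. a Tor exit) is refused, but
    only until the block window has elapsed without further failures."""
    svc = ReputationService()
    site = Site("a.example", svc, {"alice": "battery staple"})
    for i in range(3):
        site.login(ATTACKER_IP, "alice", "guess%d" % i, now=float(i))
    during = site.login(ATTACKER_IP, "alice", "battery staple", now=2.0)
    after = site.login(ATTACKER_IP, "alice", "battery staple", now=2.0 + BLOCK_SECONDS + 1)
    return during, after


if __name__ == "__main__":
    print(cross_site_scenario())
    print(shared_ip_scenario())
```

The `wire` list in the first scenario is the whole payload the central list ever receives: a site name, an address and a 0/1 flag, with no username or password, which is the privacy property post 2 claims. The second scenario is the side effect post 3 describes, and the expiry constant is the lever that limits it: a shorter window means less collateral for a shared address at the cost of a shorter memory of the offender.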
