Silk Road forums

Discussion => Silk Road discussion => Topic started by: dumnab on October 09, 2012, 09:23 am

Title: mayb a way to stop spam & suggestions / questions
Post by: dumnab on October 09, 2012, 09:23 am
Hi!
Maybe some pretty easy ways to stop spam that can improve security in other places as well.

Example: this forum login (unless changed recently). When you try to log in, the forum script will POST something like this (can't remember exactly):
login.php?user=someUser&pass=somePass&hash=<hash>

And that hash, I could not figure it out. Unknown salt. I googled a few custom encryptions for SMF, standard ones, and tried a few combinations myself, but it did not match, so I assumed this was a custom encryption made by SR staff with some hidden salt.
And this seems pretty foolproof, as it seems you need to POST that hash matching the user & pass to be able to log in.
But this is not the case. As it is now, this hash seems useless? You can just POST the string like ?user=<user>&pass=<pass>&hash= and leave hash blank, and it still works.
So if this is indeed a custom encryption thing to improve security... it doesn't work.

For the same reason it's very easy to attack forum user accounts. Add to that the full public list (forum memberlist) where you can auto-extract all valuable usernames, just a lil script to automate logins with a decent wordlist, and all accounts without complex passes should only take some time getting into.
I noticed you removed the login throttle earlier (? guess someone was hammering the login). By doing that you effectively removed the crackers' limits, and their scripts can now run at full speed 24/7 without delay.

So I suggest you just complete this hash security thing (? or whatever it is) for the login, having the browser/server do some hidden/secret calculation to generate the hash and require that to match user/pass and be sent along with username/password when logging in. This way it should not be possible to automate logins, posts etc. with very simple scripts.
Gimme 5 min and I'll make a script that auto-registers accounts and spams every forum section with thousands++++ of posts to make a hell for mods to clean up without automated tools. Stuff like that is too easy, and for sure it's just a matter of time before shit like that happens too.

Maybe many things can be fixed if you just fix that login hash feature? Sorry if it's been fixed in the past weeks though (but I doubt it), I haven't checked recently, or I misunderstood something.
It seems to already be in place, just not functioning. It's very easy to hammer forum logins, automating everything and all... very easy to fix. Just for the spam, asking for a captcha or something more complicated should fix it too?
BTW, maybe add another thing in addition to the captcha on the SR site? Login hammering there is very possible too. There's loads of OCR software to automate solving captchas. For the hardest ones (like Google's captcha), there are even websites where you can pay like $1 per 1000 captchas solved, and implement a feature in the cracker script that auto-sends unsolved captchas to real people to solve! Captcha is never safe, so logins on SR are surely at risk too, for those who really wanna put effort into cracking it. More security there would sound nice too! Even though ppl are expected to have good passes already!

When you watch the data the browser sends to the forum when logging in, it does seem a bit weird with that unknown sha1 hash... and that it seems to be completely useless. No point in it being there?
And why have memberlists with usernames, admin accounts ppl never see otherwise, a full list of vendors on the forum etc.? Lots of unneeded features and graphics. Hide it all, just in case; it's of no use for users, only for ppl to exploit it.
Or?


Also, as this forum is visible through Google... why not take the full step and make the SR main market search-engine friendly? Make it visible and accessible through clearweb search through relays like tor2web etc., so the market can be accessible without TOR, an easy entry for first-time users that could get them interested to look deeper, for ppl that otherwise wouldn't bother/know how to use TOR etc. Like PGP: available and recommended, but not required; taking this risk is up to the user.
Make the attractive menu on the frontpage available without registration required, make the login page more friendly, SEO optimize etc.? Why not! =)


Damn, this spam is annoying. There should be many easy ways to fix it!? I'm sure many here will help if they can.
Title: Re: mayb a way to stop spam & suggestions / questions
Post by: microRNA on October 09, 2012, 09:42 am
Please, if anyone knows any way to automatically prevent the spam, I would really appreciate you suggesting it.

I deleted 200 threads earlier today, then was gone for thirty minutes and came back to another 180. I go through them one by one and delete them.

Does anyone know of a better way?