Welcome to the GoFuckYourself.com - Adult Webmaster Forum forums.

09-03-2007, 02:40 PM   #51
FelixFlow

Quote:
Originally Posted by raymor
Very rarely is the IP also blocked if a username is blocked. It's usually one or the other. If it's the IP that gets blocked, you should re-enable the IP. You can also set usernames specifically to never get blocked.

but the issue is you (the webmaster) can't manually override the Strongbox block, and it's very frustrating (and costly) when paying members can't get into the site because they've logged in/out too many times in a day

09-03-2007, 02:45 PM   #52
FelixFlow

Quote:
Originally Posted by pr0
you obviously don't run a large program, that shit happens anyways, no matter what

all you can do is put a b/w limit on your users to stop that...& once again, it might be someone who just wants to watch movies non-stop for an entire weekend, so you cut him off & bam...chargeback

systems should re-issue passwords to the person's e-mail that signed up when compromised, then it should be up to the webmaster to manually kill the account if they see it being abused

an account should NEVER be completely shut off automatically, it's just a bad idea.........


maybe not a large program, but a VERY popular site with many thousands of members - I think I'm well qualified to speak on this

putting a b/w limit on your users HELPS stop ripping, but if you have a pass being shared it also helps stop it

if you have a password being used during the same time frame, from different locations, it's OBVIOUS it's being shared. a b/w limit isn't needed in that case - a password re-issue & even a temporary "block" is necessary at that time

anyway, we're both agreeing to the same thing, that re-issuing passwords is good

09-03-2007, 03:03 PM   #53
jeffrey

Quote:
Originally Posted by raymor
No, that's not what I mean. Well, that's a small part of it.
Just using random passes they can and often are ripped just the same as
if the user chooses them, which is why Frog has to issue new passwords,
because the original passwords aren't secure. There is more that we
do to make sure that crackers can't get the passwords, unless of course
the member gives it out.


All it takes is one line in his .procmail file and then the server side include
in the page keeps it updated. I don't have to PICTURE this happening, I SEE
it all day long in the wild.


That is NOT correct. Several people use Strongbox with a similar zip set type
site, and at a reasonable price. Strongbox is not priced per protected area,
but per site.

So you're saying random alphanumeric with special characters is LESS secure than the passwords that Strongbox uses for preventing brute force attacks from getting a successful user/pass....
Maybe it's just me, but RANDOM alphanumeric with special characters is about as secure a password as you can create.
Or are you just talking about that picture that members have to enter, the one that every member hates having to fill in to get into the site?

Seems to me most of the big password sharing sites are forums, I don't know of many forums that allow PHP tags in posts.
And even then I would be surprised if you got one user a week that would do this and require you to manually disable his account. That seems a whole lot less work than having to deal with users every single day all the time.

I have only heard of one person using Strongbox with zips, and how they got it working is, well, interesting I guess you would call it. Everyone else says not to even try using Strongbox for zips.

09-03-2007, 03:06 PM   #54
jeffrey

"Avoid strongbox like the plague. If you get a big brute force attempt it will crash your server."
From a Server admin...

"All I can say is that if you use CCBILL and want to sell zip sets you cannot use Strongbox......

That's why I switched."
From several people.


If this stuff isn't true you should make sure people know about it, because it seems people don't.

09-04-2007, 01:58 PM   #55
gmr324

Clarification about AMS

Just to add a little more clarification regarding the
sequence of events and operation of Frog's
AMS for replacing blocked passes automatically
and directly to valid members.

When Frog detects password abuse the password is
changed but NOT emailed. Only when the valid member
returns (could be days or weeks) is the password
emailed --- after the member validates himself.

Both events trigger a notification to webmaster. If a
webmaster sees too much activity, he can take the
appropriate action. Usually a simple, polite email to
the member--along with Frog's proof of abuse copy/pasted
into the email--is sufficient to stop the behavior. The
webmaster almost never has to take further action.
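
The rule from post #52 (one password used in the same time frame from different locations) combined with the reissue sequence described in post #55, as an added example that is not part of the thread and is not Frog's or Strongbox's code. The 30-minute window, the /24 grouping, the threshold and every name here are assumptions, and the login events are constructed.

```python
import secrets
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=30)  # assumed meaning of "same time frame"
MAX_NETS = 3                    # assumed number of distinct /24 networks tolerated per window

# Constructed sample events: (ISO timestamp, username, client IPv4 from reserved test ranges)
EVENTS = [
    ("2007-09-03T14:00:00", "bob", "198.51.100.7"), ("2007-09-03T14:05:00", "bob", "203.0.113.9"),
    ("2007-09-03T14:10:00", "bob", "192.0.2.44"), ("2007-09-03T14:12:00", "bob", "198.18.5.1"),
    ("2007-09-03T14:01:00", "alice", "192.0.2.10"), ("2007-09-03T14:20:00", "alice", "192.0.2.10"),
    ("2007-09-03T14:25:00", "alice", "203.0.113.77"),
    ("2007-09-02T09:00:00", "carol", "198.51.100.1"), ("2007-09-03T09:00:00", "carol", "203.0.113.2"),
    ("2007-09-04T09:00:00", "carol", "192.0.2.3"), ("2007-09-05T09:00:00", "carol", "198.18.0.4"),
]

def find_shared(events, window=WINDOW, max_nets=MAX_NETS):
    """Map each username seen from more than max_nets /24 networks inside one window to those networks."""
    recent, flagged = {}, {}
    for ts, user, ip in sorted(events):
        now = datetime.fromisoformat(ts)
        seen = [(t, net) for t, net in recent.get(user, []) if now - t <= window]
        seen.append((now, ip.rsplit(".", 1)[0]))  # repeat logins from one network add nothing new
        recent[user] = seen
        nets = {net for _, net in seen}
        if len(nets) > max_nets:
            flagged.setdefault(user, set()).update(nets)
    return {user: sorted(nets) for user, nets in flagged.items()}

class Accounts:
    """Hypothetical in-memory account store; outbox stands in for real mail."""
    def __init__(self, emails):
        self.emails, self.password = emails, {}
        self.pending, self.outbox = set(), []

    def rotate(self, user, evidence):
        # Change the password at once, do NOT email it, and tell only the webmaster.
        self.password[user] = secrets.token_urlsafe(12)
        self.pending.add(user)
        self.outbox.append(("webmaster", f"{user}: password changed, seen from {evidence}"))

    def member_returned(self, user, validated):
        # The new password goes out only after the real member validates himself.
        if user not in self.pending or not validated:
            return False
        self.pending.discard(user)
        self.outbox.append((self.emails[user], "your new password"))  # real mail would carry it
        self.outbox.append(("webmaster", f"{user}: new password delivered"))
        return True

def handle(events, accounts):
    flagged = find_shared(events)
    for user, nets in flagged.items():
        accounts.rotate(user, nets)  # the account itself is never disabled automatically
    return flagged
```

Counting distinct networks rather than logins means a member who logs in and out many times from one place, the case raised in post #51, is not flagged.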

09-05-2007, 11:32 AM   #56
raymor

Quote:
Originally Posted by jeffrey
So you're saying random alphanumeric with special characters is LESS secure than the passwords that Strongbox uses for preventing brute force attacks from getting a successful user/pass....
Maybe it's just me, but RANDOM alphanumeric with special characters is about as secure a password as you can create.

No, what I said was that how the passwords are chosen is just one small part
of keeping them secure. Randomly generated passwords are worthless if they
are posted everywhere. There are other important considerations to making sure
that the bad guys don't get the passwords in the first place. To my knowledge,
none of the other "password trading protection" like systems addresses that
at all, except of course for brute force attacks. They just try to detect
compromised passwords after the fact. If you've ever had your entire
password list posted you know that while detecting it is good, preventing it in
the first place would have been a whole lot better.

jeffrey, you sure do spend a lot of time attacking Strongbox, mostly posting
total BS that's not anything like the truth, which I guess means you've probably
never even seen Strongbox. Do you work for proxypass or did one of us
piss you off in a previous life?