
Hey

Name: 🐫 2018-02-12 4:49

I'm writing a new textboard that will revolutionize all textboards!

It is being written in the revolutionary programming language called Perl

This is what i have so far:


#!/usr/bin/perl
1;

Name: 🐫 2018-03-27 22:42

Name: 🐫 2018-03-27 22:47

Basically i want to protect the user if he/she picks a shitty password

https://crypto.stackexchange.com/questions/22678/how-secure-is-it-to-use-password-as-aes-key

I'm just learning this stuff now, i'm just thinking about it while i finish other board features.

I'm planning to post an early beta soon in my machine with dyndns

Name: Anonymous 2018-03-28 0:52

Basically i want to protect the user if he/she picks a shitty password
Show a warning and/or use PBKDF with many rounds. There is no other solution.

Name: 🐫 2018-04-17 12:08

Ok, i have this idea for the security in the site. What do you think?
It's just a small proof of concept, not the actual registration/identification procedure. So it's not an actual algorithm, ok?

03E0A0CF676F1EA031A265685A552A34AB293D1852562ACB4D264YY7A16H

* An access_key is created. It is both your username and password
* On registration, a random password is created (we make sure it is unique by concatenating a special timestamp)
* This random password is encrypted with your access key and used as a primary key in a table where your personal data is stored (encrypted)
* This encrypted random password is stored in the personal data table together with the hash and the actual encrypted data
* After validating the encrypted random password with the hash, we can get the user's personal info
* The user_access_key is used as the decryption key, but this time, the salt is a fixed salt taken from the website config.

Please be nice to me. I am just learning this stuff. Please give me your opinion.

#!/usr/bin/perl
use strict;
use warnings;

use Crypt::CBC;
use Crypt::PBKDF2;
use Crypt::URandom;
use Data::Dumper;

my $pbkdf2 = Crypt::PBKDF2->new(
    hash_class => 'HMACSHA1',
    iterations => 150000,
    output_len => 26
);

#-- This is how we create the key the user will get
my $partial_user_access_key = uc $pbkdf2->PBKDF2_hex(Crypt::URandom::urandom(32), Crypt::URandom::urandom(20));
my $code       = '4YY7A1'; #-- This code is generated for the user as part of the registration process. It is sent by email, with no links whatsoever. You just have to type it to register, so I kept it short.
my $extra_salt = '6H';     #-- 2 random extra characters, different for every user
my $user_access_key = $partial_user_access_key . $code . $extra_salt;

print "User access key: $user_access_key\n";
my $salt = substr($user_access_key, -8); #-- Last 8 characters in the user_access_key are the salt (Crypt::CBC wants exactly 8 bytes)
print "Salt: $salt\n";

#-- This user_access_key is a decryption key.
#-- Encrypt and decrypt. This will hide the actual password.
my $cipher1 = Crypt::CBC->new(
    -key    => $user_access_key,
    -cipher => 'Blowfish',
    -salt   => $salt
);
my $random_internal_password = Crypt::URandom::urandom(32) . time; #-- By adding time we make sure it is unique (i have a way to make it unique beyond the level of the second; for simplicity i use only time here)
print "Random internal password generated. We will encrypt it with our user_access_key\n";
my $encrypted_internal_password = $cipher1->encrypt($random_internal_password);

#-- Since the encrypted_internal_password is unique we use it as an index
print "Store the encrypted internal password in a table as the index\n";

#-- We generate a hash from this internal password that is encrypted
my $hash = $pbkdf2->generate($encrypted_internal_password);
print "The hash is stored on the same row as the encrypted_internal_password\n";

if ($pbkdf2->validate($hash, $encrypted_internal_password)) {
    print "hash and encrypted_internal_password do match: access granted\n";
} else {
    exit(0);
}

my $site_salt = 'FR0GB0RD'; #-- 8 chars long string

my $user_id    = 234;
my $user_email = 'supersecretemail@mail.com';
my $user_name  = "NotSoAnonymous";

my $user_info = "$user_id\n$user_email\n$user_name";
my $cipher2 = Crypt::CBC->new(
    -key    => $user_access_key,
    -cipher => 'Blowfish',
    -salt   => $site_salt
);

my $encrypted_user_info = $cipher2->encrypt($user_info);

#-- The user personal info is encrypted. This time the encryption key is again the
#-- user_access_key, but the salt is taken from frogboard's config.yml file

my @user_info = split /\n/, $cipher2->decrypt($encrypted_user_info);
print "===================\n";
print Dumper @user_info;
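Added example, not the thread's code: the anon's earlier answer ("use PBKDF with many rounds") is all that the encrypted-internal-password scheme above is really trying to achieve. Below is a plain user/password store written against core Perl modules only (Digest::SHA for HMAC-SHA-256, MIME::Base64 for the stored encoding): a per-user random salt read from /dev/urandom, PBKDF2 with a high round count, a self-check against published PBKDF2-HMAC-SHA256 test vectors, and a constant-time comparison at login. The `pbkdf2-sha256$iterations$salt$hash` record format, the 100000-round default and the function names are my own choices, not frogboard's.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Digest::SHA qw(hmac_sha256);
use MIME::Base64 qw(encode_base64 decode_base64);

# PBKDF2-HMAC-SHA256 (RFC 8018) built on the core Digest::SHA module.
sub pbkdf2_sha256 {
    my ($password, $salt, $iterations, $dk_len) = @_;
    die "iterations must be >= 1" unless $iterations >= 1;
    my ($dk, $block) = ('', 1);
    while (length($dk) < $dk_len) {
        my $u = hmac_sha256($salt . pack('N', $block), $password);   # U_1
        my $t = $u;
        for (2 .. $iterations) {                                     # U_2 .. U_c
            $u = hmac_sha256($u, $password);
            $t ^= $u;                                                # stringwise XOR
        }
        $dk .= $t;
        $block++;
    }
    return substr($dk, 0, $dk_len);
}

# Known-answer checks ("password"/"salt", 32-byte output) so a broken build dies early.
unpack('H*', pbkdf2_sha256('password', 'salt', 1, 32))
    eq '120fb6cffcf8b32c43e7225256c4f837a86548c92ccc35480805987cb70be17b'
    or die "PBKDF2 self-check (1 round) failed";
unpack('H*', pbkdf2_sha256('password', 'salt', 2, 32))
    eq 'ae4d0c95af6b46d32d0adff928f06dd02a303f8ef3c251dfd6e2d85a95474c43'
    or die "PBKDF2 self-check (2 rounds) failed";

# Core Perl has no CSPRNG module (the thread uses Crypt::URandom for this),
# so read the kernel's generator directly. Assumes a Unix-like system.
sub random_bytes {
    my ($n) = @_;
    open(my $fh, '<:raw', '/dev/urandom') or die "open /dev/urandom: $!";
    my $got = read($fh, my $buf, $n);
    close $fh;
    die "short read from /dev/urandom" unless defined $got && $got == $n;
    return $buf;
}

# Compare two strings without leaking where they first differ.
sub const_eq {
    my ($x, $y) = @_;
    return 0 if length($x) != length($y);
    my $diff = 0;
    $diff |= ord(substr($x, $_, 1)) ^ ord(substr($y, $_, 1)) for 0 .. length($x) - 1;
    return $diff == 0;
}

# Stored record (my format): scheme$iterations$base64(salt)$base64(derived key).
sub hash_password {
    my ($password, $iterations) = @_;
    $iterations //= 100_000;
    my $salt = random_bytes(16);
    my $dk   = pbkdf2_sha256($password, $salt, $iterations, 32);
    return join '$', 'pbkdf2-sha256', $iterations,
        encode_base64($salt, ''), encode_base64($dk, '');
}

sub verify_password {
    my ($password, $record) = @_;
    my ($scheme, $iterations, $salt_b64, $dk_b64) = split /\$/, $record;
    return 0 unless defined $dk_b64 && $scheme eq 'pbkdf2-sha256' && $iterations =~ /^\d+$/;
    my $expected = decode_base64($dk_b64);
    my $dk = pbkdf2_sha256($password, decode_base64($salt_b64), $iterations, length $expected);
    return const_eq($dk, $expected);
}

# Constructed demo: one account, one right and one wrong login attempt.
my $record = hash_password('correct horse battery staple');
print "stored: $record\n";
for my $try (['right password', 'correct horse battery staple'], ['wrong password', 'Tr0ub4dor&3']) {
    printf "%-15s %s\n", $try->[0], verify_password($try->[1], $record) ? 'accepted' : 'rejected';
}
```

The row is looked up by username (or user_id) first and the password checked second; nothing derived from the password or from a ciphertext needs to be a primary key. The pure-Perl loop is fine for a demo, but a deployed board would use a compiled implementation (the Crypt::PBKDF2 already used above has one) and raise the round count as far as the login latency budget allows.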

Name: 🐫 2018-04-17 16:14

Fuck, i've realized that i've wanted to make this software since 2011.

https://archive.tinychan.org/read/prog/1301025211

Name: Anonymous 2018-04-17 19:50

what about cross site scripting?

Name: Anonymous 2018-04-17 19:57

>>86
ALERT MY ANUS

Name: 🐫 2018-04-17 20:06

>>86
I did some manual tests yesterday to check XSS stuff. Seems safe for now. Of course i will use some automated tools in the future to be sure that the system is safe. I'm more concerned about the authentication mechanism i described in >>84

Name: Anonymous 2018-04-17 20:24

>>88
add rate-limiting for login attempts to protect against brute-forcing

Name: Anonymous 2018-04-17 21:03

>>85
Oh... i left that CMS as it was since the installation... didn't touch it since day one. PS3 has many good games.
Are you still playing?

Name: 🐫 2018-04-17 21:58

>>90
I sold it... Good machine, good times. Now i don't care about gaming anymore
>>89
You mean you don't like to be brute-forced as fast as possible?

I was thinking on relying on Cloudflare for this, using one of the free rules for this purpose.

Name: Anonymous 2018-04-18 0:14

>>91
I was thinking on relying on Cloudflare for this

I hate when people say shit like that. It's like when people say they don't need to make their website validate input or protect against XSS or whatever because ``the WAF will take care of it''. That's a lazy cop-out. Don't rely on other tools -- make your code secure without bandaids.

I'm not saying you shouldn't use Cloudflare or a WAF, as both are important. But to say that you'll leave security in the hands of third party code and services is silly.
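Added example, not frogboard's code, for the rate-limiting suggestion and the "make your code secure without bandaids" reply above: a login throttle that lives in the application itself, so it still holds when nothing sits in front of the server. It is a sliding-window counter keyed by both the account name and the client address; the LoginLimiter package, the 5-failures-per-10-minutes defaults and the constructed check_password() stand-in for the real PBKDF2 verification are all mine.

```perl
#!/usr/bin/perl
use strict;
use warnings;

package LoginLimiter {
    # A key (account name or client IP) is blocked once it has accumulated
    # $max failures inside the last $window seconds. State is in-process memory.
    sub new {
        my ($class, %opt) = @_;
        return bless {
            max      => $opt{max}    // 5,
            window   => $opt{window} // 600,
            failures => {},              # key => [ timestamps of recent failures ]
        }, $class;
    }

    # Drop expired failures for $key and return the surviving list.
    sub _recent {
        my ($self, $key, $now) = @_;
        my $list = $self->{failures}{$key} //= [];
        @$list = grep { $_ > $now - $self->{window} } @$list;
        return $list;
    }

    sub is_blocked {
        my ($self, $key, $now) = @_;
        $now //= time;
        return scalar(@{ $self->_recent($key, $now) }) >= $self->{max};
    }

    sub record_failure {
        my ($self, $key, $now) = @_;
        $now //= time;
        push @{ $self->_recent($key, $now) }, $now;
    }

    sub clear {
        my ($self, $key) = @_;
        delete $self->{failures}{$key};
    }
}

# Constructed credential check standing in for the real salted-hash verification.
my %users = (frog => 'ribbit');
sub check_password {
    my ($user, $pw) = @_;
    return exists $users{$user} && $users{$user} eq $pw;
}

my $limiter = LoginLimiter->new(max => 5, window => 600);

# Returns 'ok', 'denied' or 'blocked'. Failures count against both the account
# and the client address, so cycling usernames from one address, or cycling
# addresses against one account, both run into the limit.
sub try_login {
    my ($user, $pw, $ip, $now) = @_;
    $now //= time;
    return 'blocked' if $limiter->is_blocked("user:$user", $now)
                     || $limiter->is_blocked("ip:$ip", $now);
    if (check_password($user, $pw)) {
        $limiter->clear("user:$user");      # the per-IP counter is deliberately kept
        return 'ok';
    }
    $limiter->record_failure("user:$user", $now);
    $limiter->record_failure("ip:$ip", $now);
    return 'denied';
}

# Simulation with a constructed clock so the window expiry is visible offline.
my $t0 = 1_000_000;
print try_login('frog', "guess$_", '203.0.113.9', $t0 + $_), "\n" for 1 .. 6;  # five denials, then blocked
print try_login('frog', 'ribbit', '203.0.113.9', $t0 + 7), "\n";                 # blocked even with the right password
print try_login('frog', 'ribbit', '203.0.113.9', $t0 + 700), "\n";               # window expired
```

Two things to keep in mind when moving this from a demo into a Dancer2 app: the hash is per process, so a multi-worker deployment needs the counters in shared storage (the database or a cache) to be effective; and a limit keyed on the account alone lets anyone lock a user out by sending wrong passwords, which is why the address is counted too and the window is kept short. A Cloudflare rule in front is still a reasonable extra layer, just not the only one.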

Name: 🐫 2018-04-21 6:35

>>84
I realized that this is all stupid bullshit. A regular user/password combo is the most sensible solution, maybe with an option for client-side certificates. I think i can still provide a decent level of "safety" and anonymity for the users.

Anyway, ... what the fuck was i thinking!!!?!?!?!

Name: 🐫 2018-04-24 14:24

Hi all

In the end, i have a user/password mechanism now. However, your username is PRIVATE. Only in special circumstances, under your control, you can make it visible to everyone. You still have a public name, that can change anytime to anything ('Anonymous' by default)

My idea is that, in the event of a hack, anyone that gets access to the DB will have a hard time relating a username to a user_id.

user side        server side
~~~~~~~~~        ~~~~~~~~~~~

$username <--->  $user_id


The relationship between username and id (and email too) is on a table, but encrypted.

So, for practical purposes, when a user logs in, i keep this relationship stored in a variable in the program's memory. If there are 50000 users logged in, this structure will have 50000 elements. There is no public end-point to access this, and the only function you have available publicly is Session::who_is($username), and it is used in the code whenever i need the user_id (mostly when calling stored procedures)

What do you think about this? Do you think it is a secure way to do it? Of course, anyone with direct control of the machine can always explore the memory to read the data with the relationships directly, but then, they will only get the ones of the currently active users.

Name: 🐫 2018-04-26 13:18

A recent gif with the login process and a notification for a response you got in the background

https://imgur.com/a/FTQRFIm

Name: Anonymous 2018-04-26 13:26

So you're making a hackerjews competitor

Name: Anonymous 2018-04-26 14:28

>>95
use type="password" for the input element so that it gets converted to bullets instead of showing the password

Name: Anonymous 2018-04-26 14:40

>>97
If you care about so much about this, you can use ******* as you're password.

Name: Anonymous 2018-04-26 15:00

>>98
What's with your obsession with misusing ``you're'' and ``your''?
Also, check 'em

Name: Anonymous 2018-04-26 17:22

>>99
HEY CHECK MINE ALSO

Name: Anonymous 2018-04-26 17:28

/prog/ challenge: write a bot that scrapes and parses text boards and only logs dubs! wget, curl, grep... it don't matter

Name: Anonymous 2018-04-27 6:24

>>99
your're are an anus if you think that their's is only one person writing like that. nice dubs though

Name: Anonymous 2018-04-27 9:18

>>102
fuck off autismo
dont you have a diff to write?
mother fucker

Name: Anonymous 2018-04-27 9:20

>>103
your're are an anus

Name: Anonymous 2018-04-27 9:59

reeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee
poast poast red cream cloan
API WIN

Name: Anonymous 2018-04-27 10:02

i maek poast on the {spoiler /prog/} board

Name: Anonymous 2018-04-27 10:02

i maek poast on the {spoiler /prog/} board

Name: Anonymous 2018-04-27 10:03

i maek poast on the {spoiler /prog/} board

Name: Anonymous 2018-04-27 10:03

i maek poast on the {spoiler /prog/} board

Name: Anonymous 2018-04-27 10:03

i maek poast on the {spoiler /prog/} board

Name: Anonymous 2018-04-27 12:18

check my dubs

Name: 🐫 2018-04-27 12:44

Markup choice

Right now i am inclined towards a combination of sexpcode and markdown.

After trying them for a while, i found this comfortable to type. Now i am coding this to see how it goes

(All these work only in column 1)
: This will create a header (no multilevel headers. I'm keeping this intentionally simple)
+ Item List
++ Item List level 2
+++ Etc
> green text
# purple text


These are free to type anywhere
[b]
[i]
[u]
[h hidden] (AKA spoilers)
[sup]
[sub]

[code(end='\n]')
some source code
]

Yes, some will have parameters. In the case of code, end is showing the default value for it, meaning that a new line plus a closing ] indicates the end of the code block. Notice that there is NO space between code and the opening parenthesis.


[do action]
This will allow your post to trigger some specific action on posting. Example
[do dice]
This will throw a 6 side dice and print its value. (A nice replacement for trips i guess)


>>1 Points to post1
>>1:2 Points to heading 2 in post 1
>>1.3 Points to paragraph 3 in post 1


[table(title="this shows some data" separator="|" header="1" start="[" end="]")
[Column 1 | Column 2 | Column 3]
[ data1 | data2 | data3 ]
[ data4 | data5 | data6 ]
]


Since this has no JS there is no way to do markup except by typing it. So it is imperative to keep it as simple as possible with sane defaults. Like >>1 for quick replies

Name: Anonymous 2018-04-27 12:49

>>112
why this weird sorta-bbcode-sorta-sexpcode instead of either one or the other? bbcode has [tag]value[/tag], sexpcode has {tag value} and for some reason your're are board will have [tag value]

Name: 🐫 2018-04-27 12:59

>>112
I fucked up here:

it is this
[b bold]
[i italic]
[u underscore]
[s strike]
[h hidden] (AKA Spoiler)


Also, you can close all opened tags quickly with []

[b [u [i hello[]
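Added example, not frogboard's parser: one way to render the corrected syntax above to HTML in Perl. It covers the column-1 prefixes (`:`, `+`/`++`/`+++`, `>`, `#`), the inline `[tag text]` forms with nesting, `]` closing the innermost tag and `[]` closing all of them, and `>>N` references; the `[code(...)`, `[table(...)` and `[do ...]` forms are left out to keep it short. The point for the cross-site scripting question raised earlier in the thread is that every character of user text goes through escape_html() and only names in the %INLINE whitelist ever become markup, so raw HTML typed into a post comes out as text. Treating a line that starts with `>>` as a reply reference rather than greentext, the `#pN` anchor scheme and the CSS class names are my assumptions.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Every piece of user text passes through here before it is emitted.
sub escape_html {
    my ($s) = @_;
    $s =~ s/&/&amp;/g;
    $s =~ s/</&lt;/g;
    $s =~ s/>/&gt;/g;
    $s =~ s/"/&quot;/g;
    $s =~ s/'/&#39;/g;
    return $s;
}

# Whitelist of inline tags: name => [opening HTML, closing HTML].
my %INLINE = (
    b   => ['<b>',   '</b>'],
    i   => ['<i>',   '</i>'],
    u   => ['<u>',   '</u>'],
    s   => ['<s>',   '</s>'],
    sup => ['<sup>', '</sup>'],
    sub => ['<sub>', '</sub>'],
    h   => ['<span class="spoiler">', '</span>'],   # [h hidden] spoilers
);

# Inline pass: [tag text] opens a tag, ] closes the innermost open tag,
# [] closes every open tag, >>N (also >>N:H and >>N.P) links to a post.
sub render_inline {
    my ($text) = @_;
    my ($out, @open) = ('');
    pos($text) = 0;
    while (pos($text) < length $text) {
        if ($text =~ /\G\[\]/gc) {
            $out .= pop @open while @open;
        }
        elsif ($text =~ /\G(\[(\w+)\s)/gc) {
            if (exists $INLINE{$2}) {
                push @open, $INLINE{$2}[1];
                $out .= $INLINE{$2}[0];
            }
            else {
                $out .= escape_html($1);     # unknown tag name: shown literally
            }
        }
        elsif (@open && $text =~ /\G\]/gc) {
            $out .= pop @open;
        }
        elsif ($text =~ /\G(>>(\d+)(?:[:.]\d+)?)/gc) {
            $out .= qq{<a href="#p$2">} . escape_html($1) . '</a>';
        }
        elsif ($text =~ /\G([^\[\]>]+|.)/gcs) {
            $out .= escape_html($1);         # plain text, always escaped
        }
    }
    $out .= pop @open while @open;           # close anything left open at end of line
    return $out;
}

# Line pass: the column-1 prefixes from the post above.
sub render_post {
    my ($post) = @_;
    my (@html, $in_list);
    for my $line (split /\n/, $post) {
        if ($line =~ /^(\++)\s*(.*)/) {      # +, ++, +++ list items
            push @html, '<ul>' unless $in_list++;
            push @html, '<li class="level' . length($1) . '">' . render_inline($2) . '</li>';
            next;
        }
        push @html, '</ul>' if $in_list;
        $in_list = 0;
        if    ($line =~ /^:\s*(.*)/) { push @html, '<h3>' . render_inline($1) . '</h3>' }
        elsif ($line =~ /^>(?!>)/)   { push @html, '<p class="green">' . render_inline($line) . '</p>' }
        elsif ($line =~ /^#/)        { push @html, '<p class="purple">' . render_inline($line) . '</p>' }
        else                         { push @html, '<p>' . render_inline($line) . '</p>' }
    }
    push @html, '</ul>' if $in_list;
    return join "\n", @html;
}

# Constructed sample post exercising each rule, including stray HTML and an unknown tag.
my $post = join "\n",
    ': Markup demo',
    '+ first item with [b bold] and [i [u nested]]',
    '++ second level, closed all at once: [b [u [i hello[]',
    '> greentext replying to >>1:2',
    '# purple text with a [h spoiler] in it',
    'Raw HTML like <b>this</b> & "quotes" stays text, [xyz unknown] tags too';
print render_post($post), "\n";
```

The whitelist is the whole security argument: a tag name not in %INLINE is emitted as the escaped characters the user typed, so extending the markup later means adding an entry, not loosening the escaping. Attributes for the `[code(...)` and `[table(...)` forms would need the same treatment (parse the parameters, then escape each value) rather than being copied into the output.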

Name: 🐫 2018-04-27 13:02

>>113
I think that [ is much more different than ( visually, and (in english keyboards) is easier to type.

Name: Anonymous 2018-04-27 13:50

Just use Markdown. Nobody wants to learn a millionth markup language.

Name: Anonymous 2018-04-27 23:36

>>116
I do.

Name: Anonymous 2018-04-27 23:43

>>117
The average /frogrider has very different opinions from the average person.

Name: Anonymous 2018-04-27 23:55

I considered getting into Perl but someone told me it was a shitty ancient language destined for total extinction. I suggest you follow the same advice and rewrite it in FIOC or something.

Name: 🐫 2018-04-28 0:40

>>119
Well.... it still gets the job done, and it is pretty good for it. Perl Dancer2 is amazing! It is not shitty nor ancient at all, though i won't use it for any system that requires an object-oriented design. The Moose and Mouse libraries are awful IMHO.

The good side of perl today is that it is one of the best paid languages. Unbelievable, right? But it is true today.

I'm moving on to Perl6 for my next project's backend. I have my goal set very high ;)
