Welcome to the GoFuckYourself.com - Adult Webmaster Forum forums.
Old 12-12-2005, 04:24 PM   #1
Young
Bland for life
Join Date: Nov 2004
Posts: 10,468
Image Verification SUCKS!@!!!!!!!11

I will not promote any sponsor that uses it. Why? Because I find it to be a pain in the ass to use....so why do I want my surfers to go through the same shit?

The images are so fucking hard to read now. Some require spaces...others don't. Sometimes it takes 2-3 attempts just to get it right. I understand it protects against scripts and brute force...but it's a fucking pain.

[/rant]

that is all.
Old 12-12-2005, 07:57 PM   #2
bbe
Confirmed User
Join Date: Feb 2005
Posts: 110
Never seen one with whitespace in it. Maybe that's why it's taking you two, three times to get in. Bf'ing is a bigger headache, it's a good development imo.
Old 12-12-2005, 07:59 PM   #3
BoyAlley
So Fucking Gay
Join Date: Nov 2004
Posts: 19,714
Quote:
Originally Posted by Young
Sometimes it takes 2-3 attempts just to get it right. I understand it protects against scripts and brute force...but it's a fucking pain.
Learn to read
Old 12-12-2005, 08:01 PM   #4
JoeMeca
So Fucking Banned
Join Date: Nov 2005
Location: Juicy's House! Icq: 265529404
Posts: 2,266
boyalley when u get a chance hit me on icq i needa buy my mom a christmas present lol
Old 12-12-2005, 08:06 PM   #5
BIGTYMER
Junior Achiever
Join Date: Nov 2004
Location: Walled Garden
Posts: 17,066
Spaces? I don't think so. Can you show us one that uses them?
Old 12-12-2005, 08:09 PM   #6
Dynamix
G F Y not
Join Date: Jan 2004
Location: MN
Posts: 2,910
Never seen spaces, either, but I do agree that they blow.. especially the ones that have gone through 3-5 distortion filters..
Old 12-12-2005, 09:23 PM   #7
Marshal
Biz Dev and SEO
Join Date: Jun 2005
Posts: 15,180
i hate this shit! too hard to read...
Old 12-12-2005, 09:25 PM   #8
Splum
Confirmed User
Join Date: May 2003
Location: USA
Posts: 6,195
Which sponsors use it?
Old 12-12-2005, 09:30 PM   #9
Babagirls
Text Writer
Join Date: Feb 2001
Location: Wisconsin
Posts: 18,812
I love you.
Old 12-12-2005, 09:31 PM   #10
brand0n
been very busy
Join Date: Nov 2002
Location: the queen city
Posts: 26,983
you mean to tell me you think it's asking too much to type in 1 fucking word?

i mean you've convinced them to break out their cc, type that number in, name, addy, all that jazz, and a 4-8 letter combo is 2 much to ask?
Old 12-12-2005, 09:33 PM   #11
FreeHugeMovies
Too lazy to set a custom title
Join Date: Dec 2001
Location: Charlotte, NC
Posts: 14,137
Very good post. Some of this latest shit, it's ridiculous at what level they expect you to see.
Old 12-12-2005, 09:36 PM   #12
Splum
Confirmed User
Join Date: May 2003
Location: USA
Posts: 6,195
Quote:
Originally Posted by brand0n
you mean to tell me you think it's asking too much to type in 1 fucking word?

i mean you've convinced them to break out their cc, type that number in, name, addy, all that jazz, and a 4-8 letter combo is 2 much to ask?
Do they ask you to do that at the supermarket too? I've actually been halfway through purchasing something and they come up with some dumb jump-through-the-hoops shit and I say fuck it. Lost sale. Shrug.
Old 12-12-2005, 09:58 PM   #13
Rob
I'm a great bowler.
Join Date: Nov 2003
Location: Right Outside of Normal.
Posts: 13,309
I had one the other day that used Wingdings...talk about a pain in the ass.
Old 12-12-2005, 10:22 PM   #14
V_RocKs
Damn Right I Kiss Ass!
Join Date: Dec 2003
Location: Cowtown, USA
Posts: 32,409
Without image verification:

Bruteforce Basic Auth - 25,000 to 250,000 an hour depending on your connection.

Loss: 10 to 200 passwords a day. Used by 10 to 2000 people a day. Money lost is in the millions a year, BW costs are 50 times higher because these surfers are going to download the entire website since they don't know when they will get a password again. Login screen is unresponsive to others because it is being bruteforced which is essentially DOS'ing it.

Form Login - 8,000 - 50,000 tries per hour.

Loss - 5 to 50 passwords a day. Used by 5 to 500 surfers. Because the entire form is being sent at 70K per request, that is 1,750,000,000 bytes total or about a gig and a half per entry attempt. So without a security code you are wasting 87.5 gigs a day just to the login attempts. Add that to the 50 people site sucking 200gigs each... all of a sudden that ultra cheap BW is extremely expensive.

Many sponsors think that if they allow 'some' cracking to go on then it is OK because when the password monitoring scripts kick in and block the account, some of the surfers then break down and signup. This is not the case. You can go into many forums and IRC channels and have someone crack a password that will only be given to you. If someone else asks for one, they will crack them a different account. Your password monitoring software will not stop them since they are not triggering any alarms...

#1 - Use MD5 password hashing, not DES. At least then they take a lot longer to crack if they steal your password file.
#2 - Encrypt passwords that go into the DB. Most of you have them stored in plain text or DES.
#3 - Make the users' passwords for them. The only reason DES decryption even works is because most people use the same password EVERYWHERE. So if you run Nubiles.net and they steal a comparable site's password file, your encrypted passwords are easy to crack.
#4 - Use a form login and a security code. Make sure that there is no other part of the website where you can force basic authentication. With some free/cheap authorization software you can bypass the form and code login by just entering a direct link to a file inside the members area.


Some of you require a member to choose a password with an uppercase letter and a number. Big mistake. You actually made it easier to guess passwords, not harder.

This password:

surkfloi

- requires 218,340,105,584,896 tries. Because I don't know if I need an uppercase letter, lowercase letter or a number for each place. 62 different combos per 8 places.
Or - 62*62*62*62*62*62*62*62
Surkflo1

- Now I know that 85% of the lazy American public will make the first letter a capital and the last character a 1. Now I need:
26*62*62*62*62*62*62*1 = 1,476,806,125,184

218340105584896/1476806125184=147

What do all of these numbers mean? Well, with DES I can decrypt the larger number and get a password to spit out about once every 3 months.. hardly worth the trouble. Doing the second number I can get a password about once or twice a day... And if I take over a few networked dual/quad XEON's I can do it in hours... Which means it is actually 147 times EASIER to get into your website when you require an uppercase letter and a number in the 6 to 8 character password.

Allow 6 character passwords and I can use my home machine to get about 5 passwords per hour... or 30 with the stolen .edu network.

Last edited by V_RocKs; 12-12-2005 at 10:24 PM..
Old 12-12-2005, 10:27 PM   #15
Rob
I'm a great bowler.
Join Date: Nov 2003
Location: Right Outside of Normal.
Posts: 13,309
Quote:
Originally Posted by V_RocKs
[post #14 by V_RocKs quoted in full; see above]
If he complains about typing in 8 characters for verification do you really think he will read all of that?
Old 12-12-2005, 10:29 PM   #16
Violetta
Affiliate
Join Date: Jul 2004
Posts: 28,735
it has happened that I had to give in!
Old 12-12-2005, 11:20 PM   #17
Fetish
Confirmed User
Join Date: Mar 2005
Posts: 823
Good thread
Old 12-12-2005, 11:21 PM   #18
smack
Push Porn Like Weight.
Join Date: Mar 2002
Location: Inside .NET
Posts: 10,652
it's hard enough for the average surfer to keep a boner long enough to fumble out their credit card. without having to take a typing test.
Old 12-12-2005, 11:25 PM   #19
Splum
Confirmed User
Join Date: May 2003
Location: USA
Posts: 6,195
You people arguing that image verification is a good security tool need to really figure out how the internets work. You can BLOCK IPs *GASP* after x amount of tries for x amount of time with x account. I have no idea what the hell image verification is going to accomplish.
Old 12-13-2005, 04:58 AM   #20
V_RocKs
Damn Right I Kiss Ass!
Join Date: Dec 2003
Location: Cowtown, USA
Posts: 32,409
Quote:
Originally Posted by Splum
You people arguing that image verification is a good security tool need to really figure out how the internets work. You can BLOCK IPs *GASP* after x amount of tries for x amount of time with x account. I have no idea what the hell image verification is going to accomplish.
Right and when I run a bruteforce attack with 2,000 proxies @ 30,000 tries per hour, each proxy will only hit you 15 times per hour. This means if you block me, you also need to block AOL customers...
Old 12-13-2005, 05:09 AM   #21
kmanrox
aka K-Man
Join Date: Oct 2001
Location: The Gutter
Posts: 29,292
bookmarked this thread, thx
Old 12-13-2005, 05:16 AM   #22
devnull
Registered User
Join Date: Dec 2005
Posts: 65
Quote:
Originally Posted by Splum
You people arguing that image verification is a good security tool need to really figure out how the internets work. You can BLOCK IPs *GASP* after x amount of tries for x amount of time with x account. I have no idea what the hell image verification is going to accomplish.
What a clueless piece of shit, maybe you should learn how the "internets work" you dumbfuck.
Old 12-13-2005, 05:50 AM   #23
Ace-wtf
Confirmed User
Join Date: Jun 2005
Location: rolling for CASH
Posts: 2,983
w0rd
there will be one in the entrance to the show in vegas
be prepared lol
Old 12-13-2005, 06:20 AM   #24
Pete-KT
Workin With The Devil
Join Date: Oct 2004
Location: West Bloomfield, MI
Posts: 51,532
I've never had a problem with image verification, I love it
Old 12-13-2005, 06:21 AM   #25
fris
Too lazy to set a custom title
Join Date: Aug 2002
Posts: 55,372
ya it's a pain even when joining forums, but some sites have image verify and are clear and you can read it. sometimes they make it with a gradient so it's so hard to read they make you do it like 3 or 4 times over. like they are trying to make you fail.
Old 12-13-2005, 06:22 AM   #26
who
So Fucking Banned
Join Date: Aug 2003
Location: ICQ #23642053
Posts: 19,593
Are you colorblind?
Old 12-13-2005, 06:24 AM   #27
Crypt
Confirmed User
Join Date: Apr 2004
Posts: 2,225
Quote:
Originally Posted by Splum
You people arguing that image verification is a good security tool need to really figure out how the internets work. You can BLOCK IPs *GASP* after x amount of tries for x amount of time with x account. I have no idea what the hell image verification is going to accomplish.
Clueless idiot, maybe you should learn how the internet works
Old 12-13-2005, 09:45 AM   #28
Young
Bland for life
Join Date: Nov 2004
Posts: 10,468
Quote:
Originally Posted by Babagirls
I love you.
i love you too baba

anyways...for me it's hard to read. the letters are distorted. it's just a pain. maybe i just don't understand the technology because i don't run a program or website that needs it.
Old 12-13-2005, 09:47 AM   #29
Young
Bland for life
Join Date: Nov 2004
Posts: 10,468
Quote:
Originally Posted by fris
ya it's a pain even when joining forums, but some sites have image verify and are clear and you can read it. sometimes they make it with a gradient so it's so hard to read they make you do it like 3 or 4 times over. like they are trying to make you fail.
the gradient ones are an extreme pain in the ass

smack...you nearly made me blow coca cola out my nose
Old 12-13-2005, 10:34 AM   #30
u-Bob
there's no $$$ in porn
Join Date: Jul 2005
Location: icq: 195./568.-230 (btw: not getting offline msgs)
Posts: 33,063
If it's easy to read, no problem.
If they are like the ones blogspot uses (or worse), then it sucks big time.
Old 12-13-2005, 10:54 AM   #31
andi_germany
Confirmed User
Join Date: Oct 2002
Location: Germany
Posts: 768
Quote:
Originally Posted by V_RocKs
[post #14 by V_RocKs quoted in full; see above]
Sorry but there is a lot of bull in this post and a lot of conclusions that actually are so wrong that it gives you such a false sense of security.

1. Fact. Image verification is broken. ALL images have been proven to be broken by machines, so you are in false security. You get to keep the script kiddies out, but the serious crackers are in.

2. Fact. Brute force starts with dictionary attacks, as hardly anyone who is not forced to use capitals or numbers uses anything other than a normal word, which renders your calculations kind of useless.

3. Fact. You actually assume a lot in your chance calculation but forgot to calculate that if you don't require people to use capitals or numbers, people simply use lowercase and even a dictionary word, for the same reasons you assumed they use a capital first letter.
Dictionary words bring you to about 1:100000 or even less, or at most 1:26^8

4. Fact. You might actually break laws using captcha verification. In many countries there are accessibility laws for people that have disabilities. Granted, blind people won't watch porn, but some lawmaker might actually use this to fuck you because they cannot get you otherwise.
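The counts argued over in post #14 and post #31, written out as one function so the assumption behind each number is explicit. This is an added example, not code from the thread or from any poster; the pattern letters L/U/D/?/! are this example's own notation, and the last step, applying the thread's quoted online guess rate to each space, goes beyond what either post computes.

```python
"""Added example, not code from the thread: the search-space arithmetic of
post #14 and the 26^8 / dictionary figures of post #31, with the online
guess rate quoted in post #20 applied to each space."""
from math import prod

# Per-position alphabet sizes for a guesser's model of one password:
#   L lowercase letter, U uppercase letter, D digit,
#   ? any of the 62 alphanumerics, ! a position the guesser already knows
CLASS_SIZES = {"L": 26, "U": 26, "D": 10, "?": 62, "!": 1}

# Figures taken from the thread, not measured here
DICTIONARY_SIZE = 100_000      # post #31: "about 1:100000"
ONLINE_RATE = 30_000           # post #20: 30,000 tries per hour through proxies


def pattern_keyspace(pattern):
    """Candidates a guesser must cover when each position is drawn independently."""
    try:
        return prod(CLASS_SIZES[ch] for ch in pattern)
    except KeyError as exc:
        raise ValueError(f"unknown pattern class {exc}") from None


def hours_to_exhaust(space, guesses_per_hour=ONLINE_RATE):
    """Worst-case hours to try every candidate at a fixed guess rate."""
    return space / guesses_per_hour


def compare_policies(length=8):
    """Reproduce the thread's cases for one password length."""
    anything = pattern_keyspace("?" * length)                  # post #14: 62^8
    # post #14's 'Surkflo1' model: capital first, unknown middle, known '1' last
    predictable = pattern_keyspace("U" + "?" * (length - 2) + "!")
    lowercase = pattern_keyspace("L" * length)                 # post #31: 26^8
    return {
        "anything": anything,
        "predictable": predictable,
        "ratio": anything // predictable,                      # 62*62 // 26 == 147
        "lowercase": lowercase,
        "hours_anything": hours_to_exhaust(anything),          # ~7.3e9 h, ~830,000 years
        "hours_predictable": hours_to_exhaust(predictable),    # ~4.9e7 h, ~5,600 years
        "hours_dictionary": hours_to_exhaust(DICTIONARY_SIZE), # ~3.3 h
    }


if __name__ == "__main__":
    for name, value in compare_policies().items():
        if isinstance(value, float):
            print(f"{name:>18}: {value:,.1f}")
        else:
            print(f"{name:>18}: {value:,}")
```

Both random-character spaces are out of reach at the online rates the thread quotes, while a dictionary-sized space falls in an afternoon, which is why blocking reused and dictionary passwords matters more to a defender than mandating a capital and a digit.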
Old 12-13-2005, 11:52 AM   #32
Doctor Dre
Too lazy to set a custom title
Join Date: Jan 2001
Posts: 51,692
Quote:
Originally Posted by andi_germany
Sorry but there is a lot of bull in this post and a lot of conclusions that actually are so wrong that it gives you such a false sense of security.

1. Fact. Image verification is broken. ALL images have been proven to be broken by machines, so you are in false security. You get to keep the script kiddies out, but the serious crackers are in.

2. Fact. Brute force starts with dictionary attacks, as hardly anyone who is not forced to use capitals or numbers uses anything other than a normal word, which renders your calculations kind of useless.

3. Fact. You actually assume a lot in your chance calculation but forgot to calculate that if you don't require people to use capitals or numbers, people simply use lowercase and even a dictionary word, for the same reasons you assumed they use a capital first letter.
Dictionary words bring you to about 1:100000 or even less, or at most 1:26^8

4. Fact. You might actually break laws using captcha verification. In many countries there are accessibility laws for people that have disabilities. Granted, blind people won't watch porn, but some lawmaker might actually use this to fuck you because they cannot get you otherwise.
In adult, probably 80% of the attacks are caused by script kiddies.
Old 12-13-2005, 12:44 PM   #33
Splum
Confirmed User
Join Date: May 2003
Location: USA
Posts: 6,195
Bottom line it's about sales. I know for a fact that people get turned off by long and tedious sign-up processes (which are only that way to stop criminals). It's akin to blanketing everyone as a criminal until proven otherwise; is that any way to do business?
Old 12-13-2005, 12:47 PM   #34
Splum
Confirmed User
Join Date: May 2003
Location: USA
Posts: 6,195
Quote:
Originally Posted by Crypt
Clueless idiot, maybe you should learn how the internet works
So everyone on the internet brute force attacks porn websites? The percentage of brute force attacks on websites is proportionately insignificant compared to honest potential customers. Dumbass, stop being so fucking paranoid and use other methods to filter incoming traffic.
Old 12-13-2005, 12:53 PM   #35
Splum
Confirmed User
Join Date: May 2003
Location: USA
Posts: 6,195
Quote:
Originally Posted by V_RocKs
Right and when I run a bruteforce attack with 2,000 proxies @ 30,000 tries per hour, each proxy will only hit you 15 times per hour. This means if you block me, you also need to block AOL customers...
Incorrect. You can ban specific IPs; there is no cause for a blanket ban. Most common proxies are known and can be banned easily. There are even programs out there that can monitor specific patterns in network traffic no matter the source (time, length, etc). Oh and you can NEVER stop a hacker no matter what tools you use, you CAN stop 99.9% of the script kiddies.
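The per-IP lockout Splum proposes in posts #19 and #35 next to a per-account count, run over a constructed login log shaped like V_RocKs' scenario in post #20 (many sources, few tries each). This is an added example, not code from the thread or any poster; the log format, the thresholds and the sample addresses are this example's assumptions.

```python
"""Added example, not code from the thread: per-IP lockout vs. per-account
anomaly counting on a constructed login log.  Posts #19 and #35 propose
blocking an IP after N failures; post #20 answers that 2,000 proxies at
15 tries per hour each stay under any per-IP threshold.  Counting failures
per target account across distinct source IPs catches that spread-out pattern."""
from collections import defaultdict
from datetime import datetime, timedelta

# Thresholds are this example's assumptions, not a recommendation from the thread
PER_IP_LIMIT = 15          # failures per IP per window (post #20's "15 per hour")
PER_ACCOUNT_LIMIT = 30     # failures per account per window, any source
DISTINCT_IP_LIMIT = 5      # distinct IPs failing against one account
WINDOW = timedelta(hours=1)


def build_sample_log():
    """Constructed log lines, format '<ISO time> <ip> <user> <OK|FAIL>'."""
    base = datetime(2005, 12, 13, 5, 0, 0)
    lines = []
    # 1) a distributed guess: 40 proxies, 3 failures each, all aimed at 'member42'
    for p in range(40):
        for k in range(3):
            t = base + timedelta(seconds=90 * p + 20 * k)
            lines.append(f"{t.isoformat()} 10.0.{p}.7 member42 FAIL")
    # 2) one noisy host hammering many accounts from a single IP
    for k in range(20):
        t = base + timedelta(seconds=5 * k)
        lines.append(f"{t.isoformat()} 192.0.2.99 user{k:02d} FAIL")
    # 3) a legitimate member fat-fingering twice, then logging in
    for k, result in enumerate(["FAIL", "FAIL", "OK"]):
        t = base + timedelta(minutes=10, seconds=k)
        lines.append(f"{t.isoformat()} 198.51.100.5 alice {result}")
    return lines


def parse(lines):
    """Turn log lines into (timestamp, ip, user, succeeded) tuples, oldest first."""
    events = []
    for line in lines:
        ts, ip, user, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, result == "OK"))
    return sorted(events)


def in_window(events, start):
    end = start + WINDOW
    return [e for e in events if start <= e[0] < end]


def flagged_ips(events, start):
    """Per-IP rule: IPs with more than PER_IP_LIMIT failures in the window."""
    fails = defaultdict(int)
    for _ts, ip, _user, ok in in_window(events, start):
        if not ok:
            fails[ip] += 1
    return sorted(ip for ip, n in fails.items() if n > PER_IP_LIMIT)


def flagged_accounts(events, start):
    """Per-account rule: many failures, or failures from many distinct IPs."""
    fails = defaultdict(int)
    sources = defaultdict(set)
    for _ts, ip, user, ok in in_window(events, start):
        if not ok:
            fails[user] += 1
            sources[user].add(ip)
    return sorted(u for u in fails
                  if fails[u] > PER_ACCOUNT_LIMIT or len(sources[u]) > DISTINCT_IP_LIMIT)


def analyse(lines=None):
    """Run both rules over the first window of a log (the constructed one by default)."""
    events = parse(lines if lines is not None else build_sample_log())
    start = events[0][0]
    return {"ips": flagged_ips(events, start), "accounts": flagged_accounts(events, start)}


if __name__ == "__main__":
    print(analyse())
```

On the constructed log the per-IP rule catches only the single noisy host, while the 40 proxies each stay under the limit; the per-account rule flags the targeted account and leaves the member who mistyped twice alone.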
Old 12-13-2005, 12:55 PM   #36
Splum
Confirmed User
Join Date: May 2003
Location: USA
Posts: 6,195
Quote:
Originally Posted by devnull
What a clueless piece of shit, maybe you should learn how the "internets work" you dumbfuck.
1 post - December 05 sign up date...

I'm gonna brute force your mouth if you don't STFU surfer.
Old 12-13-2005, 01:26 PM   #37
Deek
Registered User
Join Date: Nov 2005
Posts: 31
password cracking....

Ok first, md5 is busted, mainly because of the invention of rainbow tables. Basically what people have done is take and compute the md5 hashes, then simply compare the hash to those stored in their database.

2nd.. Sure, if you're inside of the network you have direct access to the hashes; most won't and will be attempting to break into the site via webform. That's what the image verification is trying to prevent.. not attacks against the hash itself.

The proxy comment: the proper use of the published lists via ARIN can reduce the number of attacks from proxies considerably. Why? Most of these attacks happen from outside of the United States. And this is also related to vuln scanning/port scanning. Block this at your edge device (router/firewall etc., NOT YOUR SERVER!).

I'm new to porn, so this statement may be wrong... It doesn't seem like many people care much for traffic outside of North America/Europe, i.e. China/Asia/Russia; this is where a great deal (not a lot of them) of proxies exist. So blocking the not-so-well-liked countries serves two purposes, both security and more legit traffic. Again I'm new so I'm unsure how well this paragraph will fly.

Also most attacks by "script kids" are not even geared towards adult. They're geared towards a pool of addresses. One of the botnets I busted in Feb 05 had bots which were assigned separate areas of the net to search for open Windows file shares.

I'm going to post a poll after this... asking how many actually check their logs...

Image verification is a major hassle. Don't get me wrong, it upsets me. However image verification is typically implemented on community websites to prevent spammers. This is what I like. The use of image verification on a pay site prior to payment does not make sense to me, because it's unlikely (to me, being new to the porn industry) that someone is going to take a credit card and apply to a whole series of pay sites.. If a person has the loot, they're likely going for electronics which are easier to sell, say on eBay.

As a gentleman stated before, there's no foolproof security mechanism; you can however be aware of the risks around you, and implement as many speed bumps as you can.

In security you must balance the "CIA": confidentiality, integrity, and availability.

-Deek
3420164

Last edited by Deek; 12-13-2005 at 01:28 PM..
Old 12-13-2005, 01:49 PM   #38
Deek
Registered User
 
Join Date: Nov 2005
Posts: 31
Sorry, I just caught something.

Regarding my comment "inside of the network": gaining access to the password files should be rather difficult unless they have put them in an improper location.

And rather than saying "inside of the network" I should have stated shell access to the server.

Apologies for the mistype.
Old 12-13-2005, 02:19 PM   #39
nexcom28
So Fucking Banned
 
Join Date: Jan 2005
Posts: 3,716
I think image verification sucks. I will leave a site that asks me to verify some stupid letters unless it's easy.
Old 12-14-2005, 12:27 AM   #40
V_RocKs
Damn Right I Kiss Ass!
 
Join Date: Dec 2003
Location: Cowtown, USA
Posts: 32,409
Quote:
Originally Posted by andi_germany
Sorry, but there is a lot of bull in this post and a lot of conclusions that are actually so wrong that they give you a false sense of security.

1. Fact. Image verification is broken. ALL images have been proven to be broken by machines, so you are in false security. You keep the script kiddies out, but the serious crackers are in.

2. Fact. Brute force starts with dictionary attacks, as hardly anyone who is not forced to use capitals or numbers uses anything but a normal word, which renders your calculations kind of useless.

3. Fact. You actually assume a lot in your chance calculation, but forgot to account for the fact that if you don't require people to use capitals or numbers, people simply use lowercase and even a dictionary word, for the same reasons you assumed they use a capital first letter.
Dictionary words bring you to about 1:100000 or even less, or at most 1:26^8.

4. Fact. You might actually break laws using captcha verification. In many countries there are accessibility laws for people with disabilities. Granted, blind people won't watch porn, but some lawmaker might actually use this to fuck you because they cannot get you otherwise.
A lot of reaction... I will start with this guy.

1 - Your point in #1 is pointless. Give me an article, give me a white paper. Just because you say hackers are all-knowing doesn't mean shit. You say all images are broken... The only way to thwart image verification is to create signatures, similar to virus software. You create an image of what a set of numbers with lines running through them looks like; now you know what the number is. With SPARTA this is too tedious. The people hacking porn are working 40 hours a week or going to school or both. They don't have 2000 man-hours to do this. They have instead A.D.D.; they couldn't keep their attention on the task of creating signatures for SPARTA no matter how much they would like to.

2 - Brute-forcing does start with a dictionary attack. What takes longer, smart guy: finding 8 characters in a dictionary with 62 possibilities per letter, or only having to find 6*62 because I know that the first character is always going to be a capital and the last is always going to be a number? I said always... I guess I should say 85% of the time. But with 85% of the 8,000-member passfile, who gives a flying fuck about the other 15%?

3 - I stated over and over that the best option is to make the password for the customer. If you allow them to make it, then the hacker doesn't need to look for trillions of passwords; he only needs to look for the 70,000 commonly used words, and then apply simple rul3s t0 f1nd 3v3n m0r3.

4 - You think I give a fuck about some arcane Israeli law saying I can't use Captcha? Why do I need to go to one of these countries anyway?

It seems like you just wanted to rant. I am offering sound advice and you sound like a sleazy defense lawyer trying to protect someone who got caught in the act of a crime and even confessed, offering an account of the crime that could only be known by the perpetrator...
Old 12-14-2005, 12:33 AM   #41
V_RocKs
Damn Right I Kiss Ass!
 
Join Date: Dec 2003
Location: Cowtown, USA
Posts: 32,409
Quote:
Originally Posted by Splum
Incorrect. You can ban specific IPs; there is no cause for a blanket ban. Most common proxies are known and can be banned easily. There are even programs out there that can monitor specific patterns in network traffic no matter the source (time, length, etc.). Oh, and you can NEVER stop a hacker no matter what tools you use; you CAN stop 99.9% of the script kiddies.
There is no such thing as a common proxy, dude. You show me the IPs that are common... Please, man, you are too funny. Your COMMON proxies are NOT COMMON. Common would imply that the majority of proxies fall within a certain set of address blocks. They do not. I have been collecting proxies for 5 years now and I have NEVER seen a common address block of proxies. There are address blocks that commonly have proxies, but there are also billions of addresses. And there are plenty of proxies on "uncommon" address blocks, so I have no need to use one that is on one of these common blocks.

Script kiddies are the people giving out 98% of the passwords. The real hackers don't get caught up in the 'game'.

Also, a good portion of big-name sponsors don't even keep logs because the server can't handle it. Do you really think it can handle filtering the massive amount of traffic that comes in on any given day?

Last edited by V_RocKs; 12-14-2005 at 12:35 AM..
Old 12-14-2005, 12:52 AM   #42
V_RocKs
Damn Right I Kiss Ass!
 
Join Date: Dec 2003
Location: Cowtown, USA
Posts: 32,409
Quote:
Originally Posted by Deek
password cracking....

OK, first: MD5 is busted, mainly because of the invention of rainbow tables. Basically, what people have done is precompute the MD5 hashes and then simply compare the hash to those stored in their database.

Second: sure, if you're inside the network you have direct access to the hashes, but most won't be and will be attempting to break into the site via the web form. That's what the image verification is trying to prevent, not attacks against the hash itself.

On the proxy comment: proper use of the lists published via ARIN can reduce the number of attacks from proxies considerably. Why? Most of these attacks happen from outside of the United States. This is also related to vuln scanning/port scanning. Block this at your edge device (router/firewall etc., NOT YOUR SERVER!).

I'm new to porn, so this statement may be wrong... It doesn't seem like many people care much for traffic outside of North America/Europe, i.e. China/Asia/Russia, and this is where a great deal (not a lot of them) of proxies exist. So blocking the not-so-well-liked countries serves two purposes, both security and more legit traffic. Again, I'm new, so I'm unsure how well this paragraph will fly.

Also, most attacks by "script kids" are not even geared towards adult. They're geared towards a pool of addresses. One of the botnets I busted in Feb '05 had bots which were assigned separate areas of the net to search for open Windows file shares.

I'm going to post a poll after this, asking how many actually check their logs...

Image verification is a major hassle. Don't get me wrong, it upsets me. However, image verification is typically implemented on community websites to prevent spammers. This is what I like. The use of image verification on a pay site prior to payment does not make sense to me, because it's unlikely (to me, being new to the porn industry) that someone is going to take a credit card and apply to a whole series of pay sites. If a person has the loot, they're likely going for electronics, which are easier to sell, say, on eBay.

As a gentleman stated before, there's no foolproof security mechanism; you can, however, be aware of the risks around you and implement as many speed bumps as you can.

In security you must balance the "CIA": confidentiality, integrity, and availability.

-Deek
3420164

1 - Ever made tables? It takes a long time to make ones of any significance. I have. I actually crashed a drive making them because it overheated after the abuse on day 10. The majority of password crackers and hackers are no smarter than your Maytag repairman. Even still, cracking MD5 with rainbow tables still takes a lot longer than 400,000 c/s with DES.

2 - Believe it or not... most websites have been hacked at some point. When I say most, I mean 80%, and I am being generous. When Globill got hacked, every single member they ever processed became public domain. All 1.2 million. Consequently they filed for bankruptcy not long after. Hackers don't care about Strongbox; they prey on the idiot webmaster using phpBB, AWStats or a host of other hackable apps. They steal the password DB/file and then decrypt it, or get lucky because it is in plain text, and just use the account in reverse, figuring the last person that signed up has another 30 days left. No brute force needed.

Proxies - From my own experience, 10%, give or take a few points, is how much money comes in from outside the UK, CA, US, DE and MX. If you ask someone to give up on those sales, you are asking the wrong industry, unfortunately. Everyone here is just way too greedy.

Most crackers who are cracking basic auth or the form are not port scanning and doing other shit. Why would they? They are planning on going in on port 80; why do I care if port 3306 has MySQL running if I won't be using it?

Script Kids - I lived in the cracking world for years. They are 99% script kids... and when I say kids, I mean kids, as in 15-22.

Log Checking - Most of the people here that run porn sites have no clue about their logs, or even whether they log. They 'pay people to do that sort of stuff.' But no one ever gets around to it. Or they think their managed hosting includes such services and don't realise the host is only responsible for the server hardware, Apache, MySQL and the kernel. Everything else is the client's problem.

Image Verification - ??? I don't know of many porn sites that require it to sign up, but I know of a lot who require it to log in. If you cannot figure out the image, we have Darwin Awards available on your way out. I personally think that if it is too hard, perhaps you should live with someone who takes care of you, because you must be a fucking retard.

As the gentleman - Dude, there are no gentlemen here...

Oh, before I forget...
Old 12-14-2005, 12:56 AM   #43
V_RocKs
Damn Right I Kiss Ass!
 
Join Date: Dec 2003
Location: Cowtown, USA
Posts: 32,409
Quote:
Originally Posted by Deek
Sorry, I just caught something.

Regarding my comment "inside of the network": gaining access to the password files should be rather difficult unless they have put them in an improper location.

And rather than saying "inside of the network" I should have stated shell access to the server.

Apologies for the mistype.
Obtaining shell access to the server is pretty easy, especially in the PHP world.
Old 12-14-2005, 01:03 AM   #44
andi_germany
Confirmed User
 
Join Date: Oct 2002
Location: Germany
Posts: 768
Quote:
Originally Posted by V_RocKs
A lot of reaction... I will start with this guy.

1 - Your point in #1 is pointless. Give me an article, give me a white paper. Just because you say hackers are all-knowing doesn't mean shit. You say all images are broken... The only way to thwart image verification is to create signatures, similar to virus software. You create an image of what a set of numbers with lines running through them looks like; now you know what the number is. With SPARTA this is too tedious. The people hacking porn are working 40 hours a week or going to school or both. They don't have 2000 man-hours to do this. They have instead A.D.D.; they couldn't keep their attention on the task of creating signatures for SPARTA no matter how much they would like to.

2 - Brute-forcing does start with a dictionary attack. What takes longer, smart guy: finding 8 characters in a dictionary with 62 possibilities per letter, or only having to find 6*62 because I know that the first character is always going to be a capital and the last is always going to be a number? I said always... I guess I should say 85% of the time. But with 85% of the 8,000-member passfile, who gives a flying fuck about the other 15%?

3 - I stated over and over that the best option is to make the password for the customer. If you allow them to make it, then the hacker doesn't need to look for trillions of passwords; he only needs to look for the 70,000 commonly used words, and then apply simple rul3s t0 f1nd 3v3n m0r3.

4 - You think I give a fuck about some arcane Israeli law saying I can't use Captcha? Why do I need to go to one of these countries anyway?

It seems like you just wanted to rant. I am offering sound advice and you sound like a sleazy defense lawyer trying to protect someone who got caught in the act of a crime and even confessed, offering an account of the crime that could only be known by the perpetrator...
1. OK, do a simple Google search for "captcha broken" and you get a trizillion articles.

2. You still don't get it. Your assumption is false. If you don't require a capital and/or number, the hacker has it in about 1000-40000 tries. Your count of 62 is based on 26 + 26 + 10, but the hacker doesn't need to find the secure password, only a couple of insecure ones. Calculating means nothing here, as he simply goes down his dictionary list. If you do require it, he has to modify the lists to cope with people replacing chars with capitals or numbers. He might still get it fast, but not as fast as with no requirement.

3. This is correct, but with your statement you just make my point on 2.

4. This is your personal choice. Just be aware if you visit the UK someday ;)
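V_RocKs (post #40) and andi_germany (post #44) are arguing about the same arithmetic, so one added example serves both; it is not code from either post. It puts numbers on the three search spaces in play: a blind 62^8 brute force, the smaller space an attacker gets once the "capital first, digit last" structure is known, and a dictionary run with the rul3s-style mangling andi describes (case flips, letter-to-digit swaps, digit suffixes). The `LEET` map, the suffix list and the 70,000-word figure are assumptions taken from the thread, and the 400,000 c/s rate is the DES figure V_RocKs quotes, reused here only to convert candidate counts into time.

```python
import itertools
import string

ALPHABET = len(string.ascii_letters + string.digits)  # 62 symbols: a-z, A-Z, 0-9


def keyspace(length, alphabet=ALPHABET):
    """Candidates for an unconstrained password of `length` symbols."""
    return alphabet ** length


def structured_keyspace(length=8, alphabet=ALPHABET):
    """Candidates once the attacker knows the first symbol is one of 26 capitals
    and the last is one of 10 digits; only the middle `length - 2` are free."""
    return 26 * alphabet ** (length - 2) * 10


def seconds_to_exhaust(candidates, rate=400_000):
    """Worst-case time at `rate` guesses per second (assumed rate, taken from
    the 400,000 c/s DES figure quoted in the thread)."""
    return candidates / rate


# Assumed substitution rules, the "rul3s t0 f1nd 3v3n m0r3" kind.
LEET = {"a": "4", "e": "3", "i": "1", "o": "0", "s": "5"}
SUFFIXES = [str(d) for d in range(10)] + ["123"]


def leet_variants(word):
    """Every combination of the letter-to-digit swaps, including no swap."""
    spots = [i for i, c in enumerate(word) if c in LEET]
    out = set()
    for r in range(len(spots) + 1):
        for combo in itertools.combinations(spots, r):
            chars = list(word)
            for i in combo:
                chars[i] = LEET[chars[i]]
            out.add("".join(chars))
    return out


def mangle(word):
    """Case variants x leet variants x digit suffixes for one dictionary word.
    This is what turns 'password' into 'Password1' or 'p4ssw0rd123'."""
    out = set()
    for base in {word, word.capitalize(), word.upper()}:
        for variant in leet_variants(base):
            out.add(variant)
            for suffix in SUFFIXES:
                out.add(variant + suffix)
    return out


def dictionary_candidates(words):
    """Full mangled candidate set for a wordlist (what a cracker actually runs)."""
    out = set()
    for w in words:
        out |= mangle(w)
    return out


if __name__ == "__main__":
    per_word = len(mangle("password"))
    spaces = {
        "blind 62^8 brute force": keyspace(8),
        "capital-first, digit-last structure": structured_keyspace(),
        f"70,000 words x {per_word} manglings": 70_000 * per_word,
    }
    for label, n in spaces.items():
        days = seconds_to_exhaust(n) / 86400
        print(f"{label:40s} {n:>22,d} candidates  ~{days:,.1f} days at 400,000 c/s")
```

The structural assumption only buys a factor of 62^2/260, about 15x; the dictionary run is smaller than the blind search by six orders of magnitude, which is the point both posters circle around from opposite sides: requiring capitals and digits merely grows the mangling rules, while issuing random passwords takes the dictionary out of play entirely.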
Old 12-14-2005, 01:08 AM   #45
andi_germany
Confirmed User
 
Join Date: Oct 2002
Location: Germany
Posts: 768
And here is another point: by adding captchas you introduce a new layer to the security system that also might add additional security holes, and more requirements for the user that could turn them to the competition.
Old 12-14-2005, 01:23 AM   #46
spacemonk
Confirmed User
 
Join Date: Jul 2004
Location: in da VIP
Posts: 969
Quote:
Originally Posted by andi_germany
1. Fact. Image verification is broken. ALL images have been proven to be broken by machines, so you are in false security. You keep the script kiddies out, but the serious crackers are in.

Break this

(I know it can be done, but c'mon ;) )
Old 12-14-2005, 01:25 AM   #47
spacemonk
Confirmed User
 
Join Date: Jul 2004
Location: in da VIP
Posts: 969
Quote:
Originally Posted by Splum
Incorrect. You can ban specific IPs; there is no cause for a blanket ban.
I think you are overlooking the fact that AOL forces multiple users to go through the same proxy at the same time.
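V_RocKs (post #42) says almost nobody here reads their logs, and spacemonk (post #47) points out that a shared AOL proxy puts many innocent users behind one address, so banning by IP alone punishes them. One added example covers both; it is not code from the thread. It parses Apache combined-format lines (the `%u` field carries the attempted username even on a 401, which is what makes basic-auth member areas countable per account) and flags two things over a sliding window: a single address hammering one account, keyed on (IP, user), which does not trip on a shared proxy, and a single address spraying guesses across many accounts, keyed on IP with a deliberately higher threshold. The log lines, addresses, usernames and thresholds are all constructed for the demo.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache "combined" format. %u (remote user) is taken from the Authorization
# header and is logged even when the answer was 401, so failed basic-auth
# attempts carry the username that was tried.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """One log line -> dict, or None for anything that is not a request line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec


def failed_logins(lines, login_prefix="/members/"):
    """Only 401s against the protected area count as failed logins."""
    for line in lines:
        rec = parse_line(line)
        if rec and rec["status"] == 401 and rec["path"].startswith(login_prefix):
            yield rec


def sliding_window_offenders(events, key, threshold, window):
    """Keys that accumulate `threshold` failures inside any `window` of time."""
    recent = defaultdict(deque)
    flagged = set()
    for ev in sorted(events, key=lambda e: e["ts"]):
        q = recent[key(ev)]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:
            q.popleft()  # drop attempts that fell out of the window
        if len(q) >= threshold:
            flagged.add(key(ev))
    return flagged


def analyse(lines, window=timedelta(minutes=5), per_ip=20, per_ip_user=5):
    """Return (IPs spraying many accounts, (IP, user) pairs hammering one account).
    The per-IP threshold is high on purpose so a busy shared proxy does not trip it."""
    events = list(failed_logins(lines))
    ips = sliding_window_offenders(events, lambda e: e["ip"], per_ip, window)
    pairs = sliding_window_offenders(events, lambda e: (e["ip"], e["user"]), per_ip_user, window)
    return ips, pairs


# ---- constructed sample log, not real traffic ----
def make_line(ip, user, ts, status=401):
    stamp = ts.strftime(TS_FMT)
    return f'{ip} - {user} [{stamp}] "GET /members/index.html HTTP/1.1" {status} 401'


T0 = datetime.strptime("14/Dec/2005:00:30:00 -0600", TS_FMT)
SAMPLE = []
# one source hammering a single account: 8 failures in 70 seconds
SAMPLE += [make_line("198.51.100.7", "bob", T0 + timedelta(seconds=10 * i)) for i in range(8)]
# a shared proxy: six different subscribers each fat-fingering once or twice
for i, u in enumerate(["amy", "ben", "cal", "dee", "eve", "fay"]):
    SAMPLE += [make_line("203.0.113.5", u, T0 + timedelta(seconds=30 * i + j)) for j in range(1 + i % 2)]
# a spray: one source, 25 accounts, one guess each, inside a minute
SAMPLE += [make_line("192.0.2.9", f"user{i:02d}", T0 + timedelta(seconds=2 * i)) for i in range(25)]
# a successful member request from behind the proxy: not a failure, not counted
SAMPLE.append(make_line("203.0.113.5", "amy", T0 + timedelta(minutes=1), status=200))

if __name__ == "__main__":
    ips, pairs = analyse(SAMPLE)
    print("spraying sources      :", sorted(ips))
    print("single-account attacks:", sorted(pairs))
```

On the sample the proxy at 203.0.113.5 is flagged by neither rule, the (198.51.100.7, bob) pair is caught without blocking anything else from that address, and 192.0.2.9 is caught as a sprayer. Whatever you do with the result (a temporary deny at the edge, a lockout on the account, or just a page to a human), this is the kind of query a log has to be kept for in the first place.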
Old 12-14-2005, 11:04 AM   #48
V_RocKs
Damn Right I Kiss Ass!
 
Join Date: Dec 2003
Location: Cowtown, USA
Posts: 32,409
Almost a Woj post...