loco12

So if I discover it has been hacked ( likely) what is there I can do to make sure it doesn't happen again?

V_RocKs

Hire a security guy to show you what to do. And to comb the server for backdoors. Password hackers love to leave ways to get back in.

[ScreaM]

Yes thats some good advice.

Spudstr

Any programmer with a brain can do what phantomfrog does.

__________________
Managed Hosting - Colocation - Network Services
Yellow Fiber Networks
icq: 19876563

justsexxx

Just curious, the passwords are encrypted. Is there a way to 'decrypt' them?

__________________
Questions?

ICQ: 125184542

cem

Yes, there is.

To the topic poster, if you still need any help hit me up.

loco12

I have just had the server thoroughly checked and there's no infections at all. I have changed all passwords and am going to remove wordpress as well.

I was hoping to find something so I can solve the problem. Wordpress is being removed this week just incase that's the cause.

Then install Phantom Frog and see what happens. Hopefully it was a case of Wordpress or a hacked password for root, in which case it will be solved.

Michaelious

Hope this thing doesn't happen to you again mate

__________________

Robbie

And for the Wordpress, just get yourself another server....even a piece of crap virtual server, like VRocks said. That way when someone hacks into it they don't have anything important to mess with and you can still run the blog.

__________________
-Robbie
ClaudiaMarie.Com

Why

to help prevent it from happening again try to keep all software(especially scripts) that are on your server as up to date as possible.

i would also recommend having more then one person check your server, as differant parties have differant ways of checking. I know hackers that can hide stuff on your server in amazing places.

raymor

loco12, I think we got an email from you and Ali is responding right now.
In summary, any script anywhere on the server could be exploited by a
hacker to retrieve your password list. PHP scripts tend to be particularly
vulnerable. In brief, what you'll need to do is a standard security check
getting rid of any old, unused scripts or scripts that shouldn't be there at
all, then check for security updates on any scripts that you contniue to use.
The idea is to get rid of any means the cracker may have of getting the
password file. This is seperate from any protection you might use such as
Strongbox, Password Sentry, Frog, etc. These systems will alert you to the
problem, but they can't patch up other scripts elsewhere on the server that
may allow an attacker to get the file.

Secondly, we'll look at the encrpytion on the password file so that even if a
cracker DOES get it, it does them no good. justsexxx brought this topic up:

Yes, it's incredibly easy to decrypt the old DES encryption that most people use.
It takes only a few seconds to start getting working passwords. That's why we
strongly recommend modern strong encryption and provide you the tools to do
that. This is of course where the people suggesting Phantom Frog have it totally
backwards - in it's recommended configuration using strong encryption, a
Strongbox password file is several million times harder to crack than a
standard Phantom Frog installation. What would take a cracker 14 seconds
with Phantom Frog's normal install would take 181 years with ours.



Wilson, you like to spout your mouth off based on some personal feelings you
have against someone involved with Strongbox, but despite our offer of a
$10,000 reward if you could ever brute force a Strongbox site you don't
come up with the goods. Why is it that you talk so much trash but can't back
it up even when we offer you $10,000 to do so? Perhaps because you have
no idea what you're talking about and just like to make yourself look stupid?

__________________
For historical display only. This information is not current:
support@bettercgi.com ICQ 7208627
Strongbox - The next generation in site security
Throttlebox - The next generation in bandwidth control
Clonebox - Backup and disaster recovery on steroids

Tat2Jr

raymor - I've loved Strongbox and your customer service for quite a few years now. Your program beat the hell outta pennywize. I've only been happy with it from day one.

The automatic reissue of a password being emailed to the member, and that geo-ip thing sounds interesting. Any chance of having either of those features added to strongbox in the near future?

__________________
NICHE MONEY >> Ass Worship • Panties • Solo Teen • Pantyhose
Serving up exclusive fetish sites since 1997!

V_RocKs

How a hacker hides the backdoor.

He writes a SIMPLE PHP script.

Then places said script inside a directory like:

/yourwebsite/galleries/12/4050/script.php

So that it is somewhere you won't find it without basic command line knowledge.

Socks

loco: I have a friend who is amazing at unix security, has been programming since he was 6.. often wrote basic code on paper at school.. ;)

He wouldn't be very expensive, and I'd trust him with my home. If you're interested, get in touch and he will make sure your server is "unfucwiddable" as he would say.

dial

becuase everyone on GFY is ALL talk and no action

most couldn't put up a basic html page without help of dreamweaver or frontpage, much less figure out how to brute force into a server

__________________

V_RocKs

Actually, someone already posted it.. do a search.

jeffrey

See now this is something I dont get.
Even if the PhantomFrog was just plain text only the first person to try would get in, all following attempts would be blocked.
And you say "normal install" a lot. Please back up your statement.




Show me the server you have set up for someone to brute force and give me a couple days.
Although I know several people that have had some hard core attempts, and I know why its un brutable, its because it crashes the server.
I also dont know why your "image verification" is just a rotation of 40 or whatever images, not even a true random image for verification, why is this?

__________________
Coming Soon!

ladida

His server is "unbrutable" because the only combo that gets you in is something like "ksl#59basBZkvlmadA:Abj4090bBZ-biadfmkdf" most likelly, and that defies the purpose of the bruteforce, since if you ONLY had such logins in your user base, you wouldn't need strongbox (or any fancy brute protection systems like pennywize, frog ...). You could protect that with basic auth (where the speed of tries/sec goes considerably higher then when sending complete data through post) and it would never get bruted. So his challenge is stupid to begin with.

But we all know that users don't have such user/pass combos.

__________________
agentGFY *at* gmail.com

cem

Heh, i'll take that $10.000 I am not bashing or anything, i really love the script you guys have created, it's one of the better bruteforce protection scripts out there. HOWEVER i know for a fact that Strongbox is actually bruteforcable. We weren't sure which script to use for our sites and we were strongly leaning towards Strongbox, however we decided not to do so after some deep research.

What makes you 100% sure that your script is not bruteforcable ?

madfuck

Idk, But That Is A Good Question Tho ???

raymor

That was true in 1998. That's why we wrote Strongbox - to have something a
bit smarter than just counting IPs. Strange, it took 9 years for anyone else to
catch on that they needed to do something other than just count IPs. Then
suddenly though Frog had existed years, in 2007 suddenly people heard about
it and now we have TWO systems that aren't completely stupid - Strongbox and
Frog.

__________________
For historical display only. This information is not current:
support@bettercgi.com ICQ 7208627
Strongbox - The next generation in site security
Throttlebox - The next generation in bandwidth control
Clonebox - Backup and disaster recovery on steroids

raymor

Yes, it is. We just don't promote that because we think it's a BAD idea for
most webmasters. For huge sites with thousands of members the
customer service workload might be so that that it makes sense, but for most
it doesn't make sense automatically to give someone a new password after
they've already given theirs out. With our recommended configuration, you can
almost guarantee that any compromised passwords were given out by the
member, so the webmaster may want to use some judgement in giving out
new ones.

When we set up such a system for a webmaster who insisted on trying it,
we found that indeed people would keep giving out their passwords everytime
one got caught if you do a "dumb" system like Frog has. So before promoting
such a thing we're waiting until we're done developing an intelligent
system that isn't open to this kind of abuse.

__________________
For historical display only. This information is not current:
support@bettercgi.com ICQ 7208627
Strongbox - The next generation in site security
Throttlebox - The next generation in bandwidth control
Clonebox - Backup and disaster recovery on steroids

raymor

Password mailed to member exists, but is currently lacking in intelligence,
it just emails new passwords like Phantom Frog does. We think that's a BAD
idea for most webmasters. We're currently developing a more intelligent
system as part of Strongbox 4.0, to be released soon.

Regarding geo-ip, as you may know, Strongbox was the first such system to
use any kind of geo-ip. Country based geo-ip seems to work quite well,
possibly better than Frog's assumption that the database can be trusted to be
more specific than that although the company who makes the database says
it's wrong as much as 40% of the time, depending on the region. However,
Frog's "feature" is great marketing since most webmasters don't realize it's
based on an admittedly inaccurate database, so in Strongbox 4.0 we're blending
both approaches. Whereas Frog RELIES on the database being more acurrate
than it's creators claim, Strongbox 4.0 will CONSIDER the more specific geo-ip
information ALONG WITH other factors including basic bio-metric indicators
which look at the person on the other side of the monitor.

__________________
For historical display only. This information is not current:
support@bettercgi.com ICQ 7208627
Strongbox - The next generation in site security
Throttlebox - The next generation in bandwidth control
Clonebox - Backup and disaster recovery on steroids

raymor

Nothing could be further from the truth. Geez, why does everyone who has
absolutely no clue what they are talking about feel the need to post as though
they do? Actually we set up the test server EXACTLY the same way as we
do any other site. The user names and passwords arer short, memorable
passswords generated from our publicly available tool that you can use even
without Strongbox. It's used many times per day by many webmasters.
Have you even bothered to browse our web site before making up total BS to post?

__________________
For historical display only. This information is not current:
support@bettercgi.com ICQ 7208627
Strongbox - The next generation in site security
Throttlebox - The next generation in bandwidth control
Clonebox - Backup and disaster recovery on steroids

raymor

Seriously, people, before you post any more total crap about Strongbox
take five or ten minutes to at least look at the site even if you aren't going to
do do something strange like say look at the actual product before posting
about it.

Actually, come to think of it, taking five minutes to get their facts straight
is too much to ask of people who argue on the internet. I know that.
let me suggest something simpler that takes only three seconds - when you
DO post, just be honest by including the sentence "I've never seen Strongbox
and so have no idea what I'm talking about".

Arguing on the internet is like competing in the Special Olympics -
even if you "win" you're still a retard.

__________________
For historical display only. This information is not current:
support@bettercgi.com ICQ 7208627
Strongbox - The next generation in site security
Throttlebox - The next generation in bandwidth control
Clonebox - Backup and disaster recovery on steroids

raymor

Indeed all of the user names would quickly be blocked and noone could
get in, which is pretty much the subject of this thread. The idea with our
approach is to make sure that they don't get blocked because they don't get out.
You are correct, with a typical Phantom Frog install all the user names would
be blocked. We think it's better if the paying customers are able to log in to
your site.

I'm not sure what you mean by "backing up" a reference to a "normall install"
of PF, Pennywize, Proxypass, etc. as opposed to some special installation they
may have done once that's different from the way they normally do things.
As a computer science person, I'm very precise in my language.
We install and develop Strongbox all day everyday, we don't spend all that
time looking at the "competition", so I don't know the details of every installation
they've ever done. Therefore I can't say that "Proxypass always ..." or
"Frog always ... ". I can only compare our approach to what others NORMALLY
do. For example Phantom Frog is NORMALLY extremely strict. They normally
focus more than we do on trying to catch every compromised password the
first time, at the expense of accidently blocking a lot more legitimate members.
We normally use settings that are more geared to making sure that paying
members can get in OK, knowing that the variety of factors we consider will
catch almost all compromised passwords pretty quickly. Strongbox COULD
be set up to be super strict, like Phantom Frog is, and perhaps Frog COULD
be set up to be more lenient, but it's useful to talk about how they are
NORMALLY installed. Thus I say that Phatom Frog will NORMALLY block more
legitimate members in an attempt to block compromised passwords more
quickly than Strongbox NORMALLY does.


I'll be glad to set up a test server for you and send you that information.
Just shoot me an email and I'll send you some specifics.
You DO intend to try something special that might actually work, right?
This isn't 1996 and a dumb brute force would just be a huge waste of time.
When we posted the $10,000 on the cracker forums we had a couple of
guys claiming they had some exploit they wanted to test out and it later
turned out all they had was a list of 10,000 proxies. PULEAZE! Spreading
requests like that isn't going to get you anywhere close. Most of those will
probably already be in our database which includes hundreds of thousands
of open proxies and any that aren't in the database will be detected by our live
detection. So anyway, yeah, just email me and I'll set it up for you.


There are a lot more than 40 words in our dictionary.
We use words rather than random characters because random
characters are really fucking annoying for the customer.

__________________
For historical display only. This information is not current:
support@bettercgi.com ICQ 7208627
Strongbox - The next generation in site security
Throttlebox - The next generation in bandwidth control
Clonebox - Backup and disaster recovery on steroids

Tat2Jr

Thanks for the reply. I'm so looking forward to Strongbox 4! I've got some new sites going online soon, and will want my old ones updated to the latest version too! I've loved strongbox since the day it was installed. No monthly fees, and works as promised. Haven't had a huge unexpected server bill since.

__________________
NICHE MONEY >> Ass Worship • Panties • Solo Teen • Pantyhose
Serving up exclusive fetish sites since 1997!

raymor

Well as far as actually brute force that's simple math. You'd need millions
of proxies and hundreds of servers manageing those millions of proxies.
Just do the math. Common sense tells us that no hacker has millions of
proxies at his disposal. Even if a single cracker controlled ALL Windows
Vista or Windows XP machines on the planet it wouldn't be enough.

Now some other attack besides brute force is another question, and one that
can't be simply answered with ten minutes of simple arithmetic. We wanted to
be sure that Strongbox couldn't be penetrated any other way, and that is
of course the reason we posted the $10,000 offer on all the big hacker boards
way back when. Some really bright hackers made some valiant efforts and
none succeeded, so I'm now pretty confident about Strongbox. That's not to
say it couldn't ever happen, but all of the big name hackers pretty much give
the same answer when asked how to get past Strongbox - they tried it, they
failed, so go find a Pennywize site with similar content. Of course at the time
I went all over the hacker boards with the offer I could actually AFFORD to pay
$10,000 to a smart bright hacker who pointed out a weakness. It would be a
pretty big hit to take today. I'll still stick by it with these smartasses on GFY,
but I'm no longer going around taunting the top hackers with the offer. ;)

One hacker who asked that I not reveal his name DID find HALF of a possible
attack vector - not anything he could actually use, but something that would
get you half way there to getting past one of our security measures, then he
postulated that if he were able to complete that attack and also find some way
around another of our security measures, it would then become a brute force
type of situation. We of course patched that up real quick and that's been
taklen care of for quite some time now.

__________________
For historical display only. This information is not current:
support@bettercgi.com ICQ 7208627
Strongbox - The next generation in site security
Throttlebox - The next generation in bandwidth control
Clonebox - Backup and disaster recovery on steroids

ladida

Lol. It's stupid arguing with you so i'll stop right here. I've seen you argue with other people, you just reiterate same shit. You have too high estimate of yourself while infact you can't even keep your server safe, so keep talking the talk. Your software is weak, whether you admit it or not.
And your "big hacker boards" = you googled for "xxx password" and similar bullshit and advertised there. You've never seen a hacker board in your life. It's the same bullshit you're selling to your customers on the "active spider" plan. All those password boards are run by webmasters anyway. And your "proxy database" rofl, same thing. Keep marketing tho

__________________
agentGFY *at* gmail.com

jeffrey

I have noticed that after the user has requested a new password be automatically emailed to them that there isnt any unauthorized people using that pass for several days. There are people attempting with the old pass, but not getting in.
Then a few days later maybe someone else will attempt to get in... but here is the best part, they still cant get in.

SB will let 4-5 completely different people in every single day as long as the member name is active.
How is that better?

The user has to request the pass be automatically emailed to them, it doesnt just get mailed out the moment its been blocked.

Also about the accuracy of the Geoip DB, this is a quote striaght from the geoip database site.
"Over 99% accurate on a country level, 85% accurate on a state level, 80% accurate for the US within a 25 mile radius."

Thats slightly better then the 40% you claim.
Frog also does not only reply on geoip.

If a legit member is blocked they can very easily get a new password instantly to their email, resulting in the member staying happy.
SB cant block more because then you would have more people pissed they cant log in for hours and hours while they wait for the webmaster to reisue a new one for them. That is if they ask in the first place and dont just cancel their membership.
Automation is a good thing.

40.... 100 same difference. Its still a HUGE pain in the ass, and really fucking annoying for the customer.



I always find it odd in threads where it comes down to SB and PF you feel you need to bash PF more then just back up your own program.

__________________
Coming Soon!

justsexxx

Frig looks nice, but I don't like the monthly plans..

__________________
Questions?

ICQ: 125184542

Dennis69

I agree, some nice features but I'd rather a one time fee

__________________
HaHaHa

D Ghost

yeah a script issue here most likely

Robbie

I don't mind paying a monthly fee for a good service. Bill has to make a living. I pay a monthly fee to Stats Remote and a monthly fee to Phantom Frog. Cost of business. Hell I think it's a pretty inexpensive service quite frankly.
Just imagine if we were "normal" brick and mortar businesses. Our overhead would be huge.
As is, I pay bandwidth and a couple of small services. Paysites' only been up a few months and is already netting me over 30 grand a month and growing by leaps every month. So 55 bucks a month for the premium phantom frog is a small price to pay...especially since it has saved me so much more money than it costs in so many ways.
Bottom line is...I don't mind paying a fee for something that works good for me. Especially in a business where the profit margin is so high.

__________________
-Robbie
ClaudiaMarie.Com

ladida

Actually, frog looks like quite an expensive solution compared to what others offer. If you look on the pricing page, bellow the 2 solutions advertised
"Up to 3 domains allowed per subscription. There is a $50 installation fee for each domain. If you have cascaded billing, linux clusters or a total membership base of more than 600 ...Contact us for quote. "

So by that quote, licencing for a bit bigger company would bring the bill quite high. Ofcourse, bigger the company, more money to spend around, but i'm just comparing it to other solutions that would be more affordable.

__________________
agentGFY *at* gmail.com

raymor

What's with this almost religious zealotry where you try SO hard to bash
Strongbox, so much that you'd be so completely dishonest as to take that
quote and totally skip the very next sentence? The very next sentence is
the link saying "see GeoIP City Coverage and Accuracy". What I said was
that at the city level, it's wrong up to almost 40% of the time in certain regions.
Some examples from their site, linked as the very next sentence after the one
you quoted:
France 37%
Greece 38%
Italy 36%
Saudi Arabia 46%
Poland 37%
Switzerland 36%

You were obviously staring right at that link since you copied and pasted
the sentence right before it, so are you illiterate or are you dishonest?


Actually if you are able to read any post where I've ever mentioned Frog you'll
see I ALWAYS compliment them. I've included a couple of compliments of
Frog in this thread, saying they are one of two decent, modern systems.
In fact, I said here in this thread that a typical Frog installation will often stop
a compromised password SOONER than Strongbox will. I explained that
this is a difference between Frog and Strongbox - Frog is typically set up to
be stricter, so it stops passwords sooner, at the cost of blocking more legitimate
members. Our philosophy, by comparison, is to make sure we do NOT block
legitimate users, even if that means it takes a few minutes or hours longer
to catch all of the compromised ones. So again, if you've read any thread
where I mention Frog you've heard me compliment them and then give an
accurate comparison, one that they would more than likely agree with the
majority of. So again, did you read but not understand, or did you understand
but choose say something that you knew was not true? Are you illiterate or
are you dishonest?

__________________
For historical display only. This information is not current:
support@bettercgi.com ICQ 7208627
Strongbox - The next generation in site security
Throttlebox - The next generation in bandwidth control
Clonebox - Backup and disaster recovery on steroids

jeffrey

I have 181 active members right now.
only 18 members are not in the US, 11 of those are in Canada.

Only having a 36% accuracy rate for Saudi Arabia doesnt matter in the least.
I didnt post those stats because they dont matter.

Even if 20% of my members were in these countries were the accuracy is under 40% all that means is that 20% of my members could share locally a little bit and get away with it, much as people anywhere can share a little bit with SB... right?


[quote[
Frog is typically set up to
be stricter, so it stops passwords sooner, at the cost of blocking more legitimate
members. Our philosophy, by comparison, is to make sure we do NOT block
legitimate users, even if that means it takes a few minutes or hours longer
to catch all of the compromised ones. So again, if you've read any thread
where I mention Frog you've heard me compliment them and then give an
accurate comparison, one that they would more than likely agree with the
majority of. [/QUOTE]

If a legitimate customer is sharing their password how are they still legitimate?
As far as I know I have only had one member get blocked when he was on vacation. He recovered his own password instantly and was on his way. He even emailed me later to say that the instant password recovery worked great and that more sites need it.
I would say at least half the passwords automatically recovered are just because they forgot them or lost the email with it because when I look at that user its the same ip from the same location.

I get about 3 passwords recovered in any given 48 hour time frame. This may not be lots, but my member base is still small.
But thats still 45 passwords I dont have to send out manually. I would think my time is worth more then the 55 dollar a month fee. Not to mention if it keeps even 1 member rebilling instead of just canceling then its worth every penny.

I got a little off track there.
You say you dont block as fast just to keep from blocking legitimate members. But if you let in lets say 5 "bad" users befor blocking. Now there are 5 people downloading my content without paying, using my BW, and then what if 1 of them shares it on the torrents or news groups?
Some people seem to think shared content is good for business, but I disagree.
I try and minimize content theft. I do this by keeping as many non legit members out of my members area.


I wasn't going to post this because I didnt know if it made any sense, but... sue me.

__________________
Coming Soon!

Robbie

ladida, do you own a paysite? Or just making observations? Just curious.

__________________
-Robbie
ClaudiaMarie.Com

raymor

I can certainly understand your reasoning there, but it's based on a mistaken
understanding of Frog and also a mistaken understanding of Strongbox.
The big problem with the inaccuracy in the geoip database is not that people
will get away with sharing, which may be true, but that paying members will
be wrongly blocked. For IPs that the database thinks are in France, for
example, the location will be wrong 37% of the time, so of those 45 blocked
members who said you have each month, 37% may have been blocked
because Frog THOUGHT they were logging in from different locations
when in fact all logins were from the same location. For example let's
say you have a member from northern France. He logs in with one IP,
which Frog correctly places in northern France. An hour later, he logs in
with another local IP, but Frog THINKs that IP is from southern France
and blocks him. That, to me, is the big problem caused by the inaccuracy
of the database - it causes legitimate users to be blocked. The folks at Frog
pride themselves on stopping passwords quickly, rather than on avoiding
blocking legitimate users and that's cool. Some webmasters who have
sites that are constantly on password sites may prefer that approach.
It's just not the approach that we think is best.

The misunderstanding of Strongbox implied by your question / comment is
that it assumes that Strongbox considers only geo-ip information. _IF_ Strongbox
considered only geo-ip, it would allow people in the same area to share a
little bit. That's not the case, though. Strongbox considers many other factors
such as which ISP they are using, how many times they've logged in recently,
the type of computer they are using, the type of proxy, if any,
whether or not another IP or computer is CURRENTLY logged in using that
user name, etc. The new version even considers basic bio-metric information
about the actual person on the other side of the screen. So while the
geo-ip indicators ALONE aren't as strict as Frog, which uses that information
almost exclusively, Strongbox can combine many different types of factors
and so quickly catch compromised passwords whether they are shared in
a small geographic area or across the globe. One or more of the several
factors will catch them, as many Strongbox webmasters who have tried to
share his their own user names know. (Though admin usernames get a little
extra latititude, a few times per year we have to explain to webmasters that
no, it's not OK for you and your designer in the office next door to use the
same name, that's why you got yourself blocked.)



They aren't sharing - they are legitimate. It just LOOKS like they are sharing
because the geo-ip database is wrong so often.


I agree that a "I forgot my password" button should be a standard feature
on most sites. It's very handy that CCBill provides that functionality to the
user. I'm not sure what this has to do with automatically sending new
passwords to people who give them out. That's a totally unrelated topic as
far as I can tell.


Probably your time is worth that. Of course, if these are "lost password" cases,
you could just link to the CCBill lost password page and save the $55 / month,
so you're paying for nothing. If these are NOT "lost password" cases, but are
users blocked by Frog, isn't it be better to just not block the paying members in
the first place?

If they weren't shared, Frog blocked 45 people it shouldn't have. If the
member shared it, do you really want to keep giving them new passwords to
share, or do you want to stop them, like Strongbox does? if they were
cracked, wouldn't it be better to encrypt the file so it can't be cracked and
members don't get blocked, the way we do it? I can't think of any scenario
where it's better to block your members and have them request new
passwords than to handle it the way we do. Can you?


That's a good question to think about. Rather than five, the difference would
be closer to one. So the question is, would you rather have one person see
your porn for free, or block one paying member? Indeed you are correct that
many people with large sites credit "shared" content that has their URL on it
with a large portion of their sales. Other webmasters think the opposite - some
being frankly paranoid about shared content. After ten years in this business,
I feel that both sides have a point. I've personally seen member databases
with over 10,000 members where most of those members came to see more
of what they found on the P2P networks. At $30 / month, that's $300,000 per
month of income. If shared content earns me $300,000 / month, I want to
see my content shared everywhere! On the other hand, shared content of
course dilutes the value of porn, so overall more shared content is bad for the
industry. Anyway, so that's the decision each webmaster has to make - would
they rather have one person see the content free, or would they rather block
a paying customer who shouldn't be blocked? How strict or lenient do you
want to be? I don't know that there is a right or wrong answer here.
I guess you have to figure out how much it costs you in advertising to
get each paying member and how much a GB of bandwidth for a freeloader
costs you. Either Frog or Strongbox can be adjusted to your taste, but Frog
defaults to being quite strict. Strongbox defaults to being a bit more lenient,
knowing that all of the different factors we consider will catch any compromised
passwords quickly enough.



I think this post made a lot of sense. You intelligently discussed some
interesting questions. I was under the possibly false impression that your
earlier post was lacking intellectual honesty, but this post made a lot of sense to me.

__________________
For historical display only. This information is not current:
support@bettercgi.com ICQ 7208627
Strongbox - The next generation in site security
Throttlebox - The next generation in bandwidth control
Clonebox - Backup and disaster recovery on steroids

PhantomFrog

Hi Folks,

IMHO, and with all due respect---there is an awful lot of mistaken information on this thread. I consider SB and Frog to be friendly competitors---both fine products with very different features. In fact, Ray and I have actually had a spirited, friendly, techie-talk phone chat.

The bottom line?? Why not go to PhantomFrog.com, and download the Frog Free Trial? Then make up your own mind. It installs in less than 5 minutes with a simple HTML tag. If you don't like Frog, you can uninstall it in 2 minutes.

Also, if you have questions or just wanna talk "tech", my phone and ICQ are on the Frog website. I will do my level best to give you straight answers in a clear, concise manner.

Kind regards,
Bill, "Chief Frog", PhantomFrog.com

__________________
PhantomFrog.com....Premium Password Protection
PhantomCart.com....CCBill + Phantom Cart = Clips Store Solution
PhantomFlicks.com .Token-based Clips Store

Michelle69

I use SB and recently had my server hacked. 17 PW were floating around and SB suspended them all within 2 days. If you just look at your report once a day you can easiely spot one or two PW used by illigit users and change the PW manually. I just manually resend 17 PW, manually banned RU, UA, EE & CN and was living happily ever after. Support from SB was superb. Only thing I would like to see is a more easy access to the config file to manually ban countries, IP ranges, etc. Apart from I can just recommend SB to the fullest extent!