# New Platform - What do you think?



## ddave (May 28, 2010)

Disclaimer:  This is somewhat techy but I have tried to make it straight forward and easy to understand.
 

bmudd14474 said:

> Not sure that is related Rob. That sounds like spywares and viruses that would cause that issue. I would go to malwarebytes.org and download the program. It should scan and detect almost all issues.


I must admit I'm kind of surprised at how the security and privacy concerns regarding Huddler are getting swept aside, as evidenced by how quickly this thread http://www.smokingmeatforums.com/forum/thread/94572/some-concerns-about-huddler was closed.

I too noticed some strange behavior regarding redirects when clicking in white space and the fact that when I go to the forum, NetNanny (hey, I have young kids) says that someone is trying to get to Facebook.







So I decided to do some checking as to what other sites my browser was going to when I went to the forum. So, using a network packet capture tool called Wireshark (http://www.wireshark.org/), I decided to analyze the traffic leaving and coming into my computer. The following screenshot shows a capture of just loading the main page.







The results have been filtered (trust me, you don't want to see the entire capture) to just show the names of the sites and not each and every packet. Lots of advertising/social networking and data mining sites there, but I guess we already knew about that.

The other thing that we techy types like to capture is the login sequence. Wireshark has a function called Follow TCP Stream where you can see the conversation between your PC and the server. Most of the info is gobbledygook, which is normal. Some stuff will be in plain text. Some stuff SHOULD NOT be in plain text. Imagine my shock when I saw my password was in plain text as well.







I changed my password for the demonstration and changed it to something else after, so don't anyone try and get into my account.
Out of curiosity, I captured the login sequence of another forum I am a member of.







As you can see, the password is encrypted, as it should be.  Incidentally, as you can see, that site is a vBulletin site.

What does this mean? It means that your passwords are travelling to the server in plain text, folks. That means they can be easily read and collected. Will they be? I don't know. Will I be using the same password that I used to use for other accounts? Absolutely not!!

Probably an oversight on the Huddler folks' part, but a pretty poor security practice nonetheless. Something to think about.

Dave
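As an added illustration (not code from the thread, from Huddler or from vBulletin), here is a small Python check that parses a login POST the way it appears in Wireshark's Follow TCP Stream and reports whether each password-like form field went out as cleartext or as a 32-hex MD5 digest, which is what the vBulletin capture above shows instead of the password itself. The hosts, paths, field names and sample passwords are constructed assumptions.

```python
import hashlib
import re
from urllib.parse import parse_qs

# Constructed sample: a login POST over plain HTTP, as Follow TCP Stream
# would render it. Host and field names are assumptions, not Huddler's.
PLAINTEXT_LOGIN = (
    "POST /login HTTP/1.1\r\n"
    "Host: forum.example\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    "username=ddave&password=Sm0keyR1bs%21&remember=1"
)

# Constructed sample of a client-side-hashed login: the browser sends an
# MD5 hex digest of the password and leaves the cleartext field blank.
# Field names are assumed; they are not taken from the thread.
HASHED_LOGIN = (
    "POST /login.php?do=login HTTP/1.1\r\n"
    "Host: vb-forum.example\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    "vb_login_username=ddave"
    f"&vb_login_md5password={hashlib.md5(b'Sm0keyR1bs!').hexdigest()}"
    "&vb_login_password="
)

MD5_HEX = re.compile(r"^[0-9a-f]{32}$")
PASSWORD_KEYS = ("password", "passwd", "pwd")


def parse_http_post(stream):
    """Split a captured HTTP request into its request line and form fields."""
    head, _, body = stream.partition("\r\n\r\n")
    request_line = head.split("\r\n")[0]
    fields = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    return request_line, fields


def classify_credentials(stream):
    """Return a verdict for every password-like field in the captured POST."""
    _, fields = parse_http_post(stream)
    verdicts = {}
    for name, value in fields.items():
        if not any(key in name.lower() for key in PASSWORD_KEYS):
            continue
        if value == "":
            verdicts[name] = "empty"
        elif MD5_HEX.match(value):
            # A digest, not encryption: it cannot be "decrypted", but the same
            # password always produces the same digest on the wire.
            verdicts[name] = "md5-digest"
        else:
            verdicts[name] = "cleartext"
    return verdicts
```

Run `classify_credentials` on your own capture of your own login to see which category a forum's login form falls into; anything over HTTPS will show up as unreadable TLS bytes rather than a parseable POST.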


----------



## abigail4476 (May 29, 2010)

*Regarding "plain text" passwords:  (Question answered by Huddler)*

_"What he describes in his post as a security flaw is actually a fairly common practice across the Internet.  *Wikipedia* (the 11th most popular site on the Internet), *Digg* (the 36th most popular), and *every phpBB forum* out there all send passwords over plain text.  It is true that vBulletin encrypts the password before sending it, *but it does so using an algorithm that is so insecure that the US Government describes it as "cryptographically broken and unsuitable for further use"*.  In other words, the encrypted version of the password that vBulletin uses is almost no more secure than sending it in plain text._

_He is right about one thing though.  When he says "Will I be using the same password that I used to use for other accounts.  Absolutely not!!", that is absolutely the right attitude.  *Security best practices suggest that you should use different passwords for different websites that you visit.*  And __*any time that you do not see the "lock" which indicates that a website is encrypted using SSL, you should always assume that any information that you send will be transmitted in plain text.*_

_---_

_Kyle Harmon_

_Partner Services - Huddler.com_

*****

The last portion of his response is the most important, and that is a reminder that this site is not a secure site, nor was it secure on the original vBulletin platform.  

e.g., feel free to analyze the security of Huddler, but remember to compare fairly to other sites that are also using ads--such as vBulletin forums that use *Google ads*.  (like www.sharky.com/forum/, www.smoked-meat.com/forum/  or www.bbq-brethren.com/forum/) Also, www.sausagesource.com/forum/index.php  is a phpBB forum, so you might try capturing their traffic as well, and see if your full password turns up.   (I'm curious about that, too.)

No one is going to sweep aside privacy and security concerns, however, there needs to be a fair comparison between other similar forums in order to ascertain what _unique_ problems actually exist.  Those unique problems can be analyzed and addressed as they are found.


----------



## bmudd14474 (May 29, 2010)

Also remember that you should never use the same password for normal browsing and your banking. You should always have different ones. Also remember to not use passwords that are easy to guess like your birthday, last 4 of your SSN, or name. You should try to use a combination of letters and numbers. Also use uppercase and lowercase. Change an i into a 1 or an O into a 0. I know it's not easy to keep track of all of these passwords, but your identity and financial information are worth the hassle.


----------



## abigail4476 (May 29, 2010)

ROFL!!!!!  Brian--insider alert/high-five!!!!!  (P.S.  You are 100% right!)


bmudd14474 said:


> Also remember that you should never use the same password for normal browsing and your banking. You should always have different ones. Also remember to not use passwords that are easy to guess like your birthday, last 4 of your SSN, or name. You should try to use a combination of letters and numbers. Also use uppercase and lowercase. Change an i into a 1 or an O into a 0. I know it's not easy to keep track of all of these passwords, but your identity and financial information are worth the hassle.


----------



## TulsaJeff (May 29, 2010)

Tru dat!!


----------



## ddave (May 29, 2010)

> feel free to analyze the security of Huddler, but remember to compare fairly to other sites that are also using ads--such as vBulletin forums that use *Google ads*.  (like www.sharky.com/forum/, www.smoked-meat.com/forum/  or www.bbq-brethren.com/forum/) Also, www.sausagesource.com/forum/index.php  is a phpBB forum, so you might try capturing their traffic as well, and see if your full password turns up.   (I'm curious about that, too.)


Okay.  I included a screenshot of the smoked-meat.com login sequence in my original post, but can do so again.  I replaced the image with one that I took AFTER I changed my password, so if anyone is wondering why that post is edited, now you know.

I am not a member of Sharky or SausageSource but here are the DNS queries that occur when the Smoked-Meat, BBQBrethren and QJoint sites load.














> _What he describes in his post as a security flaw is actually a fairly common practice across the Internet.  *Wikipedia* (the 11th most popular site on the Internet), *Digg* (the 36th most popular), and *every phpBB forum* out there all send passwords over plain text._


Can you imagine the uproar if Microsoft used that response when someone pointed out a potential security flaw?  Just because it is common practice doesn't mean it is a good idea.  And clearly forum software can be made to encrypt passwords.  But it doesn't sound like Huddler is going to do that anytime soon.


> _It is true that vBulletin encrypts the password before sending it, *but it does so using an algorithm that is so insecure that the US Government describes it as "cryptographically broken and unsuitable for further use"*.  In other words, the encrypted version of the password that vBulletin uses is almost no more secure than sending it in plain text._


Okay, then tell me what my password was.  I changed mine back after the demo, but I posted a screen shot of the traffic capture.  If their encryption is almost no more secure than plain text, then decrypt it and tell me what it was.

I did not set out to prove that vBulletin is/was more secure than Huddler.  But with all the discussion of strange behavior that users have been experiencing as far as strange pages popping up and how these reports were dismissed as "problems with your ISP" or "the problem is on your end" I was curious about what was going on behind the scenes on the network.

When I originally posted this, Jeff moved it to the Mod forum and PMed me saying that it shouldn't be in the general forum.  I responded that I felt the members should be aware of it so they could take appropriate measures as they see fit as far as their password choice.  He has done that after checking with Huddler, and I commend him for that.

However, I think it is pretty evident that there is more going on here than meets the eye.  I don't think it is something that is intentionally being allowed and I would hope that the bug reports will be taken seriously and not casually dismissed.  The new platform has a ton of potential.  I'll admit some of the new features are really starting to interest me but all the strange background stuff is concerning me.

Okay, I am taking off my propeller head cap now and getting ready to select some ribs for tomorrow's smoke.
Dave


----------



## abigail4476 (May 29, 2010)

Well..thanks for the detailed reply!  I appreciate that.  You're obviously a smarter cookie than I am--my eyes are crossing just staring at the screenshots!  The diversity between the screen shots probably has to do with the fact that we're on an ad network instead of just on Google ads, so since we're pulling ads from multiple sites, I would assume there to be multiple, diverse sources. With that said, the number of links may be less important, comparatively speaking, than the types of links.  Is there something to be concerned about by the sheer number of addresses shown?  Are there any malicious things in there that we should be worried about?

As far as the passwords go, I agree with Brian that it's a good precaution to use a new [unique from your normal] password for the new platform until all the kinks have been worked out, and unless or until the passwords can be encrypted in the code.   Good work, btw.

In the meantime, asking Huddler to encrypt passwords is a reasonable request.  The complaint has been submitted to Huddler, and hopefully they'll get back to us with a resolution.


----------



## ddave (May 29, 2010)

> Well..thanks for the detailed reply!  I appreciate that.


You're welcome.


> my eyes are crossing just staring at the screenshots!


Sorry about that.  Occupational hazard.

> Is there something to be concerned about by the sheer number of addresses shown?


Not really.  Not as long as each site provides a necessary function that can be explained and that you and Jeff are comfortable with.  It will just take longer to completely load the page for some folks.


> Are there any malicious things in there that we should be worried about?


You may want to do some research on secure-us.imrworldwide.com.  It has been associated with various spyware problems as this Google search illustrates.

http://www.google.com/#hl=en&q=secu...&oq=secure-us.im&gs_rfai=&fp=7c72d76feb718279

It could be the source of the as yet unexplainable behavior discussed in the  "Not Sure What the Problem Is" thread.  For what it's worth, I've had pages pop up when I clicked on white space in the forum pages.


> In the meantime, asking Huddler to encrypt passwords is a reasonable request.  The complaint has been submitted to Huddler, and hopefully they'll get back to us with a resolution


Huddler's response that plain text password transmission is a "fairly common practice across the Internet" makes me think it's not too high on their list of priorities.

But at least the membership knows about the issue and can take steps to safeguard their passwords.

Dave


----------



## chefrob (May 30, 2010)

thx dave for some insight............now i must go and uncross my eyes!


----------



## chefrob (May 30, 2010)

just had another malware alert..............


----------

