Zybez RuneScape Community was shut down on September 17th, 2018. You're viewing an archive of this page from 2018-12-01 at 13:24. Thank you all for your support! Please get in touch via the Curse help desk if you need any support using this archive.


Introducing Sharkbrew


73 replies to this topic

#61 Wee Man

Wee Man

    Number one in pure hatred

Posted 28 August 2018 - 4:28 AM

I have no comment on any of the community-aspect of a site like this however the "security" features you are featuring here raise concern from me.

For one, there is nothing to indicate to anyone outside the operation or administration of the site that proper IP masking is taking place. Going to a php page and seeing a printed IP is not proof or confirmation of anything of the sort, given you can just write a very quick script to print any valid IP you want from a list. I would NEVER trust any operator's word that my public IP is properly protected, and nor should anyone here, given the complete lack of transparency on this. You should trust your own means of protection, i.e. using a VPN or proxy before accessing the site.

Also, I don't understand how you think removing a properly implemented hashing function (bcrypt) and replacing it with something else makes me feel any better. bcrypt, when used properly, is more than sufficient to protect against db leaks. You are free to modify the software however you wish but coupled with your pseudo-security posturing with the "IP encryption" technology doesn't lead me to believe that it was done with expertise.

Be very careful with the claims being made by this website in regards to security, it should be assumed that it a) doesn't work, or b) doesn't exist.

 

I agree with what you're saying about the IP masking, without viewing the source code or having access to IPs it's impossible to tell how it works which means you can't tell if it works well at all but if you did have access that'd give you a starting point into breaking the code apart and nullifying it so I think they're kind of stuck there. At a minimum it's at least slightly safer than having your real IP printed on every post.

 

As for replacing the hashing function, assuming it was implemented correctly, argon2 is very strong although it hasn't been put through the kind of testing Bcrypt has. The main gain is that Argon hits GPU cracking speed harder than Bcrypt does forcing you to spend a lot more money to get the same kind of speeds you would against a bcrypt hash. Both are very slow to crack, nearing impossible against all but the weakest passwords but I like the idea of not using the default hashing bundled with IPB 4 mainly because of how slow Invision were to upgrade once their MD5+Salt hashing was made redundant.

 

I completely agree you have to take security claims like this at face value but I respect the attempt to address an issue that's plagued the RS community for many years now whether or not the idea that people sell/leak your information is blown out of proportion and whether or not the measures taken by Sharkbrew actually work in the first place.


  • 0



#62 Sharkbrew

Sharkbrew

    Junior Member

  • Posts:24
  • Joined:04-July 14
  • Rating: < -5 | 0 | +5 >

Posted 28 August 2018 - 5:00 AM

I have no comment on any of the community-aspect of a site like this however the "security" features you are featuring here raise concern from me.

For one, there is nothing to indicate to anyone outside the operation or administration of the site that proper IP masking is taking place. Going to a php page and seeing a printed IP is not proof or confirmation of anything of the sort, given you can just write a very quick script to print any valid IP you want from a list. I would NEVER trust any operator's word that my public IP is properly protected, and nor should anyone here, given the complete lack of transparency on this. You should trust your own means of protection, i.e. using a VPN or proxy before accessing the site.

 

Hi, thanks for your concerns. As a person who has to deal with NetSec and Application Security for his job, all your concerns are valid, and that is why I created that php page. You may go ahead and test the output by hopping onto a VPN and going back to prove that your IPs are not being "taken" from somewhere. Furthermore, I have got 20~ ranks from at least 15 different clans. All of them can see IPs on the boards, and they all can attest to the fact that IPs are encrypted and there's no pseudo generation of IPs.

 

VNes39t.png

 

I have more to lose by being untruthful to the community than gaining a few IPs.

 

 

 

Also, I don't understand how you think removing a properly implemented hashing function (bcrypt) and replacing it with something else makes me feel any better. bcrypt, when used properly, is more than sufficient to protect against db leaks. You are free to modify the software however you wish but coupled with your pseudo-security posturing with the "IP encryption" technology doesn't lead me to believe that it was done with expertise.

Be very careful with the claims being made by this website in regards to security, it should be assumed that it a) doesn't work, or b) doesn't exist.

 

BCrypt is properly implemented in IPB? Ha ha ha ha ah a. Have you even seen the IPB source or developed on IPB forum software before?

 

It is no way close to even being properly implemented. For starters, blowfish's main defense against brute force attacks is the exponential memory cost needed to compute the hash. Higher the cost, the longer it takes to break the hash. Over the years as computing powers increase, this cost must be adjusted. IPB uses a static cost which hasn't been changed since 2014... Furthermore, various attack tools taking advantage of this static memory weakness, especially against Bcrypt hashes, that on FPGA are available for rent in the black market.

 

Furthermore, I wouldn't equate IPB with security. IPB is probably the only established forum software in the past 3 years to suffer a very elementary and catastrophic SQL injection attack that allowed attackers to craft their own SQL queries.

 

I would appreciate if you actually seek clarifications with me first as I don't think you are technically inclined in this domain.


Edited by Sharkbrew, 28 August 2018 - 6:52 AM.

  • 4

New community site for mains & pures ~ http://sharkbrew.com
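
Posts #61 and #62 both turn on the work parameters stored inside each password hash. The following is an added example, not part of the thread and not IPB or Sharkbrew code: it reads the bcrypt cost (log2 of the key-setup iterations) or the Argon2 memory/time parameters out of a stored hash string and flags anything below an assumed policy for rehash at the next successful login. The `POLICY` values, function names and sample hashes are assumptions constructed for illustration.

```python
import re
from collections import Counter

# bcrypt modular-crypt format: $2<variant>$<cost>$<22-char salt><31-char digest>
BCRYPT_RE = re.compile(r"^\$2[abxy]\$(\d{2})\$[./A-Za-z0-9]{53}$")
# Argon2 PHC format: $argon2id$v=19$m=<KiB>,t=<passes>,p=<lanes>$<salt>$<digest>
ARGON2_RE = re.compile(r"^\$(argon2(?:id|i|d))\$v=\d+\$m=(\d+),t=(\d+),p=(\d+)"
                       r"\$[A-Za-z0-9+/]+\$[A-Za-z0-9+/]+$")

# Assumed policy for this example; not values taken from IPB or Sharkbrew.
POLICY = {"bcrypt_cost": 12, "argon2_m_kib": 65536, "argon2_t": 3}

def describe(stored):
    """Read the algorithm and work parameters embedded in a stored hash string."""
    m = BCRYPT_RE.match(stored)
    if m and 4 <= int(m.group(1)) <= 31:
        cost = int(m.group(1))
        # cost is log2 of the key-setup iterations, so +1 doubles the work
        return {"algo": "bcrypt", "cost": cost, "iterations": 1 << cost}
    m = ARGON2_RE.match(stored)
    if m:
        return {"algo": m.group(1), "m_kib": int(m.group(2)),
                "t": int(m.group(3)), "p": int(m.group(4))}
    return {"algo": "unknown"}  # e.g. legacy salted MD5

def needs_rehash(stored, policy=POLICY):
    """True if the hash should be recomputed at the user's next successful login."""
    info = describe(stored)
    if info["algo"] == "bcrypt":
        return info["cost"] < policy["bcrypt_cost"]
    if info["algo"].startswith("argon2"):
        return (info["m_kib"] < policy["argon2_m_kib"]
                or info["t"] < policy["argon2_t"])
    return True  # unrecognised formats are always upgraded

def audit(hashes, policy=POLICY):
    """Count hashes below policy, grouped by algorithm."""
    return Counter(describe(h)["algo"] for h in hashes if needs_rehash(h, policy))

# Constructed sample rows: filler salt/digest characters, not real password hashes.
FILL = "x" * 53
SAMPLES = [
    "$2y$10$" + FILL,                                     # bcrypt, cost 10
    "$2y$13$" + FILL,                                     # bcrypt, cost 13
    "$argon2id$v=19$m=65536,t=3,p=4$c2FsdA$" + "A" * 43,  # argon2id at policy
    "$argon2i$v=19$m=1024,t=2,p=2$c2FsdA$" + "A" * 43,    # argon2i, low memory
    "0" * 32,                                             # 32 hex chars, MD5-era
]

if __name__ == "__main__":
    for h in SAMPLES:
        print(h[:32], describe(h), "rehash:", needs_rehash(h))
```

The rehash itself can only happen at login, because that is the one moment the server holds the plaintext password needed to compute a hash under the new parameters.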


#63 Ekstra

Ekstra
  • Posts:1,154
  • Joined:27-January 09
  • Rating: < -5 | 0 | +5 >
  • RS Name:Ekstra
  • RS Status:Member
  • Clan:Divine Forces

Posted 28 August 2018 - 11:26 AM

What if one day u go rogue and just remove the ip protection ?


  • 1



#64 Sharkbrew

Sharkbrew

    Junior Member

  • Posts:24
  • Joined:04-July 14
  • Rating: < -5 | 0 | +5 >

Posted 28 August 2018 - 12:31 PM

What if one day u go rogue and just remove the ip protection ?

 

I have been running Sharkbrew since 2013, and I have hosted nearly 150 clan forums, and even rival clans trust me to host their sites and not leak/sell information to each other.


Edited by Sharkbrew, 28 August 2018 - 12:35 PM.

  • 0

New community site for mains & pures ~ http://sharkbrew.com


#65 Ace

Ace

  • Posts:3,143
  • Joined:24-February 12
  • Rating: < -5 | 1 | +5 >
  • RS Status:Oldschool
  • Clan:Renegades Fan Club

Posted 28 August 2018 - 1:15 PM

You can't do this man, I'm still in mourning. 


  • 0

#66 .Ravose.

.Ravose.

    Member

  • Posts:2,541
  • Joined:30-September 06
  • Rating: < -5 | 1 | +5 >
  • RS Status:Member
  • Clan:The Rising

Posted 30 August 2018 - 5:56 PM

With Zybez becoming read-only soon and seeing as how others will be migrating onto Sharkbrew, I figured why not. 

 

https://www.sharkbre...le/8187-ravose/


  • 0

#67 Fremennik

Fremennik

    Member

Posted 31 August 2018 - 9:20 AM

 

I have no comment on any of the community-aspect of a site like this however the "security" features you are featuring here raise concern from me.

For one, there is nothing to indicate to anyone outside the operation or administration of the site that proper IP masking is taking place. Going to a php page and seeing a printed IP is not proof or confirmation of anything of the sort, given you can just write a very quick script to print any valid IP you want from a list. I would NEVER trust any operator's word that my public IP is properly protected, and nor should anyone here, given the complete lack of transparency on this. You should trust your own means of protection, i.e. using a VPN or proxy before accessing the site.

 

Hi, thanks for your concerns. As a person who has to deal with NetSec and Application Security for his job, all your concerns are valid, and that is why I created that php page. You may go ahead and test the output by hopping onto a VPN and going back to prove that your IPs are not being "taken" from somewhere. Furthermore, I have got 20~ ranks from at least 15 different clans. All of them can see IPs on the boards, and they all can attest to the fact that IPs are encrypted and there's no pseudo generation of IPs.

 

VNes39t.png

 

I have more to lose by being untruthful to the community than gaining a few IPs.

 

 

 

Also, I don't understand how you think removing a properly implemented hashing function (bcrypt) and replacing it with something else makes me feel any better. bcrypt, when used properly, is more than sufficient to protect against db leaks. You are free to modify the software however you wish but coupled with your pseudo-security posturing with the "IP encryption" technology doesn't lead me to believe that it was done with expertise.

Be very careful with the claims being made by this website in regards to security, it should be assumed that it a) doesn't work, or b) doesn't exist.

 

BCrypt is properly implemented in IPB? Ha ha ha ha ah a. Have you even seen the IPB source or developed on IPB forum software before?

 

It is no way close to even being properly implemented. For starters, blowfish's main defense against brute force attacks is the exponential memory cost needed to compute the hash. Higher the cost, the longer it takes to break the hash. Over the years as computing powers increase, this cost must be adjusted. IPB uses a static cost which hasn't been changed since 2014... Furthermore, various attack tools taking advantage of this static memory weakness, especially against Bcrypt hashes, that on FPGA are available for rent in the black market.

 

Furthermore, I wouldn't equate IPB with security. IPB is probably the only established forum software in the past 3 years to suffer a very elementary and catastrophic SQL injection attack that allowed attackers to craft their own SQL queries.

 

I would appreciate if you actually seek clarifications with me first as I don't think you are technically inclined in this domain.

 

smoked


  • 0

Your signature has been removed because it was breaking the rules of this community. It was too big (either too wide or too tall) and/or its file-size was too large. To find out more, please see our signature and avatar rules. If you need any help, feel free to contact me. Thanks, Magick.


#68 The duck

The duck

    The Community Duck™

  • Posts:18,024
  • Joined:06-April 08
  • Rating: < -5 | 4 | +5 >
  • RS Name:Elysian Duck
  • RS Status:Member

Posted 31 August 2018 - 9:32 AM

Good luck with your forum
  • 0



Blogs Team Leader & CL of Questions, feel free to PM me with suggestions or ideas


#69 We1

We1

    ★★★★★

  • Posts:572
  • Joined:15-October 16
  • Rating: < -5 | -2 | +5 >
  • RS Status:Oldschool
  • Clan:Sovereign
  • Team:Alpha

Posted 03 September 2018 - 8:52 PM

https://www.sharkbre...ofile/8107-we1/


  • 0


 


#70 Unrated

Unrated
  • Posts:5,865
  • Joined:12-October 09
  • Rating: < -5 | 0 | +5 >
  • RS Name:Evangalion
  • RS Status:Oldschool
  • Clan:none

Posted 09 September 2018 - 2:55 AM

Nice forums, nice atmosphere!


https://www.sharkbre...e/8146-unrated/

Edited by Unrated, 09 September 2018 - 3:34 AM.

  • 0

Discord Server | Graphics ProvidenceTeamspeak


#71 Lavigne

Lavigne

    Member

  • Posts:7,525
  • Joined:04-April 09
  • Rating: < -5 | 2 | +5 >
  • RS Name:Wonder Woman
  • RS Status:Retired

Posted 09 September 2018 - 3:32 AM

https://www.sharkbre...e/8218-lavigne/

Whether I'm active there is doubtful for a number of reasons. It's not like I don't trust the site (if someone wants to hack a forum, encryption becomes entirely irrelevant because they'll find the answer - they will do it), but it's simply not the same scene nor attitudes shown on Zybez. Just seems like an archaic zoo lol.


  • 0


Miiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiillllllllllllllllll


#72 Unrated

Unrated
  • Posts:5,865
  • Joined:12-October 09
  • Rating: < -5 | 0 | +5 >
  • RS Name:Evangalion
  • RS Status:Oldschool
  • Clan:none

Posted 09 September 2018 - 3:37 AM

https://www.sharkbre...e/8218-lavigne/
Whether I'm active there is doubtful for a number of reasons. It's not like I don't trust the site (if someone wants to hack a forum, encryption becomes entirely irrelevant because they'll find the answer - they will do it), but it's simply not the same scene nor attitudes shown on Zybez. Just seems like an archaic zoo lol.


You've always been an upstanding figure Lavigne, show us the ways.
  • 0

Discord Server | Graphics ProvidenceTeamspeak


#73 DarkPulex

DarkPulex

    104K

Posted 09 September 2018 - 10:14 AM

Is this sure? Then all to sharkbrew?
  • 0
Revolution Elite Clan Leader/Founder- 2010 / 2013
Latin Crew Founder - 2017/2017
Ex Elite Assassins Member & Latin Unit

#74 Lavigne

Lavigne

    Member

  • Posts:7,525
  • Joined:04-April 09
  • Rating: < -5 | 2 | +5 >
  • RS Name:Wonder Woman
  • RS Status:Retired

Posted 09 September 2018 - 12:15 PM

 

https://www.sharkbre...e/8218-lavigne/
Whether I'm active there is doubtful for a number of reasons. It's not like I don't trust the site (if someone wants to hack a forum, encryption becomes entirely irrelevant because they'll find the answer - they will do it), but it's simply not the same scene nor attitudes shown on Zybez. Just seems like an archaic zoo lol.


You've always been an upstanding figure Lavigne, show us the ways.

 

I DO NOT KNO DE WAE. BWAHBWAHBWAHBWAH


  • 0


Miiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiillllllllllllllllll




