
Showing all articles tagged with Security

Background Noise in CAPTCHAS

28 August 2007 PHP, Programming, Security, Web Design

One thing I keep noticing is the use of background noise or clutter in CAPTCHAs. It's now well known in the OCR (Optical Character Recognition) field that background noise can be easily removed by computers. It's basically useless at hindering spam bots.

It's so easy that I was able to clean the following CAPTCHA up in only 20 lines of PHP code.

(Image: the original CAPTCHA, with blue-tinted background noise)

Here's how...

At a glance, you can see the CAPTCHA's background noise has a blue tint. Looking at the RGB values of the image in Photoshop, I can see that every part of the background has a blue value higher than 180.

That's the only piece of information needed to remove the background.

The code simply loops through every pixel of the image and checks its RGB value. If the blue (B) component is higher than 180, the pixel is coloured white.

Here's the final image. The characters can now be easily separated and identified using OCR software.

(Image: the cleaned-up CAPTCHA, background noise removed)

So you can see why most background noise is basically useless in CAPTCHAs.


Facebook Code Analysis

16 August 2007 PHP, Programming, Security


Most developers have now heard about Facebook's leaked index.php source code, which was anonymously posted here. If you haven't seen it already, there are a number of links listed on Techcrunch.

I've seen a few bloggers criticize Facebook developers for using procedural programming rather than classes and object oriented techniques. I'm not exactly sure why they've chosen to develop the site like this, but I'm going to take a guess and say it was to improve speed and efficiency.

Object oriented programming was first introduced to PHP in version 4. However, the language wasn't originally designed around objects and classes, so the implementation was clunky and awkward. This meant that procedural code was often much faster than object oriented code.

Considering the size and popularity of social networks, I'm not surprised they chose procedural code over objects. That tiny boost in performance would easily outweigh the advantages of using classes.

Fortunately, most (if not all) issues with objects have been solved in PHP 5, which is now closer to a truly object oriented language.


MD5 Encryption

29 May 2007 Security, Programming


MD5 is a popular hash function which is often used to protect passwords in web applications. In most applications, when a user enters their password, it is hashed and compared to the hash stored in the database. If both MD5 hashes match, the user is granted access.

This approach is generally considered to be quite secure for authenticating users. However, it still has its weaknesses.

MD5 hashes are vulnerable to dictionary and brute force attacks using rainbow tables, which store millions of passwords and their hashed values.

This means that if your database is compromised, there's a good chance your passwords can be recovered by an experienced cracker.

Here are a few tips for protecting your passwords...

Also make sure you're using SSL if your web application has any importance. It's extremely easy to intercept passwords using packet sniffers.
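To make the rainbow-table weakness described above concrete, here is an added Python example (not code from the post) that simulates a precomputed lookup against plain MD5 password hashes and, as an assumed mitigation the post does not spell out, shows how a random per-user salt forces an attacker back to rehashing every candidate for every user. The word list and salt are constructed sample values.

```python
import hashlib
import os
from typing import Dict, Iterable, Optional, Tuple

# Constructed stand-in for the "millions of passwords" a real rainbow table covers.
COMMON_PASSWORDS = ["password", "123456", "letmein", "qwerty", "canberra2007"]


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def build_lookup_table(words: Iterable[str]) -> Dict[str, str]:
    """Precompute md5(word) -> word once. A real rainbow table trades time for
    space, but the defender-relevant property is the same: the hashing work is
    done in advance and reused against every database that leaks."""
    return {md5_hex(w.encode()): w for w in words}


def store_unsalted(password: str) -> str:
    """What the post describes: the database keeps md5(password)."""
    return md5_hex(password.encode())


def store_salted(password: str, salt: bytes) -> str:
    """Assumed mitigation: a random per-user salt (stored beside the hash) is
    mixed in, so equal passwords no longer give equal hashes and a table built
    in advance no longer matches anything."""
    return md5_hex(salt + password.encode())


def recover_from_table(stored_hash: str, table: Dict[str, str]) -> Optional[str]:
    """One dictionary lookup per leaked hash: no hashing at crack time."""
    return table.get(stored_hash)


def recover_with_salt(stored_hash: str, salt: bytes, words: Iterable[str]) -> Tuple[Optional[str], int]:
    """With a salt the precomputed table is useless; every candidate must be
    rehashed for this one user. Returns (password or None, hashes computed)."""
    hashes_computed = 0
    for w in words:
        hashes_computed += 1
        if md5_hex(salt + w.encode()) == stored_hash:
            return w, hashes_computed
    return None, hashes_computed


if __name__ == "__main__":
    table = build_lookup_table(COMMON_PASSWORDS)
    print("unsalted:", recover_from_table(store_unsalted("letmein"), table))
    salt = os.urandom(8)  # constructed per-user salt
    leaked = store_salted("letmein", salt)
    print("table vs salted:", recover_from_table(leaked, table))
    print("per-user brute force:", recover_with_salt(leaked, salt, COMMON_PASSWORDS))
```

Salting defeats precomputation but not per-user guessing at MD5's speed; a deliberately slow password hash such as bcrypt, scrypt or Argon2 is the usual answer to that.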

