EvilZone
Community => News and Announcements => : Kulverstukas November 01, 2013, 03:52:39 PM
-
Merge fail, ignore this message :/
-
Hello EZ!
Some of you may be familiar with project Alpha and some of you may not. So here are some explanations:Project AlphaProject Alpha is the code name for a project to re-design and re-code many of Evilzone's systems from scratch, such as the IRCd and the website.Project Alpha started as a design concept, very unlike this one, about one and a half year ago and have ever since evolved into something bigger and bigger.In addition to re-designing and re-coding we also wanted to add new features and services such as a webOS, web terminal, challenges, EvilShop, pastebin, exploitDB and much more. I wont go into details about those sub-projects right now. But they are also under development. Some more information can be found in the AWESOME STUFF page.
Introduction
This is an public early beta release. There have been several development versions for staff and VIP, but this is the first real public publication of the webpage.
Please keep in mind that this is a beta and is not complete. The only major part that is open to public that is not yet complete is the profile and all its systems (account settings, private messages, etc) (and sub-projects like the webOS).
Try it, break it, smash is and hack it. But please don't do any harm and report to me when you are done. Although I am pretty confident in the security part of the project.
http://alpha.evilzone.org/index.php?page=forum&sub=thread&thread=1 (http://alpha.evilzone.org/index.php?page=forum&sub=thread&thread=1)
Oh and merry christmas! ;D
-
Very sexy! Thanks for the gift :)
(http://oi43.tinypic.com/vnmes5.jpg)
What's with the broken characters?
-
Looks beautiful. Can we have the list of people who worked on this, so we can give thanks?
Really good job guys :)
-
Very sexy! Thanks for the gift :)
(http://oi43.tinypic.com/vnmes5.jpg)
What's with the broken characters?
That's because it's showing you raw binary output in ASCII thus giving you random ascii stuff.
-
Really awesome work.
Its worth the wait.
-
Very sexy! Thanks for the gift :)
(http://oi43.tinypic.com/vnmes5.jpg)
What's with the broken characters?
Its supposed to be a joke/representation of an exploit doing some sort of overflow.
Looks beautiful. Can we have the list of people who worked on this, so we can give thanks?
Really good job guys :)
The website is mostly me.
-
Everything is so smooth and lovely. 10/10 would visit again.
Also, what's up with the client side hashing when logging in?
-
Everything is so smooth and lovely. 10/10 would visit again.
Also, what's up with the client side hashing when logging in?
Not sure how to answer this. The client side hashing is done for obvious reasons: Not sending your password in plaintext to the server.
-
I visited this when you first posted about it yesterday and was extremely impressed. Very nice work ande.
I visited today, when I had more time, and what can I say other than holy shit. I mean, the terminal, exploitdb, ctf, challenges. Ande you are taking EZ to a whole nother level. Hats off to you my friend!
-
I WANT TO LOGIN!! When is our acct. info transferred over?
-
The client side hashing is done for obvious reasons: Not sending your password in plaintext to the server.
Theoretically, couldn't an attacker just modify the function if the site is not using https? I get that it would make password sniffing harder, but still. Oh, and wouldn't I need JS enabled just to login?
I skimmed this (http://stackoverflow.com/questions/1380168/does-it-make-security-sense-to-hash-password-on-client-end) and this (http://programmers.stackexchange.com/questions/76939/why-almost-no-webpages-hash-passwords-in-the-client-before-submitting-and-hashi), and it's generally agreed to be insecure, but it does prevent the sniffer from logging into other sites that are using the same credentials, obviously (but you'd have to be stupid to use the same password twice).
Forgive me if some of this is fatally flawed, I just woke up and security isn't my speciality. Sorry if my tone sounds a bit unusual, I couldn't think of how to put it.
Anyway, merry Christmas.
-
I WANT TO LOGIN!! When is our acct. info transferred over?
You can register :P
Theoretically, couldn't an attacker just modify the function if the site is not using https? I get that it would make password sniffing harder, but still. Oh, and wouldn't I need JS enabled just to login?
I skimmed this (http://stackoverflow.com/questions/1380168/does-it-make-security-sense-to-hash-password-on-client-end) and this (http://programmers.stackexchange.com/questions/76939/why-almost-no-webpages-hash-passwords-in-the-client-before-submitting-and-hashi), and it's generally agreed to be insecure, but it does prevent the sniffer from logging into other sites that are using the same credentials, obviously (but you'd have to be stupid to use the same password twice).
Forgive me if some of this is fatally flawed, I just woke up and security isn't my speciality. Sorry if my tone sounds a bit unusual, I couldn't think of how to put it.
Anyway, merry Christmas.
If you modify the function to send some other form of hash you will not be able to log in because the server is expecting 100x SHA512 and anything else will just give you wrong username / password. Removing the function all together will give an error/warning message when the server detects you are sending in plaintext, and you wont be able to login.
When hashing the password at client side you ensure that sniffers only gets the hashed version of the password thus not revealing your actual password.
However, the password sent from a given account will always be the same as no sort of salt is introduced. So simply replying the same password and username would effectively log you in. Maybe one could implement the client's IP as salt, thus making it impossible for anyone else to use your pre/client-hashed password.
-
I once made an implementation in which every user had to login with username + password + secret. Then, the hash was calculated with a SHA256-HMAC(password, secret), and username + hash were sent to the server. I was never sure about if that was secure or not, so I finally removed it.
Btw, looks amazing :)
-
You can register :P
Indeed, I was just wondering when my uber leet posts and super hardcore gmod status will be transferred. Although I imagine it won't be until the final release is out.
-
I once made an implementation in which every user had to login with username + password + secret. Then, the hash was calculated with a SHA256-HMAC(password, secret), and username + hash were sent to the server. I was never sure about if that was secure or not, so I finally removed it.
Btw, looks amazing :)
It wouldn't be secure because you would have to send the secret to the client, thus making it possible to sniff. However I guess you COULD implement some sort of asymmetric encryption request to get the secret, by generating a new key on the client side every time and sending the public key. (Actually not a bad idea).
Indeed, I was just wondering when my uber leet posts and super hardcore gmod status will be transferred. Although I imagine it won't be until the final release is out.
Full conversion of the old data wont be done before we have a good release candidate.
-
It wouldn't be secure because you would have to send the secret to the client, thus making it possible to sniff. However I guess you COULD implement some sort of asymmetric encryption request to get the secret, by generating a new key on the client side every time and sending the public key. (Actually not a bad idea).
Secret was chosen by the user when registering, and never sent to the server (password was hashed then).But this is off-topic here.
-
Secret was chosen by the user when registering, and never sent to the server (password was hashed then).But this is off-topic here.
But the user or javascript would have to know the secret in order to perform the hashing. But you are right, this is off-topic. We could create a new client side hashing/encryption thread?
-
Hi there!
Just want to let you know that a early beta version of our new site can be found at:
http://alpha.evilzone.org
Merry xmas!
That popup is already annoying. Every EZ page I visit makes it show up. Can't you make it a one time thing?
-
Had been waiting to see this awesome thing from such a long time.
A few quick questions :
1) Did you guys build it up with a PHP framework or its entirely simple PHP?
2) Aren't you guys going to use slug urls?
3) It says that ande ate up all the cookies, does that mean there'll be no cookie system? Or everybody will start from 0?
-
That popup is already annoying. Every EZ page I visit makes it show up. Can't you make it a one time thing?
That's odd. It is only supposed to show once. What browser are you using?
Had been waiting to see this awesome thing from such a long time.
A few quick questions :
1) Did you guys build it up with a PHP framework or its entirely simple PHP?
2) Aren't you guys going to use slug urls?
3) It says that ande ate up all the cookies, does that mean there'll be no cookie system? Or everybody will start from 0?
1) Not using any existing framework. Built from scratch.
2) As in SEO friendly URL's? Maybe, its been discussed in the new board (feedback board I think)
3) Thats just bluechill having fun lol. There will be some sort of cookie/karma/reputation system. Not sure how it will work yet.
-
I have the same problem, on Firefox 25.0.1. The alert box appears on every single topic I access.
Your best bet is to leave a notice on the header or something less intrusive. Alert boxes are a relic of old that needs to die.
-
I have the same problem, on Firefox 25.0.1. The alert box appears on every single topic I access.
Your best bet is to leave a notice on the header or something less intrusive. Alert boxes are a relic of old that needs to die.
Done.
EDIT:
Introducing beta of the new upload service: http://upload.alpha.evilzone.org/
Featuring:
- 1GB size limits for files and 30MB for images
- Upload with your account to look at download and view statistics as well as being able to delete files you have uploaded
- Support multiple files
- No file extension limit
-
Is this accessible from EZ Alpha? Doesn't seem to be.
-
Is this accessible from EZ Alpha? Doesn't seem to be.
Just updated the links at the "awesome stuff" page so that they link up. You can login with the same account, but if you are logged in at alpha.evilzone.org you should already be logged in.
EDIT: The beta upload service now supports multiple files :)
-
Cool! Can't wait for the other Awesome Stuff stuff to be implemented. Specially the WebOs and EvilTerminal.
-
Cool! Can't wait for the other Awesome Stuff stuff to be implemented. Specially the WebOs and EvilTerminal.
Ill see if I cant do some work on those tonight :)
-
Man I am really stoked to see this stuff, great work!
-
Ez, growing too enormous i pity those in its way. This is awesome stuff, hope its not copyrighted cos alot of copycats are coming.
-
Ez, growing too enormous i pity those in its way. This is awesome stuff, hope its not copyrighted cos alot of copycats are coming.
They'll do a bad job, everything is from scratch so they can't really copy it...
-
Stuff fixed again for those who even noticed :P
-
I noticed, it's nice. ^.^
-
Haven't been around for a while. Now back and seeing this beautiful new page, impressive!
Fell in love with it, really great job!
-
Awesome design, really like it.
Just some thoughts I had when browsing.
When registering a html5 validation would minimize unnecessary request to server, I know you have server side validation but just a thought to have both.
Also how about forcing a secure password?
Also say you don't use mod_rewrite for urls, maybe thats a later question when everything is finished but imo it looks nicer with it.
Also the "can you crack" it challenge (without saying to much) does the answer physically exist on server?
I'm aware that stuff is not done, implemented and its a early teaser alpha but I like it so far, keep up the good work ande
-
Awesome design, really like it.
Just some thoughts I had when browsing.
When registering a html5 validation would minimize unnecessary request to server, I know you have server side validation but just a thought to have both.
Also how about forcing a secure password?
Also say you don't use mod_rewrite for urls, maybe thats a later question when everything is finished but imo it looks nicer with it.
Also the "can you crack" it challenge (without saying to much) does the answer physically exist on server?
I'm aware that stuff is not done, implemented and its a early teaser alpha but I like it so far, keep up the good work ande
We might add nicer URLs later, its been discussed. The "can you crack it" answer does not exist yet, but good work if you found it ;)
-
This is beautiful, and it being totally from scratch, I cant even begin to fathom the work that into this. I haven't had a chance to poke around yet and discover all the nooks and crannys of the site, but it looks like there are some really cool ideas in the awesome stuff section, not sure how much help I can be, but if you want me to learn anything, I'm here and ready to help in anyway possible!