It’s Getting to Be No Fun Anymore

Spammers. Script kiddies who spend their time writing bots to deface websites. Internet fraudsters like the U.K.’s Peter Francis-Macrae (a.k.a. Weaselboy). People who deploy DDoS attacks.

They’re all getting to me, both figuratively and literally. Below is how one of my installations of phpBB has been defaced.

[Image: phpBB Deface]

Yeah, this gets on my tits in a big way, not because I got punk’d, but because of the very existence of these effin’ little pricks. And in fact, I’m convinced we’re literally talking about little pricks in the same manner as guys who drive around with big honkin’ muscle cars.

I’m fuming on all sorts of levels right now. For one, I’m pissed with developers of scripts like phpBB for fabricating such vulnerable trash. I’ve installed their scripts even though I could plainly see how they didn’t bother taking measures to prevent illicit admin access (e.g., storing passwords in a publicly accessible directory). But I have neither the time nor the inclination to come up with my own script like a bulletin board to circumvent such shortfalls, nor is modifying their script to patch these vulnerabilities easy or obvious (not to mention how they’d only get overwritten in an upgrade). Secondly, I’m pissed at the time I have to spend to fix scripts because it amuses some losers to go around causing havoc. And for what? The thrill. To be able to say they’ve done it. And then you have folk like me who have to waste countless hours undoing the shit they’ve done. And “shit” is the right word: It’s like someone coming to your home and defecating in the middle of your living room floor, and you’re left with the job of picking it up.

You start by searching for the cause and source of the hack or defacement, how common it is, how it can be patched up and how it can be prevented from happening again. Judging from the number of other sites that look just like yours, you quickly figure out that you’re the victim of a very common defacement. But the vast majority of what you find to reverse the defacement is hopelessly unhelpful because it’s written by well-intended script kiddies who can only write in indecipherable geekspeak. And, of course, I recognize there’s a Catch-22: post too many explanations of the vulnerability and what was done to fix it, and hackers will use that information to launch another exploit. *ARRRGH*!!!

After considerable probing, I discovered that this specific exploit was database related and was easily fixed by editing two fields in a given table. But that, in itself, really scares me. What bugs the bejesus out of me is that this script, like many other PHP scripts that are being distributed, stores the database login info in plain text in a file stored in a publicly accessible directory! I mean, ferfucksake! Even when I began scripting in PHP in 1999, I knew that was the dumbest thing anyone could do! And yet I see it all the time. (Of course, TextStyleM isn’t set up that way.) With that what-ought-to-be precious information, even the dimmest hacker can figure out how to get admin access and cause a real mess. In fact, the defacing could have been much worse, but I refuse to feel thankful to the hackers for not going any farther.

And here’s another thing that gets on my tits! Every time I use a script other than my own, I’m reminded why I got into this crazy adventure of creating my own CMS. I keep seeing these “very kewl features” popping up in these other scripts, but simple, commonsense features that would make day-to-day management so much easier are nowhere to be found. For instance, registering a new user/poster in a phpBB installation can only be done on the public side of the board; it can’t be done on the admin side. What’s more, turning off registration entirely requires a hack (i.e., a manual change to the source code), which most likely will end up being overwritten if later you upgrade to the newer version of phpBB.

It just never ends! It seems we keep making more work for ourselves by taking shortcuts earlier on or not thinking things through properly. Then you have fuckwits whose only goal in life is to waste other people’s time, just because they can. In the end, this line of work is fraught with pointless frustrations and is becoming less and less fun.