220 replies to this topic

[remiX]

But the ASCII bird is beyond awesome :[

..

Thunderwolf, lol

[Shnupbups]

How about ThunderRaven?

[CastleMan2000]

This is so cool! I have a few suggestions though: A checkbox for staying signed in (persistent), being able to see sent messages (an outbox maybe?), archiving all the messages you currently have into a folder, and a contacts list so you can keep your pen pals on a convenient list and click on their names and then compose a message quickly!

Also, sending files and a confirmation for deleting all your messages would be great.

[ChaddJackson12]

Seems really cool! I'll try it out

[Dlcruz129]

Thunderpigeon for sure.

[zekesonxx]

Thunderhawk. Enough said.

[pielover88888]

ThunderPie! \o/
Um, I found a problem..
Any time I attempt to message someone, it has a server error.
Edit: it worked. Gravityscore, check your inbox, LOL jk (but yes, it was sent to you, my test message.)

[GravityScore]

Ok well. Lieudusty was updating linux, which involved wiping the disk. We forgot to take backups of the PHP files and now they're gone.

So... dammit.

Expect downtime for the next few days while we re-write everything

[CastleMan2000]

zekesonxx, on 14 January 2013 - 09:15 AM, said:

Thunderhawk. Enough said.

Agreed, that sounds awesome.

[NeverCast]

Hashes are only as secure as their computational time. Just because SHA256 doesn't have any collisions doesn't mean it's more secure than SHA1, apart from the calculation time.

There is something very vital to strengthening your hashes that you need to do. That is use a salt. Although your system is rather strong against hackers and nothing you said was incorrect. You should be salting your hashes. That means adding some known garbage to the end of someones password, so even if the user types in 12345 as their password, It becomes 12345kjdfshafdksafkjsf before it is hashed, making it harder to brute force because you can't use pre-generated hashes to crack it.

On Topic: I like ThunderHawk, and this software looks very well done. Nice work.

[pielover88888]

So, Gravity, then how did I send one? o_o

also; DEBIAN FTW! *doesn't need re-installation to update*

[NeverCast]

A lot ( all? ) of linux installations don't need re-installation as the linux kernel is quite modular.
What do you mean pielover?

[pielover88888]

Doesn't Fedora need reinstallation to update? Or, arch..? I could've sworn at least one or two distributions needed it..

[lieudusty]

I'm using Arch Linux and everything in the system was screewy. Packages didn't install, can't update stuff, was using an old version anyways, stuff like that. So I decided wiping the harddrive and reinstalling would make everything be more smooth. (Which it did)

[GravityScore]

NeverCast, on 14 January 2013 - 11:44 AM, said:

Hashes are only as secure as their computational time. Just because SHA256 doesn't have any collisions doesn't mean it's more secure than SHA1, apart from the calculation time.

There is something very vital to strengthening your hashes that you need to do. That is use a salt. Although your system is rather strong against hackers and nothing you said was incorrect. You should be salting your hashes. That means adding some known garbage to the end of someones password, so even if the user types in 12345 as their password, It becomes 12345kjdfshafdksafkjsf before it is hashed, making it harder to brute force because you can't use pre-generated hashes to crack it.

On Topic: I like ThunderHawk, and this software looks very well done. Nice work.

Thanks

I know what salting a password is I'm far enough into the new version that I've already implemented it.

[theoriginalbit]

NeverCast, on 14 January 2013 - 11:44 AM, said:

That means adding some known garbage to the end of someones password, so even if the user types in 12345 as their password, It becomes 12345kjdfshafdksafkjsf before it is hashed, making it harder to brute force because you can't use pre-generated hashes to crack it.

Only problem with salting with Lua/CC programs is that unless the program is converted to byte-code, someone can easily just open your program and look at your salt... even with the program in byte-code they can still look up the salt ( it just takes a little longer )...

[Mads]

- snip -

[zekesonxx]

mad, on 15 January 2013 - 05:49 AM, said:

"Server error" when trying to log in.

GravityScore, on 14 January 2013 - 11:32 AM, said:

Expect downtime for the next few days while we re-write everything

[MudkipTheEpic]

Once PDA's come out, you could make a SHA-256 encoded PHP texting system in your spare time. I mean, for you it won't take long at all! XP

Edit: Edited for ungratefulness.

Edited by MudkipTheEpic, 15 January 2013 - 12:38 PM.

[GravityScore]

Ok status update on the PHP scripts:

- Salting has been implemented. The password is first hashed in SHA-256 client side, which is then sent to the server. The server adds a unique (to the account), randomly generated salt to the password, and the whole thing is then hashed again in SHA-512. Dictionary attacks are now useless
- A new system to better identify what is sending the request has been implemented (should help us in locking out hacking clients)
- Lieudusty has gotten Linux iptables to work, and I've implemented an IP address blocking system in the PHP
- Usernames, passwords, subjects, tos, etc... are now limited to letters and numbers only
- A new folder system has been implemented (only in the PHP at the moment)

Yet to do:
- Rate limiting of accounts and IP addresses.

Thanks for the support everyone! We're getting there...