PHP help for simple (not to me) issue

harrumph

Thank you for taking the time to read this.

I run a vBulletin 4.1.x forum, a primarily PHP/MySQL forum software that most of you are doubtless familiar with in one degree or another. I think that the fact that it is vBulletin is irrelevant however, the same PHP code should apply to any forum software.

I prefer that my users encrypt their private messages, however since the discussions they are having are purely above-board, I do not wish to require that the Private Messages be encrypted. I only wish to encourage good security practice among members.

To this end, I want to be able to add a little bit of code to vBulletin which, upon the user hitting the Send button, checks the Private Message for the ---BEGIN PGP MESSAGE--- text. If that text is not present in the message, I wish the user to be prompted to verify that they are willingly sending an insecure message.

Again, this is not intended to be used as a real security mechanism, but rather just as a training too to hopefully get some people into the habit of using good security practice. The fact that the user could simply insert the ---BEGIN PGP MESSAGE--- text into their message at any point and fool this little PHP hack is irrelevant. This is intended as a seat belt, but not as a seat belt law.

Is there anyone who might be able to provide my fully-PHP-ignorant butt with instructions on how to do this? A friend of mine did it several years ago and so I know that it can be done, however unfortunately I did not pay attention to what he had changed to add those few lines of PHP to vBulletin.

I would be eternally grateful - which, as we all know, these days buys zero ounces of $5/cup coffee, but gratitude and courtesy are becoming a lost art, and I am hoping to appeal to those of us who want to keep helpful tradition alive. Please help me to help my forum members.

Thank you very kindly for any consideration. Please note that if you require any assistance in helping me, for instance small snippits of code from my vBulletin PM module, just say the word and I will be happy to oblige right away. Naturally I will not violate any copyright laws by pasting more than necessary, but I am highly motivated to make this happen. With some of the things going on in less free parts of the world, sadly, just the daily world news is important to get to certain people. That is all that I can say about who you will be helping.

traq

harrumph;11002987 wrote:
...I think that the fact that it is vBulletin is irrelevant however, the same PHP code should apply to any forum software.

Actually, no - integrating code with an existing system (especially one as complex as vBulletin) is usually the hardest part of the job.

harrumph;11002987 wrote:
I prefer that my users encrypt their private messages, however since the discussions they are having are purely above-board, I do not wish to require that the Private Messages be encrypted. I only wish to encourage good security practice among members.

To this end, I want to be able to add a little bit of code to vBulletin which, upon the user hitting the Send button, checks the Private Message for the ---BEGIN PGP MESSAGE--- text. If that text is not present in the message, I wish the user to be prompted to verify that they are willingly sending an insecure message.

Here's the problem: by the time PHP checks that message to see if it needs to be encrypted, the message has already been sent: it's too late, one way or the other. Encryption needs to be done before transmission, which means it has to happen on the client's side. Your best solution would be to use HTTPS throughout your site.

harrumph;11002987 wrote:
Again, this is not intended to be used as a real security mechanism, but rather just as a training too to hopefully get some people into the habit of using good security practice.

You would be "training" them with a false sense of security - which, I would argue, is far more harmful than doing nothing at all.

harrumph

traq;11002990 wrote:
Actually, no - integrating code with an existing system (especially one as complex as vBulletin) is usually the hardest part of the job.

It was very easy last time, unfortunately I do not have the user on the forum who did it previously. He considered it a quick hack, and it worked perfectly for quite some time. It is simply a matter of the quality and skill of the coder.[/quote]

traq;11002990 wrote:
Here's the problem: by the time PHP checks that message to see if it needs to be encrypted, the message has already been sent: it's too late, one way or the other. Encryption needs to be done before transmission, which means it has to happen on the client's side. Your best solution would be to use HTTPS throughout your site.

I would explain the difference between GPG and transport security to you, but time is money and I don't have that kind of time.

traq;11002990 wrote:
You would be "training" them with a false sense of security - which, I would argue, is far more harmful than doing nothing at all.

See above - the security they are being trained for is to incorporate localized encryption into their daily use. It has been a very effective strategy for a very long time, and your lack of understanding does not diminish our current ability to work with companies in politically unfriendly nations safely, partly as a result of years of training. If we have helped them to keep solid security techniques in mind, then we have served our clients as CISSPs well.

harrumph

...when I started with TOPS10 we didn't use passwords, usernames were sufficient. Interestingly, this was a popular system in my branch of the military.

I greatly appreciate the wisdom you have both contributed to this thread and for pointing me in what may be a better direction. I will discuss the issue with someone in the next few days and one way or another have it addressed, I was just hoping that since I had a few minutes, I'd be smart enough to do it myself.

Nope. 🙂

Thanks everyone. 🙂

traq

harrumph;11002992 wrote:
I would explain the difference between GPG and transport security to you, but time is money and I don't have that kind of time.

Meaning GnuPG?

I do understand the difference: which is my point. PHP works on the webserver. If you use PHP to check for encryption, the message has already been transported as plain text. HTTPS would offer some protection in that case.

Encryption (PGP, whatever) would only be effective if it happened before that.

harrumph;11002992 wrote:
See above - the security they are being trained for is to incorporate localized encryption into their daily use. It has been a very effective strategy for a very long time, and your lack of understanding does not diminish our current ability to work with companies in politically unfriendly nations safely, partly as a result of years of training. If we have helped them to keep solid security techniques in mind, then we have served our clients as CISSPs well.

"Certified Information Systems Security Professional," I presume? I love all the acronyms you're using. Why would a "professional" be looking for a "hack" as a solution?

Anyway, perhaps I misunderstood your objective. Are you only looking to point it out when they don't encrypt messages before sending? (A "slap on the hand," so to speak?) I'd agree with Brad: look for a javascript solution. Since it's not "critical," let the client handle it: as an added benefit, this would allow users to correct themselves (go back and encrypt the message) before actually sending.

Best of luck,

-Adrian

harrumph

GnuPG is one very specific implementation of GPG, yes. The idea is for the web server to examine the text, locate the desired ---BEGIN PGP MESSAGE--- then allow the transaction. Perhaps Javascript is best for this, I wouldn't be the one to know.

If you study a little bit about computer science, you will see the fine line between what you seem to be misinterpreting as a hack as being an evil thing. This is simply one of many very common and oft-implemented security measures used in low-to-no security fields. If you don't care for it, I encourage you to write your congressman and tell hir to stop paying me to do it. You will either be laughed at, or if you are fortunate enough to get in touch with someone more patient and more bored than I, you may learn how the human mind works and how real security exists much more in our behavior than in our technology.

I have not had to build such a hack for my own use before on any system, much less a vBulletin forum used for the purpose it is, and when this challenge broke, I thought I would ask people here in the hopes of being able to do it myself. It apparently IS much more specific to the application than I had anticipated, and it could well be that she ended up doing it in javascript anyway. All I know is that delegation is a good thing. 🙂

Props and thanks to the individual who PMed me here with a solid attempt at a solution - by the time I posted it, the issue had been resolved. I noticed the prompt as soon as I tried to PM it to her 🙂 In any case thanks, it was nice to see one person satisfied with the size of their genitalia and not feeling the need to try to puff it up.

traq

Not necessarily "evil," but potentially fragile.

You say "...He considered it a quick hack, and it worked perfectly for quite some time." Presumably, it worked until something about the environment changed - maybe an upgrade to a newer version of vBulletin? I was trying to say that, in a situation like this, I would want a solution that was robust enough to be well-integrated and reusable, not something that the author considered "a quick hack."

My intent was (is) to provide a helpful response to your post. No "puffing" was intended. I am not concerned with being laughed at, nor envious of your understanding of computer science or the human mind, nor particularly interested in how bored you are. Since you asked the question, I assumed you wanted an answer. I gave the answer I considered most appropriate and useful: not functional code that does what you describe, but an assessment of the underlying concept.

If you are interested in considering constructive input, please allow me to start again.

I think that you may have overlooked, or misunderstood, this concern with your approach.

From your first post:

I wish the user to be prompted to verify that they are willingly sending an insecure message.

your most recent post:

The idea is for the web server to examine the text, locate the desired ---BEGIN PGP MESSAGE--- then allow the transaction.

Your posts seem to indicate that you want the user to be aware of the risk before it's too late (which would make sense).

At the same time, you don't seem to recognize (or acknowledge) that, if PHP does the warning, then it's already too late.

The transaction has already been allowed to begin, and the security of the message has already been left to chance at least once. Asking the user to "verify" a choice implies that it's not too late to reconsider - and therefore, that the user is still "safe," which is not true at all. This is the "false" sense of security I was concerned about.

I understand that in the particular situation, security is not a critical issue. But what happens when someone does need to send a secure message? You've trained them to click "Send Message" first, and then think about security.

This is the outcome I had in mind when I said you'd be better off doing "nothing at all": at least the user might stop and think that, since they're doing something they don't normally do, they might need to take a different approach. Instead, they may recall that their "normal" approach already accounts for security (but in actuality, only appears to).

You say, "real security exists much more in our behavior than in our technology." I completely agree. Therefore, ineffective (because it's too late for correction) or superficial (because you don't actually check that the message is encoded) behaviors are not desirable.

harrumph

traq;11003017 wrote:
Not necessarily "evil," but potentially fragile.

You say "...He considered it a quick hack, and it worked perfectly for quite some time." Presumably, it worked until something about the environment changed - maybe an upgrade to a newer version of vBulletin? I was trying to say that, in a situation like this, I would want a solution that was robust enough to be well-integrated and reusable, not something that the author considered "a quick hack."
At the same time, you don't seem to recognize (or acknowledge) that, if PHP does the warning, then it's already too late.

See there IS no "too late" because this is training. It is psyops, it is just getting the user in the habit of doing this properly. If a user never ever encrypts one single document, they will be reassigned to something more menial. Missing one in a while though is par for the course - how many times in college did you drop a single ; in a COBOL program and spend hours tracking it down? 🙂

"Qucik Hack" is something I used a lot with coworkers when I was at IBM. IBM called hotfixes "PTS" short for Program Temporary Fix. We always called it permanent temporary fix, because that was more likely the case. So when I say that my previous fix was a "quick hack" I mean it is a long-lasting fix that has worked for many years without any trouble.

You are doubtless on the money when you say something changed, and my task now is to find out what. If you have it in your heart, please wish me luck - as you can see, SQL/PHP are NOT my forte.

The transaction has already been allowed to begin, and the security of the message has already been left to chance at least once. Asking the user to "verify" a choice implies that it's not too late to reconsider - and therefore, that the user is still "safe," which is not true at all. This is the "false" sense of security I was concerned about.

Once again I wish I could argue with you, but I think we are saying the same thing in different ways. If the security information was Secret or Top Secret, we have two rooms of people double-checking one another's work. At this low level of federal government if a mistake is made, someone else will catch it, yell at the minority employee who made the mistake because they don't speak or read English, and I end up getting yelled at.

But this is another topic. Thank you kindly for all of your valuable assistance. Time is money, and I appreciate yours. If you find your self in Charlotte, NC, shoot me a PM and I will owe you a beer. 🙂

harrumph

harrumph;11003019 wrote:
See there IS no "too late" because this is training. It is psyops, it is just getting the user in the habit of doing this properly. If a user never ever encrypts one single document, they will be reassigned to something more menial. Missing one in a while though is par for the course - how many times in college did you drop a single ; in a COBOL program and spend hours tracking it down? 🙂

"Qwick Hack" is something I used a lot with coworkers when I was at IBM. IBM called hotfixes "PTS" short for Program Temporary Fix. We always called it permanent temporary fix, because that was more likely the case. So when I say that my previous fix was a "quick hack" I mean it is a long-lasting fix that has worked for many years without any trouble.

You are doubtless on the money when you say something changed, and my task now is to find out what. If you have it in your heart, please wish me luck - as you can see, SQL/PHP are NOT my forte.

Once again I wish I could argue with you, but I think we are saying the same thing in different ways. If the security information was Secret or Top Secret, we have two rooms of people double-checking one another's work. At this low level of federal government if a mistake is made, someone else will catch it, yell at the minority employee who made the mistake because they don't speak or read English, and I end up getting yelled at.

But this is another topic. Thank you kindly for all of your valuable assistance. Time is money, and I appreciate yours. If you find your self in Charlotte, NC, shoot me a PM and I will owe you a beer. 🙂

I understand that in the particular situation, security is not a critical issue. But what happens when someone does need to send a secure message? You've trained them to click "Send Message" first, and then think about security.

This is the outcome I had in mind when I said you'd be better off doing "nothing at all": at least the user might stop and think that, since they're doing something they don't normally do, they might need to take a different approach. Instead, they may recall that their "normal" approach already accounts for security (but in actuality, only appears to).

Your point is taken, however we are not really talking about professional spys or anything, just basically average citizens and housewives who are more trained than they are learned. If we train them early off in their career to do things properly, they are better prepared to automatically, without thinking, pick up the phone and answer discreetly. Heck which the exception of legal interviews (banks and jobs and mortage, etc) I can't even remember the last time gave my real name to anyone for anything. The other day an AT&T salesperson came to my door, the fourth one selling the same thing. I explained that my internet connection comes directly from God's penis, he obligingly drops it down from heaven when I want to get online. He demanded to know my SSN - I told him it was 666-00-1234.

I mention that fully off-topic rant because it demonstrates that 99% of the things that people demand THEY DON'T NEED TO KNOW.

So bottom line is all related to what is called memetics. We program people to behave the way that suits their task best, and we then let them go.

You may want to read Michael Aquino's doctoral thesis sometime, it is fascinating. Dr. Aquino was literally the man in charge of staring at goats as the movie implied.

So * up and send a plaintext message - no big deal whatsoever. * up and send a plaintext message once you have Top Secret clearance, and you may end up cellmates with Bradley Manning.

You say, "real security exists much more in our behavior than in our technology." I completely agree. Therefore, ineffective (because it's too late for correction) or superficial (because you don't actually check that the message is encoded) behaviors are not desirable.

See once again there is no need for protection. Ever notice how firemen go out on practice runs now and then? This entire debate is about the practice runs people make practicing encryption. The more they proactive, they better they get and the more prepared they'd be.

If we had it your way, firemen and policemen would not be trained. Would you prefer to fight on the side of an army who has had SOME training, or on an army which has had NO training, knowing that the training army is fully aware of the possibility that they MIGHT make a mistake, but that the enemy army is rife with mistakes.

I don't know how to explain this any more basically without going back to 4th grade McGraw Hill English books to describe the grammer. You seem to be an on the ball guy, you just don't seem to be getting the point that if a plaintext email is actually sent, it doesn't matter because the people sending those plaintext emails are not sending highly classified documents, only mindless paperwork while they practice using crypto.

Does any of this make sense? I used to teach math, and so my teaching skills are very solid and mechanical and dry, and often difficult to follow even for the brightest person.

Weedpacket

Doesn't the encryption model depend on the security model - i.e., what the encryption is supposed to be securing? What is supposed to be secured in this case? Misdeploying security technology is like training a fire service to water the garden.

harrumph wrote:
...often difficult to follow even for the brightest person.

Which is a negative quality for a teacher.

harrumph

Yes, that was one of the first things we learned. I was surprised that most people ddn't realize it, considering it was a class of security devotee.

Again, had you any familiar with security procedure, you would see the vast majority of it is training and not technology. That answers your question.

Fortunately I am not a teacher - that is why I am not bothering to teach the participants in this thread what security is and how it is implemented by the U.S. government. You would not have he intellectual capacity to understand - that is not a slight against you, some people are just born with smaller cranial capacity.

harrumph

harrumph;11003028 wrote:
Yes, that was one of the first things we learned. I was surprised that most people ddn't realize it, considering it was a class of security devotee.

Again, had you any familiar with security procedure, you would see the vast majority of it is training and not technology. That answers your question, despite your apparently repeated failure to understand how.

cretaceous

heh - another contender for post of the week...

harrumph

Agreed. yOU are unable to understand what side of thee poll you're firmly rooted yourself.

harrumph

harrumph;11003035 wrote:
Agreed. yOU are unable to understand what side of thee poll you're firmly rooted yourself.

Let me guess - you're an Obama guy with below averagre income, right?

harrumph

Remedial reading courses are available at most adult education centers. Focus on English, your obvious weak point other than the manners your parents brought you up with.