<html>
  <head>
    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
  </head>
  <body>
    Marlon,<br>
    <br>
    <div class="moz-cite-prefix">On 21/07/2020 14:54, Marlon Deerr
      wrote:<br>
    </div>
    <blockquote type="cite"
cite="mid:WM!561b5eb010fbb7a85e384183333621c66d9fb679a24221c54e4fea9e99443aee465bddbfd24a06a751f3467bca733eb4!@mx.jul.es">
      <div class="WordSection1">
        <p class="MsoNormal"><span style="color:#1F497D">Jules,<o:p></o:p></span></p>
        <p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
        <p class="MsoNormal"><span style="color:#1F497D">Awesome. Glad I
            was able to help.<o:p></o:p></span></p>
        <p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
        <p class="MsoNormal"><span style="color:#1F497D">As for your
            explanation, it makes perfect sense now. If only everyone in
            the world was really nice and had no knowledge of brute
            force attacks.</span></p>
      </div>
    </blockquote>
    It's about the simplest possible form of "side channel" attack. You
    discover bits of information about the thing you are trying to break
    by watching it in some way. In this case, it's as simple as watching
    for when the error message would change. As I say, it's the simplest
    one.<br>
    <br>
    Once you start having to be really careful, you suddenly realise you
    need things like a simple function that compares 2 strings (did
    their encryption key match the real one?), that *always* takes
    exactly the same length of time regardless of whether the strings
    match or not. Otherwise you're vulnerable to a time-based
    side-channel attack.<br>
    <br>
    When you get into the world of chip+pin credit cards, you have to be
    sure that whether the PIN matches or not, the *input* power required
    to run the chip doesn't change. Otherwise an ammeter (an electrical
    current probe) can watch and (very fast!) log the power consumption,
    and so you can make deductions about the internal decisions on the
    chip. Try lots of different input combinations and watch how the
    trace of current vs time is different for each input value you try.<br>
    <br>
    There are literally thousands of examples, but those are a couple of
    the most common.<br>
    They rarely give you a direct answer or a direct way into hacking
    something, but they will provide more little nuggets of information
    that the hacker needs.<br>
    <br>
    "Security by design" is fundamental. And extremely difficult!<br>
    But a very interesting subject. Try googling "side channel attack",
    I'm sure you'll find some interesting reading.<br>
    <br>
    <br>
    <blockquote type="cite"
cite="mid:WM!561b5eb010fbb7a85e384183333621c66d9fb679a24221c54e4fea9e99443aee465bddbfd24a06a751f3467bca733eb4!@mx.jul.es">
      <div class="WordSection1">
        <p class="MsoNormal"><span style="color:#1F497D"><o:p></o:p></span></p>
        <p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
        <p class="MsoNormal"><span style="color:#1F497D">With that said
            however, as for not showing the message to let the user know
            that they have been locked out, is there a way for an email
            to be sent to the administrator (maybe an option that can be
            turned on/off by the admin) whenever someone’s account has
            been locked.</span></p>
      </div>
    </blockquote>
    That's what the package "logwatch" is for. It's very good at it
    already, so I'm not going to reinvent it. :-)<br>
    Install it and learn how to set it up.<br>
    <br>
    Cheers,<br>
    Jules.<br>
    <br>
    <br>
    <blockquote type="cite"
cite="mid:WM!561b5eb010fbb7a85e384183333621c66d9fb679a24221c54e4fea9e99443aee465bddbfd24a06a751f3467bca733eb4!@mx.jul.es">
      <div class="WordSection1">
        <p class="MsoNormal"><span style="color:#1F497D"> This way if I
            am the admin, I am fully aware of whose account was locked
            before they even generate a ticket to me. Receiving a
            notification email of this can be a feature I choose to turn
            on or off if I don’t want to be notified but will rather
            manually check logs on my own schedule to see what’s
            happening on my ZendTo server.<o:p></o:p></span></p>
      </div>
      <br>
      <p class="ImprintUniqueID"><b>Marlon Deerr</b>, <b>Technology Manager</b><br>
        <a href="mailto:MDeerr@hshlawyers.com" moz-do-not-send="true">MDeerr@hshlawyers.com</a> |
        <a href="https://www.hshlawyers.com" moz-do-not-send="true">www.hshlawyers.com</a></p>
      <div class="WordSection1">
        <div>
          <div style="border:none;border-top:solid #E1E1E1
            1.0pt;padding:3.0pt 0in 0in 0in">
            <p class="MsoNormal"><b>From:</b> Jules
              [<a class="moz-txt-link-freetext" href="mailto:Jules@Zend.To">mailto:Jules@Zend.To</a>] <br>
              <b>Sent:</b> Tuesday, July 21, 2020 9:43 AM<br>
              <b>To:</b> ZendTo Users <a class="moz-txt-link-rfc2396E" href="mailto:zendto@zend.to"><zendto@zend.to></a><br>
              <b>Cc:</b> Marlon Deerr <a class="moz-txt-link-rfc2396E" href="mailto:MDeerr@hshlawyers.com"><MDeerr@hshlawyers.com></a><br>
              <b>Subject:</b> Re: [ZendTo] Failed to unlock user $user
              as did not match usernameRegexp from preferences.php<o:p></o:p></p>
          </div>
        </div>
        <p class="MsoNormal"><o:p> </o:p></p>
        <p class="MsoNormal" style="margin-bottom:12.0pt">Marlon,<br>
          <br>
          You are doing a thorough job of this, thank you!<br>
          <br>
          I have fixed the bug(s) you described. It now behaves exactly
          as expected, including the logging. This will be in the next
          release.<br>
          <br>
          As for the feature request, the current behaviour is by
          design.<br>
          Someone nasty (a "bad actor" in the jargon) is using your
          ZendTo site to brute-force break your password.<br>
          They keep trying different passwords, but always get the same
          simple "incorrect" response.<br>
          They don't know ZendTo very well, and don't know your
          configuration settings at all.<br>
          As a result, they can't tell if or when they should give up
          trying to break your username/password, and try some other
          username instead.<br>
          <br>
          As soon as you display *anything* different, the attacker
          knows the lock-out limit has been reached and so they should
          abandon their current attempt and try another one.<br>
          <br>
          So you *never* give away any hints as to why the login attempt
          failed, beyond a simple fixed error message.<br>
          <br>
          It logs it in the ZendTo log (/var/log/zendto/zendto.log is
          the file that the "System Log" button shows you the end of),
          so you can check there.<br>
          <br>
          Cheers,<br>
          Jules.<br>
          <br>
          P.S. The "start" and "expiry" date/time selectors on the
          "Request a drop-off" form are nearly there. I just want to
          tidy up that page design layout, it's a bit of a mess and I
          would prefer it to use a grid or two and a flex box like the
          "new drop-off" form now does.<span style="font-size:12.0pt"><o:p></o:p></span></p>
        <div>
          <p class="MsoNormal">On 21/07/2020 13:45, Marlon Deerr via
            ZendTo wrote:<o:p></o:p></p>
        </div>
        <blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
          <p class="MsoNormal"><span lang="EN-CA">Hi Jules,</span><o:p></o:p></p>
          <p class="MsoNormal"><span lang="EN-CA"> </span><o:p></o:p></p>
          <p class="MsoNormal"><span lang="EN-CA">I was testing ZendTo.
              I wanted to see what the log files will report when a user
              is locked out after 10 unsuccessful login attempts. I
              noticed that the log file (I think) is incorrectly
              reporting that a user was not unlocked after
              administratively unlocking the account, when in fact the
              user was successfully unlocked. Here are the steps I
              performed.</span><o:p></o:p></p>
          <p class="MsoNormal"><span lang="EN-CA"> </span><o:p></o:p></p>
          <ol>
            <li><span lang="EN-CA">Purposely attempted to log in as a user with incorrect password 10 times</span></li>
            <li><span lang="EN-CA">Logged in as an admin user and examined the System Logs</span></li>
            <li><span lang="EN-CA">System Log file successfully identified this locked user</span></li>
            <li><span lang="EN-CA">Clicked on “Unlock User” from the main screen and selected the user to unlock and unlocked her</span></li>
            <li><span lang="EN-CA">Examined the System Logs again, but this time it said “<b>Failed to unlock user $user as did not match usernameRegexp from preferences.php</b>”</span></li>
            <li><span lang="EN-CA">Logged out as the administrator user</span></li>
            <li><span lang="EN-CA">Tried logging in as this “supposedly” locked user <b>BUT</b> the login was successful.</span></li>
          </ol>
          <p class="MsoNormal"><span lang="EN-CA"> </span><o:p></o:p></p>
          <p class="MsoNormal"><span lang="EN-CA"> </span><o:p></o:p></p>
          <p class="MsoNormal"><span lang="EN-CA">Does this mean that
              the System Log file is incorrectly reporting that the user
              was not unlocked, when in fact the user was unlocked?</span><o:p></o:p></p>
          <p class="MsoNormal"><span lang="EN-CA"> </span><o:p></o:p></p>
          <p class="MsoNormal"><b><span lang="EN-CA">ALSO:</span></b><span
              lang="EN-CA"> Feature Request (if possible)</span><o:p></o:p></p>
          <p class="MsoNormal"><span lang="EN-CA"> </span><o:p></o:p></p>
          <p class="MsoNormal"><span lang="EN-CA">When a user is
              approaching the maximum allowed failed login attempts can
              you include a message that</span><o:p></o:p></p>
          <p class="MsoNormal"><span lang="EN-CA"> </span><o:p></o:p></p>
          <ol>
            <li><span lang="EN-CA">Warns the user that you have x more attempts before you get locked out (where x is a number)</span></li>
            <li><span lang="EN-CA">After the user has failed to log in after 10 attempts, instead of just saying “Authentication Error. The username or password was incorrect”, can it not say something like “Authentication Error. You have attempted more than the allowed failed attempts to log in. Your account therefore has been locked. Please contact your administrator to have it unlocked”</span></li>
          </ol>
          <p class="MsoNormal"><span lang="EN-CA"> </span><o:p></o:p></p>
          <p class="MsoNormal"><span lang="EN-CA">While testing this
              feature above, I found that I was not keeping track of how
              many times I made a failed login and must have tried over
              and over again waiting for a message to let me know that I
              was locked out.  I think having such a message will help
              reduce IT Tickets from staff wondering why they can’t log
              in. They may not even know they have been locked out.</span><o:p></o:p></p>
          <p class="MsoNormal"><span
              style="font-size:12.0pt;font-family:"Times New
              Roman",serif"><br>
              <br>
              <o:p></o:p></span></p>
          <pre>_______________________________________________<o:p></o:p></pre>
          <pre>ZendTo mailing list<o:p></o:p></pre>
          <pre><a href="mailto:ZendTo@zend.to" moz-do-not-send="true">ZendTo@zend.to</a><o:p></o:p></pre>
          <pre><a href="http://jul.es/mailman/listinfo/zendto" moz-do-not-send="true">http://jul.es/mailman/listinfo/zendto</a><o:p></o:p></pre>
        </blockquote>
        <p class="MsoNormal"><span
            style="font-size:12.0pt;font-family:"Times New
            Roman",serif"><br>
            <br>
            <o:p></o:p></span></p>
        <pre>Jules<o:p></o:p></pre>
        <pre><o:p> </o:p></pre>
        <pre>-- <o:p></o:p></pre>
        <pre>Julian Field MEng CEng CITP MBCS MIEEE MACM<o:p></o:p></pre>
        <pre><o:p> </o:p></pre>
        <pre>The current UK shipping forecast:<o:p></o:p></pre>
        <pre>Trafalgar: Cyclonic 6 to gale 8 at first in southeast, otherwise northerly 5<o:p></o:p></pre>
        <pre>to 7, becoming variable 3 or 4 in southeast. Moderate or rough, occasionally<o:p></o:p></pre>
        <pre>very rough. Thundery showers. Good, occasionally poor.<o:p></o:p></pre>
        <pre><o:p> </o:p></pre>
        <pre><a href="http://www.Zend.To" moz-do-not-send="true">www.Zend.To</a><o:p></o:p></pre>
        <pre>Twitter: @JulesFM<o:p></o:p></pre>
      </div>
    </blockquote>
    <br>
    <pre class="moz-signature" cols="72">Jules

-- 
Julian Field MEng CEng CITP MBCS MIEEE MACM

'Think globally, act locally.' - Friends of the Earth

<a class="moz-txt-link-abbreviated" href="http://www.Zend.To">www.Zend.To</a>
Twitter: @JulesFM
</pre>
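<br>
The two side channels discussed in this thread, as an added example that is not part of the original message and not ZendTo's own code: a string compare that stops at the first differing byte (the number of bytes it examines is what a timing probe observes) beside a constant-time compare, and a login handler that always returns the same fixed error text and records the lock-out only in the server log, beside the variant requested in the thread whose text changes when the limit is hit. It is written in Python rather than ZendTo's PHP; PHP's hash_equals() plays the part of hmac.compare_digest() here. The LoginService class, the 10-attempt limit and the sample credentials are constructed for this example.<br>

```python
"""Added example; not ZendTo's own code.

Models the two side channels discussed in the thread:
  1. a string compare that stops at the first differing byte leaks, through
     how long it runs, how much of the secret was right; a constant-time
     compare does not;
  2. a login handler whose error text changes as the lock-out limit is reached
     tells the attacker when to give up on that username; a single fixed
     message does not, and the lock-out is recorded only in the server log.
The class, the 10-attempt limit and the sample credentials are constructed.
"""
import hashlib
import hmac
import os

MAX_FAILURES = 10   # assumed lock-out limit; mirrors the 10 attempts in the thread
FIXED_ERROR = "Authentication Error. The username or password was incorrect"
PBKDF2_ROUNDS = 10_000   # kept low so the example runs quickly


def naive_equal(a: bytes, b: bytes) -> tuple:
    """Early-exit compare. Returns (equal, bytes examined). The second value
    is what a timing probe observes: it grows with the length of the matching
    prefix, so the secret can be confirmed one byte at a time."""
    if len(a) != len(b):
        return False, 0
    steps = 0
    for x, y in zip(a, b):
        steps += 1
        if x != y:
            return False, steps
    return True, steps


def constant_time_equal(a: bytes, b: bytes) -> bool:
    """hmac.compare_digest looks at every byte whatever the position of the
    first difference, so its running time carries no information."""
    return hmac.compare_digest(a, b)


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


class LoginService:
    """Account store with a failed-login counter, a lock-out and a server log."""

    def __init__(self, leaky_messages: bool = False):
        self.leaky_messages = leaky_messages
        self.log = []                 # stands in for /var/log/zendto/zendto.log
        self._salt = os.urandom(16)
        self._dummy = hash_password("", self._salt)   # compared for unknown users
        self._users = {}
        self._failures = {}
        self._locked = set()

    def add_user(self, username: str, password: str) -> None:
        self._users[username] = hash_password(password, self._salt)

    def unlock(self, username: str) -> None:
        """What the admin's "Unlock User" action does; logged like the lock-out."""
        self._locked.discard(username)
        self._failures.pop(username, None)
        self.log.append(f"Unlocked user {username}")

    def attempt(self, username: str, password: str) -> tuple:
        """Returns (success, message shown to the client)."""
        known = username in self._users
        stored = self._users[username] if known else self._dummy
        # Hash and compare on every call, unknown or locked user included, so the
        # response time does not say which of those cases applied.
        credentials_ok = constant_time_equal(stored, hash_password(password, self._salt)) and known
        locked = username in self._locked

        if credentials_ok and not locked:
            self._failures.pop(username, None)
            return True, "OK"

        if known:
            n = self._failures.get(username, 0) + 1
            self._failures[username] = n
            if n >= MAX_FAILURES and not locked:
                self._locked.add(username)
                self.log.append(f"Locked user {username} after {n} failed logins")

        if self.leaky_messages:
            # The variant requested in the thread: the wording changes at the
            # limit, which is exactly the signal an attacker waits for.
            if username in self._locked:
                return False, "Your account has been locked. Please contact your administrator"
            remaining = MAX_FAILURES - self._failures.get(username, 0)
            return False, f"{FIXED_ERROR}. You have {remaining} more attempts"
        return False, FIXED_ERROR


if __name__ == "__main__":
    svc = LoginService()
    svc.add_user("alice", "correct horse battery")
    for _ in range(MAX_FAILURES + 1):
        print(svc.attempt("alice", "guess"))   # same message every time
    print(svc.log)                              # the lock-out shows up here only
```

With the default (fixed) policy the client sees the same text on the first wrong guess, the tenth, and even a correct password against a locked account; the only record of the lock-out is the log line, which is the one a tool like logwatch would pick up and mail to the administrator.<br>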
  </body>
</html>