Turns out that in this case, phpBB2 was probably easier to work with than phpBB3. With phpBB2 the post text is already separated from most of the other post meta data (such as poster, poster IP address, and so on) which made it very easy to design a way to track post revisions. In phpBB3 they combined the phpbb_posts and phpbb_posts_text tables into a single table. In order to track post revisions in that case, the design would call for splitting the text out into a separate table in order to track the post text revisions without having to duplicate all of the other post meta data.

In any case, I have finished the coding and testing for everything and it’s functional. What’s left is going back and adding in some security checks to make sure people can’t do things they’re not supposed to do…

NetGear Duo Backup Process

My last post on this blog was about how I used a shell script on my NetGear Duo to automate the backup process for my various phpBB2 boards and other web sites. As part of that post I wrote:

To make sure I didn’t miss out on backup files any more I also added a line at the end of the process to email me the results of the backup script. Now each morning I can check my smartphone and confirm that the backup process ran correctly the night before.

For a while this backup process ran just fine. The notification came in to my phone just as expected. Then at some point I noticed that the back up process which was supposed to run at 2AM was instead running at 3AM. I did not worry about it too much. I just assumed that there was something going on with the cron schedule and I would look at it later when I had time. The important issue (downloading the back up files) was being handled, albeit at a different time than expected.

Ancient Virus

Remember nimda? It was a virus that came out back in 2001. I guess the formal classification is that it was really a worm, not a virus, but many folks use the terms interchangeably even though they’re not the same. I had some friends with some older computer hardware that they were trying to retire, but they still had some data on the older machines that they were trying to retrieve. The problem is that the files they needed to move were too big for a thumb drive, this particular computer had no cd-writer (it was from 2000, after all), and they weren’t comfortable removing the hard drive and moving it to a new machine. So they brought it over to my house.

I first tried removing the hard drive and putting it into an external drive chassis to read the files. Interestingly enough, the drive would not get show up. I wasn’t sure why, but that wasn’t the problem I was trying to solve. I noticed that the original computer case had a network port, so I decided to put the hard drive back in the box and connect it to my network. We had already established that the machine would boot up so I knew that would work.

As soon as we did that, my own computer started going crazy, making all sorts of beeps and noises! Turns out that this ancient machine was infected by the Nimda worm, and as soon as it got connected to my network it started to spread. Funny, being attacked by a ten-year old worm! I say “funny” because my AVG installation seemed to be doing its job and properly sending all of the infected files to the quarantine. I guess if you’re in the anti-virus (anti-worm) market, you had better make sure that you can capture anything that’s ten years old just as efficiently as newer stuff.

Ultimately we were able to recover the files for my friends, and I learned my lesson. The next time they brought over a computer I set up an isolated network between their machines rather than attach them to my network.

Interesting footnote: my iTunes library is stored on my NetGear device, both for redundancy and for file sharing purposes. Because it’s shared, that particular volume is open to the network. Because it’s open to the network, I think Nimda dropped a file into every single folder, which I then had to clean up. More on this later.

iTunes Difficulties

Around the same time iTunes released a new version (10.6) that was supposed to handle album artwork better. Now normally I am not a fan of jumping on the latest update. In fact I have my “automatic update” turned off for iTunes just to avoid experiencing a broken system when something that I have is already working. But in this case I had experienced a number of issues with managing my iTunes art, so I decided to install the update. It does, in fact, handle album artwork much better so I was pleased with the update.

A few days later I made a trip to a local used book / compact disc store and came home with a stack of about 20 cds or so. I ripped them using iTunes, reset the artist from “First Last” format to “Last, First” as I like to do, and downloaded album art from my favorite album art site Album Art Exchange. These are all steps that I normally would do. While performing these various steps I was also listening to some of the new music that I had purchased. (”New” is a relative term, as I recall on this particular trip I found a number of “classic rock” artists from the 80’s so it was a nice blast of nostalgia.) Once I had performed all of my updates I synced iTunes to my iPod.

Here’s where it gets weird.

I went back to play some of the songs, and they were gone! The files were physically missing from the hard drive.

Investigation Part I

Remember that earlier I mentioned that my iTunes library is stored on a public network share, and that it had been attacked by Nimda, right? That was the first area I investigated. I first did a full scan of the entire system with AVG. I did a search for the file “droppings” that Nimda had left behind, and when I found them I deleted them or removed them from the AVG quarantine. I wondered if the worm was renaming some of my audio files rather than creating these as new files, but the only songs that were deleted were new ones. Nothing that had been ripped months (or years) ago was being deleted, it was only the new files.

I downloaded some specific scanners designed to find and remove Nimda and confirmed that I was infection free. Now what?

Investigation Part II

I re-ripped the music from cds, and carefully repeated the process. It seemed that once the songs were on the iPod, as long as I recovered them somehow iTunes was fine. It did not do any further deleting. I wasn’t sure what was going on, but at least the problem was something I could recover from. Next I ran a controlled test. Here’s what I did, and what I observed.

1. I ripped three new cds (new meaning ones that I had not ripped from my collection yet)
2. I navigated to the folder and confirmed that all songs had been ripped. I then zipped up the contents of each folder.
3. I made some minor edits to the data once the cds were ripped. As mentioned above, I prefer artist names to be “Last, First” rather than “First Last” so I generally update the artist and the album artist to reflect this. I also have a group tagging strategy, so every song has at least one entry in the grouping field. All of this worked fine.
4. I sync’d to my iPod. But this time I kept a Windows Explorer session open on one of the new folders. Gotcha… I watched some (but not all) of the files disappear.
5. I then checked my iPod. The files were there on the iPod, they just were no longer on my hard drive. Of the 3 new albums, here are the specific details.

   Album 1 – 11 tracks ripped, track 1, 3, 5, 6, 8, and 10 missing after sync
   Album 2 – 9 tracks ripped, track 1 missing after sync
   Album 3 – 11 tracks ripped, all 11 tracks deleted during sync process

   Seemingly a random sequence of events. I am not sure what to make of this right now.

6. To recover I unzipped the archived files I made for each album, and verified that iTunes could see the data (no more ! next to the song).
7. I sync’d to my iPod again. Now remember that the songs already exist on my iPod, they were just deleted from my hard drive. So there’s nothing to update. After the sync (the second time) the songs are still there on the hard drive, still on the iPod, and no issues.

What About Other Data?

At this point I had eliminated the Nimda worm from consideration. I went through some other applications and carefully created specific files on various folders throughout my network disk device. I opened / edited / closed and did a number of other operations. Nothing I did deleted files in other areas of the network disk device, so at this point I eliminated that from consideration. It really seemed to be the iTunes 10.6 update that was the culprit here, but how to fix it?

10.6.1 came out a few weeks later, and I immediately updated. It did not fix my problem.

Investigation Part III – Isolation

I decided to try a different iTunes installation. I repeated this experiment with the same cds on another computer. This computer also has iTunes 10.6 but is only used to sync to an iPhone belonging to my wife. There were no songs on this computer prior to me adding these test albums, so the library is very small. The library on my computer contains over 40,000 songs. Nothing went wrong on my wife’s computer, which is also running Windows XP. The primary difference is that on the second computer the iTunes library is stored locally rather than on the network device.

But I have already done what I can to eliminate the network device as the culprit.

I’m going in circles.

On my last test, back on my computer, I ripped a single cd and did not do any of my normal steps. I ripped and then moved immediately to sync to my iPod. The entire album – all 21 tracks – was deleted. Even the folder was removed!

Butterfly Wings

Yesterday (Sunday) I checked my email for the back up process. It ran, but all of the files were stamped August instead of April, and the year was 1992! I opened a shell session on the network disk device and confirmed that yes, it thought the date was 1992. I opened the administrator tool and confirmed that the date there was also showing as 1992. The device was set up to sync to a time server hosted by NetGear, so I turned that off and reset to the proper time manually. I confirmed that the new date took, and then went back and reset to the NetGear time service. It was back in 1992 again. A quick check of the NetGear forums found several other posts about the same thing, some of which suggested moving to a different time service.

Now it gets interesting. When I moved to a public time service (off of the private NetGear hosted service) not only did I get the correct time, but the hour difference mentioned at the very beginning of this post was also corrected!

All of a sudden a light went off. Could the one-hour time difference be impacting my iTunes?

Problem Resolved

In my earlier tests, when I ripped and immediately synced a single album, it meant that the entire set of songs was processed within an hour. I wondered if these songs were being deleted because iTunes was confused. According to my network disk device, these files would have been ripped one hour into the future! I know iTunes tracks a ton of data, including last played date, last skipped date, and of course the ripped date. Since the ripped date and the file create date on the operating system were out of sync by an hour, I can only assume that iTunes was doing something weird and ultimately deleting the files. The reason the deleting was more random when I ripped a bunch of songs was because (I guessed) the overall process took longer than one hour. If I worked quickly, more songs got deleted. If I took my time, fewer songs were deleted.

To test this concept I deleted the most recent album from iTunes and synced my iPod to clear everything up. I then ripped and synced the same album and none of the tracks got dropped. Everything was processed just fine. Earlier using these same steps all 21 tracks had been deleted.

Ultimately it appears that the Nimda worm was a red herring. It had nothing to do with the issue. The network drives were also functioning perfectly from a mechanical perspective. The network was also fine. I was not having a problem with any other application, only iTunes.

It was a combination of the network time service being wrong in conjunction with some weird program bug in iTunes that was causing random files to disappear. Once I reset my time using a public time service (the same one used for my Windows system) iTunes functioned fine.

That’s the butterfly effect. A clock is wrong by one hour and random music tracks are deleted as they are synced to my iPod.

That was my fun for the month. How was yours?

I also had a very old (PIII processor!) computer that was running linux. At one point I was using it as a development environment, but it had long since been retired from that duty. Why was it still around? I had created mount points for each of the RAID arrays on this linux box, and it was responsible for going to my web server (which hosts this blog, among other things) and downloading the nightly database backup files. (My web server runs a hot backup at 1AM each morning using the mysqldump command.) This linux box also had a script (running at 2AM) that would ftp to my web server, retrieve all of the database dumps, download them, add a date stamp to the file name, and then copy the resulting files out to the RAID array. The entire process was automatic, transparent, and for a long time was quite robust.

Until a few weeks ago.

At various points I would go out to the disk array and check to see that the backup files were properly being retrieved. The last time I checked, it seemed that I was not getting any backup files… at least not for the past several weeks. Attempting to log in to the development / backup box via ssh proved to be unsuccessful. After rebooting the box, though, everything came up and seemed to work. I was able to run the backup script without errors.

The next morning, however, there was no backup file from the prior night, and the box was once again locked up. To be honest, it wasn’t worth fixing. It was noisy, a power hog, and the only thing it was doing at this point was downloading the nightly backup files. The NetGear Duo was also running a variation of linux, so why not try that? I installed an add-on that enabled ssh access to the device and went to town. After a couple of different attempts I eventually got a cron job set up that would connect to my web server and do all of the same things my old linux box used to do, with the added advantage that the Duo was already on as a file server anyway so it was now taking on an additional task.

Life was good, and backup files began to show up on a regular basis once again. To make sure I didn’t miss out on backup files any more I also added a line at the end of the process to email me the results of the backup script. Now each morning I can check my smartphone and confirm that the backup process ran correctly the night before.

Time To Upgrade

But never one to leave well enough alone I decided to try upgrading one of the Duo devices to a newer model, the Ultra 2 Plus. This new device had a lot more memory, dual network ports, and a multi-core CPU. Everything should be faster. I also upgraded to the “black” series of Western Digital disk drives as I had experienced intermittent problems with using the “green” series inside the RAID enclosures. Everything came in last week and was installed with only a little fuss. I got my security configuration reset so that I can use the scp command (secure copy) to download the files from my web server. The last hurdle was that the new Ultra 2 Plus device did not have a mail command installed! After some research and posting on the ReadyNas forums (which by the way run phpBB) I got the answer: I have to use the sendmail command instead. This command is not quite as friendly as the mail command, but I got it to work.

Database Backup Script

My web server already has a cron job scheduled at 1AM that uses the mysqldump command to create a database dump of every database that I want to back up. Here is the following cron job which is scheduled on the Ultra 2 Plus. It’s responsible for connecting to the server, downloading the files, adding a date stamp, and then copying the files out to the designated sub-directory on the RAID. Finally it creates the mail file and sends it out. The list of databases to back up is included in a text file so that I don’t have maintain that script.

#!/bin/bash

# first establish local path location
cd /w_drive/incoming/

# next get updated copy of dbnames.txt
scp username@example.com:db_backups/dbnames.txt .

for dbname in `cat dbnames.txt`; do

#       Go get database backup file
        echo "Processing $dbname "
        scp username@example.com:db_backups/$dbname.sql.gz .

#       Establish some local variables
        filename="_`date +%Y-%m-%d`.sql.gz"
        filename="$dbname$filename"
        outputpath="/w_drive/$dbname/$filename"

        echo "Moving $dbname.sql.gz to $outputpath"

#       Rename local copy of db backup file to include date
        mv $dbname.sql.gz $filename

#       Then move dated backup file to proper output path
        mv $filename $outputpath
        chmod 644 $outputpath

done

# Build mail formatted file
echo "date: `date +%Y-%m-%d`" > mail.txt
echo "to: email@example.com" >> mail.txt
echo "subject: Backup" >> mail.txt
echo "from: email@example.com" >> mail.txt
cat /w_drive/incoming/getbackup.out | grep -v "tty" >> mail.txt

# Send the email
/usr/sbin/sendmail email@example.com < /w_drive/incoming/mail.txt

As an additional bonus, my office is a lot quieter without the extra server running. I don't know that it will make a noticeable difference in my power bill, but it will certainly help at least a little bit.

First come, first served.

Pet Names Don’t Make Good Passwords

People often struggle with remembering passwords. Yes, there are programs that can help you with that, but are they really that much more secure than writing things down on a piece of paper? Here’s one take from one of my favorite web comic authors:

The bottom line is that a password is supposed to protect an account from unauthorized access. It’s not supposed to prevent authorized access, but for infrequently used resources it can do that as well.

Password Storage

One indicator of concern to me is whether a web site can send you your existing password when you forget it. That means they’re likely using an encryption process rather than a hashing algorithm to store passwords. And that means anyone with access to the decryption key can read every password in the system. phpBB2 uses a hashing algorithm which means as a board owner / administrator I can safely say to any of my users that I cannot tell them what their password is. I can assign them a new one, and of course there is a self-service option available to phpBB2 users that will do just that, but I cannot tell them what their existing password is. In a default phpBB2 installation a user password is hashed and stored as a 32 character string. Similar passwords will generate very dissimilar hash strings, so there is no way for someone to easily guess what a password might be simply based on the results of the hash. For example, here are a few similar input values and the resulting MD5 hash outputs:

test     098f6bcd4621d373cade4e832627b4f6
Test     0cbc6611f5540bd0809a388dc95a615b
tset     751ec45015a704a39dc403001c963e97
test1    5a105e8b9d40e1329780d62ea2265d8a

Despite the similarity of the input values they all have very different hash values. That means that similar hash values are going to have very different input values as well. Also, because a hash is generated by a one-way function there is no way to recreate the input value based on the hash. (There are some cases where two different input values could generate the same output hash; that’s allowed.)

If that’s the case, then how can I tell if a user has entered the correct password when they log in? It’s actually really simple. When a user logs in, phpBB takes the password provided on the form, hashes it, and then compares the resulting hash value to the hash stored in the database. As long as the input values are the same (entering “test” as my password will always generate 098f6bcd4621d373cade4e832627b4f6 as the hash value) then the password matches and the user is logged in.

How, then, were hackers able to decipher the passwords stored in the phpBB.com database if there is no way to reverse a hash process? They didn’t. Instead they used a lookup table (also called a rainbow table) to match up known hash values with their source value. Imagine taking a dictionary and running every word in it through the hashing process. When you’re done, you have a list of hashes and their source. By matching password hash values against the list of known entries the hackers were able to figure out what a number of phpBB.com user passwords were.

To help defeat this sort of process, phpBB3 now uses a salted hash which provides even more security. I imagine someone has back-ported this to phpBB2 as a MOD but I have not had time to look for one yet. But the fact is if a secure password is used (a combination of words and numbers, or as the cartoon above suggests several words run together) the odds of the password appearing in a rainbow table are extremely slim, and even the simple hashing algorithm used in phpBB2 is essentially safe. Even changing the case of one letter helps, as shown in these two hash examples from earlier:

test     098f6bcd4621d373cade4e832627b4f6
Test     0cbc6611f5540bd0809a388dc95a615b

Changing the “t” to a “T” changes the hash. It might be even better to change something other than the first letter, for example changing the “e” to an “E” as in tEst. That’s a very easy word to remember and it’s not likely to show up on any rainbow table, unless a hacker wants to run every possible combination of upper and lower case letters for every possible dictionary word. Ultimately it would be better to use a combination of letters (mixed case), numbers, and even symbols where allowed.

So how important is it that phpBB3 uses a salted algorithm for passwords? If people were smart about what passwords they use then it really would not matter so much. But as shown in some of the related links at the end of this post, people are not very smart about the passwords they pick. In that case, the salting process is quite beneficial.

Social Engineering

Which brings me to my final issue for this post: people can be fond of certain passwords and often use (reuse) them on more than one site. If you use the same password for a phpBB board that you use for your banking system, then change it. Change it now. For one thing, most phpBB board owners do not use a secure protocol (such as HTTPS rather than HTTP) for their sites. That means the password is exposed during the transmission of the form data. Ultimately no matter how a password is stored or how complex the password might be, if people can be tricked into giving up their passwords by phishing emails, web site plugins, and other techniques, that’s a problem. If a hacker manages to grab the password for one site, they may then be able to use it on other sites. I have made a practice of using a unique password on every service I sign up for in order to prevent this for a very long time. But once again, xkcd.com says it better:

Related Links

• phpBB Password Analysis
• 500 Worst Passwords

with one of several holiday logos:

And of course this:

During the American Thanksgiving week we used this:

Over at the phpBB2 Refugees site we’ve swapped our normal refugee tent for one with a more holiday feel for the last several weeks:

Right now this is a manual process, which means I have to remember to edit the php code to invoke the new logo (or alternately use ftp to upload a replacement logo with the same name over the current one). Manual process? for Dave?

I’m setting up a database table with dates and alternate logo names, and will set up a cron job that every night at midnight checks to see if holiday logos are needed for the following day or not. On BOB we rotate among several logos, so there could be more than one logo at any given time. The logo information is then written to a cache file where it will be used for the following 24 hours.

Easy as pie.

Holiday pie.

The problem is, it accomplishes nothing.

Private messages are often a hot topic for board owners, probably because of the privacy implications of the name “private” message. As most board owners probably know, private messages are not truly private. Anyone with database access can read the private message text. Anyone with access to a backup SQL dump can do the same. But who has this type of access, and what can be done to prevent it?

Board Owner Access

In many cases, only one person owns and manages a web site that includes a phpBB board. In this case, that person is likely to have the administrator passwords for the phpBB board, the SQL database password, and ftp or even shell access to the server itself. Even if that person does not start out knowing the SQL database password, they can get it easily enough by downloading the config.php file and getting it from there. Now suppose that private messages are encrypted as suggested in the topic listed above. Is the data safe?

No, I’m afraid not. The data in the database is encrypted, but by definition the information has to be able to be unscrambled for the PM recipient to be able to see it. All the board owner has to do is download the php code to obtain the encryption key and then use it to decrypt the data. It turns out it’s not the fact that the data is encrypted or not, because the board owner has access to the data and the tools required to decrypt it. The board owner can still read private messages, it just takes longer.

Encryption Versus Hashing

Passwords are hashed, not encrypted. This means that even though the board owner can see what the hash string is in the field in the database, there is no way to de-hash the data. By definition a hashing algorithm is one-way. But if the private message text is hashed, then there would be no way to get the original text back! That’s why as a board owner I can change a password to something new, but I cannot tell you what your original password was.

The point is, hashing is secure. My password is relatively safe. Encryption by definition has to be reversible, and there is really no way to eliminate all avenues of accessing that information as long as access to the raw data is possible.

It’s About Trust Not Technology

Even in a more complex environment where there is more than one person with access to and permissions to manage a web site there is only so much that can be done to compartmentalize the issue. Someone, at least one person, is going to have access to the server. Even if it takes two or more people (one to get into the database, the other to decrypt the data) private messages are still not so private.

It all comes down to trust. If I don’t want someone to read what I wrote, I don’t write it down. I have to trust that a board administrator is not going to go about reading private messages, or that they’re not going to edit my post to make it look like I’m saying something that I didn’t, or that they’re not going to install a key-logger that captures my password as it’s entered on the login screen, or that they’re not going to try to … well, it goes on from there. Adding encryption to private messages doesn’t fix the issue.

And here’s one more loophole. I mentioned above that password information is hashed and therefore I cannot log in as “you” because I cannot determine your password. But I can do this:

• Log in to the SQL database and retrieve the hash for my password
• Also retrieve the hash for your password and save it
• Update your account so that your hash value is equal to mine. No I “know” your password because it’s the same as mine.
• I log in and do whatever I want to do as “you” because I have effectively stolen your identity
• When done, I reset your password hash back to the original value so you can log in again, and you have no idea that anything has happened

Not very nice, but certainly possible. You just have to trust me not to do these things.

It’s for this and other reasons I have removed the PM feature from the boards that I manage. By removing the illusion of privacy implied by the name “private message” I don’t have to deal with this.

I used the same function to update my canned messages MOD as well.

Oh, and I updated the color picker just a bit. The original color picker used values of 00, 40, 80, and two more to create an array of colors that was 5×5x5. I changed it to the old “Netscape Safe” color palette and used 00, 33, 66, 99, CC, and FF and created a 6×6x6 grid instead.

I have the new posting form activated on two different boards for the moment. As long as I don’t find too many issues I will write it up as a MOD.

I think I’ve managed to come up with something that definitely helps solve the first two scenarios and as a bonus helps the spammer problem as well. I call this my “Cross Post / Double Post” MOD, and it’s being tested on my beta board now.

The MOD design has so far turned out to be fairly simple. I tie into the flood control process and retrieve the post text for the last three posts by the user. From there I take the current post text and compare it to the prior posts. The first check is a straight equality check, meaning I check for the exact same post text. This will catch the “copy/paste” folks with very little overhead. If the post text is not identical, then next I use a function called similar_text(). (similar text reference at php.net) This function takes three arguments. The first two are the two strings to compare, and the third is a variable to store the results of the comparison, which is a number from 0 to 100. The result code should essentially be treated as a percentage. If the two posts are 95% similar then I check to see if the original post already in the database is in the same forum as the new post being attempted. If the forums are the same, then a “Double post” exception is triggered. If the forums are different, then a “Cross post” exception is triggered instead.

The number of posts (3) and percentage of similarity (95) are both controlled via the board configuration screen, so it’s quite flexible. Setting the percentage threshold to zero (0) is the same as turning the comparison process off.

This MOD is being tested on my “beta release” board right now. The first version of the MOD did not use the similar_text() function mentioned above. I attempted to use the soundex() function instead. However it seemed that the soundex() function did not look at enough text, so posts that were clearly different were still being reported as being the same. Switching functions solved that issue.

I’m now wondering if I need to deal with setting different threshold values for different forums. I hate to do that, as it drastically increases the complexity of the code. But for example there are many forum “games” that people play in an “off topic” type of forum. Some of those games look very repetitive, and would potentially trigger the CP/DP exception handling. Then again, the current logic looks across all forums, so as long as the person is active in more areas than just the off-topic games area it might be okay. I don’t want this feature to get in the way of normal use, but I do want to help out the moderator team by capturing / rejecting double post and cross post events.

Stay tuned for details as we start user testing this week.

1. Full-Text Search
   I created a full-text index on the post subject and text over a year ago to see if maintaining that index would cause any performance issues. I’m happy to say that I have not seen any challenges from inserts / updates with this index in place. I’m going to be altering the search screen to allow the full syntax offered by MySQL on this type of index and hope to release that in a few months. Some of the challenges I have not yet decided how to solve are things like limiting forums – either by security or user preference – and other criteria that can be entered on the standard search screen.
2. Capture Post Revisions
   I’ve also added some code to capture post revisions. We’ve had a couple of folks that come back to our board and edit their post, removing all of the text and leaving only something like “…” instead. This destroys the continuity of the topic, and as a result we’re going to now track post revisions by capturing the post text history. If needed a moderator will be able to review and then restore a prior post, and ultimately lock that post from further editing. As with the full text search I have done fairly extensive testing on how this is implemented in order to ensure that performance does not suffer, and I’ll have a few blog posts about that process. This MOD is completed and I expect to roll it out onto the main board in a few weeks. (FWIW, I first talked about this post several years ago, and am just now finally getting it completed.)
3. Moderator Posts
   I’ve added a new field to the post table that allows a moderator to designate whether it’s a moderator post or a user post. For example, moderators can certainly participate in a normal board conversation as a regular person. But they may also add posts in their role as a moderator. This new feature will format those posts differently so they stand out, will automatically remove the “personal” aspects of a post such as signatures, and does not increment a moderator post count for this type of post. It is intended to be a way for moderators to be able to separate out their moderator posts from their board participation posts. This MOD is also completed and expected to be released shortly.
4. Including External Content
   I’ve added some cron jobs that parse RSS feeds from several blogs owned by board members. Their blog posts are automatically set up as part of their signature (as “Latest Blog Posts”) and updated once an hour. For bloggers that our community wants to recognize, this is a great way for them to get additional exposure without having to manually update their signature every time they publish a new blog post. This part of the MOD is already in use on our board. Only board admins can currently enter blogger information, as we want to go through a review process and certify blogs rather than allowing just anybody to link to an external site. This was done by altering the administrator user edit form and leaving the regular user profile form alone.

   As an extension to this, I’m also pulling in the content from the blog post and storing that in a hidden forum. As the blog posts are added to the forum they are obviously added to the full-text index because they’re part of the same table. I am also adding these posts to the standard phpBB2 search tables at the same time. That way if someone searches for term “X” and that’s found in an external blog post, they’ll see a link in their search results. The blog address is stored on the topic table and a different icon is used to show the user that they’re leaving our board and heading to an external site. I have all of the main work done; the last requirement is altering search.php so that it offers the ability to include / exclude external content and then react to that setting accordingly. I hope to get this completed in the next few weeks.

5. Social Media Profile Links
   I’ve added Facebook, Twitter, and LinkedIn fields to user profiles. These are displayed along with the other profile links, using smaller 18×18 pixel logos. I’m planning on going back and redoing the other profile links to use the same form factor but that part hasn’t been done yet. Here are the images I’ve made, using logos or other material provided by each service provider.

One thing that many of these MODs have in common is my concern for performance. We’re over 750K posts now, and still running extremely well on a server that is hosting several dozen sites, although none of them as active as our big board. Every time I touch the code performance is a primary goal. Another MOD that I’ve been planning is to port the phpBB3 posting form back to phpBB2 since it does a better job of supporting modern browsers as well as proving some additional formatting features. I haven’t even started on that yet, but I think it would be good. Now that I’ve personally switched to Chrome as my standard browser I’m noticing some interesting quirks.

So that’s what I’ve been up to for the past few months.