Bobby Amlani (30), (nick alias: Blaster) founded UKChatterbox whilst studying at the Anglia Ruskin University, along with his brother Parul, aka Paz. This year marks it’s 10th anniversary, during which time, the service has seen a lot of changes, users, staff members and problems. What follows is an in-depth history of UKChatterbox (UKCB) from it’s beginning as a small IRC network, upto the present day, the largest moderated UK based chatrooms provider with ~2 million registered users.

Firstly, UKChatterbox didn’t first appear on the net as “UKChatterbox”, it’s beginning dates back to 2001. A website called gasbubbles.com created by Bobby, provided chat targeted at university students. Profiles had more details then the current UKCB, with users allowed to post contact details for IM (AOL, MSN).

UKCB’s predecessor; Gasbubbles

 
Gasbubbles was a laid-back service, few rules and regulations. In time the website-side of it would fade as UKChatterbox grew, although for a large time UKCB’s chat rooms were on the same server as GasBubbles, eventually these would merge.
Mid-2002 saw the first appearance of UKChatterbox, this was accompanied by UKStudentChat and UKTeenChatrooms, all with their own sites, although seemingly all sharing the same database, little-known fact, ukstudentchat.co.uk will, to this day take you to ukchatterbox.

UKChatterbox was aimed at both users in the UK, and users from outside, who just wanted to talk to people in the UK. At this time the site still was somewhat of a free-for-all, rules-wise.

Profiles on UKCB at this time contained a mass of info, some of which you probably wouldn’t make public nowadays, this includes, real name, date of birth, star-sign, location, uni, hobbies, favourite food/tv/film, likes/dislikes, and like gasbubble’s profiles; instant messenger details. Some time after this, and before 2003, Jackal joined as part of the help team, he later went on to become administrator, then running the site as Network Administrator when Blaster and Paz took a step back from things.
At the start of 2003, the website went through an apparently temporary change as it’s user-base increased and a newer, cleaner looking website was desired. They also introduced their website’s messaging inbox system for registered users, encouraging users to register for more features.

UKChatterbox was still small, it’s worth noting at this time that MSN and Yahoo still had their own chatrooms open, it wouldn’t be until they closed that UKCB would see a significant rise in users.
During the first half of 2003, the website saw numerous improvements including the ability to search for users using postcodes, encouraging users to chat to people near them. A flirt room also existed, but this was quite short-lived as UKCB would soon start their clean-chat policy, this is apparent in a simple change in wording that appeared on the website, February 2003 displayed the title ”UK Chat – Adult Chat”, the following month this became “UK Chat – Clean Adult Chat”. This month also saw significant updates to their forum system, the ordering of posts, displaying the most recent, at the top, this is common in most forum software, but a change that UKCB have (for some unknown reason) reverted.

UKCB was gaining attention, some of this attention was unwanted. I can’t verify if it was the first (it’s possible that previous chat downtime was also the result of attacks) but UKCB attracted it’s first attack on the website in May 2003.
In July 2003 UKChatterbox introduced the “yellow site”, very similar to the one you see today, new features included a quiz system, improved forum, searchable profiles, a buddy list, and a regulars list (much forgotten and hidden, but still working at www.ukchatterbox.com/regulars.php). They also added more IRC servers to support more users, allowing UKCB to move away from its GasBubbles homed chatrooms, and for it to become a complete service in its own right. At this stage user numbers hovered around the 100-400 mark.

September was a big month, UKCB started attracting users, and revenue by advertising for TV programmes, such as Big Brother, The Salon and the Terry and Gaby show. They were also changing their policies, nickname rules were introduced, and cyber-sex and dirty talk was being stamped out, promoting a cleaner and safer place for younger users.
They needed to too, this was the same time alot of media attention focused on the negatives of the internet, and chatrooms, specifically for young users, this was also the same month that MSN announced they would be closing their chatrooms the next month, which would result in a mass of people looking for new places to chat. UKChatterbox was going to benefit from this. Paz, wrote an article on this effect for The Guardian.

Side-note: MSN closed their chatrooms as moderating them and protecting its younger users was becoming harder, cases of adults pretending to be teenagers to solicit (groom) young users, was on the rise, and the accountability was growing for any service that provided chatrooms for young users. Whilst they were pushing the MSN instant messenger as a method for people to stay in contact, this lacked the social feel and variety of a chat room. Users started to look for chat rooms elsewhere, often un-moderated, with little to no rules or regulations.

October 15th 2003: the day after Microsoft’s MSN chat rooms closed, UKCB launched their own safety initiative, vowing to improve chat safety, this came along with more changes on the UKCB website, in an effort to move into a more regulated and professionally run service.
Over the following year, more of the other major chat rooms closed, including AOL and Yahoo. UKCB’s users kept growing, at this time the average number of users online was 500-1000, with few users registering, but using the option to jump straight into chat.
In June 2005 UKCB reached 1000+ registered users, this resulted in an increase in staff members and rooms, whilst the number of rooms open to non-registered users lowered. The site also changed very slightly, to the same layout you see today, this design hasn’t changed since, although talk of a “new” site has been in the air since 2006/2007.

By late 2006 UKCB was at it’s peak, they had more regular chatters then ever (regular, is significant, as UKCB has +2 million users, but most of which are people with multiple accounts, and people who have registered and not returned). Staff numbers were also at a high, they had over 80 chat room moderators; added to other staff for profiles, forum and administration, totalling 100+ staff, over 3 times the number today.

The 2nd of December 2006 saw the first of UKCB’s major service losses, a database was lost meaning loads of users had to re-register, I don’t know the exact cause of this, I do know though that UKCB suffered an sql hack not too far from this time, it is possible this was the same time, UKCB are famed for covering up security exploits though, as more reading will reveal.

As other services grew users had more and more ways of interacting, outside of UKCB, the largest of these being Facebook, a combination of those services and UKCB’s lack of updating has led to an obvious fall in users. I won’t go into my thoughts of how I think the administration and moderating on UKCB has contributed to this, if not directly, then indirectly by users being put off by idiots who get away with murder.

2011: A bad year

2011 saw the result of UKCB’s old website, and over-stressed server baring the brunt of a number of attacks and exploits. The UKCB infrastructure and website was never meant for the number of users it has, it’s old functions have no business on a site with more then a few thousand users.
Beginning in July, the server suffered a denial of service attack, this was a relatively small attack, but seemingly impossible for them to defend against as their server was already running at near-full capacity (this is the response they gave). The end result was their server host denying all access to the IP of the  irc.ukchatterbox.com IRC/chat server, the authorization software that deals with users passwords on connect, is based on this server, meaning their other 2 servers, mars and venus are quite useless, eg. users are set to Guest nicknames.

During August/September, more attacks were launched, with the website becoming the target, and sql injections being found. Initial reports about such were practically laughed at and ignored by the administration, the response being to just “duck heads and hope it goes away”, this wasn’t the case.

An sql injection allowed users details to be viewed, this included registered emails and passwords, the result of which was staff accounts being compromised and malicious activity being carried out on the chatrooms, eg. banning other staff members
UKCB spent days in chaos, the Operations manager (Dragon) and Blaster, had no idea what was being accessed and how, their only response was to disable all admin logins, this eventually spread to staff logins and even the entire user database being disabled, with the chat service being closed, on more then one occasion, days at a time.

Side-note: An sql injection is a vulnerability especially common in old methods of mysql database access, basically information submitted to functions on the website isn’t sanitized or cleaned up, allowing a user to feed their own text and mysql commands to the server, this can allow a user to retrieve info, and even alter/delete entries.

Fluentcode, the last and only competent programmer and technical administrator of UKCB, who had previously quit, was bought back temporarily to fix some of the problems. Whilst some of the injections were cleared up, a newer issue was being exploited, social engineering, with access to staff members names, most of them appearing on Facebook, dilvulging personal information for the world to see, it was no longer necessary to “hack” into UKCB, it was a matter of gaining enough information on a user to guess details to their email accounts, eg. via a password reset page, specifically, security questions. Over 3 weeks after the initial database attack, staff accounts were still being accessed on the server, even Blasters accounts were compromised.
In-house staff communications mentioned choosing secure passwords and security details more then 3 times, they never listened, one administrators personal accounts were still being accessed into November. I only mention it because staff put alot of blame on the people working on the website itself, no matter how much the website was fixed and patched up, it was useless if their emails were insecure. Logging into UKCB as staff only stopped when the quite drastic step was taken to disabling staff members password resets.

In Closing

So there it is, nearly 10 years, 2 million registered users have registered, over 300 staff, later, UKCB is still going, not as strongly as it was, but still. We should expect a new website in the near future, with advances in web standards and browser technology, it’s way behind the times; further details to come when they announce it. See you around.

Sources for main article: The guardian. Old website info (http://web.archive.org)
Feel free to contact me about any inaccuracies.

Extra Info

*There has been a gradual decline, this has been in-line with the decline of average users online.

Software Used 

Website: Custom Coded
Server Software: Apache/2.2.16 (Debian) - PHP/5.2.6-1
IRC web-client: Pjirc
IRC Server: Unreal-3.2.9 (custom modules)
IRC Services: Anope-1.8.2 (custom modules), – Denora Stats-v1.4.5.411
Gateway: A custom coded php bot (may need revision).

This works on recent versions of Anope-1.8 and requires us altering ChanServ’s levels.
ChanServ’s levels can only be altered and implemented when XOP is turned off, meaning you’ll need to add new users access using numeric values eg. VOP=3, AOP=5, SOP=10.

1. So, first thing’s first, disable XOP if it’s enabled using /cs set #CHANNEL XOP OFF.
2. If you do /cs levels #CHANNEL list you can see the required access levels for various commands, the one we’re after is AUTOVOICE.
3. Do you want just registered users to get voiced, or all users? An unregistered user has level 0, a registered one has 1. For ALL users type /cs levels #CHANNEL set autovoice 0, and for REGISTERED users use /cs levels #CHANNEL set autovoice 1.

And that’s all there is to it, you may wish to use this for a degree of damage control in the event of flood-bots, eg. Setting the channel to +m and having ChanServ autovoice registered users. There are many possibilities, and the same idea can also be applied to the AUTOHALFOP, AUTOOP levels.

Module designed and tested on the 1.9.5 release.

To enable the command add the following to nickserv.conf
module { name = “ns_massset” }
command { service = “NickServ”; name = “MASSSET”; command = “nickserv/massset”; permission = “nickserv/massset”; }

Download

Suggested GoogleMaps Route:

View Larger Map
Actual Route:

Lost in Bracknell

4 miles / 6.437376 km

m_privdeaf adds a umode +D which, when set blocks private messages from non-opers. This module could do with more testing, especially on a multi-server network, future versions will include configuration options to disallow opers, etc. It has been tested on InspIRCd-2.0.5.

Download

1. On the old Facebook image albums you could right click an image select “open..” this would open the image directly as it’s saved on Facebooks servers, allowing you to show anyone else. This isn’t possible with the new image viewers. From the album, click the image, opening it in Facebooks image “slider/viewer”.
2. To the right of the comments, and underneath the image and album info is a “Download” link, right click it and select “Copy link Location/address” (exact wording will vary depending on browser).
3. You should now be able to paste the link anywhere eg. https://fbcdn-sphotos-a.akamaihd.net/hphotos-ak-snc6/179836_10150392776725167_892115166_16729198_2760362_n.jpg?dl=1
   This link will not just open in a browser like we want, it will ask if you want to download/save/open it. This is easily fixed by removing the ?dl=1  from the end. Giving us  https://fbcdn-sphotos-a.akamaihd.net/hphotos-ak-snc6/179836_10150392776725167_892115166_16729198_2760362_n.jpg

For a more advanced how-to on downloading videos from Facebook using Firefox’s cache check out http://lethality.me.uk/2011/08/getting-that-facebook-video-advanced/

The announcement which can be found at http://www.ukchatterbox.co.uk/article/170 reads as follows:

The UKChatterbox website has recently been the target of several attacks intended to disrupt services, and as part of an ongoing security update, all UKChatterbox users are being asked to change their passwords as a precautionary measure.

Some general tips for passwords and security:

- If you have the password to other sites and services set the same as your UKChatterbox password (or have done in the past), we would recommend changing those passwords too. It is never really a good idea to use the same password for multiple sites. In particular, passwords to your e-mail and bank accounts should always be unique and not used elsewhere.

- Choose a password that is sufficiently complex. Make sure that it is at the very least 8 characters long, a mixture of letters and numbers and preferably mix in some capital letters too.

- Check your security questions for your e-mail and other sites. If a site you are signed up to operates a security question system to retrieve lost passwords, make sure that the answer to the question is not something anyone could answer but you. There have been a lot of issues recently with peoples’ e-mail accounts being accessed because the answer to their security question was on their Facebook profile.

Thank you for your cooperation.

UKChatterbox

Hopefully they can carry on improving the site for the future.

PDO (PHP Data Objects) is basically a database abstraction API that works with different types of remote databases, eg. you can create code, one line defines the database driver you’re using, be it mysql, sqlite, etc, you can then switch between drivers without editing your actual queries, that’s the main benefit, along with prepared statements and OOP.

So my rant is this, the difference going from mysql to mysqli is marginal, the step to PDO is a much larger one, don’t get bullied by people in the trade into using PDO just because it’s “hip”. I’m about to start building a new site, and renovate another, I will be using mysqli as I have no intention of ever switching databases so this suits me fine. If you’re building for other people and/or are in the trade, PDO would be useful to add to your skillset if they ever changed. In my experience, people don’t. So although right now I don’t care for it, I will of course be using it for phpAnope and probably my phpBot if I release publicly. \o/

There was a disruption to both the web and chat services from 18:00hrs Friday 1st July 2011 to 21:00hrs Sunday 3rd July 2011 due to a machine failure. This has now been resolved.

What happened was, (and this will no doubt be denied by them) was that the website was attacked using a popular form of exploit (SQL Injection aka sqli), this is when a user inserts extra characters and commands for example, when using a login form, to carry out tasks such as logging a user in as an admin, returning information that shouldn’t be available publicly. UKChatterbox has had problems with sql injections in the past, and apparently never bothered to fix them properly or learn anything, the website (whilst most users are blindly happy with it’s presentation) is full of old, out-dated code. Updating the code to use newer methods of accessing databases can stop this. Incidentally the recent bold red maintenance message on the homepage was fluentcode fixing these issues now they’ve been made fully aware of them.

Anyway, back to UKChatterbox’s delayed downtime notices. Their next step was a server migration:

July 6th 2011: A major migration of the UKChatterbox website has been performed in order to remedy earlier problems. Access to the website may be unstable in some cases for up to 48 hours.

They either seriously thought the machine was at fault or were ignorant enough to ignore what was going on and palm users of with a feeble excuse. Whatever it was, this so called “migration” took a week, I can only imagine they really thought the machine was at fault, as none of the exploits were fixed. Whilst they had supposedly fixed it, their admin logs, gateway records and users were being dumped (downloaded using the exploit).

Then to skip to the most recent activities:

September 9th 2011. The chat service is undergoing maintenance and may be unavailable at certain times during the next 48 hours.

This was a result of a different kind of attack, some may have wondered what happened to WhiteStar, and who Time_Lord was. Whitestars UKCB account was compromised thanks to the user database revealing his email, using freely available information this allowed someone to access the email account he used, resetting the UKCB password to one of his own choosing, and logging into UKCB and acting as a UKCB staff member for 5 YES FIVE hours before being sussed. Proof: fake whitestar entered friendly at 11:58am on the 1st September, after issuing warns and profile suspensions, it wasn’t until 5:16pm he was banned by UKChatterbox’s staff administrator Mackemlady:

[17:16] * Quits: @Whitestar (Whitestar@admin.ukchatterbox.com) (Suspected impersonation of UKCB admin/hacking or unathorised use of account)

Using the same method the account was accessed numerous times, a note to the unaware: A ukcb’s admin password allows them to issue suspensions, akills (IP bans), password/email resets, and the viewing of Channel/PM logs as well as a users personal information. The password used to /oper and issue more powerful commands on the chat server is different, and stored in an md5 hash in the chat servers config. For the record, at no time was the UKChatterbox shell account accessed, no one used /oper (Why the main guy running UKChatterbox kept insisting it was, I do not know).

Once this method of entry had been used it was ridiculously easy to keep accessing UKCB, changing current administrators emails to one the “hacker” possessed to resend that administrators UKChatterbox password.
The reason for UKChatterbox’s catastrophic fail is that the 2 most senior administrators are clueless dinosaurs (no offense), they have no idea in the techniques used on IRC and the internet, and were absolutely clueless as to what was happening, how, and from who. They continued to exchange personal information on IRC when their own stupid unethical logging systems were compromised and providing people with all the ammunition needed.

The situation was so bad it resulted in the chat server being shutdown and the following “status messages”:

September 15th 2011. The website is undergoing maintenance and you may not be able to log in at certain times during the day. Some pages or functions may also be disabled.

September 11th 2011. The website is undergoing maintenance and you may not be able to log in at certain times during the day. The chat service is currently offline.

This wasn’t “normal maintenance” or them genuinely making changes for the benefit of it’s users (lol) this was a last resort. UKChatterbox can’t function without it’s moderators and administrators, and whilst their administrators accounts were constantly compromised the only way they could stop it was stopping the servers altogether, this action may have been largely prompted by the use of the countdown bot to ban all of the users in the #ukcountdown channel at which point they realized how deep the problem was and were actually made aware of how/what had happened. They then re-called Fluentcode, their last technical administrator who quit a few months ago and the only guy on UKCB’s staff list in the last 5 years with A LOT of programming/irc and internet know-how to put the problems right, and to secure the website.

So why this post? It isn’t some attempt at trolling. UKChatterbox has a long history of problems, some that were reported in newspapers and all too often they cover up and give amusing accounts of. What happened here though, was UKChatterbox’s databases were ACCESSED by an external party. This means, your username, email and password’s that have since been made readable are in someones hands. Why didn’t you hear about it from UKCB? Because they don’t do stuff like that. Which is the point of this post, to notify users of UKChatterbox of something they should have.
I’ll use some examples. Sony’s Playstation Network (PSN) was hacked back in April, it’s databases were accessed using the same method as the one used on UKChatterbox, the only difference with them is that the details included credit cards, and the sheer volume of users (80+ million). UKChatterbox has over 2 million users, and is the largest UK based chat service. They’ve shirked their responsibilities by not giving you information you NEED.

If you’ve read this full article you’ll realize why the following information is important, UKChatterbox’s admin accounts were “accessed” using nothing but an email account, which was accessed using the password reset security questions, with information available from Facebook, and searching some publicly available records.
This means that the immediate risks of your details being in someone else’s hands are that:

• They can login to your UKCB account.
• They can try accessing your email, and ANY website that uses an email login eg. Paypal with the password you use on UKCB (it’s a fact that most people use the same password on multiple services, whether it’s Facebook, personal email, work accounts).
• If they can’t access your email directly using your UKCB password they can try to get around security questions using the same method used for Whitestar and Scifi.
• They could just use your email in other ways eg. passing it onto spammers, sending phishing emails to attempt to extract information eg. passwords from you by pretending to be a well known site/service.

So now for the information UKChatterbox should’ve had the balls to tell you:

1.  Change your UKCB password now.
2. If you used your old UKCB password on other sites, change it on ALL of them.
3. Be wary of suspicious emails, eg sites like Paypal requesting you confirm your password. Most people get emails like this anyway.
4. Change your security settings on sites, most have options you aren’t aware off. Whilst I’m 100% positive you won’t fall victim to what UKCB have, you can never be too safe. Check out http://lethality.me.uk/2011/09/online-security/ for tips and help with choosing Passwords, Security questions and some other advise.

UKCB staff know what has happened. They’ve all been forced to change their passwords before being allowed back on to moderate and carry out their role.
The SQLi injections have been fixed.
The passwords in the user databases have now apparently been encrypted or hashed.

I gave “them” some time to get their house in order and let them have the chance to make the relevant announcements, it seems they couldn’t be bothered. Before one of the smart-arses try discrediting this, I do of course have proof to back everything ‘peace out.

Relevant Posts:
http://www.lethality.me.uk/vitalstats.html – Evidence of some of the information accessed.

Some other UKCB news you may not have heard:
Belfast telegraph – An article about an Ulster Unionist who was caught out on UKCB
http://www.chris-uk.org/paul-rogers/7241 – A 37 year old Crime Scene Examiner used UKCB, posing as a 14 year old girl, and attempted to meet a 12 year old girl, who was actually a reporter, even offering £100 to do so.

The module adds the ability for a services root, or services staff with the operserv/massmode permission to set/unset modes for ALL channels, registered or unregistered, ideal on a small net where you don’t quite want to go to the extreme of using Defcon. Note that on large networks, users may not appreciate you forcing modes on them, especially if they’ve not registered the channel.

Download