List of goals, suggestions and ideas for future releases.

[Maikuolan]

List of goals, suggestions and ideas for future releases.
This list isn't static; Entries may be added and/or removed without notice. Listed order does not represent priority. List is not comprehensive (issues may exist that aren't listed).

• v1.1.0: Configurable font size magnification (Implemented 2017.07.31).
• v1.1.0: Directive to enable/disable number localisation (Implemented 2017.07.31).
• v1.1.0: Improve hotfix mechanism for version reporting (Implemented 2017.07.31).
• v1.1.0: More email options (Implemented 2017.08.15).
• v1.1.0: Improved L10N for handling DAT files (Implemented 2017.08.16).
• v1.1.0: ON/OFF switch (Implemented 2017.08.17).
• v1.2.0: In-built IPv4+IPv6 aggregator (Implemented 2017.09.19).
• v1.2.0: Add statistics page to the front-end (Implemented 2017.10.04).
• v1.2.0: Metadata cleanup routine (Implemented 2017.10.07).
• v1.2.0: Ability to fetch extended descriptions from L10N data (Implemented 2017.10.09).
• v1.2.0: CI reports/tests on the front-end updates page (Implemented 2017.10.26).
• v1.2.0: Split out front-end closures from the main functions file (Implemented 2017.10.26).
• v1.2.0: Remove PHP < 5.4.0 syntax (Implemented 2017.10.27).
• v1.2.0: Prepare Cronable API (Implemented 2017.10.28).
• v1.3.0: Enable/Disable Hostname lookups as default (Implemented 2017.11.07).
• v1.3.0: Expand documentation to properly describe and explain "infractions" (Implemented 2017.11.25).
• v1.3.0: Expand documentation to include information about writing modules and about blocking hostnames (Implemented 2017.12.03).
• v1.8.0: 2FA (Two-Factor Authentication) (Implemented 2018.08.12).
• v1.8.0: Explore additional/alternative arrangements for custom bypasses and custom hostname blocks (Implemented 2018.09.25).
• v1.13.0, v2.0.0: Implement mechanisms for platform contingencies/redundancies (Implemented 2019.05.31).
• v1.13.0, v2.0.0: Remotes redirect for handling updates when primary update sources are unavailable (Implemented 2019.05.31).

[harryqt]

One question, no GUI?

[Maikuolan]

A GUI for managing CIDRAM exists (the "front-end"), but it's disabled by default for security (in case people using CIDRAM didn't realise it was there and an attacker tried to hijack it and things like that). You'll need to manually change the value of "disable_frontend" to "false" (in config.ini) to enable it, and after enabling it, you can then access it by accessing the loader.php file directly from your browser. :-)

[harryqt]

Just installed it on my wordpress setup, pretty far it's super awesome.. really man, it's awesome.. I was actually looking for this kind of thing.. thank you for letting me know about this awesome script. You are my new Batman. 👍

Question:

1. How's the false/positive rate?
2. How often the database updates? And if the database updates do I need to do anything?
3. Any plan to add support of hostname blocking? Like Wordfence plugin does? - https://image.prntscr.com/image/82QdY2VAQRyc7NicjnXBdQ.png
4. Why India is blocked on macmathan.info? - http://prntscr.com/hccvzi

[Maikuolan]

Glad to hear that it's working well, and you're welcome. 😄 👍

How's the false/positive rate?

It varies, depending on the signature files and modules used. Described below are the current estimated false positive rates (or "risk") for the various "components" (signature files and modules) available:

Component	False positive risk
IPv4 signatures (cloud services)	Low
IPv4 signatures (bogons)	Low
IPv4 signatures (spammy/bad ISPs)	Medium
IPv4 signatures (other; VPNs, proxies, etc)	Medium
IPv6 signatures (cloud services)	Low
IPv6 signatures (bogons)	Low
IPv6 signatures (spammy/bad ISPs)	Medium
IPv6 signatures (other; VPNs, proxies, etc)	Low
Default signature bypasses	Low
Cookies module	Low
Optional security extras module	Medium
Baidu blocker module	Low
Yandex blocker module	Low
Bad hosts module (cloud services)	Medium
Bad hosts module (ISPs)	High ⚠️
Stop Forum Spam module	Low
Empty UA module	Low

(Of course, take in mind that the false positive risk for each component listed here is based on the intentions of each component; If it blocks something that we don't want blocked, if it's a mistake, or something that it shouldn't be blocking, it would be regarded as a false positive, but if it's not a mistake, or if it's something that the component is actually meant to block, that wouldn't be regarded as a false positive. An example here would be with the "Baidu blocker module" or "Yandex blocker module": Using either of those two modules would most likely completely destroy any SEO work and PR for Baidu and Yandex search engines specifically, due to that it would be blocking them, and so, anybody that cares about those two search engines shouldn't use those two specific modules, but at the same time, because blocking those two search engines is what those two modules are designed to do, this would not be regarded as a false positive. On the other hand though, if they suddenly started blocking other search engines, or other unrelated traffic, then that would definitely be considered a false positive).

"Low", "Medium", and "High" are used as descriptors for the false positive risk as a means of keeping it simple, due to that the different demographics and different needs of different websites would likely result in significant variances in the actual specific numbers of false positives ultimately seen by any particular website. "High" is almost an absolute guarantee that there'll be significant false positives seen, any I would recommend only using components marked as "high" if they're absolutely required for meeting the needs of a specific website. Any components marked as "Low" are considered reasonably accurate at even the worst of times, and false positives should be either zero, or extremely rare. "Medium" covers basically everything between the two extremes (although generally favouring more towards "low", rather than "high").

---

It's quite possible that you already know this, but due to that discussion is public, for the benefit of anyone reading this that might not already know this, the definition of "false positive" in relation to and in the context of CIDRAM, according to the CIDRAM documentation, is as follows:

What is a "false positive"?

The term "false positive" (alternatively: "false positive error"; "false alarm"), described very simply, and in a generalised context, is used when testing for a condition, to refer to the results of that test, when the results are positive (i.e., the condition is determined to be "positive", or "true"), but are expected to be (or should have been) negative (i.e., the condition, in reality, is "negative", or "false"). A "false positive" could be considered analogous to "crying wolf" (wherein the condition being tested is whether there's a wolf near the herd, the condition is "false" in that there's no wolf near the herd, and the condition is reported as "positive" by the shepherd by way of calling "wolf, wolf"), or analogous to situations in medical testing wherein a patient is diagnosed as having some illness or disease, when in reality, they have no such illness or disease.

Related outcomes when testing for a condition can be described using the terms "true positive", "true negative" and "false negative". A "true positive" refers to when the results of the test and the actual state of the condition are both true (or "positive"), and a "true negative" refers to when the results of the test and the actual state of the condition are both false (or "negative"); A "true positive" or a "true negative" is considered to be a "correct inference". The antithesis of a "false positive" is a "false negative"; A "false negative" refers to when the results of the test are negative (i.e., the condition is determined to be "negative", or "false"), but are expected to be (or should have been) positive (i.e., the condition, in reality, is "positive", or "true").

In the context of CIDRAM, these terms refer to the signatures of CIDRAM and what/whom they block. When CIDRAM blocks an IP address due to bad, outdated or incorrect signatures, but shouldn't have done so, or when it does so for the wrong reasons, we refer to this event as a "false positive". When CIDRAM fails to block an IP address that should have been blocked, due to unforeseen threats, missing signatures or shortfalls in its signatures, we refer to this event as a "missed detection" (which is analogous to a "false negative").

This can be summarised by the table below:

	CIDRAM should NOT block an IP address	CIDRAM SHOULD block an IP address
CIDRAM does NOT block an IP address	True negative (correct inference)	Missed detection (analogous to false negative)
CIDRAM DOES block an IP address	False positive	True positive (correct inference)

---

Anyhow. In regards to any of the other available components, that haven't been lised above (e.g., Macmathan's country blocklists): Due to the frequency of updates, I assume that they're quite accurate, and that false positives would be quite rare, but that said, I haven't described any specific risk level for them, due to that I haven't extensively tested any of them in regards to false positives (those that I've listed above though, I've tested).

---

How often the database updates?

Different components (e.g., different parts of the signatures database) have different update frequencies. Most of Macmathan's country blocklists are updated once per month, but some of them are occasionally updated more frequently. The components that I maintain myself, I tend to update either whenever I've got enough spare time to go through them and on an "as needed" basis (e.g., when it becomes apparent that updates are required, or when false positive are reported); This tends to result in updates occurring, on average, about ~4 times per month.

And if the database updates do I need to do anything?

To keep up-to-date, yep. 😄

If you've enabled the front-end, you can update everything automatically via the "updates" page. On the front-end, there should be an updates page linked, and all components (installed, and available for installation) should be listed on that page. Whenever visiting that page, if anything is outdated, an "Update all" button should appear on the top of the page. Clicking that button will automatically update everything.

Alternatively, if the front-end is disabled, it's also possible to update everything manually, but it'll probably take a little more time to do, and doing it manually is a little less convenient than doing it automatically: Because CIDRAM uses "flatfiles" (i.e., no SQL database, no external drivers, etc), if you're able to identify which components are outdated, you can update them by simply replacing the files corresponding to those components with their up-to-date counterparts, and then everything should be up-to-date again and working correctly as per normal. The trick, however, is identifying which components are outdated, and which files correspond to them (this is something that the updates page will handle automatically, which makes it an easier solution for updating everything). The best bet for doing it manually, would be to monitor the repository here, and Macmathan's blocklist page (if using any of his blocklists), to be able to see when updates are announced/listed/etc.

There's also Cronable, which is a separate package I maintain, that can be used to truly automatically update everything (with Cronable, everything is done via Cron, and you don't need to even worry about visiting the updates page at all), but I would only recommend Cronable to people that are very familiar with how to create and schedule cronjobs on their server (due to using Cron, the technical debt is slightly higher, and I've had some users in the past mention that they couldn't get it working properly, but it could be a preferable solution for anyone that's short on spare time and has experience working with cronjobs).

Any plan to add support of hostname blocking?

In a manner, it's already supported: CIDRAM is capable of blocking hostnames, and there are some modules available already for the purpose of blocking bad/dangerous hostnames. It doesn't currently have any GUI or front-end page comparable to that seen in your screenshot for adding custom hostnames to be blocked though. It's a good idea though. I can definitely add that to the to-do list and try to implement something like this in the future. 😄 👍

Why India is blocked on macmathan.info?

My understanding of it is that Macmathan's website has come under attack multiple times in the past from spammers and hackers using Indian IPs, and as a result, he's decided to block all Indian IPs from accessing any of the pages on his website as a precaution against future attacks. I think there are some other countries blocked there too, but I'm not entirely sure exactly which countries are and aren't blocked (I know that India, China, and North Korea are blocked there; I know that my own country, Australia, is not blocked there; as to exactly which countries are and aren't blocked though, he would probably need to answer that question himself, I think). In any case though, it's definitely nothing personal against specific places or people; his decisions about what he blocks are based on the kind of web traffic he sees to his websites (friendly guy that cares about security, and a great ally in the fight against bots and spammers). And, of course, we both definitely welcome users from everywhere around the world. 😄

AFAIK though, the CIDRAM front-end is not subject to any of the blocklists at his website, and it should be possible to download+install any of the blocklists that he maintains via the CIDRAM front-end, regardless of which country the requests route through (although I haven't tested it extensively for all countries; I've only done some cursory testing for some specific ISPs and providers).

I don't think he uses this platform at all (GitHub), but if you needed to contact him for support specific to the country blocklists, or about his website, if you're able to access it via a VPN or something, he has a bug tracker page available here that you could use, or alternatively, he does frequently visit one of our other support endpoints, hosted by Spambot Security (that said though, Spambot Security has its own set of signatures and security policies, most of which haven't been updated in a few years and are now very outdated, so I have no idea whether you'll be able to access it at the moment; a different person, "Zaphod", maintains that, and he hasn't updated it in a while now).

(GitHub is the primary and recommended support endpoint for CIDRAM, but there are a few other support endpoints around, Spambot Security being one of them; I'm not sure how long into the future Spambot Security will continue to exist though, so, although it could be good to register there if you're able to, GitHub definitely remains the preferred support endpoint).

[harryqt]

Consider adding Google's new powered by AI Invisible reCaptcha ?

[DanielRuf]

reCaptcha should be already available.

[DanielRuf]

You should be able to configure this to use the invisible mode.

[DanielRuf]

Ok, then please open a new issue for this.

[DanielRuf]

It still makes sense to track it separately in another issue or this thread here would get very long over the time.

[harryqt]

@Maikuolan How about adding Browser Integrity Check?

is it possible? so, people cant retrieve data using some basic get contents functions, like

file_get_contents($url);

what do you think about this?

This might help you,

https://github.com/ItayRosen/Browser-Integrity-Check

I also worried about how Google, Bing, Yandex, Facebook will handle it.

[Maikuolan]

(Above comment seen. Definitely sounds like a cool idea. Was planning on replying earlier, but had a busy night and didn't get to it; Also sick with the flu at the moment and feeling like I need a few hours downtime. I'll take a closer look at this either later today or tomorrow and reply properly afterward).

[ghost]

OK folks, a bit of necro-reply but I joined GitHub just a bunch of days ago and thought the issue could do with an "official" statement regarding the question about my domain.

Why India is blocked on macmathan.info?

My understanding of it is that Macmathan's website has come under attack multiple times in the past from spammers and hackers using Indian IPs, and as a result, he's decided to block all Indian IPs from accessing any of the pages on his website as a precaution against future attacks. I think there are some other countries blocked there too ...

Correct assumptions. It is my personal domain after all, and I have had to deal with my share of some countries wealth of spammers, exploit searching hackers and script kiddies. To make one thing clear, it is never a personal thing against any country or group of people or similar (and so says my disclaimer as well). But with the internet being what it is the blocks are a sad necessity for the time being to keep the site safe. The actual list can and will not be disclosed because of the nature of it. I'm sorry for the inconvenience it might cause.

AFAIK though, the CIDRAM front-end is not subject to any of the blocklists at his website, and it should be possible to download+install any of the blocklists that he maintains via the CIDRAM front-end, regardless of which country the requests route through...

I can confirm that CIDRAM is supposed to be able to download and install any of my lists and modules from within the front-end, even from blocked countries and hosts. If it doesn't work, let me know.

I don't think he uses this platform at all (GitHub), but if you needed to contact him for support specific to the country blocklists, or about his website, if you're able to access it via a VPN or something

I didn't use this platform until a few days ago. I'll keep an eye on it from now on, but for the time being the main support for my lists is on my site.
(I am evaluating alternatives for the future, but nothing is planned to change immediately. Please respect that although my lists tie into CIDRAM very intimately, and we all work closely together, CIDRAM itself and my lists are separate projects.)

[DanielRuf]

Well, a versioned variant of the lists eg using Git may be an idea. But it is not recommended.

[DanielRuf]

I joined GitHub just a bunch of days ago

Welcome on GitHub. 🎉

[100percentlunarboy]

For Wordpress users

Would be great if CIDRAM was accessible in the admin dashboard.

Unless I am doing something wrong, every time I run an update of CIDRAM from the WordPress plugin update section the update wipes out all my settings. After updating I have setup everything from scratch - country blocks, ignore files, etc. A lot of work when you have multiple sites.

My dream is to open the WordPress admin panel, select CIDRAM, push the update button.

As usual, thanks for all the hard work!

[DanielRuf]

In general settings should still be stored and not wiped on update

https://wordpress.org/plugins/cidram/

@Maikuolan where do we have the repo for the WordPress plugin?

[100percentlunarboy]

It definitely wipes them all out for me. The config.ini is wiped clean. The entire CIDRAM/Vault is reset to a clean install and all loaded modules are gone. Admin password to front end reset to default.

I am referring to running the CIDRAM plugin update from within WordPress/Plugins Section–not from the CIDRAM front end.

[Maikuolan]

In the documentation currently:

Warning: Updating CIDRAM via the plugins dashboard results in a clean installation! If you've customised your installation (changed your configuration, installed modules, etc), these customisations will be lost when updating via the plugins dashboard! Logfiles will also be lost when updating via the plugins dashboard! To preserve logfiles and customisations, update via the CIDRAM front-end updates page.

Unfortunately, this is due to the way that WordPress updates are performed: WordPress doesn't compare actual individual changed files between different package (plugin, theme, etc) versions, nor provides any way to implement more controlled update mechanisms specific to individual packages. Instead, it simply downloads a ZIP of the entire latest version of whatever's being updated, decompresses its contents, and replaces all the files of the old package with the files of new package (essentially like a fresh install, minus the database changes).

For plugins that hook into the WordPress database itself, this isn't usually problem, due to that their settings, configuration, customisations and so on will usually be stored in the database, which isn't affected by these updates. For plugins/packages such as CIDRAM however, which don't touch the WordPress database at all, and instead store their own data internally (in the case of CIDRAM, in the form of the data in the vault directory, such as the config.ini file, logfiles and so on), this can be problem, due to that simply overriding the entire directory would mean a loss of those customisations and configuration settings.

To fix this problem, I think I'd probably need some way to temporarily override the WordPress update system when updating CIDRAM via the plugins dashboard. Not quite sure currently how viable that is though.

@Maikuolan where do we have the repo for the WordPress plugin?

The WordPress plugins database has its own internal version control (SVN, rather than Git; a bit unfortunate IMO, as I prefer Git over SVN, but it is what it is). SVN repository for the CIDRAM WordPress plugin can be accessed via: https://plugins.svn.wordpress.org/cidram/

Content there should be the same as here though. Usually what I'll do is just copy/paste the latest CIDRAM codebase as is available on GitHub (but with config.ini.RenameMe pre-renamed to config.ini so that it won't completely break people's WordPress installations or inadvertently lock them out when updating) whenever tagging a new version/release to the corresponding repository at WordPress under the same new tag, keeping all development to here, at GitHub (the SVN repo for CIDRAM at WordPress actually only has code under the various tags, and no trunk directory).

[100percentlunarboy]

Hi Maikuolan

Yes. I am aware of all this already. 😃

I always RFTM. I thought this was a sorta wish list so I put it out there.

I think that one issue that will stop the WordPress community from adopting CIDRAM fully is the lack of integration into the database, as you said, it does not "hook into the WordPress database itself."

If I didn't like the plugin so much I would not go through the hassle of setting it up again whenever there is a WordPress plugin update. I would love to see the usage really take off in the WP community. You guys fight the good fight. CIDRAM is a fantastic complement to other security plugins that do not have the ability to block by country.

[Maikuolan]

I always RFTM. I thought this was a sorta wish list so I put it out there.

Much appreciated, and no problem. 👍

I figure worth replying with that anyhow, in case anyone reads these messages which hadn't yet seen that part of the documetation (a few less whats and whys down the track to deal with).

In any case, I agree; Definitely something worth pursuing.

[Maikuolan]

"Implement mechanisms for platform contingencies/redundancies."

Working on this currently, and so far, everything looks good at my end. I just need to update the documentation and L10N data for it now, before I commit. Next commit to the repo should have that box ticked off, hopefully.

Edit: Done and pushed.

[Maikuolan]

"Possible expansion of the format allowed for some configuration directives (tracktime, etc)."

This has been on the list for long time now, since way back when IP tracking was first introduced, I think.. if I'm remembering correctly. Kind of a small item, and should technically be easy to implement.. but I'm a little stuck on ideas for exactly what it should look like, or.. whether we really still need it, for that matter.

Anyone have any thoughts about this? Strike it from the list? Keep it on the list and try to come up with something? If the latter.. any ideas? Would prefer to stick to standards, if at all possible, because coming up with something totally different, and totally original, could just add further confusion, because that would mean that users would then need to learn something totally different and totally original to work with it. I haven't really found too many "standard" ways of doing this though.

If I implemented something like 1m2w3d for one month, two weeks, three days, it would most likely make sense to native English speakers, because we could safely assume what the "m", "w", and "d" represented, but it could be totally confusing to non-English speakers, and also isn't backed by any particular standards anywhere, AFAICT.

I could go the SI approach, implementing something 5º4′3″ for five hours, four minutes, three seconds (or "arcminutes", "arcseconds", etc), but that's (1) a super antiquated way of measuring time, not really practically used by many people anywhere nowadays, and (2) a bit of a PITA to actually type for most users, given that degrees, prime, and double-prime characters are not a part of most standard keyboard layouts (thus potentially defeating the whole point here of expanding the format).

Worth noting that following through with this would just be to provide an extra convenience for those that don't want to type in actually whole integers to represent a unit of time (as is the case for the format currently), and isn't necessarily adding a new "feature" to CIDRAM or anything like that. Likewise, it isn't something particularly needed, and wouldn't really impact anything if it was to be struck from the list.

[Maikuolan]

"Possible expansion of the format allowed for some configuration directives (tracktime, etc)." (i.e., the to-do mentioned by my previous reply).

No feedback received yet, I also don't have any new ideas for how to progress further with it yet, and it has always been regarded as very low priority, so I'm thinking I might just scratch it from the list (i.e., not something really wanted/needed anymore anyway).

"Stable/unstable updates selector option (maybe?)."

The codebase has changed quite a lot since that to-do was first added to the list (the channel switcher, for example, hadn't been added to the codebase yet). Between the channel switcher, the ability to just push any future unstable or questionable commits into their own branch (until further testing, further improvements, or whatever else that might be needed can be done), and better, improved testing practices from herein and into the future, I'm not sure we necessarily need to explicitly code in the ability to distinguish and choose between stable/unstable updates from the front-end. Scratching that from the list too, would mean that there wouldn't be any remaining to-do items on that list (and we could then close this issue and move onto other things).

There are some other things mentioned in the discussion attached to this issue, such as the suggestion to be able to manage CIDRAM via the WordPress admin dashboard. I'll create new, separate issues for any such things mentioned in the attached discussion (more maintainable that way, rather than leaving open really old issues that deal with multiple, unrelated to-do tasks, problems, etc).

Will mark this issue as "implemented" as close accordingly shortly.