Josh Wieder

Over the past few days I've been working on a project that involved building an authentication mechanism for a new website which checks user logins against a WHMCS admin database. There are a variety of options for authenticating normal, non-admin WHMCS users: on the easy side of things, you can simply use the WHMCS API's validatelogin() call, or for a more advanced project its possible to implement OAuth within your WHMCS instance . For my project, neither LDAP nor Active Directory were options. I was surprised to find that the WHMCS API did not contain a mechanism for authenticating admin users. I'm somewhat sympathetic given the security implications: WHMCS is a billing application and it should not be used to provide a sortof infrastructure authentication backbone, particularly given the many much more mature options available for this sort of thing. With that said, this project wasn't about looking to turn WHMCS into LDAP ... it was about allowing WHMCS admin t

Recently a division of the Australian Department of Human Services released an authentication mechanism to secure smart card transactions. They named their creation Protocol for Lightweight Authentication of Identity, or PLAID. The plan was to allow other Australian government agencies to use the auth protocol for free. Feeling very sure of themselves, Ozzy's DHS released the protocol for inspection. A group of cryptographers from two universities stepped up to do the deed. The Information Security Group of Royal Holloway, University of London was one such school. Representing the Continent was Cryptoplexity of Technische Universität Darmstadt, Germany. And do the deed they did. As it turns out, PLAID is a lemon. It does just about everything wrong. It implements an RSA encryption function poorly, which is a bit suspicious given RSA's recent history with that Five Eyes Intelligence service from the Western hemisphere we all love to hate, the NSA. Beyond that, the function i