Forum Developments

0 Subject: Forum "Security"

Posted by: Guru
- [330592710] Fri, Mar 15, 2002, 13:02

I'm mulling over some ideas for improving forum security. Current issues include:

1. Imposters. Sometimes, people use redundant names by accident - if they are common names. But more often than not, this is done in an attempt to create misimpressions. While the perpetrators are usually discovered pretty quickly, it would still be helpful to be able to protect handles from unauthorized duplication.

2. Blocking. Sometimes, it is very easy to block users from posting. Sometimes, it is more difficult, depending on the sophistication of the user, and depending on a number of other parameters that I'd prefer not to go into. It would be helpful to have a more controlled means of limiting the access of those who do not behave appropriately.

3. GuruPatron ID. Again, this tracking system has some loopholes that require periodic intervention.

One way of controlling these issues is to have a registration requirement. I am generally opposed to this, at least in its conventional form. A lot of people are simply reluctant to register, and I don't think a full registration scheme is warranted.

However, I am thinking that some sort of limited password system might be effective without being intrusive. This thread presents my initial thoughts on how it might work. I'll admit upfront that I haven't thought through all of the possible implications of this framework, but I wanted to use this thread as a sounding board to get some preliminary feedback before proceeding down this path.

Here is my suggestion. Each person who posts a message would save a password on the server. That password would be linked to a handle (posting name). For example, if there is a password associated with the handle "Guru", and if you don't supply that password, then you can't post a message as "Guru".

Handle/password combinations would be stored on the server, but they would also be saved in a cookie on your local computer. As long as you have the correct password (for your handle) stored in a cookie file, you won't even need to supply it. The forum will work just as it does now, as far as you are concerned. But if your cookie ever disappears, you will be prompted for a password before you can post a message.

You will also have the ability to change a password. Of course, in order to change a password, you'll first have to supply the existing password.

If someone tries to post under a "registered" handle, and they cannot supply the correct password, then they will be unable to complete the posting process. They will have the ability to change their handle, however. If they supply a previously unregistered handle, they will be prompted for an initial password. That will establish a new (and subsequently protected) handle/password combination.

Anytime you enter a password correctly, it will automatically be stored in a cookie file. However, if you are using a public computer and do not wish to store the password, you will have that option. Essentially, when you are prompted for a password, there would be a checkbox that you could select that says "do not remember the password on this computer". In this case, you would need to enter the password each time you try to post a message.

When you register a handle/password combo, you will not need to provide any other info (real name, email, etc.), and thus, there should be no sensitive privacy issues to overcome.

Benefits:
No one could post under a previously registered handle without knowing the password. Because of this, it would be important that passwords are easily recalled by the originator, but difficult to guess for an imposter.

Misbehaving users could more easily be blocked, simply by me changing their password. If this happens, the blocked user will probably try to reregister using another handle. During these times, I could put a temporary moratorium on new handle registrations. Or, I could temporarily require a new registrant to provide an email address, to which I would assign and send a random password. This would give me one additional piece of tracing information that would probably deter at least some of those who were depending on maintaining anonymity. Clearly, this issue is one that needs some more thought. But I think there are ways to keep the forum reasonably protected while not unduly limiting the ability of legitimate users to post freely.

GuruPatron identifiers could easily be assigned to a handle/password combo. Multiple users from the same computer would be able to retain unique GuruPatron identifiers. GuruPatrons using multiple computers would be consistently identified. Apparent imposters (those choosing a similar, but slightly different handle) would be more easily exposed.

Ultimately, this could also give me an ability to link a poster to his/her biographical info at the registry, if they have chosen to register there. Currently, the bio registry is independently maintained, but this could allow me to generate an automated link to listed posters. Food for thought.

I would plan to continue the current ID number system. While it would have limited usefulness, it would at least provide some detection for posters who consistently use multiple handles (i.e., carrying on artificial conversations with themselves).

Questions:
1. Does this sound like a good approach? Would anyone be unwilling to post a message if they first had to store a password?
2. Are there other complications that I need to address? (Undoubtedly.)
3. If a user forgets his/her password, how should I control reminders?
4. Is there a simpler way to accomplish the objectives? This seems pretty simple and unobtrusive, but perhaps the devil is in the details.

Clearly, this would require some new programming, and I don't expect to be prepared to implement such a system for awhile - certainly not until after baseball gets going. So we have some time to mull it over in advance.

What are your reactions?
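A sketch of the handle/password flow proposed in the post above, as an added example that is not part of the original post or the forum's own code. It assumes two departures from the proposal: the server keeps a salted PBKDF2 hash rather than the password, and the cookie holds a random token rather than the password itself; `HandleRegistry`, `post_as`, `admin_reset` and the work factor are hypothetical names and values.

```python
import hashlib, hmac, secrets, unicodedata

ITERATIONS = 200_000  # assumed PBKDF2 work factor for this sketch


def canonical(handle: str) -> str:
    """Fold case, width and spacing so 'Guru', ' GURU ' and 'guru' are one handle."""
    return " ".join(unicodedata.normalize("NFKC", handle).casefold().split())


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


class HandleRegistry:
    def __init__(self):
        self._pw = {}      # canonical handle -> (salt, password hash)
        self._tokens = {}  # sha256(cookie token) -> canonical handle

    def _issue_cookie(self, key: str) -> str:
        token = secrets.token_urlsafe(32)
        self._tokens[hashlib.sha256(token.encode()).digest()] = key
        return token

    def _check_password(self, key: str, password: str) -> bool:
        salt, stored = self._pw[key]
        return hmac.compare_digest(stored, _hash(password, salt))

    def post_as(self, handle, password=None, cookie=None, remember=True):
        """Return (allowed, cookie_to_set). First use of a handle registers it."""
        key = canonical(handle)
        if not key:
            return False, None
        if key not in self._pw:
            if not password:
                return False, None  # new handle: an initial password is required
            salt = secrets.token_bytes(16)
            self._pw[key] = (salt, _hash(password, salt))
        elif cookie and self._tokens.get(hashlib.sha256(cookie.encode()).digest()) == key:
            return True, None       # valid saved cookie: no prompt needed
        elif not password or not self._check_password(key, password):
            return False, None
        return True, self._issue_cookie(key) if remember else None

    def change_password(self, handle, old, new) -> bool:
        key = canonical(handle)
        if key not in self._pw or not self._check_password(key, old):
            return False
        self.admin_reset(handle, new)
        return True

    def admin_reset(self, handle, new) -> None:
        """Block or reset a handle: new hash, and every saved cookie is revoked."""
        key = canonical(handle)
        salt = secrets.token_bytes(16)
        self._pw[key] = (salt, _hash(new, salt))
        self._tokens = {d: h for d, h in self._tokens.items() if h != key}
```

Passing `remember=False` corresponds to the "do not remember the password on this computer" checkbox. Because the cookie is a token, blocking a user by changing the password only works if the saved tokens are revoked at the same time, which `admin_reset` does.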
1 Mattinglyinthehall
      ID: 1832399
      Fri, Mar 15, 2002, 13:18
This would surely quell some of the annoyances like the one in that basketball forum thread we are currently seeing, but if multiple people are posting under the same handle in conjunction with each other (which I believe is the case with at least one name that frequently posts in the basketball forum) then this would not assist in stopping that activity.
1. Yes and not at all, respectively.
2. Other than the above, almost certainly but nothing I can come up with.
3. If someone can post as any old handle requesting that his/her forgotten password be emailed to him/her, you or a moderator should oblige, provided that the ID number matches previous (but not questionable) posts by that handle. Obviously, this still leaves open the possibility for some mischief, but gurupies should also reserve be given the ability to change their passwords.
4. I wish I were qualified to suggest a simpler and more foolproof solution.
2 biliruben
      Sustainer
      ID: 3502218
      Fri, Mar 15, 2002, 15:38
No obvious down-side occurs to me, and the upside could be great. Particularly if this coaxed some of the older posters back to be more active, given (I hope) a more congenial atmosphere this change would create.
3 silver-n-black
      ID: 297382911
      Fri, Mar 15, 2002, 15:57
I am mostly a lurker and an occasional poster. I'm thinking that you would somehow want to ensure that the regulars get to register their original name with a password. Otherwise someone could attempt to register under say MITH, KKB, or RSF with their own password, blocking those people from using their unique almost legendary handles.
4 allhair allstars
      Sustainer
      ID: 52112514
      Fri, Mar 15, 2002, 16:24
Was going to post the same as silver-n-black. The process seems mostly behind the scenes and unobtrusive. We all type in so many passwords on a daily basis that typing in one more (for a considerably longer period of time) hardly seems an issue. Question - is there a way to limit users to one logon?

After reading again, I think the section regarding how to handle "misbehaving users" seems a little cumbersome. No suggestions - just that temporarily limiting enrollment could potentially block other, legitimate users from logging on (if they are new or have lost their cookies).

I like the idea of the link to the Gurupie Bio area. That would be a nice feature.

Agree on continuing to utilize the current ID system. That helps solve some of the issues with "misbehaving users."

Last thought -- On occasion I like to post under a different name. "hirsute allstars" is one, for example. It's rare but all in good fun. Would this option be lost to us?
5 Guru
      ID: 330592710
      Fri, Mar 15, 2002, 17:28
allhair -
You could always register multiple handles, as long as the second handle was available. No need to use the same password, although I'd think you would want to. (hirsute allstars is likely to be available.) Given this issue, why did you ask for users to be limited to one logon? I don't know why that would be desirable, nor do I know how it could be enforced.

I would plan to launch the registration in a controlled process. GuruPatrons and registered users would be given first opportunity to register, and this would be done "quietly" before the system was instituted, just to avoid troublemakers attempting to block existing names. Once the initial flood of registrations is done, I think the process should go pretty smoothly.

If I have to temporarily block new posters, that would only be in extreme situations when needed to maintain order. This would only impact those who had not previously registered a handle/password combo. Simply having your cookie erased would not cause a problem, since the data would still be resident on the server.
6 allhair allstars
      Sustainer
      ID: 52112514
      Fri, Mar 15, 2002, 17:36
Guru,
I see my inconsistency. At first I was thinking that limiting posters to one screen name would limit people from screwing around and causing trouble. Then, of course, I asked about having multiple screen names because I like to screw around and cause trouble. A subtle distinction, I admit... Let's just say I was using my ineptitude to prove a point. Regardless, you have other security measures at your disposal to limit the amount of craziness that might occur, so multiple logons seems not to be a problem. All else sounds great, IMHO.
7 Dan
      Donor
      ID: 0229323
      Fri, Mar 15, 2002, 21:31
Guru, that looks like a great idea if you can implement it. We don't want you spending too much time on that! :-) But I think it's perfect how you outlined it above, if we can get a password system in place it should help the situation quite a bit! Only question I had has now been answered, regarding users getting other users' names. But as you said you will send out an email before the system is public to all forum regulars, so that sounds great. Thanks again for all the hard work, and Good Luck!
8 rockafellerskank
      Donor
      ID: 359283123
      Fri, Mar 15, 2002, 22:10
Guru, if I understand you correctly, registering would be a requirement to post anything, yes?

Here are some other (random) thoughts that may be better/worse or not helpful at all.....

1) What if you kept things as they are, but required registration to use the goodie tools like sartibles, assimilator and 4-week scheduler, for example?

2) What would stop me (for example) from registering Erik B or allhair allstars before the real person got to do so?

3) What if registration was voluntary to protect a handle(s) such as rockafellerskank or rfs ® ?

4) What about putting the posting handle of certain undesirables in the "dirty word library". For example, if Johnny Badboy didn't obey the rules, you could prevent ANYONE from posting under that handle. It would just be posted and thus discourage him to go away?

All in all, I think some kind of control is a good idea.

rfs ®



9 Dan
      Donor
      ID: 0229323
      Fri, Mar 15, 2002, 23:06
rfs, in response to your 2nd question (which was initially a question of mine)

2) What would stop me (for example) from registering Erik B or allhair allstars before the real person got to do so?

It has already been answered...

I would plan to launch the registration in a controlled process. GuruPatrons and registered users would be given first opportunity to register, and this would be done "quietly" before the system was instituted, just to avoid troublemakers attempting to block existing names. Once the initial flood of registrations is done, I think the process should go pretty smoothly.
10 allhair allstars
      Sustainer
      ID: 3501317
      Sat, Mar 16, 2002, 08:52
rfs and Dan,
That's part of it (and I assume that the people that Guru would initially send out emails to would have enough sense to only register their own screennames (and variations)). A different issue is if this isn't the case - for example, say I lose my mind and opt to register "rockafellerskank." I would assume that such an act would immediately freak rfs out and my ruse would be discovered. Plus, Guru still has the user ids to fall back on if this were to happen.
11 Bungers
      ID: 3421630
      Sat, Mar 16, 2002, 10:48
AA, in your "mind losing" scenario it might be wise for Guru to store a secret question in his database that only the real rfs would know. This could be like how the credit card companies often ask for mother's maiden name.

I also like to goof around...no kidding, really...and I do enjoy using different handles in that situation, and that situation only. The best example I can think of is if someone were to make a comment that Pete Rose will never go in the HOF, I would change my handle to Pete Rose and say, "Wanna bet?".
12 Perm Dude
      Leader
      ID: 6235820
      Sat, Mar 16, 2002, 12:35
I agree. Just last week I used the handle "PolPotintheHall."

I'm still a bit up in the air about the proposal, partly because it's not yet formed. I'll mull it over.

pd
13 KrazyKoalaBears
      Donor
      ID: 266182910
      Sat, Mar 16, 2002, 22:03
Personally, I have no problems with requiring registration. 99.9% of message forums require registration now and it's become expected, so anything along these lines is fine by me.

Require some sort of "registration" (or username/password combo) for posting, but not for reading would probably be the best way to handle it. This is also common practice in 99.9% of message forums.

14 blue hen, almighty
      Leader
      ID: 27048221
      Sat, Mar 16, 2002, 22:22
I would like to opine that I don't deem this security necessary, and might create more future problems than actually solve current ones. I'm not negatively affected by the imposters, for the most part, and any system requiring registration, even free and simple registration, is going to deter users.
15 KnicksFan
      Donor
      ID: 52025160
      Wed, Mar 20, 2002, 12:21
I agree with BH that some users will be deterred, but this measure is necessary (at least for the basketball forum).

One thought: What if there is one person who posts under the handle "Dan" and only uses the baseball forum, and there is another "Dan" who exclusively uses the basketball forum. Assume they are both registered users and gurupatrons. Does one of them have to change his name?
16 Guru
      ID: 21020219
      Wed, Mar 20, 2002, 12:39
I guess so... but I don't think that situation currently exists. Although there are multiple Dans, I think only one is a GuruPatron.
17 Dan
      Donor
      ID: 0229323
      Fri, Mar 22, 2002, 09:07
heh I am pretty active in each and every forum! But if the situation were to get out of hand, I suppose I could come up with a more creative handle! ;-)
18 StLCards
      Sustainer
      ID: 27230119
      Sat, Mar 23, 2002, 22:22
How about "The gurupie formerly known as Dan" ;-)

I don't have any problems registering if it makes Guru's life easier. I currently try to refrain from deleting cookies as I know they store the patron type stuff, but I would prefer to delete them routinely. It doesn't take long to get tons of them stored. I do believe it would help guru with site management, so I am in favor of it.
19 quik_ag
      ID: 368423022
      Wed, Mar 27, 2002, 15:06
how about if you require registration to reserve handles but not require it for merely posting. you could then differentiate between the types of users with a "registered" tag beneath their names. This would, at least, make it easy to tell who are the regulars and who may or may not be imposters, but it would also allow me to post as, say, "quik_ag, Guru Jr" without having to register this additional name.

This method, it seems, wouldn't deter posting and would continue the tradition of an open forum, but would institute some sort of regulation when it came to a user's handle -- which i assume is the main problem, correct?
20 Bungers
      ID: 5311343110
      Wed, Mar 27, 2002, 15:08
quick_ag, lobbying for the Guru, Jr award already, eh? ;)
21 quik_ag
      ID: 368423022
      Thu, Mar 28, 2002, 13:18
too soon? ;-)
22 Farn
      ID: 171128623
      Tue, Apr 02, 2002, 09:37
if i get quik's idea i like it. the idea of allowing people to register if they choose would still not force people who choose not to. this way i could register "Farn" and be logged in, thus everyone would know it's me. Someone could still post as Farn, but if people see it's not registered they would likely understand it's an imposter. Everyone wins that way. Those who want to register can, and those who prefer not to aren't forced to.
23 Motley Crue
      Donor
      ID: 53857
      Fri, Apr 05, 2002, 07:39
I haven't been around since the end of football season, so I freely admit that I don't know what sort of "evil ones" we are up against. It just seems to me that this is not necessary. I've always felt like this place has a wide-open door, and anyone should be and is allowed access. My feeling is that a large "PLEASE Don't Feed the Trolls" sign is warranted here and nothing else. Don't waste valuable time building new security features--it's not like we have blueprints for the next Air Force fighter plane prototype in here. Just ignore people who are counterproductive or rude.

If the masses want to push and Guru agrees, then I feel that the suggestion above made by quik_ag will be the simplest and most effective modification to make. My initial vote remains "No Change," though.

//MC
24 Stuck in the Sixties
      Leader
      ID: 12451279
      Sun, Sep 22, 2002, 11:33
Anything new on registration, especially since hoops season is just around the corner?
25 Guru
      ID: 330592710
      Sun, Sep 22, 2002, 22:38
The next challenge is to move the forum to the new server - most likely during October. Any security/registration issues will wait until after that.

Security breaches haven't been too troublesome lately. However, I do need to improve my GuruPatron tracking & recognition routines.
