ZDoom

yum13241 wrote: ↑Thu Jan 19, 2023 9:01 am Having someone hack such a person's account would mean that they could give the game away for free, or post an update that ruins the project's rep. Again, I don't get the fuss.

What can you say? Some people truly value their own laziness and convenience over everything else and no good argument will ever be ablr to convince them that they might be wrong.

Graf Zahl wrote: ↑Thu Jan 19, 2023 9:37 am Some people truly value their own laziness and convenience over everything else and no good argument will ever be ablr to convince them that they might be wrong.

And this thread has perfectly shown proof of that.

Graf Zahl wrote: What can you say? Some people truly value their own laziness and convenience over everything else and no good argument will ever be ablr to convince them that they might be wrong.

If it were up to me, such people wouldn't be welcome here.

Rachael wrote: And this thread has perfectly shown proof of that.

It also shows that they believe anyone with a colored name here is an idiot. (spoiler alert: all of our names are colored here)

To all people who sell games here, I hope you don't complain about the new pwd reqs, because spoiler alert, $$$ requires effort. (or if you're a big corporation, some -ness )

(yes I know Rachael sells games here)

i think that next time this kinda thing happens. explain it in the password stuff or whatever. cause not knowing what's going on with no one giving any explanation is really annoying

In a security context, telegraphing your actions often gives bad actors time to react and adapt to it, and possibly even nullify it. I had considered this, but ultimately I decided the best way to handle this was to pull the rug out from under them. Yes - that does annoy legitimate users, I am well aware of that and I regret it, but in the end it was worth it to thwart those with bad intent, both for the sake of the legitimate users, and for the site overall, making it a less valuable target (hopefully) for those who seek to do wrong.

I haven't screwed up typing my new long password yet.

yum13241 wrote: ↑Thu Jan 19, 2023 1:40 am What if I reset my device? Too bad then/

I fail to see how that's a response to what I said? You said you can't back up the codes, I said you can generate a QR code in the app to do so which is a backup. Yes, if you don't rely on the cloud then you're responsible for doing the backups yourself. That should be obvious. As you also indirectly mentioned in your post, Google Authenticator just implements the standard OTP algorithms (RFC 6238 and RFC 4226). Many cloud backed password managers do so as well and you're free to use them if you don't have the ability to manage backups yourself.

This is of course ignoring that everything with OTP should also be giving you backup recovery codes to store somewhere safe as a last resort, so there's that answer to your scenario as well.

wildweasel wrote: ↑Thu Jan 19, 2023 8:49 am It's not about what information remains private. It's what information your account can be used to spew. Are you perfectly alright with your account being used to spam for crypto?

In this scenario your account will be suspended immediately. If you care about your account, you will also reset the password when you notice it has been compromised, and undo most of the damage.

CandiceJoy wrote: ↑Thu Jan 19, 2023 8:00 am I have personally brought up several ways to try to combat this OTHER than more complex passwords, but there are legitimate reasons why most or all of them, cannot or would not work, unfortunately leaving us with little option but to increase password complexity.

All these legitimate reasons are bullshit. Almost every other website doesn't enforce a 20+ long password. Why this forum is special?

yum13241 wrote: ↑Thu Jan 19, 2023 9:01 am Having someone hack such a person's account would mean that they could give the game away for free, or post an update that ruins the project's rep. Again, I don't get the fuss.

Is there a feature of selling games through zdoom forums? Very curious about that.
About project reputation, again, you can reset your password account and partially undo the damage. Considering you even will be hacked in first place.
Again, give it as an option, as a recommendation. If you are prone to be targeted due to be working on a large project or a project that involves money - better change your password. If you just have made a couple of mods that aren't very popular, or no mods at all, why will you be targeted before the former (if at all)?


Defending this change makes no sense. Any other website doesn't require such a long password, meaning there has to be something wrong with backend security for a large amount of accounts to be compromised. But you all seem to be missing that point.

cyber_cool wrote: ↑Fri Jan 20, 2023 3:33 am In this scenario your account will be suspended immediately. If you care about your account, you will also reset the password when you notice it has been compromised, and undo most of the damage.

This is correct...assuming, of course, that there are moderators around to take action. However, we are people too, as much as we might not like to admit it at times, which means that, unfortunately, we can't be around all the time. Believe me, we do our best and, in some cases, more. But even we need sleep sometimes, as much as we might be loathe to admit it at times. In addition, PHPBB gives us very few options to deal with this sort of issue beyond changing the password requirements. We've discussed multiple alternatives and, much to my personal dismay, every alternative would be worse for y'all, much harder to implement, or technically/financially not feasible. Trust me, I wish there were alternatives as well, but PHPBB ties our hands

cyber_cool wrote: ↑Fri Jan 20, 2023 3:33 am All these legitimate reasons are bullshit. Almost every other website doesn't enforce a 20+ long password. Why this forum is special?

That's absolutely true, very few websites require a password 20+ characters in length. Unfortunately, most of the websites that allow shorter passwords aren't running PHPBB, which means an apples-to-apples comparison can't really be drawn. I have run PHPBB forums in the past myself and I can personally vouch for the fact that keeping them secure isn't easy in the least. I've thrown up PHPBB forums only to have them spammed with adult imagery in mere days, even with some of the more advanced security measures offered by PHPBB. It's honestly a wonder Rachael has kept these forums as secure as she has for as long as she has.

cyber_cool wrote: ↑Fri Jan 20, 2023 3:33 am Is there a feature of selling games through zdoom forums? Very curious about that.

Not directly, no. But, people can and do get hired through private messages, and a compromised account can do a surprising amount of damage in a short period of time. As a web developer, I can tell you that it only takes minutes for a bot to delete an entire large account's worth of messages, possibly 10k posts or more, and you can't undo that kind of damage, not really.

cyber_cool wrote: ↑Fri Jan 20, 2023 3:33 am About project reputation, again, you can reset your password account and partially undo the damage. Considering you even will be hacked in first place.
Again, give it as an option, as a recommendation. If you are prone to be targeted due to be working on a large project or a project that involves money - better change your password. If you just have made a couple of mods that aren't very popular, or no mods at all, why will you be targeted before the former (if at all)?

Technically correct, but in reality, not so much. You can partially undo the damage, but that part may be 1% or less depending on how big your account is, how long your posts are, how much information you posted, etc etc etc. We can suggest as much as we like but, in the end, very few people would actually do it without this change. If we don't stay on top of this, spam could very quickly bury legitimate posts and cause months worth of work for moderation staff; like I said, I've seen it happen myself. This is one reason we take compromised accounts so seriously: if we didn't, the entire forum could be overrun within hours. I seriously, honestly, truly wish I were joking or exaggerating about that, but I've had it happen to my own forums. As long as we stay on top this, though, things will be just fine. The forums I've seen get hacked didn't have these sort of password requirements, nor a difficult-to-guess question guarding signup (yes, that was back in my noob days a decade or two ago when I didn't know any better; luckily the forums that got hacked had very low populations, so the damage was minimal...which is the exact opposite of what would happen if ZDF had the same issue )

cyber_cool wrote: ↑Fri Jan 20, 2023 3:33 am Defending this change makes no sense. Any other website doesn't require such a long password, meaning there has to be something wrong with backend security for a large amount of accounts to be compromised. But you all seem to be missing that point.

It may not make sense to you, and in truth, it may never make sense to you, though I have endeavoured to explain it to the best of my ability. I sincerely apologise for the inconvenience and grief this has caused you. It was never our intent <3 I assure you, however, that backend security is just fine. The only things we lack that the larger sites have, we cannot afford. Because ZDF sees a lot of traffic, and commercial traffic as well, we would have to use enterprise-level services to alleviate these sorts of issues, which are very expensive. In addition, there would likely be no guarantee that those services wouldn't have unintended side effects, such as banning all Russian users, which we will never want or allow, possibly even without our prior knowledge. I work in IT at my day job, and I can't tell you the number of times a company purchases a product without understanding what it will take to implement the product or what the product can actually do. You have my word, though, that if I ever become independently wealthy, I will personally do everything I can to prop up backend security.

I do want to reiterate, however, that we do sincerely and honestly apologise for the inconvenience, as well as any anguish or grief it may cause you. This was never and never will be our intention. We simply wish to protect the information of our users and the security of this platform

Sincerely,
CandiceJoy
on behalf of ZDoom Moderation Team

Let's be serious: I have the feeling that the people complaining the loudest here are those who - to paraphrase an earlier post - still think that "memory" is the most secure password manager.
The reality is: These people are, unless kept in check by strict password requirements, the biggest thread a website can face - because they are easiest to hack.

CandiceJoy wrote: ↑Fri Jan 20, 2023 4:23 am This is correct...assuming, of course, that there are moderators around to take action.

Why not allow users to take action? You can send a e-mail notification when an account is accessed from a new IP address, and that's just one possibility.

CandiceJoy wrote: ↑Fri Jan 20, 2023 4:23 am In addition, PHPBB gives us very few options to deal with this sort of issue beyond changing the password requirements.

I don't know much about PHPBB or just PHP frameworks in general, but from what I have gathered it has a handful of mods, some of them are security-oriented too.
Even if there aren't any security changes you can do to the backend, this doesn't mean changing password requirements is the ultimate solution. Accounts can be compromised by many other ways: hacking into user's e-mail address and then resetting the password, or finding (or using existing) exploits in backend.

CandiceJoy wrote: ↑Fri Jan 20, 2023 4:23 am Unfortunately, most of the websites that allow shorter passwords aren't running PHPBB

This isn't the only website that uses PHPBB. This is not the best source, but you can still look some of them up: https://trends.builtwith.com/websitelist/phpBB
They may not have the same amount of traffic as zdoom forum has, but some come close. And, of course, no 20+ character password.

CandiceJoy wrote: ↑Fri Jan 20, 2023 4:23 am Not directly, no. But, people can and do get hired through private messages

And then they proceed to discuss all the details via private messages. And after that, they send their work through private messages.
No sane person would even do that. Doing freelance work is already like going through hell, and you imply someone is doing it through PMs on a forum.

CandiceJoy wrote: ↑Fri Jan 20, 2023 4:23 am I sincerely apologise for the inconvenience and grief this has caused you.

No need, it only causes minor annoyance. It's just the fact that there is a miriad of ways to improve security and the worst possible way was chosen.

CandiceJoy wrote: ↑Fri Jan 20, 2023 4:23 am The only things we lack that the larger sites have, we cannot afford. Because ZDF sees a lot of traffic, and commercial traffic as well, we would have to use enterprise-level services to alleviate these sorts of issues, which are very expensive.

What kind of attacks did servers suffer that you need an enterprise-grade security? For a PHPBB forum?

CandiceJoy wrote: ↑Fri Jan 20, 2023 4:23 am You have my word, though, that if I ever become independently wealthy, I will personally do everything I can to prop up backend security.

Can't wait.

cyber_cool wrote: ↑Fri Jan 20, 2023 5:12 am Why not allow users to take action? You can send a e-mail notification when an account is accessed from a new IP address, and that's just one possibility.

My friend, you profess simplicity - where there is none.

Do you have a handy addon for this?

cyber_cool wrote: ↑Fri Jan 20, 2023 5:12 am I don't know much about PHPBB or just PHP frameworks in general, but from what I have gathered it has a handful of mods, some of them are security-oriented too.
Even if there aren't any security changes you can do to the backend, this doesn't mean changing password requirements is the ultimate solution. Accounts can be compromised by many other ways: hacking into user's e-mail address and then resetting the password, or finding (or using existing) exploits in backend.

That ship's already sailed - we did it, it's done, there's no going back on it now. Even if there was, I strongly disagree with you, and I think you are making assumptions thinking you know my position, when you really do not.

cyber_cool wrote: ↑Fri Jan 20, 2023 5:12 am This isn't the only website that uses PHPBB. This is not the best source, but you can still look some of them up: https://trends.builtwith.com/websitelist/phpBB

It doesn't matter. I've ran this board without security once, and woke up to 160 posts I had to disapprove for being spam. I am *NOT* doing that again.

cyber_cool wrote: ↑Fri Jan 20, 2023 5:12 am No need, it only causes minor annoyance. It's just the fact that there is a miriad of ways to improve security and the worst possible way was chosen.

Quite a stink you're raising for such a "minor annoyance." Yes there are many ways to improve security - we chose the one that works best for us with the tools and people power that we have.

cyber_cool wrote: ↑Fri Jan 20, 2023 5:12 am What kind of attacks did servers suffer that you need an enterprise-grade security? For a PHPBB forum?

The internet is full of daemons from compromised sources, including bot nets and worms and the like. If you have an unpatched machine spend literally 2 minutes in your router's DMZ, I guarantee it will be a zombie. Even a fully patched machine might not fare long, unless you take certain steps to close unwanted services and such. Yes, most of these are "script kiddie" bullshit scripts that run 24/7, but it doesn't matter - if an attacker (even an automated one) finds a vector they can use, they will take advantage of it immediately. Any type of forum software happens to be one of those vectors - what better way to push your grey-market dubious products than to plaster links in every possible location in order to shove your listing on top of the Google search results artificially?


----

To be clear:

We did *not* do this to annoy you. Yes, it is annoying, we realize that, but that was *not* the intent.

The intent of this was to really fuck up the day of those very compromisers and attackers. And to that end, I think I was fairly successful. Yes, it comes at a cost, but the goal was to do it in a way that legitimate users could recover from the action easily, and the bots would suffer a critical blow in their battle to take over the forum.

And I know you disagree with me on this point, but I am going to make it anyway: Security is everyone's responsibility. If you give even an inch on it, bad actors will take a mile. We would not have scammers if there weren't victims to fall for scams. We would not have phishers if there weren't people who didn't check their browser's location bar when entering their password. Etc, etc. The reason why we have such awful shit to deal with to begin with, is because people don't take it seriously enough.

Rachael wrote: ↑Fri Jan 20, 2023 5:29 am My friend, you profess simplicity - where there is none.

Do you have a handy addon for this?

Well, okay, I get it, you don't consider writing something custom to resolve a security issue.

Rachael wrote: ↑Fri Jan 20, 2023 5:29 am That ship's already sailed - we did it, it's done, there's no going back on it now. Even if there was, I strongly disagree with you, and I think you are making assumptions thinking you know my position, when you really do not.

How much people are really working on backend and how much people are just writing messages in this thread justifying the decision?

Rachael wrote: ↑Fri Jan 20, 2023 5:29 am Quite a stink you're raising for such a "minor annoyance." Yes there are many ways to improve security - we chose the one that works best for us with the tools and people power that we have.

Best for you, not users? I already know that.

Rachael wrote: ↑Fri Jan 20, 2023 5:29 am The internet is full of daemons from compromised sources, including bot nets and worms and the like. If you have an unpatched machine spend literally 2 minutes in your router's DMZ, I guarantee it will be a zombie.

Why would I ever put something in DMZ in first place?

Rachael wrote: ↑Fri Jan 20, 2023 5:29 am Any type of forum software happens to be one of those vectors - what better way to push your grey-market dubious products than to plaster links in every possible location in order to shove your listing on top of the Google search results artificially?

That's how search engines work apparently? Amount of links on one website inflates search results for other website? Wow, I learn something every day. (Considering this attacks happen so often and in such amounts that you can't clear the forum from such spam links. Apparently it didn't happen yet.)

Rachael wrote: ↑Fri Jan 20, 2023 5:29 am It doesn't matter. I've ran this board without security once, and woke up to 160 posts I had to disapprove for being spam. I am *NOT* doing that again.

What doesn't matter? That other forums, somehow, achieve the same or better level of security without requiring 20+ character passwords? I am reading yet another huge reply and noone has answered this question I asked almost 3 pages above.

cyber_cool wrote: ↑Fri Jan 20, 2023 5:46 am Well, okay, I get it, you don't consider writing something custom to resolve a security issue.

If only we had 48 hours in a day or something ...

cyber_cool wrote: ↑Fri Jan 20, 2023 5:46 am How much people are really working on backend and how much people are just writing messages in this thread justifying the decision?

Everyone has lives. Even among the ones we have doing backend stuff - we don't spend 24/7 here and it is unreasonable for you to ask us to. We are not your slaves.

cyber_cool wrote: ↑Fri Jan 20, 2023 5:46 am Best for you, not users? I already know that.

So you want our moderators to burn out from being overworked doing a bunch of shit while being paid absolutely nothing? Yeah, no, I will pass on that proposal, thanks. I have a fairly happy moderator team who is able to handle *human* issues because they are not burdened spending all their time handling unapproved posts from spammers at a rate of hundreds per day, and I like to keep it that way.

cyber_cool wrote: ↑Fri Jan 20, 2023 5:46 am Why would I ever put something in DMZ in first place?

You missed the entire point. The forum *is* in the DMZ.

cyber_cool wrote: ↑Fri Jan 20, 2023 5:46 am That's how search engines work apparently? Amount of links on one website inflates search results for other website? Wow, I learn something every day. (Considering this attacks happen so often and in such amounts that you can't clear the forum from such spam links. Apparently it didn't happen yet.)

Good to know you want the ZDoom forums to be used as a grey-market advertising area for people to push their Google search traffic. Yeah, this is really helping me to take you seriously.

cyber_cool wrote: ↑Fri Jan 20, 2023 5:46 am What doesn't matter? That other forums, somehow, achieve the same or better level of security without requiring 20+ character passwords? I am reading yet another huge reply and noone has answered this question I asked almost 3 pages above.

Good for them, I guess?

Rachael wrote: ↑Fri Jan 20, 2023 5:54 am Good to know you want the ZDoom forums to be used as a grey-market advertising area for people to push their Google search traffic. Yeah, this is really helping me to take you seriously.

Or that there are better attack targets. PHPBB has a market share of 0.2%, wordpress - 43.2% (https://w3techs.com/technologies/overvi ... management).

Rachael wrote: ↑Fri Jan 20, 2023 5:54 am So you want our moderators to burn out from being overworked doing a bunch of shit while being paid absolutely nothing? Yeah, no, I will pass on that proposal, thanks. I have a fairly happy moderator team who is able to handle *human* issues because they are not burdened spending all their time handling unapproved posts from spammers at a rate of hundreds per day, and I like to keep it that way.

You wrote the same thing thrice. I know for a fact that you are not paid. But I also don't believe that every other possible solution is so hard that you are not able to implement it.
You could, for example, make this password requirement last until you figure out how to, at least, notify users of a login attempt from other IP address. It would be understandable if it took you some time, like a month. But it would be much better than this dumpster fire.

Rachael wrote: ↑Fri Jan 20, 2023 5:54 am Good for them, I guess?

Still no answer.