Calico Jack, posted April 19

Hello, sorry if this has been brought up before. I noticed there are a lot of posts about spam, scammers and such. I also noticed if you go to "Online Users", you can see "Guest" users viewing pretty much anything they want. I realize people may check the SASS forum from many devices and not always be logged in, but I feel a layer of security/protection the forum is missing is simply not allowing anyone who is not signed in and registered to view the forum.

Commonly on other forums there are general rules/FAQ sections and new/guest user sections which can be viewed by users/guests that are not logged in. This way there is still something for a guest/new user or member not signed in to be able to see relevant content, but it also limits exposure of member information. If any guest can see any post, new or old, we can essentially force anyone looking to harvest data to take extra steps.

Another thing missing from this forum is 2FA/MFA. This may not be supported by the host, but it's an industry standard and would go a long way to help protect people. I realize setting that kinda thing up is not always fun, but frankly I would rather volunteer my time helping members set that up than continue to allow people to attempt to scam good people.

Anyway, I hope a mod or admin could humor me with their thoughts on the above. Thank you, be well and be safe!
Eliphalet R. (Moderator), posted April 19

Right now, we have Google Authenticator available to all who wish to use it. (Sorry, no other 2FAs are available to us at this time.)

Go to the dropdown arrow next to your name in the blue top bar. Choose "Account Settings". Then click on "Security and Privacy". Re-enter your password and reauthenticate. Follow the directions to download the app and set up Google Authenticator. If on a computer and you cannot access the QR code, click on the "can't use QR code" link.
John Kloehr, posted April 19

54 minutes ago, Calico Jack said:
I also noticed if you go to "Online Users", you can see "Guest" users viewing pretty much anything they want.

Any forum member who does not have a SASS number is a "guest." SASS numbers are only required at state or higher level matches, or for those who want to keep exclusive use of their alias.

With that understood, the forum is also publicly readable and is indexed by search engines. I suppose it could be closed to public readability without logging in; I do find using Google to search the forum far more accurate and useful than using the built-in search feature.

I don't think the Invision software supports finer control such as not being able to PM, not seeing or not being able to post in certain sections like Classifieds, or other restrictions. Not being able to PM or post in Classifieds until a certain post count might help eliminate some bad apples; having some way of verifying SASS numbers would be a good thing (some scammers have simply made up a number).

The biggest thing to cut down on scams is not having public contact info. Not sharing contact info in a thread, and conducting actual business (addresses, payment details, real names) only by PM by both buyers and sellers, would also cut down on a lot of scams.

The biggest weakness here is the trusting nature of us cowboys. Even with locking this forum down from public view, the only barrier at that point is creating an account to still gain access. Even assuming a modest post count to get Classifieds access, all the other scam means and methods would still be there. Not really a solution to the people problem.

On edit: My former life was working as a cyber security expert.

Edited April 19 by John Kloehr
Eliphalet R. (Moderator), posted April 19

We currently have no way of forcing Wire Members to use two-factor log-in, nor to force a password change en masse.
Calico Jack (Author), posted April 19

10 minutes ago, Eliphalet R. (Moderator) said:
Right now, we have Google Authenticator available to all who wish to use it. (Sorry, no other 2FAs are available to us at this time.) Go to the dropdown arrow next to your name in the blue top bar. Choose "Account Settings". Then click on "Security and Privacy". Re-enter your password and reauthenticate. Follow the directions to download the app and set up Google Authenticator. If on a computer and you cannot access the QR code, click on the "can't use QR code" link.

Good lookin' out! I missed that on the main account page; I was expecting to see it under the Password section or the section for other settings. I didn't realize an additional dropdown menu shows up to get to more security settings. Thanks!

MFA not being enforced on all users may be another area to cut down on scammers and spammers. An additional step for them to go through to try and rip someone off may dissuade some from trying. I always prefer to make it as difficult as possible for someone with ill intent to accomplish their goal.
Calico Jack (Author), posted April 19

3 minutes ago, Eliphalet R. (Moderator) said:
We currently have no way of forcing Wire Members to use two-factor log-in, nor to force a password change en masse.

Dang, just saw this; that's too bad! Thanks for discussing this with me.
Calico Jack (Author), posted April 19

13 minutes ago, John Kloehr said:
Any forum member who does not have a SASS number is a "guest." SASS numbers are only required at state or higher level matches, or for those who want to keep exclusive use of their alias. With that understood, the forum is also publicly readable and is indexed by search engines. I suppose it could be closed to public readability without logging in; I do find using Google to search the forum far more accurate and useful than using the built-in search feature. I don't think the Invision software supports finer control such as not being able to PM, not seeing or not being able to post in certain sections like Classifieds, or other restrictions. Not being able to PM or post in Classifieds until a certain post count might help eliminate some bad apples; having some way of verifying SASS numbers would be a good thing (some scammers have simply made up a number). The biggest thing to cut down on scams is not having public contact info. Not sharing contact info in a thread, and conducting actual business (addresses, payment details, real names) only by PM by both buyers and sellers, would also cut down on a lot of scams. The biggest weakness here is the trusting nature of us cowboys. Even with locking this forum down from public view, the only barrier at that point is creating an account to still gain access. Even assuming a modest post count to get Classifieds access, all the other scam means and methods would still be there. Not really a solution to the people problem. On edit: My former life was working as a cyber security expert.

John, just to clarify: someone can be logged into an account with a Display Name set, but if they have not entered a SASS number then they will show as a "Guest" in Online Users? I trust you, I just feel like that does not make sense. Why would it just show Guest instead of their display name?

As I understand it, the field to set the SASS number is just an entry box; it doesn't verify the number's validity in any way. Let me know if I am wrong on that!

I agree that minimum restrictions for private messages and the classifieds forum as a whole should be implemented. No one should be able to post something for sale on their first post with no verification at all. There needs to be some rapport or history. In other places I have seen trade feedback reported on users' profiles, so when a sale is complete both buyer and seller can honor each other to indicate the deal completed without issue.

Appreciate your insight, my fellow nerd!
Tyrel Cody, posted April 19

19 minutes ago, John Kloehr said:
I don't think the Invision software supports finer control such as not being able to PM, not seeing or not being able to post in certain sections like Classifieds, or other restrictions. Even with locking this forum down from public view, the only barrier at that point is creating an account to still gain access. Even assuming a modest post count to get Classifieds access, all the other scam means and methods would still be there. Not really a solution to the people problem.

I think they can, and I would be shocked if they couldn't. Pretty sure there exists a Territorial Governor's forum that is locked down so that only they can see it.

I've always been a proponent of locking the Classifieds down for only active members.
Eliphalet R. (Moderator), posted April 19

32 minutes ago, Calico Jack said:
John, just to clarify: someone can be logged into an account with a Display Name set, but if they have not entered a SASS number then they will show as a "Guest" in Online Users? I trust you, I just feel like that does not make sense. Why would it just show Guest instead of their display name?

We have a major Invision update coming soon. I have no idea what it's going to look like or what controls will be available to us in "Invision Community 5".

Right now, a person is "supposed" to enter their SASS number or type "Guest". But there is nothing available to us to force that. So, when a new Wire member signs up, it can be blank.

So, this is a bit labor-intensive; we manually check every new profile. If there is no SASS number, we enter Guest. We check the IP address against a locator program and remove access from anyone who is not from a country that has CAS-related activities. We enter the person's location in their profile. If they are using a proxy server or VPN, we check the abuse ratings. In their profile, we enter "Proxy/VPN no confirmed location". VPNs are finding wider use; I'd say about a fourth of our members use one.

Indian spammers like to sign up at around 4 am EST. So, they might post their silly spam, but it's quite obvious, and we kill and bounce them as soon as we see it. I wish we had country-specific control.... There are a lot of controls I wish we had access to. It would make our lives easier. Perhaps in the next version.

In the meantime, I continue to urge members to search for their "e-mail address"+SASS in Google and edit their posts to remove it. Or, report the post and ask us to delete the information. I ask everyone to check their profile and delete added contact information. We've been asking this for a couple of years now. But I can't force them. We've suggested ways to make secure passwords. Obviously, this has fallen on deaf ears.
John Kloehr, posted April 19

10 minutes ago, Tyrel Cody said:
I think they can, and I would be shocked if they couldn't. Pretty sure there exists a Territorial Governor's forum that is locked down so that only they can see it. I've always been a proponent of locking the Classifieds down for only active members.

A forum here can be locked except to those who are members. There is likely also a moderators' forum we don't even see.

My comment was in the context of rules-based access such as in some other platforms. For instance, must have 5 posts to enable PMs, 30 posts and 30 days before being able to post in Classifieds. And the access turns on automatically without admin intervention. Fora has such features. Fora also has advertising. I like the lack of advertising (banners, sidebars, pop-ups).

Except for automated registration and default access, all of the access restrictions/permissions on Invision are performed manually. There are other platforms/hosts who have offerings such as phpBB. This can be an ad-free platform; I do not know how much can be automated for access. What I do know is the level of technical expertise on phpBB and the host companies it runs on is much higher, serious sysadmin stuff. SASS cannot afford what that would cost.

I don't think SASS can even match all claimed SASS numbers to real people on this forum (as a bulk operation); the main office can verify, for instance, that my SASS number matches my alias and login, and can probably compare my claimed real name in my private forum profile to my alias. This is helpful but still would not fully protect in the event my account is hijacked. Should I offer to sell something, posts here already invite these queries during business hours.
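The two posts above describe, between them, a manual new-profile check (blank SASS number means "Guest", IP country outside CAS countries means removal, proxy/VPN gets a "no confirmed location" note) and the rules-based access found on other platforms (5 posts for PMs, 30 posts and 30 days for Classifieds). The following is an added example, not code from the thread or from Invision, showing how both would combine into one automated decision; the country allow-list, the member records and the rule that Classifieds also requires a SASS number (as Tyrel suggests) are constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Optional, Set

# Thresholds as floated in the thread (5 posts for PMs; 30 posts and 30 days for Classifieds).
PM_MIN_POSTS = 5
CLASSIFIEDS_MIN_POSTS = 30
CLASSIFIEDS_MIN_DAYS = 30
# Constructed allow-list standing in for "countries that have CAS-related activities".
CAS_COUNTRIES = {"US", "CA", "AU", "NZ", "GB", "DE"}

@dataclass
class Member:
    name: str
    joined: date
    posts: int
    sass_number: Optional[str]   # the software lets this be blank on sign-up
    country: Optional[str]       # ISO code from an IP locator; None if unknown
    proxy_or_vpn: bool = False   # set when the locator flags a proxy/VPN

@dataclass
class Decision:
    allowed: bool
    profile_note: str            # what a moderator would type into the profile
    permissions: Set[str] = field(default_factory=set)

def evaluate(m: Member, today: date) -> Decision:
    # Step 1: the manual profile check, automated. A confirmed non-CAS country
    # removes access outright; a proxy/VPN user gets the note but stays.
    if m.country is not None and m.country not in CAS_COUNTRIES:
        return Decision(False, "outside CAS countries; access removed")
    note = "Proxy/VPN no confirmed location" if m.proxy_or_vpn else (m.country or "unknown")
    is_guest = not (m.sass_number or "").strip()
    if is_guest:
        note = f"Guest ({note})"
    # Step 2: rules-based access that turns on without admin intervention.
    perms = {"read"}
    age_days = (today - m.joined).days
    if m.posts >= PM_MIN_POSTS:
        perms.add("pm")
    if (m.posts >= CLASSIFIEDS_MIN_POSTS and age_days >= CLASSIFIEDS_MIN_DAYS
            and not is_guest):
        perms.add("classifieds")
    return Decision(True, note, perms)
```

The country check and the thresholds are the policy knobs; everything else is just reading fields the forum already stores, which is the point of turning the manual check into something that runs at sign-up and on every post.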
John Kloehr, posted April 19

3 minutes ago, Eliphalet R. (Moderator) said:
We have a major Invision update coming soon. I have no idea what it's going to look like or what controls will be available to us in "Invision Community 5". Right now, a person is "supposed" to enter their SASS number or type "Guest". But there is nothing available to us to force that. So, when a new Wire member signs up, it can be blank. So, this is a bit labor-intensive; we manually check every new profile. If there is no SASS number, we enter Guest. We check the IP address against a locator program and remove access from anyone who is not from a country that has CAS-related activities. We enter the person's location in their profile. If they are using a proxy server or VPN, we check the abuse ratings. In their profile, we enter "Proxy/VPN no confirmed location".

You are doing more than I thought you did. It is labor intensive. And I fear software updates, LOL.
Calico Jack (Author), posted April 19

14 minutes ago, John Kloehr said:
You are doing more than I thought you did. It is labor intensive. And I fear software updates, LOL.

My thoughts exactly! I wish we had some of the features everyone has mentioned, but in the end the weak point is the user, lol.

Honestly, Eliphalet, you do more for this forum than I see at some clients. Kudos to you.
Sedalia Dave, posted April 19

3 hours ago, Tyrel Cody said:
I've always been a proponent of locking the Classifieds down for only active members.

Better would be to lock it down so that only verified members can access it.
Tyrel Cody, posted April 19

7 minutes ago, Sedalia Dave said:
Better would be to lock it down so that only verified members can access it.

Well, I meant active SASS members, so no guests.