Compromised Moderator Login; your data is safe though

[Flintlock]

Check now, Flint

Perfect! Thanks again.

 

[lymond]

Everyone - Please post here if you find any missing threads or resources, and we will try to address it best we can. At minimum, and as a start, we can try to get the OPs set back up. For larger threads though, that disappeared, this is a rather large job. We did restore quite a few things today. I've noted FoxAhead's stuff from the earlier mention, and will try to get to it tomorrow. My brain is fried right now

Thank you for your understanding and patience.

 

[Finwickle]

The discussion thread for civ 7 map tacks is still missing: https://forums.civfanatics.com/threads/wltks-detailed-map-tacks.697164/

 

[justanick]

https://forums.civfanatics.com/threads/warrior-city.697486/

Is it possible to restore this thread opened by kaskavel?

 

[Civinator]

In the OT- Humor & Jokes-forum, the thread about the funny images (I don´t know the correct title) seems to be missing, too.

 

[Samson]

This all sounds a bit nasty, though with an intrusion like that my first thought is that it could have been a whole lot worse. Well done to all those involved with dealling with this. Can I ask if lost posts are likely to come back, or should we rewrite then?

Many moderators have now activated 2-factor authentication.

As it is one of my bugbears I shall add my thoughts here, but I am not a profesional in this or anything:

Most things called 2FA are what I would call "Wish it was two factor". I think the answer is to make the one factor a good factor, and the answer to this is passkeys. It is implemented in free software as KeePassXC. It seems to answer all the primary security problems. A google seems to indicate then are available in Xenoforo, but I know less about forums than I do about authentication.

My thoughts on the two main "Wish it was two factor" methods:

• Time based one time passwords (MS/Google authenticator) This solves the MITM problem, and prevents the use of weak passwords if the server chooses the key (but you could do this with traditional passwords). It weakens the defence agaisnt server attacks as they must store the key in full rather than a hash.
• Out of band communications (SMS/email code) This just pushes the problem a level up, and makes login dependant on a third party.

 

[Noble Zarkon]

I think the answer is to make the one factor a good factor, and the answer to this is passkeys

I think passkeys will be the answer but aren't there yet.

Passkeys: they're not perfect but they're getting better

Passkeys are the future of authentication, offering enhanced security and convenience over passwords, but widespread adoption faces challenges that the NCSC is working to resolve.

www.ncsc.gov.uk

 

[Samson]

I think passkeys will be the answer but aren't there yet.

Passkeys: they're not perfect but they're getting better

Passkeys are the future of authentication, offering enhanced security and convenience over passwords, but widespread adoption faces challenges that the NCSC is working to resolve.

www.ncsc.gov.uk

I think this is flawed:

> Inconsistent support and experiences

The lack of widespead built in support is an issue, and I think there needs to be a fallback text box based procedure, but I using minority OS and browsers I have managed to get them working. The FIDO Alliance and W3C have already a lot of "standards, guides and tools" that make this quite achivable today.

> Device loss scenarios

This is no different to any solution other than a password that is simple enough to remember, and we all know how bad that is. If you store your username/passwords, TOTP and passkeys in your password manager and have a backup procedure in place for that you are covered. If you do not you are likely to lose any authentication you cannot store in your head.

> Migration issues

I do not understand this at all. If I store the passkey details (principally KPEX_PRIVATE_KEY_PEM but the others are needed too) I can recreate it in a new copy of KeePassXC. Sure it may be a bit difficult if it is a completely new program that is not set up to take those credentials, but that is the same for any software system.

> Account recovery processes

That is not a flaw in passkeys, but a seperate problem that needs its own solution.

> Platform differences

"People use different words"? Seriously? Like what?

> Suitability for all scenarios

It is true that it does rely on the indavidual have exclusive access to some data. If you can come up with a solution for that then great, but it hardly seems like a fault of passkeys that they do not solve that problem.

> Implementation complexity

If you are serving your stuff on multiple TLDs then you are going to have authentication complexities.

> Inconsistent use

"Some people use them differently". Tis is true for4 any tool, and the flexability is an advantage rather than a disadvantage.

> Uncertainty around multi-factor status

That is only because people do not understand what the words they use mean, not helped by the NCSC describing TOPT as 2FA.

> Uncertainty around syncing and sharing

This is not exactly a problem with passkeys but with anything but hardware tokens or biometrics. If you need to identify something other than "this person knows this secret" then you need a different solution to most of the web.

 

[Noble Zarkon]

I using minority OS and browsers I have managed to get them working

I have no doubt that technically competent people can cope with passkeys, that's not the issue!

 

[Samson]

I have no doubt that technically competent people can cope with passkeys, that's not the issue!

If the primary problem preventing the implementation is "it is too hard for non-technical people to set up" then they could say that explicitly. I would counter with have you tried:

• Install KeePassXC
• Install KeePassXC browser extension for your prefered browser
• Connect the two tools
• Test at https://webauthn.me/debugger

If you have tried that on a major OS/browser configurtion and it fails I would be interested to hear your experiences. Nothing there requires any technical skill, and is really not very different from using a password manager.

 

[Noble Zarkon]

Nothing there requires any technical skill, and is really not very different from using a password manager.

I'm not talking about myself I run my own IT Consultancy lol - the issue is that you are way overestimating the technical ability of ordinary users, many of whom struggle with things like password managers. In case you haven't realised that link I shared is from the UK Government's National Cyber Security Centre!

 

[lymond]

https://forums.civfanatics.com/threads/warrior-city.697486/

Is it possible to restore this thread opened by kaskavel?

I do recall seeing this and will look into it today. I almost did yesterday, but had a little trouble figuring out the OP.

edit: Thread restored

 

[Samson]

I'm not talking about myself I run my own IT Consultancy lol - the issue is that you are way overestimating the technical ability of ordinary users, many of whom struggle with things like password managers. In case you haven't realised that link I shared is from the UK Government's National Cyber Security Centre!

I did absolutely know that, I even quoted them back claiming TOTP are 2FA.

As I say, if the answer is "passkeys are too hard to use" then people should say that, and then we can have a chance of fixing it. It is not like the algorithm is uniquely hard to implement, the only reason that passkeys are harder than TOTPs is because no one has make such a slick app as MS/Google authenticator with the passkey algorithm.

I will also say we are not actually talking about ordinacy users, but A) mods and perhaps most importantly B) the admins who would have to implent something.

 

[Askia Muhammad]

Any word on restoring the player count thread? Assuming it’s even possible given that it was so many pages

 

[lymond]

RHQ mod discussion thread disappeared too (Civ 7)

Old bookmark: https://forums.civfanatics.com/threads/rhq-artificially-intelligent-ai-mod.695214/

I believe I got this restored yesterday. Please lemme know if you find an issue. (your link won't work though) edit: now I remember. The discussion OP was restored and linked to resource, but the other posts have not been added. I will try to do that at some point but that one is a particularly large job.

 

[lymond]

Also:

https://forums.civfanatics.com/threads/making-a-clone-of-civ-ii.649543/

Should we post here all missing links? Or there will be some automatic backup restore?

OP restored at least. Other stuff will be much more difficult.

 

[lymond]

Fox Ahead's mod thread in Civ2, too.

https://forums.civfanatics.com/threads/civilization-ii-mge-user-interface-additions-civ2uia.623515/page-22#post-16812699

OP restored

 

[Samson]

I did absolutely know that, I even quoted them back claiming TOTP are 2FA.

As I say, if the answer is "passkeys are too hard to use" then people should say that, and then we can have a chance of fixing it. It is not like the algorithm is uniquely hard to implement, the only reason that passkeys are harder than TOTPs is because no one has make such a slick app as MS/Google authenticator with the passkey algorithm.

I will also say we are not actually talking about ordinacy users, but A) mods and perhaps most importantly B) the admins who would have to implent something.

I should be clear this is not a critism of this site but ot "the establishemnt", including the NCSC. If it was easy to add passkey login I would at least try to use it, but it would make you better than a lot of big tech.

 

[Solver]

As I say, if the answer is "passkeys are too hard to use" then people should say that, and then we can have a chance of fixing it. It is not like the algorithm is uniquely hard to implement, the only reason that passkeys are harder than TOTPs is because no one has make such a slick app as MS/Google authenticator with the passkey algorithm.

Not to take this too far off topic, but this seems to be an eternal problem. I did a couple years in information security research, a while ago now, and one of the things constantly coming up at any conference was "we have X which is clearly superior for authentication/key exchange/signing/whatever but it seems harder because of the UI/terminology/lack of polished implementation/other issue".

Personally at least, I'm long since convinced that usability is by far the most important aspect of security in almost all applications. In most cases, most users will only use whatever is convenient enough, and other technologies may as well not as exist except for technically minded users or very security-sensitive environments.

 

[Samson]

Not to take this too far off topic, but this seems to be an eternal problem. I did a couple years in information security research, a while ago now, and one of the things constantly coming up at any conference was "we have X which is clearly superior for authentication/key exchange/signing/whatever but it seems harder because of the UI/terminology/lack of polished implementation/other issue".

Personally at least, I'm long since convinced that usability is by far the most important aspect of security in almost all applications. In most cases, most users will only use whatever is convenient enough, and other technologies may as well not as exist except for technically minded users or very security-sensitive environments.

If passkeys were the standard option when registering online, and I had to click some sort of "Other Options" button to use a username/password to register I would be more ready to accept that this is principally a user problem. I went down the list of passkey sites and could not find out that allowed passwordless registration. Surely everone who actually implements a web site understands how bad passwords are, so why is it impossible to register for basically any online service without one? It does not obviously seem like a user drive problem to me.