Compromised Moderator Login; your data is safe though

One need not literally offer both services to know about audiences' reactions. The effect of increasing complexity on accessibility and user base size can easily be observed from any number of cases where this *was* done already.

In more general terms also, studies of consumer behaviours and actions allow for some reasonably well-educated guesses as to whether making the registration process more complex would harm accessibility (and usage) of a service in the long run.

Even pushing Passkeys as the default option and requiring an extra step for people to choose an alternative could do that. For most online services, the risks taken versus potential benefits are just not there to make this a reasonable option to push.
Just a little clickable logo at the bottom of the page would be quite enough really, and remember I am not directly comparing passkeys to username/passwords, but to username/passwords as one factor and one of the previously mentioned methods as another "factor" in the sort of 2FA that The_J mentioned. KeePassXC is, for me, a lot easier than both factors, and frequently counts as two.

How can one program count as two factors? I can list some different methods of 2FA:

Username/passwords: Everything does that, including KeePassXC.
TOTP, i.e. Google / Microsoft Authenticator: KeePassXC does this, and does not require you to go to big tech.
Hardware-based: If you want to buy, for example, a YubiKey, KeePassXC integrates with that well.
Out-of-band one-time passwords, i.e. SMS/email link: That depends on the definitions really, but it should not be able to do this. Of course, that frequently means going through big tech, which, considering the current climate, I am not sure is a great idea to be driving people towards.

Which two of these would really be easier than one well-supported open-source tool that came easily through the GUI install tool on my system?
 
You're never going to get widespread buy-in for an authentication system that needs to include a "you might lose access to all your accounts if you lose access to your device" as a warning, because (as most people perceive it), loss/damage/destruction/theft of the physical device is a far more *real* threat than someone managing to get into their online accounts.

A few years ago, the battery in my phone swelled up dangerously (not quite a spicy pillow, but I didn't trust it) and it meant I was unable to access some accounts until the replacement came. I don't like 2FA that depends on a small device that is easy to break, lose, or get stolen.
 
I work from home, and we require cell authentication to get onto the VPN. One morning my phone died and I was pretty much dead in the water. I still appreciate the extra security, though (and I appreciated the little extra "off" time while I got everything transferred to an old backup phone, heh).
 
Do mod accounts have that much freedom to change things, or was this the absolute worst that could happen? (manipulating threads and banning some users)
Also, was this a programming-wise illiterate hacking (just making use of a poor password by guessing etc), or something which also implies use of code/tools?
Tbh, it could have been used more stealthily, by impersonating the mod, instead of immediately banning people ^^
You are pretty much right.
Merging is probably the worst direct thing he could do, but yes, impersonating would have been a big threat too.
I guess he thought that the actual mod might reset the password if he finds out, as we don't think the email was compromised. So there was only limited time.
To me this all sounds more like an angry person kicked from the site (for being an idiot) who wanted revenge, and anger is seldom stealthy.
I think you are right on that too.
 
Thunderfall got a reply back from Xenforo. It seems it's either rolling back or not, and this has now gotten way too late.
It seems that @Blake00 found an option which will allow me to program something to get the threads back. That will not be fast, but I hope I can get to this over the weekend.
In case you see another post from @lymond , then give him a "like", as he's restored some other big thread in the meantime.
 
Dropped by to post a piece of news in a thread that seems to have vanished. Attacked? Nothing's ever safe on the internet. This forum ought to be small enough that the best strategy is to accept loss of modifications and load recent backups. You do have them, right?
 
They state in the OP that they run a backup every 12 hours, but at the time of detection the last backup had been affected, so it was either lose 24 hours of the forum, or try to manually untangle the merged threads. It has now been even longer, and they've stated they're not going to rely on the backup at this point, and instead are going to try to code an automated way to un-merge the threads.
 
There is currently already a replacement thread, and there is not much actual content in this thread... so....
It seems we will accidentally restore it though while splitting off other content.
I would argue that this thread could be very valuable in the future. I agree it was chaotic and often close to crossing the border of civilized discussion. But to show its value: during this thread's life I tried to find a similar thread for Civ6 on the forum but didn't find anything. I was hoping for it to exist to be able to try to get some nice comparable data about player counts. We have steamdb, but old data is not that precise, and a similar thread would offer nice detailed snapshots of the situation that could be used for comparison. Now we might at least have a Civ7 thread for the time Civ8 will be released, so I'm still rooting for you to be able to revert it back. :)
 
As said, most have activated 2FA anyways now.


This is precisely the case.
As mentioned also in this thread, I will try to programmatically restore the remaining threads over the next weekend.
 
If you get it done by Sunday, you will get “resurrection” credit.
 
It will not be Sunday, I am afraid.
Going via the web interface via a bot is a complete nightmare for me.
In addition, it seems that in the internet archive only roughly half of the necessary pages were conserved. I think I might be able to determine where the rest of the posts have to go depending on who posted it and at which time, but that will probably not work for all.
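One way to implement the placement heuristic described in this post (deciding where a post belongs from who wrote it and when, and leaving the ambiguous ones alone), as an added example that is not code from the forum or from XenForo; the post data, thread ids, and the window and margin values are constructed assumptions:

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Post:
    post_id: int
    author: str
    posted_at: datetime
    thread_id: Optional[int] = None  # None: original thread lost in the merge


def assign_threads(archived, unknown, window=timedelta(hours=6),
                   min_margin=timedelta(hours=1)):
    """Return {post_id: thread_id} for the unknown posts that can be placed.

    An unknown post goes to the thread of the same author's archived post that is
    closest in time. It stays unplaced (manual review) when the author has no
    archived post within `window`, or when the runner-up belongs to a different
    thread and is less than `min_margin` further away (ambiguous).
    """
    by_author: Dict[str, List[Post]] = {}
    for a in archived:
        by_author.setdefault(a.author, []).append(a)
    placed = {}
    for p in unknown:
        ranked = sorted(((abs(a.posted_at - p.posted_at), a) for a in
                         by_author.get(p.author, [])), key=lambda t: t[0])
        if not ranked or ranked[0][0] > window:
            continue  # nobody to anchor on
        best_dt, best = ranked[0]
        rivals = [dt for dt, a in ranked[1:] if a.thread_id != best.thread_id]
        if rivals and rivals[0] - best_dt < min_margin:
            continue  # two threads equally plausible: do not guess
        placed[p.post_id] = best.thread_id
    return placed


# Constructed sample: threads 100 and 200 were merged; posts 3, 6, 7 lost theirs.
T0 = datetime(2025, 3, 1, 12, 0)
ARCHIVED = [
    Post(1, "alice", T0, thread_id=100),
    Post(2, "bob", T0 + timedelta(minutes=30), thread_id=200),
    Post(4, "alice", T0 + timedelta(hours=2), thread_id=100),
    Post(5, "bob", T0 + timedelta(hours=2, minutes=10), thread_id=100),
]
UNKNOWN = [
    Post(3, "alice", T0 + timedelta(hours=1)),            # only thread 100 fits
    Post(6, "bob", T0 + timedelta(hours=1, minutes=20)),  # 50 min from both: ambiguous
    Post(7, "carol", T0 + timedelta(hours=1)),            # no archived anchor
]
```

Calling `assign_threads(ARCHIVED, UNKNOWN)` places only post 3 (thread 100); posts 6 and 7 are left for manual review, which is the "will not work for all" case.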
 
So the idea was to somehow do web archive scraping to get a list of posts belonging to a specific topic? Sounds like a really big detour to achieve the goal. If you still have a db backup from 12h before the incident, restoring it on the side or even on a local PC could give you those posts much more easily, I feel. Although maybe I misunderstood your description.
 
No, you understood the idea correctly, and the scraping has been done already, so we got what is publicly there, but that is just not everything, as a lot is missing.
There is also a backup from roughly 12h before everything happened.
Since everything is running on the Xenforo cloud, we don't have direct access though, and we'd need to ask them to spin up an independent instance with a backup. I have considered this, but I am not sure they'd do it, and right now the actual handling of the situation via the web browser is having more of my attention. Although I asked Thunderfall if I could get an API key to the forum with moving permissions, that would make everything easier.
 
Ah, now it's clear. I was a bit afraid that you maybe don't have anyone on your staff who happens to be a web app developer and would be able to help with this matter, and you're trying big manual detours that such a developer could solve easily. But having it hosted as a cloud solution with limited access explains a lot.
 
Okay, I got an API key, figured out how it works, and then figured that the API gives me useful options like marking a forum read or reacting to messages, but not the option to move posts o_O -_- .
Uhm, that sounds like regular user forum functionality, not anything that would need an API. Odd...
 
Yes, sorry, exactly that.
I can do it via the forum interface manually. But now I wanted to automate it via the backend of the forum, which would have been sooooooooo handy. Alas, that option does not exist.
Means I will now go back to the original plan, and write a bot which goes via the browser to automate things.
I absolutely hate this, as I don't understand the layout of webpages n stuff sufficiently, and neither the underlying library to do this.
If anyone here has ever worked with Selenium before, then that'd be handy (I doubt it).
You can expect some swearing the next weekend lol, as I'm not sure I'll manage during the week.

EDIT: Well, 1h later and I already made a lot of progress. I need to be switching 1 radio button, which I right now don't manage, otherwise I'm kinda there.
 