**** Please enable 2FA on your OcUK forum account ****

I do have some experience with XenForo, and I can't imagine what specific set up they could have that would prevent them from doing that.
I think a large part of it is that when we moved from vbulletin to Xenforo there were a lot of permissions and weird user groups that got ported over as part of the database, so it’s not just a simple change as a vanilla install.

The entire “trust” system for instance (which is vital to operate the MM) was written by someone and bolted on as an afterthought,
 
I guess ultimately 2FA is worth it for stuff that matters ( emails, bank accounts). A forum where you can post stuff and that's about it feels a little overkill for forced 2FA?
Yep it should be optional.

This is the only forum I'm currently active on that operates the system and that includes at least two official game developer boards!
 
It would be a trivial task in XenForo to only allow access to MM if you have 2FA enabled. Problem is that if someone's account is stolen then the hacker can just enable 2FA themselves to gain access. I'd suggest giving people the option to permanently disable MM access on their accounts to remove the 2FA requirement.
If you can tell us how to do it we'd be all ears:)

The forums as you see them now have been through something like 3 different sets of software and 6 different (major) versions of that software over 20 years with several customised bits that mean some settings don't work how you'd expect if it was a clean install.

We've turned on 2fa not because we think it's fun, or want to inconvenience users but because from our point of view it's the best way to secure a part of the forum where goods and money are involved.
 
This makes no sense. If I want to post crap I can create a dozen accounts and post crap from them. If you are a mod then sure, you should have 2FA as you have some vague powers. The average user has none and should have the choice on 2FA.

But again, it's not just all about you. The MM, as stated dozens of times in this thread by now, is a fairly high value economy. If you want to post here, you need to take a step to protect everyone else - not just yourself. The choice resides with the people who own, run and administer the site/forum, not the user. You might never meet measles/mumps/rubella/polio/covid in the wild, but you're definitely sensible to vaccinate for everyone's sake as much as your own.

If you have any comprehension of how security works on the web then you wouldn't be suggesting that being compromised in "one or two weak places" causes it to domino. My main "I don't really care about this account" password that I have used for years has been leaked dozens of times. I don't care. Unless they have access to my gmail, my phone and my authenticator app they ain't getting anything of value and any accounts I care about have 20+ character password, 2FA and sometimes more.

Christ, most sites with super vital information don't force you to use 2FA because they know that some people don't want it and are happy with their current security level. On your head be it.

Most people don't have a clue about OPSEC, INFOSEC, COMSEC or DEVOPS etc. They aren't informed enough to decide what is sufficient to be 'happy' with. To stretch the analogy further, see: AntiVaxxers. Most people with no care, knowledge or regard for things like MFA are also the sort to use the same dictionary username and password across all their logins. Once one leaks...

If you've never seen a DEFCON demo of taking one piece of info from a volunteer, and then spending 20 mins to use that to gain (eg) their email listed in that one account provided; then using that to link to their social media and their mobile number; then their address and other details; and then owning their email and mobile accounts through a combination of dumps/leaks, social engineering and layering one nugget of info on top of the other as they tunnel through your online life... Well... It's pretty eye opening.

I don't claim to have 'any comprehension of how security works on the web', I've only been coding and using it for >30 years for (mostly) fun. Like anyone who isn't obtuse, I learn something new every day and am no way an expert in... anything. My main interest is Unix, networking and cryptography. I just happen to have a side eye on red teaming due to my main interests.

Regardless, it's a fuss over nothing. Using 2FA is easy, can be made literally seamless and touch free, and only adds to your layered security. Why wouldn't you? It's hardly laborious - even my technologically illiterate OAP mother can do it.
 
I think a large part of it is that when we moved from vbulletin to Xenforo there were a lot of permissions and weird user groups that got ported over as part of the database, so it’s not just a simple change as a vanilla install.

The entire “trust” system for instance (which is vital to operate the MM) was written by someone and bolted on as an afterthought,
This.

As I say the forum as it is at the moment is the cumulative legacy of 20 years and multiple modifications to get things working across multiple platforms and has a bunch of "legacy" stuff that we can't easily just disable or turn off, as you say Trust was a bolt on written about 20 years ago by Dave_M for an old version of VBB (might even have been UBB) and at a time when to allow users to gain access to the members market we had to manually move them to a new usergroup when they'd hit the right post count/length of membership and activated their trust.
Then when we moved to a later version of VBB it was modified so that from memory the forum would check the trust status and automatically do the promotion, and the move to xenforo changed that again as xenforo allowed far more options for user permissions per sub section but was still using a modified version of that code (updated for security/compatibility) that was originally written for the software when the forum was running on a k6-2 350 with something like 2gb of ram.
That's just one example.

Basically there are some bits of how the forum operates that aren't covered by the normal built in forum tools and we can't/won't touch them lightly.

Life for the admins would be much simpler if we had started off from scratch with the very latest version of xenforo, rather than something that's older than some of the moderating team's kids (who are now in uni...;)).
 
I think a large part of it is that when we moved from vbulletin to Xenforo there were a lot of permissions and weird user groups that got ported over as part of the database, so it’s not just a simple change as a vanilla install.

The entire “trust” system for instance (which is vital to operate the MM) was written by someone and bolted on as an afterthought,

All that's needed for the full traditional mess is for some crucial part(s) to have been written by someone who can't be contacted any more in a language hardly anyone has used for a couple of decades (in my day it was usually COBOL) and without any documentation.
 
Overall I do agree with 2FA being enabled, considering MM is done on the forum.

Mods did also say if the 30 days was customisable it may have been explored.

Hopefully one day in the forum software it becomes tunable.

I haven't had to relogin since the first time I ticked the 30 days box. I think when you initially activate 2FA, it isn't 30 days by design, so you will have to relogin after you set it up the first time.
 
It was a good job I was forced to lose my Authenticator App virginity recently with the Twitch security breach, otherwise I would have had a slight moan about having to do it on OCUK, being the technical luddite I probably am. The app does seem to be a simple way to do this kind of stuff since you don't have to phaff entering any codes in the app itself, just look at the screen and beat the timeout clock doodah. It's not that bad really. In fact I am mildly fascinated how the numbers work in these apps, I guess it is some kind of algorithm like a car key fob.
 
If you've never seen a DEFCON demo of taking one piece of info from a volunteer, and then spending 20 mins to use that to gain (eg) their email listed in that one account provided; then using that to link to their social media and their mobile number; then their address and other details; and then owning their email and mobile accounts through a combination of dumps/leaks, social engineering and layering one nugget of info on top of the other as they tunnel through your online life... Well... It's pretty eye opening.

This sounds interesting, and I haven't seen such a demo. Any links?
 
Same, I'd really like to see that.

There are loads of such examples on YouTube, for example. They get into one account (say, OcUK). From there, they find your mobile number and call your provider and blag your email address and/or home address. Then they link those to find your social networks, then (maybe using dumped data or known exploits or social engineering) get into those and your email accounts... and it's all downhill from there.

Here's one quick demo. Once you have a mobile number, and an email address, or a single account login that has some personal info (such as an email address in the profile/settings) it's game over. It's possible to basically ruin your life and get access to almost anything. Enable. MFA. Everywhere.

 
Same, I'd really like to see that.

There was a vid a few years ago on Youtube which involved people walking in to a coffee shop, and being told that their coffee would be free if they liked the coffee shop's facebook page. By the time their coffee was handed to them it had everything about them written on it. Place of work, how long they'd worked there, their phone numbers, marital status, kids, addresses, everything that was posted online could be found in seconds. Pretty interesting stuff.

Here's the vid:

 
There was a vid a few years ago on Youtube which involved people walking in to a coffee shop, and being told that their coffee would be free if they liked the coffee shop's facebook page. By the time their coffee was handed to them it had everything about them written on it. Place of work, how long they'd worked there, their phone numbers, marital status, kids, addresses, everything that was posted online could be found in seconds. Pretty interesting stuff.

Here's the vid:


Funny. Reminds me of the saying in the early 2000s. All Ur Base R bel0ng to Us.
 
Since there doesn't seem to be a thread about this on OcUK (hardly surprising), today is the first Global Encryption Day. This thread is as good a place as any to mention it and post the URL, which has some advice on why and how to encrypt All The Things. Which you should. Don't forget, 2FA/MFA using OTP codes is a form of encryption too. :p
 