**** Please enable 2FA on your OcUK forum account ****

Discussion in 'General Discussion' started by Feek, 14 Oct 2021.

  1. DeliciousStorage

    Hitman

    Joined: 29 Oct 2019

    Posts: 610

    I do have some experience with XenForo, and I can't imagine what specific set up they could have that would prevent them from doing that.
     
  2. EVH

    Don

    Joined: 11 Mar 2004

    Posts: 28,802

    Location: Wales

    I think a large part of it is that when we moved from vbulletin to Xenforo there were a lot of permissions and weird user groups that got ported over as part of the database, so it’s not just a simple change as a vanilla install.

    The entire “trust” system for instance (which is vital to operate the MM) was written by someone and bolted on as an afterthought,
     
  3. molinari

    Soldato

    Joined: 6 Jan 2003

    Posts: 5,196

    I'm being asked to do this every time I log in, which is a bit frustrating. I guess it's because I clear all cookies and site data when I close Firefox. I've added https://forums.overclockers.co.uk/ to the Exceptions list but that didn't stop 2FA. Anyone know how I can stop this?
     
  4. SexyGreyFox

    Man of Honour

    Joined: 29 Mar 2003

    Posts: 53,204

    Location: Stoke on Trent

    Ta
     
  5. Vern1961

    Mobster

    Joined: 29 Mar 2007

    Posts: 4,237

    Location: Swindon UK

    Yep it should be optional.

    This is the only forum I'm currently active on that operates the system and that includes at least two official game developer boards!
     
  6. Feek

    Commissario

    Joined: 16 Oct 2002

    Posts: 233,688

    Location: In the radio shack

    And how many of them have a section where items of significantly high value are sold?
     
  7. Werewolf

    Commissario

    Joined: 17 Oct 2002

    Posts: 30,146

    Location: Panting like a fiend

    If you can tell us how to do it we'd be all ears :)

    The forums as you see them now have been through something like 3 different sets of software and 6 different (major) versions of that software over 20 years with several customised bits that mean some settings don't work how you'd expect if it was a clean install.

    We've turned on 2fa not because we think it's fun, or want to inconvenience users but because from our point of view it's the best way to secure a part of the forum where goods and money are involved.
     
  8. Rainmaker

    Sgarrista

    Joined: 18 Aug 2007

    Posts: 9,041

    Location: Liverpool

    But again, it's not just all about you. The MM, as stated dozens of times in this thread by now, is a fairly high value economy. If you want to post here, you need to take a step to protect everyone else - not just yourself. The choice resides with the people who own, run and administer the site/forum, not the user. You might never meet measles/mumps/rubella/polio/covid in the wild, but you're definitely sensible to vaccinate for everyone's sake as much as your own.

    Most people don't have a clue about OPSEC, INFOSEC, COMSEC or DEVOPS etc. They aren't informed enough to decide what is sufficient to be 'happy' with. To stretch the analogy further, see: AntiVaxxers. Most people with no care, knowledge or regard for things like MFA are also the sort to use the same dictionary username and password across all their logins. Once one leaks...

    If you've never seen a DEFCON demo of taking one piece of info from a volunteer, and then spending 20 mins to use that to gain (eg) their email listed in that one account provided; then using that to link to their social media and their mobile number; then their address and other details; and then owning their email and mobile accounts through a combination of dumps/leaks, social engineering and layering one nugget of info on top of the other as they tunnel through your online life... Well... It's pretty eye opening.

    I don't claim to have 'any comprehension of how security works on the web', I've only been coding and using it for >30 years for (mostly) fun. Like anyone who isn't obtuse, I learn something new every day and am no way an expert in... anything. My main interest is Unix, networking and cryptography. I just happen to have a side eye on red teaming due to my main interests.

    Regardless, it's a fuss over nothing. Using 2FA is easy, can be made literally seamless and touch free, and only adds to your layered security. Why wouldn't you? It's hardly laborious - even my technologically illiterate OAP mother can do it.
     
  9. Werewolf

    Commissario

    Joined: 17 Oct 2002

    Posts: 30,146

    Location: Panting like a fiend

    This.

    As I say, the forum as it is at the moment is the cumulative legacy of 20 years and multiple modifications to get things working across multiple platforms, and has a bunch of "legacy" stuff that we can't easily just disable or turn off. As you say, Trust was a bolt-on written about 20 years ago by Dave_M for an old version of VBB (might even have been UBB), at a time when, to allow users to gain access to the members market, we had to manually move them to a new usergroup when they'd hit the right post count/length of membership and activated their trust.
    Then when we moved to a later version of VBB it was modified so that, from memory, the forum would check the trust status and automatically do the promotion, and the move to xenforo changed that again as xenforo allowed far more options for user permissions per sub section, but was still using a modified version of that code (updated for security/compatibility) that was originally written for the software when the forum was running on a k6-2 350 with something like 2gb of ram.
    That's just one example.

    Basically there are some bits of how the forum operates that aren't covered by the normal built in forum tools and we can't/won't touch them lightly.

    Life for the admins would be much simpler if we had started off from scratch with the very latest version of xenforo, rather than something that's older than some of the moderating team's kids (who are now in uni...;)).
     
  10. Angilion

    Man of Honour

    Joined: 5 Dec 2003

    Posts: 19,894

    Location: Just to the left of my PC

    All that's needed for the full traditional mess is for some crucial part(s) to have been written by someone who can't be contacted any more in a language hardly anyone has used for a couple of decades (in my day it was usually COBOL) and without any documentation.
     
  11. chrcoluk

    Sgarrista

    Joined: 27 Feb 2015

    Posts: 8,400

    Overall I do agree with 2FA being enabled, considering MM is done on the forum.

    Mods did also say if the 30 days was customisable it may have been explored.

    Hopefully one day in the forum software it becomes tunable.

    I haven't had to relogin since the first time I ticked the 30 days box. I think when you initially activate 2FA, it isn't 30 days by design, so you will have to relogin after you set it up the first time.
     
  12. Bubo

    Soldato

    Joined: 18 Oct 2002

    Posts: 7,058

    Location: Scun'orp

    It was a good job I was forced to lose my Authenticator App virginity recently with the Twitch security breach, otherwise I would have had a slight moan about having to do it on OCUK, being the technical luddite I probably am. The app does seem to be a simple way to do this kind of stuff since you don't have to phaff entering any codes in the app itself, just look at the screen and beat the timeout clock doodah. It's not that bad really. In fact I am mildly fascinated how the numbers work in these apps, I guess it is some kind of algorithm like a car key fob.
     
  13. Ahleckz

    Capodecina

    Joined: 7 Nov 2009

    Posts: 18,663

    Location: Glasgow

    This sounds interesting, and I haven't seen such a demo. Any links?
     
  14. Feek

    Commissario

    Joined: 16 Oct 2002

    Posts: 233,688

    Location: In the radio shack

    Same, I'd really like to see that.
     
  15. Rainmaker

    Sgarrista

    Joined: 18 Aug 2007

    Posts: 9,041

    Location: Liverpool

    There are loads of such examples on YouTube, for example. They get into one account (say, OcUK). From there, they find your mobile number and call your provider and blag your email address and/or home address. Then they link those to find your social networks, then (maybe using dumped data or known exploits or social engineering) get into those and your email accounts... and it's all downhill from there.

    Here's one quick demo. Once you have a mobile number, and an email address, or a single account login that has some personal info (such as an email address in the profile/settings) it's game over. It's possible to basically ruin your life and get access to almost anything. Enable. MFA. Everywhere.

     
  16. Diddums

    Capodecina

    Joined: 24 Oct 2012

    Posts: 21,100

    Location: London

    There was a vid a few years ago on Youtube which involved people walking in to a coffee shop, and being told that their coffee would be free if they liked the coffee shop's facebook page. By the time their coffee was handed to them it had everything about them written on it. Place of work, how long they'd worked there, their phone numbers, marital status, kids, addresses, everything that was posted online could be found in seconds. Pretty interesting stuff.

    Here's the vid:

     
  17. V F

    Capodecina

    Joined: 13 Aug 2003

    Posts: 19,089

    Location: UK

    Funny. Reminds me of the saying in the early 2000s. All Ur Base R bel0ng to Us.
     
  18. Rainmaker

    Sgarrista

    Joined: 18 Aug 2007

    Posts: 9,041

    Location: Liverpool

    Since there doesn't seem to be a thread about this on OcUK (hardly surprising), today is the first Global Encryption Day. This thread is as good a place as any to mention it and post the URL, which has some advice on why and how to encrypt All The Things. Which you should. Don't forget, 2FA/MFA using OTP codes is a form of encryption too. :p
     
  19. [FnG]magnolia

    Pancake

    Joined: 29 Aug 2007

    Posts: 27,407

    Location: Auckland

    You probably need a secure forum before making someone like me a mod. Everything seems to be coming together nicely :thumbs up:
     
  20. Diddums

    Capodecina

    Joined: 24 Oct 2012

    Posts: 21,100

    Location: London

    Greta Thunberg would roll coal on a diesel Harley through an iceberg before you would be considered for moderation duties :D