TV Tropes Org

Total posts: [50]

Reasons for using PMWiki's forum implementation?:

Human
Having lurked these forums for a while, and posted on 'em a bit, I have to say that they don't work as well as forums based on software that specialises in forums. So I figure it's worth exploring the reasons for using it.

What I can see:

  • Integration with the wiki; being able to use markup in posts, user accounts, etc.
  • It's there; as part of the PmWiki package, it requires no/little additional setup.

To contrast this, here are some good points I can see for using dedicated software:

  • Possibly better moderation/administration tools (I have experience with SMF [which I'm a fan of, I admit tongue] and phpBB, but not PmWiki).
  • Probably easier to extend; most have plugin/extension systems and many, many documented mods.
  • Can still integrate user management with the wiki (this one is more of a counter-argument to a problem than a true pro, I know).
  • Better usability and readability (perhaps debatable, but I'm pretty sure a lot of people will agree with me here).

Despite my covering positives of alternative software, the intention of this thread is not to discuss them, or switching to them. Neither is it for complaining about problems with it.

I simply want to find out what PmWiki's forum software has in the way of good points smile.

EDIT: Trying to figure out why emoticons aren't working for me. Are they deliberately disabled in OP's?

EDIT2: Having basically just clicked "Edit" then "Send", the smilies are now showing up.

edited 9th Aug '11 7:45:56 PM by 1Samildanach

 2 Meta Four, Tue, 9th Aug '11 11:52:39 PM from mistletoe and molasses
AXTE INCAL AXTUCE MUN
This wiki did use a phpBB system for about a year. It got hacked. Fast Eddie decided that continuing to use a pre-existing forum software package would basically entail leaving the site security in the control of people outside the site. He didn't want any of that, and decided to homebrew something.

No, this forum is not at all a standard feature of PM Wiki. In fact, even on the wiki itself, Fast Eddie has modified the software so much that all that remains of PM Wiki is the name.
Human
Ahhhhh. That explains a lot. It didn't occur to me that one person would decide to single-handedly build and support a system for a busy site, in their spare time.

And something I have to say is: security through obscurity is no security at all. Plus, phpBB used to have some big security issues (probably has improved by now).

 4 Tzetze, Wed, 10th Aug '11 12:10:29 AM from a converted church in Venice, Italy
DUMB
EDIT: Trying to figure out why emoticons aren't working for me. Are they deliberately disabled in OP's?

EDIT2: Having basically just clicked "Edit" then "Send", the smilies are now showing up.

Yeah, that's one of the weird edge things that happens with this custom software.

The thing about the phpBB switch is that we've had tons of security problems since, but eh

edited 10th Aug '11 12:11:25 AM by Tzetze

[up] Given that passwords are stored in plain text, that doesn't surprise me.

EDIT: Just to be clear, I do appreciate that a lot of time and effort must have been invested.

edited 10th Aug '11 3:18:46 AM by 2Samildanach

 
We haven't had any security problems. Some nuisance things with wise guys posting forms outside their presentation. Took about a minute to close that. Those aren't problems.

Problems are things like how phpBB permitted direct access to the database and allowed files disguised as images which contained scripts allowing total site lock out. Those are problems. Another problem would be the piss-poor performance of phpBB trying to keep up with the performance our traffic needs.

Stuff like password storage ... the system is here to protect the site not personal accounts. It is not a bank.

edited 10th Aug '11 7:29:34 PM by FastEddie

Goal: Clear, Concise and Witty
 7 annebeeche, Thu, 11th Aug '11 5:48:34 AM from by the long tidal river
watching down on us
Just give the passwords some proper encryption and resources for every account to be able to freely change their own password, Eddie. There is nothing to be lost by it.
Banned entirely for telling FE that he was being rude and not contributing to the discussion. I shall watch down from the goon heavens.
Y'know, it is entirely possible to protect the site, while at the same time not displaying people's passwords and IP addresses...
 
 9 Silent Reverence, Thu, 11th Aug '11 8:11:50 AM from 3 tiles right 1 tile up
adopting kitteh
How long ago were those tests with phpBB and problems, Eddie? It's free software and considered "the" alternative to vBulletin; I'd expect it to have improved in such important regards in the last N years. Also, considering how close our base markup is to Markdown anyway, making the wiki format somewhat compatible with a forum system is not much of a big issue. There's already the inverse going on, e.g. BB Code plugins for the major MediaWiki-style wiki engines.

Also yes, password encryption. Would be a nifty improvement, even if it is not immediately "visible" to the public.

edited 11th Aug '11 8:12:48 AM by SilentReverence

 10 Rocket Dude, Thu, 11th Aug '11 3:49:01 PM from AZ, United States
This hat doesn't fit!
I agree with password encryption. After that PSN incident, we can't afford to be lax on security.

edited 11th Aug '11 3:49:20 PM by RocketDude

Tumblr | "Hipsters: the most dangerous gang in the US." - Pacific Mackerel
PSN incident?
Goal: Clear, Concise and Witty
He's referring to the recent attacks on a number of high profile targets including Sony's PlayStation Network by hackers.

edited 11th Aug '11 5:41:57 PM by SpruceZeus

Has nothing to do with us in any way.
Goal: Clear, Concise and Witty
 14 shimaspawn, Thu, 11th Aug '11 6:17:53 PM from Here and Now Relationship Status: In your bunk
There's no personal information stored on this site. If they hack into your account, all they're going to see is the wiki.
Reality is that, which when you stop believing in it, doesn't go away.

-Philip K. Dick
 15 Ponicalica, Thu, 11th Aug '11 7:05:21 PM from facing Buttercup
No, but if they hack into the site, they'll have thousands of passwords, many of which are going to be the same password as on other sites.
We haven't had any security problems. Some nuisance things with wise guys posting forms outside their presentation. Took about a minute to close that. Those aren't problems.
These weren't just nuisances, these were exploits that bypassed site authentication mechanisms and let someone perform actions as another user. That is the very definition of a security problem. There were even privilege escalation bugs allowing normal users to perform actions normally restricted to moderators. Considering that failure to properly check credentials is exactly what left Dropbox accounts wide open for anyone to use a few months ago, this attitude astounds me.

Having bugs is fine. Refusing to acknowledge them for what they are is not.
 
[up] Do you happen to be shimaspawn.deviantart.com/ this]] shimaspawn? With your email address up for the world to see? If you are, and you've been silly enough to reuse your password for anything important (PayPal, etc.) -or even just for the email account- someone who's got your password from here will be able to bang 'em in and do unpleasant stuff. Even if that address is only used for DeviantArt, if www.nanowrimo.org/eng/user/672388 this]] account is yours and you've reused your password, someone could easily log in and grab whatever one you used there. And even if you haven't made any of these mistakes, I'm sure there are plenty of people who have. The problem is not groups like LulzSec, who are pretty much just vandals, the real problem is the black hats who crack in, steal data, then either sell it or sort through it to find stuff they can use to steal money or identities. And when you're a low hanging fruit with plenty of users, there are plenty of people who won't hesitate to take advantage. Saying, "It's not my problem, and there's nothing important here anyway" does not excuse you. Hashing and salting is not a 'nice to have', it's one of the most basic things any site with user accounts should have. Not doing [i]either[/i] is irresponsible, and gives the impression that you know very little about data security. Also, phpBB is not the only option out there. In fact, I'd be disinclined to use it, too (for different reasons, perhaps, but still). I mentioned simplemachines.org/ Simple Machines Forum]] in my OP, but there's also fluxbb.org/FluxBB]] and others.

EDIT: Sorry for the messiness with the links, it's a compromise between giving the information I wanted to give, and actually having this post show up (due to this being a new account, which, in turn, is due to me managing to stuff up something when changing my password). Which brings me to another point: there needs to be a password confirmation box on the change page.

edited 11th Aug '11 8:04:12 PM by 2Samildanach
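
The salted hashing and the password-change confirmation asked for in the post above, as an added example (not code from this thread or from the site's software). It uses PBKDF2 from Python's standard library with a random salt per user, so two accounts with the same password get different records and a copied user table holds nothing that can be typed into another site. The record format, function names, sample users and the 600,000-iteration work factor are assumptions of this example.

```python
import hashlib
import hmac
import secrets

SCHEME = "pbkdf2_sha256"
ITERATIONS = 600_000  # assumed work factor; tune it to the server's hardware

def hash_password(password, iterations=ITERATIONS):
    """Return 'scheme$iterations$salt$digest' using a fresh random salt."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{SCHEME}${iterations}${salt.hex()}${digest.hex()}"

def verify_password(stored, candidate):
    """Recompute the digest with the stored salt and compare in constant time."""
    try:
        scheme, iterations, salt_hex, digest_hex = stored.split("$")
        if scheme != SCHEME:
            return False
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
        actual = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"), salt, int(iterations))
    except (ValueError, OverflowError):
        return False  # malformed record, e.g. a leftover plaintext row
    return hmac.compare_digest(actual, expected)

def change_password(users, name, current, new, confirm):
    """Replace a record only if the current password and the confirmation both match."""
    if not new or new != confirm:
        return False
    if not verify_password(users.get(name, ""), current):
        return False
    users[name] = hash_password(new)
    return True

def migrate_plaintext(plain_rows, iterations=ITERATIONS):
    """One-off conversion of a {user: plaintext password} table to salted hashes."""
    return {user: hash_password(pw, iterations) for user, pw in plain_rows.items()}

if __name__ == "__main__":
    legacy = {"alice": "hunter2", "bob": "hunter2"}  # constructed sample rows
    users = migrate_plaintext(legacy)
    print(users["alice"] != users["bob"])            # same password, different records
    print(verify_password(users["alice"], "hunter2"))
    print(change_password(users, "alice", "hunter2", "new-pass", "new-pas"))  # typo in confirmation
```

Because only the salt and digest are kept, a site storing records this way can check a password but cannot display it back to the user.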

 
 18 Ponicalica, Thu, 11th Aug '11 7:49:22 PM from facing Buttercup
Also, the fact that it took «about a minute» to close the edit-anyone's-posts bug just makes it all the more damning that the issue stood for months.

Fast Eddie, do you actually care?
 19 shimaspawn, Thu, 11th Aug '11 8:37:12 PM from Here and Now Relationship Status: In your bunk
[up][up] That's why you don't reuse passwords. Nor do any of those sites have personal information on them either aside from my e-mail which also has its own completely different password.

There is no site that is unhackable and it's up to you to guard your own information.

edited 11th Aug '11 8:38:29 PM by shimaspawn

Reality is that, which when you stop believing in it, doesn't go away.

-Philip K. Dick
 20 Ponicalica, Thu, 11th Aug '11 8:45:41 PM from facing Buttercup
And yet, the vast majority of people do reuse passwords, because it's very very difficult to remember a password for every single website you ever go on. (Which is why everyone should be using OpenID, but I digress.)

And even if there's no «personal information» on those accounts, there's still quite a few things someone who wants to make your life miserable can do.

I mean, yes, there are things that have to be done by the user, but this is Security 101 stuff here.
I'm an Irene!
Okay, the fact that they use passwords on other sites isn't about this site, though. While I can understand there being a problem with security being hacked, and could be stronger, what happens on other sites is not our actual problem.
It's not that the security is bad here, it's that it's almost non-existent. Not even having password encryption is just sort of stupid.
 
Well, now you make me curious. How does showing a person their password create a security problem? Other than them being shoulder-surfed, that is?

Not that I really care. The system, what there is of it, is here to increase the odds the edits are coming from something other than a script. That's it. Not to protect the accounts. The accounts are information-free and just add some features for the account.

edited 11th Aug '11 9:28:14 PM by FastEddie

Goal: Clear, Concise and Witty
We store the passwords encrypted in the DB, by the way.
Goal: Clear, Concise and Witty
 25 shimaspawn, Thu, 11th Aug '11 9:16:21 PM from Here and Now Relationship Status: In your bunk
And if they're shoulder surfing you, they can watch your fingers.
Reality is that, which when you stop believing in it, doesn't go away.

-Philip K. Dick


TV Tropes by TV Tropes Foundation, LLC is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 3.0 Unported License.
Permissions beyond the scope of this license may be available from thestaff@tvtropes.org.