Reasons for using PMWiki's forum implementation?


1Samildanach Human from Australia Since: Dec, 1969
#1: Aug 9th 2011 at 7:42:01 PM

Having lurked these forums for a while, and posted on 'em a bit, I have to say that they don't work as well as forums based on software that specialises in forums. So I figure it's worth exploring the reasons for using it.

What I can see:

  • Integration with the wiki; being able to use markup in posts, user accounts, etc.
  • It's there; as part of the Pm Wiki package, it requires no/little additional setup.

To contrast this, here are some good points I can see for using dedicated software:

  • Possibly better moderation/administration tools (I have experience with SMF [which I'm a fan of, I admit] and phpBB, but not PmWiki).
  • Probably easier to extend; most have plugin/extension systems and many, many documented mods.
  • Can still integrate user management with the wiki (this one is more of a counter-argument to a problem than a true pro, I know).
  • Better usability and readability (perhaps debatable, but I'm pretty sure a lot of people will agree with me here).

Despite my covering positives of alternative software, the intention of this thread is not to discuss them, or switching to them. Neither is it for complaining about problems with it.

I simply want to find out what PmWiki's forum software has in the way of good points.

EDIT: Trying to figure out why emoticons aren't working for me. Are they deliberately disabled in OP's?

EDIT2: Having basically just clicked "Edit" then "Send", the smilies are now showing up.

edited 9th Aug '11 7:45:56 PM by 1Samildanach

MetaFour AXTE INCAL AXTUCE MUN from a place (Old Master) Relationship Status: Armed with the Power of Love
#2: Aug 9th 2011 at 11:52:39 PM

This wiki did use a phpBB system for about a year. It got hacked. Fast Eddie decided that continuing to use a pre-existing forum software package would basically entail leaving the site security in the control of people outside the site. He didn't want any of that, and decided to homebrew something.

No, this forum is not at all a standard feature of PM Wiki. In fact, even on the wiki itself, Fast Eddie has modified the software so much that all that remains of PM Wiki is the name.

I didn't write any of that.
1Samildanach Human from Australia Since: Dec, 1969
#3: Aug 10th 2011 at 12:07:50 AM

Ahhhhh. That explains a lot. It didn't occur to me that one person would decide to single-handedly build and support a system for a busy site, in their spare time.

And something I have to say is: security through obscurity is no security at all. Plus, phpBB used to have some big security issues (probably has improved by now).

Tzetze DUMB from a converted church in Venice, Italy Since: Jan, 2001
#4: Aug 10th 2011 at 12:10:29 AM

EDIT: Trying to figure out why emoticons aren't working for me. Are they deliberately disabled in OP's?

EDIT2: Having basically just clicked "Edit" then "Send", the smilies are now showing up.

Yeah, that's one of the weird edge things that happens with this custom software.

The thing about the phpBB switch is that we've had tons of security problems since, but eh

edited 10th Aug '11 12:11:25 AM by Tzetze

[1] This facsimile operated in part by synAC.
2Samildanach Since: Dec, 1969
#5: Aug 10th 2011 at 12:34:18 AM

[up] Given that passwords are stored in plain text, that doesn't surprise me.

EDIT: Just to be clear, I do appreciate that a lot of time and effort must have been invested.

edited 10th Aug '11 3:18:46 AM by 2Samildanach

FastEddie Since: Apr, 2004
#6: Aug 10th 2011 at 7:28:38 PM

We haven't had any security problems. Some nuisance things with wise guys posting forms outside their presentation. Took about a minute to close that. Those aren't problems.

Problems are things like how phpBB permitted direct access to the database and allowed files disguised as images which contained scripts allowing total site lock out. Those are problems. Another problem would be the piss-poor performance of phpBB trying to keep up with the performance our traffic needs.

Stuff like password storage ... the system is here to protect the site not personal accounts. It is not a bank.

edited 10th Aug '11 7:29:34 PM by FastEddie

Goal: Clear, Concise and Witty
annebeeche watching down on us from by the long tidal river Since: Nov, 2010
#7: Aug 11th 2011 at 5:48:34 AM

Just give the passwords some proper encryption and resources for every account to be able to freely change their own password, Eddie. There is nothing to be lost by it.

Banned entirely for telling FE that he was being rude and not contributing to the discussion. I shall watch down from the goon heavens.
EnglishIvy Since: Aug, 2011
#8: Aug 11th 2011 at 7:18:13 AM

Y'know, it is entirely possible to protect the site, while at the same time not displaying people's passwords and IP addresses...

SilentReverence adopting kitteh from 3 tiles right 1 tile up Since: Jan, 2010
#9: Aug 11th 2011 at 8:11:50 AM

How long ago were those tests with phpBB and problems, Eddie? It's free software and considered "the" alternative to vBulletin; I'd expect it to have improved in such important regards in the last N years. Also, considering how close our base markup is to Markdown anyway, making the wiki format somewhat compatible with a forum system is not much of a big issue. There's already the inverse going on, e.g. BB Code plugins for the major Mediawiki-style wiki engines.

Also yes, password encryption. Would be a nifty improvement, even if it is not immediately "visible" to the public.

edited 11th Aug '11 8:12:48 AM by SilentReverence

Fanfic Recs orwellianretcon'd: cutlocked for committee or for Google?
RocketDude Face Time from AZ, United States Since: May, 2009
#10: Aug 11th 2011 at 3:49:01 PM

I agree with password encryption. After that PSN incident, we can't afford to be lax on security.

edited 11th Aug '11 3:49:20 PM by RocketDude

"Hipsters: the most dangerous gang in the US." - Pacific Mackerel
FastEddie Since: Apr, 2004
#11: Aug 11th 2011 at 5:32:37 PM

PSN incident?

Goal: Clear, Concise and Witty
SpruceZeus Since: Aug, 2011
#12: Aug 11th 2011 at 5:41:48 PM

He's referring to the recent attacks on a number of high profile targets including Sony's PlayStation Network by hackers.

edited 11th Aug '11 5:41:57 PM by SpruceZeus

FastEddie Since: Apr, 2004
#13: Aug 11th 2011 at 5:59:56 PM

Has nothing to do with us in any way.

Goal: Clear, Concise and Witty
shimaspawn from Here and Now Since: May, 2010 Relationship Status: In your bunk
#14: Aug 11th 2011 at 6:17:53 PM

There's no personal information stored on this site. If they hack into your account, all they're going to see is the wiki.

Reality is that, which when you stop believing in it, doesn't go away. -Philip K. Dick
Ponicalica from facing Buttercup Since: May, 2010
#15: Aug 11th 2011 at 7:05:21 PM

No, but if they hack into the site, they'll have thousands of passwords, many of which are going to be the same password as on other sites.

the future we had hoped for
SR101 Since: Aug, 2011
#16: Aug 11th 2011 at 7:40:51 PM

We haven't had any security problems. Some nuisance things with wise guys posting forms outside their presentation. Took about a minute to close that. Those aren't problems.
These weren't just nuisances, these were exploits that bypassed site authentication mechanisms and let someone perform actions as another user. That is the very definition of a security problem. There were even privilege escalation bugs allowing normal users to perform actions normally restricted to moderators. Considering that failure to properly check credentials is exactly what left Dropbox accounts wide open for anyone to use a few months ago, this attitude astounds me.

Having bugs is fine. Refusing to acknowledge them for what they are is not.

2Samildanach Since: Dec, 1969
#17: Aug 11th 2011 at 7:46:29 PM

[up] Do you happen to be shimaspawn.deviantart.com/ this]] shimaspawn? With your email address up for the world to see? If you are, and you've been silly enough to reuse your password for anything important (PayPal, etc.) -or even just for the email account- someone who's got your password from here will be able to bang 'em in and do unpleasant stuff. Even if that address is only used for DeviantArt, if www.nanowrimo.org/eng/user/672388 this]] account is yours and you've reused your password, someone could easily log in and grab whatever one you used there. And even if you haven't made any of these mistakes, I'm sure there are plenty of people who have. The problem is not groups like LulzSec, who are pretty much just vandals, the real problem is the black hats who crack in, steal data, then either sell it or sort through it to find stuff they can use to steal money or identities. And when you're a low hanging fruit with plenty of users, there are plenty of people who won't hesitate to take advantage. Saying, "It's not my problem, and there's nothing important here anyway" does not excuse you. Hashing and salting is not a 'nice to have', it's one of the most basic things any site with user accounts should have. Not doing [i]either[/i] is irresponsible, and gives the impression that you know very little about data security. Also, phpBB is not the only option out there. In fact, I'd be disinclined to use it, too (for different reasons, perhaps, but still). I mentioned simplemachines.org/ Simple Machines Forum]] in my OP, but there's also fluxbb.org/FluxBB]] and others.

EDIT: Sorry for the messiness with the links, it's a compromise between giving the information I wanted to give, and actually having this post show up (due to this being a new account, which, in turn, is due to me managing to stuff up something when changing my password). Which brings me to another point: there needs to be a password confirmation box on the change page.

edited 11th Aug '11 8:04:12 PM by 2Samildanach
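
The hashing and salting discussed in this thread, as an added example that is not part of any post and is not the site's own code: it converts a table of plaintext passwords to salted PBKDF2 records and checks logins against them. The function names, the record format, the iteration count and the sample users are all assumptions made for the illustration.

```python
import hashlib
import hmac
import secrets

# Assumed work factor for this example; tune it for the hardware in use.
PBKDF2_ITERATIONS = 600_000


def _derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                               salt, PBKDF2_ITERATIONS, dklen=32)


def hash_password(password: str) -> str:
    """Return 'pbkdf2$<salt hex>$<digest hex>' with a fresh random salt."""
    salt = secrets.token_bytes(16)
    return f"pbkdf2${salt.hex()}${_derive(password, salt).hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt; compare in constant time."""
    try:
        scheme, salt_hex, digest_hex = stored.split("$")
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
    except ValueError:
        return False  # malformed record, e.g. a leftover plaintext password
    if scheme != "pbkdf2":
        return False
    return hmac.compare_digest(_derive(password, salt), expected)


def migrate_plaintext(users: dict[str, str]) -> dict[str, str]:
    """Replace each plaintext password in a user table with a salted hash."""
    return {name: hash_password(pw) for name, pw in users.items()}


# Constructed sample table: two users share a password, as reused ones do.
LEGACY_USERS = {"alice": "hunter2", "bob": "hunter2", "carol": "correct horse"}

if __name__ == "__main__":
    for name, record in migrate_plaintext(LEGACY_USERS).items():
        # Same password, different salt: alice and bob get different records.
        print(name, record)
```

With records in this form the server can confirm a login but holds nothing it could display back to the user, and two accounts with the same password no longer have matching entries in the table.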

Ponicalica from facing Buttercup Since: May, 2010
#18: Aug 11th 2011 at 7:49:22 PM

Also, the fact that it took «about a minute» to close the edit-anyone's-posts bug just makes it all the more damning that the issue stood for months.

Fast Eddie, do you actually care?

the future we had hoped for
shimaspawn from Here and Now Since: May, 2010 Relationship Status: In your bunk
#19: Aug 11th 2011 at 8:37:12 PM

[up][up] That's why you don't reuse passwords. Nor do any of those sites have personal information on them either aside from my e-mail which also has its own completely different password.

There is no site that is unhackable and it's up to you to guard your own information.

edited 11th Aug '11 8:38:29 PM by shimaspawn

Reality is that, which when you stop believing in it, doesn't go away. -Philip K. Dick
Ponicalica from facing Buttercup Since: May, 2010
#20: Aug 11th 2011 at 8:45:41 PM

And yet, the vast majority of people do reuse passwords, because it's very very difficult to remember a password for every single website you ever go on. (Which is why everyone should be using OpenID, but I digress.)

And even if there's no «personal information» on those accounts, there's still quite a few things someone who wants to make your life miserable can do.

I mean, yes, there are things that have to be done by the user, but this is Security 101 stuff here.

the future we had hoped for
Hydronix I'm an Irene! from TV Tropes Since: Apr, 2010
#21: Aug 11th 2011 at 8:47:48 PM

Okay, the fact that they use passwords on other sites isn't about this site, though. While I can understand there being a problem with security being hacked, and could be stronger, what happens on other sites is not our actual problem.

Quest 64 thread
Culex Since: Dec, 1969
#22: Aug 11th 2011 at 8:52:54 PM

It's not that the security is bad here, it's that it's almost non-existent. Not even having password encryption is just sort of stupid.

FastEddie Since: Apr, 2004
#23: Aug 11th 2011 at 8:58:17 PM

Well, now you make me curious. How does showing a person their password create a security problem? Other than them being shoulder-surfed, that is?

Not that I really care. The system, what there is of it, is here to increase the odds the edits are coming from something other than a script. That's it. Not to protect the accounts. The accounts are information-free and just add some features for the account.

edited 11th Aug '11 9:28:14 PM by FastEddie

Goal: Clear, Concise and Witty
FastEddie Since: Apr, 2004
#24: Aug 11th 2011 at 9:02:14 PM

We store the passwords encrypted in the DB, by the way.

Goal: Clear, Concise and Witty
shimaspawn from Here and Now Since: May, 2010 Relationship Status: In your bunk
#25: Aug 11th 2011 at 9:16:21 PM

And if they're shoulder surfing you, they can watch your fingers.

Reality is that, which when you stop believing in it, doesn't go away. -Philip K. Dick

Total posts: 50