Resolved - Implemented Stopping Forum Spammers

Status
Not open for further replies.
Which is why I said paid to charity, receipt to be enclosed....easier to do.
And you type in the details of the payment to another e-mail ID on the forum.
So double verification. Safer.

There are QR and embedded codes in there on our cards. When I got vaccinated, the people took a photo of the code, got my photo on their cell phones, and second time they even had the details of the first dose. Both times I got SMS messages within minutes of being vaccinated, and a link to download the certificate.

But implementing security on an international forum is difficult.
 
> Some sites can verify your identity by credit card. Couldn't we?
> Which is why I said paid to charity, receipt to be enclosed....easier to do.
> And you type in the details of the payment to another e-mail ID on the forum.
> So double verification. Safer.
The best way would be to have the forum send postal mail to the user with a code to enter but that costs money.

Another option would be a call system where the user receives a call and enters a code they hear.

Understand the mindset of spammers: what they are doing is gaming search engine results.
The main reason the forum is being targeted is that user accounts are publicly visible to web crawlers and search engines. Once that avenue has been cut off, it's no longer a viable proposition.

Seriously......some of these ideas are becoming absurd.
 
> Understand the mindset of spammers: what they are doing is gaming search engine results.
> The main reason the forum is being targeted is that user accounts are publicly visible to web crawlers and search engines. Once that avenue has been cut off, it's no longer a viable proposition.
>
> Seriously......some of these ideas are becoming absurd.
This.
 
We have a GST system here for businesses, among their security requirements is an Income Tax account, house and office utility bills. The Income Tax accounts are linked to the national ID cards.
They make us change the passwords regularly, and similar ones are not accepted.
When filing returns, an option is to use a USB token (a memory stick with a security code, many identities are allowed on the same token, useful for accounting firms), or the other one is a code sent to both cell phone and e-mail of the person who is responsible for filing the returns.
The USB tokens are issued by the government, mostly to CPAs, and are not writable, read only.
Something like that can be done here too, particularly asking for regular change of passwords.

But first, like the old version, pictures should not be visible without logging in, it is easy to embed code in picture details.
 
I refuse to use any site that requires a social media account to log onto, it's just making it harder for normal people not spam bot operators.
I disagree. Google != social media. How is it harder for normal people? You simply hit "log in using Google" and you're logged in (or the account creation is 95% complete).

I rarely use FB to log into anything, but using Google is just plain convenient. Creating an account online using email and password is archaic IMHO. Using a phone number is fine until you change your phone number...
 
Some people would be comfortable with a Google / WhatsApp /Facebook / similar login. Worth thinking about...

There are a couple advantages to using an OAuth service, namely that you can have a single-sign-on for websites, and your account security is tied to Google, rather than a smaller organization on shared computing platforms. Since you're logging into the site on a Google-owned service, you're not bound to the security practices of the local forum. (Which I'm sure is top notch on DIYA. 😀)

Apple has a good OAuth service; they even set up a private relay so that you're not exposing your e-mail address.
 
How about a long hand application form to be filled out and mailed in by the user? How many spammers would take the time to mail their application to Australia and wait 4 to 6 weeks? Also you must enclose the application fee of 10 gold pieces...
I have done nearly that. A long long time ago. I printed the application and mailed it 1/3rd the way around the world with my personal check. IIRC the check had to clear before I got login permission. That forum was essentially spam-free.

Even before, another chatroom, I had to give a bank account because we paid $12/hour to be connected (but $8/hr after 5pm).

I'll omit the discussions of blind sysops working on TeleType machines.....
 
In a previous post (#31) I wrote about the impossible-to-detect spammers that use zombie accounts to evade detection. I have a list of accounts that appear to be zombies, and I just managed to catch one in action. I performed an internet search on the account name and my suspicions were confirmed: it is indeed a zombie.

These zombie accounts are generated by automated bots crawling the web looking for targets.

The bot behind this account (account reported) is so efficient that a bing search of the account name returns two pages of infected forum sites.

I outlined their motives in post #31.

Most of the spamming hitting diyaudio are these types of bots creating zombie accounts.

See attached; perform a Bing search on the account name.
 
Attachment: ZombieAccount1.png
Here are a couple more spam bots. The latest changes to the forum haven't dissuaded the bots; they don't care as long as it's easy to create an account.

After the bot created an account, 10 mins later it created another identical account over at cyclingforums. Also, this bot returned 2 hours later to see if the account was still active......and it was......not for much longer.

The second bot has a good hit rate, most of the search results are forums.

Xenforo is like a drug to Bots..........
 
Attachments: BotAccount1.png, BotAccount2.png
I hadn't noticed this phenomenon, but I haven't been on the forum as much as I have previously.

Generally just personal free time, rather than anything else in the switch to this platform.

However, this vulnerability to bot attack seems to me to be a major issue that needs sorting.

I am not particularly enamoured to have my public details, posts etc. read in their entirety by non-members and non-trusted members.

It does actually make me wonder what any member can do about it, unless they are new (joined after the switch).

This is practically a data leak, and I may be overreacting, but tbh, if I could deactivate and remove all my details, I would.

Since I can't,

Please Devs, fix this issue ASAP.
 
@mondogenerator AFAIK, all posts were always public, even in the old site. I just tested it, and you need to be logged in to see user account pages. So your account info is as "safe" as it ever was.

The issue at hand is how easily spammers can sign up. Sometimes it's bots. Sometimes it's actual people who get paid pennies to spend their days creating accounts and posting links for spammer SEO. The more links you post, the more you get paid. This sort of thing is hard to combat.
 