Morgin

Morgin last won the day on April 18 2014

  1. @Rikki sorry for adding to your list!
  2. That's false. From an admin perspective, 2FA ensures that even if a moderator reuses their password on a less secure site, someone who obtains that password will not be able to log in to my site under that mod's credentials unless they also have physical access to a device that generates the 2FA code. That's the whole point - you cannot trust that your users who have been given elevated credentials follow best security practices, so you can impose additional layers of security on them at your discretion to minimize risks.

     1) You are making up statistics. IPS has the data to know which features to focus attention on. You do not.

     2) Moderator accounts have elevated forum privileges. A compromised moderator account could (and often does) cause significant headache for an admin. You may not personally see this as important, but any forum of significant size has had to deal with managing large teams of mods. Imposing security on them is a far better solution than trying to teach best password practices.

     3) "significantly more users need faster forums, better usability, and fewer bugs". How is this not better usability? There were multiple threads on the community forums asking for this feature and it solves a significant security issue.

     Look, I probably am coming across overly defensive of this one feature, but it bothers me when people waltz into a feature post and make up stats and just complain without any merit. If you don't personally need 2FA, that's fine. I sincerely hope you don't ever have to deal with a compromised moderator account - it's a gigantic pain in the ass. For those of us who have had that unpleasant experience, this is a fantastic feature. It's not a questionable feature in 2017. /end rant.
  3. "Our 8 Community Apps" should read 7 now.
  4. I have to voice disagreement. In the current atmosphere of online services, any hint of a data breach can be overwhelmingly crippling. Being able to "double lock the door" with accounts that have elevated access to the forums, even if it's just mod tools (which can allow access to confidential conversations), is extremely helpful. 2FA is now a web standard for services that deal in any sort of personal information, which many of our communities do. This is a welcome addition, and the way it was implemented by IPS was extremely thoughtful in terms of the various use cases. When you say very few people need this, I'm not sure what group you are talking about. Any community of any significant size is going to be targeted at some point or another for vulnerabilities. It could be as simple as a mod who reused a password and account name from another company who got hacked and had usernames and passwords dumped who gets exploited. This helps protect against that, and I'm grateful for it being in IPS4.
  5. To take this a step further, you (used to) be able to actually set this up as a topic multi moderation action - set up a variety of preset messages that makes it easy to edit a post to complete rule enforcement. Someone more familiar with 4 will need to chime in if you could do a multi-moderation to warn a user, edit their post with a preset appended edit, and then lock topic or not.
  6. Just want to bump this one
  7. Which holidays? Summer holidays? Labour Day weekend?
  8. I know why you want this, but it's a lost cause. Browsers come with built-in tools to grab media from pages. Right click blocking isn't really worth considering in 2016. What you may want to try is finding a way to host/link a high quality version of an image that requires an account to access, and the low res is shown to all.
  9. Anecdotal evidence time (if you had boring work stuff to catch up on, now would be the time!) but my extremely non-techy wife who can't even figure out password managers (no really, LastPass is too complicated so she won't use it) somehow figured out how to enable SMS 2FA on her Gmail. I was so proud! I agree SMS 2FA is pretty ubiquitous, and I think is going to be pretty much regularly used by mainstream non-power users more often than not the more that people get exposed to it.
  10. Lindy, Hopefully I've posted enough rational stuff in the past that you know I don't tend to complain without having put a modicum of thought into it, but IMO this is an extremely crud position for IPS to take right now :/ I should clarify that's on 2FA not being across the entire platform (and just planned for ACP), as well as the idea that password policies are relevant or helpful in 2016 as a standalone solution.

      Also, for what it's worth, yes having 2FA would have helped even if the moderator has a weak password, because the unauthorized user could not have got in without physical access to the moderator's token (be it on a phone, or delivered via SMS, or USB token, whatever). That would have prevented the unauthorized user from having access to mod tools, which would have prevented the data loss, which is what prompted the initial query.

      Almost every major platform that I use, aside from IPS, has a 2FA option or is implementing 2FA for users, and a lot are pushing it as non-optional. We've hit the point where passwords of any level of complexity are simply not enough, and it's really a matter of when (not if) there will be a data leak of some sort when passwords alone are the only lock on the door. You simply can't force moderators to use password managers, and requiring the level of password complexity to make it "uncrackable" also means it's unlikely to be remembered and the avenues for social engineering or someone being sloppy with it written down are higher.

      This statement "If anything, it reinforces the need for password policies -- something else we have planned" is actually not widely supported in the security community - password policies have not actually been shown to have any tangible effect on securing users' accounts. That comes down to two things - platform security, and user account security. We rely on IPS for the former, but we can't do anything about the latter - there is no way even with a password policy that I can enforce a moderator not reusing a password that meets my password policy on another site that it also qualifies for, and that other site (say, LinkedIn) having a massive data breach and then that mod's account, notwithstanding it met the complex password requirements, is ripe for unauthorized access.

      Google. Apple. LastPass. Facebook. Valve. Blizzard. Slack. Sparkpost. Linode. Digital Ocean. Rackspace. Amazon. Microsoft. https://twofactorauth.org/ The list of companies that have recognized passwords in 2016 are not a solution in and of themselves (regardless of how complex you require them to be) is growing every day. I think IPS should be on that list. Please rethink this.

      2FA isn't a quaint feature request. In 2016, multi-factor authentication as an option for admins should be a requirement for a social platform, and not just to secure the ACP. I know it wasn't intentional, but your reply really makes me uncomfortable in that it seems like you are speaking as if this is a done decision as not being high on the priority list. I'd really love to hear from your security team on this, because I can't believe they would agree this approach makes sense in light of how unreliable single authentication has shown itself to be. And implementing TOTP isn't (in the scheme of things) that difficult.
  11. Is this likely to come before 4.2 do you think? 2FA is starting to become a must have given the number of data dumps that have happened and users simply can't be trusted to not reuse passwords (even moderators).
  12. I know what you are getting at, but spending as much time on my own forum as I do, I often don't want to spend a bunch more here. It's a bit of an uphill battle for IPS to develop a community of people when I'm sure there are people who are like myself who will poke their nose in once in a while but mostly don't have the time. I'm not as passionate about forum software as some of the people who are regulars on places like adminzone or whatever. I suspect there are a lot of people who use IPS who are like me.
  13. It's a bit of a tough thing though when your customers are all people running active websites that require a fair bit of attention. This is obviously just my opinion, but in my view having spent time at the adminzone forums and on the XenForo forums, you can generally categorize forum admins into two camps - those who are enthusiasts about the actual software (and having a community using it is a bit of a bonus), and those who just want the software to function and devote much more of their energy to their actual community itself. I find there are far more of the former on those sites vs here - not to say IPS isn't used by very smart people who love good software, but more so that the customer base tends to skew more towards - corporate customers? Not sure if that's the right way to put it.

      In any event, I absolutely think there are less active IPS enthusiasts here and on other community related websites out there vs those for XenForo or other competitors. People who like to tinker, who are trying every mod under the sun, who just love digging into the nuts and bolts of their software - those people don't gravitate to the IPS forums or IPS (they go to adminzone to extol the virtues of IPS). This software, for better or worse, seems to attract a different type of admin.

      From the sounds of it, targeting people of my ilk (who have active, stable communities that want first class software but are resistant to changes to their experience, such that I'm very rarely doing any tinkering) has been a great strategy for IPS. I'm glad there is choice because at least for my use case, IPS is a better overall experience for me vs those other options (I came from phpBB which probably biases me against the nuts and bolts crowd a bit). The downside is that these forums are a bit lower traffic than others, and sometimes it does take longer to get an answer to a generic type question (or maybe not at all).

      However, look at the flipside of that - if your customer base changes to become overwhelmingly "software enthusiast" driven, it necessarily requires adjustments to development strategies, and I'm not convinced those changes that would result (and which tend to form the basis of 95% of the complaints about IPS over at the adminzone for not being implemented) would result in better software for me or customers like me. So I'll take the good with the bad.

      At least right now, IPS has unrivaled developer to customer support directly through the ticket system, and on top of that, the developers will generally spend some time on these community forums to just shoot the sh*t which often ends up with them answering stuff even in the peer to peer forums. (Edit: Changing Sh*t to faeces though? Really guys!?)
  14. Yeah. They used to be terrible at this but it has improved dramatically. https://support.google.com/dfp_premium/answer/3423562?hl=en