|
|
on the (aptly named thread) Beyond strange[^]
Marc's reply seems to be to a now deleted message?
The author of the message is still an active account so it's not the account that got deleted (Slacker007 - Professional Profile[^])
Maybe the message itself got deleted?
It makes the thread look a bit weird.
Probably related (or equal? ) to this: Bugs and Suggestions[^]
Tom
|
|
|
|
|
I deleted the message/post.
This is a known bug and it has not been fixed. It has been a bug for a very long time now.
When someone or process deletes a parent/top level message, the child/related messages don't get deleted - they become non-sensical orphan records in the thread.
|
|
|
|
|
Keeping the thread as is and deleting just the content could solve this.
|
|
|
|
|
There appears to be some accounts of late that may have been hacked. Have you thought about adding 2FA support for sign in? If 2FA was compulsory, it may greatly reduce the number of spam accounts, depending on the implementation used.
Graeme
"I fear not the man who has practiced ten thousand kicks one time, but I fear the man that has practiced one kick ten thousand times!" - Bruce Lee
|
|
|
|
|
Adding 2FA support is a good idea, but it wouldn't help with the old dormant accounts which are being hacked (or sold). 
"These people looked deep within my soul and assigned me a number based on the order in which I joined."
- Homer
|
|
|
|
|
Yes if they can't post actively until 2FA is done on both, registration email and the selected 2FA mode
M.D.V. 
If something has a solution... Why do we have to worry about?. If it has no solution... For what reason do we have to worry about?
Help me to understand what I'm saying, and I'll explain it better to you
Rating helpful answers is nice, but saying thanks can be even nicer.
|
|
|
|
|
You can't enforce 2FA on existing accounts without allowing them to set it up the next time they log in.
If the account has been stolen, then the person who stole it will set up 2FA the next time they log in.
All that will achieve is to make it harder for the real account owner to recover their account. It won't stop the thief from using it to post spam (at least until it gets clobbered). 
"These people looked deep within my soul and assigned me a number based on the order in which I joined."
- Homer
|
|
|
|
|
A good understanding of the Perverse incentive - Wikipedia AKA the Cobra effect.
"Mistakes are prevented by Experience. Experience is gained by making mistakes."
|
|
|
|
|
Agreed. It would take time to implement. It could require a re-verification email for accounts that have been inactive for a period of time, say 3 or 6 months of inactivity. That way, if hacked, the hacker won't get the re-verification email and remain locked out.
Graeme
"I fear not the man who has practiced ten thousand kicks one time, but I fear the man that has practiced one kick ten thousand times!" - Bruce Lee
|
|
|
|
|
You're assuming the hacker won't have changed the email on the account to one they control. And that they didn't originally hack the account by gaining control of the email address used to sign up.
"These people looked deep within my soul and assigned me a number based on the order in which I joined."
- Homer
|
|
|
|
|
That would be the minority, not the majority of inactive accounts.
Graeme
"I fear not the man who has practiced ten thousand kicks one time, but I fear the man that has practiced one kick ten thousand times!" - Bruce Lee
|
|
|
|
|
Unfortunately this places an extra burden of inconvenience on the 99.999+% of accounts that are fine for a few accounts that have been compromised.
Is the goal to stop accounts being hijacked, or stop spammers? If it's the latter, that where spam detection comes in. For the former, it would be far better if we can detect unusual usage, and then alert the owner of the account. Doing that requires a phone or second email address, which would probably be the first thing changed if someone took over an account.
This is a tough one: I wish everything were totally 100% locked down and safe. That's eluded the entire IT community for 60 years. All we can do is make it more and more inconvenient until we hit the balance of point of (inconvenience for the majority) == (value in protecting the minority)
cheers
Chris Maunder
|
|
|
|
|
Regarding 2FA, I do hear what you are saying. We are all in IT here and we do understand the issues, only those who don't would find it annoying.
If 2FA was opt-in, it would not be a huge inconvenience. I use 2FA whenever possible. I am not sure how long the CP token is set for, however, once I am logged in, it is very rare that I need to again.
In my second post I mentioned maybe if an account is inactive for a period of time, say 3 or 6 months, chances are they're rarely going to come back and log on, so do a re-verification email before full sign in. That way, the 99.9999% of users are not inconvenienced.
Graeme
"I fear not the man who has practiced ten thousand kicks one time, but I fear the man that has practiced one kick ten thousand times!" - Bruce Lee
|
|
|
|
|
I think I was thinking about this from the point of view of 'someone loses control of their email account', such as someone using a old hotmail account that they let lapse and then someone else takes it up, starts getting email notifications or whatever, and takes over.
From the point of someone having their password compromised that's a different story. In that case the re-validation (a nice idea) may not help since it provides a window of 3months for the perp to do as they wish.
Validating when signing onto a new device would be key here: On first login, after creating a new account, it's not needed since they just created the account. Maybe, as an option, each time you login via a different IP then your device (via cookie) gets validated via email.
That would need to be optional, I think, because you could be on a device where you just want to post but don't want to be signing in on your email account (eg shared computer). Authenticator app or SMS would help, but that's a bigger project. And then, if it's optional, then probably no something used by those most at risk of compromise.
IT all comes down to: how big a problem is this really?
cheers
Chris Maunder
|
|
|
|
|
The "from a different IP" bit would piss off those of us with dynamic IP home connections (which I suspect is more than a few). I've had about 4 different IPv4s so far this year. (Just don't ask about the pseudo-random dynamic stuff at the end of an IPv6 concocted by the ISP!)
Software rusts. Simon Stephenson, ca 1994. So does this signature. me, 2012
|
|
|
|
|
Not to forget Smart phone at home in WiFi or on the way with normal data, then the PC...
M.D.V. 
If something has a solution... Why do we have to worry about?. If it has no solution... For what reason do we have to worry about?
Help me to understand what I'm saying, and I'll explain it better to you
Rating helpful answers is nice, but saying thanks can be even nicer.
|
|
|
|
|
Sounds like time for Code Project identity services. That would be a fun project.
|
|
|
|
|
We actually have that, but it's for the API and it's old and it's a little overengineered while, at the same time, not being what we actually want.
So...fun. Yes. That's a word for it
cheers
Chris Maunder
|
|
|
|
|
Writing my own identity provider has long seemed like an interesting mental challenge. It would be fun to tackle at some point.
|
|
|
|
|
You have such a different definition of fun than I do.
To me it's like painting a huge target on your back and calling out to everyone to line up and have a crack. It's terrifying.
cheers
Chris Maunder
|
|
|
|
|
Chris Maunder wrote: You have such a different definition of fun than I do.
You should see what I'm working on right now. For the last couple of months, I've been working on my most ambitious article set.
|
|
|
|
|
I'm scared.
cheers
Chris Maunder
|
|
|
|
|
So, the technologies I am using are:
- AWS services (using localstack to allow people to try this at home)
- Terraform (giving me a bit of IaC for AWS)
- Blazor WASM
- .NET 7
Is that too much? Are you going to be okay with articles that link out to localstack? There is a forever-free version so it shouldn't cost anybody anything.
|
|
|
|
|
If it's a tool or service an average developer in the space has access to in their day to day job (and a free tool fits this) then absolutely.
cheers
Chris Maunder
|
|
|
|
General 
News 
Suggestion 
Question 
Bug 
Answer 
Joke 
Praise 
Rant 
Admin 
Submit an article or tip
