Messages - Arantor
6661
Features / Re: New revs - Public comments
« on August 20th, 2011, 11:35 PM »
Nope, not that. I'm not using AJAX either in what I'm thinking about, though I suppose it could be added since it's in an area that does have JS available, but I don't really see it as being needed.

The real question for me is whether I make it for all relevant users or a per-user thingamabob, but that has other consequences to be fixed since it would then be related to a vulnerability we discussed recently.
6662
Features / Re: New revs - Public comments
« on August 20th, 2011, 10:39 PM »
I do have one idea I haven't shared yet that I think you'll like but I'll demo it when I've got it working how I'd like.
6663
Features / Re: New revs - Public comments
« on August 20th, 2011, 10:28 PM »
I think that makes sense, so go for it :)
6664
Features / Re: Login with eMail instead of username
« on August 20th, 2011, 10:27 PM »
The only reason you knew you were being attacked is because of being logged out. In fact, there is a much better defence already in place for the style of attack.

Especially since I consistently see both username and email spam attacks in attempts to brute force access... Meaning that they'll still try it, and it actually is not a defence any longer.

What might be good is to provide a blacklist of the most common passwords and bar them from being used, since of the attack you're referring to (and in fact most brute force attempts), the top 20 or so most commonly used passwords were just cycled through a rotation.
6665
Features / Re: New revs - Public comments
« on August 20th, 2011, 12:25 PM »
I was able to get a limited version working in SMF in under an hour. The biggest part is marrying up the stuff in wedit, like the bbc converter, and having Wedge control what buttons there are rather than CKEditor doing it itself.

That sort of assumes we stick with bbc and have it perform the same kind of mutant bbc/HTML mashup that the current editor does because complex bbc can't be represented in simple HTML and vice versa, like the quote and gallery bbcode items.
6666
Features / Re: Login with eMail instead of username
« on August 20th, 2011, 12:00 PM »
Yes, I know exactly what it's about, since earlier this year there was an alarming rate of login attempts being made.

What it comes back to is whether people would rather be secure or convenient, and most people would rather be convenient. Sad, but true.
Quote
while you may not be sure whether 'user name' may refer to your actual user name or current display name...
It always refers to the username you signed up with. There's a simple, practical and immediate defence right there: have a different display name to username. It is as secure as using an email address in this context.

In fact, in another context it may actually be more secure to leave it as is. Consider the case of key loggers, logging email and password. If you're a good person and use a different password for each service, it doesn't make a lot of difference, but if you're not, you just provided one extra way for them to get your email + password combination.
6667
Features / Re: New revs - Public comments
« on August 20th, 2011, 11:31 AM »
Quote
Oh, I fucking hate IE... I'm looking at the post editor under IE7 and IE8. It's so incredibly broken, especially in Wysiwyg... There are glitches everywhere, it's comical. I wouldn't even know where to start.
This is really why we need to take a long look at how we approach WYSIWYG, and HTML in general. It seems to me that replacing the current editor with something like CKEditor would be a good idea but that we then need to decide whether we're keeping bbcode or not. (It is possible to hybrid them, as xenForo does)
6668
Features / Re: Login with eMail instead of username
« on August 20th, 2011, 11:30 AM »
You know that the system already actually does this internally, right? If you supply an email address it will attempt to use it.

Facebook quite happily accepts both.

I should point out that there is a convenience factor attached here, typing a username is a whole lot shorter than typing an email address in most cases, though most people will just stay logged in 'forever'.
6669
Features / Re: More stuff for the removal of
« on August 19th, 2011, 11:26 PM »
Quote
The user would just display as hidden.  Nevermind then.
Yup. Removing the ability to actually be hidden would be a very big, very nasty step, and I fully agree about the privacy reasons.

I'm literally only talking about the little icon:


Specifically whether that's displayed or not, and now it's forcibly displayed (except when you can't send PMs, but I think we'll end up changing that)
Posted: August 19th, 2011, 11:25 PM

@Nao: There's a bug in the Noisen code for the img tag; it's eating all the whitespace around it (even if that space happens to be newlines/line breaks!)
6670
Features / Re: More stuff for the removal of
« on August 19th, 2011, 11:18 PM »
Quote
There are certain uses for not showing a user's online status to all other users on the system.
Like what?

If a user doesn't want their status known, that's fine, they have the power to opt out. But I have yet to see a case where you would summarily rule it out entirely, especially given how you can see who's online on the front page.
6671
Features / Re: New revs - Public comments
« on August 19th, 2011, 11:17 PM »
Quote
I looked at your commit... Is it normal that you reverted my change to the MySQL version test...?
I know I did that at one point to see if it made a difference to how it was being evaluated, but no, that wasn't intentional, the only actual change should be to the function that updates Settings.php to strip the redirection.
6672
Features / Re: New revs
« on August 19th, 2011, 10:59 PM »
Revision: 953
Author: arantor
Date: 13:18:52, 19 August 2011
Message:
! Fixed installer doing very strange things like never actually getting past the DB settings stuff. (install.php)
----
Modified : /trunk/other/install.php


(Bah, meant to post this earlier.)
6673
Features / Re: New revs - Public comments
« on August 19th, 2011, 10:37 PM »
Bah, I forgot to post the change log again :/
6674
Features: Theming / Re: New theme
« on August 19th, 2011, 09:32 PM »
I have to say, I never really looked at 1.1.x themes before, but I gotta say, I just took a look at your work and it does look pretty good. I'd love to see any more themes you work on. :)
6675
Features / Re: New revs - Public comments
« on August 19th, 2011, 07:41 PM »
I already committed the fix hours ago :P

This is what prompted me to muck about with my setup because the installer worked as expected, and failed to allow me to finish installation.