Highway8

iTrader: (11)

Until today I had always been able to go back and edit or delete a post. Today I noticed that older post could not be edited or deleted. While I can see some merit to the change, I see more problems with it.

For 1, my thoughts and words are my own and even though I post them on a forum they will always be mine. I should be able to remove or edit them at my discretion. Unless I missed something, once I post something to a forum they do not become the property of the forum. ????

2- (and this is how I discovered the change) Some post are information or schedules that can change. This is especialy true for the 1st post of a thread, such as my Nor Cal Track Day Schedule.

Suggestion: Change it back, or add a request to edit post. The button is pressed and everything is identical to a regular post edit, except the change must be reviewed by a moderator before the change is made. This feature can only be used to correct information, up dates and changes but not for spelling corrections. Post can be deleted in a similar fashion and for similar reasons.

RIWWP

iTrader: (2)

It's been like this for at least a few weeks, if not over a month. Basically the Admins found that some spammers were using the edit feature to insert spam and unwanted links into prior posts, often through account take-overs of existing members. So they enabled a feature that only allows edits for about 2 weeks or so after the post was originally made.


It is causing me issues in the New Owners thread too, but I can understand the reason for it. I believe they are working on a solution with IB.

Speed_8

I think even thou the thoughts are yours.. once posted they belong to the rx8club. Just like Facebook. Once u post a picture legally it belongs to Facebook

Highway8

iTrader: (11)

Would not surprise me.

Highway8

iTrader: (11)

Its always the spammers.

I figured there was a reason for it and I can understand it, I am just saying there needs to be a solution. So I hope your right that they are working on something.

RIWWP

iTrader: (2)

Yes, of course. It's a massive conspiracy theory to steal all the information possible on the RX-8, to market it and make lots of money off of every new owner that pays through the nose to be able to research and read all day long without having to post up a new topic asking for something in the stickies. This conspiracy will eventually come to dominate the entire automotive world, and you will be unable to avoid involving yourself, becoming brainwashed to log in every day and contribute to the collective hive mind. Disconnecting yourself in an attempt to resist assimilation will result in immediate destruction of your engine.







...

zoom44

if you need a change to an OP of an event thread just send to me or one of the other mods and we'll take care of it for now. in fact pm me and I might be able to give you "privileges" to that particular thread or forum. I did it for Phil for WHIVSIV

RIWWP

iTrader: (2)

Mind giving me that privilege for my New Owners thread?

It's the only old thread I go back to edit.

jobidia

So if I understand, because of a bug in the software and/or the fact the IB doesn't enforce the members to create a strong password, the members are handicapped with a 2 week edit grace period so spammers cannot take advantage of the weaknesses.

Due to the incompetence of IB technical team to perform software updates and create acceptable security policies it's long term members must be the ones that suffer? The ones that provide the kernal knowledge and make this site worth coming too.

RIWWP

iTrader: (2)

It's not a "bug". It's an intended bit of software. This is just being exploited by some spammers, and IB has to take steps to figure out a better way of doing it.


It's like driving a car. The steering wheel is intended to control the direction of the car. Everyone uses it (usually). One person using it to deliberately crash into another car does not mean that steering wheels are inherently flawed.

How about we remove keyboards? Input methods. Make everyone unable to type. I'm sure that would prevent spammers.


It's not "incompetence" for someone to design a method of communication, and then someone else use all the intended features of that method to communicate unwanted material. Hell, plenty of newbies use it to generate unwanted communications all day long!




But yes, likely they will end up coming up with an answer that satisfies no one, causes problems, and then later correct it to something that works. (After all, I'm not aware of anyone getting it right the first time)

StealthTL

iTrader: (1)

Plenty of forums don't allow editing after a brief period.

.....makes for stupid discussions if someone can edit a week old post and claim "I never said that"

Speed_8

well you are obviously taking what I said out of proportion..glad you wasted your time replying to my comment

RIWWP

iTrader: (2)

Does that mean I get to waste more time?



Seriously though, posting something in public doesn't make it anyone elses "property" and more than you retain "ownership" of it when you post it in the first place. It becomes free domain. IB has no interest in trying to legally retain "ownership" of forum posts and content.

jobidia

Mr. RIWWP please don't shake your head at me.
My point in the end was that IB's assets are this audience. Yet there interim solution is to but the burden of inconvenience on that audience.

And you are right, no one typically gets it right the first time but IB is lacking is some of the most basic security practices which are known to work, easy to implement and relatively cheap. Like the steering wheel lol

First, from the above quote of yours you sort of implied it might have been a bug/exploit of the edit button but mostly it was account take overs.
This is why I suggested perhaps (with an and/or) software bug.
However that is not the case so it would seem, so fine I didn't read it that way.

But this makes it worse in a way. (and I still say security incompetence)
IB brands has now had a issue with unauthorized account take overs and they didn't say anything to the community?

Responsible disclosure would have been to notify the users (forum members) that a preach of security had occurred and we suggest the forum members to change their passwords immediately.
Even something this simple. It's this community that makes IB money, what does it say about them if they don't even have the respect to tell us that our account and passwords have been comprised.
I wonder how many users use their same passwords for more than one account? Would be nice to tell them to change their passwords.
Have all our emails now been harvested?

Simple security policy that should have been put in place?
While we are thinking of passwords because IB uses no strong password enforcement you could probably use a list of the most common passwords to login to a users accounts.

Which brings us to the login ID which is the same as the User ID ... bingo I now have a list of valid accounts then I could script the most common passwords against and try and login. kewl.

But wait there is more. How many login attempts do I get? Dunno I've not tried but I bet it's a lot before the account gets locked if indeed this is even in place.
(I bet there is no account lock out with failed login attempts)

But wait there is more! Have you ever heard of Firesheep? Session hijacking at open wifi hot spots, like coffee shops and airports, you know.

The Twitters and Facebooks had a real problem with this as they "use to" offer un-encrypted login. Firesheep this simple open source application that allowed you to sidejack these session cookies which you could then assume their identity.
(ngrep is another application used to scrap unencrypted wifi data)

Furthermore I would suspect a spammer could set in a coffee shop or something and just harvest all the un-encrypted logins for use later.

All these security principles are not new, not even close to being new. The hardest one, and costing the most $$$ is setting up the https server for encrypted logins.

Mr RIWWP with respect I am saying that IB should be more responsible about security and have some respect of the information they hold about their members. (as little as it is)

I hope IB doesn't run anything important with real information.
eeek

That's it, makes me wonder why a solution is taking so long to implement.
What did you say, almost a month now?

RIWWP

iTrader: (2)

The account take-overs that I have seen evidence of myself all appeared to be in the nature of someone's password getting compromised on an individual basis. Either through having keyloggers on their system or wifi hijacking, etc... I am not aware of anyone breaching IB's data and mining passwords. If they did, I think we would see this on a significantly larger scale.

I am sure some of it is where the spammers create accounts themselves, create posts that aren't spam and just sit there dormant, and then re-edit later trying to get their spam out. Nothing much you can do about that security other than (the needed) increase in registration verification methods.

I also don't see it as much of an inconvenience to more than a handful of people. It doesn't remove the edit button, as you can see. It just adds a timer, so that after about 2 weeks, you can't edit any more. Very few of us on the boards have a reason to edit posts that old.

And Zoom pointed out that they can get around this issue for individual people and individual threads.

I 100% get what you are saying, that there are plenty of security methods out there. And I agree, IB hasn't really bothered to implement many of them. I was mostly just reacting to your implication that them allowing someone to edit their post is "incompetence."

Your 2nd post re-directed that label to an area more fitting, their overall security plan.

jobidia

True enough.
Still I've seen a lot of threads where the first post is maintained.

Like RIWWP's and Green04 First Hundred dollar thread.

I see a lot of people quoting posts, sort of a self preserving system.

I've been on plenty of forums and so I do agree with you but you know the saying.

"It's easier to give users functionality than it is to take it away"

jobidia

Like this idea, often labor intensive to implement and maintain.

zoom44

first of all. Ib didnt find it- we did. the mod staff noticed a few ****/spam links creeping into sigs. a member who was effected noticed it alerted us and gave us some information. someone found that perhaps a script had been run that caused the "infection" we alerted IB about it who then said they'd get to work on it. I instigated the no edit after two weeks period (its actually after 'x" number of hours but i did the math( ask anyone - me doing the math is scary i dont do math) and figured roughly 15 days.

has it been a month? i dont know i havent really checked back on it since theres lots of stuff going on forum wise and personal life wise to keep me busy that this just isnt front and center on the radar. combine that with part time seasonal side job im working and the fact that this effecting about 5 forum members including riwwp and highway its just not abig deal for us to work around for awhile.

there is plenty of security available . some we use some we dont to make the forum user friendly. Elara for instance spend ALLOT of time with the new users when she can filtering through them. thats labor intensive and a complete bore. we could enforce strong passwords right from the admin cp but for why? to stop a few errant spam links once in a blue moon while inconveniencing everyone?

there is no need for massive wholesale contact with members to change passwords etc. or really any need for an announcement. we identified a problem. IB was alerted. itll be fixed. at some point ill go back and turn the edit time length off.

except maybe for anyone who has been here less than a month who complains about it being a burden to long time members

StealthTL

iTrader: (1)

Shows how intertube savvy I am (does anyone under 70 still say 'savvy'?)

I just noticed the exploit today....

Mazurfer

Touche'

Lots of long semi-in-depth posts for a newb. I'm all for making things better, but jeez. Need life?

ASH8

And yeah, many other forums prevent any Editing after time.

Mazurfer

Yeah, but it kinda sucks because I had(have) a for sale thread made way back even before the "trader score" thing came about. I would edit this thread with updates and such, and hold it down to only one thread with history in it, so others could see that I sent what I said I would(etc.) and now I can't edit the first post.
I know I can copy it into buffer, create a new one, then paste the contents in, and then go back a delete the original, but that kind blows.............IMHO.


Using just one for sale thread since 1/4/2009. https://www.rx8club.com/rx-8-parts-sale-wanted-44/f-s-various-stuff-163778/

ken-x8

These days an author automatically keeps copyright ownership, unless there's an agreement otherwise. The Facebook deal was that they inserted that kind of clause into the user agreement. There were some photo sharing sites that tried the same stunt: having the user agreement declare that the site owned any photos that were uploaded.

If I were IB, the last thing I'd want would be ownership and responsibility for what gets posted here. Each of us is stuck with that.

Ken