Keep your accounts safe!

Everyone can be an attack vector.

Then ban everyone from uploading. 2FA does not prevent this. All it prevents is people gaining access to “trusted” accounts. As I said multiple times, I have no problem with you requiring it for trusted users. I have a problem with requiring it for users who posses nothing a fresh account doesn’t already have.

There are other measures being used already to prevent bad actors from creating alts and doing this like users get flagged to us when multiple users share an IP. I have mass deleted users before for having clear alt-behavior.

This is just arms race behavior, and I’m sure you already know, but I’ll point it out here: making alts with different IPs and 2FA is not impossible or even hard, you simply raise the barrier of entry. This doesn’t actually make anything more secure, it just makes lazy bad actors quit earlier. Lazy bad actors aren’t bothering to try to infiltrate places like this in the first place. The community is too small to be worth the effort.

Are you going to maintain that list?

Do you not already do moderation? Same shit.

You should be using 2FA everywhere importance of an account doesn’t matter.

Importance of the account absolutely matters. The effort is not worth it when there is nothing meaningful to lose. I am not putting barbed wire fences around every blade of grass in my yard just to make sure nobody steals one.

you become an attack vector for the community

I am no more an attack vector than any other fresh account is, which is the entire point. You stated this was about people leveraging trust within the community to distribute malware. If you set the bar for “trust” as “having an account” 2FA does nothing to actually increase security. It’s just security theater in that sense.

It’s generally unsafe and it’s better to eliminate that vector.

Security is always at odds with convenience. When my account is unsafe, but contains nothing of value, I will trade the convenience for the lack of security. People make these kinds of determinations every day.

I am certain to some extent you have made these choices yourself for you own security. How many locks does your front door have? Surely it’s as many as you can physically fit on it, right? Because otherwise it’s generally unsafe and you should eliminate the attack vector of someone being able to get through n existing locks. Better add n+1.

This is unfortunately just a reason. Not a good one.

I have seen plenty of niche communities die over comments like this. User experience is the most important factor in any niche site. If your site isn’t nice to use, people will simply not use it. When you have few people to lose, losing them matters more.

Whether you like it or not, this enforcement makes the forum safer for everyone

No. It makes you feel like it’s safer for everyone. Requiring it for prominent uploaders would accomplish 99% of the safety with 5% of the pain. Instead, you are pushing the pain out to everyone, trying to squeeze out that last 1% ineffectively.

I’m not sorry for trying to keep everyone safe

The core concept isn’t the issue. The issue is that you’re refusing to acknowledge that you are pushing too far in the direction of inconvenience for the cost-benefit to be worth it. You could make the site perfectly safe by airgapping it and making it so nobody can login at all, but that wouldn’t be very productive either, would it?

I hosted a stream on discord to educate via QnA and 3 people showed up.

Yes, because people don’t care that you think this increases security for them. They care that you’re making their experiernce worse. Most of the issue around 2FA is not about education, it’s about inconvenience. Plenty of people know exactly how MFA works, myself included, and still don’t want it for this for various reasons.

You’re a vocal minority and I’m still trying to help educate and you so you understand.

I already understood from the getgo. I also work in tech. That doesn’t mean I want anything to do with this site on my phone, nor do I have anything worth protecting on this account.

Do you put 2fa on throwaway emails too?

Also, you call it a vocal minority, but you won’t actually know how many people consider 2fa a dealbreaker until you launch it. I won’t be surprised if you find that lots of people simply quietly stop using the site because it’s a pain in the ass. If I, a person who uses 2FA more than most, am not willing to bother, why would random Joe Schmoe want to bother? One of the few things you have going for you is that the community is niche and there aren’t a ton of other places to get this kind of content, but that only goes so far. Like I said, I’ve seen other highly opinionated admins kill their niche communities with their strong opinions before.

Both you and I will never truly understand the number of threats possible due to account hijacking.

No, but we can understand that account highjacking fundamentally relies on the concept that the attackers time is limited and that they, as such, focus on attacking accounts of value. You are far better off focusing efforts on protecting valuable accounts rather than trying to make everyone safer and chasing them off in the process.

This site does not have anything meaningful on it in regards to personal security. The main and only important threat vector is people using stolen accounts to distribute malware, and there are far more effective ways to curb that which don’t negatively impact end users significantly.

I’ve already provided multiple, but here’s more. Require virustotal links for all uploads. Require vetting of users by moderation to be allowed upload permissions. This, and every other suggestion I’ve mentioned previously would give a better return on security to pain ratio than requiring 2fa globally (or something like SSO). Some of them require more work on the moderation front than others, but the onus for keeping a site safe should always be on administration and not on users.

Its your site, and that obviously means you’re free to do what you want with it, but many people have been signaling to you that they find it unacceptable, and those are just the people bothering to interact instead of quietly leaving. Instead of feeling imperious and trying to “educate” people, you should instead focus on the fact that the site isn’t useful if users don’t want to use it.

It sounds like you’re pushing forward either way. We’ll see how many people leave because of it, and we’ll see if that causes you to backtrack or just dig your heels in. Maybe it’ll work out, but frankly I don’t think so, and if much is lost, this community doesn’t seem big enough to weather a large loss. You have to maintain a critical mass of users for a community to sustain itself.

5 Likes

“2FA doesn’t prevent the threat, it just prevents the threat”
This is what you just said to me. This is a forum where people share IoT firmware and software. Banning uploading is not an option. Think before you post.

It provides enough friction to make it impractical for mass alt creation.

I do way more than moderation. I’m not trying to add to that workload, and again, discourse doesn’t support that.

no

Exactly

This is not the only threatmodel. I have said this multiple times.

Always is not true. I have demonstrated that security can be convenient if well implemented. Passkeys and MFA are capable of this. You’re just ignorant or lazy.

Fun fact, my front door has 2 locks. The regular lock I use normally, and the second lock is an RFID deadbolt that I unlock with an NFC implant in my hand. I don’t expect most people to do that, but I do know a lot about physical pentesting and how the strike plate can sometimes be bypassed and I know how to pick locks. Like I said, I take security seriously.

This is an opinion. I don’t think that’s true. User experience is important but safety is number 1 in my opinion.

Once again, discourse doesn’t have this functionality anyway.

I interpret not showing up as not caring enough to dissent.

Yes. Throwaway emails handle compartmentalisation, not security. I also use passkeys for throwaway emails.

right now, I have counted no more than 10 people complaining about this. This forum sees almost 10K users daily. You are a minority.

So why do you say ignorance to me? Are you an infosec analyst? Do you know anything about how we actually protect assets? Working in tech doesn’t make you a cyber expert.

1 Like

You are mixing your job and your passion for it- the security expert - with what you are doing here as an admin.

As others said, this is a porn forum.

Potentially.
As in some careless dude just clicking on anything fancy?
If you wanna stay safe from such risks, close the forum.

Which says a lot.
I could line up a few admin’s who’d tell you that it’s THE ONLY reason, and staff members, and users, I mean from other communities I was/be a part of over the last few decades.
Some would go that far to say that a good time, a positive experience for the users is what admins, moderators and staff members - and active users! - are working their ass off for, what makes them invest and spend countless hours of their free time.

What else is this place for if not to have a good time here?
If it’s just the scripts, post a table with links and you are done, a text document maybe.

Why the community event team invest an unbelievable amout of time, work, effort?
Why scripters post their scripts here - for money? Maybe, a few, maybe money is part of it but not everything - for those who sell.
What about the scripters posting their hard work for free?
It’s about communication, it’s about likes, comments, feedback, and what is it that comes from communication, likes, comments, feedback?
A positive experience.

“Not a good one.” ???
It’s the essence of communities of this kind, of all communities which are about hobbies and other free-time-activities.

And it worries me that it seems that you don’t get this very important point.
As an admin who actively posting in the forum you are a community leader - if you like it or not, and as such, it should be your MAIN interest to ensure that a visit to this place is a positive experience.
An admin - a community leader - should have a vision of a good forum, a place people want to be, where they enjoy their stay.
What is your vision? Where do you see this forum in 3 years?
Safe and secure as Fort Knox but ghosted?
Zombies posting quickly generated scripts for 1 minute clips to make a dime or two?
Or full of passionate scripters who share their work, their passion, their knowlege?
If it’s the latter, you may take in account that what it takes to have them here is (you might can guess what I have in mind:) A positive experience.

And btw, what about YOUR experience?
Is it fun for you - to be the admin here?
Is it passion? Is it something you are looking forward to over the day, to come home and (have a good time) / (have to do your job here)?

Now, you could ask how MFA can ruin the experience.
What I’ve got from the postings about this topic, it’s for most not the MFA, it’s the enforcement.

It bothers people, and oh yes, it bothers me personally as well.
And if it’s really such a threat, then please tell me why this is the only place of this kind that needs or consider such a MFA necessary?
Are all the other webmasters and admins stupid? Careless? Do they have no idea? Are they not IT-professionals? (I’ve worked with some of them for many years, and those I know are none of that).

But even more of a problem in my eyes is the way you’ve handled the feedback to this.
As an admin you should always - and I mean ALWAYS - keep a calm and professional level - if it’s a professional/commercial page/forum or not.
You’ve begun to take it - that’s my impression - personal, reacted emotional, as a human that we are all, it’s understandable, it’s normal, it’s OK.
But as an admin, you shouldn’t let it out. Shout to the wall, destroy your keyboard, run 10 miles or do whatever it takes, but once back posting: Calm and professional.
Terms you’ve used (“Obtuse, lazy, ignorant, stupid”), those are no-no’s, and nobody - admin or not - who has solid arguments would need them anyway, it makes it look - again, that’s my impression - like a desperate try to justify something unjustifiable.

Well, for now, for me, from my point of view, the damage is already done, the fun is gone, since this has started I recognize my usual evening visits on this board got shorter and shorter, no motivation to browse or post, a quick look here and there and that’s it, or in other words, to me it’s not a positive experience anymore, maybe fun comes back, maybe not, whatever.

I don’t expect this or any other post could change your decision, you want it this way - your board, your rules.
I just was in the mood to express my opinion and describe the situation from another (my) perspective.
And one last hint: Your actions, your rules, the way you communicate, all of that has an impact, not for all users and not necessarily immediately, maybe it could be a good idea if you ask people with a better feeling for community work to help you, have them as co-admins maybe - community-admins, a good team is always better than a one-man army.

4 Likes

You are conflating “all accounts” with “trusted accounts”. This is obviously false. If you thought this, you would stop people from being able to register, or you would stop all accounts from being able to upload.

Banning uploading is not an option. Think before you post.

Banning it without vetting is most certainly an option. Banning it without 2FA is also certainly an option, considering you’re effectively banning using the site at all without 2FA. You can’t seriously argue this isn’t an option but forcing 2FA for everyone is.

It provides enough friction to make it impractical for mass alt creation.

Mass alt creation isn’t a prerequisite, it just makes it harder for you to ban all the bad actor accounts. Regardless, the friction is friction, not prevention. A motivated actor will do it regardless.

I do way more than moderation. I’m not trying to add to that workload, and again, discourse doesn’t support that.

So instead you’re force a change that makes the usabilitty poor for everyone? You could also resolve this by allowing non-logged in users the ability to actually use the site too. Does Discourse also not support that?

no

Yes. See? Both of us can do that. It doesn’t make for a strong argument.

Exactly

I don’t see you making it impossible for bad actors to make fresh accounts.

This is not the only threatmodel. I have said this multiple times.

But it is the threatmodel you brought up in the other thread time and time again. You seem to have fallen back from it now that you realize it’s a poor argument for worsening the experience for many users.

Always is not true. I have demonstrated that security can be convenient if well implemented. Passkeys and MFA are capable of this. You’re just ignorant or lazy.

No. It is definitionally true. Passkeys and MFA are more convenient than some other types of security, but they are factually less convenient than no extra layers of security at all. If users are using their devices in a way that helps them maintain privacy otherwise, using Passkeys and MFA becomes more strenuous than it otherwise would be. Passkeys and MFA both require device level storage of keys which are now visible to anyone with access to the device. I think it’s fairly obvious why some people might want no outward signs of their usage of this site on their device.

Regardless, the main point stands. Security is always at odds with convenience. Just because you have your bar for convenience low does not change the definition of the words in an objective sense. More security is objectively less convenient than less security in all situations. We simply sacrifice convenience because sometimes security is more important. This is not one of those times.

Fun fact, my front door has 2 locks. The regular lock I use normally, and the second lock is an RFID deadbolt that I unlock with an NFC implant in my hand. I don’t expect most people to do that, but I do know a lot about physical pentesting and how the strike plate can sometimes be bypassed and I know how to pick locks. Like I said, I take security seriously.

I know how to pick locks too. I also know how to use a Rubber Ducky for RFID devices. Your house isn’t as secure as it could be, because you are only limited to those two locks. Why not 3? Why not 7? Why exactly are you not maximizing your security? Is it because it would be a pain in the ass to unlock 7 locks to get into your house?

This is an opinion. I don’t think that’s true. User experience is important but safety is number 1 in my opinion.

The site does not serve any purpose without users. Safety is great until nobody wants to use it because it’s too “safe”.

Once again, discourse doesn’t have this functionality anyway.

Then find another less destructive path that it does support. Forcing 2FA isn’t it. You’ve had a bunch of pushback on this change for a reason.

I interpret not showing up as not caring enough to dissent.

And you interpret all the people dissenting here as a vocal minority. You have established your stronghold of opinion already and you are coming up with excuses for why it cannot be wrong.

Yes. Throwaway emails handle compartmentalisation, not security. I also use passkeys for throwaway emails.

If you are throwing the email away after one use, there is zero need for security on it. The whole thing disappears anyways so there’s nothing to keep secure. This just indicates you like feeling secure, even if it’s just theater.

right now, I have counted no more than 10 people complaining about this. This forum sees almost 10K users daily. You are a minority.

No, I am vocal. Most users are not. They will simply silently stop using a service when it becomes inconvenient to use. All you’ve got preventing that is a niche, and that only goes so far as I said. We’ll see how it works out for you. You’ll almost certainly see a drop in traffic at the end of the month. Up to you whether that’s worth it for you to feel “safe” I guess.

So why do you say ignorance to me? Are you an infosec analyst? Do you know anything about how we actually protect assets? Working in tech doesn’t make you a cyber expert.

I don’t say ignorance to you. I have different priorities than you. I’m not an analyst, I’m a programmer. Yes I know how to actually protect assets because I have to write things to be robust out of the gate. I’m certainly not a cybersecurity expert, but I know enough to not get gishgalloped by you just because you know about different security protocols.

All the knowledge in the world can’t save you from making things a bad experience. Security is like UI design, at the end of the day, you can think everything is functional and optimal, but it doesn’t matter at all if the users hate it.

As the poster above so eloquently put it: What else is this place for if not to have a good time here?

If forcing MFA on everyone makes people have a bad time, that’s not something you should be diving behind your fortress walls to defend. It’s something you should be hearing users out on, because they care enough to actually tell you you’re making a mistake. Brushing them off and calling them ignorant is just a bad look.

5 Likes

I’m locking this thread. Close to everything I have already said is being ignored either by intention or cognitive dissonance.

1 Like