PUBLIC-NOTICES: Forum Changes/Fixes. Any Questions?

  • TheCotMan
    *****Retired *****
    • May 2004
    • 8857

    #916
    Originally posted by astcell
    I don't know if I'd cut at 2 years, I see a few names of users who are not posting who are very definitely still active. Or if so, can we have a tick-box on the user account to avoid any scraping programs cleaning out the nest here.
    The clearing-house process we had before was to drop accounts with zero posts, and 2 years of inactivity. Having even one post or blog entry was enough for accounts 2+ years old to avoid being reaped. A plus for this was people that forgot their username or password, or access to their email address, could reclaim their username if it was never used to post.

    The process we have for the forums computing "active users" does not force any action to their accounts.

    What are your thoughts on the above? Still okay to reap accounts inactive for 2+ years with zero posts? Would you prefer a longer window of inactivity or is the "zero posts" requirement enough?

    -Cot


    • wrøng!
      • Aug 2011
      • 173

      #917
      Re-using usernames is a scary thought.

      • TheCotMan
        *****Retired *****
        • May 2004
        • 8857

        #918
        Originally posted by wrøng!
        Re-using usernames is a scary thought.
        It is a worry when users previously using those usernames post content, which could lead to confusion about which nickname is posting a new item -- the old one or the new one. Reputations are often attached to nicknames. This is another reason for not reaping accounts with posts attached to them. It also would ruin continuity with their old content.

        Any single post (forums or blogs) made in an account would make that account immune from being reaped and avoid this confusion.

        This has helped at least 10 people recover a username they once had here, but never used to post.


        • TheCotMan
          *****Retired *****
          • May 2004
          • 8857

          #919
          Also, I should clarify the following:
          1) This is not new, I've been doing this once a year for about 6 years.
          2) This does not include accounts that are in groups like Mods, Admin, Goons, Forum Leaders/Organizers, etc.

          The filters include the above plus no activity in 2 years and zero post count. The idea is to reclaim unused usernames without disrupting use of forums or blogs or introducing confusion.

          Thanks to the person that emailed me this question about other usergroups being protected. Since they used email to reply, I take that as an indication that privacy is desired. They are welcome to post their contribution here and take credit for it if they want.


          • VideoPod
            Square The Circle 1296
            • Jan 2015
            • 33

            #920
            Do what Ya' gotta' Do Man. I'm totally New and just lurking until I can get up to speed. I'm still looking for Def Con folks that might be close enough to Green Bay Wisconsin to meet for coffee.


            • TheCotMan
              *****Retired *****
              • May 2004
              • 8857

              #921
              Originally posted by VideoPod
              Do what Ya' gotta' Do Man. I'm totally New and just lurking until I can get up to speed. I'm still looking for Def Con folks that might be close enough to Green Bay Wisconsin to meet for coffee.
              There is a DCG (DEF CON Group) in Wisconsin. The last post on the forum we make available to them (which they are not required to use) is from a few years ago:
              https://forum.defcon.org/forum/gener...4-milwaukee-wi

              However, there is a link to their DCG which appears to show activity as of December 2014:

              https://www.dc414.org/

              Hope this helps. Good luck!

              [For those that complain this is a violation of the rules in not starting a new thread for a new topic, I am investigating why some users can't post new threads. There is no value, only harm, in enforcing a rule that people can't follow because of a mistake made in the upgrade, which is my fault. Don't blame the users for my mistakes. :-]
              Last edited by TheCotMan; February 3, 2015, 19:26.


              • VideoPod
                Square The Circle 1296
                • Jan 2015
                • 33

                #922
                Ok, CotMan... Sorry I missed this before. I'll reach out. Thanks!


                • TheCotMan
                  *****Retired *****
                  • May 2004
                  • 8857

                  #923
                  Upgraded forum software (again) to newer release. I have other upgrades to complete on the server due to new software releases that the forums software uses, too. That should happen this weekend, probably Sunday night if not tonight.


                  • VideoPod
                    Square The Circle 1296
                    • Jan 2015
                    • 33

                    #924
                    Actually I've used forum software before but not for a few years. May I ask what you're using? I like it.


                    • TheCotMan
                      *****Retired *****
                      • May 2004
                      • 8857

                      #925
                      Originally posted by VideoPod
                      Actually I've used forum software before but not for a few years. May I ask what you're using? I like it.
                      There was a time when I felt free to answer that. Anyone else that knows and is willing & able to say is welcome to say -- I won't stop them or censor their claims. However, I don't own the forums, server or software that runs here, and a few years ago Jeff switched to remove vendor and application or service names and versions in much of our session from server to client, and I don't want to undermine that effort.

                      I have no doubt that there is enough evidence provided in generated content, image names, and more to indicate which forum product we are using, and yes I understand obscurity is not security. My purpose in not naming vendor or version is not about security, but looking to not undermine policies described by Jeff. He is welcome to say, and he has stated forum vendor on twitter before -- these are his forums and this is his conference, he can reveal whatever he wants whenever he wants.

                      I hope you understand. Maybe someone else will answer.

                      Good luck!
                      -cot


                      • TheCotMan
                        *****Retired *****
                        • May 2004
                        • 8857

                        #926
                        At 8:30pm pacific time, I have work to perform on the DB, web server, and php. I expect service to be interrupted for about 30 minutes and be restored at 9pm.


                        • VideoPod
                          Square The Circle 1296
                          • Jan 2015
                          • 33

                          #927
                          Originally posted by TheCotMan

                          There was a time when I felt free to answer that. Anyone else that knows and is willing & able to say is welcome to say -- I won't stop them or censor their claims. However, I don't own the forums, server or software that runs here, and a few years ago Jeff switched to remove vendor and application or service names and versions in much of our session from server to client, and I don't want to undermine that effort.

                          I have no doubt that there is enough evidence provided in generated content, image names, and more to indicate which forum product we are using, and yes I understand obscurity is not security. My purpose in not naming vendor or version is not about security, but looking to not undermine policies described by Jeff. He is welcome to say, and he has stated forum vendor on twitter before -- these are his forums and this is his conference, he can reveal whatever he wants whenever he wants.

                          I hope you understand. Maybe someone else will answer.

                          Good luck!
                          -cot
                          Ok... Got it... I don't mind you not saying. This is a "Hacker" Group 8-)
                          My intent was innocent but I understand.
                          I just happened to like the set up. No big Deal..8-)


                          • TheCotMan
                            *****Retired *****
                            • May 2004
                            • 8857

                            #928
                            Originally posted by VideoPod

                            Ok... Got it... I don't mind you not saying. This is a "Hacker" Group 8-)
                            My intent was innocent but I understand.
                            I just happened to like the set up. No big Deal..8-)
                            Thanks for understanding!


                            In other news, all other forum maintenance that was planned between 8:30pm and 9:00pm is complete. There were 2 periods of down-time during this 30 minute window. The first lasted about 1 minute, and the second lasted about 4 minutes.


                            • TheCotMan
                              *****Retired *****
                              • May 2004
                              • 8857

                              #929
                              Now that service is mostly working, I've re-enabled several headers disabled during transition. These are meant to help with client security for things like XSS, and where certain kinds of data/requests are valid.

                              Let me know if you see problems. If you can't post or PM reports, try email: defconforums@gmail.com

                              Thanks!
                              -Cot


                              • Dark Tangent
                                The Dark Tangent
                                • Sep 2001
                                • 2732

                                #930
                                Announcing: DEF CON Forums now supports both DANE (TLSA records) as well as HPKP for your security pleasures.

                                HPKP is the Host Key Pinning Extension https://tools.ietf.org/html/draft-ie...key-pinning-21 that tells compatible browsers what ssl certificate to pin to the site you are visiting and for how long. This helps prevent MITM attacks with forged TLS certificates. This is lightweight and just works if your browser supports it. (Firefox, Chrome)

                                DANE / TLS https://tools.ietf.org/html/rfc6698 relies on DNSSEC and if you are using a plug in like the TLS Validator plugin https://www.dnssec-validator.cz/ for Internet Explorer, Firefox and Chrome it will give you visual feedback on if the sites you are browsing to support DNSSEC as well as if the page you are connecting to with TLS is protected by DANE. DANE pretty much assures that the site and certificate you were expecting to get is actually the certificate you received.
                                PGP Key: https://defcon.org/html/links/dtangent.html
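
An added example, not part of the post above and not the forum's actual configuration: it shows how a client matches the server's key against an HPKP `Public-Key-Pins` header and against a DANE TLSA record, and that for the common "3 1 1" TLSA form both carry the same SHA-256 digest of the SubjectPublicKeyInfo. It goes slightly beyond the post by also handling the other TLSA selector and matching-type values. All function names are hypothetical, and the key, certificate, header and record values are constructed stand-ins.

```python
import base64
import hashlib
import hmac

def hpkp_pin(spki_der: bytes) -> str:
    """HPKP pin value: base64(SHA-256(SubjectPublicKeyInfo))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode()

def parse_pkp(header: str):
    """Split a Public-Key-Pins header value into (pins, max_age)."""
    pins, max_age = set(), None
    for directive in header.split(";"):
        name, _, arg = directive.strip().partition("=")
        arg = arg.strip().strip('"')
        if name.lower() == "pin-sha256":
            pins.add(arg)
        elif name.lower() == "max-age":
            max_age = int(arg)
    return pins, max_age

def hpkp_accepts(header: str, chain_spkis) -> bool:
    """True if any key in the presented chain matches a stored pin."""
    pins, max_age = parse_pkp(header)
    if not pins or not max_age:
        raise ValueError("no enforceable pin policy (needs pins and max-age > 0)")
    return any(hpkp_pin(spki) in pins for spki in chain_spkis)

def tlsa_matches(rdata: str, cert_der: bytes, spki_der: bytes) -> bool:
    """Match TLSA rdata 'usage selector mtype hex' against the server's cert."""
    usage, selector, mtype, hexdata = rdata.split(None, 3)
    if usage != "3":  # only DANE-EE (end-entity certificate) is handled here
        raise NotImplementedError("usages 0-2 need certificate chain handling")
    selected = {"0": cert_der, "1": spki_der}[selector]  # full cert or SPKI
    digest = {"0": lambda b: b,
              "1": lambda b: hashlib.sha256(b).digest(),
              "2": lambda b: hashlib.sha512(b).digest()}[mtype]
    return hmac.compare_digest(digest(selected), bytes.fromhex(hexdata.replace(" ", "")))

# Constructed stand-ins for DER bytes (not real keys or certificates).
SPKI = b"constructed-spki-of-forum-key"
BACKUP_SPKI = b"constructed-spki-of-backup-key"
FORGED_SPKI = b"constructed-spki-of-other-key"
CERT = b"constructed-cert-wrapping:" + SPKI
HEADER = ('pin-sha256="%s"; pin-sha256="%s"; max-age=5184000'
          % (hpkp_pin(SPKI), hpkp_pin(BACKUP_SPKI)))
TLSA_RDATA = "3 1 1 " + hashlib.sha256(SPKI).hexdigest()

if __name__ == "__main__":
    print(hpkp_accepts(HEADER, [SPKI]), hpkp_accepts(HEADER, [FORGED_SPKI]))
    print(tlsa_matches(TLSA_RDATA, CERT, SPKI), tlsa_matches(TLSA_RDATA, CERT, FORGED_SPKI))
```

The difference between the two mechanisms is where the digest comes from: the HPKP pin is learned from the site's own earlier response and cached for `max-age` seconds, while the TLSA record is fetched from DNS and is only trustworthy when the answer validates under DNSSEC.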
