LIT and security

Never said:
I’m not holier, though I’d say I’m superior.

UH-HUH, if you say so, that's your opinion and you're most welcome to it.
 
Draco:
"Any website that uses Security (Username & Password) then lets you log in again into that same account while already logged in IS UN-SECURE.

Is that simple enough for you....?


You’re telling me something you’ve already said. I know you think it's insecure. I want to know why or how it’s insecure.

If someone has hacked into Lit to get your password then they’ve already learned how to breach the security. If they’ve hacked into your computer and found the password somewhere then they already know your network location.

What you're suggesting is a bit like suggesting that someone add barbed wire to their fence to stop someone who’s already in the building.
 
Lancecastor said:
You're still right, Draco.

Despite their childish "You're either with Laurel or against her" hierarchical closed-shop nonsense, you're still right.

Thanks for raising it.

Lance

Not a problem Lance, just doing my bit. I've never been afraid of a bit of controversy, and I'm not knocking the LIT board in any way, shape or form, and not knocking Laurel or Manu either; they both do a fine job in running the place. It was just something I discovered totally by accident and wondered if others had too. I didn't know that I would be sticking my head "into the lion's den" with this one.
 
Draco:
"UH-HUH, if you say so, that's your opinion and you're most welcome to it."


I already knew it was my opinion but thanks for the reminder anyway.
 
Never said:
You’re telling me something you’ve already said. I know you think it's insecure. I want to know why or how it’s insecure.

WTF...???? I tried this on another V-Bulletin site where I am a member. Blubster Music Sharing. I logged in on my desktop machine, then fired up my laptop, dialed up and tried to log into my account ...it BLOCKED it.

Funny thing is, it is the EXACT same version of V-Bulletin

Now, if they can employ a simple security measure like "detecting and blocking" a second log-in attempt, surely it can be employed here.

That's the whole CRUX of it...if others are using security settings...why aren't they in use here? Especially after all the bullshit a few weeks ago about SO & SO's account getting hacked and PMs being emailed here, there and everywhere?


AND THAT FOLKS IS MY FINAL WORD ON THIS MATTER.

AMEN.
 
so...if you log into Lit at grandma's house and forget to log out you'll never be able to log back in again until you make that 12 hour drive again next thanksgiving?

course you could call grandma and have her log you out...

Each and every site could allow multiple accounts to be logged in at the same time. Pay sites will track this to check for password sharing.

Like Never said I just don't see how this is unsecure...
 
Draco said:
That's the whole CRUX of it...if others are using security settings...why aren't they in use here? Especially after all the bullshit a few weeks ago about SO & SO's account getting hacked and PMs being emailed here, there and everywhere?


AND THAT FOLKS IS MY FINAL WORD ON THIS MATTER.

AMEN.
Draco, I have to go along with Never and others; I still don't see this as a security problem. To me, the issues of being able to log on multiple times and the hypothetical ability of people being able to hack into your account are two different and separate issues.

Suppose I could no longer log in on multiple accounts at the same time. How does this prevent me from hacking into someone else's account? How would allowing multiple logins at the same time enable me to hack into someone else's account?

I see the ability to login to multiple accounts as an issue with preventing people from carrying on conversations with themselves, etc. - the kind of stuff that trolls do to lend support to their own opinions. I just don't see how this enables anybody to read my PMs or to hack my password. :confused:

With all due respect, I don't see where anybody, including yourself, has presented any information or rationale to support an assertion that this is a security issue.
 
Draco said:
Not a problem Lance, just doing my bit. I've never been afraid of a bit of controversy, and I'm not knocking the LIT board in any way, shape or form, and not knocking Laurel or Manu either; they both do a fine job in running the place. It was just something I discovered totally by accident and wondered if others had too. I didn't know that I would be sticking my head "into the lion's den" with this one.
Not afraid of controversy, but telling me if I disagree I shouldn't reply? I believe you said, "...if you don't like the thread content, don't reply..."

Draco, old salt, you contribute a lot around here, and this was not an attack or a holier-than-thou discussion on my part in spite of trying to get one individual to carry on a valid, sane debate. The one clear point remains there are security choices made by all sites, and that you don't like how this one's been set up. To take a page from your own book, then, one might suggest:

If you don't trust the site's security, don't patronize it.

Aside from articulating some technical realities, I suggested, instead, that such conversations were more apt to bring about positive change by being conducted in other venues, whereas pointing out features one presumes represent exploitable holes right on a site where they're manifesting tends to convey the appearance that one is more interested in telling anybody who will listen than in addressing the underlying decisions of the implementation.

The appearance of disinterest in effecting an actual change is magnified when those championing change fail to address the points raised with anything more specific than some dismissive statement such as, 'if you don't like the thread content, don't reply.'

I'm not surprised when certain posters adopt that tone/tactic, but frankly from your past behaviors I've come to have somewhat higher expectations of your participation here, because until reading your more recent posts I would have indeed agreed that you aren't afraid of controversy. What's the deal?
:confused:
 
Draco said:
I tried this on another V-Bulletin site where I am a member. I logged in on my desktop machine, then fired up my laptop, dialed up and tried to log into my account ...it BLOCKED it.

Funny thing is, it is the EXACT same version of V-Bulletin

Now, if they can employ a simple security measure like "detecting and blocking" a second log-in attempt, surely it can be employed here.

That's the whole CRUX of it...if others are using security settings...why aren't they in use here?

Ahhhh....I think you've touched upon the crux of the matter indeed.

Multiple log-ins would also enable House Trolls & Fluffers to increase posts and steer discussions, particularly in the absence of Unregistered as an option.

Why else would it be left on? I'm open to suggestion, as always.

Lance
 
Lancecastor said:
Ahhhh....I think you've touched upon the crux of the matter indeed.

Multiple log-ins would also enable House Trolls & Fluffers to increase posts and steer discussions, particularly in the absence of Unregistered as an option.

Why else would it be left on? I'm open to suggestion, as always.

Lance
yes, but this one goes to 11
 
JerseyBoy said:
so...if you log into Lit at grandma's house and forget to log out you'll never be able to log back in again until you make that 12 hour drive again next thanksgiving?

course you could call grandma and have her log you out...

Each and every site could allow multiple accounts to be logged in at the same time. Pay sites will track this to check for password sharing.

Like Never said I just don't see how this is unsecure...
Lit automatically logs you out after you've been inactive for about 20mins or so (I don't know exactly, but seems around that), that's why your 'on-line' indicator in your posts doesn't stay highlighted even when you've set your account to auto-login. So, assuming you hadn't accessed your account from grandma's for at least that long, you'd be able to access it from your house.

But I agree with you about the whole security breach thing though. Obviously Lit is not secure - so what? Most web servers aren't, and unless the server is used for internet banking or the like, I fail to see the problem.

What's the worst someone could do if they hacked Lit and got my password? Impersonate me on lit until I contact Laurel and get the account banned? Ooooooo, scary! lol
 
Draco said:
The ONLY reason I used the references to ICQ Yahoo etc is...they use password protection, and if you try to log in from a second machine, they detect the log-in attempt and block it. I didn't want a discussion on what protocols each one uses, what their respective CEO's had for breakfast or whatever. I was simply quoting them as examples.

This is a protocol discussion whether you believe it or not, because of what the programs are built on. Strange that one of your visited Vb sites only allows one connection though, because it's HTTP based. HTTP allows all to see, provided you are allowed to enter the site either anonymously or through a user account. Site access in HTTP is granted through cookies handed out by the web server to any node with access permission. ICQ, Messenger, etc., is a point to point thing, making multiple access requests impossible. Point to point requires point A to point B directions, so multiple point A's would just confuse the protocol.

It's still a little weird that you would call this insecure. I mean, to have you and some other person log in at the same time with the same user account at two separate locations is just as insecure as someone using your account when you are not logged on. So, what difference does it make if you are logged in at this time or not? The fraudulent one still gets in. At least if you are logged in at the same time you'll notice the fishiness sooner and be able to stop it.

What about the plus side of multiple access nodes? Say you forgot to log out at home or whatever because you were in a rush to get somewhere. Then you wanted to check up on the board from a cyber cafe or work, etc. In this current system you could do it. Wouldn't it be a pain in the ass if you left yourself logged in and you were going on vacation for two weeks? Oh no, no Lit for two weeks!

But a Vb site that secure? Come on! Why would the administrators spend that much time configuring that type of security for a public board?
 
crysede said:
Lit automatically logs you out after you've been inactive for about 20mins or so (I don't know exactly, but seems around that), that's why your 'on-line' indicator in your posts doesn't stay highlighted even when you've set your account to auto-login. So, assuming you hadn't accessed your account from grandma's for at least that long, you'd be able to access it from your house.



Ah, it makes sense now. I figured lit would log you out after a certain time.
 
Re: It's all done with cookies

The Heretic said:
This isn't a security hole since it doesn't get you someone's password if you don't already have it, and it doesn't make it any easier to hack their password or their PMs or any other confidential info - it just makes it easier to throw temper tantrums.
True. It also makes it difficult to lock someone out of their account if you do have their password.
On a different subject; as for the security holes in MS products vs. Linux etc. - there have been more security alerts for Linux products than for MS products, both by the vendors themselves and by independent sources such as CERT. The MS holes make the news because it is so popular and MS is the company that people love to hate. I am not defending them; even though they are virtually my neighbors, I don't like many of their business practices either - but the reason most people don't like them is that they are popular, they are successful and they do make good software - in essence they are jealous even if they won't admit it.
Well, ya gotta admit that for a company that uses underhanded means to wreck its competitors, with all their billions of dollars in resources, to have on the market as an even remotely viable alternative a system written by college geeks with too much spare time on their hands is pretty damn funny.

As for security, I've seen several Microsoft-based systems compromised or infected, but never a unix system, and I've used unix more. And all the viral trash you see in server logs comes from infected Microsoft-based systems. They're more popular, and therefore more of a target, but still it appears that the security problems they do have, while fewer, are more severe. With their resources, it seems one should expect better.

I don't know if I'd call it good software. The words "bloated" and "buggy" come to mind, although I understand they've cleaned up their act a lot. (I recently had to shut down a unix web server that had been running with 1116 days' uptime. That's stability. Try running a Windows-based server for three years straight without a reboot!) But Microsoft still seem to be fixated on this idea of violating industry standards in order to force the use of their software. They have been and are very successful, but I'm not jealous. I just think they're evil.
 
Draco said:
Now, if they can employ a simple security measure like "detecting and blocking" a secong log-in attempt, surely it can be employed here.
But then, if someone had your password, they could log in while you were logged out, and prevent you from logging in again. How would that enhance your security?

A simpler, and, I'd suggest, much more effective security measure would be to not give your password to anyone.
 
Re: Re: It's all done with cookies

Byron In Exile said:
True. It also makes it difficult to lock someone out of their account if you do have their password.

Well, ya gotta admit that for a company that uses underhanded means to wreck its competitors, with all their billions of dollars in resources, to have on the market as an even remotely viable alternative a system written by college geeks with too much spare time on their hands is pretty damn funny.
It is down right hilarious. :D

As for security, I've seen several Microsoft-based systems compromised or infected, but never a unix system, and I've used unix more. And all the viral trash you see in server logs comes from infected Microsoft-based systems. They're more popular, and therefore more of a target, but still it appears that the security problems they do have, while fewer, are more severe. With their resources, it seems one should expect better.

I don't know if I'd call it good software. The words "bloated" and "buggy" come to mind, although I understand they've cleaned up their act a lot. (I recently had to shut down a unix web server that had been running with 1116 days' uptime. That's stability. Try running a Windows-based server for three years straight without a reboot!) But Microsoft still seem to be fixated on this idea of violating industry standards in order to force the use of their software. They have been and are very successful, but I'm not jealous. I just think they're evil.
Most of what you talk about is server side stuff - an area where MS is woefully behind in almost all respects, including security. OTOH, they are the leader on the desktop - but slowly losing market share (but not their technology lead) there.

I don't think they are evil, although they sometimes do bad things to maintain their predominance. I liken them more to a cult, and believe me, it is a very apt analogy. I know a lot of people who have worked there and who still work there, and I am very familiar with how they indoctrinate their people and why they hire the people they do.

But like many monopolies, they are being attacked and reviled on many fronts, and while they may last longer than many other monopolies, they will eventually either go under or be broken up - and I am not talking about government interference. Anyone who wonders what I mean should read what Peter Drucker has to say about monopolies some time.

In short, don't worry, the "Evil Empire" will go down for the same reason the other "Evil Empire" (USSR) did.
 
crysede said:
Lit automatically logs you out after you've been inactive for about 20mins or so (I don't know exactly, but seems around that), that's why your 'on-line' indicator in your posts doesn't stay highlighted even when you've set your account to auto-login. So, assuming you hadn't accessed your account from grandma's for at least that long, you'd be able to access it from your house.
I'm never automatically logged out regardless of how long I've been inactive. If I forget to log out, the next day I'll still be logged in. It could be a function of something local like browser settings, I suppose.
 
The Heretic said:
I don't think they are evil, although they sometimes do bad things to maintain their predominance. I liken them more to a cult, and believe me, it is a very apt analogy. I know a lot of people who have worked there and who still work there, and I am very familiar with how they indoctrinate their people and why they hire the people they do.
Microsoft isn't evil, they just make really crappy operating systems. - Linus Torvalds :D
Byron In Exile said:
I'm never automatically logged out regardless of how long I've been inactive. If I forget to log out, the next day I'll still be logged in. It could be a function of something local like browser settings, I suppose.
Are you sure you aren't simply being automatically logged back in when you contact the Lit server?

If you have the 'Automatically login when you return to the site' option selected, then that's what's happening.
 
crysede said:
Are you sure you aren't simply being automatically logged back in when you contact the Lit server?

If you have the 'Automatically login when you return to the site' option selected, then that's what's happening.
I checked and that option is set to Yes, so apparently I am being logged out and in again transparently.

But that means it would indeed be possible, if a user were inactive long enough, and multiple logins were disabled, to hijack their account, provided one knew the password, and to keep the account active to prevent their logging back in. (At least until they sent Lit an email... lol)
 
Byron In Exile said:
I checked and that option is set to Yes, so apparently I am being logged out and in again transparently.

But that means it would indeed be possible, if a user were inactive long enough, and multiple logins were disabled, to hijack their account, provided one knew the password, and to keep the account active to prevent their logging back in. (At least until they sent Lit an email... lol)
Yup - that would definitely be possible: if multiple logins were not allowed, then the hijacker could keep you out of your account as long as they did something every 20 mins or so. (Of course, the moment they accessed your account they could just change the password to keep you out permanently.)

But like you say, that's not any more worrisome than them being able to hijack your account at all - neither gives a good reason for being concerned about security, there ain't a hell of a lot at stake here. It's like getting upset over the fact that you forgot to lock your gym-locker, when all you left in there was a pair of cheap sweat socks ;)
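The point made in the last two posts (and the cookie-based session model described earlier in the thread) can be shown in a few lines. What follows is an added illustration written for this page; it is not vBulletin code and not anything from the site under discussion. The SessionStore class, its login/touch/change_password methods and the user name and passwords are invented for the example, and the 20-minute idle timeout is taken from crysede's estimate and used here as an assumption. Under the "block a second login" policy, anyone who already knows the password can keep the real owner locked out simply by touching the session every few minutes; under the permissive policy the owner can still get in and revoke every session by changing the password.

```python
"""Toy session store contrasting single-session and concurrent-session
policies. Added example, not vBulletin or Literotica code; all names are
invented and the 20-minute idle timeout is an assumption taken from the thread.
"""
from dataclasses import dataclass, field
import hashlib
import hmac
import secrets
import time

IDLE_TIMEOUT = 20 * 60  # seconds of inactivity before a session expires (assumed)
PBKDF2_ROUNDS = 50_000  # kept modest so the demo runs quickly


@dataclass
class Session:
    user: str
    last_seen: float


@dataclass
class SessionStore:
    """single_session=True refuses a login while another session for the same
    account is still inside its idle window; False permits concurrent sessions."""
    single_session: bool
    clock: callable = time.time                    # injectable so tests can move time
    _users: dict = field(default_factory=dict)     # user -> (salt, pbkdf2 hash)
    _sessions: dict = field(default_factory=dict)  # cookie token -> Session

    @staticmethod
    def _hash(salt, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

    def add_user(self, user, password):
        salt = secrets.token_bytes(16)
        self._users[user] = (salt, self._hash(salt, password))

    def _check_password(self, user, password):
        rec = self._users.get(user)
        if rec is None:
            return False
        salt, stored = rec
        return hmac.compare_digest(stored, self._hash(salt, password))

    def _expire(self):
        now = self.clock()
        stale = [t for t, s in self._sessions.items() if now - s.last_seen > IDLE_TIMEOUT]
        for t in stale:
            del self._sessions[t]

    def _active(self, user):
        self._expire()
        return [t for t, s in self._sessions.items() if s.user == user]

    def login(self, user, password):
        """Return a session token (the value the cookie would carry), or None if refused."""
        if not self._check_password(user, password):
            return None
        if self.single_session and self._active(user):
            return None  # the "detect and block a second login" behaviour
        tok = secrets.token_urlsafe(32)
        self._sessions[tok] = Session(user, self.clock())
        return tok

    def touch(self, tok):
        """A request presenting the cookie; False once the session has idled out."""
        self._expire()
        s = self._sessions.get(tok)
        if s is None:
            return False
        s.last_seen = self.clock()
        return True

    def change_password(self, tok, new_password):
        """Rotate the password and revoke every session on the account, including this one."""
        if not self.touch(tok):
            return False
        user = self._sessions[tok].user
        self.add_user(user, new_password)
        for t in self._active(user):
            del self._sessions[t]
        return True


def lockout_scenario(single_session):
    """Someone who already has the password logs in and keeps the session warm
    for an hour. Returns (owner_can_log_in, owner_can_evict_intruder)."""
    clock = [0.0]
    store = SessionStore(single_session=single_session, clock=lambda: clock[0])
    store.add_user("draco", "correct horse")          # invented user and password
    intruder = store.login("draco", "correct horse")
    for _ in range(4):                                 # a request every 15 minutes
        clock[0] += 15 * 60
        store.touch(intruder)
    owner = store.login("draco", "correct horse")
    if owner is None:
        return (False, False)                          # blocked by the single-session rule
    store.change_password(owner, "new passphrase")     # kills the intruder's session too
    return (True, not store.touch(intruder))


if __name__ == "__main__":
    print("single-session policy:", lockout_scenario(True))
    print("concurrent-session policy:", lockout_scenario(False))
```

The single-session policy returns `(False, False)`: the owner cannot even log in to change the password while the intruder keeps the session alive. The concurrent policy returns `(True, True)`: the owner logs in alongside the intruder and the password change revokes both sessions. Neither policy stops the intruder from getting in with a known password; only the password does that, which is the point several posters make.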
 
Draco said:


WE ARE NOT SECURE.

In the three years I've been here I've had every trolly-yahoo with cyber delusions of grandeur from XxplorHer to Hanns Schmidt, every would be nemesis Literotica's EVER had, tell me they're going to apply their astounding hacking skills to find me and stuff me in their girly gym locker, and you know what? They haven't.

WE ARE SECURE.
 
Dixon Carter Lee said:
In the three years I've been here I've had every trolly-yahoo with cyber delusions of grandeur from XxplorHer to Hanns Schmidt, every would be nemesis Literotica's EVER had, tell me they're going to apply their astounding hacking skills to find me and stuff me in their girly gym locker, and you know what? They haven't.

WE ARE SECURE.
We're secure from trolly-yahoos with cyber delusions of grandeur - but someone who actually knew what they were doing wouldn't have a problem hijacking your account on Lit. Of course this still wouldn't tell them where you lived, or give them any other valuable information about you, or allow them to actually affect your life in any way whatsoever...

That's probably why no such people have ever wasted their time on something as pointless as hacking Lit - they're too busy earning mega-bucks as prof hackers or sandbox admins.
 
Re: Re: Re: It's all done with cookies

The Heretic said:
It is down right hilarious. :D

Most of what you talk about is server side stuff - an area where MS is woefully behind in almost all respects, including security. OTOH, they are the leader on the desktop - but slowly losing market share (but not their technology lead) there.
They own the desktop, but I still miss OS/2.
I don't think they are evil, although they sometimes do bad things to maintain their predominance. I liken them more to a cult, and believe me, it is a very apt analogy. I know a lot of people who have worked there and who still work there, and I am very familiar with how they indoctrinate their people and why they hire the people they do.
I know exactly what you mean, and it's a good analogy. I have a friend I knew in high school who eventually went to work for them. Since then, we don't speak much anymore. It wasn't consciously anything to do with that, he just... sort of... "changed."
But like many monopolies, they are being attacked and reviled on many fronts, and while they may last longer than many other monopolies, they will eventually either go under or be broken up - and I am not talking about government interference. Anyone who wonders what I mean should read what Peter Drucker has to say about monopolies some time.

In short, don't worry, the "Evil Empire" will go down for the same reason the other "Evil Empire" (USSR) did.
I agree -- for lo, the time shall come when their great temples are converted into low-cost housing, and their priests and acolytes sold into training at more efficient and productive companies. Yea, and there shall be a great rejoicing upon the 'Net in those days.
 