[SEL] Curious
Bill Dickerson
bill at antique-engines.com
Thu Jan 3 17:19:49 PST 2008
Thanks Paul, I may just contact you. You are never done as far as security.
The bad guys have a lot of resources and keep trying.
Security alone can be a full-time job.
My son uses gmail............ He lives in Korea and needs the "portability"
it allows (and the price is right)
Unfortunately, a lot of "legit" businesses use those mail providers, it's
hard to say "no" and lose major players.
We are watchful, however, and are working with the software vendor on more
changes - requirements, etc.
I've found he's a security nut and often won't add features if he believes
it will have a negative impact on security....
When some dust settles, I've saved your email.... ;-)
Bill
-----Original Message-----
From: Paul Pavlinovich [mailto:pjp at steamengine.com.au]
Sent: Thursday, January 03, 2008 6:32 PM
To: The SEL email discussion list
Subject: Re: [SEL] Curious
Hi Bill,
Your team is a rare one mate! Well done on such forward thinking - your
forum will probably succeed long term partly because you have a limited and
dedicated audience and because you are running it well. If all forum sites
had the leadership that you discuss then they would all do better.
Typically successful sites that I've used or been involved with are those
that are commercially managed with people paid to do the moderation. They
don't have a political need to one-up the next guy and resist the formation
of cliques.
Do you allow hotmail, gmail, yahoo, etc email addresses? If you do, then
your verification is only as good as their verification (which is
negligible). If you only allow a real reverse-lookup domain with a valid MX
and a valid email MTA then you're up there with a chance, otherwise you have
a little false security there. Not much that you can do but keep mindful of
what is being posted. CAPTCHA is a great tool, but it has been broken. Each
time it is broken the suppliers of the tool insert some new line here or
there to trick the OCR (optical character recognition) so make sure you
keep your CAPTCHA software up to date. Of
course for someone to break your particular site there has to be some
incentive - if your messages are only visible to members then they'll stop -
if what they post is automatically visible to the general public then
they'll abuse and post spam.
I don't know that there is anything wrong with using freeware - it is often
better debugged than the commercial offerings (there is also an amazing
amount of unmaintained junk). But that is an argument for another list.
Whatever fits the purpose best and is within the reach of the people with
the need is the best solution. In your case this is paid software on a paid
site. Nothing wrong with that choice at all.
I'd be happy to discuss site security with you further off list if you like
- I've had quite a bit to do with it and may be helpful. I think you've
covered it fairly well from what you say about your site, but the general
wording does concern me that you think you've done what you need to do. The
main key is to remain vigilant.
Regards
Paul
Bill Dickerson wrote:
> You mention some things that we've covered in our theamcforum.com
> SPAMMING is prevented by the software. Members MUST use a valid email
> address and confirm by clicking a link. The register, CAPTCHA is used
> to prevent automation, they can't automatically join and create bogus
> users.
> We can restrict access or ban based on several criteria.
> I am the administrator and hold all the keys, however, I've written
> documentation that prevents what's happened to a couple of AMC forums
> in the past - the admin vanishes and so does the forum. I've
> documented everything, and given that info to the other 5 mods, all
> passwords, etc. the whole shooting match is backed up every night. I
> also do local backups of the forum software AND the sql database, burn
> it to CD and give copies to the others.
> Even if the ISP goes away, we can get back in business in hours.
> The software is secure (we pay, we don't use FREEWARE) SQL makes it
> faster than most text file based forums, and the software is written
> to make minimal SQL requests, and closes the connection quickly.
> This forum will not disappear, we got together and formed a sort of
> loose "club" to prevent that. If I die tonight, it might take a few
> hours for them to sort out certain "how do we" but they CAN continue.
> If the ISP loses a server, the stuff is simply restored elsewhere. MS
> servers and SQL database means we pay money, but donations from a few key
> AMC folks has it covered.
> (there are enough AMC addicts to ensure this will continue) The load
> is pretty well distributed and there are enough of us, and to a large
> extent, the caliber of folks we have makes it somewhat self-policing.
> We've been told "this is the best AMC forum yet" and "this forum is so
> helpful and friendly" and "I actually feel at home here for the first
> time on any forum".
> We have our bases covered SO well, we have the coveted documents of an
> AMC historian, Tom Benvie. The forum I put up and we jointly mod and
> maintain is the first one he's ever felt comfortable enough with to
> post his rare and unique documents and photos.
> There also exists software to enable database conversion for this
> forum software we use. SQL is pretty widely used and it can even be
> ported to MYSQL fairly easily.
> Forums can and do work with the right formula and the right people.
> The real trick is to let the personality of the forum be a mix of the
> admin, mods and members without any one overwhelming the others.
>
> But granted, they are NOT right for everyone! Never will be............
>
> Bill
>
>
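
The signup check Paul describes above (a real reverse-lookup domain with a valid MX), as an added example that is not part of either message or of the forum software discussed. The DNS answers are constructed sample data, check_signup_domain is a hypothetical name, the live MTA probe is left out, and free webmail addresses are flagged for review rather than refused, since Bill notes that legitimate businesses use them.

```python
# Constructed sample DNS data (reserved example names and documentation IP
# ranges, not real DNS answers); a real deployment would query a resolver.
SAMPLE_DNS = {
    "mx": {"club.example": ["mail.club.example"],
           "gmail.com": ["mx.freemail.example"],
           "norev.example": ["mail.norev.example"]},
    "a": {"mail.club.example": "192.0.2.10",
          "mx.freemail.example": "198.51.100.5",
          "mail.norev.example": "203.0.113.7"},
    "ptr": {"192.0.2.10": "mail.club.example",
            "198.51.100.5": "mx.freemail.example"},
}

# Free webmail domains named in the thread; extend to suit.
FREEMAIL = {"hotmail.com", "gmail.com", "yahoo.com"}


def check_signup_domain(address, dns=SAMPLE_DNS, freemail=FREEMAIL):
    """Return (verdict, reasons) for a registration e-mail address.

    verdict is "accept", "review" (a moderator should look) or "reject".
    """
    local, sep, domain = address.strip().rpartition("@")
    domain = domain.lower().rstrip(".")
    if not sep or not local or "." not in domain:
        return "reject", ["not a usable address"]
    mx_hosts = dns["mx"].get(domain, [])
    if not mx_hosts:
        return "reject", ["domain has no MX record"]
    reasons = []
    # At least one MX host must resolve and have matching reverse DNS.
    confirmed = False
    for host in mx_hosts:
        ip = dns["a"].get(host)
        if ip and dns["ptr"].get(ip) == host:
            confirmed = True
    if not confirmed:
        reasons.append("no MX host with matching reverse lookup")
    if domain in freemail:
        reasons.append("free webmail provider: identity is only as good as theirs")
    return ("review" if reasons else "accept"), reasons
```
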
_______________________________________________
SEL mailing list
SEL at lists.stationary-engine.com
http://www.stationary-engine.com/mailman/listinfo/sel