new draconian rules for keep forum accounts valid
- Posted by jimcbrown
I have unilaterally made up the following rules:
User accounts that successfully go through validation but then never make a forum post or wiki edit will be unvalidated.
User accounts that have not been logged into the past 30 days will have to be revalidated through the same process as for new forum accounts (that is, you send the admins an email from your registered email address to revalidate the account).
For either old or new user account validation, a response will be sent out that will contain some special text ( a random md5 sum ) included. A reply including that text will need to be received. This is to prevent forged email addresses from being used - one cycle of send - receive - reply will need to occur.
Even if a reply is received, if a human suspects that the emails are either auto-generated or coming from a troll, validation may be declined on this basis. No response notifying the sender of the failed validation will be sent.
These changes are effective immediately.
1. Comment by CraigWelch
Why? It seems like overkill.
2. Comment by jimcbrown
The reason this seems like overkill is probably because it is overkill.
We seem to be dealing with highly skilled individuals who have the ability to reliably mask their ip address, making it appear that they are coming from all over the world.
This, combined with those individuals' extensive use of freely available (and somewhat anonymous) webmail services, means we have no practical way of banning these users.
Now, that by itself isn't a big deal. If someone otherwise obeys all the rules and has a hobby of creating forum accounts, I don't think anyone would care all that much. What is a big deal is that some of these individuals using this high level of anonymity to break the rules (such as the CodeOfConduct ). Basically, this meant that in the case of a serious breach, we'd have had no way of kicking these users off the forum.
The new approach should adequately deal with this problem, at the cost of quite a bit of inconvenience to others. In time, these restrictions will probably be loosened as better ways of dealing with this problem are thought of.
3. Comment by petelomax
Can you at least whitelist the regulars?
4. Comment by jimcbrown
admins, moderators, and devs are already whitelisted, no matter how long they are gone.
For everyone else, there is an additional tag I can use, to tag any accounts that should be whitelisted.
But what counts as a regular? mattlewis just logged in less than half an hour ago, so he probably counts. As would _tom, who just posted. But DerekParnell hasn't been around in nearly half a year. jeremy has been gone for over a year. It's been even longer for jaygade.
If you stop visiting a place for an extended period of time, are you still a regular of that joint?
5. Comment by katsmeow
Re: "User accounts that have not been logged into the past 30 days will have to be revalidated"
It's not clear to me that this is a one-time clearing of the roles, or a moving window thru time, meaning that for any time in the future when an account isn't logged into for 32 days, that account is closed. If you do mean to have accounts closed every 30 days from now on, how will continuity of names on posts be handled? Will anyone be able to grab Jeremy's nick on this forum? What if he IS Jeremy?
6. Comment by jimcbrown
It's a moving window.
Accounts will remain, they just won't be useable. However, a person who wants to have an old account re-activated can do so - provided that they can prove that they are the original user of that account.
Howerver, in general, no one but the original user will be permitted to re-activate that account. The username can not be reused.
7. Comment by katsmeow
So if i am afk for 32 days, anyone you have accused of being me can take my username and claim all my posts as theirs?
8. Comment by jimcbrown
Sounds about right.
In normal cases, one would usually be required to either demonstrate that they know the password to the account or else have control over the email address that is registered on the account.
9. Comment by Mike777b
I think the new rules are counterproductive and should be rolled back. Two reasons. 1) It is no secret that traffic, along with development, has slowed. I see that some contributors (e.g., Derek, Jeremy, Matt, among others) have taken much longer than 32 days between activity. It is foolishness to put impediments in the way of contributions, even if some people consider those impediments tolerable. If Jeremy only has five minutes available to comment about something, I don't want him to shrug his shoulders and say to himself: I would comment if I had the time, but I don't because I need to prove myself to somebody. If Jeremy is a bad example, substitute somebody lower on the OE food chain who still has something positive to contribute. 2) The noise and behaviour being vilified here is an insignificant nuisance. It sounds like somebody got their feelings hurt and wants to retaliate with an over-the-top policy that, effectively, does nothing except discourage intermittent participation.
10. Comment by jimcbrown
I disagree on both points. While I did state that the restrictions would probably be loosened over time as better ways of dealing with the problem are thought of, I do not think it makes sense to roll any policies back without having better replacements for them that deal with the original problem.
1a) While traffic has been slowing down for a very long while in general, it has actually picked up a little since the new policy.
1b) I do see your point of view. However, I don't think the new policy is actually a change with regards to this, as new signups have had to go through manual email verification for a few years now, with the same implications for intermittent participation.
2a) Actually, that sort of behavior led to the original adoption of the CodeOfConduct in the first place. Hardly insignificant. When confronted with the same problem, other forums have taken even harsher measures: http://www.mydellmini.com/forum/ubuntu/ disabled forum registration and now requires using Facebook to set up a new posting account. http://www.eslcafe.com requires real name registration (including home address and other significant personal information). Another forum even required that new signups submit a photocopy of their passport! I think the steps taken here are relatively modest by comparision.
2b) While most likely plenty of individuals here have had their feelings hurt, I can assure you that this policy is preventative in nature (to prevent future occurances of the problem from occuring), rather than punitive in nature.
11. Comment by ne1uno
1a, the Menendez defense? pity us because we lost our parents? (they were convicted of killing their parents)
what we have here is a failure to communicate. what is the exact problem? a simple mention of botnet spam would have sufficed if relevant. instances of user spoofing is not obvious to anyone reading the forum.
logging people out so they will more likely not be logged in for 30 days now completes the transition to the new policy. maybe we can add the need to change the password every 29 days? we can invent 4 factor logins the possibilities are endless
BTW, reasonable people might also count access to HG or the dev forum as "logging in" for the purposes of determining login age. maybe that will be part of the looser policy at some point.
absolute power corrupts absolutely, but you already knew that.
12. Comment by jimcbrown
Mike777b: "It is no secret that traffic ... has slowed."
jimcbrown: "While traffic has been slowing down for a very long while in general, it has actually picked up a little since the new policy."
ne1uno: "1a, the Menendez defense? pity us because we lost our parents? (they were convicted of killing their parents)"
ne1uno, your reply is a non sequitur. Also, it's kind of offensive.
I was just saying, if the goal was to increase traffic, then the new policy appears to be working!
"absolute power corrupts absolutely, but you already knew that."
Ironically, most of the current policies were not my idea at all. I had nothing to do with the formulation or adoption of the CodeOfConduct, for example, which was adopted democracticly (via a vote IIRC).
Also, the current system of editing/deleting posts was not my idea - in fact I was originally opposed to it. But it won out as a compromise measure between those who wanted to wanted to uphold the ideal of free speech at any cost and those who wanted to immediately ban anyone they identified as trolling.
I own this latest policy, but for the most part I feel like I've become the fall guy for other people's ideas.
"a simple mention of botnet spam would have sufficed if relevant. "
It wasn't mentioned because it's not relevant. The CAPTCHA appears to be sufficient to stop the botnets. Even if this were not the case, I'd expect a botnet to trip up at the manual email verification stage. The new policy is not aimed at a botnet.
"instances of user spoofing is not obvious to anyone reading the forum."
I guess by this you mean user impersonation, or someone stealing another user's account. Again, the new policy is not aimed at this.
"logging people out so they will more likely not be logged in for 30 days now completes the transition to the new policy."
Actually, this was already the case.
"BTW, reasonable people might also count access to HG or the dev forum as "logging in" for the purposes of determining login age. maybe that will be part of the looser policy at some point."
There is no separate dev forum, and all dev activity now takes place on the mail forum. Logging into HG should already count as logging in, resetting the clock, though I haven't tested this.
"maybe we can add the need to change the password every 29 days?"
Thanks for the idea! I'll look into implementing this ASAP.
"we can invent 4 factor logins the possibilities are endless"
I'd put my foot down at requiring photocopies of a person's identification to be submitted and stored in a real-name database, myself. Maybe that's just me though...
"what we have here is a failure to communicate. what is the exact problem?"
Like I said in http://openeuphoria.org/news/260.wc#3951 individuals that we have otherwise have no practical means of banning have violated the CodeOfConduct with impunity on this forum.
Since they can't be banned, the new policy is meant to make it more difficult for them to get back on the forum once an account has been disabled for violations.
Based on the angry, frusted emails I've been getting recently from trolls (who seem to be campaigning against it), it seem to me that this policy is working.
13. Comment by katsmeow
Re: "I'd put my foot down at requiring photocopies of a person's identification to be submitted and stored in a real-name database"
I'd not comply, because 15 years or so ago there were people on this list (some are still on this list) who i feel would have shown up at my doorstep with intent to do me harm in the name of their god. Or to not have "goto" added to OE. Or maybe something about an internet lib. Or having "strings" in Eu.
Re: "Since they can't be banned, the new policy is meant to make it more difficult for them to get back on the forum once an account has been disabled for violations. "
The new policy makes little sense then, except as a run-around of the banning rules. I myself had a heck of a time getting and staying online in the 1990's, what with the first isp going bust after a year, the whole local telco being sold twice, and for a time needing a WATS line to another city to get online (and the WATS operator having a beef with the isp i chose and so routinely disconnecting, so i had to switch isps again). And now needing a VPN, which has not been a joy to use.
I don't know what problems you are fighting behind the scenes, but i hope you don't make the cure worse than the affliction.
14. Comment by jimcbrown
"The new policy makes little sense then, except as a run-around of the banning rules."
The new policy is meant to prevent users from being able to do a run-around of the banning rules.
15. Comment by katsmeow
3 months ago
It's now been 30 days and a week since the new fiat was done. How many of the olde tyme Eu contributors have been ejected from the forum? What percent of the forum "membership" rolls were thrown away?
16. Comment by jimcbrown
3 months ago
The first question is very difficult to answer, since the definition of an "olde tyme contributor" is not clear and it's not clear what counts as "ejected" (i.e. should a person still count if no contributions have been received for the past couple of years?).
For the second, the forum does not and never has had its own separate membership rolls, so it's 0 members thrown / 0 members total, or 0/0 * 100 = division_by_zero_error%
Assuming you mean how many forum/website accounts have been deleted, it's 0 accounts deleted or 0%.
However, you probably mean how many forum/website accounts lost the ability to post to the forum since the announcement (not including later revalidated accounts). In that case, it's about 14%.