The New Forums

[maxtherabbit]

While your personal security habits might be antiquated and unsafe, we're not being responsible if we continue to use just HTTP.

yes you're right by transmitting my vintage computer ragchew password in cleartext I am risking my entire personal fortune and even my physical security

I have seen the error of my ways and am now loading mags and fortifying my home to prepare for the coming wave. My God save my soul

 

[ajacocks]

If folks really want to access the site, using vintage browsers, you can use any of the various proxy-ish solutions (like browservice) to make that happen. Don't forget that making https optional is a risk not just to you, but to the site, itself.

- Alex

 

[lowen]

yes you're right by transmitting my vintage computer ragchew password in cleartext I am risking my entire personal fortune and even my physical security

I have seen the error of my ways and am now loading mags and fortifying my home to prepare for the coming wave. My God save my soul

While many who frequent these forums may follow basic security practices, like never reusing passwords, I'm sure there are just as many who don't follow those basic precautions. I can see someone who is in a coffee shop using the open wifi in that shop to log in, using the same password they use for their bank website recovery email, and then wondering why the VCF site didn't protect them from the wifi snooper who just hacked in to their bank. It is basic risk management in 2021 for a website operator who has logins to use HTTPS to secure those logins; legal liability trumps vintage computer browse-ability.

I have indeed experienced theft of my credentials, for a different website, over an HTTP connection made over an open wifi access point; but since I don't reuse passwords, that didn't get them anywhere. You don't know at any given time which open access points are being surveilled; there are 'war drivers' who make it their hobby to go around to different open access points, set up kismet or similar, sit there for a few hours, then drive to the next open wifi and do it all again; they later take the packet captures and carve out credentials that they then sell on the dark web at a profit. This actually happens; it's not a fantasy.

I personally would love to just go back to plain Usenet, with all its warts. For that matter, there IS the cctalk mailing list; even the most basic vintage computer can participate in that. But the operators of a forum have the right to reduce their risk, and furthermore have the right to operate the forum as they see fit, within the law, of course; as a user, I have the choice to use it or to leave.

Yeah, this new software is going to take a bit of getting used to, but that's ok. I'm not a fan of change for the sake of change, either; but as the saying goes the only constant in life is change.

 

[maxtherabbit]

Can you cite a case which establishes any legal liability whatsoever for a website owner in such an occurence? I'm unaware of any such precedent. As far an I'm concerned a user reusing passwords for financial services on random forums would be filed squarely under "not my problem"

As an aside: I wonder how many of these cybersecurity wonks who dictate these policies even train physically? Imagine locking down your virtual presence tighter than fort knox but getting knocked over by a bum at 7-11 for your lunch money lmao

 

[lowen]

Can you cite a case which establishes any legal liability whatsoever for a website owner in such an occurence? I'm unaware of any such precedent. As far an I'm concerned a user reusing passwords for financial services on random forums would be filed squarely under "not my problem"

Can you cite a case where a website owner was absolved of such liability? Risk management is about what could happen, and having no precedent at all is worst case; any website operator won't want to be the test case.

 

[Timo W.]

Can you cite a case which establishes any legal liability whatsoever for a website owner in such an occurence?

Why is that important? Do you think any modern security can be dropped just because the website owner would not be liable anyway?

 

[maxtherabbit]

Can you cite a case where a website owner was absolved of such liability? Risk management is about what could happen, and having no precedent at all is worst case; any website operator won't want to be the test case.

Liability doesn't exist until established by statute or case law, you're asking me to prove a negative

 

[maxtherabbit]

Why is that important? Do you think any modern security can be dropped just because the website owner would not be liable anyway?

I'm not sure I understand what you are asking but; in the absence of legal liability, yes I think they could do whatever they want. Caveat Emptor

 

[Timo W.]

That was an easy question. You are basically saying they should not care about security if they don't have to. That's a very weird way of thinking.

But it doesn't matter anyway, as they are liable. The forum is accessible also from Europe, so they have to fulfil the GDPR. Article 5 states:

Personal data shall be:
[...]
processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).

 

[mbbrutman]

maxtherabbit:

We don't run this site for any specific person; we run it for a group. We make decisions based on what is best for the group. That group includes people who have poor security practices, such as reusing passwords.

I'm sorry if HTTPS offends you or others, but in 2021 it is an industry best practice.

 

[maxtherabbit]

That was an easy question. You are basically saying they should not care about security if they don't have to. That's a very weird way of thinking.

But it doesn't matter anyway, as they are liable. The forum is accessible also from Europe, so they have to fulfil the GDPR. Article 5 states:

Or else what? You going to extradite me to Brussels to stand trial?

 

[maxtherabbit]

maxtherabbit:

We don't run this site for any specific person; we run it for a group. We make decisions based on what is best for the group. That group includes people who have poor security practices, such as reusing passwords.

I'm sorry if HTTPS offends you or others, but in 2021 it is an industry best practice.

It doesn't practically bother me. I don't even care to access this site from vintage systems. What I am arguing against is the notion that some sort of moral imperative exists to protect foolish people from the consequences of their actions. That ideal is destroying the entire western world

 

[mbbrutman]

It doesn't practically bother me. I don't even care to access this site from vintage systems. What I am arguing against is the notion that some sort of moral imperative exists to protect foolish people from the consequences of their actions. That ideal is destroying the entire western world

You are entitled to your beliefs, but that is not what this thread is for. As an organization this is our decision, not yours. It is time to move on.

 

[maxtherabbit]

You are entitled to your beliefs, but that is not what this thread is for. As an organization this is our decision, not yours. It is time to move on.

Ok I'll drop it. Stay frosty outside 7-11

 

[whartung]

It doesn't practically bother me. I don't even care to access this site from vintage systems. What I am arguing against is the notion that some sort of moral imperative exists to protect foolish people from the consequences of their actions. That ideal is destroying the entire western world

Perhaps, but it's the world we have to live and operate in.

I don't know much about GDPR or the California rules, only that they exist, and the cookie popup and other spam that afflicts every. single. site. on the internet is very annoying.

But.

If they do not do this, then the assorted governments CAN take action. People are not complying with these rules because they want to, it's because they have too.

I don't know what the consequences are. I imagine the real threat is minimal and ramification remote. But, people are complying with the regulations, they're spending money to do it, they're annoying everyone because of it, but they do it anyway.

I assume their lawyers are more adept at the nuances of this than I am so I cede to their judgement that "playing along" is the right thing to do, and not playing along is an unwarranted hazard not worth searching for.

I'm on another site, with little tech support, running an ancient copy of VB, that does not use HTTPS. Specifially they don't use it for the login and registration system, I really could careless about the rest. But even though they are a niche, low traffic site (less than this), that doesn't mean that in todays day and age, not having HTTPS for the passwords is simply irresponsible. But the burden on them is too high to do it. I don't expect some EU agency is going to darken the skies with lawyers to attack this site, but...it's possible.

Thankfully, there's no ADA mafia running around suing sites to implement this stuff...at least I don't think so.

 

[vol.2]

I don't know GiG, I don't have a problem with it; i.e. Vogons, Overclock.net, Overclocker.com, and many more.

IMHO, what I don't like about those sites is that the text is full-bleed. It is a chore to read the entire length of a 16:9 screen like that. There is a very good reason that sites like twitter and reddit have crunched the desktop version into the center of the screen. It's far more visually ergonomic.

I think these "full bleed" designs were a fad that is already outdated and was never really a good idea to begin with.

 

[VileR]

VileR, the images you posted don’t work for me; when I click on them it just brings up a tiny, low-quality thumbnail.

I will say I appreciate your efforts to help improve the look and feel though!

Oh, I tried to make the thumbnails link to external hosted images (to keep the original size), guess that didn't work right.

Let me try again.... these should be 1920x1200 (that's what my changes look like at my desktop resolution).
That's bigger than what the forum allows, so click "full size" for external hosted versions:

Forum list (full size)	Forum list (more) (full size)	New topics (full size)
Thread list (full size)	Thread view (full size)	Blog view (full size)

I've also verified that it still plays nice with mobile:

Forum list (mobile)

latest activity (mobile)

Thread list (mobile)

Thread view (mobile)

Blog view (mobile)

Again, this is really just a quick modification that could theoretically be injected into the current style (vBulletin says).
Done because Erik indicated that they could use the help - so if the admins would like to try it out, the updated css is here: View attachment style-overrides.css.txt

 

[VileR]

Also, I was finally able to upload it to userstyles.org, so anyone using a browser with the Stylish extension (Firefox, Pale Moon, or Chrome) can try it out: https://userstyles.org/styles/201604/vcfed-vb5-wip

There's more that I could try, for instance:

• Bring back the user's Location field next to each post
• Restore the number of threads per forum page from 10 to 20
• Restore the little pagination links that showed up for long threads in the forum view, so you could access a specific page directly

...but those things can't be done with CSS, so the templates would have to be modified. As Erik suggested, I could try vBulletin 5 on my own hosting package and have a go at it.
OTOH, that stuff could conflict with other changes that the admins may already be working on. So any input from them would be appreciated.

 

[VileR]

IMHO, what I don't like about those sites is that the text is full-bleed. It is a chore to read the entire length of a 16:9 screen like that. There is a very good reason that sites like twitter and reddit have crunched the desktop version into the center of the screen. It's far more visually ergonomic.

I think these "full bleed" designs were a fad that is already outdated and was never really a good idea to begin with.

Twitter is using 75% of my desktop monitor's width, so each side margin only takes up 1/8th of the screen. That's not bad at all in terms of "crunching", especially when you bear in mind that the entire idea behind Twitter is very short pieces of text.
Reddit's desktop design is just utter trash, and should never serve as an example of anything, but even they seem to have increased their max-width recently - at least it looks slightly less cramped now.

I agree, reading is far more ergonomic when lines don't get too long; but that's why newspapers (for instance) have always laid out their content in columns, and column-based grid layouts are finding similar usage on the web. Beats wasting screen real-estate on useless whitespace any day.

That still applies to the visual paradigm of message boards. You'll notice that most of the views provided by forum software are tabulated, including the one you're looking at right now. It's always possible to use the space more efficiently, and/or to increase the font size where needed (which can already be customized in our case), rather than just squash things horizontally and call it a day.

In any case, I wouldn't say full-width designs were ever a "fad". They were just how the web worked from the get-go, when resolutions and physical display sizes were less varied than they are today. Some designers have managed to adapt to the changes intelligently, others... less so.

 

[vol.2]

In any case, I wouldn't say full-width designs were ever a "fad". They were just how the web worked from the get-go, when resolutions and physical display sizes were less varied than they are today. Some designers have managed to adapt to the changes intelligently, others... less so.

Yeah, ok, I get your point. Websites started off "full bleed" and then the screen geometry changed. But the fact remains that the old geometry simply didn't need to squished because it was a sane width to begin with. Also screens were generally a lot smaller and you wouldn't want to go wasting real estate like that.

And yes, there are times that I want to make the text bigger, like if I'm in my recliner and I want to read the screen from 4-5' away, but that's what Ctrl-mousewheel zoom is for. If I'm at my desk, I don't ever want the text I need to read to be more than 15" across.