Subject: New feature: Article rating
Newsgroups: lugnet.admin.general, lugnet.announce
Followup-To: lugnet.admin.general
Date: Sun, 26 Mar 2000 00:46:29 GMT
Highlighted: !!
Viewed: 4053 times
  

LUGNET's article rating system is now running and hungry for input!

As the community continues to grow, so does the challenge in keeping up.  Some
days it can be difficult to find exciting content among the hundreds of new
messages.

To aid browsing, each news article now carries a rating in the range 0 (low)
to 100 (high).

This feature is designed to benefit all, but particularly to benefit casual
readers who cannot devote time.


How it works:

Each signed-in[1] LUGNET Member may mark a read article from "low" (0) to
"high" (100) using a row of buttons.  This input affects the average rating
for that article.

To absorb and dampen extreme input conditions which would otherwise allow a
small number of inputs to "peg the scale," all articles start out with an
automatic midpoint rating of 50, which also participates in the average just
as any human-entered rating would.[2]

The marking process is lasting and unlimited.  Thus, you could rate messages
from weeks, months, or even years ago, and since the composite rating is
simply a numerical average, it doesn't matter which order you go in.

Only LUGNET Members can rate articles, but anyone can view and benefit from
the ratings.  Your individual ratings are shown to you only.


In the long-term:

*  Stronger content becomes easier and easier to find, rather than the
   opposite.

*  Spotlight[3] news becomes easier to identify and more representative of
   community opinion.

*  As you contribute more input, the system can learn how your input correlates
   with the input of others.  It could even attempt to highlight things it
   thinks you might find particularly interesting.

*  The rating engine could be put to generalized use, for example, in rating
   LEGO sets, voting on sites for CLSotW, in judging contests, and so forth.
   A sort of match-making service may even develop!

--Todd & Suz


[1] http://www.lugnet.com/people/members/sign-in/

[2] Thus, if a first person rates an article 90, its rating becomes (50+90)/2
    or 70.  If a second person then rates the same article 100, its rating
    then becomes (50+90+100)/3 or 80.  Average ratings of 0 or 100 are
    extremely improbable, by design.

[3] http://www.lugnet.com/?p=spotlight

   
         
     
Subject: Re: New feature: Article rating
Newsgroups: lugnet.admin.general
Date: Sun, 26 Mar 2000 00:51:00 GMT
Highlighted: !
Viewed: 1533 times
  

This looks really neat! :) Is there a table with the top articles on it?
There's little point voting on something from a year ago if no-one will see it
:)

Richard

    
          
     
Subject: Re: New feature: Article rating
Newsgroups: lugnet.admin.general
Date: Sun, 26 Mar 2000 00:55:20 GMT
Viewed: 1714 times
  

In lugnet.admin.general, Richard Franks writes:
This looks really neat! :) Is there a table with the top articles on it?

It's on the "to-do" list.

--Todd

    
          
     
Subject: Re: New feature: Article rating
Newsgroups: lugnet.admin.general
Date: Sun, 26 Mar 2000 04:54:53 GMT
Reply-To: LAR@spamcakeVOYAGER.NET
Viewed: 1884 times
  

I really want the ability to set my own password. I've lost my password
somewhere and don't have a prayer of remembering what it is. SO I can't
rate my articles 100 and Todd's 0 until I either find it again or get my
pw set to something easy for me to remember (but impossible for anyone
else to get right)

Todd Lehman wrote:

In lugnet.admin.general, Richard Franks writes:
This looks really neat! :) Is there a table with the top articles on it?

It's on the "to-do" list.

--Todd

--
Larry Pieniazek - lpieniazek@mercator.com - http://my.voyager.net/lar
http://www.mercator.com. Mercator, the e-business transformation company
fund Lugnet(tm): http://www.ebates.com/ ref: lar, 1/2 $$ to lugnet.

Note: this is a family forum!

    
          
      
Subject: Re: New feature: Article rating
Newsgroups: lugnet.admin.general
Date: Sun, 26 Mar 2000 05:05:15 GMT
Viewed: 1910 times
  

In lugnet.admin.general, Larry Pieniazek writes:
I really want the ability to set my own password. I've lost my password
somewhere and don't have a prayer of remembering what it is. SO I can't
rate my articles 100 and Todd's 0 until I either find it again or get my
pw set to something easy for me to remember (but impossible for anyone
else to get right)
Larry Pieniazek

So I suppose Todd is going to have to call you on the telephone again to give
you your password.  I guess that we can forgive you as you have recently moved
into a new home and that can increase anyone's confusion/disorganization factor.

Are you super-ultra concerned that someone will get your password? I have my
password written on my monitor in pencil so that it is always handy.  No one
else has a clue what it is there for or what it means.  Maybe because I have
notes penciled in all over my monitor--mostly telephone numbers, filenames, and
lDraw part numbers.

I kinda like the complete randomness of my password.  If I ever memorize it I
surely will remember it forever.  But I could never pick such a random
assortment of letters, numbers, and special characters as my Lugnet password
contains.

__Kevin Salm__

     
           
       
Subject: Re: New feature: Article rating
Newsgroups: lugnet.admin.general
Date: Sun, 26 Mar 2000 05:21:34 GMT
Reply-To: lar@voyager.netAVOIDSPAM
Viewed: 1953 times
  

Kevin Salm wrote:

In lugnet.admin.general, Larry Pieniazek writes:
I really want the ability to set my own password. I've lost my password
somewhere and don't have a prayer of remembering what it is. SO I can't
rate my articles 100 and Todd's 0 until I either find it again or get my
pw set to something easy for me to remember (but impossible for anyone
else to get right)
Larry Pieniazek

So I suppose Todd is going to have to call you on the telephone again to give
you your password.  I guess that we can forgive you as you have recently moved
into a new home and that can increase anyone's confusion/disorganization factor.

Are you super-ultra concerned that someone will get your password?

No. I just couldn't think of a place to put it. I don't write on my
laptop screen and the plastic around the edge is black. No other place
is likely to be always near me. I forgot to put it into my top secret
password file. (which is used only for unimportant passwords, all my
real ones are memorised)


I kinda like the complete randomness of my password.  If I ever memorize it I
surely will remember it forever.  But I could never pick such a random
assortment of letters, numbers, and special characters as my Lugnet password
contains.

I can. It's not hard.

Here's one algorithm that works well.

Pick an easily memorable phrase that has special meaning to you and no
one else. It might be anything. Pick a number less than 5. Take that
letter out of each word of the phrase and use it in your password.

Tres random and quite unguessable, even under dictionary attack.
Especially if the phrase is something memorable only to you (this is
where I go off the rails, I use obscure founding fathers quotes, which
theoretically are guessable if you know me well enough.)

But I am in general much much much less concerned with my Lugnet
password than I am with, for example, my X password, which currently is
securing over 1000 USD, or my AmEx password, which, since I have some
stunning charge habits (not just LEGO, all those last minute airline
tickets at 2K each add up fast), is good for 30K a month of charges if
it were cracked. Not that it would be very defeatable but you get the
idea.

So I'd change my L password to something very easy to remember. Written
passwords are not secure. Passwords given to you by others tend to get
written down more than passwords you pick.

--
Larry Pieniazek - lpieniazek@mercator.com - http://my.voyager.net/lar
http://www.mercator.com. Mercator, the e-business transformation company
fund Lugnet(tm): http://www.ebates.com/ ref: lar, 1/2 $$ to lugnet.

Note: this is a family forum!

     
           
      
Subject: Re: New feature: Article rating
Newsgroups: lugnet.admin.general
Date: Sun, 26 Mar 2000 05:44:24 GMT
Viewed: 1944 times
  

In lugnet.admin.general, Kevin Salm writes:
In lugnet.admin.general, Larry Pieniazek writes:
I really want the ability to set my own password.

Probably there will be a way to set an additional password to use on top of
the main password as a simple sign-in/sign-out layer, or to choose one of
several machine-generated passwords.


I've lost my password
somewhere and don't have a prayer of remembering what it is. SO I can't
rate my articles 100 and Todd's 0 until I either find it again or get my
pw set to something easy for me to remember (but impossible for anyone
else to get right)
Larry Pieniazek

So I suppose Todd is going to have to call you on the telephone again to
give you your password.

By design, that is impossible.  There is no way to look up Larry's password
because it isn't stored anywhere!  What's stored instead is a one-way
encryption of his password (much safer).  However, I could generate Larry
a new password and call him on the phone with that.

--Todd
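
The storage model described in the post above (only a one-way transform of the password is kept, so an administrator can issue a new password but never look up the old one), sketched as an added example that is not LUGNET's code or part of the original post. The salted PBKDF2 parameters, the `MemberStore` class and the member name are assumptions; the thread does not say which one-way function the site used.

```python
import hashlib
import hmac
import secrets
import string

# Assumed parameters; the thread does not say which one-way function LUGNET used.
ITERATIONS = 600_000
SALT_BYTES = 16
ALPHABET = string.ascii_letters + string.digits + "!#$%*+-=?"


def _derive(password: str, salt: bytes) -> bytes:
    """One-way transform: easy to recompute for a candidate, infeasible to invert."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def generate_password(length: int = 12) -> str:
    """Machine-generated password drawn from the OS CSPRNG."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


class MemberStore:
    """Hypothetical member database that keeps (salt, digest), never the password."""

    def __init__(self):
        self._records = {}
        # Dummy record so a sign-in attempt for an unknown member costs the
        # same work as one for a real member.
        self._dummy_salt = secrets.token_bytes(SALT_BYTES)
        self._dummy_digest = _derive(generate_password(), self._dummy_salt)

    def set_password(self, member: str, password: str) -> None:
        salt = secrets.token_bytes(SALT_BYTES)  # fresh salt on every change
        self._records[member] = (salt, _derive(password, salt))

    def verify(self, member: str, candidate: str) -> bool:
        salt, digest = self._records.get(
            member, (self._dummy_salt, self._dummy_digest)
        )
        # Constant-time comparison of the recomputed digest with the stored one.
        matches = hmac.compare_digest(_derive(candidate, salt), digest)
        return matches and member in self._records

    def admin_reset(self, member: str) -> str:
        """Replace the stored digest; the old password stays unknown to the admin."""
        if member not in self._records:
            raise KeyError(member)
        new_password = generate_password()
        self.set_password(member, new_password)
        # This return value is the only place the plaintext exists on the
        # server side; it is handed over out of band (the phone call above).
        return new_password

    def stored_fields(self, member: str):
        """What an administrator can actually read: a salt and a digest."""
        return self._records[member]


if __name__ == "__main__":
    store = MemberStore()
    store.set_password("larry", "forgotten-original")  # constructed sample value
    print("admin sees:", [f.hex() for f in store.stored_fields("larry")])
    issued = store.admin_reset("larry")
    print("new password accepted:", store.verify("larry", issued))
    print("old password accepted:", store.verify("larry", "forgotten-original"))
```
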

    
          
      
Subject: Re: New feature: Article rating
Newsgroups: lugnet.admin.general
Date: Sun, 26 Mar 2000 05:14:23 GMT
Viewed: 1976 times
  

In lugnet.admin.general, Larry Pieniazek writes:
I really want the ability to set my own password. I've lost my password
somewhere and don't have a prayer of remembering what it is. SO I can't
rate my articles 100 and Todd's 0 until I either find it again or get my
pw set to something easy for me to remember (but impossible for anyone
else to get right)

Actually, I'd seen someone rating quite a few of your articles highly, and I
kinda assumed that it was you :) :)  My password is kinda easy to remember as
passwords go, containing my initials, a single repeated digit and a naff name
that I remember for its naff-ness, all handily symmetrically mirrored too! I
assume that it's an almighty coincidence because I remember Todd saying
something complex about how they were randomly generated..

Richard

     
           
      
Subject: Re: New feature: Article rating
Newsgroups: lugnet.admin.general
Date: Sun, 26 Mar 2000 05:53:39 GMT
Viewed: 2001 times
  

In lugnet.admin.general, Richard Franks writes:
In lugnet.admin.general, Larry Pieniazek writes:
I really want the ability to set my own password. I've lost my password
somewhere and don't have a prayer of remembering what it is. SO I can't
rate my articles 100 and Todd's 0 until I either find it again or get my
pw set to something easy for me to remember (but impossible for anyone
else to get right)

Actually, I'd seen someone rating quite a few of your articles highly, and I
kinda assumed that it was you :) :)  My password is kinda easy to remember as
passwords go, containing my initials, a single repeated digit and a naff name
that I remember for its naff-ness, all handily symmetrically mirrored too! I
assume that it's an almighty coincidence because I remember Todd saying
something complex about how they were randomly generated..

It would be a total coincidence, yes, and BTW you shouldn't be giving away
details like that about your password.  You just made it 2,050 times easier
for someone to brute-force crack your password.  :-(

--Todd

    
          
     
Subject: Re: New feature: Article rating
Newsgroups: lugnet.admin.general
Date: Sun, 26 Mar 2000 06:58:39 GMT
Reply-To: cjc@SPAMCAKEnewsguy.com
Viewed: 2217 times
  

On Sun, 26 Mar 2000 04:54:53 GMT, Larry Pieniazek <larryp@novera.com>
wrote:

I really want the ability to set my own password. I've lost my password
somewhere and don't have a prayer of remembering what it is. SO I can't
rate my articles 100 and Todd's 0 until I either find it again or get my
pw set to something easy for me to remember (but impossible for anyone
else to get right)

Yeah, I don't think I've ever "signed in" simply because I can't
bother to keep up with another password I didn't pick.  Once I hear I
can login ONCE with this password I refuse to put any effort into
holding onto or remembering and change it to something I can remember
without effort, I'll do it.  Until then, having a password without the
ability to change it isn't of much value to me.



--
Tired of waiting for LEGO Direct? Bulk Parts Sales NOW!
http://www.guarded-inn.com/lego/sales/parts.html

    
          
      
Subject: Re: New feature: Article rating
Newsgroups: lugnet.admin.general
Date: Sun, 26 Mar 2000 13:43:26 GMT
Reply-To: lar@=spamless=voyager.net
Highlighted: !
Viewed: 2212 times
  

Mike Stanley wrote:

On Sun, 26 Mar 2000 04:54:53 GMT, Larry Pieniazek <larryp@novera.com>
wrote:

I really want the ability to set my own password. I've lost my password
somewhere and don't have a prayer of remembering what it is. SO I can't
rate my articles 100 and Todd's 0 until I either find it again or get my
pw set to something easy for me to remember (but impossible for anyone
else to get right)

Yeah, I don't think I've ever "signed in" simply because I can't
bother to keep up with another password I didn't pick.  Once I hear I
can login ONCE with this password I refuse to put any effort into
holding onto or remembering and change it to something I can remember
without effort, I'll do it.  Until then, having a password without the
ability to change it isn't of much value to me.

Totally agreed. Machine generated, unchangeable passwords get written
down. That compromises them. If this system is so important that
security is paramount over ease of use (which I have a hard time seeing,
it doesn't control human lives or large sums of money, but then I'm just
a user) put some password rules in place to avoid easy to break ones and
to avoid easy dictionary attack.

But the design of forcing use of a machine generated, hard to remember
password is just plain wrong.

--
Larry Pieniazek - lpieniazek@mercator.com - http://my.voyager.net/lar
http://www.mercator.com. Mercator, the e-business transformation company
fund Lugnet(tm): http://www.ebates.com/ ref: lar, 1/2 $$ to lugnet.

Note: this is a family forum!

    
          
      
Subject: Re: New feature: Article rating
Newsgroups: lugnet.admin.general
Date: Sun, 26 Mar 2000 14:16:00 GMT
Highlighted: !
Viewed: 2309 times
  

In lugnet.admin.general, Mike Stanley writes:

Yeah, I don't think I've ever "signed in" simply because I can't
bother to keep up with another password I didn't pick.  Once I hear I
can login ONCE with this password I refuse to put any effort into
holding onto or remembering and change it to something I can remember
without effort, I'll do it.  Until then, having a password without the
ability to change it isn't of much value to me.

Currently you *can* login "ONCE" by selecting "never log me out" (or something
similar, I don't remember the exact wording).  I logged in once at home, and
have never re-entered my passwd.  When I come back and dial up, open a browser,
and go to Lugnet, I'm still logged in.

I will admit that here at work I'm not logged in because I haven't bothered to
jot down my passwd and bring it in, though.

IMHO, the ability to change your passwd would be nice, but I'd rather see
wholly new features like article rating than that particular improvement on an
existing feature.

eric

     
           
       
Subject: Re: New feature: Article rating
Newsgroups: lugnet.admin.general
Date: Sun, 26 Mar 2000 15:50:32 GMT
Reply-To: lar@!StopSpammers!voyager.net
Viewed: 2344 times
  

Lorbaat wrote:

In lugnet.admin.general, Mike Stanley writes:

Yeah, I don't think I've ever "signed in" simply because I can't
bother to keep up with another password I didn't pick.  Once I hear I
can login ONCE with this password I refuse to put any effort into
holding onto or remembering and change it to something I can remember
without effort, I'll do it.  Until then, having a password without the
ability to change it isn't of much value to me.

Currently you *can* login "ONCE" by selecting "never log me out" (or something
similar, I don't remember the exact wording).  I logged in once at home, and
have never re-entered my passwd.  When I come back and dial up, open a browser,
and go to Lugnet, I'm still logged in.

I use too many machines for this to be useful to me. Plus I lose my
cookies (sounds kinda gross) often enough on the machines I DO use on a
regular basis.

I will admit that here at work I'm not logged in because I haven't bothered to
jot down my passwd and bring it in, though.

IMHO, the ability to change your passwd would be nice, but I'd rather see
wholly new features like article rating than that particular improvement on an
existing feature.

Disagree strongly.

If the spiffy new feature isn't usable because of an easy to fix
limitation that prevents or hinders a large subset of the population
from using it.

Again, fixed passwords are wrong. They are less secure and less user
friendly. We can go into this in depth in .geek if you want.

--
Larry Pieniazek - lpieniazek@mercator.com - http://my.voyager.net/lar
http://www.mercator.com. Mercator, the e-business transformation company
fund Lugnet(tm): http://www.ebates.com/ ref: lar, 1/2 $$ to lugnet.

Note: this is a family forum!

      
            
        
Subject: Re: New feature: Article rating
Newsgroups: lugnet.admin.general
Date: Sun, 26 Mar 2000 16:19:07 GMT
Viewed: 2416 times
  

In lugnet.admin.general, Larry Pieniazek writes:
Lorbaat wrote:

Currently you *can* login "ONCE" by selecting "never log me out" (or
something
similar, I don't remember the exact wording).  I logged in once at home, and
have never re-entered my passwd.  When I come back and dial up, open a
browser,
and go to Lugnet, I'm still logged in.

I use too many machines for this to be useful to me.

That must be a lot of machines.  I use one at home (which happens to get
multiple IPs from dynamic IPaddressing from my ISP, but that makes no
difference in the way that the Lugnet server sees me, thanks to cookies) but I
use one of a pool of 20 machines at work.  Fortunately, they're using an NFS
system for my /home directory, so my Netscape is actually the same on all of
them.  Even if they weren't, I'd just jot down the passwd, carry it with me for
a couple of days, and apply it to each machine.

Plus I lose my
cookies (sounds kinda gross) often enough on the machines I DO use on a
regular basis.

How does that happen?  And is user error really something that Lugnet needs to
accommodate?

IMHO, the ability to change your passwd would be nice, but I'd rather see
wholly new features like article rating than that particular improvement on
an
existing feature.

Disagree strongly.

I guess we're just going to have to agree to disagree, then.

If the spiffy new feature isn't usable because of an easy to fix
limitation that prevents or hinders a large subset of the population
from using it.

It's far from unusable.  It happens to be above a threshold you consider
convenient for your particular situation.  It doesn't prevent or hinder you
from using it; your own decision that it's more comfortable for you to forget
it than to take the effort to log in prevents you from using it.

This probably sounds like I'm calling you lazy in a roundabout way, which is
not my intention.  I have no idea what kind of undertaking it might be for you
to actually get all the machines you use to be logged in and not drop cookies.
It might be truly gargantuan.  But I'd be willing to bet you're in a very,
very small subset of the Lugnet community there.  And even at that, you could
log in on one or two "primary" machines and use those exclusively for features
that require you to log in (which, AFAIK, are limited to changing your personal
info and rating posts.... not much).

I'd much rather see Todd's Lugnet Development Time spent on totally new
features.  But, as I said, that's just my opinion.

Again, fixed passwords are wrong. They are less secure and less user
friendly. We can go into this in depth in .geek if you want.

I don't see the need to move it.  We aren't talking about a theoretical case,
we're talking about Lugnet specifically.

eric

       
             
        
Subject: Re: New feature: Article rating
Newsgroups: lugnet.admin.general
Date: Sun, 26 Mar 2000 17:01:12 GMT
Reply-To: CJC@NEWSGUY.COMantispam
Viewed: 2398 times
  

On Sun, 26 Mar 2000 16:19:07 GMT, "Lorbaat" <eric@nospam.thirteen.net>
wrote:

Plus I lose my
cookies (sounds kinda gross) often enough on the machines I DO use on a
regular basis.

How does that happen?  And is user error really something that Lugnet needs to
accommodate?

Well, in that LUGNET should "accommodate" the ability to set your own
password (something _every_ online store/site I use does) yes.  And I
doubt Larry is losing his cookies due to "user error".  Saving your
password in a cookie is nice, but it's a boneheaded way of doing it
given the reality that some of us use many machines and don't always
have a home area mounted for personal stuff to go to.

This probably sounds like I'm calling you lazy in a roundabout way, which is
not my intention.  I have no idea what kind of undertaking it might be for you
to actually get all the machines you use to be logged in and not drop cookies.
It might be truly gargantuan.  But I'd be willing to bet you're in a very,
very small subset of the Lugnet community there.  And even at that, you could
log in on one or two "primary" machines and use those exclusively for features
that require you to log in (which, AFAIK, are limited to changing your personal
info and rating posts.... not much).

Given the fact that Todd has expressed such concern over browser
compatibility, which could literally mean "accommodating" 2 or 3
people, changing the password system to work like every other site I
visit seems a small thing to ask.

I'd much rather see Todd's Lugnet Development Time spent on totally new
features.  But, as I said, that's just my opinion.

I'd rather see Todd's LDT spent on fixing something that was broken to
begin with.  :)


--
Tired of waiting for LEGO Direct? Bulk Parts Sales NOW!
http://www.guarded-inn.com/lego/sales/parts.html

      
            
       
Subject: Re: New feature: Article rating
Newsgroups: lugnet.admin.general
Date: Sun, 26 Mar 2000 16:31:30 GMT
Reply-To: cjc@newsguy[Spamless].com
Viewed: 2356 times
  

On Sun, 26 Mar 2000 15:50:32 GMT, Larry Pieniazek <larryp@novera.com>
wrote:

Currently you *can* login "ONCE" by selecting "never log me out" (or something
similar, I don't remember the exact wording).  I logged in once at home, and
have never re-entered my passwd.  When I come back and dial up, open a browser,
and go to Lugnet, I'm still logged in.

I use too many machines for this to be useful to me. Plus I lose my
cookies (sounds kinda gross) often enough on the machines I DO use on a
regular basis.

Ditto to that.  I currently can (and do) access Lugnet from at least 5
machines at home, 3 machines in my cube at work, and any number of
machines scattered around campus (what else am I supposed to do while
waiting for a server to do something time-consuming).  No way I'm
saving my password to all those machines - that would be stupid.

--
Tired of waiting for LEGO Direct? Bulk Parts Sales NOW!
http://www.guarded-inn.com/lego/sales/parts.html

     
           
      
Subject: Re: New feature: Article rating
Newsgroups: lugnet.admin.general
Date: Sun, 26 Mar 2000 16:29:22 GMT
Reply-To: cjc@newsguy.STOPSPAMMERScom
Highlighted: !
Viewed: 2405 times
  

On Sun, 26 Mar 2000 14:16:00 GMT, "Lorbaat" <eric@nospam.thirteen.net>
wrote:

In lugnet.admin.general, Mike Stanley writes:

Yeah, I don't think I've ever "signed in" simply because I can't
bother to keep up with another password I didn't pick.  Once I hear I
can login ONCE with this password I refuse to put any effort into
holding onto or remembering and change it to something I can remember
without effort, I'll do it.  Until then, having a password without the
ability to change it isn't of much value to me.

Currently you *can* login "ONCE" by selecting "never log me out" (or something
similar, I don't remember the exact wording).  I logged in once at home, and
have never re-entered my passwd.  When I come back and dial up, open a browser,
and go to Lugnet, I'm still logged in.

That might be fine for home (or maybe it wouldn't be - maybe my wife
and I share a computer to access LUGNET (we don't, since I have more
than a few computers, but we could)?) but it wouldn't work for work.
My LUGNET packet is sitting in my desk at work, waiting for me to use
that password, if I ever get to change it myself.  Until then I won't
be using it.  I have to keep track of more passwords than most people
because of my job - I'm not using any more brain cells to keep track
of one I had no say in.

I will admit that here at work I'm not logged in because I haven't bothered to
jot down my passwd and bring it in, though.

IMHO, the ability to change your passwd would be nice, but I'd rather see
wholly new features like article rating than that particular improvement on an
existing feature.

But what good are those cool new features if you can't access them
without signing in?  IMNSHO the inability to change your password to
something of your choice (even within certain length/composition
restrictions) is a serious flaw, especially from the user perspective.
Both Larry and I agree on this - that means we have to be right.

--
Tired of waiting for LEGO Direct? Bulk Parts Sales NOW!
http://www.guarded-inn.com/lego/sales/parts.html

     
           
      
Subject: Re: New feature: Article rating
Newsgroups: lugnet.admin.general
Date: Sun, 26 Mar 2000 16:34:08 GMT
Viewed: 2479 times
  

In lugnet.admin.general, Mike Stanley writes:

Currently you *can* login "ONCE" by selecting "never log me out" (or
something
similar, I don't remember the exact wording).  I logged in once at home, and
have never re-entered my passwd.  When I come back and dial up, open a
browser,
and go to Lugnet, I'm still logged in.

That might be fine for home (or maybe it wouldn't be - maybe my wife
and I share a computer to access LUGNET (we don't, since I have more
than a few computers, but we could)?) but it wouldn't work for work.
My LUGNET packet is sitting in my desk at work, waiting for me to use
that password, if I ever get to change it myself.  Until then I won't
be using it.  I have to keep track of more passwords than most people
because of my job - I'm not using any more brain cells to keep track
of one I had no say in.

Why would you have to keep track of it if you were always logged in?  You'd
type it in once and that would be that.

Trust me, my job requires no small amount of passwds to be remembered by me,
too.

IMHO, the ability to change your passwd would be nice, but I'd rather see
wholly new features like article rating than that particular improvement on
an
existing feature.

But what good are those cool new features if you can't access them
without signing in?

Who said all the new features were going to be available only to logged-in
Lugnet Members?

IMNSHO the inability to change your password to
something of your choice (even within certain length/composition
restrictions) is a serious flaw, especially from the user perspective.

I think it's something that probably should be changed, but I'm afraid I don't
think it's nearly as urgent as you and Larry.

Both Larry and I agree on this - that means we have to be right.

Basing logical arguments on cults of personality is generally also a bad idea.

eric

     
           
      
Subject: Re: New feature: Article rating
Newsgroups: lugnet.admin.general
Date: Sun, 26 Mar 2000 17:05:37 GMT
Reply-To: cjc@newsguy.comIHATESPAM
Highlighted: !
Viewed: 2529 times
  

On Sun, 26 Mar 2000 16:34:08 GMT, "Lorbaat" <eric@nospam.thirteen.net>
wrote:

Both Larry and I agree on this - that means we have to be right.

Basing logical arguments on cults of personality is generally also a bad idea.

Yeah, but the point is we ARE right.  You're not concerned about it,
Todd may not be concerned about it, but the market backs us up.  Can
you change your password at Amazon.com?  BN.com?   Any other major
online retailer you care to name?  How about eCircles?  MyCNN.com?
Sure you can.

So while I might joke about Larry and I being important enough to
suggest that _our_ opinion on this issue is the _right_ one (we are
and it is) the reality is companies that are making millions
(billions?) from online users every single day agree with us.

Sometimes it doesn't make sense to reinvent the wheel - especially
when you make it some other shape than circular.


--
Tired of waiting for LEGO Direct? Bulk Parts Sales NOW!
http://www.guarded-inn.com/lego/sales/parts.html

     
           
      
Subject: Re: New feature: Article rating
Newsgroups: lugnet.admin.general
Date: Sun, 26 Mar 2000 17:10:17 GMT
Viewed: 2564 times
  

In lugnet.admin.general, Mike Stanley writes:
On Sun, 26 Mar 2000 16:34:08 GMT, "Lorbaat" <eric@nospam.thirteen.net>
wrote:

Both Larry and I agree on this - that means we have to be right.

Basing logical arguments on cults of personality is generally also a bad
idea.

Yeah, but the point is we ARE right.

In your opinion.  And I am right in mine.

You're not concerned about it,
Todd may not be concerned about it, but the market backs us up.  Can
you change your password at Amazon.com?  BN.com?   Any other major
online retailer you care to name?  How about eCircles?  MyCNN.com?
Sure you can.

And how is Lugnet a retailer, exactly?

Look, I'm not saying that I wouldn't like to see the feature.  But I don't
think it's "broken" in any way, I don't think it's "unusable" by a "majority of
the Lugnet population".

Throwing around words like that really waters down your argument.

So while I might joke about Larry and I being important enough to
suggest that _our_ opinion on this issue is the _right_ one (we are
and it is)

Uh-huh.  Pardon me if I fail to crumble before your almighty wisdom.

eric

     
           
      
Subject: Re: New feature: Article rating
Newsgroups: lugnet.admin.general
Date: Sun, 26 Mar 2000 17:30:07 GMT
Reply-To: cjc@newsguy.^IHateSpam^com
Highlighted: !
Viewed: 2608 times
  

On Sun, 26 Mar 2000 17:10:17 GMT, "Lorbaat" <eric@nospam.thirteen.net>
wrote:

Yeah, but the point is we ARE right.
In your opinion.  And I am right in mine.

Can you name a major website with the sort of long-term goals that
LUGNET has that sides with your "setting your own password isn't
important" opinion?

You're not concerned about it,
Todd may not be concerned about it, but the market backs us up.  Can
you change your password at Amazon.com?  BN.com?   Any other major
online retailer you care to name?  How about eCircles?  MyCNN.com?
Sure you can.

And how is Lugnet a retailer, exactly?

Well, did you read the rest of that paragraph?  eCircles isn't a
retailer - it is a _community_ site.  Kinda like LUGNET.  MyCNN.com
isn't a retailer - it is a customized news site.

So LUGNET may not, at the moment, be a retailer, although it does have
affiliate links to other retailers and there may eventually be an
auction system here that members will use for a price.  Add to that
the fact that a membership at LUGNET actually _costs_ money.

LUGNET is a user-based community.  Right now it is a user-based
community with an anti-user password system.  That is _unlike_ every
other online community site *I* know of on the web.

Look, I'm not saying that I wouldn't like to see the feature.  But I don't
think it's "broken" in any way, I don't think it's "unusable" by a "majority of
the Lugnet population".

It is counter-intuitive and unlike the websites we ALL use every day
(if we use them).

Throwing around words like that really waters down your argument.

Insomuch as Larry and I are promoting the _right_ side of this issue,
there really isn't much of an argument.  You want to carry your
password around on a card?  Fine.  You want to log yourself in
permanently at a machine that anyone can use?  Also fine.  I don't,
and I shouldn't be made to do so.

So while I might joke about Larry and I being important enough to
suggest that _our_ opinion on this issue is the _right_ one (we are
and it is)

Uh-huh.  Pardon me if I fail to crumble before your almighty wisdom.

Well, you're the only one who has stepped into the personal attack
realm (referring to Larry's cookie problem as user error and now
this).  If I were concerned about YOUR opinion, I'd worry about it.
But you're wrong, so I'm not.

As long as Todd pulls his head out of the sand I'll be happy.  Your
head can stay exactly where you have it right now.

--
Tired of waiting for LEGO Direct? Bulk Parts Sales NOW!
http://www.guarded-inn.com/lego/sales/parts.html

     
           
      
Subject: 
Re: New feature: Article rating
Newsgroups: 
lugnet.admin.general
Date: 
Sun, 26 Mar 2000 17:58:58 GMT
Highlighted: 
(details)
Viewed: 
2663 times
  

In lugnet.admin.general, Mike Stanley writes:
On Sun, 26 Mar 2000 17:10:17 GMT, "Lorbaat" <eric@nospam.thirteen.net>
wrote:

LUGNET is a user-based community.  Right now it is a user-based
community with an anti-user password system.

A password system that, I remind you, controls your access to *two* things-
neither one of which even approaches being essential to normal use.

Throwing around words like that really waters down your argument.

Insomuch as Larry and I are promoting the _right_ side of this issue,
there really isn't much of an argument.

I think that Todd's reasoning, posted elsewhere in this thread, is
well-thought-out.  Trying to deny there's another side to the issue doesn't do
much to refute it.

You want to carry your
password around on a card?

No, and I don't.

You want to log yourself in
permanently at a machine that anyone can use?

No, and I don't.

I don't,
and I shouldn't be made to do so.

Does someone have a gun to your head?  You'll just have to accept that from
certain machines, for now, you can't access all the features.  That's a choice
you're making.  It's also a choice that I'm making.  It's really no big deal.
I promise.

So while I might joke about Larry and I being important enough to
suggest that _our_ opinion on this issue is the _right_ one (we are
and it is)

Uh-huh.  Pardon me if I fail to crumble before your almighty wisdom.

Well, you're the only one who has stepped into the personal attack
realm

Huh?

(referring to Larry's cookie problem as user error

.... is not a "personal attack".  It simply insinuates that his browser wasn't
designed to lose cookies (is there some browser that is that I don't know
about?) and that fixing his browser falls into his (ie, the Lugnet user's)
territory, and Lugnet didn't need to be designed around that.

and now
this).

So, you're allowed to make tongue in cheek comments about your perfect wisdom,
and I'm not?

If I were concerned about YOUR opinion, I'd worry about it.
But you're wrong, so I'm not.

Yes.  You are right because you say you are, so you must be.

As I said, that kind of recursive logic really doesn't win any points in
debate.  If this really is the best you can do, I'm done discussing it.

eric

     
           
      
Subject: 
Re: New feature: Article rating
Newsgroups: 
lugnet.admin.general
Date: 
Sun, 26 Mar 2000 18:08:17 GMT
Highlighted: 
! (details)
Viewed: 
2720 times
  

In lugnet.admin.general, Eric Joslin writes:
In lugnet.admin.general, Mike Stanley writes:
On Sun, 26 Mar 2000 17:10:17 GMT, "Lorbaat" <eric@nospam.thirteen.net>
wrote:

LUGNET is a user-based community.  Right now it is a user-based
community with an anti-user password system.

A password system that, I remind you, controls your access to *two* things-
neither one of which even approaches being essential to normal use.

Well, there you go.  I didn't even know there was something else that
required you to sign in to access it.  So that is two features right now
that I cannot access (as a paid member) unless I choose to compromise the
same security these silly machine-generated passwords are supposed to protect.

That's two features now - maybe 20 features in 6 months.

I'd say if BN.com, Amazon.com, X.com, and others (all of which either store
my credit card info or my money) can let me pick a password, LUGNET can.

     
           
      
Subject: 
Re: New feature: Article rating
Newsgroups: 
lugnet.admin.general
Date: 
Fri, 21 Apr 2000 05:16:12 GMT
Highlighted: 
(details)
Viewed: 
2924 times
  

In lugnet.admin.general, Mike Stanley writes:

I'd say if BN.com, Amazon.com, X.com, and others (all of which either store
my credit card info or my money) can let me pick a password, LUGNET can.

It's been a month since this was brought up, just about. Any sort of timeline
on when we can expect a fix? Reminder, not being able to change passwords means
passwords are broken. It's that simple.

++Lar

     
           
      
Subject: 
Re: New feature: Article rating
Newsgroups: 
lugnet.admin.general
Date: 
Fri, 21 Apr 2000 05:31:40 GMT
Viewed: 
2909 times
  

In lugnet.admin.general, Larry Pieniazek writes:
It's been a month since this was brought up, just about.

It's been far more than that.  It was first brought up in November.


Any sort of timeline on when we can expect a fix?

Likely before the end of April.  It's not a crisis situation.


Reminder, not being able to change passwords means passwords are broken.
It's that simple.

Heard you the first 3 times.  Agreed twice.

--Todd

    
          
     
Subject: 
Re: New feature: Article rating
Newsgroups: 
lugnet.admin.general
Date: 
Sun, 26 Mar 2000 16:54:30 GMT
Highlighted: 
! (details)
Viewed: 
2419 times
  

In lugnet.admin.general, Mike Stanley writes:
Yeah, I don't think I've ever "signed in" simply because I can't
bother to keep up with another password I didn't pick.  Once I hear I
can login ONCE with this password I refuse to put any effort into
holding onto or remembering and change it to something I can remember
without effort, I'll do it.  Until then, having a password without the
ability to change it isn't of much value to me.

You can sign in once with your password and stay permanently signed in.

(Simply use the middle radio button at the Sign-In page.)

--Todd

    
          
     
Subject: 
Re: New feature: Article rating
Newsgroups: 
lugnet.admin.general
Date: 
Sun, 26 Mar 2000 17:16:57 GMT
Reply-To: 
cjc@newsguy.comIHATESPAM
Highlighted: 
! (details)
Viewed: 
2585 times
  

On Sun, 26 Mar 2000 16:54:30 GMT, Todd Lehman <lehman@javanet.com>
wrote:

In lugnet.admin.general, Mike Stanley writes:
Yeah, I don't think I've ever "signed in" simply because I can't
bother to keep up with another password I didn't pick.  Once I hear I
can login ONCE with this password I refuse to put any effort into
holding onto or remembering and change it to something I can remember
without effort, I'll do it.  Until then, having a password without the
ability to change it isn't of much value to me.

You can sign in once with your password and stay permanently signed in.

(Simply use the middle radio button at the Sign-In page.)

So what do I do when I login at a publicly accessible machine in a
lab?  What does anyone in a college environment do?  People who are
lucky enough to have a spouse who reads (and has a membership) at
LUGNET but uses the same computer?

To be so concerned about password security as you seem to be (2,050
times easier to brute-force?) having the permanently signed in option
as a solution to not being able to create our own passwords seems a
little silly.

I don't have my computer save my Yahoo! username and password - why
would I do it for LUGNET?

--
Tired of waiting for LEGO Direct? Bulk Parts Sales NOW!
http://www.guarded-inn.com/lego/sales/parts.html

    
          
      
Subject: 
Re: New feature: Article rating
Newsgroups: 
lugnet.admin.general
Date: 
Sun, 26 Mar 2000 18:57:06 GMT
Highlighted: 
(details)
Viewed: 
2787 times
  

In lugnet.admin.general, Mike Stanley writes:
On Sun, 26 Mar 2000 16:54:30 GMT, Todd Lehman <lehman@javanet.com>
wrote:

In lugnet.admin.general, Mike Stanley writes:
Yeah, I don't think I've ever "signed in" simply because I can't
bother to keep up with another password I didn't pick.  Once I hear I
can login ONCE with this password I refuse to put any effort into
holding onto or remembering and change it to something I can remember
without effort, I'll do it.  Until then, having a password without the
ability to change it isn't of much value to me.

You can sign in once with your password and stay permanently signed in.

And how secure is that?

I'm sensing that you're dug into this position and are now in Defensive Mode.

Whatever.

Fact is, I use a lot of different machines, not all under my control, sometimes
at a different client each week. Cookies in that context are bad. They're bad
for passwords and bad for the posting authentication process, which I contend
is still broken, lo these many months since I first complained about what a
pain it is.

Todd, you can stop this by saying "tough". Your site, your code. But till then
don't try justifying it as "right". It's not. I have enough HF experience to
know that, and so does Mike.

Lorbaat seems to relish digging in without regard to research so we'll leave
him out of it, but the fact of the matter is that research into human behaviour
tells us that machine generated unchangeable passwords are less safe than
changeable ones and machine generated unchangeable passwords are less user
friendly than user changeable ones. You could look it up. I didn't need to.

That's two strikes. You're out.

Spoken as an architect, not a developer.

PS I found my password. Think I'll go set a cookie on a machine at a NW
worldclub with it and leave myself permanently logged in with lugnet set to the
home page. Just kidding. Or maybe not.

++lar

     
           
       
Subject: 
Re: New feature: Article rating
Newsgroups: 
lugnet.admin.general
Date: 
Sun, 26 Mar 2000 19:13:03 GMT
Highlighted: 
! (details)
Viewed: 
3021 times
  

In lugnet.admin.general, Larry Pieniazek writes:
You can sign in once with your password and stay permanently signed in.

And how secure is that?

Well, obviously, don't do that on a machine that's not under your control.
That's for your home system or your laptop -- whatever you use regularly.


I'm sensing that you're dug into this position and are now in Defensive Mode.

No, not dug in, just a bit skeptical and need to think changes through
carefully.  No doubts that you could pick an excellent password.  It's the
average non-geek who is the potential weak link.

Your use of many different machines may be an extreme case, but clearly the
current situation is quite broken for you, and probably many others.

--Todd

      
            
        
Subject: 
Re: New feature: Article rating
Newsgroups: 
lugnet.admin.general
Date: 
Sun, 26 Mar 2000 19:23:43 GMT
Reply-To: 
cjc@newsguy/AvoidSpam/.com
Highlighted: 
! (details)
Viewed: 
3020 times
  

On Sun, 26 Mar 2000 19:13:03 GMT, Todd Lehman <lehman@javanet.com>
wrote:

No, not dug in, just a bit skeptical and need to think changes through
carefully.  No doubts that you could pick an excellent password.  It's the
average non-geek who is the potential weak link.

Your use of many different machines may be an extreme case, but clearly the
current situation is quite broken for you, and probably many others.

I'm thinking of the fairly large percentage of UTK students who live
in the dorms but don't own computers.  Those kids use my labs (or
various friends' machines) for all of their net business.

--
Tired of waiting for LEGO Direct? Bulk Parts Sales NOW!
http://www.guarded-inn.com/lego/sales/parts.html

       
             
        
Subject: 
Re: New feature: Article rating
Newsgroups: 
lugnet.admin.general
Date: 
Sun, 26 Mar 2000 19:33:52 GMT
Highlighted: 
! (details)
Viewed: 
3053 times
  

In lugnet.admin.general, Mike Stanley writes:

Your use of many different machines may be an extreme case, but clearly the
current situation is quite broken for you, and probably many others.

I'm thinking of the fairly large percentage of UTK students who live
in the dorms but don't own computers.  Those kids use my labs (or
various friends' machines) for all of their net business.

Or the non-US people who have to pay for access and will spend most of their
internet time on machines at university or at work.

Richard

       
             
        
Subject: 
Re: New feature: Article rating
Newsgroups: 
lugnet.admin.general
Date: 
Mon, 27 Mar 2000 06:38:52 GMT
Viewed: 
3052 times
  

In lugnet.admin.general, Richard Franks writes:
In lugnet.admin.general, Mike Stanley writes:

Your use of many different machines may be an extreme case, but clearly the
current situation is quite broken for you, and probably many others.

I'm thinking of the fairly large percentage of UTK students who live
in the dorms but don't own computers.  Those kids use my labs (or
various friends' machines) for all of their net business.

Or the non-US people who have to pay for access and will spend most of their
internet time on machines at university or at work.

Richard

You guys have got it worse than most. Timed local calls! Which donkey let that
one go through? Probably the same donkey that wants to implement it here!

At least I can have my home machine permanently wired into the web for hours
and it only costs me AUD$0.25 plus my normal monthly all-you-can-eat ISP deal.

And I want to move to the UK in three months!!! Why? .... ;-)


Pete Callaway

      
            
        
Subject: 
Re: New feature: Article rating
Newsgroups: 
lugnet.admin.general
Date: 
Sun, 26 Mar 2000 19:29:57 GMT
Highlighted: 
(details)
Viewed: 
3112 times
  

In lugnet.admin.general, Todd Lehman writes:
In lugnet.admin.general, Larry Pieniazek writes:
You can sign in once with your password and stay permanently signed in.

And how secure is that?

Well, obviously, don't do that on a machine that's not under your control.
That's for your home system or your laptop -- whatever you use regularly.


I'm sensing that you're dug into this position and are now in Defensive Mode.

No, not dug in, just a bit skeptical and need to think changes through
carefully.  No doubts that you could pick an excellent password.  It's the
average non-geek who is the potential weak link.

OK, make me confirm my confirm (each time warning the non geeky that maybe,
just maybe, they ought to use the one they were given) when I go to pick my
password, then subject it to a few quick checks to see if it was a good choice
(I prefer trying a quick brute force attack to try to guess it rather than
enforcing "must be more than 6 letters must contain at least one number" kind
of rules which actually cut into the password space).

Your use of many different machines may be an extreme case, but clearly the
current situation is quite broken for you, and probably many others.

Thank you. I feel better now.

++lar

       
             
        
Subject: 
Automated password appraisal (Re: New feature: Article rating)
Newsgroups: 
lugnet.admin.general
Date: 
Thu, 30 Mar 2000 00:22:28 GMT
Highlighted: 
! (details)
Viewed: 
3320 times
  

In lugnet.admin.general, Larry Pieniazek writes:
No, not dug in, just a bit skeptical and need to think changes through
carefully.  No doubts that you could pick an excellent password.  It's the
average non-geek who is the potential weak link.

OK, make me confirm my confirm (each time warning the non geeky that maybe,
just maybe, they ought to use the one they were given) when I go to pick my
password, then subject it to a few quick checks to see if it was a good
choice (I prefer trying a quick brute force attack to try to guess it
rather than enforcing "must be more than 6 letters must contain at least
one number" kind of rules which actually cut into the password space).

OK, I've done more research into human factors of passwords and have crufted
together[1] what I hope is a rather froody password checker.

First, it's got a _moby_ database of more than 2.7 million words, names,
phrases, numbers, and other common sequences culled from more than 100 free
wordlists covering more than 20 world languages.  It consults this database
to identify risks based on known, non-arbitrary character sequences.  Second,
it checks for other manners of dubious sequences (substring repetition,
palindromes, backwards, and other cleverless human tricks).  Third, it knows
how to unmung upside-down calculator words like 07734 or 0937 and it knows
that $#!+ is a weak disguise for a common 4LW.  And then it's got a couple
of other recursive risk-sensors too.

Anyway, you give it some password to analyze, and it comes back with an
appraisal of that password's strength.  It *will* allow you to have a
5-character password, but only if it thinks it's really good.  Similarly,
it will fail a 9-character password containing uppercase and lowercase
letters, numbers, and special characters if for some reason it feels that
password is still too risky.

Doing some statistical analysis on randomly generated passwords (assuming a
character set of a-z, A-Z, 0-9, and -, all with equal probability), it fails
about 85% of all 5-character passwords, 40% of all 6-character passwords,
15% of all 7-character passwords, 8% of all 8-character passwords, and 7%
of all 9-character passwords.  Thus it does not adversely limit the domain
of all choices -- although it is very picky about what it likes, and if you
want a 5-character password, you have to work hard.

I'll put this password thingy up on a webpage for people to try out, maybe
later tonight.  If we can all agree that it does a good job of weeding out
bad passwords, then I'll put it into place for where you can actually change
your own password.

--Todd

[1] I'd like to blame NIHS but I did not find any adequately strong freely
available drop-in solutions.
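
The checks described in the post above (dictionary lookup, backwards spellings, palindromes, substring repetition, upside-down calculator digits, symbol disguises, and the fail rate on random passwords) can be sketched as follows. This is an added example, not the LUGNET checker's code: the tiny wordlist, the two substitution tables, the sample passwords and the `MIN_WORD` / `MIN_RESIDUAL` thresholds are constructed assumptions.

```python
import random
import re
import string

# Constructed stand-in for the post's 2.7-million-entry database; a real
# checker would load large multi-language wordlists instead.
WORDS = {"hello", "lego", "lugnet", "password", "dragon", "monkey",
         "secret", "brick", "shit"}
MIN_WORD = 4       # assumption: shortest dictionary hit counted as a risk
MIN_RESIDUAL = 5   # assumption: unexplained characters needed to pass

# Assumed table mapping symbol/digit disguises back to one letter each.
LEET = str.maketrans({"$": "s", "#": "h", "!": "i", "+": "t", "@": "a",
                      "0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t"})
# Upside-down calculator reading: the digit run is reversed, then each digit
# is read as the letter it resembles when the display is rotated (assumed table).
CALC = str.maketrans("0123456789", "oizehsglbg")
# Character set used for the random-password statistics in the post.
ALPHABET = string.ascii_letters + string.digits + "-"


def variants(pw):
    """Yield (label, text) forms of pw that should be looked up in WORDS."""
    low = pw.lower()
    yield "as typed", low
    yield "backwards", low[::-1]
    yield "symbols undone", low.translate(LEET)
    for run in re.findall(r"\d{4,}", pw):
        yield "upside-down calculator", run[::-1].translate(CALC)


def findings(pw):
    """Return {risky fragment: reason} for every weakness detected in pw."""
    found = {}
    for label, text in variants(pw):
        for word in sorted(WORDS):
            if len(word) >= MIN_WORD and word in text:
                found.setdefault(word, "dictionary word (" + label + ")")
    low = pw.lower()
    if len(low) >= 3 and low == low[::-1]:
        found[low] = "palindrome"
    # A chunk of 2+ characters repeated back to back, or one character 3+ times.
    for m in re.finditer(r"(.{2,}?)\1+|(.)\2{2,}", low):
        found.setdefault(m.group(0), "repeated substring")
    return found


def appraise(pw):
    """Return (verdict, findings). Characters explained by a finding do not
    count towards strength; overlaps are counted twice on purpose, because
    rejecting a good password costs less than accepting a bad one."""
    found = findings(pw)
    explained = min(len(pw), sum(len(frag) for frag in found))
    residual = len(pw) - explained
    return ("pass" if residual >= MIN_RESIDUAL else "fail"), found


def fail_rate(length, trials=2000, seed=0):
    """Fraction of uniformly random passwords of this length that are rejected.
    A seeded PRNG is used so the measurement is reproducible; it is not a
    password generator."""
    rng = random.Random(seed)
    fails = sum(
        appraise("".join(rng.choice(ALPHABET) for _ in range(length)))[0] == "fail"
        for _ in range(trials))
    return fails / trials


if __name__ == "__main__":
    # Constructed sample passwords.
    for sample in ("07734", "0937", "$#!+", "Dr@g0n!7x", "terces42",
                   "abcabc", "k9#Vq-T2m"):
        verdict, found = appraise(sample)
        print(f"{sample!r:14} {verdict:5} {found}")
    for n in (5, 6, 7, 8, 9):
        print(n, "chars: fail rate", fail_rate(n))
```

With a wordlist this small the measured fail rates stay far below the percentages quoted in the post; the rejection rate on random input grows with the size of the dictionary being matched.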

       
             
         
Subject: 
Re: Automated password appraisal (Re: New feature: Article rating)
Newsgroups: 
lugnet.admin.general
Date: 
Thu, 30 Mar 2000 00:31:32 GMT
Highlighted: 
(details)
Viewed: 
3336 times
  

Todd Lehman wrote:
OK, I've done more research into human factors of passwords and have crufted
together[1] what I hope is a rather froody password checker.


just a suggestion - have it also check against known personal info -
like name, initials, birthday, etc...  also Jenn pointed out you should
check against obvious words, like lugnet, lego s@h, etc... :)

I can't wait to try it out...

Great job!

Dan

        
              
         
Subject: 
Re: Automated password appraisal (Re: New feature: Article rating)
Newsgroups: 
lugnet.admin.general
Date: 
Thu, 30 Mar 2000 01:13:29 GMT
Highlighted: 
(details)
Viewed: 
3380 times
  

In lugnet.admin.general, Dan Boger writes:
Todd Lehman wrote:
OK, I've done more research into human factors of passwords and have crufted
together[1] what I hope is a rather froody password checker.


just a suggestion - have it also check against known personal info -
like name, initials, birthday, etc...  also Jenn pointed out you should
check against obvious words, like lugnet, lego s@h, etc... :)

Right! do all the really obvious checks first (the ones that would say things
like "you know, using your first name may not be a good choice for a password")
to save cycles.

Well, let's have at it, I have some pw's I'd like an opinion on, and believe it
or not, this actually is work related, someone set a password on a box that has
a dialin line that I think wasn't a very wise choice...

++Lar

        
              
         
Subject: 
Re: Automated password appraisal (Re: New feature: Article rating)
Newsgroups: 
lugnet.admin.general
Date: 
Thu, 30 Mar 2000 01:19:05 GMT
Highlighted: 
(details)
Viewed: 
3474 times
  

Larry Pieniazek wrote:
Right! do all the really obvious checks first (the ones that would say things
like "you know, using your first name may not be a good choice for a password")
to save cycles.

good idea :)


Well, let's have at it, I have some pw's I'd like an opinion on, and believe it
or not, this actually is work related, someone set a password on a box that has
a dialin line that I think wasn't a very wise choice...

just curious - how do you know what your users set their passwords to?
;)

Dan

        
              
         
Subject: 
Re: Automated password appraisal (Re: New feature: Article rating)
Newsgroups: 
lugnet.admin.general
Date: 
Thu, 30 Mar 2000 01:27:47 GMT
Highlighted: 
(details)
Viewed: 
3416 times
  

In lugnet.admin.general, Dan Boger writes:

just curious - how do you know what your users set their passwords to?

It's my box, and it's going to a show, I was there when the password was set
and I know it's not a very good one. But despite being the PM of the project I
don't just want to stamp my foot and make them change the password, I'd rather
provide some proof, as it were, before I force the issue.

It's important because it's the administrator account for the box, and it's an
important box to the show.

       
             
        
Subject: 
Re: Automated password appraisal (Re: New feature: Article rating)
Newsgroups: 
lugnet.admin.general
Date: 
Thu, 30 Mar 2000 11:23:41 GMT
Highlighted: 
!! (details)
Viewed: 
3558 times
  

In lugnet.admin.general, Todd Lehman writes:
[...]
I'll put this password thingy up on a webpage for people to try out, maybe
later tonight.  If we can all agree that it does a good job of weeding out
bad passwords, then I'll put it into place for where you can actually change
your own password.

OK, here it is:

   http://www.lugnet.com/people/members/pwsa/


Executive summary:

   Type in a password and it tells you "pass" or "fail".


First important question:

   Are there any bad passwords which this fails to reject?  (If it rejects
   a seemingly good password, that's not necessarily a problem.  Failing to
   reject a bad password is a far more serious problem.)


Second important question:

   Are there words that you can think of which this fails to detect as
   potential weaknesses?  (Try to stump it!)


Notes:

The box that you type into does _not_ display *'s over the top of the text
you type.  (This makes it easier to edit, re-edit, and experiment.)  Thus,
don't run this with people looking over your shoulder (unless you're just
playing around and have no intention of using the passwords you test).

The pages that come back show your whole password on the screen and many
fragments of it, so Clear Out Your Browser's Cache After Running This if
anyone but you can read files on your machine.  (I'll probably make it set
the 'no-cache' and 'expires' HTTP headers on the output pages tomorrow, but
it still wouldn't hurt to wipe out your cache afterwards.)

The analysis is very slow.  It may take several seconds to check your input,
so please be patient.  The CPU time is displayed at the bottom of the results
page, and you may notice that the CPU time shows much smaller values than the
elapsed time.  Partially, this is due to typical issues like network latency
and multiple processes competing for resources, but mainly, in this case,
this is due to the fact that the words dictionary (30+ MB of 2.7*10^6 words,
names, acronyms, phrases, etc.) doesn't fit into core memory.  (Well, it
fits, but it doesn't stay cached long, so there are often lots of pagefaults
which result in access to secondary storage, which slows things down.)
Subsequent analyses of similar-looking input may result in quicker responses.

If it identifies risky words that you've never heard of, keep in mind that
it's looking through words from more than 20 human languages, and that it
also knows names, computer words, science words, and all kinds of other
obscure stuff.

Non-English words containing characters outside of the strict 7-bit ASCII
character set are not yet handled (detected) properly.  This is because the
original word lists for those languages encoded these non-ASCII extended
characters using double-byte sequences which I haven't yet figured out how
to decode.  (Some are simple and obvious, for example :a for umlaut-a, or
/o for slash-o, but others, like curly braces and angle brackets, are still
mystifying.)  There was no decoding documentation available with the source
files (or else I missed it somehow) but if a few people are willing to have
a look at a few examples in each language, we can probably figure it out
pretty quickly.  (I'll double-check again for decoding docs first.)

--Todd

       
             
         
Subject: 
Re: Automated password appraisal (Re: New feature: Article rating)
Newsgroups: 
lugnet.admin.general
Date: 
Thu, 30 Mar 2000 12:28:05 GMT
Highlighted: 
(details)
Viewed: 
3552 times
  

In lugnet.admin.general, Todd Lehman writes:
In lugnet.admin.general, Todd Lehman writes:
[...]
I'll put this password thingy up on a webpage for people to try out, maybe
later tonight.  If we can all agree that it does a good job of weeding out
bad passwords, then I'll put it into place for where you can actually change
your own password.

OK, here it is:

  http://www.lugnet.com/people/members/pwsa/

Thanks!

Well, joke's on me. The password I thought wasn't so great is not stunning, but
it got a "adequate". Sorry, I can't tell you what it is right now, though.

Handy tool. Appreciate your making it available.

++Lar

        
              
          
Subject: 
Re: Automated password appraisal (Re: New feature: Article rating)
Newsgroups: 
lugnet.admin.general
Date: 
Thu, 30 Mar 2000 12:58:45 GMT
Viewed: 
3552 times
  

  http://www.lugnet.com/people/members/pwsa/

Well, joke's on me. The password I thought wasn't so great is not stunning, but
it got a "adequate". Sorry, I can't tell you what it is right now, though.

Handy tool. Appreciate your making it available.

Indeed. I got an excellent. : ) At least I got some decent passwords, if
nothing else!

Scott S.

        
              
          
Subject: 
Re: Automated password appraisal (Re: New feature: Article rating)
Newsgroups: 
lugnet.admin.general
Date: 
Thu, 30 Mar 2000 17:56:25 GMT
Highlighted: 
(details)
Viewed: 
3586 times
  

In lugnet.admin.general, Larry Pieniazek writes:
Well, joke's on me. The password I thought wasn't so great is not stunning,
but it got a "adequate". Sorry, I can't tell you what it is right now,
though.

A couple questions about its structure...I don't know if you can answer these
but it seems like you could maybe:  Without giving away any hints about what
it was, why did you think it was risky?  Did it contain a word?  Did it
contain a word which wasn't caught by the checker?  If it passed ("adequate"
is a pass, not a fail) a password that you didn't think was good then would
you say, in your professional opinion, that its bar is too low?  Or, after
having seen some results, do you agree with the assessment?  The pw's entered
at the test-page aren't logged or stored anywhere so I can't go back and try
them out to look for issues -- I can only go by what (if any) details or
meta-details you can safely offer as feedback.  TIA (if it applies).

--Todd

         
               
          
Subject: 
Re: Automated password appraisal (Re: New feature: Article rating)
Newsgroups: 
lugnet.admin.general
Date: 
Thu, 30 Mar 2000 18:29:30 GMT
Viewed: 
3605 times
  

In lugnet.admin.general, Todd Lehman writes:
In lugnet.admin.general, Larry Pieniazek writes:
Well, joke's on me. The password I thought wasn't so great is not stunning,
but it got a "adequate". Sorry, I can't tell you what it is right now,
though.

A couple questions about its structure...I don't know if you can answer these
but it seems like you could maybe:  Without giving away any hints about what
it was, why did you think it was risky?

If I even say that I can't answer without giving a hint, that's a hint.

Therefore: I can't answer without either giving or not giving away hints as to
what it is. :-(

++Lar

         
               
          
Subject: 
Re: Automated password appraisal (Re: New feature: Article rating)
Newsgroups: 
lugnet.admin.general
Date: 
Thu, 30 Mar 2000 21:14:46 GMT
Highlighted: 
(details)
Viewed: 
3602 times
  

In lugnet.admin.general, Larry Pieniazek writes:
A couple questions about its structure...I don't know if you can answer
these but it seems like you could maybe:  Without giving away any hints
about what it was, why did you think it was risky?

If I even say that I can't answer without giving a hint, that's a hint.

Therefore: I can't answer without either giving or not giving away hints
as to what it is. :-(

Bummer -- that makes me suspect that it really truly is a horrible password
then (as you surmised, and pointed out to your coworker).  Yet it passed,
which makes me nervous.

Welp, if you someday are able to convince your coworker that this particular
password was indeed bad, causing it to get abandoned, I'd love to know what
it was (if that still doesn't hurt your security), so I can see what its
flaw was/is and see if I'm missing something fundamental in the tests.

--Todd

         
               
          
Subject: 
Re: Automated password appraisal (Re: New feature: Article rating)
Newsgroups: 
lugnet.admin.general
Date: 
Thu, 30 Mar 2000 23:29:07 GMT
Highlighted: 
(details)
Viewed: 
3559 times
  

In lugnet.admin.general, Todd Lehman writes:
In lugnet.admin.general, Larry Pieniazek writes:
A couple questions about its structure...I don't know if you can answer
these but it seems like you could maybe:  Without giving away any hints
about what it was, why did you think it was risky?

If I even say that I can't answer without giving a hint, that's a hint.

Therefore: I can't answer without either giving or not giving away hints
as to what it is. :-(

Bummer -- that makes me suspect that it really truly is a horrible password
then (as you surmised, and pointed out to your coworker).  Yet it passed,
which makes me nervous.

Welp, if you someday are able to convince your coworker that this particular
password was indeed bad, causing it to get abandoned, I'd love to know what
it was (if that still doesn't hurt your security), so I can see what its
flaw was/is and see if I'm missing something fundamental in the tests.

I can say this much. It's not your tests. It's the context.

Just like your tests give (hypothetically speaking) Lugnet123 a so so score
because Lugnet isn't a word, but we know that lugnet isn't a very good root for
a password to lugnet because that's the context.

helps?

++Lar

         
               
          
Subject: 
Re: Automated password appraisal (Re: New feature: Article rating)
Newsgroups: 
lugnet.admin.general
Date: 
Thu, 30 Mar 2000 23:35:47 GMT
Highlighted: 
(details)
Viewed: 
3442 times
  

In lugnet.admin.general, Larry Pieniazek writes:
I can say this much. It's not your tests. It's the context.

OK, that helps...that's all I need to know...thanks!


Just like your tests give (hypothetically speaking) Lugnet123 a so so score
because Lugnet isn't a word, but we know that lugnet isn't a very good root
for a password to lugnet because that's the context.

Yup!  (Although "Lugnet" is a word in Swedish, and it finds this.  :)


helps?

Yup!  I don't think I'll lose any sleep over it.

--Todd

        
              
         
Subject: 
Re: Automated password appraisal (Re: New feature: Article rating)
Newsgroups: 
lugnet.admin.general
Date: 
Thu, 30 Mar 2000 19:06:28 GMT
Highlighted: 
(details)
Viewed: 
3570 times
  

On Thu, 30 Mar 2000 12:28:05 GMT "Larry Pieniazek" <lar@voyager.net> wrote
concerning 'Re: Automated password appraisal (Re: New feature: Article rating)':
In lugnet.admin.general, Todd Lehman writes:
In lugnet.admin.general, Todd Lehman writes:
[...]
I'll put this password thingy up on a webpage for people to try out, maybe
later tonight.  If we can all agree that it does a good job of weeding out
bad passwords, then I'll put it into place for where you can actually change
your own password.

OK, here it is:

  http://www.lugnet.com/people/members/pwsa/

Thanks!

Well, joke's on me. The password I thought wasn't so great is not stunning, but
it got an "adequate". Sorry, I can't tell you what it is right now, though.

Handy tool. Appreciate your making it available.

heh, it might be interesting to see a log of the passwords... though
I'm sure that Todd isn't keeping one... :P

Dan

        
              
          
Subject: 
Re: Automated password appraisal (Re: New feature: Article rating)
Newsgroups: 
lugnet.admin.general
Date: 
Thu, 30 Mar 2000 19:26:14 GMT
Viewed: 
3520 times
  

OK, here it is:

  http://www.lugnet.com/people/members/pwsa/

Thanks!

Well, joke's on me. The password I thought wasn't so great is not stunning, but
it got an "adequate". Sorry, I can't tell you what it is right now, though.

dang... I'm terrible... though, i did find one that got a %507... :)
thanks todd, i love this :)

        
              
         
Subject: 
Re: Automated password appraisal (Re: New feature: Article rating)
Newsgroups: 
lugnet.admin.general
Date: 
Thu, 30 Mar 2000 22:04:48 GMT
Highlighted: 
(details)
Viewed: 
3501 times
  

In lugnet.admin.general, Dan Boger writes:
Handy tool. Appreciate your making it available.
heh, it might be interesting to see a log of the passwords... though
I'm sure that Todd isn't keeping one... :P

I really would love to see how the failure, but it's not worth the risk to
log them, just as it's not worth the risk to store raw, non-crypted passwords.

In the end, this can never be perfect, and I'm sure it will end up
accidentally passing some things that it probably shouldn't, but those
things are likely to be pretty darn obscure (like QWERTY<->Dvorak shifts).
No doubt it'll need some manner of common sense applied on top.

--Todd

        
              
         
Subject: 
Re: Automated password appraisal (Re: New feature: Article rating)
Newsgroups: 
lugnet.admin.general
Date: 
Fri, 31 Mar 2000 06:38:50 GMT
Reply-To: 
sgore@IHATESPAMsuperonline.com
Viewed: 
3743 times
  

Wow, your wordlists are just nice. They even know me and my wife..:-)

Selçuk

Todd Lehman wrote:

In lugnet.admin.general, Dan Boger writes:
Handy tool. Appreciate your making it available.
heh, it might be interesting to see a log of the passwords... though
I'm sure that Todd isn't keeping one... :P

I really would love to see how the failure, but it's not worth the risk to
log them, just as it's not worth the risk to store raw, non-crypted passwords.

In the end, this can never be perfect, and I'm sure it will end up
accidentally passing some things that it probably shouldn't, but those
things are likely to be pretty darn obscure (like QWERTY<->Dvorak shifts).
No doubt it'll need some manner of common sense applied on top.

--Todd

        
              
         
Subject: 
Re: Automated password appraisal (Re: New feature: Article rating)
Newsgroups: 
lugnet.admin.general
Date: 
Fri, 31 Mar 2000 06:54:34 GMT
Highlighted: 
(details)
Viewed: 
3717 times
  

In lugnet.admin.general, Selçuk Göre writes:

Wow, your wordlists are just nice. They even know me and my wife..:-)

Cool!  And thanks for checking!

--Todd

       
             
         
Subject: 
Re: Automated password appraisal (Re: New feature: Article rating)
Newsgroups: 
lugnet.admin.general
Date: 
Thu, 30 Mar 2000 15:44:39 GMT
Reply-To: 
WUBWUB@WILDLINKavoidspam.COM
Highlighted: 
(details)
Viewed: 
3507 times
  

"Todd Lehman" <lehman@javanet.com> wrote:

In lugnet.admin.general, Todd Lehman writes:
[...]
I'll put this password thingy up on a webpage for people to try out, maybe
later tonight.  If we can all agree that it does a good job of weeding out
bad passwords, then I'll put it into place for where you can actually change
your own password.

OK, here it is:

  http://www.lugnet.com/people/members/pwsa/



...Hmmm. I dug up old passwords from long dead servers (don't u hate it when u remember
passwords, but not the login id? :-)

...But anyway, I tried '4Gxc5t'... it came back failed but its reasoning was strange...
(try it urself :-) the 'slight risk' ones just baffle me... what's a slight risk about the
fragment 'xc'? I can see a slight risk for 'cst' (central standard time?), but 'agx'?

...Most of the other ones I knew were weak came back failed, but it frequently chided me
for 'slight risk' fragments that don't seem to make sense. The above was the only one that
I would have suspected to get at least an 'adequate' :-/

...I noticed as I tinkered with some of the weak ones and watched the changing reasoning,
perhaps an additional feature would be to list 'good features' of the password. such as
saying "Good: 8 characters" or once it complained that 'unique characters <75%' perhaps say
'good: >75% unique characters'... by watching the positive feedback, it may be possible to
'tune' bad passwords easier.


...you can go back to ignoring me now...

wubwub
stephen f roberts
wamalug guy  (http://wamalug.org)
wildlink.com
lugnet #160

        
              
         
Subject: 
Re: Automated password appraisal (Re: New feature: Article rating)
Newsgroups: 
lugnet.admin.general
Date: 
Thu, 30 Mar 2000 18:02:46 GMT
Highlighted: 
(details)
Viewed: 
3494 times
  

In lugnet.admin.general, Stephen F. Roberts writes:
...But anyway, I tried '4Gxc5t'... it came back failed but its reasoning
was strange... (try it urself :-) the 'slight risk' ones just baffle me...

For one thing, it's being a bit too harsh on numeric->alpha conversions like
4->A and 3->E...it should divide the intermediate results by 2 or something
internally while computing the score after a transformation like that.


what's a slight risk about the fragment 'xc'? I can see a slight risk for
'cst' (central standard time?), but 'agx'?

They might be host name fragments, for example xc.foo.bar.edu or
agx.plonk.com, or AGX might be some acronym.


...Most of the other ones I knew were weak came back failed, but it
frequently chided me for 'slight risk' fragments that don't seem to make
sense. The above was the only one that I would have suspected to get at
least an 'adequate' :-/

I'll try to massage the number->letter conversions into being a little more
lenient in those cases.  But false positives (positive in the medical sense
of testing for something bad) are OK here.  What we don't want is missed
negatives.


...I noticed as I tinkered with some of the weak ones and watched the
changing reasoning, perhaps an additional feature would be to list 'good
features' of the password. such as saying "Good: 8 characters" or once it
complained that 'unique characters <75%' perhaps say 'good: >75% unique
characters'... by watching the positive feedback, it may be possible to
'tune' bad passwords easier.

Ahh, OK.


...you can go back to ignoring me now...

No, thanks for the feedback!

--Todd

       
             
         
Subject: 
Re: Automated password appraisal (Re: New feature: Article rating)
Newsgroups: 
lugnet.admin.general
Date: 
Thu, 30 Mar 2000 16:16:12 GMT
Highlighted: 
(details)
Viewed: 
3514 times
  

I have a suggestion, you may want to test substitute things like "!" as
a substitute for "l" or "i".

Have you thought about vowels being dropped and K/c substitutions. I
have a password which I would consider a worthless password the way you
are scoring them which depends on these two transformations. I'll be
happy to e-mail it to Todd directly if he wants to look at it and
consider how to detect (of course that may start to become hard to ever
find a password, for things like this, the weakness may depend on
context [i.e. what is the account being used for, or what are the
person's interests]).

--
Frank Filz

-----------------------------
Work: mailto:ffilz@us.ibm.com (business only please)
Home: mailto:ffilz@mindspring.com

        
              
         
Subject: 
Re: Automated password appraisal (Re: New feature: Article rating)
Newsgroups: 
lugnet.admin.general
Date: 
Thu, 30 Mar 2000 18:08:57 GMT
Highlighted: 
(details)
Viewed: 
3556 times
  

In lugnet.admin.general, Frank Filz writes:
I have a suggestion, you may want to test substitute things like "!" as
a substitute for "l" or "i".

You mean, change from checking !->i to checking both !->i and !->l ?  (It
does currently check !->i -- did that not work for you in some instance?)


Have you thought about vowels being dropped and K/c substitutions.

Good idea!


I have a password which I would consider a worthless password the way you
are scoring them which depends on these two transformations. I'll be
happy to e-mail it to Todd directly if he wants to look at it and
consider how to detect

Lemme see about the above suggestions and then you can try it again later
without having to email it...


(of course that may start to become hard to ever
find a password, for things like this, the weakness may depend on
context [i.e. what is the account being used for, or what are the
person's interests]).

Well, in the end, the checker is doing more of a "randomness evaluation"
than anything else.  Memorability and practicality aside, the best passwords
are those which are close to being truly random and far away from being
generateable by looping or cracking algorithms.  So the trick is to find
a password which is still memorable and typeable while being randomish
enough.

--Todd

        
              
          
Subject: 
Re: Automated password appraisal (Re: New feature: Article rating)
Newsgroups: 
lugnet.admin.general
Date: 
Thu, 30 Mar 2000 18:23:05 GMT
Highlighted: 
(details)
Viewed: 
3544 times
  

Todd Lehman wrote:

In lugnet.admin.general, Frank Filz writes:
I have a suggestion, you may want to test substitute things like "!" as
a substitute for "l" or "i".

You mean, change from checking !->i to checking both !->i and !->l ?  (It
does currently check !->i -- did that not work for you in some instance?)

Ah, checked again, it didn't detect "7!" as a mapping for "li", but did
detect "7i" as "li". It did reject both passwords though, but it had a
lot fewer problems with the "7!" version, and the level changed from
"worthless" to "weak". Interestingly, it didn't detect the word that I
used, but a bunch of sub words.

What is good I guess is that the passwords that I did create as sort of
"random" passwords both pass (though only one of them do I use enough to
remember it).

I guess I need to reconsider my passwords (it's just that at work we
have to change our passwords every 6 months which makes it a pain).
There has to be some way to have memorable passwords which are decently
secure, and some way to deal with the fact that these days you can have
tens if not hundreds of logins.

--
Frank Filz

-----------------------------
Work: mailto:ffilz@us.ibm.com (business only please)
Home: mailto:ffilz@mindspring.com

        
              
         
Subject: 
Re: Automated password appraisal (Re: New feature: Article rating)
Newsgroups: 
lugnet.admin.general
Date: 
Thu, 30 Mar 2000 21:03:49 GMT
Highlighted: 
! (details)
Viewed: 
3578 times
  

In lugnet.admin.general, Todd Lehman writes:
Have you thought about vowels being dropped and K/c substitutions.
Good idea!

Hmmm...not sure how to go about doing this...  The way the checker achieves
its speed is by looking up all substrings in its dictionary rather than
passing every single dictionary word over all substrings (which could take
hours).  So, for example, in order to find a match on something like "lgsstm"
("lego system" minus vowels), it would either have to know exactly which
letters you dropped (in which case the lookup would be speedy) or it would
have to examine millions of permutations of each vowel in each position (in
which case it would be excruciatingly slow) and it might even find whole
bunches of unwanted matches -- for example "leagues steamy" matching
"lgsstm" when all you meant was "lego system", or "mound mayor angie" or
"money dime ring" matching "mndmrng" when all you meant was "mondaymorning".

I don't mean to say it's not a good idea to check (I think it is a good idea,
just as a diagnostic for people) -- I just don't know how to do it quickly
and efficiently without some really big iron.

--Todd

        
              
         
Subject: 
Re: Automated password appraisal (Re: New feature: Article rating)
Newsgroups: 
lugnet.admin.general
Date: 
Fri, 31 Mar 2000 00:33:13 GMT
Highlighted: 
(details)
Viewed: 
3555 times
  

In lugnet.admin.general, Todd Lehman writes:
In lugnet.admin.general, Todd Lehman writes:
Have you thought about vowels being dropped and K/c substitutions.
Good idea!

Hmmm...not sure how to go about doing this...  The way the checker achieves
its speed is by looking up all substrings in its dictionary rather than
passing every single dictionary word over all substrings (which could take
hours).  So, for example, in order to find a match on something like "lgsstm"
("lego system" minus vowels), it would either have to know exactly which
letters you dropped (in which case the lookup would be speedy) or it would
have to examine millions of permutations of each vowel in each position (in
which case it would be excruciatingly slow) and it might even find whole
bunches of unwanted matches -- for example "leagues steamy" matching
"lgsstm" when all you meant was "lego system", or "mound mayor angie" or
"money dime ring" matching "mndmrng" when all you meant was "mondaymorning".

I don't mean to say it's not a good idea to check (I think it is a good idea,
just as a diagnostic for people) -- I just don't know how to do it quickly
and efficiently without some really big iron.

--Todd

The way I've done something similar in the past is to create a larger
dictionary: create a temp file with all words having their vowels removed, and
do the c/k mutations too, if desired.  Sort and remove duplicate entries.
Finally, merge back into the original dictionary.  This makes the dictionary
much larger, of course.  I wasn't using one as large as yours already seems to
be, but it might still work.

If the size gets too unwieldy, an alternative might be to just use the temp
file you created above AS the dictionary.  Preprocess the submitted passwords
to remove vowels from them as well.  It doesn't matter that there are dozens
or more possible ways that a word with its vowels removed could have come
from.  Any word that would have been rejected would still be rejected, but
some otherwise 'good' words will now also be tagged as bad.  Eg: reversing the
vowels on a word might have been a good password before, but is useless
now.  "Airuke" vs "Eurika" -- both become simply 'rk', illustrating what looks
to be a possible flaw: the passwords look shorter.  Though this isn't really a
problem, since the user still needs to type all the letters anyway.  What this
lacks is a simple way of telling the user which words his password choice
collided with.  Not a big deal, IMO.

Actually I assume you already do *something* like this: do you reduce all
passwords to lower case, and have your dictionary in all lower case?  This
would make sense to do.  Is a word with random caPitAliZatiON that much more
secure than the same word in one of the three 'normal' senses?  (Capitalized,
capitalized, CAPITALIZED)

In any case, the idea is to find passwords that aren't good.  The explanations
of why they aren't is secondary.

--
  David Schilling

        
              
         
Subject: 
Re: Automated password appraisal (Re: New feature: Article rating)
Newsgroups: 
lugnet.admin.general
Date: 
Fri, 31 Mar 2000 00:50:58 GMT
Highlighted: 
(details)
Viewed: 
3570 times
  

In lugnet.admin.general, David Schilling writes:
I don't mean to say it's not a good idea to check (I think it is a good
idea, just as a diagnostic for people) -- I just don't know how to do it
quickly and efficiently without some really big iron.

The way I've done something similar in the past is to create a larger
dictionary: create a temp file with all words having their vowels removed,
and do the c/k mutations too, if desired.  Sort and remove duplicate
entries.  Finally, merge back into the original dictionary.

OK, so work it backwards, IOW.  Cool.  That sounds doable, and wouldn't even
increase the time it took to evaluate pw's by more than the tiniest percent.


This makes the
dictionary much larger, of course.  I wasn't using one as large as yours
already seems to be, but it might still work.

Well, if the dictionary grows from 2.7 million to 3.5 million entries,
that's OK -- it won't slow down probing since it already hits the disk on
almost every probe, and the dictionary DB is only ~30MB.


[...]
Actually I assume you already do *something* like this: do you reduce all
passwords to lower case, and have your dictionary in all lower case?
This would make sense to do.

Yup!


Is a word with random caPitAliZatiON that much more
secure than the same word in one of the three 'normal' senses?
(Capitalized, capitalized, CAPITALIZED)

Well, I guess a long word like that, assuming equal probability (1/2) on
each letter, would be 2^14 / 3 = ~5000 times more secure than the three
canonical cases?  (Speaking only from a brute-force attack standpoint.)


In any case, the idea is to find passwords that aren't good.  The
explanations of why they aren't is secondary.

Roit!  OK, thanks for the insights...it's just a couple one-liners to add
these permutations (er, removals)...

--Todd

       
             
         
Subject: 
Re: Automated password appraisal (Re: New feature: Article rating)
Newsgroups: 
lugnet.admin.general
Date: 
Thu, 30 Mar 2000 16:30:51 GMT
Highlighted: 
! (details)
Viewed: 
3510 times
  

In lugnet.admin.general, Todd Lehman writes:

First important question:

  Are there any bad passwords which this fails to reject?  (If it rejects
  a seemingly good password, that's not necessarily a problem.  Failing to
  reject a bad password is a far more serious problem.)

It allows: a1b2c3, but fails 1a2b3c, I thought it would (and probably does)
check for numeric sequences?


Second important question:

  Are there words that you can think of which this fails to detect as
  potential weaknesses?  (Try to stump it!)

It fails: LL-918 as worthless, but gives LL-928 an excellent :) Maybe you
should add lots of LEGO set names and abbreviations? EG RBR, SES, etc?

Also, my LUGNET password got a bravissimo, and all the passwords I normally use
were worthless :)

squiff9 worked, probably because squiff isn't a word. but people do make up
words.. so if there was a way to check if the words conform to spelling rules?
Did you enter 'fibblesnork' to the DB? I couldn't get that to work even with
slight mutilation :)

As an aside, would you actually allow someone to brute-force hack into a LUGNET
account? Or disable the account for X hours automatically after Y fails? If Y
was 5 or something else low, then the possibility of brute-force hacks is
significantly reduced?

Richard

        
              
         
Subject: 
Re: Automated password appraisal (Re: New feature: Article rating)
Newsgroups: 
lugnet.admin.general
Date: 
Thu, 30 Mar 2000 19:26:54 GMT
Highlighted: 
(details)
Viewed: 
3486 times
  

On Thu, 30 Mar 2000 16:30:51 GMT "Richard Franks" <spontificus@yahoo.com> wrote
concerning 'Re: Automated password appraisal (Re: New feature: Article rating)':
In lugnet.admin.general, Todd Lehman writes:
Also, my LUGNET password got a bravissimo, and all the passwords I normally use
were worthless :)

heh, my lugnet password came up weak (FAIL)... my personal password
came up ok (like 150%) and my root password came up 300% :)

As an aside, would you actually allow someone to brute-force hack into a LUGNET
account? Or disable the account for X hours automatically after Y fails? If Y
was 5 or something else low, then the possibility of brute-force hacks is
significantly reduced?

definitely - disable for 30 minutes after 5 failed attempts, counting a
bad cookie as an attempt...

:)

Dan

        
              
         
Subject: 
Re: Automated password appraisal (Re: New feature: Article rating)
Newsgroups: 
lugnet.admin.general
Date: 
Thu, 30 Mar 2000 23:29:10 GMT
Highlighted: 
(details)
Viewed: 
3321 times
  

In lugnet.admin.general, Dan Boger writes:

As an aside, would you actually allow someone to brute-force hack into a
LUGNET account? Or disable the account for X hours automatically after Y
fails? If Y was 5 or something else low, then the possibility of brute-force
hacks is significantly reduced?

definitely - disable for 30 minutes after 5 failed attempts, counting a
bad cookie as an attempt...

You could make it stricter I think, send out an email warning with a code# to
the member, and block access until they have replied. You could either use the
code# to automate unblocking the account, or as part of a manual check. The
code# would prevent the potential hacker from forging the member's email
address. Mind you, if the hacker had hacked into the mail account, then they
could unblock it that way. The mail account would probably be easier to hack
into than LUGNET anyway ;-)

Richard
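
The lockout rule from the two posts above, as an added Python sketch (not LUGNET's code and not posted by anyone in this thread). It assumes the 30-minute lock after 5 failures is combined with the emailed code# as an early unlock; the `LoginGuard` class, its method names and the injected clock are hypothetical.

```python
import hmac
import secrets

MAX_FAILURES = 5          # "after 5 failed attempts"
LOCK_SECONDS = 30 * 60    # "disable for 30 minutes"


class LoginGuard:
    """Tracks failed sign-ins per account and locks the account when needed."""

    def __init__(self, clock):
        self.clock = clock        # callable returning the current time in seconds
        self.failures = {}        # user -> consecutive failures
        self.locked_until = {}    # user -> time at which the lock expires
        self.unlock_codes = {}    # user -> code# that was emailed to the member

    def _clear(self, user):
        for table in (self.failures, self.locked_until, self.unlock_codes):
            table.pop(user, None)

    def is_locked(self, user):
        until = self.locked_until.get(user)
        if until is None:
            return False
        if self.clock() >= until:     # lock has expired: start from a clean slate
            self._clear(user)
            return False
        return True

    def record_failure(self, user):
        """Call for a wrong password or a bad cookie.

        Returns the code# to email to the member when this failure triggers
        the lock, otherwise None.
        """
        if self.is_locked(user):
            return None               # already locked: do not extend or re-issue
        self.failures[user] = self.failures.get(user, 0) + 1
        if self.failures[user] < MAX_FAILURES:
            return None
        self.locked_until[user] = self.clock() + LOCK_SECONDS
        code = secrets.token_urlsafe(16)   # unguessable, so it cannot be forged
        self.unlock_codes[user] = code
        return code

    def record_success(self, user):
        """Call after correct credentials; returns False while the lock holds."""
        if self.is_locked(user):
            return False
        self.failures.pop(user, None)
        return True

    def redeem_code(self, user, code):
        """Unlock early when the member returns the emailed code# (single use)."""
        expected = self.unlock_codes.get(user)
        if expected is None:
            return False
        if not hmac.compare_digest(expected.encode(), code.encode()):
            return False
        self._clear(user)
        return True
```

Correct credentials are refused while the lock holds, so guessing during the lock window gains nothing; the trade-off is that anyone can lock a member out for 30 minutes by failing five times on purpose.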

       
             
         
Subject: 
Re: Automated password appraisal (Re: New feature: Article rating)
Newsgroups: 
lugnet.admin.general
Date: 
Thu, 30 Mar 2000 17:15:57 GMT
Highlighted: 
(details)
Viewed: 
3743 times
  

Todd:

   http://www.lugnet.com/people/members/pwsa/

First important question:

   Are there any bad passwords which this fails to reject?  (If it rejects
   a seemingly good password, that's not necessarily a problem.  Failing to
   reject a bad password is a far more serious problem.)

Grasp your French MacKeyboard. Start with the 'a' (upper
left letter), next you go one up to the '&', then you go one
right to 'é', one down to 'z', one right to 'e', one up to
'"' (double quote), one left to ''' (single quote), and
finally one down to 'r'.

   a&éze"'r

is a very easy to type password (and maybe I shouldn't have
revealed it here).

Second important question:

   Are there words that you can think of which this fails to detect as
   potential weaknesses?  (Try to stump it!)

Legoland translated one row down and slightly to the left
(on a US MacKeyboard) is

   <svk,` x

which isn't all that bad a password.

I don't know if this really is a bad password, but I
couldn't resist trying it:

   2x4=3001

Another lost password choosing algorithm :-(

Non-English words containing characters outside of the strict 7-bit ASCII
character set are not yet handled (detected) properly.  This is because the
original word lists for those languages encoded these non-ASCII extended
characters using double-byte sequences which I haven't yet figured out how
to decode.  (Some are simple and obvious, for example :a for umlaut-a, or
/o for slash-o, but others, like curly braces and angle brackets, are still
mystifying.  There was no decoding documentation available with the source
files (or else I missed it somehow) but if a few people are willing to have
a look at a few examples in each language, we can probably figure it out
pretty quickly.  (I'll double-check again for decoding docs first.)

I wouldn't mind having a look. I don't know if you have a
copy of "my" wordlists [1,2].

Play well,

Jacob

1) <URL: http://www.sslug.dk/locale/ispell/autobuild/ >
2) <URL: http://hugin.ldraw.org/ifaroese/autobuild/ >

------------------------------------------------------------
--  E-mail:               sparre@cats.nbi.dk              --
--  Web...:       <URL: http://www.ldraw.org/FAQ/ >       --
------------------------------------------------------------

        
              
          
Subject: 
Re: Automated password appraisal (Re: New feature: Article rating)
Newsgroups: 
lugnet.admin.general
Date: 
Thu, 30 Mar 2000 19:16:26 GMT
Highlighted: 
(details)
Viewed: 
3575 times
  

In lugnet.admin.general, Jacob Sparre Andersen writes:
Grasp your French MacKeyboard. Start with the 'a' (upper
left letter), next you go one up to the '&', then you go one
right to 'é', one down to 'z', one right to 'e', one up to
'"' (double quote), one left to ''' (single quote), and
finally one down to 'r'.

   a&éze"'r

is a very easy to type password (and maybe I shouldn't have
revealed it here).

It catches the isomorphic QWERTY instance of this ("q12we34r") but I'd love
to add xy-tables for Dvorak and non-US keyboards.  Any data pointers?


Legoland translated one row down and slightly to the left
(on a US MacKeyboard) is

  <svk,` x

which isn't all that bad a password.

That's a sneaky one!  :)


I don't know if this really is a bad password, but I
couldn't resist trying it:

  2x4=3001

Another lost password choosing algorithm :-(

Ooh -- I'd better make sure that it dislikes [0-9]+[xX][0-9]+ and [0-9]{4} .


I wouldn't mind having a look.

OK, thanks -- I'll email you...


I don't know if you have a copy of "my" wordlists [1,2].
1) <URL: http://www.sslug.dk/locale/ispell/autobuild/ >
2) <URL: http://hugin.ldraw.org/ifaroese/autobuild/ >

Ahh, splendid!

--Todd

         
               
          
Subject: 
Re: Automated password appraisal (Re: New feature: Article rating)
Newsgroups: 
lugnet.admin.general
Date: 
Thu, 30 Mar 2000 19:20:39 GMT
Viewed: 
3612 times
  

In lugnet.admin.general, Todd Lehman writes:

It catches the isomorphic QWERTY instance of this ("q12we34r") but I'd love
to add xy-tables for Dvorak and non-US keyboards.  Any data pointers?

I could probably write one for hebrew keyboard, if you want... what format do
you want it?

:)

Dan

         
               
          
Subject: 
Re: Automated password appraisal (Re: New feature: Article rating)
Newsgroups: 
lugnet.admin.general
Date: 
Fri, 31 Mar 2000 02:20:34 GMT
Viewed: 
3705 times
  

In lugnet.admin.general, Dan Boger writes:
It catches the isomorphic QWERTY instance of this ("q12we34r") but I'd love
to add xy-tables for Dvorak and non-US keyboards.  Any data pointers?

I could probably write one for hebrew keyboard, if you want... what format
do you want it?

Cool!  OK, how about like this:

------------------------------------------------------
QWERTY

0 0 ~!@#$%^&*()_+
0 0 `1234567890-=

1 1 QWERTYUIOP{}|
1 1 qwertyuiop[]\

2 1 ASDFGHJKL:"
2 1 asdfghjkl;'

3 1 ZXCVBNM<>?
3 1 zxcvbnm,./
------------------------------------------------------

TIA!
--Todd
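
A parser for the xy-table format proposed above, with two checks built on it, as an added Python example (not the checker's own code and not posted by anyone in this thread). It assumes the two leading numbers are the row index and the column of the row's first key, and that the first line of each pair is the shifted layer; the function names are hypothetical.

```python
QWERTY_TABLE = r"""
0 0 ~!@#$%^&*()_+
0 0 `1234567890-=

1 1 QWERTYUIOP{}|
1 1 qwertyuiop[]\

2 1 ASDFGHJKL:"
2 1 asdfghjkl;'

3 1 ZXCVBNM<>?
3 1 zxcvbnm,./
"""


def parse_xy_table(text):
    """Return (pos, keys): char -> (row, col, shifted) and the inverse map."""
    pos, keys, seen_rows = {}, {}, set()
    for line in text.splitlines():
        if not line.strip():
            continue
        row_s, offset_s, chars = line.strip().split(None, 2)
        row, offset = int(row_s), int(offset_s)
        shifted = row not in seen_rows   # assumption: shifted layer comes first
        seen_rows.add(row)
        for i, ch in enumerate(chars):
            pos[ch] = (row, offset + i, shifted)
            keys[(row, offset + i, shifted)] = ch
    return pos, keys


def walk_fraction(password, pos):
    """Fraction of consecutive characters typed on the same or adjacent keys."""
    pairs = list(zip(password, password[1:]))
    if not pairs:
        return 0.0
    near = 0
    for a, b in pairs:
        if a in pos and b in pos:
            (r1, c1, _), (r2, c2, _) = pos[a], pos[b]
            if abs(r1 - r2) <= 1 and abs(c1 - c2) <= 1:
                near += 1
    return near / len(pairs)


def shift_keys(text, drow, dcol, pos, keys):
    """Move every key by (drow, dcol); None if any key leaves the table."""
    out = []
    for ch in text:
        if ch not in pos:
            return None
        row, col, shifted = pos[ch]
        moved = keys.get((row + drow, col + dcol, shifted))
        if moved is None:
            return None
        out.append(moved)
    return "".join(out)


def shifted_words(password, words, pos, keys, min_len=4):
    """Find substrings that become dictionary words after a one-key shift."""
    hits = set()
    for drow in (-1, 0, 1):
        for dcol in (-1, 0, 1):
            if (drow, dcol) == (0, 0):
                continue
            for start in range(len(password)):
                for end in range(start + min_len, len(password) + 1):
                    moved = shift_keys(password[start:end], drow, dcol, pos, keys)
                    if moved and moved.lower() in words:
                        hits.add((moved, drow, dcol))
    return sorted(hits)


POS, KEYS = parse_xy_table(QWERTY_TABLE)

if __name__ == "__main__":
    print(walk_fraction("q12we34r", POS))                  # keyboard walk
    print(shifted_words("<svk,` x", {"lego"}, POS, KEYS))  # shifted word
```

On this table the back-tick and the space bar sit where the shift cannot reach them, so only the "<svk" prefix of the shifted Legoland example is recovered; a table for the keyboard actually used would be needed to undo the whole string.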

         
               
          
Subject: 
Re: Automated password appraisal (Re: New feature: Article rating)
Newsgroups: 
lugnet.admin.general
Date: 
Fri, 31 Mar 2000 02:26:07 GMT
Viewed: 
3726 times
  

Todd Lehman wrote:

In lugnet.admin.general, Dan Boger writes:
It catches the isomorphic QWERTY instance of this ("q12we34r") but I'd love
to add xy-tables for Dvorak and non-US keyboards.  Any data pointers?

I could probably write one for hebrew keyboard, if you want... what format
do you want it?

Cool!  OK, how about like this:

------------------------------------------------------
QWERTY

0 0 ~!@#$%^&*()_+
0 0 `1234567890-=

1 1 QWERTYUIOP{}|
1 1 qwertyuiop[]\

2 1 ASDFGHJKL:"
2 1 asdfghjkl;'

3 1 ZXCVBNM<>?
3 1 zxcvbnm,./

hmmm... I guess I wasn't thinking when I posted... the english part of
the Hebrew keyboard is exactly the same as the US one...  The hebrew
part of it, cannot really be expressed in ASCII, so I guess my offer was
meaningless...  sorry...  Unless you can think of a way to make use of
it?  do you have any kind of hebrew words list?  ;)

btw, I just ran across a ftp collection of dictionaries in a lot of
languages - you interested in that?  I'm going to use it to try and
crack my users' passwords - since most of them are foreign, the english
dict doesn't do much anymore...  ;)

Dan

         
               
           
Subject: 
Re: Automated password appraisal (Re: New feature: Article rating)
Newsgroups: 
lugnet.admin.general
Date: 
Fri, 31 Mar 2000 02:32:00 GMT
Viewed: 
3987 times
  

In lugnet.admin.general, Dan Boger writes:
btw, I just ran across a ftp collection of dictionaries in a lot of
languages - you interested in that?  [...]

Sure!  If it's not the one at Oxford[1] University, pls. send URL!  :)

--Todd

[1] I always think that looks like a hex number :)

          
                
           
Subject: 
Re: Automated password appraisal (Re: New feature: Article rating)
Newsgroups: 
lugnet.admin.general
Date: 
Fri, 31 Mar 2000 02:49:35 GMT
Viewed: 
3883 times
  

Todd Lehman wrote:

In lugnet.admin.general, Dan Boger writes:
btw, I just ran across a ftp collection of dictionaries in a lot of
languages - you interested in that?  [...]

Sure!  If it's not the one at Oxford[1] University, pls. send URL!  :)

ftp://sable.ox.ac.uk/pub/wordlists/

:)

Dan

          
                
           
Subject: 
Re: Automated password appraisal (Re: New feature: Article rating)
Newsgroups: 
lugnet.admin.general
Date: 
Sat, 1 Apr 2000 06:21:50 GMT
Viewed: 
3971 times
  

In lugnet.admin.general, Dan Boger writes:
Todd Lehman wrote:
In lugnet.admin.general, Dan Boger writes:
btw, I just ran across a ftp collection of dictionaries in a lot of
languages - you interested in that?  [...]

Sure!  If it's not the one at Oxford[1] University, pls. send URL!  :)

ftp://sable.ox.ac.uk/pub/wordlists/

Yup -- those are the ones from Oxford!  Great lists!!!

--Todd

         
               
          
Subject: 
Re: Automated password appraisal (Re: New feature: Article rating)
Newsgroups: 
lugnet.admin.general
Date: 
Fri, 31 Mar 2000 03:04:55 GMT
Viewed: 
3775 times
  

In lugnet.admin.general, Dan Boger writes:
hmmm... I guess I wasn't thinking when I posted... the english part of
the Hebrew keyboard is exactly the same as the US one...  The hebrew
part of it, cannot really be expressed in ASCII, so I guess my offer was
meaningless...  sorry...  Unless you can think of a way to make use of
it?  do you have any kind of hebrew words list?  ;)

LOL... that reminds me. My sis used to use a password for this game we had,
she was just 4 and needed something she could remember, when all she knew to
write was her name. But she didn't want something SO obvious (never mind that
I helped her choose the password, and there was no one around to break into it
but me ;) so she chose the english letters that are actually (on the keyboard)
the hebrew spelling of the word... IOW, her password was a four letter
gibberish in english but if you retyped it with the language set to hebrew
you'd get her name.

So, I guess foreigners can use foreign language things... but I guess that
doesn't help Todd whatsoever :-/

-Shiri

        
              
         
Subject: 
Re: Automated password appraisal (Re: New feature: Article rating)
Newsgroups: 
lugnet.admin.general
Date: 
Thu, 30 Mar 2000 22:42:11 GMT
Highlighted: 
(details)
Viewed: 
3445 times
  

In lugnet.admin.general, Todd Lehman writes:
I don't know if this really is a bad password, but I
couldn't resist trying it:

  2x4=3001

Another lost password choosing algorithm :-(

Ooh -- I'd better make sure that it dislikes [0-9]+[xX][0-9]+ and [0-9]{4} .

OK, try that again now.  Seeing that this site is LEGO-related, it's best to
treat "x" and "X" as part of numeric stuff.  In fact there are many other
things besides 'x' and '=' which are numeric-related.  :-o

It now very much dislikes numerical and/or mathematical substrings (the longer
the worse) consisting of two or more of the following characters:

   0 1 2 3 4 5 6 7 8 9 : . , + - * / x X # % < = > $ ¢ £ ¤ ¥

--Todd

        
              
          
Subject: 
Re: Automated password appraisal (Re: New feature: Article rating)
Newsgroups: 
lugnet.admin.general
Date: 
Fri, 31 Mar 2000 00:15:31 GMT
Highlighted: 
(details)
Viewed: 
3436 times
  

On Thu, 30 Mar 2000 22:42:11 GMT, Todd Lehman <lehman@javanet.com> wrote:

In lugnet.admin.general, Todd Lehman writes:
I don't know if this really is a bad password, but I
couldn't resist trying it:

  2x4=3001

Another lost password choosing algorithm :-(

Ooh -- I'd better make sure that it dislikes [0-9]+[xX][0-9]+ and [0-9]{4} .

OK, try that again now.  Seeing that this site is LEGO-related, it's best to
treat "x" and "X" as part of numeric stuff.  In fact there are many other
things besides 'x' and '=' which are numeric-related.  :-o

It now very much dislikes numerical and/or mathematical substrings (the longer
the worse) consisting of two or more of the following characters:

  0 1 2 3 4 5 6 7 8 9 : . , + - * / x X # % < = > $ ¢ £ ¤ ¥

--Todd

You might want to add ^ for exponentiation.  I just posted a list of passwords
that passed, including 4 variations of the Theory of Relativity.

Rob

-

Rob Farver - mailto:rfarver@rcn.com
             http://www.farver.com/lego/
             http://members.ebay.com/aboutme/rfarver

         
               
          
Subject: 
Re: Automated password appraisal (Re: New feature: Article rating)
Newsgroups: 
lugnet.admin.general
Date: 
Fri, 31 Mar 2000 00:24:51 GMT
Viewed: 
3525 times
  

In lugnet.admin.general, Robert Farver writes:
the worse) consisting of two or more of the following characters:

  0 1 2 3 4 5 6 7 8 9 : . , + - * / x X # % < = > $ ¢ £ ¤ ¥

You might want to add ^ for exponentiation.  I just posted a list of passwords
that passed, including 4 variations of the Theory of Relativity.

Ah yes!

--Todd
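The substring rule discussed in this exchange, sketched as an added example (not the checker's own code): it finds runs of two or more characters from the quoted set and compares the result with the two narrower patterns from the first fix. The squared-length penalty and the function names are assumptions; the thread only says "the longer the worse".

```python
import re

# Character set quoted in the thread above. "x" and "X" are included because
# LEGO dimensions such as 2x4 read as numbers on this site.
NUMERIC_CHARS = "0123456789:.,+-*/xX#%<=>$¢£¤¥"

# The two narrower patterns from the first fix, kept for comparison.
FIRST_FIX = [re.compile(r"[0-9]+[xX][0-9]+"), re.compile(r"[0-9]{4}")]


def numeric_runs(password, chars=NUMERIC_CHARS, min_len=2):
    """Return every maximal run of at least `min_len` characters from `chars`."""
    pattern = "[" + re.escape(chars) + "]{" + str(min_len) + ",}"
    return re.findall(pattern, password)


def numeric_penalty(password, chars=NUMERIC_CHARS):
    """Assumed scoring: each run costs its length squared (longer is worse)."""
    return sum(len(run) ** 2 for run in numeric_runs(password, chars))


def caught_by_first_fix(password):
    """True if either of the two original regexes matches anywhere."""
    return any(p.search(password) for p in FIRST_FIX)


def report(passwords, chars=NUMERIC_CHARS):
    """One row per password: (password, first-fix hit, runs, penalty)."""
    return [
        (pw, caught_by_first_fix(pw), numeric_runs(pw, chars),
         numeric_penalty(pw, chars))
        for pw in passwords
    ]


# Passwords quoted elsewhere in this thread, plus one constructed case
# ("ab3x7cd") of an "x" that merely happens to sit between two digits.
SAMPLES = ["2x4=3001", "06/15/72", "UCCart8-9", "NASD15a-6", "e=mc^2", "ab3x7cd"]

if __name__ == "__main__":
    for label, chars in (("quoted set", NUMERIC_CHARS),
                         ("quoted set plus ^", NUMERIC_CHARS + "^")):
        print(label)
        for pw, old_hit, runs, penalty in report(SAMPLES, chars):
            print(f"  {pw:<10} first-fix={old_hit!s:<5} runs={runs} penalty={penalty}")
```

Passing the character set as a parameter lets a site without LEGO-style dimensions drop "x" and "X" and avoid the false positive on passwords like the last sample.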

         
               
          
Subject: 
Re: Automated password appraisal (Re: New feature: Article rating)
Newsgroups: 
lugnet.admin.general
Date: 
Fri, 31 Mar 2000 07:07:52 GMT
Reply-To: 
(sgore@)AvoidSpam(superonline.com)
Highlighted: 
(details)
Viewed: 
3774 times
  

By the way, for the special characters, it knows what "selcuk" is but
doesn't know the "selçuk", which is actually the correct form. Do you
want any Turkish wordlists?

Selçuk

Todd Lehman wrote:

In lugnet.admin.general, Robert Farver writes:
the worse) consisting of two or more of the following characters:

  0 1 2 3 4 5 6 7 8 9 : . , + - * / x X # % < = > $ ¢ £ ¤ ¥

You might want to add ^ for exponentiation.  I just posted a list of passwords
that passed, including 4 variations of the Theory of Relativity.

Ah yes!

--Todd

         
               
          
Subject: 
Re: Automated password appraisal (Re: New feature: Article rating)
Newsgroups: 
lugnet.admin.general
Date: 
Fri, 31 Mar 2000 07:16:53 GMT
Viewed: 
3791 times
  

In lugnet.admin.general, Selçuk Göre writes:
By the way, for the special characters, it knows what "selcuk" is but
doesn't know the "selçuk", which is actually the correct form.

I haven't decoded the ASCII+127 yet on those...sorry.


Do you want any Turkish wordlists?

I would love them, if you have any in their native ISO-8859-# encoding.

--Todd

        
              
         
Subject: 
Re: Automated password appraisal (Re: New feature: Article rating)
Newsgroups: 
lugnet.admin.general
Date: 
Fri, 31 Mar 2000 02:10:46 GMT
Viewed: 
3573 times
  

Todd Lehman wrote in message ...
In lugnet.admin.general, Todd Lehman writes:
I don't know if this really is a bad password, but I
couldn't resist trying it:

  2x4=3001

Another lost password choosing algorithm :-(

Ooh -- I'd better make sure that it dislikes [0-9]+[xX][0-9]+ and [0-9]{4} .

OK, try that again now.  Seeing that this site is LEGO-related, it's best to
treat "x" and "X" as part of numeric stuff.  In fact there are many other
things besides 'x' and '=' which are numeric-related.  :-o

It now very much dislikes numerical and/or mathematical substrings (the longer
the worse) consisting of two or more of the following characters:

  0 1 2 3 4 5 6 7 8 9 : . , + - * / x X # % < = > $ ¢ £ ¤ ¥


Waahh, now it hates one of my passwords...

Hm, would you consider parameterizing some of the things (or is the code
something easily portable)? I'd like to check passwords for all sorts of
things, and the bias against numeric equations may not always be appropriate
(the password that just went from good to bad was not at all intended to be
an equation, it just happens to have an x between two numbers).

Frank

        
              
          
Subject: 
Re: Automated password appraisal (Re: New feature: Article rating)
Newsgroups: 
lugnet.admin.general
Date: 
Fri, 31 Mar 2000 02:27:18 GMT
Viewed: 
3627 times
  

Frank Filz wrote in message ...

Todd Lehman wrote in message ...
In lugnet.admin.general, Todd Lehman writes:
I don't know if this really is a bad password, but I
couldn't resist trying it:

  2x4=3001

Another lost password choosing algorithm :-(

Ooh -- I'd better make sure that it dislikes [0-9]+[xX][0-9]+ and [0-9]{4} .

OK, try that again now.  Seeing that this site is LEGO-related, it's best to
treat "x" and "X" as part of numeric stuff.  In fact there are many other
things besides 'x' and '=' which are numeric-related.  :-o

It now very much dislikes numerical and/or mathematical substrings (the longer
the worse) consisting of two or more of the following characters:

  0 1 2 3 4 5 6 7 8 9 : . , + - * / x X # % < = > $ ¢ £ ¤ ¥


Waahh, now it hates one of my passwords...

Hm, would you consider parameterizing some of the things (or is the code
something easily portable)? I'd like to check passwords for all sorts of
things, and the bias against numeric equations may not always be appropriate
(the password that just went from good to bad was not at all intended to be
an equation, it just happens to have an x between two numbers).


Thought of another reason to allow parameters or options to the checker...
Some systems have restrictions on length of password, some systems are not
case sensitive, some systems may not allow non-alpha-numeric characters, and
some systems may have requirements of having numeric and alpha in certain
positions or not in certain positions.

Frank

        
              
         
Subject: 
Re: Automated password appraisal (Re: New feature: Article rating)
Newsgroups: 
lugnet.admin.general
Date: 
Sat, 1 Apr 2000 05:56:01 GMT
Viewed: 
3771 times
  

In lugnet.admin.general, Frank Filz writes:
Hm, would you consider parameterizing some of the things (or is the code
something easily portable)? I'd like to check passwords for all sorts of
things, and the bias against numeric equations may not always be appropriate
(the password that just went from good to bad was not at all intended to be
an equation, it just happens to have an x between two numbers).

Down the road prolly...  Gotta get this cut over ASAP and get the pages
stuff finished up...  Did it give you enough flexibility that you could
find something it liked that you could use?  (That's its only real purpose,
even if it happens to be fun or useful out of context.  :)

--Todd

       
             
         
Subject: 
Re: Automated password appraisal (Re: New feature: Article rating)
Newsgroups: 
lugnet.admin.general
Date: 
Thu, 30 Mar 2000 17:32:25 GMT
Viewed: 
3518 times
  

In lugnet.admin.general, Todd Lehman writes:

<pw checker, play away... some design notes>

Played with it some more and I am not sure I totally trust it.

It thinks MT-5561 is a GREAT password and LEGOSystem4558 is a really bad one.

I'm happy to report that it liked d*l6zpv9wl%cl though. Right now I am trying
to come up with one that the CPU consumed is over 1 sec... :-)

++Lar

        
              
         
Subject: 
Re: Automated password appraisal (Re: New feature: Article rating)
Newsgroups: 
lugnet.admin.general
Date: 
Thu, 30 Mar 2000 22:47:29 GMT
Viewed: 
3350 times
  

On Thu, 30 Mar 2000 17:32:25 GMT, "Larry Pieniazek" <lar@voyager.net> wrote:

In lugnet.admin.general, Todd Lehman writes:

<pw checker, play away... some design notes>

Played with it some more and I am not sure I totally trust it.

It thinks MT-5561 is a GREAT password and LEGOSystem4558 is a really bad one.

I'm happy to report that it liked d*l6zpv9wl%cl though. Right now I am trying
to come up with one that the CPU consumed is over 1 sec... :-)

++Lar

I've been playing with the 5 character passwords trying to see how high I can
get.  So far I've got a 156% (Good).

Rob

-

Rob Farver - mailto:rfarver@rcn.com
             http://www.farver.com/lego/
             http://members.ebay.com/aboutme/rfarver

       
             
         
Subject: 
Re: Automated password appraisal (Re: New feature: Article rating)
Newsgroups: 
lugnet.admin.general
Date: 
Thu, 30 Mar 2000 17:34:42 GMT
Highlighted: 
(details)
Viewed: 
3451 times
  

In lugnet.admin.general, Todd Lehman writes:

<pw checker, play away... some design notes>

Oh, and can you post the rank order list somewhere on the page or something?
That is, is Outstanding better or worse than Bravissimo!

Thanks.

++Lar

       
             
         
Subject: 
Re: Automated password appraisal (Re: New feature: Article rating)
Newsgroups: 
lugnet.admin.general
Date: 
Thu, 30 Mar 2000 18:42:19 GMT
Highlighted: 
(details)
Viewed: 
3484 times
  

In lugnet.admin.general, Todd Lehman writes:
In lugnet.admin.general, Todd Lehman writes:
[...]
I'll put this password thingy up on a webpage for people to try out, maybe
later tonight.  If we can all agree that it does a good job of weeding out
bad passwords, then I'll put it into place for where you can actually change
your own password.

Inconsistent results.  It quite happily failed obvious stuff like "James1" or
"Galliard" or "June15", but also missed some glaring ones.

For example, it failed my Social Insurance number, but only because it was all
from 1 keyboard row.  It passed (albeit grudgingly) a version with some
numbers straight substituted for alpha equivalents.

It also thought "06/15/72" (my birthdate) was "Great" -->*Very Bad*

It doesn't seem to account for keyboard shifting. "Galliard" (from my e-mail)
failed, but "Tqoo8q4e", a straight keyboard shift up, passed.  Other shifts
(from my name, for example) only failed for other reasons.

It doesn't check QWERTY vs Dvorak translations, for example "Ham.o1" is
"James1" in Qwerty on a Dvorak keyboard, and it got a "great".  Some other
obvious/common words failed the translation.

Also, just as an aside, it generates "mild risk" for the weirdest things!

James
http://www.shades-of-night.com/lego/
I'm getting paid for this --> alladvantage.com
Sign up via me, the reference $$ go to fund Lugnet.

        
              
         
Subject: 
Re: Automated password appraisal (Re: New feature: Article rating)
Newsgroups: 
lugnet.admin.general
Date: 
Thu, 30 Mar 2000 22:00:04 GMT
Highlighted: 
(details)
Viewed: 
3458 times
  

In lugnet.admin.general, James Brown writes:
Inconsistent results.  It quite happily failed obvious stuff like "James1"
or "Galliard" or "June15", but also missed some glaring ones.

For example, it failed my Social Insurance number, but only because it was
all from 1 keyboard row.  It passed (albeit grudgingly) a version with some
numbers straight substituted for alpha equivalents.

It also thought "06/15/72" (my birthdate) was "Great" -->*Very Bad*

Try again now.  :)


It doesn't seem to account for keyboard shifting. "Galliard" (from my
e-mail) failed, but "Tqoo8q4e", a straight keyboard shift up, passed.
Other shifts (from my name, for example) only failed for other reasons.

It doesn't check for up/down/left/right keyboard shifting, no.


It doesn't check QWERTY vs Dvorak translations, for example "Ham.o1" is
"James1" in Qwerty on a Dvorak keyboard, and it got a "great".  Some other
obvious/common words failed the translation.

It doesn't check for cross-keyboard translations either, no.  If I can get my
hands on more keyboard xy tables, maybe I can check for these too.


Also, just as an aside, it generates "mild risk" for the weirdest things!

Ya, its dictionary of matching words is pretty insane.  One of the input
files had several megabytes of unique words from USENET.  Many of the other
weird things come from acronyms and non-English words.

--Todd
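The two gaps acknowledged in this exchange (row/column keyboard shifts and QWERTY-versus-Dvorak translation) can be closed by undoing each transformation and re-running the dictionary check on the result. The sketch below is an added example, not the checker's code; the index-aligned key tables, the function names and the three-word list are constructed assumptions.

```python
# US QWERTY rows (unshifted) and the Dvorak characters on the same physical
# keys. Assumption: rows are index-aligned, ignoring the physical stagger.
QWERTY_ROWS = ["1234567890-=", "qwertyuiop[]\\", "asdfghjkl;'", "zxcvbnm,./"]
DVORAK_ROWS = ["1234567890[]", "',.pyfgcrl/=\\", "aoeuidhtns-", ";qjkxbmwvz"]
QWERTY, DVORAK = "".join(QWERTY_ROWS), "".join(DVORAK_ROWS)

# Shifted symbol -> the unshifted key it sits on (US layout).
UNSHIFT = str.maketrans('!@#$%^&*()_+{}|:"<>?', "1234567890-=[]\\;',./")

POS = {ch: (r, c) for r, row in enumerate(QWERTY_ROWS) for c, ch in enumerate(row)}

# How the password was typed -> the (row, column) offset that undoes it.
UNDO_SHIFT = {
    "typed one row up": (1, 0),
    "typed one row down": (-1, 0),
    "typed one key right": (0, -1),
    "typed one key left": (0, 1),
}

# Constructed stand-in for the checker's real dictionary.
WORDS = {"galliard", "james", "password"}


def normalize(password):
    """Map shifted symbols to their base keys and lower-case the letters."""
    return password.translate(UNSHIFT).lower()


def move(text, d_row, d_col):
    """Move every key by the offset; None if any key falls off the board."""
    out = []
    for ch in text:
        if ch not in POS:
            return None
        r, c = POS[ch][0] + d_row, POS[ch][1] + d_col
        if not (0 <= r < len(QWERTY_ROWS) and 0 <= c < len(QWERTY_ROWS[r])):
            return None
        out.append(QWERTY_ROWS[r][c])
    return "".join(out)


def variants(password):
    """Every decoding worth checking, keyed by how the password was typed."""
    base = normalize(password)
    found = {label: move(base, dr, dc) for label, (dr, dc) in UNDO_SHIFT.items()}
    found["QWERTY keys on a Dvorak layout"] = base.translate(str.maketrans(DVORAK, QWERTY))
    found["Dvorak keys on a QWERTY layout"] = base.translate(str.maketrans(QWERTY, DVORAK))
    return {label: text for label, text in found.items() if text}


def find_disguised_words(password, wordlist=WORDS, min_len=4):
    """Return (how it was typed, dictionary word) for each decoded hit."""
    hits = []
    for label, decoded in variants(password).items():
        for word in sorted(wordlist):
            if len(word) >= min_len and word in decoded:
                hits.append((label, word))
    return hits


if __name__ == "__main__":
    for pw in ("Tqoo8q4e", "Ham.o1", "d*l6zpv9wl%cl"):
        print(pw, find_disguised_words(pw))
```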

        
              
         
Subject: 
Re: Automated password appraisal (Re: New feature: Article rating)
Newsgroups: 
lugnet.admin.general
Date: 
Wed, 5 Apr 2000 03:52:16 GMT
Highlighted: 
(details)
Viewed: 
3764 times
  

In lugnet.admin.general, Todd Lehman writes:

It doesn't check for up/down/left/right keyboard shifting, no.

It doesn't check QWERTY vs Dvorak translations, for example "Ham.o1" is
"James1" in Qwerty on a Dvorak keyboard, and it got a "great".  Some other
obvious/common words failed the translation.

It doesn't check for cross-keyboard translations either, no.  If I can get my
hands on more keyboard xy tables, maybe I can check for these too.


Also, just as an aside, it generates "mild risk" for the weirdest things!

Ya, its dictionary of matching words is pretty insane.  One of the input
files had several megabytes of unique words from USENET.  Many of the other
weird things come from acronyms and non-English words.

--Todd

Okay, what is left??
I am wondering what kind of imagination I will need to generate an acceptable
password.  So far I have had no problem generating passwords that exceed 300%
acceptance, but if the acceptable parameters continue to become more narrow my
passwords of choice may require modification.
BTW--pleased to report that my lugnet randomly generated password returns a
534% approval rating.  I think I may stick with this password for a while.

__Kevin Salm__

        
              
         
Subject: 
Re: Automated password appraisal (Re: New feature: Article rating)
Newsgroups: 
lugnet.admin.general
Date: 
Wed, 5 Apr 2000 03:57:35 GMT
Viewed: 
3761 times
  

I guess this can be fun.

With a bit of tweaking here and there, I just generated a password which
returned a 1269% approval rating.  Anyone think they can top that?

__Kevin Salm__

       
             
         
Subject: 
Re: Automated password appraisal (Re: New feature: Article rating)
Newsgroups: 
lugnet.admin.general
Date: 
Thu, 30 Mar 2000 19:24:53 GMT
Highlighted: 
(details)
Viewed: 
3465 times
  

In lugnet.admin.general, Todd Lehman writes:

OK, here it is:

  http://www.lugnet.com/people/members/pwsa/

[snip]
--Todd

Very interesting results.  It seems to LOVE NASD and NYSE rule numbers:
NASD15a-6 got a 252%

What is the percentage range that will display?  It's very hard to tell what is
really good or bad by the percentages that display until you enter a lot of
passwords.  Shouldn't the "ideal" percentage range be 0% to +100%?  Shouldn't
all fails be less than 60%?

        
              
          
Subject: 
Re: Automated password appraisal (Re: New feature: Article rating)
Newsgroups: 
lugnet.admin.general
Date: 
Thu, 30 Mar 2000 19:28:45 GMT
Highlighted: 
(details)
Viewed: 
3493 times
  

In lugnet.admin.general, Ed Jones writes:
In lugnet.admin.general, Todd Lehman writes:

OK, here it is:

  http://www.lugnet.com/people/members/pwsa/

[snip]
--Todd

Very interesting results.  It seems to LOVE NASD and NYSE rule numbers:
NASD15a-6 got a 252%

What is the percentage range that will display?  It's very hard to tell what is
really good or bad by the percentages that display until you enter a lot of
passwords.  Shouldn't the "ideal" percentage range be 0% to +100%?  Shouldn't
all fails be less than 60%?

It likes the Uniform Commercial code even better:  UCCart8-9 - 368% Excellent

However, LUGNETTODD - gets a "terrible"  :')

         
               
          
Subject: 
Re: Automated password appraisal (Re: New feature: Article rating)
Newsgroups: 
lugnet.admin.general
Date: 
Thu, 30 Mar 2000 22:51:27 GMT
Viewed: 
3398 times
  

In lugnet.admin.general, Ed Jones writes:
It likes the Uniform Commercial code even better:  UCCart8-9
- 368% Excellent

OK, try again now.  It should dislike the "8-9" part enough to fail it.

--Todd

        
              
         
Subject: 
Re: Automated password appraisal (Re: New feature: Article rating)
Newsgroups: 
lugnet.admin.general
Date: 
Thu, 30 Mar 2000 22:49:32 GMT
Highlighted: 
(details)
Viewed: 
3349 times
  

In lugnet.admin.general, Ed Jones writes:
Very interesting results.  It seems to LOVE NASD and NYSE rule numbers:
NASD15a-6 got a 252%

OK, try again now.  (BOY is this thing getting picky now about numbers and
stuff.  I hope it's not getting too restrictive.  I'll have to stop tinkering
at some point soon.)


What is the percentage range that will display?

Theoretically infinite in both directions.  It's just a number, and it's
only displayed as a percentage for fun.  :)  Anything less than 1.0
(equivalent to "100%" strength) is failed, and anything 1.0 and higher is
passed.


It's very hard to tell what
is really good or bad by the percentages that display until you enter a lot
of passwords.  Shouldn't the "ideal" percentage range be 0% to +100%?
Shouldn't all fails be less than 60%?

It's normalized for +100% being (hopefully) "unbreakable".  +200% would mean
extra unbreakable -- above and beyond what's needed.  (Again, it's just a
numba.)

--Todd

       
             
         
Subject: 
Re: Automated password appraisal (Re: New feature: Article rating)
Newsgroups: 
lugnet.admin.general
Date: 
Thu, 30 Mar 2000 20:23:39 GMT
Highlighted: 
(details)
Viewed: 
3440 times
  

In lugnet.admin.general, Todd Lehman wrote:

Second important question:

  Are there words that you can think of which this fails to detect as
  potential weaknesses?  (Try to stump it!)

How about some of the following?  They seem topically weak to me.

lg*mnfg       - 389% excellent
shp@hm8354386 - 236% great
m:trn6989     - 272% great

Steve

        
              
          
Subject: 
Re: Automated password appraisal (Re: New feature: Article rating)
Newsgroups: 
lugnet.admin.general
Date: 
Thu, 30 Mar 2000 20:38:31 GMT
Viewed: 
3430 times
  

In lugnet.admin.general, Todd Lehman wrote:

Second important question:

  Are there words that you can think of which this fails to detect as
  potential weaknesses?  (Try to stump it!)

How about some of the following?  They seem topically weak to me.

lg*mnfg       - 389% excellent
shp@hm8354386 - 236% great
m:trn6989     - 272% great

I got a 421%, and then a -125%. Very interesting, I might have to switch
some of my passwords here now! :)

Scott S.


Steve

        
              
         
Subject: 
Re: Automated password appraisal (Re: New feature: Article rating)
Newsgroups: 
lugnet.admin.general
Date: 
Thu, 30 Mar 2000 22:55:53 GMT
Viewed: 
3385 times
  

In lugnet.admin.general, Steve Bliss writes:
In lugnet.admin.general, Todd Lehman wrote:
Second important question:
Are there words that you can think of which this fails to detect as
potential weaknesses?  (Try to stump it!)

How about some of the following?  They seem topically weak to me.

lg*mnfg       - 389% excellent

Not sure how to detect this...it isn't that terrible anyway, is it?  (I can
see that it comes from "lego*minifig" but it's still probably strong enough?)


shp@hm8354386 - 236% great

Now gives a -1030%.


m:trn6989     - 272% great

Now gives a 200%.  If LEGO sets weren't an issue it would be a pretty good
one.

--Todd

        
              
         
Subject: 
Re: Automated password appraisal (Re: New feature: Article rating)
Newsgroups: 
lugnet.admin.general
Date: 
Thu, 30 Mar 2000 23:21:29 GMT
Highlighted: 
(details)
Viewed: 
3419 times
  

It really likes: fnark-5-  (345%)
but hates: fnark-5-lego (-104%)

Surely that's squiffy? Or is it based on the theory that being able to guess
the 'lego' part will make the 'fnark-5-' more obvious?

Richard

        
              
         
Subject: 
Re: Automated password appraisal (Re: New feature: Article rating)
Newsgroups: 
lugnet.admin.general
Date: 
Thu, 30 Mar 2000 23:32:30 GMT
Highlighted: 
(details)
Viewed: 
3393 times
  

In lugnet.admin.general, Richard Franks writes:
It really likes: fnark-5-  (345%)
but hates: fnark-5-lego (-104%)

Surely that's squiffy? Or is it based on the theory that being able to guess
the 'lego' part will make the 'fnark-5-' more obvious?

It's a side-effect of downrating fluffy portions even though they don't hurt.
That is, if you have a wicked strong 8-character pw (call it "X" for short),
then even though "Xlego" is no worse than "X", it takes points off for the
fluffy part ("lego").  Taking points off for that is a good thing to do when
the fluff serves only to artificially grow the size of the pw, but it's not
particularly helpful on pw's that are already long enough.

The simple answer is that this pw evaluator is trying to do more of an overall
randomness check than a pw strength check.  Surely "fnark-5-lego" is no weaker
than "fnark-5", but it is significantly less random.

--Todd

        
              
         
Subject: 
Re: Automated password appraisal (Re: New feature: Article rating)
Newsgroups: 
lugnet.admin.general
Date: 
Thu, 30 Mar 2000 23:46:41 GMT
Highlighted: 
! (details)
Viewed: 
3453 times
  

In lugnet.admin.general, Todd Lehman writes:
In lugnet.admin.general, Richard Franks writes:
It really likes: fnark-5-  (345%)
but hates: fnark-5-lego (-104%)

Surely that's squiffy? Or is it based on the theory that being able to guess
the 'lego' part will make the 'fnark-5-' more obvious?

It's a side-effect of downrating fluffy portions even though they don't hurt.
That is, if you have a wicked strong 8-character pw (call it "X" for short),
then even though "Xlego" is no worse than "X", it takes points off for the
fluffy part ("lego").  Taking points off for that is a good thing to do when
the fluff serves only to artificially grow the size of the pw, but it's not
particularly helpful on pw's that are already long enough.

The simple answer is that this pw evaluator is trying to do more of an overall
randomness check than a pw strength check.  Surely "fnark-5-lego" is no weaker
than "fnark-5", but it is significantly less random.

I am starting to think that this password checker, in its current form (which
I'd like to see left accessible as it IS useful) shouldn't actually block a
password. It should tell me that "maybe this isn't a good choice" but it
doesn't know enough about MY context to comment on passwords that might be
unsafe in my context.

If we assume for the sake of the next bit that nn/nn/nn isn't a bad password in
and of itself (actually it is, too small a pattern set) ...

Then my birthday is a not very good password FOR ME because it's guessable from
context, my birthday is easily obtainable. But it's not a bad password at ALL
for Ed Jones, who has no explicit connection to me that anyone knows of,
because it's just a random string of dates and slashes. It has no meaning that
an attacker can guess and so is as strong as any other random string of numbers
and slashes of the form nn/nn/nn. Similarly, my SSN is a bad password for me,
but some random 9 digit string with dashes in the SSN places isn't all that bad
FOR ME even though it's most likely somebody's SSN.

Right now it might be that it's way too picky. It's flagging passwords that are
reasonable. (elegant work, mind you, from a coding standpoint) If you eliminate
too many passwords from the universe, you reduce the total set that brute force
attack has to use (that is, if you ENFORCE that people can't have unsafe
passwords you increase their safety a lot, but decrease everyone's safety
marginally over all.)

Food for thought.

++Lar

        
              
          
Subject: 
Re: Automated password appraisal (Re: New feature: Article rating)
Newsgroups: 
lugnet.admin.general
Date: 
Fri, 31 Mar 2000 01:11:33 GMT
Highlighted: 
(details)
Viewed: 
3781 times
  

In lugnet.admin.general, Larry Pieniazek writes:
[...]
Right now it might be that it's way too picky. It's flagging passwords that
are reasonable. (elegant work, mind you, from a coding standpoint) If you
eliminate too many passwords from the universe, you reduce the total set
that brute force attack has to use (that is, if you ENFORCE that people
can't have unsafe passwords you increase their safety a lot, but decrease
everyone's safety marginally over all.)

Food for thought.

Yum, yum!  :-s

Well, ya gotta also figure that decreasing the safety margin from 100,000
to 1000 is one thing (bad -- and I don't think that's case here), but
decreasing it from, say, eleventeen hundred quintrillion down to fifty-seven
quintrillion is quite another thing.  Is the latter truly hurtful in any
practical way?  (I can't justify losing sleep over it. :)

It may be pickier than we'd like about the passwords that we can easily
think up, but according to my statistical tests, it doesn't really cut very
much into the set of all possible passwords.  (One tenth of a gooberzillion
is still a gooberzillion.)

For example, even the set of all 6-character passwords (short), using
A-Z, a-z, 0-9, and - as the input set starts out with gooberzillion being
63^6 = 62,523,502,209 (62 US trillion) possibilities (a LOT).  Enforcing
"good" passwords on this cuts out approximately 50% of the possibilities
(running on the current implementation).  Is 50% a big deal?  It sounds like
a lot.  But it still leaves 31,261,751,104 (31 US trillion) possibilities.

Sounds pretty safe to me!

Looking at 5-character passwords, there are 63^5 = 992,436,543 (about 1 US
billion) possibilities using the same 63-character alphabet.  Right now it's
failing about 99 out of 100 of those, which reduces the set of possibilities
to about 10 million.  That's getting too low for comfort, so 5-character
passwords probably shouldn't be allowed.  OTOH, increasing the alphabet to
include all 95 printable ASCII characters pumps up the set of possibilities
to 95^5 = 7,737,809,375 (7 US billion) and now it only fails about 3/4 of
those, leaving 2 US billion, give or take a hundred million.

I totally hear what you're saying -- and IMHO it's an extremely important
thing to bear in mind -- but from these results, and from some of the things
that people have been saying they've been trying, the only thing I can say
for sure is that I'd lose far more sleep not having a strict check in place.
Yes, it may give a false sense of security in certain extreme situations, but
overall I can't imagine not using it.  The only question in my mind is whether
or not to automatically fail all 5-character pw's.

--Todd

        
              
         
Subject: 
Re: Automated password appraisal (Re: New feature: Article rating)
Newsgroups: 
lugnet.admin.general
Date: 
Fri, 31 Mar 2000 07:22:05 GMT
Reply-To: 
sgore@superonline.*NoMoreSpam*com
Viewed: 
3829 times
  

Larry Pieniazek wrote:

<snip>

Then my birthday is a not very good password FOR ME because it's guessable from
context, my birthday is easily obtainable. But it's not a bad password at ALL
for Ed Jones, who has no explicit connection to me that anyone knows of,
because it's just a random string of dates and slashes. It has no meaning that
an attacker can guess and so is as strong as any other random string of numbers

I'm not a guru on the subject by any means, but while an attacker using
wordlists and trying to crack a password with bruteforce or something
like, I mean, by trial and error, I think any combination of dates are
just easy cakes. For a format of mm/dd/yy, there are only 36500
possibilities for a 100 year period, for example. Just a thought..:-)

Selçuk

        
              
         
Subject: 
Re: Automated password appraisal (Re: New feature: Article rating)
Newsgroups: 
lugnet.admin.general
Date: 
Fri, 31 Mar 2000 12:09:33 GMT
Viewed: 
3840 times
  

In lugnet.admin.general, Selçuk Göre writes:


Larry Pieniazek wrote:

<snip>

Then my birthday is a not very good password FOR ME because it's guessable from
context, my birthday is easily obtainable. But it's not a bad password at ALL
for Ed Jones, who has no explicit connection to me that anyone knows of,
because it's just a random string of dates and slashes. It has no meaning that
an attacker can guess and so is as strong as any other random string of numbers

I'm not a guru on the subject by any means, but while an attacker using
wordlists and trying to crack a password with bruteforce or something
like, I mean, by trial and error, I think any combination of dates are
just easy cakes. For a format of mm/dd/yy, there are only 36500
possibilities for a 100 year period, for example. Just a thought..:-)

This was a hypothetical example. Dates are not actually good passwords, but
they're easy to use to demonstrate differences in context. My birthday is a bad
password for me (one of the first few things to check if you know me) but not
nearly as bad for someone else (because it takes brute force, although as you
say, not much)

++Lar

       
             
         
Subject: 
Re: Automated password appraisal (Re: New feature: Article rating)
Newsgroups: 
lugnet.admin.general
Date: 
Thu, 30 Mar 2000 22:32:32 GMT
Viewed: 
3363 times
  

In lugnet.admin.general, Todd Lehman writes:
Second important question:

  Are there words that you can think of which this fails to detect as
  potential weaknesses?  (Try to stump it!)
I got p@$$\/\/0?oI through it as a 169.  Mwhahahahahahaha!
Alan

        
              
         
Subject: 
Re: Automated password appraisal (Re: New feature: Article rating)
Newsgroups: 
lugnet.admin.general
Date: 
Thu, 30 Mar 2000 22:35:49 GMT
Viewed: 
3356 times
  

In lugnet.admin.general, Alan Gerber writes:
In lugnet.admin.general, Todd Lehman writes:
Second important question:

  Are there words that you can think of which this fails to detect as
  potential weaknesses?  (Try to stump it!)
I got p@$$\/\/0?oI through it as a 169.  Mwhahahahahahaha!
Alan
I meant to put in p@$$\/\/0roI in, but messed up.  p@$$\/\/0roI got a 100%
Alan

       
             
         
Subject: 
Re: Automated password appraisal (Re: New feature: Article rating)
Newsgroups: 
lugnet.admin.general
Date: 
Fri, 31 Mar 2000 00:07:23 GMT
Viewed: 
3238 times
  

On Thu, 30 Mar 2000 11:23:41 GMT, "Todd Lehman" <lehman@javanet.com> wrote:

First important question:

  Are there any bad passwords which this fails to reject?  (If it rejects
  a seemingly good password, that's not necessarily a problem.  Failing to
  reject a bad password is a far more serious problem.)

Formulae:

e=mc^2   - Great       (266%)
E=mc^2   - Excellent   (303%)
e=m*c^2  - Outstanding (556%)
E=m*c^2  - Outstanding (594%)

Keyboard runs:

zdt7cgu9 - Outstanding (491%)
zcbmadgj - Outstanding (462%)
zfu0xgi- - Outstanding (529%)

Software Titles:

MSvc++   - Great       (200%)
MSvb++   - Great       (219%)
MSsql7.0 - Great       (247%)

You know, this is getting addicting.  Even worse than your random theme
generator. :)

Rob

-

Rob Farver - mailto:rfarver@rcn.com
             http://www.farver.com/lego/
             http://members.ebay.com/aboutme/rfarver

       
             
         
Subject: 
Re: Automated password appraisal (Re: New feature: Article rating)
Newsgroups: 
lugnet.admin.general
Date: 
Sun, 2 Apr 2000 03:55:57 GMT
Viewed: 
3631 times
  

Neat Todd!

In lugnet.admin.general, Todd Lehman writes:

OK, here it is:

  http://www.lugnet.com/people/members/pwsa/

First important question:

  Are there any bad passwords which this fails to reject?

It thinks <({})> is fine 250% and doesn't detect it as a palindrome even
though it is from a human point of view.  You might want to add something that
recognizes stuff encapsulated within open and close of the same type of
containing symbols as being at least slightly weak.

Anyone out there targeting specific numbers?  How hard is it to get exactly 0%?
I've only managed it once, but I keep trying.

Chris

       
             
         
Subject: 
Re: Automated password appraisal (Re: New feature: Article rating)
Newsgroups: 
lugnet.admin.general
Date: 
Sun, 2 Apr 2000 04:22:03 GMT
Viewed: 
3637 times
  

In lugnet.admin.general, Todd Lehman writes:
  Are there any bad passwords which this fails to reject?

Ouch... it passes @%)^*$, which is a +shift version of my birthdate. Now
that's a bad password!

Just like it doesn't allow an only numeric sequence, or an only alphabetic
sequence, it should not allow an only spec. character sequence.

-Shiri

       
             
         
Subject: 
Re: Automated password appraisal (Re: New feature: Article rating)
Newsgroups: 
lugnet.admin.general
Date: 
Sun, 2 Apr 2000 04:43:00 GMT
Highlighted: 
(details)
Viewed: 
3658 times
  

In lugnet.admin.general, Todd Lehman writes:
OK, here it is:

  http://www.lugnet.com/people/members/pwsa/

Playing with this, I figured out that I toggle ASCII+127 in Windows by pressing
the ~ key (without pressing Shift).  Here are the keyboard rows:

0 1 å/-À¶ØÖ¤µ¨¢ª
0 1 +ñòóôÙßõö÷øù

1 1 æäÓ¾ÐÑÕùºţ
1 1 ð"®±¸íê³Ï­°,¥

2 1 ¿Ë¡´àéèÒÊǧ
2 1 Ħ¯â¬çëÉÈ«.

3 1 ¼»áÍÔ×·Áã½
3 1 ()©ÎÚì?²ÌÆ

Might want to take that into consideration...
--Bram

       
             
         
Subject: 
Re: Automated password appraisal (Re: New feature: Article rating)
Newsgroups: 
lugnet.admin.general
Date: 
Sun, 2 Apr 2000 05:48:17 GMT
Viewed: 
3642 times
  

In lugnet.admin.general, Todd Lehman writes:
  potential weaknesses?  (Try to stump it!)

The checker should equate the following IMHO:
|_    L
+     t
<     k
~     n
\/    V
()    O or 0

"\/()+eF0rMe" (Vote for Me) for example gives a 788% success rate.
"|_uGn3+" which is a complicated way to write "Lugnet" passes with 481%
"|_eGoBr|<K5" (LegoBricks) passes with 794%

Just some thoughts...

I found it interesting that the password "100%" comes out as -666% secure. So,
in other words, perfect = evil :)

Ben Roller
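The checks proposed in the replies above (Ben Roller's look-alike table, Shiri's shifted-digit and symbols-only cases, Chris's mirrored brackets, Susan Hoover's bracketed forms), as an added example that is not part of any post and is not the LUGNET appraiser's code. The word list, the function names and the US keyboard layout are assumptions made for the illustration.

```python
# Added illustration: weak-pattern checks proposed by posters in this thread.
# The word list and every function name are constructed for the example.

WORDS = {"lugnet", "lego", "bricks", "vote", "for", "me"}   # constructed sample

# Look-alike tokens. The first six come from Ben Roller's list; the rest are
# read off passwords quoted in the thread ("|_uGn3+", "|_eGoBr|<K5", "[l3G0]").
LOOKALIKES = {
    "|_": "l", "+": "t", "<": "kc", "~": "n", "\\/": "v", "()": "o",
    "|": "i", "0": "o", "3": "e", "5": "s", "1": "l",
}
PAIRS = {"<": ">", "(": ")", "{": "}", "[": "]"}
MIRROR = str.maketrans("<>(){}[]", "><)(}{][")
SHIFTED = "!@#$%^&*()"
UNSHIFT = str.maketrans(SHIFTED, "1234567890")   # US keyboard layout assumed


def candidates(pw, limit=5000):
    """Every reading of pw with look-alike tokens replaced by letters."""
    pw = pw.lower()
    out = set()

    def walk(i, acc):
        if len(out) >= limit:            # bound the work on long inputs
            return
        if i == len(pw):
            out.add(acc)
            return
        walk(i + 1, acc + pw[i])         # keep the character as typed
        for token, letters in LOOKALIKES.items():
            if pw.startswith(token, i):
                for letter in letters:   # a token may stand for several letters
                    walk(i + len(token), acc + letter)

    walk(0, "")
    return out


def is_word_chain(s, words=WORDS):
    """True if s is one or more dictionary words run together."""
    ok = [True] + [False] * len(s)
    for end in range(1, len(s) + 1):
        ok[end] = any(ok[start] and s[start:end] in words for start in range(end))
    return bool(s) and ok[len(s)]


def unshifted_digits(pw):
    """Digits typed if pw is only Shift + number-row keys, else None."""
    if pw and all(c in SHIFTED for c in pw):
        return pw.translate(UNSHIFT)
    return None


def is_mirror_palindrome(pw):
    """Palindrome test that treats ( ) < > { } [ ] as mirror images."""
    return len(pw) > 1 and pw[::-1].translate(MIRROR) == pw


def strip_wrappers(pw):
    """Remove matching bracket pairs that enclose the whole password."""
    while len(pw) >= 2 and PAIRS.get(pw[0]) == pw[-1]:
        pw = pw[1:-1]
    return pw


def weaknesses(pw):
    """List the weak patterns found in pw (empty list: none of these apply)."""
    findings = []
    digits = unshifted_digits(pw)
    if digits is not None:
        findings.append(f"shifted digits: {digits}")
    if pw and not any(c.isalnum() for c in pw):
        findings.append("symbols only")
    if is_mirror_palindrome(pw):
        findings.append("mirror palindrome")
    core = strip_wrappers(pw)
    if core != pw:
        findings.append("wrapped in brackets")
    hits = sorted(c for c in candidates(core) if is_word_chain(c))
    if hits:
        findings.append(f"look-alike spelling of: {hits[0]}")
    return findings


if __name__ == "__main__":
    # Passwords quoted in the thread, plus one keyboard run that stays clean.
    for sample in ["|_uGn3+", "\\/()+eF0rMe", "|_eGoBr|<K5", "[l3G()]",
                   "<({})>", "@%)^*$", "zdt7cgu9"]:
        print(f"{sample!r:18} {weaknesses(sample)}")
```

A real appraiser would run the candidate readings against a full dictionary rather than the six constructed words used here.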

       
             
         
Subject: 
Re: Automated password appraisal (Re: New feature: Article rating)
Newsgroups: 
lugnet.admin.general
Date: 
Wed, 12 Apr 2000 22:44:22 GMT
Viewed: 
3683 times
  

In lugnet.admin.general, Todd Lehman wrote:

In lugnet.admin.general, Todd Lehman writes:
[...]
I'll put this password thingy up on a webpage for people to try
out, maybe later tonight.  If we can all agree that it does a good
job of weeding out bad passwords, then I'll put it into place for
where you can actually change your own password.

OK, here it is:

  http://www.lugnet.com/people/members/pwsa/

What a neat tool!  (Almost said "toy", but some people might take it
the wrong way.  "Toy" as in "geek thing to play with" rather than as in
"insignificant".)

First important question:

  Are there any bad passwords which this fails to reject?  (If it
  rejects a seemingly good password, that's not necessarily a
  problem.  Failing to reject a bad password is a far more serious
  problem.)

Yes!  Several passwords of the form "[l3G0]" (with brackets but without
the quotation marks) get an adequate passing grade of ~149%.  Try
things like !Ll1 for the L, 3E for E, G6 for G, 0O or the () pair for
O.

--
Susan Hoover
Houston, TX

        
              
         
Subject: 
Re: Automated password appraisal (Re: New feature: Article rating)
Newsgroups: 
lugnet.admin.general
Date: 
Wed, 12 Apr 2000 22:45:48 GMT
Viewed: 
3650 times
  

In lugnet.admin.general, Susan Hoover wrote:

In lugnet.admin.general, Todd Lehman wrote:

In lugnet.admin.general, Todd Lehman writes:
[...]
I'll put this password thingy up on a webpage for people to try
out, maybe later tonight.  If we can all agree that it does a
good job of weeding out bad passwords, then I'll put it into
place for where you can actually change your own password.

OK, here it is:

  http://www.lugnet.com/people/members/pwsa/

What a neat tool!  (Almost said "toy", but some people might take it
the wrong way.  "Toy" as in "geek thing to play with" rather than as
in "insignificant".)

First important question:

  Are there any bad passwords which this fails to reject?  (If it
  rejects a seemingly good password, that's not necessarily a
  problem.  Failing to reject a bad password is a far more serious
  problem.)

Yes!  Several passwords of the form "[l3G0]" (with brackets but
without the quotation marks) get an adequate passing grade of ~149%.
Try things like !Ll1 for the L, 3E for E, G6 for G, 0O or the ()
pair for O.


Ugh.  "[l3G()]" gets a 506% passing grade.

--
Susan Hoover
Houston, TX

       
             
        
Subject: 
Re: Automated password appraisal (Re: New feature: Article rating)
Newsgroups: 
lugnet.admin.general
Date: 
Wed, 12 Apr 2000 23:44:30 GMT
Reply-To: 
mattdm@mattdm.SPAMCAKEorg
Highlighted: 
(details)
Viewed: 
3691 times
  

Todd Lehman <lehman@javanet.com> wrote:
  http://www.lugnet.com/people/members/pwsa/

Oh, hey, I'd missed this. Two suggestions:

1. Can you use https for this?
2. How about a 'passwords submitted aren't logged' privacy statement?

Why? 'Cause it's so cool I was instantly tempted into typing in old
passwords that I no longer use, and was almost tempted into typing in
passwords _currently_ in use. (And by Larry's posts, I see he was tempted
too...) Bad. :)


Also:

/|\@++|>/|\ =  361%  Excellent (PASS)

:)


--
Matthew Miller                      --->                  mattdm@mattdm.org
Quotes 'R' Us                       --->             http://quotes-r-us.org/

       
             
        
Subject: 
Re: Automated password appraisal (Re: New feature: Article rating)
Newsgroups: 
lugnet.admin.general
Date: 
Thu, 13 Apr 2000 04:23:52 GMT
Viewed: 
3694 times
  

In lugnet.admin.general, Matthew Miller writes:
Todd Lehman <lehman@javanet.com> wrote:
  http://www.lugnet.com/people/members/pwsa/

Oh, hey, I'd missed this. Two suggestions:

1. Can you use https for this?

What's involved in setting up an https server?  I remember reading once upon
a time (it must've been about 2 years ago) that it could be kind of a mess,
and that connections often took 1 second to authenticate.  That would be a
problem for random HTTP requests using cookies, but the password isn't plain-
text there so it's less risky.  For a sign-in or a change-password page, it
would be OK if it took a second or two.


2. How about a 'passwords submitted aren't logged' privacy statement?

OK.


Why? 'Cause it's so cool I was instantly tempted into typing in old
passwords that I no longer use, and was almost tempted into typing in
passwords _currently_ in use. (And by Larry's posts, I see he was tempted
too...) Bad. :)


Also:

/|\@++|>/|\ =  361%  Excellent (PASS)

Are those symbols supposed to mean something?

--Todd


:)



       
             
        
Subject: 
Re: Automated password appraisal (Re: New feature: Article rating)
Newsgroups: 
lugnet.admin.general
Date: 
Thu, 13 Apr 2000 13:21:16 GMT
Reply-To: 
mattdm@!AvoidSpam!mattdm.org
Viewed: 
3722 times
  

Todd Lehman <lehman@javanet.com> wrote:
What's involved in setting up an https server?  I remember reading once upon
a time (it must've been about 2 years ago) that it could be kind of a mess,

It's not too hard. But I forgot; you're using a web hosting place. (Pair?)
Depending on what level of service you're paying for, you may already have
ssl support. (Or conversely, it may not be an option.)

and that connections often took 1 second to authenticate.  That would be a

I've not noticed that bad of a lag.

2. How about a 'passwords submitted aren't logged' privacy statement?
OK.

:) thanks.


Also:
/|\@++|>/|\ =  361%  Excellent (PASS)
Are those symbols supposed to mean something?

     m /|\
     a @  (could have also been /-\, but that dropped the score to 168%)
     t +                    ___
     t +  (should have been  |  but that takes two lines)
     d |>
     m /|\

         _____                .       _
    /|\/-\| | |-|[-\/\/    /|\||_|_[-|-\



--
Matthew Miller                      --->                  mattdm@mattdm.org
Quotes 'R' Us                       --->             http://quotes-r-us.org/

      
            
       
Subject: 
Re: New feature: Article rating
Newsgroups: 
lugnet.admin.general
Date: 
Thu, 30 Mar 2000 00:45:25 GMT
Viewed: 
3068 times
  

In lugnet.admin.general, Todd Lehman writes:
Your use of many different machines may be an extreme case, but clearly the
current situation is quite broken for you, and probably many others.

Yep, you can be sure he's not the only one. I have two computers at home, but
regardless I often get online from the school library or the ESL room (1). At
those times I can only read, not post or rate or anything. OTOH, when I want
to read my email I can do that easily by logging in my password. I think
lugnet should enable a personally-chosen password, that allows for posting as
well as membership stuff.

-Shiri

(1) Ssssh! Don't tell! :-)

      
            
       
Subject: 
Re: New feature: Article rating
Newsgroups: 
lugnet.admin.general
Date: 
Thu, 30 Mar 2000 02:06:57 GMT
Highlighted: 
(details)
Viewed: 
3035 times
  

I log on to Lugnet on a minimum of 4 different machines, 2 from home, 2 from
work, and may be logging on from my Libretto on the road this summer.  So
anything making it easier to log in and have settings be the same, the better.

Shiri Dori wrote:

In lugnet.admin.general, Todd Lehman writes:
Your use of many different machines may be an extreme case, but clearly the
current situation is quite broken for you, and probably many others.

Yep, you can be sure he's not the only one. I have two computers at home, but
regardless I often get online from the school library or the ESL room (1). At
those times I can only read, not post or rate or anything. OTOH, when I want
to read my email I can do that easily by logging in my password. I think
lugnet should enable a personally-chosen password, that allows for posting as
well as membership stuff.

-Shiri

(1) Ssssh! Don't tell! :-)

--
Tom Stangl
***http://www.vfaq.com/
***DSM Visual FAQ home
***http://ba.dsm.org/
***SF Bay Area DSMs

     
           
      
Subject: 
Re: New feature: Article rating
Newsgroups: 
lugnet.admin.general
Date: 
Sun, 26 Mar 2000 19:29:47 GMT
Highlighted: 
(details)
Viewed: 
2829 times
  

In lugnet.admin.general, Larry Pieniazek writes:

And how secure is that?

Depends on the location.  Clearly, as both you and Mike are capable of pointing
out, there are inappropriate places to use that tactic in.  That just means
there are places you can access Lugnet from that you can't use all the features
from, that's all.  I don't see this as being as big a deal as you do,
apparently.  It has no control over reading or posting.

I'm sensing that you're dug into this position and are now in Defensive Mode.

Not really, I've just yet to see an argument convincing enough to make me
change my mind.  There is a difference.

Lorbaat seems to relish digging in without regard to research

No, he doesn't.  Don't go assuming that people who don't hang out in
off-topic.geek know nothing about computing, or network security.

eric

     
           
       
Subject: 
Re: New feature: Article rating
Newsgroups: 
lugnet.admin.general
Date: 
Sun, 26 Mar 2000 19:42:23 GMT
Reply-To: 
CJC@NEWSGUY.COMsaynotospam
Highlighted: 
(details)
Viewed: 
2884 times
  

On Sun, 26 Mar 2000 19:29:47 GMT, "Lorbaat" <eric@nospam.thirteen.net>
wrote:

In lugnet.admin.general, Larry Pieniazek writes:

And how secure is that?

Depends on the location.  Clearly, as both you and Mike are capable of pointing
out, there are inappropriate places to use that tactic in.  That just means
there are places you can access Lugnet from that you can't use all the features
from, that's all.  I don't see this as being as big a deal as you do,
apparently.  It has no control over reading or posting.
^^^^^^^
That's actually a bad thing, imo.  I don't know when this changed (and
sometimes I am glad it did) but I don't really like the fact that I
can post AS ME from any machine simply by typing in my name and e-mail
address.  I _think_ this is true, as I've wiped out various machines I
use and been able to post without any sort of verification process.  I
think you _should_ have to sign in to post via the web interface.



--
Tired of waiting for LEGO Direct? Bulk Parts Sales NOW!
http://www.guarded-inn.com/lego/sales/parts.html

      
            
       
Subject: 
Re: New feature: Article rating
Newsgroups: 
lugnet.admin.general
Date: 
Sun, 26 Mar 2000 19:47:31 GMT
Highlighted: 
(details)
Viewed: 
2949 times
  

The main thrust of this whole conversation has gotten very far away from my
original point, which I feel I made just fine, but:

In lugnet.admin.general, Mike Stanley writes:

I
think you _should_ have to sign in to post via the web interface.

My vote would be to keep Lugnet a place where you can post from any interface
without paying for a membership.  There are a lot of people (myself included)
who won't pay for a membership without trying a place out first.

eric

      
            
        
Subject: 
Re: New feature: Article rating
Newsgroups: 
lugnet.admin.general
Date: 
Sun, 26 Mar 2000 19:57:29 GMT
Highlighted: 
(details)
Viewed: 
3004 times
  

In lugnet.admin.general, Eric Joslin writes:
In lugnet.admin.general, Mike Stanley writes:
I think you _should_ have to sign in to post via the web interface.

My vote would be to keep Lugnet a place where you can post from any interface
without paying for a membership.  There are a lot of people (myself included)
who won't pay for a membership without trying a place out first.

I agree.

But if Mike's suggestion is taken a little differently, i.e.,

   "I think _I_ should have to sign in to post via the web interface."

...then that's probably a good thing.  Once you do decide to beomce a member,
you should (it would be nice if you could) be able to say, "OK, make me sign
in with my password (because I want it this way) before letting me post under
my name."

--Todd

       
             
        
Subject: 
Re: New feature: Article rating
Newsgroups: 
lugnet.admin.general
Date: 
Thu, 30 Mar 2000 01:43:15 GMT
Viewed: 
3023 times
  

In lugnet.admin.general, Todd Lehman writes:
In lugnet.admin.general, Eric Joslin writes:
My vote would be to keep Lugnet a place where you can post from any
interface
without paying for a membership.  There are a lot of people (myself
included)
who won't pay for a membership without trying a place out first.

I agree.

Me 2.

But if Mike's suggestion is taken a little differently, i.e.,

  "I think _I_ should have to sign in to post via the web interface."

...then that's probably a good thing.  Once you do decide to beomce a member,
you should (it would be nice if you could) be able to say, "OK, make me sign
in with my password (because I want it this way) before letting me post under
my name."

Definitely. I also think this should be possible even if you're not a member,
but that's just my view of it. (I'm a member, so I'll have that anyway :)

Oh, and Todd...?

Todd wrote:
to beomce a member,
      ^^^

Your second three-letter switch in a while now ;-) Thanks for a great laugh!

-Shiri

      
            
       
Subject: 
Re: New feature: Article rating
Newsgroups: 
lugnet.admin.general
Date: 
Sun, 26 Mar 2000 20:08:06 GMT
Reply-To: 
cjc@newsguy.com/stopspam/
Highlighted: 
! (details)
Viewed: 
2946 times
  

On Sun, 26 Mar 2000 19:47:31 GMT, "Lorbaat" <eric@nospam.thirteen.net>
wrote:

The main thrust of this whole conversation has gotten very far away from my
original point, which I feel I made just fine, but:

In lugnet.admin.general, Mike Stanley writes:

I
think you _should_ have to sign in to post via the web interface.

My vote would be to keep Lugnet a place where you can post from any interface
without paying for a membership.  There are a lot of people (myself included)
who won't pay for a membership without trying a place out first.

Then implement a username/password system that doesn't require a
membership but can accommodate one.

Pretty simple, just have a membership field in the record.  People who
are just trying it out can read and post, but not access member-only
features until they've paid for a membership.

--
Tired of waiting for LEGO Direct? Bulk Parts Sales NOW!
http://www.guarded-inn.com/lego/sales/parts.html

     
           
      
Subject: 
Re: New feature: Article rating
Newsgroups: 
lugnet.admin.general
Date: 
Mon, 27 Mar 2000 04:53:35 GMT
Viewed: 
2905 times
  

In lugnet.admin.general, Eric Joslin writes:

Lorbaat seems to relish digging in without regard to research

No, he doesn't.  Don't go assuming that people who don't hang out in
off-topic.geek know nothing about computing, or network security.

Don't assume you know what I'm assuming! However, you didn't refute my points,
I note. Just glossed over them as "not convincing enough"...

So something that is less secure and harder to use is better in your book?

++Lar

     
           
      
Subject: 
Re: New feature: Article rating
Newsgroups: 
lugnet.admin.general
Date: 
Mon, 27 Mar 2000 13:36:31 GMT
Highlighted: 
(details)
Viewed: 
2949 times
  

In lugnet.admin.general, Larry Pieniazek writes:

Don't assume you know what I'm assuming!

Touche. :D

However, you didn't refute my points,
I note. Just glossed over them as "not convincing enough"...

No, I feel that I explained well enough many times why I feel that the current
system is fine, and why you don't have to carry around a card with your passwd
on it.  Several times.  And I don't care to again.

So, since you basically keep saying the same things, and I basically keep
saying the same things, we're pretty much done.  It's not my place to convince
you that things are fine the way they are, and I couldn't change anything even
if you did convince me things were broken, so it's all really pretty
meaningless anyway.

eric

    
          
     
Subject: 
Re: New feature: Article rating
Newsgroups: 
lugnet.admin.general
Date: 
Sun, 26 Mar 2000 21:27:11 GMT
Highlighted: 
! (details)
Viewed: 
2714 times
  

In lugnet.admin.general, Mike Stanley writes:
Yeah, I don't think I've ever "signed in" simply because I can't
bother to keep up with another password I didn't pick.  Once I hear I
can login ONCE with this password I refuse to put any effort into
holding onto or remembering and change it to something I can remember
without effort, I'll do it.  Until then, having a password without the
ability to change it isn't of much value to me.

You can sign in once with your password and stay permanently signed in.

(Simply use the middle radio button at the Sign-In page.)

So what do I do when I login at a publicly accessible machine in a
lab?  What does anyone in a college environment do?

Use either the top radio button and close the browser when you're done, or
use the bottom radio button and set a timeout like 1 hour in case you forget
to sign out manually.


People who are
lucky enough to have a spouse who reads (and has a membership) at
LUGNET but uses the same computer?

Leave yourself signed in, or sign out manually when you're done, or let your
spouse sign in on top of your sign-in (replacing your sign-in cookie with your
spouse's).


To be so concerned about password security as you seem to be (2,050
times easier to brute-force?) having the permanently signed in option
as a solution to not being able to create our own passwords seems a
little silly.

That would be silly, yes, if that were the case, but that's not the case.
That is, having the permanently signed in option has absolutely nothing to
do with not being able currently to pick arbitrary passwords.  There will
always be a permanently-signed-in option, even when you can pick your own
password.


I don't have my computer save my Yahoo! username and password - why
would I do it for LUGNET?

Dunno.  Point being that you can, if you want to.  When you said...

  "Once I hear I can login ONCE with this password I refuse to put any effort
   into holding onto or remembering and change it to something I can remember
   without effort, I'll do it."

...you seemed to be saying that you couldn't -- that you had to log in each
time rather than just once.

--Todd

    
          
     
Subject: 
Re: New feature: Article rating
Newsgroups: 
lugnet.admin.general
Date: 
Mon, 27 Mar 2000 07:36:40 GMT
Reply-To: 
cjc@newsguy{AntiSpam}.com
Highlighted: 
(details)
Viewed: 
2761 times
  

On Sun, 26 Mar 2000 21:27:11 GMT, "Todd Lehman" <lehman@javanet.com>
wrote:

I don't have my computer save my Yahoo! username and password - why
would I do it for LUGNET?

Dunno.  Point being that you can, if you want to.  When you said...

"Once I hear I can login ONCE with this password I refuse to put any effort
  into holding onto or remembering and change it to something I can remember
  without effort, I'll do it."

...you seemed to be saying that you couldn't -- that you had to log in each
time rather than just once.

But I don't _want_ to, and to suggest that as an alternative to
carrying around a machine-generated password seems a little
boneheaded.  I don't _want_ to leave myself logged into Lugnet just
like I don't _want_ to leave myself logged into Yahoo!  It's dumb to
do so.  Maybe less dumb now with Lugnet, but what about when real
buying and selling can be done here?

As a matter of fact I DID log in permanently today at work, on my
primary machine, which is locked whenever I step away from it
(religiously).  But I still don't like it.  I have little choice right
now, though, as this doesn't seem to be a priority.

--
Tired of waiting for LEGO Direct? Bulk Parts Sales NOW!
http://www.guarded-inn.com/lego/sales/parts.html

    
          
     
Subject: 
Re: New feature: Article rating
Newsgroups: 
lugnet.admin.general
Date: 
Mon, 27 Mar 2000 07:36:26 GMT
Viewed: 
2797 times
  

In lugnet.admin.general, Mike Stanley writes:
I don't have my computer save my Yahoo! username and password - why
would I do it for LUGNET?

Dunno.  Point being that you can, if you want to.  When you said...

  "Once I hear I can login ONCE with this password I refuse to put any
  effort into holding onto or remembering and change it to something I
  can remember without effort, I'll do it."

...you seemed to be saying that you couldn't -- that you had to log in
each time rather than just once.

But I don't _want_ to, and to suggest that as an alternative to carrying
around a machine-generated password seems a little boneheaded.

Thick-skulled, maybe...dunno if I agree about boneheaded.  :)

I guess next time I'll hafta read your mind.  I only had what you wrote
to go on -- which seemed to be implying something false.  I was only replying
to point out that it -was- indeed possible to sign in once.  I think what
you meant was that you wanted to sign in once and once only using the
proscribed password, but then change that to a new password, and then use
that password periodically?

--Todd

    
          
     
Subject: 
Re: New feature: Article rating
Newsgroups: 
lugnet.admin.general
Date: 
Mon, 27 Mar 2000 14:53:54 GMT
Viewed: 
2841 times
  

In lugnet.admin.general, Todd Lehman writes:

Thick-skulled, maybe...dunno if I agree about boneheaded.  :)

Same thing?  :)

I guess next time I'll hafta read your mind.  I only had what you wrote
to go on -- which seemed to be implying something false.  I was only replying
to point out that it -was- indeed possible to sign in once.  I think what
you meant was that you wanted to sign in once and once only using the
proscribed password, but then change that to a new password, and then use
that password periodically?

Yes, although I would say use that new password every time.  I don't cache
passwords other than at home, and not all the time there.

    
          
     
Subject: 
Re: New feature: Article rating
Newsgroups: 
lugnet.admin.general
Date: 
Mon, 27 Mar 2000 18:06:22 GMT
Highlighted: 
(details)
Viewed: 
2859 times
  

In lugnet.admin.general, Mike Stanley writes:
Yes, although I would say use that new password every time.  I don't cache
passwords other than at home, and not all the time there.

Just a side note about the sign-in cookie...  Your member ID and password are
stored in the cookie, but in murfled form.  Thus, if someone is able to steal
your sign-in cookie, they can impersonate you, but they still won't know your
password, and they won't be able to change your password.  But you know your
password, and if you change it, then the cookie they stole a copy of would
stop working.

--Todd
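One way to get the three properties described in the post above (a stolen cookie allows impersonation but does not reveal the password, cannot be used to change it, and stops working once the password changes), as an added example that is not LUGNET's code. The post does not say what "murfled" means; this sketch assumes a keyed MAC over the member ID, an expiry time and the stored password verifier, and every name in it is hypothetical.

```python
# Added illustration: a sign-in cookie bound to the stored password verifier.
# Assumption: "murfled" is modelled here as HMAC-SHA256 under a server-side key.
import hashlib
import hmac
import os
import time

SERVER_KEY = os.urandom(32)   # server-side secret, generated for the demo
ACCOUNTS = {}                 # member_id -> (salt, password verifier)


def _verifier(password, salt):
    """Slow one-way transform of the password; only this value is stored."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def set_password(member_id, password):
    salt = os.urandom(16)
    ACCOUNTS[member_id] = (salt, _verifier(password, salt))


def check_password(member_id, password):
    salt, stored = ACCOUNTS[member_id]
    return hmac.compare_digest(stored, _verifier(password, salt))


def _tag(member_id, expires, verifier):
    """MAC that covers the member ID, the expiry and the current verifier."""
    message = f"{member_id}|{expires}|".encode() + verifier
    return hmac.new(SERVER_KEY, message, hashlib.sha256).hexdigest()


def issue_cookie(member_id, password, lifetime=3600, now=None):
    """Sign in with the password; return a cookie valid for `lifetime` seconds."""
    if not check_password(member_id, password):
        raise PermissionError("wrong password")
    now = time.time() if now is None else now
    expires = int(now) + lifetime
    verifier = ACCOUNTS[member_id][1]
    return f"{member_id}|{expires}|{_tag(member_id, expires, verifier)}"


def validate_cookie(cookie, now=None):
    """Return the member ID the cookie authenticates, or None."""
    now = time.time() if now is None else now
    try:
        member_id, expires_text, tag = cookie.split("|")
        expires = int(expires_text)
    except ValueError:
        return None
    if member_id not in ACCOUNTS or expires < now:
        return None
    # The tag is recomputed from the verifier stored *now*, so a password
    # change silently invalidates every cookie issued before it.
    expected = _tag(member_id, expires, ACCOUNTS[member_id][1])
    if hmac.compare_digest(tag.encode(), expected.encode()):
        return member_id
    return None


def change_password(member_id, current_password, new_password):
    """Require the current password itself; holding a cookie is not enough."""
    if not check_password(member_id, current_password):
        return False
    set_password(member_id, new_password)
    return True


if __name__ == "__main__":
    set_password("260", "constructed-Pa55phrase")        # constructed account
    stolen = issue_cookie("260", "constructed-Pa55phrase")
    print("cookie accepted:", validate_cookie(stolen))
    change_password("260", "constructed-Pa55phrase", "another-constructed-1")
    print("after password change:", validate_cookie(stolen))
```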

   
         
     
Subject: 
Re: New feature: Article rating
Newsgroups: 
lugnet.admin.general
Date: 
Sun, 26 Mar 2000 01:05:35 GMT
Viewed: 
1356 times
  

In lugnet.admin.general, Todd Lehman & Suzanne Rich writes:
LUGNET's article rating system is now running and hungry for input!

As the community continues to grow, so does the challenge in keeping up.  Some
days it can be difficult to find exciting content among the hundreds of new
messages.

To aid browsing, each news article now carries a rating in the range 0 (low)
to 100 (high).

This feature is designed to benefit all, but particularly to benefit casual
readers who cannot devote time.


How it works:

Each signed-in[1] LUGNET Member may mark a read article from "low" (0) to
"high" (100) using a row of buttons.  This input affects the average rating
for that article.

To absorb and dampen extreme input conditions which would otherwise allow a
small number of inputs to "peg the scale," all articles start out with an
automatic midpoint rating of 50, which also participates in the average just
as any human-entered rating would.[2]

The marking process is lasting and unlimited.  Thus, you could rate messages
from weeks, months, or even years ago, and since the composite rating is
simply a numerical average, it doesn't matter which order you go in.

Only LUGNET Members can rate articles, but anyone can view and benefit from
the ratings.  Your individual ratings are shown to you only.


In the long-term:

*  Stronger content becomes easier and easier to find, rather than the
  opposite.

*  Spotlight[3] news becomes easier to identify and more representative of
  community opinion.

*  As you contribute more input, the system can learn how your input correlates
  with the input of others.  It could even attempt to highlight things it
  thinks you might find particularly interesting.

*  The rating engine could be put to generalized use, for example, in rating
  LEGO sets, voting on sites for CLSotW, in judging contests, and so forth.
  A sort of match-making service may even develop!

--Todd & Suz


[1] http://www.lugnet.com/people/members/sign-in/

[2] Thus, if a first person rates an article 90, its rating becomes (50+90)/2
   or 70.  If a second person then rates the same article 100, its rating
   then becomes (50+90+100)/3 or 80.  Average ratings of 0 or 100 are
   extremely improbable, by design.

[3] http://www.lugnet.com/?p=spotlight

So, of course, us slugs who don't have a membership have to put up with others'
opinions without being able to inflict ours on others (well, numerically
speaking).  :-)


Bruce

   
         
     
Subject: 
Re: New feature: Article rating
Newsgroups: 
lugnet.admin.general
Date: 
Sun, 26 Mar 2000 01:13:16 GMT
Viewed: 
1405 times
  

cool!  I also like where it says "you just rated this message" and "2
minutes ago you rated this message" :)  now, what about putting an
X-message-rating in the outgoing mail/news so we can see the rating of
messages in our newsreaders/mail?  Shouldn't be too hard to implement,
no?

Great work :)

Dan

    
          
     
Subject: 
Re: New feature: Article rating
Newsgroups: 
lugnet.admin.general
Date: 
Sun, 26 Mar 2000 01:16:23 GMT
Viewed: 
1423 times
  

In lugnet.admin.general, Dan Boger writes:
cool!  I also like where it says "you just rated this message" and "2
minutes ago you rated this message" :)  now, what about putting an
X-message-rating in the outgoing mail/news so we can see the rating of
messages in our newsreaders/mail?  Shouldn't be too hard to implement,
no?

Easy to do in the outgoing mail, very hard to do in the outgoing news.
But almost all the outgoing mail goes out within 60 seconds of the article
being posted, so they'd all say 50 anyway.

--Todd

    
          
     
Subject: 
Re: New feature: Article rating
Newsgroups: 
lugnet.admin.general
Date: 
Sun, 26 Mar 2000 01:26:20 GMT
Viewed: 
1453 times
  

In lugnet.admin.general, Todd Lehman writes:

Easy to do in the outgoing mail, very hard to do in the outgoing news.
But almost all the outgoing mail goes out within 60 seconds of the article
being posted, so they'd all say 50 anyway.

Doh! didn't think of that... hmm... what I was getting at is that the avid.cgi
will spit it out...  since most users can't/won't modify their newsreaders
anyhow, it'll only help those of us that use a custom made reader anyhow...

:)

Dan

    
          
     
Subject: 
Re: New feature: Article rating
Newsgroups: 
lugnet.admin.general
Date: 
Sun, 26 Mar 2000 01:38:25 GMT
Highlighted: 
(details)
Viewed: 
1700 times
  

In lugnet.admin.general, Dan Boger writes:
In lugnet.admin.general, Todd Lehman writes:
Easy to do in the outgoing mail, very hard to do in the outgoing news.
But almost all the outgoing mail goes out within 60 seconds of the article
being posted, so they'd all say 50 anyway.

Doh! didn't think of that... hmm... what I was getting at is that the
avid.cgi will spit it out...  since most users can't/won't modify their
newsreaders anyhow, it'll only help those of us that use a custom made
reader anyhow...

Maybe a header could be snuck in there, yeah.  Or maybe there should be a
counterpart to avid.cgi (or a URL-line switch) to fetch (for updating) the
latest article ratings without having to fetch the bodies again.

--Todd

    
          
      
Subject: 
Re: New feature: Article rating
Newsgroups: 
lugnet.admin.general
Date: 
Sun, 26 Mar 2000 03:01:17 GMT
Viewed: 
1555 times
  

In lugnet.admin.general, Todd Lehman writes:
In lugnet.admin.general, Dan Boger writes:
In lugnet.admin.general, Todd Lehman writes:
Easy to do in the outgoing mail, very hard to do in the outgoing news.
But almost all the outgoing mail goes out within 60 seconds of the article
being posted, so they'd all say 50 anyway.

Doh! didn't think of that... hmm... what I was getting at is that the
avid.cgi will spit it out...  since most users can't/won't modify their
newsreaders anyhow, it'll only help those of us that use a custom made
reader anyhow...

Maybe a header could be snuck in there, yeah.  Or maybe there should be a
counterpart to avid.cgi (or a URL-line switch) to fetch (for updating) the
latest article ratings without having to fetch the bodies again.

--Todd


MAYBE Lugnet should publish a newsreader for NNTP purposes.  I am sure that
Todd could do it and could certainly get assistance from other Lugnetters.  It
may be the copyright/proprietary stuff that will get messy.

Whattaya think Todd?? Ever considered this?

__Kevin Salm__

     
           
      
Subject: 
Re: New feature: Article rating
Newsgroups: 
lugnet.admin.general
Date: 
Sun, 26 Mar 2000 03:44:09 GMT
Highlighted: 
(details)
Viewed: 
1611 times
  

In lugnet.admin.general, Kevin Salm writes:
MAYBE Lugnet should publish a newsreader for NNTP purposes.  I am sure that
Todd could do it and could certainly get assistance from other Lugnetters.
It may be the copyright/proprietary stuff that will get messy.
Whattaya think Todd?? Ever considered this?

Sproat is working on something really cool.

--Todd

     
           
      
Subject: 
Re: New feature: Article rating
Newsgroups: 
lugnet.admin.general
Date: 
Sun, 26 Mar 2000 03:54:51 GMT
Viewed: 
1585 times
  

In lugnet.admin.general, Todd Lehman writes:
In lugnet.admin.general, Kevin Salm writes:
MAYBE Lugnet should publish a newsreader for NNTP purposes.  I am sure that
Todd could do it and could certainly get assistance from other Lugnetters.
It may be the copyright/proprietary stuff that will get messy.
Whattaya think Todd?? Ever considered this?

Sproat is working on something really cool.

--Todd

Excellent.  In my mind, he certainly seems to be the best candidate for such a
thing.

Makes me think I should get some training in computer language and programming
as I do not have any knowledge of such things.  Certainly would widen the
career options for me, too.

__Kevin Salm__

    
          
     
Subject: 
Re: New feature: Article rating
Newsgroups: 
lugnet.admin.general
Date: 
Sun, 26 Mar 2000 04:12:20 GMT
Viewed: 
1697 times
  

In lugnet.admin.general, Todd Lehman writes:
Maybe a header could be snuck in there, yeah.  Or maybe there should be a
counterpart to avid.cgi (or a URL-line switch) to fetch (for updating) the
latest article ratings without having to fetch the bodies again.

I think that a URL-line switch for this would be great.  Now if only I'd become
a member sooner so that I could have my membership packet by now. :)

Ben Roller

   
         
     
Subject: 
Re: New feature: Article rating
Newsgroups: 
lugnet.admin.general
Date: 
Sun, 26 Mar 2000 01:14:16 GMT
Viewed: 
1420 times
  

In lugnet.admin.general, Todd Lehman & Suzanne Rich writes:
Only LUGNET Members can rate articles, but anyone can view and benefit from
the ratings.  Your individual ratings are shown to you only.

That'll require my password...I hope this doesn't sound pushy, but when are the
260's packets going out?
--Bram

    
          
      
Subject: 
Re: New feature: Article rating
Newsgroups: 
lugnet.admin.general
Date: 
Sun, 26 Mar 2000 01:17:15 GMT
Viewed: 
1439 times
  

In lugnet.admin.general, Bram Lambrecht writes:
In lugnet.admin.general, Todd Lehman & Suzanne Rich writes:
Only LUGNET Members can rate articles, but anyone can view and benefit from
the ratings.  Your individual ratings are shown to you only.

That'll require my password...I hope this doesn't sound pushy, but when are
the 260's packets going out?

Monday morning...?

--Todd

     
           
      
Subject: 
Re: New feature: Article rating
Newsgroups: 
lugnet.admin.general
Date: 
Fri, 31 Mar 2000 02:38:15 GMT
Viewed: 
1588 times
  

In lugnet.admin.general, Todd Lehman writes:
In lugnet.admin.general, Bram Lambrecht writes:
In lugnet.admin.general, Todd Lehman & Suzanne Rich writes:
Only LUGNET Members can rate articles, but anyone can view and benefit
from the ratings.  Your individual ratings are shown to you only.

That'll require my password...I hope this doesn't sound pushy, but when are
the 260's packets going out?

Monday morning...?

An apology -- these are still sitting.  Thought the pw stuff would go a lot
smoother.  Really want to get the pw stuff ironed out before subjecting any
more people to those awful machine-generated default pw's.  I'll post again
tomorrow saying whether they're in transit or still sitting.

--Todd

     
           
      
Subject: 
Re: New feature: Article rating
Newsgroups: 
lugnet.admin.general
Date: 
Sat, 1 Apr 2000 01:38:08 GMT
Viewed: 
1715 times
  

In lugnet.admin.general, Todd Lehman writes:
An apology -- these are still sitting.  Thought the pw stuff would go a lot
smoother.  Really want to get the pw stuff ironed out before subjecting any
more people to those awful machine-generated default pw's.  I'll post again
tomorrow saying whether they're in transit or still sitting.

OK.  I can wait a little longer :)
--Bram

    
          
     
Subject: 
Re: New feature: Article rating
Newsgroups: 
lugnet.admin.general
Date: 
Sun, 26 Mar 2000 02:52:54 GMT
Highlighted: 
! (details)
Viewed: 
1456 times
  

In lugnet.admin.general, Bram Lambrecht writes:
In lugnet.admin.general, Todd Lehman & Suzanne Rich writes:
Only LUGNET Members can rate articles, but anyone can view and benefit from
the ratings.  Your individual ratings are shown to you only.

That'll require my password...I hope this doesn't sound pushy, but when are the
260's packets going out?
--Bram

Be patient.  Todd gets them out relatively quickly, I think.  Certainly faster
than Auczilla winnings--much less counting and packaging.  At least I was happy
with the short time it took for my member packet to arrive.

Speaking of memberships and this new article rating system being implemented--
I now think I now know why Mr. Tom Stangl has recently become a member.
Personally I am surprised he was not one of the first 50 or so people to send
along his membership fee.  Perhaps Tom has some personal issues or something
along those lines making him reluctant until now.

Membership to Lugnet is/will soon be an excellent thing.  I am anxious for new
developments to come to fruition as I know Todd has said there are a few more
in the works right now.  Thinking back to the original Lugnut plan [1][2] and
looking it over again now, it really shows how well planned this whole lugnet
experiment has been all along.  A few features discussed in the plan are being
offered at/by other locations, such as galleries at brickshelf.com, but as a
whole I think that lugnet has turned out well.

I would like to see a few more customized message search options from the web
interface, and I am confident that those features will appear soon.  The
message rating system is just part of such customized searches, but may be a
critical component of such a thing.  It may also have some impact in regard to
any type of archiving of messages in case the need to purge messages arises.

From a fantasy perspective, I can see a mirror site, for example, lugnet_2.com,
that is a boiled down archive of news messages that are finely referenced and
cross referenced on specific issues and topics providing the reader with the
best information and informed opinions possible without a lot of ~noise~
content or unrelated conversation.  This will require a lot of objective input
and even some subjective decision making, but may be a very worthwhile
endeavor.  Again, this new message rating system may provide the basis for such
a thing.

But don't take my opinions as fact, read the messages in lugnet.admin.general
regarding article scoring.  The main thread starts here -->
http://www.lugnet.com/admin/general/?n=4819


_______________________________________________________

                  Kevin Salm
....The biggest fan of the Gray Lego brick....
_______________________________________________________





[1] http://www.lugnet.com/admin/plan/
[2] as I remember, the initial name for Lugnet WAS Lugnut

    
          
      
Subject: 
Re: New feature: Article rating
Newsgroups: 
lugnet.admin.general
Date: 
Sun, 26 Mar 2000 03:02:56 GMT
Highlighted: 
(details)
Viewed: 
1438 times
  

In lugnet.admin.general, Kevin Salm writes:
Thinking back to the original Lugnut plan [1][2] and
looking it over again now, it really shows how well planned this whole lugnet
experiment has been all along.

I have to "me too" here - I especially like the idea of the visual-community
with road-layouts based on Pac-Man levels :) Actually, one of the nice things
about reading through that plan is that it does have little things like that in
there - like the mini-history of street design from the Victorian era onwards!

Any thoughts of VRML'ing the visual community bit?


[1] http://www.lugnet.com/admin/plan/
[2] as I remember, the initial name for Lugnet WAS Lugnut

I didn't know that :)

Richard

    
          
     
Subject: 
Re: New feature: Article rating
Newsgroups: 
lugnet.admin.general
Date: 
Sun, 26 Mar 2000 03:43:19 GMT
Viewed: 
1442 times
  

In lugnet.admin.general, Kevin Salm writes:
Speaking of memberships and this new article rating system being
implemented-- I now think I now know why Mr. Tom Stangl has recently become
a member.   Personally I am surprised he was not one of the first 50 or so
people to send along his membership fee.  Perhaps Tom has some personal
issues or something along those lines making him reluctant until now.

Tom joined within a matter of hours, as soon as he learned that we were accepting
payment via PayPal.


[2] as I remember, the initial name for Lugnet WAS Lugnut

Nope, never.

--Todd

   
         
     
Subject: 
Re: New feature: Article rating
Newsgroups: 
lugnet.admin.general
Date: 
Sun, 26 Mar 2000 01:18:03 GMT
Highlighted: 
(details)
Viewed: 
1368 times
  

In lugnet.admin.general, Todd Lehman & Suzanne Rich writes:

*  As you contribute more input, the system can learn how your input
  correlates with the input of others.  It could even attempt to highlight
  things it thinks you might find particularly interesting.

*  The rating engine could be put to generalized use, for example, in rating
  LEGO sets, voting on sites for CLSotW, in judging contests, and so forth.
  A sort of match-making service may even develop!

In my initial excitement, I missed the above - that's a really cute idea!
Although if it correlated two people that liked the same themes there may be
fights in TRU :)

The ability to change how much you score the article is cool, and it probably
is not an issue - but should there be a way to change your mind so
that you can express 'no opinion' after you have voted?

Richard

   
         
     
Subject: 
Re: New feature: Article rating
Newsgroups: 
lugnet.admin.general
Date: 
Sun, 26 Mar 2000 02:17:26 GMT
Highlighted: 
(details)
Viewed: 
1396 times
  

Could you put up a thing that lets each person view their average rating?
Alan

    
          
      
Subject: 
Re: New feature: Article rating
Newsgroups: 
lugnet.admin.general
Date: 
Sun, 26 Mar 2000 02:32:58 GMT
Highlighted: 
(details)
Viewed: 
1420 times
  

In lugnet.admin.general, Alan Gerber writes:
Could you put up a thing that lets each person view their average rating?

The database doesn't track that.  It actually doesn't even know that it's
tracking news articles that have been posted by individual people.

--Todd

     
           
      
Subject: 
Re: New feature: Article rating
Newsgroups: 
lugnet.admin.general
Date: 
Sun, 26 Mar 2000 03:22:21 GMT
Highlighted: 
! (details)
Viewed: 
1476 times
  

In lugnet.admin.general, Todd Lehman writes:
In lugnet.admin.general, Alan Gerber writes:
Could you put up a thing that lets each person view their average rating?

The database doesn't track that.  It actually doesn't even know that it's
tracking news articles that have been posted by individual people.

--Todd

Plus, article scoring is not a popularity contest.  It is intended to save time
for readers and also to help direct readers towards messages that have the best
content on the subject they wish to read about.

If you think you may be concerned about your article ratings, just be certain
that your posts are carefully worded, are on-topic, and have content that
people will want to read a long time from now.
Several types of posts are not really subject to article scoring--like auction
and buy-sell-trade posts, posts asking a question (the response posts with the
answer may be entitled to high scores, though), and posts that are akin to
saying ~ME TOO~

But, if you wish, you can always rate all of your own posts at 100% that would
give you a 75 rating until someone else rates it differently.

__Kevin Salm__

     
           
      
Subject: 
Re: New feature: Article rating
Newsgroups: 
lugnet.admin.general
Date: 
Sun, 26 Mar 2000 03:34:51 GMT
Highlighted: 
(details)
Viewed: 
1537 times
  

In lugnet.admin.general, Kevin Salm writes:

Plus, article scoring is not a popularity contest.  It is intended to save
time for readers and also to help direct readers towards messages that have
the best content on the subject they wish to read about.

Agreed!


Several types of posts are not really subject to article scoring--
[...]
posts asking a question (the response posts with the answer may be entitled to
high scores, though)

I think questions should be voted - especially if the answer is wanted by a lot
of people, but does that mean that the question post should be voted lower once
it has been answered? From a "Show me all the best articles" perspective it's
good, from a history "What sort of posts are good" perspective, it's not so
good though! It perhaps depends on whether the table is time-based or not?

Richard
Richard

     
           
      
Subject: 
Re: New feature: Article rating
Newsgroups: 
lugnet.admin.general
Date: 
Sun, 26 Mar 2000 03:47:15 GMT
Highlighted: 
(details)
Viewed: 
1530 times
  

In lugnet.admin.general, Richard Franks writes:
I think questions should be voted - especially if the answer is wanted by a
lot of people, but does that mean that the question post should be voted
lower once it has been answered? From a "Show me all the best articles"
perspective it's good, from a history "What sort of posts are good"
perspective, it's not so good though! It perhaps depends on whether the
table is time-based or not?

Elapsed time (or article age) will be a parameter to that display, yes.
Selectable at view-time, and using some kind of bell curve to weight it.

--Todd

    
          
     
Subject: 
Re: New feature: Article rating
Newsgroups: 
lugnet.admin.general
Date: 
Sun, 26 Mar 2000 02:34:27 GMT
Highlighted: 
(details)
Viewed: 
1405 times
  

In lugnet.admin.general, Alan Gerber writes:
Could you put up a thing that lets each person view their average rating?

IMHO it should be more information-centric than person-centric - it shouldn't
be whether a person posts lots of good posts or lots of bad posts (and I know
you were talking about someone viewing their own rating), but what information
is out there.

I think the average rating would be kinda meaningless - eg - a newbie may
casually say how annoyed he is as there isn't any new LEGO at his local shop,
just lots of old gray space ships. Obviously an important post! Someone may
post a legitimate question that was answered 30-something seconds ago, and it's
scored low because of unfortunate timing.

My thinking is - what useful conclusions can be drawn from comparing the
average ratings of these two people?

Richard

   
         
     
Subject: 
Re: New feature: Article rating
Newsgroups: 
lugnet.admin.general
Date: 
Sun, 26 Mar 2000 04:53:41 GMT
Highlighted: 
(details)
Viewed: 
1380 times
  

In lugnet.admin.general, Todd Lehman & Suzanne Rich writes:
LUGNET's article rating system is now running and hungry for input!

Can't be as hungry as I thought it would be.
It won't let me rate cancelled messages.

A Default rating of 50 for a cancelled message seems a bit high for me.  It
might be more appropriate for a cancelled message to have a score of zero.

__Kevin Salm__

   
         
     
Subject: 
Re: New feature: Article rating
Newsgroups: 
lugnet.admin.general
Date: 
Sun, 26 Mar 2000 12:34:39 GMT
Highlighted: 
(details)
Viewed: 
1579 times
  

In lugnet.admin.general, Todd Lehman & Suzanne Rich writes:
LUGNET's article rating system is now running and hungry for input!

As the community continues to grow, so does the challenge in keeping up.  Some
days it can be difficult to find exciting content among the hundreds of new
messages.

To aid browsing, each news article now carries a rating in the range 0 (low)
to 100 (high).

This feature is designed to benefit all, but particularly to benefit casual
readers who cannot devote time.

Excellent.

I do foresee one possible area that could be a problem (but I could be
overreacting) - Auction/Sale/Trade announcements could all end up with a 75
rating (the initial 50 and then the poster gives it a 100).  This could give a
false rating for those announcements.

One minor kvetch.  Logging in assumes that I know my password (which I don't and
have to dig it out each time).  Is "changing your password" in the works?

    
          
     
Subject: 
Re: New feature: Article rating
Newsgroups: 
lugnet.admin.general
Date: 
Sun, 26 Mar 2000 17:30:38 GMT
Highlighted: 
! (details)
Viewed: 
1646 times
  

In lugnet.admin.general, Ed Jones writes:
I do foresee one possible area that could be a problem (but I could be
overreacting) - Auction/Sale/Trade announcements could all end up with a 75
rating (the initial 50 and then the poster gives it a 100).  This could give
a false rating for those announcements.

It'll probably get counter-balanced by people marking some of the more annoying
ones down.  Anyway, it's up to each individual reader whether or not they wish
to pay attention to the ratings.


One minor kvetch.  Logging in assumes that I know my password (which I don't
and have to dig it out each time).

Do you sign in often from a public place such as a library?


Is "changing your password" in the works?

Thinking more about it -- but it needs to be thought through very carefully.

For example, if people can pick just any old password they want, then there
has to be some sort of check by the server to make sure that the password
isn't too insecure.  Usually these checks involve scanning a dictionary of
words and names doing permutations on them, etc.  The check has to be able to
identify double-word as well as single-word problems, for example "giraffe"
(one word) or "puppydog" (two words) or "boxed" (one word, but also two
portions of a name).

That's for the user's protection.  Secondly, for LUGNET's protection, there
has to be some way to ensure that people don't use passwords here that they
might use elsewhere.  For example, if someone uses the password "blorkshmork"
everywhere online, that's bad from LUGNET's point of view, because it opens
up potential questions or finger-pointing if someone's account on some other
system ever was compromised.  Consider this hypothetical situation:  "Someone
broke into my PayPal account yesterday and took all my money.  The only other
place I use that password is at LUGNET.  Not that I particularly suspect
anyone, but this certainly does raise some questions."  From a risk assessment
point of view, it's imperative to take this possibility under consideration
and prevent even the possibility of it happening, if at all possible.

Of course, there are solutions (at least two I can think of so far*):

1.  Allow people to select from several machine-generated passwords and to
    choose a favorite.

2.  Allow people to add an easy-to-remember password of their own choosing
    on top of the main password, and require both passwords in order to be
    fully signed-in.  This would allow people to store their main password in
    a main cookie on machines at work, and use the secondary easy-to-remember
    password for quick signing in and signing out whenever they wanted.  Thus
    they would only have to remember one short password which someone snooping
    on their machine probably couldn't guess, yet the main password would
    still be there for other security reasons.

--Todd

* I've been thinking about this for more than two years and have still only
come up with these two solutions.

    
          
      
Subject: 
Re: New feature: Article rating
Newsgroups: 
lugnet.admin.general
Date: 
Sun, 26 Mar 2000 17:41:08 GMT
Highlighted: 
(details)
Viewed: 
1672 times
  

In lugnet.admin.general, Todd Lehman writes:

2.  Allow people to add an easy-to-remember password of their own choosing
   on top of the main password, and require both passwords in order to be
   fully signed-in.  This would allow people to store their main password in
   a main cookie on machines at work, and use the secondary easy-to-remember
   password for quick signing in and signing out whenever they wanted.  Thus
   they would only have to remember one short password which someone snooping
   on their machine probably couldn't guess, yet the main password would
   still be there for other security reasons.

I think people should be able to be fully signed in without machine-generated
passwords - otherwise it is discriminating against those who use a lot of
different machines. What about using the double-login idea with two distinct
user-definable passwords?

Or making it (if you can legally do so) the *user's* responsibility to choose a
secure password, by making them click a "I accept total responsibility if
LUGNET is hacked into and this password is used to get into some of my other
accounts because I'm too dumb to use a unique password". But in a (more
polite?) legalese fashion.

Richard

     
           
      
Subject: 
Re: New feature: Article rating
Newsgroups: 
lugnet.admin.general
Date: 
Sun, 26 Mar 2000 18:00:24 GMT
Highlighted: 
(details)
Viewed: 
1656 times
  

In lugnet.admin.general, Richard Franks writes:
I think people should be able to be fully signed in without machine-generated
passwords - otherwise it is discriminating against those who use a lot of
different machines. What about using the double-login idea with two distinct
user-definable passwords?




Or making it (if you can legally do so) the *user's* responsibility to choose
a secure password, by making them click a "I accept total responsibility if
LUGNET is hacked into and this password is used to get into some of my other
accounts because I'm too dumb to use a unique password". But in a (more
polite?) legalese fashion.

That would potentially shift some of the blame if something bad did happen to
someone, but could it prevent blame or suspicions from occurring in the first
place?  It seems to me that such wording or agreement would not actually
lessen the potential maximum amount of damage.  We're talking about a type of
damage where there is an infinite amount of difference between impossible and
extremely improbable, and no difference between improbable and extremely
improbable.  If someone's account on some other system did ever get compromised
somehow and they'd used the same password on LUGNET, it doesn't protect LUGNET
in any way except financially if someone has agreed not to hold LUGNET
responsible for problems of that nature.

--Todd

p.s.  It's already covered, BTW, in the Terms of Use Agreement, under agreeing
to indemnify and hold LUGNET harmless for any problems.

    
          
      
Subject: 
Re: New feature: Article rating
Newsgroups: 
lugnet.admin.general
Date: 
Sun, 26 Mar 2000 17:58:53 GMT
Viewed: 
1678 times
  

In lugnet.admin.general, Todd Lehman writes:
In lugnet.admin.general, Ed Jones writes:
I do foresee one possible area that could be a problem (but I could be
overreacting) - Auction/Sale/Trade announcements could all end up with a 75
rating (the initial 50 and then the poster gives it a 100).  This could give
a false rating for those announcements.

It'll probably get counter-balanced by people marking some of the more annoying
ones down.  Anyway, it's up to each individual reader whether or not they wish
to pay attention to the ratings.

Hrmmm .... or maybe article scoring could be turned off for the market
groups where listings are posted?  Probably not, though, since those groups
often contain discussion in addition to listings.

One minor kvetch.  Logging in assumes that I know my password (which I don't
and have to dig it out each time).

Do you sign in often from a public place such as a library?

Dunno about Ed, but I read LUGNET from public places every day - meaning
places other than my primary machine at work or at home.  Labs, publicly
accessible machines, coworkers' cubicles, etc.

Thinking more about it -- but it needs to be thought through very carefully.

I agree, but it needs to _happen_ or the "sign in to use 'em" features are
much less valuable to at least some users.

For example, if people can pick just any old password they want, then there
has to be some sort of check by the server to make sure that the password
isn't too insecure.  Usually these checks involve scanning a dictionary of
words and names doing permutations on them, etc.  The check has to be able to
identify double-word as well as single-word problems, for example "giraffe"
(one word) or "puppydog" (two words) or "boxed" (one word, but also two
portions of a name).

How about minimum of 8 characters with at least 2 numbers or other special
characters?   6 and 1 is fairly common.

Of course, there are solutions (at least two I can think of so far*):

1.  Allow people to select from several machine-generated passwords and to
   choose a favorite.

Still don't like it.  And what's to prevent people from memorizing that
password and using it on other systems?  You're back to the "what if LUGNET
is hacked and someone uses those passwords to empty Paypal accounts" scenario.

2.  Allow people to add an easy-to-remember password of their own choosing
   on top of the main password, and require both passwords in order to be
   fully signed-in.  This would allow people to store their main password in

But this would still require a user to carry that long password around with
them, especially if they used public machines.  Storing a cookie on one of
my lab machines may do you some good for anywhere from a few hours to a few
days, depending on when that machine gets an image pushed down to it, wiping
those cookies out.

     
           
       
Subject: 
Re: New feature: Article rating
Newsgroups: 
lugnet.admin.general
Date: 
Sun, 26 Mar 2000 18:23:11 GMT
Highlighted: 
(details)
Viewed: 
1768 times
  

In lugnet.admin.general, Mike Stanley writes:
Still don't like it.  And what's to prevent people from memorizing that
password and using it on other systems?  [...]

Excellent point.  Thanks.  You've just demonstrated that a machine generated
password does absolutely nothing to ensure (as in 100%) that a password is
actually unique to a particular system.  It makes it more probable, but doesn't
unconditionally guarantee it.

(A side chuckle:  In some future world where retinal scans are commonplace,
you're kinda limited there to two passwords.  :-)

--Todd

      
            
        
Subject: 
Re: New feature: Article rating
Newsgroups: 
lugnet.admin.general
Date: 
Sun, 26 Mar 2000 19:20:42 GMT
Reply-To: 
cjc@newsguy.{antispam}com
Highlighted: 
! (details)
Viewed: 
1751 times
  

On Sun, 26 Mar 2000 18:23:11 GMT, Todd Lehman <lehman@javanet.com>
wrote:

In lugnet.admin.general, Mike Stanley writes:
Still don't like it.  And what's to prevent people from memorizing that
password and using it on other systems?  [...]

Excellent point.  Thanks.  You've just demonstrated that a machine generated
password does absolutely nothing to ensure (as in 100%) that a password is
actually unique to a particular system.  It makes it more probable, but doesn't
unconditionally guarantee it.

What I used to do and still do in some cases where I think people
might be trying to get my passwords is to use a core word (I choose
one from about a dozen Latin or Russian words, sometimes spelled, in
the case of Russian, the way I like to spell them, not necessarily the
correct way) then wrap it or break it up with one of a half dozen
numbers (ranging from 2-6 digits) and then wrap or break that up with
the name of the site or some abbreviated form of it (lugnet might be
lugnet or lug or gn or whatever).

That usually comes up with a fairly secure password.

--
Tired of waiting for LEGO Direct? Bulk Parts Sales NOW!
http://www.guarded-inn.com/lego/sales/parts.html

      
            
       
Subject: 
Re: New feature: Article rating
Newsgroups: 
lugnet.admin.general
Date: 
Sun, 26 Mar 2000 23:42:55 GMT
Highlighted: 
(details)
Viewed: 
1797 times
  

On Sun, 26 Mar 2000 18:23:11 GMT, Todd Lehman <lehman@javanet.com> wrote:

In lugnet.admin.general, Mike Stanley writes:
Still don't like it.  And what's to prevent people from memorizing that
password and using it on other systems?  [...]

Excellent point.  Thanks.  You've just demonstrated that a machine generated
password does absolutely nothing to ensure (as in 100%) that a password is
actually unique to a particular system.  It makes it more probable, but doesn't
unconditionally guarantee it.

(A side chuckle:  In some future world where retinal scans are commonplace,
you're kinda limited there to two passwords.  :-)

--Todd

That future world may not be as far off as you might think.  I have a friend
that works for a company that is working on inexpensive retina scanners for NT
logon among other things.

Rob

-

Rob Farver - mailto:rfarver@rcn.com
             http://www.farver.com/lego/
             http://members.ebay.com/aboutme/rfarver

      
            
       
Subject: 
Re: New feature: Article rating
Newsgroups: 
lugnet.admin.general, lugnet.off-topic.geek
Followup-To: 
lugnet.off-topic.geek
Date: 
Mon, 27 Mar 2000 00:11:58 GMT
Highlighted: 
(details)
Viewed: 
1787 times
  

In lugnet.admin.general, Robert Farver writes:

That future world may not be as far off as you might think.  I have a friend
that works for a company that is working on inexpensive retina scanners for NT
logon among other things.

Is it true that those things cause blindness after 20 years use?

Richard

     
           
      
Subject: 
Re: New feature: Article rating
Newsgroups: 
lugnet.admin.general
Date: 
Mon, 27 Mar 2000 17:04:39 GMT
Viewed: 
1777 times
  

In lugnet.admin.general, Mike Stanley writes:
In lugnet.admin.general, Todd Lehman writes:

How about minimum of 8 characters with at least 2 numbers or other special
characters?   6 and 1 is fairly common.

The argument here is that if you get too restrictive (requiring one non
alphanumeric, for example) you cut the set of passwords down far enough that
you make brute force attack easier!

I tend to favor trying a few quick checks on the pw to see if it's easily
guessable and if it is, telling the user that it's not the greatest choice, but
not actually preventing its use.

But then I haven't yet seen where Lugnet needs the level of security that, for
example, Derek S needs when he goes to work (in a missile silo).

X.com doesn't require anything special about PWs... when you use X you have
more at risk than at Lugnet (well, your honor and reputation are more at risk
here if someone starts posting in your name). Doesn't make their lax security
"right" but there is an appropriate level of effort to put into this, not sure
what it is yet.

++Lar
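
Putting numbers on the keyspace argument in the post above, as an added calculation that is not part of the thread. It counts passwords of exactly the minimum length under the "8 and 2" and "6 and 1" rules quoted there and compares them with letter-only choices, assuming 94 printable ASCII characters (space excluded) chosen uniformly at random; the function names are hypothetical.

```python
from math import comb, log2

LETTERS = 52       # a-z and A-Z
NON_LETTERS = 42   # 10 digits + 32 ASCII punctuation marks (assumed alphabet)


def count_compliant(length, min_non_letters):
    """Count strings of the given length that contain at least
    min_non_letters digits or symbols, each position drawn from the
    94-character alphabet above."""
    # Choose which j positions hold non-letters, then fill both groups.
    return sum(comb(length, j) * NON_LETTERS ** j * LETTERS ** (length - j)
               for j in range(min_non_letters, length + 1))


def keyspace_bits():
    """Return log2 of the number of possible passwords for each policy."""
    spaces = {
        "8 lowercase letters": 26 ** 8,
        "8 lowercase letters or digits": 36 ** 8,
        "6 chars, >=1 non-letter": count_compliant(6, 1),
        "8 chars, >=2 non-letters": count_compliant(8, 2),
        "8 chars, any printable": count_compliant(8, 0),
    }
    return {name: log2(size) for name, size in spaces.items()}


if __name__ == "__main__":
    for name, bits in keyspace_bits().items():
        print(f"{name:32} {bits:6.2f} bits")
```

Under these assumptions the "8 and 2" rule excludes about 6.5% of all 8-character strings, roughly 0.1 bit, while 8 lowercase letters alone span about 37.6 bits against about 52.4 for the full alphabet.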

     
           
       
Subject: 
Re: New feature: Article rating
Newsgroups: 
lugnet.admin.general
Date: 
Mon, 27 Mar 2000 17:10:34 GMT
Highlighted: 
(details)
Viewed: 
1770 times
  

In lugnet.admin.general, Larry Pieniazek writes:

X.com doesn't require anything special about PWs... when you use X you have
more at risk than at Lugnet (well, your honor and reputation are more at risk
here if someone starts posting in your name). Doesn't make their lax security
"right" but there is an appropriate level of effort to put into this, not sure
what it is yet.

can't someone already post in your name without knowing your password?  I
believe all you need to be able to post is your name and email address...  heh,
going to test that in a sec.

btw, as far as password choosing and forcing - well, I believe one should be
allowed to set his own password.  The people who don't care, or want to
carry/remember the automatic one will not change it, but the people who, for
reasons of their own, want to change it, will.   The server could put some
restrictions on the password (say, no less than 5 characters) and should warn
if you choose a bad password (your first name is not a good password)...  But
if I want my lugnet password to be a simple one, that means I'm not worried
about it being cracked - my problem, and my problem alone - no?

:)

Dan

     
           
      
Subject: 
Re: New feature: Article rating
Newsgroups: 
lugnet.admin.general
Date: 
Tue, 28 Mar 2000 02:21:26 GMT
Highlighted: 
(details)
Viewed: 
1815 times
  

In lugnet.admin.general, Larry Pieniazek writes:
In lugnet.admin.general, Mike Stanley writes:
In lugnet.admin.general, Todd Lehman writes:
How about minimum of 8 characters with at least 2 numbers or other special
characters?   6 and 1 is fairly common.

The argument here is that if you get too restrictive (requiring one non
alphanumeric, for example) you cut the set of passwords down far enough that
you make brute force attack easier!

I hope you'll forgive me if I'm skeptical of that statement.  I haven't
studied human factors of cryptography in depth but my BS was in mathematics.
I know what you're saying, and why it might be true given a certain set of
assumptions, but how is it known that those assumptions are true?

If you pick a typical random person off the street and ask them to pick a
password, they're probably going to (at best) concatenate a short word or
two or reverse a 5 or 6 digit word, or do something with their initials or
their birthdate.  Is it not highly probable that the domain of input symbols
a typical person would pick is a through z and maybe the digits 0 through 9?

If the answer to that is yes, then requiring at least one other special
character increases the size of the password domain, making brute force
attacks harder.

If the answer to that is no (geeks, for example, or anyone who understands
anything about cryptography or simple permutations), then requiring at least
one other special character probably doesn't increase the password domain at
all, and since geeks already know enough to use special symbols, it
arguably doesn't reduce the size of the password domain from what they would
have used anyway.

In other words, although "sriypc" (all letters) is a much better password
than "69vette" (letters and numbers) or "s@h-4-me" (letters and numbers and
so-called 'special' characters), isn't it still _more likely_ that requiring
something other than non-pure-letters results in better passwords overall?

Even better yet IMHO is to do these two things:

1.  First, educate people on how to pick a good password (like what you
    suggested earlier).
2.  Check the password's strength (by trying to crack it) right when the user
    tries to set a new one, and reject weak passwords.

The challenge lies in #2 (and surely this must still even today be a very hot
area of research) because it should allow "sriypc" but not "69vette", and
"vt9te6e" but not "crispy".


I tend to favor trying a few quick checks on the pw to see if it's easily
guessable and if it is, telling the user that it's not the greatest choice,

Any pointers to papers on this sort of thing would be highly appreciated!


but not actually preventing its use.

Disagree on that one.  :)

"Uh, you really shouldn't use 'abc' as your password.  What, you want to
anyway?  You idiot, that's a really dumb password.  Are you *really* sure?
sigh...OK, well, there it is then...but don't say I didn't warn you."
[2 weeks later]  "Hey, some luser just broke into your account using your
braindead password that I warned you about.  Oh well, I guess it's OK because
I warned you three times.  Too bad.  Have a nice day."


X.com doesn't require anything special about PWs... when you use X you have
more at risk than at Lugnet (well, your honor and reputation are more at
risk here if someone starts posting in your name). Doesn't make their lax
security "right" but there is an appropriate level of effort to put into
this, not sure what it is yet.

X.com is still in the membership-acquisition-is-priority-zero phase of their
growth.  Any barriers that protect users but not X are useless baggage to X
at this point.  After their "viral growth" slows, it'll be safe for them to
raise the barriers a little higher and protect users better.  Nothing matters
more to X.com and PayPal right now than acquiring new members into their
network and capturing market segment as fast as possible.

(Disclaimer:  I don't work for X.com or PayPal so obviously you'll want to
take this with a grain of salt.  But this is nothing more than modern network
economics.)

--Todd

     
           
      
Subject: 
Re: New feature: Article rating
Newsgroups: 
lugnet.admin.general
Date: 
Tue, 28 Mar 2000 02:36:09 GMT
Highlighted: 
(details)
Viewed: 
1824 times
  

Personally, I'd love some tips on how to pick good passwords that are easy to
remember. I'll admit to using poor passwords, and re-using them. These days,
one seems to need so many passwords that I can't see how you can really work
well if you really do choose a different password for every site, and I'm
assuming somehow coding the site into an otherwise shared password is not
good. I.e. "lcp7j53qt" for Lugnet and "ebp7j53qt" for eBay is not a good idea
(though those might be sort of ok if all you have is those two, but if you
have a bunch, someone could discover your pattern).

Obviously one way to manage the number of passwords is to have some common
passwords for sites requiring low security (like sharing a password for a
bunch of business related read only web sites is probably not that bad, sure,
if someone gets your password and shares it, one of the sites might get pissed
off that hundreds or thousands of people are logging into their site using
your account, but they can cut their losses pretty quickly, and you may just
lose out by having your account canceled).

What are people's feelings on systems which require you to change your password
every 6 months or whatever? It seems to me that that just encourages people to
use weaker passwords.

Frank

     
           
      
Subject: 
Re: New feature: Article rating
Newsgroups: 
lugnet.admin.general
Date: 
Tue, 28 Mar 2000 16:22:33 GMT
Highlighted: 
(details)
Viewed: 
1836 times
  

In lugnet.admin.general, Frank Filz writes:
Personally, I'd love some tips on how to pick good passwords that are easy to
remember. I'll admit to using poor passwords, and re-using them. These days,
one seems to need so many passwords that I can't see how you can really work
well if you really do choose a different password for every site, and I'm
assuming somehow coding the site into an otherwise shared password is not
good. I.e. "lcp7j53qt" for Lugnet and "ebp7j53qt" for eBay is not a good idea
(though those might be sort of ok if all you have is those two, but if you
have a bunch, someone could discover your pattern).

Yes, although if someone has enough familiarity with you (and access to you)
to figure out what sites you frequent, under what names/aliases/IDs, and crack
(or attempt to crack) enough of your passwords to establish a pattern, you've
got bigger problems.  (I'm speaking to a typical user here - obviously there
are some work-related situations where this could come about fairly easily)

Obviously one way to manage the number of passwords is to have some common
passwords for sites requiring low security (like sharing a password for a
bunch of business related read only web sites is probably not that bad, sure,
if someone gets your password and shares it, one of the sites might get pissed
off that hundreds or thousands of people are logging into their site using
your account, but they can cut their losses pretty quickly, and you may just
lose out by having your account canceled).

The easiest way to keep track of passwords is to use a personal association,
and munge the reference.  Use a word (preferably not a name) that is relevant
to you, but not obviously so (don't pick "polarbear" if your office is
decorated in them), and then munge it, either by dyslexic swapping
(ploarbear), number/char inserting (pol3arbear, polarb@ear, but not p0larbear
or similar obvious swaps), deliberate misspelling (pularbar) or some
combination of the above (pula$rbar, poarbaer, etc).  Mixing caps in at random
is good too - most systems are case sensitive, these days.

What are people's feelings on systems which require you to change your password
every 6 months or whatever? It seems to me that that just encourages people to
use weaker passwords.

From my observations, most people just get annoyed at these systems, and use
an incremental password.  (polarbear1, polarbear2, etc)  Not a good effect on
system security.

James
http://www.shades-of-night.com/lego/
I'm getting paid for this --> alladvantage.com
Sign up via me, the reference $$ go to fund Lugnet.

    
          
     
Subject: 
Re: New feature: Article rating
Newsgroups: 
lugnet.admin.general
Date: 
Mon, 27 Mar 2000 15:49:09 GMT
Highlighted: 
! (details)
Viewed: 
1729 times
  

In lugnet.admin.general, Todd Lehman writes:
In lugnet.admin.general, Ed Jones writes:
I do foresee one possible area that could be a problem (but I could be
overreacting) - Auction/Sale/Trade announcements could all end up with a 75
rating (the initial 50 and then the poster gives it a 100).  This could give
a false rating for those announcements.

It'll probably get counter-balanced by people marking some of the more annoying
ones down.  Anyway, it's up to each individual reader whether or not they wish
to pay attention to the ratings.

Good point.

One minor kvetch.  Logging in assumes that I know my password (which I don't
and have to dig it out each time).

Do you sign in often from a public place such as a library?

I sign in from various workstations in various training rooms in 2 different
buildings.

Is "changing your password" in the works?

Thinking more about it -- but it needs to be thought through very carefully.

For example, if people can pick just any old password they want, then there
has to be some sort of check by the server to make sure that the password
isn't too insecure.  Usually these checks involve scanning a dictionary of
words and names doing permutations on them, etc.  The check has to be able to
identify double-word as well as single-word problems, for example "giraffe"
(one word) or "puppydog" (two words) or "boxed" (one word, but also two
portions of a name).

That's for the user's protection.  Secondly, for LUGNET's protection, there
has to be some way to ensure that people don't use passwords here that they
might use elsewhere.  For example, if someone uses the password "blorkshmork"
everywhere online, that's bad from LUGNET's point of view, because it opens
up potential questions or finger-pointing if someone's account on some other
system ever was compromised.  Consider this hypothetical situation:  "Someone
broke into my PayPal account yesterday and took all my money.  The only other
place I use that password is at LUGNET.  Not that I particularly suspect
anyone, but this certainly does raise some questions."  From a risk assessment
point of view, it's imperative to take this possibility under consideration
and prevent even the possibility of it happening, if at all possible.

Of course, there are solutions (at least two I can think of so far*):

1.  Allow people to select from several machine-generated passwords and to
   choose a favorite.

2.  Allow people to add an easy-to-remember password of their own choosing
   on top of the main password, and require both passwords in order to be
   fully signed-in.  This would allow people to store their main password in
   a main cookie on machines at work, and use the secondary easy-to-remember
   password for quick signing in and signing out whenever they wanted.  Thus
   they would only have to remember one short password which someone snooping
   on their machine probably couldn't guess, yet the main password would
   still be there for other security reasons.

--Todd

* I've been thinking about this for more than two years and have still only
come up with these two solutions.

Until you added Article Rating, the only function a member could perform by
logging in was to edit their profile (if I am correct - I doubt it).  Now that
I have a reason to use my password.....

Hmm...  actually, if someone wants to hack into LUGNET that badly, the basic
character (language, digits, scrambling, etc.) of their password isn't going to
stop them, as the last rash of major site stoppages demonstrated.

I personally hate generated passwords and change them as soon as possible to
something that has significant meaning only to me.

Perhaps if you required that members create a password that would:
- Only be used for LUGNET
- Not be stored in a cookie

I would certainly have no problem with that.  Cookies get deleted/corrupted
anyway (for some reason I have to resubscribe to LUGNET about every 2 weeks
because my cookie gets deleted/corrupted).  I would much rather rely on my
memory of my password than a cookie.

Anyway, just food for thought.
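The dictionary-style check discussed in this subthread (single words, double words, reversals, digits tacked on the ends, obvious character swaps), as an added example that is not part of any post and not LUGNET's code. The word list is a constructed stand-in for a real dictionary, and the function names and the six-character minimum are assumptions.

```python
# Constructed mini word list built from the thread's own examples; a real
# check would load a full dictionary plus a list of names.
WORDS = {"giraffe", "puppy", "dog", "boxed", "box", "ed", "crispy", "vette",
         "polarbear", "polar", "bear", "abc"}

# Obvious character swaps that guessing tools undo (p0larbear -> polarbear).
SWAPS = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                       "5": "s", "7": "t", "@": "a", "$": "s"})

EDGE_CHARS = "0123456789!@#$%^&*-_."


def word_parts(s, words, max_parts=2):
    """Return the dictionary words that concatenate to s, or None.

    Covers both "giraffe" (one word) and "puppydog" (two words).
    """
    if s in words:
        return [s]
    if max_parts > 1:
        for i in range(1, len(s)):
            if s[:i] in words:
                rest = word_parts(s[i:], words, max_parts - 1)
                if rest:
                    return [s[:i]] + rest
    return None


def variants(password):
    """Yield (label, candidate) pairs for cheap transformations to undo."""
    p = password.lower()
    core = p.strip(EDGE_CHARS)
    yield "as typed", p
    yield "reversed", p[::-1]
    yield "digits/symbols trimmed from the ends", core
    yield "common character swaps undone", p.translate(SWAPS)
    yield "swaps undone, ends trimmed", core.translate(SWAPS)


def check_password(password, words=WORDS, min_length=6):
    """Return the reasons a password is weak; an empty list means no check fired."""
    reasons = []
    if len(password) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    seen = set()
    for label, candidate in variants(password):
        if candidate in seen:
            continue  # same string already tested under an earlier label
        seen.add(candidate)
        parts = word_parts(candidate, words)
        if parts:
            reasons.append(f"{label}: {'+'.join(parts)}")
    return reasons


if __name__ == "__main__":
    for pw in ["giraffe", "puppydog", "boxed", "crispy", "69vette",
               "polarbear1", "p0larbear", "sriypc", "vt9te6e"]:
        verdict = check_password(pw)
        print(f"{pw:12} {'REJECT: ' + '; '.join(verdict) if verdict else 'ok'}")
```

An empty result only means none of these quick checks fired; it is not a measure of strength.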

    
          
     
Subject: 
Re: New feature: Article rating
Newsgroups: 
lugnet.admin.general
Date: 
Mon, 27 Mar 2000 20:12:50 GMT
Highlighted: 
! (details)
Viewed: 
1809 times
  

In lugnet.admin.general, Ed Jones writes:
[...]
Perhaps if you required that members create a password that would:
- Only be used for LUGNET

This could be a polite request to people, but as Mike Stanley pointed out
yesterday, there's technically no way to ensure it 100%.  (Which doesn't
diminish its desirability, only its effectiveness somewhat.)


- Not be stored in a cookie

How would you use your member account if your info wasn't stored in a cookie
when you signed in?  (That's the sole purpose of signing in.)


I would certainly have no problem with that.  Cookies get deleted/corrupted
anyway (for some reason I have to resubscribe to LUGNET about every 2 weeks
because my cookie gets deleted/corrupted).  I would much rather rely on my
memory of my password than a cookie.

I see what you mean, I think, but the cookie isn't there to help you remember
your password -- it's there to store your password so that you don't have to
type it in each time on every single form or input that needs to authenticate
you (not many now, but in the future with more whiz-bang things like marking
sets as wanted or bidding in auctions, it could be hundreds a day for some
people.)

I do agree that you do need to be able to change your password to something
that is easier for you to remember.

--Todd

    
          
      
Subject: 
Re: New feature: Article rating
Newsgroups: 
lugnet.admin.general
Date: 
Mon, 27 Mar 2000 20:25:37 GMT
Highlighted: 
(details)
Viewed: 
1794 times
  

In lugnet.admin.general, Todd Lehman writes:

I do agree that you do need to be able to change your password to something
that is easier for you to remember.

Thank you.

And I do agree with you that there is value in making the password hard to
crack. Value to the user and value to Lugnet.

Now we're just down to figuring out how best to achieve both and what the
priority is...

++Lar

    
          
     
Subject: 
Re: New feature: Article rating
Newsgroups: 
lugnet.admin.general
Date: 
Mon, 27 Mar 2000 23:35:21 GMT
Highlighted: 
(details)
Viewed: 
1853 times
  

In lugnet.admin.general, Todd Lehman writes:
In lugnet.admin.general, Ed Jones writes:
[...]
Perhaps if you required that members create a password that would:
- Only be used for LUGNET

This could be a polite request to people, but as Mike Stanley pointed out
yesterday, there's technically no way to ensure it 100%.  (Which doesn't
diminish its desirability, only its effectiveness somewhat.)

What I meant was that if you stated that use of your LUGNET password (as
described above) in any other online application would automatically relieve
LUGNET of any responsibility of hacking to applications other than LUGNET.

- Not be stored in a cookie

How would you use your member account if your info wasn't stored in a cookie
when you signed in?  (That's the sole purpose of signing in.)

How about the Member sign-in screen.

I would certainly have no problem with that.  Cookies get deleted/corrupted
anyway (for some reason I have to resubscribe to LUGNET about every 2 weeks
because my cookie gets deleted/corrupted).  I would much rather rely on my
memory of my password than a cookie.

I see what you mean, I think, but the cookie isn't there to help you remember
your password -- it's there to store your password so that you don't have to
type it in each time on every single form or input that needs to authenticate
you (not many now, but in the future with more whiz-bang things like marking
sets as wanted or bidding in auctions, it could be hundreds a day for some
people.)

Again, signing into LUGNET via Member sign in should allow you to access all
the features of LUGNET.  Why would I need a separate cookie for each feature?

I do agree that you do need to be able to change your password to something
that is easier for you to remember.

--Todd

8 characters with a mix of alpha-numeric would be great (and standard for most
sites).

    
          
     
Subject: 
Re: New feature: Article rating
Newsgroups: 
lugnet.admin.general
Date: 
Tue, 28 Mar 2000 00:39:15 GMT
Viewed: 
1834 times
  

In lugnet.admin.general, Ed Jones writes:
In lugnet.admin.general, Todd Lehman writes:
In lugnet.admin.general, Ed Jones writes:
[...]
Perhaps if you required that members create a password that would:
- Only be used for LUGNET

This could be a polite request to people, but as Mike Stanley pointed out
yesterday, there's technically no way to ensure it 100%.  (Which doesn't
diminish its desirability, only its effectiveness somewhat.)

What I meant was that if you stated that use of your LUGNET password (as
described above) in any other online application would automatically relieve
LUGNET of any responsibility of hacking to applications other than LUGNET.

Right.  But, while that is an excellent polite request to make to people,
as Mike Stanley pointed out yesterday, there's no way to ensure that people
will follow that suggestion -- in either direction.  But it's still a good
thing to politely ask of people.

BTW, the Terms of Use Agreement already relieves LUGNET of any such liability.


How would you use your member account if your info wasn't stored in a cookie
when you signed in?  (That's the sole purpose of signing in.)

How about the Member sign-in screen.

The purpose of the sign-in screen is to authenticate you and store a cookie.


I would certainly have no problem with that.  Cookies get deleted/corrupted
anyway (for some reason I have to resubscribe to LUGNET about every 2 weeks
because my cookie gets deleted/corrupted).  I would much rather rely on my
memory of my password than a cookie.

I see what you mean, I think, but the cookie isn't there to help you remember
your password -- it's there to store your password so that you don't have to
type it in each time on every single form or input that needs to authenticate
you (not many now, but in the future with more whiz-bang things like marking
sets as wanted or bidding in auctions, it could be hundreds a day for some
people.)

Again, signing into LUGNET via Member sign in should allow you to access all
the features of LUGNET.  Why would I need a separate cookie for each feature?

Yes, we'd like to phase out the older legacy cookies in the case of members,
and let members access the non-member features using their single member
cookie.

--Todd

   
         
     
Subject: 
Re: New feature: Article rating
Newsgroups: 
lugnet.admin.general
Date: 
Mon, 27 Mar 2000 16:01:15 GMT
Highlighted: 
(details)
Viewed: 
1594 times
  

To aid browsing, each news article now carries a rating in the range 0 (low)
to 100 (high).

...just my opinion

I think the score has little value without knowing how many people have read
the post and have chosen not to vote - it could be argued (not by me) that
these readers should register an automatic 50 score as they did not care
either way?

Furthermore, while I acknowledge the system is still in its early days of
use, I can't help thinking it is all very subjective. Take this post as an
example :

http://www.lugnet.com/market/auction/?n=5150

It has a current score of 25 (one vote of nil):
http://www.lugnet.com/news/rating-graph.cgi?lugnet.market.auction:5150

I can see nothing wrong with it. I can't see why somebody has got worked up
to vote nil for it? Additionally, I think quoting anything more than the
number of votes and the score is distracting.

....just my opinion.


Scott A

    
          
      
Subject: 
Re: New feature: Article rating
Newsgroups: 
lugnet.admin.general
Date: 
Mon, 27 Mar 2000 16:27:50 GMT
Highlighted: 
(details)
Viewed: 
1749 times
  

In lugnet.admin.general, Scott Arthur writes:
To aid browsing, each news article now carries a rating in the range 0 (low)
to 100 (high).

...just my opinion

I think the score has little value without knowing how many people have read
the post and have chosen not to vote - it could be argued (not by me) that
these readers should register an automatic 50 score as they did not care
either way?

Interesting idea. If the server knew who saw what, perhaps! But we're not there
yet I don't think, especially if we take news into account (and mail
subscriptions... how is the server to know whether some one pored over it or
deleted it unread). Good idea though, keep brainstorming, I say.

Furthermore, while I acknowledge the system is still in its early days of
use, I can't help thinking it is all very subjective. Take this post as an
example :

http://www.lugnet.com/market/auction/?n=5150

It has a current score of 25 (one vote of nil):
http://www.lugnet.com/news/rating-graph.cgi?lugnet.market.auction:5150

I can see nothing wrong with it. I can't see why somebody has got worked up
to vote nil for it?

Totally agree. I voted "nil" on yours that was a bare post of a broken URL and
no other information but I think to vote 0 for a post that is correctly placed,
jaunty in tone, brief but not too brief, and has a correctly functioning URL
seems wrong to me.

Personally, I enjoy Lindsay's auction posts and his auction listings, they're
fun. And he must be happy today as Michigan State made the final 4 in
basketball...

Additionally, I think quoting anything more than the
number of votes and the score is distracting.

can you clarify what you mean by this? I think the >> to tell you you voted on
something is useful.

++Lar

    
          
     
Subject: 
Re: New feature: Article rating
Newsgroups: 
lugnet.admin.general
Date: 
Mon, 27 Mar 2000 16:47:33 GMT
Highlighted: 
(details)
Viewed: 
1567 times
  

Scott A <s.arthur@hw.ac.uk> wrote in message news:Fs38I5.Dno@lugnet.com...
To aid browsing, each news article now carries a rating in the range 0 (low)
to 100 (high).

...just my opinion

I think the score has little value without knowing how many people have read
the post and have chosen not to vote - it could be argued (not by me) that
these readers should register an automatic 50 score as they did not care
either way?

I do not rate posts now.   I am a beginner.   I read in odd pockets of time
as much as I can across the board category wise on a daily basis.  Much in
some groups is totally beyond me.  I read anyway...  I figure if the
concepts I don't understand  go in enough times they will eventually clump
together in some sort of order and make sense.
I don't want these registered as a 50.  I have made a conscious decision
not to rate.  It does not bother me whether others rate or not.  Their
business.  Maybe rating helps some decide what to read.  More information
imho is always better.
Rating and knowing how many people have chosen to read a post seems to me
are 2 different things.  Rating is a value judgement on content.  Number of
people (hits) to a post is something else.  Actually a hits # would be more
interesting to me.  Maybe this is somehow already included in traffic, I
don't know.  As I stated previously, I am still exploring.
I appreciate you putting the argument out here about the auto 50 rating.  I
realize you are not arguing for it. (or against it?)  It has given us all
something else to think.
Will I choose to rate at some future date?  I have no idea...  I am
interested in the evolution of this process and will keep reading......

sheree



Furthermore, while I acknowledge the system is still in its early days of
use, I can't help thinking it is all very subjective. Take this post as an
example :

http://www.lugnet.com/market/auction/?n=5150

It has a current score of 25 (one vote of nil):
http://www.lugnet.com/news/rating-graph.cgi?lugnet.market.auction:5150

I can see nothing wrong with it. I can't see why somebody has got worked up
to vote nil for it? Additionally, I think quoting anything more than the
number of votes and the score is distracting.



....just my opinion.


Scott A




   
         
     
Subject: 
Re: New feature: Article rating
Newsgroups: 
lugnet.admin.general
Date: 
Fri, 31 Mar 2000 01:14:47 GMT
Highlighted: 
(details)
Viewed: 
1430 times
  

I think a great side benefit of the article rating system is the fact that
articles you've rated are marked with '>>'s.  This alone makes it worth rating
every article you read, as now you don't have to rely on having your browser
remember which articles you've read.  Especially useful for when you use
multiple machines to read messages!

Thanks!

--
  David Schilling

    
          
      
Subject: 
Re: New feature: Article rating
Newsgroups: 
lugnet.admin.general
Date: 
Fri, 31 Mar 2000 01:23:17 GMT
Highlighted: 
(details)
Viewed: 
1437 times
  

In lugnet.admin.general, David Schilling writes:
I think a great side benefit of the article rating system is the fact that
articles you've rated are marked with '>>'s.  This alone makes it worth rating
every article you read, as now you don't have to rely on having your browser
remember which articles you've read.  Especially useful for when you use
multiple machines to read messages!

True, although for those of us with a 10mb+ history file, you already know
which ones you've seen or not :)

Richard

    
          
     
Subject: 
Re: New feature: Article rating
Newsgroups: 
lugnet.admin.general
Date: 
Fri, 31 Mar 2000 01:47:43 GMT
Highlighted: 
(details)
Viewed: 
1482 times
  

In lugnet.admin.general, David Schilling writes:
I think a great side benefit of the article rating system is the fact that
articles you've rated are marked with '>>'s.  This alone makes it worth rating
every article you read, as now you don't have to rely on having your browser
remember which articles you've read.  Especially useful for when you use
multiple machines to read messages!

Which clearly means Todd's sw knows articles we've read, if we've rated them.
Let's extend that to knowing ALL articles we've read. That enables a lot of
better browsing options. I would be willing to somehow mark articles as read
(if we can figure out an easy way) even if I decided against rating them...

As I said a while back if you show me a tree(nested all, not the dots tree)
view it may be reasonable to assume i read the whole tree even if I didn't rate
all the articles

And I never did hear back about whether there was an upper bound on ability to
rate nested all trees... or else i forgot

++Lar

    
          
     
Subject: 
Re: New feature: Article rating
Newsgroups: 
lugnet.admin.general
Date: 
Fri, 31 Mar 2000 02:05:04 GMT
Highlighted: 
(details)
Viewed: 
1537 times
  

In lugnet.admin.general, Larry Pieniazek writes:
Which clearly means Todd's sw knows articles we've read, if we've rated them.
Let's extend that to knowing ALL articles we've read. That enables a lot of
better browsing options. I would be willing to somehow mark articles as read
(if we can figure out an easy way) even if I decided against rating them...

As I said a while back if you show me a tree(nested all, not the dots tree)
view it may be reasonable to assume i read the whole tree even if I didn't
rate all the articles

I was thinking about this the other night a bit, and I think it could be made
to work.  If you're willing to have it assume that you'll read anything it
shows you, and you're willing to have a "mark unread" button, then that could
end up being a lot faster than having to explicitly mark things read one by
one.  (Kinda like the theory on setting a simple digital alarm clock -- one
fast-forward button and one slow-backward button.)


And I never did hear back about whether there was an upper bound on ability
to rate nested all trees... or else i forgot

Say again?  (I remember the other subthread but what do you mean by "to rate
nested all trees" and "upper bound on"?)

--Todd

    
          
     
Subject: 
Re: New feature: Article rating
Newsgroups: 
lugnet.admin.general
Date: 
Fri, 31 Mar 2000 03:37:47 GMT
Highlighted: 
(details)
Viewed: 
1871 times
  

In lugnet.admin.general, Todd Lehman writes:

I was thinking about this the other night a bit, and I think it could be made
to work.  If you're willing to have it assume that you'll read anything it
shows you, and you're willing to have a "mark unread" button, then that could
end up being a lot faster than having to explicitly mark things read one by
one.  (Kinda like the theory on setting a simple digital alarm clock -- one
fast-forward button and one slow-backward button.)

YES, I'll take a fast, possibly inaccurate way to mark read and a slow but
guaranteed accurate way to unmark read. I mark read a lot more than I unmark.

Say again?  (I remember the other subthread but what do you mean by "to rate
nested all trees" and "upper bound on"?)

A "nested all" tree is what I just made up to mean what you get when you press
the "entire thread on one page/ nested  _all_ " url. Upper bound on ability is
that I suspect if you can wait it out to display a tree with 200 posts in it,
if you go through and rate all of them and press update ratings, it doesn't
work. I'm wondering if you have seen that behavior (it's hard to reproduce, you
need to be willing to re-rate a bunch of posts to see if it took)...

++Lar

    
          
     
Subject: 
Re: New feature: Article rating
Newsgroups: 
lugnet.admin.general
Date: 
Fri, 31 Mar 2000 03:48:30 GMT
Highlighted: 
! (details)
Viewed: 
1703 times
  

In lugnet.admin.general, Larry Pieniazek writes:
YES, I'll take a fast, possibly inaccurate way to mark read and a slow but
guaranteed accurate way to unmark read. I mark read a lot more than I
unmark.

Ah, YES!  That's the wording I was looking for!  Thank you -- well said!


Say again?  (I remember the other subthread but what do you mean by "to rate
nested all trees" and "upper bound on"?)

A "nested all" tree is what I just made up to mean what you get when you
press the "entire thread on one page/ nested  _all_ " url.

OK, roger that.


Upper bound on ability is that I suspect if you can wait it out to display
a tree with 200 posts in it, if you go through and rate all of them and
press update ratings, it doesn't work.

OK, thanks for clarifying.


I'm wondering if you have seen that behavior (it's hard to reproduce, you
need to be willing to re-rate a bunch of posts to see if it took)...

That's odd.  No, I haven't seen it.  I wonder if it's overflowing some form
size or something in the browser?  Each "vote" is cast via a form field which
looks like this:

   RATE~lugnet.foo.bar.baz:1234=56

But 200 of those is still pretty small (definitely less than 10K).  Hmm.
And it's tough to imagine a browser limiting the number of fields to such
a low number as 200.

I wonder if it's confused in some worse way on the server.  When you've
noticed this happening, did it give any error page (bad) or did the changes
simply fail to take hold (worse)?  Have you noticed whether it was the latter
articles in the list or was it seemingly random?  TIA for any more info.

--Todd

    
          
     
Subject: 
Re: New feature: Article rating
Newsgroups: 
lugnet.admin.general
Date: 
Fri, 31 Mar 2000 04:09:09 GMT
Highlighted: 
(details)
Viewed: 
1698 times
  

In lugnet.admin.general, Todd Lehman writes:
In lugnet.admin.general, Larry Pieniazek writes:

That's odd.  No, I haven't seen it.  I wonder if it's overflowing some form
size or something in the browser?  Each "vote" is cast via a form field which
looks like this:

  RATE~lugnet.foo.bar.baz:1234=56

But 200 of those is still pretty small (definitely less than 10K).  Hmm.
And it's tough to imagine a browser limiting the number of fields to such
a low number as 200.

This was against the Tree That Shall Not Be Named for fear of stirring it up
again, at the time I think it was about 180 or so, and I had rated maybe 30 of
them. I went through and rated every single post. In some cases I changed
existing ratings, in some cases added new.

Then I pressed the refresh the ratings button. None of my changes took. When
the page redisplayed (it took a while to render even over the fast network conn
I was on) everything was as it had been. No error message. So I went and found
another large tree (debate has enough of them) and tried it there too... in
that case I had never rated anything. That didn't take either.

Now, it is possible my browser is drain bamaged or that there's pilot error
here, I'm a bit more tired than normal, right now we're pulling 80-90 hour
weeks trying to get ready for the show.

I'm running NS comm 4.7 on NT 4, service pack 6, on an IBM 600X pentium III
with 192M of real mem.

I wonder if it's confused in some worse way on the server.  When you've
noticed this happening, did it give any error page (bad) or did the changes
simply fail to take hold (worse)?  Have you noticed whether it was the latter
articles in the list or was it seemingly random?  TIA for any more info.

I could swear it was all of them, as if the value pairs never got submitted
rather than the server side (or the pair gatherer that processes the forms
inside of the rendering engine on the client side) choking out processing them.

++Lar

   
         
   
Subject: 
Opinions wanted: article rating harmful? (was: New feature: Article rating)
Newsgroups: 
lugnet.admin.general, lugnet.general, lugnet.announce
Followup-To: 
lugnet.admin.general
Date: 
Thu, 20 Apr 2000 18:06:23 GMT
Highlighted: 
!! (details)
Viewed: 
4502 times
  

All,

It seems at this point that the article rating feature -- intended to help --
is actually causing more harm than good to the community.  It's difficult to
gauge how much harm is being done when opinions are so varied, but it's clear
that something needs to be changed.

Technically, the rating system is working extremely well and, from an admin
point of view, the composite ratings being produced seem very well consistent
with the rating system's main goal of being able to highlight recommended
reading to those short on time.

However, it seems that the high visibility of both the raw and composite
numbers is having an overall negative effect on the community's morale.
Some of the deeper concerns are raised in this message and its replies:

   http://www.lugnet.com/admin/general/?n=6130

I also received a private e-mail last night describing the rating system as
"a fiasco and an embarrassment to LUGNET" and calling for its removal.

Clearly, these are very strong feelings being expressed by people.  How many
others feel this way?  What would you like to see happen?  Post your thoughts
as a reply to this message (or reply privately if you prefer not to post your
thoughts publicly).

As to possible "fixes," there have been many suggestions over the past few
weeks, most of which center around making the rating numbers less obvious or
gone altogether.  If you're curious, you can find most of these in the group
lugnet.admin.general -- but it's a lot to wade through.

The first, original purpose for having ratings was to be able to lay the
foundation for the later creation of a variety of "what's hot" or "top X of
group Y" listings for quick browsing -- something akin to the current
Spotlight pages, only fully automated, instantly updating, and much more
representative of collective opinion.  The second original purpose was to
lay the foundation for so-called "collaborative filtering" possibilities --
the server learns (could learn) what types of things you prefer to read,
and gives (could give) higher priority to you personally for messages rated
higher by people with similar interests.  These two main purposes become
increasingly relevant as message traffic increases.

It was never a purpose of the ratings system to make anyone ever feel bad
or unwanted or unwelcome.  Its core purpose is simply to highlight "neat or
noteworthy stuff" but not to downgrade "un-neat or un-noteworthy stuff" or
regular "fluff" (which there's nothing wrong with).

It seems that no amount of education about what the numbers mean will be able
to make a meaningful dent in the natural inclination to view, say, a 40 as
having been "marked down" from its default of 50.  Even if the default were
changed from 50 to 0 (so that numbers tended almost always to climb rather
than to climb half of the time and fall half of the time), it seems likely
that feelings will still be hurt, because it seems that some people are hurt
by the fact that others are getting 80's and 90's while they are getting 40's
or 50's or 60's.  Going with a scale 0 to 100, in retrospect, hasn't been any
better from an overall morale point of view than if a scale -100 to +100 had
been used.

Specific personal questions:

1.  How would you feel (better or worse) if the numeric values of the ratings
were not displayed to you unless you specifically requested (via some simple
setting) that they be displayed to you?

2.  How would you feel (better or worse) if the numeric values of the ratings
were not displayed ever to anyone but collected and used by the server only
for internal calculations, hotlist generation, and personal recommendations
to you?

3.  How would you feel (better or worse) if the ratings were not even
collected and collated in the first place?  (i.e. the destruction of the
feature altogether)

4.  Have you ever felt victimized by the rating system?  Have you posted
something which has obtained a low rating and felt uncomfortable or unhappy
about yourself or about LUGNET because of the low rating?  How often?

5.  Have you ever felt victimized indirectly by seeing someone else's post
get a high rating?  How often?

6.  Do you feel that the article rating system makes it easier for you or
harder for you to share your ideas?  And does this bother you?

7.  How does your initial reaction to the announcement of the article rating
system compare to your current opinion of it?

8.  Do you feel that it is too early, too late, or the right time to address
these issues?

9.  What other areas (besides news articles) can you imagine that a
collaborative ratings system would be most helpful to you?  LEGO sets?
Websites?  Individual web pages?  etc...

Thanks for your time,
--Todd

[followups to .admin.general]

   
         
     
Subject: 
Re: Opinions wanted: article rating harmful? (was: New feature: Article rating)
Newsgroups: 
lugnet.admin.general
Date: 
Mon, 10 Apr 2000 07:18:08 GMT
Reply-To: 
sgore@superonline(stopspam).com
Viewed: 
2111 times
  

Todd Lehman wrote:

Specific personal questions:

2.  How would you feel (better or worse) if the numeric values of the ratings
were not displayed ever to anyone but collected and used by the server only
for internal calculations, hotlist generation, and personal recommendations
to you?

This is the best option I think, at least better than the option below
(which I was thinking as the best, until reading your message). It
doesn't include the feeling of "elitism is at the front door" by
satisfying an automated "top n list" feature at the same time.


3.  How would you feel (better or worse) if the ratings were not even
collected and collated in the first place?  (i.e. the destruction of the
feature altogether)

4.  Have you ever felt victimized by the rating system?  Have you posted
something which has obtained a low rating and felt uncomfortable or unhappy
about yourself or about LUGNET because of the low rating?  How often?


Actually, before I read your opinion request, I didn't care about
ratings of my posts (I use NNTP) so I checked the ratings of my posts
several minutes ago for first time. It's very interesting that my
highest rated post is the one in which I expressed my dislike about
rating system..:-) I won't hurt in any way by seeing my posts are rated
low, but this doesn't mean that (in any way) I feel comfortable about
the procedure. Lugnet is not an academic place where participants
supposed to present scientific assays or defend their master thesis to
an academic council, IMHO. I visit Lugnet in my SPARE TIME, and it's an
integral part of my HOBBY, which is obviously a SPARE TIME activity by
nature, of which the purpose is nothing but FUN and RELAXING. I can
explain further but I'm sure you get what my point is.

9.  What other areas (besides news articles) can you imagine that a
collaborative ratings system would be most helpful to you?  LEGO sets?
Websites?  Individual web pages?  etc...


Lego Set? Why not..:-)

Web sites? Yeah, may be. Web sites and news group posts are very
different in nature and I think former is very suitable for rating,
while the latter is no need to be rated (besides being not suitable),
especially in the Lugnet case, where signal to noise ratio is very very
low, or noise is organized in a way that never bothers not interested
people. Actually, don't we rate web pages already? Your CLSoTW elections
made primarily on "rating" basis, AFAIK.


Selçuk

    
          
     
Subject: 
Re: Opinions wanted: article rating harmful? (was: New feature: Article rating)
Newsgroups: 
lugnet.admin.general
Date: 
Fri, 21 Apr 2000 15:51:16 GMT
Viewed: 
2122 times
  

In lugnet.admin.general, Selçuk Göre writes:
This is the best option I think, at least better than the option below
(which I was thinking as the best, until reading your message). It
doesn't include the feeling of "elitism is at the front door" by
satisfying an automated "top n list" feature at the same time.

OK, good, we need to get rid of any feelings of elitism...


Actually, before I read your opinion request, I didn't care about
ratings of my posts (I use NNTP) so I checked the ratings of my posts
several minutes ago for first time. It's very interesting that my
highest rated post is the one in which I expressed my dislike about
rating system..:-)

Isn't that ironic?  :)  I've marked almost every message on this thread as
100 as a recommendation to read and for the insightful comments.  Perhaps
others did as well, or others agreed directly with the concerns (I agreed
with the concerns, BTW).


I won't hurt in any way by seeing my posts are rated
low, but this doesn't mean that (in any way) I feel comfortable about
the procedure. Lugnet is not an academic place where participants
supposed to present scientific assays or defend their master thesis to
an academic council, IMHO. I visit Lugnet in my SPARE TIME, and it's an
integral part of my HOBBY, which is obviously a SPARE TIME activity by
nature, of which the purpose is nothing but FUN and RELAXING. I can
explain further but I'm sure you get what my point is.

Oh yes!  :)


Web sites? Yeah, may be. Web sites and news group posts are very
different in nature and I think former is very suitable for rating,
while the latter is no need to be rated (besides being not suitable),
especially in the Lugnet case, where signal to noise ratio is very very
low, or noise is organized in a way that never bothers not interested
people.

I think you're onto something there, but I also think that the signal-to-noise
ratio is an extremely personal thing.  By "extremely personal" I mean
that it varies widely from person to person.  Someone said, for example, that
they found approximately 75% of the messages here to be fluff or noise, and
another said that they enjoy reading what they consider fluff.

Not everyone does or wants to read everything, and I know people for whom
90% of all the messages here are just noise -- because their time is limited.
That's a very _low_ signal-to-noise ratio.


Actually, don't we rate web pages already? Your CLSoTW elections
made primarily on "rating" basis, AFAIK.

The resulting list of sites spun out by CLSotW is a very crude "in or out"
list.  The main (read: 99%) original purpose of CLSotW was to give a place
to visit once a week to curl up with a cup of coffee and visit some "cool"
(and hopefully relatively new) LEGO-related website.  The archive of past
picks is just a by-product (a nice freebie).  The summaries of the sites are
the writings of one person -- not extremely helpful compared to what could be
possible instead.

But more importantly, there can only be one CLSotW per week, and at any given
time there are dozens of sites out there which most people would consider
"cool" but which, for one reason or another, aren't easily findable.  The
CLSotW page (in its current form) can only show so much.

What I'd like to see someday (this is just me, and I haven't collected
opinions from others on this yet) is a system to rate not only whole websites
but individual pages of websites -- and then collate the ratings and produce
hourly revolving "top N" lists.  Age of last addition would be an important
factor here, so that things would drop in their position on the list with the
passage of time.  Currently, there is just no way to keep up with all the
great stuff that's being put on display at all the various fan websites.
Without some collaborative rating system for webpages, I'm going to miss at
least half of the great stuff no matter how hard I try...so I'd rather miss
the things that didn't get high ratings and see the things that did.  Then
if I have a bit of extra time I can go down the list and look at slightly
lower-rated things.  And it would be especially helpful to me if it knew my
preferences and also gave me the option to turn them off or to show me random
things.  And categorizing and tagging is important too.

In other words, I trust the collective opinion of a bunch of people far more
than I trust random events which might lead me to something interesting.  (Of
course, a mix of both is needed, otherwise one never exposes oneself to new
things -- but that should be a personal decision.)

--Todd

    
          
      
Subject: 
Rating websites.... (was: opinions on rating)
Newsgroups: 
lugnet.admin.general
Date: 
Fri, 21 Apr 2000 16:24:02 GMT
Viewed: 
2096 times
  

In lugnet.admin.general, Todd Lehman writes:
The resulting list of sites spun out by CLSotW is a very crude "in or out"
list.  The main (read: 99%) original purpose of CLSotW was to give a place
to visit once a week to curl up with a cup of coffee and visit some "cool"
(and hopefully relatively new) LEGO-related website.

If you consider this original purpose, CLSotW has definitely lived up to it
and much more! I look forward to the new pick every week, and I usually check
out the nominations too. I think it's a great thing as is and should not be
mixed with any other system that might come up-- it's just fun!

What I'd like to see someday (this is just me, and I haven't collected
opinions from others on this yet) is a system to rate not only whole websites
but individual pages of websites -- and then collate the ratings and produce
hourly revolving "top N" lists.

If you don't mind me inserting my 20 cents right about here...

I think that rating websites like we rate posts today would be EXTREMELY
harmful, much more so than rating posts can ever be. Websites are usually
results of hard work by individuals, and rating them "down" would always,
*always* be insulting, NO MATTER WHAT.

If, OTOH, the ratings for websites will be displayed only in "top N" fashion,
WITHOUT the rating number being visible AT ALL, that would be a good thing.
(I'm emphasizing the points which seem highly important from my POV so that
people don't get hurt.)

I also think that categorizing/tagging is extra-good. What I mean by tagging
(I don't know what Todd meant) is saying things like "MOCs", "Castle-related",
"Train-related", "b-s-t", etc about each site. I think that is much more
important than any rating; that way, I could ask to see only Castle related
pages, while someone else can check out b-s-t pages, and so forth. A database
of webpages that can be categorized, or at least defined by *keywords*, would
be very useful. (Whether it involved rating or not!)

I'd love to help collecting websites if need arises; I don't want Todd to
spend his time on that, as cool as I think it could be. I think that this
would work better with combined efforts, though, and the more people that
contribute, the better.

-Shiri

    
          
     
Subject: 
Re: Opinions wanted: article rating harmful? (was: New feature: Article rating)
Newsgroups: 
lugnet.admin.general
Date: 
Fri, 21 Apr 2000 16:42:35 GMT
Viewed: 
2175 times
  

In lugnet.admin.general, Todd Lehman writes:
In lugnet.admin.general, Selçuk Göre writes:
This is the best option I think, at least better than the option below
(which I was thinking as the best, until reading your message). It
doesn't include the feeling of "elitism is at the front door" by
satisfying an automated "top n list" feature at the same time.

OK, good, we need to get rid of any feelings of elitism...

I can't pinpoint any concrete examples of elitism, per se...but, upon
reflection I can see where some debates degenerated into lowballing of
comments from opposing perspectives ...I view Lugnet as a Microcosm of the
internet information explosion: everyone has different standards and
criteria for syphoning usable content from the volumes of raw data
available.  Some people will tolerate a higher "signal to noise" ratio...I
guess my speakers hum a little more than others = )


Actually, before I read your opinion request, I didn't care about
ratings of my posts (I use NNTP) so I checked the ratings of my posts
several minutes ago for first time. It's very interesting that my
highest rated post is the one in which I expressed my dislike about
rating system..:-)

That was my point in my "rating system is making me paranoid" post...Which
was my "highest rated-Thumbs-up post"

Isn't that ironic?

I try not to whine/complain, and yet this was my highest review...lol

  :)  I've marked almost every message on this thread as
100 as a recommendation to read and for the insightful comments.  Perhaps
others did as well, or others agreed directly with the concerns (I agreed
with the concerns, BTW).

Well that explains my rating then = )

I won't hurt in any way by seeing my posts are rated
low, but this doesn't mean that (in any way) I feel comfortable about
the procedure. Lugnet is not an academic place where participants
supposed to present scientific assays or defend their master thesis to
an academic council, IMHO. I visit Lugnet in my SPARE TIME, and it's an
integral part of my HOBBY, which is obviously a SPARE TIME activity by
nature, of which the purpose is nothing but FUN and RELAXING. I can
explain further but I'm sure you get what my point is.

You summarized my thoughts much better than I did in my own words...That was
my initial feeling of Lugnet...I guess Lugnet is my internet version of
"Cheers" (where everybody knows your name, etc. ad nauseam = )
My comments that were critical are best viewed from the "HOBBY and
RELAXATION" point of view.  I was merely commenting that the real world is
problematic or judgemental enough; I don't come on-line to find more of the
same...Everything can't be rosy all the time, I realize that.  Lego building
+ experimentation is one of my "simple joys" or "guilty pleasures".
Therefore I try to support a very positive environment surrounding this
acquisition of time and resources.  I'm sure Todd can see from the webtv
browser hits to the server that I (and Craigo, for that matter) spend
significant amounts of time here (even if I don't post often)



Web sites? Yeah, may be. Web sites and news group posts are very
different in nature and I think former is very suitable for rating,
while the latter is no need to be rated (besides being not suitable),
especially in the Lugnet case, where signal to noise ratio is very very
low, or noise is organized in a way that never bothers not interested
people.

I think you're onto something there, but I also think that the signal-to-noise
ratio is an extremely personal thing.  By "extremely personal" I mean
that it varies widely from person to person.  Someone said, for example, that
they found approximately 75% of the messages here to be fluff or noise, and
another said that they enjoy reading what they consider fluff.

I enjoy seeing a supportive community.  Some of the fluff lets people know
that they have created something truly unique or inspiring.  A certain
amount of Positive feedback (or critical commentary) can be just as
inspiring as new pictures or discussions.  For instance, a young child
showing his creation to his parents, and the satisfaction that child feels
from finishing a project or "inventing" something new.  Regardless of age,
isn't that one of the feelings everyone attaches to this hobby? ...The
happiness derived from building, the satisfaction of displaying it, and the
desire to build something bigger, better, more complex...often reinforced by
the challenge from yourself and others to improve, evolve, and "reinvent the
wheel".
In general,  a cigar is just a cigar, and fluff is just fluff, but isn't it
worth it if one builder "blossoms" from feedback and challenges?

Not everyone does or wants to read everything, and I know people for whom
90% of all the messages here are just noise -- because their time is limited.
That's a very _low_ signal-to-noise ratio.


Actually, don't we rate web pages already? Your CLSoTW elections
made primarily on "rating" basis, AFAIK.

The resulting list of sites spun out by CLSotW is a very crude "in or out"
list.  The main (read: 99%) original purpose of CLSotW was to give a place
to visit once a week to curl up with a cup of coffee and visit some "cool"
(and hopefully relatively new) LEGO-related website.

That is how I used to spend Saturday morning or Sunday after reading the
paper...opening up my mind to new things and pondering the possibilities
while viewing someone's masterpieces.

The archive of past
picks is just a by-product (a nice freebie).  The summaries of the sites are
the writings of one person -- not extremely helpful compared to what could be
possible instead.

But more importantly, there can only be one CLSotW per week, and at any given
time there are dozens of sites out there which most people would consider
"cool" but which, for one reason or another, aren't easily findable.  The
CLSotW page (in its current form) can only show so much.

Since Lugnet has yielded so many additions to discussion groups....why not a
subcategory of .build or .publish or .general (possibly even a separate
group) analogous to Tom Stangl's S@H updates...A group where people can post
Webpage updates from ANY theme...I have not completely pondered the
consequences of cross-posting and "signal to noise" of this action, but it
might be a way for people who just want to see new content to continually
and quickly keep up w/ updated webpages besides culling "pirates", "trains"
or "castle" links and groups.  Ultimately a bulletinboard of updated
webpages from all themes to peruse at leisure...The immediate benefit being
that you are assured that all content is new = )

What I'd like to see someday (this is just me, and I haven't collected
opinions from others on this yet) is a system to rate not only whole websites
but individual pages of websites -- and then collate the ratings and produce
hourly revolving "top N" lists.  Age of last addition would be an important
factor here, so that things would drop in their position on the list with the
passage of time.  Currently, there is just no way to keep up with all the
great stuff that's being put on display at all the various fan websites.

Well I guess that's a positive and negative...so much innovation and
creativity, it's impossible to keep up...I welcome the challenge.

Without some collaborative rating system for webpages, I'm going to miss at
least half of the great stuff no matter how hard I try...so I'd rather miss
the things that didn't get high ratings and see the things that did.  Then
if I have a bit of extra time I can go down the list and look at slightly
lower-rated things.  And it would be especially helpful to me if it knew my
preferences and also gave me the option to turn them off or to show me random
things.  And categorizing and tagging is important too.

In other words, I trust the collective opinion of a bunch of people far more
than I trust random events which might lead me to something interesting.  (Of
course, a mix of both is needed, otherwise one never exposes oneself to new
things -- but that should be a personal decision.)

Kinda like a Best-sellers list or "other customers also read/purchased this:..."

--Todd

   
         
     
Subject: 
Re: Opinions wanted: article rating harmful? (was: New feature: Article rating)
Newsgroups: 
lugnet.admin.general
Date: 
Thu, 20 Apr 2000 18:23:51 GMT
Viewed: 
2093 times
  

In lugnet.general, Todd Lehman writes:

Clearly, these are very strong feelings being expressed by people.  How many
others feel this way?  What would you like to see happen?  Post your thoughts
as a reply to this message (or reply privately if you prefer not to post your
thoughts publicly).

I, personally, like the rating system.  I do understand the emotion that I
attach to my posts, and while I know I don't always post something useful, it
does stab (a tiny bit) when I see it marked down...  So I guess I wouldn't want
to have it go away, but perhaps be less visible...

1.  How would you feel (better or worse) if the numeric values of the ratings
were not displayed to you unless you specifically requested (via some simple
setting) that they be displayed to you?

that's probably a good idea - if someone wants nothing to do with the rating,
they could disable it altogether.

2.  How would you feel (better or worse) if the numeric values of the ratings
were not displayed ever to anyone but collected and used by the server only
for internal calculations, hotlist generation, and personal recommendations
to you?

I think I'd like to be able to find out what my post (or any post, for that
matter) is rated in the community.

3.  How would you feel (better or worse) if the ratings were not even
collected and collated in the first place?  (i.e. the destruction of the
feature altogether)

no, I think this would be a bad idea.  I like the ratings, and I like the idea
of the spotlight being updated automatically...

4.  Have you ever felt victimized by the rating system?  Have you posted
something which has obtained a low rating and felt uncomfortable or unhappy
about yourself or about LUGNET because of the low rating?  How often?

well, someone rated my idea that "la la la" should be an html tag as a 0.
While it stung, I definitely agreed with it.

5.  Have you ever felt victimized indirectly by seeing someone else's post
get a high rating?  How often?

nope.

6.  Do you feel that the article rating system makes it easier for you or
harder for you to share your ideas?  And does this bother you?

nope, and I don't think it makes it easier or harder...

7.  How does your initial reaction to the announcement of the article rating
system compare to your current opinion of it?

heh, well, I didn't think of all the trouble it could cause...  I still like it.

8.  Do you feel that it is too early, too late, or the right time to address
these issues?

right time :)

9.  What other areas (besides news articles) can you imagine that a
collaborative ratings system would be most helpful to you?  LEGO sets?
Websites?  Individual web pages?  etc...

don't we already have that for web pages, at least in some form, in the CSotW?


anyway, what I think should be done:

* have an option to hide the whole rating system, like it was never there...
The scores, and the voting bar as well.

* perhaps hide the score of an article by default - you won't see it unless you
are actively looking for it.  If I post a useless post (IMO), I won't bother
looking at its rating, since I know it's bad...

* possibly make the ratings invisible to anyone but the poster of that message
- though that will kinda defeat the purpose of showing other people cool
posts...

:)

Dan

    
          
     
Subject: 
Re: Opinions wanted: article rating harmful? (was: New feature: Article rating)
Newsgroups: 
lugnet.admin.general
Date: 
Thu, 20 Apr 2000 18:33:20 GMT
Viewed: 
2134 times
  

In lugnet.admin.general, Dan Boger writes:
9.  What other areas (besides news articles) can you imagine that a
collaborative ratings system would be most helpful to you?  LEGO sets?
Websites?  Individual web pages?  etc...

don't we already have that for web pages, at least in some form, in the
CSotW?

In some form, yes, but it's greatly lacking in that it has no way of learning
your personal preferences.  Already there are 180 CLSotW past picks, and just
to go through all of them (even on a T1 or a T3) would probably take someone
several days.

I believe there are also hundreds of sites out there which escape notice
too easily.  I just took a thorough look at Tom Stangl's website today, for
example, and I was totally blown away by it.  I'm not sure if I'd ever seen
the whole thing before -- only bits & pieces of it.  I wish I could rate it
very highly somewhere as a recommendation for people to check it out.  I
could post a message about it, but that's so transient -- not persistent
enough.

--Todd

    
          
     
Subject: 
Re: Opinions wanted: article rating harmful? (was: New feature: Article rating)
Newsgroups: 
lugnet.admin.general
Date: 
Thu, 20 Apr 2000 18:39:26 GMT
Viewed: 
2120 times
  

In lugnet.admin.general, Todd Lehman writes:

In some form, yes, but it's greatly lacking in that it has no way of learning
your personal preferences.  Already there are 180 CLSotW past picks, and just
to go through all of them (even on a T1 or a T3) would probably take someone
several days.

I believe there are also hundreds of sites out there which escape notice
too easily.  I just took a thorough look at Tom Stangl's website today, for
example, and I was totally blown away by it.  I'm not sure if I'd ever seen
the whole thing before -- only bits & pieces of it.  I wish I could rate it
very highly somewhere as a recommendation for people to check it out.  I
could post a message about it, but that's so transient -- not persistent
enough.

so something like /lugnet/publish/sites or /lugnet/announce/site where you (or
someone) can post a site, has to set a FUT to someplace else...  perhaps
instead of the regular message post form, you do it with a special form that
will ask for Author name, email and description?

feh, I had some other ideas for it, but this blinding headache is confusing
me... :/

More on this later.

Dan

   
         
     
Subject: 
Re: Opinions wanted: article rating harmful?
Newsgroups: 
lugnet.admin.general
Date: 
Thu, 20 Apr 2000 18:43:05 GMT
Viewed: 
2046 times
  

In lugnet.admin.general, Todd Lehman writes:

(Some snipping here, read Todd's post)
Specific personal questions:
1. ... the ratings were not displayed to you unless you specifically requested
(via some simple setting) that they be displayed to you?

2. ...the numeric values of the ratings were not displayed ever to anyone but
collected and used by the server only...

I think a combination of these could work well.  The ratings could be hidden
from public view, so that no one feels like they are being punished, and the
server could still use the numbers.  I'd like to still have the link to the
Distribution of Input page.  That way, curious users could see how that article
is being rated.  I think that this would work better than a personal setting to
make ratings visible.

I support ratings because of the possibilities that they allow (for searching,
hot topics, etc).  However, we have a natural tendency to feel bad when our
opinions aren't considered to be as great as those of others.  Getting rid of
ratings altogether would help morale, but I personally think that we'd be
losing more than we'd be (re)gaining.

3.  How would you feel (better or worse) if the ratings were not even
collected and collated in the first place?  (i.e. the destruction of the
feature altogether)

Because I know what good the ratings could be used for, I'd feel worse.


4.  Have you ever felt victimized by the rating system?

Fortunately, no.  (Perhaps not yet)


5.  Have you ever felt victimized indirectly by seeing someone else's post
get a high rating?  How often?

No, but Larry's theory that certain people mark him down automatically makes me
uncomfortable.  I hope that doesn't really happen, but if it does, it's bad.


6.  Do you feel that the article rating system makes it easier for you or
harder for you to share your ideas?

Not at all.  Though, I can see how it would for some.


7.  How does your initial reaction to the announcement of the article rating
system compare to your current opinion of it?
  I was initially upset because I sent my membership money in too late and was
missing out. :)  Now, I'm a full member that rates 90% of the messages that I
read.  It seems to me that people are getting upset over numbers that don't
actually do anything yet, so I'm currently nervous about what will happen
in the community when features based on ratings appear.

8.  Do you feel that it is too early, too late, or the right time to address
these issues?
   Perfect timing.  If it had been done before, no one would know what to
think.  If we'd waited, some people might have left.

9.  What other areas (besides news articles) can you imagine that a
collaborative ratings system would be most helpful to you?  LEGO sets?
Websites?  Individual web pages?  etc...
  Lego sets definitely!  I'd like to see an overall rating for a thread
(though that's more of a use of the current ratings).  Theme ratings could
work, though does it really help anyone to know that we all liked classic
space? :)  I think that web site ratings would cause more of a problem than
article ratings currently do.

I think I just wrote my longest Lugnet message yet. :)
Ben Roller

   
         
     
Subject: 
Re: Opinions wanted: article rating harmful? (was: New feature: Article rating)
Newsgroups: 
lugnet.admin.general
Date: 
Thu, 20 Apr 2000 18:43:31 GMT
Highlighted: 
(details)
Viewed: 
2042 times
  

In lugnet.admin.general, Todd Lehman writes:

Clearly, these are very strong feelings being expressed by people.  How many
others feel this way?  What would you like to see happen?  Post your thoughts
as a reply to this message (or reply privately if you prefer not to post your
thoughts publicly).

Hi Todd,

To be brutally honest, I had some doubts about the rating system when I
originally saw it - I wondered how long it would be before somebody
decided (say) that they didn't like someone else and started rating all of
their posts as '0'.  (I don't know if that's happened yet or not.)  I also
wondered if people would use the ranking as a "competition". (Some people
will use *anything* as a competition...)  I didn't really think either of
these possibilities were that great for LUGNET, but I kept quiet because I
really didn't have any firm evidence and I didn't want to slight your
work.

I know the rating system has made a few changes to my behavior, but it's
in the area of "checking what my articles were ranked" instead of "using
the ranking to decide what's worthwhile to read."

It was never a purpose of the ratings system to make anyone ever feel bad
or unwanted or unwelcome.  Its core purpose is simply to highlight "neat or
noteworthy stuff" but not to downgrade "un-neat or un-noteworthy stuff" or
regular "fluff" (which there's nothing wrong with).

I'm not sure how this would work (and it's certainly got potential for
abuse) but maybe a self-rating system?  I wouldn't be averse to marking
things I post as 'fluff' if they really are.

Another idea would be a non-numerical "rating" system.  Maybe you could
rate something as "Fluff", "General Interest", "Group Spotlight" (sort of
like the Spotlight, but for individual groups), and "Spotlight".  The X
posts with, say, the highest number of votes for "Group Spotlight" could
be shown in a special window.  The numbers could decay over time so it
wouldn't be always the same posts.  (Am I making this clear?  If not, tell
me and I'll try to explain...)

A keyword system might also be a possibility (to help the "finding stuff
that interests you" part of the equation).

It seems that no amount of education about what the numbers mean will be able
to make a meaningful dent in the natural inclination to view, say, a 40 as
having been "marked down" from its default of 50.

I'm afraid you're right here.  Why?  I think it's because somebody cared
enough about your post to give it a sub-50 rating, when they could have
just "left it alone".

Specific personal questions:

1.  How would you feel (better or worse) if the numeric values of the ratings
were not displayed to you unless you specifically requested (via some simple
setting) that they be displayed to you?

I don't think I'd mind that at all.  Of course, I do half of my LUGNET
reading via NNTP, so I don't always see the ratings anyway.

2.  How would you feel (better or worse) if the numeric values of the ratings
were not displayed ever to anyone but collected and used by the server only
for internal calculations, hotlist generation, and personal recommendations
to you?

I think this would really cut down on hurt feelings.  I know I wouldn't
mind it.

Would the personal recommendations be something like alexlit.com, where it
compares your ratings of articles with other people's ratings of those
same articles so it can "guess" what other articles you'd like?

3.  How would you feel (better or worse) if the ratings were not even
collected and collated in the first place?  (i.e. the destruction of the
feature altogether)

I wouldn't really miss it.

4.  Have you ever felt victimized by the rating system?  Have you posted
something which has obtained a low rating and felt uncomfortable or unhappy
about yourself or about LUGNET because of the low rating?  How often?

Hmm.  Most of the stuff I've posted that's gotten a low rating has been
"fluff", so I really didn't feel too bad about getting a low rating,
except for that first initial burst of displeasure at seeing that someone
thought my post was "not useful".

5.  Have you ever felt victimized indirectly by seeing someone else's post
get a high rating?  How often?

Hmm...not really.  But I don't study the ratings that much, either.

6.  Do you feel that the article rating system makes it easier for you or
harder for you to share your ideas?  And does this bother you?

Nope.  I'm an opinionated son of a bull moose, so the rating system isn't
going to shut me up.

7.  How does your initial reaction to the announcement of the article rating
system compare to your current opinion of it?

Not too much changed, especially now that I find out that other people
aren't satisfied with it.

8.  Do you feel that it is too early, too late, or the right time to address
these issues?

It's never too early to defuse a potential problem in the community.  "Too
late" would mean that LUGNET was doomed, and I highly doubt that it is.

9.  What other areas (besides news articles) can you imagine that a
collaborative ratings system would be most helpful to you?  LEGO sets?
Websites?  Individual web pages?  etc...

Hmm.  The websites/web pages one could get personal the way the article
ratings did, if you weren't careful.  LEGO set ratings would be pretty
cool, though!

J

   
         
     
Subject: 
Re: Opinions wanted: article rating harmful? (was: New feature: Article rating)
Newsgroups: 
lugnet.admin.general
Date: 
Thu, 20 Apr 2000 18:49:38 GMT
Highlighted: 
(details)
Viewed: 
2065 times
  

In lugnet.admin.general, Todd Lehman writes:

<bulk snip>

Specific personal questions:

1.  How would you feel (better or worse) if the numeric values of the ratings
were not displayed to you unless you specifically requested (via some simple
setting) that they be displayed to you?

Indifferent.  I've been following along, and have a pretty good idea of what
the issues are, but it just doesn't matter much to me.  I don't put much stock
in the numbers to date, since so few people are rating messages.  If the
system becomes more widespread, I'd definitely like the option of seeing the
numbers, because they will be more indicative of community opinion.

2.  How would you feel (better or worse) if the numeric values of the ratings
were not displayed ever to anyone but collected and used by the server only
for internal calculations, hotlist generation, and personal recommendations
to you?

So long as I can (when the system becomes more widespread) use the ratings as
intended, I don't care if I see the numbers.  However, it seems likely to me
that seeing the numbers (or having the option) makes it easier to use them.

3.  How would you feel (better or worse) if the ratings were not even
collected and collated in the first place?  (i.e. the destruction of the
feature altogether)

:/  One step forward, two steps back.  I think the ratings is a good idea, and
will become even more of a good idea as Lugnet grows.  The current
implementation is generating some ill-will, but I don't think that the
"damage" to the community outweighs the potential use of ratings.  I am also
of the opinion that much of the "damage" to the community is from a
misunderstanding of what the ratings indicate.

4.  Have you ever felt victimized by the rating system?  Have you posted
something which has obtained a low rating and felt uncomfortable or unhappy
about yourself or about LUGNET because of the low rating?  How often?

Not victimized, per se.  I have felt irritated, though.  A specific example:
When I posted a message about my current MOC, with description and pictures,
some anonymous individual rated it "0".  It didn't bother me that someone
thought my message wasn't worth the electrons it's printed on, it bothered me
that I had/have no way of finding out *why*.  To put it another way - I try to
contribute positively to the community here, and someone out there thinks I
didn't - I'd like to know what they think needs fixing.

5.  Have you ever felt victimized indirectly by seeing someone else's post
get a high rating?  How often?

Nope, not even remotely. (And I have a hard time understanding why anyone
would)

6.  Do you feel that the article rating system makes it easier for you or
harder for you to share your ideas?  And does this bother you?

It would be nice if there was the option for people to explain their rating.
Even just a 20 character text box would go light years to making it better.
It turns "80" and "20" into "80 - cool mech, dude!" and "20 - link doesn't
work"

But more relevantly- no, it doesn't affect my posting habits one iota.

7.  How does your initial reaction to the announcement of the article rating
system compare to your current opinion of it?

It's currently less useful than my initial expectations.  I don't think enough
people are rating messages to give a meaningful sample.  A combination of
members not signing in, apathy, and non-ease of use.

8.  Do you feel that it is too early, too late, or the right time to address
these issues?

No time like the present.  I don't think addressing it earlier would have
allowed enough time for people to react to the system.

9.  What other areas (besides news articles) can you imagine that a
collaborative ratings system would be most helpful to you?  LEGO sets?
Websites?  Individual web pages?  etc...

Oh cool... If the ratings system was linked into the Pause database, that
would be sweet!  I also think it could be useful for CLSotW, but that may be
trickier.

YMMV.

James
http://www.shades-of-night.com/lego/
I'm getting paid for this --> alladvantage.com
Sign up via me, the reference $$ go to fund Lugnet.

   
         
     
Subject: 
Re: Opinions wanted: article rating harmful? (was: New feature: Article rating)
Newsgroups: 
lugnet.admin.general
Date: 
Thu, 20 Apr 2000 19:21:07 GMT
Highlighted: 
(details)
Viewed: 
2033 times
  

Hi Todd,

My personal feedback.  I think the ratings system has caused me to post less,
if that's a concern or not.  I haven't felt belittled or berated, but I tend
to think nobody reads my posts when I see it rated by less than 3 people and
it rated poorly.  If a hundred people rated my post, even if it was voted
down, I feel like my voice has been heard.  Even though I know it's not true,
but the rating gives you the impression that "nobody read this, nobody
cares."

Conversely, I completely ignore the ratings on other people's posts.  I'm
after info on certain topics.  There's not enough people rating to make it
seem worth looking at.

Specific personal questions:

1.  How would you feel (better or worse) if the numeric values of the ratings
were not displayed to you unless you specifically requested (via some simple
setting) that they be displayed to you?

Even if my ratings were hidden, I still would want to see what it said.
Remember, ratings and responses are the only gauge Lugnet gives for people
reading your posts.  I suppose I would constantly check my own and never check
anyone else's.

2.  How would you feel (better or worse) if the numeric values of the ratings
were not displayed ever to anyone but collected and used by the server only
for internal calculations, hotlist generation, and personal recommendations
to you?

I would like that better.  I just don't know if what YOU think I like, is
equal to what I think I like.  When you tell me, "this is what you like," I'll
probably tell you, "No it isn't."  My interests usually don't line up with the
majority opinion.

3.  How would you feel (better or worse) if the ratings were not even
collected and collated in the first place?  (i.e. the destruction of the
feature altogether)

I'd like that better still.

4.  Have you ever felt victimized by the rating system?  Have you posted
something which has obtained a low rating and felt uncomfortable or unhappy
about yourself or about LUGNET because of the low rating?  How often?

I'd like to believe that very few things make me feel victimized, Oprah. :O)
My life doesn't ride on what 3 or 4 Lugnet members think about my post.  I
post less than I did before the ratings because it gives me the impression
that people aren't reading what I'm posting.

5.  Have you ever felt victimized indirectly by seeing someone else's post
get a high rating?  How often?

Never victimized.

6.  Do you feel that the article rating system makes it easier for you or
harder for you to share your ideas?  And does this bother you?

Harder.  I just feel less inclined to share.

7.  How does your initial reaction to the announcement of the article rating
system compare to your current opinion of it?

About the same.

8.  Do you feel that it is too early, too late, or the right time to address
these issues?

If I saw an increase in ratings, I'd say too early.  But I don't think most
people rate them and it doesn't look like that's on the increase.  It would
make a difference if either of the above were true.  (Being too early, I mean)

9.  What other areas (besides news articles) can you imagine that a
collaborative ratings system would be most helpful to you?  LEGO sets?
Websites?  Individual web pages?  etc...

I like when sets are rated, it gives me an idea on whether I would like it,
but that's only if they tell me why they like or dislike it.  A numeric system
tells me zero.   I think you have that covered in one of the groups.  I just
wish it had more participation.

Thanks for your time,
--Todd

[followups to .admin.general]

   
         
     
Subject: 
Re: Opinions wanted: article rating harmful? (was: New feature: Article rating)
Newsgroups: 
lugnet.admin.general
Date: 
Thu, 20 Apr 2000 19:26:45 GMT
Highlighted: 
(details)
Viewed: 
2086 times
  

Some miscellaneous unordered thoughts:

- I would be inclined to say that the rating system is definitely
harmful. I have not seen anyone say "wow, this rating system just
helped me read through 2 weeks of posts and catch up on all the
important stuff", but we have seen several people express bitterness
about it.

- without a uniform way of applying ratings, I don't see how useful it
will be. One example I came up with is suppose a bunch of people felt
that any post in lugnet.off-topic.humor should be rated 0-20 because
overall they are irrelevant, and they don't want them to show up in
general searches. On the other hand, another group of people rate
messages based heavily on the appropriateness of the message to the
group it's in (figuring that the search will let them adjust the weight
of all messages in a group), rate the funniest humor posts highly.

- I haven't paid too much attention to the ratings, but just looked over
the ratings of my posts. I didn't see any real problems.

- I tend to pay more attention to the response my messages gain. Of
course there is one area where this frustrates me. There has been
discussion going on about the T&C for a few months or so now. Several
times it has seemed that we were working towards some useful goal, and
then all of a sudden a pall of silence drifts over the discussion. As a
result, it doesn't feel like anything has been accomplished. People are
still posting auctions in wrong places and people are still getting
blasted for posting a non-auction market post to a non-market group.

--
Frank Filz

-----------------------------
Work: mailto:ffilz@us.ibm.com (business only please)
Home: mailto:ffilz@mindspring.com

    
          
     
Subject: 
Re: Opinions wanted: article rating harmful? (was: New feature: Article rating)
Newsgroups: 
lugnet.admin.general
Date: 
Thu, 20 Apr 2000 19:33:36 GMT
Highlighted: 
(details)
Viewed: 
2061 times
  

A couple more thoughts:

- Anytime you have a way to compare reactions about things, there is
opportunity for people to feel that their contribution wasn't valued.
Note that we have someone currently bummed out that they got a lukewarm
reaction to their web site.

- Any "scoring" system without feedback will be frustrating. I have to
admit that I'm curious as to why my post to lugnet.admin.terms about
"where is Waldo" posts got a high rating by one person, but has had no
responses. Obviously if you get a low rating, you're going to wonder why
(seeing the discussion here, I do know why the postings of mine which
got low ratings got them).

--
Frank Filz

-----------------------------
Work: mailto:ffilz@us.ibm.com (business only please)
Home: mailto:ffilz@mindspring.com

   
         
     
Subject: 
Re: Opinions wanted: article rating harmful? (was: New feature: Article rating)
Newsgroups: 
lugnet.admin.general
Date: 
Thu, 20 Apr 2000 19:31:51 GMT
Highlighted: 
(details)
Viewed: 
2099 times
  

In lugnet.admin.general, Todd Lehman writes:

snip,snip,snip...

Specific personal questions:

1.  How would you feel (better or worse) if the numeric values of the ratings
were not displayed to you unless you specifically requested (via some simple
setting) that they be displayed to you?

That's probably a good idea (it doesn't worry me) for the sensitive, but
people will always be tempted to look at their 'mark' and get upset.

2.  How would you feel (better or worse) if the numeric values of the ratings
were not displayed ever to anyone but collected and used by the server only
for internal calculations, hotlist generation, and personal recommendations
to you?

I think the rating system has a purpose. The problem is the number of people
rating a post (would you like a jury of one or two?). It showed its purpose
in response to Brad J's recent post, where a more significant number of
raters had their say. We Australians got a bit carried away and were marked
down accordingly because our concerns are outside Brad's jurisdiction, and
there would be little point in his reading them.
So maybe the rating system should stay 'public' in certain groups, such as
Lego.direct (quite narrow guidelines) to cut down noise, and stay 'public'
for a different reason in lugnet.general just to trim the fat.

3.  How would you feel (better or worse) if the ratings were not even
collected and collated in the first place?  (i.e. the destruction of the
feature altogether)

No it should stay, as Lugnet traffic grows we will need some tool to pick
items of most interest for those of us with less time.

4.  Have you ever felt victimized by the rating system?  Have you posted
something which has obtained a low rating and felt uncomfortable or unhappy
about yourself or about LUGNET because of the low rating?  How often?

No, I think a post that gets no replies or a thread that dies is a worse
feeling. We all shouldn't get too precious about it though.
Now that the hounds have got auction announcements back to .marketplace,
who is marking them down there? Something of interest to someone, will be
of no interest to someone else, so maybe no ratings in a group such as this.
The post title should be specific and people can decide from there. The
purely commercial aspect of some Lugnetters is irksome to me as it seems to
be to others, but I am not about to mark an auction announcement down just
because the item is of no interest to me and has been posted to where it
should be.

5.  Have you ever felt victimized indirectly by seeing someone else's post
get a high rating?  How often?

Not really, but some must have.

6.  Do you feel that the article rating system makes it easier for you or
harder for you to share your ideas?  And does this bother you?

People who are continuously marked down may be deterred from posting and we
need the widest possible community base as possible.

7.  How does your initial reaction to the announcement of the article rating
system compare to your current opinion of it?

I must admit I thought what has happened would happen. At whatever part of
life people are evaluated and marked the lowly marked will get testy.
Maybe a marking system that instead of a 'fail' mark, articles of no interest
were unmarked (which does happen with articles unrated and left at 50 now).
Just have a star system (3 stars, 5 stars ...) for posts of note, or maybe
a tally of the number of readers of a post.

8.  Do you feel that it is too early, too late, or the right time to address
these issues?

Better now than later.

9.  What other areas (besides news articles) can you imagine that a
collaborative ratings system would be most helpful to you?  LEGO sets?
Websites?  Individual web pages?  etc...

Lego sets definitely (inanimate objects), but it's hard enough already getting
enough reviews in .reviews. Websites....here we go again, it's getting
personal.

We do need a rating system, just fine tune it, more members rating and more
members joining Lugnet (my IMO's in the mail !), and try and cut out negative
ratings just neutral and positive.

-pete.w

    
          
     
Subject: 
Re: Opinions wanted: article rating harmful? (was: New feature: Article rating)
Newsgroups: 
lugnet.admin.general
Date: 
Thu, 20 Apr 2000 20:08:03 GMT
Highlighted: 
! (details)
Viewed: 
2139 times
  

In lugnet.admin.general, Peter White writes:
3.  How would you feel (better or worse) if the ratings were not even
collected and collated in the first place?  (i.e. the destruction of the
feature altogether)

No it should stay, as Lugnet traffic grows we will need some tool to pick
items of most interest for those of us with less time.

Here BTW is a quick example of a "top N" list (N=40)...

   http://www.lugnet.com/top40.cgi

It's just an experimental page, and it may go away without notice.  I'll leave
it up for at least a few days, though, for feedback.  It's updated once hourly
by a cron job.  The ratings aren't shown in the listing itself, only in the
body of the article snippet.  Your personal news-filter settings from

   http://www.lugnet.com/news/filter/

aren't taken into account here -- this page currently shows everything in the
system.

One thing to try (if you're a member) -- go through a few of these, and rate
a few of the ones you haven't rated, and then check back a few hours later to
see how/if the list changed.

--Todd

    
          
      
Subject: 
Re: Opinions wanted: article rating harmful? (was: New feature: Article rating)
Newsgroups: 
lugnet.admin.general
Date: 
Thu, 20 Apr 2000 23:03:43 GMT
Viewed: 
2153 times
  

In lugnet.admin.general, Todd Lehman writes:
In lugnet.admin.general, Peter White writes:
3.  How would you feel (better or worse) if the ratings were not even
collected and collated in the first place?  (i.e. the destruction of the
feature altogether)

No it should stay, as Lugnet traffic grows we will need some tool to pick
items of most interest for those of us with less time.

Here BTW is a quick example of a "top N" list (N=40)...

  http://www.lugnet.com/top40.cgi

It's just an experimental page, and it may go away without notice.  I'll leave
it up for at least a few days, though, for feedback.  It's updated once hourly
by a cron job.  The ratings aren't shown in the listing itself, only in the
body of the article snippet.  Your personal news-filter settings from

I like the top 40, and hope it stays.
I was hopefully speaking for others with the 'less time' comment, I myself
use the web browser to look for interesting post titles or hop into ng's I
have an interest in, I admit to spending hours browsing on lugnet at a time.

-pete.w

     
           
      
Subject: 
Re: Opinions wanted: article rating harmful? (was: New feature: Article rating)
Newsgroups: 
lugnet.admin.general
Date: 
Thu, 20 Apr 2000 23:46:32 GMT
Viewed: 
2155 times
  

In lugnet.admin.general, Peter White writes:
Here BTW is a quick example of a "top N" list (N=40)...
   http://www.lugnet.com/top40.cgi
[...]

I like the top 40, and hope it stays.  [...]

Any suggestions on a better title than "top 40"?  If there wasn't already
something called "Spotlight," that might be a good name for it.  I'm wary
that "top 40" sounds possibly like it's putting things up on a pedestal or
too much like the music industry.  :)

--Todd

    
          
     
Subject: 
Re: Opinions wanted: article rating harmful? (was: New feature: Article rating)
Newsgroups: 
lugnet.admin.general
Date: 
Fri, 21 Apr 2000 05:38:38 GMT
Viewed: 
2073 times
  

In lugnet.admin.general, Todd Lehman writes:

Here BTW is a quick example of a "top N" list (N=40)...

  http://www.lugnet.com/top40.cgi

Neat. However it is ironic that as of this writing many of the top rated
articles are ones expressing dissatisfaction or concern with the rating
system.... as the old saying goes, you can vote yourself OUT of a democracy but
you can't vote yourself back into one.

If the ratings system survives in some form, this particular use of it is one
reason to keep it around and I agree with the other posters who would like to
see this page, in some form or another, stay.

++Lar

   
         
     
Subject: 
What should be done about ratings (Was: Opinions wanted: article rating harmful?)
Newsgroups: 
lugnet.admin.general
Date: 
Thu, 20 Apr 2000 20:06:26 GMT
Highlighted: 
(details)
Viewed: 
2168 times
  

Before I start, this message is a response to
http://www.lugnet.com/admin/general/?n=6221.

I have very rarely used the Lugnet News web-interface so I did a little
research on the rating system.  After twiddling around in the web-based
version I discovered that some fundamental issues need to be addressed to
achieve a meaningful rating system.

Firstly, what is being rated?  Is it the relevancy of the post to the
message commencing the thread?  Is it the quality of the ideas contained in
the post?  Is it the post in general - e.g. style, humour, etc?  It would
appear that the rating system is too vague and wide to achieve anything at
present.  For example, if ratings are based on the relevancy of an article
to the message commencing the thread then the starting message cannot in
itself be rated.  It also leads to problems when a conversation goes
off-topic; the mind boggles to think of the problems relevancy ratings would
cause.

Secondly, as I understand Lugnet Members can only rate posts; i.e. only
those that have coughed up the necessary wonga can rate messages.  It would
appear that to have to pay to have the privilege of rating messages is
absurd.  There are thousands of users but only hundreds of members.  If I as
a non-member (not sure how long that'll last :) ) want to alert fellow
Lugnet users to Jimmy Crankies' article on Lego bricks being pretty
impressive/relevant I am unable.  It is better that anyone can alert
everyone else to a great article than only a select few.

However, I will not simply state that the ratings system is unhelpful or
hurtful.  I myself do believe that the ratings system can be made to work
but only with the following fundamental changes:

1 - That the ratings system criteria are clarified.  The ratings must have
meaning to be useful.  Relevancy to the message commencing the thread is
wrong as it ultimately achieves nothing.  Instead ratings should be based on
the quality of ideas expressed; for example, I want to say to fellow
Lugnet.Trains users that James Mathis' post for a link to his latest train
creation is 'Great' so I simply select 'Alert users that message is 'Great'
'.

2 - The current 1-100 system is abolished.  Instead a message can be rated
as 'Great' or just left alone as an average message.  This would be very
much like the e-mail priority system; an exclamation mark could appear in
the web-interface to alert users to a 'Great' post.  Rather than turning a
user away from posts it simply draws them to particularly brilliant
articles.  As I said in point two, it alerts fellow users to something
especially interesting.  It also prevents others from being hurt at their
messages being 'down-rated'.

3 - Rating privileges are extended to non-members.  It appears that voting
is only for a select few; imagine being told, 'You have to pay £100 to vote
at the next general election'.  It is undemocratic!

To summarise; the current ratings system is vague, undefined and
undemocratic.  It needs clarification, simplification and opening to all
users to achieve the degree of effectiveness that Lugnet wants and requires.

If anyone has any views, comments and opinions then please reply; this issue
must be dealt with swiftly to prevent the current problem turning into a
crisis.

Thank-you,

Nicholas Allan

    
          
     
Subject: 
Re: What should be done about ratings
Newsgroups: 
lugnet.admin.general
Date: 
Thu, 20 Apr 2000 20:23:44 GMT
Highlighted: 
(details)
Viewed: 
2151 times
  

In lugnet.admin.general, Nicholas Allan writes:

Firstly, what is being rated?
  Good point.  I see a growing need for a "ratings HOW-TO" page.


Secondly, as I understand Lugnet Members can only rate posts;
  If just anyone can rate a message, what's to keep me from creating 100
accounts and rating my posts up to "100" for whatever reason?  Todd's taking
steps to verify existence of people to keep this from happening.

only those that have coughed up the necessary wonga
  I assume you mean money. ;)  The cost for lifetime membership is only $10.
That's not a lot of money by any account.  I pay that in a single month for
Internet access, and I get a lot more VALUE out of Lugnet. :)



but only with the following fundamental changes:

1 - That the ratings system criteria are clarified.
  I don't agree with your suggested implementation, but the idea is right on
the money.

2 - The current 1-100 system is abolished.  Instead a message can be rated
as 'Great' or just left alone as an average message.
  After about 100 messages got rated 'Great', those ratings would be,
for the most part, useless.

3 - Rating privileges are extended to non-members.
  Well, other than asking "Why become a member", there's the problem of
control of how often each person rates messages.

It is undemocratic!
  If everyone has to pay the same fee to vote (anywhere), is it still
undemocratic?

Just some thoughts,
Ben Roller

    
          
     
Subject: 
Re: What should be done about ratings
Newsgroups: 
lugnet.admin.general
Date: 
Fri, 21 Apr 2000 07:56:41 GMT
Highlighted: 
(details)
Viewed: 
2116 times
  

"Ben Roller" <broller@mail.clemson.edu> wrote in message
news:FtC0nK.AGL@lugnet.com...
In lugnet.admin.general, Nicholas Allan writes:

Firstly, what is being rated?
  Good point.  I see a growing need for a "ratings HOW-TO" page.

Perhaps rating can be done in two completely separate ways.  First one rates
the quality of the content of the post and second one rates the relevancy.
For messages commencing a thread one could only apply the first point;
otherwise one ends up rating the relevancy of a post to itself :)

Secondly, as I understand Lugnet Members can only rate posts;
  If just anyone can rate a message, what's to keep me from creating 100
accounts and rating my posts up to "100" for whatever reason?  Todd's taking
steps to verify existence of people to keep this from happening.

I understand completely.  I was simply pointing out that not everybody is
going to be happy about not being able to rate posts and draw others'
attention to them.

only those that have coughed up the necessary wonga
  I assume you mean money. ;)  The cost for lifetime membership is only $10.
That's not a lot of money by any account.  I pay that in a single month for
Internet access, and I get a lot more VALUE out of Lugnet. :)

I hope to apply for Lugnet membership very soon, and yes, I certainly get
more value than that per month.  Again I was simply illustrating the
principle involved.  Obviously one does need to get benefits from one's
membership or some people (not myself) will question the point of
membership.

but only with the following fundamental changes:

1 - That the ratings system criteria are clarified.
  I don't agree with your suggested implementation, but the idea is right on
the money.

I'm just popping off to start a new thread in lugnet.admin.general titled
'Creating Lugnet Ratings Criteria'.  I hope by doing this I can draw
everyone's attention to the current problem.

2 - The current 1-100 system is abolished.  Instead a message can be rated
as 'Great' or just left alone as an average message.
  After about 100 messages got rated 'Great', those ratings would be,
for the most part, useless.

Very true, but if the criteria explained why and how a message was rated
'Great' then it may work.  After posting last night (British time) I had
some more thoughts about the rating system and realised that the reason some
are getting hurt is that messages start off at a midpoint value of 50%.
This means that people can have their messages 'down-rated' so-to-speak,
which can be very demoralising.  An alternative would be to start at zero
and then work up but that would result in many posts that don't get
'up-rated' just disappearing in the web-interface behind all the rated
messages.

3 - Rating privileges are extended to non-members.
  Well, other than asking "Why become a member", there's the problem of
control of how often each person rates messages.

I have since changed my mind on the privilege of rating as it is quite
honestly very petty in reality; I apologise, I was just demonstrating one of my
principles.

Just some thoughts,
Ben Roller

Thanks for replying Ben, hopefully this debate in general will result in
meaningful criteria to rate posts.

Nicholas Allan

   
         
     
Subject: 
Re: Opinions wanted: article rating harmful? (was: New feature: Article rating)
Newsgroups: 
lugnet.admin.general
Date: 
Thu, 20 Apr 2000 20:09:15 GMT
Viewed: 
2025 times
  

In lugnet.admin.general, Todd Lehman writes:

I think I've already said just about everything I have to say on this topic :)
But if you're counting numbers...


Specific personal questions:

1.  How would you feel (better or worse) if the numeric values of the ratings
were not displayed to you unless you specifically requested (via some simple
setting) that they be displayed to you?

I think being able to instantly see rated messages sitting next to each other in a
group is likely to continue to cause bad feeling. But I'm unsure about your
question.. if you mean:

(i) How would I feel if users could flick a switch and default to the current
implementation? Then I don't think that would be a good idea.

(ii) How would I feel if users couldn't see messages in a group rated alongside
each other, but could see an individual post's rating by clicking on a "Show
Ratings" button from within the post itself? Then I think that would be great!


2.  How would you feel (better or worse) if the numeric values of the ratings
were not displayed ever to anyone but collected and used by the server only
for internal calculations, hotlist generation, and personal recommendations
to you?

I think it's useful, and interesting to be able to see an individual post's
marks.. but not by default - the user has to want to see it.

So I would feel worse.


3.  How would you feel (better or worse) if the ratings were not even
collected and collated in the first place?  (i.e. the destruction of the
feature altogether)

Worse.


4.  Have you ever felt victimized by the rating system?  Have you posted
something which has obtained a low rating and felt uncomfortable or unhappy
about yourself or about LUGNET because of the low rating?  How often?

Once or twice.


5.  Have you ever felt victimized indirectly by seeing someone else's post
get a high rating?  How often?

I usually feel happy for someone if I see they've got a high rating.


6.  Do you feel that the article rating system makes it easier for you or
harder for you to share your ideas?  And does this bother you?

Probably easier once the tables and upper layers are in place. At the moment I
don't know how much stock people take from ratings to judge.


7.  How does your initial reaction to the announcement of the article rating
system compare to your current opinion of it?

Not too much differently, some fears have come to life, others aren't as
widespread as I thought they might be. I still think it's a great idea, and
still looking forward to the upper layers :)


8.  Do you feel that it is too early, too late, or the right time to address
these issues?

Probably about the right time.


9.  What other areas (besides news articles) can you imagine that a
collaborative ratings system would be most helpful to you?  LEGO sets?
Websites?  Individual web pages?  etc...

Well.. you could have made this a "how much do you agree with this statement"
questionnaire :)  If people could 'propose' things, and let people vote on them
- community ideas. I'm sure the CAD groups could use something like that? If
members could set up such questionnaires easily that would rock!

Richard

   
         
     
Subject: 
Re: Opinions wanted: article rating harmful? (was: New feature: Article rating)
Newsgroups: 
lugnet.admin.general
Date: 
Thu, 20 Apr 2000 20:30:32 GMT
Viewed: 
2078 times
  

It seems at this point that the article rating feature -- intended to help --
is actually causing more harm than good to the community.  It's difficult to
gauge how much harm is being done when opinions are so varied, but it's clear
that something needs to be changed.


I think the rating system, in an ideal world, is a great idea. However, this
is not an ideal world. The trouble with the system is, as I see it, that not
enough members are voting - and those who are voting are not using the
system the same way as others are. Additionally, it could be argued that
those who can't vote, but want to, may feel disenfranchised by not being
able to.

I'd be a little reluctant to say goodbye to the rating system, as it does
have potential. With that in mind, I'd suggest restricting it to a single
group {1} where it can be monitored in isolation and perhaps even enhanced
in some way.

BTW : I reckon that on loc.uk there is only one person voting (I expect it
is RF?). This means that anyone glancing at this group a few years down the
line will be using that single opinion as a guide. As much as I respect RF,
nobody could argue that is ideal.

Scott A

{1} I'd suggest .general for this as, for the most part, it is both well
read and fairly mellow in nature (just like me :-) )

    
          
     
Subject: 
Re: Opinions wanted: article rating harmful? (was: New feature: Article rating)
Newsgroups: 
lugnet.admin.general, lugnet.loc.uk
Followup-To: 
lugnet.loc.uk
Date: 
Thu, 20 Apr 2000 21:09:32 GMT
Viewed: 
2281 times
  

In lugnet.admin.general, Scott Arthur writes:

BTW : I reckon that on loc.uk there is only one person voting (I expect it
is RF?). This means that anyone glancing at this group a few years down the
line will be using that single opinion as a guide. As much as I respect RF,
nobody could argue that is ideal.

Just for the record.. it isn't me!  As in I do rate in loc.uk, but not all of
them, and not my own posts :)

Richard

    
          
      
Subject: 
Re: Opinions wanted: article rating harmful? (was: New feature: Article rating)
Newsgroups: 
lugnet.loc.uk
Date: 
Thu, 20 Apr 2000 23:23:07 GMT
Viewed: 
1793 times
  

In lugnet.admin.general, Richard Franks writes:
BTW : I reckon that on loc.uk there is only one person voting (I expect it
is RF?). This means that anyone glancing at this group a few years down the
line will be using that single opinion as a guide. As much as I respect RF,
nobody could argue that is ideal.

Just for the record.. it isn't me!  As in I do rate in loc.uk, but not all of
them, and not my own posts :)

Me neither -- :) -- I try hard not to give opinions on messages in any of the
loc groups except ones local to me, or rare cases where someone announced
something that was obviously way helpful...  There might BTW be some
crossposting effects going on.  Of course there are also other members in the
UK besides Richard!  :)

--Todd

    
          
     
Subject: 
Re: Opinions wanted: article rating harmful? (was: New feature: Article rating)
Newsgroups: 
lugnet.loc.uk
Date: 
Fri, 21 Apr 2000 10:57:56 GMT
Viewed: 
1789 times
  

In lugnet.loc.uk, Richard Franks writes:
In lugnet.admin.general, Scott Arthur writes:

BTW : I reckon that on loc.uk there is only one person voting (I expect it
is RF?). This means that anyone glancing at this group a few years down the
line will be using that single opinion as a guide. As much as I respect RF,
nobody could argue that is ideal.

Just for the record.. it isn't me!  As in I do rate in loc.uk, but not all of
them, and not my own posts :)


Sorry, I did not mean to infer you'd been voting on your own posts - although
I'm sure you do value your own opinion :-)

I just assumed that as the total number of votes were so low, that only one
person was actively doing it - and I know you do vote.

Enjoy Easter

Scott A


Richard

   
         
     
Subject: 
Re: Opinions wanted: article rating harmful? (was: New feature: Article rating)
Newsgroups: 
lugnet.admin.general
Date: 
Thu, 20 Apr 2000 20:57:04 GMT
Highlighted: 
(details)
Viewed: 
2043 times
  

Many of my posts have never received any replies or follow-ups, which is quite
depressing. With the current scoring system, at least I know one or two people
have read my post. This often makes me feel better. The actual score is not
that important. (I have never received a high score so far. :-P)

In lugnet.admin.general, Todd Lehman writes:
The first, original purpose for having ratings was to be able to lay the
foundation for the later creation of variety of "what's hot" or "top X of
group Y" listings for quick browsing -- something akin to the current
Spotlight pages, only fully automated, instantly updating, and much more
representative of collective opinion.  The second original purpose was to
lay the foundation for so-called "collaborative filtering" possibilities --
the server learns (could learn) what types of things you prefer to read,
and gives (could give) higher priority to you personally for messages rated
higher by people with similar interests.  These two main purposes become
increasingly relevant as message traffic increases.

For this purpose, maybe a simple voting system will do a better job than the
current scoring system.

Just put a checkbox there, meaning "I like this post", and let's see how many
votes each post gets.

Cheers,
Hao-yang Wang

   
         
     
Subject: 
Re: Opinions wanted: article rating harmful? (was: New feature: Article rating)
Newsgroups: 
lugnet.admin.general
Date: 
Thu, 20 Apr 2000 21:35:41 GMT
Reply-To: 
[mattdm@]NoSpam[mattdm.org]
Highlighted: 
! (details)
Viewed: 
2039 times
  

Todd Lehman <lehman@javanet.com> wrote:
2.  How would you feel (better or worse) if the numeric values of the ratings
were not displayed ever to anyone but collected and used by the server only
for internal calculations, hotlist generation, and personal recommendations
to you?

I think this is my preference. Furthermore, I think it'd be good if the
current numerical scheme (while cool from a geek point of view) were reduced
to two buttons: "This article is great" and "This article is off-topic".



6.  Do you feel that the article rating system makes it easier for you or
harder for you to share your ideas?  And does this bother you?

I'm sorta annoyed by the way it doesn't work from the nntp interface (at
least not without some serious hacking). That alone is a divisive problem.
(Especially since the web interface is less capable than a newsreader in so
many other ways.)




--
Matthew Miller                      --->                  mattdm@mattdm.org
Quotes 'R' Us                     --->               http://quotes-r-us.org/
Boston University Linux             --->                http://linux.bu.edu/

   
         
     
Subject: 
Re: Opinions wanted: article rating harmful? (was: New feature: Article rating)
Newsgroups: 
lugnet.admin.general
Date: 
Thu, 20 Apr 2000 21:59:16 GMT
Highlighted: 
(details)
Viewed: 
2030 times
  

In lugnet.admin.general, Todd Lehman wrote:

[some concerns about the rating system]

I don't post here often, because usually what I want to say has
already been said.  However, Todd asked for our opinions, so I
figured I would speak up, as a non-"usual suspect".

I don't mean for this message to sound snotty or anything like that.
If it ends up that way, it's because whoever is reading this doesn't
really know me.  I think my overall reaction is, wow, this whole
ratings thing has really gone to people's heads and has been blown
WAYYYY out of proportion.  (My reaction to most arguments I encounter
is, "Ahh, get over it already!")

I prefer to make my own decisions about what to read rather than
relying on someone else's opinion.  That usually means that I end up
reading everything in the groups to which I am subscribed.  (I am
currently subscribed to 135 of 725 total groups, and I am tens of
thousands of messages behind, but that's my "problem" and no one
else's.)  Since I tend to read threads to their conclusion, I notice
that about 70% or more of all the messages are fluff: me too, wow
that's great, or person-to-person messages that would be better off
sent via email.  Also, there are a lot of posts that are just not
legible, not relevant, or not in the right newsgroup.  I don't see
that getting low ratings on these messages has caused their posters
to stop posting them.

Also, I think there are a lot of overly sensitive people here who
care overly much about what people think of their posts.  It's just a
message; it's not evidence of your worth as a human being!

Since questions 1 - 5 assume that one is actually noticing ratings,
I'll answer them together:

1.  How would you feel (better or worse) if the numeric values of
the ratings were not displayed to you unless you specifically
requested (via some simple setting) that they be displayed to you?

2.  How would you feel (better or worse) if the numeric values of
the ratings were not displayed ever to anyone but collected and used
by the server only for internal calculations, hotlist generation,
and personal recommendations to you?

3.  How would you feel (better or worse) if the ratings were not
even collected and collated in the first place?  (i.e. the
destruction of the feature altogether)

4.  Have you ever felt victimized by the rating system?  Have you
posted something which has obtained a low rating and felt
uncomfortable or unhappy about yourself or about LUGNET because of
the low rating?  How often?

5.  Have you ever felt victimized indirectly by seeing someone
else's post get a high rating?  How often?

I rarely use the web interface, so I would feel neither better nor
worse if ratings were hidden or disappeared entirely.  If there came
a time when ratings were sent as an X-Lugnet-rating header, my news
client already gives me the option to selectively display headers, so
I would already have the option to display or not.

As for personal recommendations, I don't see how the bot would be
able to determine, from aggregate ratings given by others, what *I*
would like to read.

As I said above, I rarely post to LUGNET.  A quick search shows a
whopping 139 posts in 1.5 years of reading, most of them unrated, a
few rated by 2.  I don't think I've blipped enough people's radar to
have people rating my posts.  Since I don't post enough to get rated,
and I don't see the ratings when I read, I don't feel victimized at
all either by getting low ratings or having other people get high
ratings.

6.  Do you feel that the article rating system makes it easier for
you or harder for you to share your ideas?  And does this bother
you?

Neither, no.  I try to police myself.  Sometimes I'm more successful
than at other times.  In looking over my past posts, I winced a
couple of times at some of the fluffy things I posted.  Sigh.

7.  How does your initial reaction to the announcement of the
article rating system compare to your current opinion of it?

My current opinion is about the same as my initial reaction: what
would I use it for?

8.  Do you feel that it is too early, too late, or the right time to
address these issues?

Probably the right time, since so much energy has been spent
discussing them already, energy that would be better spent clicking
bricks together.  :)

9.  What other areas (besides news articles) can you imagine that a
collaborative ratings system would be most helpful to you?  LEGO
sets? Websites?  Individual web pages?  etc...

I would prefer to see more time and energy put into objective data,
such as the set inventory & database, rather than subjective stuff
like ratings.  Links to websites are more helpful if they include a
description of what one might find there.  In general, I
prefer objective rather than subjective.

Thanks, Todd, for taking time to ask for our opinions, and thanks for
giving us a forum in which to express them.

Can we get back to building now?

--
Susan Hoover
Houston, TX

   
         
     
Subject: 
Re: Opinions wanted: article rating harmful? (was: New feature: Article rating)
Newsgroups: 
lugnet.admin.general
Date: 
Thu, 20 Apr 2000 22:12:32 GMT
Viewed: 
2012 times
  

In lugnet.admin.general, Todd Lehman writes:

Specific personal questions:

1.  How would you feel (better or worse) if the numeric values of the ratings
were not displayed to you unless you specifically requested (via some simple
setting) that they be displayed to you?

Then it's a blind crapshoot.  I, for instance, am a member but simply have not
bothered to rate any articles as I can decide for myself what was worth
reading.  A rating system is, in and of itself, one of two things:  1. a
critiquing system.  2. a popularity contest.  While neither is of itself
necessarily a bad thing, without multiple rating criteria, it's pretty useless.
It's like rating the color green only on the basis of the color green.  Green
compared to red? How green makes you feel? All greens or only LEGO green? etc.
The results will be disparate.

2.  How would you feel (better or worse) if the numeric values of the ratings
were not displayed ever to anyone but collected and used by the server only
for internal calculations, hotlist generation, and personal recommendations
to you?

Doesn't matter to me.

3.  How would you feel (better or worse) if the ratings were not even
collected and collated in the first place?  (i.e. the destruction of the
feature altogether)

Your original intent is admirable, however, from the messages you have gotten,
things don't seem to be going as intended.  I'd say lose it.

4.  Have you ever felt victimized by the rating system?  Have you posted
something which has obtained a low rating and felt uncomfortable or unhappy
about yourself or about LUGNET because of the low rating?  How often?

Nope, don't even pay much attention to it.

5.  Have you ever felt victimized indirectly by seeing someone else's post
get a high rating?  How often?

Nope.

6.  Do you feel that the article rating system makes it easier for you or
harder for you to share your ideas?  And does this bother you?

Nope.

7.  How does your initial reaction to the announcement of the article rating
system compare to your current opinion of it?

The word SNAFU comes to mind, not through anyone's fault.

8.  Do you feel that it is too early, too late, or the right time to address
these issues?

It is definitely the right time.

9.  What other areas (besides news articles) can you imagine that a
collaborative ratings system would be most helpful to you?  LEGO sets?
Websites?  Individual web pages?  etc...

Again, rating systems become either critiques or popularity contests.  No one is
a winner.  It creates a democracy that, by its pure definition, is
exclusionary.

Thanks for your time,
--Todd

[followups to .admin.general]

   
         
     
Subject: 
Re: Opinions wanted: article rating harmful? (was: New feature: Article rating)
Newsgroups: 
lugnet.admin.general
Date: 
Thu, 20 Apr 2000 22:16:41 GMT
Reply-To: 
jsproat@#nospam#io.com
Highlighted: 
(details)
Viewed: 
2131 times
  

Todd Lehman wrote:
Specific personal questions:

1.  How would you feel (better or worse) if the numeric values of the ratings
were not displayed to you unless you specifically requested (via some simple
setting) that they be displayed to you?

I mainly use the NNTP interface; my perception of the rating system wouldn't
change much.

2.  How would you feel (better or worse) if the numeric values of the ratings
were not displayed ever to anyone but collected and used by the server only
for internal calculations, hotlist generation, and personal recommendations
to you?

This sounds good.  Instead of trying to express one's personal feelings
publicly but anonymously, a rater's motive would instead be to give feedback
to the server only.  IOW, let's let someone express their opinion of my
message in a public reply.  I would definitely feel better about this.

3.  How would you feel (better or worse) if the ratings were not even
collected and collated in the first place?  (i.e. the destruction of the
feature altogether)

I feel that something is needed, if for nothing else then for building the
Spotlight page.  Scrapping the rating system in favor of something else might
be good.

4.  Have you ever felt victimized by the rating system?  Have you posted
something which has obtained a low rating and felt uncomfortable or unhappy
about yourself or about LUGNET because of the low rating?  How often?

Yes.  Yes.  If someone disagrees with me and wants to let the world know, I at
least want to know who said it.  This kind of anonymous, public reply is wide
open for abuse.

5.  Have you ever felt victimized indirectly by seeing someone else's post
get a high rating?  How often?

Not really.

6.  Do you feel that the article rating system makes it easier for you or
harder for you to share your ideas?  And does this bother you?

It doesn't affect what I say before I hit the Send button.

7.  How does your initial reaction to the announcement of the article rating
system compare to your current opinion of it?

I am actually disappointed in how it's turned out.  I stopped rating messages
a while ago, largely due to the anonymity of the system, and the lack of
feedback.  If someone doesn't like what I said (or if they did), I'd like more
feedback than just a 30 or 70.

8.  Do you feel that it is too early, too late, or the right time to address
these issues?

Probably a little too late, but most likely just in time.

9.  What other areas (besides news articles) can you imagine that a
collaborative ratings system would be most helpful to you?  LEGO sets?
Websites?  Individual web pages?  etc...

LEGO sets, of course.  Websites and web pages, probably not.  e.g. I know my
web site is lacking in sparkle, and it'll stay that way -- if someone doesn't
like that, tough.  If someone wants to critique my web site *content*, then
let's *discuss* it.

Cheers,
- jsproat

--
Jeremy H. Sproat <jsproat@io.com> ~~~ http://www.io.com/~jsproat/
I think the mistake a lot of us make
  is thinking the state-appointed shrink is our friend.

    
          
      
Subject: 
Re: Opinions wanted: article rating harmful? (was: New feature: Article rating)
Newsgroups: 
lugnet.admin.general
Date: 
Thu, 20 Apr 2000 23:37:06 GMT
Viewed: 
2037 times
  

In lugnet.admin.general, Jeremy H. Sproat writes:
4.  Have you ever felt victimized by the rating system?  Have you posted
something which has obtained a low rating and felt uncomfortable or unhappy
about yourself or about LUGNET because of the low rating?  How often?

Yes.  Yes.  If someone disagrees with me and wants to let the world know, I
at least want to know who said it.  This kind of anonymous, public reply is
wide open for abuse.

Hmm, hmm...  Very insightfully put.  Hadn't looked at it from the point of
view of an "anonymous, public reply."  Interesting...

--Todd

    
          
     
Subject: 
Re: Opinions wanted: article rating harmful? (was: New feature: Article rating)
Newsgroups: 
lugnet.admin.general
Date: 
Thu, 20 Apr 2000 23:42:37 GMT
Highlighted: 
(details)
Viewed: 
2074 times
  

In lugnet.admin.general, Jeremy H. Sproat writes:
9.  What other areas (besides news articles) can you imagine that a
collaborative ratings system would be most helpful to you?  LEGO sets?
Websites?  Individual web pages?  etc...

LEGO sets, of course.

That could be a great application of a detailed rating system...  Multi-
dimensional too, not just a single number.


Websites and web pages, probably not.  e.g. I know my
web site is lacking in sparkle, and it'll stay that way -- if someone doesn't
like that, tough.  If someone wants to critique my web site *content*, then
let's *discuss* it.

In terms of websites, I was thinking more along the lines of you telling the
server what types of websites you liked best, and it would compare that with
what other people had said about what they liked best, and would present you
with predictions about or lists of sites you hadn't visited yet.  At present
there are well more than 500 fan-created LEGO pages (sites).

Composite collation of ratings would also help in building and maintaining
"cool links" lists which are currently created by hand by a number of people.
Imagine if you could get a "cool links" list tailored just for you, in addition
to lists prepared by hand or other impersonal composite machine-generated
lists.

--Todd

    
          
      
Subject: 
Re: Opinions wanted: article rating harmful? (was: New feature: Article rating)
Newsgroups: 
lugnet.admin.general
Date: 
Fri, 21 Apr 2000 02:46:32 GMT
Highlighted: 
(details)
Viewed: 
2149 times
  

Todd L wrote:
Composite collation of ratings would also help in building and maintaining
"cool links" lists which are currently created by hand by a number of people.
Imagine if you could get a "cool links" list tailored just for you, in addition
to lists prepared by hand or other impersonal composite machine-generated
lists.

I don't think you need site ratings to do this. If there was some way
for a person (whether the site owner or someone else) to "register" a
site with the cool links page, and then fill in a form specifying which
themes (not just Lego themes, but themes popular with AFOLs such as
military models or Ancient Rome) or subjects it covered, and what kind
of other content was included, a user wanting a personalised list of
cool sites could then specify what themes or subjects they wanted to see
and get a customised list. This wouldn't address site *quality* but
that's so subjective and a site which might be very low quality from a
design point of view might be just the one I want from a content point
of view.

Kevin

--
Personal Lego Web page:
http://ourworld.compuserve.com/homepages/kwilson_tccs/lego.html
eBay auctions:http://members.ebay.com/aboutme/kevinw1/
Subscribe to my Lego auction mailing list:
http://www.onelist.com/subscribe/Legopartsales?referer=1

    
          
     
Subject: 
Re: Opinions wanted: article rating harmful? (was: New feature: Article rating)
Newsgroups: 
lugnet.admin.general
Date: 
Fri, 21 Apr 2000 02:53:02 GMT
Highlighted: 
(details)
Viewed: 
2082 times
  

Todd Lehman wrote in message ...
Composite collation of ratings would also help in building and maintaining
"cool links" lists which are currently created by hand by a number of people.
Imagine if you could get a "cool links" list tailored just for you, in addition
to lists prepared by hand or other impersonal composite machine-generated
lists.


What I think would be helpful for this is to come up with a good set of
categories (do a fair bit of brainstorming so it doesn't have to be expanded
too much later). Then when a web site author submits his website to the
"cool web pages" directory, it becomes open for rating (but an author can
withdraw his website at any time, in which case the ratings can be erased or
hidden at his choice). The author of course gets a vote (and each category
should be able to be listed by order of submission (even cooler - show me
all the ones in this category I haven't rated yet) or by levels of coolness).
People rating a web site just get a yes or no vote for each page in each
category. The scale of coolness could break down into say 4 groupings (top
10, top 1/3, 2nd 1/3, bottom 1/3) with the ranking being figured as a simple
num_yes/num_votes.

This will still have a subjectivity problem unfortunately.

Ultimately, I guess cool lists are best done by hand. Then they are just a
list of notable sites. Note that in my web categorization, the only value
judgement I make is a small set of top sites. This is a set of sites that I
would recommend someone visit first. One shouldn't feel bummed out that your
web site didn't make that list (for one thing it doesn't get updated very
often). What I would like people to do though is let me know that they think
their site should show up somewhere in my categorizations. I make very
little value judgement when categorizing the pages (if you have a web site
with a picture of a train car, as long as I can decide what general type of
car it is, I'll list it). Of course some of those categorizations include
superlatives like "cool castle", which are value judgements. The main intent
of the pages is for ME to find web sites when I want inspiration, but since
I've gone to all this effort, why not share it.

I'm actually slowly starting to link to Lugnet messages on the pages. This
may be the best way to highlight information. There are a number of threads
which are real useful. Of course what would be nice is a way to create a
custom thread which had only the most useful posts (there are some valuable
threads out there which are so large as to be probably worthless to go back
and try and read). Of course creating edited threads would involve value
judgements (but hopefully people won't feel bad that their "me too" or a
post with wrong information gets left out of the edited thread). Perhaps
this type of thing could be done by giving each group an associated
.best-of. Then the articles are cross-posted to .best-of by the editors
somehow. If each group had a small team of editors, one would get around
most personal issues (and of course you can always ask in the original
thread "hey, why didn't my post get included in the edited thread"). Note
also that if a post filled with errors was not included in the edited
thread, the post with corrections which referred to it, will still do so, so
the post doesn't get totally hidden, it just won't show up in one's
newsreader or on the web page (though one might want to be able to see the
edited thread's posting tree).

Frank

   
         
     
Subject: 
Re: Opinions wanted: article rating harmful? (was: New feature: Article rating)
Newsgroups: 
lugnet.admin.general
Date: 
Thu, 20 Apr 2000 22:48:21 GMT
Viewed: 
1996 times
  

Todd Lehman wrote in message ...
[...about the rating system...]

As I only read via a newsreader (off-line), I don't see the ratings and, even
if I had been a member, don't have any opportunity to rate, I find it rather
unnecessary. The storms that it has raised are, IMO, equally disturbing as
auction posts in the wrong groups, if not worse.
(It's about time to kill-file posts containing 'rating')

Specific personal questions:

3.  How would you feel (better or worse) if the ratings were not even
collected and collated in the first place?  (i.e. the destruction of the
feature altogether)

Suits me fine! But as I don't see the ratings (only the waves they create), it
doesn't matter much either way.

7.  How does your initial reaction to the announcement of the article rating
system compare to your current opinion of it?

It sounded like a good idea, although not very important. The effects have
been disturbing.

8.  Do you feel that it is too early, too late, or the right time to address
these issues?

It's about time!

9.  What other areas (besides news articles) can you imagine that a
collaborative ratings system would be most helpful to you?  LEGO sets?
Websites?  Individual web pages?  etc...

Rating of sets might be meaningful, although you have to realize that people
have different opinions, and *none* of them are wrong.

Rating of web pages would be even more crushing for the down-rated individual
than a spurious '0' on a posting. We all know *our* page is good (if not the
best)!

Thanks for your time,

Thanks for *your* time Todd, lugnet *IS* fantastic, but IMO you should use
your time for something else than rating systems.

--
Anders Isaksson, Sweden
BlockCAD:  http://user.tninet.se/~hbh828t/proglego.htm
Gallery:   http://user.tninet.se/~hbh828t/gallery.htm

   
         
     
Subject: 
Re: Opinions wanted: article rating harmful? (was: New feature: Article rating)
Newsgroups: 
lugnet.admin.general
Date: 
Thu, 20 Apr 2000 23:59:05 GMT
Highlighted: 
(details)
Viewed: 
2073 times
  

Todd Lehman wrote in message ...
<snip>

Specific personal questions:

1.  How would you feel (better or worse) if the numeric values of the ratings
were not displayed to you unless you specifically requested (via some simple
setting) that they be displayed to you?

I think most users would activate this setting, if available.  That is,
it wouldn't likely solve the problems.

2.  How would you feel (better or worse) if the numeric values of the ratings
were not displayed ever to anyone but collected and used by the server only
for internal calculations, hotlist generation, and personal recommendations
to you?


One idea is that ratings continue to be collected as they are now, but
conditionally display the numerical results.  That is, only display the
net rating result for a post if:
   - the sample size is greater than a certain threshold (say 4)
   - the rating is greater than a threshold (say 70)
In this way, noteworthy posts would stand out.  Also, the ability to
down-rate a message still exists, but there is little chance of
offending the poster.

If the above admin-set thresholds are not met for a post, only the
number of submitted ratings would be displayed.

3.  How would you feel (better or worse) if the ratings were not even
collected and collated in the first place?  (i.e. the destruction of the
feature altogether)

Ratings would help with the 'spotlight' feature, which I find
valuable.

John

(remove the obvious to reply)

    
          
     
Subject: 
Re: Opinions wanted: article rating harmful? (was: New feature: Article rating)
Newsgroups: 
lugnet.admin.general
Date: 
Fri, 21 Apr 2000 01:02:19 GMT
Viewed: 
2104 times
  

In lugnet.admin.general, John Koob writes:
Todd Lehman wrote in message ...
2.  How would you feel (better or worse) if the numeric values of the ratings
were not displayed ever to anyone but collected and used by the server only
for internal calculations, hotlist generation, and personal recommendations
to you?

One idea is that ratings continue to be collected as they are now, but
conditionally display the numerical results.  That is, only display the
net rating result for a post if:
  - the sample size is greater than a certain threshold (say 4)
  - the rating is greater than a threshold (say 70)
In this way, noteworthy posts would stand out.  Also, the ability to
down-rate a message still exists, but there is little chance of
offending the poster.

That's a good idea! I'm not sure what you mean by "sample size"; but I think
that adding another condition would be useful:
-Only display the rating if more than X people have rated it (X = ? Perhaps
5?)

Is that what you meant by sample size? If not, what did you mean by it?

Ratings would help with the 'spotlight' feature, which I find
valuable.

Agreed; the temporary "top 40" seems very useful.

-Shiri

    
          
     
Subject: 
Re: Opinions wanted: article rating harmful? (was: New feature: Article rating)
Newsgroups: 
lugnet.admin.general
Date: 
Fri, 21 Apr 2000 02:51:49 GMT
Viewed: 
2074 times
  

Shiri Dori wrote in message ...
In lugnet.admin.general, John Koob writes:

One idea is that ratings continue to be collected as they are now, but
conditionally display the numerical results.  That is, only display the
net rating result for a post if:
  - the sample size is greater than a certain threshold (say 4)
  - the rating is greater than a threshold (say 70)
In this way, noteworthy posts would stand out.  Also, the ability to
down-rate a message still exists, but there is little chance of
offending the poster.

That's a good idea! I'm not sure what you mean by "sample size"; but I think
that adding another condition would be useful:
-Only display the rating if more than X people have rated it (X = ? Perhaps
5?)

Is that what you meant by sample size?

Yes.

It doesn't really matter what X is, but 4 or 5 seems reasonable
to start with.

--
John

(remove the obvious to reply)

   
         
     
Subject: 
Re: Opinions wanted: article rating harmful? (was: New feature: Article rating)
Newsgroups: 
lugnet.admin.general
Date: 
Fri, 21 Apr 2000 01:16:23 GMT
Viewed: 
2019 times
  

Todd Lehman <lehman@javanet.com> wrote:

<some questions about article rating>

i can't really address the questions you asked, but i just
wanted to say that i use emacs or slrn to browse, and they
both have great scoring systems, which i use on the groups
here.

i think something like a rating system for the whole site,
while a nice idea, just won't work.  everyone has a unique
opinion on what should be what, or just don't care, and it
would be difficult to get useful results such a system.

if an article was given a rating depending on the viewer's
preference, it might be more useful.

right now, i dont see what the rating system accomplishes.
other people enjoyed reading the article, or didn't?  what
does that mean?  why didn't they enjoy it?  is it going to
be for the same reason i wouldn't enjoy it?  if that isn't
the reason, i'm probably going to want to have read it, so
the scoring system didn't do anything good for me.

--
Science is the systematic classification of experience.
George Henry Lewes (1817-78)

   
         
     
Subject: 
Re: Opinions wanted: article rating harmful? (was: New feature: Article rating)
Newsgroups: 
lugnet.admin.general
Date: 
Fri, 21 Apr 2000 01:49:35 GMT
Viewed: 
2047 times
  

I have always felt that the ratings given to my posts accurately reflected
how interested others would be towards those posts.

In fact, if you had asked me to personally rate all of my posts, i probably
would have given them the same number.

I usually read my news through a news program, so I only rarely see those
numbers (usually if I'm searching using the LUGNET news browser).

The numbers don't bother me in the least.

Brad




Todd Lehman <lehman@javanet.com> wrote in message
news:FtBuAn.2LD@lugnet.com...
All,

It seems at this point that the article rating feature -- intended to help --
is actually causing more harm than good to the community.  It's difficult to
gauge how much harm is being done when opinions are so varied, but it's clear
that something needs to be changed.

Technically, the rating system is working extremely well and, from an admin
point of view, the composite ratings being produced seem very well consistent
with the rating system's main goal of being able to highlight recommended
reading to those short on time.

However, it seems that the high visibility of both the raw and composite
numbers are having an overall negative effect on the community's morale.
Some of the deeper concerns are raised in this message and its replies:

   http://www.lugnet.com/admin/general/?n=6130

I also received a private e-mail last night describing the rating system as
"a fiasco and an embarrassment to LUGNET" and calling for its removal.

Clearly, these are very strong feelings being expressed by people.  How many
others feel this way?  What would you like to see happen?  Post your thoughts
as a reply to this message (or reply privately if you prefer not to post your
thoughts publicly).

As to possible "fixes," there have been many suggestions over the past few
weeks, most of which center around making the rating numbers less obvious or
gone altogether.  If you're curious, you can find most of these in the group
lugnet.admin.general -- but it's a lot to wade through.

The first, original purpose for having ratings was to be able to lay the
foundation for the later creation of a variety of "what's hot" or "top X of
group Y" listings for quick browsing -- something akin to the current
Spotlight pages, only fully automated, instantly updating, and much more
representative of collective opinion.  The second original purpose was to
lay the foundation for so-called "collaborative filtering" possibilities --
the server learns (could learn) what types of things you prefer to read,
and gives (could give) higher priority to you personally for messages rated
higher by people with similar interests.  These two main purposes become
increasingly relevant as message traffic increases.

It was never a purpose of the ratings system to make anyone ever feel bad
or unwanted or unwelcome.  Its core purpose is simply to highlight "neat or
noteworthy stuff" but not to downgrade "un-neat or un-noteworthy stuff" or
regular "fluff" (which there's nothing wrong with).

It seems that no amount of education about what the numbers mean will be able
to make a meaningful dent in the natural inclination to view, say, a 40 as
having been "marked down" from its default of 50.  Even if the default were
changed from 50 to 0 (so that numbers tended almost always to climb rather
than to climb half of the time and fall half of the time), it seems likely
that feelings will still be hurt, because it seems that some people are hurt
by the fact that others are getting 80's and 90's while they are getting 40's
or 50's or 60's.  Going with a scale 0 to 100, in retrospect, hasn't been any
better from an overall morale point of view than if a scale -100 to +100 had
been used.

Specific personal questions:

1.  How would you feel (better or worse) if the numeric values of the ratings
were not displayed to you unless you specifically requested (via some simple
setting) that they be displayed to you?

2.  How would you feel (better or worse) if the numeric values of the ratings
were not displayed ever to anyone but collected and used by the server only
for internal calculations, hotlist generation, and personal recommendations
to you?

3.  How would you feel (better or worse) if the ratings were not even
collected and collated in the first place?  (i.e. the destruction of the
feature altogether)

4.  Have you ever felt victimized by the rating system?  Have you posted
something which has obtained a low rating and felt uncomfortable or unhappy
about yourself or about LUGNET because of the low rating?  How often?

5.  Have you ever felt victimized indirectly by seeing someone else's post
get a high rating?  How often?

6.  Do you feel that the article rating system makes it easier for you or
harder for you to share your ideas?  And does this bother you?

7.  How does your initial reaction to the announcement of the article rating
system compare to your current opinion of it?

8.  Do you feel that it is too early, too late, or the right time to address
these issues?

9.  What other areas (besides news articles) can you imagine that a
collaborative ratings system would be most helpful to you?  LEGO sets?
Websites?  Individual web pages?  etc...

Thanks for your time,
--Todd

[followups to .admin.general]

   
         
     
Subject: 
Re: Opinions wanted: article rating harmful? (was: New feature: Article rating)
Newsgroups: 
lugnet.admin.general
Date: 
Fri, 21 Apr 2000 01:52:27 GMT
Viewed: 
1997 times
  

Todd L wrote:

1.  How would you feel (better or worse) if the numeric values of the ratings
were not displayed to you unless you specifically requested (via some simple
setting) that they be displayed to you?

Better

2.  How would you feel (better or worse) if the numeric values of the ratings
were not displayed ever to anyone but collected and used by the server only
for internal calculations, hotlist generation, and personal recommendations
to you?

Better

3.  How would you feel (better or worse) if the ratings were not even
collected and collated in the first place?  (i.e. the destruction of the
feature altogether)

Better

4.  Have you ever felt victimized by the rating system?  Have you posted
something which has obtained a low rating and felt uncomfortable or unhappy
about yourself or about LUGNET because of the low rating?  How often?

Sort of: not "uncomfortable or unhappy about yourself or about LUGNET"
but annoyed and indignant. Only once, because I use a newsreader 99% of
the time and don't normally see the ratings.

5.  Have you ever felt victimized indirectly by seeing someone else's post
get a high rating?  How often?

No

6.  Do you feel that the article rating system makes it easier for you or
harder for you to share your ideas?  And does this bother you?

No effect (having looked at the ratings and decided I didn't like how
they worked or felt, I went back to my newsreader so I don't see em)

7.  How does your initial reaction to the announcement of the article rating
system compare to your current opinion of it?

Sounded like a good idea at the time: actual experience seems not useful
and actively repellent to some people.

8.  Do you feel that it is too early, too late, or the right time to address
these issues?

The right time.

9.  What other areas (besides news articles) can you imagine that a
collaborative ratings system would be most helpful to you?  LEGO sets?
Websites?  Individual web pages?  etc...

Lego sets. Impersonal things (ie not individuals messages or individuals
web sites).

Kevin

--
Personal Lego Web page:
http://ourworld.compuserve.com/homepages/kwilson_tccs/lego.html
eBay auctions:http://members.ebay.com/aboutme/kevinw1/
Subscribe to my Lego auction mailing list:
http://www.onelist.com/subscribe/Legopartsales?referer=1

   
         
     
Subject: 
Re: Opinions wanted: article rating harmful? (was: New feature: Article rating)
Newsgroups: 
lugnet.admin.general
Date: 
Fri, 21 Apr 2000 02:26:33 GMT
Highlighted: 
(details)
Viewed: 
2178 times
  

Hey Todd,

I've been avoiding a direct and complete opinion about the rating system till
now, mainly because I wasn't sure of my stand on it. But now I know where I
stand... here're my answers:

The first, original purpose for having ratings was to be able to lay the
foundation for the later creation of a variety of "what's hot" or "top X of
group Y" listings for quick browsing -- something akin to the current
Spotlight pages, only fully automated, instantly updating, and much more
representative of collective opinion.

This is a good idea and I'll be glad to see it implemented.

The second original purpose was to
lay the foundation for so-called "collaborative filtering" possibilities --
the server learns (could learn) what types of things you prefer to read,
and gives (could give) higher priority to you personally for messages rated
higher by people with similar interests.

This, IMO, would work if (and only if) the rating were *not* based on numeric
rating, because the numbers can be perceived in oh-so-many ways. It would work
well, IMO, if there was a rating system based on written-out choices, for
example:
-this post is in the wrong NG (ie, off-topic)
-this post is OK, but not very useful
-this post is very informative
-this post features great MOCs/web sites/[etc]

You get the picture.

This could be very useful once (if?) the RSS/channels are implemented. I could
say, for example, that I want to see informative posts only; while Jeff (just
throwing around names) will ask to see MOC posts as well as informative ones;
and Eric will want to see all posts regardless... that kind of thing.

These two main purposes become
increasingly relevant as message traffic increases.

Right; but pure numbers aren't really helping. Categorizing posts
by "usefulness" is downright inappropriate and unhelpful. Because what's
useful and important to someone (e.g. info about a cool new mindstorms set
that is sighted in stores), will be useless to me and vice versa.

It was never a purpose of the ratings system to make anyone ever feel bad
or unwanted or unwelcome.  Its core purpose is simply to highlight "neat or
noteworthy stuff"

That's why I think that written-out statements are more useful than numbers.
Like Jeremy and others mentioned, a numeric scoring without a reason does not
help the person posting to realize what he/she has done wrong (or done
excellently well).

but not to downgrade "un-neat or un-noteworthy stuff" or
regular "fluff" (which there's nothing wrong with).

Right! "Fluff" is one of the things I like in lugnet, we are here day-in and
day-out; and there aren't Brad Justus posts every day, or MTT sightings every
week. Lugnet contains of a whole lot of fluff, and I personally like to read
it-- and see what's happening every day, regardless if it's highly "useful".

Going with a scale 0 to 100, in retrospect, hasn't been any
better from an overall morale point of view than if a scale -100 to +100 had
been used.

Sorrowfully enough, no. :-(
Numbers are numbers, no matter what they are.

1.  How would you feel (better or worse) if the numeric values of the ratings
were not displayed to you unless you specifically requested (via some simple
setting) that they be displayed to you?

Neither better nor worse.

2.  How would you feel (better or worse) if the numeric values of the ratings
were not displayed ever to anyone but collected and used by the server only
for internal calculations, hotlist generation, and personal recommendations
to you?

Better. I would like that.

3.  How would you feel (better or worse) if the ratings were not even
collected and collated in the first place?  (i.e. the destruction of the
feature altogether)

Neither better nor worse. I think it is a good idea but it needs to be re-
thought.

4.  Have you ever felt victimized by the rating system?  Have you posted
something which has obtained a low rating and felt uncomfortable or unhappy
about yourself or about LUGNET because of the low rating?  How often?

Yes, to some extent. Not very often, though.

5.  Have you ever felt victimized indirectly by seeing someone else's post
get a high rating?  How often?

I can't recall such a situation.

6.  Do you feel that the article rating system makes it easier for you or
harder for you to share your ideas?  And does this bother you?

Neither, and no.

7.  How does your initial reaction to the announcement of the article rating
system compare to your current opinion of it?

Originally, I thought it was a great idea. After seeing it in action, I still
think it's a good idea; but it has to be reworked.

8.  Do you feel that it is too early, too late, or the right time to address
these issues?

Right time. Perhaps a tad too late, but it doesn't matter.

9.  What other areas (besides news articles) can you imagine that a
collaborative ratings system would be most helpful to you?
LEGO sets?

Yes; but again, not pure numerical value.

Websites?  Individual web pages?

No way. Much, MUCH more potential for insults and bad feelings all around.

-Shiri

    
          
      
Subject: 
Re: Opinions wanted: article rating harmful? (was: New feature: Article rating)
Newsgroups: 
lugnet.admin.general
Date: 
Fri, 21 Apr 2000 02:47:05 GMT
Reply-To: 
MATTDM@MATTDM.ORGstopspam
Viewed: 
2061 times
  

Shiri Dori <shirid@hotmail.com> wrote:
-this post is in the wrong NG (ie, off-topic)
-this post is OK, but not very useful
-this post is very informative
-this post features great MOCs/web sites/[etc]
[snip]
Right; but pure numbers aren't really helping. Categorizing posts
by "usefulness" is downright inappropriate and unhelpful. Because what's
useful and important to someone (e.g. info about a cool new mindstorms set
that is sighted in stores), will be useless to me and vice versa.
That's why I think that written-out statements are more useful than numbers.

Good point -- this is kind of what I was trying to say, although I'd taken
it to a further extreme. (Even less choices.)


--
Matthew Miller                      --->                  mattdm@mattdm.org
Quotes 'R' Us                     --->               http://quotes-r-us.org/
Boston University Linux             --->                http://linux.bu.edu/

    
          
     
Subject: 
Re: Opinions wanted: article rating harmful? (was: New feature: Article rating)
Newsgroups: 
lugnet.admin.general
Date: 
Fri, 21 Apr 2000 03:00:06 GMT
Highlighted: 
(details)
Viewed: 
2124 times
  

In lugnet.admin.general, Shiri Dori writes:
Right; but pure numbers aren't really helping. Categorizing posts
by "usefulness" is downright inappropriate and unhelpful. Because what's
useful and important to someone (e.g. info about a cool new mindstorms set
that is sighted in stores), will be useless to me and vice versa.

That's what the averaging effect is for -- to smooth that out.  If the system
also could learn what you liked, you might find that helpful.  (That's a long
way down the road, though.)

[...]
Right! "Fluff" is one of the things I like in lugnet, we are here day-in and
day-out; and there aren't Brad Justus posts every day, or MTT sightings every
week. Lugnet contains of a whole lot of fluff, and I personally like to read
it-- and see what's happening every day, regardless if it's highly "useful".

Will you still feel that way when there are 4x the number of messages daily?
A year and a half ago, there were only 80-100 messages a day (on average).
Now there are 350-400 a day (on average).  At some point, the fluff becomes
too much.  And you may already have an unusually high liking or tolerance for
that sort of thing.  Not everyone out there has so much time to read everything.

Not trying to sound like a contrarian, just pointing out another POV.

--Todd

    
          
      
Subject: 
Re: Opinions wanted: article rating harmful? (was: New feature: Article rating)
Newsgroups: 
lugnet.admin.general
Date: 
Fri, 21 Apr 2000 03:17:19 GMT
Reply-To: 
mattdm@[spamless]mattdm.org
Viewed: 
2236 times
  

Todd Lehman <lehman@javanet.com> wrote:
Right; but pure numbers aren't really helping. Categorizing posts
by "usefulness" is downright inappropriate and unhelpful. Because what's
That's what the averaging effect is for -- to smooth that out.  If the system
also could learn what you liked, you might find that helpful.  (That's a long
way down the road, though.)

Smoothing what out, though? How does the system distinguish between "0: I
like posts about robots, but not in .castle" and "0: not interesting to me",
or "60: kinda funny if you're in the right mood" and "60: contains some
useful information but could be more complete"?

Also, I'm _very_ skeptical of the "match what you like" concept. It sounds
neat in practice, but I've never seen it implemented well.
homr/ringo/Firefly/bignote/launch/whateverthey'recallingthemselvestoday did
an ok job, but you'd have to do some serious language parsing/comprehension
stuff to make it work with news posts, even in such a narrow subject as
Lego.

--
Matthew Miller                      --->                  mattdm@mattdm.org
Quotes 'R' Us                     --->               http://quotes-r-us.org/
Boston University Linux             --->                http://linux.bu.edu/

     
           
      
Subject: 
Re: Opinions wanted: article rating harmful? (was: New feature: Article rating)
Newsgroups: 
lugnet.admin.general
Date: 
Wed, 26 Apr 2000 17:58:57 GMT
Viewed: 
2123 times
  

In lugnet.admin.general, Matthew Miller writes:
Todd Lehman <lehman@javanet.com> wrote:
That's what the averaging effect is for -- to smooth that out.  If the
system also could learn what you liked, you might find that helpful.
(That's a long way down the road, though.)

Smoothing what out, though? How does the system distinguish between "0: I
like posts about robots, but not in .castle" and "0: not interesting to me",
or "60: kinda funny if you're in the right mood" and "60: contains some
useful information but could be more complete"?

It can't (and doesn't actually need to) distinguish that so greatly -- the
bottom line (to it) would be that you disfavor posts about robots in castle
and things that are kinda funny or contain some useful info.


Also, I'm _very_ skeptical of the "match what you like" concept. It sounds
neat in practice, but I've never seen it implemented well.
homr/ringo/Firefly/bignote/launch/whateverthey'recallingthemselvestoday did
an ok job, but you'd have to do some serious language parsing/comprehension
stuff to make it work with news posts, even in such a narrow subject as
Lego.

I'm very skeptical about that form of collaborative filtering as well.  But
there's a completely other form of it which is purely statistical correlation
based.  It looks only at how your responses correlate to the responses of
others, without knowing (or having to know) anything at all about the content.
Then it makes a prediction about how you would feel about some brand new data
point based on how other people before you felt about that new data point.
Of course, it's a scheme which works better for things like record albums or
books or LEGO sets than time-sensitive things like news articles.  If you're
always the first one to rate something, it couldn't help you out, but if
you're always the last one to rate something, then it could.  That's the
theory, anyway.  It works basically on the premise that everyone tends to
have opinions which can be approximated by a linear combination of some
set of other people having multiple partially overlapping domains of input.

--Todd
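
The purely statistical form of collaborative filtering described in the post above, as an added example that is not part of the original thread and not LUGNET's code. The member names, article ids, ratings and the `min_overlap` parameter are constructed assumptions; the 0-100 scale is the one the thread uses.

```python
from math import sqrt

# Constructed sample data: member -> {article id: rating on the 0-100 scale}.
RATINGS = {
    "ann":  {"a1": 90, "a2": 20, "a3": 70, "a4": 80},
    "bob":  {"a1": 80, "a2": 30, "a3": 60, "a4": 75},
    "cara": {"a1": 10, "a2": 90, "a3": 30, "a4": 20},
    "dan":  {"a1": 85, "a2": 25, "a3": 65},   # has not rated a4 yet
    "eve":  {"a5": 50},                       # shares no rated article with anyone
}


def mean(values):
    values = list(values)
    return sum(values) / len(values)


def pearson(u, v, ratings, min_overlap=3):
    """Correlation of two members over the articles both have rated.

    Returns None when the overlap is too small or either member gave the
    same rating to every shared article (correlation is undefined then).
    """
    common = sorted(set(ratings[u]) & set(ratings[v]))
    if len(common) < min_overlap:
        return None
    xs = [ratings[u][i] for i in common]
    ys = [ratings[v][i] for i in common]
    mx, my = mean(xs), mean(ys)
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    vx = sum((x - mx) ** 2 for x in xs)
    vy = sum((y - my) ** 2 for y in ys)
    if vx == 0 or vy == 0:
        return None
    return cov / sqrt(vx * vy)


def predict(user, item, ratings, min_overlap=3):
    """Predict `user`'s rating of `item` from other members' ratings only.

    The prediction is the user's own mean plus a correlation-weighted
    combination of how far each other rater placed the item from their own
    mean. A negatively correlated rater counts in the opposite direction.
    No article content is inspected. Returns None when no usable rater exists.
    """
    mine = ratings[user]
    if item in mine:
        return float(mine[item])
    num = den = 0.0
    for other, theirs in ratings.items():
        if other == user or item not in theirs:
            continue
        w = pearson(user, other, ratings, min_overlap)
        if w is None:
            continue
        num += w * (theirs[item] - mean(theirs.values()))
        den += abs(w)
    if den == 0:
        return None
    return max(0.0, min(100.0, mean(mine.values()) + num / den))


if __name__ == "__main__":
    print("dan ~ ann :", round(pearson("dan", "ann", RATINGS), 3))
    print("dan ~ cara:", round(pearson("dan", "cara", RATINGS), 3))
    print("dan on a4 :", round(predict("dan", "a4", RATINGS), 1))
    print("dan on a9 :", predict("dan", "a9", RATINGS))   # nobody rated it yet
    print("eve on a4 :", predict("eve", "a4", RATINGS))   # no overlap with raters
```

The two `None` results correspond to the limits named in the post: a member who is first to rate an article, or who shares no rated articles with others, gets no prediction.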

     
           
      
Subject: 
Re: Opinions wanted: article rating harmful? (was: New feature: Article rating)
Newsgroups: 
lugnet.admin.general
Date: 
Wed, 26 Apr 2000 18:26:14 GMT
Viewed: 
2113 times
  

In lugnet.admin.general, Todd Lehman writes:
In lugnet.admin.general, Matthew Miller writes:
Todd Lehman <lehman@javanet.com> wrote:
That's what the averaging effect is for -- to smooth that out.  If the
system also could learn what you liked, you might find that helpful.
(That's a long way down the road, though.)

Smoothing what out, though? How does the system distinguish between "0: I
like posts about robots, but not in .castle" and "0: not interesting to me",
or "60: kinda funny if you're in the right mood" and "60: contains some
useful information but could be more complete"?

It can't (and doesn't actually need to) distinguish that so greatly -- the
bottom line (to it) would be that you disfavor posts about robots in castle
and things that are kinda funny or contain some useful info.

Whoops -- :) -- I meant to say, "...that you disfavor posts about robots in
castle and _favor_ (somewhat) things that are kinda funny or contain some
useful info."  But actually it would just look at the statistical correlation
between your rating and other people's ratings, etc.

--Todd

    
          
     
Subject: 
Re: Opinions wanted: article rating harmful? (was: New feature: Article rating)
Newsgroups: 
lugnet.admin.general
Date: 
Fri, 21 Apr 2000 03:29:45 GMT
Viewed: 
2140 times
  

In lugnet.admin.general, Todd Lehman writes:
In lugnet.admin.general, Shiri Dori writes:
Right; but pure numbers aren't really helping. Categorizing posts
by "usefulness" is downright inappropriate and unhelpful. Because what's
useful and important to someone (e.g. info about a cool new mindstorms set
that is sighted in stores), will be useless to me and vice versa.

That's what the averaging effect is for -- to smooth that out.

Well- yeah. But at the current amounts of rating (most posts get no more than
two ratings) the averaging effect doesn't smooth much out.

I totally forgot to mention in my long post that I actually stopped regarding
a rating of a post as a factor of whether I'm going to read it or not. I just
ignore the rating, because I've noticed that the rating had nothing to do with
my perspective on the post whatsoever.

If the system
also could learn what you liked, you might find that helpful.  (That's a long
way down the road, though.)

Yes... the thought occurred to me that perhaps, while posting, one could
(optionally) check off any number of boxes describing the post
(e.g. "MOC", "market", "set opinion"). Then each reader could specify what
things he would and would not like to see.

[...]
Right! "Fluff" is one of the things I like in lugnet, we are here day-in and
day-out; and there aren't Brad Justus posts every day, or MTT sightings every
week. Lugnet contains of a whole lot of fluff, and I personally like to read
it-- and see what's happening every day, regardless if it's highly "useful".

Will you still feel that way when there are 4x the number of messages daily?
A year and a half ago, there were only 80-100 messages a day (on average).
Now there are 350-400 a day (on average).  At some point, the fluff becomes
too much.  And you may already have an unusually high liking or tolerance for
that sort of thing.  Not everyone out there has so much time to read everything.

You're right. That hadn't occurred to me. When I think of it, I spend more time
on lugnet than the average fan (1) and I check it every 10 minutes or so (more
often if I'm really bored). I guess I *do* tolerate fluff more than other
people, because lugnet for me is not only a means for sharing my hobby (lego)
with other fans, but also a source of communication with people. (1)

I still think that word strings will provide better feedback and guidance (as
to what to read/what not) than numbers, though. But if the RSS ends up having
number ratings, I'd set my prefs to "show any message regardless of the
rating" because I, personally, like to read it all.

-Shiri

(1) What can I say? I'm in a bad social situation right now, my only friends
live 7 time-zones away from me and I mostly communicate with people (2) via
the net. I also have a lot of free time on my hands because I don't hang out
with my friends (it's a bit hard considering the geographical differences ;-).

(2) both my friends from Israel, and AFOLs.

   
         
     
Subject: 
Re: Opinions wanted: article rating harmful?
Newsgroups: 
lugnet.admin.general
Date: 
Fri, 21 Apr 2000 02:38:54 GMT
Highlighted: 
(details)
Viewed: 
2092 times
  

Todd Lehman wrote a bunch of worthy stuff about the rating system.

Lugnet hosts an amazing variety of visitors.  From my background, the rating
system is fine.  If I want to rate, I will (which I generally don't).  If I
want to pay attention to other people's ratings I will (which I generally
don't).

Sure the system can be misused by mean spirited people, and ego trippers,
but they're out there anyway, and if they don't use this vehicle they'll
just use another, and the damage will be the same.

I also received a private e-mail last night describing the rating
system as "a fiasco and an embarrassment to LUGNET" and
calling for its removal.


See - mean spirited people.  Lugnet on the whole is a fine contribution to
the sum of the universe.  Even where it has its drawbacks (and there are
some, but my list is very short), its net is a major contribution.  Some
people focus only on the negatives, and these assume overwhelming
proportions in their minds.  It's a mistake, but it's very common.

On the attempts at helpful suggestions side (and conscious that those taking
this considerably more seriously than I have probably already suggested
these):

- it would seem that the aims could be achieved by not allowing mark downs.
Let every post have no rating at all, and allow 'noteworthy', 'especially
noteworthy', and 'golly gee, everyone has gotta read this' to be ratings
which can be assigned.  Without going into all the detail, it seems to hit
all the marks and prevent most of the damage.  Using text strings rather
than numeric ratings might help out the numerically challenged :-)

- and list raters names and email addresses too.  People tend to behave much
more sensibly when they're accountable for their actions.  If the raters knew
their ratings would be obviously traceable to them, you'd get a few less
ratings, but the ones you'd lose would be the scurrilous ones.  I for one
have no problem with being held publicly accountable for anything I say or
do.  This would banish the cloak and dagger naysayers too (the ones
complaining about being rated by the shadowy elite).

Specific personal questions:

1.  How would you feel (better or worse) if the numeric values of
the ratings were not displayed to you unless you specifically
requested (via some simple setting) that they be displayed to
you?


Hmmm.  Hard to imagine people would not turn this on, even if it pained
them.  This is not a close your eyes kind of medium.  (Then again, I'm not a
close your eyes kind of guy)

2.  How would you feel (better or worse) if the numeric values of
the ratings were not displayed ever to anyone but collected and
used by the server only for internal calculations, hotlist
generation, and personal recommendations to you?

This sounds like a good idea.  I still prefer my suggestions up top, but
this would appear to be an improvement.

3.  How would you feel (better or worse) if the ratings were not
even collected and collated in the first place?  (i.e. the
destruction of the feature altogether)


I'd feel worse.  I'd feel like the holier than thou types and naysayers had
won again.  You're shooting for a worthy goal Todd.  Press on regardless.

4.  Have you ever felt victimized by the rating system?  Have you posted
something which has obtained a low rating and felt uncomfortable or unhappy
about yourself or about LUGNET because of the low rating?  How often?


I don't check ratings of what I post.  I was told I got a low rating on a
post (10).  Like I said, mean spirited people about.  I can understand
though how first time posters might be discouraged if they got pasted.

5.  Have you ever felt victimized indirectly by seeing someone else's post
get a high rating?  How often?


Good grief no.  I can't understand how I could feel that.  What, jealous of
someone else's apparent success?  Surely if I did feel that way, I'd be
qualifying myself as someone you shouldn't listen to!

6.  Do you feel that the article rating system makes it easier for you or
harder for you to share your ideas?  And does this bother you?


It's an interesting sideline, not critical for me, but important to me that
Lugnet should go on developing.

7.  How does your initial reaction to the announcement of the article rating
system compare to your current opinion of it?


No change.  It has worked out pretty much as I would have expected.

8.  Do you feel that it is too early, too late, or the right time to address
these issues?


Any time's a good time to think.

9.  What other areas (besides news articles) can you imagine that a
collaborative ratings system would be most helpful to you?  LEGO sets?
Websites?  Individual web pages?  etc...


Yup all sounds fine to me.

Thanks for your time,


No problem, least I can do.

And those of you with a fine sense of history might recall that I left
.general some time ago, after I copped a dose of abuse over my potty mouth.
Rest assured I have not become soft and resigned in my old age.  I'm only
here because Todd seems to be wearing more than a fair share of abuse, and
because he asked me (like he asked everyone) to.

I reckon this is about the biggest post I have ever sent to Lugnet -
apologies to those with traffic issues.

Regards

Richard
Still baldly going...
Check out Port Block at http://www.hinet.net.au/~rparsons/port/

    
          
      
Subject: 
Re: Opinions wanted: article rating harmful?
Newsgroups: 
lugnet.admin.general
Date: 
Fri, 21 Apr 2000 03:01:21 GMT
Viewed: 
2098 times
  

In lugnet.admin.general, Richard Parsons writes:
[...]
Sure the system can be misused by mean spirited people, and ego trippers,
but they're out there anyway, and if they don't use this vehicle they'll
just use another, and the damage will be the same.

I wish I could mark that statement an "11".  :)  Very good point. (!!!!)

--Todd

    
          
     
Subject: 
Re: Opinions wanted: article rating harmful?
Newsgroups: 
lugnet.admin.general
Date: 
Fri, 21 Apr 2000 14:49:56 GMT
Viewed: 
2060 times
  

Richard Parsons skrev i meddelandet ...
Todd Lehman wrote a bunch of worthy stuff about the rating system.

5.  Have you ever felt victimized indirectly by seeing someone else's post
get a high rating?  How often?

Good grief no.  I can't understand how I could feel that.  What, jealous of
someone else's apparent success?

If that's how you see the ratings ("someone else's success"), I think the
system should be turned off at once. I thought the ratings were supposed to
help find readworthy (is that a word?) posts, not signaling 'success' or
'failure' to individuals!

[Side remark]
The lugnet traffic seems heavily skewed into .admin right now, in this
download I found only one group with more than 10 messages since my last
download (about 16 hours ago) - guess which one!
(Of course, this observation is based on the 19 groups I read, not all of
lugnet)

--
Anders Isaksson, Sweden
BlockCAD:  http://user.tninet.se/~hbh828t/proglego.htm
Gallery:   http://user.tninet.se/~hbh828t/gallery.htm

    
          
     
Subject: 
Re: Opinions wanted: article rating harmful?
Newsgroups: 
lugnet.admin.general
Date: 
Fri, 21 Apr 2000 21:35:12 GMT
Viewed: 
2065 times
  

In lugnet.admin.general, Anders Isaksson writes:
Richard Parsons skrev i meddelandet ...
5.  Have you ever felt victimized indirectly by seeing someone else's post
get a high rating?  How often?

Good grief no.  I can't understand how I could feel that.  What, jealous of
someone else's apparent success?

If that's how you see the ratings ("someone else's success"),

I think Richard was trying to guess what I meant by my question.  My question
was meant to "amplify" and address the worst possible imaginary concern.


I think the
system should be turned off at once. I thought the ratings were supposed to
help find readworthy (is that a word?) posts, not signaling 'success' or
'failure' to individuals!

That's correct.  It's being changed to reflect that more closely.


[Side remark]
The lugnet traffic seems heavily skewed into .admin right now, in this
download I found only one group with more than 10 messages since my last
download (about 16 hours ago) - guess which one!
(Of course, this observation is based on the 19 groups I read, not all of
lugnet)

Yes, this is an active thread.  Every group goes through bursts of activity
at one time or another.

--Todd

   
         
     
Subject: 
Re: Opinions wanted: article rating harmful? (was: New feature: Article rating)
Newsgroups: 
lugnet.admin.general
Date: 
Fri, 21 Apr 2000 02:46:32 GMT
Viewed: 
2028 times
  

Todd & All,

However, it seems that the high visibility of both the raw and composite
numbers are having an overall negative effect on the community's morale.
Some of the deeper concerns are raised in this message and its replies:

   http://www.lugnet.com/admin/general/?n=6130

I pretty much agree with Thomas Main's assessments of the rating system. I
don't use the system in terms of the website interface, since I get all my
LUGNET info from the NNTP. One of the most visible complaints I have of the
ratings system is the inability of seeing these ratings on the various
postings submitted on the web interface locally.

Clearly, these are very strong feelings being expressed by people.  How many
others feel this way?  What would you like to see happen?  Post your thoughts
as a reply to this message (or reply privately if you prefer not to post your
thoughts publicly).

See above.

It was never a purpose of the ratings system to make anyone ever feel bad
or unwanted or unwelcome.  Its core purpose is simply to highlight "neat or
noteworthy stuff" but not to downgrade "un-neat or un-noteworthy stuff" or
regular "fluff" (which there's nothing wrong with).

Hmm... this sounds interesting in theory, but knowing a little bit of human
nature, it can be abused. If I really don't like someone in debate, or in
another area, I can trash all their posts by giving them a 0 or 10. (I have
not done this, BTW, I have not voted for any posts one way or another)

I think this is a matter of interpretation of what a 0 rating as opposed to
a 100 or a 90. Some people differ on interpretations.

It seems that no amount of education about what the numbers mean will be able
to make a meaningful dent in the natural inclination to view, say, a 40 as
having been "marked down" from its default of 50.  Even if the default were
changed from 50 to 0 (so that numbers tended almost always to climb rather
than to climb half of the time and fall half of the time), it seems likely
that feelings will still be hurt, because it seems that some people are hurt
by the fact that others are getting 80's and 90's while they are getting 40's
or 50's or 60's.  Going with a scale 0 to 100, in retrospect, hasn't been any
better from an overall morale point of view than if a scale -100 to +100 had
been used.

Specific personal questions:

1.  How would you feel (better or worse) if the numeric values of the ratings
were not displayed to you unless you specifically requested (via some simple
setting) that they be displayed to you?

Since I don't see them, I don't know. I guess if I would use the web
interface, I would probably not read the lower rating ones. I read a
majority of the e-mails I get, unless I am definitely not interested in it
(IE Castle auctions) I don't think displaying the numbers is good.

2.  How would you feel (better or worse) if the numeric values of the ratings
were not displayed ever to anyone but collected and used by the server only
for internal calculations, hotlist generation, and personal recommendations
to you?

I think this is better. That way you can still generate the hotlists
automatically.

3.  How would you feel (better or worse) if the ratings were not even
collected and collated in the first place?  (i.e. the destruction of the
feature altogether)

Well, I don't think it is necessary to remove it all together, private
voting might be better.

4.  Have you ever felt victimized by the rating system?  Have you posted
something which has obtained a low rating and felt uncomfortable or unhappy
about yourself or about LUGNET because of the low rating?  How often?

Well, I don't know if any of my posts have been, I frankly don't care
anymore if they do, simply because I am a big guy and can take it. I would
hate to see debate anymore, however, especially since I am not in the
"majority" in terms of  leftists thinking. I think this is an area where
ratings do little.

5.  Have you ever felt victimized indirectly by seeing someone else's post
get a high rating?  How often?

Well, from what I have seen, some of the postings get really bad ratings for
no reason, and some get good ratings for, IMO, are not. It is a flawed
system in terms of some people throwing off the numbers.

6.  Do you feel that the article rating system makes it easier for you or
harder for you to share your ideas?  And does this bother you?

Harder. That is one of the reasons I dropped out of debate. It does bother
me.

7.  How does your initial reaction to the announcement of the article rating
system compare to your current opinion of it?

I think my concerns were promptly validated.

8.  Do you feel that it is too early, too late, or the right time to address
these issues?

I think it is a good thing, before it goes for too long.

9.  What other areas (besides news articles) can you imagine that a
collaborative ratings system would be most helpful to you?  LEGO sets?
Websites?  Individual web pages?  etc...

I don't really think I would want a ratings system on my page. I am
flattered if people visit it, period. I would hate to have mine downgraded
because of my lack of html. My website will undergo a major change, since I
have learned a lot since I put it together, once I get my stealth
project going. I think a good way of portraying websites would be a major
links page with themes, and construction techniques and so on, and you could
submit your thoughts on building mechs, or something.

Thanks for your time,
--Todd

Thank you, Todd, for your continuous efforts to get LUGNET as good as it can
be. I for one, still enjoy it, and look forward to the improvements ahead.
It is a substantial monument to all AFOL'S to have a home on the internet to
share and exchange ideas, projects, likes, dislikes, etc. and I am glad to
be a part of it. : )

Sincerely,

Scott S.
--
Scott E. Sanburn
Systems Administrator-Affiliated Engineers -> http://www.aeieng.com
LEGO Page -> http://www.geocities.com/Area51/Station/3372/legoindex.html
Coming Soon: The Sanburn Systems Company







[followups to .admin.general]

   
         
     
Subject: 
Re: Opinions wanted: article rating harmful? (was: New feature: Article rating)
Newsgroups: 
lugnet.admin.general, lugnet.announce
Followup-To: 
lugnet.admin.general
Date: 
Fri, 21 Apr 2000 03:58:02 GMT
Highlighted: 
!! (details)
Viewed: 
3889 times
  

In lugnet.admin.general, Todd Lehman writes:
[...]
Clearly, these are very strong feelings being expressed by people.  How many
others feel this way?  What would you like to see happen?  Post your thoughts
as a reply to this message (or reply privately if you prefer not to post your
thoughts publicly).
[...]

First, thanks to everyone who has taken the time to put their thoughts into
words, both publicly and privately.  A clearer picture is beginning to emerge.

We'd like to try scaling things back (i.e., simplifying things) just a little
bit first before trying out any drastic fixes.  Three things seem very clear:
(1) the current system of publicly showing composite numbers in the range 0 to
100 with a default of 50 is causing more overall harm than overall good, and
(2) changing the method of the scale might help, and (3) eliminating the
visible numeric scores altogether would definitely help (help relieve hurt
feelings, that is).

Ironically, the problem isn't the collection of data; the problem is
presenting back too much data -- too easy to see details or variations and
not know what they mean.

We're going to try a simple change to the way the scores are presented -- and
we'd like to keep this in place for at least 24 hours to collect feedback.

Maybe this improves things a bit, maybe it doesn't.  Maybe it solves the
problems altogether, maybe not.  We apologize in advance for the bumpy ride,
since the changes will be visible ones.


Changepoint 1
-------------

Remapped the range 0 to 100 to the range 0 to 5 and changed the default score
from 50/100 to 1/5 so that scores tend generally to climb rather than to fall.
Articles can still be marked down (toward zero), but seeing scores turn
downward would now be a rare rather than a common occurrence.

Thus, here's an old/new conversion table (just for illustration and
understanding -- not important to memorize):

   OLD  <==>  NEW
   ---        ---
   100         5
    90
    80         4
    70
    60         3
--> 50 <------------- old default
    40         2
    30
    20     --> 1 <--- new default
    10
     0         0

And a comparison of the "marked down" and "marked up" ranges (which, again,
are a figment of the imagination, but it's effectively impossible to convince
people of that...so we have to live with that impression and compensate
for it):

    OLD
   -----
   100 |     ^
    90 |     |
    80 |   "marked up" (perceived as "good")
    70 |     |
    60 |     |
    50 |<--starting point (default score)
    40 |     |
    30 |     |
    20 |   "marked down" (perceived as "bad")
    10 |     |
     0 |     V


    NEW
   -----
     5 |     ^
     4 |     |
     3 |  "marked up" (perceived as "good")
     2 |     |
     1 |<--starting point (default score)
     0 |  "marked down" (perceived as "bad")

This was a very simple two-line code change on the server...the ratings engine
was designed to have its output mapped to other ranges besides 0-100, and the
default scores of 50 are/were never stored in the database (it was always
added on-the-fly at display-time) so changing this from 50 to 1 was trivial.

When casting input, the number of choices is also now decreased from 11
choices (corresponding before with 0,10,20,30,40,50,60,70,80,90,100) now to
6 choices (corresponding now with 0,1,2,3,4,5).


Changepoint 2
-------------

Instead of displaying ratings as numbers, display them now as a string of "+"
symbols (and a "-" symbol for 0)... i.e.:

   SYMBOL  NEW   OLD
     ++++   5   83-100
      +++   4   67-82
       ++   3   50-66
        +   2   33-49
            1   17-32
        -   0    0-16

This was also a simple code change in a single location.


Changepoint 3
-------------

Simplified the rating display in the "Brief" article view mode (the one which
shows an abstract or snippet of it, like what you see on the homepage):

     OLD:    Unrated: 50
     NEW:    (nothing)

     OLD:    Rated: 40 by 1
     NEW:    +

     OLD:    Rated: 63 by 5
     NEW:    ++

     OLD:    Rated: 96 by 14
     NEW:    ++++

Also simplified the rating display in the "All" (full) article view mode so
that the rating displays along with the other headers further to the left:

     OLD:    Rating: 50  /  By: _0_
     NEW:    (nothing)

     OLD:    Rating: 40  /  By: _1_
     NEW:    Rating: (_histogram_)

     OLD:    Rating: 40  /  By:  _1_
     NEW:    Rating: + (_histogram_)

     OLD:    Rating: 96  /  By: _14_
     NEW:    Rating: ++++ (_histogram_)

These were also simple code changes each in a single location.


Changepoint 4
-------------

In a couple of places, flipped the direction of the symbol used for showing
articles you've rated from >> to << (only cosmetic to support the above).


Final notes
-----------

These changes are not switched "on" yet, but look for them about 10-15 minutes
after this "heads-up" message appears.

And the  /news/rating-graph.cgi  displays (the histograms) still show the raw
input table 0 to 100...  Something to change later if this is worth pursuing.

--Todd & Suz

    
          
      
Subject: 
Re: Opinions wanted: article rating harmful? (was: New feature: Article rating)
Newsgroups: 
lugnet.admin.general
Date: 
Fri, 21 Apr 2000 05:46:18 GMT
Highlighted: 
(details)
Viewed: 
2338 times
  

In lugnet.admin.general, Todd Lehman writes:
[...]
Instead of displaying ratings as numbers, display them now as a string of "+"
symbols (and a "-" symbol for 0)... i.e.:

   SYMBOL  NEW   OLD
     ++++   5   83-100
      +++   4   67-82
       ++   3   50-66
        +   2   33-49
            1   17-32
        -   0    0-16
[...]

The minus signs still look damaging, and I don't think it's good that a
default of 1 (20 internally) can be lowered to 0 by a single person casting
a 0.  (20+0)/2 = 10, which becomes 0, which becomes "-".

Might tweak this tomorrow, either to...

   SYMBOL  NEW   OLD
    +++++   5   83-100
     ++++   4   67-82
      +++   3   50-66
       ++   2   33-49
        +   1   17-32
            0    0-16

...or to...

   SYMBOL  NEW   OLD
     ++++   4   80-100
      +++   3   60-79
       ++   2   40-59
        +   1   20-39
            0    0-19

...and in either case with 0 as the default rather than 1 (or 20 internally).
0 (blank) just seems so much easier to start with and explain than partway
up the range.  This way, also, nothing could _ever_ get a negative rating --
The worst that could happen to something is that it didn't have any symbol
shown next to it.

--Todd

     
           
       
Subject: 
Re: Opinions wanted: article rating harmful? (was: New feature: Article rating)
Newsgroups: 
lugnet.admin.general
Date: 
Fri, 21 Apr 2000 07:05:18 GMT
Highlighted: 
(details)
Viewed: 
2326 times
  

In lugnet.admin.general, Todd Lehman writes:
  SYMBOL  NEW   OLD
    ++++   4   80-100
     +++   3   60-79
      ++   2   40-59
       +   1   20-39
           0    0-19

...and in either case with 0 as the default rather than 1 (or 20 internally).
0 (blank) just seems so much easier to start with and explain than partway
up the range.  This way, also, nothing could _ever_ get a negative rating --
The worst that could happen to something is that it didn't have any symbol
shown next to it.

This looks like a much better rating system.  And I agree that any given
article shouldn't be given a negative rating without further explanation.  If
someone continuously receives negative ratings for their posts, they might
take it as their posts are not wanted and might cause them to stop posting at
all.  In your old rating system, I assume anything less than 50 is a negative
meaning there is something wrong with the post.  If there is anything wrong,
please explain further by leaving a reply instead of leaving a rating.
Leaving a low rating won't explain to the original poster what is wrong with
the article.  Since the old rating was done anonymously, people might leave a
low rating for any reason even just because they don't like the original
poster.
On a side note I noticed that before the rating system was implemented I used
to scroll through at least 2-3 pages (by clicking on "show 100 more") of new
posts every morning and after the rating system was implemented, the number of
posts died down to a little more than 1 page.
Way back I thought about rating all links that I have on my page (almost 500
of them) but quickly discarded the idea since giving a lower rating than the
maximum to anybody will be like sending them a message that their "product" is
not good enough.  This rating system would have done more harm than good.
And finally, the whole reason for having a rating system is to show the most
interesting articles?  I thought that the purpose of having a Spotlight
section was to do this.

D.

      
            
       
Subject: 
Re: Opinions wanted: article rating harmful? (was: New feature: Article rating)
Newsgroups: 
lugnet.admin.general
Date: 
Fri, 21 Apr 2000 15:21:22 GMT
Viewed: 
2286 times
  

In lugnet.admin.general, Dan Jezek writes:
[...]
And finally, the whole reason for having a rating system is to show the most
interesting articles?

That's not the whole reason, no.  It's one important reason, though.


I thought that the purpose of having a Spotlight section was to do this.

That's one purpose of it, although the Spotlight section almost always ignores
auctions because it's more news- and MOC-focused.  Before the ratings, it was
also produced from only a single person's input (in 99% of the cases), which
is a downside both in overhead and accuracy.

--Todd

     
           
      
Subject: 
Re: Opinions wanted: article rating harmful? (was: New feature: Article rating)
Newsgroups: 
lugnet.admin.general
Date: 
Fri, 21 Apr 2000 13:40:41 GMT
Reply-To: 
MATTDM@MATTDM.antispamORG
Viewed: 
2486 times
  

Todd Lehman <lehman@javanet.com> wrote:
  SYMBOL  NEW   OLD
    ++++   4   80-100
     +++   3   60-79
      ++   2   40-59
       +   1   20-39
           0    0-19

How about

+++ 4
  ++ 3
   + 2
     1
     0

?


--
Matthew Miller                      --->                  mattdm@mattdm.org
Quotes 'R' Us                     --->               http://quotes-r-us.org/
Boston University Linux             --->                http://linux.bu.edu/

     
           
      
Subject: 
Re: Opinions wanted: article rating harmful? (was: New feature: Article rating)
Newsgroups: 
lugnet.admin.general
Date: 
Fri, 21 Apr 2000 17:16:53 GMT
Highlighted: 
(details)
Viewed: 
2482 times
  

In lugnet.admin.general, Matthew Miller writes:
Todd Lehman <lehman@javanet.com> wrote:
  SYMBOL  NEW   OLD
    ++++   4   80-100
     +++   3   60-79
      ++   2   40-59
       +   1   20-39
           0    0-19

How about

+++ 4
  ++ 3
   + 2
     1
     0

That's probably even better.

Gonna try out a related thing first -- changing the "+" symbols to "!" symbols.
The "!" symbol is a lot skinnier than "+", so it saves precious space, and the
count of symbols isn't really as important anyway as the overall bottom-line
visual draw.  The "+" symbol (chosen over "*" for its higher legibility in
default Helvetica) still somewhat connotates "plus" or "better" even without
an accompanying "-" sign.  (Do you get that feeling as well?)  The idea behind
the exclamation point "!" is shouting "hey, look at this!!"

Changing the input-collection text from:

   How would you rate this message?    Low o o o o o o High    o (No comment)

to:

   Would you recommend this article to others?   Yes! o o o o Yes!!!!   o No

ought to alleviate ambiguity.

I always had reservations about using the word "rating" in context with
articles.  Slashdot uses the word "score" but that also gives the feeling that
someone is "keeping track" or "keeping score."  Other word options were
"voting" and "opinions" but according to their dictionary definitions, those
didn't quite match.  (I don't recall how much in-depth the word choice was
discussed in the initial thread, but probably not enough.)

Migrating this away from the idea of "rating" and toward the idea of
"recommending" (that's what the ratings are supposed to do, in the final
analysis) seems like a wise idea.

--Todd

     
           
       
Subject: 
Re: Opinions wanted: article rating harmful? (was: New feature: Article rating)
Newsgroups: 
lugnet.admin.general
Date: 
Fri, 21 Apr 2000 17:21:31 GMT
Viewed: 
2577 times
  

In lugnet.admin.general, Todd Lehman writes:

Gonna try out a related thing first -- changing the "+" symbols to "!" symbols.
The "!" symbol is a lot skinnier than "+", so it saves precious space, and the
count of symbols isn't really as important anyway as the overall bottom-line
visual draw.  The "+" symbol (chosen over "*" for its higher legibility in
default Helvetica) still somewhat connotates "plus" or "better" even without
an accompanying "-" sign.  (Do you get that feeling as well?)

No, but I see how other people might.

The idea behind
the exclamation point "!" is shouting "hey, look at this!!"

Changing the input-collection text from:

  How would you rate this message?    Low o o o o o o High    o (No comment)

to:

  Would you recommend this article to others?   Yes! o o o o Yes!!!!   o No

ought to alleviate ambiguity.

<snip>

Yes, definitely yes.
If your post isn't recommended, it doesn't mean anything... just that it's not
recommended. No hard feelings (or at least less hard than "low ratings").

-Shiri

      
            
       
Subject: 
Re: Opinions wanted: article rating harmful? (was: New feature: Article rating)
Newsgroups: 
lugnet.admin.general
Date: 
Fri, 21 Apr 2000 17:32:24 GMT
Highlighted: 
(details)
Viewed: 
2627 times
  

In lugnet.admin.general, Shiri Dori writes:
Yes, definitely yes.
If your post isn't recommended, it doesn't mean anything... just that it's
not recommended. No hard feelings (or at least less hard than "low ratings").

Also thinking of making a rating of 0 (lowest) not count -- i.e., be exactly
the same as inputting no opinion at all.  In other words, there would be a
way not to recommend to read something (naturally) but no way to recommend
not to read something.  This way, _only_ positive things could be "said" via
the input.  Negative input would be the same as no input.  This would
effectively discard the ability to penalize someone for what they've posted.
It would be a loss of useful functionality, but overall, we're probably better
off if that aspect of functionality doesn't exist, since (a) few people are
relatively emotionless and (b) this is just a hobby, after all.  We're here to
have fun, to do positive things, not to begrudge each other accidentally or
on purpose.

--Todd
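
The scoring schemes discussed in this thread (the Changepoint 1 and 2 display with a default of 20, and the later proposal of a default of 0 with a 0 input not counting) can be compared side by side to see how far one rater can move what is displayed. This is an added example, not LUGNET's server code; it assumes inputs 0..5 are stored as 0, 20, ..., 100, that the default still takes part in the average as one extra vote, and that the display thresholds are the lower bounds of the "OLD" columns in the tables above.

```python
# Added illustration; not LUGNET's server code.
# Assumptions (not stated in full by the thread):
#   - inputs 0..5 are stored as 0, 20, ..., 100 (a default of 1 is "20 internally")
#   - the default participates in the average as one extra vote
#   - display thresholds are the lower bounds of the "OLD" columns

STEP = 20  # internal points per input step

# (lower bound of internal score, symbol), highest bucket first
CHANGEPOINT_2 = [(83, "++++"), (67, "+++"), (50, "++"), (33, "+"), (17, ""), (0, "-")]
PROPOSED = [(80, "++++"), (60, "+++"), (40, "++"), (20, "+"), (0, "")]


def composite(inputs, default, ignore_zero=False):
    """Average of the default vote and the human inputs, on the 0..100 scale."""
    for value in inputs:
        if value not in range(6):
            raise ValueError(f"input out of range 0..5: {value!r}")
    # With ignore_zero, a 0 input is treated exactly like no input at all.
    counted = [v * STEP for v in inputs if not (ignore_zero and v == 0)]
    return (default + sum(counted)) / (1 + len(counted))


def symbol(score, table):
    """Map an internal 0..100 score to its display string."""
    for lower, text in table:
        if score >= lower:
            return text
    raise ValueError(f"score below table range: {score!r}")


def display_current(inputs):
    """Changepoint 1 + 2: default 20, every input counts, '-' bucket exists."""
    return symbol(composite(inputs, default=20), CHANGEPOINT_2)


def display_proposed(inputs):
    """Proposal: default 0, a 0 input does not count, no negative symbol."""
    return symbol(composite(inputs, default=0, ignore_zero=True), PROPOSED)


def effect_of_one_zero(inputs):
    """Display before and after one extra 0 input, under both schemes."""
    after = list(inputs) + [0]
    return {
        "current": (display_current(inputs), display_current(after)),
        "proposed": (display_proposed(inputs), display_proposed(after)),
    }


if __name__ == "__main__":
    # Constructed sample inputs: an unrated article and one with two 4s.
    for sample in ([], [4, 4]):
        print(sample, effect_of_one_zero(sample))
```

Under the current scheme a single 0 changes the display in both samples; under the proposal it changes neither, which is the property described in the message above.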

      
            
       
Subject: 
Re: Opinions wanted: article rating harmful?
Newsgroups: 
lugnet.admin.general
Date: 
Fri, 21 Apr 2000 19:19:20 GMT
Viewed: 
2616 times
  

In lugnet.admin.general, Todd Lehman writes:

This way, _only_ positive things could be "said" via
the input.  Negative input would be the same as no input.

"If you can't say anything nice, don't say anything at all".  Gee thanks for
reminding us Mom...er..Todd. ;)

Ben Roller

     
           
      
Subject: 
Re: Opinions wanted: article rating harmful? (was: New feature: Article rating)
Newsgroups: 
lugnet.admin.general
Date: 
Fri, 21 Apr 2000 18:04:26 GMT
Reply-To: 
MATTDM@MATTDM.ORGnomorespam
Viewed: 
2583 times
  

Todd Lehman <lehman@javanet.com> wrote:
default Helvetica) still somewhat connotates "plus" or "better" even without
an accompanying "-" sign.  (Do you get that feeling as well?)  The idea behind
the exclamation point "!" is shouting "hey, look at this!!"

Yeah, I agree that "+" has connotations of "better". But I think the "!"
seems to have a "Warning" feeling to it, especially in red. (It's a typical
icon in warning error message dialog boxes, for example.) That doesn't mean
it's necessarily a bad choice -- maybe it's just me. If it weren't for the
space issue, I'd pick "*".


Changing the input-collection text from:
  Would you recommend this article to others?   Yes! o o o o Yes!!!!   o No

*grin* Other than reminding me of those awful Herbal Essences shampoo
commercials, looks good.


Migrating this away from the idea of "rating" and toward the idea of
"recommending" (that's what the ratings are supposed to do, in the final
analysis) seems like a wise idea.

Agreed.

--
Matthew Miller                      --->                  mattdm@mattdm.org
Quotes 'R' Us                     --->               http://quotes-r-us.org/
Boston University Linux             --->                http://linux.bu.edu/

     
           
      
Subject: 
Re: Opinions wanted: article rating harmful? (was: New feature: Article rating)
Newsgroups: 
lugnet.admin.general
Date: 
Fri, 21 Apr 2000 18:31:28 GMT
Viewed: 
2608 times
  

In lugnet.admin.general, Matthew Miller writes:
Yeah, I agree that "+" has connotations of "better". But I think the "!"
seems to have a "Warning" feeling to it, especially in red. (It's a typical
icon in warning error message dialog boxes, for example.) That doesn't mean
it's necessarily a bad choice -- maybe it's just me. If it weren't for the
space issue, I'd pick "*".

Welp, space isn't really _that_ much of an issue compared to the symbol itself.
All things being equal, a thinner character is better than a big fat character
like "+".  Let's see what people think about "!" after seeing it for a little
while...I seem to remember visiting a discussion group site once which used a
small orange "!" image to mark something that was important -- it didn't seem
to me like a "don't read this!" but obviously a "read this!".

(Anyone else reading this -- if you think "!" is a terrible choice or have
another suggestion, please let us know!  We can certainly try out "*" if "!"
sends the wrong impression.)

--Todd

     
           
       
Subject: 
Re: Opinions wanted: article rating harmful? (was: New feature: Article rating)
Newsgroups: 
lugnet.admin.general
Date: 
Fri, 21 Apr 2000 19:10:28 GMT
Reply-To: 
mattdm@mattdm#nomorespam#.org
Highlighted: 
(details)
Viewed: 
2637 times
  

Todd Lehman <lehman@javanet.com> wrote:
like "+".  Let's see what people think about "!" after seeing it for a little
while...I seem to remember visiting a discussion group site once which used a
small orange "!" image to mark something that was important -- it didn't seem
to me like a "don't read this!" but obviously a "read this!".


For what it's worth, slrn uses ! to mark highly-scored (via my own score
file) articles. So I'm certainly used to it. (I thought it kind of odd of
slrn too, but no one asked me for feedback there....)

--
Matthew Miller                      --->                  mattdm@mattdm.org
Quotes 'R' Us                     --->               http://quotes-r-us.org/
Boston University Linux             --->                http://linux.bu.edu/

     
           
      
Subject: 
Re: Opinions wanted: article rating harmful? (was: New feature: Article rating)
Newsgroups: 
lugnet.admin.general
Date: 
Fri, 21 Apr 2000 19:22:31 GMT
Viewed: 
2697 times
  

In lugnet.admin.general, Todd Lehman writes:

(Anyone else reading this -- if you think "!" is a terrible choice or have
another suggestion, please let us know!  We can certainly try out "*" if "!"
sends the wrong impression.)

I like + over *, but unless the !'s font is darker, it's worthless to me.  I
have fairly good eyes, but I can barely even see that the article is rated.

Again, I introduce you to Mr. Dead Horse...Why not use 1-5 instead of !-!!!!!,
*-*****, +-+++++, or anything else.  Yes, I know why not, but I like the
numbers better.

Ben Roller

     
           
      
Subject: 
Re: Opinions wanted: article rating harmful? (was: New feature: Article rating)
Newsgroups: 
lugnet.admin.general
Date: 
Fri, 21 Apr 2000 20:19:58 GMT
Viewed: 
2650 times
  

In lugnet.admin.general, Ben Roller writes:
In lugnet.admin.general, Todd Lehman writes:

(Anyone else reading this -- if you think "!" is a terrible choice or have
another suggestion, please let us know!  We can certainly try out "*" if "!"
sends the wrong impression.)

I like + over *, but unless the !'s font is darker, it's worthless to me.  I
have fairly good eyes, but I can barely even see that the article is rated.

Ah, but that's the beauty of it! The font will be darker when the rating (or
recommendation) is higher; if the rating is low, you shouldn't even notice it.
A high-rated post will attract attention to itself; which is like a
recommendation-- the people recommending it (i.e. rating it higher) are helping
you notice it, etc.

I think it's great that way!

-Shiri

    
          
      
Subject: 
Re: Opinions wanted: article rating harmful? (was: New feature: Article rating)
Newsgroups: 
lugnet.admin.general
Date: 
Fri, 21 Apr 2000 08:33:44 GMT
Viewed: 
2141 times
  

Ironically, the problem isn't the collection of data; the problem is
presenting back too much data -- too easy to see details or variations and
not know what they mean.

Hmm. As far as I can see, the main problem is neither the collection _nor_ the
representation of the data but the data itself. When members vote, they are
voting on different things, e.g.:

Do I agree with that?
Was that worded well?
Was it interesting?
Is it of value to others?
etc?

Changing the way the data is represented does not make the data any better.

If the rating system is to stay, I think the data would be a little more
meaningful if we knew how many people have read the message - i.e. if a message
has 4 votes and 4 readers, the rating may be meaningful... but if it has had
100 readers and only 4 votes that's not so good.

Lastly, members should not be able to rate their own posts (I assume they can
right now - but I'm not 100% sure).

Scott A

    
          
     
Subject: 
Re: Opinions wanted: article rating harmful? (was: New feature: Article rating)
Newsgroups: 
lugnet.admin.general
Date: 
Fri, 21 Apr 2000 13:07:07 GMT
Viewed: 
2169 times
  

In lugnet.admin.general, Todd Lehman writes:
we'd like to keep this in place for at least 24 hours to collect feedback.
   Well, since you asked, I thought I'd leave mine.

Changepoint 1
Remapped the range 0 to 100 to the range 0 to 5...
  This change could be for the better.  I was fine with the 100 scale (I think
the 5 scale gives less accurate results) but it's good if it makes rating easier
for people.  Hopefully this will cause more people to rate.  Under the old
0-100 system, I constantly was counting dots to see where "70" or "60" was.
Under any system, I think it might be nice to somehow label each selection.


and changed the default score from 50/100 to 1/5 so
  This is much better than setting the default to zero as you seem to suggest
in http://www.lugnet.com/admin/general/?n=6288  I see a huge difference between
"not yet rated" and "rated down" and think that for ratings to work that we
need both.


Changepoint 2
...display them now as a string of "+" symbols (and a "-" symbol for 0)
   I don't mind going from 0-100 to 0-5, but I would MUCH rather see the number
than a number of symbols.  It is much easier to quickly assess the rating of a
message when I don't have to count the symbols (and they are too close together
for me to be able to quickly tell the number by just looking).  I wonder if
others feel the same about this change.


Changepoint 3
Simplified the rating display in the "Brief" article view mode
  As long as unrated messages are the only ones that don't have their
rating shown, this is fine.  You mentioned changing the "-" to showing no
rating, and that makes it difficult to tell the difference between bad and
unrated messages.  I prefer to see the "by 7" in all of the ratings views so
that I can tell how many have rated, but I would live on without that.

Changepoint 4
In a couple of places, flipped the direction of the symbol used for showing
articles you've rated from >> to << (only cosmetic to support the above).
  I didn't notice and I doubt that this will be the point that you get the most
complaints about. :)

Ben Roller

   
         
     
Subject: 
Re: Opinions wanted: article rating harmful? (was: New feature: Article rating)
Newsgroups: 
lugnet.admin.general
Date: 
Fri, 21 Apr 2000 05:28:26 GMT
Highlighted: 
(details)
Viewed: 
2043 times
  

In lugnet.admin.general, Todd Lehman writes:
All,

It seems at this point that the article rating feature -- intended to help --
is actually causing more harm than good to the community.  It's difficult to
gauge how much harm is being done when opinions are so varied, but it's clear
that something needs to be changed.

I think that your rating concept has potential, but is incurring "issues in
interpretation and implementation".

Technically, the rating system is working extremely well and, from an admin
point of view, the composite ratings being produced seem very well consistent
with the rating system's main goal of being able to highlight recommended
reading to those short on time.

I browse Lugnet leisurely and often (I have more time than most-I work out
of my home)  I can sympathize w/ those who are time-constrained, accessing
Lugnet on their lunch hour, etc.  I can see where a "highlighting system" or
"USA Today style headlines" may appeal to those seeking specific discussion
or content.

However, it seems that the high visibility of both the raw and composite
numbers are having an overall negative effect on the community's morale.

The rating system has affected my morale...

Some of the deeper concerns are raised in this message and its replies:

  http://www.lugnet.com/admin/general/?n=6130

I also received a private e-mail last night describing the rating system as
"a fiasco and an embarrassment to LUGNET" and calling for its removal.

I hesitate to judge it as a fiasco....I speak purely as an individual on
this point.  However, I don't think that my mindset differs greatly from others.

Clearly, these are very strong feelings being expressed by people.

I participate in these philosophical discussions on a rare basis, but I am
interested in their outcomes more often, nowadays.  I can not accurately
describe my feelings, but I do have a strong emotional response.  I
sometimes feel slighted, and I don't wish to participate in any system that
may impact others in a similar way.

  How many
others feel this way?  What would you like to see happen?  Post your thoughts
as a reply to this message (or reply privately if you prefer not to post your
thoughts publicly).

I do not wish you to construe my comments as being critical of your effort
or in any way imply that Lugnet is "out of control".  I admire what you
created and only wish to maintain Lugnet as my Lego cyber shangrila, so to
speak.  I would like to see ratings removed from certain groups (like
auction, B-S-T, etc.)  I think any "highlighting" system should have a
"gentleman's agreement" or "code of conduct" that is more concise and
commonly understood.  I think people should rate posts on relevance to
group, topic etc. NOT THE CONTENTS OF THE WEBPAGE, PICTURE, WHATEVER.  I
think the way the ratings are presented now degenerates multiple individual
posts to a beauty contest.

As to possible "fixes," there have been many suggestions over the past few
weeks, most of which center around making the rating numbers less obvious or
gone altogether.  If you're curious, you can find most of these in the group
lugnet.admin.general -- but it's a lot to wade through.

I tried to wade through it and got lost and blurry eyed quickly...If you are
going to keep the rating system, I think it should be employed
selectively...not in .local, .market, .people, for instance.

The first, original purpose for having ratings was to be able to lay the
foundation for the later creation of variety of "what's hot" or "top X of
group Y" listings for quick browsing -- something akin to the current
Spotlight pages, only fully automated, instantly updating, and much more
representative of collective opinion.  The second original purpose was to
lay the foundation for so-called "collaborative filtering" possibilities --
the server learns (could learn) what types of things you prefer to read,
and gives (could give) higher priority to you personally for messages rated
higher by people with similar interests.  These two main purposes become
increasingly relevant as message traffic increases.

I respect your mindset and vision....this is akin to systems of analysis
employed by Amazon.com and music sites...this I would be interested in, but
I guess there are a lot of growing pains getting to the end result.

It was never a purpose of the ratings system to make anyone ever feel bad
or unwanted or unwelcome.  Its core purpose is simply to highlight "neat or
noteworthy stuff" but not to downgrade "un-neat or un-noteworthy stuff"

The intent is different from the de facto result...I only have 250,000 bricks
which "precludes me from competing" for "praise" from people who only like
big MOCs or I focus on themes (Ninja, Wild West, et al.) that are commonly
reviled or discounted by others in the community.  The rating system was not
intended to create this, but in implementation it is happening.  Possibly
some individuals misinterpret the idea of rating, thus "judging" the quality
of the creation.  The person who originally posted their masterpiece in the
interest of communal participation may then be discouraged or intimidated.
Essentially the intent of the rating system is victimized by interpretation.
PERCEPTION = REALITY A person may perceive that his contribution is unworthy
and no longer participate, or worse become antagonistic.  This rating system
can also be used to settle scores between rivals. (again not the goal, but in
reality I think it happens in debates)
or
regular "fluff" (which there's nothing wrong with).

I used to be annoyed by gratuitous fluff, now I miss it...fluff adds to the
positive spirit here.

It seems that no amount of education about what the numbers mean will be able
to make a meaningful dent in the natural inclination to view, say, a 40 as
having been "marked down" from its default of 50.  Even if the default were
changed from 50 to 0 (so that numbers tended almost always to climb rather
than to climb half of the time and fall half of the time), it seems likely
that feelings will still be hurt, because it seems that some people are hurt
by the fact that others are getting 80's and 90's while they are getting 40's
or 50's or 60's.

For me it is purely personal...I have been a salesman for a long
time...numbers going down is rarely a good thing = )  I have a VERY thick
skin, but I often see clique-like behavior similar to that in
high school...so+so does/says something, so automatically it is
prophetic...another person (outside the clique) says/does something equally
profound and is blown off, low-balled, ignored, etc.  That is the nature of
human behavior; there are some people that I follow more than others, BUT
now the rating system can skew some individuals higher and "newbies" much lower.

Going with a scale 0 to 100, in retrospect, hasn't been any
better from an overall morale point of view than if a scale -100 to +100 had
been used.

Specific personal questions:

1.  How would you feel (better or worse) if the numeric values of the ratings
were not displayed to you unless you specifically requested (via some simple
setting) that they be displayed to you?

I would feel better, but then I would always know they are lurking in the
server somewhere.  So I guess I would be tempted (on a low-self-esteem-day)
to go looking for validation...lol

2.  How would you feel (better or worse) if the numeric values of the ratings
were not displayed ever to anyone but collected and used by the server only
for internal calculations, hotlist generation, and personal recommendations
to you?

I would support and generally prefer this most of all...again the amazon.com
analogy

3.  How would you feel (better or worse) if the ratings were not even
collected and collated in the first place?  (i.e. the destruction of the
feature altogether)

I think that "once done...this thing can not be undone" (you can't unspill
milk-you can only clean it up and try to avoid future occurrences)
I would like limited destruction of the feature...essentially removal of a
VISIBLE rating from all groups except dear lego (or other Brad read / TLG
read groups)

4.  Have you ever felt victimized by the rating system?  Have you posted
something which has obtained a low rating and felt uncomfortable or unhappy
about yourself or about LUGNET because of the low rating?  How often?

Yes. I may be overly sensitive on this, may be not.  I can think of at least
6-12 occurrences in a week...(if people don't want to listen to me or think
I'm a nut, cry-baby etc., then I don't want to know from some
anomalous/anonymous rating...share your reasoning and discuss it...If people
think my posts are vacuous or devoid of useful content, give me a chance to
improve.  Tell me my grammar is lacking, my typos are annoying, or my
comments are off topic.  As it stands right now, I consider my opinion no
less or more valid than anyone else's, but rating views on politics, MOCS,
and building "lower" than others is like sniping from cover instead of
meeting in the open on level ground.

5.  Have you ever felt victimized indirectly by seeing someone else's post
get a high rating?  How often?

Yes.  More frequently now that I have been paying attention to ratings.

6.  Do you feel that the article rating system makes it easier for you or
harder for you to share your ideas?  And does this bother you?

I am now intimidated, on occasion, to share my ideas.  Sometimes I am low on
"profound" words and building epiphanies.  I still want to participate, but
unless I am giving away free Guarded Inns or reinventing the wheel, I
hesitate.  I feel like I am back in Catholic grade school (20 some years in
the past) being graded on my class participation and how much trivia I can
spout.
  I was never overly hung up on my reputation or impression here til a
number was tagged on my butt every time I posted a message.  Now I feel like
I am trying to live up to some amorphous standard.   For instance, what if a
Lugnet "newbie" saw posts from person "x" always rated highly while ALL of
person "y"s posts are continually marked lower; consequently never reading
"y"'s comments.  What if this "newbie" always skips reading posts from
"y"....both individuals miss out on the value of each other's intellect and
experience; person "y" may have some useful/interesting contributions.  By
extension what would happen if this happened on a large scale, if a whole
community no longer paid attention to "y".

7.  How does your initial reaction to the announcement of the article rating
system compare to your current opinion of it?

I missed the original announcement, but I was willing to try anything new on
Lugnet = ) Now I am at the least disinterested, at the most disenfranchised,
ignored, and discouraged.

8.  Do you feel that it is too early, too late, or the right time to address
these issues?

I think I have some issues of my own to deal with = ) <memo to self, seek
psychiatric help + buy more Guinness>

9.  What other areas (besides news articles) can you imagine that a
collaborative ratings system would be most helpful to you?  LEGO sets?

I love popular opinions of sets...that I support.

Websites?  Individual web pages?  etc...

If you are going to rate websites, then you also take on the burden of
determining a standard to judge by, AND a responsibility to suggest improvements.

<insert paraphrased quote from Merlin to Arthur in Boorman's Excalibur
"there can be no good w/ out evil...you can not have one w/ out the other">

Thanks for your time,
--Todd

Thank you for being proactive and listening

[followups to .admin.general]

   
         
     
Subject: 
Re: Opinions wanted: article rating harmful? (was: New feature: Article rating)
Newsgroups: 
lugnet.admin.general
Date: 
Fri, 21 Apr 2000 06:22:35 GMT
Highlighted: 
(details)
Viewed: 
2227 times
  

In lugnet.admin.general, Todd Lehman writes:

Specific personal questions:

1.  How would you feel (better or worse) if the numeric values of the ratings
were not displayed to you unless you specifically requested (via some simple
setting) that they be displayed to you?

Better

2.  How would you feel (better or worse) if the numeric values of the ratings
were not displayed ever to anyone but collected and used by the server only
for internal calculations, hotlist generation, and personal recommendations
to you?

So so. If the feature is to be kept, prefer that they be viewable. Else why
have them.

3.  How would you feel (better or worse) if the ratings were not even
collected and collated in the first place?  (i.e. the destruction of the
feature altogether)

Better. Wish the time had never been spent to develop them.

4.  Have you ever felt victimized by the rating system?  Have you posted
something which has obtained a low rating and felt uncomfortable or unhappy
about yourself or about LUGNET because of the low rating?  How often?

Victimized? Hardly.

Annoyed that there's a strategic rater out there (and while there is no way to
PROVE it, I have pretty strong circumstantial evidence that it happens to me on
a fairly regular basis, and I am starting to suspect I know who it is, which
just validates my opinion of that person as basically a waste of food) but I
don't really seek validation from others as my main goal in posting, so I don't
get "unhappy about myself" over it. If you, gentle reader, do... grow up!

But then I am more self assured than the average person and I truly believe
that other people may well not have strong enough egos to get "down checked"
(or apparently downchecked... as I said, no amount of explaining away will
correct the perception that downchecking is what is happening) without feeling
bad about it.

5.  Have you ever felt victimized indirectly by seeing someone else's post
get a high rating?  How often?

No one makes better posts than me (when I take the time to be eloquent) so how
could I be upset by someone else getting a good rating? That's saying that a
competent person is threatened by another person's competence. If I believed
that I would be threatened by the ability of others to make models almost as
good as mine or to architect systems almost as well as, or even better than, I
do. That way lies Looterville of the soul. So no.

Further I'd say that anyone who feels victimised because someone else was
winning a popularity contest this meaningless in the grand scheme of things has
deep deep issues and may want to seek professional help.

6.  Do you feel that the article rating system makes it easier for you or
harder for you to share your ideas?  And does this bother you?

Mildly easier when they are good ideas, harder when they're flippant fluff, so
that's a (tiny little) good thing.

7.  How does your initial reaction to the announcement of the article rating
system compare to your current opinion of it?

Initially thought it was technically a neat idea and wasn't sure of the social
implications. Early experiences I observed portended problems which came to
pass.

Now feel that the LDT (Lugnet Development Time) would have been better spent on
any number of other things, such as unifying member information/cookies, fixing
the ***broken*** password system, streamlining and improving set database input
capabilities, allowing member areas to be created, facilitating group
shepherding/information gathering, improving the web interface ability to
remember what you had read, or some other things that I forget.

But then LDT gets spent on weird things. Look at how much of it was spent on a
password checker that over time due to repeated twiddling became so tuned to
recognise arcane substitutions that it fails perfectly good random passwords
that are not subject to dictionary attack... and ultimately there that checker
sits, a neat toy to play with, and we still have broken hard to remember
passwords that we can't change. But LDT is Todd's to spend as he sees fit. As
it should be.

Ratings have been a big administrative waste of time so far. Time that I'd
rather see Todd spend on coding useful features or on building or on sleeping,
or on having fun with Suz. Or even on doing LDT for geeky, useless but less
divisive things like that password checker.

8.  Do you feel that it is too early, too late, or the right time to address
these issues?

A bit late... quite a bit. The right time would have been before they were
deployed, and before this brouhaha got out of hand.

9.  What other areas (besides news articles) can you imagine that a
collaborative ratings system would be most helpful to you?  LEGO sets?
Websites?  Individual web pages?  etc...

Websites. I already know what sets I like and don't need anyone else's opinion,
thank you very much, but I don't know about all the websites out there and do
value some filtering there. Make it like Amazon in that it shows me sites I am
likely to like based on how I rated sites myself, not just ones that the great
unwashed masses liked, because who cares about popularity.

One other comment.... the current linear rating system, no matter how the
number of gradations, starting point, scale values, etc, is tuned, is
insufficient. That's because it is linear. As with so many things, there are
more dimensions than just one.

on/off topicness
newsworthiness
long term information value
Gee whiz that's neat factor
suitability for children

Just to name a few possible things...

Pretty much any linear scale is broken, c.f. the right left "political
spectrum" which fails to describe anything useful because politics is not one
dimensional.

Thanks for your time

No charge. I just wrapped up a project early and sold followon work, so I'm in
a good mood.

++Lar

    
          
     
Subject: 
Opinions wanted: article rating harmful? (was: New feature: Article rating)
Newsgroups: 
lugnet.admin.general
Date: 
Fri, 21 Apr 2000 15:14:26 GMT
Viewed: 
2279 times
  

In lugnet.admin.general, Larry Pieniazek writes:
[...]
But then LDT gets spent on weird things. Look at how much of it was spent on
a password checker that over time due to repeated twiddling became so tuned

You talk as if you seem to know how much actual time was spent on it.  Elapsed
time is a crude indicator of development time.


[...]
Ratings have been a big administrative waste of time so far. Time that I'd
rather see Todd spend on coding useful features or on building or on
sleeping, or on having fun with Suz. Or even on doing LDT for geeky, useless
but less divisive things like that password checker.

Sorry if you feel the password checker is useless.  Sorry if you feel inclined
to make gross assumptions about how time is being spent based on what you see
from the outside.  We work on many different things at once.  If you judge
what's being worked on by what appears as features, you'll get a very warped
view.  Some things in the oven are 3 years old.  Some things are 2 months old.
Some things are 2 days old.  The priority of every background task is
continually reassessed.  The only foreground task is staying on top of issues
that arise in the groups.  Writing a reply like this is a complete waste of my
time, but I don't feel that I was left much choice, since misinformation was
being spread.


8.  Do you feel that it is too early, too late, or the right time to address
these issues?

A bit late... quite a bit. The right time would have been before they were
deployed, and before this brouhaha got out of hand.

Actually, many of these issues were indeed addressed beforehand.  Anything
that wasn't, wasn't thought of during the original discussions...  Some
things were avoided, some things weren't...it's somewhat a matter of
experience and 20-20 hindsight.

--Todd

    
          
      
Subject: 
Re: Opinions wanted: article rating harmful? (was: New feature: Article rating)
Newsgroups: 
lugnet.admin.general
Date: 
Fri, 21 Apr 2000 20:15:39 GMT
Viewed: 
2338 times
  

In lugnet.admin.general, Todd Lehman writes:
In lugnet.admin.general, Larry Pieniazek writes:
[...]
But then LDT gets spent on weird things. Look at how much of it was spent on
a password checker that over time due to repeated twiddling became so tuned

You talk as if you seem to know how much actual time was spent on it.  Elapsed
time is a crude indicator of development time.

Time is time, all I have to do is look at the number of posts about it to tell
that some time was spent on it, by you, by me, by others, regardless of how
much time was development time vs playing with it time vs loading up its DB.

I won't presume to estimate exactly how much time was spent but I doubt it was
less than a man day all told.

[...]
Ratings have been a big administrative waste of time so far. Time that I'd
rather see Todd spend on coding useful features or on building or on
sleeping, or on having fun with Suz. Or even on doing LDT for geeky, useless
but less divisive things like that password checker.

Sorry if you feel the password checker is useless.

Useless was a bit harsh, sorry... let's just call it less useful than quite a
few other things, and more useful than a few other things. And clearly you
enjoyed doing it and enjoyed that other people enjoyed playing with it. Nothing
wrong with geeking out on low priority things, after all. For if that were so,
all of us would be better served doing our real work 100% of the time instead
of enjoying our hobby, eh?

++Lar

     
           
      
Subject: 
PW validation (was: Re: Opinions wanted: article rating harmful?)
Newsgroups: 
lugnet.admin.general
Date: 
Fri, 21 Apr 2000 21:30:05 GMT
Viewed: 
2462 times
  

In lugnet.admin.general, Larry Pieniazek writes:
Sorry if you feel the password checker is useless.

Useless was a bit harsh, sorry... let's just call it less useful than quite
a few other things, and more useful than a few other things.

Fair enough.


And clearly you enjoyed doing it

Not really.  Wish I hadn't had to.


and enjoyed that other people enjoyed playing with it.

Not really, no.  It's not intended as a toy or a means of entertainment.
I enjoyed getting feedback on aspects of it to the extent that getting
useful feedback is enjoyable.


Nothing wrong with geeking out on low priority things, after all.
For if that were so, all of us would be better served doing our real work
100% of the time instead of enjoying our hobby, eh?

Not sure what/if you are insinuating between the lines there, or whether I
should feel insulted by that comment, but having a password validator that
doesn't suck is IMHO a fundamental prerequisite to allowing passwords to be
changed.  Anything less is irresponsible.  (Yes, I know, allowing too much
time to pass before facilitating the change of passwords is also arguably
irresponsible, but it's a much lesser maximum risk.)

Can we drop this argument?

--Todd

     
           
       
Subject: 
Re: PW validation (was: Re: Opinions wanted: article rating harmful?)
Newsgroups: 
lugnet.admin.general
Date: 
Sat, 22 Apr 2000 04:10:20 GMT
Viewed: 
2592 times
  

In lugnet.admin.general, Todd Lehman writes:

having a password validator that doesn't suck is IMHO a fundamental
prerequisite to allowing passwords to be changed.  Anything less is
irresponsible.

Even if you have great passwords - can't just anyone in the intervening
networks between the user and LUGNET just snoop in and copy down the
unencrypted password?

Richard

      
            
        
Subject: 
Re: PW validation (was: Re: Opinions wanted: article rating harmful?)
Newsgroups: 
lugnet.admin.general
Date: 
Sat, 22 Apr 2000 04:12:05 GMT
Reply-To: 
mattdm@mattdm.orgIHATESPAM
Viewed: 
2616 times
  

Richard Franks <spontificus@__nospam__yahoo.com> wrote:
Even if you have great passwords - can't just anyone in the intervening
networks between the user and LUGNET just snoop in and copy down the
unencrypted password?

Not if it uses https, which I assume it will at some point.


--
Matthew Miller                      --->                  mattdm@mattdm.org
Quotes 'R' Us                     --->               http://quotes-r-us.org/
Boston University Linux             --->                http://linux.bu.edu/

      
            
        
Subject: 
Re: PW validation (was: Re: Opinions wanted: article rating harmful?)
Newsgroups: 
lugnet.admin.general
Date: 
Sat, 22 Apr 2000 04:49:53 GMT
Viewed: 
2608 times
  

In lugnet.admin.general, Richard Franks writes:
In lugnet.admin.general, Todd Lehman writes:
having a password validator that doesn't suck is IMHO a fundamental
prerequisite to allowing passwords to be changed.  Anything less is
irresponsible.

Even if you have great passwords - can't just anyone in the intervening
networks between the user and LUGNET just snoop in and copy down the
unencrypted password?

As long as it's using http and not https, yes.  Once it's in a cookie, it's
no longer plaintext, so it's less susceptible to snooping although still
susceptible to playback attacks.

--Todd

       
             
        
Subject: 
Re: PW validation (was: Re: Opinions wanted: article rating harmful?)
Newsgroups: 
lugnet.admin.general
Date: 
Sat, 22 Apr 2000 16:22:41 GMT
Viewed: 
2683 times
  

In lugnet.admin.general, Todd Lehman writes:
In lugnet.admin.general, Richard Franks writes:
Even if you have great passwords - can't just anyone in the intervening
networks between the user and LUGNET just snoop in and copy down the
unencrypted password?
As long as it's using http and not https, yes.  Once it's in a cookie, it's
no longer plaintext, so it's less susceptible to snooping although still
susceptible to playback attacks.

Aren't the contents of a cookie simply Base64-encoded?  I mean, it's a
well-known and reversible format.

Cheers,
- jsproat

       
             
         
Subject: 
Re: PW validation (was: Re: Opinions wanted: article rating harmful?)
Newsgroups: 
lugnet.admin.general
Date: 
Sat, 22 Apr 2000 16:37:28 GMT
Reply-To: 
mattdm@SPAMCAKEmattdm.org
Viewed: 
2689 times
  

Sproaticus <jsproat@io.com> wrote:
Aren't the contents of a cookie simply Base64-encoded?  I mean, it's a
well-known and reversible format.

I assume it's a one-way hash of some sort. I'd guess (without looking) that
it's probably md5....

--
Matthew Miller                      --->                  mattdm@mattdm.org
Quotes 'R' Us                     --->               http://quotes-r-us.org/
Boston University Linux             --->                http://linux.bu.edu/

       
             
        
Subject: 
Re: PW validation (was: Re: Opinions wanted: article rating harmful?)
Newsgroups: 
lugnet.admin.general
Date: 
Sat, 22 Apr 2000 18:49:35 GMT
Viewed: 
2655 times
  

In lugnet.admin.general, Jeremy H. Sproat writes:
In lugnet.admin.general, Todd Lehman writes:
In lugnet.admin.general, Richard Franks writes:
Even if you have great passwords - can't just anyone in the intervening
networks between the user and LUGNET just snoop in and copy down the
unencrypted password?
As long as it's using http and not https, yes.  Once it's in a cookie, it's
no longer plaintext, so it's less susceptible to snooping although still
susceptible to playback attacks.

Aren't the contents of a cookie simply Base64-encoded?  I mean, it's a
well-known and reversible format.

No, the last phase of encoding (and thus the first phase of decoding) for
the sign-in cookie is a Base16 (ASCII hex [0-9A-F]) pass.  This, however, is
applied to an already-encrypted id/pw combo, which has been passed through a
pad-style encryption which changes each time you ask for a sign-in cookie.
(Thus, you'll never get the same cookie twice even if your password stays the
same.)  On the receiving end, after the server decrypts your cookie, it then
reencrypts this data a different way (on the fly) and compares this with the
encrypted version on file in the encrypted-pw table.  Thus no raw pw's are
stored anywhere.

--Todd
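The cookie behaviour described in the post above, modelled as an added example (not LUGNET's code): a fresh pad per cookie makes every cookie different, yet a captured copy still validates, which is the playback exposure mentioned earlier in the thread. The keystream construction, key, salt, member name and the expiring session token shown for comparison are all assumptions.

```python
import hashlib
import hmac
import os

SERVER_KEY = os.urandom(32)          # constructed server secret for the demo
SALT = b"constructed-salt"           # constructed; real systems salt per user


def pw_hash(password):
    """One-way form kept in the password table (no raw passwords stored)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)


PW_TABLE = {"member42": pw_hash("Tqbf7jo!")}   # constructed member and password


def _pad(nonce, n):
    """Per-cookie keystream: an assumed stand-in for the 'pad-style encryption'."""
    out, counter = b"", 0
    while len(out) < n:
        block = nonce + counter.to_bytes(4, "big")
        out += hmac.new(SERVER_KEY, block, hashlib.sha256).digest()
        counter += 1
    return out[:n]


def issue_cookie(member, password):
    """Encrypt id:pw under a fresh pad, then Base16-encode ([0-9A-F])."""
    nonce = os.urandom(16)
    plain = f"{member}:{password}".encode()
    body = bytes(p ^ k for p, k in zip(plain, _pad(nonce, len(plain))))
    return (nonce + body).hex().upper()


def check_cookie(cookie):
    """Decode, decrypt, re-hash the password and compare with the table."""
    try:
        raw = bytes.fromhex(cookie)
    except ValueError:
        return False
    nonce, body = raw[:16], raw[16:]
    plain = bytes(b ^ k for b, k in zip(body, _pad(nonce, len(body))))
    member, _, password = plain.decode("utf-8", "replace").partition(":")
    stored = PW_TABLE.get(member)
    return stored is not None and hmac.compare_digest(stored, pw_hash(password))


# Comparison: a token that carries no password, expires, and can be revoked.
REVOKED = set()


def issue_session(member, now, ttl=3600):
    sid = os.urandom(16).hex()
    msg = f"{member}|{int(now) + ttl}|{sid}"
    tag = hmac.new(SERVER_KEY, msg.encode(), hashlib.sha256).hexdigest()
    return f"{msg}|{tag}"


def check_session(token, now):
    """Return the member name, or None if forged, expired or signed out."""
    msg, _, tag = token.rpartition("|")
    good = hmac.new(SERVER_KEY, msg.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(good.encode(), tag.encode()):
        return None
    member, expiry, sid = msg.rsplit("|", 2)
    if now >= int(expiry) or sid in REVOKED:
        return None
    return member


def sign_out(token):
    parts = token.rsplit("|", 3)
    if len(parts) == 4:
        REVOKED.add(parts[2])
```

Either form can still be captured and reused over plain http while it is valid; the expiry and sign-out revocation only bound how long a captured copy keeps working.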

      
            
       
Subject: 
Re: PW validation (was: Re: Opinions wanted: article rating harmful?)
Newsgroups: 
lugnet.admin.general
Date: 
Sun, 23 Apr 2000 00:51:38 GMT
Viewed: 
2869 times
  

In lugnet.admin.general, Richard Franks writes:
In lugnet.admin.general, Todd Lehman writes:

having a password validator that doesn't suck is IMHO a fundamental
prerequisite to allowing passwords to be changed.  Anything less is
irresponsible.

So are you going to enforce that people HAVE to set their passwords to things
that the validator feels don't suck, or are you going to give advice but allow
it anyway?

The former is rather draconian for a site that doesn't handle money. I've asked
this question before but didn't get a clear answer, I don't feel.

++Lar

      
            
        
Subject: 
Re: PW validation (was: Re: Opinions wanted: article rating harmful?)
Newsgroups: 
lugnet.admin.general
Date: 
Sun, 23 Apr 2000 00:59:49 GMT
Viewed: 
2934 times
  

In lugnet.admin.general, Larry Pieniazek writes:
So are you going to enforce that people HAVE to set their passwords to
things that the validator feels don't suck,

That is its purpose.

--Todd

       
             
         
Subject: 
Re: PW validation (was: Re: Opinions wanted: article rating harmful?)
Newsgroups: 
lugnet.admin.general
Date: 
Sun, 23 Apr 2000 12:15:53 GMT
Highlighted: 
! (details)
Viewed: 
3078 times
  

In lugnet.admin.general, Todd Lehman writes:
In lugnet.admin.general, Larry Pieniazek writes:
So are you going to enforce that people HAVE to set their passwords to
things that the validator feels don't suck,

That is its purpose.

But the validator doesn't find non-sucky passwords, it just finds the least
randomised - ie, it will pass something like:
4h(i,>$s&      but fail:
4h(i,>$s&-fun

What's the point of allowing people to change from their highly randomised
default LUGNET password (because they have a hard time remembering it), if the
validator only allows something of greater randomisation?

IIRC at least one default LUGNET password failed? My LUGNET password which is
rather easy to remember.. passed with honours!

IMHO it is reasonable to impose a minimum limit of characters, impose an
alpha-numeric mix, maybe even make sure that it isn't just one word known to a
dictionary mixed with one number. But much more than that seems too
restrictive. There is also the counter-security risk - as people have to use
really complicated and random passwords, they tend to start writing them down
in places, password files etc.

Besides which, the longer it takes before users can change their passwords, the
greater chance that other people will stumble upon their LUGNET welcome pack,
which contains their password handily printed out :)

I'm not a security expert - just a user who would rather take the advice of a
password system but have ultimate personal responsibility over my password.

Richard

        
              
          
Subject: 
Re: PW validation (was: Re: Opinions wanted: article rating harmful?)
Newsgroups: 
lugnet.admin.general
Date: 
Sun, 23 Apr 2000 17:48:23 GMT
Reply-To: 
mattdm@mattdm.org%nospam%
Viewed: 
3129 times
  

Richard Franks <spontificus@__nospam__yahoo.com> wrote:
But the validator doesn't find non-sucky passwords, it just finds the least
randomised - ie, it will pass something like:
4h(i,>$s&      but fail:
4h(i,>$s&-fun

It's finding _more_ random passwords in a technical sense of "random". (More
random = containing no sequences. Or more accurately, no part of the number
follows from any other part.)


I agree that the super-cool validator may be overkill for the current state
of LUGnet -- there's no money or credit card information involved. However,
it may be quite reasonable for the future.


--
Matthew Miller                      --->                  mattdm@mattdm.org
Quotes 'R' Us                     --->               http://quotes-r-us.org/
Boston University Linux             --->                http://linux.bu.edu/

         
               
          
Subject: 
Re: PW validation (was: Re: Opinions wanted: article rating harmful?)
Newsgroups: 
lugnet.admin.general
Date: 
Sun, 23 Apr 2000 18:55:47 GMT
Viewed: 
3197 times
  

In lugnet.admin.general, Matthew Miller writes:
Richard Franks <spontificus@__nospam__yahoo.com> wrote:
But the validator doesn't find non-sucky passwords, it just finds the least
randomised - ie, it will pass something like:
4h(i,>$s&      but fail:
4h(i,>$s&-fun

It's finding _more_ random passwords in a technical sense of "random". (More
random = containing no sequences. Or more accurately, no part of the number
follows from any other part.)

Yup - you're right - my squiff (I meant *more*) :)


I agree that the super-cool validator may be overkill for the current state
of LUGnet -- there's no money or credit card information involved. However,
it may be quite reasonable for the future.

I'd be happy with a user-responsible password for membership logins (ie 90% of
membership use including posting privileges), but with authorisation through a
LUGNET-validated password for more intimate services (ie financial). I think
Todd suggested that 2-tier password scheme already?

Richard

         
               
           
Subject: 
Re: PW validation (was: Re: Opinions wanted: article rating harmful?)
Newsgroups: 
lugnet.admin.general
Date: 
Sun, 23 Apr 2000 21:31:08 GMT
Viewed: 
3263 times

(canceled)

          
                
           
Subject: 
Re: PW validation (was: Re: Opinions wanted: article rating harmful?)
Newsgroups: 
lugnet.admin.general
Date: 
Mon, 24 Apr 2000 03:41:39 GMT
Viewed: 
3282 times
  

I can't believe that Larry posted this twice (accident maybe, maybe not). I
am with Larry on this one.  This is a problem that requires a simple
solution.  Please do not confuse simple with simplistic.  It is a
complicated problem; the solution, while perhaps complicated in its
synthesis, needs to be simple.  Listen to Larry, he will guide you toward
the light!

Build On!

John Matthews
(It's not my fault that Larry is usually right)


Larry Pieniazek <lar@voyager.net> wrote in message
news:FtHnrw.IM9@lugnet.com...
In lugnet.admin.general, Richard Franks writes:

I'd be happy with a user-responsible password for membership logins (ie 90% of
membership use including posting privileges), but with authorisation through a
LUGNET-validated password for more intimate services (ie financial).

I wouldn't.

Look. I've read through the plan several times. There is nothing there that
needs this *insane* level of protection. Nothing. Really.

We are *not* talking missile launch codes here, people.

Two levels of passwords is ridiculous. And what is safer, a sort of easy to
crack password that is memorised, or a hard to crack password that is kept in a
cookie and written on a sticky and kept in the user's wallet? The latter.

Use the checker to tell the user that their password isn't very secure and that
the system can't be held responsible if someone hacks it and starts posting
under their name, submitting ratings, or heaven forbid, puts in some bids or
transfers funds out of their account to another user's account.

Then ask them if they're OK with that and OK with the fact that the system
*isn't* their daddy and isn't going to be able to protect them from every
conceivable thing that could go wrong. Let's get a grip. We are NOT talking
power plant control codes either.

++Lar

          
                
           
Subject: 
Re: PW validation (was: Re: Opinions wanted: article rating harmful?)
Newsgroups: 
lugnet.admin.general
Date: 
Mon, 24 Apr 2000 04:05:50 GMT
Highlighted: 
(details)
Viewed: 
3315 times
  

In lugnet.admin.general, John Matthews writes:
I can't believe that Larry posted this twice (accident maybe, maybe not).

It was an accident and I would appreciate the first one being cancelled. There
is a difference in phrasing of less than 1% between the first and second, but
it's crucial.

I am with Larry on this one.  This is a problem that requires a simple
solution.  Please do not confuse simple with simplistic.  It is a
complicated problem; the solution, while perhaps complicated in its
synthesis, needs to be simple.  Listen to Larry, he will guide you toward
the light!

I appreciate the support but I don't actually agree with John. At least not
when he says this is a complicated problem.

Let me put my cards on the table here. I would claim I know as much about what
Lugnet is intended to be as anyone else who is peering in from the outside can.
Certainly Todd knows more, but I claim I know as much as anyone possibly can
that doesn't know what Todd knows but hasn't shared with us. (for perfectly
valid reasons, mind you)

Further,

- I have been here from the beginning
- I have read the plan
- I have a fair bit of experience in evaluating requirements from rather
sketchy information, as well as a fair bit of experience in estimating
development effort both before the fact based on those same sketchy
requirements, and after the fact by observing developers who sometimes want to
hide how much effort they put out.

So my professional judgement of what is required, based on the evidence
available to me is that... this is NOT a complex problem. This site (based on
the requirements that are public knowledge) does not need or deserve elaborate
security measures for the casual user. And that's what 99% of us are. Casual
users visiting a hobbyist site.

What is being discussed is more elaborate security than 99+% of commercial
sites have. And I'm arguing from authority. After all, I build these for a
living. Some sites I have been involved in building move millions of dollars a
day.

It's not justifiable from a development effort perspective.
It's not justifiable from a user interface perspective.

Now, as I always say, Todd's gold, Todd makes the rules, Todd can do what he
wants.

But if you want me to shut up about this you either have to flat out say
"shut up" to me *and* everyone else, or you have to convince me differently.
Nothing in the requirements visible to me can justify a need for this elaborate
security. Multiple layers of passwords? I just don't see the benefits being
worth the cost.

Just ignoring me isn't going to get me to shut up, Todd.

Why am I raising such a big stink? Because human factors matter. They matter a
lot, and they are more important than just about anything else. The human
factors here now aren't as good as they could be. Preferences and passwords are
broken. A robust design for them is not hard to come up with (go look at
Yahoo, for example... it is fast and unobtrusive, it reprompts you for the
same password in areas where you wouldn't want a casual visitor to your
machine to have access to) but won't be achieved by fiddling around the edges
one feature at a time, it needs to be realised by a holistic approach that
takes the vision in the plan and turns it into concrete requirements that can
be implemented in a staged way.

Keep fiddling and you'll get a patchwork and you'll do a lot of backing and
filling, way more than you have to. Iterative design and development is the way
to go but there has to be more than a vague vision for the iteration beyond the
next, or patches on top of kludges is what you'll get.

Larry Pieniazek
System Architect, Project Manager, Estimator, General Nuisance and proud of
it...

         
               
           
Subject: 
Re: PW validation (was: Re: Opinions wanted: article rating harmful?)
Newsgroups: 
lugnet.admin.general
Date: 
Sun, 23 Apr 2000 21:31:27 GMT
Highlighted: 
(details)
Viewed: 
3187 times
  

In lugnet.admin.general, Richard Franks writes:

I'd be happy with a user-responsible password for membership logins (ie 90% of
membership use including posting privileges), but with authorisation through a
LUGNET-validated password for more intimate services (ie financial).

I wouldn't.

Look. I've read through the plan several times. There is nothing there that
needs this *insane* level of protection. Nothing. Really.

We are *not* talking missile launch codes here, people.

Two levels of passwords is ridiculous. And what is safer, a sort of easy to
crack password that is memorised, or a hard to crack password that is kept in a
cookie and written on a sticky and kept in the user's wallet? The latter?
Hardly!

Use the checker to tell the user that their password isn't very secure and that
the system can't be held responsible if someone hacks it and starts posting
under their name, submitting ratings, or heaven forbid, puts in some bids or
transfers funds out of their account to another user's account.

Then ask them if they're OK with that and OK with the fact that the system
*isn't* their daddy and isn't going to be able to protect them from every
conceivable thing that could go wrong. Let's get a grip. We are NOT talking
power plant control codes either.

++Lar

         
               
          
Subject: 
Re: PW validation
Newsgroups: 
lugnet.admin.general
Date: 
Mon, 24 Apr 2000 03:25:48 GMT
Viewed: 
3174 times
  

In lugnet.admin.general, Richard Franks writes:
I'd be happy with a user-responsible password for membership logins
(ie 90% of membership use including posting privileges), but with
authorisation through a LUGNET-validated password for more intimate
services (ie financial). I think Todd suggested that 2-tier password
scheme already?

Ya, sorta...  But not so much two different states of logins as two tiers of
passwords which would both be required (only if you wanted it that way) before
you'd be considered actually logged in.  In other words, you could give two
passwords (one strong, one weak), leaving one in a cookie permanently and
putting the other in a cookie only temporarily.

When might something like that be useful?  Say you'd like to log in from work
during the workday, but you don't want to leave yourself logged in while you're
away from the keyboard (at lunch, in a meeting, in the loo, etc.), but for
practical reasons, you don't want to type a full-strength password every time
you log in.

The two-password combination would allow you to log in "halfway" using a
first password which would go into a first cookie on your machine.  You could
leave that there 24 hours a day without worrying about abuse because it would
be useless to anyone without the other half.  Then, when you wanted to log in
for real, you could use a second password (this one could be really simple and
weak and easy to remember) and this would go into a second cookie on your
machine.  You'd want that second cookie to stay only as long as you were at
your keyboard -- then when you logged out, only the second cookie would be
deleted.

In other words, think of it this way:  Instead of having two passwords in
order to log in, you have two _halves_ of a single password -- kind of like
the medallion in the first Indiana Jones film.

BTW, speaking of two- or multi-tier login states...  There won't actually
_be_ a change-password facility per se...  Instead, there will be a
create-new-password and a delete-old-password facility.  It's important that there
be both because passwords are like keys:  You can lose a key, but you tend
to have a back-up key just in case.  So in that spirit, you'll be able to
give yourself any number of passwords that you want -- and delete old ones
(if you want) after your newer ones have "taken hold" in your mind and you're
absolutely positive that you don't need the old one anymore.  A side-benefit
of having multiple passwords is retaining the option to later add login
attributes to the passwords -- i.e., you use password A to do simple things
(maybe from the public library or at work) and you use password B to do
complex things (say, only from home -- if you want that kind of separation).

Another benefit of multiple passwords is this:  No matter how hard or how
many times you tell people never ever to give out their password to anyone,
people still sometimes do.  If they're going to do it, it's best to give them
the benefit of the doubt and assume they're doing it for at least what they
consider to be a good reason.  Thus, if they needed to give out their password
temporarily to, say, a relative helping them do something on their behalf for
whatever reason (I can't think of anything off-hand but I'm sure it'll come
up), they could actually create a new password just for that and then destroy
that password afterwards (say, the next day) -- all without having to
compromise their "real" password.  And that's a benefit that happens purely
for free with zero extra coding, once you have the ability to add and subtract
passwords from a list.

--Todd

        
              
         
Subject: 
Re: PW validation (was: Re: Opinions wanted: article rating harmful?)
Newsgroups: 
lugnet.admin.general
Date: 
Sun, 23 Apr 2000 18:09:25 GMT
Highlighted: 
(details)
Viewed: 
3128 times
  

In lugnet.admin.general, Richard Franks writes:
In lugnet.admin.general, Todd Lehman writes:
In lugnet.admin.general, Larry Pieniazek writes:
So are you going to enforce that people HAVE to set their passwords to
things that the validator feels don't suck,

That is its purpose.

But the validator doesn't find non-sucky passwords, it just finds the least
randomised - ie, it will pass something like:
4h(i,>$s&      but fail:
4h(i,>$s&-fun

What's the point of allowing people to change from their highly randomised
default LUGNET password (because they have a hard time remembering it), if
the validator only allows something of greater randomisation?

It's perfectly content to "pass" most 6- to 8- character pw's constructed by
the first letter of successive words, especially if the pw includes a digit,
a capital letter, or a special character.  Those types of things tend to be
"random" from a brute-force-attack point of view but un-random to the person
generating the pw.

The point is that there are plenty of other pw's that people could come up
with which aren't dangerous, but which are sufficiently random and perfectly
memorable.


IIRC at least one default LUGNET password failed?  [...]

That's entirely possible -- the generator for those doesn't consider
dictionary words, keyboard sequences, etc.  But it doesn't necessarily mean
that the pw which failed is risky, so long as they're still chosen from an
equally distributed set of structured input.  I can see how it could be
disconcerting, though.  :-)


IMHO it is reasonable to impose a minimum limit of characters, impose an
alpha-numeric mix, maybe even make sure that it isn't just one word known
to a dictionary mixed with one number. But much more than that seems too
restrictive.

:) you and I both know that you're an extremely intelligent adult who has
thought about these things and wouldn't pick something particularly risky --
but the server doesn't know that...(well, I guess it knows that you're an
adult, but...)  What of a 10-year-old kid (not that there's anything wrong
with being a 10yo)?  Just because someone is a 10yo, should they be
given a break and allowed to pick a risky pw like "lego4me"?


There is also the counter-security risk - as people have to use
really complicated and random passwords, they tend to start writing them
down in places, password files etc.

Definitely a risk -- but a weak password like "lego4me" or "zaza88" is a
higher worst-case security risk than a strong password which has been written
down.

No matter how strong or weak a password is, if someone writes it down or tells
it to a friend, there's the possibility that someone in that person's nearby
vicinity could use their password -- that's always a risk, and the blame lies
entirely with the user if something goes awry there.

On the flipside, if someone chooses a weak password and never writes it down
and never tells it to anyone, but then someone halfway around the globe who
has never met them suddenly guesses it through trial and error or a brute-
force attack, the blame lies entirely with the system and not with the user.


Besides which, the longer it takes before users can change their passwords,
the greater chance that other people will stumble upon their LUGNET welcome
pack, which contains their password handily printed out :)

True, very true.  But if someone leaves that password in a place that it can
be discovered by untrusted eyes and subsequently abused, then that's their
own darn fault.


I'm not a security expert - just a user who would rather take the advice of
a password system but have ultimate personal responsibility over my password.

Think of it this way:  It's not a PR disaster if someone has their written-
down password stolen and used by a friend or coworker or family member --
that's their own irresponsibility.  It -is-, OTOH, a huge PR disaster if
someone chooses a weak password and their account is hacked.  There is a
middleground where both extremes are avoided -- where people can pick their
own passwords which don't "have to" be written down and which aren't
particularly dangerous either.

Perhaps the password strength analysis tool should have two thresholds for
the "pass" state:

   - Pass if 100% or higher
   - Pass with a warning if between 50% and 100%
   - Fail if 50% or lower

This would still weed out dictionary words and awful keyboard sequences like
'zaza' and 'qwerty' and 'mnbvcxz' and '3edcvfr4' but allow more (in practice)
than it currently does.  I'm not sure if this is what Larry meant or if he
was suggesting an infinitely-low fail threshold.

I don't have a problem with two thresholds as long as the fail-in-practice
threshold isn't too much lower than the fail-in-theory threshold.

--Todd
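A sketch of the two-threshold idea from the post above, as an added example that is not LUGNET's validator: dictionary words and keyboard walks such as 'zaza' or '3edcvfr4' are collapsed to a small flat credit before a percentage is computed. Only the three thresholds come from the post; the scoring model, its constants, the word list and all function names are assumptions.

```python
import math

# Thresholds quoted from the post; everything else is an assumed model.
PASS_AT, FAIL_AT = 100, 50
TARGET_BITS = 36      # assumed: estimated bits that count as 100%
WEAK_RUN_BITS = 4     # assumed: flat credit for a whole word or keyboard walk
MIN_WALK = 3          # shortest key sequence treated as a keyboard walk

# Constructed word list; a real deployment would load a large dictionary.
WORDS = sorted(["password", "lego", "brick", "fun", "me"], key=len, reverse=True)

# Alphanumeric rows only; shifted symbols are not mapped (a simplification).
ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]
POS = {ch: (r, c) for r, row in enumerate(ROWS) for c, ch in enumerate(row)}


def adjacent(a, b):
    """True if two keys touch (or are the same key) on a staggered QWERTY layout."""
    if a not in POS or b not in POS:
        return False
    (r1, c1), (r2, c2) = sorted([POS[a], POS[b]])   # upper row first
    if r1 == r2:
        return c2 - c1 <= 1
    # A key in the lower row sits under columns c and c+1 of the row above.
    return r2 - r1 == 1 and c1 - c2 in (0, 1)


def segments(password):
    """Split into ('word' | 'walk' | 'char', text) pieces, greedily from the left."""
    low = "".join(c.lower() if c.isascii() else c for c in password)
    out, i = [], 0
    while i < len(low):
        word = next((w for w in WORDS if low.startswith(w, i)), None)
        if word:
            out.append(("word", password[i:i + len(word)]))
            i += len(word)
            continue
        j = i
        while j + 1 < len(low) and adjacent(low[j], low[j + 1]):
            j += 1
        if j - i + 1 >= MIN_WALK:
            out.append(("walk", password[i:j + 1]))
            i = j + 1
        else:
            out.append(("char", password[i]))
            i += 1
    return out


def strength_percent(password):
    """Estimated guessing cost as a percentage of TARGET_BITS."""
    pool = 0
    if any(c.islower() for c in password):
        pool += 26
    if any(c.isupper() for c in password):
        pool += 26
    if any(c.isdigit() for c in password):
        pool += 10
    if any(not c.isalnum() for c in password):
        pool += 33
    if pool == 0:
        return 0
    per_char = math.log2(pool)
    bits = sum(per_char if kind == "char" else WEAK_RUN_BITS
               for kind, _ in segments(password))
    return round(100 * bits / TARGET_BITS)


def verdict(password):
    """'pass' at 100% or higher, 'warn' between 50% and 100%, else 'fail'."""
    pct = strength_percent(password)
    if pct >= PASS_AT:
        return "pass"
    return "warn" if pct > FAIL_AT else "fail"
```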

        
              
         
Subject: 
Re: PW validation (was: Re: Opinions wanted: article rating harmful?)
Newsgroups: 
lugnet.admin.general
Date: 
Sun, 23 Apr 2000 19:33:28 GMT
Viewed: 
3109 times
  

In lugnet.admin.general, Todd Lehman writes:

The point is that there are plenty of other pw's that people could come up
with which aren't dangerous, but which are sufficiently random and perfectly
memorable.

Maybe I'm just miffed because it failed *all* of the passwords I use? :) If I
did anything that even remotely required great security that would be a problem
I guess!


IMHO it is reasonable to impose a minimum limit of characters, impose an
alpha-numeric mix, maybe even make sure that it isn't just one word known
to a dictionary mixed with one number. But much more than that seems too
restrictive.

:) you and I both know that you're an extremely intelligent adult who has
thought about these things and wouldn't pick something particularly risky

*mumble*mumble* Look over there - a MISB Galaxy Explorer!


What of a 10-year-old kid (not that there's anything wrong
with being a 10yo)?  Just because someone is a 10yo, should they be
given a break and allowed to pick a risky pw like "lego4me"?

It's not just children - there are lots of adults out there with even mild
learning difficulties that might find it hard to remember more randomised
passwords.


On the flipside, if someone chooses a weak password and never writes it down
and never tells it to anyone, but then someone halfway around the globe who
has never met them suddenly guesses it through trial and error or a brute-
force attack, the blame lies entirely with the system and not with the user.

Just out of curiosity - would LUGNET allow brute-force or trial and error
attacks? Something like sending an email warning after 3 fails, then locking
the account for 24 hours after 5 fails would somewhat negate the danger of
those types of attacks?

        
              
          
Subject: 
Re: PW validation (was: Re: Opinions wanted: article rating harmful?)
Newsgroups: 
lugnet.admin.general
Date: 
Sun, 23 Apr 2000 19:47:46 GMT
Viewed: 
3159 times
  

In lugnet.admin.general, Richard Franks writes:

Maybe I'm just miffed because it failed *all* of the passwords I use?

Me too.  I mean, I'm not miffed (I have *much* better things to get miffed
about) but it did fail, without exception, every password I have ever used.

If I
did anything that even remotely required great security

I do.  And the things I apply them to have checks for weak passwds.

I suspect that they aren't as tight because they use a secondary measure to
prevent brute force (three missed passwd attempts means you have to get your
passwd manually reset).

eric

         
               
          
Subject: 
Re: PW validation (was: Re: Opinions wanted: article rating harmful?)
Newsgroups: 
lugnet.admin.general
Date: 
Sun, 23 Apr 2000 19:48:55 GMT
Viewed: 
3162 times
  

In lugnet.admin.general, Eric Joslin writes:

(three missed passwd attempts

In a row.  Very important phrase I left out.

means you have to get your
passwd manually reset).


eric

        
              
         
Subject: 
Re: PW validation (was: Re: Opinions wanted: article rating harmful?)
Newsgroups: 
lugnet.admin.general
Date: 
Sun, 23 Apr 2000 20:02:58 GMT
Viewed: 
3375 times
  

In lugnet.admin.general, Richard Franks writes:
Maybe I'm just miffed because it failed *all* of the passwords I use? :)

Are there any that it gave between 0% and 100% to?  (i.e., not < 0% ?)


[...]
Just out of curiosity - would LUGNET allow brute-force or trial and error
attacks?  Something like sending an email warning after 3 fails, then locking
the account for 24 hours after 5 fails would somewhat negate the danger of
those types of attacks?

Eeek -- no! -- locking people out on a failed login attempt would certainly
negate the danger of a brute-force attack, but it would make an entirely
new type of attack (an even worse one!) possible.  Consider:

   $url = <URL of member sign-in page>

   foreach $m (1..1000)  # Loop over all members
   {
      foreach (1..5)  # Attack each member 5 times
      {
         $pw = <generate random nonsense>
         <HTTP POST to $url with $m and $pw>
      }
   }

--Todd
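The trade-off raised in the post above, as an added example that is not part of the original post: the same failure counter is keyed two ways, per account (the lockout being objected to) and per source address plus account, and a constructed event log is replayed through each. The 5-in-30-minutes figure is the one suggested elsewhere in the thread; the class, the member name, the addresses and the assumption that the server sees a usable source address are hypothetical.

```python
import hmac
from collections import defaultdict, deque

WINDOW = 30 * 60      # seconds: "5 in 30 minutes", as suggested in the thread
MAX_FAILS = 5

# Constructed credential store for the demo (a real one holds salted hashes).
PASSWORDS = {"member42": "Tqbf7jo!"}


def password_ok(member, password):
    expected = PASSWORDS.get(member, "")
    same = hmac.compare_digest(expected.encode(), password.encode())
    return same and member in PASSWORDS


class Throttle:
    """Sliding-window failure counter; `key` decides who shares a counter."""

    def __init__(self, key):
        self.key = key
        self.fails = defaultdict(deque)

    def attempt(self, now, source, member, password):
        q = self.fails[self.key(source, member)]
        while q and now - q[0] >= WINDOW:      # forget failures outside the window
            q.popleft()
        if len(q) >= MAX_FAILS:
            return "blocked"                   # refused without checking the password
        if password_ok(member, password):
            return "ok"
        q.append(now)
        return "bad-password"


def per_account(source, member):
    """Lockout as proposed: anyone's failures count against the account."""
    return member


def per_source(source, member):
    """Failures count only against the address that produced them."""
    return (source, member)


# Constructed log: (time in seconds, source address, member, password tried).
# Addresses are from the documentation ranges.
GUESSER, OWNER = "203.0.113.9", "198.51.100.7"
EVENTS = [(t, GUESSER, "member42", f"guess{t}") for t in (0, 10, 20, 30, 40)] + [
    (60, OWNER, "member42", "Tqbf7jo!"),       # the real owner signs in
    (70, GUESSER, "member42", "guess70"),
    (1840, GUESSER, "member42", "guess1840"),  # after the window has passed
]


def replay(key):
    """Run the constructed log through a fresh throttle and list the outcomes."""
    throttle = Throttle(key)
    return [throttle.attempt(*event) for event in EVENTS]


if __name__ == "__main__":
    print("per account:", replay(per_account))
    print("per source: ", replay(per_source))
```

Under the per-account key the owner's correct sign-in at t=60 is refused; under the per-source key it succeeds while the guessing address is held to five tries per window. Guesses spread over many addresses are not slowed by the per-source key, so it complements the validator rather than replacing it.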

       
             
         
Subject: 
Re: PW validation (was: Re: Opinions wanted: article rating harmful?)
Newsgroups: 
lugnet.admin.general
Date: 
Sun, 23 Apr 2000 13:18:20 GMT
Highlighted: 
(details)
Viewed: 
2986 times
  

In lugnet.admin.general, Todd Lehman writes:
In lugnet.admin.general, Larry Pieniazek writes:
So are you going to enforce that people HAVE to set their passwords to
things that the validator feels don't suck,

That is its purpose.

Draconian and rather big-parentish. Why can't I take the risk of a sucky
password if I so choose? Not that I personally would, mind you.

Now, unlike government jackbootedness, we do as consumers have a choice not to
use Lugnet... but what exactly is the harm of allowing sucky passwords? It
falls entirely or for the most part on the person who made the poor choice. Why
be their daddy?

++Lar

        
              
         
Subject: 
Re: PW validation (was: Re: Opinions wanted: article rating harmful?)
Newsgroups: 
lugnet.admin.general
Date: 
Sun, 23 Apr 2000 18:56:21 GMT
Viewed: 
3072 times
  

In lugnet.admin.general, Larry Pieniazek writes:
Draconian and rather big-parentish. Why can't I take the risk of a sucky
password if I so choose? Not that I personally would, mind you.

You put more at risk than your own data or matters when you choose a sucky
password.  (Think about it.)


Now, unlike government jackbootedness, we do as consumers have a choice not
to use Lugnet... but what exactly is the harm of allowing sucky passwords?

Increased probability of successful brute-force compromises.


It falls entirely or for the most part on the person who made the poor
choice. Why be their daddy?

Have I somehow given you the impression that the only purpose of the
validator is to protect data?

--Todd

        
              
          
Subject: 
Re: PW validation (was: Re: Opinions wanted: article rating harmful?)
Newsgroups: 
lugnet.admin.general
Date: 
Sun, 23 Apr 2000 19:01:40 GMT
Viewed: 
3151 times
  

Todd Lehman wrote:
Now, unlike government jackbootedness, we do as consumers have a choice not
to use Lugnet... but what exactly is the harm of allowing sucky passwords?

Increased probability of successful brute-force compromises.

true, but can't you limit the number of attempts to, say, 5 in 30 minutes... that will make brute force attacks impractical...

:)

Dan

         
               
          
Subject: 
Re: PW validation (was: Re: Opinions wanted: article rating harmful?)
Newsgroups: 
lugnet.admin.general
Date: 
Sun, 23 Apr 2000 19:10:17 GMT
Viewed: 
3186 times
  

In lugnet.admin.general, Dan Boger writes:
Todd Lehman wrote:
Now, unlike government jackbootedness, we do as consumers have a choice
not to use Lugnet... but what exactly is the harm of allowing sucky
passwords?

Increased probability of successful brute-force compromises.

true, but can't you limit the number of attempts to, say, 5 in 30 minutes...
that will make brute force attacks impractical...

How without opening an equally dangerous door?

--Todd

         
               
          
Subject: 
Re: PW validation (was: Re: Opinions wanted: article rating harmful?)
Newsgroups: 
lugnet.admin.general
Date: 
Sun, 23 Apr 2000 19:19:28 GMT
Viewed: 
3254 times
  

Todd Lehman wrote:
Increased probability of successful brute-force compromises.

true, but can't you limit the number of attempts to, say, 5 in 30 minutes...
that will make brute force attacks impractical...

How without opening an equally dangerous door?

Well, for a brute force attack to be successful, they have to try 100,000s of passwords...  if you limit them to 5 tried every 30 minutes, it's pretty certain that they won't stumble upon the correct password before the password owner dies...

Or are you referring to a different door?

         
               
          
Subject: 
Re: PW validation (was: Re: Opinions wanted: article rating harmful?)
Newsgroups: 
lugnet.admin.general
Date: 
Sun, 23 Apr 2000 21:36:02 GMT
Viewed: 
3223 times
  

In lugnet.admin.general, Dan Boger writes:

Or are you referring to a different door?

Denial of service. I could write a bot that wakes up every 4 minutes and
tries 6 random passwords for your account (and theoretically every one else's
too) thus denying you (or theoretically anyone) the ability to get on as a
member, because no matter when you try, you will already be locked out for
that time period.

++Lar
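The trade-off raised in the posts above (a 5-per-30-minutes limit versus the lockout it hands to a bot), as an added simulation that is not part of any post and not LUGNET's code. The account name, host names, and the choice to count guesses made while throttled are assumptions; 26^4 is the keyspace Todd cites later in the thread.

```python
from collections import defaultdict, deque

WINDOW_MIN = 30      # Dan's proposal: 5 attempts per 30 minutes
MAX_FAILURES = 5


class Limiter:
    """Sliding-window failure counter keyed per account or per (account, source)."""

    def __init__(self, per_source):
        self.per_source = per_source
        self.failures = defaultdict(deque)   # key -> minutes of recent wrong guesses

    def _key(self, account, source):
        return (account, source) if self.per_source else (account, None)

    def attempt(self, now, account, source, password_ok):
        q = self.failures[self._key(account, source)]
        while q and q[0] <= now - WINDOW_MIN:    # drop failures older than the window
            q.popleft()
        throttled = len(q) >= MAX_FAILURES
        if not password_ok:
            q.append(now)    # assumption: wrong guesses count even while throttled
        if throttled:
            return "throttled"
        return "ok" if password_ok else "denied"


def simulate(per_source, minutes=240):
    """Owner tries the correct password every minute while a bot, as in Larry's
    post, wakes every 4 minutes and submits 6 wrong guesses. Names are constructed."""
    lim = Limiter(per_source)
    owner_results = []
    for now in range(minutes):
        if now % 4 == 0:
            for _ in range(6):
                lim.attempt(now, "alice", "bot-host", password_ok=False)
        owner_results.append(
            lim.attempt(now, "alice", "owner-host", password_ok=True))
    return owner_results


def days_to_exhaust(keyspace, sources=1):
    """Worst-case days to try every candidate when each source is allowed
    MAX_FAILURES guesses per window (the per-source policy)."""
    windows = keyspace / (MAX_FAILURES * sources)
    return windows * WINDOW_MIN / (60 * 24)


if __name__ == "__main__":
    per_account = simulate(per_source=False)
    per_src = simulate(per_source=True)
    print("per-account lockout: owner blocked",
          per_account.count("throttled"), "of", len(per_account), "minutes")
    print("per-source throttle: owner blocked",
          per_src.count("throttled"), "of", len(per_src), "minutes")
    # Per-source limits avoid the lockout but scale with the number of sources,
    # so they do not replace a minimum password strength.
    for n in (1, 1000):
        print(f"26^4 keyspace, {n} source(s): "
              f"{days_to_exhaust(26 ** 4, n):.1f} days to exhaust")
```

With a per-account counter the owner never gets in; with a per-source counter the owner is unaffected, but the time to exhaust a small keyspace shrinks in proportion to the number of sources guessing.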

        
              
         
Subject: 
Re: PW validation (was: Re: Opinions wanted: article rating harmful?)
Newsgroups: 
lugnet.admin.general
Date: 
Sun, 23 Apr 2000 21:32:40 GMT
Viewed: 
3053 times
  

In lugnet.admin.general, Todd Lehman writes:
In lugnet.admin.general, Larry Pieniazek writes:

Have I somehow given you the impression that the only purpose of the
validator is to protect data?

Who said that? Not me...

++Lar

       
             
         
Subject: 
Re: PW validation (was: Re: Opinions wanted: article rating harmful?)
Newsgroups: 
lugnet.admin.general
Date: 
Sun, 23 Apr 2000 15:59:50 GMT
Highlighted: 
! (details)
Viewed: 
2947 times
  

Larry P and then Todd L wrote:
So are you going to enforce that people HAVE to set their passwords to
things that the validator feels don't suck,

That is its purpose.

In that case, you may as well not bother allowing us to change passwords
since we can only change to one just as random and hard to remember,
which will also go up on a yellow sticky on the monitor like the current
one is... (if I worked in an office I wouldn't do that, but since I work
from my home no-one else is going to see the array of yellow stickies
except me, and I don't post the $$-related ones).

Seriously, I'm pretty good at remembering weird numbers (I have my
library card PIN, bank card PIN, and several bank account #s memorised)
but I am getting totally over-passworded lately and it's just not
possible to remember them all. What's going to be so earth-shatteringly
important in the member facilities on LUGNET that you have to force a
password which is far tighter than the ones I use to access my bank and
CC accounts over the net?

Kevin



--
Personal Lego Web page:
http://ourworld.compuserve.com/homepages/kwilson_tccs/lego.html
eBay auctions:http://members.ebay.com/aboutme/kevinw1/
Subscribe to my Lego auction mailing list:
http://www.onelist.com/subscribe/Legopartsales?referer=1

       
             
        
Subject: 
Re: PW validation (was: Re: Opinions wanted: article rating harmful?)
Newsgroups: 
lugnet.admin.general
Date: 
Sun, 23 Apr 2000 17:35:33 GMT
Viewed: 
2961 times
  

Todd Lehman skrev i meddelandet ...
In lugnet.admin.general, Larry Pieniazek writes:
So are you going to enforce that people HAVE to set their passwords to
things that the validator feels don't suck,

That is its purpose.

I think that's unwise (to _force_ people to use an acknowledged pw). Two
reasons:

- one cannot choose a password that is easy to remember --> it will be written
down in some easily accessible place.

- by disallowing some passwords, you are limiting the number of possible
passwords, i.e. you are making a brute force attack easier.

- the refutation of a password makes the customer irritated, especially if
there's no _obvious_ (to the customer) reason.

Test for a minimum length, and force a mix of letters (upper and lower case)
and numbers/special characters, and it will be good enough.

[OK, that was three things, but who said I can count?]
--
Anders Isaksson, Sweden
BlockCAD:  http://user.tninet.se/~hbh828t/proglego.htm
Gallery:   http://user.tninet.se/~hbh828t/gallery.htm

       
             
        
Subject: 
Re: PW validation (was: Re: Opinions wanted: article rating harmful?)
Newsgroups: 
lugnet.admin.general
Date: 
Sun, 23 Apr 2000 19:51:24 GMT
Viewed: 
3084 times
  

In lugnet.admin.general, Anders Isaksson writes:
Todd Lehman skrev i meddelandet ...
In lugnet.admin.general, Larry Pieniazek writes:
So are you going to enforce that people HAVE to set their passwords to
things that the validator feels don't suck,

That is its purpose.

I think that's unwise (to _force_ people to use an acknowledged pw). Two
reasons:

- one cannot choose a password that is easy to remember --> it will be
written down in some easily accessible place.

Can't or won't?


- by disallowing some passwords, you are limiting the number of possible
passwords, i.e. you are making a brute force attack easier.

I don't believe that's the case.

http://www.lugnet.com/admin/general/?n=5788


- the refutation of a password makes the customer irritated, especially if
there's no _obvious_ (to the customer) reason.

I may have to make a short FAQ page.


Test for a minimum length, and force a mix of letters (upper and lower case)
and numbers/special characters, and it will be good enough.

SW:Ep1
M:Tron6989
70'sLEGO
2*4Brick
Pi3.14159
12:34Sunday

--Todd

       
             
         
Subject: 
Re: PW validation (was: Re: Opinions wanted: article rating harmful?)
Newsgroups: 
lugnet.admin.general
Date: 
Sun, 23 Apr 2000 20:21:26 GMT
Viewed: 
3064 times
  

In lugnet.admin.general, Todd Lehman writes:
Test for a minimum length, and force a mix of letters (upper and lower case)
and numbers/special characters, and it will be good enough.

SW:Ep1
M:Tron6989
70'sLEGO
2*4Brick
Pi3.14159
12:34Sunday

Oops, almost forgot to list the classic counterexample!

   E=mc^2

That uses a mix of...

   * At least one uppercase letter from A-Z
   * At least one lowercase letter from a-z
   * At least one numeric digit from 0-9
   * At least one "special" character

...and yet it's still a terrible password.

--Todd

       
             
         
Subject: 
Re: PW validation (was: Re: Opinions wanted: article rating harmful?)
Newsgroups: 
lugnet.admin.general
Date: 
Sun, 23 Apr 2000 21:01:51 GMT
Viewed: 
3131 times
  

Todd Lehman skrev i meddelandet ...
In lugnet.admin.general, Anders Isaksson writes:

- one cannot choose a password that is easy to remember --> it will be
written down in some easily accessible place.

Can't or won't?

I'm not sure what you're asking here...

What I tried to say was:
If I have to construct a (for me) strange password, 'just to please the
system' (that's how most users see it, at least), the probability of my
remembering it is lower than if the system accepts whatever I choose. The
harder it is to remember, the higher the probability that I have to keep it
written down somewhere (easily accessible).

--
Anders Isaksson, Sweden
BlockCAD:  http://user.tninet.se/~hbh828t/proglego.htm
Gallery:   http://user.tninet.se/~hbh828t/gallery.htm

        
              
         
Subject: 
Re: PW validation (was: Re: Opinions wanted: article rating harmful?)
Newsgroups: 
lugnet.admin.general
Date: 
Mon, 24 Apr 2000 00:03:22 GMT
Viewed: 
3174 times
  

In lugnet.admin.general, Anders Isaksson writes:
I'm not sure what you're asking here...

Oh, sorry.  I was asking if you meant that people (a) actually wouldn't be
_able_ to choose a password that was easy for them to remember or (b) actually
could but wouldn't bother trying to come up with one that was easy for them to
remember.  In other words, did you mean that you would be inclined to come up
with something difficult to remember but which passed, and then simply write
that down somewhere, or would you take the time to come up with something that
you could actually remember easily?


What I tried to say was:
If I have to construct a (for me) strange password, 'just to please the
system' (that's how most users see it, at least), the probability of my
remembering it is lower than if the system accepts whatever I choose. The
harder it is to remember, the higher the probability that I have to keep it
written down somewhere (easily accessible).

I take it as a given that most people will still write a password down
somewhere no matter how easy or difficult it is for them to remember (if they
feel that password is important) just in case they might forget it.  Even if
most people don't, it certainly doesn't alarm me one bit knowing that some
people would -- and do.

Maybe they write it down backwards, or shifted by one letter, or letter-case
flopped, or even raw, but it's still safer for them and for LUGNET if they
keep a written record of it in a safe place (such as their wallet or purse
or bureau at home) than if they have a weak password which could be guessed
at from any of 100 million nodes on the Internet.

--Todd

        
              
         
Subject: 
Re: PW validation (was: Re: Opinions wanted: article rating harmful?)
Newsgroups: 
lugnet.admin.general
Date: 
Mon, 24 Apr 2000 01:04:33 GMT
Viewed: 
3194 times
  

In lugnet.admin.general, Todd Lehman writes:

I take it as a given that most people

but not all. I don't.

will still write a password down
somewhere no matter how easy or difficult it is for them to remember (if they
feel that password is important) just in case they might forget it.  Even if
most people don't, it certainly doesn't alarm me one bit knowing that some
people would -- and do.

Maybe they write it down backwards, or shifted by one letter, or letter-case
flopped,

I doubt most people that write down passwords apply any of these cyphers to
them but I am just speculating on this particular point.

or even raw, but it's still safer for them and for LUGNET if they
keep a written record of it in a safe place (such as their wallet or purse
or bureau at home) than if they have a weak password which could be guessed
at from any of 100 million nodes on the Internet.

Fascinating... can you provide a reference for this assertion, or is it just
conjecture? Keeping ATM passwords in one's wallet or purse is a particularly
bad practice, for example. But then, we're talking about something rather
different than money, aren't we?

++Lar

        
              
          
Subject: 
Re: PW validation (was: Re: Opinions wanted: article rating harmful?)
Newsgroups: 
lugnet.admin.general
Date: 
Mon, 24 Apr 2000 04:22:23 GMT
Viewed: 
3266 times
  

From the last two posts, I think I have arrived at my own conclusion on this
matter.  Todd wants to protect his hard earned work by issuing complicated
passwords that theoretically cannot be hacked.  I can't blame Todd for this
notion, it seems to make a great deal of sense.  Larry, on the other hand,
wants to name his password, and he should be allowed to do so.  Todd fears
that not all Lugnet users are as sophisticated as Larry, and someone will
name a password that is easily breached.  Again, this seems to make a great
deal of sense.  While bad for Larry (and many other Lugnet Members), Todd
can protect his network by using these methods.  Unfortunately, this leads
me to the conclusion that there is no need for me to become a member!  (bad
for Todd).  I am not a member, I have no password, and none of this
discussion applies to me.  Furthermore, I read Lugnet with a newsreader!  As
many people do, I suspect.

What happens next?  How does Todd attract me (and other sophisticated users)
to use the web interface and deal with passwords, etc?  From where I sit, I
don't think it can be done.  Either cut off newsreader access (bad), or
allow folks to name their passwords (bad according to Todd).

This is becoming *way* too complicated.  Let me have my newsreader access
without making me feel like I am left out because I choose not to use the
web interface.

Sorry for trouncing your web playground Todd, but that is how I see it.

Build On!
John Matthews
(plans on contributing to the great effort known as LUGnet, just wants
something other than a moving target)

Larry Pieniazek <lar@voyager.net> wrote in message
news:FtHxnL.8r2@lugnet.com...
In lugnet.admin.general, Todd Lehman writes:

I take it as a given that most people

but not all. I don't.

will still write a password down
somewhere no matter how easy or difficult it is for them to remember (if they
feel that password is important) just in case they might forget it.  Even if
most people don't, it certainly doesn't alarm me one bit knowing that some
people would -- and do.

Maybe they write it down backwards, or shifted by one letter, or letter-case
flopped,

I doubt most people that write down passwords apply any of these cyphers to
them but I am just speculating on this particular point.

or even raw, but it's still safer for them and for LUGNET if they
keep a written record of it in a safe place (such as their wallet or purse
or bureau at home) than if they have a weak password which could be guessed
at from any of 100 million nodes on the Internet.

Fascinating... can you provide a reference for this assertion, or is it just
conjecture? Keeping ATM passwords in one's wallet or purse is a particularly
bad practice, for example. But then, we're talking about something rather
different than money, aren't we?

++Lar

         
               
           
Subject: 
Re: PW validation (was: Re: Opinions wanted: article rating harmful?)
Newsgroups: 
lugnet.admin.general
Date: 
Mon, 24 Apr 2000 05:55:03 GMT
Viewed: 
3289 times

(canceled)

         
               
          
Subject: 
Re: PW validation (was: Re: Opinions wanted: article rating harmful?)
Newsgroups: 
lugnet.admin.general
Date: 
Mon, 24 Apr 2000 18:26:56 GMT
Highlighted: 
(details)
Viewed: 
3327 times
  

In lugnet.admin.general, John Matthews writes:
[...]
This is becoming *way* too complicated.  Let me have my newsreader access
without making me feel like I am left out because I choose not to use the
web interface.
Sorry for trouncing your web playground Todd, but that is how I see it.

Thanks for your insightful and thoughtful comments, John!

It's really not as complicated as it may seem.  There is a simple pw tester,
it does a reasonable job of identifying weaknesses in pw's, and it outputs a
number in a range.  It fails anything below a given threshold on its scale.

Every site that allows people to choose their own password has _some_ kind of
validator attached to it.  Usually it's something pretty simple like requiring
four or more characters or a mixture of letters, numbers, etc.  Some of the
better ones also include dictionary checks.

From my POV, it's not a matter of whether or not to validate pw's with exactly
this sort of thing in combination with dictionary lookups and a couple other
checks, but simply a matter of where to set the threshold for pass vs. fail.

The magic number (whatever it is) has simply to be chosen high enough to be
safe for users and safe for LUGNET, yet low enough to be acceptable from a
human factors perspective.  From recent feedback here, it seems that the
threshold may be higher than it should be.  (That's OK; it can be adjusted
lower if needed.)

How best to proceed?  Let's not talk about whether or not it's a good idea to
use a strict validator.  Let's talk about what the validator's threshold could
safely be lowered to.

   http://www.lugnet.com/people/members/pwsa/

There are two thresholds in need of being chosen:

1.  The threshold above which pw's are considered "strong" (from a statistical
    perspective) and passed without protest.

2.  The threshold above which pw's are considered "strong enough" (from a
    human factors perspective) and passed with protest (i.e., a warning)
    and below which pw's are considered "too weak" for comfort and rejected
    flat-out.

Maybe #1 ends up staying at 100%, or maybe it lowers to 50%.  And maybe #2
needs to be set to 50%, or -25%, or maybe even -300%.  The scale can be
adjusted.

If a consensus on what #2 should be cannot be reached, then the last resort
would be to go with a weaker form of strict validation -- something workable
but more importantly something that typical users are used to living with
(like, for example, being at least N characters long and having at least one
uppercase letter and one digit and one non-alphanumeric).

I'd love to hear more opinions from people who consider themselves typical
computer users -- this kind of input (like what John gave) is very helpful.

--Todd

p.s.  Multi-Layer passwords (for multi-tiered logins) is just an idea -- not
something on the slate.  Don't worry about that being too complicated because,
if it ever would be useful to add, it would only be something purely optional.
It's not part of the present discussion.
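An added sketch, not part of the post above and not LUGNET's validator, of the two approaches it contrasts: the character-class fallback rule and a scored estimate with two thresholds (pass, pass with warning, reject). The token list, the assumed list size, and the bit thresholds are constructed for illustration; the sample passwords are the counterexamples Todd listed earlier in the thread.

```python
import math

# Counterexamples from the thread: each one satisfies a character-class rule.
THREAD_EXAMPLES = ["SW:Ep1", "M:Tron6989", "70'sLEGO", "2*4Brick",
                   "Pi3.14159", "12:34Sunday", "E=mc^2"]

# Constructed stand-in for a dictionary / well-known-string list.
COMMON_TOKENS = ["e=mc^2", "3.14159", "sunday", "brick", "lego", "tron"]
ASSUMED_LIST_SIZE = 65536                     # assumption: size of a real list
TOKEN_BITS = math.log2(ASSUMED_LIST_SIZE)     # cost of guessing one list entry

# Hypothetical thresholds, in estimated bits.
REJECT_BELOW = 25.0    # below this: rejected flat-out
WARN_BELOW = 45.0      # below this: accepted with a warning


def passes_composition_rule(pw, min_len=6):
    """Minimum length plus one uppercase, lowercase, digit and special."""
    return (len(pw) >= min_len
            and any(c.isupper() for c in pw)
            and any(c.islower() for c in pw)
            and any(c.isdigit() for c in pw)
            and any(not c.isalnum() for c in pw))


def _char_bits(c):
    # Conservative: assumes the guesser already knows each character's class.
    if c.isdigit():
        return math.log2(10)
    if c.isalpha():
        return math.log2(26)
    return math.log2(33)    # the 95 printable ASCII characters minus 62 alphanumerics


def estimate_bits(pw):
    """Greedy left-to-right estimate: a listed token costs TOKEN_BITS (plus one
    bit if its capitalisation differs), any other character costs its class size."""
    bits, i = 0.0, 0
    while i < len(pw):
        match = max((t for t in COMMON_TOKENS
                     if pw[i:i + len(t)].lower() == t), key=len, default=None)
        if match:
            chunk = pw[i:i + len(match)]
            bits += TOKEN_BITS + (1.0 if chunk != match else 0.0)
            i += len(match)
        else:
            bits += _char_bits(pw[i])
            i += 1
    return bits


def verdict(pw):
    bits = estimate_bits(pw)
    if bits < REJECT_BELOW:
        return "reject"
    return "warn" if bits < WARN_BELOW else "pass"


if __name__ == "__main__":
    for pw in THREAD_EXAMPLES + ["q7#Vr!2kLp9z"]:   # last one is constructed
        print(f"{pw:14} composition={passes_composition_rule(pw)!s:5} "
              f"bits={estimate_bits(pw):5.1f} verdict={verdict(pw)}")
```

Every thread example clears the composition rule, while the scored check warns on all of them and rejects `E=mc^2` outright; moving `REJECT_BELOW` and `WARN_BELOW` is the threshold adjustment the post asks readers to discuss.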

        
              
          
Subject: 
Re: PW validation (was: Re: Opinions wanted: article rating harmful?)
Newsgroups: 
lugnet.admin.general
Date: 
Tue, 25 Apr 2000 08:15:23 GMT
Viewed: 
3200 times

(canceled)

        
              
         
Subject: 
Re: PW validation (was: Re: Opinions wanted: article rating harmful?)
Newsgroups: 
lugnet.admin.general
Date: 
Tue, 25 Apr 2000 08:23:12 GMT
Viewed: 
3192 times
  

This is an interesting subject. However, I only know one person who keeps a
written note of his password/ATM number etc. The only reason he does this is
because he is dyslexic.  Despite that, I'm sure that as more and more web
services now ask for passwords, I suppose people will write down passwords,
use the same one all the time or develop some other strategy.

Scott A

"Larry Pieniazek" <lar@voyager.net> wrote in message
news:FtHxnL.8r2@lugnet.com...
In lugnet.admin.general, Todd Lehman writes:

I take it as a given that most people

but not all. I don't.

will still write a password down
somewhere no matter how easy or difficult it is for them to remember (if they
feel that password is important) just in case they might forget it.  Even if
most people don't, it certainly doesn't alarm me one bit knowing that some
people would -- and do.

Maybe they write it down backwards, or shifted by one letter, or letter-case
flopped,

I doubt most people that write down passwords apply any of these cyphers to
them but I am just speculating on this particular point.

or even raw, but it's still safer for them and for LUGNET if they
keep a written record of it in a safe place (such as their wallet or purse
or bureau at home) than if they have a weak password which could be guessed
at from any of 100 million nodes on the Internet.

Fascinating... can you provide a reference for this assertion, or is it just
conjecture? Keeping ATM passwords in one's wallet or purse is a particularly
bad practice, for example. But then, we're talking about something rather
different than money, aren't we?

++Lar

       
             
        
Subject: 
Re: PW validation (was: Re: Opinions wanted: article rating harmful?)
Newsgroups: 
lugnet.admin.general
Date: 
Sun, 23 Apr 2000 21:45:17 GMT
Highlighted: 
! (details)
Viewed: 
3066 times
  

In lugnet.admin.general, Todd Lehman writes:

SW:Ep1
M:Tron6989
70'sLEGO
2*4Brick
Pi3.14159
12:34Sunday

NONE of those are bad passwords for the level of security that LUGNET, now, or
ever, (2) will require.

To think differently implies that either there is something far far deeper and
earth shatteringly important about to happen at some point (2), or that there
is a bit of excessive paranoia at work somewhere. People who really don't want
their ID's hacked should use better ones, of course, but J. Random AFOL would
be well served by any of these.

1 -  based on what has been revealed publicly

2 - which may be the case, but how would *we* know... Only Todd does.

++Lar

      
            
       
Subject: 
Re: PW validation (was: Re: Opinions wanted: article rating harmful?)
Newsgroups: 
lugnet.admin.general
Date: 
Mon, 24 Apr 2000 15:25:35 GMT
Viewed: 
2839 times
  

In lugnet.admin.general, Larry Pieniazek writes:
In lugnet.admin.general, Richard Franks writes:
In lugnet.admin.general, Todd Lehman writes:

having a password validator that doesn't suck is IMHO a fundamental
prerequisite to allowing passwords to be changed.  Anything less is
irresponsible.

So are you going to enforce that people HAVE to set their passwords to things
that the validator feels don't suck, or are you going to give advice but allow
it anyway?

The former is rather draconian for a site that doesn't handle money. I've
asked

Not to mention that Lugnet != NSA.

KL

     
           
      
Subject: 
Re: PW validation (was: Re: Opinions wanted: article rating harmful?)
Newsgroups: 
lugnet.admin.general
Date: 
Wed, 26 Apr 2000 02:29:40 GMT
Highlighted: 
(details)
Viewed: 
2466 times
  

In lugnet.admin.general, Todd Lehman writes:
Not sure what/if you are insinuating between the lines there, or whether I
should feel insulted by that comment, but having a password validator that
doesn't suck is IMHO a fundamental prerequisite to allowing passwords to be
changed.  Anything less is irresponsible.  (Yes, I know, allowing too much

I haven't posted with respect to this in a while, but I would like to say that
if you use this current validator to validate what people can choose for
passwords you might as well just not use it and keep sticking people with the
ones you are now.

I've fed it almost every password I've ever used, some of which took more than
a day on a P2 for l0phtcrack to brute-force, and it failed them all.

It's a neat toy - it's fun to throw things that are purely random at it and
have it spit back how worthless as passwords they are.  But it's insanely
picky, with the emphasis being on the insanely part.

I've got a password or three now that it passes, taking a tip from your "first
letter of each word of a sentence" comment.  But I don't see them as any
better than the multitude it failed.

But I have no desire to argue overmuch about this.  You do what you want, but
you need to keep in mind that as LUGNET grows and as you hope to attract more
and more people, ultimately benefiting both the community and you, you could
possibly be sticking those willing to *pay* to be members with a password
system that is about a million times more restrictive than the ones they use
to buy with credit cards and access their bank accounts every day.  I wonder
how many people will find the services worth the trouble?

     
           
       
Subject: 
Re: PW validation (was: Re: Opinions wanted: article rating harmful?)
Newsgroups: 
lugnet.admin.general
Date: 
Wed, 26 Apr 2000 02:37:29 GMT
Viewed: 
2491 times
  

In lugnet.admin.general, Mike Stanley writes:
[...]
I've fed it almost every password I've ever used, some of which took more
than a day on a P2 for l0phtcrack to brute-force, and it failed them all.
[...]
I've got a password or three now that it passes, taking a tip from your
"first letter of each word of a sentence" comment.  But I don't see them
as any better than the multitude it failed.
[...]

Thanks for the above data points.  How badly did it fail them by?

Did you catch this post from Monday?--

   http://www.lugnet.com/admin/general/?n=6459

What threshold number was below all the numbers returned for the ones you
tried that it failed?  Would a threshold of, say, 50 (instead of the current
100) pass all of the ones that it's currently failing?  Would a threshold of
-100?

(The threshold is just a number on a scale -- that scale can be adjusted.)

--Todd

      
            
       
Subject: 
Re: PW validation (was: Re: Opinions wanted: article rating harmful?)
Newsgroups: 
lugnet.admin.general
Date: 
Wed, 26 Apr 2000 19:07:10 GMT
Viewed: 
2518 times
  

In lugnet.admin.general, Todd Lehman writes:
Thanks for the above data points.  How badly did it fail them by?

Pretty badly - I know they were all worthless.  I didn't really pay attention
to the numbers.  I think they were as low negatively, though, as the "first
letter from each word in a sentence" was positively, though.

Did you catch this post from Monday?--

  http://www.lugnet.com/admin/general/?n=6459

Yep.

What threshold number was below all the numbers returned for the ones you
tried that it failed?  Would a threshold of, say, 50 (instead of the current
100) pass all of the ones that it's currently failing?  Would a threshold of
-100?

I think they were all < -100.  Just tried one of them, and it was -138.

     
           
      
Subject: 
Re: PW validation terms/labels
Newsgroups: 
lugnet.admin.general
Date: 
Fri, 5 May 2000 00:20:44 GMT
Viewed: 
2503 times
  

I find the labels a bit pejorative, as they impose your thinking on what level
of security is appropriate on what should just be strength metrics.

For example at setting 1 "lax" it fails passwords that I consider perfectly
adequate for the risk level here at Lugnet and which I would use if I could.

The next setting up is "casual" but it is far from casual, it's already shading
up towards quite restrictive.

Suggest you dump the labels and just go with numeric indicators. My lax is
probably -23 on your scale and I would call your lax "serious" and your casual
"moderately insane".

So clearly these labels are going to be divisive if you keep them. Just say you
require security level 2 and leave it at that with no label attached to it.

PS, my opinion remains unchanged, even 2 is way too strong for what is needed
here but that's a different issue.

++Lar

     
           
      
Subject: 
Re: PW validation terms/labels
Newsgroups: 
lugnet.admin.general
Date: 
Fri, 5 May 2000 02:23:45 GMT
Highlighted: 
(details)
Viewed: 
2582 times
  

In lugnet.admin.general, Larry Pieniazek writes:
I find the labels a bit pejorative, as they impose your thinking on what
level of security is appropriate on what should just be strength metrics.

OK, fair enough.  Labels gone.  Just pure numbers in the drop-down list now.


For example at setting 1 "lax" it fails passwords that I consider perfectly
adequate for the risk level here at Lugnet and which I would use if I could.

The label covers (covered) what the setting allows in the worst-case.  If you
poke around enough (or, as I've done, run scripts internally that hammer on it
to generate meaningful statistics), you'll find that the "Lax" setting (1)
does indeed pass some very, very bad pw's.  It may also fail a few good ones
here and there, but as I'm sure you must realize, false positives are
infinitely more harmless than the reverse.


The next setting up is "casual" but it is far from casual, it's already
shading up towards quite restrictive.

It's appropriate to call it casual because it is only a minimal level of pw
security -- it offers approximately 25 bits of protection in the worst case.
(It passes approximately 40% of all 5-character pw's chosen from the alphabet
{a-z,0-9}.)  2^25 is scarcely 30 million combinations to try.  That IS casual,
trust me.


Suggest you dump the labels and just go with numeric indicators. My lax is
probably -23 on your scale and I would call your lax "serious" and your
casual "moderately insane".

Here is why "1 - Lax" is in fact lax and not even remotely close to serious:

1.  It passes terribly poor 4-character passwords such as "chow", "itso",
    and "frob", and in fact passes 90% of all 4-character randomly generated
    pw's using a linear distribution of the letters 'a' to 'z'.  26^4 =
    456,976 (bad).

2.  It passes 95% of all 4-character randomly generated pw's using a linear
    distribution of the letters a-z and the digits 0-9.  36^4 = 1,679,616
    (also bad).

3.  It passes 99% of all 4-character randomly generated pw's using a linear
    distribution of the 95 printable ASCII characters.  95^4 = 81,450,625
    (still rather bad).

If you believe that any of the above is not lax, then I would posit that you
have at best a weak understanding of even the most basic statistical and
mathematical issues related to pw cracking.  (Sorry.)


So clearly these labels are going to be divisive if you keep them. Just say
you require security level 2 and leave it at that with no label attached to
it.

Okie dokie.


PS, my opinion remains unchanged, even 2 is way too strong for what is
needed here but that's a different issue.

You go right ahead and believe that.  In actuality, it would be totally
irresponsible to lower the bar any further.  I've already made it far less
restrictive than it was going to be originally.  I really would appreciate
it if you would please stop bugging me about this.

--Todd

     
           
      
Subject: 
Re: PW validation terms/labels
Newsgroups: 
lugnet.admin.general, lugnet.off-topic.debate
Followup-To: 
lugnet.off-topic.debate
Date: 
Fri, 5 May 2000 17:53:25 GMT
Viewed: 
2630 times
  

Todd Lehman wrote:
Here is why "1 - Lax" is in fact lax and not even remotely close to serious:

1.  It passes terribly poor 4-character passwords such as "chow", "itso",
    and "frob", and in fact passes 90% of all 4-character randomly generated
    pw's using a linear distribution of the letters 'a' to 'z'.  26^4 =
    456,976 (bad).

2.  It passes 95% of all 4-character randomly generated pw's using a linear
    distribution of the letters a-z and the digits 0-9.  36^4 = 1,679,616
    (also bad).

3.  It passes 99% of all 4-character randomly generated pw's using a linear
    distribution of the 95 printable ASCII characters.  95^4 = 81,450,625
    (still rather bad).

If you believe that any of the above is not lax, then I would posit that you
have at best a weak understanding of even the most basic statistical and
mathematical issues related to pw cracking.  (Sorry.)

Perhaps part of the problem is the relative weights attached to various
elements of strength of passwords. I would generally agree that a 4
character password should not be accepted (of course I suspect most of
us have a significant amount of money protected only by our physical
possession of a plastic card, and a 4 DIGIT password - I at least chose
an 8 digit PIN the one time I was allowed to choose a PIN, but few ATM
systems these days allow anything other than a 4 digit PIN).

I'm not sure that boiling the strength of a password down to a single
number is the best way to go about it. Why not require a few things,
like minimum length, and let the other checking try and reject trivial
extensions of a short password into the minimum length.

However, you have spoken that this is the final word on Lugnet
passwords, follow-ups to lugnet.off-topic.debate if anyone cares to
continue discussion.

--
Frank Filz

-----------------------------
Work: mailto:ffilz@us.ibm.com (business only please)
Home: mailto:ffilz@mindspring.com
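
An added example, not part of the original thread and not LUGNET's own validator: one way to combine a minimum length with a check that rejects trivial extensions of a short password, as suggested in the post above. The 8-character minimum, the 3-character run threshold and all function names are assumptions made for this sketch.

```python
import re

MIN_LENGTH = 8   # assumed policy value; the thread does not name a minimum
MIN_RUN = 3      # assumed: 3+ equal or consecutive characters count as padding

def keyspace(alphabet_size: int, length: int) -> int:
    """Candidates an exhaustive search must cover, e.g. 26**4 for 'chow'."""
    return alphabet_size ** length

def _is_run(s: str) -> bool:
    """True for a constant, ascending or descending run: 'aaaa', '1234', 'dcba'."""
    steps = {ord(b) - ord(a) for a, b in zip(s, s[1:])}
    return len(steps) == 1 and steps <= {-1, 0, 1}

def core(pw: str) -> str:
    """Strip the longest trailing run, then the longest leading run."""
    for n in range(len(pw), MIN_RUN - 1, -1):
        if _is_run(pw[-n:]):
            pw = pw[:-n]
            break
    for n in range(len(pw), MIN_RUN - 1, -1):
        if _is_run(pw[:n]):
            pw = pw[n:]
            break
    return pw

def check(pw: str) -> str:
    """Return 'ok' or the reason the password is rejected."""
    if len(pw) < MIN_LENGTH:
        return "too short"
    # A short unit repeated end to end ('chowchow') adds length, not search space.
    if re.fullmatch(r"(.+?)\1+", pw, flags=re.DOTALL):
        return "short unit repeated"
    # Padding with a run ('chow1234', '0000chow') leaves the same short core.
    if len(core(pw)) < MIN_LENGTH:
        return "short password padded with a run"
    return "ok"

if __name__ == "__main__":
    # Constructed sample passwords; 'chow' and 'frob' are the thread's examples.
    for pw in ["frob", "chowchow", "chow1234", "0000chow", "plinth-gravy-owl"]:
        print(f"{pw!r:20} {check(pw)}")
    print(keyspace(26, 4), keyspace(36, 4), keyspace(95, 4))
```
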

     
           
      
Subject: 
Re: PW validation terms/labels
Newsgroups: 
lugnet.off-topic.debate
Date: 
Fri, 5 May 2000 18:30:49 GMT
Viewed: 
2386 times
  

In lugnet.admin.general, Frank Filz writes:
Perhaps part of the problem is the relative weights attached to various
elements of strength of passwords. I would generally agree that a 4
character password should not be accepted (of course I suspect most of
us have a significant amount of money protected only by our physical
possession of a plastic card, and a 4 DIGIT password - I at least chose
an 8 digit PIN the one time I was allowed to choose a PIN, but few ATM
systems these days allow anything other than a 4 digit PIN).

For the average person or script kiddie to crack a 4-digit PIN via brute
force, they'd have to:

(1) first actually get someone's card; and then
(2) manually try out up to 10,000 combinations, and IIRC, ATM's are programmed
    to eat cards after a few failed attempts, and they'll probably be on
    videotape too.

For the average person or script kiddie to crack a 4-digit PW on the Internet,
all they need to do is write a tiny script, then sit back and watch it go, all
relatively untraceable if they're being careful.  Even if they're not being
careful, it would still be trivial for them to crack a 4-digit PW or cause a
DoS if service were denied after a few failed attempts.

Unless the cracker works in the banking industry, comparing PINs to PW's is
apples and oranges, my friend.  :)

--Todd

     
           
      
Subject: 
Re: PW validation terms/labels
Newsgroups: 
lugnet.off-topic.debate
Date: 
Fri, 5 May 2000 19:25:13 GMT
Viewed: 
2436 times
  

Todd Lehman wrote:

In lugnet.admin.general, Frank Filz writes:
Perhaps part of the problem is the relative weights attached to various
elements of strength of passwords. I would generally agree that a 4
character password should not be accepted (of course I suspect most of
us have a significant amount of money protected only by our physical
possession of a plastic card, and a 4 DIGIT password - I at least chose
an 8 digit PIN the one time I was allowed to choose a PIN, but few ATM
systems these days allow anything other than a 4 digit PIN).

For the average person or script kiddie to crack a 4-digit PIN via brute
force, they'd have to:

(1) first actually get someone's card; and then
(2) manually try out up to 10,000 combinations, and IIRC, ATM's are programmed
    to eat cards after a few failed attempts, and they'll probably be on
    videotape too.

(1) is certainly true, (2) is mostly true (there are many ATMs,
including ones in stores which can not eat cards, and probably don't
alert the cashier to take the card [possibly dangerous if the person
using the card is a real criminal]).

Unless the cracker works in the banking industry, comparing PINs to PW's is
apples and oranges, my friend.  :)

True. But my main point was that one shouldn't allow 4 character
passwords in general. The ATM note was just a side note.

Another interesting security flaw I just saw yesterday: I am nearing the
end of my student loan paybacks, and randomly decided to check out if I
could find my account information on the web. I had some paperwork with
the loan servicing agency with me, and noticed an e-mail, so I pulled
up www.host-name.com. Sure enough, they had a screen to get to account
information. What did you need to get there: SSN and ZIP! The screen
allows you to change your address and phone numbers, shows your last 12
payments for each loan, and other status. Not an incredible amount of
information, but somewhat scary.

--
Frank Filz

-----------------------------
Work: mailto:ffilz@us.ibm.com (business only please)
Home: mailto:ffilz@mindspring.com

     
           
      
Subject: 
Re: PW validation terms/labels
Newsgroups: 
lugnet.off-topic.debate
Date: 
Fri, 5 May 2000 22:01:48 GMT
Viewed: 
2423 times
  

In lugnet.off-topic.debate, Frank Filz writes:
True. But my main point was that one shouldn't allow 4 character
passwords in general. The ATM note was just a side note.

oh!  OK.  I totally totally totally agree with that!

--Todd

    
          
     
Subject: 
Re: Opinions wanted: article rating harmful? (was: New feature: Article rating)
Newsgroups: 
lugnet.admin.general
Date: 
Mon, 24 Apr 2000 17:04:53 GMT
Viewed: 
2147 times
  

In lugnet.admin.general, Todd Lehman writes:
but I don't feel that I was left much choice, since misinformation was
being spread.

Oops, wrong word.  It wasn't right to say that "misinformation" was being
spread.  Rather, speculation was being presented which just happened to be
incorrect.  (Big difference!)

--Todd

   
         
     
Subject: 
Re: Opinions wanted: article rating harmful? (was: New feature: Article rating)
Newsgroups: 
lugnet.admin.general
Date: 
Fri, 21 Apr 2000 11:43:37 GMT
Viewed: 
2097 times
  

I believe there is a problem that has already been addressed by several
people, and that is that the ratings are too vague.  If everyone is rating
messages based on their own criteria, then we will never be able to use the
information that is being collected effectively.

I would suggest that above the ratings bar, that there could be a little blurb
regarding how messages in the current group should be rated.  For instance, in
Lego.Direct, the blurb could be, "How useful is this message to Brad Justus
and the team at Lego Direct?".  The same message could be cross posted to
another group and be rated by a different criteria in that group (and
therefore would have a different rating that would be relevant to that
group).  In each group, the rating blurb would be different.

Hmmm... I guess this would probably boil down to a one line summary of the T&C
for that group.  I'm not sure, but this could be food for thought.

Another possibility would be to have several categories of ratings, such
as "Overall Rating", "Relevance to Topic", "Usefulness to Group or Community"
and then have a rating selection for each, and average them.  That way, a
person could like the post, but mark it down for not being on-topic, and that
way, the poster can get some small amount of feedback as to why their post got
the rating that it did.

Just some random thoughts...
-Andy Lynch


In lugnet.admin.general, Todd Lehman writes:
All,

It seems at this point that the article rating feature -- intended to help --
is actually causing more harm than good to the community.  It's difficult to
gauge how much harm is being done when opinions are so varied, but it's clear
that something needs to be changed.


   
         
   
Subject: 
Re: Opinions wanted: article rating harmful? (was: New feature: Article rating)
Newsgroups: 
lugnet.admin.general
Date: 
Fri, 21 Apr 2000 17:18:31 GMT
Viewed: 
1982 times
  

In lugnet.announce, Todd Lehman writes:
<snip>


Specific personal questions:

1.  How would you feel (better or worse) if the numeric values of the ratings
were not displayed to you unless you specifically requested (via some simple
setting) that they be displayed to you?

It doesn't matter to me.

2.  How would you feel (better or worse) if the numeric values of the ratings
were not displayed ever to anyone but collected and used by the server only
for internal calculations, hotlist generation, and personal recommendations
to you?

It doesn't matter to me.

3.  How would you feel (better or worse) if the ratings were not even
collected and collated in the first place?  (i.e. the destruction of the
feature altogether)

Worse, slightly .. The feature does have its benefits.

4.  Have you ever felt victimized by the rating system?  Have you posted
something which has obtained a low rating and felt uncomfortable or unhappy
about yourself or about LUGNET because of the low rating?  How often?

No. I don't find validation in what others think of my stuff. I ask for
comments for other inspiration and ideas that they might generate. I don't
even ask my wife what she thinks of my stuff.

5.  Have you ever felt victimized indirectly by seeing someone else's post
get a high rating?  How often?

No. I don't begrudge "good fortune" to others. Not even to Sanjay ;-)

6.  Do you feel that the article rating system makes it easier for you or
harder for you to share your ideas?  And does this bother you?

It makes it harder only where casual reading material (generated by ratings)
is concerned. It doesn't bother me if the casual reader has an equally
presented way of reading everything else too.

7.  How does your initial reaction to the announcement of the article rating
system compare to your current opinion of it?

It's the same..: "I hope it's done right.." (Whatever that is :)

8.  Do you feel that it is too early, too late, or the right time to address
these issues?

It's never too late.. cuz the administrator actually listens. Very few ideas
are perfect out of the bag.

9.  What other areas (besides news articles) can you imagine that a
collaborative ratings system would be most helpful to you?  LEGO sets?
Websites?  Individual web pages?  etc...

I don't think displayed ratings attached to those things would be helpful at
all to everyone at large. To me, if the ratings were displayed, it seems that
those with higher ratings would get higher ones (often due to drive-by's), and
low ratings would remain or ever only slowly creep up (unless the content
found in such subjects was dramatically improved, and an effort made to
promote "my awesome new site"). Overall, some will be depressed by it, some
won't care, and others will see it as a challenge to improve.. and there isn't
much you can do to change someone.

CLSotW is like this. If someone's page never wins, does that mean it's not
cool? Of course not. Cool is often in the eye of the beholder(s). But at the
same time, whoever made that site feels a certain way about it, either
indifferent or otherwise. Yet you can't change how they feel.. only they can.

-Tom McD.
when replying, until 1967, spamcake was used in football pads.

 
