| |
I'm happy to announce that formal LUGNET memberships are now available. :)
Things won't be very fancy initially (no map or other web-toys yet) but this
gets the ball rolling and begins to pave the way for much more to come later
down the road.
At this point, the memberships probably aren't something for everyone, since
they don't actually do anything (for now, they just store data about you),
but it's still kinda fun.
Here's how to sign up:
http://www.lugnet.com/people/members/join/
From there, you can hop to the actual enrollment form. The form is quite
the little beastie to fill out, so I recommend printing a hardcopy and
jotting down a few notes before beginning.
Take your time filling out the form -- there's no rush to get into in queue
-- because the member ID numbers are assigned upon receiving the membership
fee, not upon receiving the completed form. (In other words, while a day or
two might make a difference, a few minutes or hours certainly won't.)
It was suggested a while ago that the lifetime membership fee be a high
number since it was a for-life kind of thing, or to charge some sort of
periodic subscription fee, but we wanted it to be much more open and simple
than that, and, most importantly, easily affordable for anyone.
So we set it up that you pay what you think is fair, based on what the value
of LUGNET is to you, with the minimum being 10 dollars (U.S.) for lifetime
membership, leaving anything else up to you.
Enjoy!
--Todd
[followups to lugnet.people]
|
|
| |
Woo-hoo!
I love those chest-stickers :)
First a question - I made a mistake - d'oh! I forgot to put my country in the
address field, is it okay to go back with my browser, change the information
and re-submit, or should I email the changes to membership@lugnet.com or
something similar?
Also, I didn't request that my secondary email address should be confidential,
but the submission page said that I had - it could be a bug with your script or
my browser I guess!
As a poor student, I didn't want to commit myself to a large sum of money, but
I can see myself making a yearly contribution once I'm fully working! If that's
a fairly common attitude then maybe if you had an entry box for those people
who wish to make a yearly contribution, that would help with your calculations
and statistics!
Finally - congratulations! Another milestone reached and the level and
organisation of Lugnet continues to amaze me!
Richard
|
|
| |
In lugnet.announce, Todd Lehman writes:
> Take your time filling out the form -- there's no rush to get into in queue
> -- because the member ID numbers are assigned upon receiving the membership
> fee, not upon receiving the completed form. (In other words, while a day or
> two might make a difference, a few minutes or hours certainly won't.)
If I post my fee from the UK today, it'll probably get to you after someone who
posts theirs from the US in a weeks time - this isn't a big issue as I'd never
be immature enough to compete for a membership number anyway ;) I'm not trying
to give you another headache - I just thought I'd point it out!
Long Live the LUGNET!
Richard
|
|
| |
Where do you mail the membership fee to and who should it be made payable
to?
KL
In lugnet.announce, Todd Lehman writes:
>
> I'm happy to announce that formal LUGNET memberships are now available. :)
>
> Things won't be very fancy initially (no map or other web-toys yet) but this
> gets the ball rolling and begins to pave the way for much more to come later
> down the road.
>
> At this point, the memberships probably aren't something for everyone, since
> they don't actually do anything (for now, they just store data about you),
> but it's still kinda fun.
>
> Here's how to sign up:
>
> http://www.lugnet.com/people/members/join/
>
> From there, you can hop to the actual enrollment form. The form is quite
> the little beastie to fill out, so I recommend printing a hardcopy and
> jotting down a few notes before beginning.
>
> Take your time filling out the form -- there's no rush to get into in queue
> -- because the member ID numbers are assigned upon receiving the membership
> fee, not upon receiving the completed form. (In other words, while a day or
> two might make a difference, a few minutes or hours certainly won't.)
>
> It was suggested a while ago that the lifetime membership fee be a high
> number since it was a for-life kind of thing, or to charge some sort of
> periodic subscription fee, but we wanted it to be much more open and simple
> than that, and, most importantly, easily affordable for anyone.
>
> So we set it up that you pay what you think is fair, based on what the value
> of LUGNET is to you, with the minimum being 10 dollars (U.S.) for lifetime
> membership, leaving anything else up to you.
>
> Enjoy!
> --Todd
>
> [followups to lugnet.people]
|
|
| |
In lugnet.people, Kevin Loch writes:
> Where do you mail the membership fee to and who should it be made payable
> to?
I'm guessing that that information is in the acknowledgement email that is sent
to you after your form has been processed... ? But I don't have mine yet, so I
can't tell you!
Richrd
|
|
| |
In lugnet.people, Richard Franks writes:
> If I post my fee from the UK today, it'll probably get to you after someone who
> posts theirs from the US in a weeks time - this isn't a big issue as I'd never
> be immature enough to compete for a membership number anyway ;) I'm not trying
> to give you another headache - I just thought I'd point it out!
Yeah, I know. :) Some people might, though. I'd just hate to see anyone
rush through it, so I thought it was worth pointing out. :)
--Todd
|
|
| |
In lugnet.people, Richard Franks writes:
> First a question - I made a mistake - d'oh! I forgot to put my country in the
> address field, is it okay to go back with my browser, change the information
> and re-submit,
No, that would create a second event in the applications log.
> or should I email the changes to membership@lugnet.com or
> something similar?
I would say, simply just wait until you get the info/password that lets you
edit your personal info, and then you can easily make the edit directly
yourself. :)
> Also, I didn't request that my secondary email address should be confidential,
> but the submission page said that I had - it could be a bug with your script or
> my browser I guess!
It's not technically a bug anywhere, but I agree it's confusing. The script
that echoed back the submission data is just a simple recorder which reports
back what it received, and doesn't actually know how to interpret the data
beyond the basics. Since the checkboxes for privacy on both addresses are
checked by default, the "keep private" box was still checked for your second
address, even though you left it blank -- which is perfectly innocuous. :)
--Todd
|
|
| |
In lugnet.people, lehman@javanet.com (Todd Lehman) writes:
> In lugnet.people, Richard Franks writes:
> > First a question - I made a mistake - d'oh! I forgot to put my country in the
> > address field, is it okay to go back with my browser, change the information
> > and re-submit,
>
> No, that would create a second event in the applications log.
>
>
> > or should I email the changes to membership@lugnet.com or
> > something similar?
>
> I would say, simply just wait until you get the info/password that lets you
> edit your personal info, and then you can easily make the edit directly
> yourself. :)
Ooops, I take that back -- I'll have to make the change, otherwise it's a
"chicken and the egg" paradox because your info might not get to you via
post without a complete address. :) You can just respond to this post and
mail me the country line...
--Todd
|
|
| |
In lugnet.announce, Todd Lehman writes:
>
> I'm happy to announce that formal LUGNET memberships are now available. :)
Cool!!
Todd, how do you want to handle international payments? Can you accept cheques
(or should I say checks??) in non US curency (converted appropriately) or
should I organise to get a US cheque or similar to you? Can you accept credit
card payments?
Pete Callaway
|
|
| |
In lugnet.people, "Peter Callaway" <pcallaway@bmcl.com.au> writes:
> Todd, how do you want to handle international payments? Can you accept cheques
> (or should I say checks??) in non US curency (converted appropriately) or
> should I organise to get a US cheque or similar to you? Can you accept credit
> card payments?
For now, it needs to be a cheque (personal, cashier's, money order, etc.)
drawn on a U.S. bank and written in U.S. Dollars.
(Cash in person is also fine, but if you choose to send cash by post, please
make sure that you understand the risks involved, and please make sure that
it is legal to send cash out of your country if you don’t live in the U.S.)
Someday, maybe credit cards, but not anytime soon.
Someday, maybe also someone from each country could collect payments on
behalf of people there, and then bundle the payments together periodically
to reduce overhead costs, but probably not anytime soon.
--Todd
|
|
| |
Todd Lehman wrote:
>
> In lugnet.people, "Peter Callaway" <pcallaway@bmcl.com.au> writes:
> > Todd, how do you want to handle international payments?
I'd be happy to factor for folks on this one if there was interest.
Since you'd be paying one of my factorees, they get no fee, and I'd
halve my usual fee of a buck.
email me or see my webpages... (my.voyager.net/lar/factor_desc.html)
Todd needs to say OK before you start firing forms at me, though.
Warning, factoring is a bit slower than mailing direct will be.
--
Larry Pieniazek larryp@novera.com http://my.voyager.net/lar
- - - Web Application Integration! http://www.novera.com
fund Lugnet(tm): http://www.ebates.com/ ref: lar, 1/2 $$ to lugnet.
NOTE: Soon to be lpieniazek@tsisoft.com :-)
|
|
| |
In lugnet.people, Larry Pieniazek writes:
> Todd needs to say OK before you start firing forms at me, though.
It's OK with me if it's OK with you.
--Todd
|
|
| |
In lugnet.announce, Todd Lehman writes:
> Take your time filling out the form -- there's no rush to get into in queue
> -- because the member ID numbers are assigned upon receiving the membership
> fee, not upon receiving the completed form.
Todd,
Before I begin, I want to mention that members filling out the form from a
proxy server should add a few extra keystrokes (like spaces) at the end of each
text field, because they get chopped off. Todd, I actually submitted twice;
the first time shows a lot of chopped remarks, which you can ignore since I
re-sent.
Anyway, it's about time you started reaping a few of the fruits of your labors.
I am only too happy to pay for the services provided by Lugnet.
I would like to mention that much of the info is provided by the users of this
site, efforts that are done for the "good of the cause." These efforts would
not be possible without this forum, though, so again, I think nominal charges
are not enitirely out of place.
I also know that there are TONS of folks like myself that will be sending you
cash, and hope to see reflections of your newfound bounty in the near future.
I'll let my other fellow members come up with the kinds of things they'd like
to see.
On the other hand, if only a hundred of us dedicated types send in the cash,
then I won't lay any guilt trips about a thousand bucks or so. Life's too
short, and this site is just too good...
Dave (jot and jab)
|
|
| |
In lugnet.announce, Todd Lehman writes:
> http://www.lugnet.com/people/members/join/
> [followups to lugnet.people]
Todd,
tm
As the self appointed paranoiac (1) user of Lugnet, I just want to suggest
that you should have some wording on the application itself to minors and
other kiddies out there that they should be speaking with their parents before
handing over all of that information to Lugnet
Given the nature of legos (toys that not only AFOL's like to use) and the fear
that surrounds childrens use of the web these days, you should probably put
the warning right on the application page, and perhaps people should have to
click through a warning page to get there, not just be referred to an off page
document containing the terms of use (2).
Anyway, just my $0.02
Will
P.S. And yes, I am a lawyer, but this is not my area of practice, so this is
offered only as general non-binding free advice, which is not even worth the
$0.02 mentioned above ;-).
tm
(1) Or if you prefer the alternate spelling paranoic.
(2) See, http://www.lugnet.com/admin/terms/ .
|
|
| |
In lugnet.people, "Will Middelaer" <betamale@removeyahoo.com> writes:
> tm
> As the self appointed paranoiac (1) user of Lugnet, I just want to suggest
> that you should have some wording on the application itself to minors and
> other kiddies out there that they should be speaking with their parents before
> handing over all of that information to Lugnet
Mmm, good idea, thanks.
--Todd
|
|
| |
In lugnet.people, lehman@javanet.com (Todd Lehman) writes:
> In lugnet.people, "Will Middelaer" <betamale@removeyahoo.com> writes:
> > tm
> > As the self appointed paranoiac (1) user of Lugnet, I just want to suggest
> > that you should have some wording on the application itself to minors and
> > other kiddies out there that they should be speaking with their parents before
> > handing over all of that information to Lugnet
>
> Mmm, good idea, thanks.
Followup---Here's what I did...3 things:
-----------------------------------------------------------------------------
On the entry page <http://www.lugnet.com/people/members/join/> I changed the
first paragraph from:
How do I join?
To become a LUGNET member, first familiarize yourself with
LUGNET's Terms of Use, then fill out the lifetime membership
enrollment form.
to:
How do I join?
To become a LUGNET member, first familiarize yourself with
LUGNET's Terms of Use, then fill out the lifetime membership
enrollment form. (Kids, make sure you have permission from a
parent or guardian first.)
-----------------------------------------------------------------------------
At the top of <http://www.lugnet.com/people/members/join/enroll.html>
I added a third paragraph:
(Kids, make sure you have permission from a parent or guardian
first before giving out any personal information.)
-----------------------------------------------------------------------------
And at the bottom of <http://www.lugnet.com/people/members/join/enroll.html>
I added a new paragraph and a pair of radio buttons:
Once again, it's important to stress: Kids, make sure you have
permission from a parent or guardian before submitting this form!
Select one of the following:
o I am 18 years of age or older.
o I am not yet 18 years of age. I have the permission and
approval of my parent(s) or legal guardian(s) to fill out
this form and to provide personal information about myself.
I am not submitting information without their knowledge and
consent.
-----------------------------------------------------------------------------
--Todd
|
|
| |
Done.
Only for countries where I have factorees, please.
(Australia, Germany, Italy Japan, Netherlands, New Zealand, United
Kingdom)
No email please! Send me a form and my rake will be 50 cents. If you
email me directly it will be a dollar.
To speed you through:
"Seller" is Todd, I don't need his snail, I don't need your snail, txn
amount is what you want to give, I'll add the 50 cents when I confirm,
buyer method is "buyer factoree pay" seller ID is "Direct Pay", seller
awareness is "aware"
(some shorthanding happened there..., but you can figure it out. DON'T
MAIL ME to ask, or it's a dollar instead of 50 cents... :-) )
Also state the exchange rate in the remarks please...
Todd Lehman wrote:
>
> In lugnet.people, Larry Pieniazek writes:
> > Todd needs to say OK before you start firing forms at me, though.
>
> It's OK with me if it's OK with you.
>
> --Todd
--
Larry Pieniazek larryp@novera.com http://my.voyager.net/lar
- - - Web Application Integration! http://www.novera.com
fund Lugnet(tm): http://www.ebates.com/ ref: lar, 1/2 $$ to lugnet.
NOTE: Soon to be lpieniazek@tsisoft.com :-)
|
|
| |
Ummm...
I don't really want to pay anything... do I have to?
ANd if I don't, will I still be able to post messages on LUGNET?
In lugnet.announce, Todd Lehman writes:
>
> I'm happy to announce that formal LUGNET memberships are now available. :)
>
> Things won't be very fancy initially (no map or other web-toys yet) but this
> gets the ball rolling and begins to pave the way for much more to come later
> down the road.
>
> At this point, the memberships probably aren't something for everyone, since
> they don't actually do anything (for now, they just store data about you),
> but it's still kinda fun.
>
> Here's how to sign up:
>
> http://www.lugnet.com/people/members/join/
>
> From there, you can hop to the actual enrollment form. The form is quite
> the little beastie to fill out, so I recommend printing a hardcopy and
> jotting down a few notes before beginning.
>
> Take your time filling out the form -- there's no rush to get into in queue
> -- because the member ID numbers are assigned upon receiving the membership
> fee, not upon receiving the completed form. (In other words, while a day or
> two might make a difference, a few minutes or hours certainly won't.)
>
> It was suggested a while ago that the lifetime membership fee be a high
> number since it was a for-life kind of thing, or to charge some sort of
> periodic subscription fee, but we wanted it to be much more open and simple
> than that, and, most importantly, easily affordable for anyone.
>
> So we set it up that you pay what you think is fair, based on what the value
> of LUGNET is to you, with the minimum being 10 dollars (U.S.) for lifetime
> membership, leaving anything else up to you.
>
> Enjoy!
> --Todd
>
> [followups to lugnet.people]
Alex "Buy LUGNET memberships at Spam R Us (and spambayala) for a limited time
only! [1]" Roode
[1] Okay, so that was not a very good joke. If you liked it please followup to
lugnet.i-am.stupid or lugnet.dumb-jokes-domain or
lugnet.alex's-dumb-jokes...
|
|
| |
In lugnet.people, Alex Roode writes:
> Ummm...
> I don't really want to pay anything... do I have to?
Nope!
> And if I don't, will I still be able to post messages on LUGNET?
Yep! AFAIK, everything you see here today is free, and will continue to be so.
What memberships will give you is the ability to have an 'identity' on Lugnet,
and participate in Auctions where Lugnet is an active hub. There are a lot more
things to come in the future (see the long-term plan on the first web-page),
obviously including things we haven't even thought of yet! But for now,
membership for me means support for something that I think is worthwhile,
deserves to grow, and also a way to say thanks!
But as Todd wrote in the message that you responded to - membership isn't
something for everyone.
Richard
|
|
| |
In lugnet.people, "Richard Franks" writes:
> In lugnet.people, Alex Roode writes:
> > Ummm...
> > I don't really want to pay anything... do I have to?
>
> Nope!
>
>
> > And if I don't, will I still be able to post messages on LUGNET?
>
> Yep! AFAIK, everything you see here today is free, and will continue to be so.
> What memberships will give you is the ability to have an 'identity' on Lugnet,
> and participate in Auctions where Lugnet is an active hub. There are a lot more
> things to come in the future (see the long-term plan on the first web-page),
> obviously including things we haven't even thought of yet! But for now,
> membership for me means support for something that I think is worthwhile,
> deserves to grow, and also a way to say thanks!
>
> But as Todd wrote in the message that you responded to - membership isn't
> something for everyone.
I'm sending out a follow-up message to clarify things... I pasted a copy
below...
(Yuck, I hate sending out unsolicited e-mail in quantities like this -- it
feels like spamming. :-( Last time anything like this went out to everyone
who'd registered to post was about a year ago. Once a year is more than
enough, if you ask me. I wish I'd made a checkbox for "email me important
announcements about new LUGNET features" so that people who might not want
to see this wouldn't have to...)
--Todd
============================================================================
<Gulp!> Sorry about the confusion, folks!
Several people wrote in and asked whether LUGNET memberships and/or the
fees were mandatory.
The answer is no -- definitely not.
Nothing about LUGNET is changing, except that something new (memberships)
are being added. The memberships are 100% optional. You don't have to,
and aren't expected to, become a member unless you yourself want to.
The word "membership" is somewhat confusing because LUGNET has only had
users up until now, and it's mostly only the old-timers who remember the
original LUGNET Plan documents which talked about memberships. So...
- A "user" is someone who accesses data in the system and reads news
and possibly also posts messages. (This is about 3000 people over
the past year.) And this is all free. Nothing is changing here.
- A "member" is someone who has all the capabilities of a "user" but
also has a personal page on the website and an actual account with a
password and a member ID number and lots of other neat things into the
future (like holding auctions and participating in formal surveys and
voting and things like that).
So, just to reiterate -- if you don't want to pay anything, then you don't
have to -- and you can keep using LUGNET exactly as you have been.
No money is being charged for news or data or anything like that.
Memberships are just something extra -- something to form the backbone
of new infrastructures being built atop everything else.
Here are a couple relevant pages describing a bit about memberships,
http://www.lugnet.com/admin/plan/4.html
http://www.lugnet.com/admin/plan/8.html
from the LUGNET Plan document which was published in late 1997:
http://www.lugnet.com/admin/plan/
Again, I apologize for any confusion...I should have made it more clear in
the first message.
If anyone has any more questions, feel free to ask them on the lugnet.people
newsgroup:
http://www.lugnet.com/people/
Over and out,
--Todd
p.s. About 90 people have filled out membership enrollment forms so far
in the past 36 hours.
Todd Lehman wrote:
> I'm happy to announce that formal LUGNET memberships are now available. :)
>
> Things won't be very fancy initially (no map or other web-toys yet) but this
> gets the ball rolling and begins to pave the way for much more to come later
> down the road.
>
> At this point, the memberships probably aren't something for everyone, since
> they don't actually do anything (for now, they just store data about you),
> but it's still kinda fun. Here's how to sign up:
>
> http://www.lugnet.com/people/members/join/
>
> From there, you can hop to the actual enrollment form. The form is quite
> the little beastie to fill out, so I recommend printing a hardcopy and
> jotting down a few notes before beginning.
>
> Take your time filling out the form -- there's no rush to get into in queue
> -- because the member ID numbers are assigned upon receiving the membership
> fee, not upon receiving the completed form. (In other words, while a day or
> two might make a difference, a few minutes or hours certainly won't.)
>
> It was suggested a while ago that the lifetime membership fee be a high
> number since it was a for-life kind of thing, or to charge some sort of
> periodic subscription fee, but we wanted it to be much more open and simple
> than that, and, most importantly, easily affordable for anyone.
>
> So we set it up that you pay what you think is fair, based on what the value
> of LUGNET is to you, with the minimum being 10 dollars (U.S.) for lifetime
> membership, leaving anything else up to you.
>
> Enjoy!
> --Todd
>
> p.s. Here's the announcement posting and its related thread if you're
> interested in following along... http://www.lugnet.com/announce/?n=376
|
|
| |
Umm...Todd, you said we can join but those who do not want to pay they do not
have to, right? If so how come you cannot finish the form without filling the
$____ parts out? For example if you leace it blank you get:
"Information missing:
Membership fee: US$
Portion I am paying now: $ "
Z. Unger :?
PS: If possible email me the answer...
In lugnet.people, Todd Lehman writes:
> In lugnet.people, "Richard Franks" writes:
> > In lugnet.people, Alex Roode writes:
> > > Ummm...
> > > I don't really want to pay anything... do I have to?
> >
> > Nope!
> >
> >
> > > And if I don't, will I still be able to post messages on LUGNET?
> >
> > Yep! AFAIK, everything you see here today is free, and will continue to be • so.
> > What memberships will give you is the ability to have an 'identity' on • Lugnet,
> > and participate in Auctions where Lugnet is an active hub. There are a lot • more
> > things to come in the future (see the long-term plan on the first web-page),
> > obviously including things we haven't even thought of yet! But for now,
> > membership for me means support for something that I think is worthwhile,
> > deserves to grow, and also a way to say thanks!
> >
> > But as Todd wrote in the message that you responded to - membership isn't
> > something for everyone.
>
>
> I'm sending out a follow-up message to clarify things... I pasted a copy
> below...
>
> (Yuck, I hate sending out unsolicited e-mail in quantities like this -- it
> feels like spamming. :-( Last time anything like this went out to everyone
> who'd registered to post was about a year ago. Once a year is more than
> enough, if you ask me. I wish I'd made a checkbox for "email me important
> announcements about new LUGNET features" so that people who might not want
> to see this wouldn't have to...)
>
> --Todd
>
>
>
> ============================================================================
>
> <Gulp!> Sorry about the confusion, folks!
>
> Several people wrote in and asked whether LUGNET memberships and/or the
> fees were mandatory.
>
> The answer is no -- definitely not.
>
> Nothing about LUGNET is changing, except that something new (memberships)
> are being added. The memberships are 100% optional. You don't have to,
> and aren't expected to, become a member unless you yourself want to.
>
> The word "membership" is somewhat confusing because LUGNET has only had
> users up until now, and it's mostly only the old-timers who remember the
> original LUGNET Plan documents which talked about memberships. So...
>
> - A "user" is someone who accesses data in the system and reads news
> and possibly also posts messages. (This is about 3000 people over
> the past year.) And this is all free. Nothing is changing here.
>
> - A "member" is someone who has all the capabilities of a "user" but
> also has a personal page on the website and an actual account with a
> password and a member ID number and lots of other neat things into the
> future (like holding auctions and participating in formal surveys and
> voting and things like that).
>
> So, just to reiterate -- if you don't want to pay anything, then you don't
> have to -- and you can keep using LUGNET exactly as you have been.
>
> No money is being charged for news or data or anything like that.
> Memberships are just something extra -- something to form the backbone
> of new infrastructures being built atop everything else.
>
> Here are a couple relevant pages describing a bit about memberships,
>
> http://www.lugnet.com/admin/plan/4.html
> http://www.lugnet.com/admin/plan/8.html
>
> from the LUGNET Plan document which was published in late 1997:
>
> http://www.lugnet.com/admin/plan/
>
> Again, I apologize for any confusion...I should have made it more clear in
> the first message.
>
> If anyone has any more questions, feel free to ask them on the lugnet.people
> newsgroup:
>
> http://www.lugnet.com/people/
>
> Over and out,
> --Todd
>
> p.s. About 90 people have filled out membership enrollment forms so far
> in the past 36 hours.
>
>
>
> Todd Lehman wrote:
> > I'm happy to announce that formal LUGNET memberships are now available. :)
> >
> > Things won't be very fancy initially (no map or other web-toys yet) but this
> > gets the ball rolling and begins to pave the way for much more to come later
> > down the road.
> >
> > At this point, the memberships probably aren't something for everyone, since
> > they don't actually do anything (for now, they just store data about you),
> > but it's still kinda fun. Here's how to sign up:
> >
> > http://www.lugnet.com/people/members/join/
> >
> > From there, you can hop to the actual enrollment form. The form is quite
> > the little beastie to fill out, so I recommend printing a hardcopy and
> > jotting down a few notes before beginning.
> >
> > Take your time filling out the form -- there's no rush to get into in queue
> > -- because the member ID numbers are assigned upon receiving the membership
> > fee, not upon receiving the completed form. (In other words, while a day or
> > two might make a difference, a few minutes or hours certainly won't.)
> >
> > It was suggested a while ago that the lifetime membership fee be a high
> > number since it was a for-life kind of thing, or to charge some sort of
> > periodic subscription fee, but we wanted it to be much more open and simple
> > than that, and, most importantly, easily affordable for anyone.
> >
> > So we set it up that you pay what you think is fair, based on what the value
> > of LUGNET is to you, with the minimum being 10 dollars (U.S.) for lifetime
> > membership, leaving anything else up to you.
> >
> > Enjoy!
> > --Todd
> >
> > p.s. Here's the announcement posting and its related thread if you're
> > interested in following along... http://www.lugnet.com/announce/?n=376
|
|
| |
I believe that Todd meant that you don't have to pay to USE Lugnet, but you do
have to pay the $10.US to become a MEMBER.
I think that maybe that some people would sort of like support another person,
by paying the fee for them if that person is financially unable(child, foreign
where the exchange rate would make it less inexpensive, etc.) Personally, even
though I don't have a lot of money to spend, $10 is relitively cheap(well, OK,
a month's allowance for me, but I have other jobs), and Todd has already done
so much for us.
Just my $.02 (now I only owe $9.98 :)
Ryan
PS Thanks for all that you've done for us
In lugnet.people, Zlatko Unger writes:
> Umm...Todd, you said we can join but those who do not want to pay they do not
> have to, right? If so how come you cannot finish the form without filling the
> $____ parts out? For example if you leace it blank you get:
> "Information missing:
> Membership fee: US$
> Portion I am paying now: $ "
>
> Z. Unger :?
>
> PS: If possible email me the answer...
|
|
| |
In lugnet.people, "Z. Unger" <dzz@mindspring.com> writes:
> Umm...Todd, you said we can join but those who do not want to pay they
> do not have to, right?
No, not exactly.
(1) Anyone can join. (2) No one has to pay to continue using LUGNET. Those
are both true statements. But not paying to join implies not joining. In
other words, it's not a true statement that someone can join without paying.
Everyone who joins has to pay in order to join. But no one is required to
join, and no one who doesn't join is required to pay.
It's like walking into a restaurant... You don't have to sit down and have
a meal there, and you don't have to pay if you don't want to, but not paying
implies not eating. No one can eat without paying; everyone who eats has to
pay in order to eat there. But no one is required to eat there, and no one
who doesn't eat there is required to pay.
(Hope that clears it up!)
> If so how come you cannot finish the form without filling the
> $____ parts out? For example if you leace it blank you get:
> "Information missing:
> Membership fee: US$
> Portion I am paying now: $ "
Because a lifetime membership costs a minimum of US$10.00.
The point in tdhe second message was to clear up the confusion about
requirements: Several people were worried that they were being asked to
pay for things that had formerly been free. But that's not the case.
Everything that was free, is still free. Memberships are a "paid add-on" --
think of them as an advanced site feature, maybe. It's been the plan since
day 0 back in 1996 for memberships to be pay-only. But not having a
membership doesn't mean not being able to use the site.
> PS: If possible email me the answer...
[cc'ing a copy]
--Todd
|
|
| |
In lugnet.people, Todd Lehman writes:
> In lugnet.people, "Richard Franks" writes:
> > In lugnet.people, Alex Roode writes:
> > > Ummm...
> > > I don't really want to pay anything... do I have to?
> >
> > Nope!
> >
> >
> > > And if I don't, will I still be able to post messages on LUGNET?
> >
> > Yep! AFAIK, everything you see here today is free, and will continue to be • so.
> > What memberships will give you is the ability to have an 'identity' on • Lugnet,
> > and participate in Auctions where Lugnet is an active hub. There are a lot • more
> > things to come in the future (see the long-term plan on the first web-page),
> > obviously including things we haven't even thought of yet! But for now,
> > membership for me means support for something that I think is worthwhile,
> > deserves to grow, and also a way to say thanks!
> >
> > But as Todd wrote in the message that you responded to - membership isn't
> > something for everyone.
>
>
> I'm sending out a follow-up message to clarify things... I pasted a copy
> below...
>
> (Yuck, I hate sending out unsolicited e-mail in quantities like this -- it
> feels like spamming. :-( Last time anything like this went out to everyone
> who'd registered to post was about a year ago.
I love e-mail! As long as it takes at least two minutes to read, I love it!
(except for those dumb webpage newsleter thingies, I HATE those!)
> Once a year is more than
> enough, if you ask me. I wish I'd made a checkbox for "email me important
> announcements about new LUGNET features" so that people who might not want
> to see this wouldn't have to...)
>
> --Todd
Okay, I'm sorry if I don't wanna pay anything, but I don't use money on the
internet. I mean, all the stuff you've done for us. I also have to thank
Kevin Loch for bringing the 2000 catalog! (I bought the 4940 today, and it
didn't have the new catalog! :'( dang...)
Besides, I don't like auctions (im a bad speller (unless of corse, i acctually
spelled that right) !)
> ============================================================================
>
> <Gulp!>
Don't gulp in brackets! You might choke! ( and ) are much better.
> Sorry about the confusion, folks!
>
> Several people wrote in and asked whether LUGNET memberships and/or the
> fees were mandatory.
>
> The answer is no -- definitely not.
>
> Nothing about LUGNET is changing, except that something new (memberships)
> are being added. The memberships are 100% optional. You don't have to,
> and aren't expected to, become a member unless you yourself want to.
>
> The word "membership" is somewhat confusing because LUGNET has only had
> users up until now, and it's mostly only the old-timers who remember the
> original LUGNET Plan documents which talked about memberships. So...
>
> - A "user" is someone who accesses data in the system and reads news
> and possibly also posts messages. (This is about 3000 people over
> the past year.) And this is all free. Nothing is changing here.
>
> - A "member" is someone who has all the capabilities of a "user" but
> also has a personal page on the website
page on the wbsite? Wha??!
> and an actual account with a
> password and a member ID number and lots of other neat things into the
> future (like holding auctions and participating in formal surveys and
> voting and things like that).
and
- A "founder" is Todd.
>
> So, just to reiterate -- if you don't want to pay anything, then you don't
> have to -- and you can keep using LUGNET exactly as you have been.
>
> No money is being charged for news or data or anything like that.
> Memberships are just something extra -- something to form the backbone
> of new infrastructures being built atop everything else.
>
> Here are a couple relevant pages describing a bit about memberships,
>
> http://www.lugnet.com/admin/plan/4.html
> http://www.lugnet.com/admin/plan/8.html
>
> from the LUGNET Plan document which was published in late 1997:
>
> http://www.lugnet.com/admin/plan/
>
> Again, I apologize for any confusion...I should have made it more clear in
> the first message.
>
> If anyone has any more questions, feel free to ask them on the lugnet.people
> newsgroup:
>
> http://www.lugnet.com/people/
>
> Over and out,
Roger.
> --Todd
>
> p.s. About 90 people have filled out membership enrollment forms so far
> in the past 36 hours.
I think it would TAKE 36 hours to fill out that form... =O
Alex Roode
USER of Lugnet, not a member. ???
P.S. I like the Lugnet logo thingies on the minifig pic at the member place.
|
|
| |
Todd:
Okay, you do for us so I'd like to do a little in support of that effort and
join in on the offered Lugnet membership. At the same time, I would never
want ANY information about myself or my interests shared out without my
permission -- am I assured of confidentiality? I am not talking about other
lugnuts finding out about me -- thats fine by me -- I am talking about selling
such information about me, and us all, to some mad scheme to harrass/advertise
to me/us by phone, mail, email, etc.
Also I wanted to know if I could specifically have the membership number
1313. Pretty please? I am desperate! I almost died when I saw that you were
noting that some people might not actually want this number!!! If anyone else
has beat me to it I want to know who (or perhaps you could ask this person to
contact me instead) so that I could offer some kind of lego trade to obtain
the number for myself instead. My affinity for the number is not a passing
phase -- it has EVERYTHING to do with a long standing lego goal of mine. O,
you'll find out soon enough what that goal is, and it would have happend for
Halloween but as a student my time is not entirely my own.
Also I wanted to know if internet lego friends could share a residence on the
proposed virtual member town? This is another "pretty please?" category...I
mean since we can't share digs in the real world, can't we at least pretend we
have a shared collection of ABS junk here?
Lastly, since I know that I am not likely to cough up the big wad of cash
right at this juncture because of my not so deep pockets being, well, not so
deep -- what are the plans for future donations to the cause? Is there any
chance we members will eventually be apprised of the costs of the site, or
your out of pocket expenses? I feel sure that such moves might help avoid the
financial burden being yours alone. Are there any plans to try and make this
outfit non-profit? Just my two bits.
I apologize if some of this has already been covered and I missed it, but I
also wanted to make my special and personal requests.
Thanks, Man!
-- Richard
|
|
| |
In lugnet.people, "Richard Marchetti" <blueofnoon@aol.com> writes:
> Okay, you do for us so I'd like to do a little in support of that effort and
> join in on the offered Lugnet membership. At the same time, I would never
> want ANY information about myself or my interests shared out without my
> permission -- am I assured of confidentiality? I am not talking about other
> lugnuts finding out about me -- thats fine by me -- I am talking about selling
> such information about me, and us all, to some mad scheme to harrass/advertise
> to me/us by phone, mail, email, etc.
I can't promise 100.000% confidentiality, since no matter how unlikely,
theft or break-in is always a distant possibility, but I can promise that
personal information will never be sold or given out to spammers or to LEGO
or anything like that without your direct approval. Anything that's not
shown on your page will be held in strict confidentiality. Of course, if
you commit a crime and the FBI shows up with a court order for data, then
all bets are off. And of course, if you give out your password or someone
steals it from your computer or someplace you have it written down, then
they could potentially grab your personal information and do nasty things
with it.
> Also I wanted to know if I could specifically have the membership number
> 1313. Pretty please? I am desperate! I almost died when I saw that you were
> noting that some people might not actually want this number!!! If anyone else
> has beat me to it I want to know who (or perhaps you could ask this person to
> contact me instead) so that I could offer some kind of lego trade to obtain
> the number for myself instead. My affinity for the number is not a passing
> phase -- it has EVERYTHING to do with a long standing lego goal of mine. O,
> you'll find out soon enough what that goal is, and it would have happend for
> Halloween but as a student my time is not entirely my own.
So far, about 110 people have signed up, and it's gently tapering off. So
number 1313 won't come up for a while... If you've already filled out the
form and you'd like me to strike it, you could fill it out again later when
the numbers are up near that range. (I'll start publishing the names and
numbers sometime in the next few days as things get rolling.)
> Also I wanted to know if internet lego friends could share a residence on the
> proposed virtual member town? This is another "pretty please?" category...I
> mean since we can't share digs in the real world, can't we at least pretend we
> have a shared collection of ABS junk here?
You mean more than one person per house? Perhaps, but that kind of defeats
the purpose for that interface metaphor.
> Lastly, since I know that I am not likely to cough up the big wad of cash
> right at this juncture because of my not so deep pockets being, well, not so
> deep -- what are the plans for future donations to the cause?
I'm not sure I understand the question... There is a page with some
information on donations if anyone wants to make one (and a few people
have)...
http://www.lugnet.com/admin/finance/donations/
> Is there any
> chance we members will eventually be apprised of the costs of the site, or
> your out of pocket expenses?
The out-of-pocket costs so far since 1997 have been less than $10,000, but
in terms of time invested, it must be well over $100,000, if there's any way
to measure that. Not having any source of income except savings and running
parts auctions begins to take its toll on the pocketbook after a couple
years...
> I feel sure that such moves might help avoid the
> financial burden being yours alone. Are there any plans to try and make this
> outfit non-profit? Just my two bits.
I think it'll always be a for-profit thing. (Of course, it's far from
turning any kind of profit at the moment.)
--Todd
>
> I apologize if some of this has already been covered and I missed it, but I
> also wanted to make my special and personal requests.
|
|
| |
Todd Lehman <lehman@javanet.com> wrote:
> > I feel sure that such moves might help avoid the
> > financial burden being yours alone. Are there any plans to try and make this
> > outfit non-profit? Just my two bits.
>
> I think it'll always be a for-profit thing. (Of course, it's far from
> turning any kind of profit at the moment.)
I hope it always stays for-profit. I WANT someone to make money off
this. Heck, I want to help Todd & Suz actually turn a profit by
running all my auctions here. :)
--
The parts you want and nothing else?
http://jaba.dtrh.com/ - Just Another Brick Auction
Why pay eBay? Run your own LEGO auctions for free!
http://www.guarded-inn.com/bricks/
|
|
| |
lehman@javanet.com (Todd Lehman) writes:
> So we set it up that you pay what you think is fair, based on what the value
> of LUGNET is to you, with the minimum being 10 dollars (U.S.) for lifetime
> membership, leaving anything else up to you.
Is it possible to pay by having the membership fee deducted from one's
AucZILLA account? Can this be specified when signing up for a
membership?
Fredrik
|
|
| |
In lugnet.people, Mike Stanley writes:
> Todd Lehman <lehman@javanet.com> wrote:
> > > I feel sure that such moves might help avoid the
> > > financial burden being yours alone. Are there any plans to try and make • this
> > > outfit non-profit? Just my two bits.
> >
> > I think it'll always be a for-profit thing. (Of course, it's far from
> > turning any kind of profit at the moment.)
>
> I hope it always stays for-profit. I WANT someone to make money off
> this. Heck, I want to help Todd & Suz actually turn a profit by
> running all my auctions here. :)
I would have to agree in this case. I think a for-profit LUGNET can only be a
good thing. The more profit LUGNET makes then the more time Todd can devote to
it which can only make things better.
I was actually considering trying my first auction recently be have decided to
hold off for now because 1. it really isn't that much stuff, 2. I don't NEED
the money at the moment, and 3. I want to see if I can hold off long enough to
see what Todd comes up with for auctioning on LUGNET so that I can contribute
more to the financial support of LUGNET.
Eric K.
The New England LEGO Users Group
http://www.nelug.org/
|
|
| |
Mike Stanley wrote:
> I hope it always stays for-profit. I WANT someone to make money off
> this. Heck, I want to help Todd & Suz actually turn a profit by
> running all my auctions here. :)
And I want to help Todd & Suz turn a profit by transitioning all my
factoring to here... as well as running auctions and sales here, if the
prices end up being as good as eBay's...
--
Larry Pieniazek larryp@novera.com http://my.voyager.net/lar
- - - Web Application Integration! http://www.novera.com
fund Lugnet(tm): http://www.ebates.com/ ref: lar, 1/2 $$ to lugnet.
NOTE: Soon to be lpieniazek@tsisoft.com :-)
|
|
| |
In lugnet.people, Fredrik Glöckner <fredrik.glockner@bio.uio.no> writes:
> lehman@javanet.com (Todd Lehman) writes:
>
> > So we set it up that you pay what you think is fair, based on what the value
> > of LUGNET is to you, with the minimum being 10 dollars (U.S.) for lifetime
> > membership, leaving anything else up to you.
>
> Is it possible to pay by having the membership fee deducted from one's
> AucZILLA account?
OK.
> Can this be specified when signing up for a membership?
No, just send me an email here at this address...
--Todd
|
|
| |
>
> > I think it'll always be a for-profit thing. (Of course, it's far from
> > turning any kind of profit at the moment.)
What are LUGNet's actual running costs? I mean costs for upgrades, repairs, power
and Todd's time?
I assume the start-up costs would be high, or at least what I consider to be high?
Scott A
|
|
| |
My factoring for memberships seems to be working, we've done two already
with one more pending... Thank you, all, for not emailing me with
questions! :-)
--
Larry Pieniazek larryp@novera.com http://my.voyager.net/lar
- - - Web Application Integration! http://www.novera.com
fund Lugnet(tm): http://www.ebates.com/ ref: lar, 1/2 $$ to lugnet.
NOTE: Soon to be lpieniazek@tsisoft.com :-)
|
|
| |
Dear Todd,
I *still* don't know where I should send those $10. Is it to your house? If
so, what's the address?
TIA,
Shiri
|
|
| |
In lugnet.people, Shiri Dori writes:
> Dear Todd,
> I *still* don't know where I should send those $10. Is it to your house?
> If so, what's the address?
>
> TIA,
> Shiri
You just now (about 90 minutes ago) filled out the enrollment form, right?
Check your e-mail -- the info you need should be there in your inbox now.
Best,
--Todd
|
|
| |
Well, just got back from the 24x7 USPS in downtown Boston. Mailed out the
first huge stack of member packets. And whew -- the first run at it took a
lot longer than I'd expected, but now I think it's down to a science. I'll
try to run batches to the USPS every three days or so, once a week at the
very least. A bunch more will go out tomorrow as well.
BTW, the list of countries among people signed up so far is getting
interesting: everywhere from Austria to Australia, California to Canada,
Turkey to Taiwan, Italy to Israel.
Italy & Canada are tied for second place at the moment with five members
each. (62 in the U.S.) When we get up into the 100's, where the numbers
are more meaningful, I'll make this sort of info easy to get to.
--Todd
|
|
| |
Daily chuckle?
Todd Lehman wrote:
> BTW, the list of countries among people signed up so far is getting
> interesting: everywhere from Austria to Australia, California to Canada,
> Turkey to Taiwan, Italy to Israel.
I know what you meant... but California isn't a country, per se...
- it was once, though. Briefly.
- some people that live there are from another planet
- some people there wish it was
- some people in the rest of the US wish it was
--
Larry Pieniazek larryp@novera.com http://my.voyager.net/lar
- - - Web Application Integration! http://www.novera.com
fund Lugnet(tm): http://www.ebates.com/ ref: lar, 1/2 $$ to lugnet.
NOTE: Soon to be lpieniazek@tsisoft.com :-)
|
|
| |
In lugnet.people, Larry Pieniazek writes:
> - some people there wish it was
Ever wondered why that was the case, Larry?
::ahem::
-- Richard
|
|
| |
In lugnet.people, Todd Lehman writes:
> Well, just got back from the 24x7 USPS in downtown Boston. Mailed out the
> first huge stack of member packets. And whew -- the first run at it took a
> lot longer than I'd expected, but now I think it's down to a science. I'll
> try to run batches to the USPS every three days or so, once a week at the
> very least. A bunch more will go out tomorrow as well.
>
> BTW, the list of countries among people signed up so far is getting
> interesting: everywhere from Austria to Australia, California to Canada,
> Turkey to Taiwan, Italy to Israel.
>
> Italy & Canada are tied for second place at the moment with five members
> each. (62 in the U.S.) When we get up into the 100's, where the numbers
> are more meaningful, I'll make this sort of info easy to get to.
>
> --Todd
I received mine today. This is a very classy mailing. Love the envelope.
I won't spoil everyone's fun by revealing the contents, but they are very
cool!!!!! I may have to join again to get more!!!! Hmm... maybe I'll sign my
other half up.
Again, Todd and Suz, this is a very classy mailing!
But I do have one question. Where is the members log-in?
|
|
| |
In lugnet.people, Ed Jones writes:
> I received mine today. This is a very classy mailing. Love the envelope.
> I won't spoil everyone's fun by revealing the contents, but they are very
> cool!!!!! I may have to join again to get more!!!! Hmm... maybe I'll sign my
> other half up.
Ahh! I had my suspicions from day 1 as to what *might* be in there, but yeah, I
didn't want to spoil anyones fun either by suggesting it - especially if it
wasn't :)
Can't wait for mine to come through :) But as I took ages getting organised and
only sent off my fee last week it'll probably be next year now! Ooops!
Richard
|
|
| |
In lugnet.people, Ed Jones writes:
> I received mine today. This is a very classy mailing. Love the envelope.
> I won't spoil everyone's fun by revealing the contents, but they are very
> cool!!!!! I may have to join again to get more!!!! Hmm... maybe I'll sign
> my other half up.
>
> Again, Todd and Suz, this is a very classy mailing!
Thanks! And glad you enjoyed it!
> But I do have one question. Where is the members log-in?
On most pages, there's now a thing to click on in the upper-right corner
of the screen. It's labeled "Sign In" and currently (but subject to change)
shows a yellow key for the icon. Click that, and then type in your stuff
on the page that comes up. Then you should be all set.
--Todd
|
|
| |
In lugnet.people, Todd Lehman writes:
>
> On most pages, there's now a thing to click on in the upper-right corner
> of the screen. It's labeled "Sign In" and currently (but subject to change)
> shows a yellow key for the icon. Click that, and then type in your stuff
> on the page that comes up. Then you should be all set.
>
> --Todd
Cool, it works, it works.
|
|
| |
In lugnet.people, Ed Jones writes:
> I received mine today. This is a very classy mailing. Love the envelope.
> I won't spoil everyone's fun by revealing the contents, but they are very
> cool!!!!! I may have to join again to get more!!!! Hmm... maybe I'll sign my
> other half up.
>
> Again, Todd and Suz, this is a very classy mailing!
Ditto
:)
James
http://www.shades-of-night.com/lego/
|
|
| |
In lugnet.people, Larry Pieniazek writes:
> Don't tell me your PW, but should I be able to figure out what the
> default one is???
Well, if you can work out mine then please let me know :) I'm just impatient to
wait until (probably) after Christmas for my package to arrive :)
Richard
|
|
| |
In lugnet.people, Richard Franks writes:
> In lugnet.people, Larry Pieniazek writes:
> > Don't tell me your PW, but should I be able to figure out what the
> > default one is???
>
> Well, if you can work out mine then please let me know :) I'm just impatient • to
> wait until (probably) after Christmas for my package to arrive :)
>
> Richard
OK, that kind of answers that the PW is either sent in the mail or emailed
to you, I finally got around to filling out my info form (kind of embarassing
for me to be the only person in the first 20 (50?) that didn't have theirs
filled out, except for Paul G.).
So, if there is someone else out there who filled out their form but didn't get
mailed a packet, did you get an email with your password? I tried all the
obvious ones like my user ID, my name, the ever popular "password", "LUGNET"
and a few others...
Thanks. I can wait, I guess but you know how impatient I get.
++Lar
|
|
| |
In lugnet.people, Larry Pieniazek writes:
> So, if there is someone else out there who filled out their form but didn't
> get mailed a packet, did you get an email with your password? I tried all the
> obvious ones like my user ID, my name, the ever popular "password", "LUGNET"
> and a few others...
Ah.. I believe that the password is sent with your member packet, I can't
remember where I read that but it's in there somewhere!
Richard
|
|
| |
Larry Pieniazek wrote:
> In lugnet.people, Richard Franks writes:
> > In lugnet.people, Larry Pieniazek writes:
> > > Don't tell me your PW, but should I be able to figure out what the
> > > default one is???
> >
> > Well, if you can work out mine then please let me know :) I'm just impatient • to
> > wait until (probably) after Christmas for my package to arrive :)
> >
> > Richard
>
> OK, that kind of answers that the PW is either sent in the mail or emailed
> to you, I finally got around to filling out my info form (kind of embarassing
> for me to be the only person in the first 20 (50?) that didn't have theirs
> filled out, except for Paul G.).
>
> So, if there is someone else out there who filled out their form but didn't get
> mailed a packet, did you get an email with your password?
Number 49 here to say "no", my PW did not come with an email AND I have yet to
receive my membership packet. So if you see me on the street and I am not able to
perform the secret handshake, please go lightly on me.
-7x7{;^D
> I tried all the
> obvious ones like my user ID, my name, the ever popular "password", "LUGNET"
> and a few others...
>
> Thanks. I can wait, I guess but you know how impatient I get.
>
> ++Lar
|
|
| |
In lugnet.people, Larry Pieniazek writes:
> Don't tell me your PW, but should I be able to figure out what the
> default one is???
Everyone gets a different randomly-generated password. No default passwords,
no backdoors. The passwords are generated once, then crypted (like Unix),
and stored only in crypted form. Right before writing them to disk in
crypted form, they're printed straight onto the member packet cards.
At some point I'll probably need to make something to let people change their
passwords, but for now this'll do. :)
--Todd
|
|
| |
In lugnet.people, Larry Pieniazek writes:
> Don't tell me your PW, but should I be able to figure out what the
> default one is???
>
> --
> Larry Pieniazek larryp@novera.com http://my.voyager.net/lar
Well, its printed on a card under the membership card and appears to be
randomly generated ascii characters.
|
|
| |
In lugnet.people, John Neal writes:
> Number 49 here to say "no", my PW did not come with an email AND I have
> yet to receive my membership packet. So if you see me on the street and
> I am not able to perform the secret handshake, please go lightly on me.
I believe yours went out yesterday, John, so it should get to you tomorrow
(Friday), assuming the USPS isn't swamped yet.
--Todd
|
|
| |
In lugnet.people, Todd Lehman writes:
> Everyone gets a different randomly-generated password. No default passwords,
> no backdoors. The passwords are generated once, then crypted (like Unix),
> and stored only in crypted form.
Shucks! And there I was hoping that it was some intense math-geek thing.
"Take the set number of the LEGO set released closest to your birthday and
convert into 4 digit format. Interpolate these digits with the first 5 digits
of your phone number, increment the...."
:)
Richard
|
|
| |
In lugnet.announce, Todd Lehman writes:
>
> I'm happy to announce that formal LUGNET memberships are now available. :)
> So we set it up that you pay what you think is fair, based on what the value
> of LUGNET is to you, with the minimum being 10 dollars (U.S.) for lifetime
> membership, leaving anything else up to you.
If I send an extra $10, can I get a new packet of LUGNET membership stuff, most
importantly my password?
Chris
|
|
| |
In lugnet.people, Christopher L. Weeks writes:
> If I send an extra $10, can I get a new packet of LUGNET membership stuff,
> most importantly my password?
Have you forgotten your password? If so, write me an email from your primary
address and I can now ask the server to generate a new one for you and send
it directly to you via e-mail. You could think of it as a temporary new one
which you could use to sign in and change something you are less likely to
forget or lose, if you prefer.
--Todd
|
|
| |
In lugnet.admin.general, Christopher L. Weeks writes:
> In lugnet.announce, Todd Lehman writes:
> >
> > I'm happy to announce that formal LUGNET memberships are now available. :)
>
> > So we set it up that you pay what you think is fair, based on what the value
> > of LUGNET is to you, with the minimum being 10 dollars (U.S.) for lifetime
> > membership, leaving anything else up to you.
>
> If I send an extra $10, can I get a new packet of LUGNET membership stuff, • most
> importantly my password?
>
> Chris
|
|
| |
In lugnet.admin.general, Christopher L. Weeks writes:
> In lugnet.announce, Todd Lehman writes:
> >
> > I'm happy to announce that formal LUGNET memberships are now available. :)
>
> > So we set it up that you pay what you think is fair, based on what the value
> > of LUGNET is to you, with the minimum being 10 dollars (U.S.) for lifetime
> > membership, leaving anything else up to you.
>
> If I send an extra $10, can I get a new packet of LUGNET membership stuff, • most
> importantly my password?
>
> Chris
Me too. I've now forgotten all 3 of my passwords, including the two new ones
that I worked very hard to come up with memorable phrases that I could
remember and that passed that (*&)&@%&$# insanely strict password check.
Anything I can actually remember, it flags. Even my pet phrases. I gotta start
writing these passwords down.
++Lar
|
|
| |
In lugnet.people, Larry Pieniazek writes:
> In lugnet.admin.general, Christopher L. Weeks writes:
> > In lugnet.announce, Todd Lehman writes:
> > >
> > > I'm happy to announce that formal LUGNET memberships are now available. :)
> >
> > > So we set it up that you pay what you think is fair, based on what the value
> > > of LUGNET is to you, with the minimum being 10 dollars (U.S.) for lifetime
> > > membership, leaving anything else up to you.
> >
> > If I send an extra $10, can I get a new packet of LUGNET membership stuff, • most
> > importantly my password?
> >
> > Chris
>
> Me too. I've now forgotten all 3 of my passwords, including the two new ones
> that I worked very hard to come up with memorable phrases that I could
> remember and that passed that (*&)&@%&$# insanely strict password check.
>
> Anything I can actually remember, it flags. Even my pet phrases. I gotta start
> writing these passwords down.
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Ack! Don't you realize that's much more insecure than your semi-secure
easially rememberable passwords? This is retarded. My banks and credit
cards and online trading accounts don't require that much "security", why
does my chat board?
On another topic, I love the new personal inventory. Is there any
way to enter the information in on one page instead of going from set
to set?
KL
|
|
| |
In lugnet.people, Kevin Loch writes:
> On another topic, I love the new personal inventory. Is there any
> way to enter the information in on one page instead of going from set
> to set?
Oops, with duplicate set numbers that might not be a good idea :)
How about adding a UPC field to the db so we can use a CueCat?
KL
|
|
| |
In lugnet.people, Kevin Loch writes:
> Ack! Don't you realize that's much more insecure than your semi-secure
> easially rememberable passwords?
Of course not -- because that's patently false.
Uhhh, if you chronically have trouble remembering good passwords, you should
be writing them down and putting them somewhere *safe* that you trust -- like
your dresser drawer at home, or a jewelry case, or somewhere else safe behind
lock and key that you already trust. Then, if you should happen to forget
your passwords, you can look them up and refresh your memory. There's nothing
inherently insecure about written-down passwords. And something like a PayPal
password (if you can't remember it), write that down encoded somehow, to foil
burglars.
Even if your password is written down and you carry it with you wherever you
go in your wallet, that's *much* better than having a bad password. Think.
The chances of someone stealing a good password from your wallet are *much*
*much* *much* *much* *MUCH* less than the chances of a cracker stealing your
bad and easily breakable password.
> This is retarded.
I'm kinda shocked that you would say something like that, much less actually
believe it. I guess you haven't done the math! (some of which can be found
on the old thread). We're talking 25-bit number space here, Kevin.
> My banks and credit
> cards and online trading accounts don't require that much "security", why
> does my chat board?
False. Bank and credit cards require a lot more security than most people
think. It may seem as though your bank card is protected by a 4- or 8-digit
PIN number, but that's not true! Someone has to steal the card off your
person _and_ know the PIN number in order to steal your money. Oh sure, if
you lost your card and someone found it, they could try brute forcing it at
an ATM -- manually -- at the rate of maybe, at best, 6 or 7 tries per minute,
but unless they're wearing a ski mask, their face is being videotaped. And
even if they get through and steal your money, if you've reported your card
lost or stolen, you probably won't be held liable. And even if you didn't
report it stolen in time, you can probably dispute the charges.
> On another topic, I love the new personal inventory. Is there any
> way to enter the information in on one page instead of going from set
> to set?
Not currently.
--Todd
|
|
| |
Todd Lehman <lehman@javanet.com> wrote in message
news:G1Evq8.A9o@lugnet.com...
> False. Bank and credit cards require a lot more security than most people
> think. It may seem as though your bank card is protected by a 4- or • 8-digit
> PIN number, but that's not true! Someone has to steal the card off your
> person _and_ know the PIN number in order to steal your money. Oh sure, • if
> you lost your card and someone found it, they could try brute forcing it • at
> an ATM -- manually -- at the rate of maybe, at best, 6 or 7 tries per • minute,
> but unless they're wearing a ski mask, their face is being videotaped. • And
> even if they get through and steal your money, if you've reported your • card
> lost or stolen, you probably won't be held liable. And even if you didn't
> report it stolen in time, you can probably dispute the charges.
One point to note, especially for anyone planning on visiting Australia.
ATMs around here will eat cards after about four tries, if you fail on
entering the PIN succession.
Cheers ...
Geoffrey Hyde
|
|
| |
In lugnet.people, Kevin Loch writes:
> In lugnet.people, Kevin Loch writes:
> > On another topic, I love the new personal inventory. Is there any
> > way to enter the information in on one page instead of going from set
> > to set?
>
> Oops, with duplicate set numbers that might not be a good idea :)
Internally, it uses a suffix on the set number to avoid ambiguities arising
from duplicates issues of a number, for example:
http://guide.lugnet.com/set/1974_1
http://guide.lugnet.com/set/1974_2
http://guide.lugnet.com/set/1974_3
http://guide.lugnet.com/set/1974_4
(that's three sets, each numbered 1974, within a larger value pack also
numbered 1974 :-).
You can add the _1 suffix on sets where the number was only used once, and it
will automatically canonicalize the URL to a more human-friendly form whenever
possible. For example, if you click to:
http://guide.lugnet.com/set/7190_1
it rewrites the URL as:
http://guide.lugnet.com/set/7190
since 7190 is unambiguous.
But anyway, duplicate set numbers aren't too much of an issue.
> How about adding a UPC field to the db so we can use a CueCat?
Little bang for the buck, but neat geek factor. :-)
--Todd
|
|
| |
In lugnet.people, Todd Lehman writes:
> In lugnet.people, Kevin Loch writes:
> > Ack! Don't you realize that's much more insecure than your semi-secure
> > easially rememberable passwords?
>
> Of course not -- because that's patently false.
>
> Uhhh, if you chronically have trouble remembering good passwords, you should
> be writing them down and putting them somewhere *safe* that you trust -- like
> your dresser drawer at home, or a jewelry case, or somewhere else safe behind
> lock and key that you already trust. Then, if you should happen to forget
> your passwords, you can look them up and refresh your memory. There's nothing
> inherently insecure about written-down passwords. And something like a PayPal
> password (if you can't remember it), write that down encoded somehow, to foil
> burglars.
Wouldn't it be easier to e-mail the forgotten password to the e-mail address
your members input upon registration? That e-mail could be intercepted but I
don't think a lot of people would go into that kind of trouble to be able to
look at someone's personal collection.
|
|
| |
In lugnet.people, Dan Jezek writes:
> Wouldn't it be easier to e-mail the forgotten password to the e-mail address
> your members input upon registration?
I started doing that about 2 weeks ago. It generates a password, sends an
email with that password, then stores the encrypted password. The membership
packet then contains a backup password.
In the case of older members, or if someone deleted the mail -- basically, if
they just can't find it at all -- then the system can regenerate a new one
and send that.
--Todd
|
|
| |
In lugnet.people, Todd Lehman writes:
> Have you forgotten your password?
Yup.
> If so, write me an email from your primary address and...
Done!
Thank you very much.
Chris
|
|
| |
In lugnet.people, Todd Lehman writes:
>
> > My banks and credit
> > cards and online trading accounts don't require that much "security", why
> > does my chat board?
>
> False. Bank and credit cards require a lot more security than most people
> think. It may seem as though your bank card is protected by a 4- or 8-digit
> PIN number, but that's not true! Someone has to steal the card off your
> person _and_ know the PIN number in order to steal your money. Oh sure, if
Actually, all they need to know is my customer number and a PIN to view my
account records. I would consider my bank account records much more valuable
than my LUGNET profile, no offense :)
If the concern is script kiddies cracking accounts, wouldn't it make more
sense to disable accounts (or better IP's) that are attempting cracking
than force users to choose uncomfortable passwords?
You might want to consider letting your users, many of whom understand
the issues and risks as well as you do, decide for themselves what
strength password to use.
Also, I don't think Larry and I have a problem with the fact that you
reject trivial passwords, but that your standards are a bit too high
for practical use. Remember, any security measure should be designed
to delay subversion, not prevent it outright, which is theoretically
impossible. Have you determined what ammound of difficulty is required
before you could detect the intrusion attempt? Or did you set an artificially
high standard (like months or years) without consideration of the impact
it would have on legitemate use? The president would be alot safer if
he never went out in public, but that would interfere unacceptably with
his normal activities.
KL
|
|
| |
In lugnet.people, Kevin Loch writes:
> Actually, all they need to know is my customer number and a PIN to view my
> account records.
ouch. How easy is it for a thief to get your customer number? How many
digits is your PIN?
> I would consider my bank account records much more valuable
> than my LUGNET profile, no offense :)
natch. :)
> If the concern is script kiddies cracking accounts, wouldn't it make more
> sense to disable accounts (or better IP's) that are attempting cracking
Disable accounts on repeated fails and you make it trivial to DoS someone.
Disable IP addresses and you lock out the innocent on shared proxy servers.
> than force users to choose uncomfortable passwords?
Here are some tips on choosing hard-to-guess passwords that are easy to
remember:
http://www.lugnet.com/people/members/password-suggestions
There were some threads on this on Slashdot a while back, and several people
noted that one of the best ways to remember a password is to use it often
in the beginning so that your fingers actually begin to remember it (through
so-called "muscle memory"). Like riding a bike, you tend not to forget it
after a certain point. Some people suggested keeping it written down on a
paper that you keep with your person until you're comfortable that you
absolutely know it and won't forget it, then you eat that piece of paper. :)
LUGNET's pw changer
http://www.lugnet.com/people/members/pw/
lets you add a new password (keeping the old one just in case) before
retiring the old one. Kinda like having a spare set of keys.
> You might want to consider letting your users, many of whom understand
> the issues and risks as well as you do, decide for themselves what
> strength password to use.
Ahh, that is *sooo* tempting -- and I appreciate the practical advice -- but
how many people wouldn't just be lazy and click that checkbox (or whatever it
was)?
"Yah sure, I understand...urrp. OK, bob123cat it is!...Whee!...urrp."
[...two weeks later...]
"Hey, I didn't write that on my page! Hey, that's not my butt! Hey, I'm
not selling that! Hey, I didn't bid on that! What the fsck is going on?!"
Second, how many people with enough cognitive reasing power and/or training
to grok the combinatorics up, down, and sideways don't have the cognitive
ability to invent an easy-to-remember but hard-to-guess password?
> Also, I don't think Larry and I have a problem with the fact that you
> reject trivial passwords, but that your standards are a bit too high
> for practical use.
I'll agree with that. I think they may still be a bit too high. I still
seriously consider Larry's original suggestion of having two thresholds --
one for "this is really highly suggsted" and a slightly lower one for "this
is the lowest safely allowed." The thresholds can be tuned very finely.
> Remember, any security measure should be designed
> to delay subversion, not prevent it outright, which is theoretically
> impossible. Have you determined what ammound of difficulty is required
> before you could detect the intrusion attempt?
A corrupted cookie file could look like an intrusion attempt, although a
corrupted cookie file isn't so likely to result in rapid variations and
permutations without something like stack frame variable corruption.
> Or did you set an artificially
> high standard (like months or years) without consideration of the impact
> it would have on legitemate use? The president would be alot safer if
> he never went out in public, but that would interfere unacceptably with
> his normal activities.
I'm not sure if I'm remembering the figures exactly, but IIRC it currently
passes 6-character pw's containing an average of approximately 24-26 bits of
unique information. To make pw's more "practical" would mean dropping that
even further (26 is already somewhat risky) down to something like probably
18. Even 2^20 is only one million, and 2^18 is only 1/4 million. If someone
ran one innocuous HTTP request per second, it would take less than a week to
make 2^18 attempts in that more relaxed pw validation scenario.
2^18 is open net hockey for crackers.
--Todd
|
|
| |
Hi there!
Excuse me if i am totally lost here...
Is it not so that a 6 letter password containing letters from A to Z and 0
to 9, can have 36^6 different combinations and contains 48 bits in a unique
order?
A binary value containing 0 or 1 in 8 postitions is 2^8, equals 256
/Joakim
"Todd Lehman" <lehman@javanet.com> wrote in message
news:G1FIsA.Etr@lugnet.com...
> I'm not sure if I'm remembering the figures exactly, but IIRC it currently
> passes 6-character pw's containing an average of approximately 24-26 bits • of
> unique information. To make pw's more "practical" would mean dropping • that
> even further (26 is already somewhat risky) down to something like • probably
> 18. Even 2^20 is only one million, and 2^18 is only 1/4 million. If • someone
> ran one innocuous HTTP request per second, it would take less than a week • to
> make 2^18 attempts in that more relaxed pw validation scenario.
>
> 2^18 is open net hockey for crackers.
>
> --Todd
|
|
| |
In lugnet.people, Joakim Olsson writes:
> Hi there!
> Excuse me if i am totally lost here...
> Is it not so that a 6 letter password containing letters from A to Z and 0
> to 9, can have 36^6 different combinations and contains 48 bits in a unique
> order?
> A binary value containing 0 or 1 in 8 postitions is 2^8, equals 256
36^6 is about equal to 2^31. Maybe it was typical 5-character pw's that
resulted in 24-26 bits of true information...I don't remember for sure, it
was many months ago. OK, yes, <calculator poking> 36^5 is about equal to
2^26. Also, IIRC, I think many 5-character pw's were rejected during the
random statistical tests on grounds of being too short and simple. Most of
the random 6-character pw's went through OK. Anyway, 2^18 is open net hockey
and 2^24 is still not so great.
Thanks.
--Todd
|
|
| |
I've been on a few BBSes, quite a while back now, and believe me, some of
the passwords that I came up with were quite alphanumeric, and rather
random.
A hacker's chance of guessing a random, or even semi-random, password is
therefore theoretically rather small. This would make any kind of
brute-force attack rather obvious looking, and moreover, rather easily
traceable. This therefore is a sufficient deterrent to would-be hackers. I
would rather live with a sufficient deterrent to hackers than an
insufficient nightmare which keeps Todd constantly checking with law
enforcement agencies.
Keep up the good work mate!
Cheers ...
Geoffrey Hyde
Todd Lehman <lehman@javanet.com> wrote in message
news:G1FK70.H7p@lugnet.com...
> In lugnet.people, Joakim Olsson writes:
> > Hi there!
> > Excuse me if i am totally lost here...
> > Is it not so that a 6 letter password containing letters from A to Z and • 0
> > to 9, can have 36^6 different combinations and contains 48 bits in a • unique
> > order?
> > A binary value containing 0 or 1 in 8 postitions is 2^8, equals 256
>
> 36^6 is about equal to 2^31. Maybe it was typical 5-character pw's that
> resulted in 24-26 bits of true information...I don't remember for sure, it
> was many months ago. OK, yes, <calculator poking> 36^5 is about equal to
> 2^26. Also, IIRC, I think many 5-character pw's were rejected during the
> random statistical tests on grounds of being too short and simple. Most • of
> the random 6-character pw's went through OK. Anyway, 2^18 is open net • hockey
> and 2^24 is still not so great.
>
> Thanks.
>
> --Todd
|
|
| |
In lugnet.people, Todd Lehman writes:
>
> Disable accounts on repeated fails and you make it trivial to DoS someone.
> Disable IP addresses and you lock out the innocent on shared proxy servers.
>
>
Not if you only disable loggin in as that user from that ip.
> I'm not sure if I'm remembering the figures exactly, but IIRC it currently
> passes 6-character pw's containing an average of approximately 24-26 bits of
> unique information. To make pw's more "practical" would mean dropping that
> even further (26 is already somewhat risky) down to something like probably
> 18. Even 2^20 is only one million, and 2^18 is only 1/4 million. If someone
> ran one innocuous HTTP request per second, it would take less than a week to
> make 2^18 attempts in that more relaxed pw validation scenario.
>
> 2^18 is open net hockey for crackers.
I think a minimum of 6 characters is a good limit. It's the character
diversity that is causeing problems. Also, you could make failed attempts
take a few extra seconds to further delay brute force attacks. You
cold even make successful logins take a few extra seconds just for good
measure.
BTW, no password is required to post right?
KL
|
|
| |
In lugnet.people, Kevin Loch writes:
> In lugnet.people, Todd Lehman writes:
> > Disable accounts on repeated fails and you make it trivial to DoS someone.
> > Disable IP addresses and you lock out the innocent on shared proxy servers.
>
> Not if you only disable loggin in as that user from that ip.
Is there a way to tell if a given IP address is a shared proxy server or not?
If you disable login access as one user from a given IP address, then you
effectively disable login access as _all_ users from that IP address, because
it would be just as trivial to DoS everyone in succession as it would be to
DoS a single person. In other words, disabling logging in as a user from a
given IP address still locks out the innocent on attacks coming through shared
proxy servers.
> I think a minimum of 6 characters is a good limit. It's the character
> diversity that is causeing problems.
Crack programs use dictionaries.
> Also, you could make failed attempts
> take a few extra seconds to further delay brute force attacks.
I'm kinda wary of that because it is so trivial for a potential attacker to
fork multiple copies of itself and work right arond the delay as if it wasn't
even there. If you delay 3 seconds, then a cracker program just forks extra
copies of itself and works in parallel. So sleep-delays over HTTP don't count
for much. On the other hand, a server could probably get around that by
making a password mutex for each IP address, whereupon failure the process who
owns the mutex would delay some number of seconds before releasing the mutex
to the next process. That way, no HTTP process checking a pw could step
around any other.
> You cold even make successful logins take a few extra seconds just for good
> measure.
Cookie == micro-login. Successful logins have to be as fast as possible.
> BTW, no password is required to post right?
Right.
--Todd
|
|
| |
In lugnet.people, Todd Lehman writes:
> In lugnet.people, Kevin Loch writes:
> > In lugnet.people, Todd Lehman writes:
> > > Disable accounts on repeated fails and you make it trivial to DoS someone.
> > > Disable IP addresses and you lock out the innocent on shared proxy servers.
> >
> > Not if you only disable loggin in as that user from that ip.
>
> Is there a way to tell if a given IP address is a shared proxy server or not?
> If you disable login access as one user from a given IP address, then you
> effectively disable login access as _all_ users from that IP address, because
> it would be just as trivial to DoS everyone in succession as it would be to
> DoS a single person. In other words, disabling logging in as a user from a
> given IP address still locks out the innocent on attacks coming through shared
> proxy servers.
>
>
> > I think a minimum of 6 characters is a good limit. It's the character
> > diversity that is causeing problems.
>
> Crack programs use dictionaries.
Um, yes I know that. It's also possible to generate "human random"
dictionaries that speed up brute force of "strong" passwords where
users are forced within certain limits. BTW, I wonder what the keyspace
is of all (8 chars and less as typical) LUGNET filter approved
passwords is? Remember the more you restrict the keyspace the less
secure it is mathematically.
>
> > Also, you could make failed attempts
> > take a few extra seconds to further delay brute force attacks.
>
> I'm kinda wary of that because it is so trivial for a potential attacker to
> fork multiple copies of itself and work right arond the delay as if it wasn't
> even there. If you delay 3 seconds, then a cracker program just forks extra
> copies of itself and works in parallel. So sleep-delays over HTTP don't count
> for much. On the other hand, a server could probably get around that by
> making a password mutex for each IP address, whereupon failure the process who
> owns the mutex would delay some number of seconds before releasing the mutex
> to the next process. That way, no HTTP process checking a pw could step
> around any other.
>
>
Problem solved (login locking).
> > You cold even make successful logins take a few extra seconds just for good
> > measure.
>
> Cookie == micro-login. Successful logins have to be as fast as possible.
>
>
cookie=no dely, unless you are concerned with people hacking cookie/ip pairs.
but successful user/pw login should be delayed exactly the same as user/pw
failiure. If you really wanted to be slick, drop successful and unsuccessful
logins into the homepage with no indication of login status. Give successful
and unsuccessful logins similar cookies. Of course that would impact
the user experience so you wouldn't do that :)
> > BTW, no password is required to post right?
>
> Right.
|
|
| |
In lugnet.people, Kevin Loch writes:
> Um, yes I know that. It's also possible to generate "human random"
> dictionaries that speed up brute force of "strong" passwords where
> users are forced within certain limits. BTW, I wonder what the keyspace
> is of all (8 chars and less as typical) LUGNET filter approved
> passwords is? Remember the more you restrict the keyspace the less
> secure it is mathematically.
http://news.lugnet.com/admin/general/?n=5788
> > [...] On the other hand, a server could probably get around that by
> > making a password mutex for each IP address, whereupon failure the process
> > who owns the mutex would delay some number of seconds before releasing the
> > mutex to the next process. That way, no HTTP process checking a pw could
> > step around any other.
>
> Problem solved (login locking).
I'm very tempted to head in that direction. Even not relaxing the strictness
of the validator, I think it would be wise.
> cookie=no dely, unless you are concerned with people hacking cookie/ip pairs.
Cooking hacking is the logical place for crackers to focus since it's easy
to make the HTTP logs look less un-normal than ten thousand hits all on the
same URL.
BTW, what is cookie/ip pair?
> but successful user/pw login should be delayed exactly the same as user/pw
> failiure.
Why delay successful logins? I thought the only thing that's important is
that the failures take the same amount of time (or a random amount of time).
If two failures take a different amount of time proportional to something like
the matching portion (some old systems long ago did this) people can exploit
that, but what could be exploited by not delaying on a successful attempt?
You can't not give some sort of positive feedback to the user upon success.
> If you really wanted to be slick, drop successful and unsuccessful
> logins into the homepage with no indication of login status. Give successful
> and unsuccessful logins similar cookies. Of course that would impact
> the user experience so you wouldn't do that :)
That would bad for users, ya.
--Todd
|
|
| |
In lugnet.people, Todd Lehman writes:
>
> Cooking hacking is the logical place for crackers to focus since it's easy
> to make the HTTP logs look less un-normal than ten thousand hits all on the
> same URL.
>
> BTW, what is cookie/ip pair?
The BrickShelf uses the cookie returned *and* the ip address that the cookie
was issued to for reauthenticate login. Nobody has complained about loosing
login yet via multiple proxies (i.e. aol). Also, cookies can be made
*much* more difficult than typical passwords (BrickShelf uses 64 bytes).
>
> > but successful user/pw login should be delayed exactly the same as user/pw
> > failiure.
>
> Why delay successful logins? I thought the only thing that's important is
> that the failures take the same amount of time (or a random amount of time).
> If two failures take a different amount of time proportional to something like
> the matching portion (some old systems long ago did this) people can exploit
> that, but what could be exploited by not delaying on a successful attempt?
> You can't not give some sort of positive feedback to the user upon success.
If successful login takes 10ms, and failiures delay by 2 seconds, I know
if I don't receive a response within 100ms I can try again.
>
> > If you really wanted to be slick, drop successful and unsuccessful
> > logins into the homepage with no indication of login status. Give • successful
> > and unsuccessful logins similar cookies. Of course that would impact
> > the user experience so you wouldn't do that :)
>
> That would bad for users, ya.
>
> --Todd
So is not being able to set a pasword they can remember no?
I think we agree in what makes a password stronger or weaker.
My recommendation is to choose the right balance between convenience
and security. If no one is hacking accounts and many users are complaining
about the password filter, then you might want to adjust the filter settings.
My guess is that many more people will explore and use the more advanced
LUGNET features if you do that. I'd like to see more people rate sets,
list inventories and create web pages on LUGNET. I'm almost certain this
password thing is affecting that. Although I have to admit the set
inventory was so cool I actual dug the LUGNET membership card out of the
closet (no minor task) just so I could log in and try it out.
Hmm, this gives me an idea for the next poll...
KL
|
|
| |
In lugnet.people, Kevin Loch writes:
> I think we agree in what makes a password stronger or weaker.
> My recommendation is to choose the right balance between convenience
> and security.
As is mine. Todd has one opinion of where that is. Some people think it is too
strict. Some are happy. I wonder if any think it is too lenient?
> If no one is hacking accounts and many users are complaining
> about the password filter, then you might want to adjust the filter settings.
> My guess is that many more people will explore and use the more advanced
> LUGNET features if you do that. I'd like to see more people rate sets,
> list inventories and create web pages on LUGNET. I'm almost certain this
> password thing is affecting that.
I know it is affecting me. Todd sent me a new password and I set two more that
hopefully I will have better luck remembering, but I still have 3 that are
cluttering up stuff. How do I remove those if I don't know what they are?
++Lar
|
|
| |
In lugnet.people, Kevin Loch writes:
> > BTW, what is cookie/ip pair?
>
> The BrickShelf uses the cookie returned *and* the ip address that the cookie
> was issued to for reauthenticate login. Nobody has complained about loosing
> login yet via multiple proxies (i.e. aol).
But doesn't that make somebody have to log in again if they use *any* kind of
non-static-IP connection -- i.e., a typical dial-up or DHCP connection -- and
not limited only to shared proxy servers? If they're on a typical ISP dial-up
PPP connection and hang up the phone and dial back in ten minutes later, do
they have to log in again to make more changes?
> Also, cookies can be made
> *much* more difficult than typical passwords (BrickShelf uses 64 bytes).
>
> If successful login takes 10ms, and failiures delay by 2 seconds, I know
> if I don't receive a response within 100ms I can try again.
I don't see how that's an effective deterrant.
If successful login takes 10ms, then a single attacking client process with
one child process that it kills after 10-100 ms could make, say, 10 to 20
attempts per second.
If successful logins are delayed by 2 seconds, why can't your client fork
20 copies of itself and try a whole bunch of pw's in parallel? If the server
isn't mutexing on the IP address, you'll know within a few seconds if any
of those worked, with comparable overall throughput in attemps per second to
the single-process attack.
Now, if a server mutexes on the IP address and delays all client processes
connected to an attacking IP address upon login failure, then delaying upon
successful login is moot, because attacks can't be sped up. So in either
case, why bother delaying upon success? Isn't the important thing is to have
a solid way to limit the overall throughput of failed attempts?
--Todd
|
|
| |
In lugnet.people, Larry Pieniazek writes:
> I know it is affecting me. Todd sent me a new password and I set two more
> that hopefully I will have better luck remembering, but I still have 3 that
> are cluttering up stuff. How do I remove those if I don't know what they
> are?
I didn't plan for that. In the beginning, I honestly didn't think that anyone
would ever forget their password (or at least not have it written down
somewhere that they could find it). I'll have to come up with something.
Since the pw's are encrypted on the server and stored in an untagged list,
I can't tell which are the older ones and which are the newer ones. For
now, if you really want the old ones cleared out, I can wipe the entire list,
but then you'd have to take a new one and change that again -- more hassle
than you probably want.
--Todd
|
|
| |
In lugnet.people, Todd Lehman writes:
> In lugnet.people, Larry Pieniazek writes:
> > I know it is affecting me. Todd sent me a new password and I set two more
> > that hopefully I will have better luck remembering, but I still have 3 that
> > are cluttering up stuff. How do I remove those if I don't know what they
> > are?
>
> I didn't plan for that. In the beginning, I honestly didn't think that anyone
> would ever forget their password (or at least not have it written down
> somewhere that they could find it). I'll have to come up with something.
> Since the pw's are encrypted on the server and stored in an untagged list,
> I can't tell which are the older ones and which are the newer ones. For
> now, if you really want the old ones cleared out, I can wipe the entire list,
> but then you'd have to take a new one and change that again -- more hassle
> than you probably want.
No that would work, I wrote down the password you sent me and the two new ones
I chose and they are pretty memorable, I hope. Implement something that
generates a new password AND wipes out ALL the old ones in one fell swoop.
Then send me the new password, I'll discard the old autogenerated (which would
now not be in there anyway), put in the two new ones I chose as easy to
remember (sorry Todd, one is a personal slur on you but it's easy to remember)
and I will be all set.
This "wipe out all passwords and send a new one" is mighty powerful stuff. Use
with extreme caution. (but you can trust ME of course... so go for it...)
++Lar
> --Todd
|
|
| |
Todd Lehman <lehman@javanet.com> wrote:
> ouch. How easy is it for a thief to get your customer number? How many
> digits is your PIN?
My old bank (US Trust) used my social security number + PIN for phone access
to my account. Eep.
--
Matthew Miller ---> mattdm@mattdm.org
Quotes 'R' Us ---> http://quotes-r-us.org/
Boston University Linux ---> http://linux.bu.edu/
|
|
| |
In lugnet.people, Todd Lehman writes:
>
> Here are some tips on choosing hard-to-guess passwords that are easy to
> remember:
>
> http://www.lugnet.com/people/members/password-suggestions
>
> LUGNET's pw changer
>
> http://www.lugnet.com/people/members/pw/
I'm amazed on how complex and sophisticated the Lugnet password system is.
There are the password suggestions, Password strength analyzer which even
includes an internal dictionary and gives you the CPU time that it took to
analyze the password... I tried P4#$37FG and it barely passed. Ability to
have multiple passwords (which means having a separate database table just for
the passwords), retire old passwords, etc, etc.
The funny thing is that the password doesn't really protect anything other
than the rating system and one's collection ... the last time I checked I
could post under someone else's username :-P
|
|
| |
In lugnet.people, Dan Jezek writes:
> I'm amazed on how complex and sophisticated the Lugnet password system is.
> There are the password suggestions, Password strength analyzer which even
> includes an internal dictionary and gives you the CPU time that it took to
> analyze the password... I tried P4#$37FG and it barely passed. Ability to
> have multiple passwords (which means having a separate database table just
> for the passwords), retire old passwords, etc, etc.
Yup, it's a serious system. Most systems don't take pw issues seriously.
> The funny thing is that the password doesn't really protect anything other
> than the rating system and one's collection ... the last time I checked I
> could post under someone else's username :-P
We'll see how many people find it funny nine months from now.
--Todd
|
|
| |
In lugnet.people, Dan Jezek writes:
> [...]
> analyze the password... I tried P4#$37FG and it barely passed. Ability to
> [...]
That's a problem. It does fail too many good pw's, partially because it
tries to be too clever in transmogrifications and 20 different language
lookups in its dictionary of 3 million words. (It was just as easy to put
in that many as it was to put in English only -- there are gobs of word lists
and dictionaries freely available for that sort of purpose.)
--Todd
|
|
| |
In lugnet.people, Todd Lehman writes:
> In lugnet.people, Dan Jezek writes:
> > [...]
> > analyze the password... I tried P4#$37FG and it barely passed. Ability to
> > [...]
>
> That's a problem. It does fail too many good pw's, partially because it
> tries to be too clever in transmogrifications and 20 different language
> lookups in its dictionary of 3 million words.
^^^^^^^^^^^^^^^^^^
Ouch! I can only imagine the time it took you to key all that data in.
|
|
| |
In lugnet.people, Dan Jezek writes:
> > That's a problem. It does fail too many good pw's, partially because it
> > tries to be too clever in transmogrifications and 20 different language
> > lookups in its dictionary of 3 million words.
> ^^^^^^^^^^^^^^^^^^
> Ouch! I can only imagine the time it took you to key all that data in.
FTP standard ASCII text document, one word per line. Convert to ISO-8859-1
if necessary (character-based search & replace, quick). Feed to indexer via
pipe. Walk away, sip coffee, come back later, it's all done. No typing.
--Todd
|
|
| |
Larry Pieniazek wrote:
> This "wipe out all passwords and send a new one" is mighty powerful stuff. Use
> with extreme caution. (but you can trust ME of course... so go for it...)
A solution to this could be to do the following:
- when someone asks for a password reset, create a new password for
them, put it in the list, also put it in a special "reset account"
password file (along with the ID).
- when the user receives the "reset" password, they log on using it, and
go to the "reset" page (the system could even detect the use of this
password and automagically send you to this page)
- when the user clicks on the "reset password" button (after reading
what will be done), the system removes all passwords from the password
file, then the system takes the the new password (which it conveniently
has in the reset account file), and automatically enters it into the
main password file. Once this is done and comitted to disk, the entry
is removed from the "reset password" file.
- if a system crash interrupts this, the system will also check the
"reset password" file to allow you to log on.
- There should also be an "oops" button which removes the reset password
from both files and effectively cancels the reset.
- If the reset password is not used within a certain time limit, it
should be cleared.
This should block DOS by resetting someone's passwords since the person
who receives the e-mail must take action on it.
--
Frank Filz
-----------------------------
Work: mailto:ffilz@us.ibm.com (business only please)
Home: mailto:ffilz@mindspring.com
|
|
| |
In lugnet.admin.general, Dan Jezek writes:
> In lugnet.people, Todd Lehman writes:
> > In lugnet.people, Dan Jezek writes:
> > > [...]
> > > analyze the password... I tried P4#$37FG and it barely passed. Ability to
> > > [...]
> >
> > That's a problem. It does fail too many good pw's, partially because it
> > tries to be too clever in transmogrifications and 20 different language
> > lookups in its dictionary of 3 million words.
> ^^^^^^^^^^^^^^^^^^
> Ouch! I can only imagine the time it took you to key all that data in.
Imagine it is all you *can* do, as Todd didn't actually do the typing, he said
he got lists of words readily available from the 'net that are made available
(by whom?) to aid in building stronger password checkers. (and also to aid in
building dictionary attack robots??)
++Lar
|
|
| |
"Todd Lehman" <lehman@javanet.com> wrote in message
news:G1HDIu.J6p@lugnet.com...
> In lugnet.people, Dan Jezek writes:
> > The funny thing is that the password doesn't really protect anything • other
> > than the rating system and one's collection ... the last time I checked • I
> > could post under someone else's username :-P
>
> We'll see how many people find it funny nine months from now.
So ... are you going to tell us what is going to happen nine months from now
or just leave us hanging?
IMHO, the password checker and system is way to stringent for the system, as
it currently exists, I've worked in places where I've had to have government
security checks and they weren't this concerned over passwords and security.
But, depending on your plans, it my be appropriate in the future.
Either way, it doesn't really matter to me. I keep my password in my Palm,
so it's always with me, no matter how long or convoluted is has to be.
Mike
--
Mike Faunce
mike at faunce dot com
LUGNET #96
|
|
| |
In lugnet.admin.general, Todd Lehman wrote:
> I didn't plan for that. In the beginning, I honestly didn't think that anyone
> would ever forget their password (or at least not have it written down
> somewhere that they could find it).
Huh? Todd, I hope you meant to write, "I didn't think about dealing with
people forgetting their passwords".
People forget passwords *all* *the* *time*. That's why so many sites have
such ridiculously unsecure password requirements -- so people can remember
how to get in.
And writing passwords down doesn't help -- people either either leave them
out in the open, or they put them in a safe place, and forget what that
safe place is.
Steve
|
|
| |
In lugnet.people, Steve Bliss writes:
> In lugnet.admin.general, Todd Lehman wrote:
> > I didn't plan for that. In the beginning, I honestly didn't think that
> > anyone would ever forget their password (or at least not have it written
> > down somewhere that they could find it).
>
> Huh? Todd, I hope you meant to write, "I didn't think about dealing with
> people forgetting their passwords".
No, I meant exactly that: I didn't think that anyone would ever (a) forget
their password or (b) not be able to just go look it up. When you put it in
a cookie, you don't even have to remember it beyond that, unless you move to
different systems or sign out or your cookie file becomes corrupt. I guess
that was naive of me. We sent it out printed-only in the beginning so that
that we could verify that someone had actually received it (kinda like what
PayPal does, but not quite as stringent) and so that they'd have a written
copy they could keep somewhere safe if they ever needed it, or destroy it if
they knew they wouldn't forget it.
> People forget passwords *all* *the* *time*. That's why so many sites have
> such ridiculously unsecure password requirements -- so people can remember
> how to get in.
Yah, OK. Heh heh. I wonder, though, don't people still forget even their
super-insecure bad passwords? BTW, I've read more than one story of someone
reporting that a stubborn friend of theirs (different people) would use a
site's name as their login password. I guess that's pretty hard to forget,
if you're consistent about it. :-)
> And writing passwords down doesn't help -- people either either leave them
> out in the open, or they put them in a safe place, and forget what that
> safe place is.
Well, now that you mention it, I have gotten a few mails from people who said
they can't remember where they put their membership packet. Someone had moved
to a new house and hadn't unpacked it yet, and another person thought their SO
might've cleaned up and put it somewhere.
--Todd
|
|
| |
Todd Lehman <lehman@javanet.com> wrote:
> > The funny thing is that the password doesn't really protect anything other
> > than the rating system and one's collection ... the last time I checked I
> > could post under someone else's username :-P
> We'll see how many people find it funny nine months from now.
I don't find it funny; I'm just glad it hasn't been a problem.
It'd be nice to hack in some sort of GPG-based authentication system....
--
Matthew Miller ---> mattdm@mattdm.org
Quotes 'R' Us ---> http://quotes-r-us.org/
Boston University Linux ---> http://linux.bu.edu/
|
|
| |
Larry Pieniazek <lpieniazek@mercator.com> wrote:
> he got lists of words readily available from the 'net that are made
> available (by whom?) to aid in building stronger password checkers. (and
> also to aid in building dictionary attack robots??)
University of Oxford. <ftp://ftp.ox.ac.uk/pub/wordlists/>. Wordlists have
non-password related uses too, apparently. :)
--
Matthew Miller ---> mattdm@mattdm.org
Quotes 'R' Us ---> http://quotes-r-us.org/
Boston University Linux ---> http://linux.bu.edu/
|
|
| |
In lugnet.people, Todd Lehman writes:
> In lugnet.people, Dan Jezek writes:
> > I'm amazed on how complex and sophisticated the Lugnet password system is.
> > There are the password suggestions, Password strength analyzer which even
> > includes an internal dictionary and gives you the CPU time that it took to
> > analyze the password... I tried P4#$37FG and it barely passed. Ability to
> > have multiple passwords (which means having a separate database table just
> > for the passwords), retire old passwords, etc, etc.
>
> Yup, it's a serious system. Most systems don't take pw issues seriously.
>
>
> > The funny thing is that the password doesn't really protect anything other
> > than the rating system and one's collection ... the last time I checked I
> > could post under someone else's username :-P
>
> We'll see how many people find it funny nine months from now.
>
> --Todd
Huh?
Ther is only one thing I can think of that has a nine month
completion cycle, and it doesn't have a thing to do with passwords.
Could you elaborate?
KL
|
|
| |
In lugnet.people, Kevin Loch writes:
> > We'll see how many people find it funny nine months from now.
>
> Huh?
>
> Ther is only one thing I can think of that has a nine month
> completion cycle, and it doesn't have a thing to do with passwords.
> Could you elaborate?
LOL, no not that. :)
--Todd
|
|
| |
In lugnet.people, Kevin Loch writes:
> In lugnet.people, Todd Lehman writes:
> > In lugnet.people, Dan Jezek writes:
> > > I'm amazed on how complex and sophisticated the Lugnet password system is.
> > > There are the password suggestions, Password strength analyzer which even
> > > includes an internal dictionary and gives you the CPU time that it took to
> > > analyze the password... I tried P4#$37FG and it barely passed. Ability to
> > > have multiple passwords (which means having a separate database table just
> > > for the passwords), retire old passwords, etc, etc.
> >
> > Yup, it's a serious system. Most systems don't take pw issues seriously.
> >
> >
> > > The funny thing is that the password doesn't really protect anything other
> > > than the rating system and one's collection ... the last time I checked I
> > > could post under someone else's username :-P
> >
> > We'll see how many people find it funny nine months from now.
> >
> > --Todd
>
> Huh?
>
> Ther is only one thing I can think of that has a nine month
> completion cycle, and it doesn't have a thing to do with passwords.
> Could you elaborate?
Maybe Todd will finally unveil his gigantic space minifig colony. He's been
promising it since '98 .... That would be something to see! I'm not laughing
any more :-O
- Dan
|
|
| |
In lugnet.people, Dan Jezek writes:
> Maybe Todd will finally unveil his gigantic space minifig colony. He's
> been promising it since '98 .... That would be something to see! I'm not
> laughing any more :-O
Still on the back burner.
http://news.lugnet.com/people/?n=382
--Todd
|
|
| |
In lugnet.people, Todd Lehman writes:
> Still on the back burner.
> http://news.lugnet.com/people/?n=382
And it's a shame, too, since the test models, or preliminary models, or, uh,
whatever you'd qualify them as that I've seen look ultra-sweet.
But I'm hardly one to talk about low model output. I have at least three
things I want to build in my head. Wait. I mean, I have at least three models
in my head that I want to build, and I've done nothing about it so far.
eric
|
|
| |
In lugnet.admin.general, Matthew Miller writes:
> Larry Pieniazek <lpieniazek@mercator.com> wrote:
> > he got lists of words readily available from the 'net that are made
> > available (by whom?) to aid in building stronger password checkers. (and
> > also to aid in building dictionary attack robots??)
>
> University of Oxford. <ftp://ftp.ox.ac.uk/pub/wordlists/>. Wordlists have
> non-password related uses too, apparently. :)
What? You mean there's more to LUGNET than sparring about passwords and spam?
As to the link, thanks, new I had scene it B4. I never knead dictionaries,
personally, except when siteing to refute... Just ask me, I'll be glad to tell
you wot a grate speller I am.
++Lar
|
|
| |
In lugnet.people, Larry Pieniazek writes:
> In lugnet.admin.general, Matthew Miller writes:
> > Larry Pieniazek <lpieniazek@mercator.com> wrote:
> > > he got lists of words readily available from the 'net that are made
> > > available (by whom?) to aid in building stronger password checkers. (and
> > > also to aid in building dictionary attack robots??)
> >
> > University of Oxford. <ftp://ftp.ox.ac.uk/pub/wordlists/>. Wordlists have
> > non-password related uses too, apparently. :)
>
> What? You mean there's more to LUGNET than sparring about passwords and spam?
>
> As to the link, thanks, new I had scene it B4. I never knead dictionaries,
> personally, except when siteing to refute... Just ask me, I'll be glad to tell
> you wot a grate speller I am.
>
> ++Lar
I just figured out how to easially pass the LUGNET pw test. Use
lots of special characters. This one: ^n).F6'%#*><}{#: scores
a whopping 900% with no warnings. Just make sure you throw in a number
a lower case letter and an upper case letter and you are all set.
That bypasses the pesky /<-R4d dictionary translator (numbers <-> words)
that has probably been messing most people up. Of course this does
restrict the keyspace significantly, but at least you won't have to
try 300 passwords to get one that passes.
Of course yours doesn't have to be as long as the 900% example.
It diddn't take too long ot come up with ]4b[G which is only 5 characters
yet passes with 350% and absolutely no warnings. Hey, that's a great
strong pasword. "Excellent" according to the appraisal.
Also, it's easier to pass if you avoid mathematical symbols <>-+#%,
heavilly favoring others []':; and so on.
Basically, avoid regular letters and numbers at all cost.
KL
|
|
| |
In lugnet.people, Kevin Loch writes:
> [...]
> Basically, avoid regular letters and numbers at all cost.
Gee, that was so funny I almost forgot to laugh. There are plenty of
6-character pw's that you can use that have 5 letters and one number or
special character, and plenty of 7-character pw's that you can use that are
all lowercase letters. I don't see why some people are having trouble coming
up with something.
But be that as it may, I would much rather discuss practical ways to limit
brute-force cracking throughput so that the strictness of the validator can
be lowered to something more human-factors-friendly.
--Todd
|
|
| |
In lugnet.people, Mike Faunce writes:
> > We'll see how many people find it funny nine months from now.
> So ... are you going to tell us what is going to happen nine months from
> now or just leave us hanging?
A combination of things... first, by then there will be more things in
place that will matter more; second, the pw validator will very likely be
less stringent; third, I predict that within the next nine months, a major
online banking site such as PayPal will have a major fiasco in the news with
tens or hundreds of thousands of user accounts having been either cracked
via a distributed stealth parallel cracking system or DoS'd through a
distributed and carefully orchestrated DoS attack based on the principle that
they lock someone of their account out if a small number of multiple login
attempts fail rather than having more stringent pw requirements and allowing
a larger number of fails.
--Todd
|
|
| |
In lugnet.people, Todd Lehman writes:
> In lugnet.people, Mike Faunce writes:
> > > We'll see how many people find it funny nine months from now.
> > So ... are you going to tell us what is going to happen nine months from
> > now or just leave us hanging?
>
> A combination of things... first, by then there will be more things in
> place that will matter more; second, the pw validator will very likely be
> less stringent; third, I predict that within the next nine months, a major
> online banking site such as PayPal will have a major fiasco in the news with
> tens or hundreds of thousands of user accounts having been either cracked
> via a distributed stealth parallel cracking system or DoS'd through a
> distributed and carefully orchestrated DoS attack based on the principle that
> they lock someone of their account out if a small number of multiple login
> attempts fail rather than having more stringent pw requirements and allowing
> a larger number of fails.
>
> --Todd
Actually I found PayPal's pw filter to be fairly stringent.
KL
|
|
| |
In lugnet.people, Kevin Loch writes:
> [...] Also, cookies can be made *much* more difficult than typical
> passwords (BrickShelf uses 64 bytes).
I agree! In a cookie, you can put complete random garbage that only the
authentication server knows how to interpret. And if certain bits contain
an index, you can even use a one-time pad or other complex mapping to encrypt
the data so that the pw isn't sent back and forth as plaintext.
--Todd
|
|
| |
Todd - an interesting but minor question to these thread links - if I wanted
the thread unraveled all the way back to it's source post, how would I do
that?
Cheers ...
Geoffrey Hyde
Todd Lehman <lehman@javanet.com> wrote in message
news:G1KG4B.MCt@lugnet.com...
> In lugnet.people, Kevin Loch writes:
> > Actually I found PayPal's pw filter to be fairly stringent.
>
> What do you think about this?--
> http://news.lugnet.com/off-topic/geek/?n=2101
> http://news.lugnet.com/off-topic/geek/?n=2107
>
> --Todd
|
|
| |
In lugnet.people, Geoffrey Hyde writes:
> > What do you think about this?--
> > http://news.lugnet.com/off-topic/geek/?n=2101
> > http://news.lugnet.com/off-topic/geek/?n=2107
>
> Todd - an interesting but minor question to these thread links - if I wanted
> the thread unraveled all the way back to it's source post, how would I do
> that?
When you're viewing an article at the website (such as through one of the
links as shown above), scroll down to the bottom of the page and click one
of the "Entire Thread on One Page" links. You can see the thread in nested
thread form or in chronological form, and at various sizes (whole articles,
snippets, single lines, or just little dots).
--Todd
|
|
| |
In lugnet.admin.general, Kevin Loch writes:
> I just figured out how to easially
Easially?
> pass the LUGNET pw test. Use
> lots of special characters. This one: ^n).F6'%#*><}{#: scores
> a whopping 900% with no warnings. Just make sure you throw in a number
> a lower case letter and an upper case letter and you are all set.
> That bypasses the pesky /<-R4d dictionary translator (numbers <-> words)
> that has probably been messing most people up. Of course this does
> restrict the keyspace significantly, but at least you won't have to
> try 300 passwords to get one that passes.
>
> Of course yours doesn't have to be as long as the 900% example.
> It diddn't take too long ot come up with ]4b[G which is only 5 characters
> yet passes with 350% and absolutely no warnings. Hey, that's a great
> strong pasword. "Excellent" according to the appraisal.
Hey, we better enhance the tester to prevent that password, it's kind of sort
of easy to remember.
<GD&R>
Seriously, I like the active anti cracker defense idea a lot better and I
think that's the better way to solve the problem. Instead of butting heads
with Todd on how secure the password space needs to be due to attack speed,
make it harder to attack.
Everyone wins. Todd gets to be right, we get the password checker turned down
to something reasonable (or off) and crackers get to try a site that's more
likely to be lucrative anyway instead of wasting time here. Like my CU. You
don't even want to know what their password (??) scheme is. It's actually
(even for me, a lax password kind of guy) scary.
++Lar
|
|
| |
In lugnet.people, Todd Lehman writes:
> In lugnet.people, Mike Faunce writes:
> > > We'll see how many people find it funny nine months from now.
> > So ... are you going to tell us what is going to happen nine months from
> > now or just leave us hanging?
>
> A combination of things... first, by then there will be more things in
> place that will matter more; second, the pw validator will very likely be
> less stringent; third, I predict that within the next nine months, a major
> online banking site such as PayPal will have a major fiasco in the news with
> tens or hundreds of thousands of user accounts having been either cracked
> via a distributed stealth parallel cracking system or DoS'd through a
> distributed and carefully orchestrated DoS attack based on the principle that
> they lock someone of their account out if a small number of multiple login
> attempts fail rather than having more stringent pw requirements and allowing
> a larger number of fails.
I was thinking more from the perspective of what you are going to create that
will have a span of 9 months and not what might happen on the internet outside
of LUGNET in 9 months.
This still doesn't explain why you have a sophisticated password system
(including a dictionary of 3 million words in 20 languages which I assume is
for the password check alone?) that doesn't really protect any vital
information while at the same time you have a security hole on the other end
where people can post under other's names.
|
|
| |
In lugnet.people, Dan Jezek writes:
> I was thinking more from the perspective of what you are going to create
> that will have a span of 9 months and not what might happen on the internet
> outside of LUGNET in 9 months.
Well, enough new things that I think it will be hard for anyone to continue
belittling the checking anymore. Plus, as I said before, it's possible (and
likely, I hope) that the checking will be less stringent. Right now I'm
guesstimating that it could safely be made 3 orders of magnitude (base 10,
that is) less stringent, with a bit of clever intrusion detection, tracking,
and deterrants.
> This still doesn't explain why you have a sophisticated password system
It's a foundation?
> (including a dictionary of 3 million words in 20 languages which I assume is
> for the password check alone?)
Well, a password checker worth anything consults a dictionary (among other
checks). Putting in 3 million words in 20 languages is just as easy as
10,000 words from a single language. The dictionary check was actually one
of the easier parts of the checker to implement.
> that doesn't really protect any vital information
> while at the same time you have a security hole on the other end
> where people can post under other's names.
Well, as you are aware, to get authentication in pure NNTP means password-
protecting incoming connections. On the server side, it means throwing a
switch and maintaining a table of usernames and crypted pw's. On the client
side, it means having a much less open news system, and I'm not even sure if
all the popular NNTP clients support pw's, either. I can't look into a
magical crystal ball and know that the NNTP connections will -never- need to
be pw-protected (let's pray they don't) but I do know that it would have been
a fatal mistake to pw protect them at the beginning, and probably at just
about any point as well in the future without an extremely compelling reason.
Even so, just because one portion of a system using a legacy protocol for
message transport happens not to have user authentication, it doesn't follow
that other new portions of the same system should be implemented without it
as well, or implemented poorly.
--Todd
|
|
| |
Todd Lehman <lehman@javanet.com> wrote in message
news:G1EAr4.F49@lugnet.com...
> In lugnet.people, Christopher L. Weeks writes:
> > If I send an extra $10, can I get a new packet of LUGNET membership • stuff,
> > most importantly my password?
>
> Have you forgotten your password? If so, write me an email from your • primary
> address and I can now ask the server to generate a new one for you and • send
> it directly to you via e-mail. You could think of it as a temporary new • one
> which you could use to sign in and change something you are less likely to
> forget or lose, if you prefer.
Oh, hi Todd. I should have checked this NG before emailing you...
Anyway, I emailed you about <thinking> 5 (?) days ago regarding my password,
but I'm now not sure what you mean by primary email... The email address I
initially used when joining lugnet? Because that one is obsolete - I have
yet to change it on my information-thingy-page. Confusion, oh the confusion.
Cordially,
DBR
--
"To infinity and beyond!"
|
|
| |
In lugnet.people, Dylan Bradley writes:
> Oh, hi Todd. I should have checked this NG before emailing you...
> Anyway, I emailed you about <thinking> 5 (?) days ago regarding my password,
> but I'm now not sure what you mean by primary email... The email address I
> initially used when joining lugnet? Because that one is obsolete - I have
> yet to change it on my information-thingy-page. Confusion, oh the confusion.
Hmm, wait, now I'm confused. I don't see you listed. What is your member ID
number? Anyway, by primary email I meant the first one of the (up to) three
that you gave when you signed up to be a member. But I think maybe you're
confusing membership with news posting?
--Todd
|
|
| |
I don't know if this thread is still active, but it seems as if it is the best
place to ask my question. I have created an email account for myself for the
main purpose of doing LUGNET at school, but I don't know where to edit the user
information that I gave about a year ago. I may eventually become a member, but
right now I'd just like to switch my e-mail addresses. If possible, please
e-mail replies to my new address: agmlego@lycos.com
Thank you.
Andrew Meyer
|
|
| |
In lugnet.people, Andrew G. Meyer wrote:
> I don't know if this thread is still active, but it seems as if it is the best
> place to ask my question. I have created an email account for myself for the
> main purpose of doing LUGNET at school, but I don't know where to edit the user
> information that I gave about a year ago. I may eventually become a member, but
> right now I'd just like to switch my e-mail addresses. If possible, please
> e-mail replies to my new address: agmlego@lycos.com
>
> Thank you.
>
> Andrew Meyer
Try this link.
http://news.lugnet.com/news/post/setup/
Then (after waiting a day or so for one of us to process it) write any admin if
you still have trouble. See the header of admin.general for our addresses (which
group this is XFUT)
It's not necessarily an easy link to find. Where do people think it should be
linked from?
Hope that helps
|
|
| |
In lugnet.announce, Todd Lehman wrote:
>
>
> Enjoy!
> --Todd
>
> [followups to lugnet.people]
I can't get my password to work, how do I get a new password?
Mathew Clayson
member 2487
|
|
|
