Subject: Re: Enhanced verification (was: Re: What the F.......)
Newsgroups: lugnet.admin.general
Date: Tue, 14 Dec 1999 19:18:46 GMT
Viewed: 205 times
<snip>
>
> So here are my thoughts:
>
> There is the 'X-Real-Life-Name' header field which is inserted automatically
> into new incoming messages. It gives a bit more information about someone if
> they're using a screen name, nickname, alias, etc., but it doesn't actually
> authenticate someone via a password. But something like this could.
>
> A header field 'X-Member-ID' could be inserted by the web interface if and
> when someone is a member signed-in at the time they post. Subsequently,
> when articles are displayed, this field would be interpreted in some way and
> would give a link to the member's page, perhaps with some small additional
> graphic image or other mild attention-grabber.
>
> This would allow people with multiple email addresses to continue posting
> from any of those addresses without having to worry about configuring
> anything else, and could all be made to happen automagically and
> transparently.
I like this idea, although I don't understand how it would help in terms of the
issue we are currently discussing.
Would this require someone to sign in once a day the first time they go to
LUGNET? If so, does that mean you would be using some sort of temporary cookie?
If so, I guess I understand. I personally would not mind signing in once a day,
although I don't see a need in my case, although in Brad's case it is much more
likely that someone would want to disguise themselves to impersonate Brad. Why,
I don't know, but it has already been proven that some are malicious enough to
do so.
>
> A second (optional) level of protection could be voluntary blocking of
> one's own email-address & name to other users -- i.e., someone could ask
> the system not ever to let anyone post using their name & email combination
> unless the poster was actually signed in as that user. Blocking based on
> name & email together (not separately) would certainly not prevent some
> other person coincidentally named Brad Justus from posting, but we wouldn't
> want to prevent that anyway.
>
> Since LUGNET member passwords are not sent via email but rather by snail
> mail, member packets of TLC employees could even be sent to a LEGO Company
> postal address, further proving the reality and validity of the person behind
> the identity.
>
> Now, all of this assumes that Brad and other TLC employees who wanted to
> participate (without fear of being imposterized) would be willing to sign up
> as members and post only through the web interface, so this solution may not
> be feasible. But short of kludging up some other authentication system, I
> think this is really the only way to go.
OK, a lot of this is over my head. I definitely think there is a need to put
some security around official TLC postings in order to minimize the chance of
an imposter. One thing I don't understand is, if TLC representatives such as
Brad want to do this and it requires them to be members, does that mean they
need to be "paying members"? I would hope for some sort of exemption for
someone like Brad, but if that was not possible I would like to help in whatever
way I can to make sure Brad can post in a secure environment.
>
> In terms of being "members," BTW, I probably should allow for TLC to be its
> own "user group" of people with its own roster and so forth. I set up the
> member cookies in such a way that any person could actually belong to any
> number of user groups of people. When you sign in as a LUGNET member, your
> cookie is named "/". Signing in as a LEGO Company member (as opposed to a
> LUGNET member) would give some other cookie, perhaps named "/lego/". And if
> someone is a NELUG member and NELUG was having LUGNET handle its membership
> roster, then signing in as a NELUG member would give a cookie named
> "/org/us/nelug/". So quite a bit is possible.
How exactly would you monitor who was allowed to sign up for which "user
group"? Obviously not everyone could sign up to be in the TLC "user group", so
how would you make sure that only TLC employees got into this group?
Of course I would like to talk more about using LUGNET to handle NELUG
memberships, but Brad's case is definitely a priority so we can talk more later
about how this would work.
Again, my technical expertise in this area is minimal to non-existent so please
excuse my ignorance.
I do have a couple other questions.
1. You were able to determine earlier from a log that Brad's IP address was a
TLC address. Could you use this to authenticate Brad? Could something check
Brad's IP to ensure that his combination of Name and E-mail address are coming
from a known LEGO IP? If so could this be optional so the rest of us can post
from multiple computers on multiple networks (i.e. Home and Work)?
If this were doable, maybe there could be some sort of check that any lego.com or
mindstorms.com etc. etc. address was coming from an official LEGO IP. I don't
know how easy it would be to maintain such a database, but it is a thought.
This may not be technically feasible either; I don't know.
2. Of course another option would be to allow Brad to somehow flag a message
as being an imposter message, and upon confirmation of the imposter the
offending message would be canceled and replaced with some sort of "beware
imposter" message. Hopefully your logs would then allow you to track down the
imposter and impose a no-questions-asked life ban/dismissal from LUGNET.
Again, I could be dreaming here, but I thought I would try and make some
suggestions.
Eric K.
The New England LEGO Users Group
http://www.nelug.org/
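
The 'X-Member-ID' stamping and the voluntary name-and-email blocking proposed in the quoted text could be enforced at the posting gateway roughly as follows. This is an added example, not LUGNET's code and not part of either poster's message; the member IDs, the example.com address and the names `gateway`, `make_post` and `PROTECTED` are constructed, and stripping any client-supplied 'X-Member-ID' before stamping is an assumption the thread does not state.

```python
from email.message import EmailMessage
from email.utils import parseaddr

# Constructed sample data: (name, email) pairs whose owners asked for blocking,
# mapped to the member ID that must be signed in to post under that pair.
PROTECTED = {("brad justus", "brad@example.com"): "member-1"}


def make_post(from_hdr, forged_member=None):
    """Build a constructed test article; forged_member simulates a client
    that supplies its own X-Member-ID header."""
    msg = EmailMessage()
    msg["From"] = from_hdr
    msg["Newsgroups"] = "lugnet.admin.general"
    if forged_member:
        msg["X-Member-ID"] = forged_member
    msg.set_content("test article")
    return msg


def gateway(msg, signed_in_member=None):
    """Return (accepted, msg).

    signed_in_member is the member ID taken from the web session, or None
    for articles that arrive without a signed-in session (NNTP, email).
    """
    # Assumption: only the gateway may set this header, so any copy that
    # came in with the article is removed before anything else happens.
    del msg["X-Member-ID"]

    name, addr = parseaddr(str(msg["From"] or ""))
    key = (" ".join(name.lower().split()), addr.lower())

    # Blocking is on name AND email together: a different person who is
    # also called Brad Justus, posting from another address, is unaffected.
    owner = PROTECTED.get(key)
    if owner is not None and owner != signed_in_member:
        return False, msg

    # Stamp the article only when a member session actually exists.
    if signed_in_member is not None:
        msg["X-Member-ID"] = signed_in_member
    return True, msg
```
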