Free Republic
Browse · Search
Bloggers & Personal
Topics · Post Article


Should FreeRepublic be closed to anyone w/o an account on election day/night?
11-5-12 | Arcy

Posted on 11/05/2012 5:55:58 AM PST by Arcy



To: Responsibility2nd; Arcy; BuckeyeTexan
Actually, on the walk over to work (yes, I live THAT close to work), I realized I spoke w/o coffee.

The authentication layer is already written. It's the login and cookie structure JohnRob already has in play. What we would do is the AUTHORIZATION layer, which is a lot easier if all you are doing is granting access to pages. I've never 'had it that easy', I've always had to have RBAC (Rules-Based Access Control) down to the control- and menu-item level.

I won't claim it to be a five-minute fix, but it is a lot easier than it first struck me.

By the way, during my thinkwalk, I actually thought of a series of security holes that I bet JohnRob didn't think to plug, based on his authentication method. If he's not using SessionID on every page, he's vulnerable to a variety of spoofs and CSRF 'confused teller' attacks. Not a big deal, because the attacker would need to know A) which internet user was logged into FR to begin with, and B) the payoff is small, unless they happen to luck upon the session with Admin Mod, JimRob or JohnRob. So what if they hijack Laz's screen name, for example. All that would happen is Laz might not hit it for one day.

61 posted on 11/05/2012 6:46:03 AM PST by Lazamataz (The Pravda Press has gone from 'biased' straight on through to 'utterly bizarre'.)
[ Post Reply | Private Reply | To 42 | View Replies]
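The split described in post 61, sketched as an added example (not Free Republic's code and not part of any post): a page-level authorization check layered on an existing cookie login, plus a session-bound token required on every state-changing request. The session store, page table, role names and function names are all hypothetical.

```python
import hashlib
import hmac
import secrets

# Assumed server-side secret and session store (constructed sample data).
SERVER_KEY = secrets.token_bytes(32)
SESSIONS = {
    "sid-member": {"user": "member1", "roles": {"member"}},
    "sid-mod": {"user": "mod1", "roles": {"member", "moderator"}},
}
# Page-level policy: role required per path; None means public.
PAGE_ROLES = {"/read": None, "/post": "member", "/admin": "moderator"}
MEMBERS_ONLY = False  # True closes reading to visitors without an account


def csrf_token(session_id: str) -> str:
    """Token bound to one session, embedded in every form the server renders."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def authorize(path, method, session_id=None, token=None, members_only=None):
    """Return (allowed, reason) for one request."""
    closed = MEMBERS_ONLY if members_only is None else members_only
    if path not in PAGE_ROLES:
        return False, "unknown page"  # default deny
    session = SESSIONS.get(session_id)  # authentication: the cookie lookup
    needed = PAGE_ROLES[path]
    if needed is None and closed:
        needed = "member"
    if needed is not None:
        if session is None:
            return False, "login required"
        if needed not in session["roles"]:
            return False, "forbidden"
    # A forged cross-site request carries the victim's cookie automatically
    # but cannot read the token, so POSTs without a matching token are refused.
    if method == "POST":
        if session is None or token is None:
            return False, "csrf token missing"
        if not hmac.compare_digest(token, csrf_token(session_id)):
            return False, "csrf token mismatch"
    return True, "ok"
```
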


To: Rapscallion
Please announce the truth about Free Republic.

What truth? Information on FR can be read by anyone; that's how most of us found the place to begin with. If you want to post a new thread or participate in an existing thread you have to take the effort to build an account and logon.

63 posted on 11/05/2012 6:47:10 AM PST by ken in texas (I was taught to respect my elders but it keeps getting harder to find any.)
[ Post Reply | Private Reply | To 43 | View Replies]

To: Arcy
Move FR over to one of these...

With bridged Cisco CP-DQPSK cards for OC-768 up/down network speeds...

64 posted on 11/05/2012 6:52:34 AM PST by Dead Corpse (I will not comply.)
[ Post Reply | Private Reply | To 1 | View Replies]

To: cripplecreek

I need to get me an account today over at DU if that is the case.


65 posted on 11/05/2012 6:53:32 AM PST by cornfedcowboy (Trust in God, but empty the clip.)
[ Post Reply | Private Reply | To 4 | View Replies]

To: Arcy

I don’t understand st00pid. Try again.


66 posted on 11/05/2012 6:55:30 AM PST by lefty-lie-spy (Stay metal. For the Horde \m/("_")\m/ - via iPhone from Tokyo.)
[ Post Reply | Private Reply | To 1 | View Replies]

To: bmwcyle
Actually, since it's a login/persistent cookie sort of authentication deal, it's not all that rough. I never really thought about the security of FR before because I never think in terms of doing her harm, but there are likely a lot of reasonably easy dodges around this model to get in behind the scenes. Maybe. Depends how much of his homework JohnRob did.

Even sniffing for passwords is (somewhat) reasonable on the http: non secure model we are presently on! Certs are obviously the way to go to prevent all that treachery.

I cannot be open about the Fed measures in place, for obvious reasons, but it is a very fascinating and pretty durned rugged setup they've got.

67 posted on 11/05/2012 6:56:35 AM PST by Lazamataz (The Pravda Press has gone from 'biased' straight on through to 'utterly bizarre'.)
[ Post Reply | Private Reply | To 51 | View Replies]

To: Arcy
It would also be advantageous to prevent the creation of new accounts on FR (starting now) until after the election to keep out the liberals who will certainly come here to explode in anger as election results come in.

What, and miss all the fun of their heads exploding???

;^)

68 posted on 11/05/2012 7:02:09 AM PST by JimRed (Excise the cancer before it kills us; feed &water the Tree of Liberty! TERM LIMITS, NOW & FOREVER!)
[ Post Reply | Private Reply | To 1 | View Replies]

To: cornfedcowboy
I need to get me an account today over at DU if that is the case.

Funny you should say that, because I tried it yesterday and this morning using different e-mail addresses and screen names, and their side has yet to send me a log-in password for either acct. This tells me they are NOT allowing new account creation right now and will probably continue this practice until after election night.
69 posted on 11/05/2012 7:03:22 AM PST by Arcy (When the righteous are in authority, the people rejoice; But when a wicked man rules, people groan.)
[ Post Reply | Private Reply | To 65 | View Replies]

To: Lazamataz
If we just had our own geosync internet communication satellite.
70 posted on 11/05/2012 7:16:37 AM PST by bmwcyle (45% to 47% of American voters are stupid)
[ Post Reply | Private Reply | To 67 | View Replies]

To: All
This is what visitors to the site on election night should see and it's so easy to implement:


71 posted on 11/05/2012 7:18:16 AM PST by Arcy (When the righteous are in authority, the people rejoice; But when a wicked man rules, people groan.)
[ Post Reply | Private Reply | To 1 | View Replies]

Comment #72 Removed by Moderator

To: Arcy

Glad you decided not to quit FR


73 posted on 11/05/2012 7:46:20 AM PST by BO Stinkss
[ Post Reply | Private Reply | To 1 | View Replies]

To: traditional1; All
It could be a DOS (Denial of Service) attack by a group that is dedicated to causing problems over here. One way to launch an attack like this is through the command line interface using the ping command and writing some code to generate a shower of these requests from multiple PCs. However, that can be PREVENTED easily by turning off response to pings via the server, which FreeRepublic has NOT done (novice security team) as evidenced by my successful ping just now (see below).



74 posted on 11/05/2012 7:52:04 AM PST by Arcy (When the righteous are in authority, the people rejoice; But when a wicked man rules, people groan.)
[ Post Reply | Private Reply | To 72 | View Replies]

To: BO Stinkss

Thanks. I had to go cool off for a while. :)


75 posted on 11/05/2012 8:09:42 AM PST by Arcy (When the righteous are in authority, the people rejoice; But when a wicked man rules, people groan.)
[ Post Reply | Private Reply | To 73 | View Replies]

To: Arcy

::sigh::: Third freakin attempt...

I don’t foresee such changes being implemented, but I’ll opine.

If it helps with traffic issues, I’m fine with disallowing new signups until after all returns are in.

WRT blocking mere lurkers from site access - I see no need to act as if we FReepers have something to be ashamed of. The DUmp is hardly an example to emulate.

Besides, FReepers themselves may be trying to take quick anonymous peeks throughout the day (ignoring of course that the site’ll be a parking lot even w/out logging in).


76 posted on 11/05/2012 8:15:55 AM PST by Titan Magroyne (What one person receives without working for, another person must work for without receiving.)
[ Post Reply | Private Reply | To 1 | View Replies]

To: Arcy

I don’t think FR should shut anybody out; I was a lurker for a few years before actually joining and I like the idea that this site is available to anybody who wants to read it and get educated. We are not at all like the Dumb-o-crats and their stinking site (thanks to the Grace of God) and therefore should be proud to have a site that anybody can check in with and see what we all think. I’m proud to be part of FREEREPUBLIC.


77 posted on 11/05/2012 8:18:12 AM PST by Old Grumpy
[ Post Reply | Private Reply | To 1 | View Replies]

To: Old Grumpy

It would only be for one night.


78 posted on 11/05/2012 8:23:39 AM PST by Arcy (When the righteous are in authority, the people rejoice; But when a wicked man rules, people groan.)
[ Post Reply | Private Reply | To 77 | View Replies]

To: Lazamataz

I have zero knowledge of these things, but what I have read that makes the most sense is that the problem is the pipe - not anything internal to FR.

Is that even close to accurate? What solution, if it is?

Right now - mid morning on Election Day Eve, she’s feeling like she’s taking her last gasping breaths before expiration.


79 posted on 11/05/2012 8:24:03 AM PST by don-o (He will not share His glory and He will NOT be mocked! Blessed be the name of the Lord forever.)
[ Post Reply | Private Reply | To 23 | View Replies]

To: Arcy

             

80 posted on 11/05/2012 8:24:41 AM PST by tomkat ( PAlabama '12 = RR = 300 +)
[ Post Reply | Private Reply | To 1 | View Replies]



Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.


FreeRepublic, LLC, PO BOX 9771, FRESNO, CA 93794
FreeRepublic.com is powered by software copyright 2000-2008 John Robinson