Posted on 03/16/2025 6:09:41 AM PDT by Lazamataz
I've noticed, over the years, that very old Free Republic accounts, accounts that have been inactive for months or years, suddenly reactivate... but their politics are suddenly suspect.
Be they Zeeper-oriented (that is, super-favorable to Ukraine) or, conversely, super-favorable to Russia, or even suddenly-liberal... these accounts reactivate with a flurry of posts that are contrary to conservatism.
Are these real Freepers who have had a change of heart about their politics? Are these real Freepers who feel the need to jump on the forum with propaganda and support for one side or the other per the Ukraine/Russia war?
Or are these hijacked accounts?
People will recall some time back, quite a few accounts of active Freepers were hijacked. It created a bit of a problem. When all was said and done, the accounts were returned to their rightful owners, and the site owner (and his moderator crew) pointed out that their passwords were very easy to guess. He instructed people to have stronger passwords.
I also have a friend on Facebook who no longer participates in the forum, but still reads it, who has seen a Freeper posting who he happens to know has been dead for more than a decade.
The problem is, we have far too insecure a login process, and enemies of the forum have been exploiting that.
At the login page, you can attempt unlimited logins. This allows simple brute-force password cracking.
Also, the Forget Password option sends an email with your password in clear text. Emails can easily be sniffed with the right techniques. Passwords can easily be cracked that way.
My suggestions to mitigate these critical security concerns are:
These relatively-simple security changes will stop account-hijacking.
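The two login weaknesses the post describes, unlimited attempts and a reset mail that can contain the password because the site is able to recover it, can both be closed on the server. The Go code below is an added example, not Free Republic's code or anything the poster wrote; the in-memory Store, the lockout thresholds and the iterated-HMAC key derivation are my own simplified stand-ins.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"time"
)

// Constructed store: only a salted hash is kept, so a reset mail cannot carry the password.
type account struct {
	salt, hash  []byte
	failed      int
	lockedUntil time.Time
}
type Store map[string]*account

const maxFailed, lockout, rounds = 5, 15 * time.Minute, 50000

// deriveKey is iterated HMAC-SHA256: a simplified stand-in for bcrypt/argon2 (not in Go's stdlib).
func deriveKey(salt []byte, pw string) []byte {
	k := []byte(pw)
	for i := 0; i < rounds; i++ { // iterations slow down offline guessing of a leaked hash
		m := hmac.New(sha256.New, salt)
		m.Write(k)
		k = m.Sum(nil)
	}
	return k
}

func (s Store) Register(user, pw string) {
	salt := make([]byte, 16)
	rand.Read(salt)
	s[user] = &account{salt: salt, hash: deriveKey(salt, pw)}
}

// Login locks an account for `lockout` after maxFailed wrong guesses instead of allowing unlimited tries.
func (s Store) Login(user, pw string, now time.Time) error {
	a, ok := s[user]
	if !ok || now.Before(a.lockedUntil) {
		return errors.New("bad credentials or account locked")
	}
	if subtle.ConstantTimeCompare(deriveKey(a.salt, pw), a.hash) != 1 {
		if a.failed++; a.failed >= maxFailed {
			a.lockedUntil = now.Add(lockout)
		}
		return errors.New("bad credentials")
	}
	a.failed = 0
	return nil
}
```

Because only a salted hash is stored, a password-reset mail can at most carry a random one-time token that the server stores hashed with an expiry; it can never carry the password itself.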
Getting closer.
A post of beauty
But, how do you REALLY feel?
I miss how it used to show how many FReepers actually clicked on the thread, even without posting.
"Tell me wasn't there a visit counter to the threads back in the day???"
I think that was around the time when copy/pasted quotes would throw out some weird characters (wrong coding on the site, I think it was because not using UTF-8).
Took JohnRob a few weeks to fix.
You can’t be series, this is HUGH!
I remember some trolls going back to the Palin election (I voted for her, not the canary).
Very good point.
Yeah, I did remember it becoming very lax about that time.
ROFL!
No, most of the foreign trolls were from loser countries like Spain and France.
Laz is not being rude, funny, or insane. Expiring log-ins make sense. I now log in/out every time I do a FReeper read session and erase my history because it is no one else in my family's business what I do and say here. None of them agree with me now, and at least one would have malicious intent.
Oh no... are you living with some of the 29%?
An IMEI (International Mobile Equipment Identity) is a unique 15-digit code that identifies a mobile device, like a phone, similar to a VIN number on a car.
So in simple terms the MFA service generates an encrypted string from “FREEREPUBLIC-USERNAME-PASSWORD” and turns it into a QR code.
Nothing else knows how to decrypt the string, except that specific MFA app. If you use a photo app, QR scanner app, or Google Authenticator, they’ll throw an error because they can’t decrypt it.
When you scan the code, your phone adds its IMEI. So the MFA server receives “FREEREPUBLIC-USERNAME-PASSWORD-IMEI”.
Registration over.
From that point on, your username and password are tied to that specific app and the specific handset. A simple unlock challenge regenerates the encrypted string, i.e. “this is my username, this is my password, and I’m using THIS phone with THIS IMEI.”
If that matches what you registered, you’re logged in successfully.
If you lose your phone, you can go through the registration process again on the replacement phone, which can be done by emailing you a temporary code.
It is not hard to set up multiple options. Email, SMS, app, even an RSA token or YubiKey.
The whole point of all these mechanisms is to address the problem of password harvesting. ESPECIALLY for moderator/admin accounts.
Years ago I went into a datacenter and all the admin passwords were scribbled on the whiteboard. I could’ve run riot all through their network without them knowing it was me.
Imagine not having to go to the effort of taking a photo of a whiteboard because you can go on the dark web and get the photo from it...
Now imagine, everyone with zot abilities who has had the same password for fifteen years, has their login details in a freely available, hacked password list.
So even if MFA is overkill for Freepers, it should be mandatory for admins and moderators.
Admin/moderators vs. “ordinary” account holders is a very valid distinction.
Does the MFA service use a secret key to encrypt the FR-USERNAME_PWD string and the app use the same secret key to decrypt it? If that's the case could the adversary reverse engineer the app to find the secret key? If so, could you deploy each MFA with a unique private key and register the public key at the server during the registration step? Seems like one of several ways to avoid the shared secret key problem.
Is the IMEI for my phone secret, or can it be looked up by an adversary pretending to be me? Serial number portion of the IMEI is six digits and the rest (manufacturer, model) would be publicly known. The six digits might become public through signaling or some other third party use of the number. The fact that you have the IMEI in your own server database is a red flag because it's no longer secret.
I suspect what you really need is a unique code on the device that is guaranteed to be secret. Simplest solution is a private key. When I did my bit of phone-based authentication I used the secure key storage in Android. In short the private key remains in the secure enclave and the only thing you can do with it as a programmer is use it to sign a message. I sign the message, send it to the server, the server validates the signature using the public key. The public key is stored in the server during the registration step (my registration was somewhat complex but still a separate step like you are doing).
Depends on the service used. I currently have something like 40 services using Microsoft Authenticator with Entra ID, and 20 using Google. I also use Auth0, Cyberark, Nymi, Beyond Trust, and a few others.
The security is only as good as the security of the cloud platform. If someone can get onto the admin platform without MFA, all bets off.
Your IMEI is literally just a code representing the handset. This is why, professionally, I’d say NEVER lock MFA options down to MDM managed smartphones (the USA loves Apple MDM but you might as well advertise, “hack this one system and you’ve got the keys to the castle!”).
If my employer got hacked they still wouldn’t be able to clone my MFA phone. It’s intentionally off grid. I’ve got the authenticators running in offline mode with the phone... Basically, it’s a 5 year old phone with no SIM and no WiFi, acting as a 60-in-one RSA token. It goes online only when I need to add another authenticator.
I used to use Myki password manager, which worked the same way. Passwords were stored in a TPM encrypted vault, private key known only to Myki. The sheer effort required to get into the vault (needed physical access to the phone with a way to bypass its biometric protection) combined with the fact nobody would know what passwords I had in there - made it borderline unhackable.
MS Authenticator creates a private key for each registered service, associating whatever data is in the QR code sent by the service to that private key. Registration is essentially completed by sending the corresponding public key.
There's no IMEI involved, not needed and not useful. Private keys stored in the phone can't be extracted by any method. Once registered the service just has to validate a signed message using the public key. Cloning is impossible.
If there is an app of any sort on a phone it would use PKI.
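The scheme the two posts above describe (a private key that never leaves the phone, its public key handed to the server at a separate registration step, and login by signing a server-issued challenge) as an added Go example. This is not the posters' code and not the code of MS Authenticator or any other product; ed25519 stands in for whatever key type the handset's secure key store offers, and the in-memory Device and Server types are my own assumptions. The server holds nothing secret, which is what makes the shared-key and IMEI objections raised earlier go away.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
)

// Device stands in for the phone: the private key never leaves it and is only ever used to sign.
type Device struct{ priv ed25519.PrivateKey }

func NewDevice() (*Device, ed25519.PublicKey) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	return &Device{priv: priv}, pub
}
func (d *Device) Sign(challenge []byte) []byte { return ed25519.Sign(d.priv, challenge) }

// Server keeps only public keys (nothing secret, unlike an IMEI or a shared key) and open challenges.
type Server struct {
	keys       map[string]ed25519.PublicKey
	challenges map[string][]byte
}

func NewServer() *Server {
	return &Server{keys: map[string]ed25519.PublicKey{}, challenges: map[string][]byte{}}
}

// Register is the separate enrolment step: the user hands over the public key only.
func (s *Server) Register(user string, pub ed25519.PublicKey) { s.keys[user] = pub }

// Challenge issues a fresh random nonce; signing it proves possession of the private key.
func (s *Server) Challenge(user string) ([]byte, error) {
	if _, ok := s.keys[user]; !ok {
		return nil, errors.New("unknown user")
	}
	c := make([]byte, 32)
	rand.Read(c)
	s.challenges[user] = c
	return c, nil
}

// Login verifies the signature over the open challenge and then discards it, so a captured response cannot be replayed.
func (s *Server) Login(user string, sig []byte) error {
	c, ok := s.challenges[user]
	if !ok {
		return errors.New("no outstanding challenge")
	}
	delete(s.challenges, user)
	if !ed25519.Verify(s.keys[user], c, sig) {
		return errors.New("bad signature")
	}
	return nil
}
```

Losing the phone is handled exactly as the thread says: a new Device registers a new public key through the enrolment step, and the old key is simply dropped from the server.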
And since FR enables anonymity then the only issue is a handle being misused. Meanwhile, any position sets one in opposition to a contrary one, and since those of like mind tend to congregate, then dissent from "group think" typically results in various degrees and forms of disparagement, whether it be atheists on Quora or Reddit, etc. to Catholic sites to Slate and the DU, etc. Yet conservatives overall are more tolerant than libs. And FR is far more mature with its judicious moderation than any other forum I have been on. But the most intolerant are such as oppose FR owner's statement that FR is
"pro-God, pro-life, pro-family, pro-Constitution, pro-Bill of Rights, pro-gun, pro-limited government, pro-private property rights, pro-limited taxes, pro-capitalism, pro-national defense, pro-freedom, and pro-America. We oppose all forms of liberalism, socialism, fascism, pacifism, totalitarianism, anarchism, government enforced atheism, abortionism, feminism, homosexualism, racism, wacko environmentalism, judicial activism, etc. We also oppose the United Nations or any other world government body that may attempt to impose its will or rule over our sovereign nation and sovereign people. We believe in defending our borders, our constitution and our national sovereignty.
Free Republic stands for God, family, country. We generally look to Judeo-Christian* guidance on issues of law, morality, justice, freedom, life, family and civil society. And we have a Christian self-governing, self-reliant, individual accountability & responsibility, you gotta work if able-bodied and want to eat attitude on cultural and societal issues. And a Christian pro-Constitution, original intent, pro-liberty, pro-life, pro-family, pro-gun, restricted government, small government, states rights, individual rights, free enterprise position on political and civil matters.