FAO Sean Lim, Steven Weller, Gary Cox...


basildd
UKTS Loco Painter & Decorator
Posts: 7309
Joined: Wed Dec 12, 2001 12:00 am
Location: Moving ever northwards...

Post by basildd »

You may have seen the previously posted thread in Route building from 'Steven' stating 'Matt is a poo'. Well this infantile person is hosting your files on his site and if that's the level that he wants to drag UKTrainsim down to, perhaps you would consider pulling your files from that site, if for no other reason, than in deference to Matt who has made this site possible for us all...
Dale / BasilDD

Works Overhaul Stats - 23/04/02-29/02/04
Output - 348 (Stock / Locomotives) Customers - 156,677 downloads!!!
basildd
UKTS Loco Painter & Decorator
Posts: 7309
Joined: Wed Dec 12, 2001 12:00 am
Location: Moving ever northwards...

Post by basildd »

If the Steven who posted this trash is the same as the Steven in the heading for this thread (as some people seem to think), perhaps you could explain yourself??
Dale / BasilDD

madmardy
Well Established Forum Member
Posts: 574
Joined: Thu Apr 25, 2002 12:00 am
Location: London

Post by madmardy »

I hope that's not me who seems to think
suspending with pain the WCML (fict)
steven
Getting the hang of things now
Posts: 12
Joined: Wed Nov 07, 2001 12:00 am
Location: S.Wales
Contact:

Post by steven »

Well the only likely cause is that someone has logged in as me using my weak password which I have now changed and I have emailed Matt explaining the situation and to see if there is a way to do this. I was shocked myself when I saw the post and even more shocked to see that my name was used to start the thread and I can see no reason to post such an infantile post.

Steve
NeutronIC
Atomic Systems Team
Posts: 11085
Joined: Fri Oct 05, 2001 12:00 am
Location: E11, London, England
Contact:

Post by NeutronIC »

I'm perfectly happy that there is no likelihood of Steven posting something like that and I think it backs up the justification that weak passwords aren't a good idea.

In the meantime, if someone becomes aware of a way to bust the site security please let me know as soon as possible, and if anyone has any kind of evidence about who did it, let me know too - I have full web logs from when this posting was made so, uh, guess what, I hope you were using an Anonymiser.... hacking my server and any of the accounts on it is a computer crime under the Computer Misuse Act.

Matt.
johndibben
Bletchley Park:home of first programmable computer
Posts: 14007
Joined: Mon Dec 03, 2001 12:00 am
Location: Bletchley

Post by johndibben »

What the 'chuff' is this all about.

What's a 'weak' password ..... I've got a name and a 5 digit password.

All strange to me.

Basil's 'on the ball' .... as ever .... thank goodness someone is.
Cheers

John
JohnEyres
Creating the WCML at Warrington
Posts: 511
Joined: Sun Dec 30, 2001 12:00 am
Location: Warrington
Contact:

Post by JohnEyres »

How the heck could anybody get or even remember an Atomic Systems account password? Apart from anything it's virtually a code.
Warrington Railways Route Author

Route Progress: http://johneyres.tripod.com/railway/msts/newms.htm
NeutronIC
Atomic Systems Team
Posts: 11085
Joined: Fri Oct 05, 2001 12:00 am
Location: E11, London, England
Contact:

Post by NeutronIC »

Definition of a weak password:
Easy to guess.

Examples:
Your username (yes, some people really do this)
Less than 6 characters (not so bad if they mix letters and digits though)
Common English word
Someone's name
Birthdate

They're all bad, there's more but those are the common hotspots.

A secure password should:

Be at least 8 characters
Mix letters and numbers
Not be an English word
Not be a name
Not be a date

People can crack passwords if they are English words, names or dates, very quickly and easily. I had a security analyst run a very simple script over the password database of the userbase of an ISP I used to be the technical director for and out of 1,000 users (approx) he had about 350 of them within about 10 minutes, the rest were fairly secure and needed brute forcing the hard way (try every combination of letter/number). Out of those 350, 200+ of them were the same as the username.

Matt.
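
The rules listed in the post above, written as a check a site could run when a user sets a password. This is an added example, not code from the forum or from Atomic Systems; the function name, the tiny word and name lists, and the date heuristic are assumptions made for illustration.

```python
import re

# Constructed sample lists for the example; a real check would load a full
# dictionary and a list of names from files.
COMMON_WORDS = {"password", "railway", "engine", "station", "welcome"}
COMMON_NAMES = {"steven", "matthew", "john", "dale", "alan"}

# Heuristic (assumption): all-digit strings of 6 or 8 characters, or digits
# split by - / . separators, are treated as dates (ddmmyy, ddmmyyyy, d/m/yy).
DATE_RE = re.compile(r"^(\d{6}|\d{8}|\d{1,2}[-/.]\d{1,2}[-/.]\d{2,4})$")


def password_problems(username, password):
    """Return the reasons a password counts as weak under the post's rules."""
    problems = []
    lowered = password.lower()
    # Drop leading/trailing digits so "railway1" is still caught as a word.
    core = lowered.strip("0123456789")

    if username.lower() in (lowered, core):
        problems.append("same as username")
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    if not (re.search(r"[A-Za-z]", password) and re.search(r"\d", password)):
        problems.append("does not mix letters and numbers")
    if core in COMMON_WORDS:
        problems.append("English word")
    if core in COMMON_NAMES:
        problems.append("name")
    if DATE_RE.match(password):
        problems.append("date")
    return problems
```

An empty list means the password passed every rule in the post; a site would refuse the change otherwise and show the reasons to the user.
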
asalmon
Very Active Forum Member
Posts: 5190
Joined: Sun Dec 23, 2001 12:00 am
Location: near Bristol

Post by asalmon »

JohnEyres wrote: How the heck could anybody get or even remember an Atomic Systems account password? Apart from anything it's virtually a code.
You can go into "personal details" and change it - I was tempted to do mine, but decided it's better being a non-standard one, I can remember it 'coz I type it every day - though no one could guess it without brute force!

-Alan
johndibben
Bletchley Park:home of first programmable computer
Posts: 14007
Joined: Mon Dec 03, 2001 12:00 am
Location: Bletchley

Post by johndibben »

I still use the one I was given .... and that's far from 'easy'.

PS 'Matt is a poo' .... ermm .... obviously a comment from a 'well adjusted' person .... I don't think.

I sometimes think someone or some people have a 'grudge' against the site and Matt .... judging by the way these things keep happening.

Funny old World.
Cheers

John
basildd
UKTS Loco Painter & Decorator
Posts: 7309
Joined: Wed Dec 12, 2001 12:00 am
Location: Moving ever northwards...

Post by basildd »

Following on from what has obviously transpired, I offer Steven my unreserved apologies as he obviously isn't to blame for this. In deference I have to say that I did include Steven as one of the people I was trying to draw the attention of this to (as well as Sean and Gary) as I did not put the two together. When I realised it was one and the same, I wondered if there had been some sort of 'spat' with Matt over an upload or something. I didn't give any thought to the fact that someone would hack into someone else's account to post such banal and puerile rubbish. Do they teach 9 year olds computer studies in school these days by chance? :-?

As for the perpetrator of this, do you really get satisfaction from this sort of thing? Are you the sort of person who 'doesn't fit in' and feels that attention seeking is the way to get noticed. Well it does that, but doesn't do you any favours. All you are doing is giving credence to the myth that people who like trains are 'sub-normal'. That is very sad, as are you.
Dale / BasilDD

NeutronIC
Atomic Systems Team
Posts: 11085
Joined: Fri Oct 05, 2001 12:00 am
Location: E11, London, England
Contact:

Post by NeutronIC »

I've been thinking about it some more and it might even have been an accident that the person got the logged in account of Steven - sessions are being cached by ISPs left, right and center, despite instructions to the contrary from the server, AOL being one of the worst offenders.

This means that occasionally, someone might suddenly appear logged in and if they realise it's under someone else's account then they can potentially do this kind of childish antic.

This is the reason that sites like Amazon have the "you are fred, if you are not, click here to log out", so it's not a problem localised to us, it's inherent in web based login that isn't using the HTTP login mechanism.... unfortunately, HTTP login has a host of other problems (like inability to actually log out again and screwed up defaults on Internet Explorer that make it not work at all for some people).

However the good news is:

a) it doesn't happen too often
b) when I get the persistent login working, that'll have the side effect of completely closing this problem down as the session will be cross checked against a cookie on the user's PC - which was only set when the user specifically logged in, so if they suddenly get given someone else's session then it'll get booted out immediately and they won't be able to do any damage.

Meanwhile, I'll keep flushing the session table manually since it is having difficulty doing it itself I think!

Anyone still putting the PHPSESSID on URLs that they post is just making this problem worse as you're basically giving your account away when you do that - though I don't recall seeing any such URLs for a while now so I'm highly inclined to believe it's just a sodding ISP with a badly configured cache.

That doesn't excuse the childish behaviour that ensued after realising they were logged in as someone else though. The responsible, adult, thing to do is to log out immediately.

Matt.
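
The cross-check described in point b) of the post above, as a small model of the server side. This is an added example, not the site's code: the `SessionStore` class and its method names are hypothetical, and it assumes "booted out" means the session is destroyed on the first request that arrives without the matching login cookie.

```python
import hmac
import secrets


class SessionStore:
    """Server-side session table; each session is bound to a login cookie."""

    def __init__(self):
        self._sessions = {}  # session id -> {"user": ..., "login_token": ...}

    def login(self, user):
        """Run only on an explicit username/password login.

        Returns (session_id, login_token). The token goes to the browser as
        its own cookie and never appears in a URL or in page content.
        """
        sid = secrets.token_urlsafe(32)
        token = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": user, "login_token": token}
        return sid, token

    def authenticate(self, sid, cookie_token):
        """Return the user for this request, or None if it is rejected.

        A session id that arrives without the matching login cookie (from a
        cached page or a PHPSESSID pasted in a URL) is destroyed rather than
        honoured, so the real owner has to log in again.
        """
        session = self._sessions.get(sid)
        if session is None:
            return None
        if cookie_token is None or not hmac.compare_digest(
            session["login_token"], cookie_token
        ):
            del self._sessions[sid]
            return None
        return session["user"]


def demo():
    store = SessionStore()
    sid, token = store.login("steven")
    own = store.authenticate(sid, token)        # Steven's own browser
    stranger = store.authenticate(sid, None)    # same session id, no cookie
    after = store.authenticate(sid, token)      # session no longer exists
    return own, stranger, after
```
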
johndibben
Bletchley Park:home of first programmable computer
Posts: 14007
Joined: Mon Dec 03, 2001 12:00 am
Location: Bletchley

Post by johndibben »

I know I have a 'bee in my bonnet' .... like Basil had a 'wasp up his nose' .... but you're obviously doing what you can in the time you have to do it :wink:

BTW When 'Basil gets a 'wasp up his nose' 40' willow trees disappear .... (private joke) .... I'm not messing with him :wink:
Cheers

John
40058
Very Active Forum Member
Posts: 2326
Joined: Wed May 01, 2002 12:00 am
Location: Essex

Post by 40058 »

Perhaps this site should be made exclusive to registered users regardless as to whether they have subscribed to X amount of months etc (Ie: if you're not registered then you can't see what's on forums etc) that way you can keep these "boring idiots" away from sites which contain adults and sensible young people who just want to share their common interests, chat and make new friends etc - let's face it, the world nowadays is full of people who are just plain "sad, boring and insulting idiots"

SteveS :evil:
basildd
UKTS Loco Painter & Decorator
Posts: 7309
Joined: Wed Dec 12, 2001 12:00 am
Location: Moving ever northwards...

Post by basildd »

johndibben wrote: I know I have a 'bee in my bonnet' .... like Basil had a 'wasp up his nose' .... but you're obviously doing what you can in the time you have to do it :wink:

BTW When 'Basil gets a 'wasp up his nose' 40' willow trees disappear .... (private joke) .... I'm not messing with him :wink:
On inspection, it wasn't only the willow tree! 8)
Dale / BasilDD
