patrick.net

Patrick says

That will issue you a new random password.
... I have learned that a fair number of people will use, say, their banking password.

That's pretty reasonable, given how much safer it will be for everyone. Maybe you could add a little blurb on the profile section to save people some time?

I believe the problem of reusing of passwords is solved by adding a salt value to the user's password before salting. I remember the old days of UNIX where the operating system kept a text file of names and salted hashed passwords. Everyone could see that file! Maybe that has been broken by brute-force nowadays?

I propose a new Social Network Model.
The missing password question gave me a mind spark.

Instead of a Social Network where extroverted people go beat their chest and expose their inner demons, and cancel themselves for their outrageous ideas.
How about a website you go to that has a selection of Monikers, already with Username and a profile. (lots of preset monikers, with a wide range of personalities and interests)
You don't log in, you don't sign up, you just visit, assume a moniker and make posts much like Twitter, Gab, or Patnet. You may or may not, identify yourself in the post, though it would defeat some of the purpose for this style of Rando Anon Networking.

This idea gives me a lot of curios things to ponder how people will behave. A place where Truth Bombs can posted, without the Canceling or Doxing. Even if the Fuckers get mad at a Rando Anon thread, they'll have no idea, that original poster posted in one of his threads, and he was having a civil conversation with that person.
Monikers wont be vilinized, unless one happens to be the one assholes and trolls' gravitate to.
It would be kind of funny to see hot women posting bathroom mirror duckface shots under the name Farah's Faucet.
I wonder if that kind of platform would illicit the same perpetual victims that like to sign up for the traditional bluemark verified bonefide services?

Patrick says

So not allowing password choice is a defense mechanism against that. I know it's not great, but I can't think of a better solution.

NOTE there is a danger with this - if they are able to get onto your site and monitor the traffic, they can see the password in the clear before it is translated into the "true" password which is the hash.

@Patrick:

I can because I know how Unix does this. Use password salt. So, don't store a password directly, store a hash of the password plus salt:

https://cyberhoot.com/cybrary/password-salting/?source=patrick.net

It's called adding salt to the password. Something that should work well is something like:

SHA256SUM ("user selected password" + "patrick.net" + "user name")

So for me it would be something like

SHA256SUM ("MyEasyPassword patrick.net richwicks") which works out to be:

f67e091546188ba42d39f3706de32ed6009649f013e68a14f7f4a11adba65b9a

The reason you want the salt to change for every user (in this case the salt is "patrick.net richwicks") is that solving for the hash for ONE user, will only solve it for that one user. Somebody trying to crack passwords have to go through the ENTIRE dictionary of possible passwords for every single user, not just once. The hash will be different for each user even if they have the same password.

Also the salt should be last, otherwise a cracker can cheat by doing SHA256SUM ("patrick.net richwicks") ONCE and from that point, start guessing passwords. It reduces the time needed to calculate "patrick.net richwicks" each time. SHA256sums are calculated from left to right.

SunnyvaleCA says

Maybe you could add a little blurb on the profile section to save people some time?

Good idea, I will add a blurb on the profile section.

I already store the passwords md5 encrypted with a salt, but if someone got control of the site, they could see the password when it is sent to the server before I salt and encrypt and compare.

I suppose that problem could be solved by encrypting the password in the browser with js before sending, and then comparing encrypted versions on the server. But then again, if someone got control of the site, they could disable that js. it's a never-ending arms race, so I pre-empt it by just making passwords random. Then the worst they can do now is just fuck with the site, but not with your bank account. I regularly upload new code, overwriting what is on the server, so they couldn't even do that for very long, I think. But surprises abound in the tech world.

Mirror the site on the dark web in case the man tries to shut you down...


https://www.zerohedge.com/markets/death-truth?source=patrick.net

Patrick says

So not allowing password choice is a defense mechanism against that. I know it's not great, but I can't think of a better solution.

Currently the password size is six. anything smaller than eight can easily be hacked now days. Suggest bumping length to at least 10.

Did anyone requested to see only the new messages when clicked on a previously visited threads. This should eliminate lot of redundant traffic.

Well, when you click on a previously visited thread, it should already position the page so that you start at the new comments. Let me know if that is not working.

Patrick says

should already position the page so that you start at the new comments

It starts at the last page of comments, but it doesn't scroll to the location of the last comment I saw previously. If memory serves, if I never visited the thread previously, then it still shows the last page of comments. That sounds like a much easier system to implement, but I think Blue's idea would be great.

Are you clicking on the "unread comments" icon?




If I click that, it pops to the location of the last comment you saw.

Patrick says

Are you clicking on the "unread comments" icon?

Nope! Not discoverable. Just looks like an annoying animated gif designed to further distract me. (Ooops... sorry. "Annoying" is redundant, as all animations are annoying.). I see you have a text description, but I never bothered to roll over that graphic. I thought it just indicated maybe that there were some new messages.

I'll be clicking that now, though!

Well, that's good feedback. I twas obvious to me, but then I created it, lol. Hard for you all to know what I'm thinking.

Maybe I should have every post link simply open at the next unread comment and not at the top.

Oh, and try the "unread" tab which I created a few months ago.

It will open your most recent active, popular, or new post (depending on what tab you're on). You can just click on it over and over to quickly catch up on everything.

I guess that's not obvious either, but I don't know how to explain it succinctly.

I was just scrolling through those tabs today. I think we are in such a hurry, we just don't pay attention to details anymore. Proof: I'm a SW tester, my career exists for that exact reason.

Good to know about the icon, will retrain myself to start using that.

I think it does make sense to jump to the latest unread comment for people who are logged in and click on a post link.

So I'll make that the default action.

How hard would it be to add a DM feature so we can message other users directly?

It would be significant work to add it as an on-site feature, and then I'd have the problem of people threatening each other over DM. I don't want to be the moderator for that kind of thing.

I used to have a "befriend" feature where if you befriended another user and they accepted, you could both see each other's email address. It would not be very hard to bring that back, and would get me out of the moderation game. Should I add that back?

Patrick says

It would be significant work to add it as an on-site feature, and then I'd have the problem of people threatening each other over DM.

I'll tell you how to fix that, any direct message can be made public by either user - maybe have email addresses removed - those are easy to detect \S+@\S\.

So if somebody makes some crazy statement in a direct message, just expose it.

Patrick says

I think it does make sense to jump to the latest unread comment for people who are logged in and click on a post link.

So I'll make that the default action.

OK, I did that thing.

So if you click on a link on the home page or any other list of posts, you'll automatically jump to the oldest unread comment on it.

I use the heck out of the handy "bottom" and "home" links. I notice today the "bottom" link puts you lower in the thread but not to the bottom, I keep having to click the "last" link to get there. Had me confused looking for my "deleted" post at first.

Also, since bringing it up last, I've figured out which tags work for bold, italic, and underline. When you have time, adding a tool to drop open and close links at the cursor, or before and after highlighted text, would be very much appreciated and save on using CAPS for routine stress or emphasis.

Just read the comment above mine, that the "bottom" functionality was changed to "last post read." That's actually a good idea, but you might change the text to "last read" and bring back the "bottom" link with its original function.

Automan Empire says

I notice today the "bottom" link puts you lower in the thread but not to the bottom

@"Automan Empire" This is news to me. I cannot reproduce the bug. "bottom" in the lower left of each page works the same as ever for me. Can you give me a post where this happens?

Yes, I should add a tool to make it easier to format.

You can surround a word or phrase with the * character to make it bold or the _ character to make it italic.

After experiencing it several times in a row earlier, then not being able to duplicate it in several ways now, I believe I figured out what's going on. When a positioner like this gets appended to the URL

?offset=280#footer

then "bottom" won't take you farther than the bottom of the same "page" the referenced post appears on in a long thread, no matter how many times you click it. Maybe it's always worked like that..? I assumed the "bottom" was supposed to act as a page-down on long threads, so repeatedly clicking would scroll you to the bottom.

It might be an artifact of my habit of getting a stupid amount of open tabs going, doing Patrick activities on some of these, then much later coming back to the computer and clicking on one of the now much older open tabs.

Also, I found that the markdown tags work but are tedious, glad to see * and _ supported too.

Patrick says

So if you click on a link on the home page or any other list of posts, you'll automatically jump to the oldest unread comment on it.

Seems to be working! Funny thing is I think it's a little bit weird. It's pretty clearly the best behavior, so probably just need to get used to it.

You probably don't need the View Unread Messages button on the home page links. That button does at least serve as an indication that I have or haven't viewed a thread at all.

@patrick is patnet source code still hosted publicly?

@Hircus No, I removed my github account when they imposed a politically motivated terms of use.

But if you want the source code, send me an email at p@patrick.net

Well, anyone can always just log out and see all the comments, so there's no way to completely block a particular user from seeing your comments.

I know some people used to keep a separate porn window open to view the site anonymously just so they could see comments which were blocked by mutual ignore when they were logged in. So in the end it seemed silly to try to prevent people from seeing whatever comments they want to.

I suppose I could require login to see the site at all, and then block, but:

1. people will get throwaway accounts, again to see the blocked comments
2. I want the general public to be able to read all your comments without logging in

Patrick says

I suppose I could require login to see the site at all, and then block

I think you are being fooled into accommodating the minority.

This is a public forum, it should be accepted that what is posted here is public. If people want private communication and don't want to share their thoughts outside of a group, there's mailing lists.

richwicks says

Patrick says

I suppose I could require login to see the site at all, and then block

I think you are being fooled into accommodating the minority.

This is a public forum, it should be accepted that what is posted here is public. If people want private communication and don't want to share their thoughts outside of a group, there's mailing lists.

yes please don't change that, it's nice to read it if i can't login on the device. i have multiple devices, i don't have login on all of them.

HunterTits says

richwicks says

This is a public forum, it should be accepted that what is posted here is public. If people want private communication and don't want to share their thoughts outside of a group, there's mailing lists.

Every other 'public forum' lets users block others. Standard practice.

Every other public forum allows you to not see what somebody posts, not to prevent them from seeing what you post.

To do that, users would have to be uniquely identified through a phone number or something similarly fascist and invasive, to prevent people from signing up with multiple accounts, and even then, they can view it when they aren't logged in at all.

Does anybody want to recreate Twitter here?

What you say here, is public. You are free to use a pseudonym, you can use tor to connect, or a VPN. What you say here is public, although its trivial to make yourself anonymous. Brave has Tor, VPNs are priced around $1.00 a month - why would anybody want to prevent people from reading what you post? They can bitch and moan about it, but can they demonstrate you're incorrect?

HunterTits says

How come I can't downvote posts by people who set me on ignore? I can comment on them.

@Patrick - I think that IS a bug.

I once suggested you shouldn't be able to downvote a person without making a reply. Just telling a person they are wrong, doesn't allow them to evaluate how they may be wrong. I hate getting downvotes without somebody explaining how they think I'm full of shit.

You disagree with me? Fine, but explain why. Maybe I'm full of shit. I can't change my mind without somebody explaining how I'm wrong.

I'll look into it.

I have a suggestion, I never see the "unread" part of a new post, because it's not noticeable. I want to suggest replacing:



with the following image to replace it:



That's the same image, cleaned up, in red although I got a little fancy with the "a" - I added a tail.

Patrick says

@SunnyvaleCA

The only way is to use the "forgot password" link. That will issue you a new random password.

I know people want to choose their passwords themselves, but from years in tech, I have learned that a fair number of people will use, say, their banking password. So then if patrick.net got hacked, it's possible that the hacker would get your banking password and your email address. Not good.

So not allowing password choice is a defense mechanism against that. I know it's not great, but I can't think of a better solution.

I used this mechanic of temp password in past, But Now I can set password.
Go to your profile and "type password" and it takes that password.

richwicks says

I have a suggestion, I never see the "unread" part of a new post, because it's not noticeable. I want to suggest replacing:



with the following image to replace it:



That's the same image, cleaned up, in red although I got a little fancy with the "a" - I added a tail.

Thanks for the volunteer work @richwicks !

I uploaded it and am trying it out.

this is bold and this is italic

personal

I think they work, except perhaps at the beginning of a line:

*bold*
_italic_

Made note to fix that.

Patrick says

I think they work, except perhaps at the beginning of a line:

bold
italic

Made note to fix that.

OK, fixed.

Hi Pat, looks like uploading pics is busted for me.

Might have something to do with the underscores?