Eric

Especially Judy!

11 hours ago, Sara EA said:

How much data does Google collect behind your back?  Anyone look at the Google Voice privacy policy?

Your phone number, the called phone number, the date and time of the calls, the content of your voicemail messages, the text messages sent through the service, etc.  I wouldn't characterize it as "behind your back" as the sole purpose of the service is to intercept, process, and forward your call information.

https://policies.google.com/technologies/voice?hl=en-US

5 hours ago, Medlin Software, Dennis said:

Sounds great. 

5 minutes ago, Medlin Software, Dennis said:

I tested cloudflare. Did not offer me anything I could not get from htaccess country allow. Still plenty of bots in the us which is why I added the ip testing service. 

A few things

1. I had done some country blocking with .htaccss on the old server, but never felt confident that I had a complete list of IP ranges
2. The new server is running nginx, so no .htaccess
3. Cloudflare keeps the traffic from even seeing the website, since they manage DNS and issue the challenge before a request to the server is made
4. Aside from the country blocking, they're doing other bot detection magic, plus I'm adding custom web application firewall rules that are specific to the forum app.

I'm a fan of doing as much of this as possible at the proxy, but I also have nginx rules set up for anything that gets through.

I'm using CloudFlare to manage DNS and as a proxy in front of the site.  If I set up the rules to block traffic from outside of the US at that level, they won't even hit the web server.

My only worry is that if a forum member is blocked for some reason, they're not going to have any way to let me know they can't get in.

Since enabling the captcha 30 minutes ago (click the checkbox to prove you're not a robot), out of 910 challenges only 4 were solved.  It may not be necessary to block the traffic completely if the challenge is effective against the type of traffic I'm trying to prevent.

I've just set up rules to issue a captcha challenge for any visitor not from the US or Canada to help with the bots and spammers.  I'm interested to know if anyone on the forums gets caught up in those--if not, I may block traffic from outside North America entirely.  I wouldn't normally do something like that, but this is a very US-specific site.  Can anyone think of a reason not to?

37 minutes ago, Lion EA said:

Wow! Quick work, Eric. We appreciate your knowledge and hard work to make this move and to continue to monitor it for us. Thank you!!

You are welcome! I ironed out and documented the process yesterday, and everything went smoothly this morning. 

Alright, everything is moved and at first glance, things appear to be working normally.

A lot has changed behind the scenes--more than I'd normally like to change all at once, so please report any issues or broken features you encounter.

Hi folks,

The server move I mentioned last month will begin soon:

You'll know it's in progress when the forum is replaced with a static message, and you'll know it's back up when the message is gone and there's an update on this post.  

I've done a trial run of the migration and although it went smoothly, I expect a few bumps over the coming weeks as it starts getting real traffic.  Thank you for your patience!

12 minutes ago, jklcpa said:

The site does have the option to stay logged in, and stays that way until the user clears browsing history unless leaving cookies intact.  I'm logged in almost all the time.

The site also has the ability for a user to log in anonymously too and stay that way.

 

Both good points.  Even in a situation where the site is cached for logged out users, the TTL would be set to a low value, likely to an hour or less, so they would still see almost all of the most recent content.  Then, after that period of time, the cache expires and the next hit generates a fresh copy.

It would go a long way to dealing with all of the bot activity that the site sees.  Every hit from one of those bots is processed like any other, which generates multiple database queries.  Serving them a static file would be tremendously more efficient.

In any case, I'll know more once the move is complete, and I've had time to work on the server/software configuration for a little while.  There's a reasonable chance we'll be able to get away without the caching layer at all.

On 4/23/2024 at 8:53 PM, Catherine said:

Thank you, @Eric, for everything you do for us.

Do you need any donations at this time to fund the new server? If so, please let us know!

You're very welcome.  I feel like people should be donating to Judy instead, as she's got more to do with keeping this place running smoothly than I do. 

I doubt there will be any significant change in cost--instead of one powerful/expensive server, I'll have all my sites broken up into multiple smaller, less expensive virtual machines.  We'll see how the first few days go.  Because the whole site is dynamic, I can't get away with leaning on caching as much as I do with your average static website.  E-Commerce sites are similar in that way.  

It'll be interesting to see the CPU/RAM required to run the site when it has its own dedicated resources to work with.  If resource use seems excessive even after tuning, I may entertain caching the site for guests (those who aren't logged in) so that content might be outdated by an hour or two unless you log in.

Hello all,

We've had some (very few, but more than zero) issues where database tables have crashed during times of heavy load on the server.  These load spikes are usually related to other sites that I'm responsible for that happen to share resources with the ATX Community.

These haven't been significant issues, and in fact have been very easy to resolve when they arise, but it does cause brief downtime on the Forum.

So, in the interest of constant improvement, I would like to move the ATX Community to its own server (VPS) with its own dedicated resources.  There are other server configuration changes/challenges that I'll tackle at the same time.  Because this is the only forum I maintain, I am less experienced with performance tuning for this software than, say, more standard website content management systems.

All that to say, I am expecting it to be a slightly bumpy transition but with improved speed and stability in the long term.  There might be as much as one or two days of downtime followed by intermittent hiccups until everything is smoothed out.  I'm aiming for mid-May to get this work done, but there is no hurry on my end.  If there are business reasons to put it off longer, please speak up!

Thanks!

45 minutes ago, Lion EA said:

Thank you for taking good care of us, Eric!

I was up late last night and saw the posts coming in. It was not all at once, automatically. There were a couple of screen names posting with about the speed of someone cut/pasting manually. It was kinda odd. I'd leave after a bunch/page-full and then return to another few, or I'd report some to see more came in while I was reporting, rinse & repeat. That kind of speed.

I apologize for inundating you with so many reports. In my sleep-deprived state it seemed like a good idea to report a bunch so you'd see the extent of the problem before you had to enter the message board or without looking farther.

I did see those reports along with Judy's email this morning.  

The registrations are happening manually.  They're answering the questions correctly and not trigging Google's ReCaptcha service.  They're also using unique email addresses for every registration. 

Once they made it past the registration process, they have a script that will automatically post content, but the forum doesn't allow people to post more than once very quickly, so that throttles how fast the spam can be added.  With 110 accounts, though, it can pile up quickly.

Your email addresses are not readily accessible on this website.  Only Judy and I can see email addresses for individual users.

You bet!

I may end up taking the forum down again soon, it looks like they're still making it through although more slowly than before.  I need some time to look at where these accounts are coming from--the registrations seem like they're being created manually, not by bots, and then once registered the posting is automated.  I may end up blocking all traffic from Russia and China, but need to investigate the traffic more closely to see how effective that would be.

I could also add a manual verification step to registration, but I need to look more closely at what that process would look like on our (your) end as well.

Happy Independence Day, everyone!

The forum was inundated with bots this morning and they were able to many accounts and many, MANY pages of spam topics in about 2 hours.  I've deleted 110 accounts and 2,568 topics from the site, so it should be all cleaned up now.  If you see anything that I've missed, please use the Report feature on the post.

I've made some minor changes that will hopefully keep this from occurring again, but I'm not completely confident that more significant changes aren't necessary so I'm keeping a close eye on the forum.  It should become apparent very quickly whether the bots are still able to get in once the forum is open again.

Thank you all for your patience!

My daughter (11) is a fan of Vihart's videos.

She let me know on the 14th that Phi is much cooler than Pi. Then I called her a nerd.

I think they're fixed!

Hey, look at that, they're broken.  Thanks for bringing this to my attention, I'm looking into it now.

I can only imagine it was a weird caching issue.  Even if you omit the 's' from https:// the site should redirect you to the secure version.

Mozart tells the most intricate poop jokes.

Windows 11 is mostly minor refinements, minor new features, and a fresh coat of paint compared to Windows 10, not a huge overhaul like the new version number would suggest.  I would say that if your software vendor says it's compatible, and manufacturer of your peripherals (printers, scanners, etc) are supporting Windows 11, then you're safe to use it.  Do whatever you're comfortable with.

https://support.atxinc.com/includes/atx system requirements.pdf

I think doom and gloom rants about either choice (sticking with Windows 10 or choosing to buy a Windows 11 computer) are probably a bit of an over-reaction.  I don't think there's much risk either way... but if you're the type to get flustered by technology changes, then right before tax season might not be the ideal time to start getting acquainted with a new version of Windows.

The article that I believe prompted the above comic:

https://www.baekdal.com/thoughts/password-security-usability/

From the article: It is 10 times more secure to use "this is fun" as your password, than "J4fS<2". At least, that was true until the article was published.

When I have to create passwords for another person's account, and I'm not sure if they'll take the time to change it, this is the method I use.  Example: purple-spotted-skipping-hamster

It's completely random, extremely secure, and easy to remember and type.

Unfortunately, even though the password would take hundreds or thousands of years to crack, it's deemed insecure by many password strength indicators because it's missing a number or a capital letter.

On 8/19/2022 at 7:30 PM, Lion EA said:

It did do a security update 8/17/2022. I'm nursing it through until the next version comes out.

Apple just released iOS 12.5.6 on August 31. This patches the same serious vulnerability that they had previously patched in newer versions of iOS.

https://support.apple.com/en-us/HT213428

https://arstechnica.com/gadgets/2022/09/apple-releases-rare-ios-12-update-to-patch-zero-day-webkit-vulnerability/

On 8/19/2022 at 5:51 PM, Lion EA said:

Wait, wait. So the iPhone 6S is newer than my iPhone 6? And, I won't need the security update? Or, I DO need a security update due to recent activities, but my phone is too old to get it?

The 6S is newer than your 6, and Apple's release says only the 6S and newer is affected.

There is the possibility that since the iPhone 6 is "stuck" on iOS 12, it never received version of iOS that was vulnerable in the first place.

Nope, not the case, they just took their time fixing the bug in iOS 12 and patched it weeks later.