@mschwartz said in Who is using NodeBB?:
I’m using NodeBB to run a collaborative site for residents of a 55+ (seniors) community.
That's an interesting use case.
@phenomlab said in .zip and .mov TLDs:
@scottalanmiller said in .zip and .mov TLDs:
I'm confused, lol. Are you saying you use CloudFlare too for DNS?
Yes
OOHHHH, cool. Yes, me too obviously. Definitely the best DNS host. Although the speed doesn't do anything really for day to day site usage, it sure makes making adjustments quick and easy.
You should try out their proxy services. They are the best and free.
@oplik0 said in .zip and .mov TLDs:
@julian I doubt Cloudflare will abandon their domain registry even if it doesn't make them much money
I'd say especially because of this. It's a zero profit item and they knew that going in. So it has no need to make money. They make bank in other areas, they are enormous now. And the cost of being a registrar is extremely low. So I'm sure it doesn't even show up on their radar.
@phenomlab said in Who is using NodeBB?:
@scottalanmiller there isn't from recollection or my own personal experience
I'm confused, lol. Are you saying you use CloudFlare too for DNS?
@phenomlab said in Who is using NodeBB?:
@scottalanmiller fastest DNS. I don't use their other services.
I mean just DNS. CloudFlare's biggest thing has always been the fastest DNS on the market. I'd be interested who else is even in their category.
@phenomlab said in Who is using NodeBB?:
@julian I have a load of domains hosted there. They are very cheap as a registrar and they have arguably the fastest DNS on the planet.
Fast like CloudFlare?
If I'm leaking all that data, I'm leaking that data regardless of the .zip domain. What Cisco is proposing is hiding the security risk rather than addressing it. If someone on my security team said this to me, I'd be pretty upset. If I said this when working on Wall St., I'd expect to probably be in big trouble if not lose my position. This isn't a little mistake but a fundamental misunderstanding of security (and IT basics). Whoever wrote this article isn't even a casual, junior security person. Nor a casual IT one. If this person was hired to work in security and claimed to have security experience, I'd be worried about professional negligence lawsuits if something bad happened.
This is like finding out that your team is taking private company data and putting it outside on the lawn for anyone to grab. And instead of telling them to not do that anymore, asking them to write "Private, don't look" on the envelope.
@phenomlab said in Who is using NodeBB?:
@scottalanmiller I'll just leave this here.
".Zip" top-level domains draw potential for information leaks
As a result of user applications increasingly registering actual “.zip” files as URLs, these filenames may trigger unintended DNS queries or web requests, thereby revealing possibly sensitive or internal company data in a file’s name to any actor monitoring the associated DNS server
Cisco Talos Blog (blog.talosintelligence.com)
Plus, the fact that they are used to register legitimate domain names for nefarious purposes as likely few have actually thought of registering it themselves.
In the Information Security arena I am in, the frequency of these domains being used in attacks is increasing daily.
So this article is a perfect example of what I mean. Let me quote some:
"How URLs based on filenames can leak information
Talos assesses that domains employing “.zip” and similar TLDs increase the likelihood of sensitive information disclosures through unintended DNS queries or web requests. With the availability of the new “.zip” TLDs, messaging applications like Telegram or internet browsers began reading strings ending in “.zip” as URLs and automatically hyperlinking them. This is especially problematic in chat applications, which sometimes trigger a DNS or web request to show a thumbnail of the linked page. For example, the following chat application changed what was meant to be the name of a file “update[.]exe[.]zip” to a hyperlink pointing to the URL “https[://]update.exe[.]zip”:"
So instead of highlighting the ACTUAL security issue of automatically choosing any string as a URL and hyperlinking it and fetching it and sending DNS to public space (wow, that's a lot of mistakes to make this happen) and blaming the use of insecure products, they point to the benign .zip URL. Because they are trying to cover up the actual security holes.
This is the same Cisco who ten years ago told me I needed a terabyte fiber link to my desktop or YouTube wouldn't work. I'd never put Cisco and security together in a sentence. That's a company whose claim to fame is selling smoke and mirrors to upper management and bypassing IT decision making. Their articles aren't for IT people, they are just selling FUD to management so that they can sell their useless products.
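Added example, not code from this thread or from the Talos article quoted above: a small Python pre-send filter that reproduces the naive chat-client rule the article describes (any dotted token ending in a known TLD becomes a link), reports which filename-like tokens it would turn into .zip/.mov URLs, and rewrites them with the same "[.]" defanging the article uses so no client fires a DNS or preview request. The regex, the function names and the TLD list are assumptions.

```python
import re

# Assumed list of TLDs that collide with common file-name extensions.
# Only .zip and .mov are discussed in the thread; extend as policy requires.
COLLIDING_TLDS = {"zip", "mov"}

# Simplified linkifier rule in the style of chat clients: a run of
# dot-separated labels, not already part of a longer word or a URL path.
_CANDIDATE = re.compile(r"(?<![\w./-])([A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+)(?![\w-])")


def linkified_hostnames(text):
    """Return (token, url) pairs a naive auto-linker would turn into links.

    Only tokens whose last label is a colliding TLD are reported, since those
    are the ones where a file name silently becomes an outbound request.
    """
    hits = []
    for m in _CANDIDATE.finditer(text):
        token = m.group(1)
        tld = token.rsplit(".", 1)[-1].lower()
        if tld in COLLIDING_TLDS:
            hits.append((token, f"https://{token.lower()}"))
    return hits


def defang(text):
    """Rewrite the final dot of risky tokens as '[.]' so nothing auto-links them."""
    def _fix(m):
        token = m.group(1)
        head, _, tld = token.rpartition(".")
        if tld.lower() in COLLIDING_TLDS:
            return f"{head}[.]{tld}"
        return token
    return _CANDIDATE.sub(_fix, text)


if __name__ == "__main__":
    # Constructed sample message, modelled on the article's update.exe.zip case.
    msg = "please grab update.exe.zip and holiday.mov from the share, not report.pdf"
    print(linkified_hostnames(msg))
    print(defang(msg))
```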
@julian said in Who is using NodeBB?:
@phenomlab Perhaps one can drive home the point by registering quarterlyreports.zip and having it serve a zip bomb
But you could do that with a .com and make the opposite point, too. The only real answers are... good users, good secure processes/procedures/platforms. Bandaids are the most dangerous things because it makes people feel that they can act recklessly and blame IT, when in reality nothing was done to protect them.
@julian said in Who is using NodeBB?:
@scottalanmiller I am paraphrasing, but iirc the concern is that it short-circuits common wisdom to "check the url before clicking". For example, I could craft an anchor to this attachment which on cursory glance looks to be a file, but is in fact a website.
A lot of it relies on people being dumb. Most competent tech people can see that URL and know it's a domain, not an attachment... however "people" are often the weakest link, security-wise.
Edit: Originally, the url I chose was malicious.zip, but when I tested it, it downloaded a zip file to my computer; suffice to say I deleted it immediately.
But that's what I was saying... the risk isn't the URL, it's using an operating system that uses three letter name extensions to denote behavior is inherently risky and if people were ACTUALLY concerned with security at all, they would react rationally instead of emotionally, and have long ago moved away from Windows and actually fixed this risk. Avoiding legit domains because their users are too dumb and their security allowed Windows through seems more like an admission of failure and a tacit disregard for actual security. As we say in IT "politics over profits"... looking to clueless managers like we are doing something, rather than actually doing what we are supposed to do.
In most settings, users shouldn't be working with files at all in modern workflows. But that's another level beyond just moving to more secure operating system platforms and processes.
@brazzerstop said in Who is using NodeBB?:
@tankerkiller125 Thank you for sharing this info, I found out about .zip .mov domains just now.
There is a domain for essentially everything at this point.
@tankerkiller125 said in Who is using NodeBB?:
@crazycells It's a massive security risk along with .mov
We've actually straight up blocked .zip and .mov TLDs where I work. And I know a lot of other companies have/are doing the same because of the risks it poses.
Risk? How does it pose a risk? It's a URL, how does it pose any different risk than any other three letter extension? I have a feeling you are citing a risk of Windows, or a perceived risk of people who use Windows. If the use of three letter extensions to denote file types is a risk, blocking the use of Windows would be the thing to do. Not blocking random Internet domains because they overlap with a third party naming convention on Windows.
If that's not it, I can't even guess what risk three letters have when it is z i and p rather than o r and g or c o and m.
@BrotherGlaucon said in Private messaging:
And the reason I posted in an old thread is because I assumed that the battle was lost, and the damage done, years ago. I simply wanted to cast my vote and provide others with an opportunity to correct any misconception that I may have been laboring under. I really like NodeBB and I have spent a lot of time with it this week, but the lack of PM blindsided me.
This makes no sense as it has PM. Messages that are private. I sent you a message to show.
@BrotherGlaucon said in Private messaging:
To give an example regarding threading, if I want to have two separated conversations with a single individual or group, this is not possible with chat, no?
That's an assumption that has no basis in reality. That it is chat does not imply one way or the other. You are acting like chat and PM are technical terms for specific technologies or approaches, but they are not. They are common sense English language terms for usages of messaging systems. One thing that is universal, all PM systems are chat systems, a few rare chat systems don't support PMs. That's it.
NodeBB has both in every sense.
@BrotherGlaucon said in Private messaging:
My post was a direct response to that claim, and you clearly missed this. Chat does not work like PMs. Chat is not "content-rich, threaded, and approached by all parties in a long-term sort of way."
That's not what chat means. You missed that we had already said that the two were the same and that you can't make up your own definition. That's not what chat means. As someone who has run commercial chat systems for decades, I can tell you that that's neither technically correct, nor colloquially correct, nor implied in any way whatsoever.
Standard chat systems from nearly any vendor ever have not worked that way. Both chat and PM terms have always overlapped when chat systems allowed privatization of channels, and both have been lean when rich media was difficult and both rich when it was available.
There is no separation between the two except when chat is non-private. PM is just chat that is private. There is no other definition.
@scottalanmiller I PM'd you so that you could see it in action.
@BrotherGlaucon said in Private messaging:
@cytrax said in Private messaging:
Something as simple as a PM system is what a new prospect would look at. I read somewhere within the forums that it would be great for gaming sites to adopt NodeBB. Well, I am that guy from a gaming site that's looking to start using NodeBB. And I can tell you that it would be a deal breaker for my users if I try to force them to use a system without PM. Actually, I would get stones thrown at me and threats made against my dog. lol
Yes, I agree. Did you have any luck finding a workaround for PM's in NodeBB? What were your findings in this area?
(Sorry for the long interval - just had to try to pick your brain!)
There's no workaround as it has PMs. What do you expect the PMs to do that they aren't doing today?
@BrotherGlaucon said in Private messaging:
If I missed the feature, then I am to blame.
As the developer said in the post that you responded to: "The current chat feature has no difference than a PM system."
@BrotherGlaucon said in Private messaging:
@scottalanmiller said in Private messaging:
This entire thread is about using the PM system. We've had PMs on NodeBB since I can remember.
Then how do I use them? Are you confusing PMs with chat?
If I missed the feature, then I am to blame. But if you haven't understood my post, then you are to blame. I specifically talked about the difference between PM's and chat via private threads...
You can't just make a new definition. There is a PM/chat system here. It's both a chat and a PM feature. It has both covered. You just select the person you want to PM and it is a private chat with them. The ability to talk to groups of people exists, too.
@BrotherGlaucon said in Private messaging:
Over at Misago there are no private messages, there are only "private threads," which is really the same thing, and it also reveals the difference between a PM system and a chat system. A PM is basically a private thread with a limited number of participants. It is content-rich, threaded, and approached by all parties in a long-term sort of way.
So you are a Misago shill trying to promote them here by accidentally saying that they copied the system from here?