Jaderune Pen Pals

[mystic]

Recent incidents have made me think that we need a strengthening of the security protocols. While something can be made at the software level, something needs to be made at the social level. So, I will summarize what we have up to now, and what we can do. I would like to receive your feedback, because it is important to see where Jaderune is heading to.

So, everybody knows that we have been under attack since uncountable months. In December, a huge work was done, purging something like 59,500 accounts, most of which were just bots (non human). Then, we observed some crazy people trying to re-register new accounts, because they found out they had been banned (probably the bot's commanders). In the registration process, we added a security code that changes every time. So, bots cannot pass through. Therefore, now we only have real human beings who have to register manually. However, many register, try to post spam, links, etc., and get automatically deleted. Others are smarter and create "dormant accounts", ready to be used when they need it. A lot of those dormant account come from China, where lot of young people are paid to hack into forums and websites. They cost less than writing a robot, and that's why they come to Jaderune. This led to a stricter enforcement of the software rules. All dormant accounts (without posts) for 15 days are automatically purged. This was a hard decision with the site owner, because the purged "false positives" (casualities, genuine accounts) skyrocketed. It's rare, but sometimes we get a complaint from a genuine user whose account was terminated because of "profile abuse" - which simply means no posts in 15 days since subscription. But it is clearly stated in the registration form in red, and it kept the forum very clean and safe until now.

Then, we had one or a few trolls who come with a hidden agenda and try to discourage the participants usually with flagging an entire people with some preconceived ideas. Mostly they talk about money, poverty, etc. Members become disgusted, and we lose users, because instead of a nice place the forum becomes a place of war. That is an abusive behavior, because it offends the soul of a people. One is entitled to such thoughts and can share them privately, but in public it is a violation of the forum rules. So, we have software that flags certain words and check the identity of the offender. If it is found that he uses proxies, fake names, etc., he is asked to be verified by sending us a valid ID card scan (passport, ID card, driving license, etc.). If they don't comply, their accounts gets disabled. Here we can make some improvements. We can make a module that automatically checks every user IP for proxies, hidden servers, etc., and purge their account automatically. Also, we can state more clearly in the registration rules that it is forbidden to talk about money issues and that at any time, at simple request, for verification purposes they are obliged to show their ID card.

Recently, we spotted out DannyJones. I have no doubt he was a scammer, and probably BigBlastGuy. But I still have a doubt about Gary2310. One reason for all is that, if one is a cheater, he does not use his home DSL connection straight away, knowing that he will get caught. But... he got resented of the verification check and does not collaborate showing us a valid ID card. His main objection is that he is afraid of identity theft. I would like to develop some protocols that ensure us a proper security check without making the people feel uncomfortable.

One of my question is, is it so unusual in the US to ask for a document? I know about the identity theft in the US, indeed, but any office asks for a document anyways (from banks to anything). In my country there is no identity theft, because protocols are very strict. And it is very normal to show one's ID. So, I would like to know everybody's opinion and proposals.

The night brought me another idea. We could ask the complete generalities and phone number of the person as they appear in whitepages.com, and somebody of us could call to ensure that the person is real. Google and many sites work with SMS verification and operator calling. Obviously it is a cost, but we would do it only in extreme cases such as the recent ones.

What do you think?

[Edwin]

Mystic, you have a lot of great ideas! None of us wants increased scrutany, but when bad things happen we need that. Bank security measures often cause us troubles and inconviniences, but they are necessary. Yes, I have heard that identity theft is a big deal here in the USA, but, knock on wood, it hasn't happened to me yet, except that in 1986 I was vandelized, person things were stolen from me, and someone used one of my credit cards even after it was shut down, which I did immediately, but the bank suffered the loss, not holding me liable.

When I was offering a house for rent and sending out rental applications a few years ago, I had some people really interested, couldn't wait to move in, until they got my rental application requesting a social security number, and the I was talking with his wife, while he was yelling in the background about how he was not going to give out his social security number! The application also asked for banking information, and no one objected to that!

Mystic, we have had such negative things done to us on this forum a few times that I think stronger measures are necessary, because people who do things like BigBlastGuy, ManilaMadMan, GoldJackAss, and DannyJones have their nerve; they damage all the good people on the forum including decent western guys/gals, and all the filipinas, and they have no respect for any of us, and they don't care what happens to us, so I think what you are doing Mystic is great, even though, yes, some do object, yet it seems necessary.

I think calling on the telephone to verify that someone is a real person is a good idea when needed. I wouldn't mind getting a call like that anytime. But, I am one of those people who would not be in the white pages, because since 1998 we ahve not had a land line telephone, but use cell phones for all of our telephone communications. But, I wouldn't mind a call on our cell phone anytime. I will suggest that when you call you carefully identify who you are, because we get a lot of calls from people wanting to sell something, some on the level, and others seeking to scam us out of money. Many of them are recorded messages, and when we hear that we hand up. So let people know right away who you are, so that you don't get hung up on.

I think it is a very good idea not to allow money to be discussed, because that has been one of the major subjects at the bottom of all of this trouble. As well as money no one should be allowed to bash filipinas and say bad things about them, which also has been at the bottom of our troubles here. Because of the nature and purpose of this forum those subjects should be completely off limits! One thing that clued me in to the fact that DannyJones was not a good person, was that he said that other forums would not allow him to discuss what he was trying to write about here, and he had his nerve, and was very offensive to try that here!

[mystic]

Cell phones, unfortunately, cannot be verified because they are not published. One could give fake data and a true cell phone, and you would never suspect that he cheated you. We should find a way that was already verified by somebody (for example, whitepages.com already verified the person, if they included him in their records) and lean on that. It could be even a golf club card, and then we would have to call the golf club for verification, but this seems excessive.

For another site, I implemented in the registration process the upload of an ID card. So, one is not concerned that somebody intercepts an email and uses one's data, because the document is directly stored in the server in a secure location (typically, the web server is accessible from the internet, but the received document is stored in an internal LAN, or a place that is not accessible from the internet; so there is no chance that somebody hacks the server and finds the document).

Another idea that just came up to my mind is that Michael certifies the site with SSL, and we could have a special form where a user at request can upload his document. SSL certifies the security of the site, the owner is verified and his data published. It's the same protocol used for e-commerce. I made one registration of SSL once. I was called by the certificating firm and they even verified my work and called lot of people to ascertain my identity. However, an SSL certificate costs and has yearly fees. And we always have the risk that persons like Gary would feel that even with SSL they don't want to show their ID. So it might be wasted money. I would like to find the easiest and most comfortable way to verify one's identity.

[Edwin]

We had a land line telephone all our married life until we move to the Cascade Mountains, and there were no telephones there, so once two way internet satellite communication because possible we got that, and when we moved back home we simply did not continue the telephone, because supporting both was too expensive, and we get along just fine with the internet and the cell phone.

Yes, mystic, there must be other ways for identification, and I am carrying a whole wallet full of cards of various kinds, so something could probably be figured out with one of those.

Anyway I am glad that you are working to make our forum a better place to be by keeping out the people are are not nice!

[m&m]

I am glad that this forum really work good. I should say, thanks to mystic for his ingenuity and his willingness to share to us his knowledge. Because of this, I wish and pray that this gives you joy at heart as you have become a good encouragement here despite different perspective and ideas we share in the forum.