Attachment Approvals: Need for Faster Response Time

[ehrenfest]

I understand the need to prevent people from uploading explicit images and what-not, but I think I should get to upload attachment's without approvals after I hit 1000 posts, or at least more people should have the authority to approve attachments. I think it is wrong that I should have to wait more than a day to have my attachments approved.

 

[JasonRox]

That's a good point.

 

[Evo]

We try to update attachments as soon as we see them. Although, some attachments that are questionable may be delayed.

If you need an attachment approved right away, you can use the "report post" button and request the attachment be approved. That will bring it immediately to our attention. Just be careful not to abuse the report button and use some discretion as to how long you've been waiting. I usually go in and check for attachments at least once a day, as do several other mentors.

 

[JasonRox]

But let's you're a member and have like 1000 posts. Couldn't there be a direct approval system made?

What causes an attachment to be questionable, besides the obvious?

 

[Moonbear]

I think that's a good suggestion. If we haven't banned you for spam or crackpottery by 500 or 1000 posts, it seems we can probably trust you to have automatic approval on your attachments.

For now, if a post sits with an unapproved attachment for more than half a day (that seems like a reasonable time for someone to notice it), feel free to send a PM to a mentor or report the post to request we approve the attachment. You shouldn't have to wait over a day for approval; that is too long.

(P.S., Your attachments are now approved.)

 

[Evo]

I think there might be a limit with how powers are granted.

 

[Gokul43201]

We discussed this some among the Homework Helpers. Attachment approval is something of a problem in the homework forums, where typical response times are on the order of a couple hours, unless there's an attachment in the OP.

Automatic attachment approval for regulars would be sweet!

 

[Moonbear]

Or, alternatively, if HW Helpers and Science Advisors were allowed to approve attachments, it would probably speed up the response time. I'm not sure what the constraints are of the forum software, if it's possible to give people power to approve attachments without access to the other moderation tools, or if people can be put into a "regulars" user group once they've hit a certain post count that allowed automatic approval of attachments.

 

[Gokul43201]

Or, alternatively, if HW Helpers and Science Advisors were allowed to approve attachments, it would probably speed up the response time.

We've hoped/asked for this before, if I recall correctly. I think it is time for more aggressive lobbying.

 

[Evo]

If Greg can give attachment only approval to HH's I think it would be a great idea.

 

[Moonbear]

Greg's on vacation right now, so won't be able to respond to this right away.

 

[G01]

It sounds like a great idea, since pending attachments very often prevent certain problems in the Homework Forums from being solved, even if they are not really difficult for the helpers. I would be all for the "regular poster" idea or giving more people the ability to approve attachments.

 

[Integral]

Meanwhile, use the Report Post button to draw attention to a unapproved attachment. It would not be a bad idea for the OP to report the post for approval immediately after posting .

 

[Chris Hillman]

This is a Terrible Idea! Greg, Don't Do It!

I understand the need to prevent people from uploading explicit images and what-not, but I think I should get to upload attachment's without approvals after I hit 1000 posts

PF moderators have no way of knowing how careful even a long-time poster is regarding computer security! I for one strongly urge PF to continue to insist on individually moderating images and other attachments, including scanning them for possible malware. This is very important!

Please recall that many popular "social networking" websites, including MySpace, LinkedIn, Facebook, Friendster, and Wikipedia, have experienced problems with phishers uploading dangerous malware which seriously affected at least some visitors. To mention only one item from a long long list of possible unintended consequences of the proposed change.

Decisions which affect security always involve a tradeoff between convenience, practicality, and security. IMO, security should remain a primary consideration for the maintainers of PF, particularly given evidence of the changing nature of criminal activity on the web which seems to indicate a trend toward targeting social networking sites.

(Since this discussion affords me a rare chance to say something nice about WP, I note that one reason why so few security problems with WP, e.g. compromise of non-public portions of the internal database, have hit the news is that Brion Vibber has been much careful about security than some other networking website admins have been. Another reason, less happy, is that even computer literature commentators generally seem to be badly confused by the complexity of WP's social and software structure.)

If PF should seriously consider changing its policy by allowing users to upload anything which could cause unprotected browsers to execute unexamined code, please announce the change well in advance and give concerned users the option of not only not revisiting PF, but of having their information wiped from the internal database before the change is implemented!

 

[Evo]

That's a good point Chris. We make Moonbear open all of the suspicious links since she has a Mac.

 

[Chris Hillman]

All Joking Aside...



But seriously, while I do not use That Other Operating System, there are many very serious issues here. Compromising security is never something to do lightly, and if it were up to me, Greg and chroot would have regular discussions about reviewing and improving the security situation at PF, which would include tracking problems noted at other websites and corresponding with other admins.

I should probably point out that Macs are not immune to malware; see for example Macs seized by porn Trojan, 'First' Mac OS X Trojan sighted, and Virus dances onto Mac OS X from The Register. Likewise see Linux Malware On The Rise from InternetNews, Linux and Mac OS X get some love (?) from malware writers from Ars Technica, etc.

Everyone: I strongly urge that discussion of specific security concerns at PF be confined to PM for obvious reasons!

 

[G01]

But seriously, while I do not use That Other Operating System, there are many very serious issues here. Compromising security is never something to do lightly, and if it were up to me, Greg and chroot would have regular discussions about reviewing and improving the security situation at PF, which would include tracking problems noted at other websites and corresponding with other admins.

Everyone: I strongly urge that discussion of specific security concerns at PF be confined to PM for obvious reasons!

Very Good Point Chris. I have to agree that giving regular users upload privileges would be a security risk. Obviously, I still think that something should be done with the approval delays. They really do affect the efficiency of the HH forums. Obviously, I don't think we can ask too much more of the mentors (Evo would eventually snap and start swinging fishes in other forums.)

I would still support giving the privilege to the Homework Helpers with one caveat. There is an issue with giving the privilege to that large a group. That is a lot more people that would have to be trusted with an important part of running the site. If Greg thinks this is possible and workable, then great, but if he doesn't I would understand his concern.

 

[Chris Hillman]

Some suggested reading

I think a more reasonable suggestion would be to explore autoscanning of uploads by homework helpers whose IRL identities are known to Greg and chroot, using the latest scanning packages. But only after some careful checking that the new system is working as intended and only if regular checks are performed thereafter to ensure it hasn't been inadvertently broken by some unrelated upgrade.

I would be concerned about autoscanning generally because auto-anything provides a weakness which can often be exploited. Restricting autoscanning to uploads from a small and select group with the greatest need for the added convenience makes much better sense than enabling autoapproval of all uploads.

IMO, every effort should be made to minimize the chance of compromise of the internal database or of expositing PF visitors to the possibility that their browser will execute any unvetted code.

Here are some links to related new items from various on-line "techie" newsletters:

• Social web sites often easy pickings for phishers, malware writers, Study: surfers just as careless on social networking sites and The enemy adapts: the state of spam, malware, and phishing scams from Ars Technica,
• Wikipedia article to trick users into downloading malware, MySpace phishing scam targets music fans, and Grifters find rich pickings on social networking sites from The Register,
• MySpace faces security problems from BBC News,
• Social Networking Sites in the Crosshairs? from Technology News,
• Experts: Security Flaws Vary on Social Networking Sites and Social Networking Gone Bad from Dark Reading,
• http://www.pcadvisor.co.uk/news/index.cfm?NewsID=7522 from PC Advisor,
• http://www.pcworld.com/article/id,128835/article.html and http://www.pcworld.com/article/id,139506-page,1/article.html from PC World,
• Wikipedia hijacked by malware from Tech World,
• http://www.informationweek.com/story/showArticle.jhtml?articleID=197009245 from Information Week,
• http://archive.comnews.com/stories/articles/1206web/1206Intrusic.htm from Communication News,
• What threats are posed by the popularity of social networking sites like MySpace and YouTube? from TechTarget,
• http://www.hacksafe.com.au/blog/category/social-networking from HackSafe,
• http://www.microsoft.com/technet/community/columns/secmgmt/sm0307.mspx from MicrosoftTechNet,
• http://software.silicon.com/security/0,39024655,39167748,00.htm from Silicon.com,
• Viruses: Changing threats from Consumer Reports,
• http://www.ezinearticles.com/?Identity-Theft-Issues-and-Social-Networking-Sites&id=691967 from Ezine,
• http://www.allheadlinenews.com/articles/7009113142 (it involves Facebook) from All Headline News,
• http://www.sophos.com/pressoffice/news/articles/2006/11/wikipedia-malware.html from Sophos.

From the second Dark Reading item cited above, as an illustration of why we need to think this through before doing anything hasty:

Social networking sites don't collect the type of personal data big-time hackers crave -- social security numbers, credit-card numbers, and bank account data. But they could be used to stage an attack on that data.

Something to bear in mind when reading alerts from sources such as SANS is that many vendors not only have a motive for a certain amount of fear-mongering, but may be owned or at least unduly influenced by the Evil Giant; see for example http://www.linux.com/articles/54886 from linux.com. Similarly, techie newletters and even major media sources often turn out to have surprising ownership, which may cast doubt on the impartiality of their reporting. And those of you who have played with [http://wikiscanner.virgil.gr/]Wikiscanner[/url] will know that numerous BBC staffers have been caught slanting Wikipedia articles related to the BBC (or to colleagues).

Just to keep it all in perspective, here's some further food for thought from the Register. :uhh:

 

[Greg Bernhardt]

At this time there is not a function to give HH attachment approval rights. Whether we develop something is an idea I'll explore when I get back in town next week.

 

[ehrenfest]

PF moderators have no way of knowing how careful even a long-time poster is regarding computer security! I for one strongly urge PF to continue to insist on individually moderating images and other attachments, including scanning them for possible malware. This is very important!

Please recall that many popular "social networking" websites, including MySpace, LinkedIn, Facebook, Friendster, and Wikipedia, have experienced problems with phishers uploading dangerous malware which seriously affected at least some visitors. To mention only one item from a long long list of possible unintended consequences of the proposed change.

Decisions which affect security always involve a tradeoff between convenience, practicality, and security. IMO, security should remain a primary consideration for the maintainers of PF, particularly given evidence of the changing nature of criminal activity on the web which seems to indicate a trend toward targeting social networking sites.

(Since this discussion affords me a rare chance to say something nice about WP, I note that one reason why so few security problems with WP, e.g. compromise of non-public portions of the internal database, have hit the news is that Brion Vibber has been much careful about security than some other networking website admins have been. Another reason, less happy, is that even computer literature commentators generally seem to be badly confused by the complexity of WP's social and software structure.)

If PF should seriously consider changing its policy by allowing users to upload anything which could cause unprotected browsers to execute unexamined code, please announce the change well in advance and give concerned users the option of not only not revisiting PF, but of having their information wiped from the internal database before the change is implemented!

Excuse my ignorance about computer science, but I did not think that image-uploading was in any way a security issue in the sense that downloading an image could actually cause harm to your computer. I thought the main issue was with people uploading pornographic or otherwise explicit images, which is certainly a problem but is not really a threat to your operating system. If I understand your post correctly, then you are saying that merely downloading an image in a standard format such as jpg or bmp can damage my computer somehow. I was not aware of that, but again this is probably just ignorance.