Forums  /  The Site  /  Feedback thread
  ShikenNuggets

@MyLittleWalrus 2FA is being seriously considered by site staff, but implementing it takes quite a lot of work so it would likely be a while before it would be ready. They're considering other short-term alternatives to prevent the leaderboard vandalism as well.

@crash do you actually have anything to add here or are you just taking a cheap shot because you think it makes you look clever or something

Quivico and Imaproshaman like this.
  Liv

It would be easy to prevent accounts being compromised if users didn't revert back to slight alterations of passwords that are confirmed compromised.

And yeah, some did...

The site would benefit greatly from 2FA, but it's bizarre why people knowingly swap back to passwords that are pasted in plaintext on the internet somewhere. In cases where 2FA is applied, 2FA is then basically the only security for these accounts because they're knowingly using a password that anyone can see.

 
  crash

when your site has had several security breaches in the past year alone and lacks numerous features that are 100% standard on nearly all websites, some of which have been promised for literal years at this point™. when plenty of people within this community are plenty aware of how poorly managed this site is and the people who run it

nah keep blaming your user base while never actually fixing any of the major problems with this site

enINFAMOUSvy and 30Cents like this.
  ShikenNuggets

Yeah... whatever dude. Try creating and maintaining a website with hundreds of thousands of users, massive data sets, a gigantic and constantly growing list of widely varying (and often conflicting) requirements, all with like 2 volunteer developers working on it in their spare time, then come whine about how the site is "poorly managed" and "lacks numerous features".

I understand being frustrated with the slow progress of development, but being snarky and belligerent anytime there's a snag is uncalled for and doesn't help or solve anything.

 
  Liv

There have been no security breaches.

A security breach would imply the database has been breached. It never has. Users using bad passwords does not mean the site was breached. It is the user's fault when they freely admit to me they changed back to a compromised password despite being told it was compromised the last time this happened. Not doing that is blatant common sense.

We've been discussing 2FA, and hopefully it will be implemented fairly soon. People will probably be pissed but it's my belief that at this point it should be mandatory for all game mods, because it's obvious passwords alone simply are not going to work when people are willingly changing back to passwords we've already told them are on the web for anyone to see and utilize.

(And I don't control what features are and aren't implemented, as well as the timespan because it's not my job to program for this site, nor is that part of my role, so I can't really help in hurrying these features along, but they take time)

Quivico, Habreno and ShikenNuggets like this.
  crash

here, i've calmed down a bit and i understand that things like 'security breach' aren't exactly the best terms to be using in this scenario

but isn't it at least kinda fucked that every other month some leaderboard gets hijacked and people just have to assume that they need to change their passwords again? yes i know reusing passwords is bad and that doesn't stop people from doing it, but telling people to change their passwords isn't a security measure, and there's no excuse to not have any with a site as big as this, especially when there's some major case happening this frequently. it would be nice to know for certain whether or not my account has actually been compromised or at potential risk, rather than just having to assume the worst. people want actual change. they want to see these features implemented. not even more empty promises from a site that has already been the subject of plenty of controversies in the past regarding how it's run. it's really not a secret at this point that speedrunners have been growing more sick and distrusting of this site. shifting the heat onto the user base and using the "you do it yourself" excuse isn't a very good look, and shows absolutely no sign that you're interested in actually fixing the issues with this site.

30Cents likes this.
  Dangerless

@crash

"but isn't it at least kinda fucked that every other month some leaderboard gets hijacked and people just have to assume that they need to change their passwords again?"

Isn't it kinda fucked that people reuse the same passwords or simply add a single digit to the end of their old passwords? People should be taking care of their accounts on any website, how hard is it to update your passwords on a regular basis this is 2019 and you are going to tell me people are too illiterate about security even at the most basic level? Has it gotten to that point where people just don't care enough about themselves...to take care of themselves by just updating their passwords again, on a regular basis? Just for something as simple as this? People literally have actually told us they have either reused passwords or "changed/added a single digit" to the old one.

Any service/website is going to tell you to always update your passwords. If there was an actual security breach what makes you think some idiot would be wasting his time with user accounts when he could have total control over the site by acquiring one of the admins accounts?

Again, you don't seem to be reading, us Fmods cannot add these features but it's something we absolutely want added even Volvagia wants 2FA added but damn dude it's still just two people trying to get stuff done. Of course we see what people want, people want a lot of things on this site and I agree that sometimes they are just far and in between. I swear there was a thread on here talking about 2FA, a lot of people weren't sure how they wanted it done but it seemed that it is something they want as well.

We don't care about the damn controversies, people are going to say shit and whatever they want and we aren't going to be able to change their minds most of the time, we aren't telling people to "you do it yourself" either, there is interest in fixing things but again you literally disregarded most if not half of what @Liv just posted.

We are in agreement when it comes about that we want further improvement with security related situations/issues, there is no debate.

Edit: From Pac - "Just a note that we're treating MFA as an immediate priority and it's currently being implemented. It will be up and running in the next couple of days."

Quivico and Habreno like this.
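Added example, not part of any post in this thread and not speedrun.com's code: a password-change check that refuses the two patterns described in the posts above, going back to a password already known to be exposed and adding or changing a digit on the end of it. The `EXPOSED` list, the function names and the two-edit threshold are assumptions made for illustration.

```python
import re

# Constructed sample data: passwords already known to be exposed for one account.
EXPOSED = ["Sunshine2018", "speedrun!"]


def canonical(pw: str) -> str:
    """Case-fold and drop trailing digits/punctuation (the usual 'rotation' suffix)."""
    return re.sub(r"[\d\W_]+$", "", pw.casefold())


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance using two rows of the dynamic-programming table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # delete from a
                           cur[j - 1] + 1,             # insert into a
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def rejection_reason(candidate: str, exposed=EXPOSED, max_edits: int = 2):
    """Return why the new password must be refused, or None if it is acceptable."""
    for old in exposed:
        if candidate == old:
            return "exact reuse"
        base = canonical(candidate)
        # An empty base (all-digit password) carries no stem to compare.
        if base and base == canonical(old):
            return "same stem, changed suffix or casing"
        if edit_distance(candidate, old) <= max_edits:
            return "near variant"
    return None


if __name__ == "__main__":
    for pw in ["Sunshine2018", "Sunshine2019", "Sunshlne2018",
               "correct horse battery staple"]:
        print(repr(pw), "->", rejection_reason(pw))
```
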
  Treya

On an unrelated note, here's some quality of life improvement ideas for marathons on speedrun.com;

Auto-synchronization between horaro and speedrun.com - virtually nobody uses the latter for putting up schedules, it's not convenient to update on two websites at once.

Notifications if a game you followed gets accepted into a marathon.

Past and upcoming marathons a user has taken/is taking part in. Can also be manually added if the user so wishes.

If a marathon is currently running, it is temporarily kept to the top of the marathon forums and categorized as so. Let's also say if the schedule was auto-synchronized with horaro or on speedrun.com itself, no additional input is needed on the organiser's end.

Below currently running marathons would be Upcoming as middle and Past as a bottom category. This would help clean it up a lot and combat necroposting.

When submitting a game, let players submit subdefinitions of main categories without the need to type them. It's all fine if it's just Any% with no other specification, but some have ones like certain characters and different rulesets.

Quivico and ShikenNuggets like this.
  Oxknifer

It would be really nice if speedrun.com was open-sourced and recoded from ground up without using PHP.

Instead of having users apply to be developers, the code base should be open to view and submit pull requests to. This would accelerate development and invite a culture of open feedback.

 
  CriscoWild

I love the idea of a culture of open feedback. Unfortunately that, like the MMLB/SR API sync, is still in development. As recently as a few hours ago, a guy got his post deleted when he expressed some concern over inactive moderators of a particular leaderboard. You hate to see it.

 
  Oxknifer

In the audit log, it would be great if we could see more information about the run such as:
- Category
- Time
- Platform
- Other variables

Currently these show up as numbers. "Cat" and "Values" here aren't very helpful for identifying which run is which.

{
    "cat": 96675,
    "level": null,
    "video": "https:\/\/www.youtube.com\/watch?v=urEIEBNMnws&feature=youtu.be",
    "comment": "Don't know exact time.",
    "players": [
        "Buckeye"
    ],
    "values": {
        "10561": 35881,
        "35441": 119685,
        "35508": 119929
    }
}

Imaproshaman and dha like this.
  Oxknifer

Being able to export the audit log would also be a great feature

Imaproshaman likes this.
  Pizzayumyum

Runs which tie a current world record shouldn't notify every follower of that game with "X WR has been beaten by Y with a time of Z". It should say, "X WR has been tied by Y with a time of Z". Just a little nitpick heh.

MangoMan, ShikenNuggets and 2 others like this.
  Uniwersal

I got a friend invite from a scammer who messaged me on discord, trying to get my personal information. The only place where I've had to link my discord is speedrun.com which already gets bots regularly. Since people have to put out ways for other people to contact them due to the lack of internal messaging system on speedrun.com, I doubt this will be the last time it happens.

In some distant future when the messaging system is operational, I hope we can finally remove the tags for our personal accounts about our other social media sites. The game moderators already need to have email verification, so a replacement method to contact a mod could be to give them a personal message and if they haven't been online for, let's say, 10 days or so, the message would pop up as a notification in their email box.

There's people who are more susceptible to scamming than others and as a result of this incident, I'd like to ask for personal messages to become a bigger priority in the "to do list" than it has been so far.

 
  ShikenNuggets

I really don't think moving all speedrunning-related contact here would solve that problem. You're gonna get weird scam messages no matter what, whether it's on Discord, or Twitter, or emails, or here on speedrun.com (you've mentioned the somewhat ridiculous number of bots in the forums here, that would almost certainly translate into scam messages if/when the messaging system is introduced). That's just a harsh reality of being online and having any open lines of communication.

In any case, I suspect we won't be removing the social media requirement for moderators at any point, even if/when messaging becomes a thing.

For what it's worth, I've been a mod on several games, been very active in the forums, and had all sorts of contact info listed on my profile for over 2 years, and I've only ever gotten 2 sketchy DMs on anything (both of which were quite blatant, probably bots, and blocked instantly).

 
  Uniwersal

Sure, I realize there will always be the issue of bots, scammers etc. I'd just prefer the issue to stay here rather than have scammers use this as a hub to invade other social media sites where I might socialize with my closest friends and family members.

A little side note: bots might be easier to detect, scammers a little less so. It might be blatant for you but it doesn't translate to everyone. Removing the over-reliance on other social media sites could mitigate some of the damage. It protects people's privacy a little better.

I won't pursue this issue any longer, just wanted to make my concerns heard.

 
  ShikenNuggets

I don't know, I really don't see how having scammers here instead of having them there would be any sort of improvement. You're still looking at the messages (I hope) so you're not avoiding them in any way (if anything you're gonna get even more nonsense), and it's not like you'll suddenly stop getting scam messages elsewhere if you remove it from your profile here. It happens everywhere, all the time, this isn't a speedrun.com specific issue in any way.

There's plenty of reasons to want the messaging system, but this just doesn't seem like one of them.

Originally posted by Uniwersal: "It might be blatant for you but it doesn't translate to everyone"

I understand this concern, but the answer is "learn to spot scammers", not "use a different messaging system that won't protect you from this problem in any way".

 
  Liv

Have to consider when the messaging system (eventually) does go live, I fully expect the bots to start using it to personally message users. That's one thing that has to be considered in any kind of PM system, which is abuse of that PM system. You're never going to be free of people doing this stuff, the best thing for users to do is just never hand personal information to anyone over the internet ever. It doesn't matter whether they're an internet friend / streamer or anything really.

Imaproshaman and ShikenNuggets like this.
  Uniwersal

I believe you both missed my core issue with this. I know that there will always be bots and stuff. My point was that this is the only site where I have to reveal personal info to the public. It's something that scammers seek, a hub for free contacts on random people, allowing them to contact people on social media sites where they normally wouldn't be able to. Discord, facebook, steam and some others being the obvious ones. I'd prefer these scammers/bots not to flow to my other communication devices just because of speedrun.com.

I don't expect any action to be taken from this. Just wanted to spread awareness to moderators of the site that these things do happen on a more frequent basis than they are reported and it is an issue that is most likely to grow as the site gains popularity. Being a moderator of a game is currently equivalent to giving your phone number and all your contact info to an advertising company.

The recent email verification for moderators was a great addition for the site's security. I just wish that user security and user privacy would be taken a look at as well as the site continues to grow.

 
  Liv

Even with the PM system, I can't myself reasonably imagine the contact method requirement will go away for moderators.

A core issue with contacting moderators is that if they're inactive, the PM system isn't really going to help at all because they aren't going to be able to see PMs if they're not using the site. So, that then leaves us in a predicament where it'd simply be impossible for us to get in contact with people besides simply hoping they do happen to come online at some point and see the PMs. On the other hand, if I'm able to find some avenue to personally contact them via their profile/name/runs to take my attempted contact further, then that removes the entire point of even allowing zero contacts because of this issue.

Personally, I would love to hear how many users have had this happen to them, as I've used the site for almost 5 years and have never specifically heard of this being a frequent occurrence at all.