Date   

Re: serious security issue #login

Marv Waschke
 

Peter-- You are right. This is a serious security compromise for convenience. Groups.io, like most consumer applications, is not highly secure. If it were, it would not be used by most of the people who use it now. When someone forgets the password to an account and is sent a link to reset their password, they engage in an insecure transaction. In a high security environment, they would undergo a lengthy in person interview, have their fingerprints taken, their retina scanned, and a DNA swab analyzed before getting a new password. If they lost their password, they would have to repeat the process and there would be a fair chance they would be permanently denied access for their carelessness. If a product like Groups.io were set up in that manner, who would use it? We make compromises for convenience. This is one of them and a common one.

In this case, users rely on the security of their email account. Many consumer applications and services also rely on email account security. It never hurts to remind folks to keep their email accounts secure and never forward emails that contain links that are signs of authentication, like links to password resets or entrance to Zoom meetings.
Best, Marv


Re: Annual recurring Calendar event

Andy Wedge
 

On Sun, May 17, 2020 at 08:51 PM, Cal wrote:
On the Calendar, how do I set up a recurring annual event, like a holiday, that occurs on the nth Monday of a particular month? 
You can define a monthly event that repeats every 12 months by day of week.

Andy


Re: Members vs directory

Duane
 

On Sun, May 17, 2020 at 09:04 PM, K Ruffing wrote:
Most people entered their display name (or maybe their email host automatically did so
When someone is new to GIO, their first message should set their Display Name based on what they've set up in their email program/client.  They can always go back and change it for a specific group themselves.

Duane
--
The official Groups.io user documentation is in the Groups.io Help Center.
GMF's Unofficial Help Wiki: https://groups.io/g/GroupManagersForum/wiki


Re: Message missing from digest

Duane
 

On Sun, May 17, 2020 at 08:17 PM, ro-esp wrote:
it seems rather odd that one could opt-out for special messages
You can't opt out of Special, regardless of any settings you make for email delivery.

Duane
--
The official Groups.io user documentation is in the Groups.io Help Center.
GMF's Unofficial Help Wiki: https://groups.io/g/GroupManagersForum/wiki


Re: Members vs directory

K Ruffing
 

Thanks, Duane.

Most people entered their display name (or maybe their email host automatically did so, by default) as "first last" (not "last, first").  As group owner, I standardized the few exceptions.  The alternative was to change a few hundred entries.  Not gonna do that, government experience or not.


Re: Message missing from digest

ro-esp
 

On Mon, May 18, 2020 at 12:50 AM, Shal Farley wrote:


Bill,

> ... but it was not included in the Full Digest.

I don't know if this relates to your observation, but keep in mind that
there is no "the" Full Digest - the digest sent to each member is built
based on each member's mute and follow choices in addition their
subscription settings. Same for plain-text digest.

So the message may have been excluded from the digest you observed due
to the specifics relating to the email address it was sent to.
err...yeah, but it seems rather odd that one could opt-out for special messages..it would defeat the purpose, wouldn't it?

groetjes/ĝis, Ronaldo


Re: Members vs directory

 

K,

This just seems like such a simple option to add.
One of the challenges to implementing it is identifying the member's last name.

The site doesn't store separate first name, last name fields. It has a single Display Name field. Different members might put anything there, including nicknames.

Farley, Shal
Shal Farley
Shal W. Farley (with or without the period)
Shal
S. Farley
Shal "shaggy" Farley (appropriate only during safer-at-home)

Those are just a few of the more common variations. Add titles, honorifics, and other name decorations and you have quite a broad range of possibilities to parse. I'm saying that it is an impossible task, maybe there's even a regex that would give a 99% valid result. But I wouldn't call it simple.

It wouldn't work right if a group allows members to sign up
anonymously (no username, or a nickname or pseudonym), but I don't;
it's one of my little prerogatives as listowner.
Hence Duane's suggestion that you enforce a last-name first format with your members.

There's a different suggestion that might work for you, and be more generally useful. There's a suggestion to allow a group to add fields to the Members list. You could add a Last Name field. It might take another suggestion to get that capability added to the Directory as well.
https://beta.groups.io/g/main/topic/72854840

From that topic I favor Duane's suggestion of making the fields configurable by the group (in terms of what they're called / used for).

Shal


--
Help: https://groups.io/helpcenter
More Help: https://groups.io/g/GroupManagersForum/wiki
Even More Help: Search button at the top of Messages list


Re: Groups.io site updates #changelog

 

Bruce,

Gotta admit, I'm struggling to understand what Mark meant by "marking
a non-message."
Heh, I read right through that without noticing. I think that's likely to be an editing error, where he meant to say either "a message" or "a non-spam message".

Does he mean a message that had previously been deleted from the
message archive?
I guess that's a plausible interpretation, but it seems like an odd way to phrase that idea.

Shal


--
Help: https://groups.io/helpcenter
More Help: https://groups.io/g/GroupManagersForum/wiki
Even More Help: Search button at the top of Messages list


Re: Message missing from digest

 

Bill,

... but it was not included in the Full Digest.
I don't know if this relates to your observation, but keep in mind that there is no "the" Full Digest - the digest sent to each member is built based on each member's mute and follow choices in addition their subscription settings. Same for plain-text digest.

So the message may have been excluded from the digest you observed due to the specifics relating to the email address it was sent to.

Shal


--
Help: https://groups.io/helpcenter
More Help: https://groups.io/g/GroupManagersForum/wiki
Even More Help: Search button at the top of Messages list


Re: Members vs directory

Duane
 

On Sun, May 17, 2020 at 04:13 PM, K Ruffing wrote:
I would really, really value an option to sort the member list and directory by last name.
You have to make suggestions on the beta group.  No one from GIO monitors this group.

Why not just put the display names in as last, first?  Anyone familiar with government operations should be used to that ;>)

Duane
--
The official Groups.io user documentation is in the Groups.io Help Center.
GMF's Unofficial Help Wiki: https://groups.io/g/GroupManagersForum/wiki


Re: Members vs directory

K Ruffing
 

Resurrecting an old thread...

I would really, really value an option to sort the member list and directory by last name.

Currently it's alpha by first name (from, e.g., Aaron Zipp to Zelda Aardvark) when the reverse (Aardvark to Zipp) would be much more useful.

My little group, the alumni of a close-knit government agency, doesn't have any real method of outreach except word-of-mouth and word-of-keyboard.  (The agency, understandably, doesn't publicize our existence.)  So I often try to rally our members to hunt for "missing alumni" and contact them, or provide me with the info, so I can invite them to join.  But people get tired of paging through a multi-page directory that's alphabetized by first name.  Heck, I know that I do.

Sure, suggesting that we download the directory in CSV form and re-sort by lastname works, but it's an extra step that's not reasonable for rank-and-file members.

This just seems like such a simple option to add.  It wouldn't work right if a group allows members to sign up anonymously (no username, or a nickname or pseudonym), but I don't; it's one of my little prerogatives as listowner.





Annual recurring Calendar event

Cal
 

On the Calendar, how do I set up a recurring annual event, like a holiday, that occurs on the nth Monday of a particular month?  (Labor Day, MLK Day, and Thanksgrieving come to mind.)  This works for a monthly event, but not an annual event, which only wants to keep it on the same date every year (like Xmas, New Year's, July Fourth).  Kindly enlighten.


Re: Message missing from digest

Andy Wedge
 

On Sun, May 17, 2020 at 03:29 PM, Bruce Bowman wrote:
Special Notices are always sent as individual emails. Having already been sent, they are not included in any subsequent digest.
That was my initial understanding too but special messages sent on my group also appear in the Full Digest.

Andy


Re: serious security issue #login

Duane
 

On Sun, May 17, 2020 at 10:11 AM, Peter Cook wrote:
Are you saying this link is also used for users who have not yet established one?
The procedure can be used by any member at any time.  Some use it for convenience, especially when they have a strong password and multiple devices.  As long as you visit the site at least once every 30 days, the cookie on a device is updated so you won't need to log in again.  You could even enter someone else's email address, but the email would go to that address, so it wouldn't allow you in unless you had control of their email.

Duane
--
The official Groups.io user documentation is in the Groups.io Help Center.
GMF's Unofficial Help Wiki: https://groups.io/g/GroupManagersForum/wiki


Re: serious security issue #login

Bruce Bowman
 

On Sun, May 17, 2020 at 11:11 AM, Peter Cook wrote:
Are you saying this link is also used for users who have not yet established one?
That's correct...or have forgotten it.

Regards,
Bruce

Check out the new groups.io Help Center and groups.io Owners Manual


Re: serious security issue #login

Peter Cook
 

On Sun, May 17, 2020 at 11:06 AM, Bruce Bowman wrote:
If the "email me a link" function were disabled, there would be no means to perform an initial login, and therefore no way to establish a password.
This account already had a password. Are you saying this link is also used for users who have not yet established one?


Re: serious security issue #login

Andy Wedge
 

On Sun, May 17, 2020 at 03:57 PM, Peter Cook wrote:
When I clicked on this link, I was immediately logged into her account without being asked for her password. Does anyone besides me see this as a serious security breach? Wouldn't it make sense that someone clicking on this would be required to enter a password?
If you look at the member's manual you will see that logging in by having a link emailed to you is perfectly legit and the way the system is designed to work. The link is personalised for the intended recipient so the security issue is really the fact that your member shared it with you - they effectively gave you the password to enable you to login to their account.

Andy


Re: serious security issue #login

Bruce Bowman
 

On Sun, May 17, 2020 at 10:57 AM, Peter Cook wrote:
In response to replying to a group post, one of my members received this. (I've x-ed out the last part for security reasons.)
Peter -- This looks like the normal "email me a link to log in" message, sent when you click the corresponding button on the login page.

Here's the problem. When I clicked on this link, I was immediately logged into her account without being asked for her password.
Yes, clicking the login link does log you in to the referenced account. Account security comes from having access to the email account where the link was sent. If you cannot access that email address, you cannot use the login link.

That's why people shouldn't be forwarding them, any more than they should be sharing their social security number or credit card credentials.

Does anyone besides me see this as a serious security breach? Wouldn't it make sense that someone clicking on this would be required to enter a password?
If the "email me a link" function were disabled, there would be no means to perform an initial login, and therefore no way to establish a password.
 
Regards,
Bruce

Check out the new groups.io Help Center and groups.io Owners Manual


serious security issue #login

Peter Cook
 

In response to replying to a group post, one of my members received this. (I've x-ed out the last part for security reasons.)

===============================

Hello,

Here is a link to log into your Groups.io account:

https://woodmoor.groups.io/loginlink/xxxxxxxxxxxxxxxxx

It will expire in 24 hours, on 05/17/2020 at 10:26am EDT,
but you'll stay logged in for 30 days, unless and until you log out.

If you did not ask for a login link to be sent to you, please ignore this email.

Cheers,
The Groups.io Team

===============================

Here's the problem. When I clicked on this link, I was immediately logged into her account without being asked for her password. Does anyone besides me see this as a serious security breach? Wouldn't it make sense that someone clicking on this would be required to enter a password?

Pete


Re: Message missing from digest

Bruce Bowman
 

On Sun, May 17, 2020 at 10:25 AM, D.W. Tighe wrote:
We just had a case where a message came out successfully to everyone subscribed to Individual distribution, but it was not included in the Full Digest.
Bill -- Did the message have [Special] in the subject line?

Special Notices are always sent as individual emails. Having already been sent, they are not included in any subsequent digest.
 
Regards,
Bruce

Check out the new groups.io Help Center and groups.io Owners Manual

6941 - 6960 of 38701