Date: 2024-11-14
JayPettryMMA
Danger Zone Aficionado
Staff member
Forum Administrator
- Joined: Mar 13, 2011
- Messages: 42,006
- Reaction score: 24,279
So you've heard or seen a lot about the sudden shutdown on the forum in the middle of UFC Fight Night Magny vs. Prates, and the unexpected implementation of Two Step Verification, also known as Two Factor Authentication ("2FA"). We in the booth did not have a lot we could say at the time, given we were in the middle of a security review. Even when we enabled two-step and set the banner--a banner that you can only see if you do not have 2FA currently enabled for your account, which should explain why some of you do not see it--we were unable to go into detail. Now that the dust has settled, we can issue a statement.
We the staff of the forum, along with the tech team that works for Evolve (our parent company) and the hosting apparatus for the forum itself, Xenforo, conducted a review of our security measures into issues we have been encountering behind the scenes. Nothing major, no DDoS attack or ransomware or "the Russians" or anything else speculated thus far. What we can say is that we had a concern about account security, one that did not stem from our own servers but rather from data breaches offsite and bad actors making their way here. Why did you not know about it? We had handled the current situation, but more permanent measures were taken by our Tech team to prevent future issues.
When our tech team or Xenforo suggest or provide a fix, we implement it, period. This is why I initially explained that when Xenforo strongly recommended we set up 2FA, it was not even a question for us. Account security trumps all other concerns. We don't know what Xenforo recommends or doesn't recommend for other sites, as that doesn't pertain to us.
We understand that it's a slight annoyance, and one that you might be surprised is needed for a karate forum given that your online banking doesn't force you to use that to log in, etc. We put together a list of frequently asked questions below, and if you have others that we missed on this topic, please ask. I want to thank the forum staff for being patient and helpful as always as this even caught them off-guard. The mods and admins are good people and tirelessly work for the betterment of Sherdog. I also want to thank you, the Sherdogger, for reading this.
Q&A
Q: Why did it take so long to say something?
A: We needed to complete our review of our security tweaks and fixes. We didn't want to have to issue a statement and then have to come back a few days later with changes, updates or corrections. We didn't want to tell you anything untrue, and didn't have a lot at our disposal at the time.
Q: Why did the forum need to go down?
A: The security changes were done deep within the system, affecting all usergroups, and we had to make sure that the protections were fully functional before re-launching. It's not the kind of thing you tinker with while PBP threads are rolling, etc. We take account issues seriously here, and put a halt to them immediately by shutting down the forum temporarily. We are sorry for the inconvenience, and hope you were able to enjoy the masterful play-by-play going on at the same time. As soon as we could go live on Monday, we did.
Q: Why 2FA?
A: There are only so many tools at our disposal internally, and it was recommended that this was the best course of action to protect all accounts at once. We have done some other fixes as well, including anti-spam and user registration measures. One positive side effect of 2FA is that the few bots we do have these days--which, by the way, are substantially fewer than we used to have in the past--should dwindle down to a very tiny amount at most.
Q: Will you be deleting or changing accounts?
A: No. When the week window elapses, all users that do not currently have 2FA enabled will be required to set it up from the login screen. It should be self-explanatory, but we can provide some instructions. The only change that might be made is if you registered with an email address that you can't access anymore.
Q: How do you set this up?
A: Go to this link. The top option on the page is Two-step verification, which all accounts need to enable. You should not have to change your password, although we always recommend users secure their accounts with individual-use passwords they do not share with other accounts elsewhere. What you will do is confirm your email address, and that email will receive a short confirmation code every 30 days that you plug in when logging into Sherdog. It is an extra step, a nuisance to some, but worth it in the long run for protecting accounts. It takes under a minute, I promise. I've been doing it since the migration. You can also use an authenticator app, where you scan a QR code, and again that should be simple and have instructions on the page when you set it.
Q: What happens if I'm using an email address that I no longer have access to?
A: Contact me directly by private message and let me know the email you would like registered to your account going forward. I will be glad to change it for you so that you can set this up.
Q: What if I don't want to do this?
A: Unfortunately, as it takes effect next week, the only way to access the forum will be with your account enabling 2FA. It should only ask you the additional confirmation code prompt once every 30 days, and if it asks you every time you come on SD, we suggest you clear your cache/cookies. Please, please don't throw your account away over this minor new feature on the forum. We understand that change can be off-putting and that this is an extra hurdle for a karate forum, but it is out of our hands. If you need, we can give you an extra reason to stick around...
Q: What would that be?
A:
Q: Is that what I think it is?
A: Yep. They've been a long time coming. Phrasing.
Q: TLDR?
A: Go here, set up your email to get a confirmation code, enter it when logging in. If that email address is no longer available, reach out to me privately and I'll update it for you.