Regular readers will have noticed that we’ve been offline for several days. As you can see, during that time, we’ve made some major changes to the site, and though the design has changed substantially, we’ve made even more dramatic changes in the back-end. We are now running our 6th major iteration of OSNews. It all was precipitated by messages from readers we’ve received over the past few weeks alerting us that they’ve been getting spam, phishing attempts, and some weak-sauce cyber-extortion emails at addresses that were unique to their OSNews accounts. Read on for more.
It certainly seems like we’ve had a breach. Our best guess is that someone was able to exploit a vulnerability in old, unmaintained code in the site’s content management system, and made off with at least some user data, which may be as little as a few user records or, at worst, our entire database. Your email addresses were in there, and the encryption on the passwords wasn’t up to modern standards (unsalted SHA1). The truth is that once we concluded it was likely that we were breached, our small volunteer team decided it was better to go offline than it was to learn the avenue of exploit, given that we had no interest in continuing to rely on the aged codebase.
Other than potential spam, though, we’re not aware of any other nefarious use of your data, we don’t store much beyond email addresses and passwords, but nonetheless, we’ve very sorry that we weren’t more diligent over the years with keeping in lockstep with best practices with respect to site security.
Upgrading the site has been long overdue. In fact, we’d made a serious attempt at discontinuing the old CMS a few years ago, and a few years before that, and it got bogged down both times by the fact that we depend on volunteer help and we all have real lives. The OSNews system is old. The last meaningful update to the codebase was in 2008, with much of the logic based on the 2005 “version 3” rewrite of OSNews. File modification times of 2014 or older were almost always small tweaks or bug fixes. The site was largely written for PHP 4 and it never had a proper maintenance plan. We’ve now migrated the site to WordPress. For all its faults, WP is at least a known quantity. Many thanks to Adam Scheinberg for spending so many hours over his winter break migrating the data from the old CMS to WordPress.
To be perfectly honest, when contemplating what needed to be done to properly move the site to a new platform, I considered just throwing in the towel and going offline permanently. Revenues from advertising don’t cover expenses, and though this could probably be rectified by exploring more creative sponsorship approaches, I don’t have the time. I’m currently trying to get a startup off the ground. I love being a part of this community, and I’m willing to continue to invest in it, but I only want to keep it going if it’s going to remain vibrant and meaningful.
In order to keep your history from the old site, and to make that re-association process as painless as possible, we’ve written a very simple account migration tool. The tool checks your login against a very stripped down version of our old user table and then re-encrypts your password. When you login to the new OSNews site, your password will be encrypted using a modern secure algorithm, which is currently PHP’s password_hash function, which uses Blowfish or Extended DES and can change over time so we don’t repeat any past mistakes.
I’d like to conclude this update with a cry for help. The only way to achieve this dream of vibrancy and meaningfulness is with your help. One of the advantages of the new platform is that it will make it easier for us to include new contributors and do experiments. What can you do?
- Read and comment every day
- Submit news
- Share interesting stuff on the site with your friends
- Write an original article
- Suggest someone interesting for us to interview, and recommend some questions we can ask
- Suggest new topics you think we should cover with more regularity
- Volunteer to be an editor and post news everyday
- Help us with ideas on how we can make money. (sponsorships, ads, partnerships, whatever)
- Need a part time job? I’ll hire you to promote the site and manage our sponsorship and advertising relationships.
I would suggest creating a Patreon page.
Agreed, it would be far better than the old, and hard to find, membership system that was there before
Patreon is definitely something that’s one the table. Any suggestions for possible Patreon perks and rewards are welcome!
I spent 12€ a month for technical magazines, so will add another 4€ for OSNews, just start on Patreon and post the link ….
I’ve been coming back for longer than I am willing to admit :p. I’ll support keeping this community alive.
Yeah I’d patreon for this site. The only project on there I would support.
I’d contribute $1 just for the Karma.
The Ars Technica Yubikey promotion was a big part of the reason I subscribed. But I don’t think you have enough content to same pricing as Ars.
If you set up a Patreon, it’ll be the first Patreon thing I’ve signed up for.
Since time is a concern, I recommend just starting up a Patreon and then consider the rewards later on. Just to start with it’s an extremely fast way to give us all an opportunity to donate.
Personally, I’d rather a direct subscription than going through Patreon. Patron is a publication / funding tool and its cut of the proceeds reflects that. As OSNews publishes itself something like Amazon Pay, PayPal, or another payment service that can handle subscriptions might be a better fit.
I’d be happy with PayPal or Amazon. Patreon’s new fee structure is identical to PayPals.
I suggested Patreon because it provides a better interface with less effort.
A platform that aims for outlets more similar to osnews would be https://steadyhq.com/en. Don’t know much about it except that I looked into such platforms myself recently.
I find this site incredibly useful to keep on on things. I’d be willing to do a one time donation with paypal, amazon or similar once a year.
All Payment platforms take a cut. It’s just a matter of how much that cut is.
Patreon has a number of issues around inconsistent policies and dubious corporate practices right now. It’s being boycotted by a lot of people.
I’d seriously consider contributing more directly though.
Well, it’s only now and again that you can visit a site you visited in the early 2000’s and rose from the ashes of BeNews.com. So… Awesome!
I’m not a visitor after the BeOS days but I check in often.
Thank you for all your hard word
Ha, now I understand why I was getting all those lame extortion emails to a barely used email address. Thanks for letting us know and for all the hard work migrating to the new platform.
Any way to contribute monetarily would be good.
What’s with the low contrast gray text? That’s never a good idea, especially for us old geezers. Please, give us black on white so these old eyes can read it. Thanks.
Agree with that. It´s pretty difficult to read now this site. It would be nice to have the previous font color scheme, please.
*hmm* I do have black text on white background … but I think the font size is to large (I scale down to 80%).
Ah, BTW I did disable Windows font aliasing, maybe that’s the reason …
I kinda like the new look. LOL
Personally, I like dark web pages, but as I didn’t want to complain about the designer’s choices, I simply changed everything quickly using Stylebot.
Thanks for the update. Do agree about the Patreon suggestion.
I like the new design well enough.
Except for the big OSNews bar at the top that doesn’t scroll off the screen. I hate it. It takes up a lot of vertical real estate.
I know what site I’m on. It isn’t difficult to scroll to the top if I need a link to the homepage, especially when there’s a static button at the lower-right that does exactly that.
Also, I’m not sure if the account migration tool worked? I put in my info, got only blank page, and ended up resetting my password so I could log in and say how much I hate that black bar.
That said. cheers! Thank you for all your hard work!
Drumhellar,
I had the same issue and thought maybe it was just me. However the password reset email worked for me too.
Same here. I also second the *navbar* sentiment.
It would also be really nice to get comment voting back, but I’ll take the site as is over it being shut down any day! Thank you.
Double this.
We’ll be trying to figure out the best way to handle things like comment voting in the coming weeks.
Comment voting is one of the worst ideas on the internet. It promotes most popular opinions while hiding unpopular ones, thus contributing to massive “bubbles” and “echo chambers”.
Password reset reversed the user and password twice till I realised I’d needed to use my brain.
David Adams,
WordPress sites feel so cookie-cutter-like & generic IMHO, but alas it seems to be where things are going.
To be honest, I think that’s what many of us in the web industry are seeing. In past decades there was growth, now-a-days we’re experiencing mass consolidation (ie amazon taking >50% of e-commerce pie) and it’s painful for small independent companies and the contractors who serve them. In many ways I’m in the same boat.
Not necessarily password related, but wordpress has it’s share vulnerabilities too…but at least then someone else is probably going to fix it so that you can update.
https://wpvulndb.com/
I see that many historical comments did not import properly. I assume some sort of regex was used that did not take into account the possibility of multiple quoted sections. The result is quoted sections that are rendered incorrectly.
I’m sure some of us can help if you ask!
Going forward, I guess there will be no more comment titles, however for posterity I kind of wish the old comments would be imported with titles prepended to the comment to provided context that originally existed for those comments.
The new site is [b]very[/b] slow for me. I just measured using firefox web tools and the homepage took 9937ms to load, though not consistently. Maybe it’s just search engines busy crawling the new site, or perhaps something’s wrong with a database index? As is often the case, modern CMS systems like WordPress can introduce a lot more execution overhead than the custom site that preceded it. I’d check the database for slow queries for starters. Unfortunately it might require a faster host to handle the same load at the same performance.
I don’t like the huge floating header, in part because it occupies a lot of screen space that I can’t scroll out of the way when I’m trying to read the content. Also, positioning of anchor links is broken due to the floating header (see previous link).
I know HTML isn’t the best at dealing with this, but it’s always seemed quirky to have websites just limit themselves to a fixed width regardless of the size of the window. On my computer the content is just 36% of the window. Wouldn’t this migration be a good opportunity to switch to a responsive design?
Anyways it’s just food for thought.
David we really don’t get to talk as much as I’d like, but thank you and the rest of the team for all your hard work!
Lost the ability to edit, haha…
I have to get accustomed to wordpress comment syntax.
It replaced my link with the “Fortran is still a thing” blurb above, which doesn’t illustrate the quoting problem, but essentially when there were two blockquotes in the same comment, the import erroneously treated the entire text between the first
as a single block quote rather than two separate ones.
Thanks for the update.
The current site seems very functionally minimal. No upvotes/downvotes? Is this planned to change?
Also, it’s probably just me, but I assume this means no more subscriptions?
As for wordpress, I see so many attempts to hack my website via wordpress bugs these days…the hackers out there seem to believe many WP installations are vulnerable.
We will be trying to implement some kind of voting in the near future, and coming up with something to replace our old subscription/membership model.
Ok, not bad but need improvement:
– Collapse top bar when i scroll down. It is wasting a lot of precious vertical space!
– The “User Review 0 (0 votes)” has a lot more contrast than the post content. The first time I opened OSnews i didn’t even found the post text because i was so focused in this and in the “about author” black secteions
– Same applies for the title colour and text color. The real content are the ones with less contrast!
We’ll definitely be making some refinements to the design. Good suggestions.
Good Luck!
Just a little comment: if you know that a breach possibly happened please contact affected users immediately so they are warned that their password is not safe. Some of them still possibly use one password for more sites…
I’ll be sending an email out to all of our registered users at some point to notify them.
That is great, but honestly – the sooner the better. And it’s a bit too late now. (But better late then never.)
Davids response makes me even more disappointed than the original post.
Btw: if patreon it is, I am in.
The problem I have with Patreon is that they take an extra 20%(or more) off the payment as VAT if you are in Europe even if the destination is the USA. That makes the reduction from what you pay to what the site gets is too high.
I don’t see that with PayPal.
Thank you for the hard work and use of your free time in creating and maintaining this. It’s much appreciated.
The UI feedback points I have are:
1) The massive OS News never moving title bar – if it’s was the tiny one above the huge logo that would be better if it had to remain – otherwise it consumes too much real estate.
2) The UI is too “airy”. The old UI had much more density too it so I could read a lot more on one page. I hope there are WP settings/themes that allow a denser read
3) Higher contrast as others have mentioned – black on white is better than grey on grey
I appreciate this is probably just foundational and will be tweaked over time and it’s all first world problems, so please take with a grain of salt and keep up the great work!
I do understand you were breached. I do understand you needed a new platform.
But WHY is the new design ugly as shit?
1) Very low contrast: greyish background, greyish fonts.
2) Why is there the need to use custom fonts? Is everyone visiting OSNews has a high DPI monitor? I don’t and your fonts look ugly as shit (blurry and low contrast) on my 96dpi monitor.
It would be great if you ran some sort of voting and offered several designs we could choose from.
This is WordPress. They can tweak the design as time goes on. Don’t be an entitled prick.
How am I an entitled prick when WP offers literally thousands of free themes to choose from?
If anything you’re an arrogant prick who is ready to sacrifice his eyes because … reasons.
Entitled part seems to be due how you are presenting feedback. I will try and help by quoting your feedback and offering a less entitled versions:
Old: “But WHY is the new design ugly as shit?”
New: “In many ways I prefer the old version of the website. In particular: [insert a list things that were better]”
Old: “Oh, and it’s impossible to edit one’s comments. Wow, great.”
New: “I am wondering if comment editing could be implemented.”
Old: “Also, great many fucks for leaking my email address which to this date has received zero SPAM messages. Now I presume each SPAM database will contain it. Damn.”
New: “I am frustrated and disappointed that the lack of up to date security practice has exposed my email address and thus has left me open to unwanted SPAM. Is there anything that I can do now to mitigate this risk?”
The difference is being able to output what you are thinking or feeling without being triggered and understanding that other humans are separate entities from yourself and do not have to do what you say. If you are supportive and give feedback in a no so triggered manner they may even listen!
Because you’re being a bloody drama queen. Other people have already raised the problems you raised without sounding like they owed you. I mean, really “sacrifice”?
And you claimed to “understand”, and yet not understand they threw this up at short notice. You are demanding everything work and look like they’ve spent years on this when in fact they’ve had to do this in a hurry because of a security breach.
Oh, and it’s impossible to edit one’s comments. Wow, great.
Yeah, I find that strange as the WP site I run allows this.
Comments editing has just been enabled. A five minutes grace period is a little bit too short IMO but it’s still better than nothing. Please consider increasing it to 10.
And thanks OSNews!
Also, great many fucks for leaking my email address which to this date has received zero SPAM messages. Now I presume each SPAM database will contain it. Damn.
“Also”? Judging by your other comment, you obviously have not even bothered to read the actual post at all. The breach was the driver for this quick upgrade. No wonder you think you’re entitled to a website that has a whole team of UX designers working on for years.
Are you alternatively gifted or what? At what point did I request a dedicated team of web designers to work on this website? All I asked for was a WP theme with standard fonts and enough contrast. Is that too much? Where did I sound like a drama queen? Will you please politely GTFO and stop commenting on my posts? Stop being an arrogant prick.
You didn’t “ask”. Other people asked. You ranted with question marks.
As for Patreon: I am in.
As for the switch to WP: Though there maybe was a need for a quick solution, the design is horrible.
If you have been using your password elsewhere, now would be a good time to change them.
Woa, OSNews looks almost modern now! One thing though, the greyish thin font is very badly legible on my screen. Could do with a better one.
There’s no feedback on the account migration tool, it just dumps the user to a blank page. Old password didn’t work (which is a good thing) but someone not used to WordPress sites might not catch on to just do the “forgot password” routine.
Anyway, I’m glad the site is finally on a modern and mature back end, but WordPress’ default commenting system is atrocious and outdated. I know you guys are stretched thin as it is, but are there any plans to move to a more modern and capable comment system with editing, voting, friends/foes, etc?
For love of God please change that font – it is too gray and on Retina displays too thin. It is really hard to read.
The migration tool didn’t work for me either.
I’m looking forward to seeing the page evolve into something approaching the old site and I echo the comments regarding Patreon.
Anybody who has followed the site for even a bit of its history knows how we’ve always incorporated constructive feedback and freely made modifications to site design. I spent hours of my Christmas break hunched over an iPad hacking through decade-old code to write conversion scripts and customizing WordPress to get post history, users, content, podcasts, comics, imported and handled. Ancient HTML had to be sidestepped, and crazy random shortcodes in old OSnews code had to be accounted for.
We’re happy to engage with anyone who wants to help or offer something worthwhile. I knew going in we’d never find a base theme that would make even a simple majority of users happy. That said, if you’re here just to bitch or tell us how much you think the site sucks, feel free to save yourself the trouble, we’re not going to respond to those comments. That said, specific issues shared in a productive way will be addressed readily (e.g. migration tool, which I’ll look at momentarily, font, which has already been replaced), and by the way, we massively appreciate that kind of support and feedback. Thank you!
Many of the suggestions given – such as the font colour choices – were already being discussed before going live, and we’ve got other ideas as well, such as a possible dark mode that would work well on mobile displays and dark UIs on desktop operating systems.
Suggestions are always welcome, but as always – we’re a very small team, with all coding basically resting on Adam’s shoulders, so adjust your expectations regarding just how much we can do over such a short period of time. Remember – the other technology sites you read, such as Ars or The Verge, are part of multimillion dollar platform companies with tons of investors and dozens – if not more – people on staff. We just do this in our own free time.
Thanks!
Thank you for changing the font, it was really painful to read even when zoomed pretty far in on a normal FHD monitor.
The new layout seems to be a nice upgrade on mobile devices, so, yay
Things already modified:
* Font is heavier and darker
* Floating header removed, no longer fixed to top
* Migration tool fixed (it worked on our dev box, sorry about that)
* Multifactor authentication support added
We’ll continue to tweak and improve as necessary.
Thanks a lot!
I’m curious how I can access my profile on OSNews as I can see nothing relevant anywhere.
Love the addition of the 2FA, but having issues getting the code recognized for Google Authenticator.NVM – got it; had to delete and re-add.BTW Awesome work! Thanks!
Adam Scheinberg,
Crazy though it may have been, it’s uniqueness gave it character
Are you considering fixing the import to correct the blockquote glitches I mentioned earlier or is that considered a done deal despite the errors? I’ll offer my help with that if you want.
I don’t know how much any of this can be tuned, but I just feel like stock wordpress comes up short with regards to user comments, which IMHO was one of the most important aspects of the osnews experience for the old site. For example the search function doesn’t search comments any more, which is something I’ll miss. Is there a way to sort comments chronologically? I always did that on the old site because it was an easy way to see the progression of posts. Now that new comments are showing up in the middle of the page, I expect it will make prolonged user discussion much more difficult. I’m almost sure to miss the summary posts at the end of many of the user threads on the old site that zima was known for, haha.
Blockquotes are fixed. They’re using the same greediness as the old site, so blockquotes should be wrapped in the same manner as before.
I really, really appreciate the work you put in. And, I hope you didn’t spend too much time on this site, and thoroughly enjoyed the holidays.
Thank you!
All I’ll say is Thank You for all the hard work you all have been doing to get it back up and running. I know it’s probably not how you wanted to spend your Christmas Break; a big thanks to your family and friends too.
Regarding monetization, you can start accepting money your visitors are already trying to give you through programs like Flattr and Brave Rewards. OSnews only need to register an account and claim the osnews.com domain with each of the services. You don’t need to add any widgets, scripts, or tracking to the site for these services to work.
Both work kind of like Patreon, except that users have one monthly subscription that is divided out among participating websites based on their browsing habits. Flattr tries to be an ad-blocking amnesty program; letting people still support their favorite creators and websites. Brave is an ad blocker but offers creators and publishers an alternative revenue stream in the process.
I’m not sure the password conversion site worked (it responded with a blank page after entering my credentials), but I was able to do a “Forgot your password” dance and it looks like it’s got my data.
I had to do the dance twice because I forgot to record the new password (err…) in EnPass, and I briefly got a 429 – Too Many Requests back from the server.
Thanks for keeping this online! Cheers!
Bug report: Either the server’s or WordPress’ time or time zone seems to be misconfigured. My last comment is shown as being published on “2019-01-03 8:16 am UTC” while it was actually submitted and published on “2019-01-03 1:16 pm UTC”.
Also, why use a 12-hour clock format in an otherwise ISO 8601 formatted date-time string?
Happy enough with WordPress, but what I’d really like to see return is the user ranking/score filter. Already I can see quite a few comments I want to down vote to keep the discussions open and civil!
One I’ve used before on a client site (if it helps)
https://codecanyon.net/item/wpachievements-wordpress-achievements-plugin/4265703
I like it! We’ll look at this!
Thank you for deciding to keep the show on the road.
Regarding comments:
Following average comment scores, looking back over old highly rated comments and working out who to up-vote or down-vote was very addictive on the old site (for me at least!) So, I’d suggest a little caution in how it is brought back bringing it back.
If it is brought back (and in the right form that would be a good idea), I’d like to make a recommendation:
*Please put the old “Insightful”, “Amusing”, and “Off topic”, “Inaccurate” tags to the fore.*
Although the old system was often just used as a “Like” or “Don’t like” system, in theory it was a neat form of self-moderation. Now you are redesigning you could make it more explicit: show that a post has been marked down for inaccuracy. Hopefully that could dissuade people from misusing the system.
Agreed!
Hey,
New layout looks pretty good, but i’m still getting the maintenance page in Belgium …
Had to use opera VPN lol.
Anyway, thanks to the staff for keeping us updated and keeping osnews alive.
DNS propagation… always a pain in the arse.
Yeah i saw the TTL for the “old record” that is still cached here is 6m50s and the new one is shorter.
I meant the new one is one hour.
Dno why this record isn’t expiring as it should.
Also, can i PLEASE set a new avatar? I mean damn lol
The default avatars are aweful. You can set a custom one by registering the same email address with Gravatar.
Old record expired btw, working fine now.
Love the new look.. especially the fonts. the site is much easier to read.
The account migration tool worked flawlessly.. it was super quick too.
One suggestion is that making the Headline font of the news articles a tiny bit smaller and adding bold would look nice.
Thank you!
I didn’t notice my email address (a Hotmail one) was leaked because it has been locked without hope of retrieval. I was logging in from too many library computers in that account, so Hotmail assumed a password breach and didn’t have any phone numbers or recovery emails in that account, so it remains locked for the past 10 years…
For those of you getting spam: Don’t open it (to avoid triggering any beacons) and don’t reply and it will gradually go away. An old Yahoo mail which I use as secondary and for some account registrations has been leaked multiple times and the trick above works every time.
To everybody complaining about WordPress being cookie-cutter, this hack should have been a big awakening: Every site out there with a relatively unknown CMS or custom CMS is practicing security by irrelevance or security by snowflake. No exceptions.
If you want a less cookie cutter solution than WP, there is Drupal. But Drupal migration takes time which OSNews stuff apparently doesn’t have, so between WP and “OSnews Snowflake CMS” I prefer WP which doesn’t leak emails.
kurkosdr,
Honestly I take offense to this notion that small developers are “practicing security by irrelevance or security by snowflake. No exceptions.” Just because we don’t work for bigger brand names doesn’t mean anything in terms of the quality of our code.
I strongly disagree with the assertion that popular CMS systems are intrinsically more secure than self-developed ones; the fact is big brands (including wordpress) have been vulnerable to many stupid coding sins like CSS and SQL injection. The take away really should not be about avoiding customized websites, but rather to consistently follow good coding practices.
Ultimately, we can agree that osnews not having enough resources to build/maintain a custom CMS is a strong reason to switch to an off-the-shelf solution, but to insinuate that small developers can’t do the job securely is insulting to all the developers like me who do this sort of custom contract work as a day job.
One way or another, people lose interest in maintaining the CMS behind a website over time, but the website and the user data it contains (such as email addresses) stays online (because community), vulnerable to exploits.
At least WordPress have a team whose sole job is to maintain the codebase, which means stupid errors will be fixed, they don’t lose interest one day like it happened with the codebase for OSNews Snowflake CMS. Basically, if you have WordPress, your site maintains itself. When it comes to Drupal, Drupal might need some manual work, but still, applying an update is easier than discovering a vulnerability and writing the update.
Unless you are working for the in-house CMS maintenance team of some big company the size of Intel or Apple, the maintenance of your custom CMS code will inevitably lapse. Either the small-medium company that hired you to maintain their snowflake CMS loses interest and dismantles the CMS maintenance team, or you lose interest in the little hobby website you set up, which is what happened to OSNews.
kurkosdr,
In my experience most wordpress (and other CMS platforms) users end up needing to customize inhouse or with 3rd party plugins to get their website to do what owners actually need it to do. Right now users on osnews are already asking for more features because let’s face it, wordpress doesn’t offer everything we want out of the box.
Maybe you stick with stock installs and it’s cookie cutter designs, but even then wordpress has a history of vulnerabilities and I’ve personally had to clean up after breaches with some of my client’s wordpress sites that I otherwise had no direct involvement with. It’s pretty much the same scenario that David found himself in: you know there’s a vulnerability somewhere in the wordpress code base, but most users of simple hosting plans don’t have the resources to investigate the attack vectors and consequently the best they can do is wipe/reinstall and hope the problem is fixed. While I don’t mean to dismiss it’s perks, wordpress isn’t the cure-all panacea for security that it’s being made out to be.
It’s not all a numbers game either. In terms of security, having a small team with very strong security qualifications can be worth more than hundreds of developers working on a larger scale commercial product. Take for example microsoft windows, they have millions of man hours per year in development resources. Does it mean a small team can’t build a more secure special purpose operating system? No of course not. Having a smaller special purpose OS will have less functionality, but it can actually be an asset in terms of performance and security due to having less bloat and a much smaller attack surface. The same is true of websites.
So to your original point that all custom sites rely on security by obscurity, I still maintain that it’s wrong and that it’s completely realistic to independently build a special purpose website that genuinely beats the long term security of larger general purpose offerings. To your new point that small companies may not have adequate resources to pull it off, you could be right about that. I see more than a few clients go with off the shelf solutions due to lower upfront costs. Yet sometimes customizing off the shell solutions can more complex and ultimately more expensive than a fully custom solution would have been in the first place. That’s a discussion for a different time
I wouldn’t complain about WordPress being cookie-cutter (I’ve built custom WP themes in the past, and I know of plenty of large sites that are WP-based, ArsTechnica for example – though they’ve done enough custom development that there’s very little sign of of WP to the end-user).
That said, I don’t agree with the quoted statement – especially the “relatively unknown” part. There are CMSes that I would consider “relatively unknown” which, despite that, are developed & actively-maintained by security-conscious developers (for example, ExpressionEngine, the CMS I use for most sites). Those factors, I think, are much more important than how well-known or popular the software is. And using the most popular CMS is not necessarily a benefit from a security standpoint – since that often also means it’s the most popular target for generic, turnkey exploits & the like.
I generally like the new look.
When I first saw the new look (last night), there were a number of items which needing improvements. These have now mostly been fixed.
What I miss:
* The comment titles.
* The net number of likes (votes) on a comment.
* The possibility to like (or not like) a comment.
One thing I wish is that once the bottom of the “Popular Post” block has disappeared from the view, the comments would “expend” to the full width of the screen. If feasible, this would dramatically reduce the amount of scrolling one has to do when reading the comments.
I am uncertain about liking or not the absence of the comment edit and comment preview capabilities present in the previous look.
One thing I noted is that the time of posting for story and comments is now referenced to my time zone. I kind of like the UTC reference used by the previous look.
Thank you for all your hard work!
This is one of my favorite websites since 1999. 20 years!
I haven’t experimented with WordPress in a few years, so I am not sure if any of these are possible but I miss the following features of the old version:
– The ability to edit posts (typos happen)
– The ability to preview formatting (or wysiwyg editing)
– Comment Voting
Also are we still going to see the comments closed after X days? I personally never saw the point of it
I think closing the comments is an anti-spam thing. Moderators have that much time in their hands, and they don’t want some user to convert old comment sections to link farms or whatever. I ‘ve seen old posts of blogspot blogs suffering from that because comments weren’t closed after an X number of days.
I am not saying never close down comments, but a week (or is it 5 days) is too low a number. I have been frustrated by the conversation ending just as it got interesting, back on track, or asnew voices showed up. Now that the site is on wordpress, there are some good anti-spam tools.
Phew. When OSNews went down over the new year I was starting to get withdrawal symptoms. I’m fully impressed you managed to migrate the content to WP, and thanks for all your efforts, and your continued commitment to the site. It’s the only place I visit consistently every day: it’s basically my tech news filter.
Like others I’d also be up for paying. Your previous €$£20 per year subscription plan was a no-brainer for me. Paying to have ads removed (assuming they come back) and not to be tracked (e.g. having the Google Analytics removed for subscribers) would make it double worthwhile for me.
I’m glad the new site is TLS-ified and the RSS feeds are still in place. Although it’s unfortunately not as zippy as the old site (which I loved for its minimalist approach), I’m personally very happy with the new design.
I love the updated site. The old website needed a fresh coat of paint. Good job.
Thanks for the update, and welcome back!
I’d be happy to kick in a couple bucks a month on a Patreon or other similar subscription if y’all set one up; always have loved the fascinating articles people find and post here.
I am happy for two things:
1. It’s back up.
2. It’s on WordPress. This means that issues get fixed faster and you don’t have to spend all the time maintaining it that you once had to. You still have to maintain it and patch it, however.
This site is needed. I’d definitely subscribe as I’ve been using it for years.
Fortunately password_hash doesn’t support “extended DES” (supports only sane algorithms) and uses bcrypt by default.
PS You should warn users earlier by sending emails about the breach.
Ukhm, email leak? If there was anyone with PII’able email (like firstname.lastname@) you may find yourself in GPDR shithole.
Are you sending my email address to fucking gravatar
1. It’s sent in the URL, but only after being run through md5.
2. If you don’t register at gravatar, it’s unlikely there’s any issue, since no one has rainbow tables of every possible combination of valid email addresses. It’s more likely they run into md5 collisions unless your email is already out in the wild.
3. Oh, by the way, we’ve been using gravatar since July 2007[1].
[1] https://www.osnews.com/story/18197/gravatar-support-on-osnews/
It’s still possible to follow users around (that happen to use the same email address on multiple sites) by searching for their gravatar url. No need to know what the hash is created from…
There was a discussion in 2007, and the redeeming factor back then was that osnews mirrored the images locally, ie. it didn’t expose the gravatar URLs to the public.
Speaking of which: any chance that we could get a user dashboard to edit email addresses, time zone preferences and the like?
You can edit your email address by clicking in the upper right hand corner on your name. It will lead you here: https://www.osnews.com/wp-admin/profile.php
As for gravatar, we didn’t mirror them. If you had already uploaded an avatar, we kept it in place. Changes to avatars and new avatars were forced over to Gravatar, an artifact of the switchover. Realistically, the options are Gravatar or a generic icon. We’re not planning to support custom local avatars right now. I’m open to suggestions if someone has one, I’m not really too excited about letting users specify their own avatar URL though…
Time zone preferences… maybe. There’s still a lot of work to be done, but we didn’t want to be offline longer than necessary. I’ve probably made three dozen changes to the site since this morning. Keep the suggestions coming, we’ll keep improving!
Adam, replying here since I can’t reply to your answer: https://www.osnews.com/wp-admin/profile.php gives me “Sorry, you are not allowed to access this page.” and when clicking the user name in the upper right (“Howdy, pgeorgi”), I get the menu with the icon, username and “Log Out”. Only “Log Out” is clickable.
Thanks for all the work here!
@pgeorgi – your link isn’t the same as mine. Try clicking on the link I posted.
@pgeorgi Please try now, I’ve modified the migration process to properly create a user_level of “Subscriber.”
I see that editing comments is now possible, awesome! Is there a way to set it to 20 minutes like it was on the old site rather than 5?
I had never looked at gravatar before, but now that I’m looking up the implementation I see that you are right: all our email addresses are being publicly exposed in unsalted MD5 hash form.
https://en.gravatar.com/site/implement/hash/
IMHO gravatar’s implementation is inherently insecure against modern attacks. It turns out some successful attacks have already been conducted against gravatar hashes specifically in 2009 and 2013.
https://arstechnica.com/information-technology/2013/07/got-an-account-on-a-site-like-github-hackers-may-know-your-e-mail-address/
Just now I tested some of the gravatar hashes in this discussion…I successfully reversed the hashes for both David and Adam osnews email addresses in under two minutes using hashcat. Granted those are “simple” email addresses from a predictable domain, but give me a week or two and I bet I could produce rainbow tables for reversing 99% of md5 hashed gmail addresses using relatively modest resources.
Clearly it’s up to osnews staff whether gravatar is worth the risk or not, but I think for the purposes of making informed decisions, md5 hashed emails should be considered *extremely weak* in terms of security. For better or worse, a permanent fix would need to come from gravatar themselves. Personally I think that users should be allowed to opt out to keep their information more secure.
Adam, the link you posted doesn’t work for me either. As pgeorgi mentioned, it leads to a page that says “Sorry, you are not allowed to access this page.” Clicking on my username also does not lead me to that page but rather only opens the menu, and the only option that is clickable is “Logout”.
Man, I’m doing a large migrations at work at the moment, I feel for you guys. It’s always lots of work.
If you want any help with setting up a caching layer for WordPress let me know, I’ve done it before with Varnish.
Just thought I’d toss my two cents in and thank Thom and the (unfortunately) anonymous staff for years (approximately decades in my case) of great work.
Thanks guys!
Where can I can I change my password? Also would be it possible to have comment box on top of the comment so us (the users) don’t have to scroll all the way down?
Thanks.
Hum, I really thought this site I’ve been using since a long time ago (by Internet standard) did go to heaven cloud pastures. I’m very happy it didn’t happen as I would miss a lot the good guys and their opinions.
It is really nice to get exposed to different views about subjects related to technology and its consequences, some of which really thoughtful and through.
Oh, and I even would miss the lunatics, they are funny too.
Welcome back OSnews and many thanks to all involved to make it happen!
acobar,
+1
Osnews staff deserve to be commended for all the hard work. I also want to reiterate your sentiment about enjoying the discussions on all sorts of topics with others here on osnews. Still I think there’s a tendency among us to take things for granted. We may not appreciate just how much of an existential crisis osnews was in. I’m sure money can help with some of the operational costs, but we all should do more to honor David’s other requests too:
You are right about it that many of us can contribute more to make this Internet corner even more fun.
One aspect that would really set it apart is if some articles could accept revisions and coauthoring. What I have in mind about it is the following: someone write and article about subject “A”, it gathers interest and another member ask to make corrections and additions, get its modifications accepted and the whole content get updated. Of course, it would need a kind of VCS support and a better account management but it would also end up giving better articles, just like what happens with our source code projects.
As a side note: happy new year Alfman!
“You can edit your email address by clicking in the upper right hand corner on your name. It will lead you here: https://www.osnews.com/wp-admin/profile.php”
Not for me.
If I click on my name all I get is the option to log out.
Nothing else…
Please try now, I’ve modified the migration process to properly create a user_level of “Subscriber.”
https://www.osnews.com/wp-admin/profile.php gives:
“Sorry, you are not allowed to access this page”
And there’s no link to this page anywhere. When I click on my nickname at the top I see a sort of menu with my nickname (not a link, just text) and a “Log Out” link. That’s all.
Please try now, I’ve modified the migration process to properly create a user_level of “Subscriber.”
It works now, thanks!
I’m gonna ask this very serious question: WP requires constant updates and maintenance since major security issues in it are identified pretty much every month. Are you sure there’ll always be someone who presses the Update button in a timely manner and does everything required to keep this website up to date and secure?
WP updates can be automated fairly easily. Several plugins will notify you of out of date plugins or themes.
Automation could be good as long as new releases don’t introduce major incompatibilities and don’t bring the whole website down.
I almost feel like you could have hosted on WP.com but that’s kinda expensive since you want to run your own ads.
Wouldn’t count on it given their inability not to be hacked. You’d think on a site like this they’d know what their doing with security……..seems that’s a no
How helpful of you to chime in! The last time anyone modified the core code of the site was 2008, which I’m sure you read in the article.
Hashtag obnoxious
the problem w/wp is it makes such a bush league looking page. Straight out of 2007. Should have used Joomla.
Surely you’d agree that, given that CMSes are all fully templatable, the underlying system has nothing to do with the way a site “looks.” Joomla can be a mess too, and no one here knows Joomla internals well enough to customize it and convert into it, so I’m not sure the purpose of this comment?
I’m a Joomla developer. I’m sure others read this site. You could have put out a call for help and received several volunteers to assist a redesign. This looks like your first time WordPress blog. I want to see some affiliate ads and paid reviews if we’re going this direction, get to work.
I get the feeling you don’t realize that there are actual people on the other side of your comments, which is odd since you’ve been using the site for 10 years now.
We took the site offline and built a replacement within a few days, unpaid, using the tech we knew, accommodating 1M+ comments, 30K stories, tens of thousands of users, and a billion ancient customizations. Are you suggesting you would’ve dropped everything over Christmas to do that? I doubt it.
We all get it, you’re unhappy with WordPress. You’ve been heard, but you’re not being helpful. In fact, you’re kinda coming off as a jerk.
Joomla is a security nightmare
WP is even more so.
Thank you for your hard efforts over the years. I would like to suggest you have the option to donate via Bitcoin. I canceled my Patreon account recently and I have no intention of signing up again. Ideally just have a simple Bitcoin address rather than going via Bitpay or similar. Also, the currency conversion of costs of Paypal etc are ridiculous.
I also get the “Sorry, you are not allowed to access this page” when I try to click on my username. Any chance you can fix this?
Thanks for the time and effort you’ve all put into the site. I’m very glad you didn’t decide to shut it down forever.
Count me in as a paying subscriber via Amazon or Paypal (if no other viable choices). Please, no Patreon.
Will all of the old news content and comments from the old site be migrated over? (Maybe I’m just not finding it on the new site.)
The parts that are coming are all here. All news stories, all comments. What part are you looking for?
Thanks for the honest and upfront email. I would normally say that this is why we can’t have nice things but I this we have all won as the result of your hard work to migrate the site.
Umm … i’m getting a site admin link in the right bar … that can’t be right.
I changed what i thought was my theme before realizing it said site admin … sorry if i messed anything up.
You’re good, that’s just your personal control panel.
When I try to submit a news it says “Minimum number of characters not met in content field. Please try again.”
Not sure where else to address this so I’ll do it here:
The migration tool doesn’t seem to have migrated anything for me.
I wasn’t sure what my original password was, so I reset my password first.
After doing that the migration tool appeared to work – it gave a success message – but I cannot find any of my original comments.
If I re-try it now, I get a message saying my profile cannot be migrated.
I didn’t have many comments so its not a major – but still would like to keep them nonetheless.
Your comments have indeed been associated with your account. If you used the password reset, you don’t need to use the migration tool. In fact, the migration tool will itself reset your password to your old OSnews password.
Adam it seems like you have some strong hard core OSnews followers I am one of them. I personally check this site on a daily basis it all started in college more than 15 years ago when in one of my class I was asked to reference a technical article once a week. I used OSnews and other sites to hunt for good technical articles since then I have made it a habit to visit OSnews daily. I would personally hate to see this site go away, but there are many readers as I am who do not voice their opinion in the comment section as they should. Thanks for your hard work.
Thank you! It’s depressing as hell to see so many obnoxious people who feel it’s worthwhile to come here just to register their hatred for WordPress or bitch about the look and feel without the least bit of compassion. They don’t realize they seem like entitled a-holes. We’ll continue to iterate and improve if you keep visiting!
Hey, starting from scratch is sometimes just the best thing to do! Wipe the slate, start fresh. Happy to hear you are using it as an opportunity and very thankful for all the contributions that you and Adam have made in the short term to get back up and running.
Two suggestions I have that others have chimed in on as well:
1.) Comment upvoting/filtering. There are some existing WP plugins that should handle this without really having to do any of the heavy lifting
2.) Subscription support:
Patreon – sure, maybe, its a useful interface… others can see how they are helping the site meet goals, etc. Not sure its more recent “censorship” claims are within the ethic of a technology website but that’s totally up to you.
Bitcoin/Litecoin – dead simple obvious option for a tech website. No automatic recurring payment scenario, no way to count on it showing up every month.
Brave browser – Adoption is early at this point for sure so you won’t capture every possible dollar but I would suggest becoming a verified publisher as it allows for a controlled and recurring support mechanism by those who want to support you through crypto. An hour’s worth of research can show you how to get paid from user engagement in effectively any currency you choose. (bank payment in USD, or tons of crypto options) Seriously, consider this option early on. Passive contributions from an ad-free and privacy centric browser user base should be welcomed in my opinion.
Again, thanks for all the work, I’m looking forward to the growth that 2019 is sure to bring. (growing pains and all) =)
I like the change. I found the old site awkward to use.
For me, the most important thing about the site is the actual content. I happen to like a nice clean look, but almost any WordPress theme works — if you want to invest the effort, you can even write your own. There are also many relatively low cost, professional themes that are highly customizable.
For the most part, when I create a website, I use WordPress as the CMS. It is regularly updated and easy to use.
Cheers
WordPress is really good choice but this CMS is one of the top brute-forced CMS.
Thanks for the honesty and all the good work you’ve done over the years. I appreciate you still having RSS front and center while other sites are getting rid of it. I’d be happy to contribute to a Patreon if you set one up.
OSnews has been on my daily visit list since so many years, and I’m really happy you decided to go on.
It defers in many ways from those polished tech news sites, but in a very positive way:
You have an oppinion and this is sometimes a bit different from the mainstram.
You have a magazine character in a way that you also post historical news, just because they are an interesting read.
You care about old computers, too.
I promise to spend some 10 € per year for this unique page, as long as it keeps it’s “semi professional” feeling. I love it.
As usual you get dozens of haters and a multitude of “suggestions”. The only web sites I built and ran was in the 90’s and before CSS, PHP and CMS systems was invented, even that was hard to keep up to date at times, I wouldn’t know where to start today!
I think they’ve done an amazing job getting the site back up in just a few days, it would have been a horrible loss if OSnews had just gone dark.
Just sit back and relax, things will progress as time allows and the most asked for features will appear where possible.
Thanks for the big explanation and for the honesty on it. Thank you also for all the hard work you’ve done over the years. And I also appreciate a lot that you will keep RSS on.
The new web is a classical WP, which includes, at least for me, an extreme big font size. I’d prefer to have an overall font size a bit smaller, also this would reduce the excess of white color.
Thanks again, and keep the good work!
I said the theme/cosmetics do not really matter to me very much (content matters); however, I do have a suggestion: Make the border on the “Leave a Reply” text entry area more visible (make it black and possibly thicker). I had trouble seeing where to type in a comment until I saw the little, bottom right-hand corner of the box (i.e. used to resize the box),
I can handle it the way it is, but it is hard on these old eyes!
Oh! @Mikaku Almost all browsers have a zoom function (often Ctrl + to enlarge, Ctrl – to shrink and Ctrl 0 to reset to the default). I frequently use it on sites that have squinty small fonts — or when my eyes are tired.
Cheers
JRG, yeah I know that feature but, sincerely, I prefer to obtain the web sites as they are originally instead of tweaking my browser differently for each website in all my workstations.
Anyway, thanks for your advice!
Cheers.
We don’t mind the feedback, and I agree with you that it’s reasonable to expect a certain level of readability for any website. I’m sure we’re not going to be able to satisfy everybody, but we’ll probably be making tweaks for a while to try to make things incrementally better.
Thank you for taking time in reading my commentary. I’m sure that in the next days and weeks the website will improve things here and there. Also, on my part, I’ll have to adapt to these changes and for sure at the end I’ll embrace them as if they were made for me.
Thanks again for all this work!
As a result of user feedback, there is now an option in your profile to disable Gravatar for your account and instead use an anonymous, generic, local image.
Adam Scheinberg,
Thanks!
I tried to select “opt out of gravatar” and “update profile”, however it always reverts back to “use gravatar”. Did I do something wrong?
Maybe I could create an article about hashcat and it’s capabilities? I don’t know if that’d be good osnews material.
I don’t mean to be one of the obnoxious people continually being a pest about things, haha, but on a different subject: is it necessary to scan through all the comments just to find the new ones? As the number of comments increases every visit (ie up to 161 now), I’ve had to reread the whole list several times, is there something I am missing? On the old site it was easy to view posts chronologically. If there’s no way to read only new comments, then I think using the comments as forum for discussions will become rather problematic.
I’m open to this discussion, but there doesn’t appear to be an easy way to do this while keeping threading. Should we disable threading? What do you think?
Thanks to the entire team for the work done. The breach is definitely unfortunate, but this is one of few websites that I visit daily for news that wouldn’t make my normal feed. It is the mix of industry news with those occasional gems like the Steam heating article, and the timezone article before that really keep me coming back for what may be a decade now.
I still can’t access any profile page. All I get is the same as already reported earlier, a menu with my username and log out, that’s it. Clicking on my username does nothing at all.
I love the new look. Needs a few more visuals on the stories I think, to go with the times, but overall, it’s OSNews as we know and love.
Eugenia,
Hey, it’s been a while! It’s nice to see some of the old school folks coming on to say hi. I wonder what you are up to these days?
Hi, thanks!
I’m into art these days, but I might contribute a few articles here soon. I missed the old gang.
I used to joke that OSNews was just “Thom Holwerda’s personal blog”, but now it actually looks like just a blog instead of a news site.
The front page should really just show the headlines and maybe a short abstract of each story, so that you can actually see multiple stories at once without scrolling. Unfortunately now it’s very hard to see at-a-glance what stories there are, since you need to scroll through whole posts in order to see each headline. This is made worse by the humongous title font, which at least let’s you find where one post ends and another begins.
Kudos for the smooth and expedient transition. I was able to reset my password and log in with no problems. I also like the slick new theme. Keep up the good work!
Nice. Following this site for years now and finally decided to create a profile. Works well on Lynx too.