With Facebook, it's fair to say, the content you post is yours. It's by you, for you and about you. In a community setting, you're merely contributing content to and for others. It's not your content per se - it belongs to the community (and if you want to get technical, the site owner's) - this is spelled out in the Terms of Service, unless the admin specifically removes it. I could possibly understand blog content, but topic and shared community content is not really yours, regardless if you started the topic or not. If we were to export ONLY your posts, it would make for silly reading out of context without the surrounding content. We can't export content that doesn't belong to you in any way, shape or form without the site owner's authorization and frankly, I don't know why they would give it - but some might. Nonetheless, I can't say there's no use for this, but certainly not one that would prompt this to be built into the software.
We don't want end users reporting bugs at this time. It sounds like a novel idea and we've allowed this in the past due to various reasons, but at the end of the day, the "bug" is usually caused by a third party modification or theme modification the site owner has performed that the end user would know nothing about. Further, not having access to the site owner's ACP, we're not going to be able to obtain any useful information about the site's configuration and it just becomes (most of the time) a wild goose chase. As for Darkshine's piracy argument -- we definitely don't want to hear from anyone who are using an unlicensed product (likely full of hacks) regardless of how they've self-rationalized their actions to be for the benefit of paying customers. There's enough usage of the product across so many different types of communities that it's not necessary to have the bug tracker as a free for all at this time. Thank you for the feedback, however.
I suppose we could at some point as you said when we're done - but it's not something I'd consider a top priority of course. I would suspect a third party is going to get to an in-depth write-up before we do. As someone responsible for the IPS infrastructure (and someone responsible for controlling related costs) and loving solid performance, it's also not a straight apples to apples comparison. We've not just taken IP.Board 3, done a little refactoring and called it IPS4. In the end, some pages will be faster, some will be a wash and some like View New Content will be a little slower due to providing a smoother experience across the suite content. "Performance" itself is such an open-ended discussion. I've seen many times pages that load lightning fast on the onset, but can't scale beyond a few hundred simultaneous users or X amount of data records. I deal with the largest sites on our own network serving tens of thousands of users and millions and millions of content items -- scalability is what I care most about, not sheer page load times (though having the best of both worlds is obviously ideal, when possible.) It's a difficult balance when you factor in the magnitude of the content we're serving, coupled with the fact that we still have to factor in the lowest common denominators -- dollar hosts that haven't upgraded MySQL since 2007 for self-hosted software. Without those limitations, the sky would be the limit -- MySQL 5.6+, for example, is incredibly more efficient than any previous version. We can leverage some things, but are stuck holding back the software in many regards to accommodate antiquated (in our world) technology. My personal shooting-for-the-stars goal is to make IPS4.x the last series where we have to worry about whether it will work on a $2.99/yr. host as with a product on this scale, it REALLY slows things down from a development standpoint. I would hope/expect in IPS5 (no release date yet, sorry ;)) we'd have moved to a point where we can comfortably say the requirements are xyz (and I wouldn't expect anything crazy, but definitely latest versions of the LAMP stack.) I digress on the little side tangent there. In short, we still have some work to do performance wise. When we're all done, we'd welcome someone to do some real world benchmarking.
I would suggest waiting a bit longer. Having IPS4 on a real-world live "production" site has highlighted several areas that can be improved performance-wise -- and this is a good thing; the time to work these out is now, not after it's on YOUR live production site. With an infrastructure background, I too have identified areas of improvement and we're all working together here to get IPS4 in tip-top performing shape. You'll notice gradual improvements as changes are rolled out. IPS is on the Amazon Web Services platform. Currently, we are not leveraging any caching engines, Cloudfront or any of the many technologies available to speed up performance and this is on single instance connected to RDS. We're keeping it simple and traditional until we're happy with base performance and we're comfortable kicking it up a notch.
The topics have been merged and as the bulk of the issues have been resolved, I'm going to close this to prevent further confusion. I'm sorry this has caused any inconvenience - we're just taking precautions to protect you and your account. Some have, for whatever reason, found these measures unnecessary and as such, we've incorporated an opt-out in the client area. You may check a box and avoid answering the security questions, leaving your account protected by password only. As noted on that page, you assume all responsibility for your account should you choose not to accept the extra layer of protection -- this means in the event your account is compromised, IPS may not be able to assist you in regaining access.
Some have asked for the ability to create their own questions. We do not feel this is necessary at this time as there are nearly two dozen questions to choose from. It is also worth noting that the answers do not have to be accurate or factual. Personally, I treat security questions/answers like additional passwords and make use of a password manager such as Lastpass. This also solves the challenge of using unique passwords on every site.
We will be placing notifications on the login forms as some customers did not receive the mass e-mail due to having opted out of receiving e-mails from us - we apologize for this and will look into tiered notifications (ie: promotional, critical) in the future.
If you have any further questions or concerns, please feel free to open a customer service ticket, or contact us via http://www.invisionpower.com/contact
Some think we're in our ivory tower sipping scotch laughing at all the ways we can cause inconvenience, like *gasp* trying to protect customer accounts. :) In reality, by the end of the day, we're ready for a well padded room for some alone time after the abuse we take in (some self-inflicted, some not).... then I get to go home to a wife, three kids 10 and under (two of them being special needs) and start it all over again!
That said, I wouldn't trade it for anything. Maybe just a little more medication. :)
Sonya, was this yesterday or just now? There was an issue that was resolved. Since yesterday afternoon, nobody should be receiving passwords by e-mail and the lockout issue has been fixed as well. If that is not the case and this just happened, please PM me further details so I can investigate further. Thanks.
I'm sorry for your frustration -- you purchased a product almost 9 years ago (others purchased even longer ago) and we've delivered that product -- and then some -- the entire time and with IP.Board 3, we will continue to do so, likely for another two years. The product you purchased is no longer feasible to develop as you purchased it. We're giving you the choice of continuing to use what you purchased or opt-in to the new license structure and take advantage of the new IPS suite. You did not purchase IPS4 or a license that's compatible with it (introduced in 2007) - thus you are not entitled to IPS4, but we are indeed not only offering it to you for free, but essentially paying you for half or more than what you paid those 9 long years ago, thus allowing two more years on the IPS4 platform before you even need to think about renewals. If that's unethical, I fear there may be an expectations issue.
I'm regretful we've lost your confidence. Obviously what we're offering is a far cry from literally a lifetime of everything IPS does (which is not what you purchased) - but it's the best we're willing to offer.
To follow up on this quickly, I've looked at all the reports here from those that said they didn't receive the e-mail and confirmed the e-mail was not sent to you. This was because you disabled mail notifications/unsubscribed from us. We will look into ways we can override that for critical notifications in the future, but really, we don't send that much e-mail -- perhaps the occasional newsletter -- if you want to ensure you receive all relevant e-mails, you may wish to turn notifications back on. Sorry for the confusion on that one.
As an additional side, the team are working, as we speak on an opt-out of the new security features. You can avoid using the questions / answers, but if you do so and your account is compromised, IPS will not assist you in regaining access. I never expected anyone to be upset about an additional layer of security to safeguard their purchase, but clearly some don't see the need, so we're fine with letting you avoid it so long as you understand we can't give it both ways: less security and the expectation that IPS is going to spend an hour or more tracking down where your license went, verifying identities and reclaiming it for you. There will be a disclaimer if you select "I don't want to answer these questions."
Regarding the password changes - there was little point in executing the extra level of protection if someone could login and set the questions/answers before the actual account holder could get to the account. Once again, this was done because many customers are losing their accounts due to using the same e-mail addresses/passwords that have been used on other sites that were compromised. Databases exist where people can reference these details, then go to various websites such as IPS and try to login using those details. If we'd warned of our plans, the attackers would have expedited their plans to get as many accounts as possible. The forums and SSO added an unexpected layer of complexity here that we'll be more keenly aware of for next time -- if there's a next time. :)
It seems you used the forums to reset your password instead of the client area. The forums was set to e-mail a random password rather than allowing you to choose your own. My deepest apologies for this. It's been corrected and NOBODY should receive a password by e-mail now. Please let us know if that is not the case.
There was a mass e-mail sent out in tandem with this change. Unfortunately, not everyone received it - we are investigating as to why with Mandrill. Sorry for the inconvenience.
There's over a dozen questions - you only need three. I think you can make it work. Choosing your own questions just adds an unnecessary layer of complication. I've never come across the ability to do that personally. They are always pre-defined.
We're sorry about that, it seems not everyone got the e-mail. We're working on that.
Deeply sorry for any inconvenience this has caused. We thought we were doing a good thing here by being proactive and helping to protect your investment against a new wave of attacks. Perhaps we need an opt-out of such things in the future, so people who think their passwords are "good enough" and request no further safeguards can just wing it without obligation to IPS.
I could have never envisioned helping to further protect accounts going so dramatically. Wow!
Passwords are encrypted, we have no way of verifying whether they're strong or weak. What we do know is while no part of IPS has been compromised, over the past several months, we've had dozens -- not a few -- dozens of customer service requests that all start the same way "I can't access my account." After 30 minutes of investigation, we locate the original account to find that it has been compromised. After verifying the identity of the account holder and following other processes which take another 20-30 minutes, we confirm that the original account holder either: had their e-mail account hacked or used the same password on <insert big site here> and their e-mail address and password were in a database that attackers were using to get access to other sites, including IPS.
Neither of these are "IPS' problem" but it's becoming a significant inconvenience to customers and we are expending an unnecessary amount of time recovering accounts, determining if they should be recovered (some legitimate customers sell licenses, then try to take them back) etc. This was the best way, short of 2FA (which REALLY would have caused confusion) to add an extra layer of protection to accounts.
It's mind boggling that you wouldn't want that protection, but if you don't, just enter "no" to three random questions and call it a day. Know that if your account is compromised, there may be little we can do for you if you can't help us, help you.
I'm sorry this didn't go smoother, obviously there's a lot of moving pieces and in spite thorough testing and vetting, a few issues cropped up. Those issues have been resolved, the answers are not case sensitive and we've added over a dozen questions... you should have no problem finding a question you're able to answer. Personally, I use Lastpass and turn questions/answers into second and third passwords. It is not international law that you have to answer the questions with accuracy, it's just a good idea to be able to answer them in the future.