-
• #4277
OK, ta.
-
• #4278
BTW, I couldn't find that thread... must be permissioned or something.
-
• #4279
Because cartoons are the best source of security advice...
Bruce Schneier, on the other hand:
This is why the oft-cited XKCD scheme for generating passwords -- string together individual words like "correcthorsebatterystaple" -- is no longer good advice. The password crackers are on to this trick.
use random unmemorable alphanumeric passwords (with symbols, if the site will allow them), and a password manager like Password Safe to create and store them.
-
• #4280
Not that persona allows this...
-
• #4281
Yes, but my point remains that the VAST majority of people do not use a password manager.
For THOSE people who do use a single password everywhere, it is far better that it be longer than shorter, more complex than simple... but length is of higher importance than complexity... so if you're going to only do one thing, make your password long.
-
• #4282
.
-
• #4283
2 things.
- I use LastPass with Persona. My password is very long and complex, and my LastPass requires 2FA using a YubiKey (even on Android).
- My point remains, because the majority of people are morons who use 1 password for everything, and cracking their passwords is a piece of piss unless it's long.
-
• #4284
Bruce Schneier, on the other hand:
This is why the oft-cited XKCD scheme for generating passwords -- string together individual words like "correcthorsebatterystaple" -- is no longer good advice. The password crackers are on to this trick.
It's not a trick that depends on the password crackers not being "onto it", it's an algorithm that might output any one of 2^44 possible strings, all of which are reasonably easy for a person to memorise. See the comments on Bruce's article for details.
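The arithmetic behind that reply, as an added example that is not part of the thread: the strength of a word-list passphrase is the number of words times the bits per word, and that figure already assumes the attacker knows both the list and the method. The 2048-word list (11 bits per word, so 4 words give 2^44 possibilities) and the guessing rate of 10^9 per second are assumptions for the calculation, not figures from the posts; the tiny word list in the code is constructed for the demo only.

```python
import math
import secrets

# Constructed word list, far too small for real use. It exists only to show
# that entropy comes from the list size and word count, not from keeping the
# method secret. A usable list has thousands of words.
DEMO_WORDLIST = ["correct", "horse", "battery", "staple",
                 "anchor", "bottle", "carpet", "dragon"]


def passphrase_entropy_bits(words: int, dictionary_size: int) -> float:
    """Bits of entropy when `words` are chosen uniformly and independently
    from a list of `dictionary_size` words. This is the search space the
    attacker faces even when they know the word list and the scheme."""
    return words * math.log2(dictionary_size)


def random_string_entropy_bits(length: int, alphabet_size: int) -> float:
    """Bits of entropy for a uniformly random string over an alphabet,
    e.g. alphabet_size=62 for mixed-case letters and digits."""
    return length * math.log2(alphabet_size)


def equivalent_random_length(bits: float, alphabet_size: int) -> int:
    """Shortest uniformly random string over the alphabet that reaches at
    least `bits` of entropy."""
    return math.ceil(bits / math.log2(alphabet_size))


def expected_crack_seconds(bits: float, guesses_per_second: float) -> float:
    """Average time for an attacker who knows the scheme and enumerates the
    space: half the space on average, divided by the guessing rate."""
    return (2 ** bits) / 2 / guesses_per_second


def generate_passphrase(wordlist, words=4, rng=secrets):
    """Pick words with a CSPRNG, uniformly and independently, so every one
    of the len(wordlist) ** words possible passphrases is equally likely.
    Biased or predictable selection would shrink the real search space
    below the computed entropy."""
    return "".join(rng.choice(wordlist) for _ in range(words))


if __name__ == "__main__":
    # Assumed parameters (not from the thread): 2048-word list, 10^9 guesses/s.
    xkcd_bits = passphrase_entropy_bits(4, 2048)
    print(f"4 words from 2048: {xkcd_bits:.0f} bits, {2 ** int(xkcd_bits):,} strings")
    print(f"expected crack at 1e9/s: {expected_crack_seconds(xkcd_bits, 1e9):.0f} s")
    print(f"equivalent random alphanumeric length: "
          f"{equivalent_random_length(xkcd_bits, 62)} chars")
    # The demo list is 8 words, so 4 words give only 12 bits: list size matters.
    print(f"demo list, 4 words: {passphrase_entropy_bits(4, len(DEMO_WORDLIST)):.0f} bits")
    print("sample:", generate_passphrase(DEMO_WORDLIST))
```

The comparison shows the point of the reply: four words from a 2048-word list and eight random mixed-case alphanumeric characters are in the same entropy range, and neither gets weaker because crackers know how it was generated. What does shrink the space is a small word list or non-uniform selection, which is why the generator uses `secrets.choice`.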
-
• #4285
When visiting the "Today" page, it's impossible to see whether a thread titled i.e. "Rourke" is a sales thread, a wanted thread or a CP thread without clicking into it, right? Is there a way round this?
-
• #4286
It's coming.
-
• #4287
Added navbar menu to key things, mostly external.
On there is the donate button, and the link to the LFGSS CC cycling club on British Cycling.
Additionally, I've included searches of related social media stuff so that it's easy to find LFGSS on the wider web.
-
• #4288
and the link to the LFGSS CC cycling club on British Cycling.
It says "British Cycling Club", which doesn't make it obvious that you're being shown the way to our club. I think I'd have called the link "Cycling Club" and taken people to lfgss.cc, which should then have links to all of the bodies to which the club is affiliated, not just BC.
-
• #4289
Sure, but I've only so many hours in the day and I haven't built lfgss.cc yet.
-
• #4290
http://www.opine.me/mozilla-persona-browserid-is-a-step-in-the-wrong-direction/
To be fair I don't know if the author is a security expert. He might be a total numpty on security matters for all I know.
-
• #4292
Er how do I send a PM to someone? Selecting the username doesn't seem to do it.
Also unable to log in on iPhone using Safari; it tells me my browser is unsupported and I need to upgrade! Fine on Safari on the iPad.
-
• #4293
Click on the user name to go to the profile (e.g. https://www.lfgss.com/profiles/47911/ ); there's a button called "Send Message" which takes you to the composition window https://www.lfgss.com/huddles/create/?to=47911
-
• #4294
Thanks, weirdly the Send Message button doesn't show when I go to their page. It seems to have worked using your link.
-
• #4295
He's not bad as far as it goes, not in the league of a cperciva, but at least he has some hands-on experience. On HN he changed his tune after the Beta and final version were released. The comments in that blog post are based on the initial Alpha and many things changed.
His criticisms are easily defeated and no longer relevant, namely the two he mentions:
- Phishing attack due to use of a third party domain; in a popup or not it's irrelevant, his core criticism is that people signing into domainx.com don't expect to go to domainy.com but then he has acknowledged many times that if you don't trust the client (the app or website), then things like Twitter Signin, Facebook Connect, etc are only secure by visiting the third party domain. Same is true here on LFGSS... we don't trust the web client.
- The fake logout, in that signing out didn't sign you out of Persona; that was solved in a Beta. Signing out of LFGSS will sign you out of Persona.
Not sure whether you know, but I have actually built several web account and SSO systems. The first back in 1998 for British Telecom (for their web portal), the next in 2000 for 300+ football websites, the web account for Premium TV, the third was a SSO extension for SharePoint, the fourth was the basis for trust based security in SharePoint, the fifth was a web account for Yell Group customers and sales people.
I've built auth systems based on LDAP, ActiveDirectory, RDBMS sessions, multi-devices, multi-access tokens, trust based relationships between domain forests, SSO to legacy systems and SAP. Basically, it's one of my speciality areas. Tens of millions of people have used my web account and SSO systems.
Somewhere in that experience I get really hesitant to build yet another sign-in method. But I do have a really really deep understanding of the requirements of one, and of what we needed for LFGSS to make it so that the API could work and we can build native client apps in future.
When I sat down to start this, I knew exactly what we would need to build, and what I saw was that Mozilla were building precisely the same thing.
If we didn't use Persona, I would build Persona.
It may have some nuanced differences. I wouldn't have done the email bridge (auto-signin with Gmail accounts) for example. But in the implementation and flow, almost everything else would be really similar.
If we ever stop using Persona, we will build something that looks very much like Persona.
But for today, the dedicated security and ops people that Persona has beats a single me, needing to sleep, and not being available 24/7.
Persona is 95% of what we need, and has saved us months of work by not requiring that we build it.
-
• #4296
Your iPhone Safari is in "Private Browsing" mode, disable it and you will be fine.
-
• #4297
Is it possible to slow down the scrolling on event maps? it seems super twitchy, much more so than Google Maps, for example...
-
• #4298
That's 100% to do with whatever browser you are using and how it handles such things.
Out of my control I'm afraid.
-
• #4299
I'm following the polo forum, but one of the stickied threads is not showing up in my following stream? The Montpelier one.
I've tried unfollowing and refollowing, but it's still not there?
Following a forum gives you updates on new items created within the forum.
As we would spam people to death if they had email notifications enabled we chose not to apply it to older items in the forum... it would be too noisy.
Any existing threads you want to follow, you should individually follow.
I may re-visit this, if it seems that people would rather accept the noise levels, then I'll go that direction on it.
-
• #4300
Ahhh, that sounds like a great way to have it. Just not immediately obvious when clicking the same button in different places.
I'm going to subscribe to a bunch more forums now I know that.
Although I would like a way to automatically subscribe to everything in a forum (24 and 42) but I guess there aren't many people like me (except maybe the mods?).
Works perfectly well, but images above the anchor point loaded fractionally after the page which pushes the anchored post down.
There's no elegant solution to this, this is what browsers do when they don't know the height of images.