The darker stories

[jducoeur]

*Sigh*. I just occurred to me that the CommYou story list didn't yet have "As a sysadmin, I can ban specific users." I can probably put that off while I'm in alpha, but by the time I get to an open beta I'm going to have to have all of those abuse-management tools in place. Sucketh most mightily -- I always prefer to believe the best in people -- but it's a certainty that I'm going to need efficient ways to boot spammers and other abusers out of the system.

(The design is fairly spam-resistant by nature, but since Facebook has some open groups, spam is certainly possible. Indeed, this reminds me that I need to add the stories for automated abuser-detection -- for instance, if someone is getting a high percentage of "ignore this user" requests in public groups, that's a red flag.)

I'll bet that there are a whole bunch of abuse-centric stories that I haven't thought of yet, which will become apparent once the system grows beyond a friendly initial few thousand users. I'll need to allocate some time to shove those stories in and deal with them fast as people think up abuse vectors. Not my favorite part of the project, but necessary if I really intend to have a million users.

Hmm. I bet I should create a CommYouCrackers group upfront, while it's still in alpha: a closed group of folks who are actively encouraged to mess with the system and come up with ways to break it *before* the blackhats do. Does that sound like something you'd be interested in playing with? I have enough devious clever friends that we really ought to be able to beat this thing into submission before the bad guys find the back doors...

Comments

[metahacker.livejournal.com]

I have at least two friends who are actively working in online security right now who might be willing to try to break in...

[dlevey.livejournal.com]

While I am, at this point, completely outside of Facebook, I might be interested in pushing on the edges to see where they might be soft.

[learnedax.livejournal.com]

Yeah, sure. I'm still interested in the project, and I derive a certain pleasure from breaking things in clever ways...

[jducoeur]

I will admit that I was specifically thinking of you here -- you have a proven skill in this regard...

[learnedax.livejournal.com]

Remember, I broke Irix 5.3's login screen by falling asleep on the keyboard...

(It was a non-serious buffer overrun in the username field.)

[cellio]

I don't use Facebook, but if you ever post information about the design (under a lock, presumably), I'd be up for kibbitzing at a theoretical level.

The report logs of sites already dealing with abuse problems could be quite informative, if you could figure out how to get access. Failing that, you can sometimes glean information from reading their abuse policies; if they're specific enough, you can start down the path of "why would that be a problem?" and maybe reason it out. Just guessing, but policies are at least generally public, so it's easy to look.

[jducoeur]

Actually, I'll probably be pretty public about the APIs. They won't be truly "open" for quite a while yet (not until I can figure out how to do so without breaking my monetization, and not until I think they are stable enough), but I'm not going to try to hide them -- security through obscurity is never a good idea.

So while the discussion group will probably be closed, I probably won't be trying too hard to lock the API docs themselves down.

As for the reports of abuse from elsewhere -- definitely true, and I'm already working on clamping down on the more obvious abuse vectors. This is more going to be people looking at the APIs, and pointing out places where I may not have thought about issues. So yes, kibitzing will be welcome. (And we'll see if I can tempt you in. While I'm under no illusions that everyone is going to use CommYou instead of LJ, I *am* planning on doing some things better.)

[cellio]

Attacking your APIs (at least on paper) sounds like fun. :-) (Whether I attack them for real will depend on language, time, and any relevant policies at my ISP's end.)

While I'm under no illusions that everyone is going to use CommYou instead of LJ, I *am* planning on doing some things better.)

It sounds like you're trying to do something a little different than LJ. People don't need to choose just one. While LJ has communities, its strength is the individual journal and the services that go with it. LJ is alt.fan.me. CommYou is more like a topical newsgroup -- at least as I understand it so far. LJ centers around people; CommYou centers around conversations. (Conventional blogs center around topics filtered by authors.)

[jducoeur]

LJ centers around people; CommYou centers around conversations.

Basically correct, yes. I'm not trying to be the be-all and end-all of a social network, precisely because CommYou is designed to be embedded inside existing social networks and provide a conversational stratum for them.

In the long run, I hope for it to actually be more or less a superset of LJ functionally -- that is, there's no reason for it *not* to be used as a blogging tool as well, and eventually I'd like for it to be powerful enough to be worth doing so. But that's not the central focus, and I suspect that I'll never do some of the things that LJ does. (For example, I may not bother with the *extreme* level of look-and-feel customization that LJ provides, although basic styling won't be *too* far down the road, and I'll probably eventually be open to external clients.)

All that said, I'm trying to keep my expectations moderate. It's going to *look* a fair amount like LJ to people who are used to that -- the differences are fairly subtle, focusing on how you interact with the conversations. So it's going to take a while before people catch on to the applications for which CommYou is the better tool...