On Fri, 3 Oct 2008, Bluebie, Jenna wrote:
> How is spam a problem in a shoes-only interface? Don't spammers only operate
> on the web?
>
> They're hardly going to code up a special adaptor for the spam bots just to
> spam poor _why, and I doubt many spammers would install shoes just to spam the
> manual. We don't need to even make the comments visible on the web interface.
> I feel like the web interface is a nice thing to have, but should act as a
> lowest common denominator for what we can do in the manual.
Ok, I think you're right. After what happened to Ruby Garden (who would want
to bother attacking a web site about Ruby in the days before Rails got big?
But they did. <sigh/>) I'm a bit cautious, especially about inflicting it
on someone else.
>
> Another option would be to force comments through the web UI to be confirmed
> through an email link, though overall I feel it's a good thing to require
> people to use shoes for this task, because at least then we know that the
> commentator actually has and uses shoes. I don't see what benefit HMAC gives
> when the key is embedded into open source.
You get the key sent back to you on your initial mailing. HMAC takes
your message, adds the key to it, and then computes the SHA-1 or MD5
hash. It then doesn't send the key, only the message and the hash.
Both parties know the key, but the eavesdropper doesn't. The receiver
gets the message, adds their copy of the key to it, and computes the
hash again. So messages without the correct hash are clearly rubbish,
and can be safely ignored.
>
> The real trouble would probably come from prankster shoobies looking to cause
> some havoc with their newfound skills. One way to work around that would be to
> store a unique identifier, perhaps generated by the uuid gem, the first time
I'll have to look into uuid to see if both ends can know it.
> they run shoes. It could be sent with their comments, or for extra awesome
> bonus points, we could even force the sending of this ID via an X-Shoes-ID
> header on outgoing http requests that use the ajaxy functionality within
> shoes, so anyone simply wrapping the code that sends comments in the manual in
> an 500.times { ... } loop would have all the requests identified to the
> server. In this way, if rebel shoobies ever did become a problem, it'd be simple
> enough to rate limit on the server side off this ID. If they're persistent
> enough to recode the spambot using net/http, well, sucks to be us then. :P
Yes. Trying to think as an evil nuisance, we need to be able to stop them
circumventing this by grabbing a new copy of shoes.
>
> One fun side effect of always using the ID in requests is that the subsequent
> spammy comments could be totally hidden from everyone else, while when their
> shoes requests the list of comments, it appears they successfully spammed the
> place. Mmmmm, nice warm trickery.
Yes.
>
> The HMACy response challengey thing has me thinking now though... We could
> write a block of really heavily compressed & obfuscated code (camping style!)
> which no newbie would have a chance in heck of being able to read and modify,
> which could act as a kind of secret cypher for challenging the client. Not
> sure what use it would be, but sure could be fun to code. :)
Hmmm, I wrote some HMAC code a while back, but it is way too clear.
Hugh
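The scheme the two of you are sketching (a per-install ID sent as an X-Shoes-ID header, a shared key mailed out once, comments tagged with an HMAC that the server recomputes, rate limiting on the ID, and the rate-limited spam shown only to its own sender) fits in a short Ruby sketch. This is an added example written for this thread, not code from Shoes, the manual or anyone on the list. It assumes a SHA-256 HMAC from the standard openssl library rather than the SHA-1/MD5 mentioned above, uses SecureRandom.uuid as a stand-in for the uuid gem, and invents the CommentAuth, Server and Client names; the spam and "honest" comment strings are constructed test input. The HMAC here is the real keyed construction (OpenSSL::HMAC), not a plain hash over key-plus-message, and the tag is compared in constant time.

```ruby
require 'openssl'
require 'securerandom'

# Added example for the thread above, not Shoes/manual code.
# Client sends (X-Shoes-ID, body, tag); the key itself is never sent.
# Server recomputes the tag with its copy of the key, rejects mismatches,
# rate limits per ID, and hides over-limit comments from everyone but the sender.
module CommentAuth
  DIGEST = 'SHA256' # assumption: SHA-256; the thread talks about SHA-1/MD5

  # MAC over the ID *and* the body, so a tag can't be replayed under another ID.
  def self.tag(key, shoes_id, body)
    OpenSSL::HMAC.hexdigest(DIGEST, key, "#{shoes_id}\n#{body}")
  end

  # Constant-time comparison: don't leak where the tag first differs.
  def self.secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end

  class Server
    def initialize(rate_limit: 5)
      @keys     = {}            # shoes_id => key, what the "initial mailing" delivers
      @counts   = Hash.new(0)   # accepted submissions per ID
      @comments = []            # visible to everyone
      @hidden   = []            # over-limit spam, visible only to its sender
      @rate_limit = rate_limit
    end

    # Called once per install; the returned key goes out in the mailing.
    def register(shoes_id)
      @keys[shoes_id] = SecureRandom.hex(32)
    end

    # Returns :accepted, :hidden, :bad_mac or :unknown_id.
    def submit(shoes_id, body, tag)
      key = @keys[shoes_id]
      return :unknown_id unless key
      expected = CommentAuth.tag(key, shoes_id, body)
      return :bad_mac unless CommentAuth.secure_equal?(expected, tag)
      @counts[shoes_id] += 1
      if @counts[shoes_id] > @rate_limit
        @hidden << [shoes_id, body] # the "warm trickery": looks posted to the spammer only
        return :hidden
      end
      @comments << [shoes_id, body]
      :accepted
    end

    # What a given install sees when it requests the comment list.
    def visible_to(shoes_id)
      @comments + @hidden.select { |id, _| id == shoes_id }
    end
  end

  class Client
    def initialize(shoes_id, key)
      @shoes_id, @key = shoes_id, key
    end

    # Shape of an outgoing request: ID header, body, tag. No key on the wire.
    def build_request(body)
      { 'X-Shoes-ID' => @shoes_id, 'body' => body,
        'tag' => CommentAuth.tag(@key, @shoes_id, body) }
    end
  end

  # Walks through the cases from the thread and returns the outcomes.
  def self.demo
    server = Server.new(rate_limit: 3)
    id  = "shoes-#{SecureRandom.uuid}" # stand-in for the uuid gem's id
    key = server.register(id)
    client = Client.new(id, key)
    send = ->(r) { server.submit(r['X-Shoes-ID'], r['body'], r['tag']) }

    req      = client.build_request('Great manual!')          # constructed input
    honest   = send.call(req)
    tampered = server.submit(id, 'Buy cheap pills', req['tag']) # body changed, old tag
    forged   = send.call(Client.new(id, 'guessed-key').build_request('spam'))
    flood    = (1..500).map { |i| send.call(client.build_request("spam #{i}")) }

    { honest: honest, tampered: tampered, forged: forged,
      flood_accepted: flood.count(:accepted), flood_hidden: flood.count(:hidden),
      seen_by_spammer: server.visible_to(id).size,
      seen_by_others:  server.visible_to('someone-else').size }
  end
end

puts CommentAuth.demo.inspect if $PROGRAM_NAME == __FILE__
```

The 500.times loop from the thread is the `flood` line: all 500 requests verify (the key is genuine), but only the first two more fit under the limit; the other 498 land in the hidden list, so the spammer's own comment listing shows all of them while everyone else sees three. Note this only holds as long as the attacker can't mint a fresh ID and key, which is exactly the "grab a new copy of shoes" gap Hugh points out; the sketch does nothing about that.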