I’m sitting in a session entitled Protecting Your Open Discussion Forum. The presenter is Jamie McCarthy, from Slashdot.
Slides: http://slashdot.org/jamie-oscon-talk/oscon_01.html
- Slashdot has been the proving grounds for social misfits online.
- User participation is good. Brings new ideas.
- Large forums: defined as 1000 or more people.
- “Attacker”: traditional exploits are cross-site scripting, DoS, annoying HTML, unhelpful comments, and being a jerk.
- Know your goals. Know your enemy. Make an attacker invest. Block IP numbers, slow down the attacker’s processes.
- Seeing is gaming. An attacker sees it as a game. Attackers will switch tactics because to them it is a game. To you, it is a headache. Removing the ability for the attacker to see their results works. Information hiding. If an attacker can score it, they are motivated even more.
- Users have made a game out of getting both negative and positive karma. Mistake to make karma a number, since it has a “score”. Better to not use a numbers system, but rather a text label.
- People can forgive draconian rules as long as they are consistent.
- First line of defense is to increase your attacker’s resource allocation: time, bandwidth, IPs, open proxies, their accounts.
- Do a Google search for “free proxy list” and use that. Test these IP numbers.
- Watch out for robo-created accounts.
- Make new accounts less powerful, fewer capabilities.
- Never allow users to upload scripts or javascript, at any time.
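As an added example (my own code, not the talk's and not Slashdot's), a small Python comment-posting gate that combines several of these points: an open-proxy blocklist and per-IP rate limit so the attacker has to invest more IPs and time, a tighter limit for new accounts, an allowlist sanitizer that never lets script through, and karma rendered as a text label instead of a score. The tag allowlist, karma thresholds and window length are assumed values.

```python
import html
import re
from collections import defaultdict, deque

# Assumed policy values (not from the talk): a small attribute-free tag allowlist,
# karma thresholds for text labels, and a 10-minute rate-limit window.
ALLOWED_TAGS = {"b", "i", "p", "blockquote"}
KARMA_LABELS = [(-10**9, "Terrible"), (-10, "Bad"), (0, "Neutral"), (10, "Good"), (25, "Excellent")]
TAG_RE = re.compile(r"</?([A-Za-z0-9]+)[^>]*>")

def karma_label(karma: int) -> str:
    """Show karma as a text label, not a number, so there is no score to game."""
    return [name for threshold, name in KARMA_LABELS if karma >= threshold][-1]

def sanitize(text: str) -> str:
    """Allowlist sanitizer: keep a few tags with attributes stripped, escape all else."""
    out, pos = [], 0
    for m in TAG_RE.finditer(text):
        out.append(html.escape(text[pos:m.start()]))
        name = m.group(1).lower()
        if name in ALLOWED_TAGS:
            closing = "/" if m.group(0).startswith("</") else ""
            out.append(f"<{closing}{name}>")      # attributes dropped: no onclick=, style=
        else:
            out.append(html.escape(m.group(0)))   # <script> etc. become literal text
        pos = m.end()
    out.append(html.escape(text[pos:]))
    return "".join(out)

class PostGate:
    """Per-IP rate limit plus open-proxy blocklist; new accounts get a tighter limit."""
    def __init__(self, open_proxies, window_seconds=600):
        self.open_proxies = set(open_proxies)   # e.g. tested entries from a proxy list
        self.window = window_seconds
        self.posts_by_ip = defaultdict(deque)   # ip -> timestamps of accepted posts

    def rate_limit_for(self, account_age_days: int) -> int:
        return 2 if account_age_days < 1 else 10   # new accounts are less powerful

    def check(self, account_age_days: int, ip: str, text: str, now: float):
        """Return (accepted, reason, sanitized_text)."""
        if ip in self.open_proxies:
            return False, "open proxy", ""
        recent = self.posts_by_ip[ip]
        while recent and now - recent[0] > self.window:
            recent.popleft()                    # forget posts outside the window
        if len(recent) >= self.rate_limit_for(account_age_days):
            return False, "rate limited", ""
        recent.append(now)
        return True, "ok", sanitize(text)
```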
Posted by Cameron Barrett at July 29, 2004 08:33 PM