Protecting Your Open Discussion Forum

I’m sitting in a session entitled Protecting Your Open Discussion Forum. The presenter is Jamie McCarthy, from Slashdot.

Slides: http://slashdot.org/jamie-oscon-talk/oscon_01.html

  • Slashdot has been the proving grounds for social misfits online.
  • User participation is good. Brings new ideas.
  • Large forums: defined as 1000 or more people.
  • “Attacker”: traditional exploits are cross-site scripting, DoS, annoying HTML, unhelpful comments, and being a jerk.
  • Know your goals. Know your enemy. Make an attacker invest. Block IP numbers, slow down the attacker’s processes.
  • Seeing is gaming. An attacker sees it as a game. Attackers will switch tactics because to them it is a game. To you, it is a headache. Removing the ability for the attacker to see their results works. Information hiding. If an attacker can score it, they are motivated even more.
  • Users have made a game out of getting both negative and positive karma. Mistake to make karma a number, since it has a “score”. Better to not use a numbers system, but rather a text label.
  • People can forgive draconian rules as long as they are consistent.
  • First line of defense is to increase your attacker’s resource allocation: time, bandwidth, IPs, open proxies, their accounts.
  • Do a Google search for “free proxy list” and use that. Test these IP numbers.
  • Watch out for robo-created accounts.
  • Make new accounts less powerful, fewer capabilities.
  • Never allow users to upload scripts or javascript, at any time.
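As an added example (my own sketch, not code from the talk or from Slashdot), a small posting policy in Python that combines three of the notes above: karma shown only as a coarse text label so it cannot be scored, per-IP rate limiting with a blocklist of tested proxy addresses, and a tighter limit for new accounts. The thresholds, label names, window sizes and IP addresses are constructed for illustration.

```python
import time
from collections import defaultdict, deque

# Constructed label thresholds (not Slashdot's real values). The raw karma
# number is never shown, only the coarse label, so an attacker cannot
# measure the effect of each post (information hiding).
KARMA_LABELS = ((-10, "Terrible"), (0, "Bad"), (1, "Neutral"),
                (20, "Positive"), (50, "Good"))


def karma_label(karma):
    """Map a numeric karma value to the highest label whose threshold it meets."""
    label = "Terrible"
    for threshold, name in KARMA_LABELS:
        if karma >= threshold:
            label = name
    return label


class ForumPolicy:
    """Decide whether a post is accepted: block known proxy IPs, make the
    attacker spend more time per post, and give new accounts fewer rights."""

    def __init__(self, blocked_ips=(), new_account_age=7 * 86400,
                 window=600, established_limit=5, new_limit=1):
        self.blocked_ips = set(blocked_ips)      # e.g. tested open-proxy addresses
        self.new_account_age = new_account_age   # seconds before an account is "established"
        self.window = window                     # sliding window in seconds
        self.established_limit = established_limit
        self.new_limit = new_limit
        self._posts_by_ip = defaultdict(deque)   # ip -> timestamps of recent posts

    def check_post(self, account, ip, now=None):
        """Return (allowed, reason). `account` is a dict with 'created'
        (epoch seconds) and 'karma'."""
        now = time.time() if now is None else now
        if ip in self.blocked_ips:
            return False, "blocked ip"
        is_new = now - account["created"] < self.new_account_age
        limit = self.new_limit if is_new else self.established_limit
        recent = self._posts_by_ip[ip]
        while recent and now - recent[0] >= self.window:   # drop expired entries
            recent.popleft()
        if len(recent) >= limit:
            return False, "rate limited (new account)" if is_new else "rate limited"
        recent.append(now)
        return True, "ok"
```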

Posted by Cameron Barrett at July 29, 2004 08:33 PM
