This is the archive site for the pioneering blog CamWorld.com, which is no longer maintained.
Cameron Barrett's personal site can now be found at cameron.barrett.org and his professional site can be found at cameronbarrett.com.

July 29, 2004

Protecting Your Open Discussion Forum

I'm sitting in a session entitled Protecting Your Open Discussion Forum. The presenter is Jamie McCarthy, from Slashdot.

Slides: http://slashdot.org/jamie-oscon-talk/oscon_01.html

  • Slashdot has been the proving grounds for social misfits online.
  • User participation is good. Brings new ideas.
  • Large forums: defined as 1000+ people or more.
  • "Attacker", traditional exploits are cross-site scripting, DoS, annoying HTML, unhelpful comments, and being a jerk.
  • Know your goals. Know your enemy. Make an attacker invest. Block IP numbers, slow down the attacker's processes.
  • Seeing is gaming. An attacker sees it as a game. Attackers will switch tactics because to them it is a game. To you, it is a headache. Removing the ability for the attacker to see their results works. Information hiding. If an attacker can score it, they are motivated even more.
  • Users have made a game out of getting both negative and positive karma. Mistake to make karma a number, since it has a "score". Better to not use a numbers system, but rather a text label.
  • People can forgive draconian rules as long as they are consistent.
  • First line of defense is to increase your attacker's resource allocation: time, bandwidth, IPs, open proxies, their accounts.
  • Do a google search for "free proxy list" and use that. Test these IP numbers.
  • Watch our for robo-created accounts.
  • Make new accounts less powerful, fewer capabilities.
  • Never allow users to upload scripts or javascript, at any time.
Posted by Cameron Barrett at July 29, 2004 08:33 PM