:wtf: How can this be so wrong??? (AKA the Discopocalypse thread)
-
@pydsigner
Clean the ions? What, like with a cloth?
-
@izzion A silk cloth for the glass tubes
-
And that's why managed services were invented in the first place. If you can't / don't have the skills to maintain a system, don't set up a system that needs maintenance. I'm sure JeffCo will be more than happy to migrate them onto their DaaS platform.
-
@RaceProUK said in How can this be so wrong??? (AKA the Discopocalypse thread):
@loopback0 Why is he worried? It's obvious it'll break.
I'd say "turn off automatic updates". If that's even possible. Maybe blackhole updates.discourse.org or something.
Just leave a stable, working piece of software running, and no one touch it.
But I bet Discurse could break anyways. My theory:
- avatar letter CDN interface changes
- call to CDN returns an error code
- error code includes instructions on where new CDN is
- This triggers an update in the Dicksauce database
- But the update is targeted to a newer schema (because it's Always Good to change the schema)
- Dissflap then tries to update the schema, using a method that isn't supported by the database
- This ends up causing a cascading failure as Discourse rips through the database, renaming columns, moving data to tables that don't exist-- then deleting the existing data
- The database is now left in a state where it's impossible to restore, because it's so broken that none of the restore tools work
- Restoring the entire server from a backup just loops back to step 1
-
@Lorne-Kates said in How can this be so wrong??? (AKA the Discopocalypse thread):
turn off automatic updates
But how else is the software going to break at the worst possible time?
-
@RaceProUK said in How can this be so wrong??? (AKA the Discopocalypse thread):
@Lorne-Kates said in How can this be so wrong??? (AKA the Discopocalypse thread):
turn off automatic updates
But how else is the software going to break at the worst possible time?
Discourse-- finds a way.
-
@AlexMedia said in How can this be so wrong??? (AKA the Discopocalypse thread):
DaaS
Denial as a Service?
-
@Lorne-Kates said in How can this be so wrong??? (AKA the Discopocalypse thread):
@AlexMedia said in How can this be so wrong??? (AKA the Discopocalypse thread):
DaaS
Denial as a Service?
Dystopia aligned along Slavery
-
@Lorne-Kates said in How can this be so wrong??? (AKA the Discopocalypse thread):
Discourse-- finds a way.
-
@Lorne-Kates said in How can this be so wrong??? (AKA the Discopocalypse thread):
I'd say "turn off automatic updates". If that's even possible
It doesn't do automatic updates IIRC. He's trying to knock up some automatic update script.
Frankly if he's been a user and admin of Discourse for more than 5 minutes and he's not figured out it's a Super Mega Hyper Bad Bad Bad Idea™ then there's no helping him.
-
@loopback0 When it's easier to upgrade Windows than forum software, you know the forum software's shit.
-
@RaceProUK said in How can this be so wrong??? (AKA the Discopocalypse thread):
@loopback0 When it's easier to upgrade Windows than forum software, you know the forum software's shit.
Only because Windows does it without warning
-
@loopback0 said in How can this be so wrong??? (AKA the Discopocalypse thread):
Frankly if he's been a user and admin of Discourse for more than 5 minutes and he's not figured out it's a Super Mega Hyper Bad Bad Bad Idea™ then there's no helping him.
Maybe @ben_lubar can make a career out of this.
Not being a Discourse admin-- but traveling the world giving consulting talks about why you shouldn't use Discourse. Optional add-on: counseling and support for the sysadmins who thought otherwise.
-
@pydsigner said in How can this be so wrong??? (AKA the Discopocalypse thread):
reboot twice
Enabling of disability Hyper-V takes two reboots.
-
@Tsaukpaetra said in How can this be so wrong??? (AKA the Discopocalypse thread):
Enabling of disability Hyper-V takes two reboots.
I've always heard that Hyper-V sucks. Maybe those people were just running it in disability mode.
-
@boomzilla said in How can this be so wrong??? (AKA the Discopocalypse thread):
disability mode
It's how you make Hyper-V check its privilege.
-
@boomzilla said in How can this be so wrong??? (AKA the Discopocalypse thread):
@Tsaukpaetra said in How can this be so wrong??? (AKA the Discopocalypse thread):
Enabling of disability Hyper-V takes two reboots.
I've always heard that Hyper-V sucks. Maybe those people were just running it in disability mode.
Just running discourse on it should make Hyper-V enter "PLEASE STOP THE PAIN, I CAN'T TAKE THIS, PLEASE MAKE IT STOP" mode.
-
@DescentJS That's the first post I read on this site which might need an actual trigger warning.
-
@asdf You Might Be New Here
-
@asdf said in How can this be so wrong??? (AKA the Discopocalypse thread):
@DescentJS That's the first post I read on this site which might need an actual trigger warning.
TRIGGER WARNING
-
The attacker can see all email addresses for all users on your site. This is normally privileged info that even moderators have to click a button to reveal.
Click a fucking button. I'd forgotten about that
Should moderators have access to a user's email address?
It's privileged info
So... no?
Add a button and make them click it first
What colour should it be?
-
Also... civilised whispers leaked in uncivilised digest since day one.
-
@loopback0 said in How can this be so wrong??? (AKA the Discopocalypse thread):
Also... civilised whispers leaked in uncivilised digest since day one.
-
Discourse Isocrates!
Now planned with many amazing options, including:
Features that obviously can be left out of 1.0... and 1.1... and...
- "Secure email mode" site setting ensures that no content is leaked to the outside via emails when the site's content is sensitive.
- Allow new signups to change their email address as well as resend confirmation, in case they typoed their signup email
- Basic internal search stats in admin dashboard
New and amazing discosettings!
- "Get a room" reminder sent once per topic, to any user who replies to the same user in that topic 3 times in a row.
- Congratulations emails to new users who get a number of likes by established users, and new users who read a lot of topics/posts in their first few days
The White Whale!
- Refactor topic performance to support topics with 100k posts+ without serious performance impact
-
@izzion said in How can this be so wrong??? (AKA the Discopocalypse thread):
Refactor topic performance to support topics with 100k posts+ without serious performance impact
Presumably pushed out again because either:
a) they don't know how
b) it requires massive reengineering
c) all of the above
-
@izzion said in How can this be so wrong??? (AKA the Discopocalypse thread):
The White Whale!
-
@izzion Also, the linked topic...
-
@loopback0 said in How can this be so wrong??? (AKA the Discopocalypse thread):
Also... civilised whispers leaked in uncivilised digest since day one.
Well, you know, whispers are a brand new feature you can't possibly expect it to be bug free on day one maybe after a year of beta or so..........dotdotdot
leaked in uncivilised digest
You know what's extra fun about that? Anyone who was signed up for digest has a permanent archive of whispers that they can now mine at their leisure.
-
@izzion said in How can this be so wrong??? (AKA the Discopocalypse thread):
"Secure email mode" site setting ensures that no content is leaked to the outside via emails when the site's content is sensitive.
Is there also a "don't break" checkbox, because I think that would be useful.
Related bug: "Added nobug flag to compiler to allow site to compile without bugs."
-
Some interesting takeaways:
What we do (Discourse) is serviced better by a smaller number of super fast cores than a larger number of slow cores, anyway.
Designing a multi-user website that doesn't scale with core count.
Next, when they tried Xeon E5-1650 processors with a 140-watt TDP, they measured an actual TDP of 250 watts!
our standard 1U server build now overheats, alarms, and throttles with the 6 core CPU
Of course, his reasoning is not that maybe Discourse is terrible software that happens to function as a power virus. Nope, it's that
Intel's TDP figure of 140 watts for the 6 core version of this CPU is a terrible, scurrilous lie!
-
with the new TIM applied it took 5x longer to reach throttle temps with mprime threads=6. Before, it would thermally throttle within a minute of launching the test, and after it took ~10 minutes to reach that same throttle temp
<1 minute * 5 = ~10 minutes.
JeffMath
-
@Jaloopa said in How can this be so wrong??? (AKA the Discopocalypse thread):
with the new TIM applied it took 5x longer to reach throttle temps with mprime threads=6. Before, it would thermally throttle within a minute of launching the test, and after it took ~10 minutes to reach that same throttle temp
<1 minute * 5 = ~10 minutes.
JeffMath
Registered as a trademark Jan '17.
-
@Jaloopa said in How can this be so wrong??? (AKA the Discopocalypse thread):
<1 minute * 5 = ~10 minutes.
JeffMath
That could be about right if you're doing some naive time-tracking by measuring CPU clock cycles and your processors are thermal throttling, causing the actual clock rate to be far lower than the one you're using in your calculations.
-
@Onyx said in How can this be so wrong??? (AKA the Discopocalypse thread):
JeffMath
Registered as a trademark Jan '17
17<20. JMTFY
-
@izzion said in How can this be so wrong??? (AKA the Discopocalypse thread):
"Get a room" reminder sent once per topic, to any user who replies to the same user in that topic 3 times in a row.
Public discourse is not civilized discourse.
-
@loopback0 said in How can this be so wrong??? (AKA the Discopocalypse thread):
The attacker can see all email addresses for all users on your site. This is normally privileged info that even moderators have to click a button to reveal.
Click a fucking button. I'd forgotten about that
Should moderators have access to a user's email address?
It's privileged info
So... no?
Add a button and make them click it first
What colour should it be?
Discourse uses the PBKDF2 algorithm to encrypt salted passwords. This algorithm is blessed by NIST. Security experts on the web tend to agree that PBKDF2 is a secure choice[6].
Ooh, a link! What does it say?
Good job undermining your own point.
-
Based on our analysis of this event we are bumping minimum password lengths, from a global default of 8 in Discourse 1.5 to
users -- 10 chars
admins -- 15 chars
So what happens when a user with a 10-character password gets promoted to admin? My bet is on "everything breaks".
-
@Maciejasjmj Until one of their ~~authorised testers~~ customers finds out, no-one will ever know.
-
@Maciejasjmj said in How can this be so wrong??? (AKA the Discopocalypse thread):
So what happens when a user with a 10-character password gets promoted to admin?
My bet is on: He won't be able to change his password to a secure password because the "old password" field of the password change form doesn't validate. Because that'd be both hilarious and as moronic as most other DiscoBugs.
-
@Maciejasjmj said in How can this be so wrong??? (AKA the Discopocalypse thread):
So what happens when a user with a 10-character password gets promoted to admin? My bet is on "everything breaks".
Considering that's exactly what happened with Discourse to me and when I increased the minimum username length to four, it wouldn't surprise me.
-
https://meta.discourse.org/t/super-features-that-only-discourse-does-have/50800/2
Participate in topics without registering an account
Um, sorry to rain on your discoparade, dude, but I'm pretty sure even toxic hellstew forums had anonymous users. For long enough to figure out it's a terrible, terrible idea.
-
I'd be tempted to add "automatic regression of bugs" to that list.
-
@Maciejasjmj said in How can this be so wrong??? (AKA the Discopocalypse thread):
Based on our analysis of this event we are bumping minimum password lengths, from a global default of 8 in Discourse 1.5 to
users -- 10 chars
admins -- 15 chars
So what happens when a user with a 10-character password gets promoted to admin? My bet is on "everything breaks".
Discourse will upgrade their password and whisper to the user:
"Your old password of password22 was too short. Your new admin password is password2212345"
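For the promotion question raised above (a user with a 10-character password becoming an admin under a 15-character minimum), here is an added example of how a role-based length policy can sit on top of salted PBKDF2 hashes without either silently keeping a too-short admin password or locking the user out. This is not code from the thread or from Discourse; the role table, the iteration count, and every function name are this example's own assumptions. The point it makes: a PBKDF2 hash reveals nothing about the plaintext's length, so the length check can only happen when a plaintext is presented (account creation, password change, or login), and a promotion just flags the account for a re-check at the next login.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# Role-based minimums as quoted in the post above; the role names and this
# table are the example's own (hypothetical) policy, not Discourse's code.
MIN_LENGTH = {"user": 10, "admin": 15}
# Iteration count is an assumption for the example, not a Discourse setting.
PBKDF2_ITERATIONS = 100_000


@dataclass
class Account:
    name: str
    role: str
    salt: bytes
    pw_hash: bytes
    # Set when the policy must be re-evaluated against the next plaintext the
    # user presents (after a promotion, or when an admin forces a reset).
    recheck_policy: bool = False


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 from the standard library."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def check_policy(password: str, role: str) -> None:
    """Length policy for a plaintext being set or re-validated for a role."""
    if len(password) < MIN_LENGTH[role]:
        raise ValueError(f"{role} passwords need at least {MIN_LENGTH[role]} characters")


def create_account(name: str, password: str, role: str = "user") -> Account:
    check_policy(password, role)
    salt = os.urandom(16)
    return Account(name, role, salt, hash_password(password, salt))


def verify(account: Account, password: str) -> bool:
    """Constant-time hash comparison. Deliberately ignores the length policy:
    the stored hash carries no information about the plaintext's length."""
    return hmac.compare_digest(account.pw_hash, hash_password(password, account.salt))


def promote(account: Account, new_role: str) -> None:
    """The promoting admin never sees the user's plaintext, so the only sound
    move is to change the role and defer the length check to the next login."""
    if new_role not in MIN_LENGTH:
        raise ValueError(f"unknown role {new_role!r}")
    account.role = new_role
    account.recheck_policy = True


def login(account: Account, password: str) -> dict:
    """Returns {'ok': bool, 'must_change_password': bool}. A too-short password
    still authenticates (the hash matches), but the session is flagged so the
    UI forces a change before anything else; nothing breaks, nothing is skipped."""
    if not verify(account, password):
        return {"ok": False, "must_change_password": False}
    if account.recheck_policy:
        if len(password) < MIN_LENGTH[account.role]:
            return {"ok": True, "must_change_password": True}
        account.recheck_policy = False  # plaintext already meets the new minimum
    return {"ok": True, "must_change_password": False}


def change_password(account: Account, old: str, new: str) -> None:
    """The old password is verified against the hash only, never against the
    length policy; otherwise a promoted user could be locked out of fixing
    their own password. The new one must meet the current role's minimum."""
    if not verify(account, old):
        raise PermissionError("current password does not verify")
    check_policy(new, account.role)
    account.salt = os.urandom(16)
    account.pw_hash = hash_password(new, account.salt)
    account.recheck_policy = False


def demo() -> list:
    """Walk the promotion scenario; returns the must_change flag at each login."""
    alice = create_account("alice", "password22")  # 10 chars: fine for a user
    steps = [login(alice, "password22")["must_change_password"]]
    promote(alice, "admin")  # 10 < 15, but the hash can't tell us that yet
    steps.append(login(alice, "password22")["must_change_password"])
    change_password(alice, "password22", "correct-horse-battery")  # 21 chars
    steps.append(login(alice, "correct-horse-battery")["must_change_password"])
    return steps  # [False, True, False]


if __name__ == "__main__":
    print(demo())
```

The design choice worth noting is that verification and policy are kept apart on purpose: verification answers "is this the password?" with nothing but the salt and hash, while the policy only ever sees a plaintext the user has just typed, which is the only moment its length is knowable.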
-
omg I just realized something else about that "what to do when dipshit is compromised"...
Think about what a normal toxic hellstew forum would do. Temporarily disable, roll the data back to an earlier version, and upgrade to close the bug.
Except with Discourse:
- Temporarily disabling probably would break the entire forum because of the Rube Goldberg caching / containers / whatever.
- You can't roll back the data, because every time they make a change they permanently break backwards compatibility. I would hazard a guess that it's impossible to restore a backed up Discourse database 99% of the time.
- You can't upgrade to close the exploit, because you rolled back, so your instance is now permanently broken. And if you did upgrade, it probably wouldn't close the exploit because DiscoDevs banned you for reporting it.
-
@mott555 said in How can this be so wrong??? (AKA the Discopocalypse thread):
Next, when they tried Xeon E5-1650 processors with a 140-watt TDP, they measured an actual TDP of 250 watts!
our standard 1U server build now overheats, alarms, and throttles with the 6 core CPU
Of course, his reasoning is not that maybe Discourse is terrible software that happens to function as a power virus. Nope, it's that
Intel's TDP figure of 140 watts for the 6 core version of this CPU is a terrible, scurrilous lie!
This guy writes blog posts about designing servers, the managed use of which he's selling.
And he doesn't know that, like, the TDP of a CPU isn't the power draw of the entire machine at idle load?
Lol this guy.
-
@pydsigner
Oh, come on, everyone knows that CPUs are the only things that draw power in a server. Fans, RAM, hard disks, the motherboard itself and the bus connectors, they all just use the power that the CPUs let them have after doing calculations.
-
@pydsigner said in How can this be so wrong??? (AKA the Discopocalypse thread):
@mott555 said in How can this be so wrong??? (AKA the Discopocalypse thread):
Next, when they tried Xeon E5-1650 processors with a 140-watt TDP, they measured an actual TDP of 250 watts!
our standard 1U server build now overheats, alarms, and throttles with the 6 core CPU
Of course, his reasoning is not that maybe Discourse is terrible software that happens to function as a power virus. Nope, it's that
Intel's TDP figure of 140 watts for the 6 core version of this CPU is a terrible, scurrilous lie!
This guy writes blog posts about designing servers, the managed use of which he's selling.
And he doesn't know that, like, the TDP of a CPU isn't the power draw of the entire machine at idle load?
Lol this guy.
Not only that, he kind of admitted that if you get DiscoHosting you may be getting a poorly-designed server personally built by the frustrated company president!
-
to reproduce this problem, you need to have a forum that serves attachments from the same domain as posts, and you need to have a link without the "attachment" class.
Someone tagged this with "feature". I think it is really a bug instead because the basic behavior of links that most internet users are used to is broken ... Discourse has a lot of trouble with that because of the fancy javascript.
Your easy solution is to enable a CDN...
Bonus Discopoints for it breaking their HTTP redirects from their old forum's URLs, and also for handling the URL being difficult because of DiscoEmberRouting.