:wtf: How can this be so wrong??? (AKA the Discopocalypse thread)




  • Discourse touched me in a no-no place

    @ChrisH said:

    flagshit product

    I'm so stealing that for other systems I'm aware of!


  • area_deu

    Only if you post WTFs about them here.


  • Discourse touched me in a no-no place

    Only if they're IT-related. Stupidity abounds elsewhere too.


  • area_deu

    Yeah, because we totally don't have threads with 10000+ posts about non-IT related idiocy.


  • Discourse touched me in a no-no place

    Yes, but who here cares about the grinding stupidity of running far too short a train so that there's over an hour when getting a seat on it is pure luck? grumble grumble grumble grumble grumble


  • BINNED

    This is relevant to my interests. Is there a newsletter or something?


  • Winner of the 2016 Presidential Election

    @RaceProUK said:

    They use an algorithm that's actually more secure than the one we use in SockBot:

    I wanted to make a GUID bookmarklet a little while ago and came up with this (based on the same code as SockBot uses - or even the SockBot code itself, since I think I got the idea and the base from here):

    javascript: alert('{88888888-8888-4888-2888-888888888888}'.replace(/[82]/g, function(c) {
        var array = new Uint8Array(1);
        window.crypto.getRandomValues(array);
        if (c == '8') {
            return ((array[0] % 16).toString(16))
        } else if (c == '2') {
            return ((array[0] % 4 + 8).toString(16))
        }
    }))
    

    Assuming I got that right, and assuming I'm reading the node.js docs correctly, that should be able to be transformed into node.js by doing:

    const crypto = require('crypto');
    const guid = '{88888888-8888-4888-2888-888888888888}'.replace(/[82]/g, function(c) {
        const buf = crypto.randomBytes(1).readUInt8(0);
        if (c == '8') {
            return ((buf % 16).toString(16))
        } else if (c == '2') {
            return ((buf % 4 + 8).toString(16))
        }
    });
    

    Thinking about it, however, it may be better to do something like:

    const crypto = require('crypto');
    var guid = crypto.randomBytes(4).toString('hex') + '-'; // 88888888-
    guid    += crypto.randomBytes(2).toString('hex') + '-'; // 88888888-8888-
    var part = crypto.randomBytes(2);
    part[0]  = (part[0] & 0x0F) + 0x40;
    guid    += part.toString('hex') + '-'; // 88888888-8888-4888-
    part     = crypto.randomBytes(2);
    part[0]  = (part[0] & 0x3F) + 0x80;
    guid    += part.toString('hex') + '-'; // 88888888-8888-4888-2888-
    guid    += crypto.randomBytes(6).toString('hex') // 88888888-8888-4888-2888-888888888888
    

    .toString('hex') "Encode[s] each byte as two hexadecimal characters", so this should waste less bits* and skips all the individual replaces. OTOH, it's not as readable.


    Filed under: I'm making a lot of assumptions here


  • FoxDev

    If you need it cryptographically strong, then yes, use a proper crypto module. However, for most cases it's overkill, and Math.random() is good enough.


  • Winner of the 2016 Presidential Election

    @RaceProUK said:

    If you need it cryptographically strong, then yes, use a proper crypto module. However, for most cases it's overkill, and Math.random() is good enough.

    True, but I did this for fun/curiosity ("how can I make this cryptographically strong?"), so what's good enough wasn't really a consideration 😛

    Although, unless you're hitting it enough that the expense of the cryptographically strong version is a problem, might as well use it since it's otherwise not much more complex than the Math.random() version (last version excepted, which trades off readability for efficiency).



  • That's not a GUID.


  • Discourse touched me in a no-no place

    How so? Looks like that replaces every byte with a random value, except for the 4 and 2, which are replaced with a '4', and '8, 9, a, or b', which looks right according to Wikipedia.


  • Winner of the 2016 Presidential Election

    @blakeyrat said:

    That's not a GUID.

    Are you saying I made an error, or did you forget about this conversation about a month ago?

    @accalia said:

    @blakeyrat said:
    There's only one algorithm that can be used, AFAIK, that results in a GUID

    incorrect, there are two common algorithms

    one is a temporal/spatial algorithm that uses the generating machine's MAC address and the current time to generate a GUID. this is a type 1 GUID

    one is pseudorandom, and is rather more complicated but basically it's close to 124 random bits. this is a type 4 GUID

    you can tell what kind you have because the format specifies that for a type 1 GUID the first hex digit in the third group will be a one (xxxxxxxx-xxxx-1xxx-xxxx-xxxxxxxxxxxx) and a type 4 GUID will have a 4 in that position. (xxxxxxxx-xxxx-4xxx-xxxx-xxxxxxxxxxxx)

    there are other algorithms too, but they are less commonly used.

    But sure, maybe that's not enough. Let's go to the RFC:
    @1. Introduction said:

    This specification defines a Uniform Resource Name namespace for
    UUIDs (Universally Unique IDentifier), also known as GUIDs (Globally
    Unique IDentifier).

    @4.4. Algorithms for Creating a UUID from Truly Random or Pseudo-Random Numbers said:

    The version 4 UUID is meant for generating UUIDs from truly-random or
    pseudo-random numbers.

    The algorithm is as follows:

    o Set the two most significant bits (bits 6 and 7) of the
    clock_seq_hi_and_reserved to zero and one, respectively.

    o Set the four most significant bits (bits 12 through 15) of the
    time_hi_and_version field to the 4-bit version number from
    Section 4.1.3.

    o Set all the other bits to randomly (or pseudo-randomly) chosen
    values.

    (Note that the bit numbering has the most significant bit last in each field, but the string representation has the MSB of each field first, so the first bullet ends up being the bits 01 at the beginning rather than the bits 10 at the end of its field. The version number in the second field likewise ends up with '4' as the first character of its field.)
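
Added example, not part of any post in this thread: the RFC 4122 section 4.4 steps quoted above, applied as bit masks to 16 bytes from Node's `crypto.randomBytes`, with a checker that reads the version and variant digits back out of a string. The names `uuidV4` and `inspectUuid` and the injectable `rng` parameter are assumptions made for illustration.

```javascript
// Added example (not from the thread); uuidV4, inspectUuid and rng are illustrative names.
const { randomBytes } = require('crypto');

// Build a version 4 UUID from 16 bytes, following RFC 4122 section 4.4.
// rng is injectable so the masking can be checked against fixed bytes.
function uuidV4(rng = randomBytes) {
    const b = Buffer.from(rng(16));
    if (b.length !== 16) throw new RangeError('rng must return exactly 16 bytes');
    b[6] = (b[6] & 0x0f) | 0x40; // time_hi_and_version: top nibble becomes 4
    b[8] = (b[8] & 0x3f) | 0x80; // clock_seq_hi_and_reserved: top two bits become 1,0
    const h = b.toString('hex');
    return [h.slice(0, 8), h.slice(8, 12), h.slice(12, 16),
            h.slice(16, 20), h.slice(20)].join('-');
}

// Report what a UUID/GUID string claims to be, from its version and variant digits.
function inspectUuid(text) {
    // Accept the {braced} form used in the thread, but only with both braces present.
    const s = String(text).replace(/^\{(.*)\}$/, '$1');
    const m = /^[0-9a-f]{8}-[0-9a-f]{4}-([0-9a-f])[0-9a-f]{3}-([0-9a-f])[0-9a-f]{3}-[0-9a-f]{12}$/i.exec(s);
    if (!m) return { wellFormed: false };
    const version = parseInt(m[1], 16);
    const top = parseInt(m[2], 16);
    // Variant is encoded in the high bits of the first digit of the fourth group.
    const variant = top < 0x8 ? 'NCS'
                  : top < 0xc ? 'RFC 4122'
                  : top < 0xe ? 'Microsoft'
                  : 'reserved';
    return {
        wellFormed: true,
        version,
        variant,
        isRandomV4: version === 4 && variant === 'RFC 4122',
    };
}

// Constructed inputs: extreme byte values show exactly which bits the masks pin.
console.log(uuidV4(() => Buffer.alloc(16, 0x00)));
console.log(uuidV4(() => Buffer.alloc(16, 0xff)));
console.log(uuidV4(), inspectUuid(uuidV4()));
// The unsubstituted template from the posts above has '2' in the variant position.
console.log(inspectUuid('{88888888-8888-4888-2888-888888888888}'));
```
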



  • testing


  • Winner of the 2016 Presidential Election

    @fbmac said:

    `testing`

    ...well then. Obviously that's not fixed around here.



  • It doesn't happen in meta, tough


  • Winner of the 2016 Presidential Election

    <!-- lol -->
    `lol lol lol lol lol lol lol lol lol lol`


    Started getting problems at lol6. Did a full lol10 set, but Chrome reset the page a few times and no preview after about lol7 or lol8. Had to cut back to lol5 minus one hash to get something that would actually post instead of "500 Internal server error" or "500 OK".


    Final count: 4044447 characters in 14 lines, 1011110 instances of 'lol'.


  • Winner of the 2016 Presidential Election

    So, lol-level 5 - 1 hash appears to be our instance's limit.

    Sorry.


  • Winner of the 2016 Presidential Election

    @fbmac said:

    It doesn't happen in meta, tough

    Good thing, too.


  • Discourse touched me in a no-no place

    @fbmac said:

    It doesn't happen in meta, tough

    They found a different stupid way to implement it.


  • Discourse touched me in a no-no place

    @dkf said:

    They found a different stupid way to implement it.

    Hashes were clearly :doing_it_wrong: so they decided to use GUIDs instead. :facepalm:

    I suppose you can lead a Dischorse dev to water, but you can't make him think.


  • BINNED

    @DoctorJones said:

    I suppose you can lead a Dischorse dev to water, but you can't make him think.

    They can bikeshed the hell out of that water though!


  • FoxDev

    At least the GUIDs can't be guessed like the hashes could


  • Discourse touched me in a no-no place

    That's a shame ;-)


  • Discourse touched me in a no-no place

    @fbmac said:

    It doesn't happen in meta, tough

    Well, no, we aren't updated to the version where they fixed it, I though.


  • Discourse touched me in a no-no place

    Saw this on meta.fail and had a chuckle

    @codnghorror said:

    Likely a post was sent through the anti spam mechanism, I.e. Pasting in a reply instead of typing it, tripping our "boy you sure do type awful fast for a new human user" protection and rejected by a mod or admin. This would block the user indefinitely.

    😆 So if you join a discourse forum, and paste something into a reply, you're immediately auto-fucked.

    Bravo guys! That's fucking magic!

    @codnghorror said:

    In other words rejecting that post by a new user will auto block the user even though it does not explicitly say that. But possibly should.

    Duh, do you think? Anything's better than let's fuck this user's account but leave no audit trail for the mods to figure out what's happened.

    @codnghorror said:

    It is unclear what to do with a new user who trips this detector and has their first post rejected.

    How about not fuck their account over? If it's a spammy post, the community will very quickly flag it as such.


    Filed under: Discourse, making problems where there weren't any since 2014!

  • Discourse touched me in a no-no place

    @zogstrip said:

    User was automatically blocked because they were identified as a fast typer

    :rofl:


  • Discourse touched me in a no-no place

    Discourse: making Mavis Beacon weep since 2014.


  • Discourse touched me in a no-no place

    PM threads with more than 200 posts?
    :doing_it_wrong: CLOSED_TOO_LONG.

    Thus, we've decided to add a new site setting for maximum allowed replies in a PM topic and it will default to 200. After that limit is hit, the PM will be auto-closed by the system user with a brief explanation and reminder...

    The whole sending every post ID in every request thing will be fixed at some point, honest.



  • @loopback0 I was just about to praise Discourse for handling long PM threads much better than NodeBB. But apparently Jeff took a look at NodeBB and figured out "hey, there are still things we can screw up"!


  • Discourse touched me in a no-no place

    @loopback0 said:

    "You will use the software in the manner I want you to. What? It's on your site? So what?"

    Edit: Why does Akismet complain when I left in the meta. part of that URL? (Added back in post-posting.)


  • Discourse touched me in a no-no place

    @PJH said:

    Edit: Why does Akismet complain when I left the meta. part of that URL? (Added back in post-posting.)

    Pass - seems to randomly take issue at URLs then allow them to be edited in after. Happened on my post.


  • FoxDev

    Congratulations Jeff Atwood; you have successfully killed entire classes of social interaction.


  • :belt_onion:

    Consider adopting a chat system if you need long term, persistent personal messaging.

    AHAHAHAHAHAHHAHAAHAHAHWAT

    No, really. Wat?

    Wat.



  • We currently have a massive perf problem with longer topics as we send down a list of all IDs of all replies in the topic, which can be enormous -- if the topic is 50k replies long, it includes 50k ids in a list in every request. Longer term we do plan to fix this, but restricting very long topics is something we need to do in the short term, unless there is a very good reason for a topic to have 50k replies, it should be avoided.

    API design unnecessary, performance too hard. Commence workarounds.


  • Discourse touched me in a no-no place

    @CatPlusPlus said:

    API design unnecessary, performance too hard. ~~Commence~~ Continue workarounds.


  • :belt_onion:

    @sloosecannon said:

    Consider adopting a chat system if you need long term, persistent personal messaging.

    AHAHAHAHAHAHHAHAAHAHAHWAT

    No, really. Wat?

    Wat.

    The more I think about this, the more Wat I get.

    I mean... This is literally shutting down a legitimate form of communication (which is probably used by many forums) because they can't figure out how to not send 50k post ids with every topic load.

    Like... WTF of epic proportions.

    Holy wat.


  • :belt_onion:

    @sloosecannon said:

    Consider adopting a chat system if you need long term, persistent personal messaging.

    AHAHAHAHAHAHHAHAAHAHAHWAT

    No, really. Wat?

    Wat.

    Oh, for those who don't want to visit meta.d (don't blame you...)

    Thus, we've decided to add a new site setting for maximum allowed replies in a PM topic and it will default to 200. After that limit is hit, the PM will be auto-closed by the system user with a brief explanation and reminder something like

    This personal message was automatically closed after reaching the maximum of 200 replies. Consider adopting a chat system if you need long term, persistent personal messaging.

    This should introduce some desired friction into this behavior, making it harder to abuse, without unreasonably limiting "real" personal message topics.

    THAT MESSAGE IS FOR END USERS WATTEHFUQ.

    Like... Imagine if Youtube said "This comment system is not for trolls. Consider implementing a new comment system if you want to troll"

    Or Facebook saying "This image album is not for sharing. Consider implementing a CMS if you want to share images".

    Like... WTFOMGBBQWHYYYYWAT



  • The Real Solution is obviously:

    I don't use any of mine as a substitute for "chat"

    Maybe it would be better to not use "staff" as the discriminator but average "word count" ?

    That is, if it is being used as a "chat" (I'm assuming the replies would all be relatively short) then close it.



  • @loopback0 The best is this reply from @riking

    It may be wise to 'cycle' the thread, then - create a new PM with a link back to the last post of the old PM, and edit the old PM's close message to point to the new PM.

    In other words, pagination. Seriously, fuck those guys.


  • Discourse touched me in a no-no place

    @NedFodder said:

    @loopback0 The best is this reply from @riking

    It may be wise to 'cycle' the thread, then - create a new PM with a link back to the last post of the old PM, and edit the old PM's close message to point to the new PM.

    In other words, pagination. Seriously, fuck those guys.

    But, but, but... each page of 200 posts would be infiniscrolled. Best (or worst) of BOTH worlds!!!!eleventyone!!!1.



  • ♿ (Parody)

    @sloosecannon said:

    because they can't figure out how to not send 50k post ids with every topic load.

    But you gotta love the rationalizations applied.


  • ♿ (Parody)

    @NedFodder said:

    In other words, pagination.

    LOL. Someone should point that out.


  • Trolleybus Mechanic

    @izzion said:

    Ah, so @wood is a uppity-up in the Ember development cabal. That explains the technology choice. 🚎

    Maybe he'll complain on the Ember forums and get him and all the Discodevs banned.


  • Java Dev

    "This is a support forum. Consider adopting a discussion forum instead."


  • :belt_onion:

    Wow, I've read 2 large topics and infiniscroll is still working. This is amazing.
    I must be doing it wrong 🚎


  • Discourse touched me in a no-no place

    @sloosecannon said:

    WTFOMGBBQWHYYYYWAT

    The only response to realising that JeffCo are prioritising other shit over this fundamental performance flaw in their product, and then just applying stupid restrictions instead. Also they list supporting large topics as a planned feature. Not a bug fix, a feature.
    It was on the Discourse 1.5 roadmap, but got bumped to 1.6 with lots of other new shit being added in its place.



  • Surely all they need to do is add an extension to the bikeshed. That way tandems will fit.



  • @loopback0 said:

    It was on the Discourse 1.5 roadmap, but got bumped to 1.6 with lots of other new shit being added in its place.

    Just wait until Jeff talks to EA... then "support for large topics" becomes DLC.


  • Discourse touched me in a no-no place

    @FrostCat said:

    How so? Looks like that replaces every byte with a random value, except for the 4 and 2, which are replaced with a '4', and '8, 9, a, or b', which looks right according to Wikipedia.

    Hmm. 8 days later, and we have the patented @blakeyrat implicit admission of being wrong, i.e., [image]

