[HN Gopher] Things I learned after getting users
___________________________________________________________________
Things I learned after getting users
Author : HermanMartinus
Score : 101 points
Date : 2023-03-13 07:15 UTC (15 hours ago)
(HTM) web link (basementcommunity.bearblog.dev)
(TXT) w3m dump (basementcommunity.bearblog.dev)
| hermitcrab wrote:
| > listen to your users. they might have better ideas than you!
|
| So true. My products have improved greatly from listening to
| (some!) user feedback.
| yamazakiwi wrote:
| Users that give great feedback also generally give great
| feedback in the future.
| cousin_it wrote:
| > _some users have suggested pretty smart features that i've
| since implemented, like this back-to-top button to quickly get
| back to the top of the page_
|
| To me all position:fixed elements (headers, footers, this back-
| to-top button, etc) feel like a kind of annoying dirt on the
| screen. Their absence is a big part of why I love the web 1.0
| aesthetic.
| saurik wrote:
| My god yes. There is literally a key on a full keyboard
| dedicated to this function (Home), smaller keyboards have a
| chord for it (like Fn-Up), and "mobile" touchscreen UI has a
| global mechanism for this (on iOS: touching the status bar)...
| to plop down a position:fixed button on top of the content to
| make it _even easier_ to access this feature that is already
| extremely easy to access is just gratuitous.
| newaccount74 wrote:
| Does Android have this? I had an Android phone for some time
| and the thing I missed most was the back-to-top shortcut
| layer8 wrote:
| Android doesn't have this, and I missed it at first as
| well, but the scroll acceleration is so fast (much faster
| than on iOS) that you can nevertheless scroll to the top
| very quickly.
| nicbou wrote:
| Me too, but I still added a table of contents button on my
| long, structured articles. It's very helpful in my opinion.
| layer8 wrote:
| Wikipedia does this now, and I find it annoying, in
| particular the changing "current section" highlighting, and
| the fact that it hides when the browser window is a bit
| narrower. I'd rather press Home to get to the TOC again when
| it scrolled off.
| Joel_Mckay wrote:
| Yes, there are numerous automated and human-powered nuisance
| traffic streams.
|
| 1. CMS sites are constant maintenance, as most are an endless
| supply of issues. However, some have content caching to reduce
| the SQL workload.
|
| 2. Delayed registration with CAPTCHA and a brief explanation of
| why you are there. Quiet banning IP filter applied to list to
| boot pending users who enter emails that bounce or fail to
| authenticate.
|
| 3. Firewall blacklist areas of the world where you don't do
| business (better yet, whitelist the ISPs in the regions you do
| business), blacklist proxy/tor/spam IP ranges, add port
| tripwires, and set up rate-limited traffic per IP (see Slowloris
| mitigation methods if you are not using nginx).
|
| 4. add peer site content blocker for forum spammers/bots i.e.
| share exploit probes preemptively with the rest of the net.
|
| 5. add email filter for mention of bitcoin/BTC, and black-hole
| the entire IP block if in an irrelevant region.
|
| 6. lookup same-origin enforcement for your web-server, add
| Subresource Integrity Hash to your core, and re-
| scale/watermark/scrub all media to protect users from themselves.
|
| 7. fail2ban rules for common site security scanners, known
| exploit attempts, and common email scams.
|
| You owe nonpaying users nothing, so the collateral cost of
| blanket bans is $0 in hostile regions. Remote traffic monitoring
| is also recommended if you have a game engine running.
|
| On day 2 we can look at how BTC tumblers/launderers fund most of
| these issues, and whether it is OK to also preemptively blanket-
| ban most cloud/hosting providers (costs under 7% of your users in
| most cases). Remember, adversaries will often pretend to be from
| wherever they wish to inflict harm, and time does not have an
| associated cost in the 3rd world.
|
| Have a gloriously wonderful day =)
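One way to act on item 3 of the list above (rate limiting per IP and denylisting address ranges), as an added example that is not code from the article or this thread: a sliding-window counter run over a constructed access log, plus a CIDR denylist check. Log lines, limits and the ranges are all constructed for the example.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime

# Leading fields of the nginx/Apache "combined" format: client IP, ident,
# user, then the bracketed timestamp. The rest of the line is ignored here.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\]')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample log: 203.0.113.7 hammers the login form while
# 198.51.100.9 browses normally. Both are documentation-reserved ranges.
SAMPLE_LOG = """\
203.0.113.7 - - [13/Mar/2023:07:15:00 +0000] "POST /login HTTP/1.1" 401 12
198.51.100.9 - - [13/Mar/2023:07:15:01 +0000] "GET / HTTP/1.1" 200 5120
203.0.113.7 - - [13/Mar/2023:07:15:02 +0000] "POST /login HTTP/1.1" 401 12
203.0.113.7 - - [13/Mar/2023:07:15:04 +0000] "POST /login HTTP/1.1" 401 12
203.0.113.7 - - [13/Mar/2023:07:15:06 +0000] "POST /login HTTP/1.1" 401 12
198.51.100.9 - - [13/Mar/2023:07:15:30 +0000] "GET /about HTTP/1.1" 200 2048
this line is garbage and must not crash the parser
"""

def offending_ips(lines, limit, window_s):
    """Map each IP that exceeds `limit` requests inside any sliding
    `window_s`-second window to the timestamp of the first excess hit."""
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    flagged = {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue              # tolerate malformed lines; never crash on input
        ip, raw_ts = m.group(1), m.group(2)
        ts = datetime.strptime(raw_ts, TS_FMT)
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:
            q.popleft()           # drop hits that fell out of the window
        if len(q) > limit and ip not in flagged:
            flagged[ip] = raw_ts
    return flagged

def in_denylist(ip, cidrs):
    """True if `ip` falls inside any denylisted CIDR range
    (e.g. a proxy/Tor range or a region you do not serve)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c, strict=False) for c in cidrs)
```

Feeding the flagged IPs into your firewall or fail2ban action is the step this deliberately leaves to the operator.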
| econnors wrote:
| > when the site first got a surge of users from hacker news,
| there was one poster in particular who came to the site,
| registered a bunch of offensive, racist usernames and proceeded
| to post and create threads that were just full of dumb slurs.
| this was definitely a learning experience because i had to act
| quickly, so i tried a bunch of different methods to get rid of
| him.
|
| it's sad that people like this exist in the world. what could
| possibly motivate someone to spend their time doing this?
| [deleted]
| expertentipp wrote:
| "Is my girlfriend pregante?"
| [deleted]
| nico wrote:
| Had a similar experience recently. A random person started
| repeatedly filling out contact forms for one of our clients.
| They were doing it manually, and they did it for several days
| straight until finally blocked.
|
| It also left me wondering why that person would spend an hour
| or two each day for several days in a row, filling out online
| forms. What's the motivation?
|
| My suspicion is that the person doing it works at the company
| and was trying to mess with their systems. But I'll never know
| for sure.
| citizenpaul wrote:
| > what could possibly motivate someone to spend their time
| doing this?
|
| Probably being between the ages of 10-14 years old. Bartle
| Killer-explorer?
| nicbou wrote:
| I dealt with a similar basket case once.
|
| It seems like parasocial relationships can swing both ways. You
| know how some fans develop a creepy, obsessive sort of love for
| creators? Well, the same goes for hatred. They feel slighted by
| that person that doesn't know them, and they retaliate from
| behind their keyboard.
| mhuffman wrote:
| Richard Bartle has a way of dividing up what he calls
| "players", but it works for any social media[1]. One of
| them is the "killer" with a sub-type of "griefer" which are
| those whose "... vague aim is to get a big, bad reputation".
| So, from that perspective, they actually do get something out
| of it.
|
| [1]https://en.wikipedia.org/wiki/Bartle_taxonomy_of_player_type
| ...
| bunnyswipecom wrote:
| competitor obviously
| flangola7 wrote:
| Attention seeking + lack of moral compass.
| yamazakiwi wrote:
| A lot of them are edgy underage children and don't know any
| better. They think that they have a dark sense of humor but
| really they've lived a life disconnected from those words, so
| they like the idea of pushing others' buttons at no cost to
| their selfish existence.
| wolfi1 wrote:
| not only attention seeking, sometimes the motivation is "to
| spread the truth", at least as they perceive it, and
| sometimes it's people who get triggered and are not able to
| stop their rants
| cm2012 wrote:
| Mental illness
| username3 wrote:
| Whitehat moderation tester
| golergka wrote:
| Alcohol.
| wesleychen wrote:
| The thing that really surprised me was that even when he
| implemented IP blocking, the user used a VPN to continue
| abusing the site. That's a step beyond "casual" trolling that
| someone might do to test a site's security (not that this is
| justifiable behavior) and enters the territory of targeted
| harassment.
| mcstempel wrote:
| > this worked for a little bit longer, but he proceeded to get on
| a VPN, and then another when i blocked that IP, then another when
| i blocked that IP, etc, etc.
|
| Beyond VPNs, I've even seen attackers leverage residential IP
| networks which makes VPN detection ineffective as well [1]. If
| you ever need a more permanent identifier to ban users on,
| consider using a device/browser fingerprinting tool [2]. It helps
| avoid the whack-a-mole issue of more sophisticated attackers
| churning IPs/emails/user agents/etc.
|
| [1] https://brightdata.com/proxy-types/residential-proxies
| [2] https://stytch.com/products/device-fingerprinting (I'm admittedly
| biased towards our solution as I work at Stytch)
| dahwolf wrote:
| "this is mostly because i relied on a SQL ORM which in short is a
| tool that makes writing SQL easier to pick up and faster to
| develop. the biggest downside is that it might execute 50 queries
| to your database to get a list of information, when it probably
| only needs 1, which will cause slowdown."
|
| I appreciate this honesty. Listen to this old man's advice: learn
| SQL properly. It's not that hard. Focus on it for a few weeks
| intensely and you've mastered it for life. Then just write SQL
| directly.
|
| I've had weekends ruined troubleshooting my "highly productive
| ORM layer" that nuked a production database, whilst functionally
| speaking my ORM code was in no way incorrect. I'm talking
| differences of a thousand fold in query load depending on how one
| expresses the ORM calls.
|
| You can then become proficient in trying to reason about and
| predict what your ORM calls do in the actual database, but when
| you're several joins deep, this becomes near impossible. At which
| point you become the ORM, and might as well just write SQL.
| akprasad wrote:
| If writing SQL directly, what process do you use to update your
| queries during schema changes? Do you rely on a test suite to
| catch errors then update queries by hand? Are you using
| compile-time checks through libraries like sqlx [1]?
|
| [1]: https://github.com/launchbadge/sqlx
| willio58 wrote:
| This is exactly why I find no solution fits all here. For me,
| I use an ORM as a catch-all and then for certain applications
| I manually write the queries. It's best of both worlds, and I
| know what components in my app have custom queries so I can
| test against them.
| jw1224 wrote:
| > I'm talking differences of a thousand fold in query load
| depending on how one expresses the ORM calls
|
| That doesn't sound like ORM... More like an N+1 problem. Eager-
| loading makes N+1 more likely with ORMs, but it's easy to avoid
| when you know what to look for.
|
| ORMs are designed to reduce querying, not increase it a
| thousand-fold :)
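To make the N+1 pattern jw1224 names and the query-count gap dahwolf describes concrete, here is an added example that is not code from the article or this thread: the lazy-loading loop an ORM would generate is written by hand, and SQLite's trace callback counts statements for it and for the single-JOIN version. The schema and data are constructed.

```python
import sqlite3

def make_db(n_users, posts_per_user):
    """Constructed schema: users, each with a few posts."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users(id INTEGER PRIMARY KEY, name TEXT);
        CREATE TABLE posts(id INTEGER PRIMARY KEY,
                           user_id INTEGER REFERENCES users(id), title TEXT);
        CREATE INDEX posts_by_user ON posts(user_id);""")
    conn.executemany("INSERT INTO users(name) VALUES (?)",
                     [(f"user{u}",) for u in range(1, n_users + 1)])
    conn.executemany("INSERT INTO posts(user_id, title) VALUES (?, ?)",
                     [(u, f"post{p} of user{u}")
                      for u in range(1, n_users + 1) for p in range(posts_per_user)])
    conn.commit()
    return conn

def count_queries(conn, fn):
    """Run fn(conn); return (its result, number of statements SQLite ran)."""
    statements = []
    conn.set_trace_callback(statements.append)  # fires once per executed statement
    try:
        return fn(conn), len(statements)
    finally:
        conn.set_trace_callback(None)

def posts_by_user_n_plus_1(conn):
    """What a lazy-loading ORM does: 1 query for the parents, then 1 per parent."""
    out = {}
    for uid, name in conn.execute("SELECT id, name FROM users ORDER BY id"):
        rows = conn.execute(
            "SELECT title FROM posts WHERE user_id = ? ORDER BY id", (uid,))
        out[name] = [title for (title,) in rows]
    return out

def posts_by_user_join(conn):
    """Same result from a single statement; grouping is done in Python."""
    out = {}
    rows = conn.execute("SELECT u.name, p.title FROM users u "
                        "LEFT JOIN posts p ON p.user_id = u.id ORDER BY u.id, p.id")
    for name, title in rows:
        out.setdefault(name, [])
        if title is not None:       # users with no posts still appear
            out[name].append(title)
    return out
```

With 50 users the naive version issues 51 statements and the JOIN issues 1, for an identical result; at a thousand users the gap is the thousandfold dahwolf mentions.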
| chillfox wrote:
| The core problem with ORMs is that you end up having to learn
| the ORM on top of learning SQL and the particular database. It
| ends up being like working with the database through an opaque
| indirect layer.
| andrewstuart wrote:
| These days I build applications that actually use SQL.
|
| Typically a single statement to get the job done for any query.
| monroewalker wrote:
| Are you paying for Sentry? What type of monitoring does it
| provide? I'm working on a project I'd like to add some monitoring
| so I'm on the lookout for a good solution. Looking for something
| free though until there's a need to have better insight than I
| can get without paying for it
| kevincox wrote:
| I'm using the Sentry free tier and it is great. The main value
| is how it manages repeated errors. You can group different
| exceptions for the "same" error, resolve errors that have been
| fixed or ignore known errors until they occur to more users,
| more often or what have you.
|
| If you are good about squashing errors you can make it very far
| on the free plan. Plus they have some burst detection built in.
| Just make sure that "expected" errors aren't just ignored in
| the UI, stop emitting them in the app itself so they don't
| count towards your quota (and it keeps your logs tidy).
|
| I haven't been using their tracing or anything because their
| Rust SDK doesn't seem to support it despite claiming that it
| does (or I have set it up wrong).
| monroewalker wrote:
| Thank you for elaborating, this is useful :)
| benaduggan wrote:
| My team got really far using something called GlitchTip. It's
| compatible with the Sentry SDKs, but really cheap, so it felt
| like there were minimal consequences to switch if we ever had
| the need to. We only switched to Sentry cause our company was
| acquired and they already had a Sentry subscription going.
| monroewalker wrote:
| Hadn't heard of GlitchTip, but will look into it. Thanks!
| dhosek wrote:
| Man, on the abuse front--it's amazing the lengths that people
| will go through to put spam on the web. There are apparently
| canned solutions for pushing stuff to any Mediawiki site,
| although I found that a really stupid captcha[1] was enough to
| bring that down almost to zero, but early on with rejectionwiki,
| I had the same sort of chronic abuser things happening that are
| described in the article.
|
| 1. Basically a set of really obvious questions, like "Who wrote
| Hamlet?" and what's "Shakespeare's first name?" that any writer
| (for whom the site is targeted) should be able to answer.
| codetrotter wrote:
| > Who wrote Hamlet?
|
| Sir Francis Bacon :smirk:
| naniwaduni wrote:
| > that any writer (for whom the site is targeted) should be
| able to answer
|
| hey now, not all writers who discuss things in English are
| necessarily familiar with the anglo literary tradition
|
| (it's probably a higher overlap than average, and shouldn't be
| too hard for them to search, but be careful throwing the
| assumption around)
| warkdarrior wrote:
| > Basically a set of really obvious questions, like "Who wrote
| Hamlet?" and what's "Shakespeare's first name?" that any writer
| (for whom the site is targeted) should be able to answer.
|
| Given that ChatGPT exists now, I assume these questions will
| need to be replaced with something harder to automate.
| dhosek wrote:
| Given that the spammers seem to use some sort of canned
| software, it might have been enough to figure out how to
| change one or two internal URLs in MediaWiki, actually.
| juped wrote:
| ChatGPT would be an extremely expensive way to answer these
| questions.
| corobo wrote:
| Really? I thought these types of questions would be
| limited. They seem hand-crafted.
|
| If you cache the answers you're probably looking at 10
| queries or so until the site admin gives up on that idea
| and tries something different
| addisonl wrote:
| At MOST that is a 100 token prompt/response, so that is
| like $0.0002 to answer with gpt-turbo. Hardly going to
| break the bank...
___________________________________________________________________
(page generated 2023-03-13 23:00 UTC)