[HN Gopher] Things I learned after getting users
___________________________________________________________________
Author : HermanMartinus
Score  : 101 points
Date   : 2023-03-13 07:15 UTC (15 hours ago)
web link (basementcommunity.bearblog.dev)

| hermitcrab wrote:
| >listen to your users. they might have better ideas than you!
|
| So true. My products have improved greatly from listening to (some!) user feedback.

| yamazakiwi wrote:
| Users that give great feedback also generally give great feedback in the future.

| cousin_it wrote:
| > _some users have suggested pretty smart features that i've since implemented, like this back-to-top button to quickly get back to the top of the page_
|
| To me all position:fixed elements (headers, footers, this back-to-top button, etc) feel like a kind of annoying dirt on the screen. Their absence is a big part of why I love the web 1.0 aesthetic.

| saurik wrote:
| My god yes. There is literally a key on a full keyboard dedicated to this function (Home), smaller keyboards have a chord for it (like Fn-Up), and "mobile" touchscreen UI has a global mechanism for this (on iOS: touching the status bar)... to plop down a position:fixed button on top of the content to make it _even easier_ to access this feature that is already extremely easy to access is just gratuitous.

| newaccount74 wrote:
| Does Android have this? I had an Android phone for some time and the thing I missed most was the back-to-top shortcut.

| layer8 wrote:
| Android doesn't have this, and I missed it at first as well, but the scroll acceleration is so fast (much faster than on iOS) that you can nevertheless scroll to the top very quickly.

| nicbou wrote:
| Me too, but I still added a table of contents button on my long, structured articles. It's very helpful in my opinion.
| layer8 wrote:
| Wikipedia does this now, and I find it annoying, in particular the changing "current section" highlighting, and the fact that it hides when the browser window is a bit narrower. I'd rather press Home to get to the TOC again when it scrolled off.

| Joel_Mckay wrote:
| Yes, there are numerous automated and human-powered nuisance traffic streams.
|
| 1. CMS sites are constant maintenance, as most are an endless supply of issues. However, some have content caching to reduce the SQL workload.
|
| 2. Delayed registration with CAPTCHA and a brief explanation of why you are there. Quiet banning IP filter applied to list to boot pending users who enter emails that bounce or fail to authenticate.
|
| 3. Firewall blacklist areas of the world where you don't do business (better yet, whitelist the ISPs in the regions you do business), blacklist proxy/tor/spam IP ranges, add port tripwires, and set up rate-limited traffic per IP (see slow loris mitigation methods if you are not using nginx).
|
| 4. Add peer site content blocker for forum spammers/bots, i.e. share exploit probes preemptively with the rest of the net.
|
| 5. Add email filter for mention of bitcoin/BTC, and black-hole the entire IP block if in an irrelevant region.
|
| 6. Look up same-origin enforcement for your web-server, add Subresource Integrity Hash to your core, and re-scale/watermark/scrub all media to protect users from themselves.
|
| 7. fail2ban rules for common site security scanners, known exploit attempts, and common email scams.
|
| You owe nonpaying users nothing, so the collateral cost of blanket bans is $0 in hostile regions. Remote traffic monitoring is also recommended if you have a game engine running.
|
| On day 2 we can look at how BTC tumblers/launderers fund most of these issues, and whether it is OK to also preemptively blanket-ban most cloud/hosting providers (costs under 7% of your users in most cases).
| Remember, adversaries will often pretend to be from wherever they wish to inflict harm, and time does not have an associated cost in the 3rd world.
|
| Have a gloriously wonderful day =)

| econnors wrote:
| > when the site first got a surge of users from hacker news, there was one poster in particular who came to the site, registered a bunch of offensive, racist usernames and proceeded to post and create threads that were just full of dumb slurs. this was definitely a learning experience because i had to act quickly, so i tried a bunch of different methods to get rid of him.
|
| it's sad that people like this exist in the world. what could possibly motivate someone to spend their time doing this?

| [deleted]

| expertentipp wrote:
| "Is my girlfriend pregante?"

| [deleted]

| nico wrote:
| Had a similar experience recently. A random person started repeatedly filling out contact forms for one of our clients. They were doing it manually, and they did it for several days straight until finally blocked.
|
| It also left me wondering why that person would spend an hour or two each day for several days in a row, filling out online forms. What's the motivation?
|
| My suspicion is that the person doing it works at the company and was trying to mess with their systems. But I'll never know for sure.

| citizenpaul wrote:
| > what could possibly motivate someone to spend their time doing this?
|
| Probably being between the ages of 10-14 years old. Bartle Killer-explorer?

| nicbou wrote:
| I dealt with a similar basket case once.
|
| It seems like parasocial relationships can swing both ways. You know how some fans develop a creepy, obsessive sort of love for creators? Well, the same goes for hatred. They feel slighted by that person that doesn't know them, and they retaliate from behind their keyboard.
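Added example, not code from the thread or the article: a small, runnable version of the two mechanical items in Joel_Mckay's list above, fail2ban-style matching of known scanner probes (item 7) and a per-IP sliding-window rate limit (item 3), run over constructed access-log lines. The scanner path list, the thresholds, the log lines and the RFC 5737 documentation addresses are all assumptions for the demo; a real filter is tuned from your own logs. As the article's VPN story shows, an IP ban only holds until the attacker changes address, so this is the cheap first layer, not the last.

```python
"""Log-driven abuse detection in the spirit of the fail2ban and per-IP
rate-limit items in Joel_Mckay's comment above. Added example, not code
from the thread or the article. Two triggers produce a ban decision for
the source IP:
  * a request for a path that only vulnerability scanners ask for
  * more than MAX_REQ requests from one IP inside a WINDOW-second window
The log lines below are constructed for the demo (Combined Log Format,
RFC 5737 documentation addresses)."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Assumed probe list for the demo; a real filter is tuned from your own logs.
SCANNER_PATHS = {"/wp-login.php", "/.env", "/phpmyadmin/", "/xmlrpc.php"}
MAX_REQ = 5      # requests allowed per IP per window (assumed threshold)
WINDOW = 10      # seconds

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse(line):
    """Return (ip, timestamp, path-without-query, status), or None when the
    line is not a well-formed access-log record."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["path"].split("?", 1)[0], int(m["status"])


class Detector:
    def __init__(self):
        self.hits = defaultdict(deque)   # ip -> request times inside the window
        self.banned = {}                 # ip -> reason for the first trigger

    def observe(self, line):
        """Feed one log line; return the ban reason if this line triggers a ban."""
        rec = parse(line)
        if rec is None:          # never act on lines we cannot parse
            return None
        ip, ts, path, _status = rec
        if ip in self.banned:
            return None
        if path in SCANNER_PATHS:
            self.banned[ip] = f"scanner probe {path}"
            return self.banned[ip]
        q = self.hits[ip]
        q.append(ts)
        while q and (ts - q[0]).total_seconds() > WINDOW:   # slide the window
            q.popleft()
        if len(q) > MAX_REQ:
            self.banned[ip] = f"{len(q)} requests in {WINDOW}s"
            return self.banned[ip]
        return None


def scan(lines):
    """Run the detector over a log and return {ip: ban reason}."""
    d = Detector()
    for line in lines:
        d.observe(line)
    return d.banned


def _rec(ip, t, path, status=200):
    return f'{ip} - - [13/Mar/2023:10:00:{t:02d} +0000] "GET {path} HTTP/1.1" {status} 512'


# Constructed sample: one scanner, one burst, one normal visitor, one bad line.
SAMPLE_LOG = (
    [_rec("203.0.113.7", 0, "/"), _rec("203.0.113.7", 1, "/wp-login.php", 404)]
    + [_rec("198.51.100.9", 10 + i, "/?page=%d" % i) for i in range(6)]
    + [_rec("192.0.2.4", t, "/thread/1") for t in (5, 25, 45)]
    + ["this is not an access log line"]
)

if __name__ == "__main__":
    for ip, reason in scan(SAMPLE_LOG).items():
        print(f"ban {ip}: {reason}")
```

The decisions come out as a dictionary so they can be fed to whatever actually enforces them (an nftables set, a fail2ban action, a web-server deny list); the detector itself never touches the firewall, which keeps it testable offline.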
| mhuffman wrote:
| Richard Bartle has this way of dividing up what he calls "players", but it works for any social media[1]. One of them is the "killer" with a sub-type of "griefer" which are those whose "... vague aim is to get a big, bad reputation". So, from that perspective, they actually do get something out of it.
|
| [1] https://en.wikipedia.org/wiki/Bartle_taxonomy_of_player_type...

| bunnyswipecom wrote:
| competitor obviously

| flangola7 wrote:
| Attention seeking + lack of moral compass.

| yamazakiwi wrote:
| A lot of them are edgy underage children and don't know any better. They think that they have a dark sense of humor but really they've lived a life disconnected from those words, so they like the idea of pushing others' buttons at no cost to their selfish existence.

| wolfi1 wrote:
| not only attention seeking, sometimes the motivation is "to spread the truth", at least as they perceive it, and sometimes it's people who get triggered and are not able to stop their rants

| cm2012 wrote:
| Mental illness

| username3 wrote:
| Whitehat moderation tester

| golergka wrote:
| Alcohol.

| wesleychen wrote:
| The thing that really surprised me was that even when he implemented IP blocking, the user used a VPN to continue abusing the site. That's a step beyond "casual" trolling that someone might do to test a site's security (not that this is justifiable behavior) and enters the territory of targeted harassment.

| mcstempel wrote:
| > this worked for a little bit longer, but he proceeded to get on a VPN, and then another when i blocked that IP, then another when i blocked that IP, etc, etc.
|
| Beyond VPNs, I've even seen attackers leverage residential IP networks which makes VPN detection ineffective as well [1]. If you ever need a more permanent identifier to ban users on, consider using a device/browser fingerprinting tool [2].
| It helps avoid the whack-a-mole issue of more sophisticated attackers churning IPs/emails/user agents/etc.
|
| [1] https://brightdata.com/proxy-types/residential-proxies
| [2] https://stytch.com/products/device-fingerprinting (I'm admittedly biased towards our solution as I work at Stytch)

| dahwolf wrote:
| "this is mostly because i relied on a SQL ORM which in short is a tool that makes writing SQL easier to pick up and faster to develop. the biggest downside is that it might execute 50 queries to your database to get a list of information, when it probably only needs 1, which will cause slowdown."
|
| I appreciate this honesty. Listen to this old man's advice: learn SQL properly. It's not that hard. Focus on it for a few weeks intensely and you've mastered it for life. Then just write SQL directly.
|
| I've had weekends ruined troubleshooting my "highly productive ORM layer" that nuked a production database, whilst functionally speaking my ORM code was in no way incorrect. I'm talking differences of a thousandfold in query load depending on how one expresses the ORM calls.
|
| You can then become proficient in trying to reason and predict about what your ORM calls do in the actual database, but when you're several joins deep, this becomes near impossible. At which point you become the ORM, and might as well just write SQL.

| akprasad wrote:
| If writing SQL directly, what process do you use to update your queries during schema changes? Do you rely on a test suite to catch errors then update queries by hand? Are you using compile-time checks through libraries like sqlx [1]?
|
| [1]: https://github.com/launchbadge/sqlx

| willio58 wrote:
| This is exactly why I find no solution fits all here. For me, I use an ORM as a catch-all and then for certain applications I manually write the queries. It's best of both worlds, and I know what components in my app have custom queries so I can test against them.
| jw1224 wrote:
| > I'm talking differences of a thousand fold in query load depending on how one expresses the ORM calls
|
| That doesn't sound like ORM... More like an N+1 problem. Eager-loading makes N+1 more likely with ORMs, but it's easy to avoid when you know what to look for.
|
| ORMs are designed to reduce querying, not increase it a thousand-fold :)

| chillfox wrote:
| The core problem with ORMs is that you end up having to learn the ORM on top of learning SQL and the particular database. It ends up being like working with the database through an opaque indirect layer.

| andrewstuart wrote:
| These days I build applications that actually use SQL.
|
| Typically a single statement to get the job done for any query.

| monroewalker wrote:
| Are you paying for Sentry? What type of monitoring does it provide? I'm working on a project I'd like to add some monitoring to, so I'm on the lookout for a good solution. Looking for something free though until there's a need to have better insight than I can get without paying for it.

| kevincox wrote:
| I'm using the Sentry free tier and it is great. The main value is how it manages repeated errors. You can group different exceptions for the "same" error, resolve errors that have been fixed or ignore known errors until they occur to more users, more often or what have you.
|
| If you are good about squashing errors you can make it very far on the free plan. Plus they have some burst detection built in. Just make sure that "expected" errors aren't just ignored in the UI; stop emitting them in the app itself so they don't count towards your quota (and it keeps your logs tidy).
|
| I haven't been using their tracing or anything because their Rust SDK doesn't seem to support it despite claiming that it does (or I have set it up wrong).

| monroewalker wrote:
| Thank you for elaborating, this is useful :)

| benaduggan wrote:
| My team got really far using something called GlitchTip.
| It's compatible with the Sentry SDKs, but really cheap, so it felt like there were minimal consequences to switch if we ever had the need to. We only switched to Sentry cause our company was acquired and they already had a Sentry subscription going.

| monroewalker wrote:
| Hadn't heard of GlitchTip, but will look into it. Thanks!

| dhosek wrote:
| Man, on the abuse front--it's amazing the lengths that people will go through to put spam on the web. There are apparently canned solutions for pushing stuff to any Mediawiki site, although I found that a really stupid captcha[1] was enough to bring that down almost to zero, but early on with rejectionwiki, I had the same sort of chronic abuser things happening that are described in the article.
|
| 1. Basically a set of really obvious questions, like "Who wrote Hamlet?" and "What's Shakespeare's first name?" that any writer (for whom the site is targeted) should be able to answer.

| codetrotter wrote:
| > Who wrote Hamlet?
|
| Sir Francis Bacon :smirk:

| naniwaduni wrote:
| > that any writer (for whom the site is targeted) should be able to answer
|
| hey now, not all writers who discuss things in English are necessarily familiar with the anglo literary tradition
|
| (it's probably a higher overlap than average, and shouldn't be too hard for them to search, but be careful throwing the assumption around)

| warkdarrior wrote:
| > Basically a set of really obvious questions, like "Who wrote Hamlet?" and "What's Shakespeare's first name?" that any writer (for whom the site is targeted) should be able to answer.
|
| Given that ChatGPT exists now, I assume these questions will need to be replaced with something harder to automate.

| dhosek wrote:
| Given that the spammers seem to use some sort of canned software, it might have been enough to figure out how to change one or two internal URLs in MediaWiki, actually.
| juped wrote:
| ChatGPT would be an extremely expensive way to answer these questions.

| corobo wrote:
| Really? I thought these types of questions would be limited. They seem hand-crafted.
|
| If you cache the answers you're probably looking at 10 queries or so until the site admin gives up on that idea and tries something different

| addisonl wrote:
| At MOST that is a 100 token prompt/response, so that is like $0.0002 to answer with gpt-turbo. Hardly going to break the bank...
___________________________________________________________________
(page generated 2023-03-13 23:00 UTC)