[11:59:14] <hobbes> so
[11:59:15] <hobbes> rip all
[11:59:54] *** Eluvatar sets mode: +oo hobbes QuietDad
[12:05:15] <hobbes> So
[12:05:20] <hobbes> Everyone not dead?
[12:06:15] <QuietDad> On life support. Using technology
[12:08:07] <hobbes> I see
[12:08:09] <hobbes> well, rip all.
[12:08:26] <QuietDad> Isn't this YOUR talk? lol
[12:08:29] <Donald_ET3> Isn't a lecture about to start?
[12:08:35] <hobbes> It's a tech roundtable
[12:08:40] <hobbes> but roundtables generally, require participation
[12:08:49] <madjack> roundtable hype
[12:09:06] <QuietDad> And a moderator to get it all started....
[12:09:06] <Ananke> As speakers you could start it up though.
[12:09:20] <Eluvatar> Agreed.
[12:09:35] <QuietDad> Yak, man. Yak.
[12:10:10] <Eluvatar> So this was the brief intro I threw together 9 hours ago
[12:10:17] <Eluvatar> Eluvatar once made a toaster. And then he learned PHP was a fractal of bad design, so he made another one. Then the API came into existence, and he came to hate all the HTML parsing code he had, so he started on a bunch of non-monolithic things. Then Admin asked him to take care of NS++ D:
[12:10:35] <Eluvatar> ( http://eev.ee/blog/2012/04/09/php-a-fractal-of-bad-design/ )
[12:10:57] <Eluvatar> moral of that particular story: don't use PHP if you can avoid it
[12:11:10] <QuietDad> PHP died years ago
[12:11:25] <Eluvatar> yeah well I wrote the first Toaster in 2006
[12:11:35] <Donald_ET3> But w3schools.com still teaches PHP.
[12:11:44] <hobbes> php never dies
[12:11:46] <QuietDad> THE most unsecure programming language EVER
[12:11:47] <hobbes> it is eternal
[12:11:50] <hobbes> Unsecure
[12:11:51] <hobbes> but eternal
[12:12:03] <Donald_ET3> Do you prefer plain Perl?
[12:12:26] <Donald_ET3> What's the alternative?
[12:12:31] <QuietDad> Prefer C++
[12:12:38] <Donald_ET3> Oh.
[12:12:48] <QuietDad> But that's just me
[12:14:02] <Eluvatar> Toaster2 was written in Ruby
[12:14:10] <Eluvatar> and I still use some ruby scripts for NS
[12:14:15] <Eluvatar> but right now I mostly use python
[12:14:46] <hobbes> so, anyways
[12:14:55] <Eluvatar> mostly because python's the language I have written an API ratelimiting library for so far -- https://github.com/Eluvatar/trawler-client-python
[12:14:56] <hobbes> the itinerary is probably getting thrown out as we don't really need crowd control
[12:15:20] <Eluvatar> I think having an outline of what to talk about helps
[12:15:27] <Eluvatar> I invie hobbes to introduce himself now
[12:15:30] <Eluvatar> *invite
[12:15:39] <hobbes> yes
[12:15:41] <hobbes> so
[12:16:09] <hobbes> i'm hobbes, I do server related stuff and creep in QuietDad's bedroom in my free time. A few years ago i started with this mess on San Andreas Multiplayer, and just kind of taught myself across the board.
[12:16:39] <hobbes> I do a lot of website and forum teching which is why i do a lot of admining on NS
[12:16:45] <hobbes> or did a lot of admining, cough, lazarus, cough
[12:16:59] <hobbes> I also developed Serina, both iterations of RadioNS, and NationNet though it's kind of a dead project atm
[12:17:21] <hobbes> that's kind of all I got, I went all night due to my cat being in surgery (and still is) so half-asleep
[12:17:21] <hobbes> :p
[12:17:49] <Eluvatar> yikes
[12:17:57] <QuietDad> i'm hobbes, I do server related stuff and creep in QuietDad's bedroom <--- banned to the basement now
[12:18:02] <Eluvatar> lol
[12:18:33] <QuietDad> Hobbes is now headless and under a pool table in the basement
[12:18:43] <Eluvatar> QuietDad, and you?
[12:19:32] <Donald_ET3> Do most people here know what a toaster is? This is the first time I've heard that term in this context.
[12:20:10] <Donald_ET3> sry
[12:20:32] <Eluvatar> toaster was the name of my website with endorsement counts, endorsements given counts, lists of nations you haven't endorsed, manual recruitment coordination, feeder movement logs, and feeder + certain other regions RMB logs
[12:20:40] <hobbes> It also made toast
[12:20:48] <madjack> I'm choosing to believe that Elu's coding is all in the pursuit of the perfect toast
[12:20:50] <QuietDad> I am a 35 year IT professional. My name is one of many on the original ODBC 1.0 bought from my company, where I designed and led the initial development team, for use in creating Windows for Work Groups 3.1
[12:21:05] <Eluvatar> NS > RL
[12:21:13] <QuietDad> I got a Lucite Plaque, company I was working for got 40 million
[12:21:39] <Eluvatar> (I mean, we should probably be talking about our role in NS, not outside of it. idk)
[12:21:53] <QuietDad> Was once VP of data communications for Sony USA (pre internet days)
[12:22:33] <Donald_ET3> Wow. You guys are important people! O_O
[12:22:57] <QuietDad> I have no real role in NS. I was involved in recommending options in TSP last year in finding a new home for our forums after a brief non technical issue
[12:22:59] <madjack> til QuietDad pulled The Interview
[12:23:19] <Eluvatar> OK. So hobbes, what's "Forums: You're (probably) doing them wrong." about? Not an argument against free hosting services in general, I hope?
[12:24:14] <Raven|afk> I thought it would be about set up and how the board layout/features can affect the community
[12:24:29] <Raven|afk> i.e. a million top level sections
[12:25:29] <QuietDad> TSP's forum, created by a user in Peru, on a free host in chicago with a .mx domain seems to work
[12:25:42] <Eluvatar> Yeah I've led a crusade in TNP since 2012 to bring the list of top level boards down and keep it down
[12:25:45] <KringPhone> lol
[12:25:51] <KringPhone> I didn't create the forum
[12:25:57] <KringPhone> Glen did
[12:27:43] <Eluvatar> Compare web.archive.org/web/20120217005427/http://forum.thenorthpacific.org/index/#top with the current layout >__>
[12:29:29] <Eluvatar> I think that making too big of an index is only one of many mistakes people often make
[12:29:55] <Eluvatar> Early on, people would use all sorts of free forums for NS: conforums, proboards...
[12:30:10] <Eluvatar> I find it interesting how the consensus has mostly settled on invisionfree/zetaboards at this point
[12:30:25] <QuietDad> Main issue I have with ALL the forums is each step in the NS forum process seems to require a new subforum you need to search for
[12:30:29] <Eluvatar> To a significant extent because proboards used to store passwords in plaintext, and allow password recovery.
[12:30:59] <QuietDad> Zeta is now owned by proboards....
[12:31:05] <ANewCentury> zeta is pretty good
[12:31:16] <QuietDad> And their free hosting platform
[12:32:29] <Eluvatar> I think people started to move away from proboards not because they didn't trust the company per se
[12:32:41] <Eluvatar> but because of a particular implementation detail regarding passwords
[12:32:50] <QuietDad> Anyone else have the belief that the forums are as they are because as people move on to other regions and create new ones, they design to what they know?
[12:33:06] <hobbes> well den
[12:33:06] <Eluvatar> There was an actual incident by the way: one Lady Blue Moon surreptitiously obtained admin power on a regional forum, as I understand it,
[12:33:07] <madjack> the only ns forum i like the look of is on proboards
[12:33:28] <Eluvatar> then used these powers to change users' emails to her own, then used password recovery
[12:33:32] <hobbes> @Quietdad
[12:33:37] <hobbes> they're slow or unresponsive half of the time
[12:33:38] <Eluvatar> -- then used the so obtained passwords to log into their NS nations
[12:33:38] <hobbes> but works
[12:33:46] <Eluvatar> (Mainly to eavesdrop on TGs as I understand it)
[12:33:53] <Eluvatar> This was not considered okay.
[12:33:56] <ANewCentury> that is evil
[12:35:57] <Eluvatar> http://www.nationstates.net/page=news/2004/03/04/index.html
[12:35:58] <Eluvatar> ^ relevant
[12:36:00] <QuietDad> It's really much simpler than that. Every PHP website in the world has a config.php page on it. In the case of Public Domain boards, it's really not that hard to get the code, figure out the variables in it, call the hosted site's config.php and display the variables
[12:38:00] <QuietDad> That will get you the SQL database userid and password, then with any of the phpadmin pages or mySQLadmin pages it's really easy to get a root admin id and password in the database
[12:39:00] <Eluvatar> What... are you talking about?
[12:39:01] <Donald_ET3> So, is that what people are talking about when they say that computer security is much worse than it could be?
[12:39:19] * Unibot waves.
[12:39:24] <hobbes> you're late
[12:39:30] <Unibot> I know, I apologise.
[12:39:33] * Donald_ET3 salutes
[12:39:38] * Unibot salutes back.
[12:39:41] <Eluvatar> Are you talking about how easy it is to manipulate a forum if you have access to the configured secrets?
[12:39:45] <Eluvatar> Yeah, it definitely is.
[12:40:51] <Eluvatar> But I don't think that's relevant to a discussion of the ways people commonly do forums wrong in NS
[12:41:37] <QuietDad> One of the issues in computer security is that using free hosts with their default forum addons is security. The Interweb is NOT a safe place. Ever
[12:42:13] <Eluvatar> Not sure I follow: are you saying that (reputable) free forum hosts generally pay a lot of attention to security
[12:42:18] <Eluvatar> and can have taken care of it for you?
[12:42:22] <QuietDad> And most of the forums are click and shoot design by people that really have no clue on web design
[12:43:41] <Eluvatar> yes
[12:43:44] <QuietDad> I use free hosts for some of my commercial accounts that dont warrant the expenses of paying for a hosted account. In all cases, I never use the cpanel supplied software on it. I use things NOT on it
[12:44:12] <Eluvatar> That sounds like the opposite logic
[12:45:17] <Eluvatar> Well we seem tired of talking about forums
[12:45:57] <Eluvatar> long story short: be smart! Try to actually design them sensibly, and if you care about security(which you should) use reputable services and/or do it properly yourself.
[12:45:59] <QuietDad> For example on Web design. When I visit the current TSP forum (myBB), the FIRST thing I do is click "View new posts" and right click and tab on what I want to read. There SHOULD be a "Mark all forums read" link on the search results screen, but it's only available on the main index
[12:46:16] <Eluvatar> Next on our agenda we have "API, its flaws, and how it works with various 3rd party NS sites."
[12:46:44] <Eluvatar> The most 'fun' aspect of working with the API is its rate limit
[12:47:31] <Eluvatar> it makes running more than one program at a time, and webpages that use NS data, significantly more complicated than they could otherwise be
[12:48:43] <hobbes> the issue with API is that it doesn't quite care who calls it
[12:48:49] <Eluvatar> The two solutions I've seen for running multiple things at once have been keeping each program to a separate, smaller, rate so that the total rate is within the limit; and using a throttling program of some kind
[12:48:51] <hobbes> at least, the current system
[12:49:08] <Eluvatar> what do you mean, hobbes?
[12:49:17] <hobbes> for example
[12:49:32] <hobbes> given the API code, I can pretend to be, say, NSWiki
[12:49:43] <hobbes> there's no real authentication on who the API is talking to, to my knowledge
[12:50:19] <Eluvatar> That's right
[12:50:47] <Eluvatar> Well, mostly
[12:51:15] <Eluvatar> There's 2 authentication systems in the API: 1 seeks to authenticate NS nations as such, and one authenticates telegram scripts
[12:51:29] <Eluvatar> the telegram script authentication system is actually pretty solid
[12:51:37] <Eluvatar> (as far as I can tell)
[12:51:59] <Eluvatar> I mean it'd be /better/ if you used a derived shared secret rather than giving the equivalent of the private key each time
[12:52:27] <Eluvatar> but you use the private password to log in to your nation so it's probably fine
[12:52:33] <Eluvatar> *a
[12:52:39] <hobbes> mhm
[12:52:53] <Eluvatar> The Authentication API however is terrible and should never have existed in its current form
[12:52:57] <Eluvatar> <_<
[12:53:26] <Eluvatar> This is because, as hobbes points out, there's no authentication of the program checking it
[12:53:38] <Eluvatar> so it's completely open to man in the middle attacks
[12:53:50] <Eluvatar> This is why I will repeat this advice:
[12:53:59] <Eluvatar> If you're writing a new NS service, do not use the NS Auth API
[12:54:14] <Eluvatar> If you're an NS++ user, do not use the NS Auth API for anything but an NS++ service
[12:54:33] <QuietDad> I really don't have extensive knowledge of the NS API, but isn't it only read only?
[12:54:55] <Eluvatar> (that's http://www.nationstates.net/page=verify_login )
[12:55:05] <Eluvatar> QuietDad, everything but the telegram sending API is read only
[12:55:39] <Eluvatar> the problem is that that verify_login page, combined with the auth API to check its tokens, is not secure against man-in-the-middle
[12:55:56] <hobbes> FYI guys, you are all open mic
[12:55:56] <Eluvatar> I'm sure there are plans in the works to fix this
[12:56:05] <hobbes> I believe violet has discussed it in the past
[12:56:30] <QuietDad> It just seems that it's limited. There are several instances of people taking the daily dumps and loading their own databases to get what they want how they want it
[12:57:23] <Eluvatar> There's a reason the daily dumps are made available
[12:57:37] <Eluvatar> It's definitely much higher bandwidth than the API
[12:59:41] <hobbes> mhm
[13:00:13] <QuietDad> I tried to look at it a while back to write a simple routine to generate a table of all the nations I had endorsed AND all the nations that had endorsed me and give me a list of who I hadn't cross endorsed and who hadn't returned the endos I had given and didn't feel like having to load a data dump every day to keep it current
[13:00:55] <Eluvatar> the dumps do not contain endorsement information
[13:01:27] <Eluvatar> It used to be necessary to obtain the list of WA nations from the daily dumps: I have http://www.thenorthpacific.org/api/ from that age
[13:01:41] <QuietDad> But it does show who is endorsed to who and a simple outer join gives me what I need to knwo
[13:01:43] <QuietDad> know
[13:01:54] <Eluvatar> (The region_name.txt files are updated nightly with the list of WAs in the region at the major update)
[13:02:46] <Eluvatar> as far as I know, neither nations.xml nor regions.xml contain any endorsement information at all
[13:02:55] <Eluvatar> not even the nations endorsing the given nation
[13:03:21] <Eluvatar> that can only be obtained through the 'live' API as far as I know
[13:03:34] <Eluvatar> And I just double checked
[13:03:52] <QuietDad> It's been a long time since I was looking at it and dont remember, but there was a way to get a nation and all the nations it had endorsed
[13:03:58] <Eluvatar> Yes, through the live API
[13:04:14] <Eluvatar> i.e. http://www.nationstates.net/cgi-bin/api.cgi/q=endorsements/nation=pauline_bonaparte
[13:04:31] <Eluvatar> -> <NATION id="pauline_bonaparte"><ENDORSEMENTS>ss_longclaw,arugula_supreme,samoupravljanje,the_doctor_in_the_tardis,yalia,james_brown,-suntzu-,harpatezlomnelea,motion_and_stillness,tranquil_winds,slamtopia,tannenmille,clone_wars,cervelat_salami,soviet_canuckistan,omnipotent_thomas,ainin_x,crosseye_jack,sweet_pestilence,oitseasetei,oton_atcel,patent_troll,club_stoic,51st_highlanders,tnoeser,1903_a_new_century,the_uss_kildonan,crusader_ii,gerfwe,obbanstantz</ENDORSEMENTS></NATION>
[13:04:51] <QuietDad> Like I said. It's been a while
[13:05:03] <hobbes> I've always been too lazy
[13:05:08] <hobbes> to fuck with api
[13:05:20] <Eluvatar> jackiechan.gif
[13:05:27] <hobbes> ^
[13:05:34] <QuietDad> Same here. eventually it gets to be more of an effort than the info it would produce
[13:05:44] *** Joins: Ballotonia
[13:05:48] *** Eluvatar sets mode: +o Ballotonia
[13:05:54] <Eluvatar> We were just talking about the APi
[13:05:57] <hobbes> admin sighting
[13:05:58] <hobbes> hide the booze
[13:06:02] <hobbes> and hacks
[13:06:09] <Eluvatar> and thanks by the by for adding the list-of-nations-in-the-WA API
[13:06:23] <Ballotonia> What if I WANT some booze?
[13:06:55] <QuietDad> I was going to make a WAMP server to load with the dumps and interface with the API, but I gave it to someone to help heat my house with
[13:06:57] <Eluvatar> Well then I'll just have to get some harpoon UFO for you
[13:07:19] <Eluvatar> WAMP = wrong
[13:07:22] <Eluvatar> <_<
[13:07:58] <Eluvatar> The most lengthy API discussion however was about security and the Auth API
[13:08:07] <hobbes> fyi, people with no voice
[13:08:11] <hobbes> round table, you're free to talk
[13:08:19] <QuietDad> I usually do Centos LAMP servers, but in this case Wamp was easier. and WAMP is just to get it loaded then play with it for real
[13:09:54] <QuietDad> And any of the LAMP/WAMP distros have their limitations. Most are designed to work on a desktop and not host sites
[13:10:08] <Eluvatar> Well our discussion of the API seems to have died down
[13:10:15] <Eluvatar> No questions from the audience, it seems.
[13:10:30] <Eluvatar> The next item on hobbes' agenda was "Bots: What they do, and how they do it"