
Comments
I guess one could at least argue that. How it will be judged by 3rd parties is another question though.
Personally i would advise against it (at least in relation to potential real names) though. As long as there's no actual KYC it's basically an invitation to frame people. Also the whole thing would likely be quite problematic if some of the admins fall under EU jurisdiction. I'm not much into laws but i'm pretty sure that the GDPR will just hate the whole idea. Emails might still fly (probably not) but once actual names are involved chances are it's just an overall no-go.
My suggestion would be to skip the doxxing step and just directly order dozens of unpaid pizzas to the offending users' home addresses. Would probably still hit the wrong people but at least it's privacy friendly.
The moment publishing people's info to encourage the internet to harass them came up this became ridiculous. There is no way that ends well but I guess it'll be interesting to watch unfold.
Good luck.
I am willing to accept alternative suggestions to reduce the chance of abuse on our free servers (other than don't offer free servers).
I would rather clients know there are consequences associated with their actions - If a donor or FOSSVPS is 'hurt' by a client, action must be taken.
Monitoring and proactive abuse handling? I know that comes down to work/time, which sucks for what is essentially a charity project, but i don't really see many other options.
Well, you could make them post a code to their Github to make sure its actually a relevant project and first of all theirs. The Github can later be used for shaming purposes (hell, you could probably open issues in their repos and/or start shaming pull requests). Beyond that there really isn't much that would have a) actual value to the user b) can be verified reasonably easy. Names/addresses will be fake anyways and email addresses are throw away material.
What do most hosts do in cases of abuse? Depending on the seriousness of the abuse, there may be a chance for remediation. Or if the issue is serious enough or persistent, service is terminated.
Do you see providers coming on LET complaining about former customers? Usually not unless the customer makes an issue of it first and opens a thread about it.
Well, it's not like you don't have a point but to be fair regular providers have an incentive to clench their buttcheeks: Money. They also have one important filter a free project doesn't have: Money.
@totally_not_banned Thank you for your comments
Active monitoring is already in place. This problem occurred because SMTP WAS open. When I originally planned the servers I wrongly thought that would be ok (yes it could have been you developing an Open Source email system). That 'loophole' is now closed.
You are correct FOSSVPS is effectively a charity and I accept damage could be done to a 'real' Github but as you know people clone and create false accounts etc. Also while a client has abused us, I am not the sort of character to have an ongoing crusade to trash a Github.
Totally agreed.
The solution is to 'filter' at the start (registration) which is what we TRY to do.
'Providers' have fraud detection systems and payment systems which do a lot of the filtering. For us the problem is clients lie on their registration - as has already been stated, emails can be throw away, names can be made up, Git can be cloned. The only thing we have (perhaps) is reputation on the forums. I no longer trust the NodeSeek forum ergo NodeSeek clients.
Well, at least the code part wouldn't actually be hard to fully automate. Just store some random hash with your user data and have the signup process tell the client to paste it into their (supposed) Github profile. Then there's a cronjob running every X minutes that fetches the profile and checks for the code. If it's there the account gets activated and if the account lacks activation after Y hours it'll get deleted.
Sure, that doesn't rule out throwaway Github accounts with stolen projects but the same process could easily check the repos for stars, forks, commit count (by the actual owner of the repo) and whatnot else. Sure it creates a notable entry barrier and stars, forks, ... could still be faked by someone with an army of sockpuppet accounts while the repo could have 1000 empty commits (even though just counting Z commits per day into the final score would probably block that) but it's probably way more complicated than the average scriptkiddie would like and supporting serious projects while keeping out idiots is kind of the point isn't it?
There could always be a manual onboarding process for people that (for this or that reason) can't fulfill the automated requirements, which would again disincentivize abusers as they can be sure that with less overall noise (and the precondition of not meeting official requirements) their requests will face drastically increased scrutiny.
Edit: If you pick up something along those lines also support GitLab, Codeberg or a similar Github alternative. Github's owner is not exactly nice and them having their AI steal people's projects shouldn't be rewarded with a monopolistic position either. Actually if i were to do this i'd probably award a negative score for simply using Github instead of an alternative
Edit2: Even the trashing (well, it doesn't really have to be trashing - just some firm and clear notice on what kind of person is running the show there) of abusers' Githubs could probably be automated :P
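The signup check described in the post above, sketched as an added example (not code from the thread or from FOSSVPS). The state-file layout, the `fossvps-verify=` marker, the forge allowlist and the stubbed `fetch_profile` are assumptions; the URL check is there because the cron job fetches an address the applicant supplied.

```shell
#!/bin/sh
# Added example. Assumed state line: user|profile_url|token|created_epoch|status

new_token() {   # 128 bits from the kernel CSPRNG, hex-encoded
    od -An -N16 -tx1 /dev/urandom | tr -d ' \n'
}

# The cron job fetches a user-supplied URL, so accept only https://<forge>/<name>
valid_profile_url() {
    case "$1" in
        https://github.com/*|https://gitlab.com/*|https://codeberg.org/*) ;;
        *) return 1 ;;
    esac
    case "${1#https://*/}" in
        ''|*[!A-Za-z0-9_-]*) return 1 ;;   # empty name, extra path, query, dots
    esac
}

# Constructed stand-in for the HTTP fetch; a real job could call something like
#   curl -fsS --proto '=https' --max-redirs 0 --max-time 10 "$1"
fetch_profile() {
    case "$1" in
        https://codeberg.org/alice)
            echo '<p>bio: fossvps-verify=0123456789abcdef0123456789abcdef</p>' ;;
        *) echo '<p>bio: nothing here</p>' ;;
    esac
}

profile_has_token() {   # $1 = token, page on stdin; fixed-string match, no regex
    grep -qF -- "fossvps-verify=$1"   # marker name is hypothetical
}

# One cron pass: $1 = state file, $2 = now (epoch s), $3 = max pending age (s).
# Prints the new state: verified accounts activated, stale pending ones dropped.
verify_pass() {
    while IFS='|' read -r user url token created status; do
        if [ "$status" = pending ]; then
            if valid_profile_url "$url" &&
               fetch_profile "$url" </dev/null | profile_has_token "$token"; then
                status=active
            elif [ $(( $2 - $created )) -gt "$3" ]; then
                continue   # pending for too long: delete the signup
            fi
        fi
        printf '%s|%s|%s|%s|%s\n' "$user" "$url" "$token" "$created" "$status"
    done < "$1"
}
```

This only proves control of the profile at signup time; it says nothing about whether the projects on it are the applicant's own work, which is the limitation the post itself points out.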
You could charge a one time fee, maybe $1, on sign-up, and run it through the same fraud detection and payment systems. If the $1 is an issue, whatever is left over from processing fees could be donated to another charity, I guess.
A user found a thing and abused it.
You're taking some risks cuz free service and you kinda know who that's going to attract.
The thing was a clear risk, something /paid/ services don't allow by default.
You banned the user and closed off the thing.
Situation is handled and you're a bit wiser.
Be aware some variation of this is going to happen again.
Please take some time before following any suggestions from the village drunks feeding your upset feelings so they can enjoy bigger explosions later.
Oh, this..
The consequence is they lose access to a great free service. Some of the things you're saying here ("Action must be taken!", what the actual fuck?) are pretty concerning.
Anyway I'll stop here, shame they broke you.
@totally_not_banned again great points - thanks.
I think the key point is attracting the right people to start with. Before I took over FOSSVPS it was being promoted on NS so this continued. Now that it has stopped, I know things will cool off.
Understand your point about generating a code during registration and have this placed on Github (code gen is easy) but the complexity of checking different types of git systems or web pages would be challenging. My coding skills are not bad but I just don't have the time for that amount of work.
@david
As soon as money gets involved everything changes. FOSSVPS is free and the only thing we deal with is the generous node donations. We are doing all of this work so the community and the donors benefit. My (honestly) only benefit is a free server which I don't really need and my reward is potentially thanks or abuse by the clients. This is why I get pissed off.
Yeah, i can sadly kinda second this. Actually i (personally) think it would be a ton of fun to build such a system but i figure in the end coming up with something clever/nice would likely take a good couple of days at least.
Just for the slim chance that i get the urge to act against better knowledge: What kind of software are you running this would have to integrate with? As in what manages your accounts/servers? If that can't be realistically described in a couple sentences i understand though.
No - The action is the termination of the NS clients VPS. You may consider ending all NS VPS is an over reACTION, but that is the consequence. Naming and shaming is something I am throwing out for discussion and I totally agree there are all sorts of implications. My real feeling is that it is probably not going to work in any real shape or form.
As far as 'shame they broke you' - hello I am still here. They broke themselves.
Yes lessons can always be learnt (I am not that naive) but perhaps my view of people generally being good is not accurate.
I appreciate your thoughts but really what are we gaining? The potential client is just proving that they can update a git / web page, not really sure that proves a lot
To answer your question everything is shell script and works well, so it's easy to integrate lots of things.
Well, the basic code thing is pretty trivial and boring anyways. If i were to actually put time into this you can be certain that it will be capable of calculating scores by as many factors as humanly possible. I mean, Github (&friends) already has a lot of scorable stuff and once that's all included the question becomes: "Why stop just there?"
Figuring out sensible weighting is obviously a whole different topic but just getting everything available would be the logical first step. Weights can then be configured later on.
Interesting. I guess it shouldn't be hard as far as integration is concerned then.
Reminds me of good, so-so, and bad neighbourhoods in a town/city and nodeseek is like a very bad neighbourhood - and that's entirely on them.
Also @msatt did give their users a chance. And promptly got abused.
I once got a free server myself and "gave away" the major part of it in the form of free VPS, so I do have some experience with that situation myself.
The problem with free VPS is that on one hand you need to filter but on the other hand you need to keep your time and work invested low. Besides I did not want to observe my users, I wanted to respect their privacy, just like msatt does I guess.
So it turns into a game of probability, or more correctly of keeping the probability of abuse as low as possible but at "low cost" in terms of time and work.
The route I chose mainly was to only provide VPS to LETsters which were far from new and actually had meaningful comments (i.e. not just memes) in multiple threads plus clear and strict rules along with a clear statement that any infraction of those rules almost certainly would lead to termination.
And it worked surprisingly well, I did not have a single infraction let alone abuse. In fact I experienced some cases of users politely asking if [something not clearly within the rules] was acceptable (I responded yes in all (few) cases).
And that although I also accepted some users I didn't know or even wouldn't have wanted as friends. But I was as "harsh" to myself as in my rules for them; that is, I told myself that it was about meeting the requirements and not about me liking them. And again, it did work out fine.
Summary, based on positive experience:
And filtering does include to not accept applicants with an (even mildly) elevated risk profile, like e.g. nodeseek, and certainly in the case of msatt's operation which includes two dedis of his own.
Keep in mind that it's really friendly and generous enough to share one's server(s)! And the person that does that - and he/she alone! - certainly has the right to filter and to make the rules, period.
I am only too happy to let you have a development VPS for this purpose. Make the code Open Source and perhaps it could be of benefit to other providers as well. No pressure
@jsg - Thank you once again for your supportive comments. I think it is fair (open) to say I was one of your clients and very happy with the VPS. As you say there were no issues until everything disappeared
To be fair to NS clients some have been with me since October last year without issue (but so was the abuser) and I had no problems.
I suppose it is like jumping off a cliff - what a great feeling...........(splat)
Been thinking.....
How about a 'sponsor' type system where a trusted current FOSSVPS user can vouch for a new client. If there is abuse then all members of the chain are terminated - Good or Bad idea ?
@msatt, If I hypothetically request vps from fossvps for the development of this UserScript https://justpaste.it/hy9sn, would you grant it?
I like it - with two caveats: (a) the vouching user must have been onboard and trouble-free for some time like e.g. 3 months minimum. And (b) to avoid abuse (of that system) only a limited number of candidates can be vouched for per period, e.g. one per 3 months.
Hypothetically - I detect this as a 'gotcha' and if I am worried then the answer is no.
@jsg - my exact same thoughts. It can likely provide organic growth.
LOL, ok
Do you have any requirements for number of commits per month or something like that? I guess that would be easy enough to game anyway. Some way to verify that users are actually using the service to develop software and not idling it, using it to host their porn sharing service, or worse would be pretty valuable. Maybe point an LLM at the users' repos and have it provide a summary once a month. You could even gamify it so that you could publish a leaderboard of the largest amount of changes, the coolest new features, etc.
Get a server where abuse is allowed.
@deafcon that would be great but it really is too much work / development which I could not afford.
@ascicode - It is an idea, but hard NO. I don't condone abuse and I won't cater for it. The donors have been extremely generous and there is no way I would wish to cause them any problems. Also this is for (white hat) Open Source Developers so abuse should not be their objective.
learning
Just block the countries which are risky and be done with it. A company or a brand has the right to choose its customers.