« Apps4iDevices Rebirth: RF-1 Demo | App News | thesoundtestroom: Echo Pitch - Pitch Shifting Delay »

Open Mic: How secure should preset sharing be?

I'm just finishing up on the preset sharing feature, and I'm seriously wrestling with the security implications. It is always dangerous whenever you let people upload arbitrary stuff onto your server. But that's not even my main concern, I can code around those security issues. The problem is when you guys download it!

It's Not Me, It's You

I'm 99.9% sure I can keep people from hacking the site through the preset uploads, but I have zero ways of preventing people from uploading malicious shit that could hack you. Okay, not quite zero, I can prevent people uploading .exe and .dmg files.

But there are hundreds of apps with their own unique way of handling presets. I can't just say "only allow files of this type" because there are just too many different types. Maintaining a list of filetypes used by every app is impossible.

So when you download a file from here, I cannot begin to guarantee that it will work or even that it won't brick your devices. Now this might not come up, and no one will ever abuse the system, but you don't design a system on hope.

Danger Zone

The best I can come up with is either limiting uploads to select users, like Patrons, or have a free-for-all with a reporting system. I'm disinclined to limit it to Patrons, because I worry that this is going to dramatically limit the amount of people sharing on the site. Over 3,000 people come to the site every day, and only about 50 of you are Patrons. I doubt very much that anyone who wants to give away free presets is going to want to give me money for the privilege. I know Apple and Google expect you to pay them license fees to "sell" free apps, but I don't think I can pull that off.

There's a whole reporting system on comments that has been in there since day one of discchord v3. I don't know if you know that or not, because in the 10 months the site has been running on discchord v3 you guys have reported exactly 0 comments. If you're logged into the site you'll see a little exclamation mark in a triangle below every comment.

The system keeps nearly all the spam out, so there haven't been a lot of opportunities for you guys to report things. However, there have been some comments that were sketchy or xenophobic... yet no one reported them. This makes me worried about relying on reports to alert me about potentially harmful files being distributed from the site.

Help Me, Help You

I will be putting up legal disclaimers left and right, but that only covers my ass and not yours. I'm interested in hearing your thoughts on the subject and how you'd like me to insure your devices stay safe. Once again: this is probably irrelevant, and no one will ever abuse the system, but I have anxiety so I'm really good at thinking about security and insecurity. Right now I'm toying with the idea of a hybrid system; where Patrons can upload freely, but non-Patrons have to jump through some hoops to upload.

I'd also like to hear from anyone that has found the comment reporting Easter Egg. That shit was hilarious to me when I made it, but I don't think anyone's found it yet. There's all sorts of Easter Eggs in here for hackers too. Try sending weird POST messages at my API and it warns you off with goofy messages.

Reader Comments 15

So lonely.
I think the hybrid system sounds reasonable. Sensible precautions like throwing out obviously bad file types (exe, bat, cmd) and maybe a size filter are about all you can do. I'm trying to think how an "Open in app" link could possibly brick an iOS device. Never say never, but it doesn't seem like a likely attack vector.
August 16, 2017  | person jimhanks
BTW, I was offended by your previous comment. I tried to report it but... oh wait, I see what you did there. Bwahahaha
August 16, 2017  | person jimhanks
On August 16, 2017 - @jimhanks said:
I think the hybrid system sounds reasonable. Sensible precautions like throwing out obviously bad file types (exe, bat, cmd) and maybe a size filter are about all you can do. I'm trying to think how an "Open in app" link could possibly brick an iOS device. Never say never, but it doesn't seem like a likely attack vector.
As someone who has to jailbreak all of his iDevices, I know how insecure they are! It's all security through obscurity. I'd be more surprised if there wasn't an "Open in app" exploit. But that's probably reserved for clandestine agencies, rather than botnets or any of the other shenanigans I worry about here.

This really is just an intellectual exercise in paranoia. I don't think any would launch a sophisticated attack on readers here using a 0-day exploit like that. But they could...
One possible hoop could be comments on threads dating back X months. Another is a demo audio track that other readers can thumbs up. X number of thumbs up and the presets go public.
August 16, 2017  | favorite_border stub
I think that you download at your own risk. That's the same as any other site offering free presets from google drives etc.
August 16, 2017  | person CougarFool
ssl would be a good idea,
At least you know what server you are talking to...
August 16, 2017  | person lala
hmm... jimhanks beat me to it 😂 so I went to report his... but... well the spam option seams like it is going to be killed instantly and not even passed by you, and the hate speech one will result in bans as soon as I click it? I am then less inclined to report because I am afraid I am not seeing his point of view and just knowing that a second person is going to look at the report and actually act on it makes me more likely to report. Obviously you don't want people reporting unnecessarily but just something saying "There are only 3 rules here. Which rule is this comment violating? Thanks for reporting, I will have a look at it." ..... I don't really like that either. Thinking out loud at this point.
August 16, 2017  | touch_app Lucas
I think the current reporting feature will be enough to keep the presets cleaned up for now.
August 16, 2017  | touch_app Lucas
On August 16, 2017 - @lala said:
ssl would be a good idea,
At least you know what server you are talking to...

The site already supports SSL, optionally. Just hit it from HTTPS instead of HTTP and your connection will be SSL encrypted.

https://discchord.com
On August 16, 2017 - @stub said:
One possible hoop could be comments on threads dating back X months. Another is a demo audio track that other readers can thumbs up. X number of thumbs up and the presets go public.
After a lot of thinking I've decided to do something along these lines. I'm going to be a little vague on some of the details, but basically anyone who is a regular here (and has had an account for a while) will be able to upload. All developers and active patrons will also be able to upload.

For newer users the process is slightly more complicated, but anyone who has been here long enough and active in the community will automatically be allowed to upload. For everyone else the message they get tells them to email me and I'll consider them on a case-by-case basis.

Thanks a lot everyone for the input! I feel better about this now! There will still be a reporting function if someone uploads something objectionable or copyrighted.
Another option could be to let anyone upload presets, but a Patron has to verify the preset before the general public can see it. That could be another incentive for being a Patron: early access to presets.
I'm surprised that there are actually that many apps that allow some kind of preset sharing on iOS. I assume when talking presets, we're mainly referring to synths right? Perhaps I just haven't used the preset sharing options that much but couldn't you just limit it to say the top 30 or so most popular synths at first. Then add more as time goes on or as users request them. Maybe even that is too much work, I don't know. I like all of the previous ideas. Yours is probably one of the last sites I personally would worry about downloading some kind of virus or malware anyway.

On another note, when this feature is implemented, it would be cool if you could somehow add a column or entry on the front-page similar to the Recent Comments section that would let users know that a new preset pack has been added and approved and for which synth. Kind of like a "Recent User Preset Packs" news ticker. It would just be cool to know what is new and available without having to dig through the different app pages. Maybe you already have something like this planned, just a suggestion
August 18, 2017  | person dreamsyphon
Love your site Tim. It's one of my main "daily visit" sites. Keep up the great work. I'm a longtime lurker, but I'm trying to become more active. Very excited for the new preset sharing feature.

I wasn't sure where else to post this, but I want to let you know that even though I have your site whitelisted on my adblocker, I still see a lot of the "Instead of blocking ads, become a patron!" messages. Is that normal or is there something else I need to do? Thanks
August 18, 2017  | person dreamsyphon
On August 18, 2017 - @dreamsyphon said:
On another note, when this feature is implemented, it would be cool if you could somehow add a column or entry on the front-page similar to the Recent Comments section that would let users know that a new preset pack has been added and approved and for which synth. Kind of like a "Recent User Preset Packs" news ticker. It would just be cool to know what is new and available without having to dig through the different app pages. Maybe you already have something like this planned, just a suggestion

This is a great idea! I'm going to think about how to implement it, but yeah, this should happen!

On August 18, 2017 - @dreamsyphon said:
Love your site Tim. It's one of my main "daily visit" sites. Keep up the great work. I'm a longtime lurker, but I'm trying to become more active. Very excited for the new preset sharing feature.

I wasn't sure where else to post this, but I want to let you know that even though I have your site whitelisted on my adblocker, I still see a lot of the "Instead of blocking ads, become a patron!" messages. Is that normal or is there something else I need to do? Thanks

Thank you very much! If you're seeing that message that means something is still blocking AdSense. I'm not sure what more you could do if you have the domain whitelisted. Thanks for trying though!
comment

  Post a New Comment

You are not currently logged in. Would you like to login or register?
Enter your information below to add a new comment anonymously.

I'm not a racist, but...
Usernames need to be at least 2 characters!
I'm not a racist, but...
Please don't use weird characters in usernames!
{[ Ctrl.useravailable[Ctrl.userselector] ]}
{[ Ctrl.useravailabletext[Ctrl.userselector] ]}
Wow, that's a short email address!

Comment:

Do not use HTML in your comments. Tags: [b] Bold Text [/b] [i] Italic Text [/i]
Links will be generated if you include http:// or https:// at the beginning of a URL.
Submit