Wednesday, February 10, 2010

Moderator Messaging

One of the main problems with our request to "message a moderator" when you have a problem on a given reddit has been that it is completely opaque which moderator to message. Much lore has been generated on many reddits as to who is the "good" or the "responsive" moderator, and many messages have fallen by the wayside through an unlucky choice.

By the same token, it is unfair to the moderators that they have no way to see what may very well be community-wide issues. To mitigate both problems, we've created a separate moderator inbox for each reddit, which can be messaged by composing a PM to "#redditname" (with the hashmark borrowed from IRC parlance).
So, from now on, to reach the admins' inbox, send a message to "#reddit.com" and we'll get back to you. For other reddits, we've added a handy link to the moderator inbox.

From a moderator's viewpoint, we've made a UI tweak to differentiate your moderator inbox from your regular inbox:
And a new orangered alien for when you have moderator mail:
Clicking on the alien will bring you to your moderation inbox. In this view, you'll see the messages to all of the reddits you moderate organized with the newest on top.
Clicking on the name of the reddit (in the blue bubble on the top left) will bring you to a view that shows messages for that reddit alone. This view is also accessible from the "moderator toolbox" on each of your reddits.

One thing to note when responding to these messages: when you participate in a message thread initiated by a user, everything in the conversation, including replies between moderators, is sent back to the user as an implicit CC. Don't put anything in such a thread that the user shouldn't read.

tldr: Don't message one moderator, message all moderators.

Tuesday, February 02, 2010

FEED ME!

In pursuit of making reddit easier to use, we've added the ability to get private RSS feeds for parts of the site that would normally require you to log in. The new set of feeds is available through your preferences page, and is available (currently) in both RSS and JSON. [If you are worried about the security of this: the feed URL stands in for your login, so treat it like a password and don't paste it anywhere public. We've added a preference to disable private feeds, and set things up so that all feeds are invalidated once you change your password.]

The first example of its use is the front page: we want you to be able to customize your subscriptions to different reddits, but up until now there was no way to get a feed of your personalized front page without passing us your login cookie. This is sometimes handled gracefully by browsers, but seldom by other feed readers.
By the same method, we're also generating RSS links for your saved, liked, disliked and hidden pages, as well as to get the contents of your inbox (even your unread tab).

And for the moderators in the audience: you'll now find that both the spam and reported listings of your reddits have RSS available. In this case, though, you'll find the feed on the page in question rather than on your preferences page. This should make it much easier to keep tabs on what is making its way onto your reddit's spam pages. We've also fixed a bug on those listings that was breaking hiding of links, so moderators will now have the capacity (at least individually) to clear out their spam listing.
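The post describes the properties a private feed needs (it replaces the login cookie, it can be switched off, and every feed dies when the password changes) but not how they are obtained. The sketch below is an added example, not reddit's implementation: it derives a per-user, per-feed bearer token with an HMAC over a server-side secret and a per-user generation counter, so nothing per-token is stored, a leaked "saved" URL cannot read the inbox, and bumping the counter on password change invalidates every outstanding URL at once. The URL layout, the `User` record and the generation counter are assumptions for the illustration.

```python
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Illustrative design written for this example; it is not reddit's implementation.
# Assumed: one server-side secret, and a per-user counter bumped on password change.
SERVER_KEY = secrets.token_bytes(32)


class User:
    """Stand-in for an account record (constructed for this example)."""

    def __init__(self, name, password_hash):
        self.name = name
        self.password_hash = password_hash       # whatever the site stores; not part of the token
        self.private_feeds_enabled = True        # the "disable private feeds" preference
        self.feed_generation = 0                 # bumped on every password change


class PrivateFeeds:
    """Issues and checks the per-feed bearer token that replaces a login cookie on feed URLs."""

    def __init__(self, server_key):
        self._key = server_key

    def token(self, user, feed):
        # Bind the token to the user, the feed name and the current generation, so a leaked
        # 'saved' URL cannot read the inbox and stops working at the next password change.
        msg = "%s|%d|%s" % (user.name, user.feed_generation, feed)
        return hmac.new(self._key, msg.encode("utf-8"), hashlib.sha256).hexdigest()[:32]

    def feed_url(self, user, feed):
        """The URL the preferences page would hand out (URL layout is assumed)."""
        query = urlencode({"user": user.name, "feed": self.token(user, feed)})
        return "https://www.reddit.com/%s.rss?%s" % (feed, query)

    def authorize(self, user, feed, presented):
        """True only if the presented token is the current one for this user and feed."""
        if not user.private_feeds_enabled:
            return False
        if not isinstance(presented, str) or not presented.isascii():
            return False
        # constant-time comparison: the token is a credential, treat it like a password hash
        return hmac.compare_digest(self.token(user, feed), presented)

    def authorize_url(self, users_by_name, url):
        """End-to-end check of a fetched URL: find the user, derive the feed name, compare."""
        parts = urlsplit(url)
        params = parse_qs(parts.query)
        name = params.get("user", [""])[0]
        presented = params.get("feed", [""])[0]
        feed = parts.path.lstrip("/").rsplit(".", 1)[0]     # "/saved.rss" -> "saved"
        user = users_by_name.get(name)
        return user is not None and self.authorize(user, feed, presented)

    @staticmethod
    def change_password(user, new_hash):
        user.password_hash = new_hash
        user.feed_generation += 1          # every outstanding feed URL stops working here


FEEDS = PrivateFeeds(SERVER_KEY)


def demo():
    """Walk through issue -> use -> password change -> disable; returns the observed outcomes."""
    alice = User("alice", "hash-v1")          # constructed sample account
    users = {"alice": alice}
    url = FEEDS.feed_url(alice, "saved")
    results = {"fresh url works": FEEDS.authorize_url(users, url)}
    results["same token on inbox"] = FEEDS.authorize(alice, "inbox", FEEDS.token(alice, "saved"))
    FEEDS.change_password(alice, "hash-v2")
    results["old url after password change"] = FEEDS.authorize_url(users, url)
    results["reissued url"] = FEEDS.authorize_url(users, FEEDS.feed_url(alice, "saved"))
    alice.private_feeds_enabled = False
    results["after disabling feeds"] = FEEDS.authorize_url(users, FEEDS.feed_url(alice, "saved"))
    return results


if __name__ == "__main__":
    for label, ok in demo().items():
        print("%-32s %s" % (label, "accepted" if ok else "rejected"))
```

Scoping the token to the feed name is a design choice beyond what the post states: it costs nothing and limits the damage when one feed URL ends up in a shared reader or a server log.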

How to tell us about an exploit you've found

So, about 8 hours after we put up the new markdown rendering engine, our call to find exploits was a complete success, and here is the new white-hat who found it.

Besides discovering a bug in the way Discount dealt with escaped quotes in certain places (with thanks to David Parsons of Discount for getting a patch out so quickly), we learned that we should probably set up some guidelines for how to report exploits to us. So, we created a wiki page on help.

For those of you who don't know the details of how the infamous worm spread on reddit 5 months ago, here's the short story: a bunch of white-hats created a reddit where they tried to build a proof-of-concept worm that would append itself as a reply to every comment on a given page. The whole thing was contained to a comment thread on that reddit, and all of the testing stayed there...until one of the users went to their inbox. You see, the replying JS is shared between the two areas, so an exploit that works in a comment thread works in your inbox. Your inbox, though, contains, in principle, comments from all sorts of threads from all over the site, so a payload that ran in one thread was suddenly replying into threads everywhere. The result was that the worm got out and spread freely until we took down (and later patched) the markdown renderer.

The lesson and tldr: please don't post or test for exploits in any shared or public areas. PM us and then make sure your work is well hidden. Once the genie is out, it's hard for us to re-cork it.

Monday, February 01, 2010

reddit has a new rendering engine! (hopefully you didn't notice)

As most of you know, reddit's commenting system uses a technology called Markdown that allows you to type stuff like:
My [site](http://something.com) is *really* cool.
...and have it rendered as:
My site is really cool.
We get so many comments (and comment-viewings) per second that doing this translation has always been a major burden on our servers. The more CPU cycles we spend on it, the more application servers we need, and in turn the more connections going to our database servers, the more places we have to roll code out to, and all sorts of other growth problems.

But you shouldn't feel one ten-thousandth of a guilt unit over this news, because we've just switched our rendering engine from markdown.py (which is nothing to sneeze at and has served us well since the beginning) to a 100%-compatible, pure-C implementation of Markdown known as Discount. (Get it?)

In our tests, Discount is fifteen times faster than markdown.py, which should allow us to reclaim some of our computing power and devote it to other areas of the site that are struggling.

If you happen to be the sort of person who can't resist looking for security holes in any new technology, and you come across one here, please let us know quietly, rather than choosing to announce your finding in the form of a worm which takes out the entire site. DO NOT SHARE YOUR EXPLOIT WITH ANYONE ELSE. I promise that we'll immediately get to work on the problem as soon as you tell us, and once it's fixed, we'll give you full credit ... as well as the special new ultra-rare "White Hat" trophy. We're also retroactively giving it to previous responsible disclosers chromakode and notrael. The aptly-named javascriptinjection, who wrote and accidentally released the aforementioned worm, will get one too, but only because he immediately got in touch with us as soon as he realized what he had done, then later found a second vulnerability and reported that one the nice way. Hats off to our winners!
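To make concrete what "looking for security holes" in a renderer means, and the escaped-quote class of bug mentioned in the Feb 2 post, here is an added example. It is not reddit's code, markdown.py, or Discount, and the quote case it tests is a constructed illustration of the bug class, not the actual Discount defect. The renderer handles only the emphasis and link syntax from the example above; the security-relevant parts are that every byte of output passes through HTML escaping with quotes included, that `href` accepts only absolute http(s) URLs, and that a separate allowlist audit of the rendered HTML catches anything the first layer lets through.

```python
import html
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Illustrative renderer for a Markdown subset (emphasis and links), written for this
# example; it is not reddit's code, markdown.py, or Discount.
SAFE_SCHEMES = {"http", "https"}
LINK_RE = re.compile(r"\[([^\]]+)\]\(([^)\s]+)\)")   # [text](url)
EM_RE = re.compile(r"\*([^*]+)\*")                   # *text*
ALLOWED_TAGS = {"a": {"href"}, "em": set()}          # what rendered output may contain


def safe_href(url):
    """Accept only absolute http(s) URLs; reject javascript:, data:, relative paths, garbage."""
    # Browsers ignore embedded tabs/newlines when parsing schemes ("java\tscript:"),
    # so strip control characters before looking at the scheme.
    cleaned = re.sub(r"[\x00-\x20]", "", url)
    try:
        parts = urlsplit(cleaned)
    except ValueError:
        return False
    return parts.scheme.lower() in SAFE_SCHEMES and bool(parts.netloc)


def render_inline(text):
    """Escape text for HTML (quotes included), then apply *emphasis*."""
    return EM_RE.sub(r"<em>\1</em>", html.escape(text, quote=True))


def render(src):
    """Render one comment. Every byte that reaches the output passes through html.escape."""
    out, pos = [], 0
    for m in LINK_RE.finditer(src):
        out.append(render_inline(src[pos:m.start()]))
        text, url = m.group(1), m.group(2)
        if safe_href(url):
            # quote=True is what stops a '"' inside the URL from closing the href attribute
            out.append('<a href="%s">%s</a>' % (html.escape(url, quote=True), render_inline(text)))
        else:
            out.append(render_inline(text))   # unsafe scheme: keep the words, drop the link
        pos = m.end()
    out.append(render_inline(src[pos:]))
    return "".join(out)


class _Audit(HTMLParser):
    """Second line of defence: walk rendered HTML and record anything outside the allowlist."""

    def __init__(self):
        super().__init__()
        self.violations = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            self.violations.append(tag)
            return
        for name, value in attrs:
            if name not in ALLOWED_TAGS[tag]:
                self.violations.append("%s@%s" % (tag, name))
            elif name == "href" and not safe_href(value or ""):
                self.violations.append("%s@href=%s" % (tag, value))


def audit(rendered):
    """Return the allowlist violations found in a rendered fragment (empty means clean)."""
    parser = _Audit()
    parser.feed(rendered)
    parser.close()
    return parser.violations


if __name__ == "__main__":
    # constructed samples: the post's own example plus three hostile comments
    for sample in [
        "My [site](http://something.com) is *really* cool.",
        "[x](javascript:alert%281%29)",
        '[x](http://a.com/"onmouseover="evil)',
        "<script>alert(1)</script>",
    ]:
        out = render(sample)
        print(out, "->", audit(out) or "clean")
```

The audit exists because renderers are replaced (as this post describes) and the next one may escape differently; running the allowlist over the output on the way to the page is what turns a renderer bug from a site-wide worm into a broken link.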

tl;dr: If you see any wonky comments, tell us.

P.S. Special thanks to David Parsons, who is the author and maintainer of Discount and has just been an all-around great guy with respect to this big change. He patiently and quickly answered my endless stream of questions about his code, and even added features to the library that we would have otherwise had to hack in ourselves as a patch. Check out his website, too; it includes photos of his casemod projects and detailed visual archives of some amateur experiments in the field of recombinant DNA research.