No more bots!

Case number:845818-991434
Topic:Game: Social
Opened by:B_2
Status:Open
Type:Suggestion
Opened on:Monday, January 2, 2012 - 03:18
Last modified:Tuesday, January 10, 2012 - 06:43

I would like to officially protest the expanded use of bots on the foldit IRC servers.

#Global has seen the recent return of gringer's dictionary bot, which gets abused frequently by kids who think it's fun to ask it to define any sort of random word or phrase, most of which have absolutely nothing to do with foldit.

Now there is a new 'urlbot' which purports to translate URLs typed into chat into shorter URLs, for some useless reason. This is a huge security risk - there is no way to determine where the shortened/obfuscated URL is pointing a user. It could be any malware site on the net. Those of us who have been around a while know not to click on those types of URLs, but there are plenty of younger users here that haven't realized what a big bad place the internet is.

I would like to suggest a "no bots" rule on the official foldit IRC site.

(Mon, 01/02/2012 - 03:18  |  34 comments)


Joined: 08/30/2011

When these bots aren't officially from foldit they should be removed.
I thought the URL bot was implemented by the developers and it is quite helpful in my opinion.

Joined: 10/11/2011
Groups: None

From the link it posts, it was done by one of the players.

The link it uses is not a dodgy one B2

mimi's picture
Joined: 11/17/2008
Groups: Contenders

When a URL is put into global chat it is quite often not possible to read the full URL if you are accessing chat via the game as opposed to via an external IRC provider. Since it is also not possible "in game" to just click on the URL it can be difficult to access the references.

The urlbot was provided as a service just to automatically take URLs and convert them to a "tinyurl" which will fit in the chat box, so that all users could see what was being referred to.
If you test it you will find it does just that.

infjamc's picture
Joined: 02/20/2009
Groups: Contenders

And regarding the concern that the site being referred to might contain malware: the fact is that there's no way to avoid it unless the Foldit chat system scans the links in advance before allowing the comment. After all, in the event that the link is short enough even without the need of a tinyurl conversion, someone could still fall into the trap of an illegitimate link by manually typing the URL.

B_2's picture
Joined: 11/29/2008
Groups: None

If that is the problem that is trying to be solved here, then using 'tinyurl' links is NOT the way to solve it. Either the chat window needs to be expandable, or make the original links clickable.

Putting a rogue urlbot online to post 'tinyurl' links is not the way to solve this issue.

B_2's picture
Joined: 11/29/2008
Groups: None

Most of you have missed the point.

There IS a way to prevent a malicious website URL from being distributed via an innocent looking tinyurl link. That way is to NOT USE hidden or obfuscated links. I believe the developers are opening up a huge security and liability issue by allowing these types of links to be promoted as if they are produced and supported by foldit.

Having been in computers since before the internet was born (or invented by Al Gore), there is NO WAY I would ever trust a tinyurl link. There is just NO WAY to determine where that link will take you.

It would be so very easy for someone to make a 'urlbot' that spits out links to any sort of evil web site every time someone posts a genuine link in a chat window. You can just not go on 'trust' these days, those that do are foolish.

infjamc's picture
Joined: 02/20/2009
Groups: Contenders

Actually, you CAN enter the domain name as "http://preview.tinyurl.com/" to see what the tinyurl link goes to. But I do agree that there is a possible security issue here; even if the original link is clickable, there's no guarantee that any link is safe. Again, a better long-term solution would be pre-scanning the links... but since I'm not familiar with IRC, I don't know if that's possible.

Joined: 06/17/2010

On the other hand, if all posted links will be clickable....

Joined: 12/06/2008
Groups: Contenders

One cannot guarantee that ANY link will not lead to a malevolent site, whether it's transcribed into a tinyurl.com URL or not. Most of us here are adults, and as such, assume full responsibility for whatever mischief we get into by promiscuously clicking random links. Any children playing here should be under the guidance of their parents, and shouldn't be going off on tangents without their parents' approval.

While I applaud the initial "concern" over this subject, it's really not truly necessary to do this if we realize and accept that players here aren't total morons. At least the ones that aren't playing under three or more different identities.

Dropping the priority of this request to a less hysterical level.

Joined: 04/19/2009

The urlbot was developed and is maintained by ptfrog. His 15 year old daughter also plays - if anyone is going to be the most cautious and diligent about a url bot, it is a parent who knows that his own minor child will be clicking the bot links.

Ingame, exterior links are not clickable - neither are the exterior tinyurls that are generated by the bot. The tinys simply make it easier for folders who are only using ingame chat to type in the links. The bot is only doing what has been asked of many folders many times - to tiny a url so that someone can see it and be able to type in the link.

B_2's picture
Joined: 11/29/2008
Groups: None

I'm sorry, but trust does not happen on the internet, and anyone who does trust a stranger is naive.

You may think that a bot owner is a nice polite parent, but it could just as easily be a pervert or evil-doer using social engineering to lure people into complacency before replacing the harmless tiny URLs with something much more sinister.

There is no way to tell, and social engineering being what it is, it is best to remove the temptation, and only allow pure URLs that can be seen and evaluated. The naive will click on anything anyway, so let's just remove one more possible virus vector.

Joined: 04/19/2009

The problem is that most urls cannot be seen in ingame chat.

You use external irc - many people don't, especially when they start playing the game.

During the days in September when we were inundated with new players, the (volunteer) mods and other veteran players needed to give directions to the tutorials on the wiki, or the videos. That was very time consuming, and repetitious.

On that basis alone, much less that many players now are doing some great research into proteins & wish to share the links, many people have wasted much of their time going to the tinyurl website to tiny a link so that someone else can at least see the link to type it in.

It's all trust, for goodness sakes. You choose not to, that's fine. The rest of us can decide for ourselves whether or not we trust any link, tiny or not - and in this day & age of spoofed websites, you can either make your own decisions about using a link - or to be perfectly safe, never use any that have been suggested to you.

I have never used any name but this one on the web in 15 years, so the thought of someone being "a pervert or evil-doer using social engineering to lure people into complacency before replacing the harmless tiny URLs with something much more sinister" is not usually uppermost in my mind - my browser is equipped with so much safety, and my computer with up to date protection (and I use a mac) that I don't worry about it. I choose which links I will go to, and will ignore any from people I suspect are malicious or uninteresting.

I'll leave that level of paranoia to others who have the expertise in multiple online identities. (And those who leave pseudo-bot links in global, I guess to try to get their point across - don't know because I wouldn't click them).

infjamc's picture
Joined: 02/20/2009
Groups: Contenders

Again, I understand your concern. That's why I advocated the idea of scanning the links before conducting the tinyurl conversion if it's possible to do so.

Also, if you really want to be careful, where does the conspiracy theory stop? I mean, just look at the list of sponsors for Foldit -- how can you know for sure that we aren't being deceived into designing a biological weapon? (Obviously, I'm being hyperbolic here. The point is simply that, while you cannot be 100% sure that the Foldit project is benign, you can be sure beyond a reasonable doubt. And the same can be said of the links that show up on global chat.)

B_2's picture
Joined: 11/29/2008
Groups: None

This is a simple security hole to plug, just disallow the bot. All it takes is someone to make the correct decision, and enforce it.

I can't figure out why you think URLs are not visible in the in-game chat, they do appear.

Here's an example: http://fold.it/portal/files/chatimg/irc_76275_1325820643.png

Joined: 04/19/2009

What you consider the correct decision may not be what many others would consider correct.

As I've just showed you in global:

http://fold.it/portal/files/chatimg/irc_99169_1325820890.png

Ingame, links that long are truncated and unreadable (that picture shows that the link cuts off at the _13). If it's a clickable image link from foldit - then it doesn't matter. If not - then it does!

Here's a foldit wiki link:

http://foldit.wikia.com/index.php?title=Fold.it_IRC_%28chat%29_Information&redirect=no

That shows up on ingame chat as:

http://foldit.wikia.com/index.php?title=Fold.it_I

In order to give a new person that wiki link - you must either tell them "to go to the foldit website, look for the wiki link at the top for the wiki, click on the link near top of front page of wiki for IRC information" - or you must go do a tinyurl for them.

The bot is simply getting the tinyurl - saving many of us time and effort typing the same things over & over again.

One last example that I showed you in global:

http://foldit.wikia.com/wiki/Lua_Functions_That_Should_Be_Implemented
http://foldit.wikia.com/wiki/Lua_Functions_Th (how it shows ingame)

This is not my "display issue" as 3 other people checked during our discussion in global, and all had the same truncation at the same place ingame.

B_2's picture
Joined: 11/29/2008
Groups: None

It sounds like you've provided the answer to both problems, even though one problem is of your own creation.

Simply direct the users to read the proper section of the "wiki", then you won't have to type long URLs to be converted by a high-risk URL shortener, and you can also eliminate an uncontrolled bot from the IRC server. I'm sure your scripters can come up with some canned narrative responses to the common questions that don't require the long links. "/me slaps noob with a trout, and directs the noob to the fold.it wiki to read up on LUA functions" No need to spoonfeed the full link.

Do you not understand that adding a third party re-director in the middle of the http request process is such a huge security risk?

URL shortener sites have been hacked with their stored "short" URLs being redirected to "evil" sites, they have tracked traffic through their sites, they have installed tracking cookies on the unsuspecting user's machines, redirected users to pages showing advertisements before ultimately redirecting them to the desired page, they have provided the desired site in a frame on a page with malicious java code, and a host of other less-than desirable practices. URL shorteners are one of the main tools of the trade of phishers and spammers. There is no guarantee that "tinyurl.com" has not already been compromised, or will not be compromised in the future.

They are bad news, no matter what the possible good intentions are for using these dodgy services.

ptfrog's picture
Joined: 09/29/2011

Interesting -- so your objection is not only to the bot, but to URL shortener sites in general. I cannot speak to that, other than to say that I picked tinyurl because they have been around the longest (as far as I know), and have an excellent reputation.

You've got a point about teaching people how to find things on the Wiki; I kind of like that idea. I could probably analyze foldit links and attempt to direct people through the site. That might be tricky, since the fold.it site is not renowned for internal consistency, but it's worth thinking about. Of course, this would make the bot significantly noisier, and might make others unhappy.

But it does not solve the problem of long URLs for sites other than foldit sites -- like CASP. The folks who help out in IRC take a lot of time and effort to do so -- and while they are capable of writing click-through directions on any URL, I am in favor of any tool that makes their lives easier, and not harder. It also makes things easier for the recipients of the URL -- who are probably being told to "read and learn," and if urlbot makes it more likely that this will happen, hooray! for urlbot.

(Admittedly, not all URLs posted to foldit are protein-related, but it is precisely the fun one can have with other folders that draws many people to this "game." So these should not be excluded.)

But the main justification for what I did is this: think back to how many times you've seen a request like "I can't see that whole URL. Can you post a tiny version?" It seems that URL shorteners are the solution of choice; all I've done is automated the process to save folks some time.

That said, I have an idea. What if I split the posted URL in such a way that it wraps in IRC? For 99+% of URLs, this would involve nothing more than adding a space after each slash. That way folks who do not trust tinyurl can type in the full version. Even folks who do use tinyurl would probably appreciate the security of being able to read the URL that they are being directed to. (I know that I would.) I dislike anything that adds noise to the IRC channel, but if it has value I'd be happy to add the feature. What saith the ops?

And if folks like the idea of teaching a noob to fish -- that is, explaining how to find a link on the fold.it site, I can look into that as well. I might leave out the bit about the trout, though. :-) My thoughts: I suspect that anyone with enough interest will learn their way around anyway, so this might have a fairly low benefit-to-noise ratio. Still, I think that B_2 has a clever idea, and maybe we can find a way to use it.

One last note: I appreciate the sentiment behind such adjectives as "rogue" and "uncontrolled," but I remind you that urlbot is easily controlled. All it has to do is misbehave once, and *poof* -- it's gone. So (in my mind) that moves the conversation onto one about the relative merits of URL shorteners vs utility and common usage. I have some additional thoughts on this, but for now I'll let the comments above stand.

infjamc's picture
Joined: 02/20/2009
Groups: Contenders

As a stop-gap measure, I would say that a URL splitter would be better than a tinyurl conversion if there's a real chance that the redirect could be hacked/intercepted. Alternatively, have the URLBot link to the preview-able version of tinyurl (as I've mentioned in one of my posts above).

ptfrog's picture
Joined: 09/29/2011

As the designer of the urlbot, I have to say I agree with this. There is no easy way to tell where these links will go, and I (or someone clever who manages to masquerade as urlbot) could certainly do something untoward with them.

Having considered this, I decided to produce urlbot and (with permission) release it. My reasoning was as follows:

1) It's awfully useful. It might be better to add features to the client instead -- but development resources are limited, and this fills a hole in the meantime.

2) The first time urlbot does something other than what it is advertised to do, it will no doubt be booted from the system. So the exposure of the fold.it community to a nefarious plan, whatever that plan might be, is quite limited.

I intend to release the code as open source -- so folks can add URLbots to their own groups if they choose. I only have not done so because family health issues have prevented me from taking the time to do some minor cleanup. Of course, there is no way for a user to know if the code I am using is the code I release, and that issue is compounded if others are also running bots. (I would be delighted to make the urlbot service available to other groups as well, but that would give me access to their group conversations. Regardless of my good intentions, this seems imprudent at best.)

I worked very hard to make urlbot useful without being intrusive; I think I succeeded in that. It does not shorten IMAGE URLs, since these are clickable. It does not shorten URLs that are already as short as -- or not much longer than -- a Tiny URL. It warns the user if the original URL was unreachable or appears malformed.

I would be happy to take suggestions on how to make it more useful. I would also be happy to remove it from global, if there is a consensus among the ops that I should do so.

And finally: If the devs, ops, or other muckymucks-in-charge want to run urlbot themselves, I will endorse and support that. (I think it's a fine idea, actually, with much to recommend it.) The code -- written in Perl -- is available for the asking.
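As an added illustration (not ptfrog's Perl urlbot, whose code is not on this page), the following Python sketch combines the two mitigations raised in the thread: ptfrog's proposal to split a long URL so that in-game chat wraps it instead of hiding it behind a shortener, and infjamc's suggestion to send readers to preview.tinyurl.com so they see the destination before any redirect. The chat width, the image suffixes and the short-URL threshold are assumed values chosen for the example, not figures taken from the bot.

```python
"""Defensive URL handling for a chat bot: wrap instead of shorten, and
route existing tinyurl links through the preview host.

Policy mirrors what the thread describes for urlbot (skip image links,
skip already-short links, flag malformed ones); the constants below are
assumptions for this example.
"""
import re
from urllib.parse import urlsplit, urlunsplit

IMAGE_SUFFIXES = (".png", ".jpg", ".jpeg", ".gif")   # clickable in-game, so leave alone
SHORT_ENOUGH = 30   # assumed: about the length of a tinyurl link, nothing to gain
CHAT_WIDTH = 48     # assumed: in-game chat cut the thread's examples at ~49 chars


def classify(url):
    """Bucket a URL as 'malformed', 'image', 'short' or 'long'."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return "malformed"
    if parts.path.lower().endswith(IMAGE_SUFFIXES):
        return "image"
    if len(url) <= SHORT_ENOUGH:
        return "short"
    return "long"


def wrap_for_chat(url):
    """Insert a space after '/', '?' and '&' so the URL wraps in chat.

    ptfrog's proposal was a space after each slash; '?' and '&' are added
    here because the wiki link quoted in the thread has a query string
    longer than the chat width, which slashes alone would not fix.
    """
    scheme, rest = url.split("://", 1)
    return scheme + ":// " + re.sub(r"([/?&])", r"\1 ", rest).rstrip()


def unwrap_from_chat(text):
    """Reverse wrap_for_chat: URLs never contain spaces, so only a space
    directly after a separator is removed."""
    return re.sub(r"([/?&]) ", r"\1", text)


def fits_chat(text):
    """True if every space-separated piece fits within the chat width."""
    return max(len(piece) for piece in text.split()) <= CHAT_WIDTH


def preview_link(url):
    """Rewrite tinyurl.com links to the preview host that shows the target
    before redirecting; None for any other host."""
    parts = urlsplit(url)
    if parts.netloc.lower() == "tinyurl.com":
        return urlunsplit(parts._replace(netloc="preview.tinyurl.com"))
    return None


def bot_reply(url):
    """What the bot would say in channel for a posted URL, or None to stay quiet."""
    kind = classify(url)
    if kind == "malformed":
        return f"urlbot: '{url}' looks malformed, not relaying it"
    if kind == "image":
        return None
    preview = preview_link(url)
    if preview:
        return f"urlbot: see the destination first: {preview}"
    if kind == "short":
        return None
    return "urlbot: " + wrap_for_chat(url)


if __name__ == "__main__":
    # URL quoted in the thread as being truncated in-game
    wiki = "http://foldit.wikia.com/index.php?title=Fold.it_IRC_%28chat%29_Information&redirect=no"
    print(bot_reply(wiki))
```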

spmm's picture
Joined: 08/05/2010
Groups: Void Crushers

my 2cents - the URL shortener is really useful, I support keeping it - the definition bot is unnecessary and I support its removal.

B_2's picture
Joined: 11/29/2008
Groups: None

So you are against practicing safe internet? Remind me never to try a link or file from you.

I can't believe how much social networking and microblogging has made supposedly intelligent people so accepting of such high-risk practices as letting uncontrolled third parties get in the middle of http requests. It's simply staggering.

A perfect example of why we will never get rid of spam and phishing, so many people simply choose to ignore obvious safety practices.

Joined: 10/11/2011
Groups: None

I think you may find that he likes it, as he can misuse it as was evidenced earlier in chat

Tlaloc's picture
Joined: 08/04/2008
Groups: Mojo Risin'
Type: Bug » Suggestion

There are many things that are security risks on the Internet. Urlbot isn't one of them. Tinyurl is a well-known url shortener. It takes the original url and hashes it to a short url with a consistent algorithm. The same url always results in the same tinyurl, and no two urls will have the same tinyurl. If the original url is safe, then the tinyurl will also be safe. Assuming that the tinyurl site isn't hacked, which I think is a pretty safe assumption since it has been around for years and is widely used, the tinyurl is just as safe as the original url.

If you have a properly patched and up-to-date web browser, the assumption of the web is that html and javascript cannot infect your machine (zero day browser exploits being the exception). Even pdf files and flash are generally assumed to be safe, although Adobe has frequently proven that this assumption is wrong. If you download a file, or run a program, all bets are off, but the web browsers always require an additional step before you can perform those tasks.

The urls that are posted could lead to content that may be unsuitable to children, or spam, or other unsavory sites, but the original url will lead to exactly the same content. Since we have a core of players from around the globe who are watching chat virtually at all times, the content posted in chat is watched for improper content. The main problem we have is swearing and annoying teenagers who have not learned the conventions for chat. Spam, commercial posts, and other bad links have not been a problem.

Urlbot provides a service, as does gringer's bot. Any new bots should be evaluated on a case by case basis, but I see no reason to make any change to either the policy of allowing bots or these bots in particular.

B_2's picture
Joined: 11/29/2008
Groups: None

I completely disagree that 'urlbot' is not a security risk. 'urlbot' is distributing those third party links. There is a long history of URL shortener services being hacked, and of unsavory practices by the services themselves attempting various revenue generating schemes. To say that it's safe simply because urlbot is using one of the older or more well-known services is ridiculous. If anything, tinyurl.com is probably more of a target for being hacked than the smaller less-known URL shortener services. If they get hacked there will be tens of millions of compromised URL redirection links, making them a prime target.

Adding that third party in the middle between the user and the destination URL is very much asking for trouble.

Just wishing that it's safe isn't going to make it so.

B_2's picture
Joined: 11/29/2008
Groups: None
Type: Suggestion » Bug

I realize that because this is an AD group invention, it's considered sacred, but that shouldn't be allowed to compromise security.

Joined: 06/17/2010
Type: Bug » Suggestion

Change it one more time....
Brick, it is just because you are not using chat at all. Well, maybe you sometimes throw in a few words about how evil we are, but not many constructive things.
IRC related issues are NOT a top priority for Foldit devs. Many more things are still to do in the game client. If you don't like gringer or urlbot, just use the /ignore function and live happily ever after.

B_2's picture
Joined: 11/29/2008
Groups: None
Type: Suggestion » Bug

It is a high priority security risk. Just about as important as if the fold.it site itself was hacked.

Joined: 06/17/2010
Type: Bug » Suggestion

Are you kidding? Tlaloc is a dev; if he changes the priority you cannot just switch it back.
Anyway, it is the first post I have seen with such negative (-9 atm) points from feedback users.
FYI all further non-dev priority changes will be deleted.

Joined: 10/11/2011
Groups: None

Apparently devs have a foldit icon next to their name (source: Beta-helix); tlaloc does not have a ribbon next to his name....:)

Joined: 06/17/2010

FYI Tlaloc is the guy who gave us v2 Lua.... he IS a DEV :)

Joined: 10/11/2011
Groups: None

I know perfectly well who tlaloc is, thanks.
An extremely good programmer and software developer.
He was contracted by foldit on a fixed term contract to implement functionality etc. in Lua.

ptfrog's picture
Joined: 09/29/2011

It may be that this conversation has largely run its course, since we have reached the stage where we are simply disagreeing about fundamentals. But there were a couple of ideas that came out, and I'd still like to get feedback on them.

"What if I split the posted URL in such a way that it wraps in IRC? For 99+% of URLs, this would involve nothing more than adding a space after each slash. That way folks who do not trust tinyurl can type in the full version. Even folks who do use tinyurl would probably appreciate the security of being able to read the URL that they are being directed to. (I know that I would.) I dislike anything that adds noise to the IRC channel, but if it has value I'd be happy to add the feature. What saith the ops?"

and

"teaching a noob to fish:" briefly explaining how to click through to links on the foldit site -- instead of, or in addition to, the tinyurl.

Comments? Anyone who has stuck it out this far has a genuine interest in the topic, so I would appreciate your thoughts. That said, it probably makes sense to open a separate thread for this discussion; I think I'll do that and post the link here.

ptfrog's picture
Joined: 09/29/2011

I have just opened the thread

urlbot security improvements and suggestions
http://fold.it/portal/node/991511

I propose that in keeping with the subject lines, we keep discussion of the merits of bots and URL shorteners in this thread, and discussion of urlbot features in that one.

Tlaloc's picture
Joined: 08/04/2008
Groups: Mojo Risin'

I need to make clear that I don't speak for the foldit team. My post is from my knowledge of the Internet, and my feeling for what is and isn't a security problem. I don't feel that urlbot is any substantial and real risk, and I think there is nothing to address here. Believe me that I'm about 10 times more security conscious than the typical user of the Internet.

In any case, this is *not* a bug, and should not be classified as one. Furthermore since it does not crash the foldit client for a substantial number of people or make the game unplayable, it is certainly not a priority one issue.

What Seth and Zoran feel about chat bots, I don't know. The best they can do with bots is ask people not to put them on global chat, since foldit chat just uses irc. They can block individual usernames or ip addresses if something malicious is detected, but I just don't see this as something that they should spend resources on. They have few enough and there are far more important issues for them to spend their time on.
