urlbot security improvements and suggestions

Case number: 699969-991511
Opened by: ptfrog
Opened on: Sunday, January 8, 2012 - 13:23
Last modified: Wednesday, January 11, 2012 - 23:51

A couple of suggestions have come up for changing urlbot, and to reduce security issues.

URLbot was designed to help IRC users reach URLs that are too long to read in Foldit's built-in IRC client. But there is an inherent security risk in going to a link that you cannot read. (Questions have also been raised about the security of using URL shorteners -- but that discussion may be found in the thread titled "No more bots!") Some suggestions have been made on how to limit the security risks, and I list them below. But first a word about URLbot design principles:

The guiding principle is that URLbot should be useful without being overly intrusive. It does not translate long IMAGE urls sent by clicking on the camera in the client, since these are already clickable. URLbot does not translate short URLs: unless the URL can be shortened by at least a few characters, it is ignored. It also does some link-checking, and warns if the URL appears malformed or unreachable. (It doesn't censor anything, though.)

I mention all of this because the following suggestions have a downside; they increase the verbiage that will come from the bot. The good news is that URLs are still a small fraction of our conversations, so the total "noise" level will still be small.

Two ideas have been raised:

"Split the URL."
What if URLbot splits the posted URL in such a way that it wraps in IRC? For 99+% of URLs, this might involve little more than adding a space after each slash. The IRC client will automatically wrap the results in a fairly readable way. Even folks who choose to use the tinyurl link would probably appreciate the security of being able to read the URL that they are being directed to. (I know that I would!) I expect that this readable version URL would follow the tinyURL.


"Teaching a noob to fish." For links that come from the foldit site itself, what if I briefly explain how to reach the link in question? For instance:

Go to home page, click "Wiki" in the header and then ....

This could also follow or replace the tinyurl now being generated. I haven't really looked at how easy or hard this will be, but I believe it is doable. I would attempt to make the descriptions as dynamically generated as possible, to minimize the need to change code if the site is reorganized. This would also allow me to say things like "The link to puzzle 497 is near the bottom of the page."

I suppose I could make this a separate function, requestable with a command like
urlbot explain
I don't imagine many would use this, though -- which means that the large amount of work this might require would have a very small payback.

A third possibility is bound to come up: "fix the IRC client!" This is a discussion for another thread. The devs would like nothing better than to fix everything and make everyone happy -- but in our imperfect universe, neither of those goals is something one should hold one's breath waiting for. :-) I'm sure that we all want the devs to concentrate on nifty folding features first -- especially if there is an easy workaround like URLbot that can stand in place of a coded solution to the URL wrap problem. So for this discussion, let's focus on what URLbot can do for us.

Comments? Suggestions? Other ideas?

(Sun, 01/08/2012 - 13:23  |  14 comments)

Joined: 04/19/2009

Of the options you've proposed above, the second option would be unwieldy - and yes, require much work that would need to be redone many times.

The first option (splitting the url into readable chunks) - although it would increase the "noise" - would get my vote. It would add a level of security to the bot, and although I suspect that most would choose to follow the tinyurl, some who may worry about the tinyurl security could then type in an entire link (because they could actually SEE it ingame).

It may be better to have the bot do the split url first with the tiny after it.

ptfrog's picture
Joined: 09/29/2011

Thanks, auntdeen. I was thinking that the tinyURL would be more visible if it went first. But now that you mention it, I think it may work better the other way around.

If the decision is made to try this approach, we'll do some experimenting in group and see what works best. There are several ways we might format all this info, and it's not obvious to me what the best choice will be.

B_2's picture
Joined: 11/29/2008

Of course, the most elegant solution would be to make links clickable in the chat windows, as the IMAGE links are now.

I'm not sure why they elected to not make that happen originally. If people are going to post URLs in chat, it's no more of a risk than copying the link to a browser, and less than using the shortened links.

Joined: 10/11/2011

It would be less work, less hassle and cause less "fighting" to make the chat window resizeable and links clickable.

while the bot has a degree of merit..it is also causing a lot of negativity and all the proposed workarounds are getting silly really.

two links from the bot?...so that would be a total of 3 links every time..that is sheer nonsense

ptfrog's picture
Joined: 09/29/2011

Alas, I figured this would be the first suggestion. But even though I suggested it should not be part of this discussion, it has merit and should not be simply ignored.

> It would be less work, less hassle and cause less "fighting" to make the chat window resizeable and links clickable

I agree to the third point, with reservations. I cannot truly speak to the first two; only devs can. Though I doubt that any change to the Foldit client is less work for the devs than allowing a URLbot to continue.

I actually wrote a more detailed response, and then I deleted it. We are all concerned with the level of noise occurring in online discussions, and the best way to minimize noise in a forum is to ensure that discussions are held in relevant threads. There are places to argue for the removal of URLbot, and others to argue for increasing the priority of adding features to the IRC windows in the Foldit client. However, I am concerned about one remark:

> it is also causing a lot of negativity

I haven't seen this, myself: I see a very few people objecting, and a much larger number (either in the forums or in IRC and PM) supporting it. But if it is causing a lot of problems, URLbot should be removed.... tealight: can you do an informal survey, and bring the results to the "No more bots!" discussion page? How many folks out there don't want URLbot at all?

Returning now to the topic at hand: Assuming that urlbot will continue to run - what features will make it most useful?

The following remark touched on this, sort of:

> .so that would be a total of 3 links every time..that is sheer nonsense

I'm with you, tealight. I hate "noise" in a conversation. Even introducing URLbot's current functionality was an exercise in soul-searching.

On the other hand (you *knew* there was another hand coming, didn't you?) I just took a look at the statistics. Since URLbot started in global, it processed 14,550 lines of text. In that time, it shortened 104 URLs. Bothersome -- but perhaps it does not quite rise to the level of "sheer nonsense." Especially since some of those probably would have had a tinyurl added anyway -- and perhaps a line from another user requesting a shortened version, or several lines of conversation about why someone cannot get to the URL. It may not quite break even, but it's likely to be close.

That doesn't mean we can't do better, though. I've got another idea -- tell me what you think:

For convenience, I generate a tinyurl whenever the real URL is at least 30 characters. (A tinyurl is 26 characters.) I think that this minimum character count may be a little small; we might want to increase the threshold to, say, 35 characters. This would reduce the total output by 23 lines, or better than 20%.

The problem is that I cannot tell how much of a URL is actually displayed in the IRC window. The font is not fixed width, and the number of characters may vary by platform. It may also be that folks with impaired vision have a display configured to show fewer (but larger) characters. All of this is why I picked such a small number for the URLbot threshold.

But if we can determine the lower limit for the number of characters displayed in a line (say, 40), we can avoid redisplaying URLs that are short enough to fit entirely on the screen. For instance, there were only 69 URLs that were longer than 40 characters. 69 URLs translates to about 4 added lines per day, on average. Not a lot to worry about, I think.

I had one other idea: I could reduce the output a bit more by not re-parsing links within the foldit site -- on the assumption that foldit links are going to be "trusted." I'm not crazy about this, though. The savings would be small, and might encourage some miscreant to try to hack the Foldit web site to take advantage of this feature.


> all the proposed workarounds are getting silly really

Some of them *are* silly, at least to me. But we're brainstorming; that often involves discussing silly ideas. And I prefer to look at the opinions of others with as open a mind as possible -- especially when my first inclination is to respond dismissively. It sometimes leads to interesting concepts I'd otherwise have missed. Plus, it tends to cut down on the heat in the discussion.

Ultimately, only the really good ideas will be implemented.

Joined: 10/11/2011

my comment "sheer nonsense" was with respect of the suggestion of urlbot posting two links every time a link was posted..that would make 3 links..even on a full irc screen that would be a mess to read, let alone the stupidly small game chat screen.

My negativity comment is based on the posts about it, the votedowns and also tristan's observations in another feedback post and a small amount from the chat.

I think the general idea is a good one, and you have put a lot of work into making it as clean and simple as you can.
The level of "noise" there is now, is okay.

The noise level would only be an issue in a small screen, if a lot of links were posted in short succession, which could occur with another influx of new people.
Perhaps determining the maximum characters the game screen displays on one line and making that the default for a URL being shortened. As far as I am aware the font size in game can't be made bigger ( I stand to be corrected on that ) rather than the size of a URL

People with vision problems wear glasses, so one would assume they would be able to see 6pt fonts, I can see 4pt with glasses and absolutely nothing without :P
If there are players who are legally blind playing, they would probably have software to convert text to speech

The main concern seems to be security. Reassure those who fear for security breaches and you will be "home and hosed" as they say

You have done a marvelous job PT, please don't think I have been disparaging of your work.

( can you make a bot to lose gringer?) lol

ptfrog's picture
Joined: 09/29/2011

Thanks, tealight. That clears it up.

- There may be a fair amount of commentary, but it seems to come from a very small number of players. One can never please everyone, so we may have to live with that. But I

- When I said "vision impaired" I was thinking legally blind. I don't know of any way to change the character size or typeface either, but I don't know if they are actually hard-coded into the app.

- I cannot convince anyone of URLbot's security, no matter how often I say "trust me." I just don't have the face for it, I guess. :-p I leave this discussion to the "No more bots!" thread.

- I still kind of like the idea of being able to read the URL. Something like :

urlbot: The long URL from tealight has been shortened to ==> http://tinyurl/abcdefghi <==. The original URL was http:// www.deliciouslinkster.com/ Dantes7CircleEmporium/ DepartmentOfTourism/ MenuListing/ Sloth/ FastFoodIndex.html

I don't know how this will look in the client; I'm just guessing that highlighting the tinyURL with a couple of arrows will be useful. Really, the only way to tell will be to experiment a bit.

But I see your point.... Still, if there is not much discussion, I might suggest to the ops that we try it for a bit and see what people think.

- Thanks very much for the kind words.

- I am not a bot, I am an UNaugmented human!
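The "split the URL" idea from the opening post, producing the reply format sketched in the comment above, as an added example (not URLbot's own code, which this page does not show). The 30-character threshold and the reply wording come from the thread; `split_url`, `bot_reply` and the 40-character chunk limit are names and values assumed for illustration. It goes beyond "a space after each slash" by also breaking long slash-free segments, which would otherwise still not wrap.

```python
import re

THRESHOLD = 30   # from the thread: shorten only URLs of at least 30 characters
MAX_CHUNK = 40   # assumption: the thread's "say, 40" characters per chat line


def split_url(url, max_chunk=MAX_CHUNK):
    """Return url with spaces inserted so a chat client can wrap it."""
    pieces = []
    # Each token is text up to and including a run of slashes, or the tail.
    for token in re.findall(r"[^/]*/+|[^/]+", url):
        # Long slash-free stretches (query strings, long file names) would
        # still not wrap, so cut them after punctuation or at max_chunk.
        while len(token) > max_chunk:
            cut = max(token.rfind(c, 0, max_chunk) for c in "?&=-_.") + 1
            if cut == 0:
                cut = max_chunk
            pieces.append(token[:cut])
            token = token[cut:]
        pieces.append(token)
    return " ".join(pieces)


def bot_reply(nick, url, short_url, threshold=THRESHOLD):
    """Build the channel line, or return None when the bot stays silent."""
    if len(url) < threshold:
        return None  # short enough to read as posted
    return (f"The long URL from {nick} has been shortened to "
            f"==> {short_url} <==. The original URL was {split_url(url)}")


# Constructed sample input: the made-up URL and short link from the thread.
SAMPLE_URL = ("http://www.deliciouslinkster.com/Dantes7CircleEmporium/"
              "DepartmentOfTourism/MenuListing/Sloth/FastFoodIndex.html")
SAMPLE_SHORT = "http://tinyurl/abcdefghi"

if __name__ == "__main__":
    print(bot_reply("tealight", SAMPLE_URL, SAMPLE_SHORT))
```

Removing the spaces from the readable form gives back the posted URL, so a reader can compare it with where the short link actually lands.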

B_2's picture
Joined: 11/29/2008

I'm curious why you think the "ops" have any say in what is allowed on the IRC channels.

If there was an abdication of control of the IRC servers by the fold.it staff, I didn't see any notice of that.

I believe the role of the moderators is to enforce policy, not make policy.

I'm sure one or more of them will chime in on this. However, it would be nice if the fold.it staff would also grace us with an opinion on the proliferation, quality and types of bots that will or will not be allowed on the public project channels.

I have no issue if some team wants to pollute their group channel with the noise from endless bots, but #Global is already more than "noisy" enough.

ptfrog's picture
Joined: 09/29/2011

Good question. The answer is, it was just an assumption on my part. As an IRC user, I generally figure that the ops are in charge -- at least, as you say, to the extent of enforcing the rules. I also assume that if there are questions about policy, they are the ones who know the people to ask and will make the necessary inquiries on my behalf.

It doesn't necessarily work that way, of course. But if the ops are not the people to ask, then they can direct me appropriately. Or you can, if you like: who should I direct the query to?

Joined: 10/11/2011

Beta-helix or Jflat

S-Man's picture
Joined: 12/09/2011

I agree with B_2, and also, could you add some like "chatting tools", you know like emoticons, text presets (BRB, LOL, BTW, etc...), Showing our profile picture when we chat, and if the person has left or not so nobody's sitting there chatting with themselves.

Joined: 10/11/2011

To get those features you will need to use an external IRC client..like Mirc, icechat etc. Or you could use the web based one called Mibbit

ptfrog's picture
Joined: 09/29/2011

I agree with B_2 as well: making the link clickable would be better. But I can't do that, or make the other changes you suggested -- I'm not a developer, just a user like you.

And until the devs have time to work on the IRC client, I thought that URLbot could make users' lives easier in a small way.

Joined: 09/22/2011

The clickable links issue is now being addressed:

In game chat doesn't allow clicking URLs - http://fold.it/portal/node/988174#comment-15220

