A few site improvement ideas

harpoonflyby

The Force is Strong With This One
After listening to the recent podcast (about connection costs), here are a few things that could help the site:

- The podcast page
- There are two ways of playing back podcasts, one using the nice flash player, the other by clicking on the titles listed below that area to reveal download and streaming options. When I first started listening to podcasts (as an unfamiliar user) I somehow had two podcasts streaming at the same time and couldn't figure out very easily how to stop it. I can't seem to reproduce that now, so don't ask how. I wonder how many others have run into similar things trying to figure out this UI. I can also be listening to the player and then drag the player out of view, after which it is gone forever.

- What if you bundle the podcasts into 2 or 3 segments and offer them through bittorrent, and place the torrent files on your podcast page. I saw that being done over on Chinesepod.com, which works really well since they have hundreds of podcasts. I for one would help keep it seeded from one of my machines. You could *conceivably* force people to just use bittorrent if they want to download the files; otherwise they're left to use your player, or iTunes. It depends on how dire you are about cutting costs; that way it wouldn't be so easy to just click around and easily incur bandwidth usage.

- Search - I noticed the search box keeps sliding further and further down the page on the right column as new stuff is added. This area of a webpage is typically the lowest value, while search is probably the highest feature you can offer, especially with the amount of content on this site. It would be good to move the search box to the left column and at the top. People will actually hunt around on other pages to find this feature thereby incurring wasted page uploads / bandwidth.

- The subscribe button - This would be helped if it looked more clickable, like a button; it doesn't attract the eye because it is using script which recedes into the page. Some sort of color, rounded box, or even 3D bevel would probably get more clicks on that.

Just some suggestions, feel free to ignore.
 
harpoonflyby said:
- What if you bundle the podcasts into 2 or 3 segments and offer them through bittorrent
We do not want to encourage our readers to use bittorrent because of "Spyware Floods In Through BitTorrent"
http://www.eweek.com/article2/0,1759,1828633,00.asp
and other security related reasons.

We would rather encourage our readers to have all ports on their computers closed except for the very few that are absolutely necessary.
 
I would agree that the search box could be more prominent. I spent a good 8 weeks reading SOTT before realising I could search more easily.
 
ark said:
harpoonflyby said:
- What if you bundle the podcasts into 2 or 3 segments and offer them through bittorrent
We do not want to encourage our readers to use bittorrent because of "Spyware Floods In Through BitTorrent"
http://www.eweek.com/article2/0,1759,1828633,00.asp
and other security related reasons.
Interesting article. As read below in the comments:

Hash checking prevents anyone from adding anything to the original torrent, and if you're in the habit of downloading and running random executables from the Internet (you don't even 'run' movie clips) then you're at risk whichever way you choose to acquire them. Otherwise the article was very... grammatical.
The assertion in the article that adware can be 'bundled' into a torrent at some interim point 'while the bits are flying around' and become hidden when the 'bits are reassembled' is a fallacy. The files you end up with, after your download is complete and verified, are exactly the same as they were when the torrent was first created. The only way you could download a torrent containing spyware is if it was created to contain spyware. As the guy above me said, this is no different from downloading files using any other method. And bittorrent is inherently less suitable for propagating this stuff when compared to other P2P networks. If you're worried about spyware you really shouldn't be using WMP either, same as IE.
 
harpoonflyby said:
Interesting article. As read below in the comments:

.... As the guy above me said, this is no different from downloading files using any other method.
The above is evidently not true. It is, in fact, false. It IS different from direct downloading from a site that you know and trust. Let me patiently explain to you why: if you download a podcast, for instance, from our site, then you know, with rather high probability, that it is us who put the file there. If you download the file via bittorrent - you have no idea who put the file there, who has tweaked its content and how. The files downloaded via distributed p2p networks may contain any number of interesting "additions" that are not always completely innocent. Knowing that there are agencies around that would like to use any available method for increasing their spying capabilities, it would be a real surprise if such an idea were not exploited. Digital signatures etc. will not help as they can be tweaked as well.
 
There are also different versions of 'bittorrent' exe's floating around, so this can also be seen as the first level of attack. Any EXE downloads should NOT be installed unless you KNOW FOR A FACT it is safe. EXE's can open up a "pandora's box" from which malicious software can be downloaded from the Internet, can create a series of programs so that it can bypass all security software and then be integrated to exploit your system. So.. you are still left with 'trusting the source' for the downloaded media but even then, this is no guarantee that your computer will not be exploited by means you have no idea of, especially where a "man in the middle" attack can be easily carried out.

There are MANY exploiting tricks, too long to divulge here. But one thing you can do is to prevent YOURSELF from ADDING MORE PROBLEMS TO YOURSELF by being TOTALLY AWARE of the security problems that computers have. Let's face it, it is VERY DIFFICULT to do this, especially if you do not have the information to do your homework, as most of this information is proprietary and you are at the mercy of the software vendor. This is true for most of the software wherever the source originated from. Even with the OPEN SOURCE community, there is always the possibility of code being added that escapes the attention of security aware engineers, so there are no guarantees, even here.

When you connect a computer to the Internet, you are, in fact, opening your front door to anyone who dares to come into your computer. Yes, you can buy firewalls, antiVirus, and many security products but this in fact does NOT guarantee total protection from all forms of attacks, but it does at least put in some restrictions so as to block "normal people" from attacking you. It cannot stop hackers or the security agencies that have "backdoor access" to your computer. In the US, software MUST have backdoors installed and certain security software MUST be restricted to a certain level (otherwise they are classified as "munitions") so that your friendly gov't can spy on you if they wish to do so. What this means is that digital signatures (a form of encryption with protocol), encryption, private-lines, all of these things can be exploited, perhaps not as easily, but they have been done and you can bet that security agencies have no problem at all, unless you violate the "rules" (PGP) and do not get caught.

The first weakest link of all is human ignorance. No amount of security can be developed to prevent an idiot from giving away their password, creating weak passwords (such as "computer"), divulging their security numbers, not securing or improperly securing a computer system, or accepting a data-media to be installed into their data-sensitive computer system(s) without first taking the necessary security precautions and with due diligence. There are myriad ways an ignorant individual can cause security problems for themselves.

The second weakest link is placing computer(s) on the Internet. A really secure system is one in which you can put ONE computer on an Internet connection, for which this computer has NO SENSITIVE INFORMATION on it, and all of the precautionary security devices/software is installed. This computer is physically isolated from all other systems. This computer is one which can have ALL data destroyed and then re-installed as necessary. This is akin to having a sentry posted at the "front door", around this one computer, 24 hours a day. Any data obtained from the Internet or outside source(s) is completely scrubbed for antiVirus, AntiSpyware, etc., etc., before it is physically brought inside and transferred to its private internal computer system(s). Of course, there is NO GUARANTEE that malicious data is not introduced into the private internal computer systems, but with proper and due diligent procedures, these steps do minimize security risks. This is of course "inflexible", which is why many ITs do not do it in this way, because they want many of their employees or family members to have access to the Internet - so the IT folks will have to put a LOT of bucks into more hardware/software security systems infrastructure and pray that they can minimize damaging attacks. Again, there are no guarantees, there are more points of attack, and there are no guarantees that an insider cannot bring damaging software inside the private internal computer system(s) or take sensitive data to the outside. Please be aware that attacks can take advantage of weaknesses in the operating system, even at the level of protocols such as TCP/IP, and also attacks can happen with physical devices between your home system and the physical line somehow going to your ISP. There are MANY, MANY places to exploit an attack and it is fairly easy to do.

Ok, I am SURE there is a LOT more to be said, but I think I said enough for now.
 
ark said:
harpoonflyby said:
Interesting article. As read below in the comments:

.... As the guy above me said, this is no different from downloading files using any other method.
The above is evidently not true. It is, in fact, false. It IS different from direct downloading from a site that you know and trust. Let me patiently explain to you why: if you download a podcast, for instance, from our site, then you know, with rather high probability, that it is us who put the file there. If you download the file via bittorrent - you have no idea who put the file there, who has tweaked its content and how. The files downloaded via distributed p2p networks may contain any number of interesting "additions" that are not always completely innocent. Knowing that there are agencies around that would like to use any available method for increasing their spying capabilities, it would be a real surprise if such an idea were not exploited. Digital signatures etc. will not help as they can be tweaked as well.
Ah I see your point, however I do not gather this was the point of that particular article. To your point, the same could be said about the newsletter email you send to members. You could more easily manipulate email than the content of a podcast. In the podcast bittorrent case, what you say is true if you have your torrent files hosted on just any service. However, since you would in fact be hosting the torrent file on your website, you would be the one who creates the hash, and not some third party. So in theory people still have the same assurance. Completely infallible authentication is not possible, however, so you are right to some extent.

By adding digital signatures to content you place in bittorrent, you could publish your key, which would allow users to validate the content. Another idea is you could have one of your members speak the key's fingerprint into the podcast; that way users can validate the key you publish, if you want to be really really paranoid. If someone wanted to obfuscate or alter the content of a podcast using sound/speech manipulation they would need to go through a heck of a lot of trouble (not saying they couldn't, just that it would be difficult to change very much of the context of the podcast).
 
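The two claims argued over above (the quoted comment's "hash checking prevents anyone from adding anything to the original torrent", and the later point that a torrent file hosted by the site itself pins the hash the site created) can be checked with a few lines of code. This is an added example written for this page, not code from any poster here and not SOTT's own; it stands in for a BitTorrent client's piece verification with SHA-1 per piece (as real .torrent files do) but skips bencoding, so the info hash below is a simplified canonical digest and all function names and the 16-byte piece size are assumptions of the example. The file bytes and the two "doctored copy" cases are constructed.

```python
import hashlib
from typing import List

# Constructed: a tiny piece size so the example stays readable; real torrents use 256 KiB or more.
PIECE_LENGTH = 16

# Constructed stand-in for the bytes of a podcast episode as published on the site.
ORIGINAL_FILE = b"SOTT podcast episode 12 - constructed sample audio bytes"


def make_piece_hashes(data: bytes, piece_length: int = PIECE_LENGTH) -> List[bytes]:
    """Split the file into fixed-size pieces and SHA-1 each one, as a .torrent's 'pieces' field does."""
    return [hashlib.sha1(data[i:i + piece_length]).digest()
            for i in range(0, len(data), piece_length)]


def info_hash(name: str, piece_length: int, piece_hashes: List[bytes]) -> str:
    """Digest over the torrent's 'info' data: name, piece length and every piece hash.

    Real clients hash the bencoded info dictionary; this simplified canonical byte string
    stands in for it (assumption made for the example). Whoever creates the .torrent file
    fixes this value, and every peer is held to it.
    """
    h = hashlib.sha1()
    h.update(name.encode())
    h.update(b"\x00" + str(piece_length).encode() + b"\x00")
    for piece in piece_hashes:
        h.update(piece)
    return h.hexdigest()


def verify_download(data: bytes, piece_hashes: List[bytes], piece_length: int = PIECE_LENGTH) -> List[int]:
    """Return the indices of pieces that fail hash checking; an empty list means the download matches."""
    got = make_piece_hashes(data, piece_length)
    bad = []
    for i in range(max(len(got), len(piece_hashes))):
        # Missing pieces, surplus pieces and altered pieces are all rejected.
        if i >= len(got) or i >= len(piece_hashes) or got[i] != piece_hashes[i]:
            bad.append(i)
    return bad


def publish_torrent(name: str, data: bytes) -> dict:
    """What the publisher (here, the site itself) would put in its own .torrent file."""
    hashes = make_piece_hashes(data)
    return {"name": name, "piece_length": PIECE_LENGTH, "pieces": hashes,
            "info_hash": info_hash(name, PIECE_LENGTH, hashes)}


def tampered_in_place(data: bytes, offset: int) -> bytes:
    """Constructed failure case: one byte inside the file differs from what the publisher hashed."""
    buf = bytearray(data)
    buf[offset] ^= 0x01
    return bytes(buf)


def with_appended_payload(data: bytes) -> bytes:
    """Constructed failure case: extra bytes glued onto the end of the file."""
    return data + b"[constructed stand-in for an unwanted extra payload]"


if __name__ == "__main__":
    torrent = publish_torrent("episode12.mp3", ORIGINAL_FILE)
    print("clean copy   ->", verify_download(ORIGINAL_FILE, torrent["pieces"]))
    print("byte changed ->", verify_download(tampered_in_place(ORIGINAL_FILE, 20), torrent["pieces"]))
    print("appended     ->", verify_download(with_appended_payload(ORIGINAL_FILE), torrent["pieces"]))
    # A torrent built over a doctored file has a different info hash: it is a different torrent,
    # not the one the site published, so a client holding the site's .torrent never accepts it.
    doctored = publish_torrent("episode12.mp3", with_appended_payload(ORIGINAL_FILE))
    print("same torrent?", doctored["info_hash"] == torrent["info_hash"])
```

Two things follow from running it. A piece that differs from what the publisher hashed is discarded and re-fetched from another peer, so a copy that is altered or extended in transit never becomes a completed download; and a torrent made over a doctored file has a different info hash, so it is simply a different torrent. What hash checking cannot do is tell you whether the .torrent file you started from is the publisher's: that assurance comes only from where you obtained the .torrent file, which is exactly the "download from a place you trust" point made in the thread.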
harpoonflyby said:
Ah I see your point, however I do not gather this was the point of that particular article. To your point, the same could be said about the newsletter email you send to members.
No. Our newsletter is a pure text file. Moreover, you miss the point about downloading from places that you TRUST.

harpoonflyby said:
You could more easily manipulate email than the content of a podcast.
No. Our newsletter is a pure text file. Moreover, you miss the point about downloading from places that you TRUST.

harpoonflyby said:
By adding digital signatures to content you place in bittorent, you could publish your key which would allow users to validate the content.
You could count on fingers of one hand those readers who would care to know how to use these keys. Moreover "Yes, it is possible to create a public key with the same fingerprint as an existing one, thanks to a design misfeature in PGP 2.x when signing RSA keys. The fake key will not be of the same length, so it should be easy to detect. Usually such keys have odd key lengths."


We are not going to use PGP and we are not going to encourage our readers to use bittorrent or other P2P services. P2P requires opening additional ports on your PC through which all kinds of trojans may easily come - especially when people are not experts at managing a firewall - and most people are certainly not experts. Moreover, P2P networks attract the special attention of all kinds of agencies, and they get a "special status". We are not going to specially attract this attention. Our approach may change in the future, if the internet becomes overly, institutionally, censored. But then, probably, new options will appear.
 
ark said:
We are not going to use PGP and we are not going to encourage our readers to use bittorrent or other P2P services. P2P requires opening additional ports on your PC through which all kinds of trojans may easily come - especially when people are not experts at managing a firewall - and most people are certainly not experts. Moreover, P2P networks attract the special attention of all kinds of agencies, and they get a "special status". We are not going to specially attract this attention. Our approach may change in the future, if the internet becomes overly, institutionally, censored. But then, probably, new options will appear.
With regard to P2P and security problems, there are many things to consider. The previous poster is correct that if SOTT were to provide the torrent file, and if the format was a strictly non-executable one, such as .mp3 (which could not contain adware or viruses), then the main problem would be what Ark outlines as agencies picking up the IPs of downloaders as "special status" ones. Hence, the problem in this case can be minimized to just that one: third parties picking up the IPs of downloaders.

So it seems to me that the general problem, for now, is promoting P2P and BitTorrent in general. From my point of view, if it weren't for the "IP sniffing" problems, BitTorrent is an excellent protocol for transferring files. In the future it may indeed be so that downloading files from a single source may not be an option, so P2P may be the only solution. But, one step at a time.
 
More seriously, P2P clients can compromise network security by effectively boring holes into firewalls. P2P networks send information over a port that is not usually used for network traffic, for example port 1214. Because most firewalls block these ports, P2P clients will often ask the user to disable security restrictions on these ports. Many clients also implement tunnelling techniques where the P2P traffic is disguised as normal web traffic, which many firewalls assume is harmless. In both of these instances, this unprotected port is an attractive target for attackers who can use it to establish a backdoor connection and take control of computers within the networks. P2P clients thus give users not only the incentive but also the means to circumvent network security policies.

The threats posed by P2P networks, however, are not confined to technical issues raised by their file transfer protocols. They also allow users to download files whose origins cannot be verified, increasing the risk of downloading and installing malicious or buggy software that can propagate across the network. Combined with the security holes that P2P clients can open through techniques like tunnelling, the dubious quality of downloaded files provides an attractive point of entry for a number of viruses, Trojan horses, and worms. A number of attackers have taken advantage of this, writing malware that uses P2P networks as a major vector for spreading between networks.

http://www.sonicwall.com/alert/SonicAlert/index.asp?ev=sig&sigid=1994
 
As a petty sidenote:

I noticed different date/time formats everywhere on the site.

ISO 8601 regulates international date and time representation. The signature feature of the ISO 8601 format is that all values are organized from most to least significant. Example: YYYY-MM-DD HH:MM:SS

Confusing:
DD/MM/YYYY
MM/DD/YYYY
YY/MM/DD
 
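To make the sidenote concrete, here is an added example (written for this page, not part of any post) that shows the two practical consequences of the ISO 8601 layout: timestamps written as YYYY-MM-DD HH:MM:SS sort chronologically as plain text, and the slash layouts listed as confusing can each be read as more than one date. The timestamps and slash dates are constructed samples, and the function names are the example's own.

```python
from datetime import datetime
from typing import List

ISO_FORMAT = "%Y-%m-%d %H:%M:%S"

# Constructed sample of site timestamps, deliberately out of order.
CONSTRUCTED_ISO_STAMPS = [
    "2006-03-04 09:15:00",
    "2005-12-31 23:59:59",
    "2006-03-04 09:14:59",
    "2006-11-01 00:00:00",
]

# The slash layouts the post lists as confusing (plus the two-digit-year variants of the
# first two), expressed as strptime patterns.
SLASH_LAYOUTS = {
    "DD/MM/YYYY": "%d/%m/%Y",
    "MM/DD/YYYY": "%m/%d/%Y",
    "YY/MM/DD": "%y/%m/%d",
    "DD/MM/YY": "%d/%m/%y",
    "MM/DD/YY": "%m/%d/%y",
}


def iso_text_order_is_chronological(stamps: List[str]) -> bool:
    """ISO 8601 puts the most significant field first at fixed width, so plain string order
    equals time order: sorting and comparing need no parsing at all."""
    by_text = sorted(stamps)
    by_time = sorted(stamps, key=lambda s: datetime.strptime(s, ISO_FORMAT))
    return by_text == by_time


def possible_readings(slash_date: str) -> List[str]:
    """Every calendar date a slash-separated string can mean under the layouts above, as ISO dates.
    More than one result means a reader cannot tell which date was intended."""
    readings = set()
    for pattern in SLASH_LAYOUTS.values():
        try:
            readings.add(datetime.strptime(slash_date, pattern).date().isoformat())
        except ValueError:
            continue  # this layout does not fit the string (bad field width or out-of-range value)
    return sorted(readings)


def to_iso(slash_date: str, layout: str) -> str:
    """Normalise a date once its layout is known: the one-time rewrite a site-wide cleanup needs."""
    return datetime.strptime(slash_date, SLASH_LAYOUTS[layout]).date().isoformat()


if __name__ == "__main__":
    print("text order == time order:", iso_text_order_is_chronological(CONSTRUCTED_ISO_STAMPS))
    for sample in ("03/04/2006", "25/04/2006", "06/03/04"):
        print(sample, "->", possible_readings(sample))
```

Run as-is, "03/04/2006" resolves to two different days and the all-two-digit "06/03/04" to three, while "25/04/2006" is unambiguous only because 25 cannot be a month; a format whose meaning depends on the values in it is the confusion the sidenote describes, and the ISO form removes it.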