Posts posted by Skit

  1. 12 minutes ago, Mr.Bottomfeeder said:

    However, I don't understand why someone should download a theme and not install and test it on his mod.


    12 minutes ago, Mr.Bottomfeeder said:

    Therefore, I don't see any real point in using a foreign commentary system if Evolv already offers one.

    I agree with these points. This should be the way, but unfortunately this is not how things go. People download stuff for a lot of reasons. Maybe it's for later, maybe they are like me and want to download a lot of themes fast so they can test them out. It's just quite an egocentric way to view the world.

    Other users who don't have an account cannot leave you feedback. This has lowered the barrier to review instantly so they don't have to give Evolv any of their details. I personally try to avoid giving out as much info as possible and wouldn't bother to make an account just to review a theme. You have to understand people don't just sit there and review themes, especially if it's a hassle to make an account.

  2. 4 hours ago, Mr.Bottomfeeder said:

    Perhaps a solution could be to only allow further theme downloads after a rating for the last downloaded theme has been given.

    I think this is a rather elegant solution as it not only gives us higher quality themes but also stops the spam.

    I personally don't think this should be the case. The user experience is going to be heavily impacted by this method. Sure, one theme every 5 minutes is good enough for most users. But a new user who has just bought a DNA board would have to sit there for a long time before they could find a theme that suits them. I personally went through at least 5 before I found one that I stuck with for a while. That would turn a simple 5 minute browse into a long 25 minute waiting game.

    Furthermore, IP collisions are rare but do happen. Not just from the same household, but sometimes from large institutions such as a university or workplace. It does happen. Some users may also use a VPN for a number of reasons; this would block them from using the website.

    I think this is a good idea but just impractical in practice. Perhaps only have the limitation for guests without an account? Even then I think it's a bit too draconian to force a user to review something. We will only end up with pointless reviews and one word comments. Only via natural ways can you get real, genuine feedback.

    If you want real change you must change the groundwork and then it will follow naturally. I've gotten much more feedback since I added a Google form to my own theme because I wanted real feedback. I didn't do it by raising the walls for everyone else and forcing them to review before they could download another theme. I did so by lowering the effort taken to leave me a comment.

  3. Indeed. There is major rework needed to this forum!

    @Wayneo

    I know you have said you try to keep your hands off from the community but I don't think that is the way. In doing so you have lost the "human" bit to your moderator role. In doing so you are almost like a "deity" or "god" of some sort. Not knowing what the common humans get up to.

    I really think you should get more involved in the community :)

    • Like 1
  4. 1 hour ago, Wayneo said:

    @Skit Please self edit your post. Leave only positive thoughts and suggestions. For about the gazillionth time this must remain respectful. Please and Thanks man 👍

    Tomorrow you will see the downloads for each of the 7 (for the 16th), and moving forward, HERE.

    I'm very sorry about this. I've taken down the post as I can see why some users might see it as abrasive. That was not my intent.

    I'll try and rephrase what I've said in the original post here for everyone to see.

    I believe that the core issue in this problem is that devs are not getting the recognition they *think* they deserve and then turn to vote manipulation to do so.

    Unless your theme is *constantly* updated, and I mean ***constantly***, your post will be buried in a few days from the new panel. Not that a lot of people will even look in there, and even when they do it's a few downloads a day like you've said yourself. Certain themes have been in the top for far too long. Heck, the DEFAULT theme is on there. Can you try and understand why some devs would feel like they are getting slapped in the face?

    We literally don't ask for anything for the hundreds of hours of work we do, we don't ask for money, we don't ask for ANYTHING. And all that work gets buried in a month, never to be seen ever again by anyone.

    The ONLY way to get to the top is to fake stats or "update" your theme constantly.

    Fix the core issues, and people will naturally stop doing this.

    My suggestion is to have a weekly hand picked panel by the staff since you guys will be monitoring the posts anyway. This panel will not allow ANY post to go on there twice in a row.

    The core issue is that devs feel like their work is not appreciated, and a system that actively buries and punishes new themes that are well polished (never need to be updated and therefore are never shown to new people)!

    • Like 2
  5. 2 minutes ago, zark said:

    Why can't downloading be forbidden for unregistered users? Under that condition, finding the spam would be simple and obvious.

    While I agree with this as it would "fix" the problem, it just makes it so that they will have to make an account for each download. This does more damage to a regular user than to a bad user, however. I don't think this should be the case.

    • Confused 1
  6. Just now, Wayneo said:

    The 7 themes that I left the same discreet comment on.

    The 7 theme owners should all be aware as they were probably notified like you were, yet only you are commenting.
    In your opinion, would you consider this a respectful conversation? I do.

    Another option would be for us to completely delete the Themes and recreate them, attributed to the respective owner. Download count would start at zero. No comments, no reviews, no followers.

    And I do agree, a captcha seems rather elegant as a start.


    Yeah, I think this was a good way to notify the users affected.

    I don't think it would be fair to me and other users who have worked so hard to gain so much traction on their theme to just be wiped. I feel gutted and I've only had my theme up for a few months. Please don't do this!!!

    • Like 1
  7. 1 hour ago, Wayneo said:

    I never said the word 'attacker'. More some internet glory and fame seeker. Just saying, the ONLY PERSON that would want multiple downloads of a particular Theme would be the owner. Except in this case. This was clearly done to right a perceived wrong.

    I actually applaud the person because it's so glaringly obvious for all to see.

    We do log and can see quite a bit of information. I won't tell you what, but I will tell you the most outrageous is a user that downloaded his own theme >3,000 times.

    But here we sit and ponder the future of these 7.
    Do we hide them for a week from downloads. Let innocent downloaders get a 404?
    Do we start manually monitoring any theme that hits the top of the Top? And then what? Moderators leave a count and a 1 star review with that count? 3 days in a row, hide it (timeout) for a week.
    Do we remove that panel altogether?

    Thank you, I hope others speak up. 

    "Attacker" is just a technical term for the person performing the action on your network. Well, penetration tester. It's just that when I usually talk about cyber security it's actually something serious and not a vape theme lol.

    Simplest solution would be to just remove the downloads. This should be done at least. The rest is up to you. I'm just some nerd who likes to vape.

    • Like 1
  8. 37 minutes ago, Wayneo said:

    What a great comment. We moderators have been aware of the issues, but we'd prefer Evolv spend their time working on meaningful things instead of wasting time on stuff like this. Hell, one had a view count of ~260 with a download count of ~400. Obvious much.

    You were not the only person to comment/review their own theme, which was called out by another developer.

    Don't take this personally. Have any suggestions?

    Hell, if I knew where those counts were kept, a one line script in a Linux /etc/rc2.d file could keep it clean. (depending, depending, depending) 

    Na, it's fine. I didn't think you were trying to go after me for the review. I'm just putting it on the table to be known. I think it's stupid and should not have even been possible at all.

    Quote: "Have any suggestions?"

    1) Stop self reviews, should have never been a thing.

    2) Just put a captcha on the download page. Simple drop in solution.

    3) First log the CSRF keys and as much user info as possible (such as user agent and IP etc.; not sure if this is GDPR-compliant though). Then, after a week of (silent) surveillance, change the keys to be ephemeral and unique per IP / browser fingerprint.

    If the bot is set up in a static way with a static URL, we will be able to immediately catch them upon the deployment of the new ephemeral keys. They will request a URL that no longer exists and then the CSRF key can be correlated to a user request on the server.

    My URL for my download has been the same this entire time so if download links are per user and unique then perhaps the attacker has already revealed themselves.

    I highly doubt the attacker has made a fully dynamic bot for this. The IP, user agent and browser would probably all be the same. If it's not just a simple curl/wget loop, since that works just fine without auth.

    HOWEVER. I should note. DO NOT BLOCK TOR OR VPNs. This is a stupid, cop-out way of doing "security"; people actually need Tor and VPNs for things. They might not be able to even use Evolv products otherwise. Given a good system this sort of gatekeeping is completely unnecessary and cuts out good users as well.

    • Like 1
  9. >designers reviewing their own theme with a 5 star rating
    I've left one on my theme as a joke/protest. I agree with you. This should not be possible at all and just seems like a very silly oversight.

    You can see the reply I left to myself is "WFT, why are you leaving reviews on your own theme?".

    If you couldn't tell from my post I don't try to take myself or my theme very seriously. It's full of emojis and memes.

    Anyhow I did some testing and the current system is extremely easily exploitable. Even just clicking edit and then saving it immediately without ANY changes will work completely fine and will boost your listing up to the top of the new. I'm pretty sure a few themes are doing exactly this.

    That is before you look into actually performing an actual attack and not just clicking.

    You can see it's got a CSRF key at the end of the URL:

    https://forum.evolvapor.com/files/file/1196-neo-cloudz-on-crack%E2%84%A2-dna250c-dna75c/?do=download&csrfKey=7d443771196c5e0e5da05e71c005f365

    But I don't think it's doing anything. You can just spam the URL and the downloads will go up.

    This leaves it open to attacks via a simple cURL HTTP request or any type of simple net scripting at all. Which is to say, if the attacker is competent and uses actual web tech like https://www.selenium.dev/ which can simulate full browsers...

    The forum is fucked basically.

    Anyhow, I don't think this will be fixed. It's simply not really a big enough issue for Evolv to fix. And fixing it is not going to be easy. It's a multitude of analytics and back end work. And even if it is fixed, it's a cat and mouse game.

    And we can't really point fingers unless Evolv digs up the server logs. Even then, it's hard to say who the culprit is since they can just spam other themes. RN, certain themes have far too high of a view / download ratio (I'm pretty sus, or maybe my theme is just bad idk lol). I think it would be very easy to filter out real from fake downloads given server logs. Fake downloads will probably just spam the URL and not bother to simulate user actions since it's not needed.

    BUT, in the case that Evolv does want to fix this I would love to help. I can code and would love to work for you guys :)

    • Like 2
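An added example (my own code, not Evolv's or the forum software's) of the log-side triage the last two posts describe: it runs over constructed access-log lines and flags a file whose downloads outnumber its page views, whose downloads come mostly from one address, or whose download requests still carry a csrfKey that has been rotated out. The log format, file ids, addresses and key values are all made up.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import urlsplit, parse_qs
# Constructed log lines (not real forum logs), "ip path": a normal visitor views the
# file page then downloads with the current key; one client hammers the download URL
# with a key that was rotated out and never loads the page first.
SAMPLE_LOG = """\
203.0.113.5 /files/file/1196-theme/
203.0.113.5 /files/file/1196-theme/?do=download&csrfKey=k2
198.51.100.7 /files/file/1196-theme/?do=download&csrfKey=k1
198.51.100.7 /files/file/1196-theme/?do=download&csrfKey=k1
203.0.113.9 /files/file/1200-other/
203.0.113.9 /files/file/1200-other/?do=download&csrfKey=k2
"""
FILE_RE = re.compile(r"^/files/file/(\d+)")
def records(log_text):
    """Yield (ip, file_id, is_download, csrf_key) for each hit on a file page."""
    for line in log_text.splitlines():
        ip, _, url = line.partition(" ")
        parts = urlsplit(url)
        m = FILE_RE.match(parts.path)
        if m:
            qs = parse_qs(parts.query)
            yield ip, m.group(1), qs.get("do") == ["download"], qs.get("csrfKey", [None])[0]
def analyze(log_text, valid_keys, max_ip_share=0.5, min_downloads=3):
    """Per file: views, downloads and flags for the inflation patterns discussed above."""
    views, downloads = Counter(), Counter()
    per_ip, stale = defaultdict(Counter), defaultdict(set)
    for ip, fid, is_dl, key in records(log_text):
        if not is_dl:
            views[fid] += 1
            continue
        downloads[fid] += 1
        per_ip[fid][ip] += 1
        if key not in valid_keys:  # still requesting with a rotated-out key
            stale[fid].add(ip)
    report = {}
    for fid in views.keys() | downloads.keys():
        flags = []
        if downloads[fid] > views[fid]:  # more downloads than page views
            flags.append("downloads_exceed_views")
        if downloads[fid] >= min_downloads:  # share is meaningless on tiny counts
            ip, n = per_ip[fid].most_common(1)[0]
            if n / downloads[fid] > max_ip_share:  # one address dominates the count
                flags.append(f"dominant_ip:{ip}")
        if stale[fid]:
            flags.append("stale_csrf_key:" + ",".join(sorted(stale[fid])))
        report[fid] = {"views": views[fid], "downloads": downloads[fid], "flags": flags}
    return report
```

Treat the dominant-IP flag as a triage signal only, never as a block: as the posts above note, shared addresses (universities, workplaces, VPNs) legitimately produce many downloads from one IP.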