Today was the fourth time in a month or so that we got a support ticket from one of our customers, who was convinced that they were hacked or in some way compromised. It turned out that the culprit was Discobot, which is apparently not recognized as a system thing.
So we’re getting support tickets like
We have noticed that a user Discobot has been set up with Admin privileges? Can you let me know urgently if this is something we should be concerned about?
and
This seems to be a spam bot to me - and it has granted admin level clearance
The number of people freaking out about this is just getting too high to blame the user.
I was wondering if there is anything that could be done to make this user (even more) identifiable as a ‘harmless’ system user. Maybe have a separate category for it in the user list, or not having it show up there at all (except when a checkbox ‘show system users’ is checked, for example), or having a special icon instead of, or next to, the shield?
At the moment we come into play there, they’ve already freaked out.
But in a way, that was what I was suggesting. If there would be some kind of indication that this was a system user, they would indeed visit the profile first.
I think it would be good to have a ‘nobody’ type of user, next to admin and moderator, to designate that this is not an actual person.
Maybe a simple way of dealing with this could be to add a few words about the bot to the “READ ME FIRST: Admin Quick Start Guide”? In fact, I think that would be a good idea regardless of those scared admins.
This seems more like a communication thing. Discourse is going to keep evolving and developing, the marketing information for your service needs to remain abreast of that.
If the first time they hear of Discobot is when they receive that message, the problem is one of customer messaging, not how the bot is categorized.
I don’t completely agree with that. Software should be intuitive enough to be comprehensible without extensive communication.
Second, the fact that the bot is categorized as “admin” is confusing (and, imho, sort of wrong, because it cannot and will not perform regular admin actions).
I agree. I will say that at best, it’s confusing the way it is right now. It was kind of weird to me as well (first time hosting Discourse). I think the fix is to simply rename the bot to something more friendly. Should be a low-hanging fruit, but I also think this is a low priority item. Still valid however. “SystemNotifier”, “AutoResponder”, “SystemAssistant” would make it more clear that the user is harmless, intended to be there, and automated (IMO).
While we’re bikeshedding solutions, an alternative to renaming the bot itself would be to have a default group for built-in default accounts (It could include the system account as well.) You could then include flair or titles that indicate it as a built-in account, so it’s more immediately obvious.
Ok but @michaeld can you screenshot where users are seeing this? There are literally dozens of places you can view users, so maybe mock up with actual screenshots what you are proposing, exactly? Because I’m not following, and none of our customers are having an issue with this currently.
Move Discobot and System users to a ‘System’ tab instead of ‘Staff’ to distinguish them
Replace the little shield icon on the right with something different (fa-rocket or something)
Remove ‘trust level: leader’ and the Leader badge on the profile and replace it with something different. Badges make it look like it’s an actual person
For forums that require approval, the empty space after ‘approved by’ is scary and could read something like ‘system user’
Don’t the site admins themselves get greeted by discobot immediately after their site is provisioned? They shouldn’t be surprised to see it in the users list. Discobot explains itself to them right away: “I’m only a robot, but our friendly staff are also here to help if you need to reach a person.” Or does Communiteq (formerly DiscourseHosting) somehow modify discobot’s messages or timing?
I’m pretty sure that 0 of our customers have reported being hacked by discobot.