Forum owners don't understand discobot


(Michael - DiscourseHosting.com) #1

Today was the fourth time in a month or so that we got a support ticket from one of our customers, who was convinced that they were hacked or in some way compromised. It turned out that the culprit was Discobot, which is apparently not recognized as a system thing.

So we’re getting support tickets like

We have noticed that a user Discobot has been set up with Admin privileges? Can you let me know urgently if this is something we should be concerned about?

and

This seems to be a spam bot to me - and it has granted admin level clearance

The number of people freaking out about this is just getting too high to blame the user :wink:

I was wondering if there is anything that could be done to make this user (even more) identifiable as a ‘harmless’ system user. Maybe have a separate category for it in the user list, or not having it show up there at all (except when a checkbox ‘show system users’ is checked, for example), or having a special icon instead of, or next to, the shield?


(Jeff Atwood) #2

If you actually visit the discobot profile, it’s pretty clear what it is. I also have to say we haven’t had this reaction from our customers.

Where exactly are they seeing it and freaking out, and why aren’t they visiting the profile page for that user, are my two questions.


(Michael - DiscourseHosting.com) #3

I know and I agree. But if four distinct customers are mailing us separately, something must be not clear enough, somehow.

They’re seeing it in Admin - Users - Staff,
and they freak out before visiting the profile? :wink:


(Jeff Atwood) #4

Maybe advise them to freak out after visiting the profile?


(Michael - DiscourseHosting.com) #5

:slight_smile: At the moment we come into play there, they’ve already freaked out.

But in a way, that was what I was suggesting. If there would be some kind of indication that this was a system user, they would indeed visit the profile first.

I think it would be good to have a ‘nobody’ type of user, next to admin and moderator, to designate that this is not an actual person.


(Jeff Atwood) #6

Sorry, our plate is rather full at the moment. You may want to work on a plugin if it is an ongoing concern for your audience.


(Michael - DiscourseHosting.com) #7

Not making any demands here… just sharing something we noticed and making a suggestion.

If a PR or a plugin is welcome, we can spend some time on this.


(Jeff Atwood) #8

If we get a lot of complaints I can re-evaluate, but we just haven’t had many at all.


(Christoph) #9

Maybe a simple way of dealing with this could be to add a few words about the bot to the “READ ME FIRST: Admin Quick Start Guide”? In fact, I think that would be a good idea regardless of those scared admins.


(Régis Hanol) #10

Won’t help those who have already read it though.


(Stephen) #11

This seems more like a communication thing. Discourse is going to keep evolving and developing; the marketing information for your service needs to remain abreast of that.

If the first time they hear of Discobot is when they receive that message, the problem is one of customer messaging, not how the bot is categorized.


(Michael - DiscourseHosting.com) #12

I don’t completely agree with that. Software should be intuitive enough to be comprehensible without extensive communication.
Second, the fact that the bot is categorized as “admin” is confusing (and, imho, sort of wrong, because it cannot and will not perform regular admin actions).


(Joshua Rosenfeld) #13

To be fair, discobot “reads” all PMs, and you can call discobot in any post (including PMs). Without admin rights this wouldn’t be possible.


(Ricardo) #17

I agree. I will say that at best, it’s confusing the way it is right now. It was kind of weird to me as well (first time hosting Discourse). I think the fix is to simply rename the bot to something more friendly. Should be a low-hanging fruit, but I also think this is a low priority item. Still valid however. “SystemNotifier”, “AutoResponder”, “SystemAssistant” would make it more clear that the user is harmless, intended to be there, and automated (IMO).


(Jeff Wong) #18

While we’re bikeshedding solutions, an alternative to renaming the bot itself would be to have a default group for built-in default accounts (It could include the system account as well.) You could then include flair or titles that indicate it as a built-in account, so it’s more immediately obvious.


(Richard - DiscourseHosting.com) #19

That is what @michaeld was trying to say :slight_smile:


(Jeff Atwood) #20

Ok but @michaeld can you screenshot where users are seeing this? There are literally dozens of places you can view users, so maybe mock up with actual screenshots what you are proposing, exactly? Because I’m not following, and none of our customers are having an issue with this currently.


(Richard - DiscourseHosting.com) #21

All users saw it in Users - Staff

Suggestions:

  1. move Discobot and System users to a ‘System’ tab instead of ‘Staff’ to distinguish them

  2. Replace the little shield icon on the right with something different (fa-rocket or something)

  3. Remove ‘trust level: leader’ and the Leader badge on the profile and replace it with something different. Badges make it look like it’s an actual person

  4. For forums that require approval, the empty space after ‘approved by’ is scary and could read something like ‘system user’


(Jeff Atwood) #22

That’s a lot of engineering work that wouldn’t move things forward that I need moved forward to satisfy our actual customer requests…

Pull requests accepted, of course!


(Neil Lalonde) #23

Don’t the site admins themselves get greeted by discobot immediately after their site is provisioned? They shouldn’t be surprised to see it in the users list. Discobot explains itself to them right away: “I’m only a robot, but our friendly staff are also here to help if you need to reach a person.” Or does discoursehosting somehow modify discobot’s messages or timing?

I’m pretty sure that 0 of our customers have reported being hacked by discobot. :confused: