Menshn stats and where they came from.

You may have noticed, if you have been following my twitter feed, that I have been posting some Menshn statistics recently. You may also be wondering how I came by these numbers.

  Someone sent me a message on twitter pointing me to the URL: menshn.com/data/chat.php (which shall remain unclickable for reasons that will become apparent).  This web page basically dumps the last 20-30k “menshns” out in a semi-structured html data format.  In total (at time of writing) it dumps 31MB of data. So you can see why I’m not making it a link. I’ve no desire to overload their systems.

Upon looking at the “View source” on the menshn.com homepage, it seems that they use this to back end the automatically updating feed on their homepage.  

If you watch the traffic generated by your browser – you can see it making a request every 4 seconds for https://menshn.com/data/chat.php?roomid=*&lastid=73405

So, now we know where my source got the link from – seems if you don’t supply any arguments, it just dumps everything it has. And so, with such a dataset we are able to do some metrics.
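As an added example (not Menshn's code), here is the feed handler written as a pure function that does what the page shows chat.php failing to do: require roomid and lastid, and cap the page size, so a request with no arguments gets an error instead of the whole data set. MAX_PAGE, the record layout and the sample store are assumptions.

```python
# Added example (not Menshn's code): the feed handler as a pure function,
# enforcing what the page describes as missing: required parameters and a
# bounded page size, so an argument-less request cannot dump the whole store.
from dataclasses import dataclass
from typing import Dict, List

MAX_PAGE = 50  # assumption: the homepage polls every 4 s, so 50 rows is ample


@dataclass(frozen=True)
class Menshn:
    id: int
    room: str
    user: str
    text: str


def handle_chat(params: Dict[str, str], store: List[Menshn]) -> dict:
    """Return messages newer than lastid, filtered by room, capped at MAX_PAGE.

    Rejects requests lacking lastid/roomid instead of defaulting to 'everything'.
    """
    lastid_raw = params.get("lastid")
    room = params.get("roomid")
    if not lastid_raw or not room:
        return {"status": 400, "error": "roomid and lastid are required"}
    try:
        lastid = int(lastid_raw)
    except ValueError:
        return {"status": 400, "error": "lastid must be an integer"}
    if lastid < 0:
        return {"status": 400, "error": "lastid must be non-negative"}
    # roomid=* is the wildcard the homepage itself uses
    rows = [m for m in store
            if m.id > lastid and (room == "*" or m.room == room)]
    rows.sort(key=lambda m: m.id)
    page = rows[:MAX_PAGE]
    return {"status": 200, "truncated": len(rows) > MAX_PAGE,
            "items": [vars(m) for m in page]}


# Constructed sample store standing in for the 20-30k records the dump held.
SAMPLE_STORE = [Menshn(i, "//ukpolitics" if i % 2 else "//olympics2012",
                       f"user{i % 7}", f"message {i}") for i in range(1, 201)]
```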

First up, I parsed all the data out to produce a simple ID,Room,Name,Message text file – just to prove to myself that I had understood the data set and was parsing it correctly.

Next, I built metric generation into the parser: count the unique users, the number of posts/menshns, the number of rooms/topics, etc.

From this I have the top line information: 

Number of active users: 218
Number of active rooms: 224

Breaking this down further to “Top 20” lists, I get:

20 Most prolific users:
 5752 janemcqueen
 3240 CosensV
 2019 Chriss
 2011 BlackAdder
 1569 PoliticsBlogorguk
 1520 Xlibris
 1106 DavidX
 783 JOSHBHJ
 782 Louise
 717 EdenFisher
 704 JayMcNeil
 666 Grist
 588 TinderWall
 401 RV
 384 Bozier
 373 jeanprytyskacz
 348 MikeARPowell
 285 Silaz
 251 Rabbs
 239 Europe

And

20 Busiest rooms:
 6361 //ukpolitics
 3216 //gaymarriage
 1252 //religion
 1014 //assangecase
 877 //olympics2012
 717 //judaism
 673 //uselection
 663 //atheism
 642 //mormonism
 585 //davidcameron
 527 //civilliberty
 479 //reshuffle
 474 //mittromney
 415 //corbyelectio
 394 //capitalism
 315 //twitter
 295 //falklands
 224 //louisemensch
 208 //philosophy
 204 //catholicism

Growth metrics are easily obtained by performing the same test at different times. In my case, they were 3.5 days apart. Leading to the conclusion posted on twitter:  

If you really want to see all the menshns, rather than overload the menshn server – you can obtain my parsed analysis of the dump at http://pgregg.com/test/menshn/menshnchat.txt

I’d welcome comments on this. For the record – none of this information was obtained via a “hack” and no illegal acts were committed in the gathering of this information.

Luke Bozier responds. Backs up allegation with 3rd party tweets.

Follow-up to yesterday’s article when I discovered Luke Bozier was accusing me of being behind the lukebozier.com web site.

Luke Bozier, co-founder of Menshn, has responded to my email from last night.

Unfortunately he has not retracted his allegation against me, nor offered an apology.

He has compounded the allegation by further alleging that he, and others, have seen me “bragging about setting up lukebozier.com”

He sent me a screen shot of the following tweet as “proof”.

Contents of the Email from Luke Bozier:

Subject: Re: http://lukebozier.com/
From: Luke Bozier <lukebozier@gmail.com>
To: Paul Gregg <p-----@pgregg.com>
That would be all well and good except the fact that plenty of people
have seen your Twitter bragging about setting up lukebozier.com on
Twitter. See the attached screen shot. And it's not the only one.

Defamed by Menshn owner Luke Bozier

Today in my twitter feed, I saw this:

Now I know that the above is a fake/parody account, but it is funny to follow regardless. So I clicked on the link to see what it was about and was horrified to see Mr. Luke Bozier (the real one) make specific allegations that I am behind the lukebozier.com web site.

At the bottom of the page is:

Mr Luke Bozier is mistaken.

I have emailed Mr Luke Bozier asking for an apology and a retraction.

Screenshot of email to Luke Bozier

Leaving Menshn for good

I’ve decided to close my Menshn account, folks. It’s over.  After four weeks of micro-menshning and meeting great friends and colleagues (largely not on Menshn), I’m off. It’s been amazing but it never provided the community feeling it once promised.

So I’ll be posting my rants on twitter and my blog instead, and I’ll be blogging more here and writing for a range of other channels.

Friends can email me via the usual address, add me on Facebook or connect with me on twitter.com, where my username is pgregg.

So to my hundred (automatically assigned) followers – see you around – it’s (mostly) been a pleasure, but largely a technical disaster.

Menshn: Another password design flaw

Ok – so I forgot my password on Menshn, again, and went to reset my password. Normal email address+token thing – except I noticed another problem.

Menshn emails you a link in the form:

pwreset.php?e=email@address.com&c=8chartoken

At least they are not emailing plain text passwords again. But I noticed that the token link can be used multiple times, and it does not expire.

Requesting a new token to be emailed to you invalidates earlier tokens; however, the most recent pwreset token stays valid indefinitely.

Ooops. Bad Menshn, bad. Back to the naughty corner for you.

At least clear the stored token when the user uses it once (and ensure you don’t accept blank tokens).
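An added example, not Menshn's code, of a reset-token store that fixes the three defects described above: the token is single use, it expires, and a blank token is rejected. The 15-minute lifetime, the class name and keeping only a hash of the token are assumptions.

```python
# Added example (not Menshn's code): a reset-token store that is single-use,
# expiring and never accepts a blank token. Only a SHA-256 of the token is
# stored, so a database read does not yield usable reset links, and the
# comparison is constant-time.
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple

TOKEN_TTL = 15 * 60  # seconds; assumption, a typical reset window


class ResetTokens:
    def __init__(self) -> None:
        # email -> (sha256(token), expiry timestamp); one live token per account
        self._live: Dict[str, Tuple[bytes, float]] = {}

    @staticmethod
    def _digest(token: str) -> bytes:
        return hashlib.sha256(token.encode("utf-8")).digest()

    def issue(self, email: str, now: float) -> str:
        """Create a fresh token; any earlier token for this email is replaced."""
        token = secrets.token_urlsafe(32)          # ~256 bits, not 8 characters
        self._live[email] = (self._digest(token), now + TOKEN_TTL)
        return token

    def redeem(self, email: str, token: Optional[str], now: float) -> bool:
        """Consume the token. True exactly once, and only before expiry."""
        if not token:                              # reject blank/missing tokens
            return False
        entry = self._live.get(email)
        if entry is None:
            return False
        digest, expires = entry
        if now >= expires:
            del self._live[email]                  # expired: clear it
            return False
        if not hmac.compare_digest(digest, self._digest(token)):
            return False
        del self._live[email]                      # single use: clear on success
        return True
```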

Menshn DNS is a (technical thingy).

So Menshn changed their DNS and stopped their site working for a number of users.

Users pointed it out and Menshn did what Menshn does and blamed everyone else but themselves. I call it the Apple Defence. Or #You’reHoldingItWrong.

What Louise probably doesn’t know is that whoever is advising her*, plainly doesn’t know the first, or last, thing about DNS.

*assuming she has an advisor, perhaps Bozier, as no geek worth his (or her) salt will ever say “technical thingy”.

No Louise, DNS migration does not take 24 hours. It is not the fault of the other ISPs. It is your own fault.

Now Louise and Bozier have both blocked me on twitter, but I’m a magnanimous chap – in the words of Sid [Ice Age] “I’m too lazy to hold a grudge” – so I’ll tell them how to fix it next time.

DNS records have this little number attached to them called a TTL – or Time To Live. Normally the domain TTL is 86400 seconds, or, as you’ve found, 24 hours. This number is entirely within your control. It is the number *you* give to other ISPs when they ask for your zone information. So when their systems receive that data, they can, rightly, assume that the data is good for the next 24 hours.

Thus, when you are planning a domain/DNS change – what do you do? You lower the number to an acceptable outage window, e.g. 60 seconds, on your original DNS zone server(s). Further, you need to do this at least 24 hours (one old TTL) in advance of the change, to allow the existing longer-TTL records out there to expire.

Thus when you switch DNS servers, or server IPs, your maximum outage window is the new lower TTL.
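The TTL argument above, as an added example that is not from the original post: given when the TTL was lowered and when the cutover happens, it computes how long after cutover some resolver may still hold the old record, and plans a migration that bounds that window by the new TTL. The function and field names are my own.

```python
# Added example (not from the original post): the TTL reasoning as code.
# A resolver caches a record for the TTL it was served, so the worst case
# after cutover depends on when the TTL was lowered. Times are Unix seconds.
from dataclasses import dataclass

OLD_TTL = 86400   # the 24 h the post mentions
NEW_TTL = 60      # the lowered value the post suggests


@dataclass
class MigrationPlan:
    lower_ttl_at: float      # when the zone starts serving NEW_TTL
    earliest_cutover: float  # when every OLD_TTL cache entry has expired
    max_outage_after_cutover: int


def plan_migration(now: float, old_ttl: int = OLD_TTL,
                   new_ttl: int = NEW_TTL) -> MigrationPlan:
    """Lower the TTL now, wait one old TTL, then switch; outage is then <= new_ttl."""
    return MigrationPlan(lower_ttl_at=now,
                         earliest_cutover=now + old_ttl,
                         max_outage_after_cutover=new_ttl)


def worst_case_stale_seconds(lowered_at: float, cutover_at: float,
                             old_ttl: int = OLD_TTL, new_ttl: int = NEW_TTL) -> float:
    """Seconds after cutover during which some resolver may still serve old data.

    A resolver that fetched just before the TTL was lowered keeps the record
    until lowered_at + old_ttl; one that fetched just before cutover keeps it
    for new_ttl. The worst case is whichever is later.
    """
    if cutover_at < lowered_at:
        # TTL was never lowered before the switch: the full old TTL applies
        return float(old_ttl)
    from_old_cache = lowered_at + old_ttl - cutover_at
    return max(from_old_cache, float(new_ttl))
```

Cutting over at the same moment the TTL is lowered reproduces the 24-hour outage the post describes; waiting one old TTL first reduces it to the new 60 seconds.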

Welcome to the Internet. It’s a technical thingy.

Luke Bozier of Menshn has form on Copyright Infringement

3rd in my series of articles about Menshn.

So, today (or last night), Luke Bozier blocked me on twitter. Seems like a pointless act since anyone not logged into twitter can read all his posts anyway.  However, it did cause me to google his name and I came up with two personal web sites of his for his blog at:
Out of interest I had a click through some articles and came across an image on:
Well no, not murder, but yes Copyright Infringement.
You see the image of the Chernobyl Guard is (c) Trey Ratcliff at http://www.fotopedia.com/items/flickr-433927398 (article https://stuckincustoms.com/2007/02/02/nuclear-winter-in-chernobyl/) and all he asks for the use of the image is Attribution. However, Luke Bozier does not provide that attribution.
Screenshot of Luke’s site at the time of this article (because Luke is quite efficient at removing the images when I call him out on his law breaking).

Menshn does not censor, Allegedly.

Officially:

However, my messages on menshn.com do not appear to be visible to others. Compare this screenshot of the same “menshnabout” topic/room.
On the left is Firefox – not logged in. On the right is Chrome – my account logged in.
My message is only visible to me when logged in.
And, I checked…. Private Mode is Off.
Am I being singled out or is there a more widespread censoring going on?

Menshn and another security issue

On June 19, menshn.com launched, giving me a couple of days to have a look around, but not enough time to write up any serious thoughts before going on vacation. The site launched only in the US and visitors from the UK and elsewhere were greeted with a holding page. However, as many technically aware individuals know, geographic barriers are no match for those with VPNs, VPSes or just a simple web proxy.

Initially, only three “topics” were available, a (US) Election2012 topic and one each for Obama and Romney.

Menshn has taken a bit of a battering on Twitter over, I guess, pretty much every aspect of the site imaginable.

Some don’t like the owners, one UK Conservative Member of Parliament, Louise Mensch, and a former Labour advisor, Luke Bozier. However, the primary focus of many of the complaints is the web site’s numerous and shocking security flaws.

I believe I was one of the first (if not the first) to highlight the Cross Site Scripting security flaws. Though I did not actively demonstrate (exploit) it, having previously been burned in this area, others such as James Coglan have demonstrated the complete lack of data validation that abounds on Menshn.

The site launched without using an SSL certificate, allowing passwords to pass in plain text – a flaw I missed – but ably spotted by Suggy and Andrew White.

Also prior to going on vacation I highlighted two examples of Copyright Infringement to both Louise and Luke. The first was the alleged unauthorised use of the Obama HOPE poster which I screen captured here:

I was completely ignored.

Then Menshn created a new topic “Women” for which they used another image of a “thoughtful woman”:

Note – screen cap of Menshn is on left; the same image I found on Elite Dating Agency site (using Google image search, honest!).  I tweeted to Luke, who responded that the image was Creative Commons. However, this I doubted as I can generally spot a professional image and eventually found the real source as a Premium Stock Image that they could have paid just $9.99 to use. The image soon disappeared from Menshn without further comment from Menshn.

Edit: Just found another image on Menshn – the image for the UKPolitics topic – that does not adhere to the Copyright owner’s license:

The original image is owned by Kevin Shakespeare with the license of “Attribution, Non-Commercial, and No Derivative Works”. Another Menshn fail.

I like to think I’ve educated them a little on Copyright law.

And finally, the straw that breaks the camel’s back.

Back from vacation, I try to log in, but of course I forgot the password and so used “forgot my password”. Now, all normal security-conscious web sites will create an encrypted, time-limited, one-time-use token or URL that you can use to reset your password, and email that to you.

No, not Menshn. Menshn will email your actual password in plain text.

The horror. Not only does this mean your password is flying through the world’s email servers (making it available to all sorts of Government interception), it also means that Menshn is storing your password inside its database using at best a two-way reversible encryption, or at worst in plain text.

Either way, it is a security disaster. A breach of the web site means all users and all passwords are exposed in plain text (with the reversal key available from the forgot-password code). Luke should read http://www.phptherightway.com/#password_hashing_with_bcrypt.

An awesome coder he is not.

Post publication edit: This article has been mentioned in Business Insider –

We Speak To The British Politician Behind The Controversial 180-Character ‘Twitter-Killer’ Menshn

All content © Paul Gregg, 1994 - 2024
This site http://pgregg.com has been online since 5th October 2000
Previous websites live at various URLs since 1994