Building an Inexpensive, Aesthetic, Private Forum

post by Aaron Graifman (aaron-graifman) · 2024-09-09T17:10:42.677Z · LW · GW · No comments

This is a question post.


Reason for Writing: I want to gather information for a friend who is a professional in the behavioral sciences.
Epistemic Status: Less than 2 hours googling how to build a forum, and a couple of YouTube videos

Requirements:

  1. Aesthetic
  2. Inexpensive
  3. Private
  4. Easily Set Up

The goal is to create a small, private forum for discussions. 

I've looked into Discourse, not sure if that's the best option.

Answers

answer by Said Achmiz · 2024-09-10T01:26:24.047Z · LW(p) · GW(p)

MyBB (or similar) with a custom theme.

Aesthetic: lots of themes available, and making your own seems easy.

Inexpensive: can’t beat “free” for the software, and cheap hosting that supports PHP+MySQL is plentiful.

Private: trivial to set up basically arbitrary access controls, as with any half-decent forum software.

Easily set up: standard PHP+MySQL stuff.

(I strongly anti-recommend Discourse as a forum platform.)

comment by Viliam · 2024-09-10T20:09:20.491Z · LW(p) · GW(p)

Some webhosting companies already provide the entire combination of PHP + database + forum, for the price of webhosting. (At least this was the situation a decade ago.) Then you just set the access rights to "only registered and approved users can read and write" and you're ready.

Replies from: SaidAchmiz
comment by Said Achmiz (SaidAchmiz) · 2024-09-10T20:18:34.091Z · LW(p) · GW(p)

That’s true, but I’m not aware of one that does this combo and is good (uses a good forum software, is reliable, etc.). Are you?

Replies from: Viliam
comment by Viliam · 2024-09-10T20:54:45.360Z · LW(p) · GW(p)

No.

But I would advise against setting up the software for yourself (unless this is the type of thing you also do for a job), because it can be more work than initially expected, especially if you need to keep updating it afterwards. Also, if you use a standardized solution, there are standardized exploits out there, so unless you set it up carefully and update regularly, you probably should expect it to get hacked sooner or later.

Basically, remember the situation when one person practically took down Less Wrong, and it had to be reprogrammed from scratch, because updating the original Reddit codebase would be too much work? A similar thing can happen when you use a free solution, and defending against it can turn out to be too much work. I don't know how big a target is the "friend who is a professional in the behavioral sciences", but sometimes it just takes one crazy person with too much free time.

So, in my opinion, if it's not a big deal, use some cheap and simple solution that can (and will) be thrown away later. If it is important, I am afraid that you will need a paid solution (or you will pay with your own time, more than you expected).

Replies from: SaidAchmiz
comment by Said Achmiz (SaidAchmiz) · 2024-09-10T22:03:23.338Z · LW(p) · GW(p)

I don’t agree with most of this.

I agree with this part:

> I would advise against setting up the software for yourself (unless this is the type of thing you also do for a job)

Yes, if you are not a “tech person” / programmer / engineer of some sort / otherwise have experience with software, you should not set this sort of thing up yourself. You should find/hire someone to do it for you. That is not difficult.

I disagree with the rest of what you say.

Choosing a free solution that is well-maintained is better than rolling your own. A standardized solution plus standardized exploits plus standardized mitigations to those exploits is better than a custom solution.

> Basically, remember the situation when one person practically took down Less Wrong, and it had to be reprogrammed from scratch, because updating the original Reddit codebase would be too much work? A similar thing can happen when you use a free solution, and defending against it can turn out to be too much work.

First of all, as I recall, that wasn’t an “exploit” in the usual “software vulnerability” sense. Perhaps someone from the LW team who was around back then can better describe the details, but as I understand it, it was a design flaw in the “if someone does this bad thing, we have no good tools to catch them and/or prevent someone from doing it” sense. There is no reason whatsoever why a custom solution can’t have arbitrarily many such design flaws, and such an “exploit” in no way relies on having access to the source code or… anything like that.

And—again, to my recollection—old Less Wrong was never “hacked”.

But more importantly, the reason why any of this was a problem at all is that old LW used the old Reddit codebase—that is, one which had been deprecated and was no longer maintained. Indeed, it is a bad idea to choose such a platform, if you do not have a dedicated engineer to service it! This is why you should choose something popular and well-maintained.

For example, I linked MyBB in my earlier comment. It is updated regularly, and the developers clearly take security very seriously. I don’t know how much money you’d have to spend to get this degree of protection in a custom solution, but it sure ain’t a small number.

When you speak of standardized exploits to standardized solutions, I expect that you have WordPress in mind, which is infamous for its exploitability (although I am unsure to what extent that reputation is still accurate; it may be an outdated characterization). But most web forums (which, note, WordPress is not) get hacked approximately never. Ones based on well-designed, well-maintained, popular software like MyBB, even less so.

I also disagree with the advice to “use some cheap and simple solution that can (and will) be thrown away later”. In my experience, such platform choices tend to be quite “sticky”, and migration is often painful, expensive, and time-consuming. That is not to say that you should never migrate to a custom solution (although I am very skeptical about OP’s use case requiring anything more advanced than a good PHP bulletin board)… but even if you expect that you’ll want to migrate, it is far better to migrate from a basically working site which merely lacks some features you want, or has some annoying limitations, etc., than to migrate from a site which has broken or been hacked or otherwise exploded.

The fact is that a decent PHP-bulletin-board-type platform already is “a cheap and simple solution”. (Which can, of course, be thrown away later, but doesn’t have to be.) Trying to go even cheaper is setting yourself up for pain later on.

Replies from: habryka4
comment by habryka (habryka4) · 2024-09-10T23:21:46.796Z · LW(p) · GW(p)

This all roughly matches my model. 

> Perhaps someone from the LW team who was around back then can better describe the details, but as I understand it, it was a design flaw in the “if someone does this bad thing, we have no good tools to catch them and/or prevent someone from doing it” sense.

Yeah, the core issue was that there was basically no protection against people just automatically creating thousands of accounts and using them to downvote whoever they disliked. In general, bot issues are one of the top reasons why websites that accept user submissions either need to have a strict manual review phase, or be continuously updated with defenses.

Replies from: SaidAchmiz
comment by Said Achmiz (SaidAchmiz) · 2024-09-10T23:58:29.049Z · LW(p) · GW(p)

> In general, bot issues are one of the top reasons why websites that accept user submissions either need to have a strict manual review phase, or be continuously updated with defenses.

Indeed. And what you’ll generally find is that mature, widely-used platforms tend to have many and varied tools for dealing with this sort of thing, whereas if you build custom software, you end up having to handle many more edge cases, attack types, etc., than you’d expected (because it’s very hard to think of all such possibilities in advance), and the project just balloons massively due to this.

(For example, Simple Machines Forum—which runs Data Secrets Lox, and which I, on the whole, do not recommend—has all sorts of options for gating user registration behind verification emails / manual moderator approval / captcha / verification questions / etc.; it has moderation tools, including settings that let you enforce per-post approval, on a per-subforum basis; it has a karma system; it has built-in GDPR compliance features; and all of this before you consider all the optional modifications that are available… and SMF is not even one of the better platforms in this category! How much development work would it take a small team to get a discussion forum platform to this state? How much work would it take even to just build the core functionality plus the moderation/security/anti-spam tools…?)
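
As an added illustration (not part of the thread, and not code from LessWrong or any forum package), here is a sketch of the kind of moderation tooling discussed above: it flags authors who are downvoted by many freshly registered accounts within a short window. The log layout, account names and thresholds are assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data (not from any real forum): account creation times
# and a vote log of (voter, target_author, value, time).
T0 = datetime(2024, 1, 1, 12, 0)
ACCOUNTS = {"alice": T0 - timedelta(days=400), "bob": T0 - timedelta(days=90)}
ACCOUNTS.update({f"new{i}": T0 + timedelta(minutes=i) for i in range(6)})
VOTES = [("alice", "carol", -1, T0 + timedelta(hours=1)),
         ("bob", "dave", +1, T0 + timedelta(hours=1))]
VOTES += [(f"new{i}", "carol", -1, T0 + timedelta(hours=2, minutes=i))
          for i in range(6)]


def flag_downvote_rings(accounts, votes, max_age=timedelta(days=2),
                        window=timedelta(hours=1), min_voters=5):
    """Return {target: sorted voters} where at least `min_voters` distinct
    accounts younger than `max_age` at vote time downvoted the same target
    within one `window`. Thresholds are illustrative assumptions."""
    by_target = defaultdict(list)
    for voter, target, value, when in votes:
        created = accounts.get(voter)  # unknown voters are skipped
        if value < 0 and created is not None and when - created <= max_age:
            by_target[target].append((when, voter))
    flagged = {}
    for target, events in by_target.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until it spans <= `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            voters = {v for _, v in events[start:end + 1]}
            if len(voters) >= min_voters:
                flagged.setdefault(target, set()).update(voters)
    return {t: sorted(v) for t, v in flagged.items()}


if __name__ == "__main__":
    for target, voters in flag_downvote_rings(ACCOUNTS, VOTES).items():
        print(f"review votes against {target}: {len(voters)} new accounts {voters}")
```

A single downvote from a long-standing account is ignored; only the cluster of new accounts is surfaced for manual review, which pairs naturally with the registration gating (email verification, moderator approval, captcha) mentioned above.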

answer by rsaarelm · 2024-09-11T06:17:28.127Z · LW(p) · GW(p)

Everyone who participates probably isn't a GitHub-using programmer, but if they were, a stupid five-minute solution might be to just set up a private GitHub project and use its issue tracker for forum threads.

answer by kave · 2024-09-11T23:40:28.498Z · LW(p) · GW(p)

I don't know what "private" means to you, but if you just mean you can control who joins, I think Google Groups are a good choice for 2 - 4.

Zulip, Discord and Slack are all options as well, though they all (to differing degrees) encourage shorter, chattier posts.

comment by Said Achmiz (SaidAchmiz) · 2024-09-12T01:23:46.637Z · LW(p) · GW(p)

> Zulip, Discord and Slack are all options as well

However, these are all very bad for searchability, archiving, multimedia content, and creation of permanent content of any sort.

Replies from: kave
comment by kave · 2024-09-12T05:23:52.452Z · LW(p) · GW(p)

IMO, pro Slack instances are wonderful for searching & good for many different kinds of media, though not mixed media (i.e. you can upload videos, photos, PDFs (and search over them all, including with speech recognition!) but inserting photos into a message is annoying).

I'm not really familiar with Zulip or Discord.

(Also, I'm not sure if pro Slack instances really qualify for (2) anymore.)

answer by lukehmiles · 2024-09-10T17:46:32.833Z · LW(p) · GW(p)

I have used a number of Discourse forums and they just feel bad/wrong but I cannot explain why. I would also vote for more of an old-fashioned PHP BB with a nice theme. Those are always great, even though all my intuitions tell me they seem like they should suck. Shows how little I know.

E.g. https://github.com/phpbb/phpbb

Also has styles: https://www.phpbb.com/customise/db/styles/board_styles-12?sid=6245508b90fd3410be19888406fae215

Basically I'm repeating what Said said.

answer by Ben Pace · 2024-09-09T18:03:20.078Z · LW(p) · GW(p)

IMO the best option is... the open source LessWrong codebase.

comment by Ruby · 2024-09-09T20:01:34.102Z · LW(p) · GW(p)

I'm not sure where to rate it on easy to set up. It's not as out of the box as other services.

Replies from: kave
comment by kave · 2024-09-10T02:20:51.856Z · LW(p) · GW(p)

I also expect it would be a bit more expensive than something like Said’s suggestions.
