To fix it, (1) delete MMM from your Greasemonkey/Tampermonkey scripts list, then (2) restart your browser, then (3) install MMM again. Most
people can get away with fewer steps than this, but this three-step approach should work for everybody.
Hi all!
So apparently everything broke for a lot of people after I released v106. The problem
was the combination of two things:
1. v100 broke the auto-updater.
2. v100 also broke the error message that was supposed to appear if the auto-updater was broken and #3 happened.
3. v106 changed the format that the data was passed around in, which invalidated earlier versions that were still “out there”. It repaired #2, though!
The combination of these two factors meant that people running v100, v102, or v104 will have ended up “stuck” on those versions, and won’t even have gotten error messages to tell them
that the data format had changed and they needed to update.
I’ve remotely-fixed #1 as of yesterday, so everything should fix itself for anybody who’s still affected. Sorry it took longer than it should have to do that, though: I’ve
had a nasty stomach bug this week.
Everything should now be okay for everybody, and I’m going to be getting started on all-new features in about a week and a half, of which the principal new feature will be tools to
allow MegaMegaMonitor to work on private subreddits that I’m not a member of (with permission from the mods of that sub). Updates, as usual, on /r/MegaMegaMonitor.
tl;dr: This is a security update to MegaMegaMonitor. If you don’t update, your copy of MegaMegaMonitor will stop working.
Sorry for the wall of text – scroll down to “What’s new?” for the short version, and remember to upgrade:
So there’s been a security bug in MegaMegaMonitor since about the year dot. I’ve always known about it, and I’ve always intended to fix it (in fact, it was the very next thing on my
list), but for the time being I’d been doing something particularly naughty which was to rely on ‘security through obscurity’ – hoping that nobody would put the effort in to
undermining me. Well, I should’ve known better, really, and /u/BeanbagLover caught me out, making a minor tweak to their copy of MegaMegaMonitor to
pretend that it was me in order to read encrypted messages from any of the currently-available subs for crypto.
I’ll stress that this was my fault. I’d have rather that /u/BeanbagLover reached out and contacted me directly, rather than testing out their new-found power in an /r/askreddit_megalounge
thread (what I’d have called “ethical disclosure”), but fundamentally it was still me taking shortcuts in order to get more functionality out, quicker, that made the problem exist
in the first place.
So I’ve rushed-forward my efforts to release a more-secure version of MegaMegaMonitor, putting it together this lunchtime at work. Owing to the nature of the fix, old versions of
MegaMegaMonitor will stop working or will stop being up-to-date within the next few hours, so you might need to click the “install megamonitor”
button again if it stops working for you and the auto-update hasn’t kicked in yet.
What’s new?
It’s all behind-the-scenes stuff, this time, I’m afraid:
Faster updates on the server-side: this won’t affect you yet, but will make it possible to have MegaMegaMonitor update its data more-frequently in a future release
Handshake authentication – instead of just trusting that you are who you claim to be and giving you the appropriate membership data and encryption/decryption keys, MegaMegaMonitor
will now (if it doesn’t recognise you) perform one of several additional background identity checks to ensure that you really do have access to the subreddits that you claim
to. You won’t see it – it all happens in the background – but after an update or when you first install MegaMegaMonitor you might notice that it takes a couple of seconds longer to
run, the first time around.
Fresh cryptographic keys – I’d already implemented a system by which old encryption/decryption keys could be invalidated if they were leaked (as they now have been!), so that’s
included. Again, it’s silent, but the essence of it is that even though existing encrypted messages made with MegaMegaMonitor v104 and below can potentially be read by
anybody who broke the older (shit) security system (e.g. /u/BeanbagLover), they can’t read any newly-encrypted content (from v106 onwards)
without finding a whole new way to break in. Which is now a lot tougher.
So there you have it – the first major security-patch to MegaMegaMonitor, out now. And again I’ll stress that I’d far prefer to see ethical disclosure of vulnerabilities in this tool
(or any of my software): drop me a private message and I’ll fix things ASAP and credit you. Break them in public and I’ll still fix them, but I’ll have to do them under pressure and
it’ll make me sad. This particular bug was always going to be fixed in v106: I just didn’t expect to have to find time to finish and release v106 until Sunday.
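
The change described in this post, sketched as an added example (not MegaMegaMonitor's own code): a key server that trusts the claimed username beside one that requires a handshake, plus epoch-tagged keys so that a leaked old key cannot read new content. The nonce check through an account-controlled channel, `publishAs`, and every other name and value here are assumptions for illustration; the post does not say which identity checks the real tool performs.

```javascript
const crypto = require('node:crypto');

// Constructed sample data: one private sub, one real member, two key epochs.
const members = { lounge: new Set(['alice']) };
const keys = { lounge: { 1: crypto.randomBytes(32), 2: crypto.randomBytes(32) } };
const CURRENT_EPOCH = 2; // epoch 1 is treated as leaked and retired

// Before: the server believes whatever username the client sends.
function releaseKeysTrusting(claimedUser, sub) {
  return members[sub].has(claimedUser) ? keys[sub] : null;
}

// After: a one-time nonce must appear somewhere only the real account can write.
const pending = new Map();      // claimed user -> outstanding nonce
const accountSpace = new Map(); // assumed stand-in for an account-authenticated channel

function beginHandshake(claimedUser) {
  const nonce = crypto.randomBytes(16).toString('hex');
  pending.set(claimedUser, nonce);
  return nonce;
}

// Hypothetical: the platform authenticates the session, so writes land under sessionUser only.
function publishAs(sessionUser, text) { accountSpace.set(sessionUser, text); }

function releaseKeysVerified(claimedUser, sub) {
  const want = Buffer.from(pending.get(claimedUser) ?? '');
  pending.delete(claimedUser); // each nonce is single-use
  const seen = Buffer.from(accountSpace.get(claimedUser) ?? '');
  if (want.length === 0 || seen.length !== want.length) return null;
  if (!crypto.timingSafeEqual(seen, want)) return null;
  return members[sub].has(claimedUser) ? keys[sub] : null;
}

// Messages carry their key epoch, so a leaked epoch-1 key opens old content only.
function encrypt(sub, text, epoch = CURRENT_EPOCH) {
  const iv = crypto.randomBytes(12);
  const c = crypto.createCipheriv('aes-256-gcm', keys[sub][epoch], iv);
  const body = Buffer.concat([c.update(text, 'utf8'), c.final()]);
  return { epoch, iv, body, tag: c.getAuthTag() };
}

function decrypt(msg, keyring) {
  const key = keyring[msg.epoch];
  if (!key) return null; // holder was never given this epoch
  const d = crypto.createDecipheriv('aes-256-gcm', key, msg.iv);
  d.setAuthTag(msg.tag);
  return Buffer.concat([d.update(msg.body), d.final()]).toString('utf8');
}
```
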
I was asked to do an AMA here, so… here I am! If you know me already, it’s probably because you use MegaMegaMonitor [install here], a browser plugin I made that helps you to see where you are relative to others in the MegaLounges as well as in a variety of other private
subreddits. You’ve probably seen the link in the sidebar of /r/askreddit_megalounge, right?
Recently, I’ve been adding features to help moderators of private subreddits to manage their membership, and I’m always open to suggestions for future features. MegaMegaMonitor’s not
been without its controversies, though: and I’m happy to tell you about them, if you’re interested.
I’m a believer in the AMA concept, though (and I’m not sure how much I can really say about MegaMegaMonitor: it speaks for itself, doesn’t it?), so here’s some other things that
people often ask me about on Reddit or elsewhere, in case that’s what you wanted to know about:
I can pretty-much guarantee that I’ve got the shortest name of anybody you’ve ever met.
I live in Oxford, UK, where I run the websites of the libraries of the University of Oxford.
I also do freelance web application development and I help run a non-profit that makes software for charities.
I’m in a slightly-unusual romantic relationship, in that my partner is married to somebody other than me, and we all live together.
I’ve been blogging since the 1990s, and have never (deliberately) deleted a post.
I’m a keen geocacher and a magician-in-training.
So – what can I tell you about MegaMegaMonitor, me, or anything else? I’m all yours from now until I go to bed (and I’ll be back online in the morning, so anything I miss I’ll pick up
then)!
Edit (23:47 BST / 22:47 UTC): I’m going to bed, but I’m still answering questions (I’m taking my phone, so they’ll be shorter replies, and only until I fall asleep),
and then I’ll check in again tomorrow morning. Thanks for the lovely words, guys!
Edit2: Tuesday morning. Back at my desk; working from home today so if you still want me, I’m all yours. I’m hoping to release a new version of MegaMegaMonitor this
afternoon.
Tiny new release with thanks to /u/greypo for highlighting the need for it. In v102, bulk-inviting people to a subreddit would fall over and stop if it came to
somebody who was banned from that subreddit, requiring the user to manually remove their name from the list before they could continue. In v104, instead, it treats them the same as if
their username was invalid: it logs the reason that it failed to invite them, but then carries on with the rest of the list.
tl;dr: if you didn’t know you needed this feature, you don’t.
If there’s one place on Reddit that this kind of self-promotion shouldn’t be considered inappropriate, it’d be in the subreddit that carries my name. And now that we’re
this high up (and you’re seeing my face everywhere already), I’ve got no problem with any of you having a link by which you can work out exactly who I am in real
life.
So here’s the latest post from my ‘blog. It’s pretty dull unless you use the Squiz CMS at your workplace or write PHP code in your day job, though. I promise I’m more interesting,
sometimes.