I’ve just released a new version of MegaMegaMonitor, v108. It’s compatible with v106, so you can upgrade “at your leisure” (or else your browser will probably do it for you in a day
or two). Here’s what’s new:
Faster updates – thanks to some improvements at the back-end (and with apologies to people who were temporarily inconvenienced by missing flair for a few hours
yesterday), your MegaMegaMonitor icons should now never be more than 8 hours out-of-date (and typically closer to 3-4), rather than the previous 24 hour delay.
Smarter caching – this is achieved, however, alongside smarter caching, so your copy of MMM will spend less time checking for updated data, which will make
it less-likely to slow your browser down, especially if your Internet connection isn’t very good.
Better “back” support – thanks to the HTML5 History API, the MegaMegaMonitor “tools/options” panel now has its own web address. Which means that if you press “back”
to get out of it, it works like you’d expect, not in weird ways as it did previously. It also means that you can give people a link to “their MMM options page” if you’re helping
them to understand it – here’s your MMM options page, for example!. Your options are still all stored on your
computer, of course – it’s just an illusion.
Private sub support – at long last,
MegaMegaMonitor is capable of supporting private subreddits of which I’m not personally a member. If you’re the moderator of a private sub and want to make this happen for your
private sub, get in touch. If you’re not a moderator but would like this to happen for your
private sub, talk to your moderators! This new change means that, for the first time ever, it’s possible for somebody to have more icons than me. Get collecting!
“Tiny icons” mode – don’t like how much space all of the icons take up? Now from the options
page you can switch to “tiny icons”, which are eye-squintingly small but should fit daintily alongside the name of the redditor you’re looking at. How sweet.
I hope that’ll keep you all amused for a little while. Don’t forget to get in touch if you’d like icons for your private subs: I wonder if the /r/HarryPotter folks would like MMM support for their “houses” (which are four private subs)? And whatever happened in the end to /r/DragonLounge? And is /r/ElephantLounge still a thing? The more subs MMM supports, the sooner people will finally start
overtaking me with icons!
(FYI: the /r/centuryclub mods have already said “no”, so that’s not going to happen until I get another 70K comment karma…)
Update:/u/gamehelp16 (who’s about to get some gold for their efforts) spotted a bug in the tiny icons that could make some icons
invisible, some of the time. I’ve now released v110, which fixed that problem. Thanks, /u/gamehelp16!
Edit: fixed typo.
Update2: v108/v110 also broke the “search for a user’s posts by sub” feature, so I’ve rushed-out v112 to fix that. I really ought to initiate some
kind of “beta” process, shouldn’t I?
I’ve got all of the core code written for v108, and I’m looking forward to sharing it with you all. But first, I’d like to find mods from one or more private subs of which I’m
not a member who’d like to be guinea pigs for a new feature.
This new feature will, at long last, allow icons, encrypted messages, and all of the other fabulous features you love to be used on private subreddits even if I’m not personally a
member of them. From the serious (/r/top? /r/centuryclub?) to the silly (/r/dragonlounge?) and even to
fringe outliers (/r/MegaLounge2), this feature could be yours. I’m already talking to the /r/NinjaLounge / /r/PirateLounge folks.
You let me know (some day I’ll automate this step by having /u/MegaMegaMonitorBot let me know)
MegaMegaMonitorBot can then see the membership list for your sub, and can thus – for MMM users – let them “see” one another anywhere around Reddit. So it’s basically the same as
regular MegaMegaMonitor, except you don’t need to invite me personally into your sub.
The observant among you might note that, if I were the unscrupulous type, I could log in as/u/MegaMegaMonitorBot and snoop upon whatever
it is that you say there. I suppose that’s true, just as it is with any bot that you grant access to your sub. But on the other hand: if I were malicious, I’d
already have seen such content by abusing the trust of the people in your sub who’ve installed MMM already. Just sayin’. Anyway: the key thing is, it’s up to you. I think
that this has the potential to add real value to many kinds of private subs, and I’d love for people to have the chance to make use of it.
Not a mod? Tell the mods of the subs you’re in!
tl;dr: next version of MegaMegaMonitor will be able to support private subs of which I’m not personally a member: mods who want to do this should invite /u/MegaMegaMonitorBot and then contact me; non-mods should pester their mods.
I’ve found a few people who’ve got ninja-related names and so might be particularly amenable to the idea of being recruited to the noble ranks of the /r/NinjaLounge. I haven’t looked any of them up, yet, but here are the links in case anybody else wants to:
To fix it, (1) delete MMM from your Greasemonkey/Tampermonkey scripts list, then (2) restart your browser, then (3) install MMM again. Most
people can get away with fewer steps than this, but this three-step approach should work for everybody.
Hi all!
So apparently everything broke for a lot of people after I released v106. The problem
was the combination of two things:
v100 broke the auto-updater.
v100 also broke the error message that was supposed to appear if the auto-updater was broken and #3 happened.
v106 changed the format that the data was passed around in, which invalidated earlier versions that were still “out there”. It repaired #2, though!
The combination of these two factors meant that people running v100, v102, or v104 will have ended up “stuck” on those versions, and won’t even have gotten error messages to tell them
that the data format had changed and they needed to update.
I’ve remotely-fixed #1 as of yesterday, so everything should fix itself for anybody who’s still affected. Sorry it took longer than it should have to do that, though: I’ve
had a nasty stomach bug this week.
Everything should now be okay for everybody, and I’m going to be getting started on all-new features in about a week and a half, of which the principal new feature will be tools to
allow MegaMegaMonitor to work on private subreddits that I’m not a member of (with permission from the mods of that sub). Updates, as usual, on /r/MegaMegaMonitor.
tl;dr: This is a security update to MegaMegaMonitor. If you don’t update, your copy of MegaMegaMonitor will stop working.
Sorry for the wall of text – scroll down to “What’s new?” for the short version, and remember to upgrade:
So there’s been a security bug in MegaMegaMonitor since about the year dot. I’ve always known about it, and I’ve always intended to fix it (in fact, it was the very next thing on my
list), but for the time being I’d been doing something particularly naughty which was to rely on ‘security through obscurity’ – hoping that nobody would put the effort in to
undermining me. Well, I should’ve known better, really, and /u/BeanbagLover caught me out, making a minor tweak to their copy of MegaMegaMonitor to
pretend that it was me in order to read encrypted messages from any of the currently-available subs for crypto.
I’ll stress that this was my fault. I’d have rather than /u/BeanbagLover reached out and contacted me directly, rather than testing out their new-found power in an /r/askreddit_megalounge
thread (what I’d have called “ethical disclosure”), but fundamentally it was still me taking shortcuts in order to get more functionality out, quicker, that made the problem exist
in the first place.
So I’ve rushed-forward my efforts to release a more-secure version of MegaMegaMonitor, putting it together this lunchtime at work. Owing to the nature of the fix, old versions of
MegaMegaMonitor will stop working or will stop being up-to-date within the next few hours, so you might need to click the “install megamonitor”
button again if it stops working for you and the auto-update hasn’t kicked in yet.
What’s new?
It’s all behind-the-scenes stuff, this time, I’m afraid:
Faster updates on the server-side: this won’t affect you yet, but will make it possible to have MegaMegaMonitor update its data more-frequently in a future release
Handshake authentication – instead of just trusting that you are who you claim to be and giving you the appropriate membership data and encryption/decryption keys, MegaMegaMonitor
will now (if it doesn’t recognise you) perform one of several additional background identity checks to ensure that you really do have access to the subreddits that you claim
to. You won’t see it – it all happens in the background – but after an update or when you first install MegaMegaMonitor you might notice that it takes a couple of seconds longer to
run, the first time around.
Fresh cryptographic keys – I’d already implemented a system by which old encryption/decryption keys could be invalidated if they were leaked (as they now have been!), so that’s
included. Again, it’s silent, but the essence of it is that even though existing encrypted messages made with MegaMegaMonitor v104 and below can potentially be read by
anybody who broke the older (shit) security system (e.g. /u/BeanbagLover), they can’t read any newly-encrypted content (from v106 onwards)
without finding a whole new way to break in. Which is now a lot tougher.
So there you have it – the first major security-patch to MegaMegaMonitor, out now. And again I’ll stress that I’d far prefer to see ethical disclosure of vulnerabilities in this tool
(or any of my software): drop me a private message and I’ll fix things ASAP and credit you. Break them in public and I’ll still fix them, but I’ll have to do them under pressure and
it’ll make me sad. This particular bug was always going to be fixed in v106: I just didn’t expect to have to find time to finish and release v106 until Sunday.