MegaMegaMonitor v106 released – enhanced security

This self-post was originally posted to /r/MegaMegaMonitor. See more things from Dan's Reddit account.

( )

tl;dr: This is a security update to MegaMegaMonitor. If you don’t update, your copy of MegaMegaMonitor will stop working.

Sorry for the wall of text – scroll down to “What’s new?” for the short version, and remember to upgrade:

So there’s been a security bug in MegaMegaMonitor since about the year dot. I’ve always known about it, and I’ve always intended to fix it (in fact, it was the very next thing on my list), but for the time being I’d been doing something particularly naughty which was to rely on ‘security through obscurity’ – hoping that nobody would put the effort in to undermining me. Well, I should’ve known better, really, and /u/BeanbagLover caught me out, making a minor tweak to their copy of MegaMegaMonitor to pretend that it was me in order to read encrypted messages from any of the currently-available subs for crypto.

I’ll stress that this was my fault. I’d have rather than /u/BeanbagLover reached out and contacted me directly, rather than testing out their new-found power in an /r/askreddit_megalounge thread (what I’d have called “ethical disclosure”), but fundamentally it was still me taking shortcuts in order to get more functionality out, quicker, that made the problem exist in the first place.

So I’ve rushed-forward my efforts to release a more-secure version of MegaMegaMonitor, putting it together this lunchtime at work. Owing to the nature of the fix, old versions of MegaMegaMonitor will stop working or will stop being up-to-date within the next few hours, so you might need to click the “install megamonitor” button again if it stops working for you and the auto-update hasn’t kicked in yet.

What’s new?

It’s all behind-the-scenes stuff, this time, I’m afraid:

  • Faster updates on the server-side: this won’t affect you yet, but will make it possible to have MegaMegaMonitor update its data more-frequently in a future release
  • Handshake authentication – instead of just trusting that you are who you claim to be and giving you the appropriate membership data and encryption/decryption keys, MegaMegaMonitor will now (if it doesn’t recognise you) perform one of several additional background identity checks to ensure that you really do have access to the subreddits that you claim to. You won’t see it – it all happens in the background – but after an update or when you first install MegaMegaMonitor you might notice that it takes a couple of seconds longer to run, the first time around.
  • Fresh cryptographic keys – I’d already implemented a system by which old encryption/decryption keys could be invalidated if they were leaked (as they now have been!), so that’s included. Again, it’s silent, but the essence of it is that even though existing encrypted messages made with MegaMegaMonitor v104 and below can potentially be read by anybody who broke the older (shit) security system (e.g. /u/BeanbagLover), they can’t read any newly-encrypted content (from v106 onwards) without finding a whole new way to break in. Which is now a lot tougher.

So there you have it – the first major security-patch to MegaMegaMonitor, out now. And again I’ll stress that I’d far prefer to see ethical disclosure of vulnerabilities in this tool (or any of my software): drop me a private message and I’ll fix things ASAP and credit you. Break them in public and I’ll still fix them, but I’ll have to do them under pressure and it’ll make me sad. This particular bug was always going to be fixed in v106: I just didn’t expect to have to find time to finish and release v106 until Sunday.

[AMA] I am /u/avapoet, creator of MegaMegaMonitor, cartographer of the MegaLounges, and general hacker-geek. AMA.

This self-post was originally posted to /r/Askreddit_MegaLounge. See more things from Dan's Reddit account.

( )

I was asked to do an AMA here, so… here I am! If you know me already, it’s probably because you use MegaMegaMonitor [install here], a browser plugin I made that helps you to see where you are relative to others in the MegaLounges as well as in a variety of other private subreddits. You’ve probably seen the link in the sidebar of /r/askreddit_megalounge, right?

Recently, I’ve been adding features to help moderators of private subreddits to manage their membership, and I’m always open to suggestions for future features. MegaMegaMonitor’s not been without its controversies, though: and I’m happy to tell you about them, if you’re interested.


I’m a believer in the AMA concept, though (and I’m not sure how much I can really say about MegaMegaMonitor: it speaks for itself, doesn’t it?), so here’s some other things that people often ask me about on Reddit or elsewhere, in case that’s what you wanted to know about:

  • I can pretty-much guarantee that I’ve got the shortest name of anybody you’ve ever met.
  • I live in Oxford, UK, where I run the websites of the libraries of the University of Oxford.
  • I also do freelance web application development and I help run a non-profit that makes software for charities.
  • I’m in a slightly-unusual romantic relationship, in that my partner is married to somebody other than me, and we all live together.
  • I’ve been blogging since the 1990s, and have never (deliberately) deleted a post.
  • I’m a keen geocacher and a magician-in-training.

So – what can I tell you about MegaMegaMonitor, me, or anything else? I’m all yours from now until I go to bed (and I’ll be back online in the morning, so anything I miss I’ll pick up then)!

Edit (23:47 BST / 22:47 UTC): I’m going to bed, but I’m still answering questions (I’m taking my phone, so they’ll be shorter replies, and only until I fall asleep), and then I’ll check in again tomorrow morning. Thanks for the lovely words, guys!

Edit2: Tuesday morning. Back at my desk; working from home today so if you still want me, I’m all yours. I’m hoping to release a new version of MegaMegaMonitor this afternoon.

MegaMegaMonitor v104 released – minor improvement to “lists”

This self-post was originally posted to /r/MegaMegaMonitor. See more things from Dan's Reddit account.

( )

Tiny new release with thanks to /u/greypo for highlighting the need for it. In v102, bulk-inviting people to a subreddit would fall over and stop if it came to somebody who was banned from that subreddit, requiring the user to manually remove their name from the list before they could continue. In v104, instead, it treats them the same as if their username was invalid: it logs the reason that it failed to invite them, but then carries on with the rest of the list.

tl;dr: if you didn’t know you needed this feature, you don’t.



MegaMegaMonitor v102 released – message encryption, icon suppression, gilding graphs, and moderator tools

This self-post was originally posted to /r/MegaMegaMonitor. See more things from Dan's Reddit account.

( )

I’ve just released MegaMegaMonitor v102. As usual, the new version will probably install itself automatically the next time that your installation of Greasemonkey/Tampermonkey decides to check for it, but you can – if you prefer – force the upgrade to happen immediately by installing MegaMegaMonitor again.

Here’s what’s new in 102:

  • The message encryption tools, which were partially shown off last month, are now available for your use. With them, you can add secret messages to posts and comments that can only be read my MegaMegaMonitor users who also happen to be in particular private subreddits. For example, here’s a secret message that only people in /r/MegaMegaMegaLounge (or higher) will be able to read:

Either you don’t have MegaMegaMonitor installed, or you’re not in the MegaMegaMegaLounge. Sorry!

  • For those of you who were concerned about the proliferation of icons across your screens, and don’t want to see so many, there’s now an icon suppression option. So if you’re in /r/gildeddrunk but don’t want to keep spotting your fellow alcoholics around the place, you can hide that icon. It doesn’t stop other people from that subreddit from seeing the icon next to your name, though!

Edit: Turns out this feature was in v100, too. I can’t keep track. I was pretty sure that there were four features I meant to tell you about today, though… I wonder what I’ve forgotten…

  • Remember the gilding graphs tool I showed you at the start of this month? Well: now it’s a bona fide part of MegaMegaMonitor, and it’s far easier to use than the old copy-and-paste-the-Javascript way, so there’s no excuse for you not to make yourself a graph to show off how you’ve been gilding.
  • And finally, lists. I showed off screenshots from a prototype version of this feature last week, and since then it’s been refined and improved into something that I hope will really help the moderators of some of my favourite private subreddits. But because it runs from your own computer, you can use it even on subreddits that I’m not personally part of (although that does make it a little slower than other MegaMegaMonitor features)! If you can’t see how MMM lists might be useful to you, here’s a recipe book of use cases that might help you to understand.

This is probably the biggest ever new release of MegaMegaMonitor, with a stack of fun new features. Sorry about the delay in releasing it: those of you who know about my personal life have an idea of how busy this month has been for me, so that’s my excuse for the delay!


Edit2: I’ve remembered what the fourth thing is, now! I’ve tried to improve the ‘hover’ behaviour of the MMM popup, so it shouldn’t bug you so much if your cursor drifts over it by accident!

MegaMegaMonitor v100 released, now with support for /r/gilderguild

This self-post was originally posted to /r/gilderguild. See more things from Dan's Reddit account.

( )

Full announcement over here

So yeah: I’ve just released the new version of MegaMegaMonitor, and it includes (among other things) support for /r/gilderguild.

What does this mean? Well: it means that you can install MegaMegaMonitor and you’ll be able to instantly identify your fellow Gilder Guild members anywhere else you see them on Reddit. Here’s an example of what it looks like when I, for example, see /u/mrkleen340 talking over on a thread in /r/RhodeIsland!

For those of you who’re also in other private subreddits, like /u/outroversion, /u/k_princess, and /u/IAMA_Plumber-AMA, you’ll also see icons for some of these communities, too. Plus there’s a tool for searching for a person’s posts within a particular subreddit, so if you’ve got a personal policy never to gild anybody who’s posted something in e.g. /r/TheRedPill, then it’s now easier for you to check (I’m not recommending this kind of selective gilding policy, and it’s not for me personally… but I know that some of you do it!).

Anyway: please do go and play with it and let me know what you think. I’m sure that our mods who use it (which is all of them except /u/ULTIMATUM7, as it happens!) will back me up about how valuable a tool it is.

Thanks! Keep up the gilding, guild!

MegaMegaMonitor v100 released – “suppress icon” option, slight CSS improvements, new build system, smaller download

This self-post was originally posted to /r/MegaMegaMonitor. See more things from Dan's Reddit account.

( )

Hi all!

I’ve just made an interim release of MegaMegaMonitor. Not many new features, but I’ve made huge improvements to the way that I build and release MegaMegaMonitor versions, which will make it easier for me to have a “test” version that’s under construction and to later roll those changes into the live release. Which means it’s easier for me to make new features.

Improvements in this release include:

  • A smaller download – MegaMegaMonitor is now down from about 77K to about 43K, which means that it installs faster
  • The Options/Tools panel now has some basic CSS to make it marginally less-hideous
  • A bug was fixed in the “search for a user’s post by subreddit” feature, which caused links to posts that were link (rather than self) posts to link to the content rather than to the post, making them useless
  • An option was added to the Options/Tools panel to allow you to suppress icons that you don’t care about. So if you’re in /r/DecadeClub but for some reason don’t feel a strong attachment to that community, you don’t have to see their icon around Reddit.
  • /r/gilderguild has been added to the icon list.
  • There’s an icon already set up for the next upcoming (not yet announced) MegaLounge, so as soon as it opens and people start getting invited (I think there are about 5 of us gilded-and-ready-to-go, so far, and they’re all special MMM’er), the icon’s already been made. Mysterious, no?

There’s lots more features still to come, but I wanted to give you all of that stuff by way of apology for being sort-of absent for the last week or two. I’m still loving all of your suggestions and I’ll be getting to most of them as soon as I can, but keep them coming. Thanks!

If you already use MMM, the update will probably come automatically for you. Or you can just go to the webpage (linked below) and click “Install MegaMegaMonitor” to force it to update to the latest version.

MegaMegaMonitor installation page/instructions

Too Many Cards

Somebody on /r/MegaLoungeVI 1 this week asked me what my favourite magic trick (to perform) is. And because it’s far easier to show somebody than to tell them, I turned on the webcam and did a one-take shot of this, my attempt at something akin to Derek Dingle‘s stunning interpretation of Larry JenningsAmbitious Classic:

Given that it’s rare for me to film myself performing magic and be, on the whole, pleased with the result, I thought I’d share it with you all, too, in case there are those among my friends who haven’t had the opportunity yet to see me perform (apologies for the fake-sounding monologue – the sound was dubbed on later).

Why do I like this particular effect so much? It’s certainly not the thing that gets the best reaction from my spectators. In fact, if I were to ask people I’ve performed for what trick was their favourite, I imagine that not one of them would choose this. But for me, it represents the challenge of magic: it’s a moderately-complex series of sleights joined together into a rhythmic dance.

I’m not sure if that translates well, or whether one of those things, like describing code as poetry, that you already need to understand before you can understand.

In any case – if you were impressed by my trick, you should now watch a master performing it, and perhaps you’ll see how far I’ve yet got to go…

1 One of Reddit’s MegaLounges2, access to which is gained by being gilded in the prior MegaLounge (or /r/lounge itself, in the case of the first MegaLounge).

2 For the last 5 years, it’s been possible to buy “Reddit Gold” subscriptions, and for most of that time it’s been possible to anonymously gift individual months of Reddit Gold to other users (known as “gilding”), in acknowledgement of a contribution they’ve made on the site. Having “Reddit Gold” grants you access to the official gold subreddit /r/lounge; getting gilded while in /r/lounge gets you access to the unofficial /r/MegaLounge, and so on. There are several dozen ‘levels’.

[Yet More Graphs!] Where, what, and whom do you gild?

This self-post was originally posted to /r/MegaMegaMonitor. See more things from Dan's Reddit account.

( )

They said it couldn’t be done! And, technically-speaking, they were right. But I’ve come up with a way for you to generate your personal gilding history graphs. By which I mean, things like this pie chart showing which subreddits I gild in the most.

Follow the instructions in this post, and you too can have a report made for you like this one about me – note that the web addresses each contain a unique code so that nobody else gets to see your graphs (unless you choose to share them here).

How to get your Gilding Report… more-easily

You should still read all of this post because it has some valuable warnings about doing what strangers tell you to do on the Internet. But if you’re looking for a way to get your Gilding Report that works in Firefox and doesn’t require you to copy-paste ugly code everywhere, just go to and follow the instructions there. Good luck! And don’t forget to share the highlights of your results!

How to get your Gilding Report (old instructions)

Copy-paste the following code into the address bar of your browser (triple-click it to select it all):

javascript:(function(){function l(n,i){var t="/u/"+n+"/gilded/given.json?limit=100&after="+i;$("#d").append("."),$.getJSON(t,function(i){if(my_gildings_given_json.push(,null!{l(n,},2e3);else{for(var t=[];my_gildings_given_json.length>0;)t=t.concat(my_gildings_given_json.shift());t=JSON.stringify({return{kind:n.kind,,}})),$("body").html('<h1>Almost done...</h1><p>Just drawing some graphs...</p><form method="post" action=""><input type="hidden" name="u" /><input type="hidden" name="g" /></form>'),$('input[name="u"]').val(n),$('input[name="g"]').val(t),$("form").submit()}})}var my_gildings_given_json=[];$("body").html('<h1>Please wait<span id="d"></span></h1><p>This will take a little over 2 seconds per 100 gildings you've given.</p>'),$.get("/api/me.json",function(n){l(,"")});})();

Important: many web browsers will remove the “javascript:” from the start when you paste it. If this happens, you’ll need to manually type it back in before you press enter. Sorry.

Also important (because some of my work is in computer security and I’d be remiss if I didn’t say this): if anybody asks you to post something beginning with “javascript:” into your address bar, you should be paranoid. People can do all kinds of naughty things, like trick your account into gilding them, like this. However, they can’t do anything that they couldn’t already do if you installed a browser plugin that they wrote, so if you’re already using MMM, you’re already placing more-trust than this in me. Just… be careful, people: if anybody in the comments says e.g. “hey, put this into your address bar!” then I’d recommend that you distrust them. And if somebody geeky feels like auditing my code, above, to verify for everybody that it’s not malicious, then that’d be appreciated too. In short – run at your own risk!

How does this work?

For the technically-minded (or just plain paranoid), here’s what happens when you paste that into your address bar your web browser will, over the course of several seconds (about 2 seconds for every 100 gilds, or part thereof, that you’ve made), collect statistical information about all of the gildings you’ve given (you can see the information it collects for yourself by going to /u/your-username-here/gilded/given note that you can’t see anybody else’s gildings using this method, which is why this weird Javascript-based approach is needed). That information is then collated and sent to the MegaMegaMonitor server, which collates it into a web page for you (with a secret web address) and then sends you to the web page (if you later choose to share that web address with us, that’s up to you: but hopefully you will!).

Gilded ents who should be considered for admission…

This self-post was originally posted to /r/gildedtrees. See more things from Dan's Reddit account.

( )

Hi! I’m /u/avapoet, and if you know about me already it’s probably because you’re using MegaMegaMonitor, a browser plugin that enables you to, among other things, spot other gilded ents elsewhere on Reddit by the “universal flair” gold cannabis leaf they carry (note that only gilded ents get to see other gilded ents: no secrets between frients, right?).

I’ve just been doing some data processing off the back of the MegaMegaMonitor engine, and I’d like to suggest that the following ents be considered for membership here, based on their being gilded in a tree-related sub (there shouldn’t be anybody in this list who’s already here, but if there is – sorry! – however there may be duplicates within this list). It’s a LONG list – far too long for a message (max 10,000 characters) and too long even for a self-post like this (max 15,000 characters), so I’ll share it with you in the comments to this post. That way, /u/green_euphoria, /u/Elderthedog, /u/BassInMyFace and /u/jamacianbagpipemetal can – I don’t know – upvote them to mark them as processed, or something. Or comment on them. Or whatever.

“Tree-related subs” for the purpose of this search were those found listed here, minus e.g. /r/explainlikeimfive which isn’t really tree-related and /r/ReligEnts, /r/Sprouts, /r/boxBritannica, /r/enTOR, /r/entsnyc, and others which are private (and I’m not a member). I also rejected /r/leaves, because most of those folks wouldn’t appreciate being invited in here anyway, I imagine!

I’m not telling you how to run your sub, by the way – far from it. I just think that this community could enjoy a little growth (and not just of the fresh green buddy variety), and wanted to make it easier for the mods to make that happen.

Right: on the the comments…

Edit: Okay; all the comments are there now. Have fun!

Edit2: I’ve been made into a mod, so that I can help trawl through this list and get everybody added! It’s going to take a few days (mostly because Reddit won’t let me add more than a hundred without then taking a few hours break!) but I’ll get there.

Edit3: 1,014 contributors now in our sub (up from ~600 when I started). 512 left to add.

Edit4: 1,314 contributors now in our sub. No more than 213 left to add. And wow; there’s more traffic here than before, mostly in the form of “dude, what is this place?” posts.

Edit5: We’re done! The backlog is cleared! Welcome to /r/gildedtrees, new folks!

Are you running v98? Can you help me with an experiment?

This self-post was originally posted to /r/MegaMegaMonitor. See more things from Dan's Reddit account.

( )

Hi! It’s me, /u/avapoet. You might remember me from such MegaMegaMonitor releases as v95 and v92. Also, this post right here.

Anyway: v98 contains the first third of an experimental new feature that I haven’t decided whether or not to implement the second half of, yet. This post is a proof-of-concept of the first half of the feature. Would you mind looking at this post (the actual post – you’ll need to click the “comments” link… and you’ll need to do so with MegaMegaMonitor enabled, of course), and then leaving a comment to let me know that… it appeared in a way that made sense, and showed the kinds of things that you’d… expect it to show. ;-)







Don’t give too much away in the comments, though: remember that just because you can see something on the Internet doesn’t mean that everybody can see it. Don’t believe me? If you’re using RES, click the “source” link under this text and you’ll see for yourself what I typed here…