I spun up an instance of phpBB (trying to keep costs down) and customized a ThemeForest theme to make it not ugly. I'll post a thread today that lists all of my notes from the setup process of the site for anyone interested.
I'm a huge fan of the bulletin board/flat forum model of communication, so I'm hoping this site can blossom into a community of high quality folks having high quality conversations.
EDIT: Also, this is my first foray into setting up and using phpBB, so please let me know if I need to adjust anything. I tried to keep most settings at the default because I assumed that made more sense than me tickering, but I'm all ears if things are weird.
I am thinking of starting a forum myself. How did you go about selecting phpBB of all options? I have mostly looked at nodeBB but have not taken any practical steps yet.
I would love to be corrected in this, (and in fact I'm prototyping a NodeJS+NuxtJS+VueJS forum on the weekends, but don't expect a release this year) but I think you're better off sticking with the PHP variety of forums. I think that's where maturity, stability, and extensions ecosystem shine.
I've already registered. I'm super hopeful that this grows into a real forum community for extended discussions. I, like many other posters in the inspiration thread, used to have a number of forums I frequented which mostly died off between the rise of Facebook and Reddit. I'm a fan of the conversation format, and I hope enough others are as well (:
Another major upside to forums is the ability to easily directly connect to folks. I've made many friends that way over the years in various forums, and business partners.
Hmm, that is certainly possible. Hopefully instead it can just be folks who are looking for a different type of interaction that a flat forum provides over something like this site.
Nice idea. The biggest hurdle with starting a community site is getting the initial users and maintaining a level of activity that keeps bringing back users to the site. If activity slows down a little, you will find that traffic decreases proportionally. How do you plan to solve the chicken and egg problem? After the initial launch, what's the plan to get your site in front of potential users?
I am working on a somewhat related idea : a site like reddit, but which also has a chat room for each subreddit/topic + public moderation logs among other features. I launched with only the chat rooms part of it and I faced the issues mentioned above, so I'm interested in hearing about your approach. Good luck!
2) I'm going to write up a fairly detailed thread later today that explains in more detail the Why of setting up the site, and the How I did it (literal technical details for those interested). I'll post that here and on Reddit and a few other places to hopefully get some exposure. Cool kids call that "traffic leaking" where you get valuable content in front of active communities, so might drive some traffic.
3) I'm debating setting up a contest of sorts, where members can earn a special badge/title by actively participating in the forum. So for example, start 10 threads and post 25 replies in threads and earn a special badge on your account for eternity. Silly, sure, but could be a simple fire starter.
But yeah, overall, it's a challenging thing to do, and I've failed at it a few times over the years in trying to start forums. I still really love them though, so I wanted to try it again.
The way to solve the chicken and egg problem is through paid posters. If you hire an initial group of people to post content and reply to new users eventually visitors who come on board will see the buzz and participate. Then you can phase out paid posters when you no longer need them. Pretty easy.
I agree, getting that initial user base is always tricky. After that, things kinda perpetually keep themselves going.
Especially when you're likely talking about interesting topics / questions people google for. It seems in recent years that going has favored articles over forum topics in their results, but I'm sure there's still plenty of search traffic that goes to forums to bring in new users.
Well, there are quite a few ways you can solve this issue. Namely:
1. Fake it, like on Reddit. Setup a bunch of fake users and create a ton of topics until activity really kicks in.
2. Do exchanges and deals on forum promotion and community management sites. For example, you can ask the people on Forum Promotion for exchanges, where you do five posts on their site in exchange for five posts on yours or what not.
[phpBB Debug] PHP Warning: in file [ROOT]/includes/functions_messenger.php on line 506: count(): Parameter must be an array or an object that implements Countable
That is happening because you are running PHP 7.2. In that file $this->extra_headers is initialized as non-countable NULL. Basically phpBB needs to update their code base to support newer versions of PHP. A quick fix would be to change "var ... $extra_headers" at the top of the file to "protected $extra_headers = [];".
It's probably a safe assumption that they use a similar style elsewhere though, so probably better to just change PHP version rather than edit the source files?
I could be wrong, (I'm a Python guy - not PHP), just seems a safe assumption that it's likely not the only spot.
I like this idea because HN mods (reasonably) discourage certain types of discussions as off-topic. But I'm actually interested to know what HNers think about various topics that may be deemed off-topic by mods. Looking forward to joining your community!
Thank you! I'm not quite sure how we'll deal with off topic stuff, I personally think it's fine as long as it's in an official off topic/general area. We'll see how it goes!
I agree, particularly when it comes to political discourse. HN is one of the most intelligent places on the internet and I think it'd be very enlightening to hear what such great minds have to say about political topics.
> must contain letters in mixed case, must contain numbers and must contain symbols
Please don't do this. Have a minimum length, but don't force me to miss it up. My password manager shouldn't have to try multiple times to generate matching passphrase.
Yeah this is annoying. Simply consider a^b, what makes that expression grow faster, increasing a, or increasing b? b is better mathematically and for mental overhead.
The derivative with respect to b is: log(a)(a^b) or (a log(a))(a^(b-1)).
So it's better to increase b when alog(a) > b. Which is typically the case where a is 26 for lowercased letters and b is like 10 for password length.
This analysis might not be totally correct since the cost of adding one extra allowed character vs increasing password length by one is not the same but w/e.
I've sent feedback to a couple dozen sites over this. Most were government website (internal military sites are the worst) but when various financial institutions started updating their policies they forcing this silliness.
When they don't allow spaces in passwords either, I worry.
Keep in mind, there are situations where the website you're using is interfacing to backend systems that have constraints that can't easily be changed (colloquially known as "legacy systems"). Feedback is good, but change takes time.
Passwords should be hashed client-side anyway, so the real issue there is how to encode the password hash in a way that satisfies the legacy system. But this is usually plausible, e.g. by base64 or hex encoding the hash to avoid disallowed characters and then appending specific characters that satisfy the set of required characters.
Nothing should be doing this. Insecure legacy systems that wrongfully expect to see the plaintext of the user's password should be replaced with properly functioning ones. But just because they haven't been yet is no excuse to actually give them the plaintext of the user's password.
Along the same lines though is OPAQUE PAKE, where the server doesn't need to store a password hash, only a salt, making server compromise far less dangerous, it's quite elegant.
> This just makes the password the hash of the user's passphrase.
There are some other advantages that others have already mentioned, but even if that was all it did it would still be useful in inhibiting an attacker from learning the actual passphrase which many users are likely to have reused on other services.
It would also be useful in finding hash collisions which would give an attacker access to a user's account without needing the actual password, which is made easier with the ability to study the client-side code doing the hashing, and taking note of the algorithm and methods used.
Sending a password in plaintext over HTTPS is more secure than hashing it in javascript first and sending the hash.
You don’t need to hash a password over the client so long as it’s sent over an encrypted network. The goal of submitting a password is that it’s not sent in open plaintext. Otherwise even if you hash it on the client, the plaintext hash can still be intercepted and used, exactly as-is, as the plaintext password.
You can if you don't want the authenticating side to actually know the plain text.
e.g. password + client_salt => hash => send to server => (hash+server_salt)^hash2 => compare to db
By doing this you'd protect a user when their password might be accidentally logged (e.g. Twitter recently). Then if you compromise the hash you don't immediately reveal the password itself, just the text needed to authenticate, which can be changed. If you simply change the salt used client side you may not even need to have the user change their password (although obviously better if they did).
That said, I don't think this is required, but there is actually a case for it. Also obviously you should never log the password, but mistakes are made. This helps mitigate the risk of that password being exposed.
Has anyone got direct, first hand experience with such a thing? I'm wondering if it's become urban legend.
I've inherited several ancient code bases where everyone knew silly password rules were a legacy requirement. And ultimately after a lot of digging, every time they were a "legacy limitation" because the original project manager called for it, and could easily be removed by commenting out one check. Which was never allowed to happen, because it was a "constraint that couldn't be changed".
I do accept there are databases with eight character fields for maximums, but beyond that, I'm interested in any genuine experience.
I couldn’t imagine releasing a forum for the hn community that wasn’t also a neat software project. Using phpbb seems like the antithesis of something this community would appreciate, other than perhaps for the practicality of choosing something common.
That was kinda the point of this whole thing though. This wasn't a software project for me, this was a community project. I have no interest in developing a forum, but I do have interest in participating in one.
From what I can tell so far, what we setup seems to be working fine. If we hit a wall, I'll search out the next most practical option.
That makes sense as administrating a forum takes a significant investment of time, and you don’t necessarily have enough time to run a forum and also develop the software. However, if it became popular, I would expect some of us would want to hack on the software... but who would want to work on a phpbb theme? I’d pretty much rather be using a Google + group.
I've seen enough custom forums appear here only to die out to know that building the software and building a community are two completely different things and that one shouldn't expect that they will come if you build it.
I can see the temptation to want to hack around on it because it's a forum for hackers, but it's not as if HN is taking pull requests either.
Nice job. I've actually been looking for more places to hang out with the HN crowd.
I'm not sure about this approach though. Forums are too centralized and don't feel interactive enough. I'd much rather see a HN community on Matrix or something similar.
Don't you think many HN posters will object to using a chat service with a fishy as-of-yet probably-not-profitable business model and a big ol' database of all the messages sent? Discord is a great service for now, but it's unclear to me what their plans are in terms of monetization and user privacy.
I don't think HN users will actually object using this service. Although I dont understand why would you call it FISHY - because what's there on Discord that's not anywhere else on Google :) or Alexa ;)
About Monetization Here you go : https://goo.gl/Af7xwR
That was actually part of the point of using an "old school" software package for this. I totally understand that there are newer/arguably "better" ways to handle online conversation, but some of us grew up on forums like this so the nostalgia is just right.
Good luck. I definitely think personal webpages and self-hosted forums need to make a comeback.
However...
Your FAQ link leads to a 404 page, and the "legalese" on the registration page seems like a bit much to me. And why should I need to be registered to see the "team" page and profiles?
It's just a web forum, don't take things so seriously. You're an admin, you can literally just ban people for acting up, you don't have to expect to back it up in a court of law or anything.
No clue! Ultimately it's completely unrealistic to expect to siphon off users from anywhere, instead we should have this as a complementary community I guess.
'comp.misc' exists on USENet and has done since the dawn of time. It's fairly spam free these days, and a few dedicated people post stuff to it. It's in a perfect place to be used again and turned into a meaningful discussion hub.
Well, I just signed up. Not sure if I'll be active here, but I always like to support forums over social media sites and other corporate silos.
That said, if I can give you a bit of advice:
Change that captcha on the registration page. It's really annoying to decipher, and likely doesn't do all that much to stop bots.
Instead, get a few questions and answers set up, and make them forum specific. Like, what startup aggregator is Hacker News associated with? What's FANG mean? What language are the frameworks React, Vue and Angular written in?
In other words, stuff a dedicated community member would know/could easily look up, but which a bot might not want to bother with.
That's much better to stop spam, and less annoying than figuring out what letters and numbers are in a captcha.
Thanks for signing up and thanks for the feedback! I agree that that captcha sucks, but it's the default so I left it for now. I'll add all this to my todo list!
I have a different problem in that the captcha will not get validated for me! I tried registering, but it seems that no matter how many times I try the captcha code shwos invalid. I'm not a bot, I swear! :)
I'm honestly not the biggest fan of discourse, though I do appreciate it as a project. I like the old school BB style.
One opportunity we have as a forum is to create continuity between the trending conversations and more "long term" discussions that are difficult to have on a platform that is churning out new content constantly and lacks notifications about replies etc
139 comments
[ 40.5 ms ] story [ 1383 ms ] thread(Specifically this part of the thread: https://news.ycombinator.com/item?id=17071224)
I spun up an instance of phpBB (trying to keep costs down) and customized a ThemeForest theme to make it not ugly. I'll post a thread today that lists all of my notes from the setup process of the site for anyone interested.
I'm a huge fan of the bulletin board/flat forum model of communication, so I'm hoping this site can blossom into a community of high quality folks having high quality conversations.
EDIT: Also, this is my first foray into setting up and using phpBB, so please let me know if I need to adjust anything. I tried to keep most settings at the default because I assumed that made more sense than me tickering, but I'm all ears if things are weird.
Overall though, nodeBB looks really nice, so go for it!
I would love to be corrected in this, (and in fact I'm prototyping a NodeJS+NuxtJS+VueJS forum on the weekends, but don't expect a release this year) but I think you're better off sticking with the PHP variety of forums. I think that's where maturity, stability, and extensions ecosystem shine.
Another major upside to forums is the ability to easily directly connect to folks. I've made many friends that way over the years in various forums, and business partners.
E.g., "Can you believe this trash got on the front page!" everyone proceeds to downvote or "hey my show hn is up!" everyone upvotes.
Worth a shot at least.
I am working on a somewhat related idea : a site like reddit, but which also has a chat room for each subreddit/topic + public moderation logs among other features. I launched with only the chat rooms part of it and I faced the issues mentioned above, so I'm interested in hearing about your approach. Good luck!
Totally agreed that forums (and communities in general) have the cold start problem, and there's no real good solution for it.
I do have some ideas though.
1) I'm interested in whipping up a simple phpBB mod that enables Link posts (like here on HN). That will help with the News posting aspect of the community. Thread here: https://hackerforums.co/the-lounge-f3/idea-extension-for-php...
2) I'm going to write up a fairly detailed thread later today that explains in more detail the Why of setting up the site, and the How I did it (literal technical details for those interested). I'll post that here and on Reddit and a few other places to hopefully get some exposure. Cool kids call that "traffic leaking" where you get valuable content in front of active communities, so might drive some traffic.
3) I'm debating setting up a contest of sorts, where members can earn a special badge/title by actively participating in the forum. So for example, start 10 threads and post 25 replies in threads and earn a special badge on your account for eternity. Silly, sure, but could be a simple fire starter.
But yeah, overall, it's a challenging thing to do, and I've failed at it a few times over the years in trying to start forums. I still really love them though, so I wanted to try it again.
BTW: Post your project here! :) https://hackerforums.co/show-hf-f7/
Especially when you're likely talking about interesting topics / questions people google for. It seems in recent years that going has favored articles over forum topics in their results, but I'm sure there's still plenty of search traffic that goes to forums to bring in new users.
1. Fake it, like on Reddit. Setup a bunch of fake users and create a ton of topics until activity really kicks in.
2. Do exchanges and deals on forum promotion and community management sites. For example, you can ask the people on Forum Promotion for exchanges, where you do five posts on their site in exchange for five posts on yours or what not.
3. Pay some sort of service for content.
One or more of those could work for this site.
[phpBB Debug] PHP Warning: in file [ROOT]/includes/functions_messenger.php on line 506: count(): Parameter must be an array or an object that implements Countable
Probably best to turn off debugging statements.
Just so I'm clear, this happened immediately after registering? Or did you do anything else that triggered this?
I could be wrong, (I'm a Python guy - not PHP), just seems a safe assumption that it's likely not the only spot.
NO.
It's better to improve the code than roll back to an older and less secure version of the language.
This is PHP we're talking about, after all.
Put up or shutup.
Please don't do this. Have a minimum length, but don't force me to miss it up. My password manager shouldn't have to try multiple times to generate matching passphrase.
The derivative with respect to a is: b(a^(b-1)).
The derivative with respect to b is: log(a)(a^b) or (a log(a))(a^(b-1)).
So it's better to increase b when alog(a) > b. Which is typically the case where a is 26 for lowercased letters and b is like 10 for password length.
This analysis might not be totally correct since the cost of adding one extra allowed character vs increasing password length by one is not the same but w/e.
When they don't allow spaces in passwords either, I worry.
Along the same lines though is OPAQUE PAKE, where the server doesn't need to store a password hash, only a salt, making server compromise far less dangerous, it's quite elegant.
There's no implementations so far I believe.
https://eprint.iacr.org/2018/163
There are some other advantages that others have already mentioned, but even if that was all it did it would still be useful in inhibiting an attacker from learning the actual passphrase which many users are likely to have reused on other services.
Sending a password in plaintext over HTTPS is more secure than hashing it in javascript first and sending the hash.
If it's practical to find a hash collision, your hash algorithm is broken.
> which is made easier with the ability to study the client-side code doing the hashing, and taking note of the algorithm and methods used.
The security of a system should not depend at all on that information being secret.
e.g. password + client_salt => hash => send to server => (hash+server_salt)^hash2 => compare to db
By doing this you'd protect a user when their password might be accidentally logged (e.g. Twitter recently). Then if you compromise the hash you don't immediately reveal the password itself, just the text needed to authenticate, which can be changed. If you simply change the salt used client side you may not even need to have the user change their password (although obviously better if they did).
That said, I don't think this is required, but there is actually a case for it. Also obviously you should never log the password, but mistakes are made. This helps mitigate the risk of that password being exposed.
I've inherited several ancient code bases where everyone knew silly password rules were a legacy requirement. And ultimately after a lot of digging, every time they were a "legacy limitation" because the original project manager called for it, and could easily be removed by commenting out one check. Which was never allowed to happen, because it was a "constraint that couldn't be changed".
I do accept there are databases with eight character fields for maximums, but beyond that, I'm interested in any genuine experience.
They didn't, they just chose off the shelf PHP forum software written by idiots that does this and a million other stupid things.
From what I can tell so far, what we setup seems to be working fine. If we hit a wall, I'll search out the next most practical option.
I can see the temptation to want to hack around on it because it's a forum for hackers, but it's not as if HN is taking pull requests either.
EDIT: Changed this to just have a minimum length restriction. Thanks for the feedback!
Please, disable cookies for HackerForums.co too.
I mistook this for being about usernames at this hacker forum
I'm not sure about this approach though. Forums are too centralized and don't feel interactive enough. I'd much rather see a HN community on Matrix or something similar.
However...
Your FAQ link leads to a 404 page, and the "legalese" on the registration page seems like a bit much to me. And why should I need to be registered to see the "team" page and profiles?
It's just a web forum, don't take things so seriously. You're an admin, you can literally just ban people for acting up, you don't have to expect to back it up in a court of law or anything.
All of those items are in my todo list now!
Discord seems to be a chat app, which is quite different than a forum and even HN itself
https://www.discourse.org/about (FWIW)
https://hackerforums.co/help/faq
That said, if I can give you a bit of advice:
Change that captcha on the registration page. It's really annoying to decipher, and likely doesn't do all that much to stop bots.
Instead, get a few questions and answers set up, and make them forum specific. Like, what startup aggregator is Hacker News associated with? What's FANG mean? What language are the frameworks React, Vue and Angular written in?
In other words, stuff a dedicated community member would know/could easily look up, but which a bot might not want to bother with.
That's much better to stop spam, and less annoying than figuring out what letters and numbers are in a captcha.
Still, hope the forum works out well!
Topics shouldn't be the same as those found on hackernews, those would be redundant though.
I would suggest using discourse.org instead of rolling your own phpBB instance
I'm honestly not the biggest fan of discourse, though I do appreciate it as a project. I like the old school BB style.
One opportunity we have as a forum is to create continuity between the trending conversations and more "long term" discussions that are difficult to have on a platform that is churning out new content constantly and lacks notifications about replies etc
I've been keep track of HN related things people have built and added this also
https://github.com/keithn/HackerNewsCommunity