Stellar work. Your openness about everything is incredibly refreshing, and integration with RES was an awesome move. It's an easy choice to make the switch!
True. We use 12 rounds of bcrypt, though, so they should be at least moderately secure. It's the best solution we've found so far... we'd be happy to hear alternatives that allow us to generate secure hashes for the IPs and allow us to ban people by IP if necessary.
And yes, I know that 12 rounds of bcrypt doesn't mean much. It will delay brute force attacks, though.
If the only purpose is for IP blacklists (bans, DoS, etc.), then doing 12 rounds of bcrypt would be counterproductive. It'd be a lot of CPU usage on your end. Especially if it's done for every request.
A better approach would be something quicker to compute but that you can destroy equally easily. Generate a random token that cycles every X minutes/hours. Then HMAC the remote IP and this secret. Use the result for bans/rolling rate limiting. If you keep the token only in memory then you don't have to worry about the IP lists being leaked as they won't be recoverable.
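Added example, not part of the original comment or of MediaCrush's code: a minimal sketch of the rotating in-memory key plus HMAC scheme described above. The class name `RotatingIPPseudonymizer`, the rotation period, the injectable clock and the sample addresses are all assumptions made for illustration.

```python
import hashlib
import hmac
import ipaddress
import secrets
import time


class RotatingIPPseudonymizer:
    """Keyed IP pseudonyms for bans/rate limits; the key lives only in memory."""

    def __init__(self, rotate_seconds=3600, clock=time.monotonic):
        self._rotate_seconds = rotate_seconds  # the "X minutes/hours" (assumed value)
        self._clock = clock                    # injectable so rotation can be tested
        self._banned = set()
        self._new_key()

    def _new_key(self):
        # Dropping the old key makes every stored pseudonym unlinkable to an IP,
        # so the ban set from the previous window is discarded with it.
        self._key = secrets.token_bytes(32)
        self._key_born = self._clock()
        self._banned.clear()

    def _rotate_if_due(self):
        if self._clock() - self._key_born >= self._rotate_seconds:
            self._new_key()

    def pseudonym(self, remote_ip):
        self._rotate_if_due()
        # Canonicalize so equivalent spellings of one address map to one token.
        canonical = ipaddress.ip_address(remote_ip).packed
        return hmac.new(self._key, canonical, hashlib.sha256).hexdigest()

    def ban(self, remote_ip):
        self._banned.add(self.pseudonym(remote_ip))

    def is_banned(self, remote_ip):
        return self.pseudonym(remote_ip) in self._banned


if __name__ == "__main__":
    now = [0.0]                                # constructed fake clock
    hasher = RotatingIPPseudonymizer(rotate_seconds=600, clock=lambda: now[0])
    hasher.ban("203.0.113.7")                  # constructed documentation address
    print(hasher.is_banned("203.0.113.7"))
    now[0] = 601.0                             # past the rotation window
    print(hasher.is_banned("203.0.113.7"))
```

Because the key never leaves process memory, bans last at most one rotation window and do not survive a restart, and separate worker processes would each hold a different key unless they share one.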
They are certainly capable of paying for it... the facts show though that they are typically not good at shielding their source IP. The Wikipedia edit from the Senate IP, the tracking of the SAIC IP to NSA etc...
This is awesome, and I really appreciate the effort toward privacy/transparency. Along those lines, supporting do not track is great, but why use GA at all? Just implementation ease? Is this something you plan to move away from?
Well, GA is quite convenient - we get pretty graphs, realtime analytics and so on. It's not something we have considered moving away from, since it's trivial to disable it entirely. And it's not significantly worse than any other tracking tool.
I'd say it's substantially different from hosting your own Piwik, OWA, or even something like snowplow - where you could elect to avoid IP storage.
That said, those all entail a lot of work and/or additional cost. You're also absolutely right that allowing users to disable it (and ads) is an amazing feature.
Piwik is really ancillary to the discussion at hand, but I often see the claim that Piwik can't handle busy sites, and it's important to quantify the claim.
I've had success (and others report similar behavior) with 500,000+ hits per day. http://piwik.org/docs/optimize/ reports adequate support to higher levels. It's quite easy to set this up with EC2 + RDS, and using autoscaling gets you a very resilient solution that can easily handle those numbers. Also, in the case of mediacru.sh, many of the optimizations have little impact since they optimize for reporting on the already-gathered analytics. With only two analytics viewers/users - this is not much of an issue.
If you're doing more than 1mil per day, then I think something like snowplow, a commercial solution, or a fully custom solution are appropriate anyway.
In addition to what jdiez had to say about GA - we're trying to understand our audience a little better. MediaCrush uses tons of new web tech that won't work on outdated browsers, and GA helps us get an easy look at support for things like that. Also tells us what kind of media is most popular, and who's sending us traffic, which is just kind of nice to know.
Okay, I understand that using Google Analytics when we're so pro-privacy is a bit of a weird choice.
We've realised that self-hosting our analytics might be a better choice. I've created an issue[1] to discuss this matter. Ideally what we'd want is something as close to GA as possible - real time analytics being reasonably important.
Note: we were aware of the implications of using GA on the site, but since we offer the ability to disable them very easily we didn't think it was a big deal. That's a mistake on our part, so let's discuss how to fix it.
The demo page [1] uses a gif made from the Chuunibyou demo Koi ga Shitai! [2] anime. Was it a totally random choice, or did the MediaCrush crew do it purposely (aside from showing a big difference)? Apparently many geeks are after anime, but sadly their overall plot quality slowly deteriorates almost every year. That said, Chu2koi was actually one of the better series in 2012 Q4 (with a nice visual side too).
To be less off-topic: good job on making it, openness and finally shipping it.
To be fully honest I have no clue lol. I thought you had some type of method and that is why I was like oh damn this will be amazing for my new project :-) Best of luck, hope to see MP3 compression soon.
From what I've seen this is all free, which is of course great. And open source too. But I wonder if you guys have a business model? I mean somebody has to pay for those servers, right?
We don't have a business model right now. At this stage we're just trying to build a service with the best possible experience for the users. Monetization will come later, we can afford to pay server and bandwidth bills for now.
Our only source of income is donations and the advertisements that we show exclusively on the home page. You can check all of our accountability at https://mediacru.sh/transparency, by the way.
Brilliant. I wish you guys the best of luck. I hope all of this pays off in the end and you guys can make this awesome product profitable, because I hope to be using this for a long time :)
Oh, didn't know about that. Well, that's the good thing about being open source - you have some knowledge we didn't have, so submit a pull request fixing it, I'll merge it, and we'll all be a little bit happier.
Oh, thanks. I think this is a promising project but I'd like to point out a couple of things.
I tried to upload 3 different files: 2 PNG files (no more than 1MB in total) and a gif file (~5MB). I was only able to upload one of them (one of the PNG files). I tried to upload the same files on 2 different browsers (Chrome 29.0.1547.49 & Firefox 23) in both normal and private mode but the result was the same. Maybe you're dealing with heavy traffic right now or maybe the problem was on my side. I hope I don't sound like I'm criticizing you (not that there's anything wrong with that), but I'm merely pointing out my experience in the first 5 minutes. I'll keep using the service to see if everything works out, though. Because I'm currently looking for a service like yours.
Another point I want to make is similar to the one I've already made. You need to provide more information about the service. Clearly since this is an anonymous service, users won't be able to sign up for an account to manage their files, but what happens when I upload my files? Are they going to be indexed by the search engines? How long are you going to keep my files online?
Can you link me to your failed images? I'll see what's up. Load isn't too terrible at the moment.
As for information, I'll make sure it's more clear on the site, but I'll answer you directly as a temporary measure: When you upload your files, they disappear into our servers and can only be accessed by that URL. If you lost it, just upload it again, we'll hash it on the client before you actually do the upload. As for indexing, view pages are not shown in search engines. Your files stay there forever.
I don't have any links because the uploads weren't completed. I was able to upload the PNG file that I wasn't able to before, but I still can't upload any gif files. All of the gif files that I tried to upload got stuck at exactly this point: http://alog.lu/mcrush.png. I tried to upload a gif file that has a smaller size (~2MB), and it looked like I was going to upload it successfully, but the upload started all over again and then got stuck at the exact same point. It's really strange. I'm pretty sure it's not due to my connection because I can use any other website perfectly fine and I did try to upload different gifs from different browsers, but I got the same result. Maybe it's an OS-related issue? I'll try again tomorrow morning on Xubuntu to see if the problem persists. Thanks for your interest and your answers on other issues.
I am seriously impressed. I loaded up your README on github and had your app running within 10 minutes locally---including `gif` uploads. That's just really nice craftsmanship that is usually missing in fresh projects. Giant kudos to you guys.
(There were a couple trivial steps I had to do that weren't documented. I submitted a pull request. [1])
[1] - https://github.com/MediaCrush/MediaCrush/pull/108