I actually witnessed SQL Injection

SQL injection is one of those hacks you can do on websites with really bad security practices. It can occur whenever your database query includes user input. If the user puts something you don’t expect, they can alter the database in ways that you don’t expect.

A funny example – which is kind of famous in engineering circles – is given in the webcomic XKCD.

Now about 10 years ago, I coded up a site called Stickymap. It was a local search site where users could post interesting locations in their neighborhood and leave a description. It was coded in PHP. You can secure PHP if you’re careful, but it’s very difficult to do so. If you use PHP in your organization, there should be very specific rules around running SQL queries.

Well – one of my queries did not escape the user-generated data. And, long story short, someone changed every single venue name to “Bureau Veritas”. Every single one. In the world.

After I investigated, I don’t think that this was the intent. I think that the user was trying to add a (very spammy) description to a single venue that short-circuited the query so that the “WHERE clause” didn’t make it in. For those of you who don’t know, the WHERE clause in an UPDATE statement tells the database which items to update. If there is no WHERE clause, it’ll update everything. Pretty insane, right?! It should probably update nothing.
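To make the “WHERE clause didn’t make it in” failure concrete, here is an added example (not Stickymap’s own code, which was PHP): it uses Python’s sqlite3 with a constructed three-row venues table and a constructed spammy description, and shows the string-concatenation pattern beside the parameterized version.

```python
import sqlite3

# Constructed sample data standing in for a venues table; names and columns are assumptions.
VENUES = [(1, "Corner Cafe", ""), (2, "Book Nook", ""), (3, "River Park", "")]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE venues (id INTEGER PRIMARY KEY, name TEXT, description TEXT)")
    conn.executemany("INSERT INTO venues VALUES (?, ?, ?)", VENUES)
    conn.commit()
    return conn


def update_description_unsafe(conn, venue_id, description):
    """The pattern that bit Stickymap: user text pasted straight into the SQL string."""
    sql = f"UPDATE venues SET description = '{description}' WHERE id = {venue_id}"
    cur = conn.execute(sql)
    conn.commit()
    return cur.rowcount  # how many rows the UPDATE actually touched


def update_description_safe(conn, venue_id, description):
    """Hardened form: the query shape is fixed; user text travels as a bound parameter."""
    cur = conn.execute(
        "UPDATE venues SET description = ? WHERE id = ?", (description, venue_id)
    )
    conn.commit()
    return cur.rowcount


def descriptions(conn):
    return [row[0] for row in conn.execute("SELECT description FROM venues ORDER BY id")]


# Constructed input in the spirit of the spammy description from the post: a stray quote
# closes the string literal early and "--" turns the rest of the line, WHERE clause
# included, into a comment.
SPAMMY = "Bureau Veritas' -- "

if __name__ == "__main__":
    conn = make_db()
    print("unsafe rows changed:", update_description_unsafe(conn, 2, SPAMMY))  # 3: every venue
    conn = make_db()
    print("safe rows changed:", update_description_safe(conn, 2, SPAMMY))  # 1: only venue 2
    print(descriptions(conn))
```

In PHP the safe version corresponds to a PDO or mysqli prepared statement; checking the affected-row count on any UPDATE that should touch exactly one row is a cheap extra guard.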

I wonder how that person/spammer felt after they did this. Were they shocked? Did they move on to another site? Who knows!?

Fortunately, I had enough backup data to restore the Stickymap database while I was in San Francisco. Of course this always happens when I’m in San Francisco away from my home computer!!

Furthermore, I plugged up the security hole on the site. It’s pretty cool that the security hole was left unexploited for 10 years and then all of a sudden was found. Who knows what problems we have lurking in our more critical systems? I like to hope those are more widely tested. You also want to see systems that hackers are constantly trying to exploit because that means that the owners of that system have been forced to plug the security holes. For example, I would rather trust software that’s been cracked and plugged a few times in the past than software that’s never been hacked but also never left out in the wild either.

Anyway – if someone out there wants to tell me there are more security holes in my site – let me know! But please try not to destroy Stickymap – it’s my fun mid-2000s space on the internet and a reminder of how far we’ve come on local search.

And if you are the accidental culprit and you come forward, I’ll either interview you for the blog, or I’ll owe you a beer!

Marsbot and Chatbots


I spoke about Marsbot a number of times on this blog, but I wanted to write my own (short) piece on what we did and why we did it. The short of it is that Marsbot is a personal assistant that tells you about all the best places around you and what to do there. The secret sauce is that you don’t have to put much into it to get use out of it – you just download the app on your phone (iPhone or Android) and it automatically discovers where you go and what you like. Sometimes it’ll ask you a question or two, but it also infers a lot automatically.

To get more information about it from a product perspective, I recommend that you check out both Dennis Crowley’s post on Medium and also from Foursquare (and Marsbot) Product Manager Marissa Chacko. You can also check out my talk at Talkabot in Austin. We all worked together on this for a while and are pretty psyched about the results.

Especially last December, when we got on Mashable’s 12 best Apps of the year. It’s nice to be on the same list as Pokemon Go – even though we have far fewer users.

Now that it’s been out for a while, here are a few of my takeaways from the experience.

1) Context is everything. Discoverability in the bot space isn’t going to be like discoverability in the app space. There probably won’t be a “bot store” and even if there is, it’ll be very difficult to break through like the App stores. The winners are going to have to stand out and learn something very specific about users to help them complete a task (or have fun). Foursquare now has the Pilgrim SDK to allow other apps (and in the future hopefully bot platforms) to have the same superpowers that Marsbot has.

2) Natural Language Understanding (NLU) is the ability for a computer to understand human input. When it comes to bots, sophisticated NLU doesn’t mean much unless the backend code can actually act on that understanding. For example, suppose you text Marsbot to say that the recommendation is “too far”. An NLU system that gets that is only worth it if there’s a backend module where Marsbot can give a closer recommendation. (There is by the way)! Therefore when it comes to bot design, I think the thing to focus on is what actions you want the bot to be able to take and expand on those. The NLU can be heuristic-based at first, and one day can be replaced by a sophisticated AI system only after a wide variety of actions are coded in the system.

3) I’m really into the conversational aspect of this. The hook for Marsbot is that it talks to you, not the other way around – but many of our users talk to Marsbot and seem to try to form a friendship with it. I imagine a seamless conversation where you can object to Marsbot’s recommendations (for both places and menu items) with reasons until it comes up with a solution. I mentioned this in my talk in Austin, and some of it is implemented (too far, too expensive), but Marsbot doesn’t understand more than 1 command at a time. It would take a bit of work to make a fully fleshed-out, human-like conversation work.

4) Marketing these bots and getting them to capture the public imagination is hard. Marsbot was lauded in the tech press, but the user numbers remain small. And even if you can build a bot with very large user numbers, how do you transition from being a fun curiosity to an indispensable tool that people rely on? I think a lot of bot-makers are doing some interesting things in the enterprise space where they can sell their technology to organizations. For the individual consumer space, the secret to the bot-hit is still elusive, but may be cracked someday!

5) You haven’t heard the last of this technology from Foursquare. I think that our Pilgrim SDK will power bots like Marsbot, and our NLP + recommendation powers will continue to grow. If you’re in the US, download Marsbot on your iPhone or Android device, and let me know how it goes (@maxsklar)!