falsereality


Registered: 04/01/13
Posts: 4,112
I'm Out
#23658466 - 09/19/16 11:11 AM (7 years, 5 months ago)
So, I called someone an idiot and now my ratings are permanently disabled? Fucking ridiculous. The specified reasons for the removal of my ratings are as follows:
Quote:
Infraction type: Inappropriate Rating
Offending Rating: lol (left for DinduNuffin)
Infraction description: Misusing the rating system to flame, troll or otherwise harass another member.
Ban details: Leaving automated ratings to manipulate the normalized values.
Leaving automated ratings is not against the rules, nor is artificially increasing the weight of ratings by exploiting a shittily designed ratings weight system.
DinduNuffin deserved to be called an idiot, because he is a fucking idiot that started an illegal contest on this site, encouraging members in various countries to commit a crime for a chance to win money he never intended to pay out.
Additionally, the vast majority of my non-automated ratings were positive, aside from a select few which I would otherwise happily defend if the following didn't apply.
This site has slowly become worthless to me, its design is outdated, the general populace is retarded, the ratings system is broken, the anon feature is useless (I was going to mention the exploit before my rating were removed, but fuck that), and legitimate discussion of vendors is prohibited due to a profit incentive because smoothly integrated monetization is apparently too difficult a concept to implement for you guys.
The rules are draconian, and with the addition of trigger-happy mods I'm done with this mickey-mouse horse-shit.
Peace out bitches.
Ythan
ᕕ( ᐛ )ᕗ


Registered: 08/08/97
Posts: 18,803
Loc: NY/MA/VT Borderlands
Huh, thanks for the heads up, I really thought we had closed all the vulnerabilities related to anonymous posting. I'll have to take a look at the code and see if I can figure it out. If one of our members beats me to it, I'll send $100 via Paypal to anyone who discloses how to get someone's identity from an anonymous post. No questions asked and it can be completely private and anonymous. Please contact me via PM or e-mail ythan@shroomery.org.
falsereality


Registered: 04/01/13
Posts: 4,112
|
Re: I'm Out [Re: Ythan]
#23658742 - 09/19/16 01:11 PM (7 years, 5 months ago)
Quote:
Ythan said: Huh, thanks for the heads up, I really thought we had closed all the vulnerabilities related to anonymous posting. I'll have to take a look at the code and see if I can figure it out. If one of our members beats me to it, I'll send $100 via Paypal to anyone who discloses how to get someone's identity from an anonymous post. No questions asked and it can be completely private and anonymous. Please contact me via PM or e-mail ythan@shroomery.org. 
I'm permanently banned from PayPal because I hacked PayPal.
Counter-offer: I'll give you the code to de-anon users and outline what changes need to be made to remove the most obvious attack vector for 1k USD in BTC.
Ythan
ᕕ( ᐛ )ᕗ


Registered: 08/08/97
Posts: 18,803
Loc: NY/MA/VT Borderlands
Heh, no thanks, at my current hourly rate I'm pretty sure I can figure it out for less than that. But I do appreciate your bringing a potential vulnerability to my attention! I'll be glad to hook you up with a free supporter account for that if you want.
falsereality


Registered: 04/01/13
Posts: 4,112
|
Re: I'm Out [Re: Ythan]
#23658820 - 09/19/16 01:36 PM (7 years, 5 months ago)
Quote:
Ythan said: Heh, no thanks, at my current hourly rate I'm pretty sure I can figure it out for less than that. But I do appreciate your bringing a potential vulnerability to my attention! I'll be glad to hook you up with a free supporter account for that if you want. 
Touché. How about we settle in the middle, with you reinstating my ratings in return for the exploit?
Ythan
ᕕ( ᐛ )ᕗ


Registered: 08/08/97
Posts: 18,803
Loc: NY/MA/VT Borderlands
Hah, very well you win this round Mr. reality... sounds more than fair. E-mail me please at ythan@shroomery.org?
falsereality


Registered: 04/01/13
Posts: 4,112
Will do. Thanks Ythan!
idiotek


Registered: 02/06/04
Posts: 40,728
So are you back in?
falsereality


Registered: 04/01/13
Posts: 4,112
Quote:
idiotek said: So are you back in?
I was never out. All I really wanted in the first place was to get my ratings back.
idiotek


Registered: 02/06/04
Posts: 40,728
I know, ratings are super important, that's why I'm so excited to give you one when yours get restored.
falsereality


Registered: 04/01/13
Posts: 4,112
Quote:
idiotek said: I know, ratings are super important, that's why I'm so excited to give you one when yours get restored.
I don't directly care about my ratings, I think they're a nice touch, but it's pretty fucking insulting to just remove someone's ability to use a core site feature because said feature was poorly designed and easily exploited (without breaking site rules).
Using the excuse "Flamin'" because I called someone an "idiot" was such a bullshit reason to permanently disable my ratings.
John Nada
Toujours Frais

Registered: 03/03/03
Posts: 97,746
Loc: Hotwings; race car
Send it to me as well. Is it in PHP?
falsereality


Registered: 04/01/13
Posts: 4,112
Thanks for reinstating my ratings, Ythan. I'll email you the exploit and fix within 48 hrs. I would do it sooner but I'm kinda preoccupied with a client today.
Quote:
John Nada said: Send it to me as well. Is it in PHP?
PHP/XML... and no, not sending it to you.
John Nada
Toujours Frais

Registered: 03/03/03
Posts: 97,746
Loc: Hotwings; race car
Gross. Send it to me anyway. 
And I don't care about the actual exploit, I just want to look at the code. You can wait til Ythan fixes it if you like.
Asante
Mage


Registered: 02/06/02
Posts: 87,078
I applaud how you handled this falsereality. Thumbs up
-------------------- Omnicyclion.org higher knowledge starts here
sprinkles
otd president


Registered: 10/13/12
Posts: 21,527
Loc: washington state
ratings are things that say people care (or dont care) about me.
Edited by sprinkles (09/22/16 08:14 AM)
falsereality


Registered: 04/01/13
Posts: 4,112
|
Re: I'm Out [Re: Asante]
#23667194 - 09/22/16 05:24 AM (7 years, 5 months ago)
@Ythan The exploit vector string is CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:R/CR:L/IR:L/AR:L/MAV:N/MAC:H/MPR:N/MUI:N/MC:L/MI:N/MA:L
Meaning that the attack complexity is high, complex enough that de-anonymizing members takes a non-negligible amount of effort. Although there is an easy patch, it would require modification of source code which I don't have access to. Network pattern analysis was used in a proof-of-concept model to de-anonymize a user by tracking the time intervals between posts of a targeted member and correlating them with the time intervals between posts in a sub-forum presumed to be used by the suspected member; by forming a Markov matrix from the collected data, a probability can be determined that anon#x is "$username". The accuracy of the program is logarithmically proportional to the amount of data collected.
I don't personally use facebook, but a similar example of this method was used to determine the sleep cycles of people's friends on facebook messenger:
A simple patch for this is to reduce the precision of post timestamps when a user posts anonymously; a more secure approach would be to randomize the delay between when an anonymous post is actually submitted and when it becomes publicly viewable, although I think this would be overkill.
The actual code was refactored into Python; let me know if you still want me to email it to you. I figured it was harmless enough to post the methodology because the fix wouldn't take much time at all.
One of my other suggestions is to change the ratings weight system to give more weight to users that have received more positive ratings, instead of to those that have handed them out (like I did with an automated rating program).
Quote:
Asante said: I applaud how you handled this falsereality. Thumbs up 
I probably could have been less of a dick, but thanks.
Edited by falsereality (09/22/16 05:26 AM)
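The two mitigations named in the post above (coarser timestamps on anonymous posts, and a randomized delay before an anonymous post goes public), as an added Python example that is not falsereality's code nor the site's; the 15-minute bucket, the 30-minute maximum delay and all function names are assumptions.

```python
import random
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
# Assumed parameters (not from the thread): 15-minute display granularity and
# at most a 30-minute random delay before an anonymous post becomes visible.
BUCKET = timedelta(minutes=15)
MAX_DELAY = timedelta(minutes=30)


def utc(*parts):
    """Build a timezone-aware UTC datetime from (year, month, day, h, m, s)."""
    return datetime(*parts, tzinfo=timezone.utc)


def coarsen(ts, bucket=BUCKET):
    """Round a UTC timestamp down to the start of its bucket, discarding
    sub-bucket precision (the 'reduce timestamp precision' mitigation)."""
    seconds = int((ts - EPOCH).total_seconds())
    width = int(bucket.total_seconds())
    return EPOCH + timedelta(seconds=seconds - seconds % width)


def schedule_anon_post(submitted_at, rng=None, bucket=BUCKET, max_delay=MAX_DELAY):
    """Return (publish_at, displayed_at) for an anonymous post.

    publish_at  : when the post becomes publicly visible; the submission time
                  plus a uniformly random delay in [0, max_delay]
    displayed_at: the timestamp shown to readers, derived from publish_at
                  (never from submitted_at) and then coarsened
    """
    rng = rng or random.SystemRandom()  # unpredictable delay by default
    delay = timedelta(seconds=rng.uniform(0, max_delay.total_seconds()))
    publish_at = submitted_at + delay
    return publish_at, coarsen(publish_at, bucket)


def release_due(queue, now):
    """Scheduler step: return queued posts whose publish_at has passed, in
    release order, so the public thread never shows a post early."""
    return sorted((p for p in queue if p["publish_at"] <= now),
                  key=lambda p: p["publish_at"])


def submission_window(displayed_at, bucket=BUCKET, max_delay=MAX_DELAY):
    """Interval in which the true submission time must lie given only the
    displayed timestamp; a defender's check on how much timing an observer
    can still recover. publish_at lies in [displayed_at, displayed_at + bucket)
    and submitted_at = publish_at - delay with delay in [0, max_delay]."""
    return displayed_at - max_delay, displayed_at + bucket
```

Widening the bucket or the maximum delay widens the window returned by `submission_window`, which is the knob that trades thread latency against how precisely post times can be correlated.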
John Nada
Toujours Frais

Registered: 03/03/03
Posts: 97,746
Loc: Hotwings; race car
Thanks for explaining the basic logic. That's all I really wanted to know. Very interesting.
sprinkles
otd president


Registered: 10/13/12
Posts: 21,527
Loc: washington state
Quote:
John Nada said: Thanks for explaining the basic logic.
I LOL'd that you pretended to understand stuff.
John Nada
Toujours Frais

Registered: 03/03/03
Posts: 97,746
Loc: Hotwings; race car
Hush, Sprinkles, real humans are talking.