EllisDSox
King Hella!

Registered: 01/22/07
Posts: 25,730
You're fucking out, I'm fucking in.
-------------------- Disclaimer: If you have any kind of heart condition, my posts are not for you. You could literally die from reading the first couple of words in any one of them. Scroll down the page, live your life and prosper, but don't read my posts because your heart will probably explode. I am not joking.
Ythan
ᕕ( ᐛ )ᕗ


Registered: 08/08/97
Posts: 18,803
Loc: NY/MA/VT Borderlands
Last seen: 9 hours, 52 minutes
Thanks a lot for taking the time to explain. It's always nice to get a vulnerability report from someone who knows what they're talking about! I do wish you'd approached me about it directly, we're not stingy with our bug bounties and we're always looking for opportunities to partner with talented programmers to further develop the site. But, I understand you may not be looking for more professional obligations, and it can be hard to resist poking at a site's code. I've certainly been guilty of this myself over the years. I wouldn't trust a programmer who's never been curious enough to poke around where they don't belong!
So basically, we don't seem to be leaking privileged information, this comes down to the fact that we typically only have ~100 - 300 registered members online at any one time, and using historical data it's possible to narrow that pool by correlating the timestamp of anonymous posts with the timestamp of non-anonymous posts, and figuring out both the common times a user is likely to post and also how much time tends to elapse between them posting. With this information it can be possible to make an informed guess at the identity of an anonymous poster, although it wouldn't be possible to confirm.
I'm not convinced this is as effective as you claim. For example, these are the top five threads in the Anon forum at the moment:
https://www.shroomery.org/forums/showflat.php/Number/23663667#23663667
https://www.shroomery.org/forums/showflat.php/Number/22390595#22390595
https://www.shroomery.org/forums/showflat.php/Number/23491387#23491387
https://www.shroomery.org/forums/showflat.php/Number/23448803#23448803
https://www.shroomery.org/forums/showflat.php/Number/23643081#23643081
You've said you have a proof-of-concept, but are you actually able to identify the OP in any one of those threads with reasonable confidence? (Obviously, if so, please only reveal them to me privately.) I feel like I understand your description, but I can't get your reported results with my implementation (even with full access to our metadata, and the ability to check my accuracy and iterate based on the results). If you have working code we might want to buy it from you, if for no other reason than to help test our remediation efforts. But it'd have to work a lot better than my own attempt. In the past I've played around with similar concepts for puppet detection, and they were never anywhere close to accurate enough to put into service.
As far as the ratings go, you definitely exposed an example where our algorithm could be manipulated, and we need to fix it (by changing our formula, not by banning people who try to take advantage of it). I've adjusted things so your exploit is no longer viable, but I'll need to set aside some time to pursue a better formula which more accurately reflects our intentions.
Also, I want to thank you because your post got me looking through our code more closely and I did find one vulnerability which could directly reveal any anonymous poster. But our members should know that's fixed now; it was due to a decommissioned script in a non-standard location, and in the access logs we've retained, I don't see any hits which might have revealed sensitive data.
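To put a number on the risk Ythan describes above (a few hundred members online, so timestamp correlation shrinks the pool of plausible authors) and to try timestamp coarsening as a remediation, here is an added example that is neither the site's code nor anything either poster wrote; the activity log, member names and anonymous post time are all constructed.

```python
from datetime import datetime, timedelta

# Constructed activity log of non-anonymous posts: (member, post time). It stands
# in for the site's own post log, which this example does not have.
ACTIVITY = [
    ("alice", datetime(2016, 9, 22, 14, 5)),
    ("bob",   datetime(2016, 9, 22, 14, 9)),
    ("carol", datetime(2016, 9, 22, 13, 20)),
    ("dave",  datetime(2016, 9, 22, 14, 40)),
    ("erin",  datetime(2016, 9, 22, 15, 30)),
    ("frank", datetime(2016, 9, 22, 12, 10)),
]
# Constructed: the exact time an anonymous post was made.
ANON_POST_TIME = datetime(2016, 9, 22, 14, 7)


def anonymity_set(anon_time, activity, window=timedelta(minutes=10)):
    """Members with a non-anonymous post within +/- window of the anonymous
    post's exact time: the pool a timestamp-correlating observer is left with.
    Its size is the k in k-anonymity for that post; a small k is the risk."""
    return {member for member, t in activity if abs(t - anon_time) <= window}


def coarsen(ts, granularity=timedelta(hours=1)):
    """Floor a timestamp to the start of its bucket. This is what the site would
    publish for an anonymous post instead of the exact time."""
    epoch = datetime(1970, 1, 1)
    seconds = int((ts - epoch).total_seconds())
    step = int(granularity.total_seconds())
    return epoch + timedelta(seconds=seconds - seconds % step)


def anonymity_set_coarsened(anon_time, activity, window=timedelta(minutes=10),
                            granularity=timedelta(hours=1)):
    """Same pool when only the coarsened time is visible: the true time may be
    anywhere in the bucket, so anyone active within window of any moment in it
    is a candidate. Larger buckets give a larger, safer pool."""
    start = coarsen(anon_time, granularity)
    end = start + granularity
    return {member for member, t in activity if start - window <= t <= end + window}


if __name__ == "__main__":
    print("exact timestamps   k =", len(anonymity_set(ANON_POST_TIME, ACTIVITY)))
    for hours in (1, 4):
        k = len(anonymity_set_coarsened(ANON_POST_TIME, ACTIVITY,
                                        granularity=timedelta(hours=hours)))
        print(f"{hours}h buckets         k = {k}")
```

With exact timestamps the constructed log leaves k = 2; one-hour buckets raise it to 3 and four-hour buckets to all 6 members, which is the effect a remediation should be measured by.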
sprinkles
otd president


Registered: 10/13/12
Posts: 21,527
Loc: washington state
Last seen: 3 years, 1 month
Re: I'm Out [Re: Ythan]
#23668614 - 09/22/16 04:12 PM (7 years, 5 months ago)
castle of words I understand not.
nerds will rule the land when virtual reality hits mainstream. no one will live in reality anymore. people will find it easier to manipulate a false reality than real reality to attain what they want. Just jam in a feeding tube, urinary catheter, and butt irrigation thingie and hook me up to the virtual land please.
Thank goodness the end of the church age is coming (the Armageddons). I'll be raptured the fuck out while yawl deal with atomic war and stuff like that.
falsereality


Registered: 04/01/13
Posts: 4,112
Hey, if you ever need someone to design a new site feature, I've been programming for about a decade, and am always looking for new revenue streams and business partners. I think with the right search engine optimization, social media marketing, and a touch of asymmetrical cyber-warfare this site could easily become the dominant drug forum on the internet, increasing the profitability of this site by a significant margin.
As far as poking around where I don't belong, man, I could tell you some crazy stories.
I believe your implementation didn't work that well because not enough data was collected. The accuracy of the exploit is logarithmically proportional to the amount of data analyzed. I wrote the code specifically for romper-room usage because there's such a huge pool of data to pull from (not that I actually used it to de-anon people, that would be hella sacrilegious imo). I'll take a look at those links and shoot you an email if I can de-anon the posters, no promises though.
I have a few ideas on how to improve the puppet tracker via language style analysis, however it might be overkill to bust a puppet.
I also think that moving the site/hosting/legal-entity to a different country could drastically reduce potential legal liability. A few nuclear bunkers converted into data centers in europe/asia spring to mind...
Not to mention DDOS-proof IRC channels accessible over TOR.
Thank you for taking the time to respond in-depth Ythan, it is highly appreciated and I'm glad we could reach a mutually beneficial agreement.
sprinkles
otd president


Registered: 10/13/12
Posts: 21,527
Loc: washington state
Last seen: 3 years, 1 month
you can program and design web pages but you can't use the "reply" feature? oh ok.
false claims
falsereality


Registered: 04/01/13
Posts: 4,112
Quote:
sprinkles said: you can program and design web pages but you can't use the "reply" feature? oh ok.
false claims
I use the reply function when it's not obvious who I'm replying to.
sprinkles
otd president


Registered: 10/13/12
Posts: 21,527
Loc: washington state
Last seen: 3 years, 1 month
you're too cool. will you be my friend? will you tell me how to be cool 'cause I also want to be cool. I wanna be like them uber cool kids. not the ones who probably aren't cool in real life but they are really cool here.
falsereality


Registered: 04/01/13
Posts: 4,112
Quote:
sprinkles said: you're too cool. will you be my friend? will you tell me how to be cool 'cause I also want to be cool. I wanna be like them uber cool kids. not the ones who probably aren't cool in real life but they are really cool here.
Yah sure, I need some bitch-work to be done to redo the graem panel so it loads faster. All the hard parts are done, I need each category of graems to be organized in xml files like so:
Code:
<?xml version="1.0"?>
<emotions>
    <emotion>um</emotion> <emotion>smile</emotion> <emotion>laugh</emotion> <emotion>grin</emotion> <emotion>biggrin</emotion> <emotion>cool</emotion> <emotion>evil</emotion> <emotion>wowz</emotion>
    <emotion>uhoh</emotion> <emotion>hehehe</emotion> <emotion>naughty</emotion> <emotion>uptosomething</emotion> <emotion>meanlaugh</emotion> <emotion>suckit</emotion> <emotion>finger</emotion> <emotion>wink</emotion>
    <emotion>smirk</emotion> <emotion>crazy</emotion> <emotion>lol</emotion> <emotion>lolz0rz</emotion> <emotion>lmafo</emotion> <emotion>laugh2</emotion> <emotion>rotfl</emotion> <emotion>rofl2</emotion>
    <emotion>dielaughing</emotion> <emotion>yesnod</emotion> <emotion>geordinod</emotion> <emotion>handth</emotion> <emotion>super</emotion> <emotion>tongue2</emotion> <emotion>imslow</emotion> <emotion>moneyeyes</emotion>
    <emotion>loveeyes</emotion> <emotion>inlove2</emotion> <emotion>flowers</emotion> <emotion>kiss</emotion> <emotion>love</emotion> <emotion>inlove</emotion> <emotion>hotidea</emotion> <emotion>undecided</emotion>
    <emotion>lipsrsealed</emotion> <emotion>confused</emotion> <emotion>ooo</emotion> <emotion>shocked</emotion> <emotion>blush</emotion> <emotion>tongue</emotion> <emotion>whistling</emotion> <emotion>rofl</emotion>
    <emotion>stars</emotion> <emotion>ashamed</emotion> <emotion>doh</emotion> <emotion>foreheadslap</emotion> <emotion>facepalm</emotion> <emotion>bored</emotion> <emotion>evil2</emotion> <emotion>mad</emotion>
    <emotion>mad2</emotion> <emotion>enraged</emotion> <emotion>grrr</emotion> <emotion>doublefu</emotion> <emotion>crankey</emotion> <emotion>gc</emotion> <emotion>psycrankey</emotion> <emotion>vaped</emotion>
    <emotion>cuss</emotion> <emotion>smile2</emotion> <emotion>bomb</emotion> <emotion>rant</emotion> <emotion>razz</emotion> <emotion>nonono</emotion> <emotion>shake</emotion> <emotion>cuckoo</emotion>
    <emotion>noway</emotion> <emotion>nono</emotion> <emotion>snub</emotion> <emotion>rolleyes</emotion> <emotion>whatever</emotion> <emotion>boring</emotion> <emotion>yawn</emotion> <emotion>drool2</emotion>
    <emotion>drooling</emotion> <emotion>dead</emotion> <emotion>shiftyeyes</emotion> <emotion>paranoid</emotion> <emotion>oogle</emotion> <emotion>eek</emotion> <emotion>what</emotion> <emotion>what2</emotion>
    <emotion>argh</emotion> <emotion>crazyeyes</emotion> <emotion>weirdeyes</emotion> <emotion>nut</emotion> <emotion>unbelievable</emotion> <emotion>shocked2</emotion> <emotion>wow</emotion> <emotion>crazy2</emotion>
    <emotion>whoa</emotion> <emotion>omgz</emotion> <emotion>whoah</emotion> <emotion>cloud9</emotion> <emotion>jawdrop</emotion> <emotion>frown</emotion> <emotion>sad</emotion> <emotion>crying</emotion>
    <emotion>emocry</emotion> <emotion>bitch</emotion> <emotion>cryariver</emotion> <emotion>hissyfit</emotion> <emotion>schoolsout</emotion> <emotion>hangovershades</emotion> <emotion>tinfoil</emotion> <emotion>sadyes</emotion>
    <emotion>tearchalice</emotion> <emotion>cellphone</emotion> <emotion>tunnel</emotion> <emotion>phreaklove</emotion> <emotion>awesome</emotion> <emotion>awesomenod</emotion> <emotion>awesanta</emotion> <emotion>tensegrin</emotion>
    <emotion>lmao</emotion> <emotion>pressure</emotion> <emotion>excitingthread</emotion> <emotion>thathurts</emotion> <emotion>dontdothat</emotion> <emotion>sadanddisappointed</emotion> <emotion>fangirl</emotion> <emotion>godno</emotion>
    <emotion>bluegirl</emotion> <emotion>flop</emotion> <emotion>regretthumbsup</emotion>
</emotions>
Just do that and then I'll discuss terms with Ythan for the complete code, SVS's ban being overturned is term numero uno, and I'll cut you in if we can reach an agreement that involves cash/btc payment.
falsereality


Registered: 04/01/13
Posts: 4,112
Re: I'm Out [Re: Ythan]
#23675257 - 09/24/16 09:03 PM (7 years, 5 months ago)
Quote:
Ythan said: https://www.shroomery.org/forums/showflat.php/Number/22390595#22390595
I have the real name of this poster, his DOB, age, address and mugshot along with the guy anon#1 was posting about. Although I used data mining, and not an exploit.
Also shot you an email Ythan, although not with the posters' info, unless you want me to send it to you. DOXXing people is kind of a step beyond finding someone's user name.
Magenta
I care!!


Registered: 06/14/09
Posts: 20,322
Loc: The land of plenty
Last seen: 3 months, 7 days
Re: I'm Out [Re: Ythan]
#23676131 - 09/25/16 09:07 AM (7 years, 5 months ago)
Quote:
Asante said: I applaud how you handled this falsereality. Thumbs up 
Dude! https://www.shroomery.org/forums/showflat.php/Number/23674256#23674256
He's hanging shit on you, don't take that shit!
For real though, I think the staff should be concerned about Falsereality.
"This site has slowly become worthless to me, its design is outdated, the general populace is retarded, the ratings system is broken, the anon feature is useless (...) and legitimate discussion of vendors is prohibited due to a profit incentive because smoothly integrated monetization is apparently too difficult a concept to implement for you guys."
Then he goes on to say: "Additionally, the vast majority of my non-automated ratings were positive"
He thinks the community is crap and yet he has rated most people positively. How does this make sense? Who cares, it's ratings. My point is that he's full of shit. I think that's obvious as he's still regularly participating in this horrible forum because his beautiful ratings were given back to him.
https://www.shroomery.org/forums/showflat.php/Number/23673891#23673891
Quote:
falsereality said: I have an ace up my sleeve that would completely compromise access to the site for a decent period of time. I like this site though, and I'm saving this for a black-swan event where I need to reverse a mod/admin's decision.
Calling the site worthless was a bluff (ergo, poker gif), this site is a cool place to talk to chill people and I legitimately want to help to make it better, not only from a security perspective, but also improving/adding user features and decreasing legal liability.
I can't share email correspondences with Ythan, but I would say there is a good chance SVS will get unbanned soon.
I decided to make this post after reading the above post of Falsereality's. This guy talks like a terrorist. They also seem like someone that gets off on others' fear. He's a liar and admits to deliberately using such conniving tactics to get what he does not deserve. He did post the above post in the Romp though, so I don't expect him to be banned for such a thing, but considering the recent circumstances I wanted to mention this post to make sure that the admins take all of this into consideration because he seems very legit and unshroomy to me.
Edit: rephrased a bad sentence, and fixed the reply to
Edited by Magenta (09/26/16 06:41 PM)
falsereality


Registered: 04/01/13
Posts: 4,112
Quote:
Magenta said: blahblahblaah
I'm predominantly a businessman magenta. I have no legal obligation to point out exploits I have found, and testing theoretical exploits in a foreign blackbox environment is dangerous, especially if you care about the site you've found a *potential* exploit for.
As far as my quid-pro-quo attitude, yeah, if I can deliver a service to someone in exchange for something other than money, I'm happy to do so, as the costs are simply turned into virtual changes.
If you would please fuck off from this conversation that would be great, I'm currently writing a response to ythan on this exact subject, and I started writing said email before you posted this bullshit.
As far as "speaking like a terrorist". I've been around the block quite a few times handling business negotiations, forgive me if I offered up a much faster graem panel for reduced ban time for SVS's. What the fuck is so terroristic about that? I wasn't even asking to get paid, just a reduction of his ban.
Ythan rejected my proposal and in turn, I'm just going to give him the new graem panel for free, no strings attached.
As far as the exploit I mentioned in the RR, it's still in early development. Not like I can just hand over an unfinished project. BTW, I would never maliciously attack the site like that regardless of circumstances.
Anyways, I'm done defending myself over nothing to a person that knows absolutely nothing about this situation.
PLURAL
PLUR


Registered: 01/16/14
Posts: 31,320
Loc: PLUR
Last seen: 10 days, 23 hours
Never? That's not what you just recently said.
-------------------- PLUR
falsereality


Registered: 04/01/13
Posts: 4,112
Re: I'm Out [Re: PLURAL]
#23677636 - 09/25/16 06:50 PM (7 years, 5 months ago)
Quote:
Treana said: Never? That's not what you just recently said.
I would be happy to clarify anything I have said.
koods
Ribbit



Registered: 05/26/11
Posts: 106,493
Loc: Maryland/DC Burbs
Last seen: 10 hours, 20 minutes
You may be a great coder and security expert, but you seem incapable of rendering assistance without bragging about it.
--------------------
NotSheekle said “if I believed she was 16 I would become unattracted to her”
falsereality


Registered: 04/01/13
Posts: 4,112
Re: I'm Out [Re: koods]
#23679588 - 09/26/16 11:39 AM (7 years, 5 months ago)
Quote:
koods said: You may be a great coder and security expert...
Thanks koods!
sprinkles
otd president


Registered: 10/13/12
Posts: 21,527
Loc: washington state
Last seen: 3 years, 1 month
you can safely secure my crap so my man cop doesn't get into it? i have my suspicions.