|
Title: Avatar gripes [OT divergence split from tech board thread] Post by: yakuza699 on December 26, 2014, 10:01:31 AM PS: When will I be allowed to use an avatar so that I can stop posting this image? Probably never. At least for now they haven't yet announced that they will allow avatars in future.Title: Re: Reused R values again Post by: itod on December 26, 2014, 10:22:23 AM PS: When will I be allowed to use an avatar so that I can stop posting this image? Probably never. At least for now they haven't yet announced that they will allow avatars in future.Avatars are big security concern, one of the reasons for the last big bitcointalk fail when forum was down for several days. Doubt they will enable them ever again: http://iamajin.blogspot.com/2014/11/when-gifs-serve-javascript.html (http://iamajin.blogspot.com/2014/11/when-gifs-serve-javascript.html) Title: Re: Reused R values again Post by: JorgeStolfi on December 26, 2014, 12:33:18 PM Avatars are big security concern, one of the reasons for the last big bitcointalk fail when forum was down for several days. Doubt they will enable them ever again: http://iamajin.blogspot.com/2014/11/when-gifs-serve-javascript.html (http://iamajin.blogspot.com/2014/11/when-gifs-serve-javascript.html) That risk could have been eliminated by converting every uploaded image to TIFF (say) and then to PNG. Or to PNG then to GIF. This simple solution would also have the advantage of disallowing those irritating animated avatars. EDIT: or just prohibit GIF images, why not? Title: Re: Reused R values again Post by: itod on December 26, 2014, 12:49:27 PM Avatars are big security concern, one of the reasons for the last big bitcointalk fail when forum was down for several days. Doubt they will enable them ever again: http://iamajin.blogspot.com/2014/11/when-gifs-serve-javascript.html (http://iamajin.blogspot.com/2014/11/when-gifs-serve-javascript.html) That risk could have been eliminated by converting every uploaded image to TIFF (say) and then to PNG. Or to PNG then to GIF. This simple solution would also have the advantage of disallowing those irritating animated avatars. EDIT: or just prohibit GIF images, why not? You haven't looked at it carefully, PNGs & JPEGs & BMPs are also affected. Not sure about TIFF. Title: Re: Reused R values again Post by: JorgeStolfi on December 26, 2014, 04:51:51 PM Avatars are big security concern, one of the reasons for the last big bitcointalk fail when forum was down for several days. Doubt they will enable them ever again: http://iamajin.blogspot.com/2014/11/when-gifs-serve-javascript.html (http://iamajin.blogspot.com/2014/11/when-gifs-serve-javascript.html) That risk could have been eliminated by converting every uploaded image to TIFF (say) and then to PNG. Or to PNG then to GIF. This simple solution would also have the advantage of disallowing those irritating animated avatars. EDIT: or just prohibit GIF images, why not? You haven't looked at it carefully, PNGs & JPEGs & BMPs are also affected. Not sure about TIFF. I have read more carefully now. The hack seems to be entirely dependent on the HTML page using a <script...></script> tag with the image file named as the script source. Why would the forum pages do that? If the avatar image is used only inside <img ...></img> tags, any javascript embedded in the file will never be executed. Isn't it so? The risk described there seems to be a malicious site using that trick to send javascript to the browser without using a file with ".js" extension. In that case, an investigator who is watching the files being fetched, looking for javascript code, may fail to recognize that one. In any case, image converters like ImageMagick will ignore any javascript in the hacked header (or will choke on it), and convert the pixels to a different bit encoding; so that a doubly-converted image will be safe. Title: Re: Reused R values again Post by: MichaelBliss on December 26, 2014, 05:02:07 PM I have read more carefully now. The hack seems to be entirely dependent on the HTML page using a <script...></script> tag with the image file named as the script source. Why would the forum pages do that? If the avatar image is used only inside <img ...></img> tags, any javascript embedded in the file will never be executed. Isn't it so? The risk described there seems to be a malicious site using that trick to send javascript to the browser without using a file with ".js" extension. In that case, an investigator who is watching the files being fetched, looking for javascript code, may fail to recognize that one. In any case, image converters like ImageMagick will ignore any javascript in the hacked header (or will choke on it), and convert the pixels to a different bit encoding; so that a doubly-converted image will be safe. I believe massive amounts of blood and treasure are being spent daily on creating the new forum software. This has been going on for quite some time and I have no idea what their ETA is, but presumably, we'll have the ability to change our avatars when the new software is implemented. Title: Re: Reused R values again Post by: Remember remember the 5th of November on December 26, 2014, 05:55:22 PM I've been reading about the new forum software for many years now. For the amount of money theymos has received, he should've whipped it up 50 times by now, and also hired a team to help.
Title: Re: Reused R values again Post by: redsn0w on December 26, 2014, 06:56:41 PM I've been reading about the new forum software for many years now. For the amount of money theymos has received, he should've whipped it up 50 times by now, and also hired a team to help. I think the new forum software will be very .. very awesome , so maybe it will take some more time to finish it. Title: Re: Avatar gripes [OT divergence split from tech board thread] Post by: marcotheminer on December 26, 2014, 07:43:35 PM I've been reading about the new forum software for many years now. For the amount of money theymos has received, he should've whipped it up 50 times by now, and also hired a team to help. Which is the basis for all the allegations against him (him laundering btc right back to him). It would be so easy for theymos to disprove these theories and 'prove' the usage of the forum's funds, much like cloud mining sites in order to show if they are legit. Yet.. Oh well. Title: Re: Avatar gripes [OT divergence split from tech board thread] Post by: mprep on December 26, 2014, 09:36:02 PM I've been reading about the new forum software for many years now. For the amount of money theymos has received, he should've whipped it up 50 times by now, and also hired a team to help. Which is the basis for all the allegations against him (him laundering btc right back to him). It would be so easy for theymos to disprove these theories and 'prove' the usage of the forum's funds, much like cloud mining sites in order to show if they are legit. Yet.. Oh well. |