Bitcoin Forum
Author Topic: Avatar gripes [OT divergence split from tech board thread]  (Read 749 times)
yakuza699 (OP)
Hero Member
December 26, 2014, 10:01:31 AM
Last edit: December 26, 2014, 06:21:37 PM by gmaxwell
 #1

PS: When will I be allowed to use an avatar so that I can stop posting this image?
Probably never. At least for now they haven't yet announced that they will allow avatars in the future.

itod
Legendary
^ Will code for Bitcoins
December 26, 2014, 10:22:23 AM
 #2

PS: When will I be allowed to use an avatar so that I can stop posting this image?
Probably never. At least for now they haven't yet announced that they will allow avatars in the future.

Avatars are a big security concern, one of the reasons for the last big bitcointalk fail when the forum was down for several days. Doubt they will enable them ever again:
http://iamajin.blogspot.com/2014/11/when-gifs-serve-javascript.html
JorgeStolfi
Hero Member
December 26, 2014, 12:33:18 PM
 #3

Avatars are a big security concern, one of the reasons for the last big bitcointalk fail when the forum was down for several days. Doubt they will enable them ever again:
http://iamajin.blogspot.com/2014/11/when-gifs-serve-javascript.html

That risk could have been eliminated by converting every uploaded image to TIFF (say) and then to PNG.  Or to PNG then to GIF.  This simple solution would also have the advantage of disallowing those irritating animated avatars.

EDIT: or just prohibit GIF images, why not?


Academic interest in bitcoin only. Not owner, not trader, very skeptical of its longterm success.
itod
Legendary
^ Will code for Bitcoins
December 26, 2014, 12:49:27 PM
 #4

Avatars are a big security concern, one of the reasons for the last big bitcointalk fail when the forum was down for several days. Doubt they will enable them ever again:
http://iamajin.blogspot.com/2014/11/when-gifs-serve-javascript.html

That risk could have been eliminated by converting every uploaded image to TIFF (say) and then to PNG.  Or to PNG then to GIF.  This simple solution would also have the advantage of disallowing those irritating animated avatars.

EDIT: or just prohibit GIF images, why not?

You haven't looked at it carefully, PNGs & JPEGs & BMPs are also affected. Not sure about TIFF.
JorgeStolfi
Hero Member
December 26, 2014, 04:51:51 PM
 #5

Avatars are a big security concern, one of the reasons for the last big bitcointalk fail when the forum was down for several days. Doubt they will enable them ever again:
http://iamajin.blogspot.com/2014/11/when-gifs-serve-javascript.html

That risk could have been eliminated by converting every uploaded image to TIFF (say) and then to PNG.  Or to PNG then to GIF.  This simple solution would also have the advantage of disallowing those irritating animated avatars.

EDIT: or just prohibit GIF images, why not?

You haven't looked at it carefully, PNGs & JPEGs & BMPs are also affected. Not sure about TIFF.

I have read more carefully now.  The hack seems to be entirely dependent on the HTML page using a <script...></script> tag with the image file named as the script source.  Why would the forum pages do that?  If the avatar image is used only inside <img ...></img> tags, any javascript embedded in the file will never be executed.  Isn't it so?

The risk described there seems to be a malicious site using that trick to send javascript to the browser without using a file with ".js" extension.  In that case, an investigator who is watching the files being fetched, looking for javascript code, may fail to recognize that one.

In any case, image converters like ImageMagick will ignore any javascript in the hacked header (or will choke on it), and convert the pixels to a different bit encoding; so that a doubly-converted image will be safe.

Academic interest in bitcoin only. Not owner, not trader, very skeptical of its longterm success.
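The mechanism argued over in posts #2, #4 and #5 can be shown end to end with a small self-contained script. This is an added example, not code from the thread, from the forum software, or from the linked blog post; it uses BMP rather than GIF (itod says BMPs are affected too, and a 24-bit BMP can be decoded and re-written in pure Python with no image library). The payload `alert(1)`, the 2x2 pixel values and the helper names are all constructed for the demo. The polyglot works the way the linked post describes for GIF: the magic bytes (`BM`) read as a JavaScript identifier, the next two header bytes are chosen to be `/*` so the binary body becomes a block comment, and the real script is appended after the pixel array where any image decoder ignores it. `reencode()` then does what JorgeStolfi proposes: decode to pixels and write a fresh file, which regenerates the header and drops the trailer.

```python
import struct

# Added example; not code from the thread, the forum or the linked blog.
# All inputs below are constructed for illustration.

BMP_FILE_HEADER = 14
BITMAPINFOHEADER = 40


def encode_bmp(width, height, rows, size_field=None, trailer=b""):
    """Serialise a 24-bit uncompressed BMP.

    rows: top row first, each a flat list of B,G,R byte values.
    size_field and trailer exist only so the demo can build the polyglot;
    a clean encoder never overrides bfSize or appends bytes after the pixels.
    """
    row_bytes = width * 3
    pad = (4 - row_bytes % 4) % 4            # rows are padded to 4 bytes
    # A BMP with positive height is stored bottom-up.
    pixel_array = b"".join(bytes(r) + b"\x00" * pad for r in reversed(rows))
    offset = BMP_FILE_HEADER + BITMAPINFOHEADER
    size = offset + len(pixel_array)
    file_header = b"BM" + struct.pack(
        "<IHHI", size if size_field is None else size_field, 0, 0, offset)
    dib = struct.pack(
        "<IiiHHIIiiII",
        BITMAPINFOHEADER, width, height, 1, 24, 0, len(pixel_array),
        2835, 2835, 0, 0)                    # 2835 px/m = 72 dpi
    return file_header + dib + pixel_array + trailer


def decode_bmp(data):
    """Parse a 24-bit uncompressed BMP -> (width, height, rows, trailing_bytes).

    This parser trusts bfOffBits and the DIB header and ignores bfSize, which
    is what lets the polyglot's abused size field pass unnoticed.  Bytes after
    the pixel array are returned so a caller can flag them.
    """
    if data[:2] != b"BM":
        raise ValueError("not a BMP")
    offset = struct.unpack_from("<I", data, 10)[0]
    hdr_size, width, height, _planes, bpp, compression = struct.unpack_from(
        "<IiiHHI", data, 14)
    if hdr_size < BITMAPINFOHEADER or bpp != 24 or compression != 0:
        raise ValueError("only uncompressed 24-bit BMP is handled here")
    stride = (width * 3 + 3) & ~3
    rows = []
    for y in range(abs(height)):
        start = offset + y * stride
        rows.append(list(data[start:start + width * 3]))
    if height > 0:
        rows.reverse()                       # bottom-up file order -> top row first
    end = offset + stride * abs(height)
    return width, abs(height), rows, data[end:]


def reencode(data):
    """The 'double conversion' defence: pixels in, a fresh file out.
    Headers are regenerated from the pixel data and any trailer is dropped."""
    width, height, rows, _ = decode_bmp(data)
    return encode_bmp(width, height, rows)


JS_TAIL = b"*/=1;alert(1)"   # closes the comment; what is left is BM=1;alert(1)


def make_polyglot():
    """Build a file that is both a valid 2x2 BMP and valid JavaScript."""
    rows = [[0, 0, 255, 0, 255, 0], [255, 0, 0, 255, 255, 255]]   # constructed
    # bfSize bytes 2..5 become "/*\0\0": a JS engine sees the identifier BM
    # followed by a block comment that swallows the binary headers and pixels.
    size_field = struct.unpack("<I", b"/*\x00\x00")[0]
    data = encode_bmp(2, 2, rows, size_field=size_field, trailer=JS_TAIL)
    # The trick only works if nothing inside the comment closes it early.
    assert b"*/" not in data[4:-len(JS_TAIL)]
    return data


def as_javascript(data):
    """What a JS engine would see: the file with its first /* ... */ removed."""
    start = data.index(b"/*")
    end = data.index(b"*/", start + 2) + 2
    return (data[:start] + data[end:]).decode("latin-1")


if __name__ == "__main__":
    p = make_polyglot()
    print("polyglot as JS :", as_javascript(p))
    print("trailing bytes :", decode_bmp(p)[3])
    c = reencode(p)
    print("after reencode :", decode_bmp(c)[3], "| '/*' present:", b"/*" in c)
```

Running a real upload through ImageMagick (as the thread suggests) achieves the same result, with two caveats a practitioner should keep in mind: the converter must actually decode to pixels and write a new container, not copy ancillary chunks or comment blocks across, and the file is only ever dangerous if some page loads it with `<script src=...>`; served from an `<img>` tag it is just pixels. Serving avatars with an image Content-Type and `X-Content-Type-Options: nosniff` additionally makes browsers refuse to execute the file as a script even when a third-party page tries.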
MichaelBliss
Hero Member
December 26, 2014, 05:02:07 PM
 #6

I have read more carefully now.  The hack seems to be entirely dependent on the HTML page using a <script...></script> tag with the image file named as the script source.  Why would the forum pages do that?  If the avatar image is used only inside <img ...></img> tags, any javascript embedded in the file will never be executed.  Isn't it so?

The risk described there seems to be a malicious site using that trick to send javascript to the browser without using a file with ".js" extension.  In that case, an investigator who is watching the files being fetched, looking for javascript code, may fail to recognize that one.

In any case, image converters like ImageMagick will ignore any javascript in the hacked header (or will choke on it), and convert the pixels to a different bit encoding; so that a doubly-converted image will be safe.

I believe massive amounts of blood and treasure are being spent daily on creating the new forum software.   This has been going on for quite some time and I have no idea what their ETA is, but presumably, we'll have the ability to change our avatars when the new software is implemented.
Remember remember the 5th of November
Legendary
Reverse engineer from time to time
December 26, 2014, 05:55:22 PM
 #7

I've been reading about the new forum software for many years now. For the amount of money theymos has received, he should've whipped it up 50 times by now, and also hired a team to help.

BTC:1AiCRMxgf1ptVQwx6hDuKMu4f7F27QmJC2
redsn0w
Legendary
#Free market
December 26, 2014, 06:56:41 PM
 #8

I've been reading about the new forum software for many years now. For the amount of money theymos has received, he should've whipped it up 50 times by now, and also hired a team to help.

I think the new forum software will be very, very awesome, so maybe it will take some more time to finish it.
marcotheminer
Legendary
┴puoʎǝq ʞool┴
December 26, 2014, 07:43:35 PM
 #9

I've been reading about the new forum software for many years now. For the amount of money theymos has received, he should've whipped it up 50 times by now, and also hired a team to help.

Which is the basis for all the allegations against him (him laundering btc right back to him).

It would be so easy for theymos to disprove these theories and 'prove' the usage of the forum's funds, much like cloud mining sites in order to show if they are legit.

Yet..

Oh well.
mprep
Global Moderator
Legendary
In a world of peaches, don't ask for apple sauce
December 26, 2014, 09:36:02 PM
 #10

I've been reading about the new forum software for many years now. For the amount of money theymos has received, he should've whipped it up 50 times by now, and also hired a team to help.

Which is the basis for all the allegations against him (him laundering btc right back to him).

It would be so easy for theymos to disprove these theories and 'prove' the usage of the forum's funds, much like cloud mining sites in order to show if they are legit.

Yet..

Oh well.
For me at least, it seems that there is something getting done regarding the new forum software. See: https://bitcointalk.org/index.php?topic=749802.0
