
Topic: Avatar gripes [OT divergence split from tech board thread] (Read 748 times)

global moderator
Activity: 3766
Merit: 2610
In a world of peaches, don't ask for apple sauce
I've been reading about the new forum software for many years now. For the amount of money theymos has received, he should've whipped it up 50 times by now, and also hired a team to help.

Which is the basis for all the allegations against him (him laundering btc right back to him).

It would be so easy for theymos to disprove these theories and 'prove' the usage of the forum's funds, much like cloud mining sites in order to show if they are legit.

Yet..

Oh well.
For me at least, it seems that there is something getting done regarding the new forum software. See: https://bitcointalksearch.org/topic/public-github-repo-of-the-new-forum-software-development-749802
legendary
Activity: 2072
Merit: 1049
┴puoʎǝq ʞool┴
I've been reading about the new forum software for many years now. For the amount of money theymos has received, he should've whipped it up 50 times by now, and also hired a team to help.

Which is the basis for all the allegations against him (him laundering btc right back to him).

It would be so easy for theymos to disprove these theories and 'prove' the usage of the forum's funds, much like cloud mining sites in order to show if they are legit.

Yet..

Oh well.
legendary
Activity: 1778
Merit: 1042
#Free market
I've been reading about the new forum software for many years now. For the amount of money theymos has received, he should've whipped it up 50 times by now, and also hired a team to help.

I think the new forum software will be very... very awesome, so maybe it will take some more time to finish it.
legendary
Activity: 1862
Merit: 1011
Reverse engineer from time to time
I've been reading about the new forum software for many years now. For the amount of money theymos has received, he should've whipped it up 50 times by now, and also hired a team to help.
hero member
Activity: 526
Merit: 500
I have read more carefully now. The hack seems to be entirely dependent on the HTML page using a <script> tag with the image file named as the script source. Why would the forum pages do that? If the avatar image is used only inside <img> tags, any javascript embedded in the file will never be executed. Isn't it so?

The risk described there seems to be a malicious site using that trick to send javascript to the browser without using a file with ".js" extension.  In that case, an investigator who is watching the files being fetched, looking for javascript code, may fail to recognize that one.

In any case, image converters like ImageMagick will ignore any javascript in the hacked header  (or will choke on it), and convert the pixels to a different bit encoding; so that a doubly-converted image will be safe.

I believe massive amounts of blood and treasure are being spent daily on creating the new forum software.   This has been going on for quite some time and I have no idea what their ETA is, but presumably, we'll have the ability to change our avatars when the new software is implemented.
hero member
Activity: 910
Merit: 1003
Avatars are a big security concern, one of the reasons for the last big bitcointalk fail when the forum was down for several days. Doubt they will enable them ever again:
http://iamajin.blogspot.com/2014/11/when-gifs-serve-javascript.html

That risk could have been eliminated by converting every uploaded image to TIFF (say) and then to PNG.  Or to PNG then to GIF.  This simple solution would also have the advantage of disallowing those irritating animated avatars.

EDIT: or just prohibit GIF images, why not?

You haven't looked at it carefully, PNGs & JPEGs & BMPs are also affected. Not sure about TIFF.

I have read more carefully now. The hack seems to be entirely dependent on the HTML page using a <script> tag with the image file named as the script source. Why would the forum pages do that? If the avatar image is used only inside <img> tags, any javascript embedded in the file will never be executed. Isn't it so?

The risk described there seems to be a malicious site using that trick to send javascript to the browser without using a file with ".js" extension.  In that case, an investigator who is watching the files being fetched, looking for javascript code, may fail to recognize that one.

In any case, image converters like ImageMagick will ignore any javascript in the hacked header  (or will choke on it), and convert the pixels to a different bit encoding; so that a doubly-converted image will be safe.
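
An added example (not from the thread, the linked blog post or the forum's code) of the re-encoding idea in the post above: the upload is parsed, only the header and pixel data are kept, and a fresh file is written, so text chunks and trailing bytes do not survive. It stays within PNG and uses only the Python standard library instead of ImageMagick; `MAX_SIDE`, the function names and the sample bytes are assumptions made for the illustration.

```python
import struct
import zlib
SIG = b"\x89PNG\r\n\x1a\n"
CHANNELS = {0: 1, 2: 3, 4: 2, 6: 4}  # colour type -> samples per pixel (8-bit only)
MAX_SIDE = 512                        # assumed avatar size limit

def make_chunk(ctype, data):
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", zlib.crc32(ctype + data))

def chunks(png):  # yields (type, data) up to IEND; bytes after IEND are never read
    if not png.startswith(SIG):
        raise ValueError("not a PNG")
    pos = len(SIG)
    while pos + 12 <= len(png):
        end = pos + 12 + struct.unpack(">I", png[pos:pos + 4])[0]
        ctype, data, crc = png[pos + 4:pos + 8], png[pos + 8:end - 4], png[end - 4:end]
        if end > len(png) or crc != struct.pack(">I", zlib.crc32(ctype + data)):
            raise ValueError("truncated chunk or bad CRC")
        yield ctype, data
        if ctype == b"IEND":
            return
        pos = end
    raise ValueError("missing IEND")

def decode(png):  # returns (IHDR, raw scanlines); fails closed on anything unexpected
    parts = list(chunks(png))
    ihdr = parts[0][1]
    if parts[0][0] != b"IHDR" or len(ihdr) != 13:
        raise ValueError("missing IHDR")
    width, height, depth, ctype, comp, filt, lace = struct.unpack(">IIBBBBB", ihdr)
    if (depth != 8 or ctype not in CHANNELS or (comp, filt, lace) != (0, 0, 0)
            or not 0 < width <= MAX_SIDE or not 0 < height <= MAX_SIDE):
        raise ValueError("unsupported PNG variant or size")
    expected = height * (1 + width * CHANNELS[ctype])
    idat = b"".join(d for t, d in parts if t == b"IDAT")
    raw = zlib.decompressobj().decompress(idat, expected + 1)  # bounded inflate
    if len(raw) != expected:
        raise ValueError("pixel data does not match header")
    return ihdr, raw

def reencode(png):  # rebuild the file from the header and pixel data only
    ihdr, raw = decode(png)
    return SIG + make_chunk(b"IHDR", ihdr) + make_chunk(b"IDAT", zlib.compress(raw)) + make_chunk(b"IEND", b"")

# Constructed 2x2 RGB sample with a text chunk and trailing bytes as stand-ins for non-pixel data.
MARKER = b"NOT-PIXEL-DATA"
RAW_ROWS = b"".join(b"\x00" + bytes([r, 0, 255 - r] * 2) for r in (10, 200))
SAMPLE = (SIG + make_chunk(b"IHDR", struct.pack(">IIBBBBB", 2, 2, 8, 2, 0, 0, 0)) + make_chunk(b"tEXt", b"Comment\x00" + MARKER)
          + make_chunk(b"IDAT", zlib.compress(RAW_ROWS)) + make_chunk(b"IEND", b"") + MARKER)
```

Scanline bytes are copied through unchanged here, so this only drops non-pixel chunks and trailing data; converting through a different pixel encoding, as the post suggests, needs an image library.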
legendary
Activity: 1974
Merit: 1075
^ Will code for Bitcoins
Avatars are a big security concern, one of the reasons for the last big bitcointalk fail when the forum was down for several days. Doubt they will enable them ever again:
http://iamajin.blogspot.com/2014/11/when-gifs-serve-javascript.html

That risk could have been eliminated by converting every uploaded image to TIFF (say) and then to PNG.  Or to PNG then to GIF.  This simple solution would also have the advantage of disallowing those irritating animated avatars.

EDIT: or just prohibit GIF images, why not?

You haven't looked at it carefully, PNGs & JPEGs & BMPs are also affected. Not sure about TIFF.
hero member
Activity: 910
Merit: 1003
Avatars are a big security concern, one of the reasons for the last big bitcointalk fail when the forum was down for several days. Doubt they will enable them ever again:
http://iamajin.blogspot.com/2014/11/when-gifs-serve-javascript.html

That risk could have been eliminated by converting every uploaded image to TIFF (say) and then to PNG.  Or to PNG then to GIF.  This simple solution would also have the advantage of disallowing those irritating animated avatars.

EDIT: or just prohibit GIF images, why not?

legendary
Activity: 1974
Merit: 1075
^ Will code for Bitcoins
PS: When will I be allowed to use an avatar so that I can stop posting this image?
Probably never. At least for now they haven't yet announced that they will allow avatars in future.

Avatars are a big security concern, one of the reasons for the last big bitcointalk fail when the forum was down for several days. Doubt they will enable them ever again:
http://iamajin.blogspot.com/2014/11/when-gifs-serve-javascript.html
hero member
Activity: 935
Merit: 1002
PS: When will I be allowed to use an avatar so that I can stop posting this image?
Probably never. At least for now they haven't yet announced that they will allow avatars in future.