Author

Topic: Avatar gripes [OT divergence split from tech board thread] (Read 769 times)

global moderator
Activity: 3794
Merit: 2612
In a world of peaches, don't ask for apple sauce
I've been reading about the new forum software for many years now. For the amount of money theymos has received, he should've whipped it up 50 times by now, and also hired a team to help.

Which is the basis for all the allegations against him (him laundering btc right back to him).

It would be so easy for theymos to disprove these theories and 'prove' the usage of the forum's funds, much like cloud mining sites in order to show if they are legit.

Yet..

Oh well.
For me at least, it seems that there is something getting done regarding the new forum software. See: https://bitcointalksearch.org/topic/public-github-repo-of-the-new-forum-software-development-749802
legendary
Activity: 2072
Merit: 1049
┴puoʎǝq ʞool┴
I've been reading about the new forum software for many years now. For the amount of money theymos has received, he should've whipped it up 50 times by now, and also hired a team to help.

Which is the basis for all the allegations against him (him laundering btc right back to him).

It would be so easy for theymos to disprove these theories and 'prove' the usage of the forum's funds, much like cloud mining sites in order to show if they are legit.

Yet..

Oh well.
legendary
Activity: 1778
Merit: 1043
#Free market
I've been reading about the new forum software for many years now. For the amount of money theymos has received, he should've whipped it up 50 times by now, and also hired a team to help.

I think the new forum software will be very .. very awesome , so maybe it will take some more time to finish it.
legendary
Activity: 1862
Merit: 1011
Reverse engineer from time to time
I've been reading about the new forum software for many years now. For the amount of money theymos has received, he should've whipped it up 50 times by now, and also hired a team to help.
hero member
Activity: 526
Merit: 500
I have read more carefully now.  The hack seems to be entirely dependent on the HTML page using a tag with the image file named as the script source.  Why would the forum pages do that?  If the avatar image is used only inside tags, any javascript embedded in the file will never be executed.  Isn't it so?

The risk described there seems to be a malicious site using that trick to send javascript to the browser without using a file with ".js" extension.  In that case, an investigator who is watching the files being fetched, looking for javascript code, may fail to recognize that one.

In any case, image converters like ImageMagick will ignore any javascript in the hacked header  (or will choke on it), and convert the pixels to a different bit encoding; so that a doubly-converted image will be safe.

I believe massive amounts of blood and treasure are being spent daily on creating the new forum software.   This has been going on for quite some time and I have no idea what their ETA is, but presumably, we'll have the ability to change our avatars when the new software is implemented.
hero member
Activity: 910
Merit: 1003
Avatars are big security concern, one of the reasons for the last big bitcointalk fail when forum was down for several days. Doubt they will enable them ever again:
http://iamajin.blogspot.com/2014/11/when-gifs-serve-javascript.html

That risk could have been eliminated by converting every uploaded image to TIFF (say) and then to PNG.  Or to PNG then to GIF.  This simple solution would also have the advantage of disallowing those irritating animated avatars.

EDIT: or just prohibit GIF images, why not?

You haven't looked at it carefully, PNGs & JPEGs & BMPs are also affected. Not sure about TIFF.

I have read more carefully now.  The hack seems to be entirely dependent on the HTML page using a tag with the image file named as the script source.  Why would the forum pages do that?  If the avatar image is used only inside tags, any javascript embedded in the file will never be executed.  Isn't it so?

The risk described there seems to be a malicious site using that trick to send javascript to the browser without using a file with ".js" extension.  In that case, an investigator who is watching the files being fetched, looking for javascript code, may fail to recognize that one.

In any case, image converters like ImageMagick will ignore any javascript in the hacked header  (or will choke on it), and convert the pixels to a different bit encoding; so that a doubly-converted image will be safe.
legendary
Activity: 1974
Merit: 1077
^ Will code for Bitcoins
Avatars are big security concern, one of the reasons for the last big bitcointalk fail when forum was down for several days. Doubt they will enable them ever again:
http://iamajin.blogspot.com/2014/11/when-gifs-serve-javascript.html

That risk could have been eliminated by converting every uploaded image to TIFF (say) and then to PNG.  Or to PNG then to GIF.  This simple solution would also have the advantage of disallowing those irritating animated avatars.

EDIT: or just prohibit GIF images, why not?

You haven't looked at it carefully, PNGs & JPEGs & BMPs are also affected. Not sure about TIFF.
hero member
Activity: 910
Merit: 1003
Avatars are big security concern, one of the reasons for the last big bitcointalk fail when forum was down for several days. Doubt they will enable them ever again:
http://iamajin.blogspot.com/2014/11/when-gifs-serve-javascript.html

That risk could have been eliminated by converting every uploaded image to TIFF (say) and then to PNG.  Or to PNG then to GIF.  This simple solution would also have the advantage of disallowing those irritating animated avatars.

EDIT: or just prohibit GIF images, why not?

legendary
Activity: 1974
Merit: 1077
^ Will code for Bitcoins
PS: When will I be allowed to use an avatar so that I can stop posting this image?
Probably never. At least for now they haven't yet announced that they will allow avatars in future.

Avatars are big security concern, one of the reasons for the last big bitcointalk fail when forum was down for several days. Doubt they will enable them ever again:
http://iamajin.blogspot.com/2014/11/when-gifs-serve-javascript.html
hero member
Activity: 935
Merit: 1002
PS: When will I be allowed to use an avatar so that I can stop posting this image?
Probably never. At least for now they haven't yet announced that they will allow avatars in future.
Jump to: