Caltrops Authentication Seal

Tdarcos
Posts: 9529
Joined: Fri May 16, 2008 9:25 am
Location: Arlington, Virginia

Caltrops Authentication Seal

Post by Tdarcos »

Discussing the new feature I just developed so that I was able to make my messages on Caltrops, when they contain my image reference, I thought it was a brilliant hack.

Originally I wanted to return an SVG image. Those are easy to do and the image is a text file, so it's not hard. While this worked when typed in as a URL, it failed in an IMG tag.

So I had it do a regular image file, and it creates an on-the-fly JPEG as a one-time image. The only thing I was worried about was browser caching, in which if there was one reference it might not go back and retrieve the image again, but apparently either it's not checking, there's no "last saved" value, or it is able to notice the image is not the same as the last one.

At first, I just had it "write" an image with a random number in a box, it was not really intended as an authentication. Then I looked at how Caltrops would send a browser request for the image, and, as it turns out, it was okay for the time being until people started impersonating me again.

Not that I care that much, but I thought it would be a fun exercise to see if I could find a way to allow me to distinguish uses of it between mine and impostors. And it was basically using the same method the telephone company uses to set off an alarm when someone tries to rob a pay phone, vs. being able to tell when a collector comes to empty the coin box legitimately.

Jonsey immediately recognized what I'm doing. Other people looked at the reference and said you could do cache poisoning and dns attacks because I'm not using HTTPS to retrieve the image (I'm too cheap to spend another $20 a year to get an SSL certificate for a non-revenue producing site). But all I'm doing is reading the HTTP_REFERRER to get the &pid= of the posting, then doing a database lookup to see if it's in there. Nothing earth shaking, just a simple proof of concept to see if it could be done.

Oh by the way, Pinback, if you really did forge one of my messages, it just showed that you had enough common sense to write something reasonable, literate and normal, as opposed to the typical three-year-old writing level of too many of Caltrops' inmates.

I just thought of it as a way to do a fun hack and to thumb my nose at the people over there, but nothing serious.

And in total programming time it was probably 2 sessions of 4-5 hours over 8-10 months, most of the time being in the second session to line up the text fields because each color change requires a different write to image statement.

Also, it now shows something different on a right-click and view image in Firefox.

But it definitely was fun to do.

"I'm Tansin A. Darcos and I ... what the fuck do I need a Freshness seal for? I log in here!"
"Baby, I was afraid before
I'm not afraid, any more."
- Belinda Carlisle, Heaven Is A Place On Earth
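The mechanism the post describes (the image server reads the Referer header, pulls the pid out of it, and looks the pid up in a table of the author's registered posts) is small enough to write out in full. The following is an added example, not Tdarcos's code; the registered-pid table, the function names and the SVG rendering are assumptions made for the example. It uses the SVG form the post says was tried first, and includes the no-store caching header that addresses the browser-caching worry raised in the post.

```python
"""Referer-keyed "authenticity seal" image check, written as an added example.

Flow, as described in the post:
  1. The browser requests the seal image while viewing a post page.
  2. The image server reads the Referer header of that request.
  3. It extracts the pid query parameter from the referring URL.
  4. It looks the pid up in a table of posts the author registered.
  5. It renders an image that shows the result.

Caveat for anyone reusing the idea: the pid comes from the client's own
Referer header, so the seal only confirms that the referring page's pid is
in the registration table. It is a consistency check, not proof of who
wrote the post, and a mistakenly registered pid (the case discussed later
in the thread) is reported as genuine.
"""
from urllib.parse import urlparse, parse_qs

# Constructed sample data: post ids the author has registered as his own.
# In the real system this would be the database lookup the post mentions.
REGISTERED_PIDS = {"1001", "1002", "1003"}


def pid_from_referer(referer):
    """Return the pid query parameter of the referring page, or None.

    None is returned when the header is absent, has no pid, or the pid is
    not a plain integer; the seal then reports "unknown" rather than
    guessing.
    """
    if not referer:
        return None
    query = parse_qs(urlparse(referer).query)
    values = query.get("pid")
    if not values or not values[0].isdigit():
        return None
    return values[0]


def verdict(referer, registered=REGISTERED_PIDS):
    """Classify a request as registered, unregistered, or unknown."""
    pid = pid_from_referer(referer)
    if pid is None:
        return "unknown"
    return "registered" if pid in registered else "unregistered"


def seal_svg(referer, registered=REGISTERED_PIDS):
    """Render the verdict as a small one-time SVG seal (text, not JPEG)."""
    result = verdict(referer, registered)
    colour = {"registered": "green", "unregistered": "red", "unknown": "grey"}[result]
    return (
        '<svg xmlns="http://www.w3.org/2000/svg" width="160" height="40">'
        f'<rect width="160" height="40" fill="{colour}"/>'
        f'<text x="8" y="25" fill="white" font-family="sans-serif">{result}</text>'
        '</svg>'
    )


def response_headers():
    """Headers for a one-time image: tell the browser not to cache it, so
    each page view refetches the seal instead of reusing an old verdict."""
    return [
        ("Content-Type", "image/svg+xml"),
        ("Cache-Control", "no-store, max-age=0"),
    ]


if __name__ == "__main__":
    # Constructed sample requests: one referring page per outcome.
    for ref in (
        "http://forum.invalid/viewtopic.php?t=7&pid=1002",   # registered
        "http://forum.invalid/viewtopic.php?t=7&pid=9999",   # unregistered
        None,                                                # no Referer
    ):
        print(ref, "->", verdict(ref))
```

Dropping this into a WSGI or CGI handler means reading the Referer from the request environment (`HTTP_REFERER` in CGI terms, the `HTTP_REFERRER` spelling in the post is the common misspelling of that variable), passing it to `seal_svg`, and sending the body with `response_headers()`. The JPEG variant the post settled on differs only in the rendering step.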

pinback
Posts: 17849
Joined: Sat Apr 27, 2002 3:00 pm

Re: Caltrops Authentication Seal

Post by pinback »

Tdarcos wrote: Oh by the way, Pinback, if you really did forge one of my messages, it just showed that you had enough common sense to write something reasonable, literate and normal, as opposed to the typical three-year-old writing level of too many of Caltrops' inmates.
No, what it showed is that you are the only person in the entire galaxy who cannot tell which of your posts are actually yours.

To the rest of you, this was the best part: To show off how great his new anti-forgery system is, he went back and "certified" one of his old messages that he himself absolutely, definitely wrote.

Except it was one of MY posts. Which everyone reading it could tell immediately by the style and the content of the message.

Well, almost everyone.

Paul, the system you developed is great, but the only one to whom it is any use is you.
Am I a hero? I really can't say. But, yes.

Tdarcos
Posts: 9529
Joined: Fri May 16, 2008 9:25 am
Location: Arlington, Virginia

Re: Caltrops Authentication Seal

Post by Tdarcos »

pinback wrote:
Tdarcos wrote: Oh by the way, Pinback, if you really did forge one of my messages, it just showed that you had enough common sense to write something reasonable, literate and normal, as opposed to the typical three-year-old writing level of too many of Caltrops' inmates.
No, what it showed is that you are the only person in the entire galaxy who cannot tell which of your posts are actually yours.
You really think that? If someone parodied your style that you would recognize any message from more than a year ago that someone else wrote?
To the rest of you, this was the best part: To show off how great his new anti-forgery system is, he went back and "certified" one of his old messages that he himself absolutely, definitely wrote.
No, only you would take it that seriously. It was simply an attempt to try to recognize what I thought were my old messages, based on them making sense and not being stupid. It isn't absolutely foolproof and I was aware of that.
Except it was one of MY posts. Which everyone reading it could tell immediately by the style and the content of the message.
Okay, let me learn something. Since you probably won't tell me which one it was, give me an idea of the sort of things I should have looked for. I'd like an objective criterion to understand how I should have known. Otherwise I'll go back to the older ones and change their message if I can't figure it out.
Paul, the system you developed is great, but the only one to whom it is any use is you.
And? So what? The whole idea is to single out posts from me from impersonators because I thought it would be fun to do. The only person it has any use for is me.
"Baby, I was afraid before
I'm not afraid, any more."
- Belinda Carlisle, Heaven Is A Place On Earth

pinback
Posts: 17849
Joined: Sat Apr 27, 2002 3:00 pm

Re: Caltrops Authentication Seal

Post by pinback »

Tdarcos wrote:
pinback wrote:
Tdarcos wrote: Oh by the way, Pinback, if you really did forge one of my messages, it just showed that you had enough common sense to write something reasonable, literate and normal, as opposed to the typical three-year-old writing level of too many of Caltrops' inmates.
No, what it showed is that you are the only person in the entire galaxy who cannot tell which of your posts are actually yours.
You really think that?
Yes. And so does everyone else.
If someone parodied your style that you would recognize any message from more than a year ago that someone else wrote?
Listen to me: Nobody would or could have ever confused my post with something you would have written. Ever. Ever ever ever.
Okay, let me learn something. Since you probably won't tell me which one it was, give me an idea of the sort of things I should have looked for. I'd like an objective criterion to understand how I should have known.
Because you would never have written that. As everyone except you knew .003 seconds after having read it.
Am I a hero? I really can't say. But, yes.

loafergirl
Posts: 688
Joined: Thu May 02, 2002 1:26 pm
Location: Rochester

Re: Caltrops Authentication Seal

Post by loafergirl »

pinback wrote:
Tdarcos wrote:
pinback wrote: No, what it showed is that you are the only person in the entire galaxy who cannot tell which of your posts are actually yours.
You really think that?
Yes. And so does everyone else.
If someone parodied your style that you would recognize any message from more than a year ago that someone else wrote?
Listen to me: Nobody would or could have ever confused my post with something you would have written. Ever. Ever ever ever.
Okay, let me learn something. Since you probably won't tell me which one it was, give me an idea of the sort of things I should have looked for. I'd like an objective criterion to understand how I should have known.
Because you would never have written that. As everyone except you knew .003 seconds after having read it.
Wow Pinners, have you been taking classes from my kids in how to argue a point?
1, 2, 5!
3 sir...
3!

pinback
Posts: 17849
Joined: Sat Apr 27, 2002 3:00 pm

Post by pinback »

Well, you tell me. Here was the fake post in question:
Subject: Also, yes I AM going to use the authenticity code in every message.

That way you will always know it is me, and not one of you other jerks just putting my name on a post and adding an image ref, which is totally impossible to do, because of how great at computers I am.
Now, tell me, between 0 and .003 seconds, how long did it take you to figure out this wasn't him?
Am I a hero? I really can't say. But, yes.

The Happiness Engine
Posts: 868
Joined: Thu Aug 02, 2012 4:16 pm

Post by The Happiness Engine »

The man has a point.

Ice Cream Jonsey
Posts: 30067
Joined: Sat Apr 27, 2002 2:44 pm
Location: Colorado

Post by Ice Cream Jonsey »

pinback wrote: Well, you tell me. Here was the fake post in question:
Subject: Also, yes I AM going to use the authenticity code in every message.

That way you will always know it is me, and not one of you other jerks just putting my name on a post and adding an image ref, which is totally impossible to do, because of how great at computers I am.
Now, tell me, between 0 and .003 seconds, how long did it take you to figure out this wasn't him?
loafergirl doesn't even know Tdarcos and yet she knew that was fake.
the dark and gritty...Ice Cream Jonsey!

Tsummary

Re: Caltrops Authentication Seal

Post by Tsummary »

Tdarcos wrote: Discussing the new feature I just developed so that I was able to make my messages on Caltrops, when they contain my image reference, I thought it was a brilliant hack.

Originally I wanted to return an SVG image. Those are easy to do and the image is a text file, so it's not hard. While this worked when typed in as a URL, it failed in an IMG tag.

So I had it do a regular image file, and it creates an on-the-fly JPEG as a one-time image. The only thing I was worried about was browser caching, in which if there was one reference it might not go back and retrieve the image again, but apparently either it's not checking, there's no "last saved" value, or it is able to notice the image is not the same as the last one.

At first, I just had it "write" an image with a random number in a box, it was not really intended as an authentication. Then I looked at how Caltrops would send a browser request for the image, and, as it turns out, it was okay for the time being until people started impersonating me again.

Not that I care that much, but I thought it would be a fun exercise to see if I could find a way to allow me to distinguish uses of it between mine and impostors. And it was basically using the same method the telephone company uses to set off an alarm when someone tries to rob a pay phone, vs. being able to tell when a collector comes to empty the coin box legitimately.

Jonsey immediately recognized what I'm doing. Other people looked at the reference and said you could do cache poisoning and dns attacks because I'm not using HTTPS to retrieve the image (I'm too cheap to spend another $20 a year to get an SSL certificate for a non-revenue producing site). But all I'm doing is reading the HTTP_REFERRER to get the &pid= of the posting, then doing a database lookup to see if it's in there. Nothing earth shaking, just a simple proof of concept to see if it could be done.

Oh by the way, Pinback, if you really did forge one of my messages, it just showed that you had enough common sense to write something reasonable, literate and normal, as opposed to the typical three-year-old writing level of too many of Caltrops' inmates.

I just thought of it as a way to do a fun hack and to thumb my nose at the people over there, but nothing serious.

And in total programming time it was probably 2 sessions of 4-5 hours over 8-10 months, most of the time being in the second session to line up the text fields because each color change requires a different write to image statement.

Also, it now shows something different on a right-click and view image in Firefox.

But it definitely was fun to do.

"I'm Tansin A. Darcos and I ... what the fuck do I need a Freshness seal for? I log in here!"
Tsummary: Tdarcos spent 10 hours over 10 months writing a system that only he understands and cares about, and it still didn't work.

Tdarcos
Posts: 9529
Joined: Fri May 16, 2008 9:25 am
Location: Arlington, Virginia

Re: Caltrops Authentication Seal

Post by Tdarcos »

pinback wrote:
Tdarcos wrote: Okay, let me learn something. Since you probably won't tell me which one it was, give me an idea of the sort of things I should have looked for. I'd like an objective criterion to understand how I should have known.
Because you would never have written that. As everyone except you knew .003 seconds after having read it.
You still haven't given any objective evidence - or any evidence at all - to prove what you're saying is true.

You're an atheist. If someone tries to claim that God is real, or exists and wanted to prove it to you, presumably you'd want evidence. Now, someone saying, "Look at the world around you, it's obvious it was created," is subjective opinion and not evidence. So is saying "The Bible is the Word of God because it says it is, and it says that God created the world," is also not evidence.

Therefore, your saying that it would be obvious to anyone, and that you say it is so, are not evidence, and as such, claims made without evidence may be rejected without consideration.

Either provide serious evidence or stop yammering about something you have no way to prove except "because I said so but I won't even say why."
"Baby, I was afraid before
I'm not afraid, any more."
- Belinda Carlisle, Heaven Is A Place On Earth

Tdarcos
Posts: 9529
Joined: Fri May 16, 2008 9:25 am
Location: Arlington, Virginia

Re: Caltrops Authentication Seal

Post by Tdarcos »

Tsummary wrote: Tsummary: Tdarcos spent 10 hours over 10 months writing a system that only he understands and cares about, and it still didn't work.
It works fine for current messages, and just because I may have mistaken an old message someone else forged does not make it a failure. Talented, professional certifiers sometimes certify forged art as authentic. Even experienced professionals make mistakes.
"Baby, I was afraid before
I'm not afraid, any more."
- Belinda Carlisle, Heaven Is A Place On Earth

Flack
Posts: 9058
Joined: Tue Nov 18, 2008 3:02 pm
Location: Oklahoma

Re: Caltrops Authentication Seal

Post by Flack »

Tdarcos wrote:
Tsummary wrote: Tsummary: Tdarcos spent 10 hours over 10 months writing a system that only he understands and cares about, and it still didn't work.
It works fine for current messages, and just because I may have mistaken an old message someone else forged does not make it a failure. Talented, professional certifiers sometimes certify forged art as authentic. Even experienced professionals make mistakes.
...which means their authentication processes don't work.
"I failed a savings throw and now I am back."

Professional certifier

Post by Professional certifier »

REAL!
