All times are UTC - 7 hours





Post subject: Security issue
Posted: Fri Aug 03, 2018 1:23 pm

Joined: Fri Aug 03, 2018 1:20 pm
Posts: 6
Wait


Last edited by teppIes on Fri Aug 03, 2018 11:43 pm, edited 2 times in total.

Post subject: Re: Security issue
Posted: Fri Aug 03, 2018 1:38 pm

Joined: Thu May 31, 2018 11:12 am
Posts: 153
Location: Bristol, England
Also lidnariq (that was me)


Post subject: Re: Security issue
Posted: Fri Aug 03, 2018 1:44 pm

Joined: Sat Apr 25, 2015 1:47 pm
Posts: 423
Location: FL
Image

I have a hard time believing that this would actually fool anybody.


Post subject: Re: Security issue
Posted: Fri Aug 03, 2018 1:50 pm

Joined: Thu May 31, 2018 11:12 am
Posts: 153
Location: Bristol, England
You have a different font to me :D


Attachments:
Screenshot_20180803-214924.jpg [ 96.8 KiB | Viewed 1049 times ]

Post subject: Re: Security issue
Posted: Fri Aug 03, 2018 1:59 pm

Joined: Sat Apr 25, 2015 1:47 pm
Posts: 423
Location: FL
Even so, I can't see an account with a single-digit post count and a 2018 registration date somehow successfully impersonating one of the site admins (or lidnariq, who registered a decade ago and has over 7,000 posts) long enough to actually accomplish anything.


Post subject: Re: Security issue
Posted: Fri Aug 03, 2018 2:06 pm

Joined: Thu May 31, 2018 11:12 am
Posts: 153
Location: Bristol, England
I would think that no one really looks at the stats. I'd expect most people just glance at the profile picture.


Post subject: Re: Security issue
Posted: Fri Aug 03, 2018 2:10 pm

Joined: Sun Jan 22, 2012 12:03 pm
Posts: 6899
Location: Canada
You don't need special rules for l vs I; there are a lot of ways to impersonate someone's account name. Mods can just ban people for doing that; this is not a security issue.


Post subject: Re: Security issue
Posted: Fri Aug 03, 2018 2:52 pm

Joined: Fri Nov 19, 2004 7:35 pm
Posts: 4093
Font is set to "Lucida Grande", Verdana, Helvetica, Arial, sans-serif;
So if you actually have Lucida Grande, or don't have Verdana, you get a capless I.

Meanwhile, the Post font is set to "Lucida Grande", "Trebuchet MS", Helvetica, Arial, sans-serif;
Trebuchet MS has the distinctive slanted M character, and a capless I.

_________________
Here come the fortune cookies! Here come the fortune cookies! They're wearing paper hats!


Post subject: Re: Security issue
Posted: Fri Aug 03, 2018 11:37 pm

Joined: Thu May 31, 2018 11:12 am
Posts: 153
Location: Bristol, England
It's still an issue. Can I get permission from a user with a (lowercase) L in their username and a moderator to see how many people I can fool by doing this and see if it needs to be changed? I have one but it would work better to use someone else's.


Post subject: Re: Security issue
Posted: Fri Aug 03, 2018 11:43 pm

Joined: Fri Aug 03, 2018 1:20 pm
Posts: 6
What about this?
Hello. I seem to have lost my admin rights as my name isn't red anymore. Please can they be restored? Thank you

(deletes all forum posts and replaces them with spam)


Post subject: Re: Security issue
Posted: Fri Aug 03, 2018 11:57 pm

Joined: Sun Jan 22, 2012 12:03 pm
Posts: 6899
Location: Canada
orlaisadog wrote:
It's still an issue. Can I get permission from a user with a (lowercase) L in their username and a moderator to see how many people I can fool by doing this and see if it needs to be changed? I have one but it would work better to use someone else's.

Why do you think this is an experiment that needs to be undertaken? What do you think we need to know about this that we don't already?


Post subject: Re: Security issue
Posted: Sat Aug 04, 2018 12:23 am

Joined: Sat Apr 25, 2015 1:47 pm
Posts: 423
Location: FL
teppIes wrote:
What about this?
Hello. I seem to have lost my admin rights as my name isn't red anymore. Please can they be restored? Thank you

(deletes all forum posts and replaces them with spam)

Which of the two other admins on this forum do you think are stupid enough to fall for this?


Post subject: Re: Security issue
Posted: Sat Aug 04, 2018 2:13 am

Joined: Tue Jun 24, 2008 8:38 pm
Posts: 2008
Location: Fukuoka, Japan
Since we have known the admin for ages and know their writing pattern, this is not something that would happen. For a new BBS this is a different story, but for here there is not much to be concerned about.


Post subject: Re: Security issue
Posted: Sat Aug 04, 2018 5:43 am

Joined: Sun Sep 19, 2004 11:12 pm
Posts: 20685
Location: NE Indiana, USA (NTSC)
This post is cryptic, I admit. It's intended to hint to the "guilty" party that we're on to you, while the impostor account's post count is still low, without causing too much disruption otherwise.
Attachment:
File comment: All users can see join dates and post counts, and with an appropriate font, capital I isn't a homoglyph.
Firefox ESR 52 in Debian 9, with Wine (and the MS Core Fonts) installed

postcount.png [ 4.67 KiB | Viewed 936 times ]


The comment section of Explosm.net allows setting "badges" on users, and the Discord chat platform allows setting "roles" on users. Both have been used to distinguish a regular from a homoglyph impostor. The counterpart in phpBB is the "special rank", which this board mostly uses for name change notices.

Without giving too much away: We have set phpBB to store some information about where each post came from, on the basis of legitimate interest in preventing and curing abuse. There exist ways to evade the measures we have in place, but I don't think it's quite bad enough yet to have to install stylometry software to guess identity based on writing style. Stylometry probably wouldn't do a good job anyway in the face of misattribution due to mistaken quoting markup.

Now how would you think to imitate my writing style?
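
Added example (not part of any post in this thread, and not phpBB code): a registration-time check that flags a new username whose look-alike "skeleton" matches an existing account, covering the capital I / lowercase l pair discussed above. The confusables table, the function names and the sample usernames are assumptions constructed for illustration.

```python
import unicodedata

# Small illustrative subset of look-alike characters, each mapped to one
# representative. This table is an assumption of the example; a production
# check would use the full Unicode confusables data (UTS #39).
CONFUSABLES = {
    "I": "l",        # capital I vs lowercase L, the pair in this thread
    "1": "l",
    "|": "l",
    "0": "o",
    "O": "o",
    "\u0430": "a",   # Cyrillic a
    "\u0435": "e",   # Cyrillic e
    "\u043e": "o",   # Cyrillic o
    "\u0440": "p",   # Cyrillic er
    "\u0441": "c",   # Cyrillic es
}


def skeleton(name: str) -> str:
    """Reduce a username to a form in which look-alikes compare equal."""
    # NFKC folds compatibility forms such as fullwidth letters.
    folded = unicodedata.normalize("NFKC", name)
    # Map confusables before case folding: "I" must become "l", not "i".
    mapped = "".join(CONFUSABLES.get(ch, ch) for ch in folded)
    return mapped.casefold()


def find_collisions(candidate: str, existing: list[str]) -> list[str]:
    """Return existing usernames that the candidate could be mistaken for."""
    target = skeleton(candidate)
    return [
        name for name in existing
        if name != candidate and skeleton(name) == target
    ]


if __name__ == "__main__":
    # Constructed sample user list, not taken from any real user table.
    users = ["tepples", "lidnariq", "Revenant", "orlaisadog"]
    for new_name in ["teppIes", "Iidnariq", "Revenant2"]:
        hits = find_collisions(new_name, users)
        print(new_name, "->", hits if hits else "no look-alike found")
```

A hit is a reason to hold the registration for moderator review rather than proof of impersonation, since the font stack decides whether two names actually render alike.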


Post subject: Re: Security issue
Posted: Sat Aug 04, 2018 11:59 am

Joined: Fri Aug 03, 2018 1:20 pm
Posts: 6
Revenant wrote:
teppIes wrote:
What about this?
Hello. I seem to have lost my admin rights as my name isn't red anymore. Please can they be restored? Thank you

(deletes all forum posts and replaces them with spam)

Which of the two other admins on this forum do you think are stupid enough to fall for this?

I'm not saying anyone is stupid. I would fall for this.

