Security issue
Moderator: Moderators
- orlaisadog
- Posts: 166
- Joined: Thu May 31, 2018 11:12 am
- Location: Bristol, England
Re: Security issue
Also lidnariq (that was me)
Re: Security issue
I have a hard time believing that this would actually fool anybody.
- orlaisadog
- Posts: 166
- Joined: Thu May 31, 2018 11:12 am
- Location: Bristol, England
Re: Security issue
Even so, I can't see an account with a single-digit post count and a 2018 registration date somehow successfully impersonating one of the site admins (or lidnariq, who registered a decade ago and has over 7,000 posts) long enough to actually accomplish anything.
- orlaisadog
- Posts: 166
- Joined: Thu May 31, 2018 11:12 am
- Location: Bristol, England
Re: Security issue
I would think that no one really looks at the stats. I'd expect most people just glance at the profile picture.
- rainwarrior
- Posts: 8734
- Joined: Sun Jan 22, 2012 12:03 pm
- Location: Canada
Re: Security issue
You don't need special rules for l vs I, there are a lot of ways to impersonate someone's account name. Mods can just ban people for doing that, this is not a security issue.
Re: Security issue
Font is set to "Lucida Grande", Verdana, Helvetica, Arial, sans-serif;
So if you actually have Lucida Grande, or don't have Verdana, you get a capless I.
Meanwhile, the Post font is set to "Lucida Grande", "Trebuchet MS", Helvetica, Arial, sans-serif;
Trebuchet MS has the distinctive slanted M character, and a capless I.
Here come the fortune cookies! Here come the fortune cookies! They're wearing paper hats!
- orlaisadog
- Posts: 166
- Joined: Thu May 31, 2018 11:12 am
- Location: Bristol, England
Re: Security issue
It's still an issue. Can I get permission from a user with a (lowercase) L in their username and a moderator to see how many people I can fool by doing this and see if it needs to be changed? I have one but it would work better to use someone else's.
Re: Security issue
What about this?
Hello. I seem to have lost my admin rights as my name isn't red anymore. Please can they be restored? Thank you
(deletes all forum posts and replaces them with spam)
- rainwarrior
- Posts: 8734
- Joined: Sun Jan 22, 2012 12:03 pm
- Location: Canada
Re: Security issue
orlaisadog wrote: It's still an issue. Can I get permission from a user with a (lowercase) L in their username and a moderator to see how many people I can fool by doing this and see if it needs to be changed? I have one but it would work better to use someone else's.
Why do you think this is an experiment that needs to be undertaken? What do you think we need to know about this that we don't already?
Re: Security issue
teppIes wrote: What about this?
Hello. I seem to have lost my admin rights as my name isn't red anymore. Please can they be restored? Thank you
(deletes all forum posts and replaces them with spam)
Which of the two other admins on this forum do you think are stupid enough to fall for this?
Re: Security issue
Since we have known the admin for ages and know their writing pattern, this is not something that would happen. For a new BBS this is a different story, but here there is not much to be concerned about.
Re: Security issue
This post is cryptic, I admit. It's intended to hint to the "guilty" party that we're on to you, while the impostor account's post count is still low, without causing too much disruption otherwise.
The comment section of Explosm.net allows setting "badges" on users, and the Discord chat platform allows setting "roles" on users. Both have been used to distinguish a regular from a homoglyph impostor. The counterpart in phpBB is the "special rank", which this board mostly uses for name change notices.
Without giving too much away: We have set phpBB to store some information about where each post came from, on the basis of legitimate interest in preventing and curing abuse. There exist ways to evade the measures we have in place, but I don't think it's quite bad enough yet to have to install stylometry software to guess identity based on writing style. Stylometry probably wouldn't do a good job anyway in the face of misattribution due to mistaken quoting markup.
Now how would you think to imitate my writing style?
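As an added example that is not part of the original thread and not phpBB's own code: a registration-time check that reduces each requested username to a "skeleton" and flags it when that skeleton collides with an existing account. It goes beyond the l/I case discussed here to a few other look-alikes; the confusables table is a small constructed one, the function names are hypothetical, and "tepples" is an assumed spelling.

```python
import unicodedata

# Constructed, deliberately small confusables table. Assumption: a real
# deployment would load the full Unicode UTS #39 confusables data instead.
CONFUSABLES = {
    "I": "l", "1": "l", "|": "l",    # capital i, digit one, pipe vs lowercase L
    "O": "o", "0": "o",              # capital o, zero
    "\u0430": "a", "\u0435": "e",    # Cyrillic a, e
    "\u043e": "o", "\u0440": "p",    # Cyrillic o, er
    "\u0441": "c",                   # Cyrillic es
}

# Sample account names taken from the thread; "tepples" is the assumed
# spelling that the "teppIes" account imitates.
EXISTING = ["lidnariq", "rainwarrior", "orlaisadog", "Revenant", "tepples"]


def skeleton(name):
    """Reduce a username to a form in which look-alike spellings collide."""
    # NFKC folds compatibility forms such as fullwidth letters.
    folded = unicodedata.normalize("NFKC", name)
    # Map confusables before case folding, otherwise "I" would become "i".
    mapped = "".join(CONFUSABLES.get(ch, ch) for ch in folded).casefold()
    # "rn" renders close to "m" in many sans-serif fonts.
    return mapped.replace("rn", "m")


def find_lookalikes(candidate, existing):
    """Return existing names that the candidate would be mistaken for."""
    target = skeleton(candidate)
    return [n for n in existing if n != candidate and skeleton(n) == target]


if __name__ == "__main__":
    # Constructed registration requests, checked against the sample accounts.
    for requested in ["Iidnariq", "teppIes", "r\u0430inwarrior", "newuser"]:
        hits = find_lookalikes(requested, EXISTING)
        verdict = "hold for moderator review" if hits else "ok"
        print(f"{requested!r}: {verdict} {hits}")
```

A collision is a reason to hold the registration for a moderator rather than to reject it outright, since legitimate names can share a skeleton.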
Re: Security issue
Revenant wrote:
teppIes wrote: What about this?
Hello. I seem to have lost my admin rights as my name isn't red anymore. Please can they be restored? Thank you
(deletes all forum posts and replaces them with spam)
Which of the two other admins on this forum do you think are stupid enough to fall for this?
I'm not saying anyone is stupid. I would fall for this.