
SoylentNews is people

posted by janrinok on Saturday August 10 2019, @05:09PM
from the I-love-the-smell-of-burning-trolls-in-the-morning dept.

Things finally came to a head on slashdot last night, and now anonymous posts are banned. No more anonymous nazi ASCII art, no anonymous racism, and no APK. More in this journal entry [Ed's Comment: And lots of interesting comments too ...].

It's one way to combat anonymous hate speech and forum spam.

[Editor (JR) We've looked at the site but we cannot find an announcement that anonymous posts are actually banned; it might simply be a case that the software is not working correctly, although it would seem to be an unlikely cause. Does anyone in our community have any additional information to categorically prove or disprove that anonymous comments are disabled?

Furthermore, as there are many more comments in the journal entry than there are here, I would recommend making any new comments on BarbaraHudson's journal entry rather than splitting the discussion into two.]

  • (Score: 4, Informative) by VanessaE on Saturday August 10 2019, @05:15PM (55 children)

    by VanessaE (3396) <vanessa.e.dannenberg@gmail.com> on Saturday August 10 2019, @05:15PM (#878345) Journal

    If you're logged in, you can still tick "post anonymously" when making a post. However, you can't actually submit it ("You can't post to this page") if you do.

  • (Score: 4, Informative) by janrinok on Saturday August 10 2019, @05:30PM (4 children)

    by janrinok (52) Subscriber Badge on Saturday August 10 2019, @05:30PM (#878349) Journal

    The ability to post comments is controlled by a tick box for each story or it can be enabled and disabled globally. It is still possible that a change to software has caused this box to default to No Postings or that the global option has been switched off. If it is the latter, then it might only be temporary (perhaps for the weekend when most spamming and site abuse takes place).

    Without a statement from those managing the site, we do not know the reason for the change in AC commenting policy. It could still be an error, it might be a short term measure to counter an attack that is on-going, or it might be a longer term change of policy.

    • (Score: 0) by Anonymous Coward on Saturday August 10 2019, @05:55PM (3 children)

      by Anonymous Coward on Saturday August 10 2019, @05:55PM (#878363)

      And yet the Unicode support and long posts taking up all the space haven't been fixed.

      • (Score: 2) by janrinok on Saturday August 10 2019, @06:53PM (2 children)

        by janrinok (52) Subscriber Badge on Saturday August 10 2019, @06:53PM (#878397) Journal

        I assume you are referring to /.'s Unicode support or lack of it etc?

        I am not aware of any problems with our Unicode support - in fact the team put a lot of effort into making sure we could work with it.

        • (Score: 0) by Anonymous Coward on Saturday August 10 2019, @08:01PM (1 child)

          by Anonymous Coward on Saturday August 10 2019, @08:01PM (#878427)

          Yes, as far as I know there have never been any problems with unicode here.

          • (Score: 3, Funny) by The Mighty Buzzard on Saturday August 10 2019, @10:07PM

            by The Mighty Buzzard (18) Subscriber Badge <themightybuzzard@proton.me> on Saturday August 10 2019, @10:07PM (#878490) Homepage Journal

            Yeah, it was the first non-trivial thing I did after coming on staff, so somewhere between six months and a year in. We're still not entirely 100% (a few very minor bugs left) but we're close enough to mock the hell out of slashdot.

            --
            My rights don't end where your fear begins.
  • (Score: 2, Informative) by Anonymous Coward on Saturday August 10 2019, @05:30PM (8 children)

    by Anonymous Coward on Saturday August 10 2019, @05:30PM (#878351)

    I tried posting anonymously, and also got the same error: "You can't post to this page."

    I tried creating an account, but it requires a recaptcha. There are a hundred reasons I can't do recaptcha.

    • (Score: 2) by Aighearach on Sunday August 11 2019, @03:09AM (6 children)

      by Aighearach (2621) on Sunday August 11 2019, @03:09AM (#878663)

      Name 10, without repeating any.

      • (Score: 1, Touché) by Anonymous Coward on Sunday August 11 2019, @04:02AM

        by Anonymous Coward on Sunday August 11 2019, @04:02AM (#878682)

        Alan, Bert, Carol, Diane, Edgar, Frances, George, Harriet, Iris, Jenny.

      • (Score: 5, Insightful) by Anonymous Coward on Sunday August 11 2019, @04:13AM (3 children)

        by Anonymous Coward on Sunday August 11 2019, @04:13AM (#878690)

        1. Running javascript in the browser increases the attack surface of the browser by a ton. It is safer to refuse all javascript.

        2. Running Google's javascript is especially unsafe, because Google has a history of being evil.

        3. Google has admitted that their recaptcha javascript files do things like fingerprinting the browser, taking a screenshot of the page, and other privacy-violating activities.

        4. Recaptcha is heavily obfuscated to prevent analysis of the security and privacy implications of the scripts. It goes way beyond just script compression.

        5. Recaptcha javascript is also loaded on pages that don't require filling out a recaptcha, to aid Google in tracking you. They claim it is to help distinguish users and bots, but they don't promise that it won't be used for privacy invasion. Many pages (that don't require filling out a recaptcha) fail to load correctly if you block recaptcha scripts from loading.

        6. Recaptcha's terms of service are unconscionable.

        7. Many times, the recaptchas are hard enough to be unsolvable. I believe they discriminate against: people who aren't signed in to a Google account, people who delete cookies regularly, people who sometimes block scripts, people with uncommon configurations (like most Linux distros), and people who use private browsing mode.

        8. Many times, the audio recaptchas are unsolvable.

        9. I often get an error message that says "Your computer is sending automated queries. Go away." (paraphrased) This makes it impossible to solve.

        10. Solving a recaptcha is unpaid labor. Thus, it constitutes a payment to Google, in the amount of however much I should have been paid to solve the recaptcha. I should not have to make this payment to receive a nominally free service. If a recaptcha is required, then the service should not be considered free (and they should allow an alternative form of payment. In many cases, I would happily send a micropayment to the site I'm trying to access, but not to Google.)

        11. Solving a recaptcha is a payment to Google in the amount of however much I should have been paid to solve the recaptcha. Google should not receive anything, because I feel morally obligated to boycott Google.

        12. Solving recaptchas helps Google develop AI technology that will make my life worse.

        • (Score: 3, Funny) by Pslytely Psycho on Sunday August 11 2019, @07:17AM

          by Pslytely Psycho (1218) on Sunday August 11 2019, @07:17AM (#878742)

          He said 10.
          Damned overachiever.

          --
          Alex Jones lawyer inspires new TV series: CSI Moron Division.
        • (Score: 2) by Chocolate on Sunday August 11 2019, @08:26AM (1 child)

          by Chocolate (8044) on Sunday August 11 2019, @08:26AM (#878770) Journal

          taking a screenshot of the page

          What the absolute fuck? Isn't this a violation of privacy?

          I have long suspected external javascripts do dodgy things and responded accordingly with my invisible tin foil hat on knowing I was being somewhat paranoid but this is ridiculous. Is there any proof of this?

          --
          Bit-choco-coin anyone?
      • (Score: 0) by Anonymous Coward on Sunday August 11 2019, @08:24AM

        by Anonymous Coward on Sunday August 11 2019, @08:24AM (#878769)

        * Using a VPN

    • (Score: 0) by Anonymous Coward on Sunday August 11 2019, @07:31AM

      by Anonymous Coward on Sunday August 11 2019, @07:31AM (#878746)

      Went there too just to try, and second story up is:

      https://tech.slashdot.org/story/19/08/10/1954251/should-some-sites-be-liable-for-the-content-they-host [slashdot.org]

      Funny.

  • (Score: 3, Informative) by SomeGuy on Saturday August 10 2019, @06:34PM (28 children)

    by SomeGuy (5632) on Saturday August 10 2019, @06:34PM (#878386)

    Even here, the logged-in "post anonymously" check isn't really anonymous under the hood. The post gets associated with your account so you can't mod the post. If you are logged out then it only gets associated with your current IP address.

    • (Score: 5, Informative) by janrinok on Saturday August 10 2019, @06:45PM (27 children)

      by janrinok (52) Subscriber Badge on Saturday August 10 2019, @06:45PM (#878392) Journal

      Not true - your IP is protected and discarded at the earliest opportunity. We cannot give anyone your IP address - we haven't got it. We use a hash, or in fact a couple of hashes - which cannot be 'unhashed' to give your IP again.

      • (Score: 1, Interesting) by Anonymous Coward on Saturday August 10 2019, @08:51PM (16 children)

        by Anonymous Coward on Saturday August 10 2019, @08:51PM (#878460)

        "A couple of hashes" so more than 1 algorithm and / or starting values, each fed the same IP address?

        Then "reversing" is quite possible, but space intensive. Example: feed all IP addresses through the different versions and save the results. Now you have the keys to reverse it. Look up each hash in the multiple lists and look at the intersection. If the hash only maps 4 IPs to the same value and you have 2 different ones, the odds are damn good for a single match in the two lists. Add a third, guaranteed.

        Now since you also use machine hashes, you cannot tell if I am me if I use different browsers and/or different local machines. You can pin-point if 2 anonymous posts are from the same person.

        It's fun living on the bleeding edge of anonymous posting.

        • (Score: 2) by The Mighty Buzzard on Saturday August 10 2019, @10:08PM (12 children)

          by The Mighty Buzzard (18) Subscriber Badge <themightybuzzard@proton.me> on Saturday August 10 2019, @10:08PM (#878492) Homepage Journal

          Technically possible, practically impossible.

          --
          My rights don't end where your fear begins.
          • (Score: 3, Interesting) by qzm on Saturday August 10 2019, @10:20PM (11 children)

            by qzm (3260) on Saturday August 10 2019, @10:20PM (#878503)

            MD5 hashes can be calculated in a single FPGA at a rate of 4Gbps+, so around 125 million hashes/second.
            There are around 3.5 billion IP addresses to use (or a bit over 4 if you want to search all, including reserved ones).
            So, it wouldn't take many FPGAs to be able to search the ENTIRE space in a second, or around half a minute for one FPGA....

            Not saying single MD5 is enough, but double hashing, etc scale without too much trouble.

            Not really impossible it seems..

            • (Score: 0) by Anonymous Coward on Saturday August 10 2019, @11:33PM

              by Anonymous Coward on Saturday August 10 2019, @11:33PM (#878548)

              4G of addresses x 1024 bit hashes plus 15 bytes for readable IP. Makes a single table only 80 byte rows, so 320GB per table, so 3 tables is 1TB. Just saw some 1TB SSDs for $90.

              No need to dump the pictures.

              Cost here is time creating the tables to reverse the hashes.

              Tech has changed over years still remember 12kB memory and 5MB removable player.

            • (Score: 0) by Anonymous Coward on Saturday August 10 2019, @11:36PM (2 children)

              by Anonymous Coward on Saturday August 10 2019, @11:36PM (#878551)

              You are assuming you know everything they are doing. They may include salt or some other extra text that adds to the complexity. You'd have to look at the public code repository.

              • (Score: 3, Informative) by The Mighty Buzzard on Sunday August 11 2019, @12:35AM (1 child)

                Us admins have access to the salt, so not really relevant. Mind you, we also have access to the servers so we could just turn logging on and match up the timestamps of posts to the access log. Using a hashed IP address was supposed to make it a nontrivial thing to find a person's IP address rather than seeing it at a glance. That and to annoy law enforcement. There really is no way to keep a determined admin from knowing anything they want to that's going on with their servers.

                --
                My rights don't end where your fear begins.
                • (Score: 2) by jmorris on Sunday August 11 2019, @07:34AM

                  by jmorris (4844) on Sunday August 11 2019, @07:34AM (#878747)

                  Wouldn't annoy law enforcement long. If you can regenerate the hash to know the IP is the same it means you have the salting data. Four billion tries gets the IP, worst case. Brute forcing a 32bit value isn't hard now. But if Officer Friendly has a warrant they will get in anyway, best they get what they want and go instead of setting up camp and rooting around.

            • (Score: 2) by The Mighty Buzzard on Sunday August 11 2019, @12:26AM (6 children)

              I don't have even a single FPGA, but your point is valid. I hadn't even thought of brute forcing them every single time you wanted to find one out. It really annoys me when something so inelegant turns out to be the best way to do a thing. Guess I'll be switching us over to scrypt or bcrypt or some such for the next update. Sigh.

              --
              My rights don't end where your fear begins.
              • (Score: 3, Informative) by el_oscuro on Sunday August 11 2019, @01:36AM (1 child)

                by el_oscuro (1711) on Sunday August 11 2019, @01:36AM (#878622)

                I wouldn't do that unless you want your server to melt. Bcrypt/scrypt are password hashes and are explicitly designed to be computationally expensive. The only time you want to use them is to validate a login and generate a session token.

                Another idea: Just replace the last octet of the IP with '.X' or something and hash that.

                --
                SoylentNews is Bacon! [nueskes.com]
              • (Score: 0) by Anonymous Coward on Sunday August 11 2019, @02:05AM

                by Anonymous Coward on Sunday August 11 2019, @02:05AM (#878633)

                Coming up with a security solution is useless without knowing your threat model. What data do you want to protect with this? Who do you want to protect it from? For how long do you want that protection to last? What cost are you willing to pay for said protection? Etc. Seems like you want to protect the IP addresses from being bruted, but from whom and for how long? What server resource hit are you willing to make per post for that protection?

              • (Score: 0) by Anonymous Coward on Sunday August 11 2019, @06:40PM (2 children)

                by Anonymous Coward on Sunday August 11 2019, @06:40PM (#878930)

                Also only use 1 hash routine with one salt. Once you have 2, no matter what they are, you have cut the effectiveness by at least 1/2, more like 1/4. For every 1 new hash method used, the effectiveness of hiding the IP goes down by 1/2^(n-1) to 1/2^(n). So the next question is how effective is the hash method. Like 4 IPs all map to the same hash. It is why then just 2 different hash methods cause the complete loss of anonymity (mathematically).

                • (Score: 2) by The Mighty Buzzard on Monday August 12 2019, @02:38PM (1 child)

                  No, if both hash routines are known it is mathematically the same as one hash routine to brute force (additive for time though), assuming they use the same input (an IPv4 address).

                  --
                  My rights don't end where your fear begins.
                  • (Score: 0) by Anonymous Coward on Tuesday August 13 2019, @05:47AM

                    by Anonymous Coward on Tuesday August 13 2019, @05:47AM (#879508)

                    *and* iff they have the same output space (for high-entropy output, bitcount describes it well enough)

        • (Score: 2) by janrinok on Sunday August 11 2019, @07:47AM (2 children)

          by janrinok (52) Subscriber Badge on Sunday August 11 2019, @07:47AM (#878753) Journal

          All very true but missing the point. We don't want to know your IP or who you really are. We don't care. We want to read interesting stories and take part in intelligent conversations. It doesn't always work out that way, but that is what this site is for.

          We only need the hashes so that the comments can be processed appropriately and so that we can help prevent the most frequent abuses of the site.

          • (Score: 1) by nsa on Sunday August 11 2019, @10:13PM (1 child)

            by nsa (206) on Sunday August 11 2019, @10:13PM (#878988)

            All very true but missing the point. We don't want to know your IP or who you really are. We don't care. We want to read interesting stories and take part in intelligent conversations. It doesn't always work out that way, but that is what this site is for.

            We only need the hashes so that the comments can be processed appropriately and so that we can help prevent the most frequent abuses of the site.

            Spin city. You don't want to know until you do (it falls into the category of 'most frequent abuses of the site'). I'd guess if you were more honest with yourself you'd lose the 'most frequent' qualifier because in fact what is most scary are the abuses that are infrequent, but related to negative outcomes of much greater magnitude.

            • (Score: 2) by The Mighty Buzzard on Monday August 12 2019, @02:43PM

              Nope. Frequency trumps scariness. Spam and moderation abuse are the only things we really use the hashes for. Neither of those require an actual IP, which any admin could get easily just by turning access logging on and grepping for timestamps.

              --
              My rights don't end where your fear begins.
      • (Score: 0) by Anonymous Coward on Saturday August 10 2019, @09:50PM (3 children)

        by Anonymous Coward on Saturday August 10 2019, @09:50PM (#878482)

        TMB claimed he can use a rainbow table to unhash, and your system at least allows admins to track which AC is which. I see why the TOR users get so frustrated with "bad form key" errors which don't like TOR users.

        • (Score: 4, Touché) by The Mighty Buzzard on Saturday August 10 2019, @10:10PM (2 children)

          by The Mighty Buzzard (18) Subscriber Badge <themightybuzzard@proton.me> on Saturday August 10 2019, @10:10PM (#878495) Homepage Journal

          I said it's technically possible with modern hardware not that either SN or I personally have the free drive space to do so (we don't). I'm not dumping my porn stash just to find out what ISP you use.

          --
          My rights don't end where your fear begins.
          • (Score: 1, Funny) by Anonymous Coward on Sunday August 11 2019, @09:16AM (1 child)

            by Anonymous Coward on Sunday August 11 2019, @09:16AM (#878793)

            I will take one for the team to provide the offsite storage to backup your porn stash.
            Except the horse porn. I was never into that.

      • (Score: 3, Interesting) by pipedwho on Saturday August 10 2019, @09:56PM

        by pipedwho (2032) on Saturday August 10 2019, @09:56PM (#878484)

        The problem with hashing a limited range of inputs is that, given the full set of known variables (i.e. algorithm, constants, salts, etc.), a brute force matching attack is fairly trivial. With a possible search space of a maximum of 2^32 possibilities, a brute force attack won't take very long at all. Even with a CPU intensive hash the attack time is at most 4 billion times the hash time divided by the cluster multiplier size. So unless soylent is spending multiple seconds on each hash, an attack would be quite fast.

        A solution would be to use a HSM (hardware security module) with a protected (ie. never exposed) hash key, to perform the calculation with an internal rate limit to slow down an oracle attack.

        A good practice mitigation would be to both time limit the hashes and use a random ephemeral salt that is discarded from secure memory after a reasonable time (eg. a day). This salt must not be saved or exposed. But, it obviously limits the ability to block an up mod to an AC post after that time, which is not a problem IMO, as it’s easy enough to just up mod from a different IP address if the poster really wants to.

        Anything less is security by obscurity.
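
        The points made in this subthread (qzm's 2^32 search-space estimate, The Mighty Buzzard's note that a second hash routine only adds time, and pipedwho's ephemeral-salt mitigation) can be shown side by side in code. The following is an added illustration, not SoylentNews/rehash code; the salt, the TEST-NET-3 addresses and the daily rotation period are constructed for the example. It contrasts a salted hash whose salt is ordinary config data (enumerable offline by anyone holding it) with an HMAC under a secret key that lives only in memory and is discarded on rotation, which keeps same-day correlation for spam and mod-abuse handling while making stored tokens useless for later enumeration.

```python
import hashlib
import hmac
import ipaddress
import secrets
from datetime import date, timedelta
from typing import Optional

# Constructed sample values: TEST-NET-3 addresses and a made-up "config file" salt.
SAMPLE_IP = "203.0.113.42"
SAMPLE_NETWORK = ipaddress.ip_network("203.0.113.0/24")
CONFIG_SALT = b"example-config-salt"  # constructed; not any site's real salt


def weak_ip_token(ip: str, salt: bytes = CONFIG_SALT) -> str:
    """Salted SHA-256 of the dotted-quad IP string.

    The salt is plain configuration data, so anyone who can read it (an admin,
    someone holding the config, a legal request) can enumerate all 2**32 IPv4
    inputs offline. This is the "known salt" case the thread discusses.
    """
    return hashlib.sha256(salt + ip.encode()).hexdigest()


def recover_ip(token: str, salt: bytes, network: ipaddress.IPv4Network) -> Optional[str]:
    """Offline enumeration of one network slice against a weak token.

    Over the full IPv4 space this loop runs 2**32 times (qzm's estimate is
    about half a minute on one FPGA for MD5); a /24 keeps the demo small.
    """
    for addr in network:
        if hmac.compare_digest(weak_ip_token(str(addr), salt), token):
            return str(addr)
    return None


class EphemeralKeyedTokenizer:
    """HMAC-SHA256 over the IP under a secret key regenerated every rotation period.

    Same IP on the same day gives the same token, so correlation for spam and
    moderation abuse still works. The key never touches disk and is forgotten
    at rotation, so a token in the database cannot be enumerated afterwards
    even by someone holding the database and the source code.
    """

    def __init__(self, rotation_days: int = 1) -> None:
        self.rotation = timedelta(days=rotation_days)
        self.key_day: Optional[date] = None
        self.key: bytes = b""

    def _rotate_if_needed(self, today: date) -> None:
        if self.key_day is None or today - self.key_day >= self.rotation:
            self.key = secrets.token_bytes(32)  # fresh key; the old one is dropped
            self.key_day = today

    def token(self, ip: str, today: date) -> str:
        self._rotate_if_needed(today)
        return hmac.new(self.key, ip.encode(), hashlib.sha256).hexdigest()


def full_space_cost_seconds(hashes_per_second: float, hashes_per_ip: int = 1) -> float:
    """Worst-case wall clock to enumerate all 2**32 IPv4 inputs.

    Several hash variants of the same input add up rather than multiply: the
    attacker computes each variant once per candidate IP.
    """
    return (2 ** 32) * hashes_per_ip / hashes_per_second


def demo_keyed_tokens() -> dict:
    """Exercise the keyed tokenizer across one rotation (constructed dates)."""
    t = EphemeralKeyedTokenizer()
    day0 = date(2019, 8, 10)
    same_day_equal = t.token(SAMPLE_IP, day0) == t.token(SAMPLE_IP, day0)
    other_ip_differs = t.token(SAMPLE_IP, day0) != t.token("203.0.113.43", day0)
    before = t.token(SAMPLE_IP, day0)
    after = t.token(SAMPLE_IP, day0 + timedelta(days=1))  # triggers rotation
    return {
        "same_day_equal": same_day_equal,
        "other_ip_differs": other_ip_differs,
        "rotation_changes_token": before != after,
    }


if __name__ == "__main__":
    token = weak_ip_token(SAMPLE_IP)
    print("weak token recovered as:", recover_ip(token, CONFIG_SALT, SAMPLE_NETWORK))
    print("keyed tokenizer:", demo_keyed_tokens())
    print("2**32 MD5 at 125e6/s:", round(full_space_cost_seconds(125e6), 1), "seconds")
```

The per-post cost of the HMAC is one SHA-256, so it does not carry the server-melting expense el_oscuro warns about for bcrypt/scrypt; the protection comes from the key being secret and short-lived, not from slowing the hash down. The trade-off pipedwho names still applies: after rotation, tokens from earlier days no longer match, so any check that relies on them (such as blocking a self-upmod of an older AC post) stops working.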

      • (Score: 0) by Anonymous Coward on Sunday August 11 2019, @03:07AM (3 children)

        by Anonymous Coward on Sunday August 11 2019, @03:07AM (#878662)

        How long is that hash stored?

      • (Score: 0) by Anonymous Coward on Sunday August 11 2019, @08:29AM

        by Anonymous Coward on Sunday August 11 2019, @08:29AM (#878772)

        I am so proud of you lot.

  • (Score: 1, Interesting) by Anonymous Coward on Saturday August 10 2019, @08:48PM (9 children)

    by Anonymous Coward on Saturday August 10 2019, @08:48PM (#878457)

    Weirdly, I've seen an anonymous comment after the ban went into effect: https://entertainment.slashdot.org/comments.pl?sid=14544108&cid=59072652 [slashdot.org]. If it's not possible even for logged-in users to post anonymously, it's odd that someone still seems capable of anonymous posting. It's almost certainly a bot, because I've seen similar gibberish in other articles -- often with a link to an old (now disabled) goatse URL. The bot seemed to not be subject to the lameness filter because it was able to post the n-word after Slashdot had banned it with the lameness filter.

    It seems very odd that at least one anonymous comment has been posted after the ban took effect. An editor-run bot could presumably evade all restrictions on commenting. A long time ago in Slashdot's history, Rob Malda wrote code to populate stories with "first post" comments to discourage other users from similarly attempting to get first post. The comments would later be removed once other comments had been posted. I have no idea why the editors would be running a bot to post gibberish comments, but it's odd that anonymous posting doesn't seem to entirely be gone.

    • (Score: 2) by takyon on Saturday August 10 2019, @09:02PM (3 children)

      by takyon (881) <takyonNO@SPAMsoylentnews.org> on Saturday August 10 2019, @09:02PM (#878466) Journal

      I noticed that one too [soylentnews.org]. It's the only one I found from "Researchers Show How Europe's Data Protection Laws Can Dox People" onwards. Whatever it means for SD, it's not good.

      --
      [SIG] 10/28/2017: Soylent Upgrade v14 [soylentnews.org]
    • (Score: 0) by Anonymous Coward on Saturday August 10 2019, @10:23PM (4 children)

      by Anonymous Coward on Saturday August 10 2019, @10:23PM (#878504)

      Are they actually AC though rather than somebody that's registered and posted anonymously? Most likely those are throwaway accounts.

      • (Score: 2) by Pslytely Psycho on Sunday August 11 2019, @12:27AM (2 children)

        by Pslytely Psycho (1218) on Sunday August 11 2019, @12:27AM (#878581)

        Doesn't work, just tried it. That particular comment does appear to be a legit AC, further up the page there's an AC that seems to be a registered account called Anonymous Coward.

        --
        Alex Jones lawyer inspires new TV series: CSI Moron Division.
        • (Score: 2) by maxwell demon on Sunday August 11 2019, @05:45AM (1 child)

          by maxwell demon (1608) on Sunday August 11 2019, @05:45AM (#878718) Journal

          But did it already not work at the time that post was created? Maybe originally it was only logged-out posting that was blocked, then spammers/trolls started to use the post anon checkbox, then that got blocked, too.

          --
          The Tao of math: The numbers you can count are not the real numbers.
          • (Score: 2) by Pslytely Psycho on Sunday August 11 2019, @06:07AM

            by Pslytely Psycho (1218) on Sunday August 11 2019, @06:07AM (#878721)

            Unfortunately I can't say. I never actually tried it until shortly after the story first broke, and then again when I saw this comment. Both times were signed in and the first attempt was about fifteen minutes after the story first posted so it appears that it was universal at least from that time on.

            --
            Alex Jones lawyer inspires new TV series: CSI Moron Division.
      • (Score: 0) by Anonymous Coward on Sunday August 11 2019, @08:35AM

        by Anonymous Coward on Sunday August 11 2019, @08:35AM (#878775)

        Okay, I'll pay that.
        Register an account just to make one AC post.
        You rock :)

  • (Score: 2) by Chocolate on Monday August 12 2019, @02:24AM

    by Chocolate (8044) on Monday August 12 2019, @02:24AM (#879028) Journal

    "You can't post to this page"—Why not?

    This probably means you're reading from behind a web proxy that allows connections from any host. This functionality has been abused. Comments can't be posted from this address until the proxy is better secured. Please notify your Proxy Admin.

    https://slashdot.org/faq [slashdot.org]

    --
    Bit-choco-coin anyone?
  • (Score: 0) by Anonymous Coward on Wednesday August 21 2019, @10:48PM

    by Anonymous Coward on Wednesday August 21 2019, @10:48PM (#883342)

    From back in the Minetest 0.3-early 0.4 days. ;-)

    Was sorry to hear about the losses in the community in the years since.