
Lenny's Signature ( I object to)

  • 09-06-2003 5:46pm
    #1
    Registered Users Posts: 9,493 ✭✭✭


    Following on from this post http://www.boards.ie/vbulletin/showthread.php?s=&threadid=99864

    I also object to Lenny's signature. I don't want to be told my IP address or what OS I am using etc.

    For all I know he could be logging this and using it as an exploit etc.

    How can you justify this when the IP address you use to post is only available to admins?



Comments

  • Closed Accounts Posts: 1,141 ✭✭✭fisty


    lol?

    Devore already explained this.
    nobody else is going to see your stuff....
    blah blah....

    Now shut up and go away.


  • Closed Accounts Posts: 17,163 ✭✭✭✭Boston


    Sorry but don't be a muppet, what makes you think your IP address is only available to admins? I didn't ever see Devore or regi or anyone else promise you that level of security. Back in the good old days of UBB I had a handy way of accessing the IP address of every member of boards. Then again it might have been another forum using UBB. I used a bug in the private messenger software or UBB to get the admin's password and then promptly all hell broke loose, and I wasn't even trying. Vbulletin is better at security and the admins keep it updated regularly but still there are ways and means.

    Besides what makes you think he knows its you accessing the site?


  • Registered Users Posts: 1,880 ✭✭✭nosmo


    A couple of things: AFAIK, Lenny did not write that, and therefore couldn't be logging it. (if you DID write it, apologies) You have an ICQ addy listed in your profile.. That is a much easier way to get your IP. And do you think Lenny would just sit at his PC scrolling through the THOUSANDS of IPs that might be logged by the sig if it DID log, looking for your IP?


  • Closed Accounts Posts: 49 trunks


    I think it's a gif that uses Windows Scripting Host
    the only one that sees it is you


    maybe


  • Registered Users Posts: 11,446 ✭✭✭✭amp


    And besides, how else are we going to download all your goat pr0n irishgeo?


  • Closed Accounts Posts: 9,314 ✭✭✭Talliesin


    Originally posted by irishgeo
    For all I know he could be logging this and using it as an exploit etc.
    For all you know he can walk on water.


  • Closed Accounts Posts: 2,486 ✭✭✭Redshift


    This is nothing at all; you can get ones that will show you the whole directory of your hard disk, but it's the same thing again: only you see it, and it's not possible for anyone to get any info on you using a simple trick like this.

    You're safe enough M8:)

    Red


  • Business & Finance Moderators, Entertainment Moderators Posts: 32,387 Mod ✭✭✭✭DeVore


    So let me see... you KNOW your computer sends this info out willy nilly and you aren't objecting to that (there's nothing any of the admins can do about that except rewrite the TCP/IP protocols).

    But you are objecting to being shown it??

    That info is sent with every http request a page causes... if broadcasting that info is a problem I would recommend never going to a page where you aren't sure where every picture and element of that page is being served from.... :)

    Fisty, I've never been accused of not being able to talk for myself and I'd prefer if you would cut out the abusive replies as that's the second or third I've seen from you today... kthxbye :)

    DeV.


  • Closed Accounts Posts: 17,163 ✭✭✭✭Boston


    Originally posted by DeVore
    Fisty, I've never been accused of not being able to talk for myself and I'd prefer if you would cut out the abusive replies as that's the second or third I've seen from you today... kthxbye :)

    DeV.

    All that misguided misdirected anger, you really need to express yourself more Devore. ww)


  • Registered Users Posts: 3,137 ✭✭✭oneweb


    From what I can make of it, Lenny's sig is a gif image which is dynamically generated on the server side using PHP or JSP. The server basically grabs all the info that your browser sends in its HTTP request and spits it all back out in a li'l gif.

    As previously mentioned, any and all requests for html pages, images, video etc made by your browser will send info about your IP and config (blame your browser's User Agent string for that bit) to the hosting server.

    You could, if you felt it necessary, turn off signature showing from your user control panel.

    It is what it is.



  • Registered Users Posts: 78,404 ✭✭✭✭Victor


    Originally posted by oneweb
    You could, if you felt it necessary, turn off signature showing from your user control panel.
    You could turn off the internet ;)


  • Closed Accounts Posts: 1,141 ✭✭✭fisty


    Originally posted by DeVore


    Fisty, I've never been accused of not being able to talk for myself and I'd prefer if you would cut out the abusive replies as that's the second or third I've seen from you today... kthxbye :)

    DeV.

    I was pointing out this was covered already, there was no need to start a separate post.

    I can but only hope someday I shall be as eloquent as you m'lord.


  • Moderators, Social & Fun Moderators Posts: 10,501 Mod ✭✭✭✭ecksor


    "off topic"

    Behave yourself.


  • Closed Accounts Posts: 49 trunks


    I've been doing some googling on Lenny's sig

    firstly the file vipersig.png

    is the sig; it's some routine in the file itself that retrieves the info from your computer

    I haven't found anything else "a little help"


    :(


  • Closed Accounts Posts: 49 trunks


    sorry the file


  • Registered Users Posts: 2,281 ✭✭✭DeadBankClerk


    the image probably uses some php image library like gd to get the http header that you send to the webserver and write it onto an image.

    OHE NOE MY GIBSON SI TEH HACKED


  • Registered Users Posts: 2,281 ✭✭✭DeadBankClerk


    And that's your IP and OS in that attachment tbh.


  • Registered Users Posts: 9,493 ✭✭✭irishgeo


    Ok, I am objecting to being shown it, yes. I have seen the one which lists your hard drive. I know that the internet is as secure as my wallet.

    AMP, I'd like to disassociate myself from what you said about me. (Damn, I need a better firewall) :D

    Ok, I guess I can live to accept it and find it amusing.


  • Business & Finance Moderators, Entertainment Moderators Posts: 32,387 Mod ✭✭✭✭DeVore


    Ok, but you are objecting to it being shown TO YOU?

    I mean, it's like a mirror: whoever looks at the thread sees their own IP reflected at them.

    Um, I am really having difficulty understanding why you would object to someone showing you an image with your IP in it... seriously I can't think why that would bother anyone...
    Originally posted by Fisty:
    I was pointing out this was covered already, there was no need to start a separate post.

    I can but only hope someday I shall be as eloquent as you m'lord.

    I know and you were right ... if a touch unnecessarily uncivil, that's all. :)

    DeV.


  • Closed Accounts Posts: 49 trunks


    And that's your IP and OS in that attachment tbh.

    what IP address is it showing *.*.222.4 yea


  • Registered Users Posts: 68,317 ✭✭✭✭seamus


    Originally posted by trunks
    what IP address is it showing *.*.222.4 yea

    Yeah, but that's because the attachment is the hard-coded image, and not the source code which generated it.

    Just like a normal php page, you can only retrieve the page it generates, and not the source code.

    Anyone could be much more surreptitious.

    I, for example, could replace the innocent little picture in my sig, with a script which generates an identical picture, but while doing it, rapes your browser for all the info it can get, as well as attempting to pull cookies from your browser, to retrieve a list of usernames and md5-encrypted passwords to link to that IP, while also instructing a second thread to perform a quick port scan on your machine.

    :)

    Anyone who thinks they're anonymous when connected to any network is kidding themselves.


  • Closed Accounts Posts: 49 trunks


    cool
    this is the original
    http://www.danasoft.com/vipersig.jpg


  • Closed Accounts Posts: 8,478 ✭✭✭GoneShootin


    remind me never to annoy you Seamus


  • Business & Finance Moderators, Entertainment Moderators Posts: 32,387 Mod ✭✭✭✭DeVore


    While Seamus is undoubtedly "leet" ... access to cookies is restricted to cookies that belong to the ip/domain that is doing the accessing.

    So while www.boards.ie can access your login cookie, www.badseamus.com can't.

    He'd have to get his script onto our server in the first place, in which case snarfing people's cookies is really not the biggest problem we have!

    I'm not saying you can't act the muppet with headers etc but that it's not as straightforward as all that.

    The general gist of Seamus's post is bang on though.

    DeV.

    ps: (in all of this I bow to the superior knowledge of web security or lack thereof of ecksor and regi and others. Seamus would be one of the others, this post is to clarify rather than correct :) )
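What oneweb and DeVore describe in this thread, as an added example (not code from the thread or from the signature's author): a simplified browser model builds the request for an image embedded from another host, and the image host reflects back only what arrived. The cookie names and values, User-Agent string, URLs and addresses are constructed, and cookie scoping here follows the RFC 6265 domain-match rule only (no path or Secure handling).

```python
import ipaddress
from urllib.parse import urlsplit

def domain_match(host, cookie_domain):
    """RFC 6265 domain-match: same name, or a dot-separated suffix of a hostname."""
    host, cookie_domain = host.lower(), cookie_domain.lower().lstrip(".")
    if host == cookie_domain:
        return True
    try:
        ipaddress.ip_address(host)   # IP literals never suffix-match
        return False
    except ValueError:
        return host.endswith("." + cookie_domain)

def build_request(resource_url, page_url, jar, user_agent):
    """Headers the simplified browser attaches when fetching an embedded resource."""
    host = urlsplit(resource_url).hostname
    # Full-URL Referer is an assumption here; current browsers trim it cross-site by default.
    headers = {"Host": host, "User-Agent": user_agent, "Referer": page_url}
    cookies = [f"{name}={value}" for domain, name, value in jar
               if domain_match(host, domain)]
    if cookies:
        headers["Cookie"] = "; ".join(cookies)
    return headers

OS_TOKENS = (("Windows NT 5.1", "Windows XP"), ("Windows NT 5.0", "Windows 2000"),
             ("Mac OS X", "Mac OS X"), ("Linux", "Linux"))

def reflect(peer_ip, headers):
    """What a server-side 'mirror' image can draw: only what arrived with the request."""
    ua = headers.get("User-Agent", "")
    os_name = next((label for token, label in OS_TOKENS if token in ua), "unknown")
    return {"ip": peer_ip, "os": os_name, "referer": headers.get("Referer"),
            "cookies_seen": headers.get("Cookie")}

# Constructed sample data, not taken from the thread.
JAR = [("boards.ie", "userid", "1234"), ("boards.ie", "passhash", "md5-placeholder")]
UA = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
PAGE = "http://www.boards.ie/vbulletin/showthread.php?threadid=0"

def demo():
    first_party = build_request("http://www.boards.ie/images/logo.gif", PAGE, JAR, UA)
    third_party = build_request("http://www.badseamus.com/sig.png", PAGE, JAR, UA)
    return first_party, reflect("203.0.113.7", third_party)

if __name__ == "__main__":
    sent, seen = demo()
    print("Cookie sent to forum host:", sent.get("Cookie"))
    print("Seen by image host:", seen)
```

The image host learns the address, the User-Agent and the referring thread, while the forum's cookies stay with the forum's own host.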


  • Closed Accounts Posts: 2,196 ✭✭✭Littletinyman


    What if some smartey haxor was standing behind you, looking over your shoulder at Oj's sig, taking in all the IP/OS/ISP information? WHAT THEN? Down with this sort of thing


  • Registered Users Posts: 68,317 ✭✭✭✭seamus


    Originally posted by DeVore
    ps: (in all of this I bow to the superior knowledge of web security or lack thereof of ecksor and regi and others. Seamus would be one of the others)

    Heh, yah right :)

    I actually couldn't do most of what I said, but I know it could be done, and a few quick web crawls and an hour or two later, I might be able to hack out something like it. But I also bow to the superior knowledge of regi and ecksor. :)

    I'm pretty sure there's some way of fooling a browser into giving you its cookies, but that'd be a discussion for another time. ;)
    Encrypted passwords would be fairly useless anyway :), I was just trying to give an idea of what is possible, so people would leave Lenny alone, and consider the tameness of his sig :)

    (Smilie overload alert)


  • Business & Finance Moderators, Entertainment Moderators Posts: 32,387 Mod ✭✭✭✭DeVore


    I'm pretty sure there's some way of fooling a browser into giving you its cookies, but that'd be a discussion for another time.

    If you could demonstrate that you would be on the 9 O'Clock news.

    This *has* been done before (when browsers were even more insecure than now) but afaik there are no known exploits for this or Hotmail and many other sites would be unviable.

    DeV.


  • Moderators, Music Moderators, Recreation & Hobbies Moderators Posts: 9,389 Mod ✭✭✭✭Lenny


    Thanks seamus
    I knew it would only be a matter of days before a topic like this would arrive, sure I've gotten a few pms about it already. haha
    It's only a sig and is harmless, the only thing I see is my own IP, OS etc. so TAKE IT :)


  • Registered Users Posts: 68,317 ✭✭✭✭seamus


    Originally posted by DeVore
    If you could demonstrate that you would be on the 9 O'Clock news.

    Hmmm....

    /me goes off to decompile IE, while simultaneously trying to avoid arrest

    :p

    I am neither "leet", nor anything approaching "someone in the know". I know nothing.

    I find out today I fail a networks exam (all theory though tbh), and then a guy in work tries to argue with me that Linux is less secure than Windows NT because it's a "mish-mash of different programs" and he's done a server admin course on Linux. Then he admits that he knows nothing about Windows administration.

    The funny thing about computers is that no matter how much you *think* you know about something, either you don't know that much, or there's always someone who knows *way* more than you do. This is one of the first lessons I learned when I signed up for boards.ie :)

    I think I'll stop rambling now and go and start studying again :/

    (Save it for your blog seamus)


  • Moderators, Social & Fun Moderators Posts: 10,501 Mod ✭✭✭✭ecksor


    Originally posted by seamus
    But I also bow to the superior knowledge of regi and ecksor. :)

    FWIW, I have raised this issue with the other admins before, and I do recognise that it is a valid grievance. If I had my way you lot wouldn't be able to embed images from servers that weren't under our direct control.

    puppyshotgun320.gif

    (and people who had 100 word signatures trying to show how clever they are who make posts like 'lol' and 'haha pwned' would get banned for a week per offence).
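The restriction ecksor describes, sketched as an added example (not boards.ie or vBulletin code): a filter that keeps `[img]` tags in a signature only when the image host is on an allowlist the forum controls. The allowlist entries, function names and sample signature are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumption: hosts the forum operator controls.
ALLOWED_IMAGE_HOSTS = {"www.boards.ie", "boards.ie"}

IMG_TAG = re.compile(r"\[img\](.*?)\[/img\]", re.IGNORECASE | re.DOTALL)

def image_allowed(url, allowed=ALLOWED_IMAGE_HOSTS):
    """True only for plain http(s) URLs whose exact host is on the allowlist."""
    try:
        parts = urlsplit(url.strip())
        host, port = parts.hostname, parts.port   # .port raises on a malformed port
    except ValueError:
        return False
    if parts.scheme not in ("http", "https") or host is None:
        return False
    if parts.username or parts.password:   # e.g. http://www.boards.ie@other-host/
        return False
    if port not in (None, 80, 443):
        return False
    # Exact match, not a substring or prefix test, so look-alike hosts fail.
    return host.rstrip(".") in allowed

def filter_signature(text, allowed=ALLOWED_IMAGE_HOSTS):
    """Return (filtered_text, removed_urls); disallowed images become plain text."""
    removed = []

    def replace(match):
        url = match.group(1)
        if image_allowed(url, allowed):
            return match.group(0)
        removed.append(url.strip())
        return "[image removed: external host]"

    return IMG_TAG.sub(replace, text), removed

# Constructed sample signature.
SAMPLE = ("[img]http://www.boards.ie/images/smilies/biggrin.gif[/img] "
          "[IMG]http://sig-host.example/sig.png[/IMG] "
          "[img]http://www.boards.ie@sig-host.example/x.gif[/img] "
          "[img]http://www.boards.ie.sig-host.example/x.gif[/img]")

if __name__ == "__main__":
    filtered, removed = filter_signature(SAMPLE)
    print(filtered)
    print(removed)
```

A host check like this only holds if the allowed hosts serve no open redirects; re-hosting or proxying submitted images is the stronger form of the same control.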

