| wikiwhistle |
Tue 4th December 2007, 3:24am
Post
#21
|
Postmaster Group: Regulars Posts: 1,928 Joined: Mon 26th Nov 2007, 2:17pm Member No.: 3,953
As far as I know and also my OH who has a degree in computer science and is very well versed in these issues, he said
"if they know of a way that normal-ranking members of a forum can gather others' IPs, I would LOVE to know about it"
I suppose you could get it by getting the person to mail you using the emails that reveal their IP, using 'social engineering' but that would be a lot of effort if you wanted to do it for a lot of users.
| dtobias |
Tue 4th December 2007, 4:47am
Post
#22
|
Obsessive trolling idiot [per JzG] Group: Regulars Posts: 2,213 Joined: Sun 11th Feb 2007, 2:45pm From: Boca Raton, FL, USA Member No.: 962
I'm the one there who called you a "doody-head", just to be silly... and to see if you were still watching.
| Somey |
Tue 4th December 2007, 5:26am
Post
#23
|
Can't actually moderate Group: Moderators Posts: 11,814 Joined: Sat 17th Jun 2006, 7:47pm From: Dreamland Member No.: 275
QUOTE As far as I know and also my OH who has a degree in computer science and is very well versed in these issues, he said "if they know of a way that normal-ranking members of a forum can gather other's IPs, I would LOVE to know about it :D "

Well... theoretically, if you hosted your avatar on a domain you personally control, you could look at the raw access logs for that domain, data-mine all the requests for that specific image, and compare it to a similar list you generated from other images. We've known about that all along, and in fact we even deleted Wordbomb's sigs a couple of times just to make sure... but we've nevertheless resisted imposing strict controls on avatars, simply because it would make the place less fun. We also haven't received any complaints, really, except of course from Gary Weiss. Though that may only be because people aren't sufficiently aware of the issue, just like they're not sufficiently aware of the Gary Weiss issue...

Now, whenever someone changes their avatar around here, one of us usually checks to see where it's coming from. But a really devious person could host their avatar on one site for a while and then change it to another after a few weeks, and we might not notice until it's - tragically - too late!

Alkivar's idea of having all the images hosted locally is perfectly reasonable, except that it means exposing an FTP-accessible folder to the world, and there are ways that can be exploited, even though you'd have to be something of a hacker to grab the authentication. Still, if we were a non-controversial site, then we'd almost certainly do it that way, I suppose...

The compromise alternative, which I've been dragging my arse on for two months, is to insist that people use one or more third-party image-hosting sites, such as imageshack and photobucket, that everyone can pretty much agree on. That, or else restrict themselves to what's in the avatar gallery.
Again, not as much fun, but I suspect most people wouldn't mind - those sites are fairly easy to use.
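The moderators' check described in the post above (see where each avatar is hosted, and notice one that is later moved to a different host), sketched as an added example that is not part of the original thread or the forum's own software. The allow-list domains for the two named image hosts, the member names and all URLs are constructed assumptions.

```python
from urllib.parse import urlsplit

# Assumed allow-list: domains standing in for the two image hosts named in the post.
ALLOWED_HOSTS = {"imageshack.us", "photobucket.com"}

def avatar_host(url):
    """Lower-cased host of an avatar URL, or None for a local (relative) gallery path."""
    host = urlsplit(url.strip()).hostname
    return host.lower().rstrip(".") if host else None

def host_allowed(host, allowed=ALLOWED_HOSTS):
    """Local paths pass; a remote host must be an allowed domain or a subdomain of one."""
    if host is None:
        return True
    return any(host == d or host.endswith("." + d) for d in allowed)

def audit_avatars(previous, current, allowed=ALLOWED_HOSTS):
    """Compare two {member: avatar_url} snapshots; return sorted (member, reason, host)."""
    findings = []
    for member, url in current.items():
        host = avatar_host(url)
        if not host_allowed(host, allowed):
            findings.append((member, "host-not-allowed", host))
        old = previous.get(member)
        # Re-checking every avatar on a schedule catches a host swapped after approval.
        if old is not None and avatar_host(old) != host:
            findings.append((member, "host-changed", host))
    return sorted(findings, key=lambda f: (f[0], f[1]))

# Constructed sample snapshots (hypothetical members and URLs).
PREVIOUS = {
    "alice": "http://img201.imageshack.us/a.png",
    "bob": "gallery/pumpkin.png",
    "carol": "http://i12.photobucket.com/c.gif",
}
CURRENT = {
    "alice": "http://img201.imageshack.us/a.png",
    "bob": "http://static.example.net/b.png",
    "carol": "http://photobucket.com@tracker.example.org/c.gif",  # userinfo, not the host
    "dave": "http://imageshack.us.example.org/d.png",             # look-alike suffix
}

if __name__ == "__main__":
    for finding in audit_avatars(PREVIOUS, CURRENT):
        print(finding)
```

Matching on the parsed hostname rather than on a substring of the URL is what keeps the last two sample entries from passing as allowed hosts.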
| Pumpkin Muffins |
Tue 4th December 2007, 5:50am
Post
#24
|
Über Member Group: Regulars Posts: 656 Joined: Wed 28th Nov 2007, 4:48pm Member No.: 3,972
Wikipedia definitely logs referrers. They've run statistics on who's hitting WP from Google, for instance. You can see a sample of what Wikipedia logs here. In this case, I think Brion enabled some additional logging.
| Moulton |
Tue 4th December 2007, 8:18am
Post
#25
|
Anthropologist from Mars Group: Contributors Posts: 10,220 Joined: Mon 29th Oct 2007, 9:56pm From: Greater Boston Member No.: 3,670
|
| guy |
Tue 4th December 2007, 11:04am
Post
#26
|
|
Postmaster General Group: Inactive Posts: 4,294 Joined: Mon 27th Feb 2006, 8:52pm From: London Member No.: 23
QUOTE The cookies appear to declare the attacker as a logged-out User:MARMOT. So they can catch you even if you are logged out.
| AB |
Tue 4th December 2007, 2:47pm
Post
#27
|
|
'...I will be generous and give you a week.' Group: Inactive Posts: 888 Joined: Tue 28th Aug 2007, 2:26am Member No.: 2,742
So which is more concerning, then? The idea that WP is logging referrers to sniff out who's following links from here, or the idea that people here are sneakily using offsite-hosted avatars or those little 1px tracking images to obtain IPs without anyone else knowing about it? I know we've been accused of looking at our own raw access logs to try and figure out who's visiting from WP, but that's just part of the usual JzG cabal disinformation campaign. (AS IF Selina or I would actually have the time or patience to sift through all that stuff!) Besides, look at the recent numbers down in the board footer... Everybody's dropping by nowadays.

People who care about the privacy of their IP addresses should be using Tor or some other proxy.

Your browser may be configurable to not show referrers. In Firefox, go to about:config and set network.http.sendRefererHeader to 0. For Konqueror, use the following command:

kwriteconfig --file ~/.kde/share/config/kio_httprc --key SendReferrer --type bool false

Or you could just edit the kio_httprc file with vim or emacs or something. If your browser does not allow you to hide referrers, there are proxies that can scrub it for you.

QUOTE The cookies appear to declare the attacker as a logged-out User:[...]. So they can catch you even if you are logged out.

So delete your WP cookies.

This post has been edited by AB: Tue 4th December 2007, 3:06pm
| Disillusioned Lackey |
Tue 4th December 2007, 2:52pm
Post
#28
|
|
Unregistered |
|
| Moulton |
Tue 4th December 2007, 3:14pm
Post
#29
|
Anthropologist from Mars Group: Contributors Posts: 10,220 Joined: Mon 29th Oct 2007, 9:56pm From: Greater Boston Member No.: 3,670
Cookies are not an entirely reliable source.
If one is using a public computer (say at a school or library), then an old cookie might have nothing to do with another person who comes along later and uses the same physical machine without logging in.
| Aloft |
Tue 4th December 2007, 3:21pm
Post
#30
|
|
Please stop trying to cause trouble! Group: Regulars Posts: 322 Joined: Wed 26th Sep 2007, 5:40am Member No.: 3,239
|
| Jonny Cache |
Tue 4th December 2007, 3:22pm
Post
#31
|
|
τα δε μοι παθήματα μαθήματα γέγονε Group: Contributors Posts: 5,100 Joined: Sat 9th Sep 2006, 1:52am Member No.: 398
QUOTE Cookies are not an entirely reliable source. If one is using a public computer (say at a school or library), then an old cookie might have nothing to do with another person who comes along later and uses the same physical machine without logging in.

Reliability !? Wikipediots don't need no stinkin reliability !!! Their policy is WP:BFABQL (Ban First And Block Questions Later).

Jonny

This post has been edited by Jonny Cache: Tue 4th December 2007, 6:44pm