Difference between revisions of "Talk:Iwitness"

From The Urban Dead Wiki
Jump to navigationJump to search
Line 119: Line 119:
:::Ungodly being at least two for pretty much every hour of every day from May 2007 until now. --<small>[[User:Karek#K|Karek]]<sup><font face="Monotype Corsiva">[[User:Karek/ProjDev/OmegaMap|maps?!]]</font></sup></small> 13:26, 28 February 2010 (UTC)
:::Ungodly being at least two for pretty much every hour of every day from May 2007 until now. --<small>[[User:Karek#K|Karek]]<sup><font face="Monotype Corsiva">[[User:Karek/ProjDev/OmegaMap|maps?!]]</font></sup></small> 13:26, 28 February 2010 (UTC)
Hello Karek! A plea (please please please ...) on behalf of MCM, whose [[Malton College of Medicine/textbooks|lecture archive]] is almost entirely recorded on Iwitness. Our new students have no access to the archive at present, which makes us very sad. Any word yet as to when the old Iwits might be available? --{{User:Sherry Stringfield/sig}} 13:45, 27 March 2010 (UTC)
Hello Karek! A plea (please please please ...) on behalf of MCM, whose [[Malton College of Medicine/textbooks|lecture archive]] is almost entirely recorded on Iwitness. Our new students have no access to the archive at present, which makes us very sad. Any word yet as to when the old Iwits might be available? --{{User:Sherry Stringfield/sig}} 13:45, 27 March 2010 (UTC)
:A rapid and extremely helpful reply from Iscariot on my [[User talk:Sherry Stringfield|talk page]]. Anyone with old Iwits they are looking to reclaim should take a look. Thanks Iscariot! --{{User:Sherry Stringfield/sig}} 15:56, 27 March 2010 (UTC)


==[[Iwitness/LocationblockIW]]==
==[[Iwitness/LocationblockIW]]==
Moved to namespace, as per Kareks request. --{{User:Rosslessness/Sig}} 12:46, 28 February 2010 (UTC)
Moved to namespace, as per Kareks request. --{{User:Rosslessness/Sig}} 12:46, 28 February 2010 (UTC)

Revision as of 15:56, 27 March 2010

Site Down?

As of June 16, 2008, the whole iwitness site is down. Is this permanent? - Asoka Wu

Never mind, it seems to have righted itself. :) - Asoka Wu

It went down again a couple of days ago. :( I suggest newbies such as myself who never got a chance to actually read the FAQ to check this archive.org copy for the time being. Lomd 04:16, 28 December 2008 (UTC)

Security

It should be mentioned that Iwitness screenshots can be faked by a user with moderate computer skill. For example, here's a screenshot of me standing outside the Taj Mahal: http://iwrecords.urbandead.info/10-31-07_0500hrs_PUBLIC/OUT_26-66_The_Taj_Mahal_1fe-2a3-846.html

I haven't fully investigated the limits of the program. I found that if I simply saved an urbandead.com map page to my hard drive, IWitness would refuse to make a record based on it. I was able to bypass this by mapping "www.urbandead.com" to "127.0.0.1" in my network hosts file (C:\WINDOWS\system32\drivers\etc\hosts in Windows) and then placing the map page in a web server running on my local machine. An online tool for Iwitness forgery could easily be created using the same mechanism.

So it is an excellent tool for quick information sharing, but is not a substitute for personal trust in matters like proving that another user is a PKer. --Sterling Bershadsky 05:25, 31 October 2007 (UTC)

The thing about IWitness is that it is as reliable as a screen shot, but easier to use. I don't belive that at any point anyone said that a screenshot with IWitness couldn't be faked. You'ld have to be ignorant to think that any tool could ensure that all content is 100% real. As for actual security, I'm sure that you'll find that all known XSS attacks won't work (they are using the wiki sanitiser). If you do find one then let people know on the forums. If you are going to try some XSS please make the record private so you don't clog up the recent records list. - If Jedaz = 05:58, 31 October 2007 (BST) then pi = 2 + 1
I guess my main point in posting this was for those who are, as you say, ignorant. In my limited time observing the metagame I've seen several indications of people relying on IWitness as "proof" of PKers, GKers, and other antisocial behavior. So I wanted to let them know that they shouldn't do that, because these screenshots are forgeable. The article doesn't claim they're unforgeable, but it seems like a lot of people assume they are. --Sterling Bershadsky 17:19, 6 November 2007 (UTC)
About not being able to submit from your computer without tricks - it's due to the script checking that url href charecters 12 through 18 are "ead.com/map.c". However this check is client-side and user who knows tidbits about javascript can bypass it even without tweaking etc\hosts... In any case, Seb was worried about this stuff long ago, and in particular made suggestions like this from 8 Mar '07, with the data being digitaly signed from Kevan's side. I recall he also raised this question on Kevan's talk page, but i don't remember. Adding UD-server-side signing would, make also a huge security boost for iwitness, it's a proper decision, although people would need to turn off their plugins --~~~~ [talk] 09:28, 31 October 2007 (UTC)
Yes, I realized later that it would probably be easier to spoof the output of the Javascript rather than fiddling with network settings.
And after I spent time thinking about how to make an unforgeable IWitness I came to roughly the same conclusion, that you'd need some kind of signed validation key on the UD server side. --Sterling Bershadsky 17:05, 6 November 2007 (UTC)
Huh, I completely missed this discussion. The conclusions above are correct; Iwitness is "insecure" in the sense that there's no certification that what it shows actually happened in the game. The system I used simply makes that technically impossible. For one thing, I accept code that has been modified by extensions; this is a very useful feature in that it advertisies those extensions and maybe displays some extra information. It also makes the system much simpler, which is the real reason. But code modification essentially IS spoofing in this case. Any system that used digital signatures would not allow that.
The javascript check isn't really for security; I relaized very early on that it wouldn't prevent spoofs. What it does is act as a client-side block on accidental submissions, in case somebody triggers the bookmarklet while looking at something that is NOT an UrbanDead game page. It avoids accidental garbage (and maybe sensitive information, like say g-mail pages) getting sent by users to my server, and thus maybe save bandwidth on both sides. It obviously won't block INTENTIONALLY sent garbage, if the user wants to send it. Like most of Iwitness, its there as a convenience feature. SIM Core Map.png Swiers 20:40, 24 January 2008 (UTC)

Warning! Don't post any technical details that may spur someone into programming a better service here, as the Wiki Gods will smite you with lightning bolts from their cloud on high. -   HaliphaxTCS 14:35, 9 July 2009 (BST)

No but, the guy running it may get annoyed that you're publicly announcing methods of exploitation instead of doing the appropriate thing and coming to him. It's what is called "Announcing a cheat publicly to be abused is not the proper method of getting a game fixed." Or, rather, 'causing chaos means fuck off'. --Karekmaps?! 22:54, 10 July 2009 (BST)
There is nothing that he can do to fix it without Kevan issuing certificates to mod authors... which I just don't see happening. Its security loopholes are inherent to its nature. -   HaliphaxTCS 15:47, 14 July 2009 (BST)
Warning! You're presence is unwelcome on this page by the current page and project owner. Come back when you've actually got a concern for the best interest of iwitness instead of trying to substitute your crappy second rate substitute in it's place.--Karekmaps?! 01:51, 19 July 2009 (BST)
Whoa, whoa. Why all the flaming? I'm sure Haliphax meant no harm, and he's contributing to the community as well with his project. But next time, he should contact Swiers directly for this, instead of posting hacking information for everyone to see. -- Kittithaj 00:39, 26 July 2009 (BST)
Actually me, he should be contacting me directly since I now run it. I have no problem with trying to help the community, I have a problem with him trying to use iwit as an advertising tool mostly because that's just rude, ungrateful, and going around trying to disuade users away from it by spreading "exploits" in a manner that seemingly intentionally associates them with iwit is purely disingenuous. Basically his behavior makes it strain credulity to claim he's just trying to be helpful. --Karekmaps?! 01:25, 30 July 2009 (BST)

It's funny, when I was originally saying UDWit wasn't secure, I was talking about Private and Public records, where it's nigh-impossible to spy on someone in iWitness, in UDWit all you have to do is open up the records and look for your quarry's name in the URL. 'Course, now he's working on that. --Bob Boberton TF / DW Littlemudkipsig.gif 01:32, 30 July 2009 (BST)

Looks like I should have followed this page closer to better defend myself. My original post was of a benevolent nature, but was not taken as such (though previous posts in the same vein of discussion were viewed with impunity). Regardless, I'll stay out of "your" discussion page henceforth. -   HaliphaxTCS 22:34, 11 January 2010 (UTC)

  • I lied... one more thing: I created my (to remain nameless for fear of inciting a riot) screenshot service to work in tandem with IWitness. I created it during an IWitness outage, because I needed something else to take HTML screenshots with. I have never viewed the two applications as competing with one another, and I *especially* don't see why I would try to steal any IWitness users since I actually *lose* money when people use my server. -   HaliphaxTCS 22:35, 11 January 2010 (UTC)

July 3 - Alpha Launch

Iwitness is now officially in its Alpha version, and is fully usable. There's still a few new user-friendly features to add to this version, but those are minor upgrades. And just in time to celebrate Malton's birthday, too! . . . swiers BigEYEwitnessLOGO.png 17:33, 4 July 2007 (BST)

Some issues

I have some issues with Iwitness.

  • Ruins are showing up not like they do in-game (confused me few times)
  • <br> tags are deleted from the page source

--~~~~T''' 10:40, 28 August 2007 (BST)

bump--~~~~ [talk] 10:53, 22 September 2007 (BST)
I looked into the ruins thing, and don't know the reason. The main CSS for Iwitness records is a straight copy of the one the game uses, with a few minor tweaks (yellow links, local hosting of streets image) to prevent confusion. The other CSS are there for special cases (records with UDtool modifiations, etc) - I suspect its one of them causing the problem. The ruins are still quite readable, so its not a high priority to fix...
No idea what is causing the <br> issue- I assume its one of the code-mod features Max installed. I haven't ever looked at that stuff, and really don't have time. Sorry.
If you want to try and fix it, I could give you FTP access and you could go over the code...
SIM Core Map.png Swiers 17:48, 22 September 2007 (BST)

Where's the 2008 stuff?

Does anyone know what happened to all the 2008 iwitness stuff? The archive ends at December 31, 2007. -- Mordac the Refuser 23:41, 23 January 2008 (UTC)

It's been buggy, Swiers said on barhah.com that it should be working now.--Karekmaps?! 23:59, 23 January 2008 (UTC)
If you are looking at http://iwrecords.urbandead.info then its probably not showing up because of how the page sorts / displays records. Among other thing, you'd need to look at the bottom of a list of over 5000 records to find them! That page doesn't "scale" well...
The iwitness index page has a database driven display of public records that DOES show records from 2008 at the top (and only 50 or so records at a time, to speed page loads), but as noted the site is having some issues right now due to server upgrades. I got some help and fixed it once already, and will do so again within the next week, I expect. SIM Core Map.png Swiers 23:51, 23 January 2008 (UTC)

What the hell's going on?

Yes. You heard me. What the hell is going on? I enter iWitness and see a bunch of warnings, so I log off, only to not be able to log back in. What the hell? --•▬ ▬••▬ • •••• •▬ ▬•▬• ▬•▬ #nerftemplatedsigs 15:06, 24 January 2008 (UTC)

Its fucked up, obviously. If I knew what was wrong, I'd have fixed it already. My host made an upgrade to a new PHP version, and some of the code a co-author wrote wasn't compatible with the new version. I fixed most of that, but then new trouble sprang up related to database use, which drive the account system and searches for records.
The older core code that I wrote (which doesn't use a database) still functions, so you can still create and retrieve public and private records, although without any way to search for them, or call up an index, they are all essentially "private" for the time being. SIM Core Map.png Swiers 20:45, 24 January 2008 (UTC)
That doesn't explain why I can't seem to log in anymore... --•▬ ▬••▬ • •••• •▬ ▬•▬• ▬•▬ #nerftemplatedsigs 21:02, 24 January 2008 (UTC)
OK, here's what's up. Your account doesn't exist any more. The database it was held in is GONE, as are all my other databases. There's nothing to log onto- that's why you can't log in. You can still use Iwitness to make "screen shots" and to look at records (those are stored as files, not in the databases), but its up to you to keep a list of the records you make, because there is no way other to track them. SIM Core Map.png Swiers 03:19, 25 January 2008 (UTC)
We will be able to find our reports after you guys sort this whole mess out, right? Even the ones made during these troubled times? --Normal PhobicC 19:13, 15 February 2008 (UTC)
"reports" are stored, but the adjactive "our" is obsolete. there is nothing left of "ownership". public reports are in public directories, you can open them even now. private reports are in private directories and if you haven't saved the link - it will be much harder to restore. possible they could be restored later by ownership of the profile link of character that reported it, but i find that such process of claiming ownership of given reporter's profile id would be quite unsecure --~~~~ [talk] 21:34, 15 February 2008 (UTC)
Actually, I do have a rather fool proof method in mind that WILL allow you to find all of the reports (public and private) made by your character. All you'll have to do is make an account, and then edit the character's description to include a specific pass-phrase associated with that account, and update the account to let it know you did this. So yeah, assuming I make / get help with the (pretty major) effort to rebuild the database and account system, you will be able to reclaim "your" records. SIM Core Map.png Swiers 00:58, 16 February 2008 (UTC)
When will you restore the serch through the public reports? it doesn't depend from the DB --~~~~ [talk] 08:15, 22 February 2008 (UTC)

Greasemonkey

Hi Swiers, I got bored having to exit out of my Extinction frameset browser to get an iWitness so I just ran up a quick Greasemonkey script and it seems to work ok. It just adds a button under the actions in the "gp" td but it does throw some junk in the iWitness shot ... specifically your js href. I don't spose a lot of people will use this but if you have any spare time (HA! I know) and it's simple enough would it be possible to filter it out? Or even better are there any html tags I can add to the script to get iWitness to ignore your bookmarklet code?

I don't know if you use Greasemonkey but if you or anyone else would like to test it here's the Greasemonkey FireFox extension and my script. Install Greasemonkey first then click the script link and it should install. The plain text version is here. --Zeug 16:50, 29 February 2008 (UTC)

I see no reason you couldn't just code your extension to submit the same variables and values that the bookmarklet does, only based on the frame code, not the document code. Or you could re-code the bookmarklets to submit the relevant frames innerHTML. There's nothing magikal about the method my bookmarklet uses, it was just the simplest way I could think of at the time to do the job. Either of these options would be easier than trying to get the server to filter out something. And no, off the top of my head, I can't think of a way to "comment out" someting so that Iwitness removes it, but that would be a great idea if I ever do an update. That way extension designers could comment out things like code-heavy map inserts, rather than forcing me to recognize and remove them. SIM Core Map.png Swiers 18:29, 29 February 2008 (UTC)
"based on the frame code" ... ummm ... errrm ... yes but that's the problem with calling it from a different page/domain innit? JS security will stop my frames from submitting the urbanded.com page. I tried editing the bookmarklet a while ago to target the frameset but never got anywhere. No matter though, I'll go with the line of junk in iWitness as is until I can find a workaround. --Zeug 17:18, 1 March 2008 (UTC)
When I originally concieved Iwitness, it was actually going to be a framed webpage the opened UD's game page in one frame. Then I found out about JS's cross-site security, and realised that wouldn't work. That's why Iwintess has to get the user to launch a bookmarklet (or extension) to make submissions; its the only way to manipulate information from an external site. Anyhow, it sounds like what you want isn't to hard; Theres simply one object (document.body.innerHTML) that needs to be replaced with another (an object that refers to the body.innerHTML of the frame in question). If you give me a link to the site in question, it should be a simple mater to use firebug to dig out the DOM info needed and modify the bookmarklet for yah. I need the practice anyhow. SIM Core Map.png Swiers 20:49, 1 March 2008 (UTC)

Zero AP

I just tried to get a report of my last action before running out of AP - from the "You have run out of Action Points.

Action Points are restored at the rate of one every half hour - check back later in the day, or tomorrow, to continue." screen - received an error message telling me that Iwitness doesn't take that sort of report. Thought you might like to know. Sanpedro 04:42, 28 May 2008 (BST)

Yep. Its not a bug. If you look at any Iwitness report, you'll note that the name is based off the time and place where it occurred. When it can't find that info, it won't accept the report. There's a few other cases where it does the same thing, for similar reasons. Sorry if it caused you any trouble, but its not a feature I plan to ever change. SIM Core Map.png Swiers 05:46, 28 May 2008 (BST)
No real trouble - just wanted to check in that you were aware. Sanpedro 02:35, 29 May 2008 (BST)


Downtime again

iWitness has been down now for a few days, again. You aware of this, Swiers? I miss my nice 'n' easy inventory reporting screen captures. :c --Bob Boberton TF / DW 11:05, 2 June 2009 (BST)

Might I offer an alternative screenshot service? UDWitness   HaliphaxTCS 22:20, 16 June 2009 (BST)
Thanks, but there are plenty of alternatives... including good ol' Imageshack/Photobucket. Also that site isn't exactly secure. --Bob Boberton TF / DW 00:49, 17 June 2009 (BST)
iWitness isn't exactly secure. Image-based screenshots can be forged the same as HTML-based screenshots. Do you mean that there are no Private records, or user accounts? -   HaliphaxTCS 21:23, 23 June 2009 (BST)
You can't forge iWitness, or at least, you can't forge it and upload it on the iWitness web site. Attempting to use iWitness to record Urban Dead screens, real or fake, from other sites than www.urbandead.com (e.g. like this page uploaded onto GeoCities) will fail.
And by "secure", I think he's talking about the fact that all action buttons on UDWitness are still usable. If you look at pages generated by iWitness, you'll see that all action done by form action="..." and all personal buttons (Buy skills, Contacts, Settings, Log out) link were replaced by http://iwitness.urbandead.info/noact.php. Attempting to click on those buttons will provide interesting result. I don't know if by clicking buttons on UDWitness, you can manipulate other character's actions and settings. It's probably not possible (with the game's security and all), but seeing in the html code that no one can mess with your character(s) is quite reassuring. -- Kittithaj 23:08, 24 June 2009 (BST)
Please, check your facts before making claims. All form elements in UDWitness screenshots point to local URLs (i.e., "map.cgi" instead of "http://www.urbandead.com/map.cgi") and have had event.preventDefault(); added to them. Even if someone had their Javascript turned off, clicking the buttons would do absolutely nothing (except bring up a 404 error, since I don't have a map.cgi on my server). As for REFERRING_URL, it can be forged. It is, after all, sent by the browser, and not the server. Also, you would have to be currently logged into Urban Dead in order for clicking anything on a screenshot to work (assuming the form actions pointed to www.urbandead.com), and even then, Kevan's scripts will probably throw out your request since it's not coming from a UD page (instead, it's coming from udwitness). Regarding not being able to forge iWitness screenshots and upload them--yes, you can. In fact, it's quite easy. Information on how to forge Iwitness removed Until Kevan institutes some sort of certificate mechanism to pass authorization from his site to another (i.e., IWitness or UDWitness), they will not be secure. Period. -   HaliphaxTCS 16:27, 8 July 2009 (BST)

Accounts

As of July 03, 2009 accounts have been reactivated. --Karekmaps?! 02:27, 4 July 2009 (BST)

Anniversary of the Alpha Launch! :D -   HaliphaxTCS 16:28, 8 July 2009 (BST)
And they're down again. --ϑϑ 10:56, 27 July 2009 (BST)
Erm, yeah, there's some issues with a script running out of control that need to be sorted. Working on it, it's only taken so long because I had to sort out internet issues first. --Karekmaps?! 01:22, 30 July 2009 (BST)

Ownership

Just wondering if this is a community page, or is a 'claimed' owned page? Save making drama. -- To know the face of God is to know madness....Praise knowledge! Mischief! Mayhem! The Rogues Gallery!. <== DDR Approved Editor 15:05, 17 September 2009 (BST)

HELP!

I cannot take an iWitness. I'm using IE (unfortunately) and I have bookmarked the Public and Private things. I go to my UD and attempt to take an iWitness...and nothing happens. I can haz why? Cookies and Cream 13:57, 27 October 2009 (UTC)

The feature is definitely working, so it must be a problem with either IE (I'm on FF) or your hardware. I'm guessing the latter. Try the usual cookie clearance, turn machine off and on again stuff. -- To know the face of God is to know madness....Praise knowledge! Mischief! Mayhem! The Rogues Gallery!. <== DDR Approved Editor 14:01, 27 October 2009 (UTC)

iWItness not working? (2010)

All right, in 2010 so far, I haven't been able to take screenshots, or view them. I don't seem to have a problem with using UDwit, so what's going on? o.0

All screenshots exist in the system, they are being recorded. There was a short issue for a portion of January in which the server folder had reached a point where it had become unwriteable due to sheer size of hard records created over the last 3 or so years. This has long since been fixed. Old records from before a specific date(February 2nd, 2010) have been moved to a separate folder and a database call method is being implemented to remove any navigation issues one might have due to the index split. Expect this in the next week or so. --Karekmaps?! 12:12, 27 February 2010 (UTC)
You can find them all at http://urbandead.info/iwrecords2/ however this is a very temporary arrangement. Put everything normally after http://iwitness.urbandead.info in there and it should work. Currently running a slow due to index size(the index is 1.42 mbs and has an ungodly amount of folders). --Karekmaps?! 13:22, 28 February 2010 (UTC)
Ungodly being at least two for pretty much every hour of every day from May 2007 until now. --Karekmaps?! 13:26, 28 February 2010 (UTC)

Hello Karek! A plea (please please please ...) on behalf of MCM, whose lecture archive is almost entirely recorded on Iwitness. Our new students have no access to the archive at present, which makes us very sad. Any word yet as to when the old Iwits might be available? --Sherry talk MCM 13:45, 27 March 2010 (UTC)

A rapid and extremely helpful reply from Iscariot on my talk page. Anyone with old Iwits they are looking to reclaim should take a look. Thanks Iscariot! --Sherry talk MCM 15:56, 27 March 2010 (UTC)

Iwitness/LocationblockIW

Moved to namespace, as per Kareks request. --RosslessnessWant a Location Image? 12:46, 28 February 2010 (UTC)