Talk:Iwitness

From The Urban Dead Wiki
Revision as of 22:35, 16 June 2008 by Asoka Wu (talk | contribs) (→‎Site Down?)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to navigationJump to search

Site Down?

As of June 16, 2008, the whole iwitness site is down. Is this permanent? - Asoka Wu

Never mind, it seems to have righted itself. :) - Asoka Wu

Security

It should be mentioned that Iwitness screenshots can be faked by a user with moderate computer skill. For example, here's a screenshot of me standing outside the Taj Mahal: http://iwrecords.urbandead.info/10-31-07_0500hrs_PUBLIC/OUT_26-66_The_Taj_Mahal_1fe-2a3-846.html

I haven't fully investigated the limits of the program. I found that if I simply saved an urbandead.com map page to my hard drive, IWitness would refuse to make a record based on it. I was able to bypass this by mapping "www.urbandead.com" to "127.0.0.1" in my network hosts file (C:\WINDOWS\system32\drivers\etc\hosts in Windows) and then placing the map page in a web server running on my local machine. An online tool for Iwitness forgery could easily be created using the same mechanism.

So it is an excellent tool for quick information sharing, but is not a substitute for personal trust in matters like proving that another user is a PKer. --Sterling Bershadsky 05:25, 31 October 2007 (UTC)

The thing about IWitness is that it is as reliable as a screen shot, but easier to use. I don't belive that at any point anyone said that a screenshot with IWitness couldn't be faked. You'ld have to be ignorant to think that any tool could ensure that all content is 100% real. As for actual security, I'm sure that you'll find that all known XSS attacks won't work (they are using the wiki sanitiser). If you do find one then let people know on the forums. If you are going to try some XSS please make the record private so you don't clog up the recent records list. - If Jedaz = 05:58, 31 October 2007 (BST) then pi = 2 + 1
I guess my main point in posting this was for those who are, as you say, ignorant. In my limited time observing the metagame I've seen several indications of people relying on IWitness as "proof" of PKers, GKers, and other antisocial behavior. So I wanted to let them know that they shouldn't do that, because these screenshots are forgeable. The article doesn't claim they're unforgeable, but it seems like a lot of people assume they are. --Sterling Bershadsky 17:19, 6 November 2007 (UTC)
About not being able to submit from your computer without tricks - it's due to the script checking that url href charecters 12 through 18 are "ead.com/map.c". However this check is client-side and user who knows tidbits about javascript can bypass it even without tweaking etc\hosts... In any case, Seb was worried about this stuff long ago, and in particular made suggestions like this from 8 Mar '07, with the data being digitaly signed from Kevan's side. I recall he also raised this question on Kevan's talk page, but i don't remember. Adding UD-server-side signing would, make also a huge security boost for iwitness, it's a proper decision, although people would need to turn off their plugins --~~~~ [talk] 09:28, 31 October 2007 (UTC)
Yes, I realized later that it would probably be easier to spoof the output of the Javascript rather than fiddling with network settings.
And after I spent time thinking about how to make an unforgeable IWitness I came to roughly the same conclusion, that you'd need some kind of signed validation key on the UD server side. --Sterling Bershadsky 17:05, 6 November 2007 (UTC)
Huh, I completely missed this discussion. The conclusions above are correct; Iwitness is "insecure" in the sense that there's no certification that what it shows actually happened in the game. The system I used simply makes that technically impossible. For one thing, I accept code that has been modified by extensions; this is a very useful feature in that it advertisies those extensions and maybe displays some extra information. It also makes the system much simpler, which is the real reason. But code modification essentially IS spoofing in this case. Any system that used digital signatures would not allow that.
The javascript check isn't really for security; I relaized very early on that it wouldn't prevent spoofs. What it does is act as a client-side block on accidental submissions, in case somebody triggers the bookmarklet while looking at something that is NOT an UrbanDead game page. It avoids accidental garbage (and maybe sensitive information, like say g-mail pages) getting sent by users to my server, and thus maybe save bandwidth on both sides. It obviously won't block INTENTIONALLY sent garbage, if the user wants to send it. Like most of Iwitness, its there as a convenience feature. SIM Core Map.png Swiers 20:40, 24 January 2008 (UTC)

July 3 - Alpha Launch

Iwitness is now officially in its Alpha version, and is fully usable. There's still a few new user-friendly features to add to this version, but those are minor upgrades. And just in time to celebrate Malton's birthday, too! . . . swiers BigEYEwitnessLOGO.png 17:33, 4 July 2007 (BST)

Some issues

I have some issues with Iwitness.

  • Ruins are showing up not like they do in-game (confused me few times)
  • <br> tags are deleted from the page source

--~~~~T''' 10:40, 28 August 2007 (BST)

bump--~~~~ [talk] 10:53, 22 September 2007 (BST)
I looked into the ruins thing, and don't know the reason. The main CSS for Iwitness records is a straight copy of the one the game uses, with a few minor tweaks (yellow links, local hosting of streets image) to prevent confusion. The other CSS are there for special cases (records with UDtool modifiations, etc) - I suspect its one of them causing the problem. The ruins are still quite readable, so its not a high priority to fix...
No idea what is causing the <br> issue- I assume its one of the code-mod features Max installed. I haven't ever looked at that stuff, and really don't have time. Sorry.
If you want to try and fix it, I could give you FTP access and you could go over the code...
SIM Core Map.png Swiers 17:48, 22 September 2007 (BST)

Where's the 2008 stuff?

Does anyone know what happened to all the 2008 iwitness stuff? The archive ends at December 31, 2007. -- Mordac the Refuser 23:41, 23 January 2008 (UTC)

It's been buggy, Swiers said on barhah.com that it should be working now.--Karekmaps?! 23:59, 23 January 2008 (UTC)
If you are looking at http://iwrecords.urbandead.info then its probably not showing up because of how the page sorts / displays records. Among other thing, you'd need to look at the bottom of a list of over 5000 records to find them! That page doesn't "scale" well...
The iwitness index page has a database driven display of public records that DOES show records from 2008 at the top (and only 50 or so records at a time, to speed page loads), but as noted the site is having some issues right now due to server upgrades. I got some help and fixed it once already, and will do so again within the next week, I expect. SIM Core Map.png Swiers 23:51, 23 January 2008 (UTC)

What the hell's going on?

Yes. You heard me. What the hell is going on? I enter iWitness and see a bunch of warnings, so I log off, only to not be able to log back in. What the hell? --•▬ ▬••▬ • •••• •▬ ▬•▬• ▬•▬ #nerftemplatedsigs 15:06, 24 January 2008 (UTC)

Its fucked up, obviously. If I knew what was wrong, I'd have fixed it already. My host made an upgrade to a new PHP version, and some of the code a co-author wrote wasn't compatible with the new version. I fixed most of that, but then new trouble sprang up related to database use, which drive the account system and searches for records.
The older core code that I wrote (which doesn't use a database) still functions, so you can still create and retrieve public and private records, although without any way to search for them, or call up an index, they are all essentially "private" for the time being. SIM Core Map.png Swiers 20:45, 24 January 2008 (UTC)
That doesn't explain why I can't seem to log in anymore... --•▬ ▬••▬ • •••• •▬ ▬•▬• ▬•▬ #nerftemplatedsigs 21:02, 24 January 2008 (UTC)
OK, here's what's up. Your account doesn't exist any more. The database it was held in is GONE, as are all my other databases. There's nothing to log onto- that's why you can't log in. You can still use Iwitness to make "screen shots" and to look at records (those are stored as files, not in the databases), but its up to you to keep a list of the records you make, because there is no way other to track them. SIM Core Map.png Swiers 03:19, 25 January 2008 (UTC)
We will be able to find our reports after you guys sort this whole mess out, right? Even the ones made during these troubled times? --Normal PhobicC 19:13, 15 February 2008 (UTC)
"reports" are stored, but the adjactive "our" is obsolete. there is nothing left of "ownership". public reports are in public directories, you can open them even now. private reports are in private directories and if you haven't saved the link - it will be much harder to restore. possible they could be restored later by ownership of the profile link of character that reported it, but i find that such process of claiming ownership of given reporter's profile id would be quite unsecure --~~~~ [talk] 21:34, 15 February 2008 (UTC)
Actually, I do have a rather fool proof method in mind that WILL allow you to find all of the reports (public and private) made by your character. All you'll have to do is make an account, and then edit the character's description to include a specific pass-phrase associated with that account, and update the account to let it know you did this. So yeah, assuming I make / get help with the (pretty major) effort to rebuild the database and account system, you will be able to reclaim "your" records. SIM Core Map.png Swiers 00:58, 16 February 2008 (UTC)
When will you restore the serch through the public reports? it doesn't depend from the DB --~~~~ [talk] 08:15, 22 February 2008 (UTC)

Greasemonkey

Hi Swiers, I got bored having to exit out of my Extinction frameset browser to get an iWitness so I just ran up a quick Greasemonkey script and it seems to work ok. It just adds a button under the actions in the "gp" td but it does throw some junk in the iWitness shot ... specifically your js href. I don't spose a lot of people will use this but if you have any spare time (HA! I know) and it's simple enough would it be possible to filter it out? Or even better are there any html tags I can add to the script to get iWitness to ignore your bookmarklet code?

I don't know if you use Greasemonkey but if you or anyone else would like to test it here's the Greasemonkey FireFox extension and my script. Install Greasemonkey first then click the script link and it should install. The plain text version is here. --Zeug 16:50, 29 February 2008 (UTC)

I see no reason you couldn't just code your extension to submit the same variables and values that the bookmarklet does, only based on the frame code, not the document code. Or you could re-code the bookmarklets to submit the relevant frames innerHTML. There's nothing magikal about the method my bookmarklet uses, it was just the simplest way I could think of at the time to do the job. Either of these options would be easier than trying to get the server to filter out something. And no, off the top of my head, I can't think of a way to "comment out" someting so that Iwitness removes it, but that would be a great idea if I ever do an update. That way extension designers could comment out things like code-heavy map inserts, rather than forcing me to recognize and remove them. SIM Core Map.png Swiers 18:29, 29 February 2008 (UTC)
"based on the frame code" ... ummm ... errrm ... yes but that's the problem with calling it from a different page/domain innit? JS security will stop my frames from submitting the urbanded.com page. I tried editing the bookmarklet a while ago to target the frameset but never got anywhere. No matter though, I'll go with the line of junk in iWitness as is until I can find a workaround. --Zeug 17:18, 1 March 2008 (UTC)
When I originally concieved Iwitness, it was actually going to be a framed webpage the opened UD's game page in one frame. Then I found out about JS's cross-site security, and realised that wouldn't work. That's why Iwintess has to get the user to launch a bookmarklet (or extension) to make submissions; its the only way to manipulate information from an external site. Anyhow, it sounds like what you want isn't to hard; Theres simply one object (document.body.innerHTML) that needs to be replaced with another (an object that refers to the body.innerHTML of the frame in question). If you give me a link to the site in question, it should be a simple mater to use firebug to dig out the DOM info needed and modify the bookmarklet for yah. I need the practice anyhow. SIM Core Map.png Swiers 20:49, 1 March 2008 (UTC)

Zero AP

I just tried to get a report of my last action before running out of AP - from the "You have run out of Action Points.

Action Points are restored at the rate of one every half hour - check back later in the day, or tomorrow, to continue." screen - received an error message telling me that Iwitness doesn't take that sort of report. Thought you might like to know. Sanpedro 04:42, 28 May 2008 (BST)

Yep. Its not a bug. If you look at any Iwitness report, you'll note that the name is based off the time and place where it occurred. When it can't find that info, it won't accept the report. There's a few other cases where it does the same thing, for similar reasons. Sorry if it caused you any trouble, but its not a feature I plan to ever change. SIM Core Map.png Swiers 05:46, 28 May 2008 (BST)
No real trouble - just wanted to check in that you were aware. Sanpedro 02:35, 29 May 2008 (BST)