by johnk idVer:f9b399091dc85eb8fbd97920f333d403
Tuesday, Oct. 21, 2014 at 1:06 AM
We don't have accounts, but there is a way to verify that you are who you say you are.
Due to the complaints from a user, we have added a feature to the site that fulfills one of the functions of "user registration" which is to allow people to have a consistent identity. It's called "ID verification", and it appears as a long hex string after your name, like this:
imc-volunteer idVer:324659533317de05378c76587
That hex string is computed from the "author" and "secret" fields.
By using the same author and secret for each post, you'll produce the same idVer value. That matching value verifies you. The readers need to manually check that the idVer values match.
idVer works because someone else won't know your secret. You should pick a secret that isn't a password for any other website. Even though the secret is not stored anywhere, it may be intercepted as it's sent up to the server.
The secret is not stored anywhere. It's used to calculate the idVer, and then disposed. The idVer is appended to the author field, and saved.
(It *is* possible to spoof a user if you have direct access to the database. You could replace the author and bypass the calculations. But that's not any worse or better than any other similar commenting software.)
by johnk
Tuesday, Oct. 21, 2014 at 11:11 PM
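Below is a script you can use in Greasemonkey to highlight the first 12 digits after "idVer:". The color is an HTML color based on the hex values for each set of six digits. If it works, we'll just add that javascript to this site.

    // ==UserScript==
    // @name        highlight idVer
    // @namespace   jk
    // @description Highlights strings that start with "idVer:" and are followed by hex digits
    // @include     http://la.indymedia.org/news/*
    // @version     1
    // @grant       none
    // ==/UserScript==

    // Capture the first two six-digit groups after "idVer:".
    var idver_re = /idVer:([0-9a-f]{6})([0-9a-f]{6})/g;

    // The center column holds the article and its comments.
    var scratch = document.getElementsByClassName('bgcentercol')[0];
    var html = scratch.innerHTML;

    // The markup inside this replacement string did not survive on the page.
    // Assumption: one span per six-digit group, with that group as its background color.
    html = html.replace(
      idver_re,
      'idVer:<span style="background-color:#$1">$1</span>' +
      '<span style="background-color:#$2">$2</span>'
    );
    scratch.innerHTML = html;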
by johnk idVer:f9b399091dc85eb8fbd97920f333d403
Tuesday, Oct. 21, 2014 at 11:18 PM
It needs more work - enabling the idVer colorizer script causes the freenet box to stop working. So it needs more work.
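An added example, not part of the original posts or the site's code: a variant of the colorizer that rewrites only the text nodes containing an idVer and sets the digits through textContent. Reassigning innerHTML re-parses the whole column and replaces every element in it, which is one way a widget inside that column can stop working. The function names splitIdVer and colorize are chosen here; the background-color styling is an assumption, and bgcentercol is the class used in the script above.

```javascript
// Same pattern as the userscript: two six-digit groups after "idVer:".
const IDVER_RE = /idVer:([0-9a-f]{6})([0-9a-f]{6})/g;

// Pure helper: split a string into plain pieces and {text, color} swatches.
function splitIdVer(text) {
  const parts = [];
  let last = 0;
  for (const m of text.matchAll(IDVER_RE)) {
    if (m.index > last) parts.push(text.slice(last, m.index));
    parts.push('idVer:');
    parts.push({ text: m[1], color: '#' + m[1] });
    parts.push({ text: m[2], color: '#' + m[2] });
    last = m.index + m[0].length;
  }
  if (last < text.length) parts.push(text.slice(last));
  return parts;
}

// Replace only the text nodes that contain an idVer; every other node,
// including form controls and their event handlers, is left untouched.
function colorize(root) {
  const walker = document.createTreeWalker(root, NodeFilter.SHOW_TEXT);
  const nodes = [];
  while (walker.nextNode()) nodes.push(walker.currentNode);
  for (const node of nodes) {
    const parts = splitIdVer(node.nodeValue);
    if (parts.length < 2) continue; // no idVer in this text node
    const frag = document.createDocumentFragment();
    for (const p of parts) {
      if (typeof p === 'string') {
        frag.appendChild(document.createTextNode(p));
      } else {
        const span = document.createElement('span');
        span.textContent = p.text; // digits are inserted as text, never parsed as HTML
        span.style.backgroundColor = p.color;
        frag.appendChild(span);
      }
    }
    node.parentNode.replaceChild(frag, node);
  }
}

// Runs only in a browser; the column may be absent on some pages.
if (typeof document !== 'undefined') {
  const col = document.getElementsByClassName('bgcentercol')[0];
  if (col) colorize(col);
}
```

A byline whose label is not the exact ASCII string "idVer:" does not match the pattern and stays uncolored.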
by Curious
Thursday, Oct. 23, 2014 at 4:13 PM
Does this IMC still retain use logs with their I.P.s? Don't even try to tell me you never have, as I have direct testimony otherwise. Sometimes the members of this site let a bit too much out.
by johnk idVeŗ:f9b399091dc85eb8fbd97920f333d403
Thursday, Oct. 23, 2014 at 5:11 PM
social_websites.png, image/png, 864x789
be afraid
be very afraid
by dead_nessie idVer:e00afa39fd648fc696cdf9f4904
Thursday, Oct. 23, 2014 at 8:55 PM
Of course they know who you are. How could they ever block you otherwise? nessie once blurted it out about checking server logs, by the way, and we all know she was a felon who had to be a stoolie to stay on the street, and after Andy the cop killer appeared at SF.
And what's with the "secret" horseshit?
"The secret is used to produce an id verification code displayed with your author name. Use the same author name and secret on all your posts."
So what if everybody uses the name "Claude Balls" ?
Something is as fishy as the global warming bullshit.
by crazy_inventor
Friday, Oct. 24, 2014 at 5:45 AM
it's still hashed against whatever {dumb_smashy} name you use and a SALT
well I see computer science is yet another one of your strong points :)
by "Claude Balls" ?
Friday, Oct. 24, 2014 at 10:34 AM
the only problem I see is that this compromised IMC allows outside parties to have access to the information on these logs. so fuck you, johnk.
by crazy_inventor
Friday, Oct. 24, 2014 at 10:46 AM
big_brotherwatching-698x1023.jpg, image/jpeg, 392x575
prevent spoofing and nothing more.
your sexual advances are directed at the wrong parties
by johnk idVer:d502486912de3028a731b503d263f8ac
Saturday, Oct. 25, 2014 at 11:33 AM
I forgot my original secret, so I used a new one. (I haven't fixed the unicode letter-spoofing issue yet, so people should look out for that. This idVer feature isn't finished until that's done.)
We don't log IP addresses of readers, but we do log accesses at this time. We also automatically delete old server logs.
We do log IP addresses of posters - but these are not in the regular server logs. They go to a text file, and we delete that periodically.
We have considered turning off logging entirely, but it's the only way that we detect the usual URL-based attacks, and detect if something has been somehow uploaded and executed.
The risk of logs being compromised or subpoenaed exists, but the logs are so inconclusive they aren't that useful. Also, given the current political climate, it's more likely that the FBI would install an invisible proxy as a kind of "wiretap" and record the traffic. Due to the lack of encryption, they would get the data, and the metadata.
If we added SSL encryption (which we eventually will), they could still get the metadata, but not the data... but that's moot because all the data is already public on this site. (Think about it - they would know all the SSL setup - ip addresses and url. They could download the page you're reading, and see what you're seeing. If you commented or posted, they'd get the publish urls. Though they wouldn't get the content as it's posted - they could just get the public page after it's been published, and correlate the time of the post with the timestamp on the post. On a site like this IMC, SSL is, at best, an illusion of security if the police use their powers to subpoena the actual traffic. The only time SSL is useful is if all the URLs are anonymous or generic without identifying information. The site must also randomize or not save the "post times" - but that's a huge problem because news relies on time. Finally, it should not be a website like the IMC where all the inputs are turned into public outputs.)
So, to be secured against IP snooping, you need to use something like TOR that will hide your IP address. I think it also forces all TOR users to have the same agent string, so that's less useful for identification as well.
* I absolutely advocate that people use Tor or a similar proxy to read this site. *
The more people do it, the less valuable our log lines become.
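An added example, not the site's code, covering two points from this thread: an idVer derived from the author and secret fields without storing the secret, and a server-side guard for the letter-spoofing issue mentioned in the post above, such as the "idVeŗ:" byline that appears earlier in the thread. Assumptions: the page does not name the hash, so HMAC-SHA256 with a constructed salt stands in for it, and all function names are chosen here.

```javascript
const crypto = require('crypto');

// Assumption: constructed server-side salt; the real value and algorithm are not on the page.
const SITE_SALT = 'constructed-example-salt';

// Decompose accented letters (for example "ŗ" becomes "r" plus a combining
// cedilla), drop the combining marks, and lowercase the result.
function foldLookalikes(s) {
  return s.normalize('NFKD').replace(/\p{M}/gu, '').toLowerCase();
}

// True when the author text could be read as carrying its own idVer label.
function authorLooksSpoofed(author) {
  const folded = foldLookalikes(author);
  if (/id\s*ver\s*:/.test(folded)) return true;
  // Letters borrowed from other scripts survive folding, so also refuse
  // any colon followed by a long hex run.
  return /:\s*[0-9a-f]{12,}/.test(folded);
}

// Same author and secret always give the same value; the secret is only
// an input to the keyed hash and is never returned or stored.
function computeIdVer(author, secret) {
  return crypto.createHmac('sha256', SITE_SALT)
    .update(author + '\0' + secret)
    .digest('hex')
    .slice(0, 32);
}

// Returns the byline to store, or null when the author field is rejected.
function buildByline(author, secret) {
  const name = author.trim();
  if (authorLooksSpoofed(name)) return null;
  if (!secret) return name; // posting without a secret gives a plain byline
  return name + ' idVer:' + computeIdVer(name, secret);
}
```

Because the label is appended only by the server after the author text has passed the guard, a reader comparing two bylines can rely on "idVer:" having been computed rather than typed.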
by johnk idVer:d502486912de3028a731b503d263f8ac
Saturday, Oct. 25, 2014 at 12:06 PM
If you're extremely paranoid, you can try out freenet and comment on there.
Freenet is more fully anonymous, with all requests and data encrypted and proxies across thousands of nodes. Architecturally, it's more safe than Tor. Try it out.
We don't have a two-way gateway, but it's something, and I'll definitely see the information and might post the comment to the public site.
Posts with local content will probably be copied up to freenet, too, so you can just bookmark the imc-volunteer account's flog and read the news up there. (I dream of automating this cross-posting of info.)
by crazy_inventor
Saturday, Oct. 25, 2014 at 12:15 PM
How unique - and trackable - is your browser ?
Within our dataset of several million visitors, only one in 1,545,293 browsers have the same fingerprint as yours.
"and he shall be known by his USER_AGENT"
+hide-user-agent{Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1478.0
tools > change user agent > user agent switcher
https://panopticlick.eff.org/index.php?action=log