I've been thinking.
There is a fatal flaw with tripcodes: Your average tripcode contains about 60 bits of data, which is definitely enough to uniquely identify you. However, the human brain cannot usually remember 60 bits of data encoded as letters and numbers without a bit of effort. Thus you have another possibility of attack on tripcodes: there is no need to find an exact copy of a tripcode, you only need to find one that looks sort of like the real one to fool people who are not paying attention.
Granted, this is not a big problem on message boards, where you can always post and point out that the forged tripcode is wrong, but it can be annoying. Shii would no doubt say that it's a good reason not to bother with tripcodes, too. But tripcodes are used elsewhere too, for instance on the Share network. And recently, people have started spreading fake versions of the Share executable by using tripcodes that look like the official developer's. This is a much bigger problem.
Now, I like the tripcode method of anonymous identification, but this is a serious limitation of it. Adding more characters to the tripcode won't help much either, because it's already too long to properly remember. So the question is, can the situation be improved? Is there a way to encode ~60 bits of information in such a fashion that it is easily remembered, and clearly identifiable?
Things with meanings are more easily remembered than meaningless things (such as the current tripcodes). I've been considering many things, like use of colours, shapes and pictures, but I have no solid ideas. Anyone else?
> So the question is, can the situation be improved?
Tripcodes can be collected on other media than the posts on a BBS itself:
http://wakaba.c3.cx/soc/kareha.pl/1102539423
http://nub.wakachan.net/b/res/2528.html
Having somewhere to look them up is good, but the problem is that you can't be bothered to do that all the time. For instance, I'd have been stung by the fake Share tripcodes if I hadn't been tipped off by some other search results for the same search. Having the tripcode in a form you can instantly memorize would be handier. And memorizing 60 bits of data can definitely be easier - the current format of the data is particularly hostile to memorization.
> the current format of the data is particularly hostile to memorization.
If you have the time and the scripts, you can always make yourself a tripcode that is more memorable than your average "let's just type in a password that I will memorize without having to write it down somewhere".
Also, concerning your Share issue: That's exactly what the ID search field is for.
how about storing trusted tripcodes in cookies? you would add one by clicking on it, thus changing its color or whatever.
That's more or less the principle of the world2ch capcodes, although those had to get registered with the admin of the site / network.
how about something similar to how SILLY_ANONYMOUS works?
Silly tripcodes would have to be really long to avoid losing too much data, which brings the whole thing back to the beginning. I think if you want really memorable tripcodes, you'd have to allow registering them.
Average English text has an information density of 2-3 bits per character, so 60 bits would theoretically need 20-30 characters of text. A bit too much, I suppose, and writing the generator would be quite a challenge.
What I was thinking was if one could manage to encode the trip in pictorial form somehow. I am just not quite clear on what would be a good strategy for this.
sub process_tripcode($;$$)
{
    my ($name,$tripkey,$secret)=@_;
    $tripkey="!" unless($tripkey);

    # Grammar for cfg_expand(): a given name (%G%) followed by a generated surname (%W%).
    my %grammar=(
        W => ["%B%%V%%M%%I%%V%%F%","%B%%V%%M%%E%","%O%%E%","%B%%V%%M%%I%%V%%F%","%B%%V%%M%%E%","%O%%E%","%B%%V%%M%%I%%V%%F%","%B%%V%%M%%E%"],
        B => ["B","B","C","D","D","F","F","G","G","H","H","M","N","P","P","S","S","W","Ch","Br","Cr","Dr","Bl","Cl","S"],
        I => ["b","d","f","h","k","l","m","n","p","s","t","w","ch","st"],
        V => ["a","e","i","o","u"],
        M => ["ving","zzle","ndle","ddle","ller","rring","tting","nning","ssle","mmer","bber","bble","nger","nner","sh","ffing","nder","pper","mmle","lly","bling","nkin","dge","ckle","ggle","mble","ckle","rry"],
        F => ["t","ck","tch","d","g","n","t","t","ck","tch","dge","re","rk","dge","re","ne","dging"],
        O => ["Small","Snod","Bard","Billing","Black","Shake","Tilling","Good","Worthing","Blythe","Green","Duck","Pitt","Grand","Brook","Blather","Bun","Buzz","Clay","Fan","Dart","Grim","Honey","Light","Murd","Nickle","Pick","Pock","Trot","Toot","Turvey"],
        E => ["shaw","man","stone","son","ham","gold","banks","foot","worth","way","hall","dock","ford","well","bury","stock","field","lock","dale","water","hood","ridge","ville","spear","forth","will"],
        G => ["Albert","Alice","Angus","Archie","Augustus","Barnaby","Basil","Beatrice","Betsy","Caroline","Cedric","Charles","Charlotte","Clara","Cornelius","Cyril","David","Doris","Ebenezer","Edward","Edwin","Eliza","Emma","Ernest","Esther","Eugene","Fanny","Frederick","George","Graham","Hamilton","Hannah","Hedda","Henry","Hugh","Ian","Isabella","Jack","James","Jarvis","Jenny","John","Lillian","Lydia","Martha","Martin","Matilda","Molly","Nathaniel","Nell","Nicholas","Nigel","Oliver","Phineas","Phoebe","Phyllis","Polly","Priscilla","Rebecca","Reuben","Samuel","Sidney","Simon","Sophie","Thomas","Walter","Wesley","William"],
    );

    if($name=~/^(.*?)(#|\Q$tripkey\E)(.*)$/)
    {
        my ($namepart,$marker,$trippart)=($1,$2,$3);
        my $trip="";

        $namepart=clean_string($namepart);

        # Secure tripcode: the text after a further marker in the trip part, combined with the board secret.
        if($secret and $trippart=~s/(?:\Q$marker\E)+(.*)$//)
        {
            # Seed Perl's PRNG with a 32-bit value derived from the password and secret via rc4().
            srand unpack "N",rc4(null_string(4),"s".clean_string($1).$secret);
            $trip=$tripkey.$tripkey.cfg_expand("%G% %W%",%grammar);
            return ($namepart,$trip) unless ($trippart);
        }

        # Regular tripcode: seeded from the password alone, placed in front of any secure tripcode.
        $trippart=clean_string($trippart);
        srand unpack "N",rc4(null_string(4),"s".$trippart);
        $trip=$tripkey.cfg_expand("%G% %W%",%grammar).$trip;

        return ($namepart,$trip);
    }

    return (clean_string($name),"");
}
You're cutting it down to 32 bits with the srand line, though, and probably even more with the actual expansion. Try to see how many tripcodes you have to try before you find a collision.
>Try to see how many tripcodes you have to try before you find a collision.
865 before the first collision, 1059 before the second, using random tripcodes...
brute-forcing a specific tripcode would still be somewhat difficult because this takes a bit longer than using crypt()... about 16 times as long on my machine...
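Added example (not part of the thread and not the poster's code): a Python estimate of how much identity the generated names carry, using the grammar tables from the process_tripcode() post above. It assumes rand picks list entries uniformly and that different derivations never concatenate to the same string, so the collision probability it reports is a lower bound; the function names are illustrative.

```python
import math
import re
from collections import Counter

# Grammar tables copied from the process_tripcode() post above.
_A, _B, _C = "%B%%V%%M%%I%%V%%F%", "%B%%V%%M%%E%", "%O%%E%"
GRAMMAR = {
    "W": [_A, _B, _C, _A, _B, _C, _A, _B],
    "B": "B B C D D F F G G H H M N P P S S W Ch Br Cr Dr Bl Cl S".split(),
    "I": "b d f h k l m n p s t w ch st".split(),
    "V": "a e i o u".split(),
    "M": "ving zzle ndle ddle ller rring tting nning ssle mmer bber bble nger nner sh ffing nder pper mmle lly bling nkin dge ckle ggle mble ckle rry".split(),
    "F": "t ck tch d g n t t ck tch dge re rk dge re ne dging".split(),
    "O": "Small Snod Bard Billing Black Shake Tilling Good Worthing Blythe Green Duck Pitt Grand Brook Blather Bun Buzz Clay Fan Dart Grim Honey Light Murd Nickle Pick Pock Trot Toot Turvey".split(),
    "E": "shaw man stone son ham gold banks foot worth way hall dock ford well bury stock field lock dale water hood ridge ville spear forth will".split(),
    "G": "Albert Alice Angus Archie Augustus Barnaby Basil Beatrice Betsy Caroline Cedric Charles Charlotte Clara Cornelius Cyril David Doris Ebenezer Edward Edwin Eliza Emma Ernest Esther Eugene Fanny Frederick George Graham Hamilton Hannah Hedda Henry Hugh Ian Isabella Jack James Jarvis Jenny John Lillian Lydia Martha Martin Matilda Molly Nathaniel Nell Nicholas Nigel Oliver Phineas Phoebe Phyllis Polly Priscilla Rebecca Reuben Samuel Sidney Simon Sophie Thomas Walter Wesley William".split(),
}

def stats(template):
    """Return (upper bound on distinct expansions, collision probability) for a template."""
    count, coll = 1, 1.0
    for symbol in re.findall(r"%(\w+)%", template):
        entries = GRAMMAR[symbol]
        # Duplicate list entries add no new names, they only skew the probabilities.
        sub = [(n, stats(entry)) for entry, n in Counter(entries).items()]
        count *= sum(s[0] for _, s in sub)
        coll *= sum((n / len(entries)) ** 2 * s[1] for n, s in sub)
    return count, coll

def summary(start="%G% %W%"):
    names, p = stats(start)
    return {
        "max_distinct_names": names,
        "name_bits": math.log2(names),
        "collision_bits": -math.log2(p),
        # Birthday approximation for a non-uniform distribution.
        "expected_tries_to_collision": math.sqrt(math.pi / (2 * p)),
    }

if __name__ == "__main__":
    for key, value in summary().items():
        print(f"{key}: {value:,.2f}")
```

Under these assumptions the grammar gives fewer than 2^27 distinct names and under 20 bits of collision resistance, because a quarter of all surnames come from the 806-entry %O%%E% pattern. The estimate of roughly 1,150 random tripcodes before the first repeat is the same order as the 865 reported above.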
> if one could manage to encode the trip in pictorial form somehow
It would be harder to quote them... I can copy-paste "hotaru!hoTarufiRE!!H0csnvz2" easily but saving and uploading an image would be more annoying, and you couldn't type it yourself or search for it (eg. on Share) easily.
>>6
Maybe someone could write a firefox extension that keeps a list of words you specify and highlights them wherever they occur in web pages, like how google's cache highlights your search terms.
> Maybe someone could write a firefox extension that keeps a list of words you specify and highlights them wherever they occur in web pages, like how google's cache highlights your search terms.
That's a pretty fucking good idea there!
>It would be harder to quote them... I can copy-paste "hotaru!hoTarufiRE!!H0csnvz2" easily but saving and uploading an image would be more annoying, and you couldn't type it yourself or search for it (eg. on Share) easily.
This is true. Next idea: Unicode symbols!
I can't see any objection to Unicode symbols, except for the requirement that the code work right on boards that might be UTF-8 or SJIS, and that a few people can't read them.
卍巴∀∂⊕⊗☺♤♧♡♢✂✄✃☒☑☤☣☢✈☠☹☀
One can always use numerical entities, but there's still the problem of people needing Unicode fonts, but I suspect most people nowadays have those.
Oh, now I remember why I didn't use symbol tripcodes in Shiichan after thinking of the idea. It was because I didn't want to find a large enough alphabet of symbols; if I used the first half of the SHA hash and wanted 10 symbols of output I'd need 256 different symbols.
>I didn't want to find a large enough alphabet of symbols
http://www.fileformat.info/info/unicode/block/dingbats/utf8test.htm
http://www.fileformat.info/info/unicode/block/miscellaneous_symbols/utf8test.htm
http://www.fileformat.info/info/unicode/block/geometric_shapes/utf8test.htm
Oh, I didn't know that numerics were always Unicode characters. I guess that solves that problem, although I'm not sure if it's worth changing my code around since it would get out of sync with 4chan-futallaby again.
In A.D. 2005
War was beginning.
Moot: What happen ?
WT Snacks: Somebody set up us the fork.
WT Snacks: We get signal.
Moot: What !
WT Snacks: Main screen turn on.
Moot: It's You !!
Mr VacBob: How are you gentlemen !!
Mr VacBob: All your futallaby are belong to us.
Mr VacBob: You are on the way to destruction.
Moot: What you say !!
Mr VacBob: You have no chance to survive make your time.
Mr VacBob: HA HA HA HA ....
<span style="font-family:Wingdings">!TrIPcODE</span>
PROBLEM SOLVED YOU'RE WELCOME
here is an idea: http://hotaru.freelinuxhost.com/k/kareha.pl/1106981745/6-10
a graphical method:
the tripcode will produce 1 to 5 discrete blobs; each blob would be a filled shape with a bezier curve outline with 3-5 vertices (each with 2 control points). the spacing could vary between blobs, and the color could also vary.
additionally, it might be difficult to judge how visually similar one configuration is to another configuration based on only the numerical information.
Yeah, reasonable means of discretion in recognition is the problem here. Personally, I don't think it's something that should be solved from the board software side.
To me, it seems like the best solution would be some kind of firefox-plugin, which lets you "bookmark" certain tripcodes and assign your own colours or whatever to them.
>>32
and add comments that show when you hover over the text?
LAWL
I'm not gonna bother remembering ANYONE's trip code, let alone mine, no matter how simple it is. I rarely bother to remember people's actual names, let alone their faggotry trip codes. So no, the situation cannot be solved, because there will always be people who think (read: know, understand, realize) that tripcodes are stupid.
Er, because of a bug in the cookie code that I cut-and-pasted from somewhere, back in the day (see http://4-ch.net/code/kareha.pl/1113004555). It thinks the "desktop_name" cookie is the same as the "name" cookie. I'll have to fix that.
>>32
Agreed, but the question here is "what CAN we do on the server-side to help".
The original question was rather academic, but it's an interesting thing to think about.
Last I looked at PGP, what they did was rather interesting. To auth a fingerprint with someone, you can either (presumably by phone, as long as you're satisfied) read out the many hex digits, or take a wordlist form.
There's about 32 hex digits, and they suck, so what they did was produce a dictionary for a few hundred two and three-syllable words. You map sequential chunks of the fingerprint bitstring onto these words to get about 20 words. These words are also special in that they alternate between two/three letters, so if someone tells you two two-syllable or two three-syllable words in a row, you know there's an error (very clever error-detection method).
Now, twenty words isn't exactly convenient as a tripcode, but as a method of generating/representing a hash, it could be something interesting to think about. Hotaru's method looks kinda fun.
As Waha also originally stated, another concern is about getting tripcodes that are "close enough" to fool other people. One of the dangers of even longer tripcodes is complacency. Take SSH fingerprints as an example. No one really ever checks the full fingerprint to verify a server, but we often check the first and last few hex digits, right?
There is software out there that can hammer away at a known fingerprint and the longer you give it, the closer it gets to a desired fingerprint that looks a lot like the machine you want to masquerade as. This is not a trivial threat, and it should be obvious from this that longer tripcodes are probably more dangerous than the security they provide.
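Added example (not part of the thread): the alternating word-list encoding described in the post above, with its error detection, sketched in Python. The two 16-word lists are constructed for this example (4 bits per word) and are not the real PGP word list; the sample value and function names are likewise made up.

```python
# Constructed word lists: even positions use two-syllable words, odd positions three-syllable words.
TWO_SYLLABLE = "apple basket candle dragon engine forest garden hammer island jacket kitten lemon magnet napkin orange pencil".split()
THREE_SYLLABLE = "banana camera dinosaur elephant family gallery hospital internet jellyfish kangaroo library mosquito newspaper octopus piano radio".split()
SAMPLE = bytes.fromhex("3fa9c27e10b4")  # constructed 48-bit value standing in for a hash

def table_for(position):
    """Word list that is valid at this position in the spoken sequence."""
    return TWO_SYLLABLE if position % 2 == 0 else THREE_SYLLABLE

def encode(digest):
    """Map each 4-bit chunk of the digest to a word, alternating lists by position."""
    nibbles = [n for byte in digest for n in (byte >> 4, byte & 0x0F)]
    return [table_for(i)[n] for i, n in enumerate(nibbles)]

def decode(words):
    """Rebuild the digest, rejecting any word that breaks the two/three alternation."""
    nibbles = []
    for i, word in enumerate(words):
        if word in table_for(i):
            nibbles.append(table_for(i).index(word))
        elif word in table_for(i + 1):
            raise ValueError(f"word {i} ({word!r}) has the wrong syllable count: "
                             "a word was dropped, repeated or swapped")
        else:
            raise ValueError(f"word {i} ({word!r}) is not in either list")
    if len(nibbles) % 2:
        raise ValueError("odd number of words: one is missing")
    return bytes(hi << 4 | lo for hi, lo in zip(nibbles[::2], nibbles[1::2]))

def check(words):
    """Return None if the words decode cleanly, otherwise the error text."""
    try:
        decode(words)
        return None
    except ValueError as err:
        return str(err)

if __name__ == "__main__":
    spoken = encode(SAMPLE)
    print(" ".join(spoken))
    print(check(spoken[:4] + spoken[5:]))  # one word dropped while reading aloud
```

The alternation only catches slips in word order or count. A different word from the correct list still decodes, so the listener has to compare every word, which is the "close enough" concern raised in the same post.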
>>Maybe someone could write a firefox extension that keeps a list of words you specify and highlights them wherever they occur in web pages, like how google's cache highlights your search terms
I wouldn't think just highlighting it everywhere would be best, as then it would highlight it when someone put it in the subject field too, however this kind of thing could easily be implemented in greasemonkey
http://greasemonkey.mozdev.org/
Could have one colour for whitelisted tripcodes, one for seen before but not messed with, one for first time seen and another colour for blacklisted tripcodes (with an option of hiding their posts?)
Since you bumped the thread--
Implement OpenID, problem solved.