User talk:AmiDaniel/Welcome to VandalProof

Self-add?
Can admins self-add to this list? Or do we still need to go through your moderation process? -- Cyde Weys 05:24, 18 April 2006 (UTC)
 * Still gotta go through the process. If you add yourself to this list, it won't be actualized when you run VandalProof--it retrieves only the last version that I or a moderator edited. Sorry about the inconvenience, but everyone (except for me of course) has had to do it the same way. AmiDaniel (Talk) 05:28, 18 April 2006 (UTC)

Need to emphasize the Lupin popup problem
As above... seems to be the most reported problem. Eagle (talk) (desk) 00:12, 22 April 2006 (UTC)
 * P.S. this page is not hard to find, all that is needed to be done is to download VandalProof, (with or without approval) and try to run it. This page than comes up and states that the user is or is not logged in. At this point right click in the browser window, and click view source code. (provided that you can read the code, this page's location can be found).
 * Potential solution to this is to disable the right click function when the program first opens.
 * I put this suggestion here as to NOT help vandals find this page, and to potentailly help keep this page a secret to vandals. My worry is as soon as vandals find this page, moderation of it may become more difficult.Eagle (talk) (desk) 00:12, 22 April 2006 (UTC)
 * 'Tis true; however, when the app loads it only retrieves the last version of the page that I or a moderator edited, so if a vandal adds himself he will nonetheless not be able to log it. AmiDaniel (Talk) 01:17, 22 April 2006 (UTC)
 * I was more concerned with multiple vandal edits, even potential reverting to very early versions of this page. In addition what happens when this page is moved??? (I am assuming that the vandal is relitivly smart... but still what are the ramifications when this page is moved???Eagle (talk) (desk) 21:59, 22 April 2006 (UTC)
 * I must emphasize, this method is how I found this page... it is not hard to put the title in the search box and hit go, then you get the current version. Sorry if I am being annoying, but I am playing Devil's Advocate:-)Eagle (talk) (desk) 22:02, 22 April 2006 (UTC)
 * Beyond the basic security offered by the app, the page is also move-protected and semiprotected. Reverting to an earlier version again would not work because the edit would still be by that editor, not by a mod. Multiple vandal edits are lost everytime the list is updated, but in any case, I have the page on my watchlist and will revert anything illegitimate I see. I certainly don't mind your playing the Devil's advocate--I'm equally concerned with possible security breaches and would encourage you to contrinue to look for weak links in the chain. Thanks! AmiDaniel (Talk) 23:21, 22 April 2006 (UTC)

(carriage return) Sounds good, another idea... what about a mod-imposter, like User:AmiDanieI, (the "L" in your last name is an "I" (upper case "i"). When this edit is made, the code will of course still refuse to recognize the edit... as with any other vandal edit. The problem lies in the fact that the next moderator will NOT be able to distingish between the "real" and the "false" moderator edits. --- Assume the vandal creates a user page, and talk page... so links will show "blue".
 * Like this. 1- vandal creates lookalike id, edits the page, adding unapproved and "potentially" vandal users. 2-code will not recognize new users... untill another moderator makes any edit to the page. (the "real" moderator will fail to recognize the "fake" moderator). AS SOON as a second moderator edits the vandal will be "approved" on this page.
 * As soon as you reply, comment out parts of my last post to avoid giving ideas to the vandals, unless of course you have that covered:-).Eagle (talk) (desk) 23:44, 22 April 2006 (UTC)
 * But people like myself watch this page, and might spot it. Prodego  talk  23:48, 22 April 2006 (UTC)


 * (edit conflict) Well, I hope that any imposters would be readily blocked on sight as I've declared my puppets and most impersonators are blocked within minutes of account creation, but if they did manage to create an imposter account, I still don't think it would matter. Moderators modify the list through an automated Update List function in VP. It only retrieves the last version of the list modified by a moderator, and the app can tell the difference between I and l. Thus if User:AmiDanieI adds User:Bob to the list, Bob won't be able to access the app and the next time I or any other moderator adds a user to the list via the VP app, Bob will not appear in that version of the list either. That was part of my reason for making the list moderation automated rather than manual--as computers can recognize subtle differences that humans cannot. AmiDaniel (Talk) 23:53, 22 April 2006 (UTC)
 * I am duly impressed... now I need to spend more time trying to crash your program... (no one has added a "new" bug in days:-) and on trying to think my way around this programs safeguards. :-), I need to spend some time with the manual revert... as I think I could "remove" users from this page... Give me an hour to test my theory:-)... If it is not clear, I will be testing in a sandbox, NOT on this page... don't worry. Eagle (talk) (desk) 00:01, 23 April 2006 (UTC)
 * If you would like, I could probably set you up with a VP that would retrieve your sandbox instead of this page (naturally only for you to use!) or we could even set aside a very short period of time where you could test on this page. I think it's worth possibly hindering a few people from using VP for an hour if we can find just one way to breach through the security that can be fixed. AmiDaniel (Talk) 00:05, 23 April 2006 (UTC)
 * Before we try any of that, let me make sure that my idea can even be done... give me an hour or two... I don't need any assistance from you at all right now, as I have a basic idea of what you program is checking for, and I have created a imitation program on my system... in (C++/CLI) and NET. of course:-)... that is why I need the hour or two... Thanks for your offer and trust:-), I really appreciate that... and did not expect that, especially since I am trying to undermine you:-).Eagle (talk) (desk) 00:21, 23 April 2006 (UTC)

(carriage return)--P.S. I have several other ideas as well, hope you don't hate me!!!Eagle (talk) (desk) 00:24, 23 April 2006 (UTC)
 * Damn... my imitation program catches it... grr, any way two things.


 * 1)I found a new version of runtime error 9 :-) give me some time to figure out exactly what buttons are affected... as I hate inaccurate bug reports... (i.e. let me find all of the causes) Than I will put it on the bug page.
 * 2)I hate to ask this, but can you e-mail me exactly what your program does to "check" users. I made my imitation program according to some ad-hoc "commen-sense" criteria. I want to see if they match. Thanks... if you are unwilling, that is fine by me, as I would understand the consideration behind it.Eagle (talk) (desk) 01:14, 23 April 2006 (UTC)

Potential problem (2)
Crap... I can undermine your program in an instant:-) all I need to do is change the User2 template. (this was so noticible... I'm annoyed I did not see it until now.
 * I don't know if I could add myself, but I could bring the program to a halt.
 * SOLUTION---protect the damn thing, (the user2 template)... This would close a potential hole in your security.Eagle (talk) (desk) 01:21, 23 April 2006 (UTC)
 * grr.... you have already had this problem, and I did not notice, (or forgot about it)... that annoys me... still advice above still applies, only now I have proof of the damange that can be done.
 * Yep, that problems being weeded out as we speak. Glad to see you noticed it though! lol. As to sending the source code for the user check ... let me think on it a bit, and I'll try to get something put together for you. Thanks for all your help! AmiDaniel (Talk) 02:07, 23 April 2006 (UTC)
 * I don't want source code, just a description will do... if that helps:-) (i.e. I look for X and for Y), if you are unable, I will not be offended, especially around this wikilawyering that you are trying to deal with right now... what a mess:-)Eagle (talk) (desk) 02:17, 23 April 2006 (UTC)

Oh and on the second version of runtime error 9, I will wait untill you post up a new release... as they may be related:-).
 * Though it triggers on both whitelist and blacklist buttonsEagle (talk) (desk) 02:19, 23 April 2006 (UTC)

You may still want to protect the User2 template... :-) untill you get the problem fixed
 * Me, being me, seeing that you were required to register it, just had to take a look at the executable (hence why/how I found this page) and wonder if it'd be no bigger hole to just hex-edit the username "AmiDaniel" (in all instances) with a different username. Personally, I'm uninterested in doing all that work, since I've reverted articles all of, oh, two times and have less than a hundred main namespace edits so far anyway (the price of being a newbie) but the executable itself is quite interesting to peek through. Mm, have you considered, perhaps, using a function to build the "AmiDaniel" username in the program and put it into a variable perhaps? Take care!  <3  ~Kylu ( u | t )  01:27, 28 April 2006 (UTC)


 * I think you would need to change the page name too, otherwise people would keep reverting you every time you edited this page. Prodego  talk  02:05, 28 April 2006 (UTC)
 * Which come to think of it wouldn't matter, since it would look for the last version by you [the vandal], hmm that is a good idea, would it work AmiDaniel? Prodego  talk  02:07, 28 April 2006 (UTC)
 * (edit conflict) No, I think the problem is realistic, but I doubt anyone would really take the time to do this. Hex-editing is not an easy task for even the most experienced programmers, especially when certain instances of AmiDaniel are necessary for the app to run at all. The mods are not defined with in the app internally, and in every instance where AmiDaniel is used to locate the mod list, "AmiDaniel" is incorporated as a const variable. In the next release I'll be sure to store all of these as constants, such that hexediting to point to an incorrect page will not work. The next version will also likely be the first where upgrading will be necessary to use the tool. AmiDaniel (Talk) 02:13, 28 April 2006 (UTC)
 * I personally figured it'd be only slightly easier to hex-edit your tool than write a new one from scratch. If you said, "Kylu, write a function in C that factored a number and returned the results on a webpage," I'd have no problem with the math, but I just never got around to writing network interface code. If you'd like (which I doubt, but I'll make the offer anyway) I'll write a little heavily obfusicated function to set your username variable. As far as I know, const's don't offer any in-binary protection from editing, they just keep running programs from changing the variable. Another possible solution might be to store the values in plaintext variables (const or otherwise) and simply perform a CRC check to determine if they were modified at runtime. If the total "value" of your username, any of the website links, or your copyright were modified, the program would simply stop running. If you wanted to get sneaky, you could even write a small obscure key to the registry so that VandalProof would no longer work on that computer at all! >:D ~Kylu ( u | t )  15:39, 28 April 2006 (UTC)

Sounds interesting, sorry I did not realize posts have been made. I like the idea of preventing hex-editing, personally the thought never entered my mind... Though I agree, that would be one determined vandal... (makeing a vandal bot would be easier). Thus this might not be a serious hole, but nice find Kylu! —The preceding unsigned comment was added by Eagle 101 (talk • contribs).


 * You know what might be an interesting trick... which really I probably shouldn't post here... but what if you set the CRC as a trap. If the CRC of the username const matches, the program works correctly, if not, it has modified functions such as reporting its changes to a different page (using an obfusicated URL built similar to url$=chr$(65)+chr$(whatever) etc...) so those aware of this (Yourself and a limited number of admins) could keep track of this behaviour. Un-abusive VP-users might be relatively ignored, while obvious vandals might get a command from the obfusicated URL to change their wiki-password to a random value (that way they would have to talk to an admin, admit that they were using a cracked version of the program, and ask nicely to have the password reset)... anyway, just ideas. If you'd like any help testing these out or want proof-of-concepts, let me know. If you want someone else to run VandalProof...eh, I'll get back to you later, once I've actually qualified. :D
 * ~Kylu ( u | t )  02:05, 29 April 2006 (UTC)

Internet Exploder login required
I just tried to use it, and before I could do so, I had to fire up Internet Exploder and log in though there (I use normally netscape). That solved the issue, and maybe that should be mentioned under startup issues or so. Kim van der Linde at venus 03:52, 21 May 2006 (UTC)

Problem
Uhhhh.... why do we have two sets of approved users?? I can't figure out why myself. Thanks.
 * Particurally why 4 copies of each persons name???Eagle talk 19:25, 21 May 2006 (UTC)

Ok, I figured it out, Give me a few moments to revert changes... the mod tools are malfunctioning.Eagle talk 19:27, 21 May 2006 (UTC)

I will post a bug report as soon as I get this mess under control