AnimeSuki Forum - View Single Post - Leechers on Signature/Avatar request threads

felix · 2010-11-26, 14:15

I personally do only batch jobs when I want to promote a series and burn some free time, so I don't really mind where people use them, it's all the same to me. That said I'm pretty sure I speak for the majority when I say, it's a pain to solve conflicts and "problems". Any little thing the staff could do to streamline the system would be very welcome.

regarding the technical aspect...

Pretty sure the whitelist/blacklist would not work for this case.

To solve this problem technically, it is fairly complicated business. I can see two approaches, in both you leverage on the Album feature of the forum. In one each user could have his own "avatar album" (which appears on a CP page only) and others could submit to it (this if fairly complicated and problematic) - the idea is to have the creator submit to the requester.

Another more simple and efficient way is again each user has his own special "avatar" album but only he can add to it; other people can see it and have a button to "Claim" a avatar there (only one person can claim it at any given time). The "caption" (album) of the avatar is used as hover text.

In both methods the idea is to eliminate the intermediate steps between request and use. With the steps cleared, the avatar image can be obfuscated into the system. There's no effective way to hide it (permanently) but a simple goal to force people to at best have to make a screen shot and go into a editor to get the image is doable (because this provides reasonable protection for things like a gif animation in particular). There are several methods:

The simplest to implement, but weakest is to stretch a 1px image over the avatar. This will make it impossible to RightClick > Save Image. However View Source / Ctrl+F > Copy Link easily bypasses it.
A more secure way is to use "class-ID" system, based on a common alphabet. Basically the avatar is contained in a CSS stylesheet as a background, using a base64 encode (obviously cache headers set). Each stylesheet contains more then one avatar, based on a grouping strategy to optimize requests (so using this method the forum would actually run faster because of fewer http requests, and better compression because of the inherit image packaging). The image is identified by a series of classes belonging to a common alphabet. Lets say for consistency the alphabet is simply hex. Classes in HTML can not start with a digit so we prefix a "H" to make it valid, thus the alphabet is: .H00 .H01 [...] .H0f .H10 [...] .H1f [...] .Hff

What one does is then set the class for the <div> which acts as the avatar container to something like: Hf1 H0a H32 H15 Hfa (length of this is dependent on the bitlength of your hash function) and then in the css, using a global API key set somewhere, the hash digest value is scrambled so for the previous value you could have something like: .H0a.H15.Hfa.Hf1.H32 for a selector (alternatively you can do it backwards; ie. scramble each time in the div).

Another small advantage of using this method is that because we are using CSS it should be possible to hide the avatar when the size of the post would need to be extended to display it. So in other words, 1 line posts would not extend to that of a 10 line post just because of the avatar.

More obfuscation can be done using multiple backgrounds. Basically every container displays every avatar, but in the CSS permutations are done in the background positioning/stacking/order in groups of rules, where the resulting permutation for each group results in the appropriate avatar.

Disclaimer: The system is only reasonably secure against non-tech savvy people. If the person in question is extremely technical no amount of perfect obfuscation and hiding is going to work. In the worst case he can use fraps to clone it. The assumption is only non-tech savvy people would do this.

2010-11-26, 14:15	Link #5
felix sleepyhead Author Join Date: Dec 2005 Location: event horizon	I personally do only batch jobs when I want to promote a series and burn some free time, so I don't really mind where people use them, it's all the same to me. That said I'm pretty sure I speak for the majority when I say, it's a pain to solve conflicts and "problems". Any little thing the staff could do to streamline the system would be very welcome. regarding the technical aspect... Pretty sure the whitelist/blacklist would not work for this case. To solve this problem technically, it is fairly complicated business. I can see two approaches, in both you leverage on the Album feature of the forum. In one each user could have his own "avatar album" (which appears on a CP page only) and others could submit to it (this if fairly complicated and problematic) - the idea is to have the creator submit to the requester. Another more simple and efficient way is again each user has his own special "avatar" album but only he can add to it; other people can see it and have a button to "Claim" a avatar there (only one person can claim it at any given time). The "caption" (album) of the avatar is used as hover text. In both methods the idea is to eliminate the intermediate steps between request and use. With the steps cleared, the avatar image can be obfuscated into the system. There's no effective way to hide it (permanently) but a simple goal to force people to at best have to make a screen shot and go into a editor to get the image is doable (because this provides reasonable protection for things like a gif animation in particular). There are several methods: The simplest to implement, but weakest is to stretch a 1px image over the avatar. This will make it impossible to RightClick > Save Image. However View Source / Ctrl+F > Copy Link easily bypasses it. A more secure way is to use "class-ID" system, based on a common alphabet. Basically the avatar is contained in a CSS stylesheet as a background, using a base64 encode (obviously cache headers set). Each stylesheet contains more then one avatar, based on a grouping strategy to optimize requests (so using this method the forum would actually run faster because of fewer http requests, and better compression because of the inherit image packaging). The image is identified by a series of classes belonging to a common alphabet. Lets say for consistency the alphabet is simply hex. Classes in HTML can not start with a digit so we prefix a "H" to make it valid, thus the alphabet is: .H00 .H01 [...] .H0f .H10 [...] .H1f [...] .Hff What one does is then set the class for the <div> which acts as the avatar container to something like: Hf1 H0a H32 H15 Hfa (length of this is dependent on the bitlength of your hash function) and then in the css, using a global API key set somewhere, the hash digest value is scrambled so for the previous value you could have something like: .H0a.H15.Hfa.Hf1.H32 for a selector (alternatively you can do it backwards; ie. scramble each time in the div). Another small advantage of using this method is that because we are using CSS it should be possible to hide the avatar when the size of the post would need to be extended to display it. So in other words, 1 line posts would not extend to that of a 10 line post just because of the avatar. More obfuscation can be done using multiple backgrounds. Basically every container displays every avatar, but in the CSS permutations are done in the background positioning/stacking/order in groups of rules, where the resulting permutation for each group results in the appropriate avatar. Disclaimer: The system is only reasonably secure against non-tech savvy people. If the person in question is extremely technical no amount of perfect obfuscation and hiding is going to work. In the worst case he can use fraps to clone it. The assumption is only non-tech savvy people would do this. __________________