Goon City

September 19th, 2008

The Goons have been building! Goon City is a pixel-art project by Ryan Allen which is growing rapidly[1] because it is built on two of the staples of web 2.0[2], user-generated content and Google Maps. If you ever played Sim City the isometrically tiled layout will be instantly familiar, and the bustling streets are filled with everyone from the little lego man to Mr Orange staring down Mr Blonde. The result is brilliant, a technically slick train smash of fanboy art and pop culture references.

Here’s a couple of snaps of how Goon City has grown over the last while.

circa 16 July

circa 16 September

19 September

My favourite inhabitant is Thich Quang Duc (who sits near the city center) and apparently Waldo is also around.

Thich Quang Duc

Like the rest of the world I am soo totally over Web 2.0, but this is still cool.

[1] consuming a reported 11TB of bandwidth in two days in July

Gravatar – Identity Theft and Abuse

June 13th, 2008

Tech types: the first part of this post is a non-technical description of how Gravatar works. If you’re down wit’ dat you can skip straight over to the good stuff.

The blogosphere has been adopting a new meme over the last while, the cross-site avatar as implemented by Gravatar, MonsterId and others. What this amounts to is a small image displayed next to a blog comment which is meant to socially identify the person making the comment. The point being that it lets you pick a consistent identity for your conversations across the blogosphere.

Gravatars

The key to success for something like this is that it has to be easy to make work on just about any blog or other social site. If it is difficult to implement its uptake will be low and the whole thing doomed to failure. Gravatar certainly is very easy to work with, mainly due to its underlying design, and is therefore well positioned to succeed.
Gravatar’s design is built around the email address that most blogs require you to provide when commenting, and it uses this as the commentator’s unique identifier. The process is as follows: you register your email address with Gravatar and pick one or more images that you want Gravatar to dish up when you comment on an enabled blog or other site. When you then provide that email address for a comment the blog site sends it off to Gravatar to get the image you picked.

In order to protect the commentator’s email address from spam harvesters the blog site mangles the entered email address using a commonly available one-way hash algorithm named MD5.

A one-way hash works like a very reliable tumble dryer; you stick some data[1] into it and it scrambles it up in a very random way to produce an unrecognisable tangle of stuff which it spits out the other end. What makes a one-way hash special is that from any given piece of data it will produce another piece of data which (a) is very very (99.999999%) likely to be unique and (b) cannot be unscrambled.

The result is that you can with great certainty take an email address and produce a string of text that is unique, and you can protect that email address from being collected for spam by never using the actual address but just its hash value – a good thing.

The power of One-way Hashing

So, in order to provide a simple implementation that can quickly be adopted by the blogosphere, Gravatar uses MD5 to hash the commentator’s email address and produce a unique identifier – how can this lead to identity theft and abuse?

Well, one-way hashes are still susceptible to brute force attacks. The brute force approach to cracking a one-way hash is to simply start guessing values and then hashing them. If the hashes match you know that you’ve guessed the right value – easy. A brute force attack is typically streamlined by using a dictionary on the assumption that the hashed data is likely to contain actual human-readable words. And because MD5 is so cheap to compute it is more susceptible to brute force attacks than other, more modern, algorithms. Some common techniques can realistically crack an MD5 hashed email address on a PC. What’s more, there are several online databases which collectively crack and store MD5 hashes. Several million hashes have already been cracked and are publicly available to search. If a hash has been cracked once by one of these databases it instantly becomes available to the entire internet.

Of course, the more random the data that you put into the hash the more difficult it is to guess[2]. And this is where Gravatar has its first fatal flaw; email addresses are not very random at all. Consider your average email address: it starts out with one or more legible words (say, joetaylor), it then has an @ character followed by a valid, registered domain name (say, hotmail.com). Therefore if you want to crack Gravatar hashes you can limit your dictionary[3] to only include valid domain names preceded by an @ preceded by a relatively human-readable string.

In short, a Gravatar identifier (the hash) is likely to be one of the easiest MD5 hashes to crack. This means that, from your Gravatar identity, a Bad Person© could recover your email address without even breaking a sweat.

So where’s the identity theft? Well, if I have your email address and nickname from one blog comment it means that I can post other comments using those and reasonably impersonate you – flame war city. Secondly, if I get involved in a flame war with you I can recover your email address from your comment and abuse you directly via email – bad vibe city. To illustrate this point I’ve harvested some Gravatars from across the internet and faked up a bit of a flame war in the comments below. Have a look, it’s a lot of fun!

A second flaw in Gravatar’s scheme is that it encourages its users to use a high-value email address[4] to identify themselves. This means that once your Gravatar email has been cracked you are likely to be exposed for a long time. And Gravatar makes no effort to warn its users of the potential for their email addresses to be cracked. It should, at the very least, encourage its users to use throw-away email addresses and allow them to rotate those.

The final flaw in Gravatar’s scheme is that it does not require enabled sites to request your permission[5] before trying to load up a Gravatar image for your comment. So even if you are not registered with Gravatar your email address will still be hashed (against your will) and displayed for harvesting and abuse.
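To make the mechanics concrete, here is an added Python example (not code from the original post and not Gravatar’s own code) that reproduces the identifier scheme described above: MD5 over the trimmed, lower-cased address, which is why the same person gets the same hash on every site. It also shows the two mitigations the post asks for: an explicit opt-in before any hash is emitted, and a self-check that tells a commenter whether an address built from a common local-part pattern and a public mail domain would be recovered from a small dictionary, as opposed to a random throw-away address. The sample local parts and domains are constructed for the example, and `is_guessable`, `make_throwaway` and `gravatar_url` are hypothetical helper names.

```python
import hashlib
import secrets
from typing import Iterable, Iterator, Optional

GRAVATAR_BASE = "https://www.gravatar.com/avatar/"


def gravatar_hash(email: str) -> str:
    """Gravatar-style identifier: MD5 hex digest of the trimmed, lower-cased address.
    Because the normalisation is fixed, every enabled site derives the same value,
    which is what makes the identifier work across sites (and what makes it leak)."""
    return hashlib.md5(email.strip().lower().encode("utf-8")).hexdigest()


def gravatar_url(email: str, consented: bool) -> Optional[str]:
    """Mitigation for the 'no permission asked' flaw: derive (and therefore expose)
    the hash only when the commenter explicitly opted in, otherwise emit nothing."""
    if not consented:
        return None
    return GRAVATAR_BASE + gravatar_hash(email)


def candidate_space(local_parts: Iterable[str], domains: Iterable[str]) -> Iterator[str]:
    """Enumerate 'readable-local-part@registered-domain' addresses, the small
    dictionary the post describes; constructed inputs, not a real word list."""
    for local in local_parts:
        for domain in domains:
            yield f"{local}@{domain}"


def is_guessable(email: str, local_parts: Iterable[str], domains: Iterable[str]) -> bool:
    """Self-check for a commenter: would my own address be recovered from the
    dictionary above just by hashing each candidate and comparing?"""
    target = gravatar_hash(email)
    return any(gravatar_hash(c) == target for c in candidate_space(local_parts, domains))


def make_throwaway(domain: str) -> str:
    """The post's recommended alternative: a random, rotatable address whose local
    part is not a dictionary word, so guess-and-check has nothing to work with."""
    return f"{secrets.token_hex(8)}@{domain}"


# Constructed sample dictionary (not real accounts).
SAMPLE_LOCAL_PARTS = ["joetaylor", "joe.taylor", "jtaylor", "joe"]
SAMPLE_DOMAINS = ["hotmail.com", "gmail.com", "yahoo.com"]

if __name__ == "__main__":
    addr = "Joe.Taylor@Hotmail.com "
    print(gravatar_hash(addr) == gravatar_hash("joe.taylor@hotmail.com"))  # same identity
    print(gravatar_url(addr, consented=False))                             # None
    print(is_guessable(addr, SAMPLE_LOCAL_PARTS, SAMPLE_DOMAINS))          # True
    print(is_guessable(make_throwaway("hotmail.com"), SAMPLE_LOCAL_PARTS, SAMPLE_DOMAINS))  # False
```

The self-check only answers whether an address falls inside a given dictionary; a real word list of local parts and registered domains is far larger than the sample here, which is exactly the post’s point about how little entropy an email address carries. Note that consent has to be enforced by the blog software, since Gravatar itself cannot tell whether the commenter agreed to be hashed.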

Where does this leave Gravatar as a global identifier for blog comments? I understand that a combination of email address and MD5 was used as a means to encourage fast adoption of the idea across the blogosphere, but it is irresponsible to open up all commentators (whether registered with Gravatar or not) to a totally viable form of identity theft and personal abuse by not allowing commentators to opt out of Gravatar and not warning them of the dangers of using a high-value email address to identify themselves.

Gravatar, if you’re listening, do something about it! You owe it to the blogosphere.

[1] a laundry basket full of socks etc
[2] which is why many sites require you to pick a password containing uppercase and lowercase letters and numbers etc
[3] the set of data from which you randomly guess
[4] one that you’re not very likely to want to change
[5] through a checkbox with a disclaimer or some similar means

DearComputer.nl – the aesthetics of laziness

April 4th, 2008

As part of my quest to combat bandwidth thieves with Satan I came across DearComputer.nl’s Google Image Ripper[1]. It’s a service that will query Google Images and display the full-size images of the search results in no apparent order. Essentially it rips the images from the warm womb of their hosting site and spits them out in an explosive bricolage.

Dear Computer – surprise me

What’s interesting about it is that it seems to have a magical ability to present, in one jumbled up mess, the intimate aesthetic of its subject. Somehow, through its collected images, each subject comes into its own. And, of course, that aesthetic changes daily as the internet changes its mind about its subject – what the internet thinks about abortion today is not what it’ll think of it tomorrow. It’s fucking profound, man.

My next post will be a music review for Burial’s Untrue and Cocteau Twins, and for both of these Dear Computer gets it right. Of Burial we know nothing more than his single sketch. The Cocteau Twins are 80s shoegaze from 4AD.

So go ahead, have some fun with George Bush (easter bunnies and Jesus), global warming (Al Gore, children and graphs), suicide (Tibet, Singulair and Pete Wentz), Zimbabwe (hands and queues), best life (astronauts, Oprah, Joel Osteen and Patrick Dempsey).
Your dear computer will project the glowing light of its subject onto your wall.

[1] Mainly because it turned out to be one of the worst culprits – severely smited here

Anonymous group – 4chan – copyright and intent

March 13th, 2008

Present fact: the internet is the most radical example of the viability of anarchism as a social system we’ve seen to date.
Future prediction: anonymity will remain the internet’s greatest weapon in combating regulation and archist control.

This blog is not anonymous. Even simple Google searches will let you lock me down to a first name and probably a last name as well. You can easily determine the city I live in and probably also the suburb. But Anonymous is anonymous.

Anonymous is a group of internet users/vagrants who formed out of the seedy underbelly of the internet – 4chan. 4chan is a nasty place where bad people hang out and anonymously post bad things. It’s most famous for its Random forum where absolutely anything goes. 4chan itself does have rules but the rules for Random itself are summed up as follows:

1. ZOMG NONE!!!1*
2. Global rules 1, 2, 4, 7, 9, and 10 are enforced.

You’ll notice that rule 3 doesn’t apply, being:

Do not post [...] Trolls, flames, racism, off-topic replies, uncalled for catchphrases, macro image replies, indecipherable text (example: “lol u tk him 2da bar|?”), anthropomorphic (“furry”), grotesque (“guro”), or loli/shota pornography.

4chan is big on memes[1] and one meme which has developed in the life of 4chan is that of Anonymous. It started out as an idea/attitude[2] and developed through a groundswell of disgust[3] into a concrete form. Today Anonymous is a group of people who are best known for their anti-Scientology protests known as Project Chanology. This protest started in response to the much discussed Tom Cruise Scientology video posted on Youtube in January 2008.

Tom Cruise loses it

Anonymous responded to Scientology’s reaction to the world’s reaction[4] to the video in a video of their own entitled Message to Scientology in which it accused Scientology of internet censorship. This escalated into a series of Denial of Service attacks aimed at Scientology web sites and a variety of real world protests.

Anonymous loses it

All of this has brought Anonymous to where it is today; a mysterious, vulgar, unregulated, non-hierarchical, not-accountable organisation which has no agreed upon goals, agenda or modus operandi. Right now they seem to be focussed on their plans for Project Chanology, but I have a feeling that it will be around for some time.
Personally I don’t entirely agree with their take on anonymous protest[5], but that’s a topic for another post. So well done to Anonymous. I am glad that you are here. More power to you, more power to all of us.

But that’s not really the point of this post. What I actually want to write about is Wikipedia, or more specifically Wikipedia’s article on Anonymous and precisely about the image displayed on the article – the one below.

Anonymous
Because none of us are as cruel as all of us

There is an ongoing battle being fought on Wikipedia about whether this image should be removed or not. It comes down to a disagreement on whether the Wikipedia policy on non-free content (i.e. the image) allows for content which cannot be attributed to any person or definable group to be used in an article. This is a subtle and fascinating issue. But first, how cool is the contrast between Anonymous and Wikipedia? Anonymous is all about personal outrage, disregard for institutionalised protection and rejection of any sort of accountability. Wikipedia is all about verifiable references, attributability and community-agreed-upon policy. 4chan (from which Anonymous was spawned) is all about uploading images without any sort of copyright/ownership. Wikipedia has long-running, principled[6] arguments about whether a single image should be allowed. Anonymous sees no value in laws/rules[7] while Wikipedia, on a daily basis, builds its policies into laws based on precedent and forum discussions. Interesting.

But back to the story. So Wikipedia is having a long argument about this image; here’s some of it.

Will: Speedy delete – in big letters: will perpetually fail WP:NFCC#10a because we can never know who holds the copyright. I seriously can’t believe people want to keep images that are blatant violations of our Non-free content criteria. Will
        Comment NFCC10a demands source and copyright holder. A source was found (seemingly midway through the debate). Please note that WP:NFCC does not require that this source be linked to. A specific description of where this source can be found in some other media may be acceptable as well (although this is not relevant as a source was found that could be linked to…again, the undercurrent and implication of where the first source for the image was, has likely colored the discussion). The copyright holder is anonymous (or Anonymous).

Ayla: Overturn and keep. After re-reading the relevant policies and discussions, I have come to agree that the WP:NFCC#10a issue is addressed by the fact that the copyright holder of the image is either Anonymous (the group) or anonymous (undisclosed). Given the nature of the group, it is more than likely that such would also be the “copyright holder” for any alternative logos. Ayla

st47: Delete per WP:NFCC#10a. Our non-free content criteria are not up for debate here. st47

IronGargoyle: Comment again. As I clarified on my page (to which Sceptre has decided to conspicuously ignore, uncivilly shout down opposition, and use blatantly misleading speedy deletion tags to game the system–all due to his conflict of interest), works that are explicitly created anonymously are copyrighted–this is clear to most parties I’m sure. As such, for explicitly anonymous works, that anonymous individual (or group) is explicitly the copyright holder (and we don’t know who they are any better or worse than any of the many pseudonymous editors of Wikipedia). It’s not that we don’t know the provenance of the image (cf. some random picture without source on the internet). It was quite obviously created by a member of Anonymous. A little good faith and common sense on that point would be excellent.

Will: Comment The point is, with Wikipedia, we can know who uploaded it (example, we can differentiate between you and I with uploads). With 4chan, you can’t. Nearly everyone, especially on /b/, posts as “Anonymous”. We don’t know which “Anonymous” uploaded it, whether it was 123.45.67.89 or 98.76.124.3. Will

Coffeepusher: Overturn this is absurd, and at least the 5th dispute I have seen that is WP:GAME against the Anonymous/Project C (I really can’t spell it) that has occurred since the wiki creation…Involving editors whose interests in the project are apparent disruption of the articles themselves and a complete contempt of consensus. it also is in direct conflict with the spirit of the rules that are being quoted. The Non-Free image rules are created to keep from stealing someone’s work without giving them credit. If it is impossible to find a specific individual, and no one will be able to validly claim that it is her/his work, no one has any actual claim on the image (organizational or otherwise)…?!?Coffeepusher

Stormfin: Comment This shows the massive gaping flaw in Wikipedia policy. This is an image produced by a loose group that falls under the vague ideology of anonymous. Anything produced by this community will and indeed is expected to be edited, changed, saved and redistributed. To me, this is obviously the same as having no copyright license attached. Of course, to the blinkered view fostered by WP Policy ‘it *must* have a copyright’. Which it doesn’t. So we end up here. Again and again and again. The online world plays by a different set of rules to the real one, and if Wikipedia doesn’t realise this soon then it might as well give up covering online communities and websites.

Ale_Jrb: Delete – WP:NFCC#10a – the copyright holder cannot be identified. WP:NFCC isn’t randomly optional for some images, and as the creator of the image cannot be identified, it doesn’t matter what it’s of. Ale_Jrb

And it goes on and on.

This is a very relevant debate to Wikipedia policy and is best summed up by Stormfin in saying ‘[...] to the blinkered view fostered by WP Policy it *must* have a copyright. Which it doesn’t’.

In my opinion what is missing from this debate (and by extension from the Wikipedia policy) is the issue of intent. Copyright[8], by its very nature, comes with a specific intent on the part of the owner to protect its claim to content that it has produced. In the case of Anonymous the intent, the principle founding idea, is to, as identifiable natural persons, not lay claim to or be held accountable for anything that they do or produce. The Wikipedia policy does not make provision for this: intent to remain anonymous.
To Wikipedia, keep the frickin image. Anonymous has no will, no hunger or identity – but it never forgets. And Wikipedia just cannot deal with that.

[1] or at least, their concept of memes

[2] Anonymous is not a single person, but rather, represents the collective whole of 4chan. He is a god amongst men.
Anonymous invented the moon, assassinated former President David Palmer, and is also harder than the hardest metal known to man: diamond.
His power level is rumored to be over nine thousand. He currently resides with his auntie and uncle in a town called Bel-Air (however, he is West Philadelphia born and raised).
He does not forgive.
See the 4chan FAQ

[3] Who is Anonymous?
I am. You are. Each one of us is. Anonymous is not a person, nor is it a group: Anonymous is an idea. Anonymous will never don kid gloves: Anonymous is the Humanity of the Bared Palm; but also of the Naked Fist.
The face of Anonymous is the Persona affixed to each human face in the Amphitheatre of the Public Sphere; but also the raw, human face hidden from public view at the times when we must all function as political animals, feigning scorn at the depredations of humanity.
The tiny pith of rage which burns during conflict with an adversary — that is our Form.
[...]
When internet communities are formed, nearly the first thing that is implemented is to remove anonymity, to make truthful registration as mandatory as possible.
This is because of the aptly named Greater Internet Fuckwad Theory, which observes that rude behavior normally unacceptable in polite society is inversely related to how non-anonymous users are. Not surprisingly, most people assume this means anonymity is a bad thing, and take every step they can to punish users who do not adhere to their personal conversation etiquette.
[...]
An anonymous collective, left to its own devices, quickly builds its own society out of rage and hate.
See Anonymous

[4] How’s that for complex: a reaction to a reaction to a reaction

[5] In a world where martial law, individual repression and persecution, and violations to rights protected by the constitution are legally trampled by the government, the only way to truly protest without being chastised is to remain anonymous.

[6] Which is important. I certainly don’t think that the Wikipedia argument is trivial. They are challenging the principles of their own policies in the face of a very non-standard situation.

[7] The Laws of Nature and Man cannot restrain Anonymous.

[8] and Copyleft, which Anonymous is also not interested in

Combating Bandwidth Thieves with Satan

February 28th, 2008

Victory![1] I’ve been noticing that this blog has been attracting bandwidth thieves for some images hosted on zzzbot.com (particularly ones that happen to be on the first page of Google Image search results[2]). And the time has come to kick some ass among them.

Don’t get me wrong, it’s not as if the bandwidth is what really concerns me, but it ticks me off that someone could be lazy enough to link to another site rather than to host an image themselves. And not because I believe that as an ethical matter you shouldn’t mooch from other people, but because you are opening yourself up to being exploited by them.

In short, bandwidth theft (aka hotlinking) involves finding an image that you like on another site and directly placing its URL (its address) in your own site. This causes the image to be displayed in your site but downloaded from the server that hosts the site where you are ‘stealing’ the image from. Doing this saves the hotlinker from having to host the image themselves and generally makes life easier for them. But this laziness comes at a price. By hotlinking to another site you are, essentially, making real estate from your site available to the hotlinked site. If the site that you are linking to is savvy enough to detect the fraudulent image download it can substitute it for anything it wants and your site will happily display it. And this is just too good an opportunity to let by without having some fun with it.

Some sites ‘punish’ hotlinkers by displaying an image advertising the hotlinked site or an offensive image outing the hotlinker as a bandwidth thief. I prefer taking the satanic route.
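The substitution described above hinges on a single piece of request data, the Referer header, so here is an added Python example (not the zzzbot.com script, which the post does not reproduce) of the decision logic a hotlink filter needs. Requests whose Referer names another site get the replacement image; requests with no Referer at all, or coming from the site’s own hosts and their subdomains, are served normally. The host set and the substitute path are assumptions made for the example, and `resolve_image` is a hypothetical helper name.

```python
from typing import Optional, Set
from urllib.parse import urlsplit

# Assumed for the example: the hosts that legitimately embed our images.
OWN_HOSTS: Set[str] = {"zzzbot.com", "www.zzzbot.com"}
# Hypothetical path of the image served to hotlinkers instead of what they asked for.
SUBSTITUTE = "/images/hotlink-substitute.gif"
# Only files under this prefix are subject to substitution.
PROTECTED_PREFIX = "/images/"


def referer_host(referer: Optional[str]) -> Optional[str]:
    """Extract the lower-cased host from a Referer value, or None when the header is
    absent, empty or unparseable (malformed Referers are treated as 'unknown')."""
    if not referer:
        return None
    try:
        host = urlsplit(referer).hostname
    except ValueError:          # e.g. an unterminated IPv6 literal
        return None
    return host.lower() if host else None


def is_hotlink(referer: Optional[str], own_hosts: Set[str] = OWN_HOSTS) -> bool:
    """True only when the request demonstrably came from a page on another site.

    A missing Referer is NOT treated as hotlinking: direct visits, bookmarks, many
    feed readers and privacy extensions send none, and blocking them would punish
    the site's own readers rather than thieves.
    """
    host = referer_host(referer)
    if host is None:
        return False
    if host in own_hosts:
        return False
    # Accept subdomains, but only with a dot-anchored match so that a look-alike
    # such as zzzbot.com.example.net is not mistaken for one of ours.
    return not any(host.endswith("." + own) for own in own_hosts)


def resolve_image(requested_path: str, referer: Optional[str]) -> str:
    """Return the path the server should actually serve for this request."""
    if requested_path.startswith(PROTECTED_PREFIX) and is_hotlink(referer):
        return SUBSTITUTE
    return requested_path


if __name__ == "__main__":
    # Constructed requests, not real log entries.
    for path, ref in [
        ("/images/cover.jpg", "http://someprofile.example.net/page"),   # hotlink -> substitute
        ("/images/cover.jpg", "http://www.zzzbot.com/thecages/"),       # own site -> original
        ("/images/cover.jpg", None),                                    # no Referer -> original
        ("/images/cover.jpg", "http://zzzbot.com.example.net/"),        # look-alike -> substitute
    ]:
        print(path, ref, "->", resolve_image(path, ref))
```

Two caveats a practitioner should keep in mind. The Referer is supplied by the client, so this is a heuristic that catches lazy embedding, not a security boundary: anyone who fetches the image with a forged or empty Referer gets the original. And search-engine image results are themselves hotlinks by this definition, so if the Google Image traffic mentioned in the post matters to you, add those hosts to the allowed set.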

If someone is going to give you the opportunity to mess with their site then why not do it properly and scare the bejeezuz out of them and their visitors? It’s both funny and effective. After looking around for a while I decided to use this approach, mainly because I could understand it. My weapon of choice is Tool – a genuinely, seriously hardcore esoteric metal band. The last track on their 10,000 Days album is entitled Viginti Tres – a short garbled moan of horror whose lyrics contain no trace of irony.

una Infinitas
Abominatio Nascitur Autumno
hic est tuum temptamen quod temptat tua potentia
viginti tres gradus ad summam potestatem

one infinity
The horror begins in autumn
this is your trial, which tries your power/might/ability/efficacy/potency
twenty three steps to total power.

I love Tool; they are one of the few bands that I know of who are really serious about their drugs[3] and their esoteric philosophies. And while I myself do not subscribe to their vision I do admire the integrity and dedication with which they pursue it[4]. Their music also rocks – explosive, cutting metal.

Back to the story. I had to frame the lyrics to Viginti Tres on a suitable canvas, so I set out to find the most evil album cover on the internet. And forget about the cheesy covers featuring blood-dripped skulls and slathering demons ripping humanoids apart – I mean really, really dark. In the end I settled on this truly evil image from a combined metal album by Gestapo 666 and Satanic Warmaster.

Truly Evil

Finally I added some scrappy teenage shock horror (for that authentic edge) and some cheap advertising and compressed the whole thing into an ugly, grainy GIF. The result is this:

The response has been immediate. The zzzbot.com logs show that within a few hours of redirecting moochers to this image at least one chick removed the hotlinked image from her MySpace profile. Shame, I hope she didn’t get too freaked out by my gentle hack; bless her soul.

To tell the truth I like the idea of being allowed to inject whatever I want into someone else’s site so much that I kinda hope that the hotlinks aren’t removed.


Update: 11 March 2008

After testing my bandwidth thief hater script on the thecages archives I have promoted it to the current thecages images as well. The result has been great! Several sites now sport my satanic message and in one particular case some poor fool used an image hosted by zzzbot.com as the background to their MySpace. The magnificent result of my defacement of Reddy’s profile is preserved for posterity here. I wonder how long it will take him to notice it?

[2] The quality of traffic that one gets from Google Image searches is debatable. How many people really check out the site when all that they are looking for is an image of Bon Scott’s tattoos? However, there are ways of improving the quality of the traffic that you get.
[3] High-dose psychedelics as embodied by drummer Danny Carey.
[4] Somehow I also feel that the band would approve of my use of their lyrics. They are, after all, the masters of Lachrymology.
