Gravatar is On



  • Is there a reason why we are using such a huge privacy WTF? Beyond being meta?



  • We're just making things simpler for the NSA. Now they only have to steal data from one site to get what they need. Alex is very patriotic.


  • Winner of the 2016 Presidential Election

    Could you explain how/why Gravatar is a WTF? (It's not that I don't believe you, it's that I don't know WTF Gravatar is.)



  • I know there's some concern because the Gravatar image URL contains an MD5 hash of your email address.


  • Winner of the 2016 Presidential Election

    @DiscourseSucks said:

    I know there's some concern because the Gravatar image URL contains an MD5 hash of your email address.

    MD5, the hashing algorithm that was cracked a decade ago?

    I'm sure it will be fine.



  • On top of that, it makes it easy to identify the same person on different sites if they're using the same email, often without the person in question realizing or intending to. (not just for NSA & co., but also for normal people)



  • Gravatar - globally recognized avatars leak identity data. Your Gravatar ID is based off of the MD5 of your email address. Any time you sign up for a site that uses Gravatar, it creates a link at Gravatar that you use it. It's one of the things I REALLY REALLY REALLY hate about WordPress. Beyond that, with your email address, anyone can track all of your activity across popular websites without even logging in. It's just needlessly leaky and ties back to your actual identity which is what bothers me.



  • @rad131304 said:

    It's just needlessly leaky and ties back to your actual identity which is what bothers me.

    Yes, being able to post and ridicule bad code anonymously is a key feature of TDWTF. The main page features go to great (often absurd) lengths to anonymize submissions. Compromising anonymity is not OK.


  • Winner of the 2016 Presidential Election

    @HardwareGeek said:

    Yes, being able to post and ridicule bad code anonymously is a key feature of TDWTF. The main page features go to great (often absurd) lengths to anonymize submissions. Compromising anonymity is not OK.

    I was trying to change my username to one more anonymous, but it says there's already a user with the username error, which I'm pretty positive there's not.

    Is it some kind of reservation?



  • @joe_edwards said:

    MD5, the hashing algorithm that was cracked a decade ago?

    It is cracked in the sense that you can take a digest (the hash) and construct a message that will result in that digest. As far as I know, it is not possible to reverse the hash into an email address, even if it's milquetoast MD5.



  • @joe_edwards said:

    Is it some kind of reservation?

    Can you use the name command.com or .htaccess?



  • @dhromed said:

    It is cracked in the sense that you can take a digest (the hash) and construct a message that will result in that digest. As far as I know, it is not possible to reverse the hash into an email address, even if it's milquetoast MD5.

    The problem is that there are very extensive databases (with plaintext and hash) and rainbow tables for MD5 (and other popular hashing algorithms). Unsalted hashes are vulnerable for that reason, no matter what algorithm you use.


  • Winner of the 2016 Presidential Election

    @dhromed said:

    It is cracked in the sense that you can take a digest (the hash) and construct a message that will result in that digest. As far as I know, it is not possible to reverse the hash into an email address, even if it's milquetoast MD5.

    I know rainbow tables can reverse MD5 in seconds or less; but they're prohibitively large for longer plaintexts and character sets.

    There are even websites/web services that process public queues of MD5 crack requests. Which I've uh. Never. Used. For anything.



  • @joe_edwards said:

    I know rainbow tables can reverse MD5 in seconds or less; but they're prohibitively large for longer plaintexts and character sets.

    A rainbow table for email addresses only has to be about 1TB to crack >90% of email addresses, mainly because the domain adds little entropy (with @gmail/yahoo/live/hotmail you probably have over half of all email addresses, that's 2 bits of entropy).

    (for comparison: an MD5 rainbow table for lowercase alphanumeric strings up to length 10 is 396GB)
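To make the points in the posts above concrete (the identifier is just an unsalted MD5 of the address, so it is identical everywhere and can be matched against a precomputed list), here is an added Python example; it is not code from the thread or from Gravatar. The HMAC-keyed alternative is a hypothetical mitigation, not a Gravatar feature, and the addresses and site secrets are constructed sample values.

```python
import hashlib
import hmac
from typing import Optional

def gravatar_hash(email: str) -> str:
    """Identifier as Gravatar documents it: trim, lowercase, MD5 hex digest.
    No salt and no secret, so anyone can recompute it from the address."""
    normalized = email.strip().lower()
    return hashlib.md5(normalized.encode("utf-8")).hexdigest()

def site_scoped_hash(email: str, site_secret: bytes) -> str:
    """Hypothetical alternative (not something Gravatar offers): HMAC-SHA256
    keyed with a secret each site keeps private. The same address then yields
    a different identifier per site, so profiles cannot be joined by hash."""
    normalized = email.strip().lower()
    return hmac.new(site_secret, normalized.encode("utf-8"), hashlib.sha256).hexdigest()

def build_md5_table(candidates: list[str]) -> dict[str, str]:
    """Precomputed hash -> address table over a candidate list. This is the
    mechanism behind the "extensive database"/rainbow-table concern above:
    addresses are low-entropy input, so a list of likely ones goes a long way."""
    return {gravatar_hash(c): c for c in candidates}

def recover_address(identifier: str, table: dict[str, str]) -> Optional[str]:
    """Look a public identifier up in the table; None if it is not present."""
    return table.get(identifier)

# Constructed sample data (not real users): one person uses the same address
# on two unrelated sites; an observer holds a small list of guessed addresses.
SAMPLE_EMAIL = "Alice.Example@gmail.com"
CANDIDATES = ["bob.example@yahoo.com", "alice.example@gmail.com", "carol@hotmail.com"]
SITE_A_SECRET = b"constructed-secret-for-site-a"  # would be random in practice
SITE_B_SECRET = b"constructed-secret-for-site-b"

def demo() -> dict[str, object]:
    site_a_id = gravatar_hash(SAMPLE_EMAIL)
    site_b_id = gravatar_hash("  " + SAMPLE_EMAIL.upper() + " ")  # sloppier input, same person
    table = build_md5_table(CANDIDATES)
    return {
        "same_id_on_both_sites": site_a_id == site_b_id,  # True: trivially linkable
        "recovered": recover_address(site_a_id, table),    # the address itself
        "keyed_ids_differ": site_scoped_hash(SAMPLE_EMAIL, SITE_A_SECRET)
                            != site_scoped_hash(SAMPLE_EMAIL, SITE_B_SECRET),
        "keyed_in_table": recover_address(site_scoped_hash(SAMPLE_EMAIL, SITE_A_SECRET), table),
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The keyed identifier cannot be precomputed without the site's secret, which is exactly what the unsalted MD5 lacks.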



  • Well that's not very nice of them.



  • @dhromed said:

    Well that's not very nice of them.

    That's capitalism for you, comrade. Not every business can be a free kittens and pie service.


  • Winner of the 2016 Presidential Election

    @DiscourseSucks said:

    Not every business can be a free kittens and pie service.

    I had to shut down my free kittens and pie service after a shipment mix-up.

    Filed under: I don't want to talk about it.



  • Shepherd's Pie.

    With kittens.



  • @dtech said:

    The problem is that there are very extensive databases (with plaintext and hash) and rainbow tables for MD5 (and other popular hashing algorithms). Unsalted hashes are vulnerable for that reason, no matter what algorithm you use.

    Also, a determined hacker could use your Gravatar to go find an unmaintained WordPress blog you once logged into and attack your password in the WP database since those are saved as MD5 by default (still AFAIK). While I seriously doubt any of us are actually important enough to be attacked this way, script kiddies, lulz, and all that. Suppose you had a twatter handle they wanted?



  • @rad131304 said:

    and attack your password in the WP database since those are saved as MD5 by default

    Nope, they're bcrypt. And as of WordPress 4, the site updates itself automatically to the newest version.



  • @dhromed said:

    Shepherd's Pie.

    With kittens.

    I used to work with an older Vietnamese gentleman. I never quite looked at him the same after he told me that cat tasted better than dog. Dog is too gamy, he said. Cat tastes more like beef. The trick is to use old cats - the older the cat, the better it tastes apparently.



  • @rad131304 said:

    Is there a reason why we are using such a huge privacy WTF? Beyond being meta?

    Do you really want to use gravatar?


  • Discourse touched me in a no-no place

    @rad131304 said:

    Is there a reason why we are using such a huge privacy WTF?

    So set your own picture up instead of asking them to delegate to another service. (Sheesh.)



  • @mikeTheLiar said:

    I used to work with an older Vietnamese gentleman. I never quite looked at him the same after he told me that cat tasted better than dog. Dog is too gamy, he said. Cat tastes more like beef. The trick is to use old cats - the older the cat, the better it tastes apparently.

    What's so weird about eating cats/dogs as compared to other animals?



  • @dkf said:

    So set your own picture up instead of asking them to delegate to another service. (Sheesh.)

    Because I totally got to make that decision before Gravatar found out I post to TDWTF?



  • @morbiuswilters said:

    What's so weird about eating cats/dogs as compared to other animals?

    No idea. I could see someone marking a difference in eating someone's pet vs. eating an animal raised to be food though. I guess for animals that are often kept as pets people compartmentalize them into a different category.


  • Winner of the 2016 Presidential Election

    @morbiuswilters said:

    What's so weird about eating cats/dogs as compared to other animals?

    It could be only because I've associated longer with cats and dogs but they each seem to have a distinct personality and continually surprise me with their intelligence. They're basically people. I haven't seen these traits in pigs/cows/chickens (but nor have I spent much time with livestock).



  • @joe_edwards said:

    It could be only because I've associated longer with cats and dogs but they each seem to have a distinct personality and continually surprise me with their intelligence. They're basically people. I haven't seen these traits in pigs/cows/chickens (but nor have I spent much time with livestock).

    I dunno, cats and dogs are smarter, sure, but they're not people. And livestock surely feels pain in its own right. So it doesn't seem much difference to me.


  • Discourse touched me in a no-no place

    @rad131304 said:

    Because I totally got to make that decision before Gravatar found out I post to TDWTF?

    Of course. The default is always the NSA-mandated “rape my privacy please”.



  • @morbiuswilters said:

    I dunno, cats and dogs are smarter, sure, but they're not people. And livestock surely feels pain in its own right. So it doesn't seem much difference to me.

    Aren't pigs supposed to be around dogs in intelligence? I seem to remember some cognitive study about self recognition but am too lazy to look it up.



  • @rad131304 said:

    Because I totally got to make that decision before Gravatar found out I post to TDWTF?

    Well, Ghostery seems to be blocking Gravatar — sometimes. Sometimes it says zero items blocked, so I don't know if it's not blocking it, or if some page loads it doesn't try to phone home.



  • @locallunatic said:

    Aren't pigs supposed to be around dogs in intelligence? I seem to remember some cognitive study about self recognition but am too lazy to look it up.

    Pigs are smart, but not cute. There's a lesson there.



  • @HardwareGeek said:

    Well, Ghostery seems to be blocking Gravatar — sometimes. Sometimes it says zero items blocked, so I don't know if it's not blocking it, or if some page loads it doesn't try to phone home.

    I've not heard of Ghostery before, thanks. Added to browser.


  • Winner of the 2016 Presidential Election

    @locallunatic said:

    Aren't pigs supposed to be around dogs in intelligence? I seem to remember some cognitive study about self recognition but am too lazy to look it up.

    I'm open to the idea that I've misjudged pigs. I'm not terribly fond of pork products anyway.
    Cows and chickens (which provide ~95% of the food I eat) do seem blithely content to stand around all day eating and shitting though, and I don't feel remorse for them.



  • @morbiuswilters said:

    What's so weird about eating cats/dogs as compared to other animals?

    Aside from being pets (or quasi-pets, even if the individual animal was raised specifically for food), which is a really big part of it, some of it has to do with what they eat.

    I was told long ago that meat from carnivorous or (especially) omnivorous animals is more likely to have parasites or other nasties that can be passed on to higher-level predators, like humans. Whether this is actually true or not, it contributes to my emotional response to the idea of eating them.

    I know what my dogs eat if I can't stop them in time. Just as I would be reluctant to eat pork from pigs that had been fed garbage, I would not want to eat their meat.


  • Banned

    You can use a local avatar in your profile.

    Over time, we've come to agree that the gravatar approach isn't the best, because...

    • gravatar only caches avatars for 5 minutes, we're guessing because users complain when they change their avatar and it doesn't propagate to the entire Internet immediately. But this is terrible for performance.

    • as a result of the above, gravatar becomes a kind of "ping" to see where you are.

    • the MD5 hash of email address issue

    The good news is that we're working on a change to produce local avatars as a standard default feature and drop gravatar. That should hopefully roll out by the end of this week, or worst case, next week.

    See:

    (although we are actually using images for now, as it ends up being simpler in the code paths.)



  • That's great for future people, I'd still prefer it if it had been turned off by default - I realize I don't actually mind the concept it just annoys me that I didn't have any choice in how my data was leaked. If it was just off by default and people who wanted it could turn it on, it at least gives people the option to not have that privacy leak if they don't want it.



  • I like the new first-letter+color generated avatars. They work rather well! Better than gravatar, anyway.

    Possibility: add the second letter as lowercase, like a chemical element symbol. Should increase the uniqueness.





  • Make the blue go away in this old thread.


  • Banned

    Try the dismiss unread button on your unread tab, from the homepage, as well. The button is at the bottom of the unread page.



  • No, I like the unread blue stuff. But it's trained me to click on stuff with blue. This one had blue because it was old. Also, blue meth.

