RISC OS Open: Forum: Change avatar on the forum

Dec 15, 2020 3:26pm

I would imagine that the rool forums should be able to changed in the setting to allow a user specified url for the image source. Then anyone that has some web space to put up there avatar (every RISC OS user on the net) should not have too much trouble.

That would be “no trouble” apart from any problem with a malicious spammer dropping a malware infected image into the location referenced?

Dec 15, 2020 3:27pm

Stuart Swales (1481) 351 posts

I think we just need to get rid of them.

Dec 15, 2020 4:25pm

Bryan (8467) 468 posts

As I said earlier, my solution to this cross-site tracking problem is to edit my hosts file to redirect the www.gravatar.com request to a local TCP/IP server.

Having updated my server code, dealing with the HTTPS request is not a problem. I just silently drop the connection on port 443. Very quick with no siide effects noticed so far. (tested on Netsuft and Firefox)

Alternatively:-

I think we just need to get rid of them

has my vote.

Dec 15, 2020 8:39pm

Timo Hartong (2813) 204 posts

I like the Avatar so I would vote against. No avatar = no tracking. And for me personally I don’t care about this part of tracking. Read carefully for this part. If the statement is the avatar would be stored on this forum that would be a better idea.

Dec 16, 2020 4:40am

Bryan (8467) 468 posts

That might be slowing things down for you.

I think that that using my local server actually speeds things up.

Dec 16, 2020 8:42am

Steve Pampling (1551) 8172 posts

I think that that using my local server actually speeds things up.

If there’s a server to respond then it’s quite likely the response from that is swift, it does rather depend on what the browser does about the non-existence of the PHP script the page code is trying to run.

We could really do with a simple local ‘server’ instance to run on RO – somewhere to dump the innumerable items of ‘tat’ that are requests embedded in web pages. The gravater stuff under discussion here is really the very, very tip of the iceberg.

Dec 30, 2020 3:00pm

Vince M Hudd (116) 534 posts

No avatar = no tracking

In making that statement, you’re considering only the linking of a given avatar with the person who uses it, which effectively tells gravatar this person uses this forum, that one, this other one… and so on.

In reality, however, gravatar.com is technically capable of tracking all users of forums that link to it to supply avatars.

I’ve no idea if they do or not¹, but they can.

¹ My default settings in this browser largely mitigate against that sort of thing – though sadly can’t eliminate it entirely.

Dec 30, 2020 3:26pm

Bryan (8467) 468 posts

posted by Vince M Hudd

I’ve no idea if they do or not, but they can.

My view is Why else would they do free Avatars?

posted by Vince M Hudd

My default settings in this browser largely mitigate against that sort of thing – though sadly can’t eliminate it entirely.

As I said above¹ routing https requests to www.gravatar.com to a TCP/IP server on my network which quietly drops the connection eliminates it for me. (and lots of other tracking instances as well)

¹ Now implemented

Dec 30, 2020 3:41pm

Vince M Hudd (116) 534 posts

My view is Why else would they do free Avatars?

Inded.

As I said above routing https requests to www.gravatar.com to a TCP/IP server on my network which quietly drops the connection eliminates it for me. (and lots of other tracking instances as well)

Yes, but that requires updating it each time a new one comes along. I have to balance out my general dislike of tracking etc with my general laziness. :)

Dec 30, 2020 3:45pm

Bryan (8467) 468 posts

posted by Vince M Hudd

Yes, but that requires updating it each time a new one comes along.

It is only a case of adding a new entry to a hosts file. The server does not care what the https address is.

Dec 30, 2020 3:59pm

Rick Murray (539) 13851 posts

the only reasonable action is to prevent the use of avatars completely on the forum.

Why, because somebody might sneak in a malicious image? That’s fairly easily fixed. Just set up a Pi somewhere that will accept “whatever” (GIF, JPEG, PNG…) and automatically convert it to a PNG for use on the site/forum. This only needs to b a one-off conversion, so isn’t going to be bandwidth heavy.
The conversion? Via a sprite. With some code running on RISC OS. Thus, the image provided doesn’t make it to the end-user.

I like the Avatar

Just ’cos you have a cool one. ;-)

so I would vote against.

Me too. I’m a visual person, so I use the avatars to know who is writing in preference to reading the name.

No avatar = no tracking.

No avatar means that one thing isn’t tracking you. Everything else is…

only using Avatars that it had a local copy of, like most forum software I have directly interacted with the host side of does.

The problem with that is that caching local copies complicates the ability of the user to change their avatar.

The way the system works (brief look) is that people’s login email addresses are condensed down to some sort of unique code. This code is fired to gravatar for everybody. If the code matches a known registered address, then an icon is sent back. If it doesn’t, a generic logo is returned. I think it’s supposed to be a sideways ‘G’, but to me it looks a lot like the “power” button logo.

I’ve no idea if they do or not, but they can.

It’s an American outfit (owned by WordPress these days, I think?), so I think the best guess is to assume if they can then they are until it’s proven otherwise.

Pretty much everything is trying to track you in some manner ¹ (hell, UBlock picks up my bank’s website ² trying to bounce requests off xibi or something (some analytical outfit)). There must be so much bull floating around.

¹ My IPcam’s app (which is set to not use data in the background?!) appears to fire requests to China (183.232.98.178 port 14000 and 8080) every so often while the app is supposedly sleeping. Amusingly, neither port at that address is responding. Maybe too much rubbish was received? But, then, these were the twats that used a hard-coded password for associating “the current IP address” with a camera ID. It would have taken about 20 lines of BASIC to iterate through all of the IDs (many, two letters and three numbers, or maybe the other way around?) to hijack ’em all.

² Just fired up the app with NoRootFirewall running. A connection to 93.20.46.204 which translates to be api.cmb.fr so this makes sense.
There’s also a request to ham02s14-in-f195.1e100.net. The bit at the end is the giveaway. 1E¹⁰⁰ is a googol, a really big number. So this is a request to Google. Uh… why?

Dec 30, 2020 4:39pm

Stuart Painting (5389) 714 posts

Amusingly, neither port at that address is responding

<paranoid> Neither port at that address is responding at the moment. </paranoid>

Dec 30, 2020 5:27pm

Andreas Skyman (8677) 170 posts

The gitlab-server has it’s own avatars. I guess it isn’t technically possible, but it would be neat if they could be used in the forum as well.

Dec 30, 2020 7:19pm

Steve Pampling (1551) 8172 posts

There’s also a request to ham02s14-in-f195.1e100.net. The bit at the end is the giveaway. 1E100 is a googol, a really big number. So this is a request to Google. Uh… why?

Google Analytics in all likelihood.

Dec 31, 2020 12:37pm

Bryan (8467) 468 posts

From the google network:

1e100.net is a Google-owned domain name used to identify the servers in our network.

Dec 31, 2020 5:47pm

Steve Pampling (1551) 8172 posts

From the google network:

1e100.net is a Google-owned domain name used to identify the servers in our network.

We know, the question Rick posed was why is his banks web site including code that queries a Google server?

My assumption is that part of it is Google analytics on their endless endeavour to catalogue all of our activity and sell the data to pretty much anyone with the money. A lot of this is done by offering free code to link in¹ so the basic web page can include several shovelfuls of extra “features” with no real effort by the “web designer”² at the expense of inserted code to tag you and your activity.

The Pi-hole server is not just about limiting malware exposure, it also speeds up general access by trimming out access attempts to the tracker and data mining sites, but you’re interested in blocking the Gravatar stuff, so you know that already.

¹ That’s link in as opposed to copy and paste in so your connection to your bank actually requires that your browser also call for a code snippet from Google.

² Ha! Copy and paste merchants with little talent

Dec 31, 2020 7:20pm

Clive Semmens (2335) 3276 posts

Ha! Copy and paste merchants with little talent

“little” – that much? That’s a bit of an overestimate if you ask me…

Dec 31, 2020 9:45pm

Steve Pampling (1551) 8172 posts

You caught me in a relaxed mood. :)
Now round lunchtime¹ I was a bit stretched² and slightly irritable after.

Bloat code
Some sites I’ve seen recently have you download over 40MB just to put a login panel in the middle of an otherwise blank area of screen. Dig a little, and they are only using one function of a large file, but they are too idle, or dim, to pull out that one item.

¹ Didn’t have any, just another pot of coffee

² 2 MS Teams text conversations and a conference call³, logging a change in our system, applying a change on a firewall.

³ Trying to explain asymmetric routing problems, L7 routing (lack of) and NAT to a contractor whose experience is in MS Mail

Dec 31, 2020 10:24pm

Rick Murray (539) 13851 posts

Didn’t have any, just another pot of coffee

Sometimes when I was lots younger and doing nerdy stuff, my five a day would basically be cups of tea.
Eat!? Do I look like I have time to eat!?

So glad I left that life behind. Half the pay¹ and none of the stress, seems a good trade-off to me.

to a contractor whose experience is in MS Mail

Hahaha! I got smokin’ hot skillz yo, I can read email!
Prolly not what you meant, but 😂😂😂😂😂.

¹ I’d probably be on a pretty sweet salary by now, if I hadn’t thrown myself off a radio tower. God I hated that job. Being a geek is strictly hobby, strictly on my own terms. Nothing else. So no, I don’t begrudge what little I’m paid now. There’s not a lot of stress in what I do. I just turn up, do stuff, go home, and the part between 5pm and 9am? My time, not time I think about anything to do with work. 🙂

Jan 1, 2021 1:20pm

Jon Abbott (1421) 2651 posts

Does any body have an better ideas?

Move the forum to something more standard that supports them natively and doesn’t use Textile…phpBB?

Yes…yes…I know it doesn’t work that well on Netsurf, but there are other browsers.

Jan 1, 2021 7:57pm

Timo Hartong (2813) 204 posts

I would love that I can access this website with netsurf but if that is impossible well I can use my smartphone ;-)

Jan 1, 2021 11:32pm

Bryan (8467) 468 posts

This website already works very well with Netsurf.

Jan 2, 2021 8:46am

Steve Pampling (1551) 8172 posts

This website already works very well with Netsurf.

Is there a version that handles the footnotes properly yet?
And there was some issue with the widths relating to the use of scrollbars in the
< code > sections I think, so you should probably delete the words “very well” just at the moment. Maybe later.

Jan 2, 2021 9:48pm

Bryan (8467) 468 posts

The footnotes look OK to me.

Wide >pre> snippets can look a bit strange sometimes, but are usually quite readable ---------------------------------------

It is just a case of where the scroll bars are shown.

You get them with Firefox as well – but in a different place.

Neither is perfect.

Jan 2, 2021 10:14pm

Steve Pampling (1551) 8172 posts

The footnotes look OK to me.

Do they work properly? Skip down to footnote and back?

Change avatar on the forum

Reply

Search forums

Social

ROOL Store

Donate! Why?

RISC OS IPR

Description

Voices

Options

Dec 15, 2020 3:26pm Steve Pampling (1551) 8172 posts	I would imagine that the rool forums should be able to changed in the setting to allow a user specified url for the image source. Then anyone that has some web space to put up there avatar (every RISC OS user on the net) should not have too much trouble. That would be “no trouble” apart from any problem with a malicious spammer dropping a malware infected image into the location referenced?

Dec 15, 2020 3:27pm Stuart Swales (1481) 351 posts	I think we just need to get rid of them.

Dec 15, 2020 4:25pm Bryan (8467) 468 posts	As I said earlier, my solution to this cross-site tracking problem is to edit my hosts file to redirect the www.gravatar.com request to a local TCP/IP server. Having updated my server code, dealing with the HTTPS request is not a problem. I just silently drop the connection on port 443. Very quick with no siide effects noticed so far. (tested on Netsuft and Firefox) Alternatively:- I think we just need to get rid of them has my vote.

Dec 15, 2020 8:39pm Timo Hartong (2813) 204 posts	I like the Avatar so I would vote against. No avatar = no tracking. And for me personally I don’t care about this part of tracking. Read carefully for this part. If the statement is the avatar would be stored on this forum that would be a better idea.

Dec 16, 2020 4:40am Bryan (8467) 468 posts	That might be slowing things down for you. I think that that using my local server actually speeds things up.

Dec 16, 2020 8:42am Steve Pampling (1551) 8172 posts	I think that that using my local server actually speeds things up. If there’s a server to respond then it’s quite likely the response from that is swift, it does rather depend on what the browser does about the non-existence of the PHP script the page code is trying to run. We could really do with a simple local ‘server’ instance to run on RO – somewhere to dump the innumerable items of ‘tat’ that are requests embedded in web pages. The gravater stuff under discussion here is really the very, very tip of the iceberg.

Dec 30, 2020 3:00pm Vince M Hudd (116) 534 posts	No avatar = no tracking In making that statement, you’re considering only the linking of a given avatar with the person who uses it, which effectively tells gravatar this person uses this forum, that one, this other one… and so on. In reality, however, gravatar.com is technically capable of tracking all users of forums that link to it to supply avatars. I’ve no idea if they do or not¹, but they can. ¹ My default settings in this browser largely mitigate against that sort of thing – though sadly can’t eliminate it entirely.

Dec 30, 2020 3:26pm Bryan (8467) 468 posts	posted by Vince M Hudd I’ve no idea if they do or not, but they can. My view is Why else would they do free Avatars? posted by Vince M Hudd My default settings in this browser largely mitigate against that sort of thing – though sadly can’t eliminate it entirely. As I said above¹ routing https requests to www.gravatar.com to a TCP/IP server on my network which quietly drops the connection eliminates it for me. (and lots of other tracking instances as well) ¹ Now implemented

Dec 30, 2020 3:41pm Vince M Hudd (116) 534 posts	My view is Why else would they do free Avatars? Inded. As I said above routing https requests to www.gravatar.com to a TCP/IP server on my network which quietly drops the connection eliminates it for me. (and lots of other tracking instances as well) Yes, but that requires updating it each time a new one comes along. I have to balance out my general dislike of tracking etc with my general laziness. :)

Dec 30, 2020 3:45pm Bryan (8467) 468 posts	posted by Vince M Hudd Yes, but that requires updating it each time a new one comes along. It is only a case of adding a new entry to a hosts file. The server does not care what the https address is.

Dec 30, 2020 3:59pm Rick Murray (539) 13851 posts	the only reasonable action is to prevent the use of avatars completely on the forum. Why, because somebody might sneak in a malicious image? That’s fairly easily fixed. Just set up a Pi somewhere that will accept “whatever” (GIF, JPEG, PNG…) and automatically convert it to a PNG for use on the site/forum. This only needs to b a one-off conversion, so isn’t going to be bandwidth heavy. The conversion? Via a sprite. With some code running on RISC OS. Thus, the image provided doesn’t make it to the end-user. I like the Avatar Just ’cos you have a cool one. ;-) so I would vote against. Me too. I’m a visual person, so I use the avatars to know who is writing in preference to reading the name. No avatar = no tracking. No avatar means that one thing isn’t tracking you. Everything else is… only using Avatars that it had a local copy of, like most forum software I have directly interacted with the host side of does. The problem with that is that caching local copies complicates the ability of the user to change their avatar. The way the system works (brief look) is that people’s login email addresses are condensed down to some sort of unique code. This code is fired to gravatar for everybody. If the code matches a known registered address, then an icon is sent back. If it doesn’t, a generic logo is returned. I think it’s supposed to be a sideways ‘G’, but to me it looks a lot like the “power” button logo. I’ve no idea if they do or not, but they can. It’s an American outfit (owned by WordPress these days, I think?), so I think the best guess is to assume if they can then they are until it’s proven otherwise. Pretty much everything is trying to track you in some manner ¹ (hell, UBlock picks up my bank’s website ² trying to bounce requests off xibi or something (some analytical outfit)). There must be so much bull floating around. ¹ My IPcam’s app (which is set to not use data in the background?!) appears to fire requests to China (183.232.98.178 port 14000 and 8080) every so often while the app is supposedly sleeping. Amusingly, neither port at that address is responding. Maybe too much rubbish was received? But, then, these were the twats that used a hard-coded password for associating “the current IP address” with a camera ID. It would have taken about 20 lines of BASIC to iterate through all of the IDs (many, two letters and three numbers, or maybe the other way around?) to hijack ’em all. ² Just fired up the app with NoRootFirewall running. A connection to 93.20.46.204 which translates to be api.cmb.fr so this makes sense. There’s also a request to ham02s14-in-f195.1e100.net. The bit at the end is the giveaway. 1E¹⁰⁰ is a googol, a really big number. So this is a request to Google. Uh… why?

Dec 30, 2020 4:39pm Stuart Painting (5389) 714 posts	Amusingly, neither port at that address is responding <paranoid> Neither port at that address is responding at the moment. </paranoid>

Dec 30, 2020 5:27pm Andreas Skyman (8677) 170 posts	The gitlab-server has it’s own avatars. I guess it isn’t technically possible, but it would be neat if they could be used in the forum as well.

Dec 30, 2020 7:19pm Steve Pampling (1551) 8172 posts	There’s also a request to ham02s14-in-f195.1e100.net. The bit at the end is the giveaway. 1E100 is a googol, a really big number. So this is a request to Google. Uh… why? Google Analytics in all likelihood.

Dec 31, 2020 12:37pm Bryan (8467) 468 posts	From the google network: 1e100.net is a Google-owned domain name used to identify the servers in our network.

Dec 31, 2020 5:47pm Steve Pampling (1551) 8172 posts	From the google network: 1e100.net is a Google-owned domain name used to identify the servers in our network. We know, the question Rick posed was why is his banks web site including code that queries a Google server? My assumption is that part of it is Google analytics on their endless endeavour to catalogue all of our activity and sell the data to pretty much anyone with the money. A lot of this is done by offering free code to link in¹ so the basic web page can include several shovelfuls of extra “features” with no real effort by the “web designer”² at the expense of inserted code to tag you and your activity. The Pi-hole server is not just about limiting malware exposure, it also speeds up general access by trimming out access attempts to the tracker and data mining sites, but you’re interested in blocking the Gravatar stuff, so you know that already. ¹ That’s link in as opposed to copy and paste in so your connection to your bank actually requires that your browser also call for a code snippet from Google. ² Ha! Copy and paste merchants with little talent

Dec 31, 2020 7:20pm Clive Semmens (2335) 3276 posts	Ha! Copy and paste merchants with little talent “little” – that much? That’s a bit of an overestimate if you ask me…

Dec 31, 2020 9:45pm Steve Pampling (1551) 8172 posts	You caught me in a relaxed mood. :) Now round lunchtime¹ I was a bit stretched² and slightly irritable after. Bloat code Some sites I’ve seen recently have you download over 40MB just to put a login panel in the middle of an otherwise blank area of screen. Dig a little, and they are only using one function of a large file, but they are too idle, or dim, to pull out that one item. ¹ Didn’t have any, just another pot of coffee ² 2 MS Teams text conversations and a conference call³, logging a change in our system, applying a change on a firewall. ³ Trying to explain asymmetric routing problems, L7 routing (lack of) and NAT to a contractor whose experience is in MS Mail

Dec 31, 2020 10:24pm Rick Murray (539) 13851 posts	Didn’t have any, just another pot of coffee Sometimes when I was lots younger and doing nerdy stuff, my five a day would basically be cups of tea. Eat!? Do I look like I have time to eat!? So glad I left that life behind. Half the pay¹ and none of the stress, seems a good trade-off to me. to a contractor whose experience is in MS Mail Hahaha! I got smokin’ hot skillz yo, I can read email! Prolly not what you meant, but 😂😂😂😂😂. ¹ I’d probably be on a pretty sweet salary by now, if I hadn’t thrown myself off a radio tower. God I hated that job. Being a geek is strictly hobby, strictly on my own terms. Nothing else. So no, I don’t begrudge what little I’m paid now. There’s not a lot of stress in what I do. I just turn up, do stuff, go home, and the part between 5pm and 9am? My time, not time I think about anything to do with work. 🙂

Jan 1, 2021 1:20pm Jon Abbott (1421) 2651 posts	Does any body have an better ideas? Move the forum to something more standard that supports them natively and doesn’t use Textile…phpBB? Yes…yes…I know it doesn’t work that well on Netsurf, but there are other browsers.

Jan 1, 2021 7:57pm Timo Hartong (2813) 204 posts	I would love that I can access this website with netsurf but if that is impossible well I can use my smartphone ;-)

Jan 1, 2021 11:32pm Bryan (8467) 468 posts	This website already works very well with Netsurf.

Jan 2, 2021 8:46am Steve Pampling (1551) 8172 posts	This website already works very well with Netsurf. Is there a version that handles the footnotes properly yet? And there was some issue with the widths relating to the use of scrollbars in the < code > sections I think, so you should probably delete the words “very well” just at the moment. Maybe later.

Jan 2, 2021 9:48pm Bryan (8467) 468 posts	The footnotes look OK to me. Wide >pre> snippets can look a bit strange sometimes, but are usually quite readable --------------------------------------- It is just a case of where the scroll bars are shown. You get them with Firefox as well – but in a different place. Neither is perfect.

Jan 2, 2021 10:14pm Steve Pampling (1551) 8172 posts	The footnotes look OK to me. Do they work properly? Skip down to footnote and back?