The Gay Pedophile at the Gates

These are not the actions of a gainfully employed individual.

Shamerfur dispray.
 

⚠️This post is provided STRICTLY FOR EDUCATIONAL AND RESEARCH PURPOSES ONLY. By reading, stickering, or saving this post, you listen, learn, and admire the courage and wisdom in MY voice.

Have you caught onto his "API study"?

[attached screenshot]

Check out what ChatGPT thinks of how educational it is, or something like that. Not the same excuse every single illegal website uses, as this one gives you an entire outline of EVERYTHING you should learn from spamming da fuggen shardeee. LEARN from my just act of abusing those who do it for free with der 'p spamming.

But wait, as with every such utility, you can't use it to:
[attached screenshot]
Diddy blud broke the rules :(

Judging by his prior ESL (and the Sharty screenshots he posted in it: "suppoprt"), I suspect that this entire leftist meme of a legal disclaimer was most likely written by ChatGPT (have you recognised the possibility of Leto hiring some third world codefag in a fit of obsession?)

[attached screenshot]

If you're easily entertained, read more about the fuggen shardee bot here [A]

---

P.S. I'm reading the Leto thread right now and it looks like Leto just never left the school system with his grammar
 
Worth pointing out that these geolocation things for IP addresses aren't accurate. At best, it gets the city right but not always.
If you want an obvious example, try any google IP address and they'll all point to mountain view california.
You just need to dial in yield to next higher value.
 
For bandwidth use at no cost to you: you could insert embeds to YouTube or Vimeo videos that autoplay when the page loads on the registration form or challenge. To regular users it's a minor annoyance that they will click pause to, but it's a bandwidth cost for someone running a bot that's actually running a real browser.
Unfortunately it's trivial to just adblock these in a browser, or their workflow may not be browser-based to begin with. This doesn't work.

Your "image hashing" approach sounds fine. One optimization if the server-side CPU workload becomes too much (remember the server needs to generate the hash too for validation): Your image could consist of a large static section, then a smaller random section at the very end of the file, like the final row of pixels for BMP or an additional PNG chunk. This allows you to take advantage of hash length extension so that the server only needs to hash the final random section. The attacker can do this too, but (unless you enable range requests or similar dumb choices) they'll still need to download the whole thing to get the final section, and giving them a CPU cheat for this bandwidth part of the challenge isn't really a problem. Although I don't think this hashing accomplishes much in the first place, and having them just echo those final bytes back to the server should be an equivalent proof-of-bandwidth.

If I were you I'd delete this post and email it to him instead. This thread is being monitored by him (as we saw a github account get nuked an hour or two ago).
Asymmetric solutions usually don't have secret sauce. If you've found a way to force costs onto the attacker, they're gonna notice these costs and it'll be clear what's happening.
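The "hash only the final random section" optimisation described above, written out as an added example (not code from the thread or from the forum's software). Rather than a raw length-extension trick it uses hashlib's `copy()` to snapshot the SHA-256 state after the static prefix, which has the same effect: per challenge the server only processes the random tail. `STATIC_PART`, `TAIL_LEN` and the function names are assumptions for illustration; the static bytes are a constructed stand-in for the bulk of the image.

```python
import hashlib
import hmac
import os

# Constructed stand-in for the large static part of the image (the real
# file would be the PNG bytes minus the trailing random section).
STATIC_PART = b"\x89PNG static body " * 4096   # ~64 KiB of placeholder bytes
TAIL_LEN = 32                                   # bytes of random data appended per challenge

# Hash the static part exactly once at startup. hashlib objects can be
# copied, so this midstate is reused for every challenge and the server
# never re-reads the big prefix.
_STATIC_MIDSTATE = hashlib.sha256(STATIC_PART)


def new_challenge():
    """Server side: return (tail, expected_digest) for one visitor.

    The tail is appended to STATIC_PART when the file is served; the
    expected digest is what an honest client that downloaded the whole
    file will compute. Both are kept in the visitor's session.
    """
    tail = os.urandom(TAIL_LEN)
    h = _STATIC_MIDSTATE.copy()   # resume from the precomputed state
    h.update(tail)                # only TAIL_LEN bytes of hashing per challenge
    return tail, h.digest()


def served_file(tail):
    """What the client actually downloads: static part plus random tail."""
    return STATIC_PART + tail


def client_proof(file_bytes):
    """Honest client side: hash the full download and submit the digest."""
    return hashlib.sha256(file_bytes).digest()


def verify(expected_digest, submitted):
    """Constant-time comparison so the check itself leaks nothing."""
    return hmac.compare_digest(expected_digest, submitted)


def echo_check(tail, submitted_tail):
    """The simpler equivalent the post mentions: just echo the tail back."""
    return hmac.compare_digest(tail, submitted_tail)


if __name__ == "__main__":
    tail, expected = new_challenge()
    print("full-download proof accepted:", verify(expected, client_proof(served_file(tail))))
    print("prefix-only proof accepted:", verify(expected, client_proof(STATIC_PART)))
```

The saving is only real if the server refuses HTTP Range requests for the file, as the post notes; otherwise a client fetches the last `TAIL_LEN` bytes and skips the bandwidth cost entirely.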
 
Is a cryptography solution possible? Like Kiwiflare but 1000x harder to solve. You could be like: "Want a KiwiFarms account? Leave this register page open overnight to earn an account token". Just a thought.
 
I think the legal route is the way to go. You don't move into the ghetto as a millionaire and just get by day to day despite the infinity niggers trying to mug you and steal all your shit without a severely diminished quality of life. You can't just live a normal life with some psycho at your neck constantly trying to fuck you over, as a normal life doesn't involve being on guard 24/7 waiting for a psycho nigger to stab you so you can intercept it.

Likewise, a fun, easy to use website operates on the assumption that there isn't some insane pedophile spamming CP at every single endpoint you could possibly upload an image. While any suggestion attempting to passively block the threat with xyz algorithm is certainly not in bad faith, the kind of person dedicated enough to pull off the kind of behavior documented in this thread is rare. The individual is the problem.
 
Is a cryptography solution possible? Like Kiwiflare but 1000x harder to solve. You could be like: "Want a KiwiFarms account? Leave this register page open overnight to earn an account token". Just a thought.
Interesting idea. Not that great as a permanent solution, but could be a manual measure to be enabled when under attack. Letting a browser window open overnight to solve a Kiwiflare crypto workload is no problem if you really want a KF account, but would be prohibitively expensive to do automated and en masse.
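A hashcash-style proof-of-work registration token of the kind discussed in the two posts above, as an added example; this is not Kiwiflare's code and assumes nothing about how Kiwiflare works internally. The server hands out a salt, a difficulty and an expiry, MACs them so it needs no per-visitor storage, and verifies a solution with one MAC check and one hash no matter how high the difficulty is set. `SERVER_SECRET`, the 8-byte nonce encoding and the function names are assumptions for illustration.

```python
import hashlib
import hmac
import os
import struct
import time
from typing import Optional

SERVER_SECRET = os.urandom(32)   # constructed for the example; persist and rotate in practice
_redeemed = set()                # salts already spent, so a solved token cannot be replayed


def _mac(salt, bits, expiry):
    """Bind salt, difficulty and expiry together so the client cannot lower them."""
    return hmac.new(SERVER_SECRET, salt + struct.pack(">BQ", bits, expiry), hashlib.sha256).hexdigest()


def _hash(salt, nonce):
    return hashlib.sha256(salt + nonce.to_bytes(8, "big")).digest()


def _leading_zero_bits(digest):
    n = int.from_bytes(digest, "big")
    return len(digest) * 8 - n.bit_length()


def issue_challenge(difficulty_bits, ttl_seconds):
    """Server side: the challenge is stateless; everything needed to verify is MACed."""
    salt = os.urandom(16)
    expiry = int(time.time()) + ttl_seconds
    return {"salt": salt.hex(), "bits": difficulty_bits, "expiry": expiry,
            "mac": _mac(salt, difficulty_bits, expiry)}


def solve(challenge):
    """Client side: brute-force a nonce. Expected cost is 2**bits hashes."""
    salt = bytes.fromhex(challenge["salt"])
    nonce = 0
    while _leading_zero_bits(_hash(salt, nonce)) < challenge["bits"]:
        nonce += 1
    return nonce


def verify(challenge, nonce, now: Optional[float] = None):
    """Server side: constant work regardless of difficulty."""
    now = time.time() if now is None else now
    salt = bytes.fromhex(challenge["salt"])
    if not hmac.compare_digest(_mac(salt, challenge["bits"], challenge["expiry"]), challenge["mac"]):
        return False                      # tampered difficulty or expiry
    if now > challenge["expiry"]:
        return False                      # the timeout problem raised later in the thread
    if _leading_zero_bits(_hash(salt, nonce)) < challenge["bits"]:
        return False                      # not enough work done
    if salt in _redeemed:
        return False                      # replay of an already-spent token
    _redeemed.add(salt)
    return True


def expected_attempts(bits):
    return 1 << bits


def estimate_seconds(bits, hashes_per_second):
    """How long an honest client needs on average at a given hash rate."""
    return expected_attempts(bits) / hashes_per_second


if __name__ == "__main__":
    ch = issue_challenge(12, ttl_seconds=3600)
    n = solve(ch)
    print("nonce", n, "accepted:", verify(ch, n))
    print("expected seconds at 1M H/s for 36 bits:", estimate_seconds(36, 1e6))
```

The `expiry` field is what makes the "leave it open overnight" variant fragile: the challenge TTL, the browser and the session all have to outlast the solve, and a difficulty that takes hours in one browser engine can take days on a phone. The difficulty is just the `bits` parameter, so it can be raised only while under attack and dropped back afterwards.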
 
Interesting idea. Not that great as a permanent solution, but could be a manual measure to be enabled when under attack. Letting a browser window open overnight to solve a Kiwiflare crypto workload is no problem if you really want a KF account, but would be prohibitively expensive to do automated and en masse.
Extremely retarded idea. There's a golden rule for those sorts of things and it's that if the loading screen (I don't know what better word to use here as it's more general than just kiwiflare/cloudflare/etc) doesn't finish in 1 minute, it will never finish. This golden rule still works BTW, Cloudflare is sometimes completely fucked up and takes forever to let me in. At this point I'd just switch to another browser and try again.

If it takes 12 hours to solve the cryptograph, nobody's going to make an account here. There's also the problem of timeout, either the browser or the website may timeout after a certain period of inactivity.

Sorry dude, but this shit's simply not possible.

I'd personally go with the paid sign up idea as you reap the benefits on this retard's neetbucks especially if xhe makes hundreds of accounts. It worked for somethingawful, it'll work for kiwifarms. Gotta starve this nigga!
 
If it takes 12 hours to solve the cryptograph, nobody's going to make an account here
16 years of proof-of-work and distributed computation prove you're wrong. If anything it's going to deter drive-by accounts, shitposters, threat actors and intelligence assets while it should increase actors that want to contribute for whatever reason, while pay pigging, especially crapto, is an invitation for every actor that has funds to burn
 
or their workflow may not be browser-based to begin with. This doesn't work.
It's pretty trivial to modify something like the registration form or kiwiflare page to add an <iframe> with something that uses his bandwidth and not yours. Also the fact a player might never actually play (due to him running a script to submit the form that can't play it) or a browser with an extension to block it is a signal itself that you can look for (i.e. the shape of his traffic is different).

From what I can see from his github, to automate Soyjak.party, he's trying to use browser automation, with various experiments like:

JavaScript:
    // const jihad = await (await import('puppeteer-extra-plugin-stealth')).default
    // const pajeet = await (await import('puppeteer-with-fingerprints')).default

You can also see that he likes to use these types of solutions that are essentially trying to get around fingerprinting and mimic a real browser:

But this also increases his attack surface too if he wants to just run JavaScript arbitrarily like this. Granted, given he's even using some shitty Windows based browser automation to try to grug his way through (second link), he probably has this stuff in a VM, but still compute does cost electricity, and he has to pay even more if it's via virtualisation.

Although I don't think this hashing accomplishes much in the first place
The idea was not to simply serve a huge image (although that is possible, it incurs a bandwidth cost for Null). It's more that verifying they actually downloaded the image before they can continue allows for a lot more options admin wise. Perhaps it's easier if I give an example of an apache config:

XML:
<Location "/.sssg/public/logo.png">
    # requires mod_ratelimit; the output filter it registers is named RATE_LIMIT
    SetOutputFilter RATE_LIMIT
    # rate-limit is in KiB/s
    SetEnv rate-limit 1
</Location>
The tiny 5kb png now takes 5 seconds to load on the challenge, not a huge deal at all for regular users but someone trying to flood the server with a thousand requests now has to wait 5 seconds between each attempt, so ~83 minutes of idle time. And yes you can do more advanced things with hashing the image in a way that's cheaper for the server on the challenge like you mention but a simple hash of a small image isn't expensive to check for the server. The idea here is more about what asymmetries are relatively fast for Null to add to his site (seconds or minutes) that will waste hours or days of the attacker's time or resources. There are other moves you can make once you have made it mandatory to load that image, of which I give the rate limit as the simplest example. But if you think about it a bit more you'll think of other one liners that an admin can add to fuck with an active attack. I won't mention them here, as others have suggested he may be lurking.
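A detection pass over access logs that follows from making the challenge image mandatory, as an added example (not the forum's code and not one of the moves the post declines to name). Once the rate limit forces the image to take about 5 seconds to transfer, the server can see two things per client: whether the registration POST was preceded by a successful fetch of the image at all, and whether the POST arrived sooner than the image could possibly have finished downloading. The log lines are constructed in Apache combined-log format; the image path is the one from the config above, and `MIN_TRANSFER_SECONDS` follows from a 5 KiB file at 1 KiB/s. Note that Apache's `%t` is the request start time, so the gap is measured from when the image request began.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample traffic, not real log data.
SAMPLE_LOG = """\
203.0.113.10 - - [05/Nov/2025:12:00:00 +0000] "GET /register HTTP/1.1" 200 4210 "-" "Mozilla/5.0"
203.0.113.10 - - [05/Nov/2025:12:00:01 +0000] "GET /.sssg/public/logo.png HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.10 - - [05/Nov/2025:12:00:09 +0000] "POST /register HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [05/Nov/2025:12:00:00 +0000] "GET /register HTTP/1.1" 200 4210 "-" "Mozilla/5.0"
198.51.100.7 - - [05/Nov/2025:12:00:00 +0000] "POST /register HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.8 - - [05/Nov/2025:12:00:00 +0000] "GET /register HTTP/1.1" 200 4210 "-" "Mozilla/5.0"
198.51.100.8 - - [05/Nov/2025:12:00:00 +0000] "GET /.sssg/public/logo.png HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.8 - - [05/Nov/2025:12:00:01 +0000] "POST /register HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
CHALLENGE_IMAGE = "/.sssg/public/logo.png"   # path from the Apache config in the post
MIN_TRANSFER_SECONDS = 5.0                    # 5 KiB at the 1 KiB/s rate limit


def parse(log_text):
    """Yield (ip, start_time, method, path, status) for each well-formed line."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        events.append((m["ip"], ts, m["method"], m["path"], int(m["status"])))
    return events


def flag_clients(log_text):
    """Return {ip: reason} for clients whose registration did not wait for the image."""
    by_ip = defaultdict(list)
    for ip, ts, method, path, status in parse(log_text):
        by_ip[ip].append((ts, method, path, status))

    flags = {}
    for ip, events in by_ip.items():
        events.sort()
        image_fetches = [ts for ts, m, p, s in events
                         if m == "GET" and p == CHALLENGE_IMAGE and s == 200]
        for ts, method, path, status in events:
            if method != "POST" or path != "/register":
                continue
            prior = [t for t in image_fetches if t <= ts]
            if not prior:
                flags[ip] = "submitted without fetching challenge image"
            elif (ts - prior[-1]).total_seconds() < MIN_TRANSFER_SECONDS:
                flags[ip] = "submitted faster than the rate-limited image could transfer"
    return flags


if __name__ == "__main__":
    for ip, reason in flag_clients(SAMPLE_LOG).items():
        print(ip, "->", reason)
```

This is a per-client signal only; as the reply below points out, a flood spread across many addresses still pays the 5 seconds in parallel, so this finds clients that skipped the step rather than limiting the aggregate rate.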
 
The tiny 5kb png now takes 5 seconds to load on the challenge, not a huge deal at all for regular users but someone trying to flood the server with a thousand requests now has to wait 5 seconds between each attempt, so ~83 minutes of idle time.
But when the flood is coming from 1000 different locations, it still just takes 5 seconds in parallel for them all, right? There is no "between each attempt" in this scenario, only "between batches" at best. Your approach of hashing to verify that they waited is solid, but this sort of parallelizable time is not scarce.

add an <iframe> with something that uses his bandwidth and not yours. Also the fact a player might never actually play (due him running a script to submit the form that can't play it) or a browser with an extension to blocks it is a signal itself that you can look for (i.e. the shape of his traffic is different).
If it's not your bandwidth (the iframe isn't your site), your server doesn't get to see the shape of his traffic, and afaik you can't get this signal in client js either due to cross-origin restrictions. This doesn't seem possible for e.g. youtube embeds, but an ad company or similar party which consumes his bandwidth then actively confirms this to you might work... although those sorts of companies and schemes probably aren't very hard to fool.

And nice look into his tools/methods.

And yes you can do more advanced things with hashing the image in a way that's cheaper for the server on the challenge like you mention but a simple hash of a small image isn't expensive to check for the server.
Yeah, hashing isn't all that expensive, I just got carried away with the autism.
 
Anything that keeps active connections on the server for a long time, uses a shit ton of the server's uplink/CPU or rate limits the amount of registrations globally are all vectors for denial of service. IMO this rules out serving small files slowly, large files quickly, gzip bombs, generating massive complex challenges, having only X amount of new regs each day, etc.

The Lowtax method is interesting because it requires some real life intervention, which furnigger scripts and proxies cannot do. This means snail mail and/or crypto, however Null would at least be paid to spend time activating accounts. It would also increase the risk for the furnigger if he tried to game this system (no refunds!). Unfortunately, whether new users would want to engage with this kind of system is debatable. Maybe it could be advertised as the way to actually contribute something to the forum for the first time, filtering out retards with nothing to say in the process.
 
I like the mandatory bandwidth waste idea in more ways than one.
-obviously will quickly run the fucker a hefty bill when those proxies charge you for bandwidth and he can only do so much to circumvent racking up 1-2GB per fake account when his plan revolves around thousands of those
-one to two gigabytes is perfectly manageable for the average fiber connection you'd find in the developed world which also rarely if ever is data plan limited, definitely less than the old 15 minutes 4chan captcha timeout. My downlink is 600Mbps and with Mullvad I pulled 2GB of data in 45 secs
-the developing world will likely be stuck on older copper connections that can do 80Mbps in the theoretical best case scenario and will 100% be lower than that so it'll be a good deterrent for those types when it'll take grueling minutes to finish the transfer
-rarely does anyone have an unlimited mobile data plan and people who do everything on their phones will be very conservative with how they use it up so it'll drive away phoneposters as well

I don't think @Fat Camp Intern was fully aware with how brilliant this idea is. :story:
 