flat assembler
Message board for the users of flat assembler.

Index > Heap > polling deas, how to verify desktop screenshots

revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 17280
Location: In your JS exploiting you and your system
revolution
sleepsleep wrote:
- is it possible to get same hash? idk, in case we got the exact same hash, we could say content is verified,
Here also the answer is no. Even if the user has the same resolution and view window size, different browsers give different results in the rendering engine output. Plus the fact that you can't trust the user's computer, you have no control over what software is running.
Post 12 Jul 2016, 01:16
sleepsleep



Joined: 05 Oct 2006
Posts: 8904
Location: ˛                             ⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣Posts: 334455
sleepsleep
revolution wrote:
sleepsleep wrote:
- is it possible to get same hash? idk, in case we got the exact same hash, we could say content is verified,
Here also the answer is no. Even if the user has the same resolution and view window size, different browsers give different results in the rendering engine output. Plus the fact that you can't trust the user's computer, you have no control over what software is running.


how about providing them with same virtualbox machine os file?
Post 12 Jul 2016, 03:13
revolution
sleepsleep wrote:
how about providing them with same virtualbox machine os file?
That doesn't help, because you can't trust the user's machine. A user can modify the VM. VMs are not secured against the user.
Post 12 Jul 2016, 03:24
YONG



Joined: 16 Mar 2005
Posts: 8000
Location: 22° 15' N | 114° 10' E
YONG
sleepsleep wrote:
- is it possible to get same hash?
My method would not work (at least in a secure manner) if the hashing is done on the client side. As pointed out by revolution, we have no control over the client's PC. The user could use reverse engineering, debugger, virtual box, and so on, to find out the inner workings of the application.

Issues with resolution, window size, and things like that can be easily solved by having a Settings page upfront. Once logged in, the user will have the option to adjust the settings before proceeding further. The application on the server side will then perform the hashing accordingly.

Wink
Post 12 Jul 2016, 03:28
sleepsleep
well,
if we provide them with fixed resolution non-customizable virtualbox os,

and our server side are running the exact same virtualbox os with fixed resolution too,

with exact browser os and so on, ads to trans,

they send us the hash and link, we run the link and hash, if not equal, means content unverified, if equal mean content verified,
Post 12 Jul 2016, 03:31
revolution
Forget about the user side processing. You can't trust it and you don't need it. Just ask the server to send a digitally signed document (it could be a PDF, or a text document, an HTML page, or whatever) and the user can save it for later. Digital signing is a solved problem. There is no need to reinvent the wheel here.
Post 12 Jul 2016, 03:47
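The server-side approach from the post above, as an added example that is not part of the thread: the server records what it fetched, from where and when, and authenticates that record under a key the user never sees. HMAC from the standard library stands in for a public-key signature here, so only the server can verify; the key, function names, URL and sample bytes are constructed assumptions.

```python
import hashlib
import hmac
import json

# Constructed demo key (assumption); a real service keeps its key off the client.
SERVER_KEY = b"constructed-demo-key"


def _tag(record: dict, key: bytes) -> str:
    # Canonical JSON so the same fields always serialise to the same bytes.
    body = {k: record[k] for k in ("url", "captured_at", "sha256")}
    msg = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def attest(url: str, captured_at: str, content: bytes, key: bytes = SERVER_KEY) -> dict:
    """Server: bind the fetched bytes to the URL and capture time."""
    record = {
        "url": url,
        "captured_at": captured_at,
        "sha256": hashlib.sha256(content).hexdigest(),
    }
    record["tag"] = _tag(record, key)
    return record


def verify(record: dict, content: bytes, key: bytes = SERVER_KEY) -> bool:
    """Server: accept only if both the metadata and the bytes are unmodified."""
    try:
        expected = _tag(record, key)
        claimed = str(record["tag"])
    except KeyError:
        return False
    if not hmac.compare_digest(expected.encode(), claimed.encode()):
        return False
    actual = hashlib.sha256(content).hexdigest()
    return hmac.compare_digest(str(record["sha256"]).encode(), actual.encode())


if __name__ == "__main__":
    page = b"<html>balance: 100</html>"  # constructed sample capture
    rec = attest("https://example.test/account", "2016-07-12T03:47:00Z", page)
    print(verify(rec, page))                          # untouched capture
    print(verify(rec, b"<html>balance: 900</html>"))  # bytes edited afterwards
    print(verify({**rec, "captured_at": "2016-01-01T00:00:00Z"}, page))  # backdated
```

A record built with any key other than the server's fails verification, which is why the capture and the keyed step both have to happen outside the user's machine.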
YONG
revolution wrote:
Just ask the server to send a digitally signed document (it could be a PDF, or a text document, an HTML page, or whatever) and the user can save it for later.
What? Are we on the same planet? Rolling Eyes

We are talking about taking screen shots when a user is interacting with a system or application. We are NOT talking about whether an e-statement sent by a bank is authentic or not.

sleepsleep is looking for ways to tell whether a screen shot taken by a user is valid or not.

Wink
Post 12 Jul 2016, 05:59
revolution
Yeah, but sleepsleep's idea can't work unless we can change the laws of physics. So instead another, practical, option is to ask the server to produce and sign something to "prove" the information. I'm not saying it is necessary or good, but at least it is possible.
Post 12 Jul 2016, 06:09
TmX



Joined: 02 Mar 2006
Posts: 821
Location: Jakarta, Indonesia
TmX
sleepsleep wrote:
hi TmX,

i was thinking like an application, if run, it would show something on the desktop, a graphic or etc, so whenever the user print screen, that "extra string & numbers & " would get screenshot into it


Hi sleepsleep,

Hmm your approach looks more complicated than mine.
I'm kinda on low brainpower, so let me take some time to understand yours

Razz
Post 12 Jul 2016, 06:18
sleepsleep
revolution wrote:
Forget about the user side processing. You can't trust it and you don't need it. Just ask the server to send a digitally signed document (it could be a PDF, or a text document, an HTML page, or whatever) and the user can save it for later. Digital signing is a solved problem. There is no need to reinvent the wheel here.


agree, such approach is more practical,
so we just need to create a web site that allows people to add a login url, user password if they need to log in, target url, sentence to focus,

we screenshot it, digitally sign it, allow them to download

such an approach guarantees the document's date and time of creation, content

now, which start up want to roll this out?
Post 12 Jul 2016, 09:29
sleepsleep
if could be in desktop app mode, as revolution suggested,
once user press our screenshot button,
application grab current focus tab url, input box for user to enter extra credentials, focus text if needed,

send to server, we look up that web site, screenshot it, digitally sign it, let user download the file.
Post 12 Jul 2016, 09:34
sleepsleep
YONG wrote:
sleepsleep is looking for ways to tell whether a screen shot taken by a user is valid or not.


revolution's approach is to let "system in charge" produce the screenshot and digitally sign it (with the assumption that such an approach will disable possible user data tampering)

of course, verification without digital sign them is still possible,
i don't know how much cost involve to have file "digital signed" feature
do they charge per file sign or etc, per month or idk,

system just need to sha-4 the file hash, post the hash into blockchain, problem settled,
Post 12 Jul 2016, 09:43
revolution
sleepsleep wrote:
if could be in desktop app mode, as revolution suggested,
No, I didn't suggest a desktop app, because you can't trust the user's machine. To do what you want it has to be done outside of the user's influence. I am not debating the purpose or usefulness, just the technical aspects.
Post 12 Jul 2016, 09:59
sleepsleep
please forgive my poor english command,

i mean, this thing could be in desktop app mode,

and we use idea "server site screenshot and sign" as revolution suggested,

my suggestion is desktop app make it easier for user to pass url, credentials, focus text to "server or start-up or system" after they press screenshot button

so once user press screenshot button, (the default function of screenshot already in memory waiting to get paste), but we pop up input box for user to enter credential

to do it through web is also fine, user still need to input url, .... and so on for our server to screenshot / save / pdf printed

i hope i clear myself about what i mean with desktop app here,

my concern is on the cost to have a valid digital sign infra / software and etc,

so, i recommend we just sha the screenshot / pdf printed /, post the hash into blockchain,
Post 12 Jul 2016, 10:09
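The "sha the screenshot, post the hash" idea from the post above, sketched as an added example that is not part of the thread: a local hash-chained list stands in for the blockchain, with SHA-256 as the hash. The function names, timestamps and sample bytes are constructed assumptions.

```python
import hashlib
import json

GENESIS = "0" * 64  # fixed starting value for the first link


def _entry_hash(prev: str, doc: str, ts: str) -> str:
    body = json.dumps({"prev": prev, "doc": doc, "ts": ts}, sort_keys=True)
    return hashlib.sha256(body.encode()).hexdigest()


def append(log: list, content: bytes, ts: str) -> str:
    """Server: log the SHA-256 of the captured bytes; returns the new head hash."""
    prev = log[-1]["hash"] if log else GENESIS
    doc = hashlib.sha256(content).hexdigest()
    log.append({"prev": prev, "doc": doc, "ts": ts,
                "hash": _entry_hash(prev, doc, ts)})
    return log[-1]["hash"]


def chain_intact(log: list, head: str) -> bool:
    """Recompute every link and compare the result with the published head."""
    prev = GENESIS
    for e in log:
        if e["prev"] != prev or e["hash"] != _entry_hash(prev, e["doc"], e["ts"]):
            return False
        prev = e["hash"]
    return prev == head


def logged_at(log: list, head: str, content: bytes):
    """Return the logged timestamp for exactly these bytes, else None."""
    if not chain_intact(log, head):
        return None
    doc = hashlib.sha256(content).hexdigest()
    return next((e["ts"] for e in log if e["doc"] == doc), None)
```

A matching entry shows only that these exact bytes existed when the entry was written; it does not show who produced them, so the capture still has to happen on the server side.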
revolution
sleepsleep wrote:
now, which start up want to roll this out?
  1. sleepsleep to start writing the code.
  2. Setup the site.
  3. ???
  4. Profit
Post 12 Jul 2016, 10:38
sleepsleep
should be no problem for public accessible site, might need to ponder more on how to handle site that needs credentials, eg, facebook, twitter or etc
Post 12 Jul 2016, 21:29
Furs



Joined: 04 Mar 2016
Posts: 1471
Furs
So let me get this straight, you want to know if a screenshot is not edited or "Photoshopped" as the meme goes?

Sorry, but you need an authority for that that people trust. It can be a centralized authority (a site/server/company) or decentralized (which puts trust in the decentralized system and the fact that a lot of people use it — unpopular system = unsafe).

Theoretically, you can't trust the user's machine, however in practice you can make it enough of a pain for the crackers/reverse engineers.

One way to do it would be to:

  • not have the application's "screenshot taking and uploading" code in the application itself, instead have it be downloaded by the application; this of course includes the encryption keys and algorithms, hardcoded in the code.

  • have the above change randomly on every screenshot; when a user uses the screenshot function, it tells the server to pick 1 specific random algorithm/key for this connection, then the server sends it, the app executes it, and then uploads the screenshot. If the app fails to send the screenshot within a short timeframe (1 sec or less), the server will refuse to take it as authentic. Of course once the server or whatever receives the screenshot, it verifies that it was indeed encoded with the specific code for that connection request.


This is because any tampering or reverse engineering will take a while even with automated tools, so a short timeframe ensures it's executed fast enough.

Of course there aren't enough algorithms or slight changes for every request. So the central server or decentralized system has a pool of codes from which it randomly picks on every request. The key is always randomized independently.

This pool should get completely changed every week or so (or everyday even) so that reverse engineers only have that limited timeframe to analyze it, which is a real pain and they'll give up.


The point isn't to make it theoretically impossible for them, because that is futile. It's to make it painful enough so they don't bother.
Post 13 Jul 2016, 16:33
sleepsleep
Furs wrote:
not have the application's "screenshot taking and uploading" code in the application itself, instead have it be downloaded by the application; this of course includes the encryption keys and algorithms, hardcoded in the code.


mind to elaborate?

afaik, screenshot is just a copy of screen region in memory temporarily, waiting to be pasted stuff,

hacker don't need to hack or reverse our application, they could manipulate the screenshot memory / or create a false screenshot memory region and substitute it into current screenshot,

actually your idea just gave me a new thought, but i wish to hear your elaboration first,
Post 13 Jul 2016, 21:38
revolution
Furs: Your suggestion fails to be trustworthy because at the end of all the things you are still trusting the user's machine to produce the data that gets encoded/encrypted/signed. If you can't trust the input data then it makes no difference how much you try to hide encryption keys/etc., the user doesn't need to know what the keys are, they only have to provide a service that produces screenshots with whatever data they wish.
Post 14 Jul 2016, 00:46
YONG
Furs wrote:
If the app fails to send the screenshot within a short timeframe (1 sec or less), the server will refuse to take it as authentic.
How about users that are stuck with a slow Internet connection? Even with broadband, users may, from time to time, suffer from network congestion. I don't think such a short timeframe restriction is feasible in real life situations.
Post 15 Jul 2016, 03:23
Copyright © 1999-2020, Tomasz Grysztar. Also on YouTube, Twitter.