Return to Unfiction unforum
 a.r.g.b.b 
FAQ FAQ   Search Search 
 
Welcome!
New users, PLEASE read these forum guidelines. New posters, SEARCH before posting and read these rules before posting your killer new campaign. New players may also wish to peruse the ARG Player Tutorial.

All users must abide by the Terms of Service.
Website Restoration Project
This archiving project is a collaboration between Unfiction and Sean Stacey (SpaceBass), Brian Enigma (BrianEnigma), and Laura E. Hall (lehall) with
the Center for Immersive Arts.
Announcements
This is a static snapshot of the
Unfiction forums, as of
July 23, 2017.
This site is intended as an archive to chronicle the history of Alternate Reality Games.
  

The time now is Sun Nov 17, 2024 10:06 pm
All times are UTC - 4 (DST in action)		 View posts in this forum since last visit
View unanswered posts in this forum
Calendar
 Forum index » Archive » Archive: Perplex City » PXC: General/Updates
[SPEC] Perplex City Sentinel Key
View previous topicView next topic
Page 6 of 9 [122 Posts]   Goto page: Previous 1, 2, 3, 4, 5, 6, 7, 8, 9 Next
Author Message
HumanChimp
Greenhorn

Joined: 04 Apr 2005
Posts: 9

 		i'm pretty sure the whole site is dynamic - they tried to make it look static by using /year/month/firest 15 letters.html - but that is easy to do with PHP, the archives file is likely to be the script and the parameters are just tagged on the end seperated by "/" and with a ".html" on the end for show. - But if you take off the .html, it still shows you the right artcile, instead of giving you an Error 404 which would happen if the site was static.

Plus the html of all the story pages shows a <div ID="mainstorycontent"> which leads me to believe that the script just searches the template for that DIV tag, and chucks in the story just under it. If it was a static file, there would be no reason to add that.

PostPosted: Thu Apr 07, 2005 1:45 pm
 View user's profile
 Back to top 
Daffy889
Unfettered


Joined: 25 Aug 2004
Posts: 493
Location: South Australia
HumanChimp wrote:
i'm pretty sure the whole site is dynamic - they tried to make it look static by using /year/month/firest 15 letters.html - but that is easy to do with PHP, the archives file is likely to be the script and the parameters are just tagged on the end seperated by "/" and with a ".html" on the end for show. - But if you take off the .html, it still shows you the right artcile, instead of giving you an Error 404 which would happen if the site was static.

Plus the html of all the story pages shows a <div ID="mainstorycontent"> which leads me to believe that the script just searches the template for that DIV tag, and chucks in the story just under it. If it was a static file, there would be no reason to add that.


There would, for formatting reasons. If you look in the style sheet, you'll see that there are references to "mainstorycontent" to format various things in that div.

But I agree, the fact that the links work without the .html tells us that it is all dynamic. Nice find.
_________________
Daffy³
Perplex City Map

PostPosted: Thu Apr 07, 2005 2:00 pm
 View user's profile Visit poster's website MSN Messenger
 Back to top 
HumanChimp
Greenhorn

Joined: 04 Apr 2005
Posts: 9

 		I stand corrected, i see what you mean... Smile

PostPosted: Thu Apr 07, 2005 2:01 pm
 View user's profile
 Back to top 
thebruce
Dances With Wikis


Joined: 16 Aug 2004
Posts: 6899
Location: Kitchener, Ontario

 		Re: Setinel Links
Catfurnace wrote:
All the inaccessible links down the left-hand side of the page do indeed go to separate URLs, eg. http://www.perplexcitysentinel.com/puzzles/cryptology/ but display the "Subscription Information Not Found" message as with the Authenticate page.

Possibly, this means that as you say, the articles which link dirctly to the Authenticate page will never be viewable, but i think that all the left-hand pages will (eventually) be accesible - with or without a key?

No, you're exactly right... and I never made the point that I believed the site was static, just that at this point I don't believe anything is actively 'restricted' in that we need to find the key to get to it... just like in any other arg, if the content is there, public or protected, you run the risk of someone cracking the 'puzzle' and getting to content before it's time. If there is an authentication process in action, then it's a current puzzle we need to solve. If there is no puzzle here, then I'm positive there isn't any kind of active authentication check.

So at this point, I still believe the site is fully accessible (nothing hidden), thus no authentication check - but that's not to say the site isn't dynamically generated, which I do believe is the case. Dynamic content is much easier to manage than consistently maintaining raw html (or whatever server scripts generates the html).

Quote:
Well, i would disagree that it is even remotely difficult to Replace() strings on a server. Another way: No Cookie? Redirect. There's lot's of easy ways to handle that.

well like I said, it's a possible way, but there are much easier ways, and the only reason I can see the developer hiding the urls is specifically because there's something in the urls that needs to remain secret, not just the matter of securing the page. Having a secure page I just don't see as a good enough reason, as a developer myself, to go through the effort of hiding the urls. It's much simpler just to ensure security on the pages you want to remain secure.

Quote:
I do however agree that all we could do is pursue every TCP/IP addressing option and probably still not get in without the key. THis is just brute force to and I stopped after about 10 or twenty times. Thought I could get lucky.

Not sure what you mean by that... are you trying to locate the hidden url? or are you trying to send an authentication cookie along with the url requests?

Quote:
The PCSentinel might not even use cookies - though I think that is unlikely becuse of the ease of operation and the verbiage the users receives when receiving dead end page. I think they have something like Plone, or another web-tmeplate software.

not sure what you mean here either... unless you get into running heavy encryption, like NTLM, you're still working with cookies for authentication, ancrypted or otherwise. Otherwise the server is simply checking for whatever else can be used to identify a specific user - such as recording the useragent for each request - the browser info, the IP, etc... but none of that information is guaranteed to be as unique as the specific computer a cookie relates to, thus is nowhere near as secure. The only (common, at least) authentications I know of are based on cookies, or NT... the only exchange between a client and server is done with the http request (the client asking for a url) and the response from the server (the resulting html code, or whatever mime type is sent for the request).

Quote:
Yes, it would not be difficult to replace a few urls with the /authenticate one if that article is protected, especially if those urls and summaries are already being dynamically generated from a database.

Yes, but it's extra work where it's not needed unless they have a strong specific reason to hide urls - the pages for which would (we assume) already be secured.

Quote:
i'm pretty sure the whole site is dynamic - they tried to make it look static by using /year/month/firest 15 letters.html - but that is easy to do with PHP, the archives file is likely to be the script and the parameters are just tagged on the end seperated by "/" and with a ".html" on the end for show. - But if you take off the .html, it still shows you the right artcile, instead of giving you an Error 404 which would happen if the site was static.

That's an interesting point... recently Ive been experimenting with url-rewriting, mainly to get rid of the querystring (all the text after the ? in a url), which is still a possibility here. By doing this, you basically use the url as a command string rather than a folder/folder/file format... so the server can directly be told to take each url request and pipe it through a script that takes everything between /'s as a command instead of file/folder references... so you can 'disguise' commands to appear like a file path. As you say, /2005/04/my_header_text.html when piped through the script, could be parsed as being told to retrieve the content page labelled 'my_head_text' (regardless of extension), from the month 4 archive of the year 2005 archive... instead of simply looking in the 2005/04 folder for the filename. Depending on how the site is programmed, this can offer more content flexibility...

It's a lot of work to disguise a site as a very simple static site, but given that apparently the article works with or without the extension, it seems to definitely point to a dynamic site (unless of course they copied the content twice, for two different files - doubtful Razz)...
so Smile

ok now I'm done for all this techie mumbo jumbo... hehe
_________________
@4DFiction/@Wikibruce/Contact
ARGFest 2013 - Seattle! ARGFest.com

PostPosted: Fri Apr 08, 2005 12:42 am
 View user's profile Visit poster's website AIM Address
 Back to top 
POTUS
Decorated


Joined: 08 Mar 2005
Posts: 277
Location: The shores of the great lake Erie

 		TheBruce said:
Quote:
you run the risk of someone cracking the 'puzzle' and getting to content before it's time.

That's the money line for me. We are wasting our time without the key because they've probably put it in a very specific location, if they jhave posted it at all, and without a key or any other access method - we have to wait.

I tried a bunch of querystrings, but really it was just combinations of ?, key=, & and the 24 digit number.
_________________
Now that you've found another key ~ what are you going to play?

PostPosted: Fri Apr 08, 2005 3:26 am
 View user's profile
 Back to top 
Daffy889
Unfettered


Joined: 25 Aug 2004
Posts: 493
Location: South Australia

 		Re: Setinel Links
thebruce wrote:
Quote:
Yes, it would not be difficult to replace a few urls with the /authenticate one if that article is protected, especially if those urls and summaries are already being dynamically generated from a database.

Yes, but it's extra work where it's not needed unless they have a strong specific reason to hide urls - the pages for which would (we assume) already be secured.


Extra work, yes, but not a lot of extra work. It would just be a few lines of extra code if that's the functionality you wanted.

Let's for this example assume that a function on the home page pulls the latest however many articles from the database, and the database supplies us with some variables for the headline, the url, and whether not it require authentication to be viewed. It would then have a loop function that generated the html for each article it returned. I'm writing in PHP because that's what I know best.

So, within the loop function we would have a line such as this:
Code:
echo "<a href=\"".$url."\">".$headline."</a>";


And to achieve the functionality we're looking for, all we need is a few more lines around that:
Code:
if ($authrequired = true) {
echo "<a href=\"/authenticate/\">".$headline."</a>";
} else {
echo "<a href=\"".$url."\">".$headline."</a>";
}


I actually think it's not a bad effect to have, as the user knows without clicking on it whether or not they can access it or not. Comes in handy for ARGs where we're trying to search every page on the site, because we don't have to waste time clicking on anything pointing to /authenticate.
_________________
Daffy³
Perplex City Map

PostPosted: Fri Apr 08, 2005 5:16 am
 View user's profile Visit poster's website MSN Messenger
 Back to top 
HumanChimp
Greenhorn

Joined: 04 Apr 2005
Posts: 9

 		Unless they are just trying to be sneaky by actually linking to the right file, but making you think its linking to the authenticate page by using:

Code:
if ($authrequired = true) {
echo "<a href=\"".$url."\" onMouseOver=\"window.status='http://www.perplexcitysentinel.com/authenticate'\" onMouseOut=\"window.status=''\">".$headline."</a>";
} else {
echo "<a href=\"".$url."\">".$headline."</a>";


but that would just be silly. Smile

PostPosted: Fri Apr 08, 2005 9:21 am
 View user's profile
 Back to top 
thebruce
Dances With Wikis


Joined: 16 Aug 2004
Posts: 6899
Location: Kitchener, Ontario

 		didn't say it was hard extra work... but there's no point in doing it. it's extra work, unnecessary if all you want to do is secure a page, which 99% of the secure sites out there do. I rarely come across any site that removes direct links to secure pages before formatting the result html to the client. No, it's not a lot of work to add in, but it's pointless, unless your specific reason is to hide the url, which in this case, again, serves no purpose.

Either way, all we know is that many links go straight to /authenticate, and a few go to folders that may eventually have content. Beyond that, everything is pur spec, and right now, heavy evidence simply seems to be pointing towards to the idea that we will be served the content on that site when the content is made available for us. If you want to keep trying cookie names and values (and who knows what kind of cookie encryption may be in place), or guessing at querystring contents for who knows what page that we can already access to try and 'hack' into the authentication - then go for it... I'm just saying, I'm positive it's a waste of time at this point. As a professional web developer, I'm speaking from experience. As an arger, I'm offering an opinion based on the evidence Wink

(ps, quoting code is kind of pointless, because we have no idea what server side code they are using at this point; so if I were going to post code, I'd just post pseudo-code - easier for the layperson to understand the process, language-independent; but that's just me)
_________________
@4DFiction/@Wikibruce/Contact
ARGFest 2013 - Seattle! ARGFest.com

PostPosted: Sun Apr 10, 2005 2:10 am
 View user's profile Visit poster's website AIM Address
 Back to top 
Daffy889
Unfettered


Joined: 25 Aug 2004
Posts: 493
Location: South Australia
thebruce wrote:
didn't say it was hard extra work... but there's no point in doing it. it's extra work, unnecessary if all you want to do is secure a page, which 99% of the secure sites out there do. I rarely come across any site that removes direct links to secure pages before formatting the result html to the client. No, it's not a lot of work to add in, but it's pointless, unless your specific reason is to hide the url, which in this case, again, serves no purpose.


I say it does have a purpose. It probably wouldn't if it were a site for a real newspaper, but for us as ARGers it is a useful thing to have, because we know without clicking the links whether or not we will be able to view a content (by either hovering over it and reading the url, or depending on the user preferences it will show in a different colour as a visited link). This saves us a lot of time when we go searching the site for new content, because we know not to click on the links that won't work. Therfore, small amount of extra time when coding = large amount of time (collectively) saved for us when searching.

thebruce wrote:
Either way, all we know is that many links go straight to /authenticate, and a few go to folders that may eventually have content. Beyond that, everything is pur spec, and right now, heavy evidence simply seems to be pointing towards to the idea that we will be served the content on that site when the content is made available for us. If you want to keep trying cookie names and values (and who knows what kind of cookie encryption may be in place), or guessing at querystring contents for who knows what page that we can already access to try and 'hack' into the authentication - then go for it.


Couldn't agree more here. If we were meant to try to get in, we'd be told about it in some way.

thebruce wrote:
(ps, quoting code is kind of pointless, because we have no idea what server side code they are using at this point; so if I were going to post code, I'd just post pseudo-code - easier for the layperson to understand the process, language-independent; but that's just me)


It was pseudo-code, just based on PHP. It was as simplified as possible, and there were a lot of things that were not included that you would need to actually make it work as it does on the site. I just posted it because, to the layperson, you were making it sound as if it was a complicated thing to implement.
_________________
Daffy³
Perplex City Map

PostPosted: Sun Apr 10, 2005 4:43 am
 View user's profile Visit poster's website MSN Messenger
 Back to top 
Darkstar
Decorated

Joined: 07 Apr 2005
Posts: 256

 		Well I have emailed Scarlett (like im sure most of you have) about the Keys, maybe she can shed some light on them.

By the way, im new to this ARG as of yesterday, so hello.

PostPosted: Sun Apr 10, 2005 9:08 am
 View user's profile
 Back to top 
Scott
Entrenched


Joined: 11 Sep 2004
Posts: 1140
Location: 390 Chestnut Ridge Rd, Rochester NY, 14624, USA

 		all of the speculation on the nature of the website seems to not address the issue of fFormatting, and the blank pages. each time a new directory is opened up, (/2005/04/, fFor example) we get a glimpse of the directoryindex, and we see fFiles which are not articles at all. some are things like "crispy_heaven_c.html" and have no story content. these might be stories which were proposed but never written maybe. then there are the ones which are like "sente_blue_oped.html" these are the pictures on the site, but with different names and different extensions.

There are no fFiles with pertinent content. nothing which a key would reveal and we would say "ah-ha! so that's the what a key!" there is, in fFact, no evidence that any amount of guesswork at making a key would get us anything remarkable in any way.

There is ample evidence of some kind of swanky pre-processing going on. I dont know enough about apache and php to really say how that would work. But enough CSS in place behind enough PHP running on a sufficiently modified apache server would keep us guessing long into May. which, i suspect, is the truth or something like it.
_________________
Perplex City is a game whose only rule is: There must be a party.
Balance of Powers is a game whose only rule is: There must be a political party.

PostPosted: Sun Apr 10, 2005 8:01 pm
 View user's profile Visit poster's website
 Back to top 
tanner
Entrenched


Joined: 21 May 2003
Posts: 875
Location: (x,y,z,t,i, ...)+

 		crazy SPEC -- but could a key be connected with a PEP and this card ---
http://www.pleasurecards.com/index.php?p=C175

we found this months ago

i dont believe anyone figured why www.perplexcity.com is on this card

if i'm wrong please feel free to slap me around with a wet fish Very Happy Very Happy

edit -- ive just been informed that this is oog --- im still not fully convinced tho Smile
_________________
tanner³ -- Join the PXC team on SETI@home
"And the princess and the prince discuss what's real and what is not,
But it doesn't matter inside the Gates of Eden" - BD

PostPosted: Mon Apr 11, 2005 5:56 am
 View user's profile Yahoo Messenger
 Back to top 
w^nderlust
Boot


Joined: 09 Apr 2005
Posts: 21
Location: memento mori

 		PEP-lex city?
yeah I saw that card too and was wondering what the deal was. Could just be some guy helping to plug ppc. Also on that page is a card called Scarlet...

Oh yeah, hi. This is my first post. Very Happy

PostPosted: Mon Apr 11, 2005 8:03 am
 View user's profile AIM Address
 Back to top 
Mikeyj
Unfictologist


Joined: 18 Oct 2004
Posts: 1847
Location: London

 		Re: PEP-lex city?
w^nderlust wrote:
yeah I saw that card too and was wondering what the deal was. Could just be some guy helping to plug ppc. Also on that page is a card called Scarlet...

Oh yeah, hi. This is my first post. Very Happy


Hello and welcome...the tagline to the Scarlet card is
Quote:
She was clearly a bit of a goer
which does concern me that she's getting into things that daddy wouldn't approve of.

I did try plugging some things in as PEP numbers way back...but nothing came of it. Although I can't remember what I tried, certainly wasn't exhaustive and thought it might have something to do with the 24-digit number (but didn't everything?).[/quote]
_________________
Irrelevant musings.

PostPosted: Mon Apr 11, 2005 9:44 am
 View user's profile Visit poster's website
 Back to top 
dead weight
Veteran

Joined: 07 Apr 2005
Posts: 80

 		Re: PEP-lex city?
Mikeyj wrote:
...the tagline to the Scarlet card is
Quote:
She was clearly a bit of a goer
which does concern me that she's getting into things that daddy wouldn't approve of.


I actually assumed that card had nothing to do with this and was referencing Scarlett O'hara from Gone with the Wind. Could be wrong though...

PostPosted: Mon Apr 11, 2005 9:55 am
 View user's profile
 Back to top 
Display posts from previous:   Sort by:   
Page 6 of 9 [122 Posts]   Goto page: Previous 1, 2, 3, 4, 5, 6, 7, 8, 9 Next
View previous topicView next topic
 Forum index » Archive » Archive: Perplex City » PXC: General/Updates
Jump to:  


You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You can download files in this forum
You cannot post calendar events in this forum



Powered by phpBB © 2001, 2005 phpBB Group