So I was sitting here, watching the ever-changing Who's Online (http://clockworkmansion.com/forum/index.php?action=who) page, when one of the Guests - presumably a googlebot - has dug up an old thread (http://clockworkmansion.com/forum/index.php/topic,3692.0.html) with a name that immediately gained my attention. So, I've skimmed through it, and got an (apparently valid) impression that those pages are still hidden.
Obviously I have too much free time... let the hunt begin! Anyway, a lot of people in the thread had heavy trouble locating them, so I expected a bit of a challenge, at least... and that was my mistake. They weren't even trying to hide... 20 minutes was enough to stumble upon the right pages.
*sigh*
Obviously, Honoured Moderators don't need my permission for anything... but here goes: If I said too much, or the topic's too pointless, feel free to edit and/or delete this post. I simply had to rant a bit, and shouting late at night isn't a very good idea.
//h
EDIT: Moved? Well, it IS DMFA-related, true... *chants*: "The Mod Knows Better Than Me... The Mod Knows Better Than Me... The Mod Knows Better..."
It's like a lot of puzzles in adventure games. You'll hear one gamer complaining that he couldn't get it for hours and it was frustrating and illogical, while another gamer got it on the first go like it was the most logical thing in the world.
And just how do you know you managed to find them all? ;)
Well, the general opinion back then was that there were two pages... have I missed some later event that increased the amount?
//h
Quote from: hapless on August 05, 2009, 05:55:54 PM
Well, the general opinion back then was that there were two pages... have I missed some later event that increased the amount?
//h
...yeah. If I recall, the are now at least 5.
I have yet to actually find them, then again I know nothing about where to begin ;)
So for now, I'm content to know they exist out of my eyes.
Quote from: techmaster-glitch on August 05, 2009, 05:58:05 PM
Quote from: hapless on August 05, 2009, 05:55:54 PM
Well, the general opinion back then was that there were two pages... have I missed some later event that increased the amount?
//h
...yeah. If I recall, the are now at least 5.
I still believe there's only 3. I searched -everywhere- but the archives, including the source pages. I think someone was just trying to mess with our heads.
Quote from: techmaster-glitch on August 05, 2009, 05:58:05 PM
Quote from: hapless on August 05, 2009, 05:55:54 PM
Well, the general opinion back then was that there were two pages... have I missed some later event that increased the amount?
//h
...yeah. If I recall, the are now at least 5.
Sweet. I guess they're hidden by some different technique... now I have something to do... maybe even for years if you're kidding.
Quote from: Aisha deCabre on August 05, 2009, 06:03:00 PM
I still believe there's only 3. I searched -everywhere- but the archives, including the source pages. I think someone was just trying to mess with our heads.
"Someone"?
//h
APPEND: Ok, either the third one is done in a different way, or I'm somehow avoiding the right point of reference... Thanks again, that's gonna take some time :)
I have been assured by somebody who should know that there are only three secret pages. I found three, and all I will say is that they are not in the archives.
Edit:
The same message said that the other two were made up by a certain somebody.
So... how do you know the person assuring you was telling the truth?
Just idly interested, here. I'm happy to have found all five pages, so...
Um... rapidly changing username... :erk
Yeah, I really need to see that therapist.
Past that, I've only found one, and I technically didn't even find it. I was linked to it(not on this forum).
Quote from: llearch n'n'daCorna on August 05, 2009, 07:12:14 PM
Just idly interested, here. I'm happy to have found all five pages, so...
All five? There are at least 8 hidden pages that I've located.
Quote from: Fibre on August 05, 2009, 10:13:17 PM
Quote from: llearch n'n'daCorna on August 05, 2009, 07:12:14 PM
Just idly interested, here. I'm happy to have found all five pages, so...
All five? There are at least 8 hidden pages that I've located.
Argh. Argh, I say.
I forgot that pain and confusion are favourite dish around here... with freshly slain noob on close second place.
//h
Mmmm, such a tasty dish~ :3
Great. Now I'm going to go insane trying to find more hidden pages. 2 down, ? more to go... :U
It's fun to watch this topic keep coming back up. No really.
Quote from: Mao Laoren on August 06, 2009, 08:27:16 AM
It's fun to watch this topic keep coming back up. No really.
I'd say "Sorry. Forgive me."... but I wouldn't forgive myself if I was you.
Anyway, got third one. X to go, where X is an integer in < 0 ; +Infinity ) range.
//h(ow can I be sure?)
ed: Corgatha, Sir, that's what I meant...
The most authoritative voice would probably be if Amber went and said that there are x number of hidden pages. After all, it's possible that there could be several hidden pages that haven't been found by anybody. Wouldn't that be a shock to certain people.
Other than that, I suppose that the next best thing would be to analyze the posts to see which can be trusted. One approach is to use the scientific method of creating hypothesis and then testing them against the posts. For example, one can make the assumption that there are multiple people who have found all or all but one of the hidden pages. Based on this hypothesis, people claiming to have found several more hidden pages than anybody else would be automatically suspect. Unfortunately, not all problems of this type are as simple as the "All green men always lie and all blue men always tell the truth" group of problems. However, the old standby of motive, means, and opportunity is always a good framework within which to place such investigations.
With regard to the methods of hiding pages, there are a number of techniques. Using php (which is used on this site), I could create a page that will only appear if the user goes to a specific page in the archive, then clicks on Demonology 101, and then clicks on Cast from the page that then appears. Given over a thousand pages in the archive and eight tabs at the top of the page, this would yield over fifty thousand combinations that would have to be tested. (I could also arrange it so that the page would only appear on alternate Tuesdays to make things even more difficult.) Since the php code is not passed to the browser, analysis of the HTML source would not be useful. I believe that Amber would consider this cheating, and I would not expect such a technique to have been used.
In the final analysis, there are individuals who will attempt to frustrate other readers by posting false and malicious information. With regard to dealing with such individuals, I see only one suitable approach.
:mob
Serious, scientifically worded answer? In MAH topic?
*implodes*
Of course, such convoluted thig is possible. But as the path becames more complex, the probability of finding it decreases. Above some level of complication there's no way left other than a script-assisted brute-force exploration of all available paths.
Fortunately, at least until the planned-for-oh-so-long-time upgrade happens (and yes, Amber, I completely understand your pain of having to adjust the next-arc ponters by hand), PHP seems to be used for not much more than the header portrait and equivalent of #include. I have some ideas to try... :)
//h(ave a nice night)
Quote from: Naldru on August 06, 2009, 06:08:17 PM
With regard to the methods of hiding pages, there are a number of techniques. Using php (which is used on this site), I could create a page that will only appear if the user goes to a specific page in the archive, then clicks on Demonology 101, and then clicks on Cast from the page that then appears. Given over a thousand pages in the archive and eight tabs at the top of the page, this would yield over fifty thousand combinations that would have to be tested. (I could also arrange it so that the page would only appear on alternate Tuesdays to make things even more difficult.) Since the php code is not passed to the browser, analysis of the HTML source would not be useful. I believe that Amber would consider this cheating, and I would not expect such a technique to have been used.
Out of interest, could you show me how you'd implement such code?
I used to know where two where... now I think I can remember where one is...
Quote from: llearch n'n'daCorna on August 06, 2009, 08:07:29 PM
Out of interest, could you show me how you'd implement such code?
Well, all you need is a method of passing state around. Always available are:
GET variables - obvious as a barn... page.php?var=something...
Cookies - set by headers, so not visible in the HTML, but if somebody has disabled them it won't work, also with browser in paranoid "ask every time" mode he'll see them (and there's always the manual "show cookies" button...).
POST variables - require a <form>. There's <input type="image" /> that's barely distinguishable from a normal image link, but having a textual submit link may require fiddling with javascript iirc. Anyway, quite prominent in HTML source.
Both non-cookie cases would require you to either append the ?GET=VAR or a whole <form> to every link on every page, dynamically. Or only to the link leading to the next step of the secret combination, which makes it not very secret anymore. Also, all three can be manipulated - anybody could use a pre-generated one to skip the process.
Best option (I'd dare to say "the only practical option") would be a server-side store, either in a file or some SQL database. But to keep that status tied to specific browser session you'd need a cookie (gain here: cookie is just a random ID, doesn't contain the "status") or SESSID anyway, unless you're going to assume "same IP + same User-Agent = same session", which might be a problem when whole family using Firefox 3.5.1 from one public IP is trying to find the secrets at the same time. :)
After you have all of this set up...
Vol_911.php -> set_status(1);
demonology.php -> if (get_status() == 1) { set_status(2); } else { set_status(0); }
cast.php -> if (get_status() == 2) { show_link(); } else { set_status(0); }
any_other_page.php -> set_status(0);
Alternatively you may add a second check so once revealed the link will stay visible instead of disappearing on first load of any other change.
Oh, I forgot about Tuesdays... PHP's date handling is a little annoying, but generally simple.
//h(onestly, I think I've been trolled... You, Sir, obviously know how it's done... *yawn*)
Quote from: hapless on August 07, 2009, 05:24:10 AM
//h(onestly, I think I've been trolled... You, Sir, obviously know how it's done... *yawn*)
I know how _I'd_ do it. I was curious how someone else would approach it, on grounds of it might well show up some deficiencies in my approach.
It's also useful info in case I want to go make trouble, later... ;-]
I have found zero hidden pages and am quite happy with that. There are too web pages that are easy to find that I will bother go look for those who aren't.
I found one by accident just sitting there in plain sight. I was just browsding the pages and there I saw it, plain as day. I'm happy whit what I found and I don't care about the others but now it's tearing me up inside knowing that I am unable to talk about it.
The coding of the algorithms mentioned above are made considerably simpler if you use the HTTP referrer header (http://en.wikipedia.org/wiki/HTTP_referrer). If the code for the second page detects that the referrer is the first page, it changes the link to the third page. When the coding for the third page detects that it is being accessed using the modified link, it inserts the link to the secret page. No persistence is required.
For those script kiddies out there, you can modify the code for the "Page Not Found" response so that it is logged in a database. IP addresses responsible for large numbers of requests of nonexistent pages (If I understand the nature of the scripts that people are discussing, this should prove adequate.) would be flagged. Flagged addresses would get periodic messages containing famous movie quotes such as "And that is why evil will always win. Because good is stupid." or "Thank you for hitting the self-destruct button.". Or you can come up with your own lines such as "So you wish to engage in a battle of wits. Okay, but I feel awkward dealing with an unarmed opponent."
****
Edit:
Sure, you can spoof it. But how do you know what to spoof it to?
You can turn off lots of information in your browser. However, it tends to break a lot of applications so that you don't get to see the shiny pretties.
I don't think you quite understood. You can make the chain as long as you like. Each page looks to see if the referrer is set to the correct value and if the link to the page was modified in the correct method, perhaps by adding a parameter. If both tests are satisfied it will then send the correctly modified URL to go to the next page, but only when you hit the correct link. Since the modifications to the URL are in the PHP code they are not visible to the browser. Therefore, anybody passing the correctly modified URL can be assumed to have gone through the earlier elements in the chain.
Also remember that you can set up dead ends by modifying all of the URL's on the page with meaningless parameters.
Quote from: Naldru on August 07, 2009, 12:15:00 PM
The coding of the algorithms mentioned above are made considerably simpler if you use the HTTP referrer header (http://en.wikipedia.org/wiki/HTTP_referrer). If the code for the second page detects that the referrer is the first page, it changes the link to the third page. When the coding for the third page detects that it is being accessed using the modified link, it inserts the link to the secret page. No persistence is required.
Tools->Quick Preferences->Send Referrer Information->Disable. Now what? I won't find it EVER.
Also, both Dragonfly and Firefox's Modify Headers allow you to spoof it. Same thing as with the "store state in a cookie" problem.
Said that, you present a very elegant approach, no data stored anywhere. It's only drawback is the fact you're limited to a
page1->page2 (shows link)->secret pagechain, no way to add more steps. Unless... you make N copies of seemingly "normal" pages, with urls differing with capitalization of something, and do thing like
page1: link(Page2) -> Page2: if(ref) link(Page3) else link(page3) -> Page3: ... -> HyperSecretPage//h(ow about that?)
PS. Best error messages are obscure error messages... see below ;)
Quote from: hapless on August 07, 2009, 01:04:42 PM
Tools->Quick Preferences->Send Referrer Information->Disable. Now what? I won't find it EVER.
Also, both Dragonfly and Firefox's Modify Headers allow you to spoof it. Same thing as with the "store state in a cookie" problem.
Said that, you present a very elegant approach, no data stored anywhere. It's only drawback is the fact you're limited to a
page1->page2 (shows link)->secret page
chain, no way to add more steps. Unless... you make N copies of seemingly "normal" pages, with urls differing with capitalization of something, and do thing like
page1: link(Page2) -> Page2: if(ref) link(Page3) else link(page3) -> Page3: ... -> HyperSecretPage
//h(ow about that?)
PS. Best error messages are obscure error messages... see below ;)
Well, there are two things: One, I use RefControl myself; I generally have it spoof the current page so as to avoid getting blocked by hotlink protection. However, using this, a few sites won't work - they want specific referrers.
As such, I have it set such that only third-party requests(links to another site) get spoofed, and I think you will find that most people will do something similar - because its so much of a pain otherwise.
As far as faking the right page, that first requires that you -know- the right referrer to spoof in the first place.
The best option I see is to use session cookies on every page: You use GET to store the SSID, no worries about someone finding anything out with that. You justify the session data by building your archive and site dynamically, having lot of user-preferences that make things easier. Once you do that, its easy enough; you could do anything you want as far as complex chains of pages, or any other method.
---------
Llearch, I would love to know how you would do this, please elaborate.
-Robbie
Quote from: RobbieThe1st on August 11, 2009, 01:57:07 AM
Llearch, I would love to know how you would do this, please elaborate.
Secretively.
Quote from: llearch n'n'daCorna on August 11, 2009, 09:25:56 AM
Quote from: RobbieThe1st on August 11, 2009, 01:57:07 AM
Llearch, I would love to know how you would do this, please elaborate.
Secretively.
There are ways of making your computer talk.
Quote from: Fibre on August 05, 2009, 10:13:17 PM
Quote from: llearch n'n'daCorna on August 05, 2009, 07:12:14 PM
Just idly interested, here. I'm happy to have found all five pages, so...
All five? There are at least 8 hidden pages that I've located.
8?!
Do we have to hack into the server to find them?!
Having now non-noobledly read the rest of the topic, I will amend the first part of my post.
K..Which part of the server should I start looking in?Thinking about the chains..
Now, what if I just made a script that would visit every single link on a page, compare the code to the last one and check for differences in certain areas of the HTML, and then reported which links it visited from which page gave a difference, IE a log of every page it has visited up to that point, would that work?
Pretty much just a crawler..xD
Except I would need to run multiple copies on my 3 machines so it wouldn't take 5 days.
One is a linux distribution :D
They're both lying. The amount of secret pages isn't expressed as an integer.
Quote from: Corgatha Taldorthar on August 12, 2009, 08:43:24 PM
They're both lying. The amount of secret pages isn't expressed as an integer.
...
Is hex considered an integer?
Quote from: rakyth on August 12, 2009, 08:36:25 PM
Quote from: Fibre on August 05, 2009, 10:13:17 PM
Quote from: llearch n'n'daCorna on August 05, 2009, 07:12:14 PM
Just idly interested, here. I'm happy to have found all five pages, so...
All five? There are at least 8 hidden pages that I've located.
8?!
Do we have to hack into the server to find them?!
Yes, at least. And of course not.
Quote from: Corgatha Taldorthar on August 12, 2009, 08:43:24 PM
They're both lying. The amount of secret pages isn't expressed as an integer.
I don't know about Llearch's (thus my question), but my statement was truthful. >:3
Quote from: rakyth on August 12, 2009, 08:52:53 PM
Is hex considered an integer?
"Hex" is just a way to express numbers. You can write fractional values in any base. (Although you can't necessarily represent the same set of values using a finite number of digits.)
Okay, when I say that it is possible to make a hidden page impossible to find, I am exaggerating. However, I can make the possibility of success less than one in a billion given the use of a billion machines for a billion years. For example:
Have the links for every page modified by using the addition of a parameter that uses a 128 character argument with the value of the argument being modified based on the page referred to. This argument will then be dependent on the route that the user takes through the pages and only one value will cause the hidden page to be revealed.
Have the PHP check the access log and refuse to show the secret page if IP address has requested more than 1000 pages in the last hour. (Depending on system performance, you may want to change the values.)
Set up the PHP to delay the rendering of each page by a half second.
Change the algorithms at periodic intervals so that the 128 character parameter that will cause the hidden page to be revealed will change on a daily or more frequent basis.
in order to remove the possibility of bot nets, look for patterns of multiple machines trying multiple combinations. This can be done by having a program processing the logs.
If I thought about it for more than thirty seconds, I am sure that I could come up with even sneakier methods.
******
My point is that I do not believe that Amber would view it as fair to use techniques of this time. The only place where I believe that this degree of obfuscation would be appropriate would be as challenges to security and encryption specialists.
I therefore believe that all current and future secret pages will be locatable with moderate amounts of effort (under forty hours) and will not require Nobel Prize winner levels of mathematical ability.
Crawlers are not friendly. We recommend you do not attempt to use them, as Amber may take it amiss and remove the hidden pages.
*looks at the topic with tears in his eyes*
WHAT... HAVE... I... DONE...?!
//h
Bah, I want to go comb trough the site to find more hidden pages, but Xepher crashed and burned. Damn you interwebs!
Quote from: hapless on August 13, 2009, 07:00:43 AM
*looks at the topic with tears in his eyes*
WHAT... HAVE... I... DONE...?!
//h
With a title like that, what did you expect?
By the way, crawlers are not only unfriendly, they leave big yucky fingerprints.
Quote from: Naldru on August 13, 2009, 01:13:46 PM
Quote from: hapless on August 13, 2009, 07:00:43 AM
*looks at the topic with tears in his eyes*
WHAT... HAVE... I... DONE...?!
//h
With a title like that, what did you expect?
By the way, crawlers are not only unfriendly, they leave big yucky fingerprints.
Oh, to be sure...Plus they eat lots of bandwidth, right? I never had reason to use any.